Oyedibu/Hybrid-SOC-Lab-with-automated-incident-response

GitHub: Oyedibu/Hybrid-SOC-Lab-with-automated-incident-response

A project demonstrating a hybrid SOC lab: on-premises logs are ingested into Microsoft Sentinel via Azure Arc, and response to brute-force attacks is automated with Logic Apps.

Stars: 0 | Forks: 0

# Hybrid SOC Home Lab: Detection and Response

This project demonstrates the implementation of a hybrid SOC environment. I integrated a local physical machine into Microsoft Sentinel via Azure Arc and built an automated SOAR playbook that identifies and tags brute-force attackers in real time.

# Objective

Build a functional SOC environment that can detect brute-force attacks against a physical endpoint and automate the response using Microsoft Sentinel (SIEM) and Azure Logic Apps (SOAR).

```mermaid
graph TD
    subgraph "On-Premises (Local Lab)"
        Kali["Kali Linux (Attacker)"] -- Brute Force / Hydra --> WS2022["Windows Server 2022"]
        WS2022 -- "Security Logs (Event 4625)" --> Arc["Azure Arc Agent"]
    end
    subgraph "Azure Cloud"
        Arc -- "Log Ingestion" --> LAW["Log Analytics Workspace"]
        LAW -- "KQL Query" --> Sentinel["Microsoft Sentinel"]
        Sentinel -- "Trigger Incident" --> LogicApp["Azure Logic App (SOAR)"]
        LogicApp -- "Add Comment with IP" --> Sentinel
    end
    style Kali fill:#f96,stroke:#333
    style Sentinel fill:#0078d4,color:#fff
    style LogicApp fill:#0078d4,color:#fff
```

# Technologies Used

- SIEM/SOAR: Microsoft Sentinel
- Cloud Infrastructure: Azure Log Analytics Workspace, Azure Arc
- Automation: Azure Logic Apps
- Endpoint: Windows Server 2022 (Target) / Kali Linux (Attacker)
- Tools: Hydra (brute-force simulation), Kusto Query Language (KQL)

# Phase 1: Detection Engineering

- Log Ingestion: Integrated a physical Windows Server with Azure Sentinel using the Azure Arc and Log Analytics agent.
- KQL Development: Configured a custom Analytics Rule to monitor SecurityEvent logs for Event ID 4625 (Failed Login).
- Detection Logic:

```kql
SecurityEvent
| where EventID == 4625
| summarize FailureCount = count() by IpAddress, TargetAccount, Computer
| where FailureCount > 5
```

# Phase 2: SOAR Implementation

- Trigger: Created a Logic App Playbook triggered automatically upon Sentinel Incident creation.
- Workflow Logic:
  1. Get Incident: Retrieve full incident metadata.
  2. Entity Extraction: Utilized the Entities - Get IPs action to isolate the attacker's source address.
  3. Incident Enrichment: Automated the posting of a SOC comment back to the Sentinel incident, recording the attacker's IP for immediate visibility.

# Challenges and Troubleshooting

This phase involved overcoming several real-world configuration hurdles:

- RBAC Permissions: Encountered "No Microsoft Sentinel permissions" errors. Resolved by granting the Sentinel Playbook Responder role to the Logic App within the specific Resource Group.
- API Connection Policies: Attempted to use Gmail/Outlook connectors for notifications but pivoted to internal Incident Comments to bypass cross-tenant authentication restrictions (401 Unauthorized), keeping the workflow entirely within the SOC ecosystem.
- Dynamic Data Mapping: Resolved an issue where IP addresses were returning empty brackets `[]` by refining the Entity Mapping in the Sentinel Analytics rule.

# Results and Evidence

- Successful Attack Simulation: Hydra successfully triggered multiple alerts in Sentinel.
- Automation Success: The Logic App successfully parsed the attack data and updated the incident comments within seconds of the breach detection.

# Future Plans

- Active Blocking: Integrating with pfSense or Azure Firewall APIs to automatically block the detected IP at the perimeter.
- Geographic Enrichment: Using IP geolocation APIs to tag the attacker's physical location in the incident logs.
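To make the Phase 1 threshold logic and the Phase 2 entity-mapping step checkable offline, here is an added Python re-implementation (example code, not part of the repository) that runs the same grouping and `FailureCount > 5` rule over constructed SecurityEvent rows and then shows why rows without a usable `IpAddress` yield no IP entity. Field names follow the SecurityEvent table columns used in the KQL; the sample rows, the threshold helper and the comment text are assumptions.

```python
"""Added example (not from the repository): local re-implementation of the
Phase 1 analytics rule and the Phase 2 IP-entity step over constructed data."""
from collections import Counter

# Constructed sample of SecurityEvent rows (column names as in Log Analytics).
# Windows logs IpAddress as "-" for local/console logons, which is one way
# an IP entity ends up unmapped in Sentinel.
SAMPLE_EVENTS = (
    [{"EventID": 4625, "IpAddress": "192.0.2.10", "TargetAccount": "LAB\\administrator", "Computer": "WS2022"}] * 7
    + [{"EventID": 4625, "IpAddress": "192.0.2.10", "TargetAccount": "LAB\\svc_backup", "Computer": "WS2022"}] * 3
    + [{"EventID": 4624, "IpAddress": "192.0.2.10", "TargetAccount": "LAB\\administrator", "Computer": "WS2022"}]
    + [{"EventID": 4625, "IpAddress": "-", "TargetAccount": "LAB\\jdoe", "Computer": "WS2022"}] * 6
)

FAILED_LOGON = 4625
THRESHOLD = 5  # rule fires on FailureCount > 5, as in the KQL in Phase 1


def brute_force_candidates(events, threshold=THRESHOLD):
    """Mirror of: SecurityEvent | where EventID == 4625
    | summarize FailureCount = count() by IpAddress, TargetAccount, Computer
    | where FailureCount > threshold"""
    counts = Counter(
        (e["IpAddress"], e["TargetAccount"], e["Computer"])
        for e in events if e["EventID"] == FAILED_LOGON
    )
    return [
        {"IpAddress": ip, "TargetAccount": acct, "Computer": comp, "FailureCount": n}
        for (ip, acct, comp), n in counts.items() if n > threshold
    ]


def map_ip_entities(rows):
    """Entity-mapping step: only rows with a real IpAddress produce an IP entity.
    Rows with '-' or an empty value produce none, so a playbook's
    'Entities - Get IPs' action would see [] for such an incident."""
    return sorted({r["IpAddress"] for r in rows if r["IpAddress"] not in ("", "-")})


def playbook_comment(rows):
    """Comment the SOAR playbook would post back to the Sentinel incident."""
    ips = map_ip_entities(rows)
    if not ips:
        return "Brute-force rule fired but no IP entity was mapped; check Entity Mapping."
    return "Automated enrichment: brute-force source IP(s) " + ", ".join(ips)


if __name__ == "__main__":
    hits = brute_force_candidates(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(playbook_comment(hits))
```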
Tags: AMSI bypass, Azure Arc, Azure Log Analytics, Azure Logic Apps, Brute Force, FTP vulnerability scanning, KQL, Microsoft Sentinel, PoC, SOAR, Windows Server 2022, Event 4625, cloud security, failed-login detection, threat detection, security orchestration, security operations center, real-time response, lab environment, log ingestion, brute-force attacks, hybrid SOC, endpoint security, red team operations, network mapping, automated response, patch management