JTCyberTech / Cybersecurity-Home-Labs

Part 10: Remediate Incident in SIEM #53

Open JTCyberTech opened 11 months ago

Remediate Incident in SIEM

I have identified malicious activities associated with the user account "Chris." I will demonstrate the necessary procedures to disable the account and halt the malicious actions, subsequently outlining the measures implemented to enhance system security.

Disable the Compromised Account

The initial priority is the compromised account itself: it must be disabled immediately to prevent any further harm.

- Click on "Users" under Manage in the left sidebar.
- Click on "Chris".
- Click on "Edit" under Account status.
- Uncheck the box for "Account enabled". Then click on "Save".
- Chris's account is now disabled.



Add Diagnostic Settings in the Log Analytics Workspace

Since the compromised account removed the diagnostic settings, I will reinstate them.

- In the Azure Portal search bar, search for "Log Analytics workspaces" and open "SEC-Monitoring".
- Scroll down and click on "Diagnostic settings" under Monitoring in the left sidebar.
- Click on "Add diagnostic setting".
- Set Diagnostic setting name: "Microsoft Sentinel".
- Check the boxes for "audit", "allLogs", and "AllMetrics".
- Check the box for "Send to Log Analytics workspace".
- Set Log Analytics workspace: "SEC-Monitoring".
- Click on "Save".



Re-enabling Auditing and Health Monitoring in Sentinel

Since the compromised account turned off auditing and health monitoring in Sentinel, I will re-enable it.

- Navigate to Microsoft Sentinel for "SEC-Monitoring".
- Scroll down and click on "Settings" under Configuration in the left sidebar.
- Click on "Settings" at the top of the page.
- Scroll down and click on "Auditing and health monitoring" to expand it.
- Click on "Enable".



Close the Incidents

Having remediated the incidents, I will close the incidents that were assigned to me.

- Navigate to Microsoft Sentinel | Incidents.
- Select all the incidents assigned to me by checking their boxes. Then click on "Actions" at the top of the page.
- Change the Status to "Closed".
- Set the classification reason: "True Positive - Suspicious activity".
- Comment: describe what happened while Chris's account was compromised.
- Click on "Apply".
- The incidents are now closed with remediation.
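The same remediation can be scripted so it is repeatable and leaves a command history. The script below is an added example, not code from the original issue or the JTCyberTech repository; it covers the account disable, the diagnostic-setting restore and the incident closure using the Microsoft Graph PowerShell and Az modules. The Sentinel "Auditing and health monitoring" toggle is not scripted here and remains a portal step as described above. The UPN, resource group, subscription and reviewer values are placeholders, and the Az.SecurityInsights parameter and property names (`-Id`, `-ClassificationReason`, `OwnerUserPrincipalName`) are assumed to match the 3.x module; check them against `Get-Help` in your environment.

```powershell
# Added example (not from the original write-up): scripted equivalent of the
# portal steps. Requires Microsoft.Graph.Users, Microsoft.Graph.Users.Actions,
# Az.OperationalInsights, Az.Monitor and Az.SecurityInsights. Run after
# Connect-MgGraph -Scopes "User.ReadWrite.All" and Connect-AzAccount.

# Placeholders (assumptions): the real UPN, resource group and reviewer are not
# stated in the write-up. The workspace name is the one used above.
$CompromisedUpn = "chris@example.invalid"
$ResourceGroup  = "<resource-group-of-SEC-Monitoring>"
$WorkspaceName  = "SEC-Monitoring"
$Reviewer       = "<your-upn>"

# 1. Disable the compromised account, then revoke its refresh tokens.
#    Unchecking "Account enabled" on its own does not invalidate tokens that
#    were already issued, so both steps are needed to stop a live session.
Update-MgUser -UserId $CompromisedUpn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $CompromisedUpn | Out-Null

# Verify the change before moving on; stop if the account is still enabled.
$user = Get-MgUser -UserId $CompromisedUpn -Property AccountEnabled
if ($user.AccountEnabled) { throw "Account $CompromisedUpn is still enabled" }

# 2. Re-create the "Microsoft Sentinel" diagnostic setting on the workspace,
#    sending audit + allLogs + AllMetrics back to the same workspace.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$logs = @(
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup "audit"
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup "allLogs"
)
$metrics = @(New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category "AllMetrics")
New-AzDiagnosticSetting -Name "Microsoft Sentinel" -ResourceId $ws.ResourceId `
    -WorkspaceId $ws.ResourceId -Log $logs -Metric $metrics | Out-Null

# 3. Close every open incident assigned to the reviewer as a true positive,
#    with the same classification reason chosen in the portal.
#    (Property/parameter names assumed from Az.SecurityInsights 3.x.)
Get-AzSentinelIncident -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Where-Object { $_.Status -ne "Closed" -and $_.OwnerUserPrincipalName -eq $Reviewer } |
    ForEach-Object {
        Update-AzSentinelIncident -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName `
            -Id $_.Name -Status Closed -Classification TruePositive `
            -ClassificationReason SuspiciousActivity `
            -ClassificationComment "Account $CompromisedUpn compromised; account disabled, sessions revoked, diagnostic settings restored." |
            Out-Null
        Write-Host "Closed incident #$($_.Number): $($_.Title)"
    }
```

Running the disable and the token revocation together is the part most worth keeping from this script: the portal walkthrough above stops the account from signing in again, but an attacker holding a valid token could continue until it expires unless sessions are also revoked. The `throw` after the Graph call makes the script fail loudly rather than silently continuing to the log-restoration steps if the disable did not take effect.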