
Configuring Microsoft Azure Sentinel to Forward Active Directory Event Logs

You can configure Microsoft Azure Sentinel to filter event logs from the Active Directory (AD) domain controllers for decoy accounts or enumeration detection. You can forward these logs to the Zscaler Deception Admin Portal when adversary actions are detected.

Prerequisites

Make sure the following prerequisites are met:

  • All AD domain controllers are configured to forward their Security event logs to Azure Sentinel.
  • The Azure Sentinel instance has network connectivity to the Deception Admin Portal on TCP port 443.

Configuring Microsoft Azure Sentinel to Forward AD Event Logs

Follow these steps to configure Azure Sentinel to forward logs to the Deception Admin Portal:

    A trigger script sends logs from Azure Sentinel to the Deception Admin Portal. To download the Azure Sentinel trigger scripts, see Configuring and Downloading a Trigger Script.

    1. Create a new logic app in the same resource group as the log analytics workspace. To learn more, refer to the Microsoft documentation.
    2. In the Logic Apps Designer, click Blank Logic App.

    3. In the Add a trigger window, go to All > Schedule > Triggers > Sliding Window.

    4. In the Sliding Window window, on the Parameters tab, configure the window for 1 minute.

    5. In the Add an action window, go to All > Azure Monitor Logs > Actions > Run query and list results.

    6. In the Azure Monitor Logs window, under Tenant, select the tenant with your Azure log analytics workspace and sign in to create a connection to Azure monitor logs.
    7. In the Run query and list results window:
      1. Select the same Subscription, Resource Group, and Resource Type as your log analytics workspace on Azure Sentinel.
      2. Enter the Resource Name.
      3. In Query, copy the SecurityEvent code from the trigger script you downloaded.

        The downloaded trigger script for Azure Sentinel has a different SecurityEvent code depending on the attack use case (Decoy User Accounts or Enumeration Detection) that you selected and the domain controller configuration.

      4. For Time Range, enter "Last hour".

    8. Click New Step.
    9. Click Condition Control.

    10. Under Condition, build your condition:
      1. Click Choose a value.
      2. On the Expression tab, select length(collection).

      3. On the Dynamic content tab, select value under Run query and list results.

        The value field is added within the length expression.

      4. Click OK.
      5. Select is greater than from the drop-down menu, and enter 0.

    11. Under True, click Add an action, and then select HTTP.

    12. In the HTTP window:

      1. Under Method, select POST from the drop-down menu.
      2. Under URI, copy the URI from the trigger script you downloaded.

        The downloaded trigger script for Azure Sentinel has a different URI depending on the attack use case (Decoy User Accounts or Enumeration Detection) that you selected and the domain controller configuration.

      3. Under Body, select Body from Run query and list results.

      To avoid data trimming, go to HTTP > Settings > Networking > Content Transfer and disable Allow chunking.

    13. Click Save to save the logic app.

    To test AD decoys, log in to a decoy AD user account. You can see events triggered in Azure Sentinel and the Deception Admin Portal.
