Detecting Stratus Red Team adversary emulation on Microsoft Azure with Wazuh | Wazuh

The article explains how to integrate Wazuh with Microsoft Azure and Microsoft Entra ID to collect telemetry from Azure Activity, Entra ID, and Azure Storage logs for detecting suspicious cloud behavior. It also shows how Stratus Red Team can emulate Azure and Entra ID attack techniques such as application backdoors, SAS-based exfiltration, resource lock deletion, and privilege escalation to validate custom Wazuh rules. #MicrosoftAzure #MicrosoftEntraID #Wazuh #StratusRedTeam

Keypoints

  • Wazuh is configured to ingest Azure Activity logs, Entra ID logs, and Azure Storage diagnostic logs from a Log Analytics workspace.
  • A Microsoft Entra ID service principal application is created and granted Log Analytics API permissions so Wazuh can access telemetry.
  • Azure Activity logging is set up to monitor subscription-level actions such as role assignments, policy changes, and resource lock deletion.
  • Entra ID Audit and Sign-in logs are enabled to track identity changes, authentication events, application updates, and consent grants.
  • Azure Storage diagnostic logs are enabled to detect blob access, SAS URL usage, and storage-related exfiltration activity.
  • Custom Wazuh rules are created to detect persistence, privilege escalation, exfiltration, defense evasion, and impact in Azure and Entra ID.
  • Stratus Red Team is used on an Ubuntu endpoint to simulate attacks and validate that the Wazuh detections trigger correctly.

MITRE Techniques

  • [T1651 ] Cloud Administration Command – Mapped by the article to the creation of service principal credentials that establish persistence in Entra ID (‘Add service principal credentials’). Note that MITRE catalogues added service principal credentials under T1098.001 Additional Cloud Credentials; T1651 itself covers running commands inside virtual machines through cloud management services.
  • [T1098 ] Account Manipulation – Used when creating federated identity credentials or application credentials to maintain persistent access (‘FederatedIdentityCredentials’, ‘Create application – Certificates and secrets management’, ‘federated identity credential creation’).
  • [T1005 ] Data from Local System – Used in the disk export scenario where a managed disk is accessed through a SAS URL to obtain data (‘Potential Azure managed disk export detected through SAS URL generation’).
  • [T1567 ] Exfiltration to Cloud Storage – Used to export disk data or move data out through storage-related SAS access (‘disk export or data exfiltration’, ‘storage exfiltration activity’).
  • [T1537 ] Transfer Data to Cloud Account – Used when Azure Storage account keys are retrieved to prepare for access or exfiltration (‘storage account key retrieval’).
  • [T1485 ] Data Destruction – Used when an Azure resource lock is deleted, removing protection before destructive changes (‘Azure resource lock deletion detected’).
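
The keypoints and the technique list above describe custom Wazuh rules that fire on specific Azure Activity, Entra ID audit and Storage blob operations. The block below is an added example, not code from the Wazuh post or from the Wazuh project: it replays constructed Log Analytics rows through match conditions equivalent to those rules, so the same scenarios (lock deletion, root-scope elevation, disk SAS generation, storage key listing, service principal credential addition, blob reads over SAS) can be checked offline before writing the XML. The Azure operation names are the ones Azure logs for these actions; the rule names, the `log_analytics_tag` convention, the simplified `InitiatedBy`/`TargetResources` strings and all sample values are assumptions.

```python
"""Detection logic mirroring the article's custom Wazuh rules (added example)."""
import json
from typing import Callable, Dict, List, Tuple

Record = Dict[str, object]


def _op(r: Record) -> str:
    """Lower-cased operation name: AzureActivity uses OperationNameValue,
    AuditLogs and StorageBlobLogs use OperationName."""
    return str(r.get("OperationNameValue") or r.get("OperationName") or "").lower()


def _succeeded(r: Record) -> bool:
    """AzureActivity writes a Start row and a Success row for one action;
    only the Success row should alert, otherwise every hit fires twice."""
    return str(r.get("ActivityStatusValue", "Success")) == "Success"


# (rule name, tactic, source table, predicate): one entry per article scenario.
# Rule names are assumptions; operation names are what Azure actually logs.
RULES: List[Tuple[str, str, str, Callable[[Record], bool]]] = [
    ("azure_resource_lock_deleted", "impact", "AzureActivity",
     lambda r: _succeeded(r) and _op(r) == "microsoft.authorization/locks/delete"),
    ("azure_elevate_access_root_scope", "privilege_escalation", "AzureActivity",
     lambda r: _succeeded(r) and _op(r) == "microsoft.authorization/elevateaccess/action"),
    ("azure_managed_disk_sas_generated", "exfiltration", "AzureActivity",
     lambda r: _succeeded(r) and _op(r) == "microsoft.compute/disks/begingetaccess/action"),
    ("azure_storage_account_keys_listed", "exfiltration", "AzureActivity",
     lambda r: _succeeded(r) and _op(r) == "microsoft.storage/storageaccounts/listkeys/action"),
    ("entra_service_principal_credential_added", "persistence", "AuditLogs",
     lambda r: _op(r) == "add service principal credentials" and r.get("Result") == "success"),
    ("storage_blob_read_via_sas", "exfiltration", "StorageBlobLogs",
     lambda r: _op(r) == "getblob" and r.get("AuthenticationType") == "SAS"),
]


def evaluate(record: Record) -> List[dict]:
    """Match one decoded event against the rules for its table and return the
    alerts, each carrying the actor and target an analyst looks at first."""
    table = str(record.get("log_analytics_tag", ""))
    alerts = []
    for name, tactic, rule_table, predicate in RULES:
        if rule_table == table and predicate(record):
            alerts.append({
                "rule": name, "tactic": tactic, "table": table,
                "actor": record.get("Caller") or record.get("InitiatedBy")
                or record.get("CallerIpAddress"),
                "target": record.get("_ResourceId") or record.get("TargetResources")
                or record.get("Uri"),
            })
    return alerts


def run(lines: List[str]) -> List[dict]:
    """Replay JSON events (one per line, the shape the Wazuh Azure module hands
    to the JSON decoder) and collect every alert in order."""
    alerts: List[dict] = []
    for line in lines:
        alerts.extend(evaluate(json.loads(line)))
    return alerts


def _row(table: str, **fields: object) -> str:
    """Constructed sample row. The Wazuh module tags each Log Analytics result
    with azure_tag and the log_analytics_tag configured for the query; here the
    tag is assumed to equal the table name."""
    return json.dumps({"azure_tag": "azure-log-analytics", "log_analytics_tag": table, **fields})


ACTOR = "attacker@wazuh_test.onmicrosoft.com"  # constructed identity
_RG = "/subscriptions/0000/resourceGroups/rg-prod/providers"  # constructed scope
SAMPLE_LINES = [
    # Start row of the lock deletion: must NOT alert (Success row follows).
    _row("AzureActivity", OperationNameValue="Microsoft.Authorization/locks/delete",
         ActivityStatusValue="Start", Caller=ACTOR, _ResourceId=_RG + "/Microsoft.Authorization/locks/keep"),
    _row("AzureActivity", OperationNameValue="Microsoft.Authorization/locks/delete",
         ActivityStatusValue="Success", Caller=ACTOR, _ResourceId=_RG + "/Microsoft.Authorization/locks/keep"),
    _row("AzureActivity", OperationNameValue="Microsoft.Authorization/elevateAccess/action",
         ActivityStatusValue="Success", Caller=ACTOR, _ResourceId="/providers/Microsoft.Authorization"),
    _row("AzureActivity", OperationNameValue="Microsoft.Compute/disks/beginGetAccess/action",
         ActivityStatusValue="Success", Caller=ACTOR, _ResourceId=_RG + "/Microsoft.Compute/disks/vm01_OsDisk"),
    _row("AzureActivity", OperationNameValue="Microsoft.Storage/storageAccounts/listKeys/action",
         ActivityStatusValue="Success", Caller=ACTOR, _ResourceId=_RG + "/Microsoft.Storage/storageAccounts/prodlogs"),
    # Benign read: no rule matches.
    _row("AzureActivity", OperationNameValue="Microsoft.Compute/virtualMachines/read",
         ActivityStatusValue="Success", Caller="ops@wazuh_test.onmicrosoft.com", _ResourceId=_RG + "/Microsoft.Compute/virtualMachines/vm01"),
    # InitiatedBy/TargetResources are JSON objects in the real table; simplified to strings here.
    _row("AuditLogs", OperationName="Add service principal credentials", Result="success",
         InitiatedBy=ACTOR, TargetResources="backdoor-app"),
    _row("StorageBlobLogs", OperationName="GetBlob", AuthenticationType="SAS", CallerIpAddress="203.0.113.10",
         Uri="https://prodlogs.blob.core.windows.net/backups/db.bak?sv=2022-11-02&sig=constructed"),
    # Same blob read with Entra ID auth: not the SAS pattern the article alerts on.
    _row("StorageBlobLogs", OperationName="GetBlob", AuthenticationType="OAuth", CallerIpAddress="10.0.0.5",
         Uri="https://prodlogs.blob.core.windows.net/backups/db.bak"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

Two points carry over to the real Wazuh rules: match on the `Success` status (or the Entra `Result`) so a single action does not raise two alerts, and key the SAS rule on `AuthenticationType` rather than on the presence of a signature in the URL, which is the field Storage diagnostic logs populate reliably.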

Indicators of Compromise

  • [URLs/Domains ] Azure CLI and Stratus Red Team acquisition sources – https://aka.ms/InstallAzureCLIDeb, github.com/DataDog/stratus-red-team/releases/download/v2.31.1/stratus-red-team_Linux_x86_64.tar.gz
  • [File paths ] Wazuh credential and config locations – /var/ossec/wodles/credentials/log_analytics_credentials, /var/ossec/etc/ossec.conf
  • [File names ] Stratus Red Team binary and archive – stratus, stratus.tar.gz
  • [Application/command identifiers ] Attack scenarios used for validation – entra-id.persistence.backdoor-application-sp, entra-id.persistence.backdoor-application-fic, azure.exfiltration.disk-export, azure.privilege-escalation.root-user-access-administrator, and 4 more scenarios
  • [Azure resource/log names ] Collected telemetry sources – AzureActivity, AuditLogs, SignInLogs, StorageBlobLogs
  • [Azure CLI output identifiers ] Environment and subscription context – AzureCloud, Azure subscription 1, wazuh_test.onmicrosoft.com

Read more: https://wazuh.com/blog/detecting-stratus-red-team-adversary-emulation-on-microsoft-azure-with-wazuh/