Our website is under attack

Adnan Alisic 0 Reputation points
2025-12-01T14:07:24.9566667+00:00

Our website experienced attacks yesterday around 18:35 UTC and again today, December 1st, around 12:42 UTC. Could you please investigate these incidents and help us understand what is happening and how to prevent further attacks?

Thank you.


Moved from: Community Center | Not monitored

Microsoft Security | Microsoft Defender | Other

1 answer

  1. David Broggy 6,776 Reputation points MVP Volunteer Moderator
    2025-12-02T17:49:20.4566667+00:00

    Hi @Adnan Alisic

    Most importantly, you need to be collecting logs to a SIEM in order to investigate your incidents.

    Here's a list of log sources you need to consider:

    Critical Priority (Tier 1) - Deploy First

    These logs provide immediate security value for detecting active threats and should be ingested into the Analytics tier for real-time analysis.

    Azure Infrastructure Logs

    • Azure Activity Logs - Track all control plane operations (resource creation, deletion, configuration changes)
    • Azure AD Sign-in Logs - Authentication events, failed logins, MFA challenges, risky sign-ins
    • Azure AD Audit Logs - User/group management, role assignments, policy changes
    • Azure AD Identity Protection - Risk detections, risky users, risky sign-ins
    • Azure Resource Health - Service health events affecting your resources

    Web Application & Application Layer

    • Web Server Access Logs (IIS/Apache/Nginx) - All HTTP/HTTPS requests with client IPs, URIs, status codes, user agents
    • Web Server Error Logs - Application errors, 4xx/5xx responses, exception details
    • Application Gateway Access Logs - Requests processed by Azure Application Gateway
    • Application Gateway Firewall Logs - WAF rule matches, blocks, and alerts
    • Application Insights - Custom application logs, exceptions, traces, dependencies
    • Azure App Service Logs - Application logs, HTTP logs, deployment logs
    • Custom Application Logs - Authentication/authorization events, business transaction logs, security-relevant application events

    Network Security

    • Azure Firewall Logs - Application rules, network rules, threat intelligence hits
    • Network Security Group (NSG) Flow Logs - Allowed/denied traffic flows at network layer
    • Azure DDoS Protection Logs - DDoS mitigation events and attack telemetry
    • Azure Front Door Access Logs - Global CDN/WAF request logs
    • Load Balancer Logs - Health probe events, backend pool availability

    Security Infrastructure

    • Microsoft Defender for Cloud Alerts - Security alerts from Azure Defender plans
    • Microsoft Defender for Endpoint - EDR telemetry, alerts, device events (if applicable)
    • Azure Key Vault Audit Logs - Secret/key/certificate access and modifications
    • Azure Storage Analytics Logs - Blob/file/queue/table access patterns

    Operating System & Endpoints

    • Windows Security Events - Event IDs 4624 (logon), 4625 (failed logon), 4672 (special privileges), 4688 (process creation)
    • Syslog from Linux Servers - Authentication (authlog), sudo commands, system events
    • Common Event Format (CEF) - Standardized security events from various appliances

    In addition, here are some first-steps which may help you set up Sentinel for your needs:

    Incident Investigation & Response Framework

    Immediate Investigation Steps

    Based on the attack timelines you've provided (December 1st at 18:35 UTC and December 1st at 12:42 UTC), here's a structured investigation approach:

    1. Initial Triage & Scoping

    • Define the attack window: Focus log analysis on 30 minutes before and after each incident (18:05-19:05 UTC and 12:12-13:12 UTC)
    • Identify affected systems: Document which web servers, applications, databases, and services were targeted
    • Assess attack type: Based on current trends, the most common attacks in late 2024 include:
      • SQL Injection attacks, which constitute over half of web application attacks AIONCLOUD
      • DDoS attacks, comprising about 53% of bot-driven attacks against web applications Barracuda Networks
      • API exploitation attempts
      • Authentication bypass attempts

    2. Critical Log Analysis

    You should immediately examine:

    Web Server Logs:

    • Access logs for unusual request patterns, especially:
      • Abnormal HTTP methods (PUT, DELETE, TRACE)
      • Suspicious user-agent strings
      • Unusual URI patterns with SQL syntax, script tags, or path traversal attempts
      • High-frequency requests from single IPs
      • Geographic anomalies in source IPs

    Application Logs:

    • Failed authentication attempts
    • Privilege escalation attempts
    • Unusual database queries
    • Error messages indicating exploitation attempts
    • New user accounts created during attack windows

    Network Logs:

    • Volumetric traffic patterns indicating DDoS flooding attacks Barracuda Networks
    • Connection attempts to unusual ports
    • Outbound connections to suspicious IPs (potential data exfiltration)
    • DNS queries to unknown or suspicious domains

    Security Device Logs:

    • WAF (Web Application Firewall) blocks and alerts
    • IDS/IPS signatures triggered
    • Firewall deny logs
    • Load balancer connection patterns

    3. Attack Pattern Identification

    Look for these specific indicators based on 2024 attack trends:

    Common attack patterns include security misconfigurations (30% of attacks), code injection (21%), and SQL injection attempts AIONCLOUD. Check for:

    • SQL Injection signatures: Look for queries containing OR 1=1, UNION SELECT, '; DROP TABLE, hexadecimal encoding, comment strings (--, /**/)
    • Authentication bypass attempts: Directory traversal exploits and command injection vulnerabilities Check Point
    • Bot activity: Repetitive patterns, rapid successive requests, known bot user-agents
    • API abuse: Excessive API calls, attempts to access undocumented endpoints

    Microsoft Sentinel Log Collection Strategy

    Priority Log Sources to Ingest

    Based on Microsoft Sentinel best practices and web application security requirements, configure these data connectors:

    Tier 1: Critical Security Data (Analytics Tier)

    Primary security data contains critical security value for real-time monitoring, scheduled alerts, and analytics to detect threats Microsoft Learn

    1. Web Application Logs

    • IIS/Apache/Nginx access and error logs
    • Application-specific logs (authentication, authorization, transactions)
    • WAF logs (ModSecurity, Azure WAF, CloudFlare, etc.)
    • Custom application logging for business logic events

    2. Security Infrastructure

    • Azure Activity Logs (track configuration changes)
    • Azure AD Sign-in logs
    • Security Events (Windows Event Logs)
    • Syslog from Linux servers
    • EDR/Antivirus alerts

    3. Network Security

    • Azure Network Security Group (NSG) flow logs
    • Azure Firewall logs
    • Load balancer logs showing distribution patterns

    4. Cloud Platform Logs

    • Azure Monitor metrics
    • Azure Resource health events
    • Azure Service Health alerts

    Tier 2: Secondary Investigation Data (Data Lake Tier)

    Secondary security data provides supplemental context for investigations with high-volume verbose logs Microsoft Learn

    5. Deep Network Analysis

    • NetFlow logs for understanding network communication patterns Microsoft Learn
    • VPC flow logs for examining network flows between clouds and endpoints Microsoft Learn
    • Proxy server logs containing user and application requests Microsoft Learn

    6. Supporting Context Logs

    • Storage access logs for identifying unauthorized data exposure Microsoft Learn
    • TLS/SSL certificate monitor logs for attacks involving certificates Microsoft Learn
    • DNS query logs

    Implementation Recommendations

    Data Collection Configuration

    Use Azure Monitor Agent and Data Collection Rules (DCRs) to filter logs and optimize data ingestion costs Microsoft Learn. Consider:

    1. Pre-filtering at source: Filter out irrelevant logs or unwanted details before ingestion into Sentinel Microsoft Learn
    2. Ingestion-time transformations: Use KQL transformations to filter data by rows or columns, normalize logs with ASIM, and remove sensitive data Microsoft Learn
    3. Custom parsing: Create custom parsers for your specific web application logs to extract meaningful fields

    Data Retention Strategy

    • Critical logs: 90-180 days in Analytics tier for active querying
    • Supporting logs: 365+ days in Data Lake tier for historical investigations
    • Configure appropriate retention based on compliance requirements and budget

    Investigation Benefits with Sentinel

    Collecting these logs into Sentinel provides:

    1. Unified Investigation Platform

    • Single-platform architecture for security data with unified query experience Microsoft Learn
    • Correlate events across multiple log sources using KQL queries
    • Built-in investigation graphs to visualize attack chains

    2. Advanced Analytics

    • Built-in detection rules for common web attacks (OWASP Top 10)
    • Anomaly detection using machine learning for unusual patterns
    • Threat intelligence integration to identify known malicious IPs/domains
    • UEBA (User and Entity Behavior Analytics) for detecting compromised accounts

    3. Automated Response

    • Playbooks (Logic Apps) for automated containment:
      • Isolate compromised VMs
      • Block malicious IPs at firewall/WAF
      • Disable compromised user accounts
      • Send alerts to security team

    4. Forensic Investigation

    • Search jobs for scanning large datasets and long-term retention data Microsoft Learn
    • Timeline reconstruction across multiple systems
    • Evidence preservation with audit trails
    • Integration with threat hunting workbooks

    5. Compliance & Reporting

    • Audit trails in AzureActivity and LAQueryLogs tables for tracking all actions and queries Microsoft Learn
    • Pre-built compliance reports
    • Incident documentation and case management

    Prevention & Hardening Recommendations

    Immediate Actions

    1. Patch & Update
      • Review applications for known CVEs, especially API-related vulnerabilities
      • Update web frameworks, libraries, and dependencies
      • Apply security patches to all infrastructure
    2. WAF Configuration
      • Enable/configure Web Application Firewall if not already active
      • Create custom rules for detected attack patterns
      • Enable OWASP Core Rule Set
      • Implement rate limiting per IP
    3. Access Controls
      • Implement IP whitelisting for administrative interfaces
      • Enable MFA for all administrative accounts
      • Review and restrict service account permissions
      • Implement least privilege access
    4. Input Validation
      • Implement strict input validation on all user-facing fields
      • Use parameterized queries to prevent SQL injection
      • Sanitize and encode all output
      • Implement Content Security Policy (CSP) headers

    Strategic Improvements

    1. Security Monitoring
      • Deploy Application Insights for application performance and anomaly detection
      • Configure Azure DDoS Protection
      • Implement real-time alerting for suspicious patterns
    2. Architecture Hardening
      • Segment networks to limit lateral movement
      • Implement Zero Trust architecture principles
      • Use Azure Private Endpoints for databases
      • Enable encryption in transit and at rest
    3. Incident Response Planning
      • Develop an incident response plan with defined roles, procedures, and communication protocols Cloud Tango
      • Create playbooks for common attack scenarios
      • Schedule regular tabletop exercises
      • Establish external vendor relationships (forensics, IR specialists)
    4. Regular Testing
      • Conduct regular vulnerability scans
      • Perform penetration testing
      • Run red team exercises
      • Review and test backup/restore procedures

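The log review steps in the answer above (scoping to 30 minutes either side of each incident, SQL injection and path traversal signatures in the URI, abnormal HTTP methods, suspicious user agents, high-frequency requests from single IPs), carried out in code as an added example that is not part of the original question or answer. It runs offline over constructed Apache/Nginx combined-format lines: every IP address, path and log line is made up, the 30 November date for "yesterday" is an assumption, and the signature lists and the per-minute threshold are starting points to tune rather than a vendor rule set. In Sentinel the same filtering would be a KQL query over the ingested web logs; the logic is the same.

```python
"""Access-log triage around the two reported attack windows.

Added example, not code from the original thread. Applies the answer's
indicator list to constructed combined-format lines; tune before real use.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD URI PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Question reports "yesterday" ~18:35 UTC and 1 Dec ~12:42 UTC; 30 Nov is assumed for "yesterday".
INCIDENTS = [
    datetime(2025, 11, 30, 18, 35, tzinfo=timezone.utc),
    datetime(2025, 12, 1, 12, 42, tzinfo=timezone.utc),
]
WINDOW = timedelta(minutes=30)
# Indicators from the answer, checked on the percent-decoded URI so %27 / %20 cannot hide them.
SQLI_RE = re.compile(
    r"(\bor\b\s+\d+\s*=\s*\d+|union\s+select|;\s*drop\s+table|--|/\*.*?\*/|0x[0-9a-f]{4,})", re.I)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I)
XSS_RE = re.compile(r"<\s*script", re.I)
ABNORMAL_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PROPFIND"}
# Known scanner agents plus empty or "-" agents; curl/python-requests are noisy in many environments.
SUSPICIOUS_UA = re.compile(r"(sqlmap|nikto|nmap|masscan|python-requests|curl/|^-?$)", re.I)

# Constructed sample input (all addresses are documentation ranges, all paths invented).
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Nov/2025:18:40:01 +0000] "GET /products?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Nov/2025:18:40:05 +0000] "GET /products?id=1%27%20OR%201%3D1-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Nov/2025:18:40:06 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2025:18:41:10 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Nov/2025:18:41:11 +0000] "TRACE / HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.33 - - [30/Nov/2025:18:50:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [30/Nov/2025:15:00:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',        # outside
    '198.51.100.200 - - [01/Dec/2025:12:10:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',   # 2 min outside
    'garbage that does not match the log format',
] + [  # six API requests from one source in the same minute, scanner user agent
    f'192.0.2.44 - - [01/Dec/2025:12:43:0{i} +0000] "GET /api/v1/users/{i} HTTP/1.1" 403 0 "-" "sqlmap/1.7.2"'
    for i in range(1, 7)
]

def parse_line(line):
    """One log line -> dict with parsed timestamp and decoded URI, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["decoded_uri"] = unquote(rec["uri"])
    return rec

def in_window(ts, incidents=INCIDENTS, window=WINDOW):
    """True if ts lies within +/- window of any reported incident time."""
    return any(abs(ts - t) <= window for t in incidents)

def classify(rec):
    """Indicator tags for one request; empty list means nothing matched."""
    uri = rec["decoded_uri"]
    tags = [name for name, rx in (("sqli", SQLI_RE), ("traversal", TRAVERSAL_RE), ("xss", XSS_RE))
            if rx.search(uri)]
    if rec["method"] in ABNORMAL_METHODS:
        tags.append("method:" + rec["method"])
    if SUSPICIOUS_UA.search(rec["ua"]):
        tags.append("ua")
    return tags

def triage(lines, rate_threshold=5):
    """Keep only requests inside the attack windows; flag signature hits and per-minute bursts."""
    flagged, per_minute, malformed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1          # counted, not silently dropped: parser gaps hide evidence
            continue
        if not in_window(rec["ts"]):
            continue
        per_minute[(rec["ip"], rec["ts"].replace(second=0))] += 1
        tags = classify(rec)
        if tags:
            flagged.append((rec["ip"], rec["ts"].isoformat(), tags, rec["method"], rec["uri"], rec["status"]))
    rate_alerts = {}
    for (ip, _minute), n in per_minute.items():
        if n >= rate_threshold:
            rate_alerts[ip] = max(rate_alerts.get(ip, 0), n)
    return {"in_window": sum(per_minute.values()), "malformed": malformed,
            "flagged": flagged, "rate_alerts": rate_alerts}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['in_window']} requests in attack windows, {result['malformed']} unparsed lines")
    for ip, ts, tags, method, uri, status in result["flagged"]:
        print(f"{ts} {ip:<15} {method:<5} {status} {','.join(tags):<14} {uri}")
    for ip, n in result["rate_alerts"].items():
        print(f"rate: {ip} made {n} requests in one minute")
```

Run against a real file with `triage(open("access.log"))`. The per-minute counter is deliberately keyed on the source IP only; behind a CDN or Application Gateway the client address is in `X-Forwarded-For`, so log that header and key on it instead, otherwise every burst looks like it comes from the proxy.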

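The "use parameterized queries" and "strict input validation" items under Input Validation in the answer, shown next to the string-built query they replace. This is an added example, not code from the original thread: it uses an in-memory SQLite table of made-up accounts (the names `make_db`, `login_vulnerable`, `login_safe` and `validate_username` are chosen here) and feeds both query styles the `OR 1=1` and `UNION SELECT` payloads the answer lists as signatures, so the difference is observable rather than asserted.

```python
"""String-built SQL beside its parameterized replacement.

Added example, not code from the original thread. The table and accounts
are constructed; the point is that the same payload the answer tells you to
look for in logs works against concatenation and does nothing against binding.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")  # allowlist: shape of a valid username, nothing else

def make_db():
    """In-memory table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])
    return conn

def validate_username(username):
    """First layer from the answer: reject input that cannot be a username before it reaches SQL."""
    return bool(USERNAME_RE.match(username))

def login_vulnerable(conn, username, password_hash):
    """Query built by concatenation: attacker text becomes SQL syntax (deliberately vulnerable)."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password_hash):
    """Same query with placeholders: values are bound as data and cannot alter the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]

if __name__ == "__main__":
    db = make_db()
    payloads = [("alice' OR 1=1--", "wrong"),                       # auth bypass: matches every row
                ("' UNION SELECT password_hash FROM users--", "x")]  # data theft: returns the hash column
    for user, pw in payloads:
        print(f"payload {user!r}: validated={validate_username(user)} "
              f"vulnerable={login_vulnerable(db, user, pw)} safe={login_safe(db, user, pw)}")
```

Validation and parameterization are separate layers: the allowlist stops junk early and gives you a clean log event to alert on, while binding is what actually removes the injection, so keep it even for fields whose validation looks strict today.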