In this lab, we step into the role of a Security Operations Center (SOC) analyst tasked with investigating a surge in suspicious activity within a Microsoft Azure environment. The anomalous behavior originates from an unexpected geographic location, raising concerns about unauthorized access and a possible data breach. As part of the investigation, we will use the Elastic Stack (ELK), specifically Elasticsearch, Logstash, and Kibana, to analyze three log sources that have been configured to flow into the ELK platform for centralized analysis: Azure Active Directory (AD) logs, Azure Activity Logs, and Blob Storage logs.
Throughout this walkthrough, we will apply cloud forensics and threat hunting to uncover the tactics and techniques used by the attacker: identifying the origin of the attack, tracing the attacker's movements across the infrastructure, and evaluating the scope of the compromise. The investigation touches on several MITRE ATT&CK tactics, including Initial Access, Persistence, Privilege Escalation, Lateral Movement, and Exfiltration. By dissecting the logs and correlating events across sources on the fields they share (user principal, source IP address, and timestamp), we will build a comprehensive picture of the attack, understanding not just what happened but also how and why it occurred.

The lab will challenge us to identify compromised accounts, suspicious IP addresses, unauthorized access to resources, and potential data exfiltration attempts. We will also explore how attackers establish persistence and escalate privileges within a cloud environment, emphasizing the importance of proactive monitoring and response in modern security operations.
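The core of the investigation described above is a pivot: flag a sign-in from outside the expected geography, take its source IP, and follow that IP through the Azure AD, Activity, and Blob Storage logs to build a single timeline. The following Python script is an added example, not part of the original lab, that performs this correlation offline. All log records in it are constructed; the field names approximate the Azure export schemas (Graph `signIn`, Activity log, and Blob Storage diagnostic logs) but the values, the `BASELINE_COUNTRIES` set, the `contoso.example` tenant, and the IP addresses are assumptions for illustration. In ELK the same pivot would be done with a Kibana filter on the flagged `ipAddress` / `callerIpAddress` field across the three indices.

```python
"""Added example (not from the original lab): pivot from an anomalous Azure AD sign-in IP
into Activity and Blob Storage logs and build a time-ordered attacker timeline.
All records below are constructed; field names approximate the Azure export schemas."""
from collections import defaultdict

# Assumption for the example: the tenant normally sees sign-ins only from these countries.
BASELINE_COUNTRIES = {"US", "GB"}

# Constructed Azure AD sign-in records (subset of the Microsoft Graph signIn shape).
# errorCode 0 is success; 50126 is the Azure AD code for an invalid username or password.
SIGNIN_LOGS = [
    {"createdDateTime": "2024-03-04T08:12:09Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.5", "appDisplayName": "Azure Portal",
     "location": {"countryOrRegion": "US", "city": "Seattle"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2024-03-04T09:41:55Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "location": {"countryOrRegion": "BR", "city": "Sao Paulo"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-03-04T09:42:31Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "appDisplayName": "Azure Portal",
     "location": {"countryOrRegion": "BR", "city": "Sao Paulo"}, "status": {"errorCode": 0}},
]
# Constructed Azure Activity (control-plane) log records.
ACTIVITY_LOGS = [
    {"time": "2024-03-04T08:15:40Z", "caller": "alice@contoso.example", "callerIpAddress": "203.0.113.5",
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "resultType": "Success"},
    {"time": "2024-03-04T09:50:02Z", "caller": "bob@contoso.example", "callerIpAddress": "198.51.100.7",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "resultType": "Success"},
    {"time": "2024-03-04T10:03:17Z", "caller": "bob@contoso.example", "callerIpAddress": "198.51.100.7",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "resultType": "Success"},
]
# Constructed Blob Storage diagnostic records; callerIpAddress carries a source port here.
BLOB_LOGS = [
    {"time": "2024-03-04T08:20:10Z", "operationName": "PutBlob", "callerIpAddress": "203.0.113.5:44100",
     "uri": "https://stprod.blob.core.windows.net/uploads/report.pdf", "identity": {"requester": {"upn": "alice@contoso.example"}}},
    {"time": "2024-03-04T10:11:45Z", "operationName": "GetBlob", "callerIpAddress": "198.51.100.7:52311",
     "uri": "https://stprod.blob.core.windows.net/exports/customers.csv", "identity": {"requester": {"upn": "bob@contoso.example"}}},
    {"time": "2024-03-04T10:12:02Z", "operationName": "GetBlob", "callerIpAddress": "198.51.100.7:52312",
     "uri": "https://stprod.blob.core.windows.net/exports/finance-2023.xlsx", "identity": {"requester": {"upn": "bob@contoso.example"}}},
]


def strip_port(addr):
    """Return the IP part of 'ip:port', '[v6]:port', or a bare IPv4/IPv6 address."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # exactly one colon: IPv4 with port
        return addr.rsplit(":", 1)[0]
    return addr                       # bare IPv4 or bare IPv6


def anomalous_signins(signins, baseline=BASELINE_COUNTRIES):
    """Successful sign-ins (errorCode 0) whose country is outside the baseline."""
    return [s for s in signins
            if s["status"]["errorCode"] == 0 and s["location"]["countryOrRegion"] not in baseline]


def build_timeline(signins, activity, blobs, baseline=BASELINE_COUNTRIES):
    """Pivot from the anomalous sign-in IPs into every log source; return events sorted by time.
    Failed sign-ins from a flagged IP are kept so the guessing that preceded success is visible."""
    suspect_ips = {s["ipAddress"] for s in anomalous_signins(signins, baseline)}
    events = []
    for s in signins:
        if s["ipAddress"] in suspect_ips:
            ok = s["status"]["errorCode"] == 0
            events.append({"time": s["createdDateTime"], "source": "signin", "ip": s["ipAddress"],
                           "actor": s["userPrincipalName"], "outcome": "success" if ok else "failed",
                           "detail": f"{s['appDisplayName']} errorCode={s['status']['errorCode']}"})
    for a in activity:
        if a["callerIpAddress"] in suspect_ips:
            events.append({"time": a["time"], "source": "activity", "ip": a["callerIpAddress"],
                           "actor": a["caller"], "outcome": a["resultType"], "detail": a["operationName"]})
    for b in blobs:
        ip = strip_port(b["callerIpAddress"])
        if ip in suspect_ips:
            upn = b.get("identity", {}).get("requester", {}).get("upn", "unknown")
            events.append({"time": b["time"], "source": "storage", "ip": ip, "actor": upn,
                           "outcome": "", "detail": f"{b['operationName']} {b['uri']}"})
    events.sort(key=lambda e: e["time"])   # equal-format ISO-8601 UTC strings sort correctly
    return events


def summarize(events):
    """Per suspect IP: actors seen, sign-in outcomes, control-plane operations, and blobs read."""
    summary = defaultdict(lambda: {"actors": set(), "failed_signins": 0, "successful_signins": 0,
                                   "operations": [], "blobs_read": 0})
    for e in events:
        s = summary[e["ip"]]
        s["actors"].add(e["actor"])
        if e["source"] == "signin":
            s["failed_signins" if e["outcome"] == "failed" else "successful_signins"] += 1
        elif e["source"] == "activity":
            s["operations"].append(e["detail"])
        elif e["source"] == "storage" and e["detail"].startswith("GetBlob"):
            s["blobs_read"] += 1
    return dict(summary)


if __name__ == "__main__":
    timeline = build_timeline(SIGNIN_LOGS, ACTIVITY_LOGS, BLOB_LOGS)
    for e in timeline:
        print(f"{e['time']}  {e['source']:<8} {e['ip']:<14} {e['actor']:<22} {e['outcome']:<8} {e['detail']}")
    for ip, s in summarize(timeline).items():
        print(ip, s)
```

Reading the resulting timeline top to bottom gives the narrative the lab is after: a failed then successful sign-in for `bob@contoso.example` from a non-baseline country (Initial Access), a role assignment written from the same IP (Privilege Escalation / Persistence), storage account keys listed (Credential Access), and two `GetBlob` reads of export files (Collection / Exfiltration). The ATT&CK labels are analyst interpretation of the constructed events, not something the logs state themselves; in a real case the next pivot would be the `roleAssignments/write` request body and the `uri` values, to establish what was granted and what left the tenant.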