by Dr. Radut

AI Attack Simulation with Microsoft Sentinel

Published by Laurie Rhodes -

Very quietly, the last two weeks has seen the general availability of AI capability take another big step forward.  Anthropic's announcement of support for Model Context Protocol with Claude Desktop provides wide access for Artificial Intelligence to utilise tools when asked to perform tasks.

The use of tools isn't in itself revolutionary but until now there hasn't been any defacto standard on how they should be written without the use of separate and heavy frameworks.  Model Context Protocol and TypeScript (or Python) simplifies this.  The bonus is that MCP servers are transportable and can be used directly with custom API driven solutions in Container Apps and Function Apps.  

Microsoft Sentinel Attack Simulator

This project serves a couple of purposes.  I've been working a lot with Microsoft's Advanced Security Information Model (ASIM) schemas with Security Data Warehousing.  There are really big reasons for Microsoft's security capability to normalise data structures onto standardised tables and move away from the "bitsy" product based Custom Log tables we have worked with in Sentinel until now.  It's a really big job for Microsoft to work through the integration of hundreds on product logs into a supported normalisation and we all have countless numbers of Sentinel alert rules that will need to be migrated to work with the new ASIM format.

With the migration of Sentinel alert rules to ASIM, we need to be able to test our alerts.  Common knowledge says that it's not possible to test alert events in Sentinel... but this isn't actually true anymore.  Using Azure Monitor Agent Data Collection Rules, we cant write test data to ASIM tables.    Claude Desktop's support for Model Context Protocol allows it to perform web searches and with the tool provided here, simulate events with Sentinel.

Example Use

To show how this simulation can occur, I'm going to randomly select one of the lastest published vulnerabilities from https://www.exploit-db.com/

Exploit database

With Claude Desktop running the Sentinel Writer server, I provide a clear prompt instructing AI to consider the exploit and the Sentinel tables events related to the exploit would be shown in. 

AI Prompt

And AI does the rest!

Claude AI Response:

I'll create a sequence of events that would represent the attack pattern for an authenticated RCE in a web application like SOPlanning.

Successfully wrote ASimWebSessionLogs event to Sentinel

Successfully wrote ASimFileEventLogs event to Sentinel

Successfully wrote ASimProcessEventLogs event to Sentinel

Successfully wrote ASimNetworkSessionLogs event to Sentinel: 

This sequence represents:

  1. Initial authenticated web session
  2. Suspicious file upload to the web application
  3. Creation of a potentially malicious PHP file
  4. Process execution under the web server context
  5. Suspicious outbound network connection

These events would trigger several potential detection rules:

  • Suspicious file uploads to web directories
  • Unusual process execution from web server
  • Suspicious outbound connections from web server

Would you like me to create any additional events or help develop specific detection rules for this attack pattern?

I can verify the writing of this data to Sentinel:

Sentinel data verified

Notes about this project

The full project is available here: https://github.com/LaurieRhodes/PUBLIC-Sentinel-Attack-Simulator

  • Read the documentation from the root of the project for the install.  
  • The installation uses a workaround for a current bug that prevents loading of MCP servers with Windows desktops.
  • Schemas are provided for AI for all writeable Sentinel tables and AI is required to validate adherence to schemas prior to submitting events.

Writing to Sentinel requires AMA Data Collection Rules to be deployed for all supported tables.  Custom schemas and rules may be created for Custom Log (_CL) tables.  The currently supported tables for writing are:
 

  • Anomalies
  • ASimAuditEventLogs
  • ASimAuthenticationEventLogs
  • ASimAuthenticationEventLogs.old
  • ASimDhcpEventLogs
  • ASimDnsActivityLogs
  • ASimFileEventLogs
  • ASimNetworkSessionLogs
  • ASimProcessEventLogs
  • ASimRegistryEventLogs
  • ASimUserManagementActivityLogs
  • ASimWebSessionLogs
  • AWSCloudTrail
  • AWSCloudWatch
  • AWSGuardDuty
  • AWSVPCFlow
  • CommonSecurityLog
  • GCPAuditLogs
  • GoogleCloudSCC
  • SecurityEvent
  • Syslog
  • WindowsEvent

There is endless opportunity for improvement with this project and it's taught me the importance of evolving data quality validations and providing context to AI about the data its working with.  That itself could become a full time job!  

Knowing what I know now, there is a lot I want to clean up, especially with my Data Collection Rules and their casting of data types using project.  In it's current state this is still a useful tool for understanding AI interaction with Sentinel which opens the door for a lot more interesting Security automation.