DIVING DEEP INTO MICROSOFT SENTINEL
INTRODUCTION
WHAT YOU’LL LEARN
» The fundamentals about what Sentinel is, and how it works.
» How to ingest data into Sentinel for analysis
» Setting up Workbooks to visualize the data, potential issues and trends
» Using Playbooks to automate alerts and remediation
» Hunting for Indicators of Compromise
Fundamentals of Microsoft Sentinel
CHAPTER 01
Microsoft Sentinel is a cloud native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. A SIEM solution aggregates data and provides real-time analysis of security alerts generated by applications and network appliances. A SOAR solution automates the investigation of and response to security alerts. It is common for IT professionals to mix up the capabilities of SIEM and SOAR, since they tend to work together toward the goal of protection. However, these were traditionally two separate products or components. Microsoft designed Microsoft Sentinel to handle both SIEM and SOAR.
What matters most about Microsoft Sentinel is that it can:
» Be set up in a relatively short time
» Gather data from cloud and on-premises security sources
» Provide automated analysis and remediation of anomalies with little human intervention.
How Does It Work?
First, devices and services need to start streaming their data into Microsoft Sentinel via Data Connectors. Technically, the data flows into Azure Log Analytics. Workbooks are used to visualize the data, potential issues and trends, and help create specific queries. These queries can help create rules called Analytics. After creating analytic rules, you start to see Incidents, as well as process automated actions via Playbooks. When analyzing Incidents, you can leave a trail of Bookmarks to flag interesting or anomalous data for follow up and discover other areas that may be affected. Finally, and after gaining experience, you can go Hunting for threats. Each concept is outlined in more detail below:
Data Connectors – These are connection methods to the variety of sources Microsoft Sentinel can integrate with. There are multiple different connector types:
» Service to Service: Out of the box, native connections (e.g. Office 365) are integrated with a few clicks
» External solution via API: 3rd party solutions that have integration provided by a set of APIs
» External solution via agent: Agent-based deployment via a Linux server to collect Syslog or Common Event Format (CEF) logs. The agent can also be deployed directly on servers that are not connected to Azure.
Log Analytics
All data ingested into Microsoft Sentinel must come from a Log Analytics workspace. A workspace is basically a limitless storage container to hold all your data from a variety of sources. It is recommended to have a single, dedicated workspace created for Microsoft Sentinel.
Workbooks
Workbooks provide a means of monitoring the data that has been ingested into Microsoft Sentinel.
Built-in workbooks allow you to evaluate data immediately. Custom workbooks can also be created to allow you to view your data the way you need to.
Analytics
Custom rule sets that can be created to search across all ingested data to discover potential threats. There are many pre-built rules provided, as well as connections to Microsoft sources such as Microsoft Defender ATP and Cloud App Security. Additional custom rules can be created based on queries. These can run on a scheduled interval. All hits from each rule can generate an incident and/or run a playbook.
Incidents
Alerts that are generated based on Analytic rule sets. An incident can contain multiple alerts. They allow for further investigation to determine if there were additional areas of exposure using the investigation graph.
Incidents can be assigned to an individual to delegate the investigative tasks.
Playbooks
Playbooks are essentially Azure Logic Apps with a specific designation to Microsoft Sentinel alerts. They allow for an orchestrated and automated response to alerts that are triggered via Analytics. Anything that you can do within a new or existing Logic App can also be extended to run based on a Microsoft Sentinel alert.
Notebooks
Microsoft Sentinel has integrated Jupyter notebooks directly into the Azure Portal. A notebook is a web application integrated into your browser that allows you to have live visualizations and code/queries running directly within the browser. A few notebooks are provided by Microsoft to illustrate their capabilities.
Hunting
Hunting allows for manual, proactive investigations into possible security threats based on the ingested data. Microsoft provides several built-in queries, and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule. Hunting capabilities include:
» Queries (using Kusto Query Language)
» Notebooks
» Bookmarks
» Live Stream
How Much Does It Cost?
Because you’re storing data in the cloud, and not in databases on premises, Microsoft Sentinel’s cost is generally attractive. To calculate the anticipated costs, you will need to estimate how much data will be ingested per day as well as how long the data will be retained.
There are multiple areas where charges are incurred:
» Data ingested from network appliances, AWS, etc.
» Data ingested from Log analytics, Logic app runs, and machine learning models
» Data storage for longer than 90 days
Breakdown of Anticipated Costs for Data Ingestion
Capacity                Microsoft Sentinel                                  Azure Log Analytics
None (Pay-As-You-Go)    $2.46 per GB ingested                               $2.76 per GB (first 5 GB free per month)
100 GB per day          $123 per day                                        $219.52 per day
200 GB per day          $221.40 per day                                     $412.16 per day
300 GB per day          $319.80 per day                                     $604.80 per day
400 GB per day          $410 per day                                        $788.48 per day
500 GB per day          $492 per day                                        $968.80 per day
501+ GB per day         $492 per day + $98.40 per day for each 100 GB       $968.80 per day + $193.76 per day for each 100 GB
                        increment after 500 GB in daily capacity            increment after 500 GB in daily capacity
If you choose a capacity reservation, you are charged a fixed fee up to the capacity limits. If you exceed the chosen capacity, you are charged the per GB rate over the capacity.
The Pay-as-you-go rate is ideal for initial deployments, smaller organizations, or if you do not know how much data you will need to ingest. It takes between 65-70GB of data within the Pay-as-you-go model to match the costs of the 100GB/day capacity. You can increase or decrease your capacity at any time.
There are several free elements as well, including:
» First 31 days of Microsoft Sentinel
» 90 day retention ($0.12/GB/month after 90 days)
» Microsoft data source ingestion*:
  • Azure Activity Logs
  • Office 365 Audit Logs (all SharePoint activity and Exchange admin activity)
  • Microsoft Threat Protection products:
    • Azure Security Center
    • Azure Defender
    • Microsoft 365 Defender
    • Microsoft Defender for Office 365
    • Microsoft Defender for Identity
    • Microsoft Defender for Endpoint
    • Microsoft Cloud App Security
» NOTE: Azure Active Directory (AAD) data is not free
Microsoft Sentinel may be the newcomer to the SIEM world; however, it is quickly becoming a top tier solution due to its cloud native design. Microsoft has made a significant investment into this service and has all intentions of driving its capabilities above and beyond what competitors offer. With the ease of deployment, minimal to no cost initial integrations into Microsoft services, and familiar Azure interface, Microsoft Sentinel provides the means for any organization to have a SIEM solution.
In the next section on Microsoft Sentinel, we will take you through the process of initial setup and onboarding data sources to Microsoft Sentinel. If you’d like assistance, Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.
Onboarding Data Sources into Microsoft Sentinel
CHAPTER 02
Knowing what data you wish to analyze within a SIEM solution provides a tremendous advantage to deploying Microsoft Sentinel. However, that is not always the case during an initial deployment. You don’t know what you don’t know.
Luckily, Microsoft allows free ingestion of most Azure and Office 365 activities (note, Azure AD Audit data is not free). If you are unsure of how you plan on best utilizing a SIEM solution, it is recommended to get started using the free data for a very low cost solution until you have a security operations plan and understand how Microsoft Sentinel will support that plan.
Getting Started
To get started with Microsoft Sentinel there are a few basic prerequisites:
» Active Azure subscription
• Contributor permissions on the subscription are required to create the Microsoft Sentinel components
» Log Analytics Workspace
• Recommend creating a new, dedicated workspace for Microsoft Sentinel
• Contributor or reader permissions on resource group where workspace is located
» Additional permissions based on data connectors
Once the prerequisites have been configured, go to the Azure Portal and search for and select Microsoft Sentinel. Choose your dedicated workspace (or select Add if it is not already created). This will configure the workspace for Microsoft Sentinel (increasing free retention to 90 days, as opposed to 30 days) and then take you to the Overview page.
Ingesting Data
Once Microsoft Sentinel has been provisioned, your first task is to connect your data sources. There are currently three methods to connect a variety of data sources.
» Service to Service
» APIs
» Syslog/Common Event Format
Service-to-Service
Service-to-Service connection options are fully configured with a few clicks directly in the Azure portal, as long as you have the right level of permissions. For example, to connect Office 365 data, you need to use a Global or Security Administrator account to authenticate and add the data connector. However, no other configuration or components are required. Simply go to the connector’s page under Microsoft Sentinel > Data Connectors. There will be an option to connect to the service. For the Office 365 data connector, select Exchange and/or SharePoint and click Apply changes. You will be able to see data flowing to Microsoft Sentinel within 15 minutes. Each connector has insights into the amount of data received.
New Dynamic, New Tools
Get familiar with the new tools to troubleshoot and triage issues. For Teams, that means the Call Quality Diagnostic tool. If users experience poor quality, help desks can use the Call Quality Diagnostic (CQD) tool to ID where the issue lies (i.e. headset, network, or service). If it appears the Internet is the root cause, users can check their last mile by using ping or tracert to 13.107.64.2 (Microsoft’s virtual head-end).
APIs
Several supported external solutions can connect via API or agent. API connections are typically embedded into the appliance configuration, and you need to share the Microsoft Sentinel Workspace ID and Key. For example, if you have a Barracuda Web Application Firewall, you can configure the solution to send directly to Microsoft Sentinel by obtaining the Workspace ID and key from Microsoft Sentinel and following the instructions provided by Microsoft and the vendor solution page.
Syslog/CEF
The final connection option is an agent-based Linux server to proxy syslog or Common Event Format (CEF) logs. Most major Linux OS types are supported (See Prerequisites). You can choose to deploy your own server in Azure or an alternative location (on-premises, other cloud, etc.). Some data connectors allow for an automatic deployment on an Azure based Linux VM. It is recommended to deploy the agent in the same location where the data source lives. You can have a single agent for multiple data sources.
Data sources can use the default port of 514. TCP is preferred, but UDP and TLS are supported. For TLS communication, you will need to configure the Syslog daemon (rsyslog or syslog-ng) to communicate in TLS. If deploying the server on-premises, the agent VM also needs to communicate with Microsoft Sentinel via port 443.
General instructions are provided in the data connector page. You need to install the agent collector on the Linux VM by running the following commands:
### Verify Python on your machine ###
python --version
### Run with elevated permissions; replace the two placeholders with the values from your workspace ###
### (the installer script lives in the Azure/Azure-Sentinel GitHub repository) ###
sudo wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py && sudo python cef_installer.py [WorkspaceID] [Workspace Primary Key]
This can be copied directly from the data collector page. Additional instructions for each type of data connector are also provided to forward Syslog or CEF logs to the agent VM.
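Once the collector is running, the next thing a practitioner wants is proof that events are actually arriving from each forwarding device. The KQL query below is an added example, not from the guide or from Microsoft’s connector page; it assumes the agent forwards into Sentinel’s CommonSecurityLog table (where CEF events land) and that 60 minutes of silence is a reasonable threshold to tune.

```kql
// Added example: confirm CEF data is arriving per forwarding device and flag quiet sources.
// Assumes the CEF agent deployed above writes to the CommonSecurityLog table.
CommonSecurityLog
| where TimeGenerated > ago(24h)                       // time filter first, on the table column
| summarize Events = count(),
            LastEvent = max(TimeGenerated)
          by Computer, DeviceVendor, DeviceProduct     // Computer is the collector VM, Device* the source
| extend MinutesSinceLastEvent = datetime_diff('minute', now(), LastEvent)
| extend Status = iff(MinutesSinceLastEvent > 60, "SILENT", "OK")   // assumed 60 minute threshold
| order by MinutesSinceLastEvent desc
```

A source that shows up with Status SILENT, or does not show up at all, points at the forwarder’s syslog configuration or the port 514/443 path described above rather than at Sentinel itself.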
Summary
Connecting your data sources is the first step to begin utilizing Microsoft Sentinel. It is recommended to immediately connect the free, built-in components, such as Office 365 data, to easily test out Microsoft Sentinel. Once you connect a data source, you can begin creating workbooks, hunting queries, and analytic rules. Fortunately, Microsoft has also provided most data connectors with Microsoft-created templates for each of these components. If you are not sure what specifically to hunt for, these templates provide an out of the box experience to maximize your initial efforts in deploying Microsoft Sentinel.
What’s Next
In the next section, we will go through example use cases of the data captured and the overall operations of Microsoft Sentinel.
Operating Microsoft Sentinel
CHAPTER 03
Now that Microsoft Sentinel has started collecting data, it’s time for a deep dive into each component to discover how to utilize the data. The examples below are sample use cases of what Microsoft Sentinel can do. It is by no means an extensive overview of the capabilities. There is a massive amount of potential available.
Always start simple with the built-in features Microsoft provides. Start with specific scenarios or risks you wish to monitor. Then build onto that with more advanced, specific queries as you identify potential threats that are impacting your organization. This blog outlines some sample use cases from the following components:
» Workbooks
» Hunting
» Analytics
» Incidents
» Playbooks
Workbooks
Workbooks allow you to take the data ingested into Microsoft Sentinel and visualize what it looks like. There are built-in templates provided by Microsoft and custom workbooks can be created. Workbooks can provide quick wins, since they’ll provide logical insights without requiring Microsoft Sentinel expertise.
One such template is the Exchange Online Workbook, showing insights on email activities within the tenant.
The following is an example of potential suspicious activities to investigate.
Another template, the Security Alerts workbook, provides a holistic view of where alerts are coming from and their overall severity. This can help identify where a lot of noise may be coming from and allow further investigation or modification of existing policies to reduce false positives.
Microsoft is disabling legacy authentication on Oct. 13, 2020 for several protocols. You can use the Insecure Protocols workbook to capture existing legacy authentication attempts to plan on migrating to Modern Authentication. This workbook can account for both Azure AD and on-premises Active Directory authentication.
Custom Workbooks
Custom workbooks can be created to provide the exact insights you are looking for. You can add several different components including text labels, parameters for resource picker searches, and links and buttons for actions. Queries and metrics can be added for further customization. Finally, using the advanced editor, you can import Gallery or ARM templates to create the workbook from JSON code.
Hunting
For advanced Security Operators and IT Pros, hunting allows proactive assessments against specific risks. They allow manual, proactive investigations into possible security threats based on the ingested data. Hunting is based off queries. Microsoft provided several built-in queries and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule.
Sample queries can also be obtained from each data connector page.
Analytics
Once you have a solid query created, you can create an analytic alert rule to perform additional actions on those results. As with most other components of Microsoft Sentinel, Microsoft has also provided built-in analytic template rules with pre-created queries based on the data sources. You simply need to select the template and click Create rule.
During the creation of a template or custom analytic rule, you can configure specific settings to create an appropriate schedule and alert threshold. You can specify how often to run the query and how far back to search. In addition, the alert threshold specifies how many results are required to issue an incident alert.
On the next page, you define whether to create an incident alert from the results.
Alert Grouping will allow you to group a minimum number of results together rather than potentially creating an incident alert for each result.
Finally, you can assign a playbook for automated remediation or actions against the results.
Incidents
Incidents are only created when specified by an analytic alert rule. In the Microsoft Sentinel Portal, click on Incidents to view a list of all incidents created. Clicking on View full details provides additional information on the incident. You can change the severity, if applicable, set the Status, and assign the incident to the responsible individual to investigate further. You can also manually submit the results of this incident against any playbook created for Microsoft Sentinel.
Currently in preview, clicking on Investigate provides the Investigation Graph. This provides an interactive overview of all entities involved in the incident. It assists in understanding the scope and impact of the incident, determining a root cause, and stopping any potential threats that may be occurring elsewhere.
Playbooks
Playbooks are Azure Logic Apps made specific to Microsoft Sentinel by adding an API connection to Microsoft Sentinel alerts. The example playbook below sets an Azure AD user account to disabled when an alert is triggered and puts a comment into the Incident. Additional actions can be added, such as a simple email notification. Anything that Logic Apps can connect to can be tied into a Microsoft Sentinel Playbook and Analytic Rule to automate that action.
This has been a small sample of the capabilities of Microsoft Sentinel. Microsoft Sentinel can be extended in many ways to manage and monitor your environment. You can integrate Microsoft Sentinel into an existing Splunk deployment or deploy it as Infrastructure as Code using DevOps. Microsoft Sentinel can be used in conjunction with Azure Lighthouse to manage and monitor multiple Azure environments, giving Enabling Technologies the ability to fully manage your Microsoft Sentinel deployment and ongoing operations and incident response.
Advanced SecOps – Hunting
CHAPTER 04
Microsoft Sentinel Hunting is based off queries. It allows for manual, proactive investigations into possible security threats based on the ingested data as well as retroactive pursuits of attacks and root cause analysis.
Hunting consists of several capabilities:
» Queries - Microsoft provides several built-in queries, and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule.
» Bookmarks - Lets you save items discovered across queries, workbooks, and other activities for later investigations or incidents
» Livestream - Live, interactive sessions that use queries and provide results in real time as they occur
» Notebooks - Provides guided step-by-step hunting and investigation workflows that can be reused
Queries are based on Kusto Query Language (KQL). These can be very simple queries to extremely complex, specific use case scenarios. To get started, in the Microsoft Sentinel Portal, go to Hunting. You can run one or all the built-in queries or click New Query to create a new custom query.
When building a query, if you are not familiar with the data types available in Microsoft Sentinel, you can use the left side of the page to view the available tables and filters to assist with creating the correct query. While typing, you are provided an ISE-like experience to help define your query. In addition to the built-in queries provided by Microsoft, there are many examples on GitHub and other online sources.
Having some idea of what you are hunting will help draft these queries.
Live Stream
While queries help discover activity that has already occurred and been ingested, hunting using livestream allows you to create an interactive session and actively run queries to find any activities you are searching for, malicious or not. When an alert occurs, you will receive an Azure Portal notification. Each session can also be used to create an analytic alert rule by clicking Elevate to alert.
At some point in your Microsoft Sentinel journey, the built-in and community provided queries may not meet your organizational requirements or provide the specific use case scenario you are hunting for. You will have to create a query for yourself. Azure utilizes KQL, the Kusto Query Language. A KQL query is a read-only request to process data and return results.
Microsoft Sentinel and KQL make use primarily of tabular expression statements, which are a composition of data sources (tables), data operators (filters such as where), and rendering operators (such as count). Each step is separated by the pipe character (|). Most of the syntax, particularly the table names, is case-sensitive.
sourceTable | operator1 | operator2 | renderInstruction
Here is a very simple example query and breakdown:
SecurityAlert | where TimeGenerated > ago(1d) | count
1. The statement starts with a reference to a table (SecurityAlert).
2. The rows of that table are then filtered by the value of the TimeGenerated column using the where operator, keeping only the last day of alerts.
3. The query then returns the count of “surviving” rows.
Results are shown as column values. These columns can be customized, renamed, or combined to match across multiple tables.
Query Best Practices
Creating your own queries from scratch can be a daunting and intimidating task. The following suggestions are best practices to get started creating queries from scratch. There are many other best practices and preferred ways to go about creating queries. While these certainly apply to all queries, simple and complex, they are meant for those who are just starting to learn the language and will help to prevent an overwhelming feeling of complexity until you are more comfortable with the language.
» Start small. Building a massive multi-line query from scratch will lead to syntax errors and other issues.
» Build your query one line at a time and continue to add filters as needed
» Run your query as you build it to validate you are obtaining the intended data
» Use limit or count at the end to validate number of results.
» Remove when satisfied with the results
» Use time filters with the first-row table selection or first filter using where
» Use filters on tables or columns, not on operators or calculated columns via expression
» Do not use (or limit use) of wildcard (*) characters
» Combine two simple queries with the join operator rather than trying a more complex query
» Use Comments (//) to make notes about your query
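To show the tabular expression structure and these best practices working together, here is an added hunting query (my own example, not one of Microsoft’s built-in queries or the guide’s). It assumes the Azure AD sign-in connector is enabled so the SigninLogs table is populated, and the threshold of 20 failures is an arbitrary starting point to tune for your tenant.

```kql
// Added example: failed sign-ins from one IP followed by a successful sign-in from the same IP.
// Assumes SigninLogs is populated; ResultType "0" is a successful Azure AD sign-in.
let lookback = 1d;                       // single place to adjust the time window
// Simple query 1: sources with many failures. Time filter first, filters on table columns only.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedAttempts = count(),
                DistinctUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated)
              by IPAddress
    | where FailedAttempts >= 20;        // assumed threshold, tune per tenant
// Simple query 2: successful sign-ins in the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, UserPrincipalName, SuccessTime = TimeGenerated, ClientAppUsed;
// Join the two simple queries instead of writing one complex one.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFailure      // success came after the failures started
| project IPAddress, FailedAttempts, DistinctUsers, UserPrincipalName, SuccessTime, ClientAppUsed
| order by FailedAttempts desc
| limit 50                               // validate result volume, then remove
```

Once the results look right, the same query can be saved as a hunting query or converted into a scheduled analytic rule, with the rule’s alert threshold replacing the limit line.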
Hunting can be a powerful way to provide valuable insights across all your organization’s data sources.
Microsoft has done a great job providing numerous built-in capabilities, with over 80 default hunting queries and hundreds of example queries within Log Analytics Queries. Community resources, such as GitHub, provide many additional customized, scenario-based queries. Chances are, you will not need to create any custom or unique query of your own as you are building out your cloud SIEM solution.
Summary
In this guide, it’s been shown how Microsoft Sentinel can efficiently monitor, alert, and remediate security incidents. We outlined how to collect data at cloud scale, across users, devices, applications, and infrastructure, both on-premises and in multiple clouds. We showed how workbooks can provide at-a-glance information about the state of organizational threats and about specific issues. Playbooks use AI and automation to surface incidents for the SOC to take action, and respond with built-in orchestration and automation of common tasks. And hunting using KQL allows the SOC to proactively hunt for Indicators of Compromise.
Thanks for reading the eGuide! If you’ve come this far, you probably are a self-starter, so if you need a resource, Enabling Technologies can be a resource as you properly operate your secure and productive environment in the cloud.
Thanks for Reading!
We can help operationalize and secure your organization’s IT
environment.
Click here to schedule a quick call to see how we can help.
Deborah McIsaac Cloud Strategy Adviser at Enabling Technologies