How to Catch the Bad Guys with
Azure Sentinel and Microsoft
Defender ATP
Marius Sandbu
Cloud Tech Lead @ EVRY
@msandbu
https://msandbu.org
Agenda
• Evolution
• Attacks and the landscape in 2019
• An Overview of the Microsoft Security Ecosystem
• Azure Sentinel & Defender ATP
• Enabling data sources and collection
• Designing a security solution
• Connecting the dots and automation
It’s hunting season!
Once upon a time…
• Active Directory
• Group Policy
• AD based clients
• On-premises Collaboration
• System Management tools
• Traditional Antivirus
Lockergoga
• Entry point through email or drive-by download
• Distributed using Group Policy
• Each Payload was Unique
• Digitally signed by trusted
third party
BARIUM
• Infected trusted sources and used drive-by downloads
• CCleaner and ASUS Update
• Compromised endpoints with
ransomware
Landscape 2019
• Azure Active Directory
• Mobile Device Management
• Endpoint Protection
• SaaS
• Web-based collaboration
• Multiple OS and devices
• + The existing legacy stuff
Attacks by the numbers
300% increase in identity attacks over the past year
350 thousand compromised accounts detected in April 2018
46 billion attacker-driven sign-ins in May 2018
23 million high-risk enterprise sign-in attempts in March 2018
1.29 billion authentications blocked in August 2018
Source: Microsoft Ignite 2018
AAD
• Dump users and groups with Azure AD
• Password Spray: MailSniper
• Password Spray: CredKing
O365
• Get Global Address List: MailSniper
• Find Open Mailboxes: MailSniper
• User account enumeration with ActiveSync
• Harvest email addresses
• Verify target is on O365, [DNS], [urls], [list], [getuserrealm]
• Enumerate usernames, 2FA status via ActiveSync [o365userenum]
• Role, group, admin enumeration with Get-MsolRoleMember [RainDance]
• Bruteforce of Autodiscover: SensePost Ruler
• Phishing for credentials
• Phishing using OAuth app
• 2FA MITM Phishing: evilginx2 [github]
• Add Mail forwarding rule
• Add Global Admin Account
• Delegate Tenant Admin
• MailSniper: Search Mailbox for credentials
• Search for Content with eDiscovery
• Account Takeover: Add-MailboxPermission
• Pivot to On-Prem host: SensePost Ruler
• Exchange Tasks for C2: MWR
• Send Internal Email
• MailSniper: Search Mailbox for content
• Search for Content with eDiscovery
• Exfil email using EWS APIs with PowerShell
• Download documents and email
• Financial/wire fraud
Endpoint
• Search host for Azure credentials: SharpCloud
• Ransomware
• Persistence through Outlook Home Page: SensePost Ruler
• Persistence through custom Outlook Form
• Create Hidden Mailbox Rule [tool]
On-Prem Exchange
• Portal Recon
• Enumerate domain accounts using Skype4B, [LyncSmash]
• Enumerate domain accounts: OWA & Exchange
• Enumerate domain accounts: OWA: FindPeople
• OWA version discovery
• Password Spray using Invoke-PasswordSprayOWA, EWS, Atomizer
• Bruteforce of Autodiscover: SensePost Ruler
• PasswordSpray Lync/S4B [LyncSniper]
• Exchange MTA
• Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)
• Delegation
Prepared by @JohnLaTwC, May 2019, v1.06 (Microsoft)
Password Spray attacks in ~15 Minutes
Attack leveraging legacy protocols*
Email addresses = UPN, easy to find online (mailhunter or https://www.rapid7.com/db/modules/auxiliary/gather/search_email_collector)
No easy way to block authentication attempts from "known IPs"
* Microsoft is disabling legacy authentication protocols in Office 365 in 2020: http://bit.ly/2ktycIC
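As an added example (not from the slides), a Sentinel query that surfaces the pattern described above on the defender's side: many distinct accounts failing from one source address inside a short window, with a count of how many of those attempts came through legacy protocols. It assumes the Azure AD connector is enabled so SigninLogs is populated; the thresholds and the list of legacy client names are assumptions to tune per tenant.

```kql
// Added example: password-spray pattern in Azure AD sign-in logs (not from the slides).
// Assumed parameters; tune per tenant.
let lookback = 1d;
let window = 15m;                 // one spray round, matching the ~15 minutes on the slide
let minAccounts = 10;             // distinct accounts failing from the same IP in one window
// Assumed list of client names that indicate legacy (basic) authentication.
let legacyClients = dynamic(["Exchange ActiveSync", "IMAP4", "POP3", "Other clients", "Authenticated SMTP"]);
SigninLogs
| where TimeGenerated >= ago(lookback)
| where ResultType == "50126"     // invalid username or password
| summarize
    FailedAccounts     = dcount(UserPrincipalName),
    FailedAttempts     = count(),
    LegacyAuthAttempts = countif(ClientAppUsed in (legacyClients)),
    SampleAccounts     = make_set(UserPrincipalName, 5),
    ClientApps         = make_set(ClientAppUsed, 5),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
    by IPAddress, WindowStart = bin(TimeGenerated, window)
| where FailedAccounts >= minAccounts
| order by FailedAccounts desc, WindowStart asc
```

A high LegacyAuthAttempts share on a row is the signal that blocking legacy authentication (or Conditional Access on the client app) would have stopped that round, even when the source IP is not on any list.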
The Azure Security Ecosystem
(Diagram of Azure security services; labels extracted: Azure Sentinel, SQL Encryption & Data Masking)
Logging sources in the Cloud

Audit Item           Category             Enabled by Default   Retention
User Activity        Office 365 Security  No                   90 days
Admin Activity       Office 365 Security  No                   90 days
Mailbox Audit        Exchange Online      Yes                  90 days
Sign-In Activity     Azure AD             Yes                  30 days (AAD P1)
Users at Risk        Azure AD             Yes                  7 days (30 days with P1/P2)
Risky Sign-ins       Azure AD             Yes                  7 days (30 days with P1/P2)
Azure MFA Usage      Azure AD             Yes                  30 days
Directory Audit      Azure AD             Yes                  7 days (30 days with P1/P2)
Intune Activity Log  Intune               Yes                  1 year (Graph API)
Logging sources in the Cloud (continued)

Audit Item                        Category  Enabled by Default        Retention
Azure Resource Manager            Azure     Yes                       30 days
Network Security Group Flow Logs  Azure     No                        Depends on configuration
Azure Diagnostics Logs*           Azure     No                        Depends on configuration
Azure Application Insight         Azure     No                        Depends on configuration
VM Logs                           OS        Yes                       Size defined in Group Policy
Custom Logs                       OS        N/A                       Application-specific logs
Azure Security Center             Azure     No (cost per host/PaaS)
SaaS Usage                        N/A       No                        Requires Cloud App Discovery
Custom Sources**                  N/A       No                        Depends on configuration
* Diagnostics logs are available for most Azure services
** Custom connectors: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060
Azure Sentinel
● Cloud-native SIEM and SOAR solution
● Provides a unified view and dashboards across the different data sources
● Uses machine learning to correlate data from multiple sources (Fusion*)
● Threat intelligence integration
* Fusion will soon be enabled by default
Azure Sentinel - Capabilities
● Data stored in a data lake using Log Analytics
● Supports multiple data sources
● Predefined connectors with dashboards
● Integrates with Jupyter for in-depth analysis
● Playbooks using Azure Logic Apps
● Alerts available through the Security Graph API (GET/PATCH/SUBSCRIBE): https://graph.microsoft.com/v1.0/security/alerts?$top=1
Azure Sentinel - Capabilities
(Portal screenshot; annotated areas: Log Analytics settings, Logic App automation, incident creation rules, data sources and status, Jupyter notebooks, predefined queries, dashboards, incidents based upon rules, Log Analytics workspace)

Azure Sentinel architecture (diagram; labels grouped by layer as extracted)
Data Sources: Microsoft Defender ATP, 3rd party SIEM and Log Analytics platforms, Azure services, Office 365, Azure ATP, 3rd party providers, client endpoints, Windows Server, Azure Security Center, Cloud App Security, Intune, Azure AIP
Data Management Layer: data connectors, Kusto queries, logs / custom logs, Log Analytics workspace
Automation Layer: automation, remediation, Azure Security Graph, threat intelligence, Power BI
User Interaction Layer: dashboards, visualization, hunting queries, Jupyter notebooks

Microsoft Defender ATP
● EDR powered by the Sense agent (agentless)
● Security Center agent for servers
● Data collected: registry (values, changes); files (value, changes, hash, name); processes (creation, hash, name); memory dump; network connections; local user information; OS and computer information
● Memory forensics
● Hunting and automated response
● Supported by Logic Apps / Flow
Microsoft Defender ATP - Capabilities
● Support for Windows 10 (Mac preview coming*)
● Support for Windows Server through Security Center (but limited capabilities)
● Support for 2008 R2 came yesterday
● Support for other OS through the partner ecosystem
● Microsoft Threat Protection integration (Cloud App Security, AIP, Azure ATP, Office 365)
● Microsoft Threat Experts
● *PREVIEW* Live Response / Threat & Vulnerability Management *PREVIEW*
Azure Sentinel and Defender ATP
(Diagram. Data sources: endpoints, Azure AD, Office 365, system activity, other sources. Detection services: Microsoft Defender ATP*, Azure AD, Security Center, Cloud App Security (Conditional Access, Cloud App Discovery). These feed alerts and threat intelligence into Azure Sentinel, which provides hunting (Kusto / Jupyter / dashboards) and automation (Logic Apps, partner ecosystem, ITSM).)
* Internal connector coming soon (custom alerts playbook: https://www.linkedin.com/pulse/azure-sentinel-custom-logs-getting-your-mdatp-alerts-paul-huijbregts/)
#ExpertsLiveNO
So how to get started?
Azure Sentinel:
1: Create a Log Analytics workspace
2: Create a Sentinel workspace
3: Connect data sources
4: Create hunting queries
5: Create automation rules
• Supported data sources are based upon Log Analytics
• The only way to delete a Sentinel instance is to remove the module from Log Analytics
• Define role-based access control: Azure Sentinel Contributor, Azure Sentinel Reader, Azure Sentinel Responder, combined with table-based RBAC (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access#table-level-rbac)
Defender ATP:
1: Get Windows 10 E5 license
2: Set up ATP workspace
3: Onboard machines (using onboarding script)
4: Onboard servers (Azure Security Center)
5: Add integrations (requires licenses)
Architecting a Sentinel solution
Log Analytics Workspace
• Retention (1 year)*
• Location (West Europe)
• Avoid multiple Log Analytics workspaces
• Multihoming possible for Windows agents, not for Linux or Azure data sources
• Use Azure Policy or ARM to deploy agents
• Adjust how often data is collected (perf metrics)
* Table-level retention on roadmap
Logs & performance metrics
Architecting a Sentinel solution
Ingestion latency (diagram):
Agent collects 30-second interval performance metrics (TimeGenerated) -> agent upload (30 sec – 2 minutes)
Azure Diagnostics: 2 – 15 minutes
Network Performance Monitoring: 3 minutes
Each path -> surge protection (<1 minute) -> temporary storage (5-15 seconds, _TimeReceived) -> indexing (<5 minutes) -> Sentinel workspace -> export (ELK / Splunk)
Enabling data sources
(Connector screenshot: log table name, permissions)
Enabling data sources
Insecure Protocols Dashboard
1: Enable audit in Group Policy
2: Enable collection of Security Events
https://blogs.technet.microsoft.com/jonsh/azure-sentinel-insecure-protocols-dashboard-setup/
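As an added example (not from the slides or the linked dashboard), the kind of query the dashboard is built on, so you can check that steps 1 and 2 actually produce data before trusting the workbook. It assumes the Security Events are collected into SecurityEvent and, for the LDAP part, that the "Directory Service" log is added under Workspace - Advanced Settings - Data - Event Logs so that event 2889 lands in Event; the regex for the client address is an assumption about the 2889 message text.

```kql
// Added example: raw events behind the Insecure Protocols dashboard (not from the slides).
// Without step 1 (audit policy) 4624 lacks the package details; without step 2 SecurityEvent is empty.
let lookback = 7d;
// NTLMv1 logons: logon event 4624 whose LM package is NTLM V1.
let ntlmv1 = SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4624
| where AuthenticationPackageName == "NTLM" and LmPackageName == "NTLM V1"
| extend Protocol = "NTLMv1"
| summarize Events = count(), Accounts = make_set(Account, 10), SourceIPs = make_set(IpAddress, 10)
    by Protocol, Computer;
// Cleartext / unsigned LDAP binds: domain controllers log event 2889 in the Directory Service log.
// Assumption: the log is collected as a Windows event log so it appears in Event.
// Assumption: the message contains "Client IP address:" followed by an IPv4 address; adjust if not.
let cleartextLdap = Event
| where TimeGenerated >= ago(lookback)
| where EventLog == "Directory Service" and EventID == 2889
| extend ClientIP = extract(@"Client IP address:\s*([0-9\.]+)", 1, RenderedDescription)
| extend Protocol = "LDAP cleartext bind"
| summarize Events = count(), SourceIPs = make_set(ClientIP, 10) by Protocol, Computer;
union ntlmv1, cleartextLdap
| order by Events desc
```

An empty result after a week of collection usually means the audit policy (step 1) or the event log collection (step 2) is not applied to the machines you expect, not that the estate is clean.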
Enabling data sources
Threat Intelligence / Security Center
Azure Security Center – Standard (NB: remember the cost for the service)
Define Log Analytics workspace and auto provisioning
Machines onboarded to Defender ATP: https://securitycenter.windows.com
Enabling data sources
Custom logs and log sources
Workspace - Advanced Settings - Data - Event Logs
* Utilize Sysmon from Sysinternals to collect process information on infrastructure
Enabling data sources
Azure PaaS Services
https://docs.microsoft.com/en-us/azure/governance/policy/samples/audit-diagnostic-setting
Azure Monitor – Diagnostics – Services – Log Analytics
Enabling data sources
Network Traffic - Azure
• Enable Network Watcher
• Enable Flow Logs on NSGs*
• Integrate with Azure Sentinel workspace
* NSG Flow Logs bug – delete old flow logs: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-delete-nsg-flow-log-blobs
Enabling data sources
● Microsoft Defender ATP data is not available in Sentinel
● No simple way to sanitize (purge) data; it is only available through the REST API
● POST Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2015-03-20
● Data Purger role or higher required
Configuring detection rules
• Automate Threat Detection Rules
• https://github.com/wortell/AZSentinel
• Big Thanks to Wortell!
• Or find predefined rules
• https://github.com/netevert/sentinel-analytics-library
• https://github.com/BlueTeamLabs/sentinel-attack
• Then add automated response
Creating Automated Response
Example hunting Sentinel & Defender ATP
● Attack techniques defined by MITRE ATT&CK
Knowledge base -- https://attack.mitre.org/
● Universal but adapted using Kusto queries by Microsoft
https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries
https://github.com/Azure/Azure-Sentinel
Kusto Query Language
● Read-only request to process data and return results from a dataset
● Queries are built by defining the source and then statements with defined filters
(Diagram: tables such as Office365 and VMConnection, each with columns Column1, Column2; a query selects a table and pipes it through operators.)
Query example:
Table1
| where Column1 == "value1"
| count
Example hunting Sentinel
• Looking for failed authentication attempts to virtual infrastructure (requires Security Center enabled)
SecurityEvent
| where EventID == 4625
| where AccountType == "User"
| summarize CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
• Looking for failed authentication attempts to the Azure portal (requires integration with Azure AD)
let timeRange = ago(1d);   // look-back window; not defined on the slide, value assumed
SigninLogs
| where TimeGenerated >= timeRange
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| where AppDisplayName contains "Azure Portal"
| where ResultType !in ("0", "50125", "50140")
Azure AD sign-in error codes: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
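As an added example (not from the slides), a query that takes the 4625 summary above one step further: a burst of failed logons against a VM from one source address followed by a successful network or RDP logon from that same address, which is the case worth an incident rather than a dashboard count. Like the query above it needs Security Event collection through Security Center; the thresholds and the one-hour follow-up window are assumptions.

```kql
// Added example: failed logons followed by a success from the same source (not from the slides).
// Builds on the 4625 hunting query; 4624/4625 collection requires Security Center.
let lookback = 1d;
let minFailures = 20;          // assumed threshold; tune per environment
let failed = SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4625 and AccountType == "User"
| where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
| summarize FailedCount = count(), TargetAccounts = dcount(Account),
            FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated),
            SubStatuses = make_set(SubStatus, 5)
    by Computer, IpAddress
| where FailedCount >= minFailures;
let success = SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4624 and AccountType == "User"
| where LogonTypeName in ("3 - Network", "10 - RemoteInteractive")   // network / RDP logons
| project Computer, IpAddress, SuccessTime = TimeGenerated, SuccessAccount = Account, LogonTypeName;
failed
| join kind=inner (success) on Computer, IpAddress
| where SuccessTime between (FirstFail .. (LastFail + 1h))   // success during or within 1h after the burst
| project Computer, IpAddress, FailedCount, TargetAccounts, SubStatuses,
          FirstFail, LastFail, SuccessTime, SuccessAccount, LogonTypeName
| order by FailedCount desc
```

A high TargetAccounts with a low FailedCount per account is the spray shape; a high FailedCount against one account is brute force, and SubStatus 0xC000006A (wrong password) versus 0xC0000064 (no such user) tells you whether the attacker already holds a valid user list.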
Example hunting Sentinel
• Mass download from Office 365 SharePoint (requires integration with Office 365)
let historicalActivity =
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(ago(30d)..ago(7d))
| summarize historicalCount=count() by ClientIP;
let recentActivity = OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated > ago(1d)
| summarize recentCount=count() by ClientIP;
recentActivity | join kind= leftanti (
historicalActivity
) on ClientIP;
Example hunting Microsoft Defender ATP
• Use of Tor client on endpoint
NetworkCommunicationEvents
| where EventTime > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")   // last 3 days
// Returns MD5 hashes of files used by Tor, to enable you to block them.
// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
| summarize MachineCount=dcount(ComputerName), MachineNames=makeset(ComputerName, 5) by InitiatingProcessMD5
| order by MachineCount desc
Azure Sentinel and Defender ATP moving forward
● Heavily integrated solution across the Microsoft ecosystem
● Unified approach to logging and threat hunting across platforms (identity, SaaS, endpoint, PaaS and infrastructure)
● More intelligence built in using machine learning and threat intelligence
● Automated response that can work across solutions
● Provides a decent set of capabilities to catch the bad guys
Questions and more information?
Article / Source                    URL
Best Practice Workspace Design      http://bit.ly/2mlUhJE
Azure Sentinel GitHub Repository    http://bit.ly/2m6TSdU
Azure Sentinel and MSP              https://docs.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
Azure Sentinel price calculator     http://bit.ly/2mrGTns
Defender ATP GitHub Repo            https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries
Jupyter and Python Security Tools   https://github.com/microsoft/msticpy
Defender ATP Hunting Queries        https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries
Email: msandbu@gmail.com
Twitter: @msandbu
Blog: msandbu.org
Pricing
Example:
2 virtual machines running in Azure
• Collecting network flow logs and traffic analysis
• Collecting Security Events (requires Security Center)
• 1 year retention on Log Analytics workspace
• Collecting custom logs (3 GB a month)
• Collecting Azure AD and Activity Logs (Activity Logs are free)
• Outbound ITSM calls
• Sentinel enabled and Logic Apps
Example cost per month
Security Center x2 VMs = $29.20
Log Analytics (Security Events free + VM logs (3 GB) + retention) = $49.17
Network Watcher (logs ingested and traffic analysis) = $25.50
Azure Sentinel (GB analyzed) = $2.60
Outbound ITSM (within 1000 units free tier)
Total cost = $106 per month
Pricing components (diagram)
Log Analytics Workspace (price SKU: Azure Monitor)
• Retention: default 31 days retention free; with Sentinel 90 days retention free; above 90 days, Log Analytics retention fees
• Storage: default 5 GB storage free
• Location
Azure Security Center (price SKU: Security Center)
• 500 MB free log ingestion per day to Log Analytics
• Per hour cost per VM
• Per hour cost for PaaS
Azure Sentinel (price SKU: Sentinel)
• Billed for data analyzed (not ingested)
• Activity Log and Office 365 data analyzed is free
Logic Apps (price SKU: Logic Apps)
• Price per action run
Azure Automation (price SKU: Azure Automation)
• 500 minutes process automation free per month
• 5 nodes free
Azure Monitor (price SKU: Azure Monitor)
• Custom metrics (cost per metric)
• Logs (alert rule cost)
• Activity Log (free)
• Action groups / notification: ITSM, SMS, phone, webhook, email (some free units per month)
Application Insight (price SKU: Application Insight)
• 5 GB free per month
• Web test cost per month
• Ping probes free
Network Watcher (price SKU: Network Watcher)
• Log ingestion + Log Analytics cost (default 5 GB log data free per month)
• Cost for probes and Traffic Analysis
Pricing
• Sentinel pricing is based upon data analyzed, not ingested
• The more data in the datasets referenced by a hunting query, the higher the cost
• Use time filters or scoping in queries to keep cost under control
• Some of the predefined queries have date limits defined, but not all!
• Still unsure whether regular Log Analytics search queries affect the cost
• Some data is free to ingest and analyze: pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions
MSP Approach
(Diagram: Customer 0, Customer 1 and Customer 2 each have their own subscription with a Log Analytics workspace and their own rules & automation. Log data comes from Office 365, Azure Active Directory, Microsoft Azure, virtual machines, network devices, EMS, Defender ATP and custom log sources. The MSP's Azure Active Directory reaches each customer through delegated access (Lighthouse) in the Azure Portal.)
MSP Approach
• Delegated access using Lighthouse
• All rules and logic defined within each workspace
• No way to search across multiple tenants
• Cost still goes directly to the subscription owner

More Related Content

What's hot

What's hot (20)

Azure Sentinel
Azure SentinelAzure Sentinel
Azure Sentinel
 
Azure Security and Management
Azure Security and ManagementAzure Security and Management
Azure Security and Management
 
Govern your Azure environment through Azure Policy
Govern your Azure environment through Azure PolicyGovern your Azure environment through Azure Policy
Govern your Azure environment through Azure Policy
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Azure Security Center- Zero to Hero
Azure Security Center-  Zero to HeroAzure Security Center-  Zero to Hero
Azure Security Center- Zero to Hero
 
Microsoft 365 Security and Compliance
Microsoft 365 Security and ComplianceMicrosoft 365 Security and Compliance
Microsoft 365 Security and Compliance
 
Azure security and Compliance
Azure security and ComplianceAzure security and Compliance
Azure security and Compliance
 
Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview Microsoft Cloud Application Security Overview
Microsoft Cloud Application Security Overview
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Azure DDoS Protection Standard
Azure DDoS Protection StandardAzure DDoS Protection Standard
Azure DDoS Protection Standard
 
Azure role based access control (rbac)
Azure role based access control (rbac)Azure role based access control (rbac)
Azure role based access control (rbac)
 
Access Security - Privileged Identity Management
Access Security - Privileged Identity ManagementAccess Security - Privileged Identity Management
Access Security - Privileged Identity Management
 
Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101
 
SOAR and SIEM.pptx
SOAR and SIEM.pptxSOAR and SIEM.pptx
SOAR and SIEM.pptx
 
Amazon GuardDuty Lab
Amazon GuardDuty LabAmazon GuardDuty Lab
Amazon GuardDuty Lab
 
Azure Sentinel Tips
Azure Sentinel Tips Azure Sentinel Tips
Azure Sentinel Tips
 
WHY SOC Services needed?
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
 
Azure governance
Azure governanceAzure governance
Azure governance
 
Azure governance v4.0
Azure governance v4.0Azure governance v4.0
Azure governance v4.0
 
Microsoft Office 365 Security and Compliance
Microsoft Office 365 Security and ComplianceMicrosoft Office 365 Security and Compliance
Microsoft Office 365 Security and Compliance
 

Similar to Azure sentinel

Similar to Azure sentinel (20)

NVS_Sentinel
NVS_SentinelNVS_Sentinel
NVS_Sentinel
 
Microsoft Sentinel Deployment V1.pptx
Microsoft Sentinel Deployment V1.pptxMicrosoft Sentinel Deployment V1.pptx
Microsoft Sentinel Deployment V1.pptx
 
L400-P1 Overview.pdf
L400-P1 Overview.pdfL400-P1 Overview.pdf
L400-P1 Overview.pdf
 
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics ReadinessAlabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
Alabama CyberNow 2018: Cloud Hardening and Digital Forensics Readiness
 
Adam ochs sentinel
Adam ochs sentinelAdam ochs sentinel
Adam ochs sentinel
 
TechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptxTechTalksUtah-Sentinel-20191108.pptx
TechTalksUtah-Sentinel-20191108.pptx
 
Alfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azureAlfredo Reino - Monitoring aws and azure
Alfredo Reino - Monitoring aws and azure
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123	CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
 
Антон Бойко (Microsoft Azure MVP, Ukrainian Azure Community Founder) «Azure M...
Антон Бойко (Microsoft Azure MVP, Ukrainian Azure Community Founder) «Azure M...Антон Бойко (Microsoft Azure MVP, Ukrainian Azure Community Founder) «Azure M...
Антон Бойко (Microsoft Azure MVP, Ukrainian Azure Community Founder) «Azure M...
 
Azure satpn19 time series analytics with azure adx
Azure satpn19   time series analytics with azure adxAzure satpn19   time series analytics with azure adx
Azure satpn19 time series analytics with azure adx
 
DevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid themDevSum - Top Azure security fails and how to avoid them
DevSum - Top Azure security fails and how to avoid them
 
2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...
2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...
2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptxSANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
SANS_PentestHackfest_2022-PurpleTeam_Cloud_Identity.pptx
 
Tokyo azure meetup #8 azure update, august
Tokyo azure meetup #8   azure update, augustTokyo azure meetup #8   azure update, august
Tokyo azure meetup #8 azure update, august
 
Tokyo azure meetup #8 - Azure Update, August
Tokyo azure meetup #8 - Azure Update, AugustTokyo azure meetup #8 - Azure Update, August
Tokyo azure meetup #8 - Azure Update, August
 
microsoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptxmicrosoft-cybersecurity-reference-architectures (1).pptx
microsoft-cybersecurity-reference-architectures (1).pptx
 
Remediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinelRemediate and secure your organization with azure sentinel
Remediate and secure your organization with azure sentinel
 

More from Marius Sandbu

More from Marius Sandbu (14)

Securing Virtual Machines in Microsoft Azure
Securing Virtual Machines in Microsoft AzureSecuring Virtual Machines in Microsoft Azure
Securing Virtual Machines in Microsoft Azure
 
Hackcon - Ransomware
Hackcon - RansomwareHackcon - Ransomware
Hackcon - Ransomware
 
EUC State of the Union 2021
EUC State of the Union 2021EUC State of the Union 2021
EUC State of the Union 2021
 
Ransomware - Hvordan beskytte seg mot slike angrep?
Ransomware - Hvordan beskytte seg mot slike angrep? Ransomware - Hvordan beskytte seg mot slike angrep?
Ransomware - Hvordan beskytte seg mot slike angrep?
 
Ransomware erfaringer 2021
Ransomware erfaringer 2021Ransomware erfaringer 2021
Ransomware erfaringer 2021
 
Migrate to WVD and Beyond
Migrate to WVD and BeyondMigrate to WVD and Beyond
Migrate to WVD and Beyond
 
State of the EUC - 2020 What's new in End-User Computing
State of the EUC - 2020 What's new in End-User ComputingState of the EUC - 2020 What's new in End-User Computing
State of the EUC - 2020 What's new in End-User Computing
 
State of the EUC - 2020 What's new in End-User Computing
State of the EUC - 2020 What's new in End-User ComputingState of the EUC - 2020 What's new in End-User Computing
State of the EUC - 2020 What's new in End-User Computing
 
Windows Virtual Desktop
Windows Virtual DesktopWindows Virtual Desktop
Windows Virtual Desktop
 
Citrix Cloud XL - Running Ctirix in Public Cloud
Citrix Cloud XL - Running Ctirix in Public CloudCitrix Cloud XL - Running Ctirix in Public Cloud
Citrix Cloud XL - Running Ctirix in Public Cloud
 
Citrix with Microsoft EMS
Citrix with Microsoft EMSCitrix with Microsoft EMS
Citrix with Microsoft EMS
 
Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure Delivering and optimizing citrix from microsoft azure
Delivering and optimizing citrix from microsoft azure
 
Application layering vs Application Isolation
Application layering vs Application IsolationApplication layering vs Application Isolation
Application layering vs Application Isolation
 
Netscaler and system center
Netscaler and system centerNetscaler and system center
Netscaler and system center
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

Azure sentinel

1. How to Catch the Bad Guys with Azure Sentinel and Microsoft Defender ATP
Marius Sandbu, Cloud Tech Lead @ EVRY, @msandbu, https://msandbu.org

2. Agenda
• Evolution
• Attacks and the landscape in 2019
• An Overview of the Microsoft Security Ecosystem
• Azure Sentinel & Defender ATP
• Enabling data sources and collection
• Designing a security solution
• Connecting the dots and automation

4. Once Upon a time…
• Active Directory
• Group Policy
• AD based clients
• On-premises Collaboration
• System Management tools
• Traditional Antivirus

5. Lockergoga
• Entry point through email or drive-by download
• Distributed using Group Policy
• Each payload was unique
• Digitally signed by a trusted third party

6. BARIUM
• Infected trusted sources and used drive-by download
• CCleaner and ASUS Update
• Compromised endpoints with ransomware

7. Landscape 2019
• Azure Active Directory
• Mobile Device Management
• Endpoint Protection
• SaaS
• Web-based collaboration
• Multiple OS and devices
• + The existing legacy stuff

9. Attacks by the numbers
• 300% increase in identity attacks over the past year
• 350 thousand compromised accounts detected in April 2018
• 46 billion attacker-driven sign-ins in May 2018
• 23 million high-risk enterprise sign-in attempts in March 2018
• 1,29 billion authentications blocked in August 2018
Source: Microsoft Ignite 2018
10. Office 365 attack matrix (prepared by @JohnLaTwC, May 2019, v1.06, Microsoft)
AAD
• Dump users and groups with Azure AD
• Password Spray: MailSniper
• Password Spray: CredKing
O365
• Get Global Address List: MailSniper
• Find Open Mailboxes: MailSniper
• User account enumeration with ActiveSync
• Harvest email addresses
• Verify target is on O365, [DNS], [urls], [list], [getuserrealm]
• Enumerate usernames, 2FA status via ActiveSync [o365userenum]
• Role, group, admin enumeration with Get-MsolRoleMember [RainDance]
• Bruteforce of Autodiscover: SensePost Ruler
• Phishing for credentials
• Phishing using OAuth app
• 2FA MITM Phishing: evilginx2 [github]
• Add Mail forwarding rule
• Add Global Admin Account
• Delegate Tenant Admin
• MailSniper: Search Mailbox for credentials
• Search for Content with eDiscovery
• Account Takeover: Add-MailboxPermission
• Pivot to On-Prem host: SensePost Ruler
• Exchange Tasks for C2: MWR
• Send Internal Email
• MailSniper: Search Mailbox for content
• Search for Content with eDiscovery
• Exfil email using EWS APIs with PowerShell
• Download documents and email
• Financial/wire fraud
EndPoint
• Search host for Azure credentials: SharpCloud
• Ransomware
• Persistence through Outlook Home Page: SensePost Ruler
• Persistence through custom Outlook Form
• Create Hidden Mailbox Rule [tool]
On-Prem Exchange
• Portal Recon
• Enumerate domain accounts using Skype4B, [LyncSmash]
• Enumerate domain accounts: OWA & Exchange
• Enumerate domain accounts: OWA: FindPeople
• OWA version discovery
• Password Spray using Invoke-PasswordSprayOWA, EWS, Atomizer
• Bruteforce of Autodiscover: SensePost Ruler
• PasswordSpray Lync/S4B [LyncSniper]
• Exchange MTA
• Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)
• Delegation
11. Password Spray attacks in ~15 minutes
• Attack leveraging legacy protocols*
• Email addresses = UPN, easy to find online (mailhunter or https://www.rapid7.com/db/modules/auxiliary/gather/search_email_collector)
• No easy way to block authentication attempts from «known IPs»
* Microsoft is disabling legacy authentication protocols in Office 365 in 2020: http://bit.ly/2ktycIC

12. The Azure Security Ecosystem
(Diagram; labels recovered: Azure Sentinel, SQL Encryption & Data Masking)

13. Logging sources in the Cloud

Audit Item | Category | Enabled by Default | Retention
--- | --- | --- | ---
User Activity | Office 365 Security | No | 90 Days
Admin Activity | Office 365 Security | No | 90 Days
Mailbox Audit | Exchange Online | Yes | 90 Days
Sign-In Activity | Azure AD | Yes | 30 Days (AAD P1)
Users at Risk | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Risky Sign-ins | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Azure MFA Usage | Azure AD | Yes | 30 Days
Directory Audit | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Intune Activity Log | Intune | Yes | 1 Year (Graph API)

14. Logging sources in the Cloud

Audit Item | Category | Enabled by Default | Retention
--- | --- | --- | ---
Azure Resource Manager | Azure | Yes | 30 Days
Network Security Group Flow Logs | Azure | No | Depending on Configuration
Azure Diagnostics Logs* | Azure | No | Depending on Configuration
Azure Application Insight | Azure | No | Depending on Configuration
VM Logs | OS | Yes | Size defined in Group Policy
Custom Logs | OS | N/A | Application specific logs
Azure Security Center | Azure | No | (Cost per host/PaaS)
SaaS Usage | N/A | No | Requires Cloud App Discovery
Custom Sources** | N/A | No | Depending on Configuration

* Diagnostics logs are available for most Azure services
** Custom connectors: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060

15. Azure Sentinel
● Cloud-native SIEM and SOAR solution
● Provides a unified view and dashboards for the different data sources
● Utilizes machine learning to correlate data from multiple sources (Fusion*)
● Threat Intelligence integration
* Fusion will soon be enabled by default

16. Azure Sentinel - Capabilities
● Data stored in a data lake using Log Analytics
● Supports multiple data sources
● Predefined connectors with dashboards
● Integrable with Jupyter for in-depth analysis
● Playbooks using Azure Logic Apps
● Alerts available using the Security Graph API (GET/PATCH/SUBSCRIBE): https://graph.microsoft.com/v1.0/security/alerts?$top=1

17. Azure Sentinel - Capabilities
(Screenshot of the Sentinel portal; labels recovered: Log Analytics Settings, Logic App Automation, Incident Creation Rules, Data Sources and status, Jupyter Notebooks, Predefined Queries, Dashboards, Incidents based upon rules, Log Analytics Workspace)
18. Microsoft Defender ATP
(Architecture diagram; labels recovered:)
• Data Sources: Microsoft Defender ATP, 3rd-party SIEM and Log Analytics platforms, Azure Services, Office 365, Azure ATP, 3rd-party providers, Client Endpoints, Windows Server, Azure Security Center, Cloud App Security, Intune, Azure AIP
• Data Management Layer: Data Connectors, Kusto Queries, Logs / Custom Logs, Log Analytics Workspace
• Automation Layer: Automation, Remediation, Azure Security Graph, Threat Intelligence, Power BI
• User Interaction Layer: Dashboards, Visualization, Hunting Queries, Jupyter Notebooks
● EDR powered by the Sense agent (agentless)
● Security Center agent for servers
● Data collected: Registry (values, changes), Files (value, changes, hash, name), Processes (creation, hash, name), Memory dump, Network connections, Local user information, OS and computer information
● Memory forensics
● Hunting and automated response
● Supported by Logic Apps / Flow

19. Microsoft Defender ATP - Capabilities
● Support for Windows 10 (Mac preview coming*)
● Support for Windows Server through Security Center (but limited capabilities)
● Support for 2008 R2 came yesterday
● Support for other OSes through the partner ecosystem
● Microsoft Threat Protection integration (Cloud App Security, AIP, Azure ATP, Office 365)
● Microsoft Threat Experts
● *PREVIEW* Live Response / Threat & Vulnerability Management *PREVIEW*

20. Azure Sentinel and Defender ATP
(Diagram; labels recovered: Security Center, Azure AD, Microsoft Defender ATP, Azure Sentinel, Endpoints, System activity, Office 365, Other Sources, Hunting (Kusto / Jupyter / Dashboards), Logic Apps, Partner Ecosystem, Automation, Cloud App Security, Conditional Access, Cloud App Discovery, Data Sources, Alerts, Threat Intelligence*, ITSM)
* Internal connector coming soon; custom alerts playbook: https://www.linkedin.com/pulse/azure-sentinel-custom-logs-getting-your-mdatp-alerts-paul-huijbregts/

21. So how to get started? (#ExpertsLiveNO)
Azure Sentinel:
• Create a Log Analytics Workspace
• Create a Sentinel Workspace
• Connect Data Sources
  • Supported data sources are based upon Log Analytics
  • The only way to delete a Sentinel instance is to remove the module from Log Analytics
• Define Role Based Access Control: Azure Sentinel Contributor, Azure Sentinel Reader, Azure Sentinel Responder, combined with table-based RBAC (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access#table-level-rbac)
• Create Hunting Queries
• Create Automation Rules
Defender ATP:
• Get a Windows 10 E5 license
• Set up the ATP workspace
• Onboard machines (using the onboarding script)
• Onboard servers (Azure Security Center)
• Add integrations (requires licenses)

22. Architecting a Sentinel solution
Log Analytics Workspace:
• Retention (1 year)*
• Location (West Europe)
• Avoid multiple Log Analytics Workspaces
• Multihoming possible for Windows agents, not for Linux or Azure data sources
• Use Azure Policy or ARM to deploy agents
• Adjust how often data is collected (perf metrics)
* Table-level retention on roadmap
(Diagram: logs & performance metrics flowing into the Log Analytics Workspace)

23. Architecting a Sentinel solution
(Diagram of the ingestion pipeline and its typical latencies:)
• Agent collects 30-second-interval performance metrics (TimeGenerated)
• Agent upload: 30 sec – 2 minutes
• Azure Diagnostics: 2 – 15 minutes
• Network Performance Monitoring: 3 minutes
• Surge protection: <1 minute
• Temporary storage: 5–15 seconds (_TimeReceived)
• Indexing: <5 minutes
• Sentinel Workspace, with export to ELK / Splunk
24. Enabling data sources
(Table with columns Log, Table name, Permissions; rows not recoverable)

25. Enabling data sources: Insecure Protocols Dashboard
1: Enable Audit in Group Policy
2: Enable collection of Security Events
https://blogs.technet.microsoft.com/jonsh/azure-sentinel-insecure-protocols-dashboard-setup/

26. Enabling data sources: Threat Intelligence / Security Center
• Azure Security Center – Standard (NB: remember the cost for the service)
• Define the Log Analytics Workspace and Auto Provisioning
• Machines onboarded to Defender ATP: https://securitycenter.windows.com

27. Enabling data sources: Custom Logs and log sources
• Workspace - Advanced Settings - Data - Event Logs
* Utilize Sysmon from Sysinternals to collect process information on infrastructure

28. Enabling data sources: Azure PaaS Services
• Azure Monitor – Diagnostics – Services – Log Analytics
• Audit policy for diagnostic settings: https://docs.microsoft.com/en-us/azure/governance/policy/samples/audit-diagnostic-setting

29. Enabling data sources: Network Traffic - Azure NSG Flow Logs
• Enable Network Watcher
• Enable Flow Logs on the NSG*
• Integrate with the Azure Sentinel Workspace
Bug – delete old Flow Logs: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-delete-nsg-flow-log-blobs

30. Enabling data sources
● Microsoft Defender ATP data is not available in Sentinel
● No simple way to sanitize data; it is only available through the REST API:
  Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2015-03-20
● Data Purger role or higher required

31. Configuring detection rules (#ExpertsLiveNO)
• Automate threat detection rules: https://github.com/wortell/AZSentinel (big thanks to Wortell!)
• Or find predefined rules:
  • https://github.com/netevert/sentinel-analytics-library
  • https://github.com/BlueTeamLabs/sentinel-attack
• Then add automated response

33. Example hunting: Sentinel & Defender ATP
● Attack techniques defined by the MITRE ATT&CK knowledge base: https://attack.mitre.org/
● Universal, but adapted into Kusto queries by Microsoft:
  https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries
  https://github.com/Azure/Azure-Sentinel
34. Kusto Query Language
● Read-only request to process data and return results from a dataset
● Queries are built by defining the source and statements with defined filters
(Diagram: tables Office365 and VMConnection, each with Column1, Column2)
Read-only query example:
Table1
| where Column1 == "value1"
| count
35. Example hunting: Sentinel
• Looking for failed authentication attempts to virtual infrastructure (requires Security Center enabled):
SecurityEvent
| where EventID == 4625
| where AccountType == "User"
| summarize CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress

• Looking for failed authentication attempts to the Azure portal (requires integration with Azure AD):
let timeRange = ago(1d); // lookback window; the slide uses timeRange without defining it, 1d is assumed here
SigninLogs
| where TimeGenerated >= timeRange
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| where AppDisplayName contains "Azure Portal"
| where ResultType !in ("0", "50125", "50140")

Azure AD sign-in result codes: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
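To make the Azure portal query's filter logic checkable without a workspace, here is an added example (not from the slides) that re-expresses it in Python over constructed SigninLogs-shaped rows; the row layout mimics the Sentinel table, the values are made up, and a 1-day timeRange is assumed.

```python
"""Added example: the "failed sign-ins to the Azure portal" hunting query above,
re-expressed in Python and run over constructed SigninLogs-shaped rows."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time
TIME_RANGE = NOW - timedelta(days=1)                      # the query's timeRange (1d assumed)
# ResultType "0" is success; 50125 and 50140 are sign-in interrupts rather than failures,
# which is why the KQL excludes them. Everything else is a genuine failed attempt.
NOT_A_FAILURE = {"0", "50125", "50140"}


def signin(hours_ago, upn, app, result, details,
           os="Windows 10", browser="Chrome 77", state="Oslo", city="Oslo"):
    """Build one constructed SigninLogs-shaped row (dynamic columns are nested dicts)."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "UserPrincipalName": upn,
            "AppDisplayName": app, "ResultType": str(result),
            "DeviceDetail": {"operatingSystem": os, "browser": browser},
            "Status": {"errorCode": result, "additionalDetails": details},
            "LocationDetails": {"state": state, "city": city}}


SIGNIN_LOGS = [  # constructed sample data, not real tenant logs
    signin(2, "alice@contoso.example", "Azure Portal", 50126, "Invalid username or password"),
    signin(1, "alice@contoso.example", "Azure Portal", 0, ""),                  # success
    signin(1, "bob@contoso.example", "Azure Portal", 50140, "KMSI interrupt"),   # interrupt
    signin(72, "bob@contoso.example", "Azure Portal", 50126, "Invalid username or password"),  # too old
    signin(1, "carol@contoso.example", "Office 365 Exchange Online", 50126, "Invalid username or password"),
    signin(3, "dave@contoso.example", "Azure Portal", 50053, "Account locked", os="macOS", city="Bergen"),
]


def failed_portal_signins(rows, since=TIME_RANGE):
    """Mirror of the KQL pipeline: where TimeGenerated >= timeRange, extend the nested
    fields into flat columns, where AppDisplayName contains "Azure Portal" (KQL contains
    is case-insensitive), where ResultType !in ("0", "50125", "50140")."""
    hits = []
    for r in rows:
        if r["TimeGenerated"] < since:
            continue
        if "azure portal" not in r["AppDisplayName"].lower():
            continue
        if r["ResultType"] in NOT_A_FAILURE:
            continue
        hits.append({
            "UserPrincipalName": r["UserPrincipalName"],
            "OS": r["DeviceDetail"]["operatingSystem"],
            "Browser": r["DeviceDetail"]["browser"],
            "StatusCode": str(r["Status"]["errorCode"]),          # tostring(Status.errorCode)
            "StatusDetails": str(r["Status"]["additionalDetails"]),
            "State": str(r["LocationDetails"]["state"]),
            "City": str(r["LocationDetails"]["city"]),
        })
    return hits


if __name__ == "__main__":
    for hit in failed_portal_signins(SIGNIN_LOGS):
        print(hit)   # alice (50126) and dave (50053); the rest are filtered out
```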
36. Example hunting: Sentinel
• Mass download from Office 365 SharePoint (requires integration with Office 365):
let historicalActivity = OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(ago(30d)..ago(7d))
| summarize historicalCount=count() by ClientIP;
let recentActivity = OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated > ago(1d)
| summarize recentCount=count() by ClientIP;
recentActivity
| join kind=leftanti (historicalActivity) on ClientIP;
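The interesting part of the SharePoint query is the leftanti join against a baseline window that deliberately stops 7 days ago. This added example (not from the slides) reproduces that logic in Python over constructed OfficeActivity-shaped rows using RFC 5737 documentation addresses, so the effect of the baseline gap can be seen directly.

```python
"""Added example: the "mass download from a new ClientIP" query above, re-expressed in
Python over constructed OfficeActivity-shaped rows."""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
FILE_OPS = ("FileDownloaded", "FileUploaded")


def activity(days_ago, client_ip, operation="FileDownloaded",
             record_type="SharePointFileOperation"):
    """One constructed OfficeActivity-shaped row."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "RecordType": record_type,
            "Operation": operation, "ClientIP": client_ip}


# Constructed sample data (documentation addresses), not real tenant logs.
OFFICE_ACTIVITY = (
    [activity(d, "203.0.113.10") for d in (25, 20, 14, 9)]       # office egress, in the baseline
    + [activity(0.5, "203.0.113.10") for _ in range(4)]          # and still active today
    + [activity(0.2, "198.51.100.7") for _ in range(40)]         # never seen before: 40 downloads today
    + [activity(0.3, "198.51.100.7", "FileUploaded")]
    + [activity(3, "198.51.100.7")]                               # in the 7d gap: neither baseline nor recent
    + [activity(0.1, "192.0.2.44", "FileAccessed")]               # not a download/upload: ignored
    + [activity(0.1, "192.0.2.44", record_type="ExchangeItem")]   # wrong RecordType: ignored
)


def file_ops_between(rows, start, end):
    """where RecordType == "SharePointFileOperation" | where Operation in FILE_OPS
    | where TimeGenerated between(start..end)"""
    return [r for r in rows
            if r["RecordType"] == "SharePointFileOperation"
            and r["Operation"] in FILE_OPS
            and start <= r["TimeGenerated"] <= end]


def new_download_sources(rows, now=NOW):
    """recentActivity | join kind=leftanti (historicalActivity) on ClientIP.
    Returns {ClientIP: recentCount} for addresses active in the last day but absent from
    the ago(30d)..ago(7d) baseline. Because the baseline stops 7 days ago, an address that
    only appeared this week cannot have 'normalised' itself into the baseline yet."""
    historical = Counter(r["ClientIP"] for r in
                         file_ops_between(rows, now - timedelta(days=30), now - timedelta(days=7)))
    recent = Counter(r["ClientIP"] for r in
                     file_ops_between(rows, now - timedelta(days=1), now))
    return {ip: n for ip, n in recent.items() if ip not in historical}


if __name__ == "__main__":
    print(new_download_sources(OFFICE_ACTIVITY))   # {'198.51.100.7': 41}
```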
37. Example hunting: Microsoft Defender ATP
• Use of a Tor client on an endpoint:
NetworkCommunicationEvents
// Last 3 days. The slide had "EventTime < ago(3d)", which would return only events older than 3 days.
| where EventTime > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")
// Returns MD5 hashes of files used by Tor, to enable you to block them.
// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
| summarize MachineCount=dcount(ComputerName), MachineNames=makeset(ComputerName, 5) by InitiatingProcessMD5
| order by MachineCount desc
38. Azure Sentinel and Defender ATP moving forward
● Heavily integrated solution across the Microsoft ecosystem
● Unified approach to logging and threat hunting across platforms (Identity, SaaS, Endpoint, PaaS and Infrastructure)
● More intelligence built in using machine learning and threat intelligence
● Automated response that can work across solutions
● Providing a decent set of capabilities to catch the bad guys

39. Questions and more information?

Article / Source | URL
--- | ---
Best Practice Workspace Design | http://bit.ly/2mlUhJE
Azure Sentinel GitHub Repository | http://bit.ly/2m6TSdU
Azure Sentinel and MSP | https://docs.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
Azure Sentinel price calculator | http://bit.ly/2mrGTns
Defender ATP GitHub Repo | https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries
Jupyter and Python Security Tools | https://github.com/microsoft/msticpy
Defender ATP Hunting Queries | https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries

Email: msandbu@gmail.com, Twitter: @msandbu, Blog: msandbu.org

40. Pricing
Example: 2 virtual machines running in Azure
• Collecting Network Flow Logs and Traffic Analysis
• Collecting Security Events (requires Security Center)
• 1 year retention on the Log Analytics Workspace
• Collecting Custom Logs (3 GB a month)
• Collecting Azure AD and Activity Logs (Activity Logs are free)
• Outbound ITSM calls
• Sentinel enabled and Logic Apps
Example cost per month:
• Security Center x2 VMs = $29,20
• Log Analytics (Security Events free + VM logs (3 GB) + retention) = $49,17
• Network Watcher (logs ingested and traffic analysis) = $25,50
• Azure Sentinel (GB analyzed) = $2,60
• Outbound ITSM (within the 1000 units free tier)
• Total cost = $106 per month
Pricing components (from the slide's diagram):
• Log Analytics Workspace (Price SKU): Retention (default 31 days retention free; with Sentinel 90 days retention free; above 90 days, Log Analytics retention fees), Storage (default 5 GB storage free), Location
• Azure Monitor (Price SKU): Custom Metrics (cost per metric), Logs (alert rule cost), Activity Log (free); Action Groups: notifications via ITSM, SMS, phone, webhook, email (some free units per month)
• Azure Sentinel (Price SKU): billed for data analyzed (not ingested); Activity Log and Office 365 data analyzed is free
• Logic Apps (Price SKU): price per action run
• Azure Automation (Price SKU): 500 minutes process automation free per month, 5 nodes free
• Azure Security Center: 500 MB free log ingestion per day to Log Analytics, per-hour cost per VM, per-hour cost for PaaS
• Application Insight (Price SKU): 5 GB free per month, web test cost per month, ping probes free
• Network Watcher: log ingestion + Log Analytics cost (default 5 GB log data free per month), cost for probes and Traffic Analysis

41. Pricing
• Sentinel pricing is based upon data analyzed, not ingested
• The more data there is in the datasets a hunting query touches, the higher the cost will be
• Use a time filter or scoping in queries to keep cost under control
• Some of the predefined queries have date limits defined, but not all!
• Still unsure whether regular Log Analytics search queries will affect the cost
• Some data is free to ingest and analyze: you pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions

42. MSP Approach
(Diagram: Customer 0, 1 and 2 subscriptions, each with its own Log Analytics workspace and Rules & Automation, fed by log data from Office 365, Azure Active Directory, Microsoft Azure, Network Devices, Virtual Machines, Defender ATP, EMS and Custom Log Sources; the MSP's Azure Active Directory reaches each customer via Delegated Access (Lighthouse) through the Azure Portal)
• Delegated access using Lighthouse
• All rules and logic defined within each workspace
• No way to search across multiple tenants
• Cost still goes directly to the subscription owner