1. How to Catch the Bad Guys with
Azure Sentinel and Microsoft
Defender ATP
Marius Sandbu
Cloud Tech Lead @ EVRY
@msandbu
https://msandbu.org
2. Agenda
• Evolution
• Attacks and the landscape in 2019
• An overview of the Microsoft Security Ecosystem
• Azure Sentinel & Defender ATP
• Enabling data sources and collection
• Designing a security solution
• Connecting the dots and automation
4. Once upon a time…
• Active Directory
• Group Policy
• AD based clients
• On-premises Collaboration
• System Management tools
• Traditional Antivirus
5. Lockergoga
• Entry point through email or drive-by download
• Distributed using Group Policy
• Each payload was unique
• Digitally signed by a trusted third party
6. BARIUM
• Infected trusted sources and used drive-by download
• CCleaner and ASUS Update
• Compromised endpoints with ransomware
7. Landscape 2019
• Azure Active Directory
• Mobile Device Management
• Endpoint Protection
• SaaS
• Web-based collaboration
• Multiple OS and devices
• + The existing legacy stuff
9. Attacks by the numbers
300% increase in identity attacks over the past year
350 thousand compromised accounts detected in April 2018
46 billion attacker-driven sign-ins in May 2018
23 million high-risk enterprise sign-in attempts in March 2018
1,29 billion authentications blocked in August 2018
Source: Microsoft Ignite 2018
10. (Diagram: attack techniques against AAD, O365, Endpoint and On-Prem Exchange, by @JohnLaTwC)
AAD
• Dump users and groups with Azure AD
• Password Spray: MailSniper
• Password Spray: CredKing
O365
• Get Global Address List: MailSniper
• Find Open Mailboxes: MailSniper
• User account enumeration with ActiveSync
• Harvest email addresses
• Verify target is on O365, [DNS], [urls], [list], [getuserrealm]
• Enumerate usernames, 2FA status via ActiveSync [o365userenum]
• Role, group, admin enumeration with Get-MsolRoleMember [RainDance]
• Bruteforce of Autodiscover: SensePost Ruler
• Phishing for credentials
• Phishing using OAuth app
• 2FA MITM Phishing: evilginx2 [github]
• Add Mail forwarding rule
• Add Global Admin Account
• Delegate Tenant Admin
• MailSniper: Search Mailbox for credentials
• Search for Content with eDiscovery
• Account Takeover: Add-MailboxPermission
• Pivot to On-Prem host: SensePost Ruler
• Exchange Tasks for C2: MWR
• Send Internal Email
• MailSniper: Search Mailbox for content
• Search for Content with eDiscovery
• Exfil email using EWS APIs with PowerShell
• Download documents and email
• Financial/wire fraud
EndPoint
• Search host for Azure credentials: SharpCloud
• Ransomware
• Persistence through Outlook Home Page: SensePost Ruler
• Persistence through custom Outlook Form
• Create Hidden Mailbox Rule [tool]
On-Prem Exchange
• Portal Recon
• Enumerate domain accounts using Skype4B, [LyncSmash]
• Enumerate domain accounts: OWA & Exchange
• Enumerate domain accounts: OWA: FindPeople
• OWA version discovery
• Password Spray using Invoke-PasswordSprayOWA, EWS, Atomizer
• Bruteforce of Autodiscover: SensePost Ruler
• PasswordSpray Lync/S4B [LyncSniper]
• Exchange MTA
• Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)
• Delegation
Prepared by @JohnLaTwC, May 2019, v1.06, Microsoft
11. Password Spray attacks in ~15 Minutes
Attack leveraging legacy protocols*
Email addresses = UPN, easy to find online (mailhunter or https://www.rapid7.com/db/modules/auxiliary/gather/search_email_collector)
No easy way to block authentication attempts from "known IPs"
* Microsoft is disabling legacy authentication protocols in Office365 in 2020: http://bit.ly/2ktycIC
13. Logging sources in the Cloud
Audit Item | Category | Enabled by Default | Retention
User Activity | Office 365 Security | No | 90 Days
Admin Activity | Office 365 Security | No | 90 Days
Mailbox Audit | Exchange Online | Yes | 90 Days
Sign-In Activity | Azure AD | Yes | 30 Days (AAD P1)
Users at Risk | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Risky Sign-ins | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Azure MFA Usage | Azure AD | Yes | 30 Days
Directory Audit | Azure AD | Yes | 7 Days (30 Days, P1/P2)
Intune Activity Log | Intune | Yes | 1 Year (Graph API)
14. Logging sources in the Cloud
Audit Item | Category | Enabled by Default | Retention
Azure Resource Manager | Azure | Yes | 30 Days
Network Security Group Flow Logs | Azure | No | Depending on Configuration
Azure Diagnostics Logs* | Azure | No | Depending on Configuration
Azure Application Insight | Azure | No | Depending on Configuration
VM Logs | OS | Yes | Size defined in Group Policy
Custom Logs | OS | N/A | Application specific logs
Azure Security Center | Azure | No (Cost per host/PaaS) | 
SaaS Usage | N/A | No | Requires Cloud App Discovery
Custom Sources** | N/A | No | Depending on Configuration
* Diagnostics logs available for most Azure Services
** Custom Connectors: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060
15. Azure Sentinel
● Cloud native SIEM and SOAR solution
● Provides a unified view and dashboards across the different data sources
● Utilizes Machine Learning to correlate data from multiple sources – Fusion*
● Threat Intelligence integration
* Fusion will soon be enabled by default
16. Azure Sentinel - Capabilities
● Data stored in a data lake using Log Analytics
● Supports multiple data sources
● Predefined connectors with dashboards
● Integrates with Jupyter for in-depth analysis
● Playbooks using Azure Logic Apps
● Alerts available using the Security Graph API (GET/PATCH/SUBSCRIBE): https://graph.microsoft.com/v1.0/security/alerts?$top=1
17. Azure Sentinel - Capabilities
(Screenshot of the Sentinel portal, labelled: Log Analytics Settings, Logic App Automation, Incident Creation Rules, Data Sources and status, Jupyter Notebooks, Predefined Queries, Dashboards, Incidents based upon rules, Log Analytics Workspace)
18. Microsoft Defender ATP
(Architecture diagram. Data Sources: 3rd party SIEM and Log Analytics platforms, Azure Services, Office 365, Azure ATP, 3rd party providers, Client Endpoints, Windows Server, Azure Security Center, Cloud App Security, Intune, Azure AIP. Data Management Layer: Data Connectors, Kusto Queries, Logs / Custom Logs, Log Analytics Workspace. Automation Layer: Automation, Remediation, Azure Security Graph, Threat Intelligence, Power BI. User Interaction Layer: Dashboards, Visualization, Hunting Queries, Jupyter Notebooks.)
● EDR powered by Sense Agent (agentless)
● Security Center Agent for Server
  Collected telemetry: Registry (values, changes); Files (value, changes, hash, name); Processes (creation, hash, name); Memory dump; Network connections; Local user information; OS and computer information
● Memory forensics
● Hunting and automated response
● Supported by Logic Apps / Flow
19. Microsoft Defender ATP - Capabilities
● Support for Windows 10 (Mac preview coming*)
● Support for Windows Server through Security Center (but limited capabilities)
● Support for 2008 R2 came yesterday
● Support for other OS through the Partner Ecosystem
● Microsoft Threat Protection integration (Cloud App Security, AIP, Azure ATP, Office 365)
● Microsoft Threat Experts
● *PREVIEW* Live Response / Threat & Vulnerability Management *PREVIEW*
20. Azure Sentinel and Defender ATP
(Diagram with Azure Sentinel in the centre. Data Sources: Endpoints via Microsoft Defender ATP*, Azure AD, Office 365, system activity, other sources, Security Center, Cloud App Security / Cloud App Discovery, Conditional Access, Partner Ecosystem. Outputs: Alerts, Threat Intelligence, Hunting (Kusto / Jupyter / Dashboards), Automation (Logic Apps, ITSM).)
* Internal connector coming soon (custom alerts playbook: https://www.linkedin.com/pulse/azure-sentinel-custom-logs-getting-your-mdatp-alerts-paul-huijbregts/)
21. #ExpertsLiveNO
So how to get started?
Azure Sentinel: Create a Log Analytics Workspace → Create a Sentinel Workspace → Connect Data Sources → Create Hunting Queries → Create Automation Rules
• Supported data sources are based upon Log Analytics
• The only way to delete a Sentinel instance is to remove the module from Log Analytics
• Define role based access control: Azure Sentinel Contributor, Azure Sentinel Reader, Azure Sentinel Responder, combined with table based RBAC (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access#table-level-rbac)
Defender ATP: Get Windows 10 E5 license → Setup ATP Workspace → Onboard Machines (using onboarding script) → Onboard Servers (Azure Security Center) → Add Integrations (requires licenses)
22. #ExpertsLiveNO
Architecting a Sentinel solution
Log Analytics Workspace (Logs & Performance Metrics):
• Retention (1 Year)*
• Location (West Europe)
• Avoid multiple Log Analytics Workspaces
• Multihoming possible for Windows Agents, not for Linux or Azure data sources
• Use Azure Policy or ARM to deploy Agents
• Adjust how often data is collected (Perf Metrics)
* Table level retention on roadmap
25. Enabling data sources
Insecure Protocols Dashboard
1: Enable Audit in Group Policy
2: Enable Collection of Security Events
https://blogs.technet.microsoft.com/jonsh/azure-sentinel-insecure-protocols-dashboard-setup/
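As an added example (not from the slides, and not the workbook's own query), this is the kind of classification the Insecure Protocols dashboard performs on the Security Events that steps 1 and 2 make available: 4624 logons are split by NTLM version via AuthenticationPackageName / LmPackageName, and 4769 Kerberos service-ticket requests by TicketEncryptionType. The rows are constructed with datatable(); on a live workspace replace SampleSecurityEvent with SecurityEvent. Host names, accounts and IPs are constructed, and the 4769 rows only exist if "Audit Kerberos Service Ticket Operations" is enabled on the domain controllers, which is what the group-policy step is for.

```kql
// Added example, not from the slides or the workbook: classify the Security Events the
// Insecure Protocols dashboard relies on. Sample rows are constructed with datatable();
// against a live workspace replace SampleSecurityEvent with the SecurityEvent table.
// 4624 = logon (AuthenticationPackageName / LmPackageName reveal the NTLM version),
// 4769 = Kerberos service ticket (TicketEncryptionType: 0x17 RC4-HMAC, 0x1/0x3 DES, 0x11/0x12 AES).
let asof = datetime(2019-10-01 09:00:00);   // constructed reference time; use now() in production
let SampleSecurityEvent = datatable(TimeGenerated:datetime, EventID:int, Computer:string, TargetUserName:string,
                                    IpAddress:string, LogonTypeName:string, AuthenticationPackageName:string,
                                    LmPackageName:string, TicketEncryptionType:string, ServiceName:string)
[
    datetime(2019-10-01 08:00:00), 4624, "DC01.contoso.example", "svc_backup", "10.0.0.15", "3 - Network", "NTLM",     "NTLM V1", "",     "",
    datetime(2019-10-01 08:01:00), 4624, "FS01.contoso.example", "alice",      "10.0.0.50", "3 - Network", "NTLM",     "NTLM V2", "",     "",
    datetime(2019-10-01 08:02:00), 4624, "FS01.contoso.example", "bob",        "10.0.0.51", "3 - Network", "Kerberos", "-",       "",     "",
    datetime(2019-10-01 08:03:00), 4769, "DC01.contoso.example", "alice",      "10.0.0.50", "",            "",         "",        "0x12", "FS01$",
    datetime(2019-10-01 08:04:00), 4769, "DC01.contoso.example", "svc_legacy", "10.0.0.60", "",            "",         "",        "0x17", "legacyapp",
    datetime(2019-10-01 08:05:00), 4769, "DC01.contoso.example", "svc_legacy", "10.0.0.60", "",            "",         "",        "0x3",  "legacyapp"
];
SampleSecurityEvent
| where TimeGenerated between ((asof - 1d) .. asof)      // scope the window: Sentinel bills on data analyzed
| where EventID in (4624, 4769)
| extend Weakness = case(
    EventID == 4624 and AuthenticationPackageName == "NTLM" and LmPackageName == "NTLM V1", "NTLMv1 logon",
    EventID == 4624 and AuthenticationPackageName == "NTLM" and LmPackageName == "NTLM V2", "NTLMv2 logon",
    EventID == 4769 and TicketEncryptionType == "0x17",                                     "Kerberos RC4-HMAC ticket",
    EventID == 4769 and TicketEncryptionType in ("0x1", "0x3"),                             "Kerberos DES ticket",
    "")                                                   // Kerberos/AES logons fall through and are dropped below
| where isnotempty(Weakness)
| summarize Events   = count(),
            Accounts = make_set(TargetUserName, 10),
            Sources  = make_set(IpAddress, 10),
            Services = make_set_if(ServiceName, isnotempty(ServiceName), 10)
    by Weakness, Computer
| order by Weakness asc
```

On the constructed rows this returns four groups: the NTLMv1 logon by svc_backup on DC01, the NTLMv2 logon by alice on FS01, and the RC4 and DES tickets requested by svc_legacy for the legacyapp service; bob's Kerberos logon and alice's AES ticket are not reported. The Accounts and Services sets are what you need to find the clients or service accounts to fix before the protocol can be disabled in Group Policy.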
26. Enabling data sources
Threat Intelligence, Security Center
Azure Security Center – Standard (NB: remember the cost for the service). Define the Log Analytics Workspace and Auto Provisioning.
Machines onboarded to Defender ATP: https://securitycenter.windows.com
27. Enabling data sources
Custom Logs and log sources (Workspace - Advanced Settings - Data - Event Logs)
* Utilize Sysmon from Sysinternals to collect process information on infrastructure
30. Enabling data sources
● Microsoft Defender ATP data is not available in Sentinel
● No simple way to sanitize data; purge is only available through the REST API:
  Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2015-03-20
● Data Purger role (or higher) required
31. #ExpertsLiveNO
Configuring detection rules
• Automate Threat Detection Rules
• https://github.com/wortell/AZSentinel
• Big Thanks to Wortell!
• Or find predefined rules
• https://github.com/netevert/sentinel-analytics-library
• https://github.com/BlueTeamLabs/sentinel-attack
• Then add automated response
33. Example hunting Sentinel & Defender ATP
● Attack techniques defined by MITRE ATT&CK
Knowledge base -- https://attack.mitre.org/
● Universal but adapted using Kusto queries by Microsoft
https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries
https://github.com/Azure/Azure-Sentinel
34. Kusto Query Language
● Read-only request to process data and return results from a dataset
● Queries are built by naming the source table and piping it through statements with defined filters
Tables such as Office365 and VMConnection each expose columns (Column1, Column2, ...)
Query example:
Table1
| where Column1 == "value1"
| count
35. Example hunting Sentinel
• Looking for failed authentication attempts to virtual infrastructure (requires Security Center enabled)
SecurityEvent
| where EventID == 4625
| where AccountType == "User"
| summarize CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
• Looking for failed authentication attempts to the Azure portal (requires integration with Azure AD)
let timeRange = ago(1d);   // look back one day; the slide used timeRange without defining it
SigninLogs
| where TimeGenerated >= timeRange
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| where AppDisplayName contains "Azure Portal"
| where ResultType !in ("0", "50125", "50140")
Azure AD sign-in error codes: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
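The 4625 query above counts failures per account and source; the password-spray pattern from slide 11 is the inverse view, one source trying many accounts. As an added example (not from the slides), the query below groups failed logons per source IP, counts distinct accounts, and decodes the SubStatus codes so the analyst can tell "wrong password" from "no such user". Rows are constructed with datatable(); on a live workspace replace SampleSecurityEvent with SecurityEvent. The lookback, the threshold of 5 accounts and all hosts, accounts and IPs are assumptions.

```kql
// Added example, not from the slides: failed-logon spray detection over Windows 4625 events.
// Sample rows are constructed with datatable(); against a live workspace replace
// SampleSecurityEvent with the SecurityEvent table. Thresholds are assumptions.
let asof = datetime(2019-10-01 09:00:00);   // constructed reference time; use now() in production
let lookback = 1h;                          // keep the window tight: Sentinel bills on data analyzed
let spray_threshold = 5;                    // distinct accounts from one IP before we report it
let SampleSecurityEvent = datatable(TimeGenerated:datetime, EventID:int, Account:string, AccountType:string,
                                    LogonTypeName:string, SubStatus:string, Computer:string,
                                    WorkstationName:string, IpAddress:string)
[
    // rows 1-6: one source, one password, six accounts (the spray shape)
    datetime(2019-10-01 08:40:01), 4625, "CONTOSO\\alice",  "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10",
    datetime(2019-10-01 08:40:03), 4625, "CONTOSO\\bob",    "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10",
    datetime(2019-10-01 08:40:05), 4625, "CONTOSO\\carol",  "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10",
    datetime(2019-10-01 08:40:07), 4625, "CONTOSO\\dave",   "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10",
    datetime(2019-10-01 08:40:09), 4625, "CONTOSO\\erin",   "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10",
    datetime(2019-10-01 08:40:11), 4625, "CONTOSO\\nosuch", "User", "3 - Network",     "0xc0000064", "DC01", "-",    "203.0.113.10",
    // rows 7-8: one user mistyping a password at their own workstation (benign shape)
    datetime(2019-10-01 08:45:00), 4625, "CONTOSO\\frank",  "User", "2 - Interactive", "0xc000006a", "WS07", "WS07", "10.0.0.57",
    datetime(2019-10-01 08:45:20), 4625, "CONTOSO\\frank",  "User", "2 - Interactive", "0xc000006a", "WS07", "WS07", "10.0.0.57",
    // row 9: outside the lookback window, must be ignored
    datetime(2019-10-01 06:00:00), 4625, "CONTOSO\\alice",  "User", "3 - Network",     "0xc000006a", "DC01", "-",    "203.0.113.10"
];
SampleSecurityEvent
| where TimeGenerated between ((asof - lookback) .. asof)
| where EventID == 4625 and AccountType == "User"
// NTSTATUS sub-status codes as written by the Windows Security log
| extend FailureReason = case(
    SubStatus =~ "0xc000006a", "Wrong password",
    SubStatus =~ "0xc0000064", "User does not exist",
    SubStatus =~ "0xc0000234", "Account locked out",
    SubStatus =~ "0xc0000072", "Account disabled",
    "Other")
| summarize Attempts         = count(),
            DistinctAccounts = dcount(Account),
            Accounts         = make_set(Account, 10),
            Reasons          = make_set(FailureReason),
            FirstSeen        = min(TimeGenerated),
            LastSeen         = max(TimeGenerated)
    by IpAddress, Computer
| where DistinctAccounts >= spray_threshold
| extend SprayDuration = LastSeen - FirstSeen
| order by DistinctAccounts desc
```

On the constructed rows only 203.0.113.10 against DC01 is returned (6 attempts, 6 distinct accounts, Reasons containing both "Wrong password" and "User does not exist", SprayDuration 10 seconds); frank's two interactive failures stay below the threshold and the 06:00 row is outside the window. A "User does not exist" entry mixed into a spray is worth noting, since it suggests the account list was guessed rather than harvested.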
36. Example hunting Sentinel
• Mass Download Office 365 SharePoint
let historicalActivity=
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated between(ago(30d)..ago(7d))
| summarize historicalCount=count() by ClientIP;
let recentActivity = OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation in ("FileDownloaded", "FileUploaded")
| where TimeGenerated > ago(1d)
| summarize recentCount=count() by ClientIP;
recentActivity | join kind= leftanti (
historicalActivity
) on ClientIP;
Requires integration with Office 365
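The leftanti join above reports every ClientIP that downloaded in the last day but not during the 30d..7d baseline, so any new address, however little it pulled, shows up. As an added example (not from the slides), the following variant baselines each user's daily download volume over the same window and flags users whose last-day count is far above their own normal, which is closer to "mass download". The sample rows are synthesised with range and mv-expand rather than taken from a tenant; on a live workspace replace SampleOfficeActivity with OfficeActivity. User names, IPs, URLs and the ratio thresholds are assumptions.

```kql
// Added example, not from the slides: per-user volume baseline for SharePoint downloads.
// Sample rows are synthesised below; against a live workspace replace SampleOfficeActivity
// with the OfficeActivity table. Thresholds are assumptions.
let asof = datetime(2019-10-08 12:00:00);                 // constructed "now"; use now() in production
// Baseline: two users, two downloads per day, on each of days 8..29 before asof
let Baseline = range d from 8 to 29 step 1
| extend TimeGenerated = asof - d * 1d
| mv-expand UserId = dynamic(["alice@contoso.example", "bob@contoso.example"]) to typeof(string)
| mv-expand n = dynamic([1, 2]) to typeof(int)
| extend ClientIP = iff(UserId startswith "alice", "198.51.100.10", "198.51.100.20"),
         OfficeObjectId = strcat("https://contoso.sharepoint.example/docs/file", n, ".docx")
| project TimeGenerated, UserId, ClientIP, OfficeObjectId;
// Burst: alice pulls 25 files in the last day from an address absent from her baseline
let Burst = range n from 1 to 25 step 1
| extend TimeGenerated = asof - 2h, UserId = "alice@contoso.example", ClientIP = "203.0.113.77",
         OfficeObjectId = strcat("https://contoso.sharepoint.example/finance/report", n, ".xlsx")
| project TimeGenerated, UserId, ClientIP, OfficeObjectId;
let SampleOfficeActivity = union Baseline, Burst
| extend RecordType = "SharePointFileOperation", Operation = "FileDownloaded";
let Downloads = SampleOfficeActivity
| where RecordType == "SharePointFileOperation" and Operation == "FileDownloaded";
// Per-user daily baseline over the same 30d..7d window the slide's query uses
let HistoricalPerUser = Downloads
| where TimeGenerated between ((asof - 30d) .. (asof - 7d))
| summarize DailyCount = count() by UserId, Day = bin(TimeGenerated, 1d)
| summarize BaselineAvg = avg(DailyCount), BaselineMax = max(DailyCount) by UserId;
let Recent = Downloads
| where TimeGenerated > asof - 1d
| summarize RecentCount = count(),
            RecentIPs   = make_set(ClientIP),
            SampleFiles = make_set(OfficeObjectId, 5)
    by UserId;
Recent
| join kind=leftouter HistoricalPerUser on UserId      // users with no baseline keep null baseline columns
| extend BaselineAvg = coalesce(BaselineAvg, 0.0), BaselineMax = coalesce(BaselineMax, 0)
| extend Ratio = iff(BaselineAvg > 0, RecentCount / BaselineAvg, real(null))
// flag: 3x the user's busiest baseline day, or 20+ downloads from a user with no history at all
| where RecentCount > 3 * BaselineMax or (BaselineMax == 0 and RecentCount >= 20)
| project UserId, RecentCount, BaselineAvg, BaselineMax, Ratio, RecentIPs, SampleFiles
| order by RecentCount desc
```

On the synthesised data only alice is returned: RecentCount 25 against a BaselineAvg of 2.0 and BaselineMax of 2 (Ratio 12.5), with RecentIPs showing the new 203.0.113.77 address. Combining this with the slide's leftanti join on ClientIP gives two independent signals (volume and source novelty) that can be required together to cut false positives from legitimate bulk syncs.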
37. Example hunting Microsoft Defender ATP
• Use of Tor client on endpoint
NetworkCommunicationEvents
| where EventTime > ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe")   // events from the last 3 days (the slide had "<", which would select only older events)
// Returns MD5 hashes of files used by Tor, to enable you to block them.
// We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash).
| summarize MachineCount=dcount(ComputerName), MachineNames=makeset(ComputerName, 5) by InitiatingProcessMD5
| order by MachineCount desc
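The query above finds Tor only while the binary keeps its default name. As an added example (not from the slides or the Microsoft hunting-query repository), the following two-pass variant first marks hashes seen under a known Tor process name or talking to the default Tor relay and directory ports, then pivots on those hashes to catch renamed copies of the same binary, which is the point of the hash-based blocking the original comment mentions. Rows are constructed with datatable() in the 2019 schema this slide uses; on a live tenant replace SampleNetworkEvents with NetworkCommunicationEvents (in the current schema the table is DeviceNetworkEvents with Timestamp and DeviceName). All hashes, host names and IPs are constructed placeholders, and the port list and the extra obfs4proxy.exe name are my additions.

```kql
// Added example, not from the slides or the MS hunting repo: two-pass Tor detection.
// Pass 1 marks suspect hashes by process name or default Tor ports; pass 2 pivots on the
// hash so renamed copies of the same binary are included. Sample rows are constructed
// with datatable(); against a live tenant replace SampleNetworkEvents with
// NetworkCommunicationEvents. Hashes, hosts and IPs are constructed placeholders.
let asof = datetime(2019-10-01 12:00:00);   // constructed reference time; use now() in production
let SampleNetworkEvents = datatable(EventTime:datetime, ComputerName:string, ActionType:string, RemoteIP:string,
                                    RemotePort:int, InitiatingProcessFileName:string, InitiatingProcessMD5:string)
[
    // rows 1-2: tor.exe to a relay port on two hosts
    datetime(2019-10-01 10:00:00), "ws01.contoso.example", "ConnectionSuccess", "198.51.100.5", 9001, "tor.exe",     "00000000000000000000000000000001",
    datetime(2019-10-01 10:05:00), "ws02.contoso.example", "ConnectionSuccess", "198.51.100.5", 9001, "tor.exe",     "00000000000000000000000000000001",
    // row 3: same hash renamed and using 443, invisible to a name-or-port filter on its own
    datetime(2019-10-01 10:06:00), "ws03.contoso.example", "ConnectionSuccess", "198.51.100.9", 443,  "updater.exe", "00000000000000000000000000000001",
    // row 4: unknown binary on a directory port, port match only, needs triage
    datetime(2019-10-01 10:07:00), "ws04.contoso.example", "ConnectionSuccess", "203.0.113.30", 9030, "setup.exe",   "00000000000000000000000000000002",
    // row 5: ordinary browsing, must not match
    datetime(2019-10-01 10:08:00), "ws05.contoso.example", "ConnectionSuccess", "203.0.113.40", 443,  "chrome.exe",  "00000000000000000000000000000003",
    // row 6: outside the 3-day window
    datetime(2019-09-20 09:00:00), "ws06.contoso.example", "ConnectionSuccess", "198.51.100.5", 9001, "tor.exe",     "00000000000000000000000000000001"
];
// Pass 1: which hashes were seen under a Tor process name or on a default Tor port?
let SuspectHashes = SampleNetworkEvents
| where EventTime > asof - 3d and ActionType == "ConnectionSuccess"
| extend NameMatch = InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe", "obfs4proxy.exe"),
         PortMatch = RemotePort in (9001, 9030, 9050, 9051, 9150)   // ORPort, DirPort and local SOCKS defaults
| where NameMatch or PortMatch
| extend MatchedBy = case(NameMatch and PortMatch, "name+port", NameMatch, "name", "port")
| summarize MatchedBy = make_set(MatchedBy) by InitiatingProcessMD5;
// Pass 2: every connection made by a binary with a suspect hash, whatever it is called
SampleNetworkEvents
| where EventTime > asof - 3d
| join kind=inner SuspectHashes on InitiatingProcessMD5
| summarize MachineCount  = dcount(ComputerName),
            MachineNames  = make_set(ComputerName, 5),
            ProcessNames  = make_set(InitiatingProcessFileName),
            RemotePorts   = make_set(RemotePort)
    by InitiatingProcessMD5, MatchedBy
| order by MachineCount desc
```

On the constructed rows hash ...0001 comes back with MachineCount 3, ProcessNames [tor.exe, updater.exe] and RemotePorts [9001, 443], so the renamed copy on ws03 is attributed to the same binary; hash ...0002 is returned with MatchedBy ["port"] for a single host, which is a lead rather than a verdict, because 9001 and 9030 are not reserved for Tor. Prefer blocking on the hash over the name, and expect the port heuristic to trade precision for recall.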
38. Azure Sentinel and Defender ATP moving forward
● Heavily integrated solution across the Microsoft ecosystem
● Unified approach to logging and threat hunting across platforms (Identity, SaaS, Endpoint, PaaS and Infrastructure)
● More intelligence built in using Machine Learning and threat intelligence
● Automated response that can work across solutions
● Provides a decent set of capabilities to catch the bad guys
39. Questions and more information?
Article / Source | URL
Best Practice Workspace Design | http://bit.ly/2mlUhJE
Azure Sentinel Github Repository | http://bit.ly/2m6TSdU
Azure Sentinel and MSP | https://docs.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
Azure Sentinel price calculator | http://bit.ly/2mrGTns
Defender ATP Github Repo | https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries
Jupyter and Python Security Tools | https://github.com/microsoft/msticpy
Defender ATP Hunting Queries | https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries
Email: msandbu@gmail.com
Twitter: @msandbu
Blog: msandbu.org
40. Pricing
Example:
2 Virtual Machines running in Azure
• Collecting Network Flow Logs and Traffic Analysis
• Collecting Security Events (requires Security Center)
• 1 Year retention on Log Analytics Workspace
• Collecting Custom Logs (3 GB a month)
• Collecting Azure AD and Activity Logs (Activity Logs are free)
• Outbound ITSM calls
• Sentinel enabled and Logic Apps
Example cost per month
Security Center x2 VMs = $29,20
Log Analytics (Security Events free + VM logs (3 GB) + Retention) = $49,17
Network Watcher (logs ingested and traffic analysis) = $25,50
Azure Sentinel (GB analyzed) = $2,60
Outbound ITSM (within 1000 units free tier)
Total Cost = $106 per month
(Diagram of the pricing components per SKU:)
• Log Analytics Workspace: Retention (default 31 days retention free; Sentinel 90 days retention free; above 90 days, Log Analytics retention fees); Storage (default 5 GB storage free); Location
• Azure Monitor: Custom Metrics (cost per metric); Logs (alert rule cost); Activity Log (free); Notification through Action Groups (ITSM, SMS, Phone, Webhook, Email; some free units per month)
• Application Insight: 5 GB free per month; web test cost per month; ping probes free
• Azure Sentinel: billed for data analyzed (not ingested); Activity Log and Office365 analyzed is free
• Logic App: price per action run
• Azure Security Center: 500 MB free log ingestion per day to Log Analytics; per hour cost per VM; per hour cost for PaaS
• Azure Automation: 500 minutes process automation free per month; 5 nodes free
• Network Watcher: log ingestion + Log Analytics cost (default 5 GB log data free per month); cost for probes and Traffic Analysis
41. Pricing
• Sentinel pricing is based upon data analyzed, not ingested
• The more data in the datasets a hunting query touches, the higher the cost will be
• Use time filters or scoped queries to keep cost under control
• Some of the predefined queries have date limits defined, but not all!
• Still unsure if regular Log Analytics search queries will affect the cost.
• Some data is free to ingest and analyze: pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions.
42. MSP Approach
(Diagram: each customer subscription (Customer 0, Customer 1, Customer 2) holds its own Log Analytics workspace fed by that customer's log data: Office 365, Azure Active Directory, Microsoft Azure, Virtual Machines, Network Devices, Defender ATP, EMS and custom log sources, with its own Rules & Automation. The MSP's Azure Active Directory reaches each customer workspace through the Azure Portal using Delegated Access (Lighthouse).)
• Delegated Access using Lighthouse
• All rules and logic defined within each workspace
• No way to search across multiple tenants
• Cost still goes directly to the subscription owner