Today Microsoft released Azure Sentinel, a SIEM service running in the Cloud. Now looking at Sentinel is it not a completely new service it is built upon a lot of existing services in Azure such as Security Center, Log Analytics workspace which is being used to query and structure the data underneath. Still it brings some new enchancements which allows us to analyse the data further and follow-up using cases and alerting.
But again this brings Microsoft to the market where there is a bit crowded space already with vendors such as Splunk, QRadar, Arcsight, Sumologic, Alienvault, Exabeam and so on. So Microsoft has a lot to prove if they want to compete in this market as well and also provide integrations outside of their own platform and not just “microsoft” integrations. m
What does actually Sentinel bring to the table?
At first glance, it provides much of the same capabilities as Microsoft has already had with Log Analytics but also tight integration with all of Microsoft’s cloud products. They are also integrating with other products that they already have to provide security orchestration automated response using Playbooks which are integrated into Logic Apps.
What kind of data sources does it support?
Is essense it is three types of data that can be collected
- Native Microsoft Services – With native Microsoft services it is using API integration such as, Azure Activity, Azure IP, Azure AD Identity Protection, Azure AD, Office 365, Microsoft cloud security, Azure ATP, Azure Security Center. NOTE: Missing Intune based activity and Windows Defender ATP from the list.
- API based data sources – Using REST API to send data directly to Azure Sentinel, such as integration with AWS Cloudtrail which is still not enabled in the preview but can be used to stream activity from AWS to Sentinel.
- Agent based data sources – Is basically agents running on Windows or Linux that collects data locally or can also act as an syslog collector. This are used to collect data from sources such as Palo Alto, CheckPoint, Cisco and such.
When a data source is connected, which is a pretty simple process, Microsoft has a lot of prebuilt dashboards that can be added to enrich the data collection to give you instant overview. These agents
All dashboards can be installed directly but require that the dataset and schemas are available in the underlying OMS workspace or else it will not generate any data.
All the dashboards are built upon Kusto queries from the dataset, and can easily adjusted or you can create your own dashboard here is an example with a dashboard based upon Failed sign-ins, by location
SigninLogs
| extend ErrorCode = Status.errorCode
| extend FailureReason = Status.failureReason
| where ErrorCode !in ("0","5048","50140", "51006", "50059", "65001", "52004",
"50055", "50144","50072", "50074", "16000","16001", "16003", "50127", "50125",
"50129","50143", "81010", "81014", "81012")
| summarize amount = count() by Location
Analysing with Notebooks
Sentinel support the use of Jyputer Notebooks to do analysis of the data sources Jupyter is an open source project that lets you easily combine markdown text, executable code (Python, R, and F#), persistent data, graphics, and visualizations onto a single, sharable canvas called a notebook.
1: Download Python (Pref anaconda distribution from here –> https://www.anaconda.com/distribution/#download-section) then you can use the following section here to get started with Jyputer notebooks –> https://nbviewer.jupyter.org/github/Azure/Azure-Sentinel/blob/master/Notebooks/Get%20Started.ipynb
Or you can you cloudbased Azure Notebooks, which can be done by going into notebooks
And from there you can clone the Azure Sentinel Notebooks.
Running trough the initial notebook that Microsoft has made will list out some basic information using the Kusto library that is part of the notebook. One thing that you should note that is you need to run trough all the steps to authenticate. This is done by choosing each line and click “Run” command.
NOTE: You will notice that a command is done with you don’t see a Star in the [] to the left. If the kernel is running a command as part of the notebook it will state [*]
Sentinel Fusion
As part of Sentinel, Microsoft has also built-in machine learning. One such innovation is Azure Sentinel Fusion built especially to reduce false negative alerts.
Fusion uses graph powered machine learning algorithms to correlate between millions of lower fidelity anomalous activities from different products such as Azure AD Identity Protection, and Microsoft Cloud App Security, to combine them into a manageable number of interesting security cases. However Fusion is not enabled by default and you need to register that resource provider on your subscription first.
The example below can be run directly from cloud shell but you need to change the subscripiton ID and resource ID.
az resource update --ids /subscriptions/{Subscription Guid}/resourceGroups/
{Log analytics resource Group
Name}/providers/Microsoft.OperationalInsights/workspaces
/{Log analytics workspace Name}/providers/Microsoft.SecurityInsights
/settings/Fusion --api-version 2019-01-01-preview --set
properties.IsEnabled=true --subscription "{Subscription Guid}"
Kusto Query Language
Since Sentinel is using Log Analytics underneath it means that we can using Kusto query langugage to find information. A Kusto query is a read-only request to process data and return results. The request is stated in plain text, using a data-flow model designed to make the syntax easy to read, author, and automate. The query uses schema entities that are organized in a hierarchy similar to SQL’s: databases, tables, and columns.
You can see some examples of using Kusto here –> https://docs.microsoft.com/nb-no/azure/kusto/query/samples
Some other examples
Finding all signed in account +/- 1 hour
let GetAllLogonsForUser = (suspiciousEventTime:datetime, v_User:string){
//+-1h for any logons
let v_StartTime = suspiciousEventTime-1h;
let v_EndTime = suspiciousEventTime+1h;
SecurityEvent
| where TimeGenerated between (v_StartTime .. v_EndTime)
| where EventID == 4624
| where AccountType == "User"
| where tolower(Account) contains tolower(v_User)
| summarize min(TimeGenerated), max(TimeGenerated) by EventID, Account,
LogonTypeName, SubStatus, AccountType, Computer, WorkstationName,
IpAddress
| project min_TimeGenerated, max_TimeGenerated, EventID, Account,
LogonTypeName, SubStatus, AccountType, Computer, WorkstationName,
IpAddress
| top 10 by min_TimeGenerated asc nulls last
};
// change datetime value and <username> value below
GetAllLogonsForUser(datetime('2019-01-20T10:02:51.000'), tolower("<username>"))
but there is a bunch more examples with it comes to queries, dashboards and hunting on Github here –> https://github.com/Azure/Azure-Sentinel
Alerts and cases
Alerts and cases are also consisting of Kusto rules. Alerts are created when an threshold is reached because of a Kusto Query. As an example I can create an rule based upon if someone deallocated virtual machines using Azure Resource Manager
AzureActivity | where OperationName == "Deallocate Virtual Machine"
Then you define the threshold in terms of “greater then” or “fewer then” or “equals to”
What is missing?
- Missing integration with Windows Defender ATP which I see currently is the big miss. Since Windows Defender ATP itself has a large ecosystem for analytics and actually has SIEM integration with other vendors but not Sentinel is a big miss. However there is an internal connector coming soon.
- ITSM integration – I don’t see any option to integrate Sentinel with any form of ITSM tool directly from within the service. The only way to make an integration with ITSM is to have a response trigger as part of an alert to integrate with an ITSM tool or integrate it with Azure Monitor.
- Security Graph API is not integrated into this, as of now it has seperate connectors to each of the services.
Learn more?
Microsoft has also published this GitHub repo which has a pretty good list of examples that can be used to analyse using Jyputer notebooks –> https://github.com/Azure/Azure-Sentinel/tree/master/Notebooks
Also be sure to follow the following people on Twitter to get more information on the feature itself.
@RavivTamir
@RyanWHeff