Table of Contents
- What is SIEM and SOAR?
- What is Azure Sentinel?
- Azure Sentinel Pricing
- Log Analytics and Azure Sentinel Overview
- Deep Dive and Deployment
- Data Connectors
- Analytics Rules
- Hunting Rules
- Threat Intelligence
- Entity Behavior
- Extra sources of Information
Everything resides on the Internet now a days, whether it is some private photos or intellectual company information. With all of the benefits in the world that Internet has brought us, it came with lots of threats and dangers as well. Cyberthreats and Cybersecurity has become one of the most hot topics where large organizations spend millions and billions of Dollars just to stay protected out there. Hackers attack every 39 seconds i.e 2,244 times a day. 300,000+ new malware is created every day. Cybercrime is more profitable than the global illegal drug trade. The averge data breach now costs up to $3.92 million. 80% of hackers say “Humans are the most responsible for security breaches”. 43% of cyberatttacks target small businesses. On average, companies take about 197 days to identity and 69 days to contain a breach. Hackers steal 75 identities every second.
Microsoft Alone Spends around 1 Billion Dollars on just Security. Global Cybersecurity spending has been predicted to exceed 1 Trillion $ as per this Magazine Aritcle. All this spending is just done to secure ourselves from the threat out there. There is atleast 1,200 Petabytes ( 1.2 Million Terabytes ) sum total of data stored in just between Google, Amazon, Microsoft and Facebook. It is impossible to manually look at all that data all the time and keep it secure. This is where a SIEM and a SOAR solution comes in and helps us stay secure.
2. What is SIEM and SOAR?
It is impossible for a company or an individual to manually keep a check on all the logs that are getting generated daily. Security Information and Event Management (SIEM) solutions play an imporatant role in capturing all the data and offering a comprehensive view of an enterprise’s information security.
SIEM combines two technologies:- Security Information Management (SIM) and Security Event Management (SEM). SIM collects all the data and logs to conduct analysis and reports on cybersecurity threats and events. SEM is real-time monitoring and conducts co-relation between all the logs and events.
SOAR is an acronym for Security Orchestration, Automation and Response. SIEM generates endless number of alerts and incidents. It is really tough for the security analysts to manually look into them and manage all the cases. SOAR helps the organizations to design workflows and introduce playbooks to respond to security threats. They provide the automation capability that is much needed in today’s world to be efficient.
Some of the SIEM and SOAR solutions out there are:-
- Azure Sentinel
In this post we will be deep diving into Microsoft Azure Sentinel.
3. What is Azure Sentinel?
Azure Sentinel is Microsoft’s Security Infromation Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. It is scalable and cloud-native. Azure Sentinel provide smart security analytics and threat intelligence across the organization. It provides a single hub for threat visibility, alert detection, threat response and proactive hunting. Azure Sentinel provides advance SIEM and SOAR capabilities that every organization need to be secure out there. It is able to collect data at cloud scale across all devices, applications, users and infrastructure, both in multiple clouds and on-premise.
Image Source: “https://docs.microsoft.com/en-us/azure/sentinel/overview“
4. Azure Sentinel Pricing
Let’s just answer one of the most important questions before we proceed on how to deploy and work with it- How much does Azure Sentinel Costs?
There is no upfront cost, no terminations fees and you only pay for what you use. To simplify, Azure Sentinel the tool itself does not cost anything. The cost that is associated with it is based on Data ingestion. That means you only pay for what you want to ingest.
The Pay-As-You-Go pricing is $2.40 per GB-ingested.
There is Free Trial that you can take advantage of. It can be enabled at no additional cost for the first 31 days. Beyond that you will be charges on Pay-As-You-Go pricing model.
There are lots of promotions and discounts available as well:
|100 GB per Day||$120 per day||50%|
|200 GB per Day||$216 per day||55%|
|300 GB per day||$312 per day||57%|
|400 GB per Day||$400 per day||58%|
|500 GB per Day||$480 per day||60%|
|More than 500 GB per Day||$480 per day + $96 per day for each 100GB increment after 500 GB.||60%|
One of the most important initiative that Microsoft took for Azure Sentinel, is that there is no cost for data ingested from the following sources: Azure Activity Logs, Office 365 audit Logs (includes Sharepoint, Exchange and One Drive) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel and Azure Monitor Log Analytics.
For More information please refer: https://azure.microsoft.com/en-ca/pricing/details/azure-sentinel/
5. Log Analytics and Azure Sentinel Overview
Azure Log Analytics is Microsoft’s OMS (Operations Management Suit) solution which ingests data from your cloud and on-prem resources. It is the primary tool for interactively analysing and editing log queries. Azure Sentinel is a tool that is build on top of Log Analytics. Log Analytics is the base of azure sentinel. Log Analytics gathers all the data and with Azure Sentinel we are able to analyse and secure our environment by constantly investigating that data.
6. Deployment and Deep Dive
Now its time to deep dive into Azure Sentinel, how it works and how to deploy it. We will be starting with how to create a workspace and a brief overview of the dashboard.
We will be using a Microsoft’s test demo environment for our walkthrough. The first and foremost step is to create a Log analytics workspace if you don’t have one.
Login to portal.azure.com
Search for Azure Sentinel > Click on Create > Create new workspace ( If you already have a log analytics workspace you will see it here ) > Select your subscription and Resource Group.
Once a workspace is created you will see the following Azure Sentinel Dashboard ( In your case it won’t have any data at the moment )
At first if you are completely new to Azure Sentinel it can look overwhelming but don’t worry, let’s go over each element that you see over in the dashboard.
On the top most part of the window we see “Last 24 hours”. This is the timeframe that this dashboard is showing events and incidents of, in this case 24 hours. We can change this timeframe to 7 days or 30 days and also put custom time as well. Below that we see total number of events that occured. Have in mind that these are not total number of incidents that occured but just events and logs. On its right we see total number of incidents and their status.
Here on the top left side we have Total number of events over time and date. With total number of alerts, total Performance metrics logs that are ingested, security events (ingested from servers, have a look at this blog for an idea Security Events) and others. Below that we have Potential malicious events found in the environment with location. On right top cornor we have the recent incidents that occured in the workspace. Below that we have data source anomalies and findings which we can deep dive into as well.
2. Data Connectors
Once we have a workspace in place, the first and foremost things to setup are the data connectors. We need data to start flowing into sentinel before we can start analysing them. Microsoft has done a great job of making this process really easy, even for most of the 3rd party data connectors. Let’s start with the free data ingestion connectors i.e Azure Active Directory and Office 365.
From the Azure Sentinel Dashboard select > Data Connectors from the left panel > Look for Azure Active Directory and select > From bottom right cornor click on Open Connectors Page.
Once there you will have the full details and the data that is gonna be ingested. On the left panel you will see the description about the connector. Below that it shows the Data Types which are greyed out at the moment. Once they are connected they turn green ( which is a good indicator to check health ). On the right panel it shows us the Prerequisites in terms of permissions we need to make any changes. Below we see the configurations. Its as simple as it looks, just click the ticket mark and apply changes and that data will start flowing to your sentinel Workspace. And like this you can connect all the data connectors that you want to see getting ingested from. To see how to ingest security events from the on-prem servers and enable auditing of Account and group membership changes review this article: Security Events
To review the list of all 3rd party connectors please view the following page:
3. Analytic Rules
Analytic rules are set of KQL ( Kusto Query Language ) queries which are scheduled to run and have a set lookback period. Whenever the analytic rule finds any output it creates a corresponding incident of the severity as specified by the rule. This is where the analysis comes in. With all the data that we have, analytic rules constantly run and look towards all that data and finds information that is really useful. To put this to context let’s go over how to add analytic rules and what to look for.
Lets start from the left side. First Select Analytics from the Left pane. You will be at “Active Rules” Tab and for start there will be nothing as we havn’t added any analytic rule yet. From the middle window at top select “Rule Templates”. These are all the rules that come from Microsoft and also Github community. When we select an analytic rule in our case “User account enabled and disabled within 10 minutes” > On right panel we see all the description and details associated with that particular rule. On top we see Severity i.e “Medium” and rule type as “Scheduled”.
There are 2 types of rules that can be created.
1. Scheduled Rules:
These are the rules which have a set rule frequency i.e Run query every 1 day ( Can be set to anything ) and also Rule Period ( Last 1 Day of data etc ). There is a threshold that we can set ( Trigger alert if query returns more than 0 results ). We can also group the incidents being generated together. There is capability of setting up automation response ( playbooks ) as well.
2. Microsoft incident Creation Rules:
These are the rules which generate incident based on incident generation from other microsoft security sources such as Identity Protection, Microsoft Cloud App Security, Microsoft Defender ATP etc. Note: These type of rules do not have the ability to set automated response. So, you will not be able to get alerted on these incidents. Although, there is an Automation module in preview which can be used to run playbooks whenever these incidents are generated.
To create a new analytic rule we go into the “Templates” blade under analytic rule tab> Then we select the rule that we want to add. Once selected we just hit Create Rule from botthom right cornor of the screen as shown in above image. This will open another window with all the information associated with the rule. We would have the following tabs:
General: This tab shows the Name, Description, Tactics, Sevverity and Status of the rule. We can modify all the things over here. Make sure the status is enabled and we set the severity according to our requirements.
Set Rule Logic: This tab review the query results ( Whenever the query runs what results are shown ), Alert Enrichment ( We have the ability to map entities generated by the rules to appropriate fields available. This enables Azure Sentinel to recognize and classify the data in these fields for further analysis), Query scheduling ( here we specify when do we want the query to run and what should be the lookup data be), Alert Threshold ( A threshold to set on alert to only create an incident when number of query results are greater than this number ), Event Grouping ( We can groups all events according to our needs ) This is indeed one of the most useful tab when it comes to optimization of the rules.
Incident Settings: This is the other most important tab to configure under analytic rules. It has the following options: Incident Settings ( Azure Sentinel alerts can be grouped together into an Incident that should be looked into. ) and Alert Grouping ( Set how the alerts that are triggered by this analytics rule, are grouped into incidents.
Grouping alerts into incidents provides the context you need to respond and reduces the noise from single alerts. )
Automated Response: This is the tab where we can select the playbook that we need it to run whenever an incident is generated. Remember: To enable playbooks to trigger automatically it is important to select the playbook under this tab for each analytic rule that we want it to run.
4. Hunting Rules
Time to go over Hunting Rules. In simple terms, hunting rules are same as analytic rules i.e set of pre-defined KQL queries. The only difference is that hunting rules unlike analytic rules do not create incidents and are not scheduled to run over time. Although the benefit here is we can run all queries at once and view the results which makes a great technique for hunting and looking behind the scenes of the environment.
We have the ability to click on the “star” icon beside every rule to book mark it. With this ability we can keep the important rules on top. We can also change them into analytic rules if we want them to run over a scheduled period. We can view the data sources, the total results and tactics associated with each rule. Sentinel whenever onboarded comes with a number of hunting rules by default. If we need to add more we can import from Github.
Workbooks is one of the most important feature of Azure Sentinel. In normal terms, they are logs presented in a form of graphs and tables. This makes it easier to proactively check the environment quickly rather than manually typing in big log queries. Azure Sentinel has around 90-100 templates in place for almost all kinds of table data schemes including 3rd party sources.
To add new workbooks go to Azure Sentinel Dashboard> Workbooks from left menu > Search for the workbook you are looking for > click on save from bottom right corner.
It will save the workbook in the “My Workbooks” tab where you can view them easily and also edit and customize them.
Some of the workbooks I personally make sure to check are:
- Azure AD Audit Logs
- Azure AD Audit, Activity and Sign-in Logs
- Azure AD Sign-in Logs
- Azure Key Vault Security
- Cybersecurity Maturity Model Certification ( CMMC )
- Insecure Protocols
- Workspace Audit
These workbooks are much more beneficial than we imagine. Doing a weekly or monthly proactive check on the data can make our investigations much more thorough and deep.
Any time we are working with a SIEM product, it is really crucial to filter out the noise and reduce the manual intervention as much as we can so we can focus on the critical and important alerts. Microsoft has done a good job in providing this with the “Automation” capability in Azure Sentinel.
To setup Automation > Go to Azure Sentinel Dashboard> Select Automation > Configure permissions.
You need to explicitly give permissions for automation rules to run playbooks. Automation rules allow you to centrally manage all the automation of incident handling. Automation rules streamline automation use in Azure Sentinel and enable you to simplify complex workflows for your incident orchestration processes. Automation rules are triggered by the creation of incidents. You can set conditions to govern when actions will run, based on the incident and entity details and on analytics rules. You can also set the order of actions and the rule’s expiration time.
7. Threat Intelligence
There are huge number of cyber attacks and campaigns that happen on a daily basis. Lots of large organizations, communities and Microsoft monitors them and saves the ip addresses, domains, hashes through which the attacks come from. This helps us monitor them in our environment for footprints. With Threat Intelligence ability in Azure Sentinel we are able to add these known malicious IP Addresses, Malwares, Botnets, Hashes and domains. Analytic Rules are configured through which they are investigated in the environment every 4-6 hours depending upon the schedule we set them to. Anytime these are found it creates a medium severity incident for us to look into.
Microsoft also provides a connector through which we are able to ingest all the known botnets and ip’s saved by Microsoft which makes our environment more secure. The connector is called Microsoft Threat Intelligence. Some other platforms where we can ingest data from into Azure Sentinel are: Palo Alto Networks MindMeld, MISP.
Azure Sentinel integrates with Microsoft Graph Security API data sources to enable monitoring, alerting, and hunting using your threat intelligence. Use this connector to send threat indicators to Azure Sentinel from your Threat Intelligence Platform (TIP), such as Threat Connect, Palo Alto Networks MindMeld, MISP, or other integrated applications. Threat indicators can include IP addresses, domains, URLs, and file hashes.
Adding more as when released.