Blogs by Ashwin

  Plan for the Azure Sentinel Workspace  You can install the Azure Sentinel solution in Log Analytics Workspace, whose implementation is mostly focused on the Log Analytics Workspace creation. The only important option when creating a new log on the Log Analytics Workspace is the region which specifies the location where the log data will reside. The three implementation options are:    Single-Tenant with a single Azure Sentinel Workspace Single-Tenant with regional Azure Sentinel Workspace Multi-Tenant Single-tenant single workspace This workspace can receive logs from resources in other regions within the same tenant. Generally the log data (when collected) always travel across different regions and stored in another region, which creates two possible concerns- first, it can incur a bandwidth cost. Second, if there is a data governance requirement to keep data in a specific region, then the single workspace option would not be an implementation option. Its pros and cons includes:

  Introduction to Azure Sentinel What is the Security Incident & Event Management (SIEM)? A tool that can be used by an organization to collect, analyze, and perform security operations on its computer systems is widely known as an SIEM and in its simplest form, it can enable you to: Collect and query logs. Do some form of correlation or anomaly detection. Create alerts and incidents based on your findings. An SIEM system might offer functionality such as: Log management- The ability to collect, store, and query the log data from resources within your environment. Alerting- A proactive look inside the log data for potential security incidents and anomalies. Visualization- Graphs and dashboards that provides visual insights into your log data. Incident management- The ability to create, update, assign, and investigate incidents that have been identified. Querying data- A rich query language, similar to that for log management, that you can use to query and understand your data.  Wha

  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat

  Use the Summarize Operator The count operator can create a new column with the help of its variations and with the calculated result for the specified fields. The By clause, makes the result set in three columns- Process, Computer, Count. The arg_max() and arg_min() functions can filter out top and bottom rows respectively while the make_functions return a dynamic (JSON) array based on the specific function's purpose. Use the Render operator to create visualizations The render operator generates a visualization of the query results. The supported visualizations are: areachart bacchant columnchart piechart scatterchart timechart   Build Multi-Table Statements Using KQL Use the Union operator The union operators take two or more tables and returns the rows of all of them and it is essential to understand how results are passed as well as impacted with the pipe character.  Use Join operator The join operator merges the rows of two tables to form a new table by matching the specified

  The Kusto Query Language (KQL) Statement Structure A KQL query is a read-only request to process the data and return results which is stated in plain text, using the data-flow model designed to make the syntax easy to read, write, and automate; while consisting of a sequence of query statements in which at least one of them is a tabular expression statement that produces data arranged in a table-like mesh of columns as well as rows.  The tabular expression statement's syntax has tabular data flow from one tabular query operator to another, starting with the data source and then flowing through a set of data transformation operators bound together through the use of pipe (|) delimiter.  Note- it is essential to understand how the results flow through the pipe "|". Everything on the left of the pipe is processed then sent to the right of the pipe. Access the Log Analytics demo environment If you have an account to log into Azure, then Microsoft can provide you with an acc

  To read part 1 please click  here MITRE ATT&CK Tactics Each alert type has a description, severity, and MITRE ATT&CK tactic. Security Center's kill chain intents are based on version 7 of the MITRE ATT&CK matrix and described in the table below: Tactic Description PreAttack It could be either an attempt to access a certain resource regardless of malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system, and identify an entry point. InitialAccess It is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates, etc. Persistence It is any access, action, or configuration change to a system that gi

  To read part 2 please click  here Security Alerts Security Center can generate alerts for resources deployed on Azure as well as on on-premises and hybrid cloud environments which are always triggered by advanced detections and are available only with the Azure Defender. Respond to today's threats There have been some important changes in the threat landscape over the last 20 years due to which the realities have been changed leading to an unprecedented level of professionalism in the attacker ranks. They are now interested in  stealing information, financial accounts, and private data- all of which they can use to generate cash on open market or use a particular business, political, or military position.  To counter these, organizations often deploy various point solutions focused on defending either the enterprise perimeter or endpoints by looking for known attack signatures and these solutions often tend to generate a high volume of low fidelity alerts, which requires a securi

  Protect Non Azure Resources Besides defending your Azure environment, you can also add Azure Defender capabilities to your hybrid environment to:  Protect your non Azure servers. Protect your VMs in other clouds (such as AWS and GCP). Protect SQL databases. For machines, the Log Analytics Agent is the only required technology while providing more insights for the security alerts, connecting other cloud providers resources to offer cloud security posture management information.  Add non Azure machines with Azure Arc Azure Arc enabled servers always preferred the way of adding your non Azure machines to the Azure Security Center while providing enhanced capabilities such as the option to enable the guest configuration policies on the machine, deploy the Log Analytics agent as an extension, simplify deployment with other Azure services, and more. What are Azure Arc enabled servers? Azure Arc enabled servers permits you to manage your windows and Linux machines hosted outside of Azure, o