Posts

Showing posts from May, 2021

Create Detections & Perform Investigations using Azure Sentinel

  Threat Detection with Azure Sentinel Analytics. What is Azure Sentinel Analytics? Azure Sentinel Analytics offers several capabilities that can be used to protect the data and resources at Contoso. Historical data collected from your workstations, servers, network devices, firewalls, intrusion prevention systems, sensors, and so on can be analyzed across sources to identify correlations and anomalies. Analytics rules can trigger alerts based on the attack techniques used by known malicious actors, and these rules can be set up so that your SOC is alerted regularly to potential security incidents in your environment. Why use analytics rules for security operations? Azure Sentinel Analytics plays a vital part in the overall detection of security threats by correlating and matching the signals that indicate the presence of a cyber security threat. You can get insights into where an attack originated from, what resources were compromised,
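
The correlation a scheduled analytics rule performs, shown as an added Python example (not code from the original post or from Azure Sentinel, where the same logic would be written in KQL): sign-in events are grouped per account and source IP, and an alert with its entities and ATT&CK tactic is raised when a burst of failures is followed by a success inside a time window. The event tuples, the threshold, the window and the lookback are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, account, source IP, result); not real telemetry.
SAMPLE_EVENTS = [
    ("2021-05-10T08:00:05", "alice", "203.0.113.7", "Failure"),
    ("2021-05-10T08:00:09", "alice", "203.0.113.7", "Failure"),
    ("2021-05-10T08:00:14", "alice", "203.0.113.7", "Failure"),
    ("2021-05-10T08:00:20", "alice", "203.0.113.7", "Failure"),
    ("2021-05-10T08:00:25", "alice", "203.0.113.7", "Failure"),
    ("2021-05-10T08:00:31", "alice", "203.0.113.7", "Success"),  # success after a burst of failures
    ("2021-05-10T08:02:00", "bob", "198.51.100.9", "Failure"),
    ("2021-05-10T08:02:30", "bob", "198.51.100.9", "Success"),   # one typo, then success: benign
    ("2021-05-10T09:30:00", "carol", "192.0.2.44", "Failure"),
    ("2021-05-10T09:30:01", "carol", "192.0.2.44", "Failure"),
    ("2021-05-10T09:30:02", "carol", "192.0.2.44", "Failure"),
    ("2021-05-10T09:30:03", "carol", "192.0.2.44", "Failure"),
    ("2021-05-10T09:30:04", "carol", "192.0.2.44", "Failure"),
    ("2021-05-10T09:30:05", "carol", "192.0.2.44", "Failure"),   # failures only: nothing to correlate with
]


def detect_failures_then_success(events, failure_threshold=5, window=timedelta(minutes=10)):
    """Correlate sign-in events per (account, source IP): raise one alert when at least
    `failure_threshold` failures are followed by a success inside `window`."""
    by_key = defaultdict(list)
    for ts, account, ip, result in events:
        by_key[(account, ip)].append((datetime.fromisoformat(ts), result))

    alerts = []
    for (account, ip), rows in by_key.items():
        rows.sort()  # chronological order per key
        for i, (ts, result) in enumerate(rows):
            if result != "Success":
                continue
            failures = [t for t, r in rows[:i] if r == "Failure" and ts - t <= window]
            if len(failures) >= failure_threshold:
                alerts.append({
                    "account": account,            # entity: account
                    "ip": ip,                      # entity: IP address
                    "failures": len(failures),
                    "first_failure": failures[0].isoformat(),
                    "success_at": ts.isoformat(),
                    "tactic": "CredentialAccess",  # ATT&CK tactic the rule is tagged with (assumed)
                })
                break  # one alert per (account, IP) per rule run
    return alerts


def run_scheduled_rule(events, now_iso, lookback_hours=1, **rule_args):
    """Mimic a scheduled analytics rule: evaluate only events inside the lookback period
    ending at `now_iso`; events outside it are ignored even if they would have matched."""
    now = datetime.fromisoformat(now_iso)
    lookback = timedelta(hours=lookback_hours)
    recent = [e for e in events if timedelta(0) <= now - datetime.fromisoformat(e[0]) <= lookback]
    return detect_failures_then_success(recent, **rule_args)


if __name__ == "__main__":
    for alert in run_scheduled_rule(SAMPLE_EVENTS, "2021-05-10T08:30:00"):
        print(alert)
```

The lookback matters in practice: a rule that runs hourly with a one-hour lookback will never see alice's burst if it runs at 10:00, which is why rule frequency and lookback are tuned together.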

Connect Threat Indicators to Azure Sentinel

  Plan for threat intelligence connectors. Azure Sentinel lets you import the threat indicators your organization uses, which can enhance your security analysts' ability to detect and prioritize known threats. Several Azure Sentinel features then become available or are enhanced: Analytics includes a set of scheduled rule templates you can enable to generate alerts and incidents based on matches between log events and your threat indicators. Workbooks provide summarized information about the threat indicators imported into Azure Sentinel and any alerts generated from analytics rules that match your threat indicators. Hunting queries allow security investigators to use threat indicators within the context of common hunting scenarios. Notebooks can use threat indicators when you investigate anomalies and hunt for malicious behaviors. There are two types of Threat Intelligence connectors: the TAXII connector and the Threat Intelligence Platforms connector. Bot
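
What the "matches of log events from your threat indicators" rule templates do, as an added Python example (not code from the original post or from Azure Sentinel): STIX 2 indicator patterns of the kind a TAXII feed delivers are parsed into observable type, property and value, indexed only while they are inside their valid_from/valid_until window, and then matched case-insensitively against log events. The indicators, the event field names (src_ip, dns_query, file_sha256) and the FIELD_MAP are constructed for this example; only the simple single-comparison pattern form is supported.

```python
import re
from datetime import datetime

# Constructed indicators in the shape a STIX 2 / TAXII feed delivers; not real threat intel.
SAMPLE_INDICATORS = [
    {"id": "indicator--a1", "pattern": "[ipv4-addr:value = '203.0.113.50']",
     "valid_from": "2021-05-01T00:00:00Z", "valid_until": "2021-12-31T00:00:00Z", "confidence": 80},
    {"id": "indicator--a2", "pattern": "[domain-name:value = 'malicious.example']",
     "valid_from": "2021-05-01T00:00:00Z", "valid_until": None, "confidence": 60},
    {"id": "indicator--a3",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
     "valid_from": "2021-01-01T00:00:00Z", "valid_until": "2021-02-01T00:00:00Z", "confidence": 90},  # expired by May
]

# Constructed log events to match against; the field names are this example's own schema.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "203.0.113.50", "dns_query": None, "file_sha256": None},
    {"id": 2, "src_ip": "10.0.0.8", "dns_query": "MALICIOUS.example", "file_sha256": None},
    {"id": 3, "src_ip": "10.0.0.9", "dns_query": None,
     "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"id": 4, "src_ip": "10.0.0.10", "dns_query": "intranet.contoso.example", "file_sha256": None},
]

# Only simple single-comparison STIX patterns are handled here: [type:property = 'value']
PATTERN_RE = re.compile(r"^\[(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")

# Which event field each observable type/property is compared with (assumed mapping).
FIELD_MAP = {
    ("ipv4-addr", "value"): "src_ip",
    ("domain-name", "value"): "dns_query",
    ("file", "hashes.'SHA-256'"): "file_sha256",
}


def parse_pattern(pattern):
    """Split a simple STIX pattern into (observable type, property, value)."""
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m.group("type"), m.group("prop"), m.group("value")


def _parse_time(value):
    # STIX timestamps use a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_lookup(indicators, now):
    """Index indicators by event field, keeping only those valid at `now`.
    Expired or not-yet-valid indicators are dropped so stale intel does not alert."""
    lookup = {}
    for ind in indicators:
        obs_type, prop, value = parse_pattern(ind["pattern"])
        if _parse_time(ind["valid_from"]) > now:
            continue
        if ind.get("valid_until") and _parse_time(ind["valid_until"]) <= now:
            continue
        field = FIELD_MAP[(obs_type, prop)]
        lookup.setdefault(field, {})[value.lower()] = ind
    return lookup


def match_events(events, lookup):
    """Return one hit per (event, field) whose value matches an active indicator, case-insensitively."""
    hits = []
    for ev in events:
        for field, table in lookup.items():
            value = ev.get(field)
            if value and value.lower() in table:
                ind = table[value.lower()]
                hits.append({"event_id": ev["id"], "field": field, "value": value,
                             "indicator": ind["id"], "confidence": ind["confidence"]})
    return hits


def run_ti_match(now_iso, indicators=SAMPLE_INDICATORS, events=SAMPLE_EVENTS):
    """Build the active-indicator index as of `now_iso` and match the events against it."""
    return match_events(events, build_lookup(indicators, _parse_time(now_iso)))


if __name__ == "__main__":
    for hit in run_ti_match("2021-05-15T00:00:00Z"):
        print(hit)
```

Carrying the indicator's confidence into the hit is what lets the downstream rule set alert severity or drop low-confidence matches instead of treating every feed entry alike.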

Connect Syslog Data Sources to Azure Sentinel

  Plan for the Syslog Connector. Events from Linux-based, Syslog-supporting machines or appliances can be streamed into Azure Sentinel using the Log Analytics agent for Linux. The host's native Syslog daemon collects local events of the specified types and forwards them locally to the agent, which streams them to your Log Analytics workspace. Log Analytics supports collection of messages sent by the rsyslog or syslog-ng daemons, where rsyslog is the default. The default Syslog daemon on version 5 of Red Hat Enterprise Linux (RHEL), CentOS, and Oracle Linux (sysklog) is not supported for Syslog event collection; to collect Syslog data from those versions, the rsyslog daemon should be installed and configured to replace sysklog. How does it work? Syslog is an event logging protocol that is common to Linux. When the Log Analytics agent for Linux is installed on your VM or appliance, the installation routine configures the local Syslog daemon to forward messages to the agent on TCP port 25224, which

Connect Common Event Format Logs to Azure Sentinel

  Plan for the Common Event Format Connector. Events from Linux-based, Syslog-supporting machines or appliances can be streamed into Azure Sentinel using the Log Analytics agent; this works for any device on which you can install the Log Analytics agent directly. Log Analytics supports collection of messages sent by the rsyslog or syslog-ng daemons, where rsyslog is the default. The default Syslog daemon on version 5 of Red Hat Enterprise Linux (RHEL), CentOS, and Oracle Linux (sysklog) is not supported for Syslog event collection, so sysklog should be replaced by the rsyslog daemon on these versions of Linux. How does it work? Syslog is an event logging protocol that is common to Linux. When the Log Analytics agent for Linux is installed on your VM or appliance, the installation routine configures the local Syslog daemon to forward messages to the agent on TCP port 25224, which in turn sends the messages to your Log Analytics workspace over HTTPS, where they can be parsed into an e
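
The parsing step at the end of both the Syslog and the CEF flows above, shown as an added Python example (not code from the original posts or from the Log Analytics agent): an RFC 3164 syslog line is split into priority (facility and severity), timestamp, host and message, and when the message carries a CEF payload the seven pipe-delimited header fields and the key=value extension are decoded, honouring the backslash escapes for |, = and \ that real devices emit. The two sample lines are constructed for this example in the shape rsyslog forwards them.

```python
import re

# Constructed sample lines as rsyslog would forward them; not captured from a real device.
SAMPLE_LINES = [
    "<134>May 10 08:00:31 fw01 CEF:0|Palo Alto Networks|PAN-OS|9.1|TRAFFIC|Session\\|end|3|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 act=allow msg=matched rule\\=web-out",
    "<38>May 10 08:01:02 web01 sshd[1234]: Failed password for invalid user admin from 198.51.100.9 port 4444 ssh2",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s(?P<msg>.*)$"
)
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# key=value pairs; a value runs (allowing escaped characters) until the next " key=" or end of string.
EXT_RE = re.compile(r"(?:^|\s)([\w.]+)=((?:\\.|[^\\=])*?)(?=\s[\w.]+=|$)")


def _unescape(value):
    # Undo CEF escaping: a backslash before =, | or \ yields that character; \n and \r are line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_cef_header(text):
    """Split the seven pipe-delimited header fields, honouring escaped pipes and backslashes.
    Returns (fields, remainder); the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, text[i:]


def parse_cef(message):
    """Return the decoded CEF record, or None when the message is plain syslog."""
    if not message.startswith("CEF:"):
        return None
    fields, extension = split_cef_header(message[len("CEF:"):])
    if len(fields) != len(CEF_HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    record = dict(zip(CEF_HEADER_FIELDS, fields))
    record["severity"] = int(record["severity"])
    record["extension"] = {k: _unescape(v) for k, v in EXT_RE.findall(extension)}
    return record


def parse_syslog(line):
    """Parse an RFC 3164 line; facility and severity are derived from the <PRI> value."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    record = {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
              "host": m.group("host"), "message": m.group("msg")}
    record["cef"] = parse_cef(record["message"])
    return record


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
```

Splitting the header with a small scanner rather than a plain split on "|" is deliberate: a product name or signature containing an escaped pipe would otherwise shift every later field, and the severity would end up in the extension.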

Connect Windows Hosts to Azure Sentinel

  Plan for the Windows Hosts Security Events Connector. The Security Events connector lets you stream all security events from your Windows systems to your Azure Sentinel workspace. You can select which events to stream from among the following sets: All events: all Windows security and AppLocker events. Common: a standard set of events for auditing purposes. A full user audit trail is included in this set. There are also auditing actions such as security group changes, key domain controller Kerberos operations, and other types of events in line with accepted best practices. The Common event set may contain some types of events that aren't so common; this is because the main point of the Common set is to reduce the volume of events to a more manageable level while still maintaining full audit trail capability. Minimal: a small set of events that might indicate a potential threat. This set does not contain a full audit trail. It covers only the events that might indicate a successful breac

Connect Microsoft 365 Defender to Azure Sentinel

  Plan for Microsoft 365 Defender Connectors. The Microsoft 365 security portal provides a purpose-driven user interface to mitigate threats detected by Microsoft 365 Defender, whose products include: Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, and Microsoft Cloud App Security. Each of these products has a connector that can send alerts to the SecurityAlert table in Sentinel. In the Microsoft 365 Defender connector, only Microsoft Defender for Endpoint data is currently configurable. Connect alerts from Microsoft Defender for Office 365. Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools; the following types of alerts are ingested: A potentially malicious URL click was detected. Email messages containing malware removed after delivery. Email messages containing phish URLs removed after delivery. Email report

Connect Data to Azure Sentinel Using Data Connectors

  Ingest Log Data with Data Connectors. To collect log data, connect your data sources to Azure Sentinel with data connectors. The Data connectors page displays a growing list of the connectors provided by Azure Sentinel; selecting Open connector page opens the detailed connector page, which has a left and a right blade. The left blade provides information about the connector, the connector's status, and, if connected, the last time a log was received. The right blade has two tabs: Instructions and Next steps. The Instructions tab differs by connector and lists the Prerequisites and Configuration steps to follow to connect the data source. The Next steps tab offers a quick reference to workbooks, query samples, and analytics rule templates. Data connectors can only be disconnected/deactivated, not deleted. Note: the connector does not install workbooks and analytics templates, as they are already available in the Sentinel environment for out-of-the-box connector

Use Watchlists in Azure Sentinel

  Plan for Azure Sentinel Watchlists. Azure Sentinel watchlists let you collect data from external data sources for correlation with the events in your Azure Sentinel environment. Common scenarios for using watchlists include: Investigating threats and responding to incidents quickly with the rapid import of IP addresses, file hashes, and other data from CSV files. Once imported, you can use watchlist name-value pairs for joins and filters in alert rules, threat hunting, workbooks, notebooks, and general queries. Importing business data as a watchlist. For example, import lists of users with privileged system access, or of terminated employees, and then use the watchlist to create allow and deny lists used to detect or prevent those users from logging in to the network. Reducing alert fatigue. Create allow lists to suppress alerts from a group of users, such as users from authorized IP addresses that perform tasks that would normally trigger the alert, and prevent
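
The deny-list and allow-list scenarios above, shown as an added Python example (not code from the original post or from Azure Sentinel, where the join would be a KQL query over the watchlist's SearchKey): two CSV watchlists are loaded, a terminated-employee list drives a detection on sign-ins, and an authorized-scanner list suppresses port-scan alerts from approved source ranges while still recording what was suppressed. The CSV contents, the event records and the rule names are constructed for this example.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed watchlist contents, in the CSV form you would upload to Sentinel; not real data.
TERMINATED_EMPLOYEES_CSV = """UserPrincipalName,TerminationDate,Note
mallory@contoso.example,2021-04-30,contract ended
"""
AUTHORIZED_SCANNERS_CSV = """SourceRange,Owner
10.10.0.0/24,Vulnerability management
192.0.2.10/32,Approved penetration test
"""

# Constructed events: sign-ins plus port-scan style detections from a network sensor.
SAMPLE_EVENTS = [
    {"type": "SignIn", "user": "alice@contoso.example", "src_ip": "10.0.5.5", "result": "Success"},
    {"type": "SignIn", "user": "Mallory@contoso.example", "src_ip": "203.0.113.21", "result": "Success"},
    {"type": "PortScan", "src_ip": "10.10.0.55", "ports_hit": 1200},
    {"type": "PortScan", "src_ip": "203.0.113.9", "ports_hit": 950},
    {"type": "PortScan", "src_ip": "192.0.2.10", "ports_hit": 3000},
]


def load_watchlist(csv_text, search_key):
    """Parse watchlist CSV into {search_key value: row}, mirroring the column Sentinel joins on."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {row[search_key]: row for row in rows}


def run_rules(events, terminated, scanner_ranges, scan_threshold=500):
    """Deny-list rule: any sign-in by a terminated employee alerts (case-insensitive UPN match).
    Allow-list rule: port scans at or above the threshold alert unless the source is an
    authorized scanner; suppressed sources are returned separately for audit."""
    terminated_upns = {upn.lower(): row for upn, row in terminated.items()}
    allowed_nets = [ip_network(r) for r in scanner_ranges]
    alerts, suppressed = [], []
    for ev in events:
        if ev["type"] == "SignIn" and ev["user"].lower() in terminated_upns:
            row = terminated_upns[ev["user"].lower()]
            alerts.append({"rule": "TerminatedEmployeeSignIn", "user": ev["user"],
                           "src_ip": ev["src_ip"], "terminated_on": row["TerminationDate"]})
        elif ev["type"] == "PortScan" and ev["ports_hit"] >= scan_threshold:
            src = ip_address(ev["src_ip"])
            if any(src in net for net in allowed_nets):
                suppressed.append(ev["src_ip"])  # authorized scanner: no alert, but keep a record
            else:
                alerts.append({"rule": "InternalPortScan", "src_ip": ev["src_ip"],
                               "ports_hit": ev["ports_hit"]})
    return alerts, suppressed


def run_sample():
    """Load both watchlists and run the rules over the constructed events."""
    terminated = load_watchlist(TERMINATED_EMPLOYEES_CSV, "UserPrincipalName")
    scanners = load_watchlist(AUTHORIZED_SCANNERS_CSV, "SourceRange")
    return run_rules(SAMPLE_EVENTS, terminated, scanners.keys())


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for alert in alerts:
        print("ALERT", alert)
    print("suppressed sources:", suppressed)
```

Matching the UPN case-insensitively and the scanner by network range rather than exact string is what keeps the watchlist useful against real sign-in logs, where casing varies and approved scanners come from a subnet, not one address.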

Query Logs in Azure Sentinel

  Query Logs on the Logs Page. In Azure Sentinel, the Logs page provides access to the query window and lets you run queries, save queries, run saved queries, create a new alert rule, and export results. To run a query, enter the query text and press the Run button. The query results appear in the bottom section of the form. Understand Azure Sentinel Tables. Azure Sentinel's analytics rules generate alerts and incidents by querying the tables in Log Analytics, and Sentinel also provides tables that act as a repository for indicators and watchlists. Some Sentinel data connectors can ingest alerts directly. The tables below are the Azure Sentinel feature-related tables: SecurityAlert: contains alerts generated by Sentinel analytics rules; it also includes alerts created directly by Sentinel data connectors. SecurityIncident: Alerts