Perform Evidence & Entities Investigations (part 2)

By Ashwin Venugopal -



To read part 1 please click here 


Investigate a User Account

You can easily identify the user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate the cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between the devices with that user account.

You can find user account information in the following views:

  • Dashboard
  • Alert queue
  • Device details page

A clickable user account link is available in these views, which will take you to the user account details page where more details about the user account are shown and when you investigate a user account entity, you will see:

User details

The User details pane on left provides information about the user, like the related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and log-on types. The Azure ATP alert sections contains a link that will take you to the Azure ATP page if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.

Overview

The Overview tab shows the incident details and a list of the devices the user has logged on to. You can also expand these to see the details of the log-on events for each device.

Alerts

The Alerts tab provides a list of the alerts that are associated with the user account which is a filtered view of the Alert queue and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.

Observed in organization

This tab allows you to specify a date range to see a list of the devices where this user was observed logged on to, the most frequent and the least logged on user account for each of these devices, and the total observed users on each device. By selecting an item on the Observed in organization table, you will expand the item, revealing more details about the device while directly selecting a link within a item will send you to the corresponding page. 

Investigate an IP Address

you can keep in check the possible communication between your devices and external Internet Protocol (IP) addresses while simultaneously identifying all the devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of the breach, associated files, and infected devices. You can find information from the following sections in the IP address view:

  • IP Worldwide and Reverse DNS names- The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS.

  • Alerts related to this IP- The alerts related to this IP section provides a list of the alerts that are associated with the IP.

  • IP in organization- The IP in the organization section provides details on the prevalence of the IP address in the organization.

  • Prevalence- The prevalence section displays how many devices have connected to this IP address and when the IP was the first and the last seen. You can also filter the results of this section by time period; the default period is 30 days. 

Investigate a Domain

You can easily investigate a domain to see if the devices and the servers in your enterprise network have been communicating with a known malicious domain by using the search feature or by clicking on a domain link from the Device timeline. You can see the information from the following sections in the URL view:
  • URL details, Contacts, Nameservers
  • Alerts related to this URL
  • URL in organization
  • Most recent observed devices with URL

URL worldwide

The URL worldwide section lists the URL, a link to further details, the number of related open incidents, and the number of active alerts.

Incident

The incident card displays a bar chart of all the active alerts in incidents over the past 180 days. 

Prevalence

This card provides details of the URLs prevalence within the organization over a specified period of time. and although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available for prevalence is over the past day, while the longest range is over the past six months.

Alerts

This tab provides a list of the alerts that are associated with the URL while the table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more. 

Observed in organization

This tab provides a chronological view of the events and the associated alerts observed on the URL while including the timeline and a customizable table listing the event details such as, the time, device, and a brief description of what happened. Investigate a domain:
  1. Select URL from the Search bar drop-down menu.
  2. Enter the URL in the Search field. 
  3. Select the search icon or press Enter. The details about the URL are displayed. Search results will only be returned for the URLs observed in the communications from the devices in the organization. 
  4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all the devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
  5. Selecting any of the device names will take you to that device's view, where you can continue to investigate reported alerts, behaviors, and events.   



To read part 1 please click here 




Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more

Design Planning (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Complex Organizational Structures SIEM can be an expensive security control, hence, it is common multiple businesses to contribute to the overall expense. Various organizational units may require a level of access to specific dashboards or sets of data. Microsoft Sentinel offers the ability to assign table-level permissions and limit the level of access to the minimum required to perform requisite job functions.  Role-based Access Control (RBAC) Requirements Microsoft Sentinel offers an extensive list of Azure built-in roles that can be used to provide granular access according to the job requirements and permitted level of access. Some of them are various Microsoft Sentinel dedicated roles: Microsoft Sentinel Contributor- Can perform all engineering-related configuration, such as creating alert rules, configuring data connectors, and additional similar tasks.  Microsoft Sentinel Reader- Can query the log data stor
Read more