Perform Evidence & Entities Investigations (part 2)



To read part 1 please click here 


Investigate a User Account

You can easily identify the user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate the cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between the devices with that user account.

You can find user account information in the following views:

  • Dashboard
  • Alert queue
  • Device details page

A clickable user account link is available in these views and takes you to the user account details page, which shows more details about the user account. When you investigate a user account entity, you will see the following sections:

User details

The User details pane on the left provides information about the user, such as the related open incidents, active alerts, SAM name, SID, Azure ATP alerts, the number of devices the user is logged on to, when the user was first and last seen, role, and log-on types. The Azure ATP alerts section contains a link that takes you to the Azure ATP page if you have enabled the Azure ATP feature and there are alerts related to the user; the Azure ATP page provides more information about those alerts.

Overview

The Overview tab shows the incident details and a list of the devices the user has logged on to. You can also expand these to see the details of the log-on events for each device.

Alerts

The Alerts tab provides a list of the alerts associated with the user account. It is a filtered view of the Alert queue, showing only alerts where the user context is the selected user account, together with the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, its status in the queue, and who is assigned to it.

Observed in organization

This tab allows you to specify a date range and see a list of the devices where this user was observed logged on, the most and least frequently logged-on user account for each of these devices, and the total number of observed users on each device. Selecting an item in the Observed in organization table expands it to reveal more details about the device, while selecting a link within an item takes you directly to the corresponding page.
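As an added illustration of what the Observed in organization table summarizes (this is example code written for this post, not code from the original article or from the product), the following Python computes the same per-device figures from a constructed set of logon events, and additionally flags devices where the investigated account is the least frequent of several logons, which is the pattern worth a closer look when checking for lateral movement. The device names, account names and timestamps are all invented.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logon events: (device, account, ISO timestamp).
# These are invented for the example and are not real telemetry.
LOGON_EVENTS = [
    ("ws-01", "contoso\\alice", "2024-03-01T08:00:00"),
    ("ws-01", "contoso\\alice", "2024-03-02T08:05:00"),
    ("ws-01", "contoso\\svc-backup", "2024-03-02T23:00:00"),
    ("ws-02", "contoso\\bob", "2024-03-03T09:30:00"),
    ("ws-02", "contoso\\bob", "2024-03-04T09:30:00"),
    ("ws-02", "contoso\\bob", "2024-03-05T09:30:00"),
    ("ws-02", "contoso\\alice", "2024-03-05T21:10:00"),
    ("srv-db-01", "contoso\\alice", "2024-03-10T02:15:00"),
    ("srv-db-01", "contoso\\dba", "2024-02-01T10:00:00"),  # outside the March window
]


def observed_in_organization(events, account, start, end):
    """Per-device summary for every device where `account` logged on
    between `start` and `end` (ISO-8601 strings, inclusive).

    Returns {device: {...}} with the figures the Observed in organization
    table shows: the account's logon count, the most and least frequently
    logged-on user, and the total number of observed users."""
    start_t, end_t = datetime.fromisoformat(start), datetime.fromisoformat(end)
    per_device = defaultdict(Counter)
    for device, user, ts in events:
        if start_t <= datetime.fromisoformat(ts) <= end_t:
            per_device[device][user] += 1

    summary = {}
    for device, counts in per_device.items():
        if account not in counts:
            continue  # the investigated account never logged on here
        ranked = counts.most_common()  # sorted by logon count, descending
        summary[device] = {
            "logons_by_account": counts[account],
            "most_frequent_user": ranked[0][0],
            "least_frequent_user": ranked[-1][0],
            "total_observed_users": len(counts),
        }
    return summary


def rare_logon_devices(summary, account):
    """Devices where the investigated account is the least frequent of
    several users: a logon that is unusual for that device and therefore
    worth scrutinizing when checking for lateral movement."""
    return [
        device
        for device, info in summary.items()
        if info["total_observed_users"] > 1 and info["least_frequent_user"] == account
    ]


if __name__ == "__main__":
    s = observed_in_organization(LOGON_EVENTS, "contoso\\alice", "2024-03-01", "2024-03-31")
    for device, info in s.items():
        print(device, info)
    print("unusual logons for contoso\\alice:", rare_logon_devices(s, "contoso\\alice"))
```

Running it for `contoso\alice` lists ws-01, ws-02 and srv-db-01; only ws-02 is flagged, because there alice is the rarest of two users, whereas on srv-db-01 she is the only user seen in the window and on ws-01 she is the most frequent.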

Investigate an IP Address

You can check for communication between your devices and external Internet Protocol (IP) addresses. Identifying all the devices in the organization that communicated with a suspected or known malicious IP address, such as a Command and Control (C2) server, helps determine the potential scope of the breach, the associated files, and the infected devices. You can find information in the following sections of the IP address view:

  • IP Worldwide and Reverse DNS names - The IP address details section shows attributes of the IP address such as its ASN and its reverse DNS name.

  • Alerts related to this IP - The alerts related to this IP section provides a list of the alerts that are associated with the IP.

  • IP in organization - The IP in organization section provides details on the prevalence of the IP address in the organization.

  • Prevalence - The prevalence section displays how many devices have connected to this IP address and when the IP was first and last seen. You can also filter the results of this section by time period; the default period is 30 days.

Investigate a Domain

You can easily investigate a domain to see if the devices and the servers in your enterprise network have been communicating with a known malicious domain by using the search feature or by clicking on a domain link from the Device timeline. You can see the information from the following sections in the URL view:
  • URL details, Contacts, Nameservers
  • Alerts related to this URL
  • URL in organization
  • Most recent observed devices with URL

URL worldwide

The URL worldwide section lists the URL, a link to further details, the number of related open incidents, and the number of active alerts.

Incident

The incident card displays a bar chart of all the active alerts in incidents over the past 180 days. 

Prevalence

This card provides details of the URL's prevalence within the organization over a specified period of time. The default time period is the past 30 days, but you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available for prevalence is the past day, while the longest is the past six months.

Alerts

This tab provides a list of the alerts associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only the alerts associated with the domain, along with their severity, status, associated incident, classification, investigation state, and more.

Observed in organization

This tab provides a chronological view of the events and the associated alerts observed on the URL, including a timeline and a customizable table listing event details such as the time, the device, and a brief description of what happened.

To investigate a domain:
  1. Select URL from the Search bar drop-down menu.
  2. Enter the URL in the Search field. 
  3. Select the search icon or press Enter. The details about the URL are displayed. Search results will only be returned for the URLs observed in the communications from the devices in the organization. 
  4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all the devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
  5. Selecting any of the device names will take you to that device's view, where you can continue to investigate reported alerts, behaviors, and events.   
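The prevalence figures used in both the IP address view and the URL view (number of devices, first and last seen, the files associated with the communication, and a default 30-day window) can be computed the same way from network connection telemetry. The following Python is an added example written for this post, not code from the original article or from the product. The connection events, the TEST-NET IP address, the domain names and the fixed reference time are all constructed; the function returns None when the indicator was never observed in the window, mirroring the search behaviour described in step 3.

```python
from datetime import datetime, timedelta

# Constructed sample outbound-connection events, invented for this example:
# (device, remote IP, remote URL, ISO timestamp, initiating file).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the domains are example names.
CONNECTION_EVENTS = [
    ("ws-01", "203.0.113.10", "updates.example.net", "2024-03-01T08:00:00", "svchost.exe"),
    ("ws-03", "198.51.100.7", "cdn.example.org", "2024-03-05T12:00:00", "chrome.exe"),
    ("ws-03", "203.0.113.10", "updates.example.net", "2024-03-12T12:30:00", "loader.exe"),
    ("srv-db-01", "203.0.113.10", "updates.example.net", "2024-03-20T03:10:00", "loader.exe"),
    ("ws-07", "203.0.113.10", "updates.example.net", "2024-01-15T10:00:00", "loader.exe"),  # older than 30 days
]

# Fixed reference time so the example is deterministic (an assumption, not the live clock).
NOW = datetime(2024, 3, 25)


def prevalence(events, indicator, now=NOW, days=30):
    """Prevalence of an IP address or URL in the organization over the last `days`.

    Returns None when the indicator was never observed in the window; otherwise
    a dict with the device count, first/last seen, the initiating files, and a
    per-device breakdown."""
    window_start = now - timedelta(days=days)
    per_device = {}
    for device, ip, url, ts, filename in events:
        if indicator not in (ip, url):
            continue  # the same function serves the IP view and the URL view
        seen = datetime.fromisoformat(ts)
        if not (window_start <= seen <= now):
            continue  # outside the selected time period
        entry = per_device.setdefault(device, {"first_seen": seen, "last_seen": seen, "files": set()})
        entry["first_seen"] = min(entry["first_seen"], seen)
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["files"].add(filename)

    if not per_device:
        return None
    return {
        "indicator": indicator,
        "device_count": len(per_device),
        "first_seen": min(e["first_seen"] for e in per_device.values()),
        "last_seen": max(e["last_seen"] for e in per_device.values()),
        "files": sorted({f for e in per_device.values() for f in e["files"]}),
        "devices": per_device,
    }


if __name__ == "__main__":
    for indicator in ("203.0.113.10", "updates.example.net", "evil.example.com"):
        print(indicator, prevalence(CONNECTION_EVENTS, indicator))
    print("90-day view:", prevalence(CONNECTION_EVENTS, "203.0.113.10", days=90)["device_count"])
```

With the default 30-day window the IP is seen on three devices, and widening the range to 90 days pulls in the older ws-07 connection as a fourth, which is why the time-period filter matters when sizing the scope of a breach; the per-device file list (here two different initiating binaries for the same destination) is the starting point for the "associated files" part of the investigation.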


