Perform Threat hunting in Azure Sentinel

By Ashwin Venugopal -

 





CyberSecurity Threat Hunting

The term "threat hunting" is defined differently by different people. The most commonly used definition is that it is the idea that you are proactively hunting through your environment for a threat or a set of activities that you have not previously detected. 

Other uses of the term hunting includes searching for threats with newly obtained indicators. If a new IP Address considered harmful is provided by a Threat Intelligence Feed, an analyst can then note the IP address to search the log to find if the new indicator was seen in the past. Azure Sentinel already provides hunting queries to facilitate this process.Next, you can hunt for more evidence-based threats from a current Incident or Alert as part of an Incident Analysis Process which is vital to explore the data based on the evidence found in a current incident. Both Azure Sentinel and Microsoft 365 Defender provides this type of hunting capability.

Using KQL queries to find threats is the only thing common in all these approaches. Microsoft Defender and Microsoft Defender Endpoint are more focused on indicator and analysis type of hunting while Azure Sentinel provides more features to manage the threat hunting process.

Proactive hunts

Hunt should be done on the basis of a hypothesis which might start with "Operational Threat Intelligence", and then list the attackers' tactics and techniques. A hypothesis can search for a specific technique, not an indicator like an IP address and if a malicious activity is identified, we might have discovered the attacker earlier in the attack process before they have an opportunity to exfiltrate the data.

Process to hunt threats

Threat hunting is known as a continuous process and we can start at the top of our cycle with our hypothesis which helps us to plan out what we are going to hunt for, as well as requires us to understand where we are going to hunt and how we will do it. The hunting cycle doesn't stop when we execute hunt, there are still several phases we need to conduct throughout the life cycle, including responding to anomalies. Even if there is no active threat, there will always be activities to perform. Routine tasks should include:
  • Setting up new monitoring.
  • Improving our detection capabilities.  
Everything done in the threat hunting should be documented and it should include:
  • What, How, and Why
  • Input and Output
  • How to replicate the hunt
  • Next steps

Develop Threat Hunting Hypothesis

As we all know, Hunting should always start with a hypothesis i.e. the idea of what we are going to hunt and getting this right is critical because it drives our focuses on what we are going to do. There are many factors, but here are the key ones:
  • Keep it achievable- Don't perform a hunt where you know you have no hope of finding results because you don't have the data available or have insufficient knowledge about the threat to understand how to find it. 

  • Keep the scope narrow- Avoid broad a hypothesis such as "I am going to hunt for strange log-ons". Such a hypothesis fails to define what the results could mean.

  • Keep it time-bound- The time-bound is also used in documentation. If you time-bound your hunts there is a chance you will end up just repeating the same hunt on the same dataset. You will be able to say,"I did this hunt, at this time, covering this period". With this documented your team members will know what period was hunted for with this hypothesis.

  • Keep it useful & efficient- A good SOC team typically has a good idea about where their coverage is good and where it is weaker as well as needs improvement. There is no point in hunting fro an advanced threat that targets an industry you are not in or a platform you are not using.

  • Keep it related to the threat model that you are defending against- Otherwise, you may spend much time threat hunting for things that you will never find and which are not a threat.  

You should not start your Threat Hunting journey going after the most advanced threats, but you should start with the basics and incrementally mature your organization's Threat Hunting capabilities. You should always start with a simple Hunt Hypothesis and then gradually increase your capabilities.  








Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more