Threat Hunting with Azure Sentinel

By Ashwin Venugopal -

 



Manage Azure Sentinel Threat-Hunting Queries

To efficiently find and isolate security threats, and unwanted activities in Contoso's environment, you can use the Azure Sentinel which contains powerful query tools.

Hunt by using built-in queries

Search and query tools can be used in Azure Sentinel to hunt for security threats and tactics throughout your environment. The Hunting page in Azure Sentinel provides built-in queries that can easily guide your hunting process as well as helps you to pursue the appropriate hunting paths to uncover issues in your environment while also exposing issues with the help of Hunting Queries that aren't significant enough on their own to generate an alert but have happened often enough over time to warrant investigation. 

The Hunting page also provides a list of all hunting queries that can be saved by selecting the Favorites star icon for the query in the list. 

Tip- When a query is selected as a favorite, it runs automatically each time you open the Hunting page.

Hunt for Threats by Using the MITRE ATT&CK Framework

The MITRE ATT&CK framework is used by Azure Sentinel to categorize as well as order queries by tactics. ATT&CK is known as the knowledge base of tactics and techniques that are used as well as observed in the global threat landscape. Whenever you are threat hunting in Azure Sentinel, the ATT&CK framework can be used to categorize and run queries by using the MITRE ATT&CK tactics timeline. Selecting any tactic will filter the available queries by the selected tactic and these tactics includes:
  • Initial access- Tactics that the adversary uses to gain entry to a network, by exploiting vulnerabilities or configuration weaknesses in public-facing systems. An example is targeted spear-phishing.

  • Execution- Tactics that results in an adversary running their code on a target system. For example, a malicious hacker might run a PowerShell script to download more attacker tools and/or scan other systems.

  • Persistence- Tactics that allow an adversary to maintain access to a target system, even after restarts and credential changes. An example of a persistence technique is an attacker who creates a scheduled task that run their code at a specific time or on restart.

  • Privilege escalation- Tactics that an adversary uses to gain higher-level privileges on a system, such as local administrator or root.

  • Defense evasion- Tactics that attackers use to avoid detection. Evasion tactics includes hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, or disabling security software.

  • Credential access- Tactics deployed on systems and networks to steal usernames as well as credentials for reuse. 

  • Discovery- Tactics that adversaries use to obtain information about systems and networks that they want to exploit or use for their tactical advantage. 

  • Lateral movement- Tactics that allows an attacker to move from one system to another within a network. Common techniques include pass-the-hash methods of authenticating users and abuse of the Remote Desktop Protocol.

  • Collection- Tactics that an adversary uses to gather and consolidate the information they were targeting as part of their objectives.

  • Command & control- Tactics that an attacker uses to communicate with a system under their control. One example is an attacker communicating with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.

  • Exfiltration- Tactics used to move data from the compromised network to a system or network that's fully under control of an attacker.

  • Impact- Tactics that an attacker uses to affect the availability of systems, networks, and data. Methods in this category include denial-of-service attacks and disk-wiping or data-wiping software.   

Save Key Findings with Bookmarks

In Contoso's environment to hunt for threats, you should review large amounts of  log data for the evidence of malicious behavior and during this process, you might find events that you want to remember, revisit, as well as analyze as part of validating potential hypotheses while understanding the full story of a compromise.  

Hunt by using bookmarks

Bookmarks in Azure Sentinel are helpful in your hunt for threats by securing the queries you ran in Azure Sentinel, besides the query results that you deem relevant. Bookmarked data can be seen to both you and your teammates for easy collaboration. 

You can revisit your bookmarked data at any time on the Bookmarks tab of the Hunting page and can use filtering and search options to quickly find specific data for your current information. Alternatively, you can also review your bookmarked data directly in the HuntingBookmark table in your Log Analytics workspace. 

Note- Bookmarked events contains standard event information but can be used in different ways throughout the Azure Sentinel interface.

Observe Threats Overtime with Livestream

Hunting livestream can be used to test queries against live events as they occur which offers interactive sessions that can notify you whenever the Azure Sentinel finds matching events for your query. You can use a livestream to:

  • Test new queries against live events. 
  • Generate notifications for threats.
  • Launch investigations.

Livestream queries refresh after every 30 seconds and generate Azure notifications of any new results from the query. 


Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more