Threat Hunting with Azure Sentinel

Manage Azure Sentinel Threat-Hunting Queries

To find and isolate security threats and unwanted activity in Contoso's environment efficiently, you can use the query tools built into Azure Sentinel.

Hunt by using built-in queries

Azure Sentinel's search and query tools let you hunt for security threats and attacker tactics across your environment. The Hunting page provides built-in queries that guide the hunting process and help you pursue the appropriate hunting paths to uncover issues in your environment. Hunting queries also surface activity that is not significant enough on its own to generate an alert, but that has occurred often enough over time to warrant investigation.

The Hunting page also lists all available hunting queries. You can save a query for quick access by selecting the Favorites star icon next to it in the list.

Tip- When a query is marked as a favorite, it runs automatically each time you open the Hunting page.

Hunt for Threats by Using the MITRE ATT&CK Framework

Azure Sentinel uses the MITRE ATT&CK framework to categorize and order queries by tactic. ATT&CK is a knowledge base of adversary tactics and techniques observed in the global threat landscape. When you hunt in Azure Sentinel, you can use the MITRE ATT&CK tactics timeline on the Hunting page to filter and run queries by tactic; selecting a tactic filters the available queries to that tactic. The tactics are:
  • Initial access- Tactics the adversary uses to gain entry to a network, such as exploiting vulnerabilities or configuration weaknesses in public-facing systems, or targeted spear-phishing.

  • Execution- Tactics that result in an adversary running their code on a target system. For example, an attacker might run a PowerShell script to download more attacker tools or scan other systems.

  • Persistence- Tactics that allow an adversary to maintain access to a target system, even after restarts and credential changes. An example of a persistence technique is a scheduled task that runs the attacker's code at a specific time or on restart.

  • Privilege escalation- Tactics that an adversary uses to gain higher-level privileges on a system, such as local administrator or root.

  • Defense evasion- Tactics that attackers use to avoid detection. Evasion techniques include hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, and disabling security software.

  • Credential access- Tactics used on systems and networks to steal usernames and credentials for reuse.

  • Discovery- Tactics that adversaries use to obtain information about the systems and networks they want to exploit or use for tactical advantage.

  • Lateral movement- Tactics that allow an attacker to move from one system to another within a network. Common techniques include pass-the-hash authentication and abuse of the Remote Desktop Protocol.

  • Collection- Tactics that an adversary uses to gather and consolidate the information they were targeting as part of their objectives.

  • Command & control- Tactics that an attacker uses to communicate with a system under their control. One example is communicating with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.

  • Exfiltration- Tactics used to move data from the compromised network to a system or network that is fully under the attacker's control.

  • Impact- Tactics that an attacker uses to affect the availability of systems, networks, and data. Methods in this category include denial-of-service attacks and disk-wiping or data-wiping software.
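The following hunting query is an added example written for this page; it is not one of Azure Sentinel's built-in queries. It is the kind of hypothesis you would save on the Hunting page and tag with ATT&CK tactics: an account that accumulates many failed Windows logons (event 4625) from one source IP and then logs on successfully (event 4624) from the same IP within the following hour, which fits Credential Access (brute force) and, because only network and RemoteInteractive logons are kept, Lateral Movement. It assumes the SecurityEvent table is populated by the Windows Security Events connector; the lookback, failure threshold and success window are assumptions to tune for your environment. The trailing entity columns follow the convention used by Sentinel's hunting-query gallery so that results map to account, host and IP entities when you bookmark them.

```kql
// Added example hunting query (not from the page or Sentinel's gallery).
// Hypothesis: many failed logons for one account from one IP, followed by a
// successful logon from the same IP shortly afterwards.
// ATT&CK: Credential Access (brute force), Lateral Movement (network logon).
let lookback = 1d;          // assumption: how far back to hunt
let failThreshold = 10;     // assumption: failures that make the pattern interesting
let successWindow = 1h;     // assumption: how soon after the last failure a success counts
// Step 1: failed logons (4625), aggregated per account and source IP.
let failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where isnotempty(TargetUserName) and IpAddress != "-"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by TargetUserName, IpAddress
    | where FailedCount >= failThreshold;
// Step 2: successful network (3) or RemoteInteractive (10) logons (4624) for
// the same account from the same IP, inside the window after the last failure.
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| project SuccessTime = TimeGenerated, Computer, TargetUserName, IpAddress, LogonType
| join kind=inner failures on TargetUserName, IpAddress
| where SuccessTime > LastFailure and SuccessTime <= LastFailure + successWindow
| project SuccessTime, Computer, TargetUserName, IpAddress, LogonType,
          FailedCount, FirstFailure, LastFailure
| order by FailedCount desc
// Entity columns used by the hunting-query gallery, so the rows map to
// account, host and IP entities for bookmarking and investigation.
| extend timestamp = SuccessTime,
         AccountCustomEntity = TargetUserName,
         HostCustomEntity = Computer,
         IPCustomEntity = IpAddress
```

When you save this as a custom hunting query, select Credential Access and Lateral Movement as its tactics so it appears under those filters on the ATT&CK timeline; a hit is worth bookmarking rather than alerting on directly, because a single success after many failures may also be a user who finally typed the right password.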

Save Key Findings with Bookmarks

To hunt for threats in Contoso's environment, you review large amounts of log data for evidence of malicious behavior. During this process you will find events that you want to remember, revisit, and analyze as part of validating hypotheses and understanding the full story of a compromise.

Hunt by using bookmarks

Bookmarks help your hunt for threats by preserving the queries you ran in Azure Sentinel together with the query results that you deem relevant. Bookmarked data is visible to both you and your teammates, which makes collaboration easy.

You can revisit your bookmarked data at any time on the Bookmarks tab of the Hunting page, where filtering and search options help you quickly find specific data for your current investigation. Alternatively, you can review bookmarked data directly in the HuntingBookmark table in your Log Analytics workspace.

Note- Bookmarked events contain standard event information, but they can be used in different ways throughout the Azure Sentinel interface, for example by adding a bookmark to an incident and exploring it in the investigation graph.
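As an added example (not from the page), here is a query over the HuntingBookmark table that pulls the entities your team has bookmarked and shows which source IP addresses recur across bookmarks, a quick way to see when two hunters have independently flagged the same infrastructure. Column names such as BookmarkId, BookmarkName, QueryResultRow, CreatedBy, Notes and TimeGenerated are from the HuntingBookmark schema; the IpAddress and TargetUserName fields inside QueryResultRow are assumptions that hold only for bookmarks taken from queries that projected those columns, and the query assumes each create or update of a bookmark writes a new row, so it keeps only the latest row per BookmarkId.

```kql
// Added example (not from the page): review the team's bookmarks from the
// HuntingBookmark table and find source IPs flagged more than once.
// Assumption: each create/update of a bookmark writes a new row, so keep
// only the most recent row per BookmarkId.
let recentBookmarks = HuntingBookmark
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by BookmarkId;
// The bookmarked result row is stored as a dynamic object in QueryResultRow;
// IpAddress and TargetUserName exist only if the bookmarked query projected them.
// CreatedBy is a dynamic object; the "name" field is an assumption.
recentBookmarks
| extend BookmarkedIp = tostring(QueryResultRow.IpAddress),
         BookmarkedAccount = tostring(QueryResultRow.TargetUserName),
         Author = tostring(CreatedBy.name)
| where isnotempty(BookmarkedIp)
| summarize Bookmarks = count(),
            Hunters = dcount(Author),
            BookmarkNames = make_set(BookmarkName),
            Accounts = make_set(BookmarkedAccount),
            HunterNotes = make_list(Notes)
          by BookmarkedIp
| where Bookmarks > 1
| order by Hunters desc, Bookmarks desc
```

An IP that appears in bookmarks from several hunters, against several accounts, is a stronger candidate for an incident than any single bookmark, and the collected notes tell you what each hunter already checked.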

Observe Threats over Time with Livestream

Hunting livestream lets you test queries against live events as they occur. A livestream is an interactive session that notifies you whenever Azure Sentinel finds events matching your query. You can use a livestream to:

  • Test new queries against live events. 
  • Generate notifications for threats.
  • Launch investigations.

Livestream queries run every 30 seconds and generate Azure notifications for any new results.
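The query below is an added example of what you would run in a Livestream session, not a query from the page or from Sentinel's gallery. It watches live Windows logon events for a short list of IP addresses that earlier hunts identified; the list and its reasons are constructed for illustration and, in production, would live in a Sentinel watchlist (read with _GetWatchlist) or the ThreatIntelligenceIndicator table rather than in the query body. It assumes the SecurityEvent table is being populated while the session runs.

```kql
// Added example of a query for a Livestream session (not from the page).
// The indicator list is constructed for illustration; in production keep it
// in a Sentinel watchlist (_GetWatchlist) or the ThreatIntelligenceIndicator
// table rather than in the query body.
let watchedIps = datatable(IpAddress: string, Reason: string) [
    "203.0.113.42", "source of a password spray seen in an earlier hunt",
    "198.51.100.7", "beacon destination from a bookmarked finding"
];
// Livestream re-runs this query every 30 seconds and raises a notification
// for new results, so the query only needs to describe what a match looks like.
SecurityEvent
| where EventID in (4624, 4625, 4648)   // logon success, failure, explicit credentials
| where isnotempty(IpAddress)
| join kind=inner watchedIps on IpAddress
| project TimeGenerated, Computer, EventID, Activity, TargetUserName, IpAddress, Reason
| extend timestamp = TimeGenerated,
         HostCustomEntity = Computer,
         AccountCustomEntity = TargetUserName,
         IPCustomEntity = IpAddress
```

Start the livestream from the Hunting page, and when the first notification arrives you can bookmark the matching rows or launch an investigation directly from the session; once the query proves itself against live data, promote it to an analytics rule so it produces alerts without a hunter watching.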

