Use Entity Behavior Analytics in Azure Sentinel

User & Entity Behavior Analytics (UEBA)

The UEBA capability in Azure Sentinel takes the drudgery out of your analysts' workloads and the guesswork out of their efforts: it delivers high-fidelity, actionable intelligence so that they can focus on investigation and remediation.

Azure Sentinel collects logs and alerts from all of its connected data sources, analyzes them, and builds baseline behavioral profiles of your organization's entities across time and across peer groups. Using a range of techniques and machine learning capabilities, Sentinel can then identify anomalous activity and help you determine whether an asset has been compromised. It also works out the relative sensitivity of particular assets, identifies the peer groups of assets, and evaluates the potential impact of any given compromised asset. Armed with this information, you can prioritize your investigation and incident handling effectively.

Security-driven analytics

Azure Sentinel's UEBA is inspired by Gartner's paradigm for UEBA solutions and takes an "outside-in" approach, based on the following three frames of reference:

  • Use cases - Azure Sentinel prioritizes relevant attack vectors and scenarios based on security research aligned with the MITRE ATT&CK framework of tactics, techniques and sub-techniques, in which entities appear as victims, perpetrators or pivot points in the kill chain, and focuses specifically on the most valuable logs each data source can provide.

  • Data sources - While first and foremost supporting Azure data sources, Azure Sentinel selects third-party data sources that provide data matching those threat scenarios.

  • Analytics - Using various Machine Learning (ML) algorithms, Azure Sentinel identifies anomalous activities and presents the evidence clearly and concisely, in the form of contextual enrichments.

Azure Sentinel presents artifacts that help your security analysts understand anomalous activities in context and in comparison with the user's baseline profile. Every action a user performs is evaluated contextually along the following dimensions, where a "true" outcome on an enrichment indicates an identified anomaly:
  • across geographical locations, devices, and environments.
  • across time and frequency horizons.
  • as compared to peers' behavior.
  • as compared to organization's behavior. 
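To make the comparisons above concrete, here is an added example (not code from the original post or from Microsoft) of the same baselining logic written by hand in KQL against the Azure AD SigninLogs table: it learns each user's sign-in countries over a 30-day window, flags countries a user has not used before, and rates how common each country is across the whole tenant. The column names are the standard SigninLogs ones; the 30-day and 1-day windows and the "fewer than 5 users" rarity threshold are assumptions to tune for your environment.

```kql
// Added example, not from the original post. Hand-built version of the
// "compare to the user's own baseline and to the organization" comparison.
// Assumes the Azure AD SigninLogs table and its standard columns:
// TimeGenerated, UserPrincipalName, Location (ISO country code), ResultType.
let lookback = 30d;                 // assumed baseline window
let recent   = 1d;                  // assumed detection window
let rareCountryThreshold = 5;       // assumed: fewer distinct users than this = uncommon in tenant
// Baseline per user: every country the user signed in from successfully before the detection window
let userBaseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"        // "0" = successful sign-in
    | summarize by UserPrincipalName, Location;
// Baseline for the organization: how many distinct users signed in from each country
let orgBaseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"
    | summarize UsersFromCountry = dcount(UserPrincipalName) by Location;
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| summarize SignIns = count(), FirstSeen = min(TimeGenerated) by UserPrincipalName, Location
// leftanti keeps only (user, country) pairs that are NOT in the user's own baseline
| join kind=leftanti userBaseline on UserPrincipalName, Location
// attach the tenant-wide popularity of that country (0 if nobody used it in the baseline)
| join kind=leftouter orgBaseline on Location
| extend UsersFromCountry = coalesce(UsersFromCountry, 0)
| extend FirstTimeUserConnectedFromCountry = true,
         CountryUncommonInTenant = UsersFromCountry < rareCountryThreshold
| project FirstSeen, UserPrincipalName, Location, SignIns, UsersFromCountry,
          FirstTimeUserConnectedFromCountry, CountryUncommonInTenant
| order by toint(CountryUncommonInTenant) desc, FirstSeen asc
```

Run it in the Logs blade of the workspace. A row where both flags are true (new for the user and rare for the tenant) is the kind of event UEBA surfaces with a high investigation priority; a row that is new for the user but common in the tenant is usually a traveler or a new hire. The hand-rolled version has no peer-group comparison, which is one of the things the built-in models add.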

Explore Entities

Alerts sent to Azure Sentinel include data elements that Azure Sentinel identifies and classifies as entities, such as user accounts, hosts, IP addresses and others. If an alert does not contain sufficient information about an entity, this identification becomes difficult.

To minimize the risk of this happening, first verify that all of your alert providers properly identify the entities in the alerts they produce. Also synchronize user account entities with Azure AD, which provides a unifying directory that lets Sentinel merge user account entities that refer to the same user. The following entity types are currently identified in Azure Sentinel:

  • User account
  • Host
  • IP address
  • Malware
  • File
  • Process
  • Cloud application
  • Domain name
  • Azure resource
  • File hash
  • Registry key  
  • Registry value
  • Security group
  • URL
  • IoT device
  • Mailbox
  • Mail cluster
  • Mail message
  • Submission mail
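A quick way to perform that verification, as an added example (not from the original post): an inventory of which entity types each alert provider actually emits, plus the alerts that carry no entities at all. It assumes the SecurityAlert table, whose Entities column is a JSON string holding an array of entity objects that each carry a Type property (for example account, host, ip).

```kql
// Added example, not from the original post. Assumes the SecurityAlert table;
// its Entities column is a JSON string holding an array of entity objects,
// each with a "Type" property such as "account", "host" or "ip".
// Query 1: which entity types does each provider/alert actually populate?
SecurityAlert
| where TimeGenerated > ago(7d)
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| extend EntityType = tostring(Entity.Type)
| summarize Alerts = dcount(SystemAlertId), EntityTypes = make_set(EntityType)
    by ProviderName, AlertName
| order by Alerts desc

// Query 2: alerts that arrive with no entities at all and therefore
// cannot be tied to a user, host or IP on an entity page
SecurityAlert
| where TimeGenerated > ago(7d)
| where isempty(Entities) or array_length(parse_json(Entities)) == 0
| summarize NoEntityAlerts = count(), LastSeen = max(TimeGenerated) by ProviderName, AlertName
| order by NoEntityAlerts desc
```

Run the two queries separately (select one at a time in the Logs blade). A provider whose alerts appear only in the second result, or whose EntityTypes set lacks the account or host type you expect, is one to fix at the source, or, for your own scheduled analytics rules, through the rule's entity mapping.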

Entity Pages

When you encounter an entity in a search, an alert or an investigation, you can select it to open its entity page: a datasheet of useful information about that particular entity. The page shows basic facts about the entity, a timeline of notable events related to it, and insights about its behavior. An entity page consists of three parts:
  • The left-side panel contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender.

  • The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks, and activities. The queries that detect those activities are developed by Microsoft security research teams. 

  • The right-side panel presents behavioral insights on the entity. These insights help to quickly identify anomalies and security threats. The insights are developed by the Microsoft security research teams, and are based on anomaly detection models.  

Entity Insights

Entity insights are queries defined by Microsoft security researchers to help your analysts investigate more efficiently and effectively. They are presented as part of the entity page and offer valuable security information on hosts and users in the form of tabular data and charts. They cover sign-ins, group additions, anomalous events and more, and include advanced ML algorithms to detect anomalous behavior. They are based on the following data types (Log Analytics table names in parentheses):
  • Syslog (Syslog)
  • SecurityEvent (SecurityEvent)
  • Audit Logs (AuditLogs)
  • Sign-in Logs (SigninLogs)
  • Office Activity (OfficeActivity)
  • Behavior Analytics (UEBA; BehaviorAnalytics)
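Those UEBA enrichments are queryable directly. The following added example (not from the original post) lists a single user's recent activities that carry at least one "true" anomaly flag or a high investigation priority, which is the raw material behind the right-hand insights panel of a user's entity page. It assumes the BehaviorAnalytics table that UEBA populates and a handful of its documented enrichment keys (check them against your workspace schema); the user name is a constructed placeholder and the priority cut-off is an assumption.

```kql
// Added example, not from the original post. Assumes the BehaviorAnalytics
// table (populated once UEBA is enabled) with its documented columns:
// UserPrincipalName, ActivityType, ActionType, SourceIPAddress, SourceIPLocation,
// InvestigationPriority, and the dynamic bags ActivityInsights and UsersInsights.
let target = "alice@contoso.example";   // constructed placeholder UPN
let minPriority = 5;                     // assumed cut-off on the 0-10 scale
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where UserPrincipalName =~ target
// Each enrichment is a boolean; "true" means UEBA flagged that dimension.
// Missing keys come back null, so coalesce them to false before testing.
| extend NewCountryForUser   = coalesce(tobool(ActivityInsights.FirstTimeUserConnectedFromCountry), false),
         RareCountryForPeers = coalesce(tobool(ActivityInsights.CountryUncommonlyConnectedFromAmongPeers), false),
         RareCountryInTenant = coalesce(tobool(ActivityInsights.CountryUncommonlyConnectedFromInTenant), false),
         NewActionForUser    = coalesce(tobool(ActivityInsights.FirstTimeUserPerformedAction), false),
         RareActionForPeers  = coalesce(tobool(ActivityInsights.ActionUncommonlyPerformedAmongPeers), false),
         NewAppForUser       = coalesce(tobool(ActivityInsights.FirstTimeUserUsedApp), false)
| extend AnomalyCount = toint(NewCountryForUser) + toint(RareCountryForPeers) + toint(RareCountryInTenant)
                      + toint(NewActionForUser) + toint(RareActionForPeers) + toint(NewAppForUser)
| where AnomalyCount > 0 or InvestigationPriority >= minPriority
// User-level context UEBA attaches: how much damage this account could do, and whether it is new
| extend BlastRadius = tostring(UsersInsights.BlastRadius),
         IsNewAccount = tobool(UsersInsights.IsNewAccount)
| project TimeGenerated, UserPrincipalName, ActivityType, ActionType,
          SourceIPAddress, SourceIPLocation, InvestigationPriority, AnomalyCount,
          NewCountryForUser, RareCountryForPeers, RareCountryInTenant,
          NewActionForUser, RareActionForPeers, NewAppForUser,
          BlastRadius, IsNewAccount
| order by InvestigationPriority desc, AnomalyCount desc, TimeGenerated desc
```

The three country flags map onto the dimensions listed earlier on the page: the user's own history, the user's peers, and the organization as a whole. Rows where several flags are true at once on an account with a high BlastRadius are the ones to open first.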

How to use entity pages

Entity pages are designed to be part of multiple usage scenarios. They can be opened from incident management, the investigation graph, bookmarks, or directly from the entity search page under Entity behavior analytics in the Azure Sentinel main menu.





