Use Entity Behavior Analytics in Azure Sentinel

By Ashwin Venugopal -

 



User & Entity Behavior Analytics (UEBA)

To eliminate the drudgery from your analysts' workloads and the uncertainty from their efforts you can simply use the UEBA capability in Azure Sentinel, which delivers high-fidelity and actionable intelligence, so that they can focus on investigation as well as remediation.

Azure Sentinel collects logs and alerts from all of its connected data sources to analyze them as well as build baseline behavioral profiles of your organization's entities across time and peer group horizon. By using various techniques and machine learning capabilities, Sentinel can then easily identify anomalous activities as well as help you to determine if an asset has been compromised, while also figuring out the relative sensitivity of particular assets, identify the peer groups of assets, as well as evaluate the potential impact of any given compromised asset. Armed with this information, you can effectively prioritize your investigation and incident handling.

Security-driven analytics

 As Azure Sentinel is Inspired by the Gartner's paradigm for UEBA solutions, it offers an "outside-in" approach, based on the following three frames of reference:

  • Use cases- By prioritizing for relevant attack vectors and scenarios based on security research aligned with the MITRE ATT&CK framework of tactics, techniques, and subtechniques that put various entities as victims, perpetrators, or pivot points in the kill chain; Azure Sentinel focuses specifically on the most valuable logs each data source can provide. 

  • Data sources- While first and foremost supporting Azure data sources, Azure Sentinel thoughtfully selects third-party data sources to provide data that matches our threat scenarios. 

  • Analytics- Using various Machine Learning (ML) algorithms, Azure Sentinel identifies anomalous activities and presents evidence clearly as well as concisely in the form of contextual enrichments.     

Azure Sentinel offers the artifacts that can help your security analysts to get a clear understanding of anomalous activities in context, and in comparison with the user's baseline profile and all the actions performed by a user are evaluated contextually, where a "true" outcome indicates an identified anomaly:
  • across geographical locations, devices, and environments.
  • across time and frequency horizons.
  • as compared to peers' behavior.
  • as compared to organization's behavior. 

Explore Entities

The alerts that are sent to Azure Sentinel, includes data elements that Azure Sentinel identifies and classifies as entities, such as user accounts, hosts, IP addresses and others. If the alert does not contain sufficient information about the entity, this identification can become a challenge,.

In order to minimize the risk of this happening, you should first of all verify that all of your alert providers properly identify the entities in the alerts they produce while also synchronizing user account entities with Azure AD which may create a unifying directory, to be able to merge user account entities. The following types of entities are currently identified in Azure Sentinel:

  • User account
  • Host
  • IP address
  • Malware
  • File
  • Process
  • Cloud application
  • Domain name
  • Azure resource
  • File (FileHash)
  • Registry key  
  • Registry value
  • Security group
  • URL
  • IoT device
  • Mailbox
  • Mail cluster
  • Mail message
  • Submission mail

Entity Pages

If you encounter any entity in a search, an alert, or an investigation, you can select it and then take it to an entity page, which is a datasheet full of useful information about that particular entity. You can find various information this page including the basic facts about the entity, a timeline of notable events, related to this entity and insights about the entity's behavior. Entity pages consists of three parts: 
  • The left-side panel contains the entity's identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender.

  • The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks, and activities. The queries that detect those activities are developed by Microsoft security research teams. 

  • The right-side panel presents behavioral insights on the entity. These insights help to quickly identify anomalies and security threats. The insights are developed by the Microsoft security research teams, and are based on anomaly detection models.  

Entity Insights

Entity insights are the queries defined by the Microsoft security researchers to help your analysts investigate more efficiently and effectively. They are generally presented as a part of the entity page, and offers valuable security information on hosts as well as users, in the form of tabular data and charts. They include the data regarding sign-ins, Group Additions, Anomalous Events, and more, as well as includes advanced ML algorithms to detect anomalous behavior and are based on the following data types:
  • Syslog
  • SecurityEvent
  • Audit Logs
  • Sign-in Logs
  • Office Activity
  • Behavior Analytics (UEBA) 

How to use entity pages?

Entity pages are designed to be a part of multiple usage scenarios, and can be accessed from incident management, the investigation graph, bookmarks, or directly from the entity search page under Entity behavior analytics in the Azure Sentinel main menu.






Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more