Managing & Collecting Data (part 1)

To read part 2, please click here



Choosing Data that Matters

Data management plays a key role in the big data analytics on which a SIEM solution depends. Several platforms introduced recently can analyse logs locally and forward only the relevant events to the SIEM. These newer security products focus on collecting specific data and resolving threats within their own boundaries, for example:
  • Identity and Access Management (IAM) for continuous analysis and condition-based access, per session.
  • Endpoint Detection and Response (EDR) for detailed analysis on every host, with centralized analytics across devices for threat mapping and remediation.
  • A Cloud Access Security Broker (CASB) for user-behavior analytics across firewalls and external cloud-based solutions.
  • A Next-Generation Firewall (NGFW) for monitoring and responding to dynamic changes in behavior across internal- and external-facing networks.

While working with large data volumes, the 7 Vs of Big Data, described below, can guide your thinking:

  1. Volume: directly affects the cost of moving and storing the data.
  2. Velocity: affects the time it takes to respond to an event.
  3. Variety: prompts questions such as "Are we covering every aspect of our apps and infrastructure?" and "Where are the blind spots?"
  4. Variability: determine whether the available information is easy to understand.
  5. Veracity: determine the source and accuracy of the data.
  6. Visualization: confirm whether the data can be used to build visualizations and comparisons.
  7. Value: regularly review the value of the data, reduce waste, and retain what is valuable.

This information can be used to assess which data should be ingested into Microsoft Sentinel.
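As an added example (not from the original post), the following Kusto query over the Log Analytics Usage table turns the Volume, Velocity and Value points above into a per-table review for a Sentinel workspace; the 30-day window, the decimal GB conversion and the column names it produces are my choices.

```kql
// Added example: review 30 days of billable ingestion per table (DataType).
// Volume   -> IngestedGB     (cost of moving and storing the data)
// Velocity -> AvgLatencySec  (how long after generation the data became queryable)
// Value    -> PctOfTotal     (which tables dominate the bill; review those first)
let window = 30d;
let billable =
    Usage
    | where TimeGenerated > ago(window + 2d)   // Usage records lag; scan a little wider
    | where StartTime >= startofday(ago(window)) and EndTime < startofday(now())
    | where IsBillable == true;
// Quantity is reported in MB; 1000 MB per GB (decimal GB) is assumed here.
let totalGB = toscalar(billable | summarize TotalGB = sum(Quantity) / 1000.0);
billable
| summarize IngestedGB    = round(sum(Quantity) / 1000.0, 2),
            AvgLatencySec = round(avg(AvgLatencyInSeconds), 1)
  by DataType
| extend PctOfTotal = round(100.0 * IngestedGB / totalGB, 1)
// Map each table back to the connector family that feeds it, e.g.
//   SigninLogs / OfficeActivity  -> native (service-to-service) connector
//   AWSCloudTrail                -> direct connection
//   SecurityEvent                -> Windows Server Agent
//   Syslog / CommonSecurityLog   -> Syslog agent / Syslog agent with CEF
| order by IngestedGB desc
```

Tables with a large share of the total but no analytics rule or workbook consuming them are the first candidates for filtering at the source or dropping.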

Understanding Connectors

Connectors fall into four types according to how they ingest data from the source: native connections, direct connections, API connections, and agent-based connections (Windows Server Agent and Syslog).

Native connections - service to service

Microsoft Sentinel integrates directly with several services across the Microsoft security product range, such as:
  • Azure AD, including the advanced Identity Protection Solution
  • Office 365, including Exchange Online, Teams, and OneDrive for Business
  • Cloud App Security, the CASB and Cloud Workload Protection Platform (CWPP) solution
  • Microsoft Defender for Cloud, including Microsoft Defender Advanced Threat Protection (ATP)
  • Azure ATP 

Direct connections - service to service

A few connectors available in Microsoft Sentinel (such as those below) require configuration at the source; the connector page generally provides all the necessary information and a link to the appropriate location:
  1. Amazon Web Services (AWS), for AWS CloudTrail
  2. Azure Firewall
  3. Azure Front Door
  4. Azure Network Security Groups (NSGs); flow logs and rule activations
  5. Microsoft Intune; audit logs and operational logs  

API connections

These connectors allow Microsoft Sentinel to connect to a vendor's solution through its API, extract the logs and bring the data into Microsoft Sentinel. For example:
  1. Azure Information Protection (AIP)
  2. Barracuda Web Application Firewall
  3. Microsoft Web Application Firewall
  4. Symantec Integrated Cyber Defense Exchange (ICDx)
  5. Symantec Cloud Workload Protection

Agent-based

This connector type supports the widest range of data sources and is the industry-standard method of shipping logs between resources and SIEM solutions. There are three types, but you can deploy more than one according to your requirements, including several of the same type. They are:
  1. Windows Server Agent, 
  2. Syslog server, and
  3. Syslog server with CEF 
