Threat Hunting in Microsoft Sentinel (part 3)

 



To read part 1, please click here
To read part 2, please click here


Using Microsoft Sentinel Notebooks

In the navigation area of Microsoft Sentinel, press Notebooks to reach the notebooks page whose different sections are described below:
  • The header bar- On the left side of the header bar is a Sign up for Azure notebooks button which will take you to another page to sign up for this service; to the right is the Clone Notebooks button to help you to create a new project within notebooks along with a copy of the existing notebook stored in GitHub; on the right of that is Go to your notebooks button to take you to your instance of Azure notebooks. 

  • The summary bar- It generally shows the number of existing notebooks, the number of any coming soon, and a link to know more information about Azure notebooks. Here, you can view whether there are any new notebooks that have been added to Microsoft Sentinel or if they can be of any use.

  • The notebook list- Here, you can view all the available Jupyter Notebook templates provided by the Microsoft Sentinel GitHub repository, maintained and updated by Microsoft regularly. It shows the name of the notebook along with the authorizing company beneath it, while the last update time and the type (whether Hunting or Investigation) will be given to the right.

  • The notebook details pane- Whenever you select a notebook, it will show the notebook details blade where the notebook's name is at the top of the page, below it the name of the company that created it as well as the last time it was updated. There is also the Required data types field that can refer to the Microsoft Sentinel logs that it will be querying. The Launch Notebook Preview) button is located at the bottom of this blade which is capable of cloning the selected notebooks and can then take you into the notebook. 

Performing a Hunt

Although there are no set rules for running a hunt, but you can follow the following steps to focus your work:
  • Develop Premise- Here, you have to determine a few things like what is it that you are trying to find or prove?, Did a new user account perform actions that it shouldn't have?, is someone from foreign entity trying to gain access to your system?, etc. After developing the premise by specifying the given things, you can proceed further.

  • Determine Data- In this step, you can determine the type of data required to start your investigation with and if the needed data is not acquired, then you may have to go back and revise your premise. But, once you start finding the specific types of activities in the various logs, you can record them to find the data in the future. 

  • Plan Hunt- Now, you have to view the data gathered in the previous step and determine how to access it which can be easily done either by Microsoft Sentinel queries directly or you will have to look out for additional information with the help of a notebook. You might also write the queries as well as additional code, or use already written queries. 

  • Execute Investigation- Now you can execute your queries gained from the previous step which may be either in Microsoft Sentinel or/and in a notebook. Wherever the queries are run, but after looking at the results, you may have to revise your premise or know if you need more data and have to go back to the previous step.

  • Respond- After successfully gathering all the information, you can respond to the results of the investigation by simply plugging the new found security gap or escalate to your team, or the Chief Information Security Officer (CISO), Chief Information Officer (CIO), or even the board and present what you found. 

  • Monitor- Here, you have to determine how you can perform continuous monitoring to protect against your investigating situation or improve the ability to investigate again next time. It would be best to create an analytics query so that you can automatically find this situation and may be handled by a playbook.

  • Improve- In this step, you and the others can determine the way to improve the queries used in the hunt, and also how to avoid any further requirement of this hunt in the future. You can improve via rewriting the queries to be more specific, or changing the operating procedures, etc.  

These steps can be taken to start your threat-hunting investigation, but you should have your own repeatable process that is always improving, allowing you to share your results with your co-workers and threat-hunting community. 








To read part 1, please click here
To read part 2, please click here


Comments

Popular posts from this blog

Deployment (Part 3)

Query, Visualize, & Monitor Data in Azure Sentinel

Project Resourcing (Part 2)