Threat Hunting in Microsoft Sentinel (part 3)

By Ashwin Venugopal -

 



To read part 1, please click here
To read part 2, please click here


Using Microsoft Sentinel Notebooks

In the navigation area of Microsoft Sentinel, press Notebooks to reach the notebooks page whose different sections are described below:
  • The header bar- On the left side of the header bar is a Sign up for Azure notebooks button which will take you to another page to sign up for this service; to the right is the Clone Notebooks button to help you to create a new project within notebooks along with a copy of the existing notebook stored in GitHub; on the right of that is Go to your notebooks button to take you to your instance of Azure notebooks. 

  • The summary bar- It generally shows the number of existing notebooks, the number of any coming soon, and a link to know more information about Azure notebooks. Here, you can view whether there are any new notebooks that have been added to Microsoft Sentinel or if they can be of any use.

  • The notebook list- Here, you can view all the available Jupyter Notebook templates provided by the Microsoft Sentinel GitHub repository, maintained and updated by Microsoft regularly. It shows the name of the notebook along with the authorizing company beneath it, while the last update time and the type (whether Hunting or Investigation) will be given to the right.

  • The notebook details pane- Whenever you select a notebook, it will show the notebook details blade where the notebook's name is at the top of the page, below it the name of the company that created it as well as the last time it was updated. There is also the Required data types field that can refer to the Microsoft Sentinel logs that it will be querying. The Launch Notebook Preview) button is located at the bottom of this blade which is capable of cloning the selected notebooks and can then take you into the notebook. 

Performing a Hunt

Although there are no set rules for running a hunt, but you can follow the following steps to focus your work:
  • Develop Premise- Here, you have to determine a few things like what is it that you are trying to find or prove?, Did a new user account perform actions that it shouldn't have?, is someone from foreign entity trying to gain access to your system?, etc. After developing the premise by specifying the given things, you can proceed further.

  • Determine Data- In this step, you can determine the type of data required to start your investigation with and if the needed data is not acquired, then you may have to go back and revise your premise. But, once you start finding the specific types of activities in the various logs, you can record them to find the data in the future. 

  • Plan Hunt- Now, you have to view the data gathered in the previous step and determine how to access it which can be easily done either by Microsoft Sentinel queries directly or you will have to look out for additional information with the help of a notebook. You might also write the queries as well as additional code, or use already written queries. 

  • Execute Investigation- Now you can execute your queries gained from the previous step which may be either in Microsoft Sentinel or/and in a notebook. Wherever the queries are run, but after looking at the results, you may have to revise your premise or know if you need more data and have to go back to the previous step.

  • Respond- After successfully gathering all the information, you can respond to the results of the investigation by simply plugging the new found security gap or escalate to your team, or the Chief Information Security Officer (CISO), Chief Information Officer (CIO), or even the board and present what you found. 

  • Monitor- Here, you have to determine how you can perform continuous monitoring to protect against your investigating situation or improve the ability to investigate again next time. It would be best to create an analytics query so that you can automatically find this situation and may be handled by a playbook.

  • Improve- In this step, you and the others can determine the way to improve the queries used in the hunt, and also how to avoid any further requirement of this hunt in the future. You can improve via rewriting the queries to be more specific, or changing the operating procedures, etc.  

These steps can be taken to start your threat-hunting investigation, but you should have your own repeatable process that is always improving, allowing you to share your results with your co-workers and threat-hunting community. 








To read part 1, please click here
To read part 2, please click here


Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more

Threat Hunting in Microsoft Sentinel (part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Introducing the Microsoft Sentinel Hunting Page Threat hunting is a series activities performed while investigating and as there are no guidelines to perform it, the available tools on the Microsoft Sentinel can be introduced to perform better in your investigations. Firstly, you have to choose the Hunting link in the Microsoft Sentinel navigation menu to get to the Hunting page which is divided into the following sections: The header bar- It is located at the top of the page as usual and contains Refresh as well as timespan drop down menu. The New Query button can help you with creating a new query and the Run all queries button can run all the hunting queries in the background while also updating the hunting query list section with the number of results found.  The summary bar- Here, you can view the total number of queries available to run, the total number of bookmarks, the number of results from running live
Read more