Voiced by Amazon Polly |
Microsoft Sentinel performs the following activities related to logs:
- Collect
- Detect
- Investigate
- Respond
Detection is done with the help of Analytics rules written in the KQL query. User Entity Behavior Model (UEBA) detects compromised/malicious users. If detection using the above methods skips any anomalous situation, the hypothesis-based search can be initiated using collected logs. Such search is termed as “Hunting”.
Customized Cloud Solutions to Drive your Business Success
- Cloud Migration
- Devops
- AIML & IoT
Hypothesis
To search collected logs, motive/aim/idea/assumption is used as a starting point. Different activities, as per MITRE ATT&CK framework, are queried. Results of different queries are correlated to check the starting point of the search and the motive/aim/idea/assumption is satisfied. This brings a proactive approach towards security. The hunting process flow described by Microsoft is as follows:
Microsoft’s Threat Hunting Process [1]
The Hunting feature of Microsoft sentinel is located at Sentinel–>Threat management–>Hunting as shown below:
Microsoft Sentinel Hunting Dashboard [2]
The Hunting feature of Microsoft Defender is located at Microsoft Defender–>Hunting–>Advanced hunting as shown below:
Microsoft Defender Hunting Dashboard [3]
Explore the hunt creation process from portal.azure.com. Log analytics workspace, with Sentinel instance deployed, is connected with all data collection sources using data connectors. Once the logs start streaming in the log analytics workspace, start the hunt creation process.
Explore results of all hunting queries pre-filled in Sentinel’s hunting dashboard. Queries generating results can be clubbed and saved under one hunt. Running this saved hunt provides a result-delta. Use this parameter to keep watch on the increase/decrease in results.
Microsoft Sentinel pre-filled Hunting Queries results [4]
A new hunt, with a single query, can also be created. Referring to the MITRE ATT&CK framework, queries can be written for different techniques under the tactic of interest. Once the query is found to be generating evidence, it can be added to the hunt created.
Microsoft Sentinel Hunt Creation [5]
Knowledge of KQL (Kusto Query Language) is required to be able to hunt. Hunt creation and hunting should be a continuous process. Different features related to the created hunt are:
- Bookmarks
- Entities
- Queries
Microsoft Sentinel created Hunt features [6]
Bookmarks: Bookmarked results of hunting queries are displayed.
Entities: Selected hunt-related entities are displayed. Click on the entity directs to the UEBA page related to that entity. Actions taken include running a playbook and creating a threat indicator.
Queries: Selected hunt-related queries are displayed.
Livestream
Sentinel > Threat management > Hunting > Queries tab > Right-click on query > Select Add to livestream
Microsoft Sentinel Hunt Bookmarks Tab [7]
To monitor the result of a query added to the hunt as the related event occurs, add a query to Livestream. Queries without a time parameter included in the query are eligible to be added.
Sentinel > Threat management > Hunting > Livestream tab needs a play button to be clicked to show results live.
Microsoft Sentinel Hunt Livestream Tab [8]
Notebook
Microsoft Sentinel Hunt using Notebook [9]
To explore analysis and visualization with machine learning models implemented in Python, Notebook is a Threat management feature in Sentinel. Hunting with machine learning concepts gives more flexibility to the hunting process.
-
- Azure ML workspace creation
- Notebook creation from Template and Saving.
- Saved Notebook is launched to open it in Azure AML workspace.
- To use Notebook, click on Compute instance.
Hunting Queries from the Community Centre
Explore Sentinel queries at www.github.com/azure/azure-sentinel–>Hunting Queries folder.
GitHub Community Microsoft Sentinel Hunting Queries [11]
Hunting Queries from Data Connectors
Explore Sentinel queries at Sentinel–>Content management–>Content hub–>use filter Content Type–>select Hunting queries.
Microsoft Sentinel Content Hub Hunting Queries [12]
Hunting query
Example: Port opened for an Azure Resource. Go to Log Analytics and run the query
let lookback = 1d;
AzureActivity
| where TimeGenerated >= ago(lookback)
| where OperationNameValue has_any ("ipfilterrules", "securityRules", "publicIPAddresses", "firewallrules") and OperationNameValue endswith "write"
// Choosing Accepted here because it has the Rule Attributes included
| where ActivityStatusValue == "Accepted"
// If there is publicIP info, include it
| extend parsed_properties = parse_json(tostring(parse_json(Properties).responseBody)).properties
| extend publicIPAddressVersion = case(Properties has_cs 'publicIPAddressVersion', tostring(parsed_properties.publicIPAddressVersion), "")
| extend publicIPAllocationMethod = case(Properties has_cs 'publicIPAllocationMethod', tostring(parsed_properties.publicIPAllocationMethod), "")
// Include rule attributes for context
| extend access = case(Properties has_cs 'access', tostring(parsed_properties.access), "")
| extend description = case(Properties has_cs 'description', tostring(parsed_properties.description), "")
| extend destinationPortRange = case(Properties has_cs 'destinationPortRange', tostring(parsed_properties.destinationPortRange), "")
| extend direction = case(Properties has_cs 'direction', tostring(parsed_properties.direction), "")
| extend protocol = case(Properties has_cs 'protocol', tostring(parsed_properties.protocol), "")
| extend sourcePortRange = case(Properties has_cs 'sourcePortRange', tostring(parsed_properties.sourcePortRange), "")
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
ResourceIds = make_set(_ResourceId, 100)
by
Caller,
CallerIpAddress,
Resource,
ResourceGroup,
ActivityStatusValue,
ActivitySubstatus,
SubscriptionId,
access,
description,
destinationPortRange,
direction,
protocol,
sourcePortRange,
publicIPAddressVersion,
publicIPAllocationMethod
| extend
Name = tostring(split(Caller, '@', 0)[0]),
UPNSuffix = tostring(split(Caller, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = CallerIpAddress
Port opened for an Azure Resource [12]
Summary
A reactive approach is a traditional way to handle anomalous situations with respect to an organization’s security. A proactive approach secures the organization in a better way. Hunting follows a proactive security approach. Hunting logs round the clock predicts possible anomalous situations. KQL provides all the necessary commands required. Microsoft Sentinel’s hunting feature provides bookmarking and the live streaming of query results. Created hunts can be updated with newer queries whenever required. Export-import options introduce ease of hunting. With community support, at a great level, Microsoft’s Threat Hunting feature, implemented using Sentinel as well as Microsoft Defender, introduces much required proactiveness to security measure implementations.
References
[1] Understand cybersecurity threat hunts – Training | Microsoft Learn
[2][ 4][5][6][7][8][9] portl.azure.com/sentinel
[3] security.microsoft.com/Hunting/advanced hunting
[10] www.github.com/azure/azure-sentinel
[11] portal.azure.com/sentinel/content management
[12] Sentinel content hub
Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.
- Cloud Training
- Customized Training
- Experiential Learning
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
WRITTEN BY Sheetal Thakare
Click to Comment