By Mark Brezicky and Azure Security News
Now that Azure Sentinel has started collecting data, it’s time for a deep dive into each component to discover how to utilize the data. The examples below are sample use cases of what Azure Sentinel can do. It is by no means an extensive overview of the capabilities. There is a massive amount of potential available.
Always start simple with the built-in features Microsoft provides. Start with specific scenarios or risks you wish to monitor. Then build onto that with more advanced, specific queries as you identify potential threats that are impacting your organization. This blog outlines some sample use cases from the following components:
Workbooks allow you to take the data ingested into Azure Sentinel and visualize what it looks like. There are built-in templates provided by Microsoft and custom workbooks can be created. Workbooks can provide quick wins, since they’ll provide logical insights without requiring Sentinel expertise.
One such template is the Exchange Online Workbook, showing insights on email activities within the tenant. The following is an example of potential suspicious activities to investigate.
Another template, the Security Alerts workbook, provides a holistic view of where alerts are coming from and their overall severity. This can help identify where a lot of noise may be coming from and allow further investigate or modification of existing policies to reduce false positives.
Microsoft is disabling legacy authentication on Oct. 13, 2020 for several protocols. You can use the Insecure Protocols workbook to capture existing legacy authentication attempts to plan on migrating to Modern Authentication. This workbook can account for both Azure AD and on-premises Active Directory authentication.
Custom workbooks can be created to provide the exact insights you are looking for. You can add several different components including text labels, parameters for resource picker searches, and links and buttons for actions. Queries and metrics can be added for further customization. Finally, using the advanced editor, you can import Gallery or ARM templates to create the workbook from JSON code.
For advanced Security Operators and IT Pros, hunting allows proactive assessments against specific risks. They allow manual, proactive investigations into possible security threats based on the ingested data. Hunting is based off queries. Microsoft provided several built-in queries and custom queries can also be created. Once a query is created you can convert it into an analytic rule to run on a schedule.
Sample queries can also be obtained from each data connector page.
Once you have a solid query created, you can create an analytic alert rule to perform additional actions on those results. As with most other components of Azure Sentinel, Microsoft has also provided built-in analytic template rules with pre-created queries based on the data sources. You simply need to select the template and click Create rule.
During the creation of a template or custom analytic rule, you can configure specific settings to create an appropriate schedule and alert threshold. You can specify how often to run the query and how far back to search. In additional, alert threshold specifies how many results are required to issue an incident alert.
On the next page, you define whether to create an incident alert from the results. Alert Grouping will allow you to group a minimum number of results together rather than potentially creating an incident alert for each result
Finally, you can assign a playbook for automated remediation or actions against the results. More details about playbooks are below.
Incidents are only created when specified by an analytic alert rule. In the Azure Sentinel Portal, click on Incidents to view a list of all incidents created. Clicking on View full details provides additional information on the incident. You can change the severity, if applicable, set the Status, and assign the incident to the responsible individual to investigate further. You can also manually submit the results of this incident against any playbook created for Azure Sentinel.
Currently in preview, clicking on Investigate provides the Investigation Graph. This provides an interactive overview of all entities involved in the incident. This will assist to understand the scope and impact of the incident, determine a root cause, and stop any potential threats that may be occurring elsewhere.
Playbooks are Azure Logic Apps, but specific for Azure Sentinel by adding an API connection to Azure Sentinel alerts. The example playbook below sets and Azure AD user account to disabled when an alert is triggered and puts a comment into the Incident. Additional actions can be added, such as a simple email notification. Anything that Logic Apps can connect to, you can tie it into an Azure Sentinel Playbook and Analytic Rule to automate that action.