
Azure Sentinel part 1: why detection needs steroids

Azure Sentinel News Editor
November 12, 2020
in Security Operations, Threat Intelligence

By: Christophe Parisel

Detecting Service Principal anomalies in Azure activity logs is challenging:

  • Busy services generate thousands of logs per minute, if not more;
  • Service Principal Names (SPNs) are numerous: you might end up with more service principals than named users in your AAD;
  • A significant number of SPNs have administrative roles, meaning wide-ranging role assignments for performing nearly arbitrary operations in Azure resource providers;
  • With system-assigned Managed Identities, many SPNs have become transient.

For all those reasons, relying on traditional queries to hunt for anomalies is largely ineffective.

If we turn to a statistical approach as an alternate way of chasing anomalies, the only ready-made tool at our disposal is Azure Sentinel time series analysis. This article is the first instalment of a discussion about SPN anomaly detection in Azure Activity:

  • This instalment will explain how time series, like traditional queries, fail to meet our expectations;
  • The next instalment will propose a more efficient solution;
  • I might add extra instalments depending on the interest raised by the cyber/architects community.

Time series analysis

Let me pick an SPN at random in an automated infra-as-code workload. Over a sample period of about a month, the time series decomposition of its Azure operations looks as follows:

This SPN is not very active: 221k ops/month is not that much. Despite this, and even at a high resolution (we used 1-hour steps to make the time series), we see that the decomposition does not show any seasonal component.

Let’s dive further into the series and run a default[*] anomaly decomposition:

The only spotted spike lies between October 22 and 23. This doesn’t come as a surprise since it’s the most outstanding feature in the original decomposition. Aren’t there other anomalies missed by the decomposition?

Let’s run the anomaly decomposition with the lowest detection threshold[**] to capture more cases:

Now we see new spikes with very low scores: a plateau between October 4 and 7, a negative spike on October 5, an oscillation between October 7 and 9, a negative spike on October 19. But are they actual anomalies in terms of cybersecurity?

To answer this question, we need more insights: for that, let’s summarize count() on the actual operations performed by the SPN:

The result is fuzzy since one operation overwhelms all others, but we see something unexpected: a Microsoft.Network action with a count of just one. Due to the fuzziness we do not see it on the chart, so let’s refine the summarization on log(count()):

We see that the anomalies raised by the decomposer do not look so suspicious. But there is a security issue on October 10 that is missed by the analysis: on the left-hand side of the green arrow, I have highlighted a unique, unprecedented call to the Network resource provider to modify a network interface.

In the end, the only way to pinpoint the October 10 anomaly is by making series on all the operation values[***], but this triggers many high-score false positives (we see at least 6 of them in the picture below):
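The pipeline described above, written out as an added KQL example (not the author's own query): one hourly series per OperationNameValue for a single SPN, decomposed with series_decompose_anomalies (whose defaults are the threshold=1.5, autodetected seasonality and 'linefit' trend cited in the notes), then flattened so that each operation shows its total volume, how many hours were flagged and the top score. The Caller value, the 30-day window and the per-operation roll-up are assumptions made for the example.

```kql
// Added example, not from the original article. Assumptions: the SPN shows up in
// AzureActivity.Caller as its application id (placeholder below), and a 30-day window.
let spn = "00000000-0000-0000-0000-000000000000";   // placeholder SPN identifier
let lookback = 30d;
// 1.5 is the series_decompose_anomalies default; 0.0 is the lowest setting used in the article
let threshold = 0.0;
AzureActivity
| where TimeGenerated > ago(lookback)
| where Caller == spn
// one hourly series per operation: this is the "make-series by OperationNameValue" variant
| make-series Ops = count() default = 0
    on TimeGenerated from startofday(ago(lookback)) to now() step 1h
    by OperationNameValue
// seasonality -1 = autodetect, trend 'linefit': the defaults referred to in the notes
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Ops, threshold, -1, 'linefit')
// flatten back to one row per (operation, hour)
| mv-expand TimeGenerated to typeof(datetime), Ops to typeof(long),
            Anomalies to typeof(int), Score to typeof(double), Baseline to typeof(double)
// per operation: total volume, number of flagged hours, highest anomaly score.
// Sorting by volume ascending puts a count-of-one operation (the kind of call the
// article highlights) at the top, whether or not the decomposer flagged it.
| summarize TotalOps = sum(Ops),
            Flagged = countif(Anomalies != 0),
            MaxScore = max(Score)
    by OperationNameValue
| order by TotalOps asc
```

Raising `threshold` back to 1.5 reproduces the default run; the `Flagged` column then shows how many of the low-score spikes disappear while the rare operation stays visible only through its `TotalOps`.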

Unfortunately, false positives only get worse as we put more SPNs under our supervision.

There’s room for improvement obviously. In the next part, we will see what’s wrong with time series and how we can remediate that in Azure Sentinel.

Notes:

[*]: default arguments are: threshold=1.5, seasonality=autodetect, trend='linefit'

[**]: threshold=0.0

[***]: make-series by OperationNameValue


Reference: https://www.linkedin.com/pulse/azure-sentinel-part-1-why-detection-needs-steroids-christophe-parisel/?trackingId=oICwUC1MfeidShF81dGnmA%3D%3D

Copyright © 2020 - Azure Sentinel News