Azure Sentinel Sigma & SOC Prime Integration (Part 2): Directly deploy to Azure Sentinel

by Azure Sentinel News Editor
December 4, 2020
in SIEM, SOC

This installment was written as a collaboration between @Cristhofer Munoz and @Ofer_Shezaf.

Today’s cybersecurity landscape is filled with a variety of evolving threats, demanding new ways to protect your assets and keep up with emerging threats.

In this second installment we focus on the second integration point with SOC Prime: advancing your security analytics with SOC Prime’s threat detection marketplace. In Part 1, we covered converting Sigma rules to Azure Sentinel with SOC Prime’s Uncoder.io tool.

Today, we cover the steps to enable the integration with SOC Prime’s threat detection marketplace, which lets you deploy detection rules into Azure Sentinel with a single click. The next installment of this series will cover consuming hunting queries from SOC Prime.

What is SOC Prime Threat Detection Marketplace (TDM)?


SOC Prime’s Threat Detection Marketplace (TDM) was developed by security incident responders to deliver threat detection content quickly to CISOs, SOC managers and SOC analysts. It provides actionable, relevant use cases to defend against cyber threats and to improve SOC operations. It contains thousands of saved searches, queries and correlation rules for ArcSight, Elastic, QRadar and Splunk, and now also for Azure Sentinel. Select use cases that have already been built and tested for the technologies in your organization, and spare your security experts the time otherwise spent re-inventing them.

An interactive MITRE ATT&CK exploration section and global cyber attack statistics help you determine which threats are most relevant to your organization and which measures protect against them.


 Get more information about Threat Detection Marketplace: https://my.socprime.com/en/tdm/

Azure Sentinel Queries and Rules

SOC Prime’s intuitive platform enables you to filter and consume rules for your desired platform, in our case – Azure Sentinel rules or queries.

To do so, click the filter button on the top left, click “Platform”, then select “Azure Sentinel Query” or “Azure Sentinel Rule”. Queries are bare-bones KQL that you can use in different Azure Sentinel modules, including hunting, workbooks or Logs. Rules are full Azure Sentinel scheduled analytics rules delivered as a JSON file. Copy the fields from the file into the Azure Sentinel rule creation wizard, or use the Azure Sentinel API to upload the definition as is. Better still, deploy the rules directly from TDM to your Azure Sentinel workspace, as described in the next section.
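As an added example (not part of the original post, and not SOC Prime’s or Microsoft’s code), the following Python script does what the “upload via the API” path amounts to: it validates a scheduled-rule JSON of the shape TDM exports and PUTs it to the Azure Sentinel alertRules REST API (Microsoft.SecurityInsights), using the same six parameters that the TDM configuration form asks for in the following sections. Assumptions: the sample rule and all parameter values are constructed; the ARM path addresses the workspace by its name, so the workspace parameter here holds the name rather than the workspace GUID; the stable 2020-01-01 api-version of the alertRules API is used.

```python
"""Validate a TDM-style 'Azure Sentinel Rule' JSON and deploy it through the
Azure REST API (Microsoft.SecurityInsights alertRules) with the six parameters
TDM asks for. Added example; the sample rule and parameters are constructed."""
import json
import re
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"          # GA api-version of the alertRules API

# queryFrequency / queryPeriod / suppressionDuration are ISO 8601 durations
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
REQUIRED = ("displayName", "severity", "query", "queryFrequency",
            "queryPeriod", "triggerOperator", "triggerThreshold")
SEVERITIES = ("Informational", "Low", "Medium", "High")
OPERATORS = ("GreaterThan", "LessThan", "Equal", "NotEqual")


def duration_seconds(value):
    """PT1H -> 3600, P1DT12H -> 129600; ValueError on anything else."""
    m = _DURATION.match(value or "")
    if not m or not any(m.groups()):
        raise ValueError("not an ISO 8601 duration: %r" % (value,))
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def validate_rule(rule):
    """Return the problems that would make the PUT fail or the rule useless;
    an empty list means the definition looks deployable."""
    problems = []
    if rule.get("kind") != "Scheduled":
        problems.append("kind must be 'Scheduled'")
    props = rule.get("properties") or {}
    problems += ["missing properties.%s" % k for k in REQUIRED if k not in props]
    if not str(props.get("query", "")).strip():
        problems.append("query is empty")
    if props.get("severity") not in SEVERITIES:
        problems.append("severity must be one of " + "/".join(SEVERITIES))
    if props.get("triggerOperator") not in OPERATORS:
        problems.append("triggerOperator must be one of " + "/".join(OPERATORS))
    try:
        if duration_seconds(props.get("queryPeriod")) < duration_seconds(props.get("queryFrequency")):
            problems.append("queryPeriod is shorter than queryFrequency: "
                            "events between two runs are never examined")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def rule_url(params, rule_id):
    """PUT/GET URL for one analytics rule. The ARM path takes the workspace
    NAME, not the workspace GUID shown under Advanced settings."""
    return ("{arm}/subscriptions/{sub}/resourceGroups/{rg}"
            "/providers/Microsoft.OperationalInsights/workspaces/{ws}"
            "/providers/Microsoft.SecurityInsights/alertRules/{rid}"
            "?api-version={ver}").format(
        arm=ARM, sub=params["subscription_id"], rg=params["resource_group"],
        ws=params["workspace"], rid=rule_id, ver=API_VERSION)


def get_token(params):
    """OAuth2 client-credentials grant with the app registration's Tenant ID,
    Client ID and Client Secret (TDM parameters 3, 1 and 2)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": params["client_id"],
        "client_secret": params["client_secret"],
        "scope": ARM + "/.default",
    }).encode()
    url = "https://login.microsoftonline.com/%s/oauth2/v2.0/token" % params["tenant_id"]
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def deploy_rule(params, rule, rule_id=None):
    """Validate, then PUT the rule. Returns the HTTP status (201 create, 200 update)."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("refusing to deploy: " + "; ".join(problems))
    req = urllib.request.Request(
        rule_url(params, rule_id or str(uuid.uuid4())), method="PUT",
        data=json.dumps(rule).encode(),
        headers={"Authorization": "Bearer " + get_token(params),
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample in the shape of a TDM "Azure Sentinel Rule" export. The
# KQL is a placeholder over the SysmonEvent parser, not a SOC Prime rule.
SAMPLE_RULE = {
    "kind": "Scheduled",
    "properties": {
        "displayName": "Example - Sysmon process creation (placeholder)",
        "description": "Placeholder rule used to demonstrate API deployment.",
        "severity": "Medium", "enabled": True,
        "query": "SysmonEvent | where EventID == 1",
        "queryFrequency": "PT1H", "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan", "triggerThreshold": 0,
        "suppressionDuration": "PT1H", "suppressionEnabled": False,
        "tactics": ["Execution"],
    },
}

if __name__ == "__main__":
    params = {"tenant_id": "<tenant-id>", "client_id": "<client-id>",
              "client_secret": "<client-secret>", "subscription_id": "<subscription-id>",
              "resource_group": "<resource-group>", "workspace": "<workspace-name>"}
    print("validation problems:", validate_rule(SAMPLE_RULE) or "none")
    print("would PUT to:", rule_url(params, "example-rule-id"))
    # print(deploy_rule(params, SAMPLE_RULE))   # run with real parameters
```

The token request succeeds for any valid app registration; it is the PUT that returns 403 until the application has been assigned a role that can write alertRules, which is what the Azure Sentinel Contributor assignment described below provides. The queryPeriod/queryFrequency check matters because the API accepts a lookback shorter than the schedule, and such a rule silently misses every event that falls between two runs.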


Configure the parameters required to deploy rules

To enable automatic deployment, you need to configure TDM with just a few parameters. First click on your “Account”, then click “Microsoft Azure Sentinel API” in the dropdown.

After clicking on the “Microsoft Azure Sentinel API” button, the configuration page for the API will load.

The Microsoft Azure Sentinel API configuration in TDM needs the following parameters:

  1. Client ID,
  2. Client Secret,
  3. Tenant ID,
  4. Subscription ID,
  5. Resource Group,
  6. Sentinel Workspace

In the following sections we will learn how to obtain those parameters.

Register an Azure AD App

To obtain a client ID and client secret, you must register an application in Azure AD App registrations:

  1. Sign in to the Azure portal, open Azure Active Directory, click App registrations and select New registration
  2. Specify a name for the application, for example SOC_Prime_Sentinel, and click Register

3. Navigate to the created application; you land on its ‘Overview’ section.

4. Copy the ‘Directory (tenant) ID’ and the ‘Application (client) ID’, which you will use as parameters (3) and (1) respectively in the “Microsoft Azure Sentinel API” configuration in TDM.

5. Then navigate to the ‘Certificates & secrets’ section and create a client secret: click the ‘New client secret’ button, type a description and set the expiry.

6. The new secret appears on the ‘Certificates & secrets’ page. Use its value as parameter (2) in the “Microsoft Azure Sentinel API” configuration in TDM.

IMPORTANT – Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade. Treat it as what it is: together with the Client ID and Tenant ID it is a credential that, once the role below is assigned, can create and change analytics rules in your workspace, so keep it out of tickets and chat. Also note the expiry you chose; when the secret expires, deployments from TDM stop working until you create a new secret and update the TDM configuration.

Find your subscription, resource group and workspace IDs

  1. Browse to your Azure Sentinel workspace and select Settings from the left-hand menu.
  2. Select the “Advanced Settings” tab. Copy the subscription ID, resource group and workspace ID as parameters (4), (5) and (6) respectively in the “Microsoft Azure Sentinel API” configuration in TDM.

Assign Permissions to the registered App

To allow the application to create and modify rules, grant it a role that can write the workspace’s Azure Sentinel resources:

  1. Navigate to the Azure subscription that contains the Azure Sentinel workspace
  2. In the Access Control (IAM) section, select ‘Add’
  3. Click on ‘Add role assignment’
  4. Select the ‘Azure Sentinel Contributor’ role, start typing the name of the application in the ‘Select’ field, pick it and save

Of the Azure Sentinel built-in roles, only Azure Sentinel Contributor can create and edit analytics rules (Reader and Responder cannot), so it is the right role here. If you would rather not grant it across the whole subscription, assign it on the resource group that holds the workspace instead: the assignment works the same way at that narrower scope, and the application then has no access to Sentinel resources in other resource groups.

Single Click Deployment from TDM to Azure Sentinel

Now that auto-deployment is configured, filter the rules in TDM for Azure Sentinel rules. You can also search for a specific rule or filter by MITRE technique. When you select a rule, TDM opens a pane with additional details and, for Sentinel rules, offers “Deploy in my Sentinel”.

Pay attention to the data sources used by the rule. If the data source is Sysmon, refer to the Sysmon section below for instructions on how to enable Sysmon-based detections.

In the example below, I selected a rule that detects command line parameters used by the Rubeus hack tool. Clicking the “Deploy in my Azure Sentinel” button deploys the rule to your Azure Sentinel instance.

Putting it all together – View & Edit in Azure Sentinel

After you receive the success message from SOC Prime, the rule is deployed in your Azure Sentinel workspace and appears under the ‘Active rules’ tab of the ‘Analytics’ pane.

In Azure Sentinel you can view and edit the rule to understand the use case and the MITRE ATT&CK tactics and techniques it maps to. You can also use the rule wizard to modify other rule parameters, group alerts into incidents to reduce alert fatigue and, lastly, automate the response to the alert. For more information on creating and automating playbooks, see Respond to threats.

Onboarding Sysmon Events to Azure Sentinel

Many rules in the SOC Prime Threat Detection Marketplace require Sysmon data to detect their use case. Sysmon is the de facto standard for extending Windows auditing: it lets you detect anomalies and suspicious events on Windows hosts, gather SHA-256 hashes of every executable that runs, and much more.

Follow these steps to onboard Sysmon events into Azure Sentinel:

  1. Install Sysmon on the machines you want to monitor; to do so follow the official documentation
  2. Install the Log Analytics agent on the machines you want to monitor; this is not needed if you already installed it for another Sentinel data source such as Security Events.
  3. Now activate the Windows event logs as data sources. To do so, navigate to the ‘Advanced Settings’ pane of your workspace, click Data and add the following event logs:
  • Microsoft-Windows-Sysmon/Operational
  • Microsoft-Windows-WMI-Activity/Operational

4. By now data should be flowing into your Azure Sentinel workspace. Check by navigating to ‘Logs’ and running the following KQL query:

  Event | where Source == "Microsoft-Windows-Sysmon" | limit 20


5. Deploy the Sysmon parser:

  • Paste the relevant query for your Sysmon version from GitHub into the Logs screen in Azure Sentinel: 9.10, 10.42
  • Click Save, use “SysmonEvent” as the name and select “Function” in the “Save as” drop-down. Any category will work. Note that a function usually takes 10-15 minutes to become available. Rules that reference SysmonEvent depend on this function, so deploy the parser before deploying Sysmon-based rules.
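To show what the SysmonEvent parser has to do before a TDM rule can query fields such as CommandLine or Hashes, here is an added Python example that flattens one row of the Log Analytics Event table the same way the KQL function does. This is not the parser from the Azure Sentinel GitHub repo and not part of the original post; the record is constructed (the field names follow the Sysmon Event ID 1 schema, the values and hashes are made up).

```python
"""Flatten a Sysmon record from the Log Analytics 'Event' table the way the
SysmonEvent parser function does, for one Event ID 1 (process creation) row.
Added example; the record below is constructed."""
import xml.etree.ElementTree as ET

SYSMON_SOURCE = "Microsoft-Windows-Sysmon"   # Source value the KQL check above filters on

# Constructed Event-table row. EventData is the XML the agent ships for the
# Microsoft-Windows-Sysmon/Operational log; the MD5/SHA256 values are dummies.
SAMPLE_RECORD = {
    "Computer": "ws01.corp.example",
    "Source": SYSMON_SOURCE,
    "EventID": "1",
    "EventData": r"""<DataItem type="System.XmlData" time="2020-12-04T10:00:00.000Z">
<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Data Name="RuleName">-</Data>
  <Data Name="UtcTime">2020-12-04 10:00:00.000</Data>
  <Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000001}</Data>
  <Data Name="ProcessId">4242</Data>
  <Data Name="Image">C:\Users\alice\Downloads\tool.exe</Data>
  <Data Name="CommandLine">"C:\Users\alice\Downloads\tool.exe" --help</Data>
  <Data Name="User">CORP\alice</Data>
  <Data Name="Hashes">MD5=0F1E2D3C4B5A69788796A5B4C3D2E1F0,SHA256=1111111111111111111111111111111111111111111111111111111111111111</Data>
  <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
</EventData>
</DataItem>""",
}


def parse_event_data(xml_text):
    """Return {Name: value} for every <Data Name="..."> element. Tags are
    matched by local name, so the xmlns on <EventData> does not matter."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = (el.text or "").strip()
    return fields


def split_hashes(hashes):
    """Sysmon writes Hashes as 'ALG=hex,ALG=hex,...'; return {ALG: hex}."""
    out = {}
    for part in hashes.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def is_sysmon(record):
    """Same test as: Event | where Source == "Microsoft-Windows-Sysmon"."""
    return record.get("Source") == SYSMON_SOURCE


def to_sysmon_event(record):
    """Shape one Event-table row into the columns rules typically query."""
    if not is_sysmon(record):
        raise ValueError("not a Sysmon record: Source=%r" % (record.get("Source"),))
    fields = parse_event_data(record["EventData"])
    hashes = split_hashes(fields.get("Hashes", ""))
    return {
        "Computer": record["Computer"],
        "EventID": int(record["EventID"]),
        "UtcTime": fields.get("UtcTime"),
        "Image": fields.get("Image"),
        "CommandLine": fields.get("CommandLine"),
        "ParentImage": fields.get("ParentImage"),
        "User": fields.get("User"),
        "SHA256": hashes.get("SHA256"),
        "MD5": hashes.get("MD5"),
    }


if __name__ == "__main__":
    for key, value in to_sysmon_event(SAMPLE_RECORD).items():
        print("%-12s %s" % (key, value))
```

The field set inside EventData changed between Sysmon releases, which is why the repo ships separate parser versions (9.10 and 10.42 are the ones the original post links); in this example the difference only shows up as which Names are present, hence the .get() lookups rather than hard indexing.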

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-sigma-amp-soc-prime-integration-part-2-directly/ba-p/1276337

Tags: Detection Engineering, DFIR, SIEM, sigma, SOC, SOC Prime, Threat hunting, Use Case Factory