Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home AI & ML

How to Create a Backup Notification System in the Event an Unauthorized User Accesses Azure Sentinel

Azure Sentinel News Editor by Azure Sentinel News Editor
January 14, 2021
in AI & ML
0
What’s new: Microsoft Teams connector in Public Preview
6.2kViews
855 Shares Share on Facebook Share on Twitter

A request was made recently about how to prevent an unauthorized and elevated user account from getting access to Azure Sentinel. Essentially, the scenario is this:

  1. An environment was compromised.
  2. A compromised user account had elevated access.
  3. The compromised user account shut down monitoring (Azure Sentinel) so as not to be detected.

I’m still working the full process out completely from a best practices perspective, but here’s one method of using an Azure Monitor Alert as a backup notification method when someone unauthorized does something in Azure Sentinel.

This is yet another case of using the tools you have (and knowing they exist) and keeping it simple.

Setting up the Azure Monitor Alert

In the Azure portal, got to Azure Monitor, then to the Alerts blade, then click to start creation of a New Alert Rule.

Start a new Alert Rule

On the main Alert Rule creation screen, choose Log Analytics Workspaces as the resource to alert against. And, choose the Log Analytics workspace to use.

Resource selection

IMPORTANT: Consider this. Because we’re creating a backup alerting process, you will also want to create a backup (secondary) Log Analytics workspace and a second Diagnostic Setting for the Azure Activity log. You don’t want to rely on the same Log Analytics workspace assigned to Azure Sentinel in the event the compromised user account does something extra nasty to cover their tracks, such as wiping out the Azure Sentinel Log Analytics workspace. This extra workspace will cost extra (not including in the Azure Sentinel costs – of which the Azure Activity Connector is free anyway), so keep that in mind. But, for security monitoring and alerting purposes, it’s probably worth the cost if this is an actual concern of your organization.

Next, configure the Signal Logic. For our purposes, choose Custom log search.

Custom log search Signal Logic

Next, on the signal logic configuration screen, enter a custom query. You can use the following query that allows you to generate a whitelist of users who should be authorized to perform actions in Azure Sentinel. If it finds a user account not in the whitelist, it will issue an alert. Note that it is querying against the AzureActivity table, looking for successful Administrative operations for SecurityInsights.

//Create a whitelist of users who should be able to access Azure Sentinel, then check to see if unauthorized users have performed activities.
//Replace the users in the variable for AuthorizedUser with authorized accounts. Authorized account format is gleaned from AzureActivity/Caller
let List = datatable(AuthorizedUser: string)["user1@domain.com", "user2@domain.com", "user3@domain.com"];
let timeframe = 1d;
AzureActivity
| where OperationNameValue has "MICROSOFT.SECURITYINSIGHTS"
| where ActivityStatusValue == "Success"
| where CategoryValue == "Administrative"
| join kind= leftanti (
    List
    | project Caller = tolower(AuthorizedUser)
    )
    on Caller
| extend AccountCustomEntity = Caller
| extend IPCustomEntity = CallerIpAddress

Reference: https://azurecloudai.blog/2021/01/08/how-to-create-a-backup-notification-in-the-event-an-unauthorized-user-accesses-azure-sentinel/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
AI & ML

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021
AI & ML

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021
AI & ML

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021
Next Post
With new release, CrowdStrike targets Google Cloud, Azure and container adopters

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

What’s new: Microsoft Teams connector in Public Preview

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Upcoming Webinar: A Day in the Life of an Azure Sentinel Analyst

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Insight Recognized as a Microsoft Security 20/20 Partner Award Winner for Azure Security Deployment Partner of the Year

Insight Recognized as a Microsoft Security 20/20 Partner Award Winner for Azure Security Deployment Partner of the Year

3 months ago
Microsoft introduces integrated Darktrace-a-like, Azure Sentinel

Download and Backup Your Azure Sentinel Playbooks

2 months ago
Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

Microsoft acquires CyberX to accelerate and secure customers’ IoT deployments

4 months ago
Microsoft bolsters threat prevention capabilities for enterprises

Microsoft bolsters threat prevention capabilities for enterprises

3 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News