
How to integrate vulnerability management in Azure Sentinel

by Azure Sentinel News Editor
November 27, 2020
in SIEM

Special thanks to Yaniv Shasha and Ofer Shezaf, who collaborated with me on this blog post, and thanks to Clive Watson and Kieran Bhardwaj for their support.

Introduction

During recent Azure Sentinel workshops some customers have asked for the possibility to ingest Vulnerability data into Azure Sentinel. In this blog, I will explain how to ingest and analyse vulnerability data in Azure Sentinel. I’m using Tenable as an example, but it can be any Threat & Vulnerability Management (TVM) platform.

Before explaining how the Tenable vulnerability management solution integrates with Azure Sentinel, it is very important to understand the use case of each one of those solutions.

First, what is a vulnerability management solution?

A vulnerability management solution enables enterprises to discover and mitigate potential vulnerabilities on their networks.

To do so, vulnerability management solutions provide continuous asset discovery, assessment (vulnerability and compliance), reporting, and analysis and prioritization capabilities. In other words, vulnerability management solutions scan for potential vulnerabilities, alert your security team, and help them prioritize remediation tasks.

Now that we understand what a vulnerability management solution is, why should vulnerability management solutions become a critical part of your SIEM/SOAR platform?

Asset information such as the operating system, running services and known vulnerabilities is critical for enriching events. Your SIEM can use Tenable’s data to get this asset information. Let me give an example: a SIEM solution can help determine not only whether there is traffic from an identified malicious internet location, but also whether this traffic goes to a vulnerable asset. This can both increase the severity of an incident in the SIEM system and provide feedback to the vulnerability management solution to prioritize vulnerability remediation for the vulnerable machine.

So, let’s move to our main topic: how to automate vulnerability management using Azure Sentinel.

Scenarios

Let’s assume that your security team wants to collect data from the Tenable vulnerability management solution to:

  • Discover and identify all the assets in their environment’s attack surface before they can start to adequately protect it.
  • Identify vulnerabilities, misconfigurations and other weaknesses.
  • Understand vulnerabilities in the context of business risk and use that data to prioritize their efforts.
  • Show successful remediation of vulnerabilities and misconfigurations.
  • Correlate vulnerabilities with other data stored in Azure Sentinel (like Security Events).

To implement the scenario and workflow just described, Azure Logic Apps are your friend. 🙂

The playbooks (based on a Logic App) described in this post were created to allow Azure Sentinel customers to import Tenable data. These playbooks, however, can easily be modified to point to any other TVM solutions.

Prerequisites

  • How to onboard Azure Sentinel: see here
  • How to get Tenable.io vulnerability management up and running: see here
  • Tenable.io API Key: see here  
  • Tenable.io API Ref: see here
  • Configuring security playbook using Azure Logic Apps: see here

Data Ingestion

Security SaaS vendors like Tenable.io expose an API you can authenticate to and query for vulnerability results based on a datetime. You will have to write some code or use a Logic App to query the API and send the results to Azure Sentinel’s Data Collector API.

List of assets

This playbook performs the following steps:

  1. Trigger on a defined schedule.
  2. Read data from the Tenable.io API: https://cloud.tenable.com/workbenches/assets
  3. Retrieve the list of discovered assets with information (OS, ID, IP, FQDN and source of detection).
  4. Transform the data into the appropriate JSON format.
  5. Send the result to Azure Sentinel Log Analytics.
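As an added example (not the post’s Logic App, nor Tenable’s or Microsoft’s code), here is the ingestion path from the Data Ingestion paragraph and the steps above in Python: flatten the asset records returned by the workbenches/assets endpoint into the field shapes the queries on this page rely on, then sign the request for the Log Analytics Data Collector API. The workspace id, shared key and sample asset are constructed; the Tenable response field names and the SharedKey signing scheme are assumptions about those two APIs.

```python
"""Tenable.io assets -> Log Analytics custom log Tenable_Assets_Details_CL. Added example,
not the post's Logic App; assumes the /workbenches/assets field names and SharedKey signing."""
import base64, hashlib, hmac, json
from datetime import datetime, timezone
from typing import Optional
from urllib.request import Request

LOG_TYPE = "Tenable_Assets_Details"  # Log Analytics appends _CL to the table name
RESOURCE = "/api/logs"

# Constructed sample values (not real credentials or a real asset).
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(b"constructed shared key, not a real one").decode()
SAMPLE_ASSET = {"id": "11111111-2222-3333-4444-555555555555", "ipv4": ["10.0.0.4"],
                "fqdn": ["honeypot.contoso.local"], "operating_system": ["Windows Server 2019"],
                "sources": [{"name": "NESSUS_SCAN"}], "last_seen": "2020-11-26T08:00:00.000Z"}

def flatten_asset(asset: dict) -> dict:
    # List fields are serialised as JSON strings so the custom log gets string
    # columns (ipv4_s, fqdn_s, operating_system_s, sources_s) in the shape the
    # post's regex extracts parse; the GUID becomes id_g, the timestamp last_seen_t.
    return {"id": asset["id"],
            "ipv4": json.dumps(asset.get("ipv4", [])),
            "fqdn": json.dumps(asset.get("fqdn", [])),
            "operating_system": json.dumps(asset.get("operating_system", [])),
            "sources": json.dumps(asset.get("sources", [])),
            "last_seen": asset["last_seen"]}

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def string_to_sign(content_length: int, rfc1123_date: str) -> str:
    # Canonical string the Data Collector API expects: method, body length,
    # content type, the x-ms-date header and the resource path, newline-separated.
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n{RESOURCE}"

def build_signature(workspace_id: str, shared_key_b64: str, content_length: int, rfc1123_date: str) -> str:
    # The shared key is shown base64-encoded in the portal; decode it before keying the HMAC.
    digest = hmac_sha256(base64.b64decode(shared_key_b64),
                         string_to_sign(content_length, rfc1123_date).encode("utf-8"))
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_headers(workspace_id: str, shared_key_b64: str, body: bytes, now: Optional[datetime] = None) -> dict:
    rfc1123_date = (now or datetime.now(timezone.utc)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    return {"Content-Type": "application/json",
            "Authorization": build_signature(workspace_id, shared_key_b64, len(body), rfc1123_date),
            "Log-Type": LOG_TYPE,
            "x-ms-date": rfc1123_date,
            "time-generated-field": "last_seen"}  # TimeGenerated follows the asset's last_seen

def build_request(workspace_id: str, shared_key_b64: str, assets: list, now: Optional[datetime] = None) -> Request:
    body = json.dumps([flatten_asset(a) for a in assets]).encode("utf-8")
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01"
    return Request(url, data=body, headers=build_headers(workspace_id, shared_key_b64, body, now), method="POST")

if __name__ == "__main__":
    # Offline demo with the constructed asset; urllib.request.urlopen(req) would send it.
    req = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY, [SAMPLE_ASSET])
    print(req.full_url, req.get_header("Authorization"))
```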

Once your data is connected, you can start analysing the data.

The rich query language used by Azure Sentinel, called KQL, enables you to create advanced and complex queries in just a few lines. Here is the link to the KQL documentation: https://docs.microsoft.com/azure/azure-monitor/log-query/query-language

Let’s run a simple query to display the list of assets discovered by Tenable:

Tenable_Assets_Details_CL
| extend IP = extract("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}", 0, ipv4_s)
| extend Last_seen = last_seen_t
// keep only the most recent record per Tenable asset id
| summarize arg_max(last_seen_t, *) by id_g
| extend Asset_ID = id_g
| where IP != ""
| extend Detection_source = extract(".*: \"(.*)\",", 1, sources_s)
// capture the whole quoted value so OS names with spaces or digits (e.g. Windows Server 2019) are not dropped
| extend Operating_system = extract("\"([^\"]*)\"", 1, operating_system_s)
| extend FQDN = extract("\"(.*)\"", 1, fqdn_s)
| project TimeGenerated, Last_seen, Asset_ID, IP, Operating_system, FQDN, Detection_source

List of machines and associated vulnerabilities

This playbook performs the following steps:

  1. Trigger on a defined schedule.
  2. Read data from the Tenable.io API to get the list of vulnerable assets: https://cloud.tenable.com/workbenches/assets/vulnerabilities
  3. Transform the data into the appropriate JSON format.
  4. For each asset ID, use another HTTP action to get the list of associated vulnerabilities: https://cloud.tenable.com/workbenches/assets/asset_id/vulnerabilities
  5. Send the result to Log Analytics.

Please see the playbook code in our GitHub: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-TenableVlun

Let’s run a simple query to display the list of assets with associated vulnerabilities:

// severity is stored as a string in the custom log (severity_s); map it to a readable label
let Sev = datatable (severity_s:string, severity:string)
    ["4", "Critical",
     "3", "High",
     "2", "Medium",
     "1", "Low",
     "0", "Info"];
Sev
| join (
    Vulns_AssetID_List_CL
) on severity_s
| project TimeGenerated, AssetID_g, VulnID_s, VulnName_s, plugin_family_s, severity

Additional Playbooks can be implemented to collect more data from Tenable, like recommended solutions to remediate vulnerabilities: https://cloud.tenable.com/solutions

Vulnerability management dashboard

Based on data collected using previous steps, I created a dashboard to help security teams determine the risk to their organization.

Analysts can now accurately characterize the risk to the organization from specific vulnerabilities. The data that analysts can rely upon from this dashboard covers vulnerabilities found across a multitude of vectors, from active scanning to host analysis of the systems themselves.

Asset management view

Assets within an organization are moving, joining, and leaving a network daily, which can be difficult to manage properly. Organizations that have an accurate asset management system can gain complete visibility on what devices are in use, and what operating system is installed on the network.

List of vulnerabilities with severity and state

Summary chart tracking unmitigated vulnerabilities of low, medium, high, and critical severity

Assets with associated vulnerabilities 

Risk management 

Tenable calculates a dynamic Asset Exposure Score (AES) for each asset on your network to represent the asset’s relative exposure as an integer between 0 and 1000. A higher AES indicates higher exposure.

Tenable calculates AES based on the current Asset Criticality Rating score (ACR, Tenable-provided or custom) and the severity associated with the asset.

Recommended solutions 

Tenable provides recommended solutions for all vulnerabilities on your network. 

Information about each solution includes:

  1. Description of the solution.
  2. Assets affected, and the total number of assets affected by the vulnerabilities included in the solution.
  3. Common Vulnerabilities and Exposures (CVE) count: the CVEs included in the solution.
  4. Common Vulnerability Scoring System (CVSS): the highest CVSSv2 score (or CVSSv3 score, when available) for the vulnerabilities addressed by the solution.

Detection rule (Brute Force RDP Attack on vulnerable machine)

In this use case, my goal is to identify the machines at risk (with vulnerabilities) on which we saw an RDP brute force attack (based on security events generated from the server).

I installed a virtual machine (a ‘honeypot’ Windows machine in this example, but it could also be a Linux machine for SSH brute force attacks) in Azure IaaS (Infrastructure as a Service). In the Networking configuration, I added an ‘Inbound port rule’ allowing destination port 3389.

I created an inbound rule (any-any) on port 3389 so that malicious RDP connection attempts reach the machine. These can be verified in the Windows Event Viewer (Event ID 4625 – An account failed to log on).

Another option to detect Brute Force is to leverage Azure Security Center: https://azure.microsoft.com/en-us/blog/how-azure-security-center-detects-ddos-attack-using-cyber-thr…

Then alerts generated by ASC (Azure Security Center) can be sent to Azure Sentinel and correlated with other data like vulnerability.

First, I started with the Brute Force detection rule. Personally, I always create and fine-tune a rule via the Logs section and verify the attributes we want to use for entities. Entities are required for investigation and dashboards. For example:

let threshold = 5;
SecurityEvent
// EventID is an integer column; 4625 = an account failed to log on
| where EventID == 4625
| project Computer, Account, IpAddress, TimeGenerated
| summarize PerHourCount = count() by IpAddress, bin(TimeGenerated, 1h), Account, Computer
| where PerHourCount > threshold
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserList = make_set(Account), Failure = sum(PerHourCount) by RemoteIP = IpAddress, Computer
| project StartTime, EndTime, Computer, RemoteIP, UserList, Failure
// IpAddress was renamed to RemoteIP by the summarize above, so the entity must reference RemoteIP
| extend IPCustomEntity = RemoteIP, AccountCustomEntity = UserList
| extend HostCustomEntity = Computer

Once the rule was created, I waited for the first incident to appear in the Overview or Incidents page.

After we receive an incident, we can select the incident to see the incident details. A further option is to select the investigate button to get a graphical overview of the incident for analysis, or to select “View Full Details” to see the raw data.

The next step is to correlate Brute Force detection with vulnerability data to identify machines at risk.

For this use case, here is what I used as the detection rule:

// severity is stored as a string in the custom log (severity_s); map it to a readable label
let Severity = datatable (severity_s:string, severity:string)
    ["4", "Critical",
     "3", "High",
     "2", "Medium",
     "1", "Low",
     "0", "Info"];
// latest record per asset IP and plugin, keeping only the severities worth acting on
let High_vuls = Severity
| join (
    Vulns_AssetID_List_CL) on severity_s
| summarize arg_max(TimeGenerated, *) by IP_s, VulnID_s
| extend Asset_IP = IP_s
| where severity in ("Critical", "High", "Medium");
// SecurityEvent only carries the attacked host's name (Computer), not its IP, so map the
// name to an IP through the agent's Heartbeat table; this IP must be the one Tenable scanned
let Host_IPs = Heartbeat
| summarize arg_max(TimeGenerated, ComputerIP) by Computer
| project Computer, Asset_IP = ComputerIP;
// Brute force detection
let threshold = 5;
let Brut_force = SecurityEvent
| where EventID == 4625
| project Computer, Account, IpAddress, TimeGenerated
| summarize PerHourCount = count() by IpAddress, bin(TimeGenerated, 1h), Account, Computer
| where PerHourCount > threshold;
Brut_force
// Join brute force with vulnerability info on the attacked host (IpAddress is the attacker's source, not the asset)
| join kind=inner (Host_IPs) on Computer
| join kind=inner (High_vuls) on Asset_IP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), UserList = make_set(Account), VulnsIDList = make_set(VulnID_s), VulnsNameList = make_set(VulnName_s) by RemoteIP = IpAddress, Computer
| extend IPCustomEntity = RemoteIP, AccountCustomEntity = UserList
| extend HostCustomEntity = Computer

After we receive an incident, we can select the incident to see the incident details.

With the Account entity we know the usernames the attackers used when trying to log on.

I grouped all of these accounts in a list called “UserList”.

Mitigation

As you have seen in this blog, we can address real-world use cases by integrating vulnerability data into Azure Sentinel, showing how easy it is to create detection rules and visualizations. Although mitigation can be done using different methods, if you are using Azure Security Center, we recommend implementing the following remediation/preventative steps:

  • Password Policy: Attackers usually launch brute-force attacks using widely available tools that utilize wordlists and smart rulesets to intelligently and automatically guess user passwords. So, the first step is to make sure to utilize complex passwords for all virtual machines. A complex password policy that enforces frequent password changes should be in place. Learn more about the best practices for enforcing password policies.
  • Endpoints: Endpoints allow communication with your VM from the Internet. When creating a VM in the Azure environment, two endpoints get created by default to help manage the VM, Remote Desktop and PowerShell. It is recommended to remove any endpoints that are not needed and to only add them when required. Should you have an endpoint open, it is recommended to change the public port that is used whenever possible. When creating a new Windows VM, by default the public port for Remote Desktop is set to “Auto” which means a random public port will get automatically generated for you. Get more information on how to set up endpoints on a classic Windows virtual machine in Azure.
  • Enable Network Security Group: Azure Security Center recommends that you enable a network security group (NSG) if it’s not already enabled. NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your VM instances in a Virtual Network. An endpoint ACL allows you to control which IP address, or CIDR subnet of addresses, you want to allow access over that management protocol. Learn more about how to filter network traffic with network security groups and enable Network Security Groups in Azure Security Center.
  • Using VPN for management: A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection to an on-premises location. You can also use VPN gateways to send encrypted traffic between Azure virtual networks over the Microsoft network. To send encrypted network traffic between your Azure virtual network and on-premises site, you must create a VPN gateway for your virtual network. Both Site to Site and Point to Site gateway connections allow us to completely remove public endpoints and connect directly to the Virtual Machine over secure VPN connection.

Summary

We just walked through the process of standing up Azure Sentinel Side-by-Side with Tenable. Stay tuned for more Side-by-Side details in our blog channel.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-integrate-vulnerability-management-in-azure-sentinel/ba-p/1635728
