Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security and Compliance

How to Use Azure Sentinel to Detect SolarWinds SUNBURST

Azure Sentinel News Editor by Azure Sentinel News Editor
December 25, 2020
in Security and Compliance
0
Azure Stack and Azure Arc for data services from Blog Posts – SQLServerCentral
2.7kViews
208 Shares Share on Facebook Share on Twitter

The teams at Microsoft have been working over the past several days to put together some content for Azure Sentinel customers who may be affected by the recent SolarWinds ORION hack.

UPDATE: After this original post, the Microsoft teams delivered a more comprehensive post and is continually updating it. See that here: SolarWinds Post-Compromise Hunting with Azure Sentinel

Here’s the current list of collateral.

Detections and Hunting queries specific to the SolarWinds hack:

  • SolarWinds TEARDROP memory-only dropper IOCs in Window’s defender Exploit Guard activity
  • SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents
  • SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents
  • Suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
  • Solorigate Defender Detections
  • Solorigate Network Beacon
  • Solorigate DNS Pattern
  • Solorigate Encoded Domain in URL

Workbook for the SolarWinds hack:

  • SolarWinds Post Compromise Hunting

Notebook for the SolarWinds hack:

  • Guided Investigation – Solarwinds Post Compromise Activity

New and existing detections and hunting queries that will help expose similar compromise in the future:

  • Hosts with new logons
  • New user created and added to the built-in administrators group
  • User account added to built in domain local or global group
  • Tracking Privileged Account Rare Activity
  • ADFS Certificate Export
  • ADFS Key Export (Sysmon)
  • Entropy for Processes for a given Host
  • Rare processes run by Service accounts
  • Uncommon processes – bottom 5%
  • Modified domain federation trust settings
  • New access credential added to Application or Service Principal
  • Mail.Read Permissions Granted to Application
  • Suspicious application consent similar to O365 Attack Toolkit
  • Suspicious application consent for offline access
  • Exchange workflow MailItemsAccessed operation anomaly
  • Suspect Mailbox Export on IIS/OWA
  • Host Exporting Mailbox and Removing Export

UPDATE: Since this blog release, Microsoft has now released the Detections as Analytics Rules automatically and directly in the Azure Sentinel console for all customers.

New Analytics Rules

Reference: https://azurecloudai.blog/2020/12/16/how-to-use-azure-sentinel-to-detect-solarwinds-sunburst/

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

Vectra AI and Microsoft partner on security integration
Security and Compliance

Replay Now Available – Microsoft Security Insights 036: Azure Sentinel with Rod Trent

February 8, 2021
What’s new: Microsoft Teams connector in Public Preview
Security and Compliance

eBook Available for Managing Azure Sentinel with PowerShell

January 6, 2021
Microsoft is quietly becoming a cybersecurity powerhouse
Security and Compliance

Official Azure Sentinel PowerShell Module Released

January 4, 2021
Next Post
Enriching Windows Security Events with Parameterized Function

How to Report When an Azure Sentinel Analytics Rule is Deleted

Microsoft announces security, identity, management, and compliance updates across Azure and Office

Azure Sentinel RBAC Review

ITC Secure Achieves Microsoft Gold Partner Status

Achieving SOC Operational Efficiency for Azure Sentinel Hunting – the Replay

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

odix joins MISA program and integrates its FileWall with Microsoft Azure Sentinel

odix joins MISA program and integrates its FileWall with Microsoft Azure Sentinel

4 months ago
What’s new: Microsoft Teams connector in Public Preview

What’s new: SOC operational metrics now available in Azure Sentinel

3 months ago
ITC Secure Achieves Microsoft Gold Partner Status

Achieving SOC Operational Efficiency for Azure Sentinel Hunting – the Replay

2 months ago
Azure Stack and Azure Arc for data services from Blog Posts – SQLServerCentral

Cloud-based Supercomputer Accelerates COVID-19 Drug Discovery

3 months ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Items of Note on the Azure Sentinel GitHub Repo

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Trending

What’s new: Microsoft Teams connector in Public Preview
IR

How to Generate Azure Sentinel Incidents for Testing

by Azure Sentinel News Editor
February 26, 2021
0

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here’s a couple easy ways...

What’s new: Microsoft Teams connector in Public Preview

Azure Sentinel Notebooks Loses It’s Preview Tag

February 25, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

February 22, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • How to Generate Azure Sentinel Incidents for Testing February 26, 2021
  • Azure Sentinel Notebooks Loses It’s Preview Tag February 25, 2021
  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News