
Quick wins – Proactively identify signs of intrusions in real time with Azure Sentinel Livestream

by Azure Sentinel News Editor
December 11, 2020
in Security and Compliance

This blog was written as a collaboration between @Sarah_Young and @Cristhofer Munoz.

As the severity and frequency of attacks rise, there is even more need for proactive threat hunting. This is becoming increasingly important as organizations seek to stay ahead of the latest cyber threats. Your systems and security appliances generate mountains of data that can be difficult to parse and filter into meaningful events.

Over the last several months, we’ve been able to help our customers use Azure Sentinel’s hunting capabilities to hunt for signs of intrusion and stay on top of suspicious activities that went undetected by their security systems. These customers have cited measurable improvements in both the speed and accuracy of response, and reductions in investigation time and attack surface exposure.

If you’re an investigator who wants to be proactive about looking for security threats, Azure Sentinel has powerful hunting search and query tools to hunt for security threats across your organization’s data sources. To help security analysts look proactively for new anomalies that weren’t detected by your security apps, Azure Sentinel’s built-in hunting queries guide you into asking the right questions to find issues in the data you already have on your network.

In this blog post, we will cover the tactical details of Azure Sentinel’s new Livestream hunting capability and how you can use this to help your SOC analysts proactively identify emerging threats.

What is Azure Sentinel Livestream?

Azure Sentinel Livestream is a session-based, user-interface-driven feature that allows an Azure Sentinel user to quickly create a Livestream session from a Log Analytics query. The Livestream query runs in the background and notifies you of any results obtained during the Livestream session. It can be found under the Hunting blade of Azure Sentinel, next to the Queries tab.

Firstly, let’s take a simple example to explain the concept:

LivestreamBlog 1.png

The query we’re running is below:

SecurityEvent
| where EventID == 4625

In this query we’re asking Azure Sentinel to stream all Windows logon events in this workspace where the event ID is 4625 (an account failed to log on). As you can see, we’re getting a lot of events here, and the live stream updates them every 30 seconds.

In our demo environment we have lots of failed logons happening all the time to give us interesting data to play around with; but if this were a real-life production environment, we wouldn’t typically expect to see very many failed logons at all. However, failed logons can and do happen in production in the normal course of events, and we certainly wouldn’t want to trigger a full incident every time a failed logon occurs, as this would lead to incident overload and alert fatigue for your SOC analysts.

So what is the point of Livestream in Sentinel, and how does it help you proactively address threats in your environment? Using the example above, we know that some failed logon events are normal. What Livestream can help you identify is when these “normal” events suddenly increase in frequency, which is a possible indicator that something is amiss in your environment. It is for this reason that we have added an “Elevate to alert rule” button to Sentinel Livestream: if your SOC analysts see that the activity monitored by Livestream has moved away from its baseline level, they can use this button to upgrade the Livestream query to an alert rule, which will then start generating incidents that can be assigned and handled according to your security incident response process.
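The “sudden increase in frequency” described above is the kind of condition that becomes worth expressing as a query once the Livestream is elevated to an alert rule. The following KQL is an added example, not code from the original post: it compares each host’s failed-logon count in the last hour with that host’s own hourly average over the previous seven days and surfaces hosts that are well above their baseline. The `baseline` table name, the 7d/1h windows, the three-standard-deviation margin and the minimum of 10 failures are assumed values to tune to your environment.

```kql
// Added example (not from the original post). Flags hosts whose failed-logon
// rate in the last hour is far above their own 7-day hourly baseline.
// Windows, the sigma margin and the minimum count are assumed values.
let baselineWindow = 7d;
let recentWindow = 1h;
let sigmaMargin = 3.0;
let minimumFailures = 10;   // ignore tiny absolute counts even if "anomalous"
// Hourly failed-logon counts per host over the baseline period (excluding the
// hour under test), then the mean and standard deviation per host.
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where EventID == 4625
    | summarize HourlyCount = count() by Computer, bin(TimeGenerated, 1h)
    | summarize BaselineAvg = avg(HourlyCount),
                BaselineStdev = stdev(HourlyCount),
                BaselineHours = count()
        by Computer
    // stdev() is null when only one baseline hour exists; treat that as 0.
    | extend BaselineStdev = coalesce(BaselineStdev, 0.0);
// Failed logons in the most recent hour, with the accounts and source IPs
// involved so the analyst can see what was targeted.
SecurityEvent
| where TimeGenerated > ago(recentWindow)
| where EventID == 4625
| summarize RecentCount = count(),
            TargetAccounts = make_set(TargetAccount, 20),
            SourceIPs = make_set(IpAddress, 20),
            LastAttempt = max(TimeGenerated)
    by Computer
| join kind=inner baseline on Computer
| extend Threshold = BaselineAvg + sigmaMargin * BaselineStdev
| where RecentCount >= minimumFailures and RecentCount > Threshold
| project LastAttempt, Computer, RecentCount, BaselineAvg, BaselineStdev,
          BaselineHours, Threshold, TargetAccounts, SourceIPs
// Entity mappings in the same style as the post's threat-intelligence query.
| extend timestamp = LastAttempt, HostCustomEntity = Computer
```

Because it references time windows, this query is written for an analytics rule rather than a Livestream session; hosts that produced no failed logons during the baseline period will not appear in `baseline` and are therefore not scored, which is a deliberate choice to avoid alerting on the first failure a quiet host ever sees.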

Livestream2.png

Advanced Sentinel Livestream use cases

In the previous section, we took a straightforward query we could run as part of a Sentinel Livestream interactive session. Now let’s look at an example of a more advanced use case where Sentinel Livestream can help with proactive hunting.

Below is an alert rule query that compares threat intelligence data feeds to aggregated log data and will notify you when a match occurs. Threat data feeds are ongoing streams of data related to potential or current threats, so a match might indicate a potential threat to your organization. As in our earlier example, instead of creating a custom alert rule for this, you could create a Livestream session when you want to be notified of a potential issue, and elevate it to an alert rule if required.

let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
| where isnotempty(FileName)
| join (
    SecurityEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | where EventID in ("4688", "8002", "4648", "4673")
    | where isnotempty(Process)
    | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
) on $left.FileName == $right.Process
// Keep the most recent indicator per IndicatorId
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SecurityEvent_TimeGenerated, FileName, Computer, IpAddress, Account, Event, Activity
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
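The same threat-intelligence matching pattern generalises to other indicator types. The KQL below is an added example, not code from the original post or from Microsoft’s rule templates: it applies the structure of the query above to IP-based indicators, matching them against the source address recorded on Windows logon events (4624 success, 4625 failure). It assumes the same ThreatIntelligenceIndicator schema the post’s query uses, where `NetworkIP` and `NetworkSourceIP` are the IP indicator columns; `TI_ipEntity` is a name introduced here. The lookback values are the post’s own.

```kql
// Added example (not from the original post): the post's FileName/Process
// TI-matching pattern applied to network indicators. Matches IP indicators
// against the source address on Windows logon events 4624 and 4625.
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Feeds populate NetworkIP or NetworkSourceIP; normalise to one column
// (TI_ipEntity is a name introduced for this example) before joining.
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkSourceIP)
| join kind=inner (
    SecurityEvent
    | where TimeGenerated >= ago(dt_lookBack)
    | where EventID in (4624, 4625)
    // Local and service logons carry "-" or empty in IpAddress; drop them so
    // they cannot match a malformed indicator.
    | where isnotempty(IpAddress) and IpAddress != "-"
    | extend SecurityEvent_TimeGenerated = TimeGenerated, Event = EventID
) on $left.TI_ipEntity == $right.IpAddress
// Keep the most recent indicator per IndicatorId, as the post's query does.
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId,
          ThreatType, ExpirationDateTime, ConfidenceScore,
          SecurityEvent_TimeGenerated, TI_ipEntity, Computer, IpAddress,
          Account, Event, Activity
| extend timestamp = SecurityEvent_TimeGenerated, AccountCustomEntity = Account,
         HostCustomEntity = Computer, IPCustomEntity = IpAddress
```

As written, with the `ago()` lookback filters, this is shaped as an analytics rule query. The post notes that Livestream queries cannot reference time periods, so the two `TimeGenerated` lookback lines would be left out when the same matching logic is run as a Livestream session.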

How do I create my own Sentinel Livestream?

There are two ways to create your own Sentinel Livestream. The first is to elevate an existing hunting query by right-clicking on that query and selecting “Add to Livestream.”

The second way to create a Livestream is to go to the Hunting blade of Azure Sentinel and select the Livestream tab next to the Queries tab.

Livestream4.png

Select “New Livestream”.

Livestream5.png

Give your Livestream a name and enter your query. It’s important to remember that Livestream queries cannot reference time periods, because the Livestream looks for query matches in real time.

Save the query and select “Play” to start the Livestream running. You will see the results in the bottom half of the screen.

You can also check on the status of your Livestreams from the main Livestream tab in Sentinel: whether they are playing or paused, how many results each Livestream has generated, and when its query last matched a result. Be mindful that when the user who started the Livestream signs out of Azure, the Livestream will stop running.

Livestream7.png

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/quick-wins-proactively-identify-signs-of-intrusions-in-real-time/ba-p/1269745

Tags: Azure, Azure Sentinel, Detection, Hunting, Security, SIEM