Azure Sentinel News
Why Enabling Entities for Azure Sentinel Investigations is so Important

by Azure Sentinel News Editor
December 25, 2020
in KQL

Building out or enabling Analytics Rules in Azure Sentinel gives customers the ability to automate analysis of the data that is being ingested and stored in the Log Analytics workspace. These rules are important for exposing security events and potential threats to the environment. Analytics Rules produce Incidents (if you’ve accepted the defaults during rule enablement) when they find the thing you told them to look for and alert you to.

From an investigative analyst perspective, these Incidents should contain enough context to help in eventually solving the “case” or at least enabling first steps toward that direction. A vitally important piece of that context is supplied through the Entities that get associated with the Incident. These Entities are discovered through the Analytics Rule logic (KQL) and recorded as part of the Incident.

An Incident without Entities is nearly worthless. Here are a few reasons why.

1. Lack of Evidence Makes for a Sad Detective

The best way to explain this is to use regular law enforcement as an analogy. When a crime is committed, the more facts that can be gathered, the sooner the detective (or investigative analyst) can begin the investigation. A suspect, a phone number, an address, an action, and anything else that is important to carrying out an investigation should be included if possible.

Think of this from a detective’s perspective. A case file is handed to the detective. The detective begins perusing the file’s contents to find that there’s no suspect, no witness, and no evidence. How would they proceed? This is probably what makes the TV detectives so snarky and bad tempered. I can just hear it: “Oh, thanks Sarge.”

Currently, Azure Sentinel allows enabling of the following Entities (or facts/artifacts). I’ve matched each Entity to its law enforcement relative to better understand the relation:

  • Account = Suspect or witness
  • Host = Home or business address
  • IP = Phone number (sometimes there are multiple, i.e., cell, home, business)
  • URL = Suspect action (might contain an alibi, might incriminate)
  • FileHash = Evidence (the smoking gun)

As with law enforcement, a lack of a suspect or any type of evidence makes an Azure Sentinel Investigation just as painful. But, our goal is also to provide as much context as possible. The more context (the more evidence, facts, etc.) the quicker an Investigation can be closed. Missing Incident collateral can lead to undetermined and cold cases.

Image: No Entities makes for a sad detective

2. No Investigation Graph

Did you know that without at least one Entity associated with an Incident the super-cool Investigation Graph is not available?

Image: No Entity, No Fun

The Investigation Graph is a graphical component that turns our Entities into a timeline or story of how a potential threat progressed. It provides huge value for analysts by letting them view the evidence in a more meaningful way and visualize the progression. For example, it could show that a user clicked on a link in an email that downloaded content from a nefarious website that compromised the account. Without the Account, URL, and IP entities, we’d have a much more difficult time figuring out the storyline. It could still be done, but there’d be a lot of manual work and we might end up missing something important.

Image: Investigation Graph

3. No Automation for Additional Context

For every Investigation I help with, I always supply a bit of automation through a couple of Playbooks. One submits IP Addresses to IP-API.com to return geographical location and submits the information to the Comments section of the Incident. Another thing I do (if there’s also an Account Entity) is submit an email address to the Haveibeenpwned service to determine if the account is clean (not publicly compromised). Without Entities, you can’t supply this additional context. Knowing the location and who manages the IP Address, and knowing that the account is safe, is important context.

Image: Additional Context

Why the PSA?

I talk about how important Entities are during my workshops, but what brought this up specifically for this PSA was the recent availability of free content for Azure Sentinel customers from SOC Prime. (See: SOC Prime O365 rules and more now offered free, exclusively to Azure Sentinel users).

After a bit of initial investigation, I found that no Entities are assigned in the KQL logic for the Analytics Rules provided. So, you’ll need to add your own.

It’s easy to do. Just go back into the Analytics Rule and on the Set Rule Logic tab in the Analytics Rule wizard, click the dropdown for each Entity Type and select the appropriate value.

Image: Assign Entities

The ones supplied by SOC Prime (thank you, SOC Prime!) are for Office 365, so I know at least the Account entity is available to assign.
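Checking for this gap by hand across dozens of imported rules is tedious, so here is an added example (not code from the original post or from SOC Prime) that audits exported analytics rules for Incidents that would arrive without Entities. It assumes the rules are in the ARM template shape used for Microsoft.SecurityInsights scheduled alert rules (kind "Scheduled", with an optional properties.entityMappings array) and recognises the older <Type>CustomEntity column convention as well; the sample template is constructed.

```python
"""Audit exported Azure Sentinel analytics rules for missing entity mappings.

Added example, not code from the original post. Assumes the ARM template shape
of Microsoft.SecurityInsights scheduled alert rules (kind "Scheduled", optional
properties.entityMappings); the sample template below is constructed.
"""
import re

# Entity types named in the post; legacy rules mapped them via <Type>CustomEntity columns.
ENTITY_TYPES = {"Account", "Host", "IP", "URL", "FileHash"}
LEGACY_COLUMN = re.compile(r"\b(Account|Host|IP|URL|FileHash)CustomEntity\b")

def mapped_entity_types(rule: dict) -> set:
    """Entity types the rule will attach to its Incidents (modern mapping or legacy columns)."""
    props = rule.get("properties", {})
    types = {m.get("entityType") for m in props.get("entityMappings", [])}
    types |= set(LEGACY_COLUMN.findall(props.get("query", "")))
    return types & ENTITY_TYPES

def rules_missing_entities(template: dict) -> list:
    """Display names of Scheduled rules that would create Incidents with no Entities."""
    return [res["properties"]["displayName"]
            for res in template.get("resources", [])
            if res.get("kind") == "Scheduled" and not mapped_entity_types(res)]

# Constructed sample: one O365 rule mapped correctly, one with no mapping at all.
SAMPLE_TEMPLATE = {"resources": [
    {"kind": "Scheduled", "properties": {
        "displayName": "O365 - mass file download",
        "query": "OfficeActivity | where Operation == 'FileDownloaded' "
                 "| summarize count() by UserId, ClientIP | where count_ > 100",
        "entityMappings": [
            {"entityType": "Account",
             "fieldMappings": [{"identifier": "FullName", "columnName": "UserId"}]},
            {"entityType": "IP",
             "fieldMappings": [{"identifier": "Address", "columnName": "ClientIP"}]}]}},
    {"kind": "Scheduled", "properties": {
        "displayName": "O365 - new inbox rule",
        "query": "OfficeActivity | where Operation == 'New-InboxRule'"}},
]}

if __name__ == "__main__":
    for name in rules_missing_entities(SAMPLE_TEMPLATE):
        print(f"No Entities mapped: {name}")
```

Run it against a real export (for example the JSON produced when exporting rules from the Analytics blade as an ARM template) and every rule it names will open Incidents with no Investigation Graph and nothing for enrichment Playbooks to act on.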

UPDATE November 3, 2020: This post raised enough awareness of the incomplete SOC Prime Analytics Rules that the organization is working to fix them. Updates will come in the “next flight” – which is sometime in the next 2 weeks.

4. EXTRA: No URL Detonation

After posting this, my colleague, Matt Egen (super, excellent Azure Sentinel resource, btw) pointed out something I’d forgotten to include.

Unique to Azure Sentinel, in the Investigation Graph, we have the ability to display a “screen capture” of the URL the user clicked on (or that was used in execution of a crime). This screen capture gets associated and attached as evidence to the Incident/Investigation. This provides the best sandboxing environment for an analyst to ensure that they can see exactly what the perpetrator saw without compromising the rest of the environment. Try this with a competing security tool.

P.S. There are other cool aspects of this “Sonar” technology for our URL detonation that I’ll cover in depth in a future blog post.

Can you think of other reasons why Entities are important? Let me know.

Reference: https://azurecloudai.blog/2020/11/02/psa-the-importance-of-entities-for-azure-sentinel-investigations/

Copyright © 2020 - Azure Sentinel News