Visualise Attacks with Azure Sentinel

Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution that uses pre-built data connectors to ingest data from a range of security solutions, which you can then query, investigate and respond to in one place. Being cloud native, there is no infrastructure to manage, and integration with other cloud services (especially Microsoft 365 and Azure) is straightforward. In this blog, I'll walk through some simple steps to get started with what I think is the best feature of Azure Sentinel: visualising incidents and attacks.

Scenario

Our fictitious organisation has just set up Azure Sentinel and is looking to get a better grip on security by providing a single view for investigating data from multiple security solutions. As identity is now considered the primary security perimeter, connecting Azure AD seems a good place to start. The organisation has an Azure AD Premium P2 licence, so I set up a data connector to Azure Active Directory (AAD) Identity Protection to take advantage of its automated risk detection.

Fig 1. Enable AAD Identity Protection data connector

In the image below you can see the analytic templates available on the connector page, which in this case simply create incidents in Azure Sentinel. An incident contains all the evidence relevant to an investigation, based on the analytic templates enabled.

Fig 2. Relevant Analytic Templates

For other connectors this can be a much larger list containing more specific rules. I create a rule based on the above template using default settings and wait for results to come in. The image below shows that an 'unfamiliar sign-in properties' incident has been created from AAD Identity Protection. Drilling into one of these incidents, I set the priority to low, change the state from new to active and assign it to myself. I also add a comment suggesting that this person may have moved house.

Fig 3. Start Incident Investigation

The 'Entities' section tells us that this incident includes only an account and an IP address. Clicking Investigate takes me to the investigation page, where the visualisation tools are. In the animation below I use the visualisation tools to drill into related information: first expanding recent Microsoft 365 activity by IP address, then checking the most prevalent accounts seen from the offending IP address. This provides a quick way to validate the incident or trace it to other incidents.
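For readers who want to see what those two graph expansions do underneath, here are the same two pivots written as KQL queries for the Sentinel Logs blade. This is an added example and not code from the original post; it assumes the standard SigninLogs and OfficeActivity tables (with their usual columns) are populated by the Azure AD and Office 365 connectors, and the IP address and time windows are placeholder values standing in for the entity from a real incident.

```kql
// Added example (not from the original post). Run each query separately in the Logs blade.
// Assumes the standard SigninLogs and OfficeActivity tables; suspect_ip is a placeholder
// (RFC 5737 documentation range) standing in for the IP entity on the incident.

// Pivot 1: recent Microsoft 365 activity from the offending IP address
let suspect_ip = "203.0.113.45";
let lookback = 7d;
OfficeActivity
| where TimeGenerated > ago(lookback)
| where ClientIP == suspect_ip
| project TimeGenerated, UserId, OfficeWorkload, Operation, ResultStatus
| order by TimeGenerated desc

// Pivot 2: most prevalent accounts signing in from that IP, with Identity Protection risk context,
// plus whether the IP is new for each account (a first-seen IP is what 'unfamiliar sign-in
// properties' is reacting to) so a "moved house" explanation can be checked against the data
let suspect_ip = "203.0.113.45";
let lookback = 7d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress == suspect_ip
| summarize SignIns = count(),
            Failures = countif(ResultType != "0"),          // ResultType "0" is a successful sign-in
            Risky = countif(RiskLevelDuringSignIn in ("medium", "high")),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName
| join kind=leftouter (
    // sign-ins from the same IP in the 90 days before the lookback window
    SigninLogs
    | where TimeGenerated between (ago(90d) .. ago(lookback))
    | where IPAddress == suspect_ip
    | summarize PriorSignIns = count() by UserPrincipalName
  ) on UserPrincipalName
| extend NewIpForUser = isnull(PriorSignIns) or PriorSignIns == 0
| project UserPrincipalName, SignIns, Failures, Risky, NewIpForUser, Apps, FirstSeen, LastSeen
| order by SignIns desc
```

The second query is the one to look at before closing an incident as benign: a single account with a handful of successful sign-ins, no failures and no risky sign-ins from an IP that is new for that user fits the "moved house" explanation, whereas many accounts from one new IP, or a high failure count, is a pattern that warrants keeping the incident open.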

Fig 4. Investigate using Visualisations

After validating the location as low risk, I can close the incident and assign a classification. In this case 'Benign Positive – Suspicious but expected' is the most suitable.

Fig 5. Close Incident

Azure Sentinel – other useful features

When investigating incidents that contain multiple events or actions, the timeline view shows the series of events within the incident, allowing you to track the attack path, potentially across multiple security solutions. Below you can see that Microsoft Defender Advanced Threat Protection and Azure Security Center have reported that malware was detected, and that a subsequent action was taken to remove it.

Fig 6. Malware Detected

In a further example below, Microsoft Cloud App Security has reported the Twitter breach that occurred on July 15th 2020. An incident is also created automatically, which allows me to view all the users in the organisation who used Twitter in the last 90 days.

Fig 7. Twitter Breach Alert

As you can see, viewing all your security solutions in one place saves a lot of time and gives you more high-level clarity and oversight of all the disparate security solutions your organisation has.

Conclusion

Even though this is only an entry-level look at Azure Sentinel, it shows how simple it is to connect data and how you can investigate using graphs rather than more time-consuming queries. For security teams with limited resources, this significantly lowers the barrier to entry. Azure Sentinel has a wealth of other features, such as automated threat responses via playbooks and more proactive tooling through hunting. I highly recommend you take a look at the Azure Sentinel blog page to get a feel for some of the possibilities.

References:

Azure Sentinel documentation
Azure Sentinel blog page

How Silversands can help

Silversands provide security and compliance services across Microsoft 365, Azure and the hybrid cloud, which puts us in a great position to offer expertise across your whole organisation. We run regular webinars on Microsoft 365 and Azure, so please check out our schedule. We can help you integrate and optimise Azure Sentinel to fit your requirements; this often includes automation with existing services or connecting the right logs from the right sources. If you want to talk to one of our experts, please complete and submit the form below: