Enabling Sentinel in your environment is straightforward; all you need is:
An active Azure subscription.
A Log Analytics workspace.
Once you have those, you can go to Sentinel in the Azure portal to start deploying it and then add the data connectors.
It is possible to enable Sentinel on new Azure Monitor Log Analytics workspaces, and both the data ingestion and the Sentinel costs are free for the first 30 days (up to 10 GB of logs per day). Note that you are restricted to 20 workspaces per Azure tenant, which is nonetheless enough to get an understanding of the system.
For existing workspaces only the Sentinel costs are waived during the 31-day trial period. Additionally, any costs for extra automation or bring-your-own machine learning remain in effect.
There are currently a variety of Microsoft data connectors readily available that offer close-to-real-time integration, such as Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.
Sentinel also offers over 100 data connectors for non-Microsoft applications, such as AWS, Barracuda, Cisco and Symantec. It also supports generic connectors that let you transmit data via Windows Firewall, Syslog, REST API or the Common Event Format (CEF), which allows you to ingest data from virtually any source. It is therefore very adaptable to the infrastructure you already have.
Once your data connectors are activated, Sentinel will begin analysing and reporting on potential threats to your environment using the built-in alert rules.
But the true power of Microsoft Sentinel lies in the ability to create custom alert rules and playbooks that automate the identification and removal of threats in real time. Custom alert rules and playbooks let you tailor Sentinel to safeguard your business against the specific threats it faces.
Microsoft Sentinel in action – A typical scenario…
In this scenario a company's Azure AD Connect account was compromised and its credentials were stolen. We will look into this incident and discuss the ways in which Microsoft Sentinel could have been used to detect and stop the attack at various points of the cyber kill chain.
A cyber kill chain is a sequence of eight steps that traces an attack's progression from reconnaissance to data exploitation, helping us understand the timeline of a cyber-attack.
We will focus on alerting and remediation responses for reconnaissance, intrusion and exfiltration.
Why should you choose Azure AD Connect?
For those who are not aware, Azure AD Connect (AAD Connect) is an application that allows organisations to link their existing on-premises Active Directory with their Azure Active Directory environment. The most commonly used authentication settings for AAD Connect are Password Hash Sync (PHS) and Pass-Through Authentication (PTA).
Password Hash Sync works by synchronising the password hashes stored in Active Directory to Azure Active Directory, allowing users to sign in to cloud services with their on-premises credentials. Pass-Through Authentication allows users to sign in to cloud services with their on-premises credentials by forwarding the authentication request to the on-premises Active Directory for validation.
Both of these configurations are concerned with managing an organisation's credentials, and as such are a frequent target for attackers. It is therefore essential to ensure that the AAD Connect service, and the server it is hosted on, are secured to avoid a breach of those credentials.
Reconnaissance
The first step in the cyber kill chain is reconnaissance. Research suggests that as much as 60 percent of an attacker's time is spent analysing an organisation and its infrastructure before starting the attack. Reconnaissance is not in itself a threat or an exploit, but it is the initial step of a cyber-attack, so it is crucial to be aware of it and to be prepared to respond when it happens.
The most common form of reconnaissance is port scanning, used to identify servers, determine which operating system they run and possibly which services are listening. Armed with this information, attackers can exploit known vulnerabilities or use a password spray attack to try to gain a foothold in the system.
Using Microsoft Sentinel, we can create a custom alert rule that detects a possible port scan and triggers an action plan to remove the danger.
To react to this alert, we can create an automated playbook built on the Logic Apps framework available in Azure. Logic Apps uses a simple drag-and-drop interface to create a sequence of tasks to be completed.
The benefit of Logic Apps is that they can be used to build the complex workflows that normally consume the time of an organisation's IT staff, reducing the time spent on mundane, repetitive tasks.
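As an added example (not code from the original post), this Python script applies the port-scan logic a custom Sentinel analytics rule would express in KQL (counting distinct destination ports per source within a time bucket) to constructed CEF firewall lines of the kind the Syslog/CEF connector ingests; the window, threshold, vendor name and addresses are assumptions.

```python
"""Port-scan detection over CEF firewall events, mirroring a Sentinel analytics rule."""
from collections import defaultdict

# Detection parameters (assumed; tune for your environment).
WINDOW_MS = 5 * 60 * 1000   # 5-minute bucket, like KQL bin(TimeGenerated, 5m)
PORT_THRESHOLD = 20         # distinct destination ports from one source per bucket

# Constructed sample data in the shape a Syslog/CEF connector would ingest:
# one source sweeping 25 ports in 25 seconds, another making two ordinary connections.
SAMPLE_LOGS = [
    "CEF:0|ExampleVendor|FW|1.0|100|Connection denied|3|"
    f"rt={1700000000000 + i * 1000} src=203.0.113.10 dst=10.0.0.5 dpt={1000 + i}"
    for i in range(25)
] + [
    "CEF:0|ExampleVendor|FW|1.0|100|Connection denied|3|rt=1700000000000 src=198.51.100.7 dst=10.0.0.5 dpt=443",
    "CEF:0|ExampleVendor|FW|1.0|100|Connection denied|3|rt=1700000030000 src=198.51.100.7 dst=10.0.0.5 dpt=80",
]


def parse_cef(line):
    """Return the CEF extension (key=value pairs) as a dict, or None if the line is not CEF."""
    parts = line.split("|", 7)          # 7 header fields, then the extension
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        return None
    fields = {}
    for token in parts[7].split():      # sample values contain no spaces
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def detect_port_scans(lines, window_ms=WINDOW_MS, threshold=PORT_THRESHOLD):
    """Group events by (source, time bucket) and flag sources hitting many distinct ports."""
    ports_by_bucket = defaultdict(set)
    for line in lines:
        ev = parse_cef(line)
        if not ev or any(k not in ev for k in ("rt", "src", "dpt")):
            continue
        bucket = int(ev["rt"]) // window_ms     # rt is epoch milliseconds in CEF
        ports_by_bucket[(ev["src"], bucket)].add(ev["dpt"])
    return sorted({src for (src, _), ports in ports_by_bucket.items() if len(ports) >= threshold})


if __name__ == "__main__":
    print("Suspected port scanners:", detect_port_scans(SAMPLE_LOGS))
```

In Sentinel the same result would come from the rule's query running on a schedule, with the matching source IP mapped to an IP entity so the playbook can act on it.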
Intrusion
A growing form of attack that many organisations face is the password attack, in which an attacker tries to gain access to a system using default or common credentials.
Attackers increasingly compile lists of the most commonly used passwords for accessing systems. According to the NCSC, more than 75% of organisations were using passwords that are among the top 1000 most frequently used passwords. It is no surprise that password spray attacks are becoming more commonplace!
Attackers are unlikely to sign in to an account by hand from their own IP address; instead they automate the process using botnets. Therefore, when an alert is raised for an unusual sign-in, we can look up the IP address associated with the alert to determine whether it belongs to a known botnet. If so, we can block the user from logging in and create a ticket in ServiceNow to notify IT staff of a possible account breach.
Although most workflows can be built using the standard building blocks provided by Logic Apps, a more complex workflow is sometimes required. In this instance, we cannot build a Logic App alone that compares the IP address in the alert to a list of known botnets. However, Logic Apps can call Function Apps, which are small blocks of custom code that run on demand. This means we can build a Logic App that performs more complex tasks.
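As an added example (not the post's own code), here is the core logic such a Function App could run, in Python: it normalises a constructed botnet indicator list into networks, matches the alert's IP against them, and returns the decision the Logic App would branch on (block the user and raise a ServiceNow ticket, or do nothing). The feed contents, the alert field names and the handle_alert entry point are assumptions.

```python
"""Check the IP from a sign-in alert against a known-botnet list (Function App logic)."""
import ipaddress
import json

# Constructed sample feed; a real Function App would fetch this from a
# threat-intelligence source or blob storage rather than hard-code it.
BOTNET_FEED = [
    {"indicator": "203.0.113.0/24", "name": "example-botnet-A"},
    {"indicator": "198.51.100.42", "name": "example-botnet-B"},
    {"indicator": "not-an-indicator", "name": "malformed-entry"},
]


def load_networks(feed):
    """Normalise single IPs and CIDR ranges into ip_network objects paired with a label."""
    networks = []
    for entry in feed:
        try:
            networks.append((ipaddress.ip_network(entry["indicator"], strict=False), entry["name"]))
        except ValueError:
            continue  # skip malformed indicators rather than failing the whole check
    return networks


def match_ip(ip_text, networks):
    """Return the label of the botnet range the IP falls in, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None   # unparsable IP in the alert: treat as no match, never crash the playbook
    for net, name in networks:
        if ip.version == net.version and ip in net:
            return name
    return None


def handle_alert(alert_json, networks=None):
    """Entry point the Logic App would call with the alert body (assumed fields).

    Returns the verdict the playbook branches on: block the user and open a ticket,
    or take no automated action.
    """
    networks = load_networks(BOTNET_FEED) if networks is None else networks
    alert = json.loads(alert_json)
    hit = match_ip(alert.get("ipAddress", ""), networks)
    return {
        "user": alert.get("userPrincipalName"),
        "ipAddress": alert.get("ipAddress"),
        "knownBotnet": hit,
        "action": "block_and_ticket" if hit else "none",
    }
```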
Exfiltration
After an attacker gains initial access to a network, they will be looking for ways to get at the data on the system. In our fictional example, an attacker has obtained access to a local administrator account and is now seeking to extract all the user credentials stored in Active Directory.
Since the attacker has compromised the server hosting the AAD Connect service, they could compromise the built-in service account that AAD Connect uses to perform its synchronisation, using a technique commonly known as DCSync. DCSync impersonates a Domain Controller and requests password data from the targeted Domain Controller.
In the Microsoft security stack, Azure Advanced Threat Protection provides out-of-the-box protection against DCSync attacks. However, many security teams face the challenge of navigating the separate dashboards of every Microsoft security product they have implemented, including Microsoft Defender ATP, Azure ATP and CAS.
In the past this has meant time wasted switching between dashboards and consoles, slower response times, and possibly missed threats and missed correlations between them.
With Microsoft Sentinel, an organisation can now monitor threats and alerts across its entire IT infrastructure. Additionally, it can use incidents within Sentinel to correlate alerts and entities from all data sources, providing context that is useful to the investigation.
Conclusion
In short, Microsoft Sentinel is a robust SIEM suited to the current technological landscape. It offers a bird's-eye view of your complete IT estate, and intelligent analytics backed by the latest artificial intelligence that help you identify and combat threats in real time.
As the examples in this blog show, Sentinel integrates seamlessly with your existing Microsoft and non-Microsoft systems while still giving you the ability to customise it to meet your security needs.
All of this helps protect your business from the ever-growing cybersecurity threats of the contemporary world. Microsoft Sentinel's automated playbooks also increase the efficiency of IT and support staff by reducing the number of time-consuming, low-value remediation tasks, while accelerating the response time to security incidents.