Enabling Sentinel in your environment is simple; all you require is:
An active Azure subscription.
A Log Analytics Workspace.
Once you have those, you can browse to Sentinel from your Azure portal to deploy it. With Sentinel deployed, you are ready to start adding the data connectors.
You can turn on Sentinel in new Azure Monitor Log Analytics workspaces. Both log ingestion and Sentinel charges are waived for 31 days (up to 10GB of logs per day). It’s worth noting that you are limited to 20 workspaces per Azure tenant, but that is enough to give you a feel for the platform.
For existing workspaces, only the Sentinel fees are waived during the 31-day trial period. In addition, any charges for additional automation or bring-your-own machine learning remain in effect.
A variety of Microsoft data connectors are currently available out of the box and provide close-to-real-time integration with services such as Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.
Sentinel also offers over 100 connectors in the box for non-Microsoft products, including AWS, Barracuda, Cisco and Symantec. Sentinel also supports generic connectors, allowing you to send data via Windows Firewall, Syslog, REST API or Common Event Format (CEF), which lets you ingest data from practically any data source. So, it’s very flexible to your infrastructure.
Once your data connectors are enabled, Sentinel will begin analysing and reporting on security threats in your environment using the built-in alert rules.
The real strength of Microsoft Sentinel is the ability to design custom alerts and playbooks that automatically identify and address security threats as they occur. Custom alert rules and playbooks allow you to tailor Sentinel to defend your organization against the specific threats it faces.
Microsoft Sentinel in action – A typical scenario…
In this example an organization’s Azure AD Connect instance was compromised and its credentials have been stolen. We will examine this attack and explain how Microsoft Sentinel could have been used to warn of and limit it at different stages of the attack chain.
The cyber kill chain is made up of 8 steps that trace an attack’s progress from reconnaissance through to data exploitation, improving our understanding of the timeline of a cyber-attack.
We will focus on the alerting and remediation response against intrusion, reconnaissance and exfiltration.
Why should you choose Azure AD Connect?
For those who aren’t aware, Azure AD Connect (AAD Connect) is a tool that allows organisations to connect their on-premises Active Directory with their Azure Active Directory environment. The most common authentication configurations for AAD Connect are Password Hash Sync (PHS) and Pass-Through Authentication (PTA).
Password Hash Sync works by synchronising the hashed passwords held in Active Directory with Azure Active Directory, allowing users to sign in to cloud services using their existing credentials. Pass-Through Authentication, by contrast, allows users to sign in to cloud services with their on-premises credentials by forwarding the authentication request to an on-premises Active Directory server.
Both configurations involve managing an organisation’s credentials, and as such they are a valuable target for attackers. It is therefore essential to keep the AAD Connect service secure and to ensure that the server it sits on is protected against a breach of those credentials.
Reconnaissance
The initial step in this chain is reconnaissance. Research shows that up to 60 percent of an attacker’s time is spent researching an organisation and its infrastructure before beginning the attack. Reconnaissance in itself is therefore neither a vulnerability nor an exploit. It is essential to remember, however, that reconnaissance is the first step on the path to a cyber-attack, which is why it is essential to react to it when it occurs.
The most well-known method of reconnaissance is port scanning, used to fingerprint servers and find out what operating system and, potentially, what services are running. With this information, attackers could exploit known vulnerabilities or make use of a password spray technique in an attempt to gain a foothold in the system.
By using Microsoft Sentinel, we can create a custom alert rule that detects possible port scanning and triggers a playbook to remediate the threat.
To take action in response to this alert you can design an automated playbook using the Logic Apps framework available in Azure. Logic Apps uses a simple drag-and-drop interface to create a list of tasks that need to be executed.
The advantage of Logic Apps is that they can be used to build complicated workflows that would otherwise consume the time and energy of an organisation’s IT team, reducing the amount of time spent on mundane, repetitive tasks.
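As an added example (not code from the original post), the detection logic such a custom rule expresses, written in Python over constructed sample firewall records so it runs offline: a source that touches many distinct destination ports on one host within a short window is flagged, and the flagged entities are what a playbook would receive. The field names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/network log records (not real data): one
# source probing many ports within seconds, another with ordinary traffic.
SAMPLE_LOGS = [
    {"time": "2024-01-01T10:00:00", "src": "198.51.100.7", "dst": "10.0.0.5", "dport": p}
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)
] + [
    {"time": "2024-01-01T10:00:05", "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 443},
    {"time": "2024-01-01T10:00:07", "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 443},
    {"time": "2024-01-01T10:00:09", "src": "10.0.0.20", "dst": "10.0.0.5", "dport": 80},
]


def detect_port_scans(records, window=timedelta(minutes=5), min_ports=10):
    """Return (src, dst, distinct_port_count) for every source that hit at
    least `min_ports` distinct ports on one host inside a single time bin.
    This is the same shape as a KQL rule that does
    summarize dcount(DestinationPort) by SourceIP, DestinationIP, bin(TimeGenerated, 5m)
    and filters on the count (assumed column names)."""
    buckets = defaultdict(set)
    for r in records:
        ts = datetime.fromisoformat(r["time"])
        # Fixed-size time bins, like KQL's bin(): the same source seen
        # across two bins is counted separately, as the rule would do.
        bucket = int(ts.timestamp() // window.total_seconds())
        buckets[(r["src"], r["dst"], bucket)].add(r["dport"])
    hits = []
    for (src, dst, _bucket), ports in buckets.items():
        if len(ports) >= min_ports:
            hits.append((src, dst, len(ports)))
    return hits


if __name__ == "__main__":
    for src, dst, count in detect_port_scans(SAMPLE_LOGS):
        # These entities (attacker IP, targeted host) are what the playbook
        # would act on, e.g. by adding a firewall block rule.
        print(f"possible port scan: {src} -> {dst}, {count} distinct ports")
```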
Intrusion
An ever-growing form of intrusion that many organisations confront is the password attack, in which an attacker seeks to gain access to a system through default or widely used credentials.
Attackers also use lists of the most frequently used passwords in order to access systems. According to the NCSC, over 75% of businesses had passwords that feature among the top 1000 most frequently used passwords. It’s no wonder, therefore, that password attacks are becoming commonplace!
Attackers aren’t likely to sign in to an account manually from their own IP address. Instead, they’ll attempt to automate the process with botnets. So, when an alert is generated for an unusual sign-in, it is possible to look up the IP address in the alert and determine whether it originated from a known botnet. If it did, the playbook can block the user from signing in and open a ticket in ServiceNow to notify IT personnel of a potential account breach.
While the majority of workflows can be built using the basic building blocks provided in Logic Apps, a more elaborate workflow is sometimes needed. For example, a Logic App alone cannot compare the IP address in the alert against a list of known botnets. The good news is that Logic Apps can integrate with Function Apps, which are small pieces of custom code that the workflow can execute. This means we can build a Logic App that performs more complicated tasks.
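As an added example (not code from the original post, and not an actual Azure Functions project), the core of such a Function App in Python: it parses the alert payload a Logic App would pass in, checks the sign-in IP against a botnet range list with CIDR matching, and returns the decision the playbook branches on. The feed entries are constructed placeholders from documentation ranges, and the payload field names are assumptions.

```python
import ipaddress
import json

# Constructed sample botnet feed (placeholder documentation ranges, not a
# real feed); a production Function App would load this from a threat-
# intelligence source rather than a constant.
KNOWN_BOTNET_RANGES = [
    "198.51.100.0/24",
    "203.0.113.42/32",
    "not-a-range",  # malformed entry, to show it is skipped rather than fatal
]


def load_ranges(entries):
    """Parse CIDR/IP strings once; malformed entries are dropped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def is_known_botnet(ip, nets):
    """True if `ip` falls inside any listed range. An unparseable address
    returns False so a bad alert field never blocks a user by accident."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def handle_alert(body, nets=None):
    """Entry point the Logic App would call with the alert JSON (assumed
    fields IPAddress and UserPrincipalName). Returns the playbook decision:
    block the account and raise a ticket, or only record the lookup."""
    nets = load_ranges(KNOWN_BOTNET_RANGES) if nets is None else nets
    alert = json.loads(body) if isinstance(body, str) else body
    ip = alert.get("IPAddress", "")
    matched = is_known_botnet(ip, nets)
    return {
        "user": alert.get("UserPrincipalName", ""),
        "ip": ip,
        "known_botnet": matched,
        "action": "block_user_and_open_ticket" if matched else "monitor",
    }
```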
Exfiltration
Once an attacker gains initial access to a network, they will be looking for ways to get data out of it. In our hypothetical scenario the intruder has gained access to an administrator account on the local network and is now looking to extract all of the user credentials stored in Active Directory.
Because the attacker has compromised the server hosting the AAD Connect service, they may also compromise the built-in account that AAD Connect uses to perform its synchronisation and use it for a technique commonly known as DCSync. DCSync impersonates a Domain Controller and is able to request password data from the targeted Domain Controller.
Within the Microsoft security stack, Azure Advanced Threat Protection comes with built-in detection of DCSync attacks. However, many security teams have the problem of having to traverse a different dashboard for each Microsoft security product they’ve implemented, including Microsoft Defender ATP, Azure ATP and CAS.
In the past this wasted time switching between dashboards and consoles, slowed response times, and possibly missed threats and the connections between them.
With the introduction of Managed Microsoft Sentinel, an organisation can now view threats and alerts across its entire IT infrastructure. It can also take advantage of incidents within Sentinel to correlate alerts and entities across all data sources and add contextual information that is meaningful to the investigation process.
Conclusion
In the end, Microsoft Sentinel is a strong SIEM for the current technological landscape. It gives you a bird’s-eye view of your complete IT estate and includes sophisticated analytics, aided by artificial intelligence, to help identify and combat threats in real time.
As seen in the examples in this blog, Sentinel integrates seamlessly with your pre-existing Microsoft and non-Microsoft infrastructure while still giving you the ability to customise Sentinel to match your security needs.
This helps protect your business against the increasing cyber security threats of our modern world. Microsoft Sentinel’s playbook automation also increases the efficiency of IT and support personnel by reducing the amount of minor, time-consuming remediation work required, all while increasing the speed of response to issues.