This is the eleventh section, and it continues with more Sentinel. Earlier in this series we saw how the different pieces are connected and how they help SOC teams work proactively on threats.
So let’s do some designs and configurations.
Design and configure analytics rules
Sentinel has two styles of analytics rules: built-in and custom analytics rules.
Built-in rules
Sentinel offers pre-configured analytics rules for detecting a wide range of security risks. These built-in rules employ machine learning, behavioral analytics, and other sophisticated approaches to detect potentially dangerous conduct. They include a wide range of threat categories, such as brute-force assaults, account breach, data exfiltration, and others.
You must enable these built-in analytics rules in your Sentinel workspace before you can utilize them. When activated, they will begin automatically evaluating your data and will notify you if any questionable activity is found.
Currently available built-in rules:
- Anomaly
- Fusion
- Microsoft security
- Machine learning (ML) behavior analytics
- Scheduled alerts
- Near-real-time
See more from Learn
Custom rules
Custom rules may be adjusted to your individual security requirements and are effective for detecting risks that are specific to your business or environment.
To build a custom rule in Sentinel, you must first identify the criteria that will activate the rule. You may establish these requirements using a range of data sources, including log data, network traffic, and others. After you’ve specified the requirements, you may configure the rule to do various actions, such as sending an email notice or opening a ticket in a ticketing system.
Sentinel has a rule creation wizard that walks you through the process of creating custom rules. The wizard lets you choose the data sources to utilize, create the rule’s requirements, and describe the actions to execute when the rule is activated.
Microsoft Learn also has good content on custom rules.
Activate Microsoft security analytics rules
Use the built-in rules in Microsoft Sentinel to specify which connected Microsoft security solutions should automatically generate Microsoft Sentinel incidents in real time. You can also edit the rules to define more specific options for filtering which of the Microsoft security solution’s alerts should generate incidents in Microsoft Sentinel.
To create a rule from a template, open Analytics -> Rule templates.
Choose a template; I will use Defender for Office 365. Note that the Create rule button may be disabled for certain rule templates, indicating that you cannot create a rule from the selected template because a required data source is missing.
Select severity levels and include or exclude specific alerts.
On the next page you can attach playbooks to the rule.
Field | Description |
---|---|
Automation rule name | Choose a name that uniquely describes this automation rule |
Trigger | Predefined value that can’t be changed. |
Conditions | Typical query filter construct that can be edited and sorted. |
Actions | Selection list of actions; select which action you want to be performed if the query filter conditions are met. |
Rule expiration | Date and time for rule to be disabled. Default is indefinite. |
Order | If multiple rules are created, select sequential numbers to reorder the incident automation rules in the left pane. |
Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps.
You can define multiple Microsoft Security analytics rules for each Microsoft security service type. Because each rule serves as a filter, duplicate incidents are avoided. Even if an alert matches more than one Microsoft Security analytics rule, only one Microsoft Sentinel incident is created.
Once done, click Create.
You can then see the new rule that you just created.
Configure built-in scheduled queries
If you want to create a scheduled query from a rule template, navigate to Analytics -> Rule templates, choose a rule template, and then create a rule.
It will create the rule for you with the predefined set of conditions,
and the predefined query with the relevant information.
Configure custom scheduled queries
You can also build custom queries.
Once you start creating the Scheduled query, you can also choose MITRE tactics for it.
Define incident creation logic
Incident creation logic in Sentinel involves the following steps:
- Data Ingestion: Sentinel collects security-related data from various sources, such as logs, events, and alerts generated by different security solutions and services. This includes data from firewalls, intrusion detection systems, antivirus software, and more. The collected data is processed for further analysis.
- Event Correlation: The ingested data is analyzed to identify patterns, anomalies, and potential security threats. Event correlation techniques are applied to determine relationships between different events and to identify sequences of events that may indicate a security incident. By correlating events, Sentinel can establish a contextual understanding of the security landscape.
- Rule-Based Detection: Sentinel applies a set of predefined rules or custom queries to the analyzed data. These rules are designed to trigger when specific conditions are met. For example, a rule might detect a known malware signature or identify multiple failed login attempts from the same IP address. When the conditions of a rule are satisfied, an alert is generated.
- Machine Learning and Behavioral Analysis: In addition to rule-based detection, Sentinel utilizes machine learning algorithms and behavioral analysis techniques. This enables the system to detect anomalies and identify unknown or emerging threats that may not be captured by predefined rules. By analyzing historical data and patterns of system behavior, Sentinel can identify suspicious activities or deviations from normal behavior.
- Alert Generation: When a security event or condition meets the defined criteria in the detection rules or analysis algorithms, an alert is generated. The alert contains information about the event, its severity, and any associated metadata. Alerts serve as notifications to the security operations team that a potential security incident has been identified.
- Incident Creation: Based on the generated alerts, Sentinel consolidates related alerts into incidents. Incidents represent higher-level security events that require investigation and response. By grouping related alerts together, Sentinel provides a unified view of the incident, allowing security teams to better understand the scope and impact of the security event.
- Incident Prioritization: Incidents are assigned priority levels based on their severity, impact, and potential risk to the organization. This prioritization helps security teams focus their efforts on the most critical incidents first, ensuring efficient allocation of resources and timely response to the most significant threats.
- Workflow and Response: Once an incident is created and prioritized, security teams follow predefined workflows to investigate and respond to the incident. This typically involves gathering additional evidence, analyzing system logs, conducting forensics, and taking appropriate actions to mitigate the threat or contain the incident. The workflows help ensure a consistent and effective incident response process.
These procedures are necessary for enterprises to use Sentinel’s incident generation logic to detect and respond to security issues, improving their overall security posture.
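As an added example (not from the original post) that ties the custom scheduled query section to the rule-based detection and incident creation steps above, here is a KQL query you could paste into the scheduled rule wizard. It detects a burst of failed sign-ins for one account from one IP address followed by a successful sign-in from that same IP, which is the "multiple failed login attempts" pattern mentioned above. The SigninLogs table and its columns are standard; the threshold, look-back window, result code choice and the rule settings in the comments are assumptions you should tune for your environment.

```kql
// Added example, not from the original post. Scheduled analytics rule query for Microsoft Sentinel.
// Suggested wizard settings (assumptions, tune to your environment):
//   Run query every 1 hour, look up data from the last 1 hour, alert when results > 0.
//   MITRE tactics: Credential Access (T1110 Brute Force), Initial Access (T1078 Valid Accounts).
//   Entity mapping: Account -> UserPrincipalName, IP -> IPAddress.
//   Alert grouping: enabled, group by the Account entity, look back 5 hours, so repeated alerts
//   for the same account are consolidated into one incident instead of many.
let lookback = 1h;               // must match the rule's "look up data from the last" setting
let failThreshold = 10;          // number of failed attempts that counts as a burst
let failed = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"   // Entra ID result code: invalid username or password
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where FailedCount >= failThreshold;
let succeeded = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"       // successful sign-in
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
failed
| join kind=inner (succeeded) on UserPrincipalName, IPAddress
| where SuccessTime > LastFail      // the success came after the burst of failures
| project UserPrincipalName, IPAddress, FailedCount, FirstFail, LastFail, SuccessTime
// Columns used by the entity mapping in the wizard; the names follow a common Sentinel convention.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

The entity mapping is what makes the alert grouping work: without an Account entity on the alert, the grouping setting has nothing to group on, and each run of the rule would produce a separate incident.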
Manage and use watchlists
Any organization’s threat management strategy must include managing and using watchlists. Using watchlists, security teams can monitor and follow possible risks by building a list of entities, such as IP addresses or email addresses, that need closer examination. Microsoft Sentinel offers tools to build, maintain, and use watchlists in your security environment.
You can use watchlists, for example, for the following:
- Rapid Import: Import IP addresses, file hashes, and other data from CSV files to quickly investigate threats and respond to incidents.
- Utilize Watchlist Name-Value Pairs: Use watchlist name-value pairs for joins and filters in various aspects, such as alert rules, threat hunting, workbooks, notebooks, and general queries.
- Import Business Data as Watchlists: Import business-related data, like user lists with privileged system access or terminated employees, and create allow lists and blocklists to detect or prevent specific user activities.
- Reduce Alert Fatigue: Create allowlists to suppress alerts from authorized users or benign events, preventing unnecessary alerts and reducing alert fatigue.
- Enrich Event Data: Leverage watchlists to enrich event data by incorporating name-value combinations from external data sources, enhancing the context and insights derived from the events.
You can create a watchlist manually.
Then define the source. Azure Storage is still in preview.
If you wish to use it, you need a SAS token to access the storage. See more on what a SAS token is here: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#sas-token
Or you use the provided templates:
- High Value Assets: A list of equipment, resources, or other assets in the organization that have critical value.
- Identity Correlation: A collection of connected user accounts owned by the same individual.
- Network Addresses: A list of IP subnets and the organizational settings in which they exist.
- Service Accounts: A list of service accounts and the people that possess them.
- Terminated Employees: A list of employee user accounts that have been or are scheduled to be terminated.
- VIP Users: A list of employee user accounts with a high effect value in the organization.
You can either create from a template or download the schema (CSV file)
and add your own information to it.
If you choose to create from a template, it will populate the SearchKey for you.
See more on Microsoft Learn.
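As an added example (not from the original post), here is a KQL query that uses two watchlists the way the list above describes: one to enrich events with business data (High Value Assets) and one as an allowlist to reduce alert fatigue. It assumes the two watchlists exist with the names and extra columns shown in the comments; SearchKey is the column Sentinel populates from the field you choose as the search key, and SecurityEvent is the standard Windows security event table.

```kql
// Added example, not from the original post. Uses two watchlists that are assumed to exist:
//   HighValueAssets  - SearchKey = Computer (FQDN as logged in SecurityEvent),
//                      extra columns AssetOwner and Tier
//   ApprovedAdmins   - SearchKey = Account (DOMAIN\user, as logged in SecurityEvent)
// Watchlist names and extra column names are assumptions; SearchKey is the column Sentinel
// fills from the field you pick as the search key when you create the watchlist.
let hva = _GetWatchlist('HighValueAssets')
    | project Computer = SearchKey, AssetOwner, Tier;
let approvedAdmins = _GetWatchlist('ApprovedAdmins')
    | project Account = SearchKey;
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4624                    // successful logon
| where LogonType in (2, 10)               // Interactive or RemoteInteractive (RDP)
| join kind=inner (hva) on Computer        // enrich with owner and tier; drops hosts not on the list
| where Account !in (approvedAdmins)       // allowlist: suppress admins who are expected to log on
| summarize LogonCount = count(),
            FirstLogon = min(TimeGenerated),
            LastLogon = max(TimeGenerated),
            SourceIPs = make_set(IpAddress, 10)
    by Computer, Account, AssetOwner, Tier
| extend HostCustomEntity = Computer, AccountCustomEntity = Account
```

Because the allowlist is a watchlist rather than a hard-coded list in the query, the SOC can add or remove an approved admin by editing the watchlist without touching the analytics rule itself.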
Manage and use threat indicators
Threat indicators are an important part of every company’s cybersecurity strategy. These indicators give information about possible security risks, and businesses that use them effectively can improve their threat detection and response capabilities.
You can work with them as follows:
- Enable data interfaces to multiple TI platforms and feeds to import threat intelligence into Microsoft Sentinel.
- The imported threat intelligence may be seen and managed in Logs and on the Microsoft Sentinel Threat Intelligence website.
- Detect risks and produce security warnings and events based on imported threat intelligence using the built-in Analytics rule templates.
- With the Threat Intelligence worksheet, you can see essential information about your imported threat intelligence in Microsoft Sentinel.
You can add Microsoft Defender Threat Intelligence, which is still in preview, from the Content hub.
Before you connect, you can choose which content to add using the following options.
Once done, click Connect.
You can also add sources from Sentinel -> Threat Management -> Threat intelligence.
You can manually create your own,
for example for domain names.
You can import your own TI definitions
or import from existing solutions.
It will connect the following data connectors.
It will install multiple different analytics rules and hunting queries.
See more on Microsoft Learn.
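As an added example (not from the original post, and not one of the solution's installed rules), here is a KQL query of the kind the threat intelligence analytics rule templates use: it matches the domain-name indicators you imported or created manually against DNS lookups. ThreatIntelligenceIndicator and DnsEvents are standard Sentinel tables; the look-back windows are assumptions.

```kql
// Added example, not from the original post. Matches domain-name indicators in the
// ThreatIntelligenceIndicator table against DNS lookups in the DnsEvents table.
// Both tables are standard Sentinel tables; the look-back windows are assumptions.
let ioc_lookBack = 14d;          // how far back to collect indicators
let dt_lookBack = 1h;            // how far back to check events (match the rule frequency)
let domain_iocs = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookBack)
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId    // keep the newest copy of each indicator
    | where Active == true and ExpirationDateTime > now()    // ignore revoked or expired indicators
    | project IndicatorId, DomainName = tolower(DomainName), ConfidenceScore,
              ThreatType, Description, SourceSystem, ExpirationDateTime;
DnsEvents
| where TimeGenerated > ago(dt_lookBack)
| where SubType == "LookupQuery"          // client queries only, not responses or dynamic updates
| extend QueryName = tolower(Name)
| join kind=innerunique (domain_iocs) on $left.QueryName == $right.DomainName
| where TimeGenerated < ExpirationDateTime    // the indicator was still valid when the lookup happened
| project TimeGenerated, Computer, ClientIP, QueryName, IndicatorId, ConfidenceScore,
          ThreatType, SourceSystem, Description
| extend HostCustomEntity = Computer, IPCustomEntity = ClientIP, DNSCustomEntity = QueryName
```

The arg_max step matters: indicators are re-ingested when a feed updates them, so without it a domain that was later marked inactive would still match on its older, active copy.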
Closure
Currently available built-in rules:
- Anomaly
- Fusion
- Microsoft security
- Machine learning (ML) behavior analytics
- Scheduled alerts
- Near-real-time
How can you activate Microsoft security analytics rules? What role do Logic Apps play in this?
What should you consider when defining incident creation logic?
How do watchlists work, and what types of templates are there?
- High Value Assets: A list of equipment, resources, or other assets in the organization that have critical value.
- Identity Correlation: A collection of connected user accounts owned by the same individual.
- Network Addresses: A list of IP subnets and the organizational settings in which they exist.
- Service Accounts: A list of service accounts and the people that possess them.
- Terminated Employees: A list of employee user accounts that have been or are scheduled to be terminated.
- VIP Users: A list of employee user accounts with a high effect value in the organization.
How can you enable threat indicators (TI)?
You can work with them as follows:
- Enable data interfaces to multiple TI platforms and feeds to import threat intelligence into Microsoft Sentinel.
- The imported threat intelligence may be seen and managed in Logs and on the Microsoft Sentinel Threat Intelligence website.
- Detect risks and produce security warnings and events based on imported threat intelligence using the built-in Analytics rule templates.
- With the Threat Intelligence worksheet, you can see essential information about your imported threat intelligence in Microsoft Sentinel.