Section 11 – Mitigate threats using Microsoft Sentinel – Manage Microsoft Sentinel analytics rules

The 11th section continues with more Sentinel. Earlier in this series we saw how the different pieces are connected and how they help your SOC team work proactively on threats.

So let’s do some designs and configurations.

Design and configure analytics rules

Sentinel has two types of analytics rules: built-in and custom analytics rules.

Built-in rules

Sentinel offers pre-configured analytics rules for detecting a wide range of security risks. These built-in rules use machine learning, behavioral analytics, and other techniques to detect potentially malicious activity. They cover a wide range of threat categories, such as brute-force attacks, account compromise, data exfiltration, and others.

You must enable these built-in analytics rules in your Sentinel workspace before you can utilize them. When activated, they will begin automatically evaluating your data and will notify you if any questionable activity is found.

Currently available built-in rule types:

  • Anomaly
  • Fusion
  • Microsoft security
  • Machine learning (ML) behavior analytics
  • Scheduled alerts
  • Near-real-time

See more from Learn

Custom rules

Custom rules can be tailored to your own security requirements and are effective for detecting risks that are specific to your business or environment.

To build a custom rule in Sentinel, you must first define the conditions that will trigger the rule. You can base these conditions on a range of data sources, including log data, network traffic, and others. After you have defined the conditions, you can configure the rule to perform various actions, such as sending an email notification or opening a ticket in a ticketing system.

Sentinel has a rule creation wizard that walks you through creating custom rules. The wizard lets you choose the data sources to query, define the rule's conditions, and specify the actions to run when the rule triggers.

Learn also has good content on custom rules.

Activate Microsoft security analytics rules

Use the built-in rules in Microsoft Sentinel to specify which connected Microsoft security solutions should automatically generate Microsoft Sentinel incidents in real time. You can also edit the rules to define more specific options for filtering which of the Microsoft security solution’s alerts should generate incidents in Microsoft Sentinel.

To create a rule from a template, open Analytics -> Rule templates

Choose a template; I will use Defender for Office 365. Note that the Create rule button may be disabled for certain rule templates, indicating that you are unable to create a rule from the selected template due to a missing data source.

Select severity levels and include or exclude specific alerts

On the next page you can attach playbooks to the rule

Automation rule settings (field: description):

  • Automation rule name: Choose a name that uniquely describes this automation rule.
  • Trigger: Predefined value that can't be changed.
  • Conditions: Typical query filter construct that can be edited and sorted.
  • Actions: Selection list of actions; select which action you want to be performed if the query filter conditions are met.
  • Rule expiration: Date and time for the rule to be disabled. Default is indefinite.
  • Order: If multiple rules are created, select sequential numbers to reorder the incident automation rules in the left pane.

Playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps.

You can define multiple Microsoft Security analytics rules for each Microsoft security service type. Because each rule serves as a filter, duplicate incidents are avoided. Even if an alert matches more than one Microsoft Security analytics rule, only one Microsoft Sentinel incident is created.

And once done, click Create

And you can see the new rule that you just created

Configure built-in scheduled queries

If you want to create a scheduled query from a rule template, navigate to Analytics -> Rule templates, choose a rule template, and then create a rule

It will create the rule for you with the predefined set of conditions

And the predefined query with relevant information

Configure custom scheduled queries

And you can also build custom queries

Once you start creating the Scheduled query, you can also choose MITRE tactics for it.
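As an added example (not a query from the original post), here is the kind of KQL a custom scheduled query rule runs: it counts failed Azure AD sign-ins per source IP over the lookback window and returns only the IPs that cross a threshold, which is the "multiple failed login attempts from the same IP address" case described under incident creation logic below. It assumes the Azure Active Directory connector populates the SigninLogs table; the threshold value, the one-hour window and the output column names are my own choices.

```kusto
// Added example, not the post's own rule: candidate query for a custom scheduled analytics rule.
// Assumes SigninLogs is populated by the Azure AD connector; threshold and window are assumptions.
let threshold = 10;                 // failed attempts per IP before the rule should alert
let window = 1h;                    // keep equal to the rule's "Lookup data from the last" setting
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"           // "0" is a successful sign-in; anything else is a failure code
| summarize
    FailedCount = count(),
    DistinctAccounts = dcount(UserPrincipalName),   // many accounts from one IP points to spraying
    Accounts = make_set(UserPrincipalName, 20),
    ErrorCodes = make_set(ResultType, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress
| where FailedCount >= threshold
| order by FailedCount desc
| extend IPCustomEntity = IPAddress  // column to map to the IP entity in the rule wizard
```

In the wizard, set "Run query every" and "Lookup data from the last" to one hour so the query's window and the schedule match, leave the alert threshold at greater than 0 because the query already applies its own threshold, map the IPAddress column to the IP entity, and pick the Credential Access tactic (T1110, Brute Force). Grouping alerts into incidents by the IP entity keeps an attacker that is still hammering the tenant on the next run inside the same incident instead of opening a new one every hour.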

Define incident creation logic

Incident creation logic in Sentinel involves the following steps:

  • Data Ingestion: Sentinel collects security-related data from various sources, such as logs, events, and alerts generated by different security solutions and services. This includes data from firewalls, intrusion detection systems, antivirus software, and more. The collected data is processed for further analysis.
  • Event Correlation: The ingested data is analyzed to identify patterns, anomalies, and potential security threats. Event correlation techniques are applied to determine relationships between different events and to identify sequences of events that may indicate a security incident. By correlating events, Sentinel can establish a contextual understanding of the security landscape.
  • Rule-Based Detection: Sentinel applies a set of predefined rules or custom queries to the analyzed data. These rules are designed to trigger when specific conditions are met. For example, a rule might detect a known malware signature or identify multiple failed login attempts from the same IP address. When the conditions of a rule are satisfied, an alert is generated.
  • Machine Learning and Behavioral Analysis: In addition to rule-based detection, Sentinel utilizes machine learning algorithms and behavioral analysis techniques. This enables the system to detect anomalies and identify unknown or emerging threats that may not be captured by predefined rules. By analyzing historical data and patterns of system behavior, Sentinel can identify suspicious activities or deviations from normal behavior.
  • Alert Generation: When a security event or condition meets the defined criteria in the detection rules or analysis algorithms, an alert is generated. The alert contains information about the event, its severity, and any associated metadata. Alerts serve as notifications to the security operations team that a potential security incident has been identified.
  • Incident Creation: Based on the generated alerts, Sentinel consolidates related alerts into incidents. Incidents represent higher-level security events that require investigation and response. By grouping related alerts together, Sentinel provides a unified view of the incident, allowing security teams to better understand the scope and impact of the security event.
  • Incident Prioritization: Incidents are assigned priority levels based on their severity, impact, and potential risk to the organization. This prioritization helps security teams focus their efforts on the most critical incidents first, ensuring efficient allocation of resources and timely response to the most significant threats.
  • Workflow and Response: Once an incident is created and prioritized, security teams follow predefined workflows to investigate and respond to the incident. This typically involves gathering additional evidence, analyzing system logs, conducting forensics, and taking appropriate actions to mitigate the threat or contain the incident. The workflows help ensure a consistent and effective incident response process.

Together these steps are how Sentinel turns raw data into incidents that enterprises can detect and respond to, improving their overall security posture.

Manage and use watchlists

Managing and using watchlists is part of any organization's threat management strategy. With watchlists, security teams can monitor and track potential risks by building a list of entities, such as IP addresses or email addresses, that need closer examination. Microsoft Sentinel offers tools to build, maintain, and use watchlists in your security environment.

You can use watchlists, for example, for the following:

  • Rapid Import: Import IP addresses, file hashes, and other data from CSV files to quickly investigate threats and respond to incidents.
  • Utilize Watchlist Name-Value Pairs: Use watchlist name-value pairs for joins and filters in various aspects, such as alert rules, threat hunting, workbooks, notebooks, and general queries.
  • Import Business Data as Watchlists: Import business-related data, like user lists with privileged system access or terminated employees, and create allow lists and blocklists to detect or prevent specific user activities.
  • Reduce Alert Fatigue: Create allowlists to suppress alerts from authorized users or benign events, preventing unnecessary alerts and reducing alert fatigue.
  • Enrich Event Data: Leverage watchlists to enrich event data by incorporating name-value combinations from external data sources, enhancing the context and insights derived from the events.
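The "Reduce Alert Fatigue" and "Enrich Event Data" uses above both come down to calling _GetWatchlist() inside a query. As an added example (not from the original post), this query flags successful sign-ins by VIP users that did not come from any known corporate subnet: the VIP list is used as a filter and the subnet list as enrichment. It assumes two watchlists exist, 'VIPUsers' built from the VIP Users template with the user principal name as SearchKey, and 'NetworkAddresses' built from the Network Addresses template with the subnet in CIDR form as SearchKey; the 'Site' column on that watchlist and the watchlist names are assumptions.

```kusto
// Added example, not the post's own query: watchlists used as a filter and as enrichment.
// Assumes watchlists 'VIPUsers' (SearchKey = UPN) and 'NetworkAddresses' (SearchKey = IPv4 CIDR,
// with a hypothetical 'Site' column naming the office). Both names and the column are assumptions.
let vips = _GetWatchlist('VIPUsers') | project SearchKey;
let corpSubnets = _GetWatchlist('NetworkAddresses')
    | project Subnet = SearchKey, Site = column_ifexists('Site', '');
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                         // successful sign-ins only
| where UserPrincipalName in~ (vips)              // watchlist as a filter: VIP accounts only
// enrichment: attach the matching subnet and site; unmatched rows are kept with empty lookup columns
| evaluate ipv4_lookup(corpSubnets, IPAddress, Subnet, return_unmatched = true)
| where isempty(Subnet)                           // keep sign-ins from outside every known subnet
| summarize
    SignIns = count(),
    Locations = make_set(Location, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

The same pattern works the other way round for suppression: a watchlist of authorised scanner or VPN egress addresses plugged into a `where not(IPAddress in (allowlist))` line removes benign sources before the rule ever counts them, which is the allowlist case in the list above. Because the watchlist is edited in the portal and not in the rule, the SOC can add an exception without touching the detection query.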

You can create a watchlist manually.

And define the source. Azure Storage is still in Preview.

And if you wish to use it, you need a SAS token to access the storage. See more here on what a SAS token is: https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview#sas-token

Or you can use the provided templates:

  • High Value Assets: A list of equipment, resources, or other assets in the organization that have critical value.
  • Identity Correlation: A collection of connected user accounts owned by the same individual.
  • Network Addresses: A list of IP subnets and the organizational settings in which they exist.
  • Service Accounts: A list of service accounts and the people that possess them.
  • Terminated Employees: A list of employee user accounts that have been or are scheduled to be terminated.
  • VIP Users: A list of employee user accounts with a high effect value in the organization.

You can either Create from template or download the schema (CSV file)

And add your own information to it

If you choose to create from template, it will populate the SearchKey for you.

See more from Microsoft Learn,

Manage and use threat indicators

Threat indicators are an important part of every company's cybersecurity strategy. They provide information about possible security risks, and businesses that use them effectively can improve their threat detection and response capabilities.

You can add and use them as follows:

  • Enable data connectors to multiple TI platforms and feeds to import threat intelligence into Microsoft Sentinel.
  • The imported threat intelligence can be viewed and managed in Logs and on the Microsoft Sentinel Threat Intelligence page.
  • Detect threats and generate security alerts and incidents based on imported threat intelligence using the built-in Analytics rule templates.
  • With the Threat Intelligence workbook, you can see essential information about your imported threat intelligence in Microsoft Sentinel.
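This is what the built-in "TI map" analytics rule templates do under the hood: join the indicators that were imported into the ThreatIntelligenceIndicator table against an event table. As an added example (not a rule from the original post), the query below matches active domain indicators, whether they came from a feed, a connected TI platform or a manually created indicator like the domain-name example later in this section, against DNS lookups. It assumes the DNS connector populates the DnsEvents table; the 30-day indicator lookback and the one-hour event window are my assumptions.

```kusto
// Added example, not the post's own rule: match active domain indicators against DNS queries.
// Assumes DnsEvents is populated by the DNS connector; the lookback values are assumptions.
let indicatorLookback = 30d;
let eventWindow = 1h;
let indicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(indicatorLookback)
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // keep only the latest version of each indicator
    | where Active == true and ExpirationDateTime > now()   // drop revoked and expired indicators
    | project IndicatorId, DomainName = tolower(DomainName), ConfidenceScore, ThreatType, Description;
DnsEvents
| where TimeGenerated >= ago(eventWindow)
| where SubType == "LookupQuery"
| extend QueryName = tolower(Name)                          // normalise case before the join
| join kind=inner indicators on $left.QueryName == $right.DomainName
| summarize
    Hits = count(),
    Clients = make_set(ClientIP, 50),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by DomainName, IndicatorId, ConfidenceScore, ThreatType, Description
| extend DNSCustomEntity = DomainName
```

Taking arg_max per IndicatorId matters because an updated indicator is written as a new row; without it an indicator that a feed has since deactivated would still match. ConfidenceScore is carried through so the rule's severity, or an automation rule, can treat a low-confidence match differently from a high-confidence one.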

You can add Microsoft Defender Threat Intelligence, which is still in Preview, from the Content hub

Before you connect, you can choose the content to be added with the following options

Once done, click Connect

You can also add sources from Sentinel -> Threat Management -> Threat intelligence

You can manually create your own

For example, for domain names.

You can import your own TI definitions

or import from existing solutions

And it will connect the following data connectors

It will install multiple different Analytics rules and Hunting Queries

See more from Microsoft Learn,

Closure

Currently available built-in rule types:

  • Anomaly
  • Fusion
  • Microsoft security
  • Machine learning (ML) behavior analytics
  • Scheduled alerts
  • Near-real-time

How can you activate Microsoft security analytics rules? What role does Logic Apps play in this?

What should you consider when defining incident creation logic?

How do watchlists work and what types of templates are there?

  • High Value Assets: A list of equipment, resources, or other assets in the organization that have critical value.
  • Identity Correlation: A collection of connected user accounts owned by the same individual.
  • Network Addresses: A list of IP subnets and the organizational settings in which they exist.
  • Service Accounts: A list of service accounts and the people that possess them.
  • Terminated Employees: A list of employee user accounts that have been or are scheduled to be terminated.
  • VIP Users: A list of employee user accounts with a high effect value in the organization.

How can you enable TIs (threat indicators)?

You can add and use them as follows:

  • Enable data connectors to multiple TI platforms and feeds to import threat intelligence into Microsoft Sentinel.
  • The imported threat intelligence can be viewed and managed in Logs and on the Microsoft Sentinel Threat Intelligence page.
  • Detect threats and generate security alerts and incidents based on imported threat intelligence using the built-in Analytics rule templates.
  • With the Threat Intelligence workbook, you can see essential information about your imported threat intelligence in Microsoft Sentinel.

Link to main post

Author: Harri Jaakkonen
