Section 13 – Mitigate threats using Microsoft Sentinel – Manage Microsoft Sentinel incidents

Triage incidents in Microsoft Sentinel

What is Triaging?

Triage is the SOC’s first line of work. Tier 1 analysts triage incoming security events and assess their severity, which means determining the incident’s origin, estimating its scope, and evaluating its impact.

Triaging in Sentinel

Assigning events a severity rating in the context of Microsoft Sentinel ensures that they are prioritized and looked into as soon as possible.

Microsoft Sentinel has a feature called Incident Metrics that gives security operations teams a consolidated view of incident data. It enables security analysts to classify occurrences in accordance with their seriousness and conduct appropriate investigations.
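The same prioritised view can be built directly in Log Analytics. The query below is an added example, not part of the original post: it reads the SecurityIncident table, keeps the latest row per incident (the table stores one row per update), drops closed incidents and orders what is left by severity and age so that the oldest High incidents surface first.

```kql
// Added example (not from the original post): a triage list over SecurityIncident.
// SecurityIncident holds one row per incident update, so keep only the latest
// row per IncidentNumber before looking at Status or Owner.
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status != "Closed"                       // New and Active incidents only
| extend SeverityRank = case(Severity == "High", 1,
                             Severity == "Medium", 2,
                             Severity == "Low", 3,
                             4)                  // Informational
| extend Age = now() - CreatedTime,
         AssignedTo = tostring(Owner.assignedTo),
         AlertCount = toint(AdditionalData.alertsCount)
| project IncidentNumber, Title, Severity, SeverityRank, Status,
          AssignedTo, AlertCount, Age, IncidentUrl
| order by SeverityRank asc, Age desc
```

Replacing the final `project`/`order by` with `summarize count() by Severity, Status` on the same deduplicated set gives the consolidated counts that the Incident Metrics view shows in the portal.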

Workflow

One example of how to triage in Sentinel:

  1. Open the Sentinel portal.
  2. Navigate to “Incidents” and locate the suspected incident using various search criteria.
  3. Select the incident and choose “View full details” from the incident summary pane.
  4. In the “Overview” tab, review incident details, timeline, entities, insights, and similar incidents.
  5. Run a pre-existing playbook on the incident if needed by selecting “Incident actions” and “Run playbook.”
  6. Under the “Entities” tab, find the relevant entity using search or filters.
  7. Run a playbook on the entity by selecting it and choosing “Run playbook” to gather additional information.
  8. In the “Insights” section, select appropriate insight categories for entity information.
  9. Explore comments related to playbook actions under the “Comments” tab in the “Incident” section.

This process allows for a systematic investigation of the incident and its associated entities, with the option to use pre-configured playbooks to streamline the investigation.

Investigation Graph

Analysts may use the investigation graph to ask the relevant questions for each inquiry. By linking pertinent data with any connected entity, the investigation graph assists you in understanding the breadth and identifying the underlying cause of a possible security concern. By picking an object on the graph and selecting one of the expansion choices, you may delve deeper and study it.

It simplifies incident investigation with:

  1. Visual Entity Relationships: A live, visual graph shows entity connections from raw data, aiding in data source correlation.
  2. Full Scope Discovery: Built-in exploration queries reveal the entire breach scope, preventing oversight.
  3. Guided Investigation: Predefined steps ensure efficient questioning and action-taking during threat analysis.

Community tools

A community-made tool called STAT (Sentinel Triage AssistanT) should give you good insight into which components are used in triaging.

In the author’s words, project goals include:

  • Reducing the time (and cost) of building Microsoft Sentinel Automation
  • Reducing the time to test Microsoft Sentinel Automation through the use of consistent callable modules
  • Increasing SOC efficiency by triaging Incidents before they reach an analyst

You can read a great overview of the tool and why it could be used here.

Investigate incidents in Microsoft Sentinel

To effectively investigate incidents in Microsoft Sentinel:

  1. Ensure Entity Mapping: Utilize entity mapping fields during analytics rule setup, as the investigation graph relies on original incidents containing entities.
  2. Assigning Incidents to Guest Users: Grant guest users the Directory Reader role in your Azure AD tenant if they need to assign incidents. Regular users have this role by default.

To investigate an incident in Microsoft Sentinel, follow these steps:

  1. Access Security Incidents:
    • Go to the Security incidents page within your Sentinel workspace to view a list of generated incidents. You can filter them by status, severity, or time range.
  2. Review Incident Details:
    • Choose the specific incident you want to investigate and review its details, including name, severity, status, and involved entities.
  3. Investigate Entities:
    • Explore the entities involved in the incident, such as users, hosts, applications, or network devices. Sentinel enriches entities with context to aid in understanding the incident’s scope.
  4. Review Related Alerts:
    • Investigate alerts associated with the incident. These alerts come from various data connectors and are correlated automatically to provide a comprehensive view.
  5. Analyze the Timeline:
    • Delve into the incident’s timeline, which presents a chronological sequence of events. Use this to identify the incident’s root cause and scope.
  6. Explore Playbooks:
    • Investigate any associated playbooks, which automate incident response workflows. This exploration can provide valuable insights into the incident investigation process.

These steps help security professionals comprehensively investigate and respond to security incidents within the Microsoft Sentinel environment.

If you need further reading, you should check out this excellent Learn article.

Respond to incidents in Microsoft Sentinel

Workflow

Responding to security incidents in Microsoft Sentinel involves a structured approach:

  1. Access Incident: Visit the Security Incidents page.
  2. Review Details: Select the specific incident, check its severity, status, and entities involved.
  3. Understand Context: Investigate entities and related alerts to gauge the incident’s scope.
  4. Automate with Playbooks: Utilize available playbooks to automate response actions like isolating affected systems or blocking threats.
  5. Manual Actions: When needed, take manual steps, like isolating devices, disabling compromised accounts, or gathering additional data.
  6. Document Actions: Maintain detailed records of your actions for compliance and analysis.
  7. Team Collaboration: Collaborate with other teams, such as IT and legal, as required. To achieve this, create a Teams site: https://learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams
  8. Contain and Eradicate Threats: Focus on containing and eliminating the threat; patch vulnerabilities, remove malware, or close security gaps.
  9. Communication: Keep stakeholders informed, including management and affected users.
  10. Continuous Monitoring: Ensure the threat remains contained and perform post-incident analysis for lessons learned.
  11. Closure: Mark the incident as “resolved” or “closed” in Microsoft Sentinel.
  12. Policy and Playbook Updates: Enhance security by updating incident response playbooks and policies based on incident analysis.

OpenAI and Sentinel

If you want to take it to the next level, you could use OpenAI with Sentinel Playbooks. See below for a 4-part series on this functionality.

Investigate multi-workspace incidents

One of Sentinel’s key features is multi-workspace incident investigation, especially beneficial for Managed Security Service Providers (MSSPs) dealing with multiple workspaces across tenants. This feature allows users to investigate incidents across various workspaces simultaneously, ensuring comprehensive visibility and control.

To access this view, open Microsoft Sentinel, select the workspaces you want to investigate, and then use the “View incidents” button. You can apply filters just like in the regular Incidents screen.

In the multi-workspace view, you can manage incidents across selected workspaces and directories, provided you have the necessary permissions. Warning messages appear for workspaces where you have only read permissions, restricting modification of incidents in those spaces.

Azure Lighthouse (MSSPs)

Lighthouse is an excellent solution for MSSPs, as they provide cybersecurity monitoring and management for multiple clients.

Some benefits for Lighthouse integration are:

  • Cross tenant queries
  • Cross tenant workbooks
  • Cross tenant incident screen
  • Cross tenant automation
  • Cross tenant analytics rules
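The multi-workspace incidents view and the "cross tenant queries" benefit of Lighthouse both rest on the same KQL capability: the `workspace()` function lets one query read tables from other workspaces you have access to, including workspaces delegated from other tenants through Azure Lighthouse. The query below is an added example, not from the original post; the workspace names are placeholders for your own.

```kql
// Added example (not from the original post): open incidents per workspace.
// The workspace names are placeholders; workspace() also accepts the workspace ID
// or full resource ID. isfuzzy=true keeps the union running if one workspace
// has no SecurityIncident table yet.
union isfuzzy=true
    (workspace("soc-customer-a-workspace").SecurityIncident | extend Workspace = "customer-a"),
    (workspace("soc-customer-b-workspace").SecurityIncident | extend Workspace = "customer-b"),
    (SecurityIncident | extend Workspace = "local")
| where TimeGenerated > ago(7d)
// IncidentNumber is only unique within a workspace, so dedupe per workspace
| summarize arg_max(TimeGenerated, *) by Workspace, IncidentNumber
| where Status != "Closed"
| summarize Incidents  = count(),
            High       = countif(Severity == "High"),
            Medium     = countif(Severity == "Medium"),
            Low        = countif(Severity == "Low"),
            Unassigned = countif(isempty(tostring(Owner.assignedTo)))
            by Workspace
| order by High desc, Medium desc
```

The same `union` of `workspace()` references is what a cross-tenant analytics rule or workbook runs under the hood; the permission warnings mentioned for the multi-workspace view apply here too, since a workspace you can only read will return rows but cannot have its incidents modified.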

See more from Learn on Azure Lighthouse onboarding

And more on the workspace design from Microsoft

Workspace manager

And if you have those multiple workspaces, see the new Workspace manager. With workspace manager, you can manage several Microsoft Sentinel workspaces inside one or more Azure tenants.

Enable Azure Lighthouse if you’re managing workspaces across multiple Azure AD tenants.

What is needed?

  • At least two Microsoft Sentinel workspaces are required: one central workspace to manage from and at least one additional member workspace to be managed.
  • The Microsoft Sentinel Contributor role must be assigned on both the central workspace (when workspace manager is enabled) and the member workspace(s) that the contributor must manage.

Read here for the announcement

See more from Learn on Multi-workspace incidents

Identify advanced threats with User and Entity Behavior Analytics (UEBA)

What is it?

UEBA (User and Entity Behavior Analytics) is a modern security technology that uses machine learning algorithms to examine data from many sources and identify anomalous activity. The goal of UEBA technologies is to provide quick threat identification and response by carefully examining user and entity behaviors. These technologies are exceptional at tracking user activity, discovering malicious insiders, locating compromised accounts, and quickly identifying data breaches.

What can it do?

Microsoft Sentinel UEBA (User and Entity Behavior Analytics) helps organizations to:

  1. Detect Anomalies: Identify irregularities in user, entity, and device activities, helping spot potential security threats.
  2. Behavior Profiling: Employ behavior profiling to identify and respond to security threats based on users’ and entities’ actions.
  3. Custom Detection Rules: Tailor your security strategy by creating custom detection rules that align with your organization’s specific security requirements and threat landscape.

How to use it?

  1. Connect Data Sources:
    • Link various data sources (e.g., Office 365, Azure, AWS) to Microsoft Sentinel for data ingestion.
  2. Enable UEBA:
    • Turn on UEBA in the Microsoft Sentinel settings (Entity behavior) and choose the data sources it should analyze.
  3. Configure UEBA:
    • Tailor UEBA settings, including enabling default detection rules, creating custom rules, and configuring anomaly profiles.
  4. Analyze Alerts:
    • Monitor alerts, triggered by Microsoft Sentinel UEBA detecting unusual behavior, on the “Incidents” page.
  5. Investigate Incidents:
    • Dive into incidents prompted by alerts using the “Investigate” page.
  6. Take Action:
    • Remediate issues post-investigation with various options, such as automation rules and playbooks.
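UEBA writes its findings to the BehaviorAnalytics table, which is also what the "Analyze Alerts" and "Investigate Incidents" steps are backed by. The query below is an added example, not from the original post: it pulls high-priority anomalies, filters on a few of the insight flags UEBA raises, and joins the user's directory context from IdentityInfo so an analyst sees department, job title and account state next to the anomaly. The `ActivityInsights` and `UsersInsights` keys used are assumed to match the schema in your workspace; check them under the table's schema view before relying on them.

```kql
// Added example (not from the original post): high-priority UEBA anomalies
// enriched with directory context. Insight keys are assumed; verify against
// your workspace schema.
let lookback = 7d;
// IdentityInfo is a periodic snapshot; keep the newest row per UPN.
let Identities = IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | project AccountUPN, AccountDisplayName, Department, JobTitle, IsAccountEnabled;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= 5                 // 0-10 scale; tune to your noise level
| where ActivityInsights.FirstTimeUserConnectedFromCountry == true
     or ActivityInsights.ActionUncommonlyPerformedByUser == true
     or UsersInsights.IsDormantAccount == true
| project TimeGenerated, UserPrincipalName, ActivityType, ActionType,
          SourceIPAddress, SourceIPLocation, InvestigationPriority
| join kind=leftouter Identities on $left.UserPrincipalName == $right.AccountUPN
| summarize Anomalies   = count(),
            MaxPriority = max(InvestigationPriority),
            Actions     = make_set(ActionType, 10),
            Countries   = make_set(tostring(SourceIPLocation.CountryCode), 5)
            by UserPrincipalName, AccountDisplayName, Department, JobTitle, IsAccountEnabled
| order by MaxPriority desc, Anomalies desc
```

A disabled account (`IsAccountEnabled == false`) that still produces fresh anomalies, or a dormant account that suddenly acts from a new country, is the kind of row the UEBA entity page surfaces as an insight; running it as a scheduled analytics rule turns it into the custom detection rule described above.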

Investigation

Entities

Alerts sent to Microsoft Sentinel include data elements that Sentinel recognizes and classifies as entities, such as user accounts, hosts, IP addresses, and others. This identification can be difficult when the alert doesn’t provide enough detail about the entity.

Entity pages

Any entity (currently restricted to users and hosts) that you come across in a search, an alert, or an investigation may be selected to take you to an entity page, a datasheet containing all the pertinent details about that entity. Basic facts about the entity, a history of significant events connected to it, and insights about the entity’s behavior are among the kinds of information you will find on this page.

The timeline

The timeline makes up most of the entity page’s contribution to behavior analytics in Microsoft Sentinel. It tells the story of entity-related events to help you understand the entity’s behavior over a given period of time.

You can adjust the time range to any custom period or select it from a number of predefined options. You can also set filters so the timeline only displays certain kinds of events or alerts.

Entity Insights

Entity insights are queries created by Microsoft security researchers to aid your analysts’ investigation efforts. The insights, which are shown as a component of the entity page, offer useful security data about hosts and users in the form of tables and graphs. This information saves you from having to go to Log Analytics.

Analytical rule templates for anomaly detection

  1. Enhancing Detection: Anomalies, when combined, signal potential threats, improving detection. They can also refine alert conditions.
  2. Supporting Investigations: Anomalies provide evidence during investigations, accelerating the process and reducing response times.
  3. Proactive Threat Hunts: Threat hunters use anomalies as clues to identify suspicious behavior quickly, minimizing threat impact.

You can now find anomaly rules displayed in a grid in the Anomalies tab in the Analytics page. The list can be filtered by the following criteria:

  • Status – whether the rule is enabled or disabled.
  • Tactics – the MITRE ATT&CK framework tactics covered by the anomaly.
  • Techniques – the MITRE ATT&CK framework techniques covered by the anomaly.
  • Data sources – the type of logs that need to be ingested and analyzed for the anomaly to be defined.

You cannot edit the rule, but Flighting mode enables you to test anomalies without affecting your production configuration. Anomalies produced in Flighting mode will include a ‘Flighting’ tag, whereas Production anomalies will not.
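Because Flighting and Production anomalies land in the same Anomalies table, you can compare them before promoting a tuned copy. The query below is an added example, not from the original post; it assumes the RuleStatus column carries the Production/Flighting value (the tag mentioned above) and that Score is the per-anomaly score the rule emits.

```kql
// Added example (not from the original post): compare Flighting and Production
// output per anomaly template over the last two weeks. Assumes RuleStatus
// holds "Production" or "Flighting" and Score is the rule's anomaly score.
Anomalies
| where TimeGenerated > ago(14d)
| extend Mode = iff(RuleStatus == "Flighting", "Flighting", "Production")
| summarize Hits      = count(),
            Users     = dcount(UserPrincipalName),
            AvgScore  = round(avg(Score), 2),
            MaxScore  = round(max(Score), 2),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
            by AnomalyTemplateName, RuleName, Mode
| order by AnomalyTemplateName asc, Mode asc, Hits desc
```

Reading the two Mode rows side by side shows whether the tuned rule fires less often, on fewer users or with a different score distribution than the production version. Analytics rules and hunting queries that should ignore test output can add `| where RuleStatus != "Flighting"`.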

That’s it. I also want to mention this excellent Sentinel Ninja guide from Ofer Shezaf.

Closure

So, let’s recap what we learned during this section.

Triaging in Sentinel

Assigning events a severity rating in the context of Microsoft Sentinel ensures that they are prioritized and looked into as soon as possible.

Microsoft Sentinel has a feature called Incident Metrics that gives security operations teams a consolidated view of incident data. It enables security analysts to classify occurrences in accordance with their seriousness and conduct appropriate investigations.

The investigation graph simplifies incident investigation with:

  1. Visual Entity Relationships: A live, visual graph shows entity connections from raw data, aiding in data source correlation.
  2. Full Scope Discovery: Built-in exploration queries reveal the entire breach scope, preventing oversight.
  3. Guided Investigation: Predefined steps ensure efficient questioning and action-taking during threat analysis.

How to effectively investigate security incidents in Microsoft Sentinel:

  1. Access Incidents: Visit the Security Incidents page, filter by status, severity, or time range.
  2. Review Details: Select a specific incident, examine its name, severity, status, and entities involved.
  3. Investigate Entities: Analyze the entities like users, hosts, applications, or network devices for context.
  4. Review Alerts: Scrutinize correlated alerts from various data sources for a comprehensive view.
  5. Analyze Timeline: Delve into the chronological event sequence to pinpoint the incident’s root cause and scope.
  6. Explore Playbooks: Investigate automation workflows (playbooks) for valuable insights into the incident investigation process.

How to effectively respond to security incidents in Microsoft Sentinel:

  1. Access Incident: Visit the Security Incidents page.
  2. Review Details: Select the specific incident, assess its severity, status, and entities involved.
  3. Understand Context: Investigate entities and related alerts to grasp the incident’s scope.
  4. Automate with Playbooks: Use playbooks to automate response actions like isolating systems or blocking threats.
  5. Manual Actions: If necessary, take manual steps, e.g., isolating devices or disabling compromised accounts.
  6. Document Actions: Keep detailed records for compliance and analysis.
  7. Collaborate with Teams: Work with IT and legal teams as needed.
  8. Contain and Eradicate Threats: Focus on threat containment and elimination.
  9. Communication: Keep stakeholders, including management and affected users, informed.
  10. Continuous Monitoring: Ensure the threat stays contained and learn from post-incident analysis.
  11. Closure: Mark the incident as “resolved” or “closed” in Microsoft Sentinel.
  12. Policy and Playbook Updates: Improve security by updating playbooks and policies based on incident analysis.

On the multi-workspace feature, we learned that one of Sentinel’s key features is multi-workspace incident investigation, especially beneficial for Managed Security Service Providers (MSSPs) dealing with multiple workspaces across tenants. This feature allows users to investigate incidents across various workspaces simultaneously, ensuring comprehensive visibility and control over multi-workspace incident investigation.

And finally, User and Entity Behavior Analytics (UEBA) is a cybersecurity technology leveraging machine learning to detect unusual patterns of behavior in users and entities. It enhances threat detection, supports investigations, and aids proactive threat hunting by analyzing data from various sources to identify potential security threats.

Author: Harri Jaakkonen