Setting up Sentinel for your environment is simple. All you require is:
An active Azure subscription.
A Log Analytics workspace.
Once you have those, you can open Sentinel in the Azure portal, deploy it and start adding data connectors.
You can enable Sentinel on Azure Monitor Log Analytics workspaces, and both the data ingestion and Sentinel costs are waived for 31 days (up to 10 GB of log data per calendar day). It’s worth noting that you’re restricted to 20 workspaces per Azure tenant, but this should be enough to get you familiar with the platform.
For existing workspaces, only Sentinel costs are waived during the 31-day trial period. Furthermore, any fees for additional automation or bring-your-own machine learning still apply.
There are currently a variety of Microsoft data connectors available out of the box that provide near real-time integration, including Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.
Sentinel also has over 100 data connectors for non-Microsoft products, including AWS, Barracuda, Cisco and Symantec. Sentinel also supports generic connectors, allowing you to send data through Windows Firewall, Syslog, REST API and Common Event Format (CEF), so that data can be ingested from practically any source. This makes it very flexible for your environment.
Once your data connectors have been set up, Sentinel will begin analysing and reporting on possible security threats in your environment using the built-in alert rules.
The real strength of Microsoft Sentinel lies in the ability to develop custom alert rules and automated playbooks to detect and respond to risks in real time. Custom alert rules and playbooks allow you to tailor Sentinel to protect your organisation against the specific threats it may face.
Managed Microsoft Sentinel in action – A typical scenario…
In this example, an organisation’s Azure AD Connect account was compromised and its credentials exfiltrated. We will analyse this attack and explain how Microsoft Sentinel could have been used to detect and stop it at various points of the cyber kill chain.
Cyber kill chains are a sequence of eight steps that track an attack’s progress from reconnaissance to the exploitation of data, which helps to improve our understanding of the timeline of cyber-attacks.
We will be focusing on alerting and remediation against reconnaissance, intrusion and exfiltration.
Why Azure AD Connect?
If you’re not aware of Azure AD Connect (AAD Connect), it is an application that enables organisations to connect their on-premises Active Directory with their Azure Active Directory environment. Most commonly, authentication for AAD Connect is configured using Password Hash Sync (PHS) or Pass-Through Authentication (PTA).
Password Hash Sync works by synchronising the password hashes held in on-premises Active Directory to Azure Active Directory, which allows users to sign in to cloud services with their on-premises credentials. Pass-Through Authentication also lets users sign in to cloud services with their on-premises credentials, but does so by forwarding authentication requests to an on-premises Active Directory server.
Both configurations handle an organisation’s credentials, which makes AAD Connect a valuable target for attackers. This is why it is crucial to maintain the security of the AAD Connect service and to protect the server on which it runs, to prevent the loss of passwords.
Reconnaissance
The first stage of the cyber kill chain is reconnaissance. Research has shown that as much as 60 percent of an attacker’s time is spent investigating an organisation and its infrastructure before beginning the attack. So, while reconnaissance is neither a threat nor an exploit in itself, it is the very first step of a cyber-attack, and it is therefore essential to respond to such activity whenever it occurs.
The most common form of reconnaissance is port scanning, used to identify servers and find out what operating system is running and, possibly, what applications are exposed. Armed with this information, attackers can exploit known vulnerabilities or use a password spray technique to get a foothold in the system.
Using Microsoft Sentinel, we can create a custom alert rule that reacts when it detects potential port scanning and triggers playbooks to address the threat.
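As an added illustration (not code from the original article), the following Python sketch shows the logic such a port-scan alert rule applies: it parses constructed CEF firewall events and flags any source that hits several distinct destination ports within a short window. The threshold, the window and the log lines are assumptions for the example; a real Sentinel rule would express the same logic in KQL over the ingested CEF table.

```python
"""Port-scan detection over CEF firewall events: flag a source that probes many
distinct destination ports within a short window (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

DISTINCT_PORT_THRESHOLD = 4      # assumption for illustration, not a Sentinel default
WINDOW = timedelta(minutes=5)    # assumption for illustration

# Constructed CEF records: a scanner, a normal client, and a host probing slowly.
SAMPLE_CEF = """\
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dpt=22
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:00:03Z src=203.0.113.7 dst=10.0.0.5 dpt=80
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:00:04Z src=203.0.113.7 dst=10.0.0.5 dpt=443
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:00:09Z src=203.0.113.7 dst=10.0.0.5 dpt=3389
CEF:0|ExampleFW|NGFW|1.0|200|Allowed|1|rt=2024-01-10T10:00:05Z src=198.51.100.4 dst=10.0.0.5 dpt=443
CEF:0|ExampleFW|NGFW|1.0|200|Allowed|1|rt=2024-01-10T10:01:05Z src=198.51.100.4 dst=10.0.0.5 dpt=443
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:00:00Z src=192.0.2.9 dst=10.0.0.8 dpt=21
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:06:00Z src=192.0.2.9 dst=10.0.0.8 dpt=23
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:12:00Z src=192.0.2.9 dst=10.0.0.8 dpt=25
CEF:0|ExampleFW|NGFW|1.0|100|Denied|5|rt=2024-01-10T10:18:00Z src=192.0.2.9 dst=10.0.0.8 dpt=53
"""

def parse_cef(line):
    """Split one CEF record: seven pipe-delimited header fields, then key=value extensions."""
    fields = line.split("|", 7)
    if len(fields) < 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    ext = dict(kv.split("=", 1) for kv in fields[7].split())
    ext["rt"] = datetime.fromisoformat(ext["rt"].replace("Z", "+00:00"))
    return ext

def detect_port_scans(lines, threshold=DISTINCT_PORT_THRESHOLD, window=WINDOW):
    """Return {src: sorted distinct ports} for sources reaching the threshold in any window."""
    by_src = defaultdict(list)
    for line in filter(str.strip, lines):
        event = parse_cef(line)
        by_src[event["src"]].append((event["rt"], int(event["dpt"])))
    alerts = {}
    for src, events in by_src.items():
        events.sort()                       # chronological order per source
        start = 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events older than the window
                start += 1
            ports = {port for _, port in events[start:i + 1]}
            if len(ports) >= threshold:
                alerts[src] = sorted(ports)
                break
    return alerts
```

Repeated hits on the same port (the normal client) and probes spread beyond the window (the slow host) do not trigger, only the burst of distinct ports does.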
To respond to this alert, we can build an automated playbook using the Logic Apps framework available in Azure. Logic Apps uses a simple drag-and-drop interface to create a sequence of tasks to execute.
The advantage of Logic Apps is that they can automate complex workflows that would otherwise consume the time of an organisation’s IT personnel, reducing the time spent on mundane tasks.
Intrusion
One form of attack that many organisations have to contend with is the password spray attack, in which an attacker attempts to gain access to systems using default or widely used credentials.
Attackers are also increasingly compiling lists of the most frequently used passwords in order to gain access to systems. According to the NCSC, over 75% of organisations used passwords that were included in the top ten thousand most commonly used passwords. Therefore, it’s no wonder that password spray attacks have become commonplace!
It is unlikely that attackers will attempt to sign in to an account by hand from their own IP address; rather, they’ll automate the process using botnets. When an alert is generated for an unusual sign-in, we can check the IP address from the alert to determine whether it originated from a known botnet, then block the user from signing in and raise a ticket through ServiceNow to notify IT personnel of a potential account breach.
While most workflows can be developed using the standard building blocks provided in Logic Apps, a more elaborate workflow is sometimes needed. In this case we can’t easily create a Logic App that compares the IP address from the alert against the known botnet list. However, Logic Apps can integrate with Function Apps, which are small blocks of custom code that can be executed, so we can develop a Logic App that performs more complicated tasks.
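As an added example (not from the original article or any Microsoft sample), this Python sketch shows the kind of custom logic a Function App can supply to that playbook: it takes a constructed alert payload, checks each IP entity against a known-botnet range list and returns the actions for the Logic App to take. The payload shape, the ranges and the block/ticket policy are assumptions.

```python
"""Function App style enrichment for the sign-in playbook: match alert IP entities
against botnet ranges and derive playbook actions (added example, constructed data)."""
import ipaddress
import json

# Constructed "known botnet" ranges (documentation prefixes); a real deployment
# would load these from a threat-intelligence feed.
BOTNET_RANGES = [ipaddress.ip_network(c) for c in
                 ("203.0.113.0/24", "198.51.100.128/25", "2001:db8:bad::/48")]

# Constructed alert payload shaped roughly like what a Logic App would forward:
# the flagged account plus the IP entities Sentinel attached to the alert.
SAMPLE_ALERT = json.dumps({
    "alertName": "Unusual sign-in",
    "account": "alice@example.com",
    "ipEntities": ["203.0.113.77", "198.51.100.5", "not-an-ip", "2001:db8:bad::1"],
})

def match_botnet(ip_text):
    """Return the matching range as a string, or None (bad input counts as no match)."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None                      # malformed entity: never raise inside the playbook
    return next((str(net) for net in BOTNET_RANGES if addr in net), None)

def enrich_alert(alert_json):
    """Enrich every IP entity and derive playbook actions.
    Policy (assumption): any botnet hit -> block the account's sign-in and open a ticket;
    otherwise open a ticket for manual review only."""
    alert = json.loads(alert_json)
    matches = {ip: match_botnet(ip) for ip in alert.get("ipEntities", [])}
    botnet_hit = any(m is not None for m in matches.values())
    actions = ["block_sign_in", "open_ticket"] if botnet_hit else ["open_ticket"]
    return {
        "account": alert.get("account"),
        "ipMatches": matches,
        "knownBotnet": botnet_hit,
        "actions": actions,
    }
```

In an Azure Function this would sit behind an HTTP trigger, with the Logic App posting the alert and branching on the returned actions.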
Exfiltration
Once an attacker gains initial access to a network, they’ll seek ways to extract data from it. In our hypothetical scenario, the attacker has obtained a local administrator account and is now trying to exfiltrate all user credentials from Active Directory.
Since the attacker has compromised the server hosting the AAD Connect service, they could take over the built-in service account that AAD Connect uses to perform its synchronisation and use it in a technique commonly referred to as DCSync, in which the attacker poses as a Domain Controller and requests password data from the target Domain Controller.
Within the Microsoft security stack, Azure Advanced Threat Protection has out-of-the-box detection for DCSync attacks. However, many security teams face the challenge of having to traverse a different dashboard for every Microsoft security solution they have deployed, such as Microsoft Defender ATP, Azure ATP and Cloud App Security (CAS).
In the past, this meant time wasted switching between dashboards and consoles, slower response times and the risk of missing threats and the connections between them.
Since the introduction of Microsoft Sentinel, an organisation can view threats and alerts across its entire IT infrastructure. It can also use incidents within Sentinel to correlate alerts and entities from all data sources, adding contextual information that aids the investigation process.
Conclusion
In conclusion, Microsoft Sentinel is a strong SIEM for the ever-changing technological landscape. It provides a bird’s-eye view of your complete IT estate, as well as smart analytics, backed by advanced artificial intelligence, to help detect and respond to threats in close to real time.
As shown in the example on this page, Sentinel integrates seamlessly with your existing Microsoft and non-Microsoft systems, while still giving you the option to customise Sentinel to meet your specific security needs.
All this contributes to defending your company against the growing cyber security threats of our time. Microsoft Sentinel’s playbook automation can also increase the efficiency of IT and support personnel by reducing the number of time-consuming, routine remediation tasks they must perform, all while speeding up incident response times.