ThirdSpace ThirdSpace
ThirdSpace
Close 0 Reset Search Run Search What are you looking for? Type at least three characters to search. Filter Search Results
  • All Content
  • Blog
  • Case Studies
  • Event
  • Resources
  • News
  • Careers
  • Access Centre
  • Technologies
  • Workshops
  • Solutions
  • People
Load more
17 September 2019

The definitive guide to Azure Sentinel: Everything you need to know to get started with Microsoft’s cloud SIEM

  • Cyber security
  • Advanced Threat Analytics
  • Azure AD
  • Azure Sentinel
  • Cloud App Security
Mathew Richards

We review why Azure Sentinel soars above other SIEMs and delivers unparalleled security through AI, analytics and automation.

Security is a key focus for today’s organisations and ensuring visibility across the entire cloud and on-premises infrastructure is critical.

Organisations tell us that creating a single view of their cyber security and telemetry data – coupled with providing meaningful insights and alerts – is often a hugely complex task that involves deploying large, resource intensive solutions.

Managing these solutions to ensure they are quick to surface insights at scale is also difficult, and having the operational processes in place to respond to and investigate incidents is often a vital step that security staff struggle to stay on top of.

Azure Sentinel from Microsoft has been designed to help you address these challenges.

In this blog, we’ll demonstrate the power of Azure Sentinel and how it can defend and respond against even the most sophisticated of attacks.

 

What is Azure Sentinel?

Azure Sentinel is Microsoft’s cloud-native security information and event management (SIEM) AND security orchestration automated response (SOAR) solution all in one!

It brings together the latest in security innovation and advanced AI to provide near real-time intelligent security analytics for a bird’s-eye view over your entire enterprise’s IT estate.

With Sentinel you can consume security related data from almost any source – not just sources inside your Microsoft tenant! This removes the need to manage multiple pieces of complex and costly infrastructure components – whilst providing a cloud platform solution that can easily scale to your needs.

Sentinel uses machine learning and AI models to surface important insights based on data consumed through a wide catalogue of data connectors. This includes native connections to all key Microsoft sources, together with a range of native 3rd party connectors which includes technologies from AWS, Symantec, Baracuda, Cisco and many others.

The solution analyses in excess of 6.5 trillion signals daily to provide unparalleled threat intelligence. This, coupled with the ability to filter millions of signals into meaningful dashboard alerts provides comprehensive hunting and investigative capabilities – enabling you to expedite your response to potential attacks.

Sentinel also integrates with a wide range of systems – providing the option to automate your incident response activities, thereby allowing you to orchestrate your activities in an efficient and effective manner.

4 key security pillars

Put simply, Azure Sentinel enables you to:

Collect

Easily gather data at cloud scale across users, devices, applications and infrastructure both on-premises and across multiple clouds.

Detect

Sentinel recognises previously discovered threats and minimises false positives by using analytics and threat intelligence drawn directly from Microsoft.

Investigate

Artificial intelligence identifies threats and hunts suspicious activities at scale.

Respond

React calmly and quickly to incidents with built-in automation processes and responses.

How to enable Sentinel in your environment

Enabling Sentinel in your environment is simple, all you need is the following:

  • An active Azure subscription.
  • A Log Analytics workspace.
  • Contributor or reader permission turned on in the resource group that the workspace belongs to.

Once you have that, you can browse to Sentinel within the Azure portal to deploy – then you are ready to begin adding your data connectors.

One thing to consider is that during the preview period Azure Sentinel is free to use, however the underlying Log Analytics workspace will gather cost for data ingested from your data connectors after you use the first free 5GB.

Currently there are several Microsoft data connectors that are available out-of-the-box and these provide near real-time integration, including, Office 365, Azure AD, Azure ATP and Cloud App Security (CAS).

Sentinel also provides out-of-the-box data connectors for non-Microsoft solutions, including AWS, Barracuda, Cisco, and Symantec. Sentinel additionally provides support for generic connectors allowing the you to send data via Windows Firewall, Syslog, REST API, or common event format (CEF), enabling you to send information from any data source. So, it’s very flexible to your infrastructure.

Once your data connectors are enabled, Sentinel will begin analysing and reporting on potential threats within your environment using the built-in alert rules.

However, the real power of Azure Sentinel is the ability to write custom alert rules and automated playbooks to help detect and remediate threats in real time. These custom alert rules and playbooks allow you to tailor Azure Sentinel to help you protect your organisation against any specific threats it faces.

Webinar: Azure Sentinel Demo - See Microsoft’s security tool in action

See how Sentinel can help you identify and stop threats before they have the opportunity to cause damage. You'll learn:

  • What Sentinel does, how it works – and how you can harness the power of AI
  • How its unique features can help you revolutionise your security operations
Book my place

Azure Sentinel in action – A typical scenario…

In this example, an organisation’s Azure AD Connect instance has been compromised and their credentials have been exfiltrated. We will investigate this attack and highlight how Azure Sentinel could have been used to alert and mitigate this attack at different points of the cyber kill chain.

The cyber kill chain is a series of 8 steps that trace an attack from reconnaissance to data exploitation – enhancing our understanding of the timeline of a cyber-attack.

We will be focusing on the alerting and remediation response against reconnaissance, intrusion and exfiltration.

Why target Azure AD Connect?

For those unaware of Azure AD Connect (AAD Connect), it is a tool that allows organisations to connect their on-premises Active Directory with their Azure Active Directory environment. The most common authentication configurations for AAD Connect are via Password Hash Sync (PHS) or Pass Through Authentication (PTA).

Password Hash Sync operates by synchronising the hashed passwords that sits on Active Directory with Azure Active Directory, allowing users to sign into cloud services using their on-premises credentials. Whereas Pass Through Authentication allows users to sign into cloud services using their on-premises credentials by forwarding authentication requests to an on-premises Active Directory server.

Both these configurations deal with the management of an organisation’s credentials, as such it is often a valuable target for attackers. Hence it is vital that the AAD Connect service, and the server it sits on is protected to prevent the compromise of credentials.

Reconnaissance

The first step of the cyber kill chain is reconnaissance. Research shows that up to 60% of an attacker’s time is spent investigating an organisation and their infrastructure before they begin their attack. So, while reconnaissance is not a threat nor is it an exploit. It is important to remember that reconnaissance is the first step on the path to a cyber-attack. As such it is vital to respond to such threats when they occur.

The most common form of reconnaissance is the use of port scanning to fingerprint servers and identify what OS is in use and potentially what services are running. With this information, attackers will exploit known vulnerabilities or use a password spray attack to attempt to gain a foothold in the system.

Using Azure Sentinel, we can create a custom alert rule that will react when it detects potential port scanning and trigger a playbook to remediate the threat.

To respond to this alert, we can create an automated playbook which is built using the Logic Apps framework available in Azure. Logic Apps uses a simple drag and drop interface to build a series of tasks to execute.

The advantage of Logic Apps is they can be used to build complex workflows that would normally take up valuable time of an organisation’s IT personnel – thus reducing the amount of time spent on trivial, repetitive tasks.

In this screenshot is an example playbook that will update the firewall rules for every server within our example organisation to block the attacker from gaining any more information on our systems.

Intrusion

An ever-growing form of intrusion that many organisations face, is the password spray attack. This is a type of attack where an attacker will attempt to gain access into a system using default or commonly used credentials.

Attackers are also increasingly using lists of the most commonly used passwords to gain access to systems. According to the NCSC, over 75% of organisations had passwords that feature in the top 1,000 most commonly used passwords. So, it’s no surprise that password spray attacks are becoming commonplace!

Attackers are unlikely to attempt to sign into an account manually from their own IP address, instead they’ll attempt to automate the task using botnets. Hence when an alert is raised for an unusual sign-in, we can look up the IP address of the sign-in alert and check whether it came from a known botnet, block the user from signing in and raise a ticket in Service Now to notify IT personnel of a potential account breach.

While most workflows can be created using the basic building blocks providing in Logic Apps, a more complex workflow is sometimes required. In this case we can’t easily create a Logic App to compare the IP address of the alert against a list of known botnets. However, Logic Apps allows us to integrate with Functions Apps, which are small blocks of custom code that can be run. As a result, we can create the following Logic App that can perform more complex tasks.

Exfiltration

Once an attacker has gained initial access in a network, they will be looking for ways to extract data from a system. In our fictitious example, the attacker has gained access to a local administrator account and is now looking to export all the user credentials stored in the Active Directory.

As the attacker has breached the server which hosts the AAD Connect service, they can compromise the built-in service account which AAD Connect uses to perform its synchronisation, an attack method commonly referred to as DCSync. It impersonates a Domain Controller and can request password data from the target Domain Controller.

Within the Microsoft security stack, Azure Advanced Threat Protection has out-of-the-box detection for DCSync attacks. However, many security teams face the problem of having to navigate the different dashboards for each Microsoft security solution they have deployed, such as Microsoft Defender ATP, Azure ATP, and CAS.

In the past this has meant that time was wasted navigating between different dashboards and consoles with slower response times and potentially missed threats and correlations.

With the introduction of Azure Sentinel, an organisation can now view threats and alerts across their entire IT estate. They can also take advantage of incidents within Sentinel to correlate alerts and entities across all data sources to add contextual information that is meaningful to the investigation process.

In this example, Microsoft Advanced Threat Analytics (ATA) has detected a DCSync attack on the AAD Connect server, which in turn has raised an alert in Sentinel. Taking advantage of automated playbooks, we can create a Logic App that will send out an approval email to an IT security team asking them if this is a threat or not. If confirmed, the Logic App will use the built-in Microsoft Defender ATA tool to isolate the server from the network, begin a virus scan and raise a ticket within Service Now.

DCSync attack alert in Microsoft Advanced Threat Analytics
Automated Playbook Response

 

Conclusion

In conclusion, Azure Sentinel is a powerful SIEM fit for the modern technological landscape. It provides a bird’s-eye view of your entire IT estate along with smart analytics supported by advanced artificial intelligence to help detect and respond to threats in near real-time.

As seen in the examples in this blog, Azure Sentinel can integrate seamlessly with your pre-existing Microsoft and non-Microsoft infrastructure, while still providing you the control to customise Sentinel to match your security requirements.

This all contributes toward defending your organisation against the ever-growing cyber security threats of this modern world. Azure Sentinel’s use of automated playbooks can also increase the productivity of IT and support personnel by reducing the amount of trivial and time-consuming remediation tasks required, all while increasing response times to incidents.

We’ve developed an in-depth Azure Sentinel Workshop designed to help you understand how exactly Sentinel would work in your environment.

The workshop will explain the mechanics of Sentinel so that you have a clear view of its capabilities and what you need to put in place to take advantage of it. Get in touch with us to learn more.

Alternatively, watch our dedicated Sentinel webinar where we get under the hood and dive into how Microsoft’s latest security software works.

You may also like...

Blog

iPadOS: Update your conditional access policies and keep your devices secure

Blog

VIP Protection – Providing a digital bodyguard with Microsoft 365

Blog

FIDO2 – Making Microsoft’s passwordless authentication a reality

Recent Blog Articles

View All
Author
Mathew Richards
Head of Mobility & Security
Learn More

Get in touch

If you have any questions about Azure Sentinel – or would like to learn more about our educational workshops – then a member of our team will be happy to help. Get in touch today.

Contact Us
Award-winning solutions Award-winning solutions

Eight-time winner of the Microsoft Partner of the Year Award for Identity Management, Enterprise Mobility, and Security and Compliance.

ThirdSpace Please upgrade your browser

You are seeing this because you are using a browser that is not supported. The ThirdSpace website is built using modern technology and standards. We recommend upgrading your browser with one of the following to properly view our website:

Windows Mac

Please note that this is not an exhaustive list of browsers. We also do not intend to recommend a particular manufacturer's browser over another's; only to suggest upgrading to a browser version that is compliant with current standards to give you the best and most secure browsing experience.