Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Azure sentinel

160 views

Published on

How to use Azure Sentinel and Microsoft Defender ATP architecture

Published in: Technology
  • Be the first to comment

Azure sentinel

  1. 1. How to Catch the Bad Guys with Azure Sentinel and Microsoft Defender ATP Marius Sandbu Cloud Tech Lead @ EVRY @msandbu https://msandbu.org
  2. 2. Agenda • Evolution • Attacks and the landscape in 2019 • A Overview on Microsoft Security Ecosystem • Azure Sentinel & Defender ATP • Enabling data sources and collection • Designing a security solution • Connecting the dots and automation
  3. 3. It’s hunting season!
  4. 4. • Active Directory • Group Policy • AD based clients • On-premises Collaboration • System Management tools • Traditional Antivirus Once Upon a time…….
  5. 5. Lockergoga • Entrypoint trough Email or drive-by download • Distributed using Group Policy • Each Payload was Unique • Digitally signed by trusted third party
  6. 6. BARIUM • Infected Trusted Sources and using drive-by download • CCleaner and ASUS Update • Compromised endpoints with ransomware
  7. 7. Landscape 2019 • Azure Active Directory • Mobile Device Management • Endpoint Protection • SaaS • Web-based collaboration • Multiple OS and devices • + The existing legacy stuff
  8. 8. Attacks by the numbers 300% Increase in Identity Attacks over the past year 350 Thousand Compromised Accounts detected in April 2018 46 Billion Attacker driven sign-ins May 2018 23 Million High Risk Enterprise Sign- in attempts March 2018 1,29 Billion Authentications Blocked in August 2018 Source: Microsoft Ignite 2018
  9. 9. AAD • Dump users and groups with Azure AD • Password Spray: MailSniper • Password Spray: CredKing O365 • Get Global Address List: MailSniper • Find Open Mailboxes: MailSniper • User account enumeration with ActiveSync • Harvest email addresses • Verify target is on O365, [DNS], [urls], [list], [getuserrealm] • Enumerate usernames, 2FA status via ActiveSync [o365userenum] • Role, group, admin enumeration with Get-MsolRoleMember [RainDance] • Bruteforce of Autodiscover: SensePost Ruler • Phishing for credentials • Phishing using OAuth app • 2FA MITM Phishing: evilginx2 [github] • Add Mail forwarding rule • Add Global Admin Account • Delegate Tenant Admin • MailSniper: Search Mailbox for credentials • Search for Content with eDiscovery • Account Takeover: Add- MailboxPermission • Pivot to On-Prem host: SensePost Ruler • Exchange Tasks for C2: MWR • Send Internal Email • MailSniper: Search Mailbox for content • Search for Content with eDiscovery • Exfil email using EWS APIs with PowerShell • Download documents and email • Financial/wire fraud EndPoint • Search host for Azure credentials: SharpCloud • Ransomware • Persistence through Outlook Home Page: SensePost Ruler • Persistence through custom Outlook Form • Create Hidden Mailbox Rule [tool] On-PremExchange • Portal Recon • Enumerate domain accounts using Skype4B, [LyncSmash] • Enumerate domain accounts: OWA & Exchange • Enumerate domain accounts: OWA: FindPeople • OWA version discovery • Password Spray using Invoke-PasswordSprayOWA, EWS, Atomizer • Bruteforce of Autodiscover: SensePost Ruler • PasswordSpray Lync/S4B [LyncSniper] • Exchange MTA • Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B) • Delegation Prepared by @JohnLaTwC, May 2019, v1.06 Microsoft
  10. 10. Password Spray attacks in ~15 Minutes Attack leveraging Legacy Protocols* Email addresses = UPN – Easy to find online (mailhunter or https://www.rapid7.com/db/modules/auxiliary/gather/search_e mail_collector) *Microsoft disabling legacy authentication protocols in Office365 – in 2020 http://bit.ly/2ktycIC No Easy way to block authentication attempts from «known IP’s»
  11. 11. Azure Sentinel SQL Encryption & Data Masking The Azure Security Ecosystem
  12. 12. Logging sources in the Cloud Audit Item Category Enabled by Default Retention User Activity Office 365 Security No 90 Days Admin Activity Office 365 Security No 90 Days Mailbox Audit Exchange Online Yes 90 Days Sign-In Activity Azure AD Yes 30 Days (AAD P1) Users at Risk Azure AD Yes 7 Days (30 Days, P1/P2) Risky Sign-ins Azure AD Yes 7 Days (30 Days, P1/P2) Azure MFA Usage Azure AD Yes 30 Days Directory Audit Azure AD Yes 7 Days (30 Days, P1/P2) Intune Activity Log Intune Yes 1 Year (Graph API)
  13. 13. Logging sources in the Cloud Audit Item Category Enabled by Default Retention Azure Resource Manager Azure Yes 30 Days Network Security Group Flow Logs Azure No Depending on Configuration Azure Diagnostics Logs* Azure No Depending on Configuration Azure Application Insight Azure No Depending on Configuration VM Logs OS Yes Size defined in Group Policy Custom Logs OS N/A Application specific logs Azure Security Center Azure No (Cost per host/PaaS) SaaS Usage N/A No Requires Cloud App Discovery Custom Sources** N/A No Depending on Configuration • Diagnostics logs available for most Azure Services • ** Custom Connectors https://techcommunity.microsoft.com/t5/Azure- Sentinel/Azure-Sentinel-Creating-Custom-Connectors/ba-p/864060
  14. 14. Azure Sentinel ● Cloud Native SIEM and SOAR Solution ● Provides unified view and dashboards to the different data sources ● Utilizes Machine Learning to collerate data from multiple sources – Fusion* ● Threat Intelligence integration * Fusion will soon be enabled by default
  15. 15. Azure Sentinel - Capabilities ● Data stored in data lake using Log Analytics ● Supports multiple data sources ● Predefined Connectors with dashboards ● Integrateable with Jupyter for in-depth analysis ● Playbooks using Azure Logic Apps ● Alerts available using Security Graph API (GET/PATCH/SUBSCRIBE) - https://graph.microsoft.com/v1.0/security/alerts?$top=1
  16. 16. Azure Sentinel - Capabilities Log Analytics Settings Logic App Automation Incident Creation Rules Data Sources and status Jupyter Notebooks Predefined Queries Dashboards Incidents based upon rules Log Analytics Workspace
  17. 17. Microsoft Defender ATP 3 Party SIEM and Log Analytics Platforms Azure Services Office 365 Azure ATP 3 Party providers Client Endpoints Windows Server Azure Security Center Windows Server Cloud App Security Intune Azure AIP Data Connectors Kusto Queries Logs / Custom Logs Log Analytics Workspace Automation Remidiation Azure Security Graph Threat Intelligence Power BI Automation Layer Data Management Layer Data Sources User Interaction Layer Dashboards Visualization Hunting Queries Jupyter Notebooks● EDR powered by Sense Agent (agentless) ● Security Center Agent for Server Registry (Values, Changes) Files (Value, Changes, Hash, Name) Processes (Creation, Hash, Name) Memory dump Network Connections Local User information OS and Computer Information ● Memory forensics ● Hunting and Automated response ● Supported by Logic Apps / Flow
  18. 18. Microsoft Defender ATP - Capabilities ● Support for Windows 10 (Mac Preview coming*) ● Support for Windows Server trough Security Center (but limited capabilities) ● Support for 2008 R2 came yesterday ● Support for other OS trough Partner Ecosystem ● Microsoft Threat Protection Integration (Cloud App Security, AIP, Azure ATP, Office 365) ● Microsoft Threat Experts ● *PREVIEW* Live Reponse / Threat & Vulnerability Management *PREVIEW*
  19. 19. Azure Sentinel and Defender ATP Security Center Azure ADMicrosoft Defender ATP Azure Sentinel Endpoints Azure AD System activity Office 365 Other Sources Hunting Kusto / Jupyter / Dashboards Logic Apps Partner Ecosystem Automation Cloud App Security Conditional Access Cloud App Discovery Data Sources Alerts Threat Intelligence * * Internal Connector coming soon (Custom alerts playbook (https://www.linkedin.com/pulse/azure-sentinel-custom-logs- getting-your-mdatp-alerts-paul-huijbregts/) ITSM
  20. 20. #ExpertsLiveNO So how to get started? Create a Log Analytics Workspace Create a Sentinel Workspace Azure Sentinel Connect Data Sources • Supported Data Sources are based upon Log Analytics • Only way to delete a Sentinel instance is to remove the module from Log Analytics • Define Role based access Control Azure Sentinel Contributor Azure Sentinel Reader Azure Sentinel Responder Combined with Table based RBAC https://docs.microsoft.com/en-us/azure/azure-monitor/platform/manage-access#table- level-rbac Create Hunting Queries Create Automation Rules Get Windows 10 E5 lisense Onboard Machines (Using Onboarding script) Onboard Servers (Azure Security Center) Add Integrations (Requires licenses) Defender ATP Azure Sentinel Setup ATP Workspace
  21. 21. #ExpertsLiveNO Architecting a Sentinel solution Log Analytics Workspace Log Analytics Workspace • Retention (1 Year)* • Location (West Europe) • Avoid Multiple Log Analytics Workspace • Multihoming possible for Windows Agents • Not Linux or Azure Data Sources  • Use Azure Policy or ARM to deploy Agents • Adjust how often data is collected (Perf Metrics) * Table level retention on roadmap Logs & Performance Metrics
  22. 22. #ExpertsLiveNO Architecting a Sentinel solution Agent collect 30-second interval performance metrics TimeGenerated Agent Upload (30 sec – 2 minutes) Azure Diagnostics 2 – 15 Minutes Surge Protection <1 minute Temporary Storage 5-15 seconds _TimeReceived Temporary Storage 5-15 seconds _TimeReceived Network Performance Monitoring 3 Minutes Temporary Storage 5- 15 Seconds _TimeReceived Indexing <5 Minutes Sentinel Workspace Export ELK / SPLUNK
  23. 23. Enabling data sources Log Table name Permissions
  24. 24. Enabling data sources Insecure Protocols Dashboard 1: Enable Audit in Group Policy 2: Enable Collection of Security Events https://blogs.technet.microsoft.com/jonsh/azure-sentinel-insecure-protocols- dashboard-setup/
  25. 25. Enabling data sources Threat Intelligence Security Center Azure Security Center – Standard NB: Remember Cost for the service Define Log Analytics Workspace and Auto Provisioning Machines onboarded to Defender ATP https://securitycenter.windows.com
  26. 26. Enabling data sources Custom Logs and log sources * Utilize Sysmon from Sysinternals to collect process information on Infrastructure Workspace - Advanced Settings - Data - Event Logs
  27. 27. Enabling data sources Azure PaaS Services https://docs.microsoft.com/en-us/azure/governance/policy/samples/audit-diagnostic-setting Azure Monitor – Diagnostics – Services – Log Analytics
  28. 28. Enabling data sources Network Traffic - Azure NSG Flow Logs Bug – Delete old Flow Logs  https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-delete-nsg-flow-log-blobs • Enable Network Watcher • Enable Flow Logs NSG* • Integrate with Azure Sentinel Workspace
  29. 29. Enabling data sources ● Microsoft Defender ATP data is not available in Sentinel ● No simple way to sanitize data only available trough REST API ● Microsoft.OperationalInsights/workspaces/{workspaceName}/purge?api-version=2015-03-20 ● Data Purger Role Required or higher
  30. 30. #ExpertsLiveNO Configuring detection rules • Automate Threat Detection Rules • https://github.com/wortell/AZSentinel • Big Thanks to Wortell! • Or find predefined rules • https://github.com/netevert/sentinel-analytics-library • https://github.com/BlueTeamLabs/sentinel-attack • Then add automated response
  31. 31. Creating Automated Response
  32. 32. Example hunting Sentinel & Defender ATP ● Attack techniques defined by MITRE ATT&CK Knowledge base -- https://attack.mitre.org/ ● Universal but adapted using Kusto queries by Microsoft https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries https://github.com/Azure/Azure-Sentinel
  33. 33. Kusto Query Language ● Read only request to process data and results from a dataset ● Queries are built defining the source and statements with defined filters Office365 • Column1 • Column2 VMConnection • Column1 • Column2 Table1 | where Column1 == «value1» | count Read-only Query Example:
  34. 34. Example hunting Sentinel • Looking after failed authentication attempts to virtual infrastructure SecurityEvent | where EventID == 4625 | where AccountType == "User" | summarize CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress • Looking after failed authentication attempts to Azure portal SigninLogs | where TimeGenerated >= timeRange | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails) | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city) | where AppDisplayName contains "Azure Portal" | where ResultType !in ("0", "50125", "50140") Requires Security Center enabled Requires integration with Azure AD Azure AD Sign-in ID’s https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference- sign-ins-error-codes
  35. 35. Example hunting Sentinel • Mass Download Office 365 SharePoint let historicalActivity= OfficeActivity | where RecordType == "SharePointFileOperation" | where Operation in ("FileDownloaded", "FileUploaded") | where TimeGenerated between(ago(30d)..ago(7d)) | summarize historicalCount=count() by ClientIP; let recentActivity = OfficeActivity | where RecordType == "SharePointFileOperation" | where Operation in ("FileDownloaded", "FileUploaded") | where TimeGenerated > ago(1d) | summarize recentCount=count() by ClientIP; recentActivity | join kind= leftanti ( historicalActivity ) on ClientIP; Requires integration with Office 365
  36. 36. Example hunting Microsoft Defender ATP • Use of Tor Client on Endpoint NetworkCommunicationEvents | where EventTime < ago(3d) and InitiatingProcessFileName in~ ("tor.exe", "meek-client.exe") // Returns MD5 hashes of files used by Tor, to enable you to block them. // We count how prevalent each file is (by machines) and show examples for some of them (up to 5 machine names per hash). | summarize MachineCount=dcount(ComputerName), MachineNames=makeset(ComputerName, 5) by InitiatingProcessMD5 | order by MachineCount desc
  37. 37. Azure Sentinel and Defender ATP moving forward ● Heavily integrated solution across the Microsoft ecosystem ● Unified Approach to logging and threat hunting across plattforms ● (Identity, SaaS, Endpoint, PaaS and Infrastructure) ● More Intelligence built-in using Machine Learning and threat intelligence ● Having Automated response that can work across solutions ● Providing a decent set of capabiliites to catch the bad buys
  38. 38. Questions and more information? Article / Source URL Best Pratice Workspace Design http://bit.ly/2mlUhJE Azure Sentinel Github Repository http://bit.ly/2m6TSdU Azure Sentinel and MSP https://docs.microsoft.com/en- us/azure/sentinel/multiple-tenants-service-providers Azure Sentinel price calculator http://bit.ly/2mrGTns Defender ATP Github Repo https://github.com/microsoft/WindowsDefenderATP- Hunting-Queries Jupyter and Python Security Tools https://github.com/microsoft/msticpy Defender ATP Hunting Queries https://github.com/Microsoft/WindowsDefenderATP- Hunting-Queries Email: msandbu@gmail.com Twitter: @msandbu Blog: msandbu.org
  39. 39. Pricing Example: 2 Virtual Machines running in Azure • Collecting Network Flow Logs and Traffic Analysis • Collecting Security Events (Requires Security Center) • 1 Year Retention on Log Analytics Workspace • Collecting Custom Logs (3 GB a month) • Collecting Azure AD and Activity Logs (Activity Logs are free) • Outbound ITSM Calls • Sentinel enabled and Logic Apps Example cost per month Security Center x2 VM’s = $29,20 Log Analytics (Security Events free + VM logs (3 GB) + + Retention) = $ 49,17 Network Watcher (Logs ingested and traffic analysis = $25,50 Azure Sentinel (GB analyzed) = $2,60 Outbound ITSM (Within 1000 units free tier) Total Cost = $106 per month Log Analytics Workspace Azure Monitor Application Insight Azure Sentinel Logic App Action Groups  Retention (< Default 31 Days Retention free) (< Sentinel 90 Days Retention free) (< Above 90 Days, Log Analytics Retention fees)  Storage (< Default 5 GB Storage free  Location Price SKU Azure Monitor Price SKU SentinelPrice SKU Logic Apps Price SKU Azure Automation Azure Security Center Azure Automation Price SKU Security Center  500 MB free log ingestion per day to Log analytics  Per Hour cost per vm  Per hour cost for PaaS  Billed for data analyzed (Not Ingested)  Activity Log, Office365 analyzed is free  Price per action run Price SKU Application Insight Price SKU Network Watcher Network Watcher  Log ingestion + Log Analytics cost  (< Default 5 GB Log data free per month)  Cost for probes and Traffic Analysis  500 Minutes prosess automation free per month  5 Nodes free  Custom Metrics (Cost Per metrics)  Logs (Alert rule cost  Activity Log (Free)  Notification ITSM, SMS, Phone,Webhook, Email Some free units per month  5 GB Free per month  Web Test cost per month  Ping probes free
  40. 40. Pricing • Sentinel pricing is based upon data analyzed not ingested • The more data that is in the datasets defined in a hunting query the higher the cost will be • Use timefilter or scoping queries to ensure that you can control cost • Some of the predefined queries have date limits defined but not all! • Still unsure if regular Log Analytics Search Queries will affect the cost. • Some data is free for ingesting analyzing • Pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions.
  41. 41. MSP Approach Log Data Azure Office 365 Azure Active Directory Virtual Machines Network Devices Microsoft Cloud EMS Microsoft Azure Log Data Azure Log Data Azure Customer 0 - Subscription Customer 1 - Subscription Customer 2 - Subscription Custom Log Sources Office 365 Azure Active Directory Microsoft Azure Network Devices Virtual Machines Defender ATP Delegated Access (Lighthouse) Delegated Access (Lighthouse) Delegated Access (Lighthouse) Azure Portal MSP Azure Active Directory Rules & Automation Rules & Automation Rules & Automation MSP Approach • Delegated Access using Lighthouse • All Rules and logic defined within each workspace • No way to search across multiple tenants • Cost still going directly to subscription owner

×