Chanthapat Themanan (Pol)
Business Development Manager
Cloud + Artificial Intelligence Security Operations Team
Focus on security, unburden SecOps from IT tasks
© Microsoft Corporation Azure
• No infrastructure setup or maintenance
• SIEM service available in the Azure portal
• Scales automatically, with no limits on compute or storage resources
Microsoft Sentinel
What is Security Information and Event Management (SIEM)?
A SIEM system is a tool that an organization uses to collect, analyze, and perform security operations on its computer systems. Those systems can be hardware appliances, applications, or both.
In its simplest form, a SIEM system enables you to:
• Collect and query logs.
• Do some form of correlation or anomaly detection.
• Create alerts and incidents based on your findings.
A SIEM system might offer functionality such as:
• Log management: The ability to collect, store, and query the log data from resources within your environment.
• Alerting: A proactive look inside the log data for potential security incidents and anomalies.
• Visualization: Graphs and dashboards that provide visual insights into your log data.
• Incident management: The ability to create, update, assign, and investigate incidents that have been identified.
• Querying data: A rich query language, similar to that for log management, that you can use to query and understand your data.
Microsoft Sentinel is a cloud-native SIEM system that a security operations team can use to:
• Collect security data at cloud scale from all sources across your enterprise: pre-wired integration with Microsoft solutions (including Microsoft 365), connectors for many partner solutions, standard log format support for all sources, and a proven log platform with more than 10 petabytes of daily ingestion.
• Detect threats and analyze security data quickly with AI (threat detection and analysis): correlated rules; User Entity Behavior Analysis integrated with Microsoft 365; pre-built machine learning models, or bring your own ML models; ML models based on decades of Microsoft security experience and learnings; millions of signals filtered to a few correlated and prioritized incidents; insights based on vast Microsoft threat intelligence and your own TI; enrichment with intelligence (geolocation, IP reputation); reduce alert fatigue by up to 90%.
Core capabilities
• Collect: data from Microsoft services, public clouds, security solutions, apps, users, and infrastructure is ingested into the data repository (Azure Monitor log analytics), where it is available for data search.
• Analyze & detect threats: machine learning, UEBA.
• Investigate & hunt suspicious activities: interactive attack visualization, Azure Notebooks.
• Automate & orchestrate response: playbooks.
• Integrate: ServiceNow, community, other tools.
The latest annual State of Phishing report from SlashNext (figure; image source: SlashNext).
Brand Phishing report – Q4 2022
Below are the top 10 brands ranked by their overall appearance in brand phishing events during Q4 2022 (figure):
Instagram Phishing Email – Account Theft Example
Figure 1: The malicious email, which contained the subject “blue badge form”
Figure 2: Fraudulent login page “https://www[.]verifiedbadgecenters[.]xyz/contact/”
Microsoft Teams Phishing Email – Account Theft Example
Figure 1: The malicious email, which contained the subject “you have been added to a new team”
Mail Phishing
AiTM (Adversary in The Middle) Phishing attack
Figure: The diagram below illustrates the AiTM phishing process.
Investigation Phase 1: Initial access with phishing email
Entities in the diagram:
• Workstation8 (192.168.2.20)
• Dan Williams, dwilliams@seccxp.ninja (Cloud Architect Manager)
• Polly Watkins, pwatkins@seccxp.ninja (Cloud Architect)
• Cloud admin account: adm_pwatkins@seccxpninja.onmicrosoft.com
• Attacker
Phishing email: Sender sbeavers1@proton.me; Subject “New Azure Firewall”; URL http[:]//gbnplqhllkafpaggc.companyportal.cloud/
Polly received the email and clicked on the malicious link (https[:]//login.antoinetest.ovh/xxxx, 20.127.144.13); she was redirected to a malicious proxied Microsoft login page.
Diagram legend: Email Traffic, Authentication Traffic.
*Highlighted entities are subject to change for every attack execution.
Investigation Phase 2: Suspicious login
Entities in the diagram: Attacker; Azure Active Directory (SECCXPNINJA); Tor Browser; Polly Watkins, adm_pwatkins@seccxpninja.onmicrosoft.com (Cloud Architect); Office 365; Azure.
Successful MFA, followed by suspicious access from multiple Tor IPs with Polly’s account.
Diagram legend: Email Traffic, Authentication Traffic.
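A detection for the Phase 2 finding, as an added example that is not part of the original deck: it emulates in Python what a Sentinel scheduled analytics rule over SigninLogs would do, flagging an account that signs in successfully from two or more distinct Tor exit IPs inside a sliding window. The sign-in records and the Tor exit list are constructed sample data; the field names follow the Azure AD SigninLogs table as an assumption, and in a real deployment the Tor list would come from a threat-intelligence feed rather than a literal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not a real tenant export). Field names follow the
# Azure AD SigninLogs table as an assumption; ResultType "0" means success.
SIGNIN_LOGS = [
    {"TimeGenerated": "2023-03-01T09:00:00", "UserPrincipalName": "pwatkins@seccxp.ninja",
     "IPAddress": "192.168.2.20", "ResultType": "0"},                 # normal workstation sign-in
    {"TimeGenerated": "2023-03-01T09:30:00", "UserPrincipalName": "adm_pwatkins@seccxpninja.onmicrosoft.com",
     "IPAddress": "198.51.100.7", "ResultType": "0"},                  # Tor exit #1
    {"TimeGenerated": "2023-03-01T09:41:00", "UserPrincipalName": "adm_pwatkins@seccxpninja.onmicrosoft.com",
     "IPAddress": "203.0.113.44", "ResultType": "0"},                  # Tor exit #2
    {"TimeGenerated": "2023-03-01T10:05:00", "UserPrincipalName": "adm_pwatkins@seccxpninja.onmicrosoft.com",
     "IPAddress": "198.51.100.19", "ResultType": "0"},                 # Tor exit #3
    {"TimeGenerated": "2023-03-01T11:00:00", "UserPrincipalName": "kdickens@seccxp.ninja",
     "IPAddress": "198.51.100.7", "ResultType": "0"},                  # one Tor IP only: below threshold
    {"TimeGenerated": "2023-03-01T11:10:00", "UserPrincipalName": "dwilliams@seccxp.ninja",
     "IPAddress": "203.0.113.44", "ResultType": "50126"},              # failed sign-in: ignored
]

# Constructed Tor exit-node list (documentation-range addresses); a real
# deployment would load this from a threat-intelligence feed.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.19", "203.0.113.44"}


def detect_multi_tor_signins(records, tor_exit_ips, window_minutes=60, min_ips=2):
    """Return one alert per account that signed in successfully from at least
    `min_ips` distinct Tor exit IPs within any `window_minutes` window."""
    by_user = defaultdict(list)
    for r in records:
        if r["ResultType"] != "0" or r["IPAddress"] not in tor_exit_ips:
            continue
        by_user[r["UserPrincipalName"]].append(
            (datetime.fromisoformat(r["TimeGenerated"]), r["IPAddress"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct Tor IPs seen from this event until the window closes.
            ips = {ip for t, ip in events[i:] if t - start <= window}
            if len(ips) >= min_ips:
                alerts.append({"user": user, "first_seen": start.isoformat(),
                               "tor_ips": sorted(ips)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_multi_tor_signins(SIGNIN_LOGS, TOR_EXIT_IPS):
        print(alert)
```

A single sign-in from a Tor exit is noisy on its own; requiring several distinct exits within the window, and only counting successful results, matches the pattern the deck describes while staying quiet on ordinary traffic. In Sentinel the same logic would be a scheduled analytics rule that joins SigninLogs against threat-intelligence indicators.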
Investigation Phase 3: Suspicious activities in cloud application
Entities in the diagram: Azure Active Directory (SECCXPNINJA); Office 365; Azure. Legend: Email Traffic, Authentication Traffic.
Email containing bank/credential info forwarded to an external user via an inbox forwarding rule:
• Rule name: itcleanup
• Rule: Subject or Body Contains: iban;secret;password;transfer;bank;account
• Forward to: itmonitoring@contosodoesnotexist.com
Activity seen in Azure Storage account (Azure activity):
• Operation: ListKeys StorageAccounts
• Target Resource: contosohotelsassets
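The two Phase 3 findings, as an added example that is not part of the original deck: one check flags inbox rules that forward mail outside the organization (raising severity when the rule keys on sensitive words, as the itcleanup rule does), a second flags ListKeys calls on storage accounts, and a third correlates the two by source IP into one incident, which is the step a SIEM adds over the individual product alerts. All records are constructed; the Exchange records follow the Office 365 Unified Audit Log shape (Operation plus a Parameters list of Name/Value pairs) and the Azure records the Azure Activity log shape, both as assumptions about field naming, and the subscription and resource-group segments are placeholders.

```python
# Constructed sample records (not a real export). Field naming for the
# Office 365 Unified Audit Log and the Azure Activity log is an assumption.
INTERNAL_DOMAINS = {"seccxp.ninja", "seccxpninja.onmicrosoft.com"}
SENSITIVE_KEYWORDS = {"iban", "secret", "password", "transfer", "bank", "account"}

EXCHANGE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "pwatkins@seccxp.ninja", "ClientIP": "203.0.113.44",
     "Parameters": [{"Name": "Name", "Value": "itcleanup"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "iban;secret;password;transfer;bank;account"},
                    {"Name": "ForwardTo", "Value": "itmonitoring@contosodoesnotexist.com"}]},
    {"Operation": "New-InboxRule", "UserId": "kdickens@seccxp.ninja", "ClientIP": "192.168.2.6",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "newsletter"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},             # benign: no forwarding
    {"Operation": "Set-InboxRule", "UserId": "dwilliams@seccxp.ninja", "ClientIP": "192.168.2.20",
     "Parameters": [{"Name": "Name", "Value": "to assistant"},
                    {"Name": "ForwardTo", "Value": "pwatkins@seccxp.ninja"}]},  # internal forward: allowed
]

AZURE_ACTIVITY = [
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION",
     "Caller": "adm_pwatkins@seccxpninja.onmicrosoft.com", "CallerIpAddress": "203.0.113.44",
     "ResourceId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/contosohotelsassets"},
    {"OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/READ",
     "Caller": "adm_pwatkins@seccxpninja.onmicrosoft.com", "CallerIpAddress": "192.168.2.20",
     "ResourceId": "/subscriptions/<SUB-ID>/resourceGroups/<RG>/providers/Microsoft.Storage/storageAccounts/contosohotelsassets"},
]


def inbox_rule_alerts(records):
    """Flag New-/Set-InboxRule operations that forward or redirect mail outside
    the organization; severity rises when the rule keys on sensitive words."""
    alerts = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        targets = []
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            targets += [t.strip() for t in params.get(key, "").split(";") if t.strip()]
        external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
        if not external:
            continue
        words = params.get("SubjectOrBodyContainsWords", "") + ";" + params.get("SubjectContainsWords", "")
        hits = sorted({w.strip().lower() for w in words.split(";") if w.strip()} & SENSITIVE_KEYWORDS)
        alerts.append({"type": "external_forwarding_rule", "user": r["UserId"], "ip": r["ClientIP"],
                       "rule": params.get("Name", ""), "forward_to": external, "keywords": hits,
                       "severity": "High" if hits else "Medium"})
    return alerts


def storage_listkeys_alerts(records):
    """Flag every ListKeys call: it hands out the account keys, so it deserves
    review even when the caller looks legitimate."""
    return [{"type": "storage_listkeys", "user": r["Caller"], "ip": r["CallerIpAddress"],
             "resource": r["ResourceId"].rsplit("/", 1)[-1], "severity": "Medium"}
            for r in records if r.get("OperationNameValue", "").upper().endswith("/LISTKEYS/ACTION")]


def correlate_by_ip(*alert_lists):
    """Group alerts from different workloads by source IP; two different alert
    types from one IP become a single High-severity incident."""
    by_ip = {}
    for a in (a for lst in alert_lists for a in lst):
        by_ip.setdefault(a["ip"], []).append(a)
    return [{"ip": ip, "severity": "High", "alerts": alerts}
            for ip, alerts in by_ip.items() if len({a["type"] for a in alerts}) >= 2]


if __name__ == "__main__":
    for incident in correlate_by_ip(inbox_rule_alerts(EXCHANGE_AUDIT), storage_listkeys_alerts(AZURE_ACTIVITY)):
        print(incident)
```

Correlating on the client IP rather than on the user name matters here: the inbox rule lands in Polly's mailbox (pwatkins@seccxp.ninja) while the ListKeys call comes from the separate admin identity (adm_pwatkins@seccxpninja.onmicrosoft.com), so a user-keyed join would miss that both actions came from the same session.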
Investigation Phase 4: Suspicious email link & backdoor persistence
Entities in the diagram: Karla Dickens, kdickens@seccxp.ninja (Account Manager); Workstation6 (192.168.2.6). Legend: Email Traffic, Download.
Karla received an email and clicked on a malicious link, which downloads a Word file and executes it: generateAccountPlan.doc from https[:]//contosohotelsassets.blob.core.windows.net/automation/generateAccountPlan.doc
The document then downloads and executes an .exe from https://xdrstaticstorage.blob.core.windows.net/xdrscript/ConsoleApplication1.exe
Backdoor persistence on the workstation (Task Scheduler). The VBA launches: Powershell -executionpolicy bypass -windowstyle hidden -EncodedCommand UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHA (the Base64 blob is truncated on the slide; what survives decodes to the beginning of a Start-Process call).
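A host-side check for the Phase 4 persistence mechanism, as an added example that is not part of the original deck: it parses the PowerShell command line behind a scheduled task, decodes the -EncodedCommand payload (UTF-16LE Base64, with the padding restored), and scores the three traits the slide shows (execution-policy bypass, hidden window, encoded command). The task events and task names are constructed; the Base64 blob is the truncated one from the slide, so only the beginning of the command decodes.

```python
import base64
import re

# Constructed sample events (not from a real host). The shape loosely follows
# Windows event 4698 ("scheduled task created") as an assumption: task name plus
# the action's command and arguments. The encoded blob is the one on the slide,
# which is truncated there, so only the start of the command decodes.
SLIDE_BLOB = "UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAHA"
TASK_EVENTS = [
    {"TaskName": "\\Microsoft\\Windows\\Updater", "Command": "Powershell",        # constructed task name
     "Arguments": "-executionpolicy bypass -windowstyle hidden -EncodedCommand " + SLIDE_BLOB},
    {"TaskName": "\\Backup", "Command": "powershell.exe",
     "Arguments": "-File C:\\scripts\\backup.ps1"},                             # benign maintenance task
    {"TaskName": "\\Cleanup", "Command": "C:\\Windows\\System32\\cmd.exe",
     "Arguments": "/c del /q C:\\temp\\*.log"},                                  # not PowerShell at all
]


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    PowerShell accepts any unambiguous prefix of the switch (-e, -ec, -enc, ...),
    so match on prefix rather than on the full switch name."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower() if tok.startswith("-") else ""
        if name and "encodedcommand".startswith(name):
            blob = tokens[i + 1]
            blob += "=" * (-len(blob) % 4)            # restore stripped Base64 padding
            raw = base64.b64decode(blob)
            raw = raw[: len(raw) - len(raw) % 2]      # UTF-16LE needs whole code units
            return raw.decode("utf-16-le", errors="ignore")
    return None


def score_powershell(command_line):
    """Score one PowerShell command line on the three traits from the slide:
    execution-policy bypass, hidden window, and an encoded command."""
    lowered = command_line.lower()
    findings = []
    if re.search(r"-ex\w*\s+bypass", lowered):
        findings.append("execution policy bypass")
    if re.search(r"-w\w*\s+hidden", lowered):
        findings.append("hidden window")
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        findings.append("encoded command")
    return {"findings": findings, "decoded": decoded, "suspicious": len(findings) >= 2}


def scheduled_task_alerts(events):
    """Flag scheduled tasks whose action is a suspicious PowerShell command line:
    persistence through Task Scheduler is the backdoor the slide describes."""
    alerts = []
    for e in events:
        if "powershell" not in e["Command"].lower():
            continue
        result = score_powershell(e["Command"] + " " + e["Arguments"])
        if result["suspicious"]:
            alerts.append({"task": e["TaskName"], **result})
    return alerts


if __name__ == "__main__":
    for alert in scheduled_task_alerts(TASK_EVENTS):
        print(alert)
```

Requiring two of the three traits keeps ordinary administrative tasks (a plain -File invocation, for instance) out of the alert list, while the decoded payload is what an analyst needs in the incident to see what the task actually runs.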
Investigation Phase 4: Suspicious activity in Azure
Entities in the diagram: Attacker; Azure Active Directory (SECCXPNINJA); Tor Browser; Polly Watkins, adm_pwatkins@seccxpninja.onmicrosoft.com (Cloud Architect); Azure Storage Account contosohotelsassets; File generateAccountPlan.doc. Legend: Email Traffic, Authentication Traffic.
Polly Watkins uploaded a malicious Word file to Azure Blob Storage, accessing it from a suspicious IP. The document was later downloaded by Karla Dickens to execute malicious activities on Workstation6.
Investigation Phase 5: Internal phishing email
Entities in the diagram: Karla Dickens, kdickens@seccxp.ninja (Account Manager); Workstation6 (192.168.2.6); Attacker; Polly Watkins, adm_pwatkins@seccxpninja.onmicrosoft.com (Cloud Architect). Legend: Email Traffic, Download.
The email with the link to the malicious file was an internal phishing email, sent from Polly’s account:
• Sender: adm_pwatkins@seccxpninja.onmicrosoft.com
• Subject: Account plan automation
• URL: https[:]//contosohotelsassets.blob.core.windows.net/automation/generateAccountPlan.doc
Summary: Investigation done in Microsoft 365 Defender
Timeline (diagram entities listed with each step):
• T: Phishing email sent; the link is still safe at this point. Sender sbeavers1@proton.me, Subject “New Azure Firewall”, URL http[:]//gbnplqhllkafpaggc.companyportal.cloud/. Diagram label: MDO sandbox (inline + time of click).
• T+10: Link is weaponized.
• T+15: Polly clicks on the link (Polly Watkins, pwatkins@seccxp.ninja, Cloud Architect).
• T+18: Polly’s ESTSAUTH cookies stolen (AiTM phishing site 20.127.144.13).
• T+30: Polly’s ESTSAUTH cookies imported; the attacker logs in as Polly from the Tor Browser to Azure Active Directory (SECCXPNINJA), using the cloud admin account adm_pwatkins@seccxpninja.onmicrosoft.com.
• T+35: Create inbox forwarding rule in Polly’s email account.
• T+38: ListKeys operation in the Azure Storage account contosohotelsassets.
• T+45: Attacker (as Polly) sends internal phishing email including a link to the file in the Azure container. Sender adm_pwatkins@seccxpninja.onmicrosoft.com, Subject “Account Plan automation”, URL https://contosohotelsassets.blob.core.windows.net/automation/generateAccountPlan.doc<SAS>.
• T+65: Karla clicks on the link, downloads the file, and executes the payload (Karla Dickens, kdickens@seccxp.ninja, Account Manager, on Workstation6, 192.168.2.6).
• T+70: Backdoor persistence on the workstation: generateAccountPlan.doc -> PowerShell -> ConsoleApplication.exe -> Scheduled Task.
Other entities in the diagram: Workstation8 (192.168.2.20); Dan Williams, dwilliams@seccxp.ninja (Cloud Architect Manager). Legend: Network Boundary, Email Traffic, Authentication Traffic, Lateral Movement Path; Office 365, Azure. Marked “Need further investigation”.
Remediation
The remediation view repeats the summary timeline, with the attacker’s steps in the Azure Storage account contosohotelsassets labelled as:
• T+38: Creates a new container in the Azure Storage account.
• T+40: Uploads the malicious file generateAccountPlan.doc to the container, and generates a URL with a SAS key.
Remediation actions shown (Microsoft 365 Defender Automatic Investigation & Response, Microsoft Sentinel Playbook):
• Deleted email (×2)
• Blocked IP
• Deleted file
• Stop process, quarantine file (PowerShell -> ConsoleApplication.exe -> Scheduled Task)
• Blocked user
Follow other seminars on Facebook: MISO Digital
https://facebook.com/misocoth
Boonthawee Tangsoonthornthum (Thor)
Business Development Manager, MISO Digital
Microsoft Most Valuable Professional (MVP): Business Applications
Microsoft Certified Trainer (MCT)
Microsoft 365 Certified: Enterprise Administrator Expert
Microsoft 365 Certified: Security Administrator Associate
Microsoft Certified: Azure Fundamentals
http://www.mvpskill.com/kb/author/boonthawee
https://www.youtube.com/powerappsguruthailand
https://www.facebook.com/groups/D365PowerPlatCommunityTH

Azure Sentinel