Microsoft Azure Sentinel

Microsoft Azure Sentiel is fasting becoming a very powerful SIEM and IMO, I think its going to take the lead for the following reasons;

• Most Enterprise organisations are using Windows Operating Systems for Desktops and Servers, and these large fleets require Threat Detection.
• SYSMON and Windows Event Collection is the de facto option to monitor Windows Operation system giving access to Digital Forensic information. No need for a expensive EDR solutions, you can also use other Opensource tools for deep diving/remote control of Windows OS. (Also, Windows provides SCCM for Windows fleet management. )
• Windows Defender and Advanced Threat Protection is built-into Window for Endpoint Antimalware.
• All Microsoft software integrates Microsoft Threat Intelligence MTP
• Azure Sentinel has standardised on CEF format
  • https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-syslog-cef-logstash-and-other-3rd-party/ba-p/803891
  • https://docs.microsoft.com/en-us/azure/sentinel/connect-checkpoint
• Most organisations either have a ELA for Office 365 and making it much more cost effective to adopt and move to Azure. (See my Public Cloud war comparison.)
• Azure Sentinel provides OOB support for Attack Mitre
• Connect to MISP and built in Microsoft MISA
• Azure also provides SOAR capability via Azure Logic Apps. Becoming a open marketplaces – https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks / https://my.socprime.com/integrations/Run-AWS-VM-PacketCapture
• Azure Secure Score – https://www.youtube.com/watch?v=_USW01vBQws&feature=emb_title

For all of the above reason, I am going to learn Azure Sentinel in more depth, hopefully build a cyber range using my MSDN subscription.

Gaps

• Certification
  • PCI
  • SOC2
  • Common Common Criteria ( ISO/IEC 15408) EAL 3+
    • https://www.commoncriteriaportal.org/products/
  • FIPS 140-2 Compliance
  • WCAG 2.1 (Section 508)
• Multi-tenancy / MSSP
• Local customer references
• Transfer of logs from on-prem to Cloud is complicated networking, if you need to send SYSLOG via UDP to a Public cloud, its not going to work.
• Assessing all your data sources and method to Azure Sentil is vital om-prem SIEM this isn’t as critical although you should do this as best practice, you can assumes experience SIEM vendor will support all obvious formats.
• Encryption and Data Masking.
• How do you get your Data out, priority lock is a huge problem for a SIEM platform, what happens to your data when if you decided to break the contract. Also, if you wish to access that data via a different platform
• Datasources
• Azure monitor and sentinel take up to 8 hours to populate a suspicious log.
• I recall when everyone moved to Office 365 and didn’t bother to maintain a strong Email Security Gateway and just went with Office 365, allot of customers got hit with Crytolockers because of this decision. All for DX transformation. You need proper security experience people in your DX transformation or building SecOps as you will end up paying the price

Research

• https://www.linkedin.com/learning/implementing-and-administering-azure-sentinel/an-introduction-to-azure-sentinel?u=16620580
• https://www.appliedis.com/azure-sentinel-a-tip-of-the-microsoft-security-iceberg/
• Attack simulation training in Microsoft Defender for Office 365 now Generally Available
  • https://techcommunity.microsoft.com/t5/azure-sentinel/categorizing-microsoft-alerts-across-data-sources-in-azure/ba-p/1503367
• Level 400 – https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310
• https://techcommunity.microsoft.com/t5/microsoft-security-and/attack-simulation-training-in-microsoft-defender-for-office-365/ba-p/2037291
• Data Connectors
  • https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

Azure Sentinel

 

Reference

• https://www.managedsentinel.com/

Azure Security Monitoring

 

Monitoring Azure and or Cloud is not straight forward, you have to consider if logs are actually available via the cloud service and has security information. Its also necessary to consider, the Control Pane, Data Pane, Application and VM.

• Azure Log Monitoring – https://docs.microsoft.com/en-us/azure/security/azure-log-audit
• Security Centre Partner integration – https://docs.microsoft.com/en-gb/azure/security-center/security-center-partner-integration
• Azure Log FAQ – https://docs.microsoft.com/en-gb/azure/security/security-azure-log-integration-faq
• Stream Azure Diagnostic Logs to an event hub – https://docs.microsoft.com/en-gb/azure/azure-monitor/platform/diagnostic-logs-stream-event-hubs
• Analyze log data in Azure monitor –  https://docs.microsoft.com/en-gb/azure/azure-monitor/log-query/log-query-overview
• Use Azure Monitor to integrate with SIEM tools –  https://azure.microsoft.com/en-gb/blog/use-azure-monitor-to-integrate-with-siem-tools/
• Azure Log Integration with Azure Diagnostics logging and Windows event forwarding – https://docs.microsoft.com/en-gb/azure/security/security-azure-log-integration-get-started
• Azure Log Integration SIEM configuration steps –https://blogs.msdn.microsoft.com/azuresecurity/2016/08/23/azure-log-siem-configuration-steps/
• Integrate security solutions in Azure Security Center – https://docs.microsoft.com/en-gb/azure/security-center/security-center-partner-integration
• What’s inside Microsoft security architecture recommendations – https://docs.microsoft.com/en-us/security/compass/microsoft-security-compass-introduction

 

Sources

• VMs
• Azure Resources
• Azure Office 365
• Azure AD