
How to enable Microsoft Sentinel in your environment

Enabling Sentinel in your environment is simple. All you need is:

An active Azure subscription.
A Log Analytics workspace.

Once you have those, you can go to Sentinel in the Azure portal and install your data connectors. Then you are ready to start connecting data sources.

You can enable Sentinel on new Azure Monitor Log Analytics workspaces, and both log ingestion and Sentinel costs are waived for 31 days (up to a limit of 10GB of log data per day). Note that you are limited to a maximum of 20 workspaces per Azure tenant, but this should be sufficient to get a feel for the system.

If you have an existing workspace, Sentinel fees are likewise waived for the 31-day trial period. Charges for additional automation or bring-your-own machine learning still apply, however.

A variety of Microsoft data connectors are readily available and offer near real-time integration, including Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.

Sentinel also provides over 100 data connectors for non-Microsoft products, including AWS, Barracuda, Cisco and Symantec. In addition, Sentinel supports generic connectors that let you send data via Windows Firewall, Syslog, REST API or Common Event Format (CEF), so data can be ingested from practically any source. This makes it very flexible in fitting your infrastructure.

Once your data connectors are installed, Sentinel begins analysing your data and reporting potential security threats in your environment using its built-in alert rules.

However, the real value of Microsoft Sentinel lies in the ability to develop custom alert rules and automated playbooks that identify and eliminate threats in near real-time. These custom alert rules and playbooks let you tailor Sentinel to safeguard your business against the specific threats it faces.

Microsoft Sentinel in action – A typical scenario…

In this scenario, the organisation’s Azure AD Connect account has been compromised and its credentials stolen. We will look into this incident and discuss how Microsoft Sentinel could have been used to warn of and limit this attack at different points of the cyber kill chain.

A cyber kill chain is a sequence of eight steps that tracks an attack’s progress from reconnaissance to data exploitation, improving our understanding of the timeline of a cyber-attack.

We will focus on alerting and remediation for three of those stages: intrusion, reconnaissance and exfiltration.

Why should you focus on Azure AD Connect?

For those who aren’t familiar with Azure AD Connect (AAD Connect), it is an application that lets businesses connect their on-premises Active Directory with their Azure Active Directory environment. The most common authentication configurations for AAD Connect are Password Hash Sync (PHS) and Pass-Through Authentication (PTA).

Password Hash Sync works by synchronising the hashed passwords stored in Active Directory to Azure Active Directory, allowing users to sign in to cloud services with their existing credentials. Pass-Through Authentication, by contrast, lets users sign in to cloud services with their on-premises credentials by forwarding each authentication request to an on-premises Active Directory server.

Both configurations centre on the management of an organisation’s credentials, which makes AAD Connect a frequent target for attackers. This is why it is crucial to ensure that the AAD Connect service, and the server it is hosted on, are secured against credential theft.

Reconnaissance

The first stage of the cyber kill chain is reconnaissance. Studies show that up to 60 percent of an attacker’s effort is spent investigating an organisation and its infrastructure before the attack begins. Although reconnaissance is not in itself considered a threat or an exploit, it is something to be aware of: it is the very first step towards a cyber-attack, so it is essential to respond to such activity whenever it occurs.

The most common form of reconnaissance is port scanning, used to identify servers, what OS they run and, possibly, which applications are running on them. With this information, attackers can exploit known vulnerabilities or employ a password spray attack to gain a foothold in the system.

By using Managed Microsoft Sentinel, we can create a custom alert rule that responds when it detects port scanning and triggers an alert so the threat can be stopped.

To respond to this alert, we can create an automated playbook built on the Logic Apps framework available in Azure. Logic Apps uses a simple drag-and-drop interface to create a sequence of tasks to be carried out.

The advantage of Logic Apps is that they can be used to build complex workflows that would otherwise consume the time and energy of an organisation’s IT staff, reducing the amount of time spent on mundane, repetitive tasks.
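To make the port-scan alert rule concrete, here is an added example (not code from the original post or from Microsoft) that runs the same detection logic in Python over a handful of constructed firewall rows shaped like Sentinel’s CommonSecurityLog table. In Sentinel itself the rule would be written in KQL; the window size, the 20-port threshold, the IP addresses and the row values are all assumptions for the example. The output dictionaries are the kind of alert a Logic Apps playbook would receive as input.

```python
"""Port-scan detection over constructed firewall log rows.

Mirrors what a Sentinel scheduled analytics rule does in KQL: bin events into
fixed time windows, count distinct destination ports per source IP, and raise
an alert when the count crosses a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)   # bin size, like bin(TimeGenerated, 5m) in KQL (assumed value)
PORT_THRESHOLD = 20             # distinct ports per source per window (assumed value)


def sample_firewall_rows():
    """Constructed rows shaped like Sentinel's CommonSecurityLog table; all values are invented."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    rows = []
    # a scanner sweeping 30 consecutive ports on one host within two minutes
    for i in range(30):
        rows.append({"TimeGenerated": base + timedelta(seconds=4 * i),
                     "SourceIP": "203.0.113.10", "DestinationIP": "10.0.0.5",
                     "DestinationPort": 20 + i, "DeviceAction": "deny"})
    # a workstation repeatedly using three ordinary services on the same host
    for i in range(30):
        rows.append({"TimeGenerated": base + timedelta(seconds=7 * i),
                     "SourceIP": "10.0.1.25", "DestinationIP": "10.0.0.5",
                     "DestinationPort": (80, 443, 445)[i % 3], "DeviceAction": "allow"})
    return rows


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its window."""
    offset = ts.timestamp() % window.total_seconds()
    return ts - timedelta(seconds=offset)


def detect_port_scans(rows, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return one alert per (SourceIP, window) that touched at least `threshold` distinct ports."""
    ports = defaultdict(set)   # (src, window) -> destination ports seen
    hosts = defaultdict(set)   # (src, window) -> destination hosts seen
    for r in rows:
        key = (r["SourceIP"], window_start(r["TimeGenerated"], window))
        ports[key].add(r["DestinationPort"])
        hosts[key].add(r["DestinationIP"])
    alerts = []
    for key in sorted(ports, key=lambda k: (k[1], k[0])):
        if len(ports[key]) >= threshold:
            src, start = key
            alerts.append({"SourceIP": src,
                           "WindowStart": start.isoformat(),
                           "DistinctPorts": len(ports[key]),
                           "TargetHosts": sorted(hosts[key]),
                           "Severity": "Medium"})   # analyst-facing label chosen for the example
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(sample_firewall_rows()):
        print(alert)
```

Counting distinct ports rather than raw connection attempts is what keeps the chatty workstation out of the results: it generates as many rows as the scanner, but only ever touches three ports.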

Intrusion

An ever-growing form of intrusion that many organisations face is the password spray attack. In this kind of attack, an attacker attempts to break into an organisation using default or widely used credentials.

Attackers increasingly use lists of the most frequently used passwords to gain access to systems. According to the NCSC, more than 75 percent of companies were using passwords that appear in the top 1,000 most commonly used passwords. It is therefore no wonder that password spray attacks are becoming more commonplace!

Attackers are unlikely to attempt to sign in to an account by hand from their own IP address. Instead, they will try to automate the process using botnets. So, when an alert fires for an unusual sign-in, we can look up the IP address from the sign-in alert and determine whether it came from a known botnet. If so, we block the user from signing in and open a ticket in ServiceNow to notify IT personnel of the possible breach.

Although most workflows can be created using the basic building blocks available in Logic Apps, a more intricate workflow is sometimes required. In this scenario, we cannot quickly build a Logic App that compares the IP address in the alert against the list of known botnets. However, Logic Apps can call Function Apps, which are small pieces of custom code that run on demand. This means we can design a Logic App that performs more intricate tasks.
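The following added example (not code from the original post or from Microsoft) shows both halves of the Intrusion section in Python: the spray detection an alert rule performs over constructed rows shaped like Sentinel’s SigninLogs table, and the botnet lookup the Function App performs on the alert the rule produces. The thresholds, the CIDR ranges and the account names are assumptions; the `handle_request` entry point takes a JSON string so that it runs without the Azure Functions runtime, whereas a deployed function would receive the same body through an HTTP trigger. ResultType 50126 is Entra ID’s real “invalid username or password” code.

```python
"""Password-spray triage: flag an IP that fails sign-ins across many accounts,
then check it against a botnet CIDR list the way a small Function App called
from a Logic Apps playbook would, and return the playbook's next actions."""
import ipaddress
import json
from collections import defaultdict

# Constructed botnet ranges (RFC 5737 documentation space, not real threat intelligence)
BOTNET_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.64/26")]

SPRAY_MIN_ACCOUNTS = 10     # distinct accounts failing from one IP (assumed threshold)
SPRAY_MAX_PER_ACCOUNT = 3   # sprays stay under lockout, so few attempts per account (assumed)


def sample_signin_rows():
    """Constructed rows shaped like Sentinel's SigninLogs table; values are invented."""
    rows = []
    # one IP trying a single guess against twelve different accounts
    for i in range(12):
        rows.append({"IPAddress": "198.51.100.77",
                     "UserPrincipalName": f"user{i:02d}@contoso.example",
                     "ResultType": "50126"})
    # one user mistyping their own password a few times, then succeeding
    for _ in range(4):
        rows.append({"IPAddress": "192.0.2.10",
                     "UserPrincipalName": "alice@contoso.example",
                     "ResultType": "50126"})
    rows.append({"IPAddress": "192.0.2.10",
                 "UserPrincipalName": "alice@contoso.example",
                 "ResultType": "0"})
    return rows


def detect_password_spray(rows, min_accounts=SPRAY_MIN_ACCOUNTS,
                          max_per_account=SPRAY_MAX_PER_ACCOUNT):
    """Return one alert per IP whose failed sign-ins are spread thinly over many accounts."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> account -> failure count
    for r in rows:
        if r["ResultType"] != "0":
            failures[r["IPAddress"]][r["UserPrincipalName"]] += 1
    alerts = []
    for ip, per_account in failures.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({"IPAddress": ip,
                           "Accounts": sorted(per_account),
                           "FailedSignins": sum(per_account.values())})
    return alerts


def is_botnet_ip(ip, ranges=BOTNET_RANGES):
    """CIDR membership test; malformed input counts as 'not found' rather than crashing the playbook."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def triage_alert(alert):
    """Decide the playbook's actions for a spray alert; the Logic App performs them."""
    hit = is_botnet_ip(alert["IPAddress"])
    return {"IPAddress": alert["IPAddress"],
            "KnownBotnet": hit,
            "Actions": ["block_sign_in_for_accounts", "open_servicenow_ticket"] if hit
                       else ["notify_analyst"],
            "Accounts": alert.get("Accounts", [])}


def handle_request(body: str) -> str:
    """Function App entry point in spirit: JSON alert in, JSON decision out."""
    return json.dumps(triage_alert(json.loads(body)))


if __name__ == "__main__":
    for alert in detect_password_spray(sample_signin_rows()):
        print(handle_request(json.dumps(alert)))
```

The `max_per_account` cap is what separates a spray from a single user who has forgotten their password: Alice fails four times from one IP but against one account, so she is never flagged.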

Exfiltration

After an attacker gains initial access to a network, they will look for ways to extract data from it. In our fictional example, the attacker has gained access to a local administrator account and is now seeking to extract the credentials of every user from Active Directory.

Since the attacker has compromised the server hosting the AAD Connect service, they can take over the built-in service account that AAD Connect uses to perform its synchronisation, an attack technique often referred to as DCSync. Here the attacker impersonates a Domain Controller and requests password data from the target Domain Controller.

In the Microsoft security stack, Azure Advanced Threat Protection (Azure ATP) provides out-of-the-box protection against DCSync attacks. However, many security teams face the problem of having to navigate the separate dashboards of every Microsoft security product they have installed, such as Microsoft Defender ATP, Azure ATP and CAS.

In the past, this has meant wasted time switching between dashboards and consoles, slower responses, and the risk of missing threats and the correlations between them.

With the advent of Microsoft Sentinel, an organisation can now view threats and alerts across its entire IT infrastructure in one place. It can also use Sentinel incidents to correlate alerts and entities from all of its data sources, bringing in the contextual information relevant to an investigation.
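Azure ATP covers DCSync out of the box, but the same signal is also visible in the Windows Security log that Sentinel ingests into its SecurityEvent table, and the scenario above has a wrinkle worth showing: the compromised account is the AAD Connect sync account, which legitimately holds replication rights, so a rule that only allowlists that account would miss the attack. The added example below (not code from the original post or from Microsoft) expresses the detection in Python over constructed events: 4662 directory-access events carrying the real replication control-access GUIDs are joined to the 4624 logon that created the session, and an alert is raised unless the account is approved to replicate from that source host. The domain controller names, the sync account name, the IP addresses and the session IDs are assumptions; in Sentinel the same join would be written in KQL.

```python
"""DCSync detection over constructed Windows Security events.

Expresses what a Sentinel analytics rule over the SecurityEvent table would do:
find 4662 directory-access events that request the replication control-access
rights, join each to the 4624 logon that created the session so the source host
is known, and alert unless the account is approved to replicate from that host.
"""
import re

# Control-access right GUIDs present in a 4662 'Properties' field for replication requests
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumed environment: domain controller machine accounts replicate by design, and the
# AAD Connect sync account (MSOL_*) may replicate only from the AAD Connect server itself.
DC_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_REPLICATORS = {"MSOL_a1b2c3d4e5f6": {"10.0.0.20"}}   # account -> permitted source IPs

OTHER_GUID = "00000000-0000-0000-0000-00000000abcd"   # constructed stand-in for a non-replication property


def sample_events():
    """Constructed SecurityEvent rows; every value is invented for this example."""
    rep = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
    logons = [  # 4624: TargetLogonId is the new session, IpAddress is where it came from
        {"EventID": 4624, "TargetLogonId": "0x3e7a1", "TargetUserName": "MSOL_a1b2c3d4e5f6", "IpAddress": "10.0.0.20"},
        {"EventID": 4624, "TargetLogonId": "0x3e7b2", "TargetUserName": "MSOL_a1b2c3d4e5f6", "IpAddress": "10.0.5.99"},
        {"EventID": 4624, "TargetLogonId": "0x3e7c3", "TargetUserName": "jdoe", "IpAddress": "10.0.5.99"},
        {"EventID": 4624, "TargetLogonId": "0x3e7d4", "TargetUserName": "DC02$", "IpAddress": "10.0.0.11"},
    ]
    access = [  # 4662: SubjectLogonId ties the access back to one of the sessions above
        # routine AAD Connect synchronisation from the AAD Connect server
        {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6", "SubjectLogonId": "0x3e7a1",
         "ObjectType": "domainDNS", "AccessMask": "0x100", "Properties": rep},
        # the page's scenario: the stolen sync account used from a workstation
        {"EventID": 4662, "SubjectUserName": "MSOL_a1b2c3d4e5f6", "SubjectLogonId": "0x3e7b2",
         "ObjectType": "domainDNS", "AccessMask": "0x100", "Properties": rep},
        # an ordinary user account requesting replication rights
        {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7c3",
         "ObjectType": "domainDNS", "AccessMask": "0x100", "Properties": rep},
        # a domain controller replicating: normal
        {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7d4",
         "ObjectType": "domainDNS", "AccessMask": "0x100", "Properties": rep},
        # the same user touching an unrelated property: not a replication request
        {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7c3",
         "ObjectType": "user", "AccessMask": "0x10", "Properties": "{" + OTHER_GUID + "}"},
    ]
    return logons + access


def detect_dcsync(events, allowed=ALLOWED_REPLICATORS, dc_accounts=DC_ACCOUNTS):
    """Return one alert per replication request not approved for its account and source host."""
    sessions = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.lower() for g in GUID_RE.findall(e["Properties"])} & REPLICATION_GUIDS
        if not rights:
            continue
        user = e["SubjectUserName"]
        if user in dc_accounts:
            continue
        logon = sessions.get(e["SubjectLogonId"])
        src = logon["IpAddress"] if logon else "unknown"   # no matching 4624: still alert
        if src in allowed.get(user, set()):
            continue
        alerts.append({
            "Account": user,
            "SourceIP": src,
            "Rights": sorted(rights),
            "Reason": "approved account from unexpected host" if user in allowed else "unapproved account",
            "Severity": "High",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(sample_events()):
        print(alert)
```

The join is the point: a 4662 event on its own says who asked for replication rights but not from where, so the rule keys the allowlist on the (account, source host) pair rather than on the account alone. A missing 4624 is treated as suspicious rather than silently accepted.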

Conclusion

In conclusion, Microsoft Sentinel is a robust SIEM suited to the modern technological environment. It provides a bird’s-eye view of your entire IT estate along with smart analytics, backed by advanced artificial intelligence, that help you identify and combat threats in near real-time.

As the examples on this page show, Sentinel integrates seamlessly with your existing Microsoft and non-Microsoft infrastructure, while still giving you the flexibility to tailor Sentinel to your security requirements.

All of this helps protect your business from the ever-growing cybersecurity threats of the contemporary world. Microsoft Sentinel’s automated playbooks also increase the productivity of IT and support personnel by reducing the amount of trivial, time-consuming remediation work required, while accelerating incident response times.