What is Microsoft Sentinel?

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise.

What are the prerequisites for building Sentinel?

You need an active Azure subscription, contributor role access to the subscription, and a Global administrator account for certain Microsoft logs.

How does Microsoft Sentinel integrate with XDR?

Sentinel serves as a single pane of glass for alerts and data from Microsoft Defender and Azure services, enabling correlation of security data across various platforms.

What data connectors can be utilized with Microsoft Sentinel?

You can utilize data connectors for Azure activity logs, Microsoft 365 Defender alerts, and several third-party sources, including firewalls and identity protection services.

Can third-party logs be integrated into Sentinel?

Yes, Sentinel can pull in logs from third-party sources via APIs, Syslog, or other methods such as using the Log Analytics agent.

What is KQL and why is it important?

Kusto Query Language (KQL) is used for querying data in Azure's log analytics and Sentinel, facilitating complex queries to analyze logs.

How can automation be implemented in Sentinel?

Automation can be set through automation rules and playbooks, enabling orchestration of responses to security incidents.

How long can Sentinel retain logs?

By default, Sentinel retains logs for 30 days, but you can extend this to 90 days at no extra cost.

What are analytic rules in Sentinel?

Analytic rules in Sentinel are predefined queries that detect unusual behavior, threats, or security incidents based on the incoming logs.

How can one start using Microsoft Sentinel?

One can start using Microsoft Sentinel by creating a free Azure account and following guidance for setting up log analytics and Sentinel.

Microsoft Sentinel: Step by Step Full Tutorial (follow along)

00:54:45

https://www.youtube.com/watch?v=L_EIuIPaVYM

摘要

TLDRThe webinar provides a detailed overview of building Microsoft Sentinel in one hour, including the prerequisites, configuration of a log analytics workspace, and integration of data sources. Leaders Joe Stalker and Lamar emphasize the importance of Sentinel as a SIEM solution that aggregates alerts from Microsoft Defender and Azure services, incorporating third-party log sources. Attendees learn how to set up data connectors, utilize Kusto Query Language for querying events, and implement automation with rules and playbooks to enhance security operations.

心得

🔍 Introduction to Microsoft Sentinel and its capabilities
⚙️ Prerequisites for building Sentinel
📊 Setting up a log analytics workspace
🛠️ Connecting third-party data sources
📈 Using Kusto Query Language (KQL) for querying
📑 Implementing analytic rules for threat detection
⚡ Automating responses through playbooks
🔒 Importance of log retention policies
📅 Overview of free trials and limits in Sentinel
👥 Collaboration with Microsoft for security practices

时间轴

00:00:00 - 00:05:00
In the webinar introduction, Joe Stalker, founder of Patriot, highlights the agenda, including an overview of Microsoft Sentinel, prerequisites for building, and a detailed walkthrough on setting up Sentinel.
00:05:00 - 00:10:00
Joe introduces himself and his team member Lamar, emphasizing their vast experience with Microsoft Sentinel and the support they provide to clients as a Microsoft cybersecurity partner.
00:10:00 - 00:15:00
Lamar explains the integration of Microsoft Sentinel with Defender services, illustrating how various Microsoft security solutions contribute to a comprehensive security posture.
00:15:00 - 00:20:00
Lamar discusses the incident lifecycle in Microsoft Sentinel, explaining how an attack usually begins with email and describing the interaction of security services like Defender for Cloud and Defender for Identity during an attack.
00:20:00 - 00:25:00
Lamar elaborates on integrating third-party log data into Sentinel, mentioning various methods for log ingestion and highlighting the importance of correct configuration for effective monitoring.
00:25:00 - 00:30:00
Joe outlines the setup process for Microsoft Sentinel, starting with creating a Log Analytics Workspace and setting up the necessary prerequisites like Azure subscriptions and permissions.
00:30:00 - 00:35:00
The team discusses the importance of setting data caps during the evaluation period, helping to avoid unexpected charges as users familiarize themselves with Sentinel.
00:35:00 - 00:40:00
Joe details the process of installing data connectors for Azure activity logs and Microsoft 365 audit logs from the Content Hub, emphasizing the distinction between free and paid data sources.
00:40:00 - 00:45:00
In the setup process, Joe highlights the configuration of various data connectors, including necessary permissions, and mentions how to ensure only alerts are ingested during the evaluation phase.
00:45:00 - 00:54:45
The session wraps up by discussing automation rules and playbooks in Sentinel, showcasing how these features allow users to automate responses and orchestration within their security operations.

显示更多

思维导图

视频问答

What is Microsoft Sentinel?
Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that provides intelligent security analytics and threat intelligence across the enterprise.
What are the prerequisites for building Sentinel?
You need an active Azure subscription, contributor role access to the subscription, and a Global administrator account for certain Microsoft logs.
How does Microsoft Sentinel integrate with XDR?
Sentinel serves as a single pane of glass for alerts and data from Microsoft Defender and Azure services, enabling correlation of security data across various platforms.
What data connectors can be utilized with Microsoft Sentinel?
You can utilize data connectors for Azure activity logs, Microsoft 365 Defender alerts, and several third-party sources, including firewalls and identity protection services.
Can third-party logs be integrated into Sentinel?
Yes, Sentinel can pull in logs from third-party sources via APIs, Syslog, or other methods such as using the Log Analytics agent.
What is KQL and why is it important?
Kusto Query Language (KQL) is used for querying data in Azure's log analytics and Sentinel, facilitating complex queries to analyze logs.
How can automation be implemented in Sentinel?
Automation can be set through automation rules and playbooks, enabling orchestration of responses to security incidents.
How long can Sentinel retain logs?
By default, Sentinel retains logs for 30 days, but you can extend this to 90 days at no extra cost.
What are analytic rules in Sentinel?
Analytic rules in Sentinel are predefined queries that detect unusual behavior, threats, or security incidents based on the incoming logs.
How can one start using Microsoft Sentinel?
One can start using Microsoft Sentinel by creating a free Azure account and following guidance for setting up log analytics and Sentinel.

查看更多视频摘要

即时访问由人工智能支持的免费 YouTube 视频摘要！

字幕

自动滚动:

00:00:02
welcome to today's webinar on building
00:00:04
Sentinel in one hour we'll go ahead and
00:00:07
go through the agenda here so we'll give
00:00:09
you an overview of
00:00:10
Sentinel uh we'll discuss the
00:00:12
prerequisites for building uh Sentinel
00:00:16
and then uh you'll be following along as
00:00:19
we actually go through all the steps uh
00:00:21
just by way of introduction my name is
00:00:23
Joe stalker I'm the founder and CEO of
00:00:25
patriot um so I started Patriot um
00:00:27
almost 10 years ago and uh have written
00:00:30
a book on securing Microsoft
00:00:33
365 I also help lead our managed uh
00:00:36
Sentinel practice which is uh 247 xdr uh
00:00:41
service
00:00:42
offering and I'm joined today uh by
00:00:45
Lamar no Lamar would you mind um sharing
00:00:47
a little bit about yourself hi everyone
00:00:50
nice to have you on today my name's
00:00:52
Lamar now um been working in Microsoft
00:00:55
Consulting for several years it's a
00:00:57
passion of mine to especially around the
00:00:59
senal
00:01:00
area um it's been a fun learning
00:01:02
experience and always learning something
00:01:04
new a little bit more about Patriots so
00:01:06
we are a Microsoft cyber security
00:01:08
partner uh we partner very closely with
00:01:10
Microsoft it's the only partner we have
00:01:13
and uh they've ranked this one of their
00:01:14
top three Partners in the US uh based on
00:01:17
the number of uh projects uh that we've
00:01:19
completed about 2,000 since
00:01:22
2015 uh last year we deployed over 4
00:01:24
million seats of the defender xdr stack
00:01:28
and on average we're helping close to 4
00:01:29
400 clients per year and we do offer a a
00:01:33
247 sock uh so if you for example build
00:01:36
Sentinel and and you need help after
00:01:38
hours or weekend or even frankly during
00:01:41
the day but you know we do offer a a
00:01:43
weekend and after hour um coverage plan
00:01:45
as well uh but we can help uh monitor
00:01:49
your Sentinel that you
00:01:51
build uh Lamar would you mind just
00:01:53
giving us a high level overview of you
00:01:55
know what kind of stuff feeds into
00:01:57
Microsoft Sentinel especially as it
00:02:00
relates to what Microsoft refers to is
00:02:02
their uh their xdr
00:02:04
service yeah thanks Joe so yeah Sentinel
00:02:08
is your single pane of glass for for all
00:02:12
things in the Microsoft uh Defender
00:02:15
Suite as well as your Azure side of the
00:02:18
house so if we notice here right we have
00:02:20
all the all the SAS apps fly come into a
00:02:23
Defender for cloud apps we have M365
00:02:27
Defender for endpoint Defender for
00:02:29
identity that it's kind of your Defender
00:02:30
stack you can of course see these things
00:02:33
in your Defender xdr portal um there's
00:02:36
there's some interesting and and
00:02:38
exciting things happening on the
00:02:40
combination of Sentinel and xdr these
00:02:42
days too which we can get to later we
00:02:44
also have the entra ID side of the house
00:02:46
where it's your proactive uh protections
00:02:50
on your identities so all that can flow
00:02:53
into your Defender xdr but then we also
00:02:55
have the all the Azure stuff right your
00:02:58
your VMS your cloud your SQL your app
00:03:01
Services those things also generate
00:03:04
alerts those alerts need to be managed
00:03:07
they need to be investigated and
00:03:10
preferably automated as well so those
00:03:13
things are powered by Defender for cloud
00:03:15
but then really the the main way to deal
00:03:18
with those the best way is to make sure
00:03:20
they come over to Sentinel and that's
00:03:22
where you have all of your supporting
00:03:24
data as well you can have correlation
00:03:27
across identities end points Cloud you
00:03:31
can really see the full picture of of an
00:03:33
entire incident from one
00:03:35
spot
00:03:37
awesome so walk us through like a a
00:03:40
typical you know security event and how
00:03:42
that would kind of play out in
00:03:45
Sentinel yeah so this is a great slide
00:03:47
for that as we know most attacks start
00:03:50
with email so there's an email that
00:03:53
comes in uh that's where we have our
00:03:55
Defender for office right can can start
00:03:58
tracking that hopefully blocking it
00:04:00
right at the beginning um if that
00:04:02
doesn't happen something gets clicked on
00:04:05
and there's there's something that gets
00:04:07
installed on an
00:04:08
endpoint um that endpoint can either be
00:04:11
for example a user's laptop or it could
00:04:14
be a VM in Azure so depending on where
00:04:17
that's at you have Defender for cloud
00:04:19
you have Defender for endpoint there to
00:04:21
catch that as
00:04:22
well moving on if that user's identity
00:04:25
gets compromised you'll have Defender
00:04:28
for identity
00:04:30
that's where we can uh track your active
00:04:32
directory side of the house to see uh
00:04:35
what type of lateral movement attempts
00:04:37
they having what are they doing with
00:04:40
those
00:04:41
identities um you also have across the
00:04:44
top there Defender for cloud apps so you
00:04:47
know did they access sensitive data did
00:04:50
they exfiltrate it um another path is
00:04:53
instead of active directory if they come
00:04:55
in from the ENT side that's that top
00:04:57
gray area there we have identity
00:05:00
protection there as well so that's
00:05:02
another area that we can we can block
00:05:04
and make sure that that we stop them at
00:05:05
that level and you have Defender for iot
00:05:09
so it's growing and growing a new area
00:05:11
of of attacks for a lot of Bad actors so
00:05:16
Defender also can integrate into your
00:05:18
iot and OT
00:05:20
environments and if an incident touches
00:05:23
all of these you'll get the entire
00:05:25
picture right from Sentinel so of course
00:05:27
we want to block it proactively this
00:05:29
Paints the entire picture for us got it
00:05:32
so so the xdr stack it's all the
00:05:35
prevention capabilities as well as
00:05:37
detection capabilities and then that's
00:05:39
flowing into Microsoft Sentinel which is
00:05:41
a Sim solution uh what what about uh
00:05:45
third party sources how do we get those
00:05:47
in yeah so if it produces logs we can
00:05:50
bring it in right so depending on the
00:05:53
third party itself uh many many third
00:05:56
parties are are giving us access to apis
00:06:00
where Sentinel can go and pull the logs
00:06:03
um that makes it pretty easy generate an
00:06:05
authorization a key and depending on the
00:06:08
vendor you know may need a couple more
00:06:10
pieces of data and once we have that we
00:06:12
pull data in there's another way of
00:06:15
doing it is through your uh if they
00:06:17
produce CIS log or CF type data those
00:06:21
are more commonly used for things like
00:06:24
firewalls
00:06:25
switches uh and those types of things if
00:06:29
it produces those datas we can use a CIS
00:06:31
log forwarder to then uh install Arc and
00:06:35
the AMA agent on there and that will
00:06:37
forward them off to Sentinel in a secure
00:06:40
manner 443 encrypted over the over the
00:06:43
internet to Sentinel you can also do it
00:06:46
a couple other ways but you can do it
00:06:49
via uh private space as well so there's
00:06:53
there's tons of options however that log
00:06:55
gets created even if it's a flat file
00:06:57
somewhere Sentinel can pick it up your
00:06:59
machine produce files we can bring those
00:07:01
in so wherever the log happens to be
00:07:03
created or exist we can grab
00:07:05
it so today you know just for um you
00:07:09
know building out Sentinel getting data
00:07:11
to flow uh we'll show you how to pull
00:07:13
data in using just the native data
00:07:15
connectors from the uh xdr stack so um
00:07:18
the Azure activity logs uh we'll show
00:07:21
you how to bring in um all of these um
00:07:25
you know xdr uh components so those will
00:07:28
come in show you to bring in the Office
00:07:30
365
00:07:32
logs and uh so these are currently the
00:07:35
the the free sources right the alert
00:07:38
data um we'll also bring in the
00:07:40
Microsoft inro logs uh we'll show you
00:07:42
how to do that and uh so that'll that'll
00:07:45
kind of get you started today with your
00:07:46
Sentinel setup now you'll notice
00:07:49
Microsoft Sentinel sits on top of a
00:07:53
what's called a log analytics
00:07:55
workspace so that'll be the very first
00:07:58
thing we create today that's kind of the
00:08:01
you know this is the solution that pulls
00:08:03
all the logs into it and then Sentinel
00:08:06
is kind of that solution that reasons
00:08:08
over it and also provides uh security
00:08:12
orchestration and response and
00:08:14
automation uh so we'll kind of walk
00:08:16
through that today as well so some of
00:08:18
the
00:08:19
prerequisites uh to build your Sentinel
00:08:22
environment you will need an active
00:08:24
Azure
00:08:25
subscription um if you don't have one uh
00:08:29
we paste this link here uh in the chat
00:08:32
for you to be able to to get started and
00:08:35
and create one uh but this will be a a
00:08:38
prerequisite and again don't worry if
00:08:40
you don't have that uh Azure
00:08:42
subscription right this moment again
00:08:43
this meeting is recorded so you can
00:08:46
simply uh when you get the recording you
00:08:49
can then follow along um but if you um
00:08:52
wanted to you can actually check out
00:08:54
this quick start great little
00:08:56
guide to get your Sentinel uh up and
00:08:58
running so so we'll kind of um you know
00:09:01
start there
00:09:03
today if you want to bring in the
00:09:05
Microsoft audit logs from say SharePoint
00:09:09
and one drive and teams and email then
00:09:13
you will need a uh Global administrator
00:09:17
account to a Microsoft tenant now if you
00:09:21
don't have a like a lab tenant or if
00:09:23
you're okay in in installing and
00:09:25
production you know since again this is
00:09:27
just read only we're just getting the
00:09:28
logs not going to affect anything in in
00:09:32
your production environment um then you
00:09:34
can certainly do that with your um you
00:09:37
know production
00:09:38
environment so if you do follow the
00:09:41
principle of lease privilege you know
00:09:43
the role-based access controls um at a
00:09:46
minimum within your Azure
00:09:48
subscription you're going to need a uh
00:09:51
the contributor role um at the
00:09:54
subscription level in which Microsoft
00:09:56
Sentinel workspace is going to reside so
00:09:58
that would be like one permission now if
00:10:01
if you spin up your own kind of lab
00:10:03
environment and you have an Azure
00:10:05
subscription created you're already
00:10:07
going to have the owner permission so
00:10:10
this principle of lease privilege is
00:10:11
just for those of you that really need
00:10:13
to follow very strict you know
00:10:15
permission
00:10:16
modeling you'll need the uh Sentinel
00:10:18
contributor or Microsoft Sentinel reader
00:10:20
permissions on the resource Group uh
00:10:23
that the workspace the log analytics
00:10:25
workspace belongs to so those are uh the
00:10:28
prere
00:10:30
so today um we're going to show you how
00:10:34
to set up Sentinel which consists of
00:10:36
creating a log analytics
00:10:38
workspace adding Sentinel on top of that
00:10:42
workspace then we're going to start to
00:10:44
show you how to pull data in uh using
00:10:46
the content Hub which is kind of like a
00:10:48
catalog of over 300 different sources so
00:10:52
if you have like paloo or foret or
00:10:56
Cisco um you know those kinds of uh
00:10:59
connectors you know you can pull those
00:11:01
in there we'll show you how to manage
00:11:03
the data
00:11:05
connector and then deploying the
00:11:06
analytic rules is typically The Next
00:11:09
Step um we'll also show you how to
00:11:11
enable the user and entity behavior um
00:11:14
analytics and anomaly
00:11:16
detections we'll go over some kql Basics
00:11:19
and some basic incident manage
00:11:21
management and then some reporting
00:11:23
Basics so that's really what's on the
00:11:26
agenda uh for today so to get started to
00:11:29
set up Microsoft Sentinel you'll browse
00:11:32
to portal. azure.com
00:11:35
and again uh feel feel free to follow
00:11:38
along so I'm here in Portal azure.com so
00:11:41
up in the top you'll type in um Sentinel
00:11:45
and you'll search for Microsoft
00:11:48
Sentinel you'll notice I have a couple
00:11:50
of these um lab environments already
00:11:53
here but for you it should be probably
00:11:55
blank unless you've also got one uh
00:11:58
created so so you're going to go and
00:11:59
click on
00:12:01
Create and uh the first thing that
00:12:03
you're going to do is create a new
00:12:05
workspace because again Sentinel sits on
00:12:08
top of uh log
00:12:11
analytics you'll choose your
00:12:13
subscription that hopefully you have
00:12:14
access to if not you'll need to create a
00:12:16
subscription and again you'll follow
00:12:17
that quick start guide that we put in
00:12:19
the chat uh for you we do recommend
00:12:23
creating a resource Group a fresh clean
00:12:26
Resource Group uh for this to be cre in
00:12:30
so we'll give it like a acronym like
00:12:33
RG and then um you know Sentinel lab
00:12:39
three okay and of course you can follow
00:12:41
your own naming convention
00:12:43
there and uh so that's the name of the
00:12:46
resource Group and then the log
00:12:47
analytics workspace I'll call it like
00:12:49
log
00:12:52
analytics
00:12:54
Sentinel
00:12:57
three and then we'll just go Ahad and
00:12:59
click on review and
00:13:01
create now creating this log analytics
00:13:04
workspace um should only take 10 seconds
00:13:08
or so should be pretty quick you can
00:13:10
kind of monitor the progress
00:13:13
here once this uh gets created we'll
00:13:16
actually go back to
00:13:18
Sentinel and then we'll add Sentinel
00:13:20
into this uh log analytics
00:13:27
workspace yeah Joe so starting this here
00:13:29
gives us the the 30-day free trial right
00:13:32
that's a great point so you'll have 31
00:13:34
days to evaluate and one of the very
00:13:37
first things we're going to do is we're
00:13:39
going to show you um how to enable a uh
00:13:46
a data cap um because one of the really
00:13:49
important things during your 31-day free
00:13:51
trial is um you want to make sure you
00:13:55
know that you're not uh exceeding what
00:13:57
is free so what's is they're going to
00:13:59
give you the first 10 gigs per day of
00:14:02
ingestion so we can set a cap so that
00:14:07
Sentinel will stop ingesting data once
00:14:10
it reaches the 10 gig that way you don't
00:14:13
get any surprise charges now once you're
00:14:16
ready to go into production obviously
00:14:18
you'll want to you know remove that cap
00:14:20
so that way you're able to
00:14:22
get you know all the alerts that you
00:14:24
need to but uh yeah so to set the cap
00:14:28
you go down to in your log analytics
00:14:30
workspace you go to usage and estimated
00:14:32
costs then you go to daily cap you'll
00:14:36
turn on the
00:14:39
cap and
00:14:42
uh this is because we haven't created
00:14:45
The Sentinel instance on it so I skipped
00:14:47
uh one step so inside of Sentinel when
00:14:50
we go back to Sentinel we're going to
00:14:52
now create Sentinel and we're going to
00:14:54
put it on top of that log analy
00:14:56
workspace and then we'll be able to
00:14:57
create the data cap so I'm going to go
00:14:59
go ahead and go to create here I'm going
00:15:01
to choose that new um workspace that I
00:15:04
created in the previous step going to
00:15:06
click add again this should take about
00:15:09
seven to 10 seconds here it's pretty
00:15:11
quick for this to get created to get
00:15:13
added into that okay that's done now in
00:15:16
order to get to the data cap section
00:15:18
we're going to go down to settings at
00:15:20
the
00:15:21
bottom then we're going to click on
00:15:22
workspace
00:15:24
settings usage and estimated costs
00:15:29
uh daily cap now we can turn on that
00:15:32
daily cap okay so we're going to set it
00:15:34
to 10 gig so that'll be the cap another
00:15:37
thing kind of worth pointing out is the
00:15:39
retention policy so by default when you
00:15:43
first create uh log
00:15:45
analytics um it's going to retain your
00:15:47
logs for 30 days but Microsoft actually
00:15:51
gives you an additional 60 days for free
00:15:53
when you're using Sentinel on top of log
00:15:55
analytics so to take advantage of that
00:15:58
just bump that up to 90 there's no
00:15:59
additional fee to do that um so that is
00:16:02
a good practice to to take advantage of
00:16:04
and you know if you have any regulatory
00:16:07
requirements um you know you may need to
00:16:09
go longer so for example PCI the payment
00:16:12
card industry um I last I checked they
00:16:15
want you to keep your security logs for
00:16:17
one year so that you'd go ahead and bump
00:16:19
that up now once you go above 90 days
00:16:22
you know there there are some additional
00:16:24
uh costs for log retention past 90 days
00:16:27
and you could read about that in the
00:16:29
learn more length there but I'll just go
00:16:31
ahead and set that to
00:16:33
90 Okay so we've got our uh data cap set
00:16:38
now what we want to talk about next is
00:16:41
the um now that we've created the log
00:16:44
analytics workspace we've enabled
00:16:46
Sentinel we've set the data cap and the
00:16:49
retention policy the next step is to
00:16:51
import some content from the content Hub
00:16:55
now what we recommend enabling are what
00:16:58
are called the always free data sources
00:17:01
so your Azure activity
00:17:05
logs your Office 365 audit logs which
00:17:08
include SharePoint exchange and and
00:17:11
teams and the uh security alerts from
00:17:15
the Microsoft Defender xdr stack so all
00:17:18
of these Defender xdr products all the
00:17:20
alerts uh from these products those are
00:17:22
all free so in the content Hub you'll
00:17:25
search um for each of these so azure
00:17:28
acity Microsoft
00:17:30
365 Defender xdr and then you'll just
00:17:34
simply click the install button and
00:17:37
that'll start uh pulling that data in or
00:17:40
at least getting the connector installed
00:17:42
there's a second step to uh to pull the
00:17:45
data in but let's start there so we're
00:17:47
going to find the Azure audit logs first
00:17:51
by going over to getting back into
00:17:54
Sentinel we'll refresh here we'll get
00:17:56
into our new lab
00:18:00
and it's this is where it's telling you
00:18:01
the free trial's been activated um
00:18:04
you'll have some time and uh you
00:18:08
know we set that cap so no worries there
00:18:11
so we go down to Content
00:18:13
Hub and we'll go ahead and search for
00:18:16
the
00:18:18
um Azure activity which is shown
00:18:21
here we'll go Ahad and install
00:18:24
that it should take about 5 seconds or
00:18:27
so to install it's usually pretty
00:18:33
quick that's installed now we're going
00:18:35
to look for the uh
00:18:38
Microsoft uh
00:18:42
365 and this one's pretty quick as well
00:18:44
should be about 5 seconds or so and
00:18:47
install
00:18:50
that and uh while this is installing
00:18:53
you'll notice some details in the
00:18:55
content Hub um this particular content
00:18:58
pack
00:18:59
includes 15 analytics rules a data
00:19:02
connector uh 21 hunting queries and
00:19:05
three
00:19:06
workbooks um we're going to discuss
00:19:09
analytic rules and workbooks um here in
00:19:11
a
00:19:11
moment uh but installing the content Hub
00:19:15
basically creates a data connector and
00:19:18
data connectors you know we we'll go and
00:19:20
configure those in a moment we have one
00:19:22
more to uh configure here which is the
00:19:25
uh the defender
00:19:27
xdr uh
00:19:29
component so we'll go and install this
00:19:32
say install yeah and a common thing
00:19:34
there Joe is clients will ask well just
00:19:37
by installing that are the logs flowing
00:19:41
now what would we say to that yeah so we
00:19:44
need to go into the connector and um
00:19:46
configure each of those connectors and
00:19:48
that allows you to choose like we were
00:19:51
talking about before you know when we're
00:19:54
configuring this um this xdr connector
00:19:58
if we want the only the free data
00:20:00
sources we need to make sure we only get
00:20:02
the security alerts and maybe not like
00:20:05
the the raw data from say Defender for
00:20:08
endpoint so the raw data like the
00:20:10
registry changes the network events you
00:20:13
know that stuff's not free but the
00:20:15
alerts coming from Defender for endpoint
00:20:17
uh would be free so that next step um
00:20:20
that Lamar is kind of bringing up there
00:20:21
that's what we'll uh configure
00:20:24
next now I want to I want to bring in a
00:20:27
fourth connector um that I that I feel
00:20:29
is pretty important um so the Microsoft
00:20:32
entra ID connector this is super
00:20:35
important because most of the alerts
00:20:37
that we're investigating in our sock
00:20:39
typically are attacks against the
00:20:41
identity so I do recommend bring this
00:20:44
one in now just be advised you know the
00:20:47
um data from Microsoft entri ID is is
00:20:49
not free um after your 31 Day free tral
00:20:53
you know during your 31-day free tral
00:20:55
you know there's there's no cost to this
00:20:57
but after that um if you're continuing
00:20:59
to use sentinel um you know you'll need
00:21:03
to look at the uh costs uh for this
00:21:06
table which you can do under under
00:21:07
settings it'll show you the cost um but
00:21:10
that'll be something to kind of keep in
00:21:11
mind here but I'm going to go ahead and
00:21:12
install the Microsoft entri ID connector
00:21:15
because I do feel like that one's pretty
00:21:16
important that's going to give us our
00:21:18
signin logs um
00:21:21
our um you know different uh attacks
00:21:25
against the identity you'll notice that
00:21:27
there's 63 three analytics
00:21:30
rules that come with this
00:21:32
particular uh connector okay so let's
00:21:35
actually go in
00:21:37
and uh you know configure a data
00:21:39
connector here so in the data connectors
00:21:42
uh the ones that we've installed are are
00:21:44
showing here so if I wanted to like
00:21:46
configure for example the you know
00:21:48
Microsoft entry
00:21:49
ID come in here to open the connector
00:21:54
page it's going to check our permissions
00:21:56
make sure that we have permissions to
00:21:58
the tenant that we're you know bringing
00:22:00
the signin data uh from of course that
00:22:02
makes you know perfect sense and then um
00:22:06
you uh you also do need uh access to the
00:22:10
uh Microsoft entra diagnostic settings
00:22:12
so you would come in here and check all
00:22:14
these boxes uh to enable that
00:22:17
connector similarly you'll go through
00:22:19
each of these connectors and you'll
00:22:21
check the boxes like you know if you
00:22:23
want to bring in the exchange logs the
00:22:24
SharePoint logs the team logs you'd hit
00:22:27
apply and then it's going to start
00:22:28
bringing in uh that log data so just
00:22:32
kind of repeat that for each of these go
00:22:33
through them uh enable uh the settings
00:22:36
you know on
00:22:37
those and once those once the data is
00:22:41
Flowing the next thing to do if we kind
00:22:43
of go back to our menu
00:22:45
here is to deploy the analytic rules and
00:22:50
uh ubaa so let's actually talk about
00:22:53
that so the first thing I'll do is I'll
00:22:57
go ahead and go down to settings and
00:23:01
I'll show you where the uh the ubaa is
00:23:04
so um user and entity Behavior analytics
00:23:07
um this is going to let you know that
00:23:09
there's okay there's anomalies related
00:23:11
to uh a user or you know uh an entity's
00:23:14
Behavior it's using machine learning
00:23:16
models it's looking at pure analysis uh
00:23:20
blast radius and uh it's really great at
00:23:22
detecting uh behavioral anomalies so you
00:23:25
just simply come in here and you click
00:23:27
the set button and then you come in and
00:23:29
enable it for the um sources so once you
00:23:33
um you know turn it
00:23:34
on um in our case we're using Microsoft
00:23:37
enter ID as a is a cloud only kind of
00:23:39
tenant uh if you do use uh Defender for
00:23:43
identity uh against your on premise
00:23:45
active directory then you can go ahead
00:23:47
and check active directory as well okay
00:23:51
uh you would hit apply um and then you
00:23:54
enable these that effectively enables
00:23:57
these log sources for for
00:23:59
ubaa you'll notice anomalies is already
00:24:01
on by default um there so now we get
00:24:05
into um the topic of analytics rules now
00:24:08
what is an analytic rule uh if we come
00:24:10
over here to the templates what we're
00:24:12
noticing here is we've got already uh 63
00:24:17
analytic
00:24:18
rules but they're all off by default
00:24:21
notice that they're not enabled so
00:24:25
there's two ways to get these enabled
00:24:27
you can kind of go through them one by
00:24:29
one and enable them so if I can select
00:24:31
one like login attempts to disabled
00:24:35
accounts so if I create this rule
00:24:38
because I want to be notified if
00:24:39
someone's attempting to sign into a
00:24:41
disabled account I have an opportunity
00:24:44
to uh to review uh you know what's going
00:24:48
to happen now by default Microsoft kind
00:24:49
of assigns their own severity levels so
00:24:51
they're going to say that if somebody
00:24:53
signs into a disabled account that's a
00:24:55
medium now you can override that here as
00:24:58
your publishing this rule if you like
00:25:00
you also notice that it's um indexed
00:25:03
against the miter attack uh framework so
00:25:06
this is kind of a lexicon of hacker
00:25:08
techniques and tactics um and there's a
00:25:11
purpose for doing this mapping so that
00:25:13
you can visualize it later uh which will
00:25:16
show you how to
00:25:17
do but then the analytic rule is using
00:25:21
kql so csto query language uh to search
00:25:25
the logs for certain Behavior so it's
00:25:28
looking um at as an example for signin
00:25:33
events where the result type is
00:25:36
50057 which means you know the the user
00:25:39
account is disabled so someone is
00:25:41
attempting to sign into disabled
00:25:43
accounts and then it's summarizing that
00:25:45
and uh and mapping that so when the
00:25:48
security analyst goes into to look at
00:25:50
the incident later um the log data is
00:25:53
then mapped to uh entity data for easy
00:25:56
triaging for the analyst
00:25:59
now you'll notice by default the query
00:26:01
would run every one days but you can
00:26:02
override that and have that run as
00:26:04
frequently as say uh every five minutes
00:26:08
if you need it to run more frequently uh
00:26:10
than every five minutes you can do so um
00:26:13
by simply querying or copying this data
00:26:16
so I can copy this I can hit cancel and
00:26:19
I can create my own what's called a a
00:26:21
near real time query so in near real
00:26:24
time instead of running it on a
00:26:26
scheduled basis like every five minutes
00:26:28
a near realtime query rule is going to
00:26:29
run it nearly instantaneously so I can
00:26:31
say you know notify if someone signs
00:26:36
into a disabled
00:26:38
account right I go next and then here I
00:26:42
paste the
00:26:44
query validates the query and then on
00:26:47
the incident notice that I don't run it
00:26:50
every five minutes because it's simply
00:26:51
going to run in uh near real time now I
00:26:54
believe you can have up to 50 uh near
00:26:56
real time rules in any one instance so
00:26:59
use them carefully because you only have
00:27:01
50 whereas the uh scheduled rules you
00:27:05
can have up to 512 of these and we're
00:27:08
not even scratching the surface with the
00:27:11
63 uh that we've uh imported from the
00:27:14
content Hub but if I want to go back and
00:27:17
and and finish the uh the sequence of
00:27:19
you know getting this thing published
00:27:21
here let's say I was satisfied with
00:27:23
running it every five
00:27:25
minutes I'm going to go ahead and go
00:27:27
next
00:27:29
and then you'll notice your automated
00:27:31
response if this was the kind of
00:27:33
activity that you wanted something to
00:27:35
happen like hey I wanted to send me a
00:27:37
teams message or an email whenever that
00:27:40
event occurs this is where you would
00:27:43
actually have an automation rule um be
00:27:45
applied you know based on that activity
00:27:47
so that can just kind of run behind the
00:27:49
scenes um other automation rules that
00:27:52
you might consider would be you know if
00:27:54
this was some kind of a malware incident
00:27:56
maybe you want to automate you know
00:27:58
disabling um or I'm sorry isolating that
00:28:01
machine or running an AV scan or
00:28:03
something like that so A bunch of stuff
00:28:05
you can automate uh Lamar will kind of
00:28:07
go through automation here uh once I
00:28:11
finish up my sequence I'll hand it over
00:28:13
him he'll kind of show how to create a
00:28:14
Playbook and how that ties
00:28:17
in okay so I'm going to go ahead and
00:28:20
save that now it would be pretty tedious
00:28:24
to go through all 63 one at a
00:28:29
time to activate all of them that'd be
00:28:32
kind of tedious right so what we've done
00:28:35
here is we've actually found a
00:28:38
script uh where you can now Mass enable
00:28:41
those uh analytic
00:28:44
rules uh I created a a URL shortener
00:28:48
link um that actually takes you to this
00:28:50
full article um so for the purposes of
00:28:55
this um which I knew I had a security
00:28:58
uh audience here that they wouldn't just
00:29:01
you know click on any old you're all
00:29:04
shortener but
00:29:06
um let me go ahead and uh paste that
00:29:09
into the chat here for you
00:29:11
all okay so what we just pasted into the
00:29:15
chat uh allows you to to mass enable all
00:29:19
of those uh analytic rules that um you
00:29:23
know that you have there so deploying
00:29:25
those analytic rules uh enabling the
00:29:27
ubaa
00:29:29
you know that's uh kind of that step now
00:29:32
we we showed you some kql and we showed
00:29:35
you the fact that the analytic rules are
00:29:37
based on kql so it's pretty important to
00:29:39
know you know kql and how to work with
00:29:42
incidents
00:29:43
right so if we hop over into
00:29:49
um the SEL portal we'll kind of uh show
00:29:52
you a couple of Basics
00:29:55
here so if I go into
00:29:59
um logs once your connectors are up and
00:30:02
running you can now interact directly
00:30:06
with the logs that are um being imported
00:30:11
so for example if I kind of look at the
00:30:13
schema here I've got my audit logs my
00:30:16
signin logs my URL click events so if
00:30:20
somebody clicks on a link in their email
00:30:24
we have a record of that link click and
00:30:26
that could be really really useful when
00:30:29
we're trying to scope a incident
00:30:31
response you know how many other people
00:30:33
clicked on that same link uh we'll show
00:30:36
you how to identify
00:30:38
that so we're looking at all the logs
00:30:41
that the data connectors are bringing
00:30:43
into
00:30:44
Sentinel and then uh so these are kind
00:30:47
of the raw tables that you can actually
00:30:50
you know query against natively now what
00:30:52
are some examples of uh of a query well
00:30:56
if I'm querying like the um
00:30:58
security uh incidents um so you put in
00:31:01
the name of the table you put in this
00:31:03
pipe command kind of like Powershell
00:31:05
right and then I can use something like
00:31:07
count right now how would I know uh the
00:31:11
syntax um you know how would I know how
00:31:13
to uh how this all works there is a
00:31:17
simple mode so I don't have to know
00:31:19
necessarily the query language I can go
00:31:21
to simple mode and this actually allows
00:31:23
me to build out a query um using the uh
00:31:27
the query Builder so I can actually just
00:31:30
kind of select a table so I'll pick you
00:31:32
know audit logs I can then um you know
00:31:36
just jump in here and actually interact
00:31:37
with uh simple mode in in this way so I
00:31:40
can actually change okay I want the last
00:31:42
30 minutes and I want to do uh limits
00:31:46
and I want to add some filters so I can
00:31:48
maybe do some
00:31:49
aggregation um here maybe I want to uh
00:31:52
sum a particular um or grab a particular
00:31:57
uh
00:31:58
display name and do a count by that
00:32:01
right so if you don't know the kql
00:32:05
syntax the simple mode is new it allows
00:32:07
you to kind of add your own filter in
00:32:09
kind of like an Excel
00:32:11
spreadsheet if you want to learn a
00:32:13
little bit more about Sentinel um we've
00:32:17
uploaded a couple of uh resources so one
00:32:19
of the resources that we put was this
00:32:22
PowerPoint that we're actually going
00:32:23
through and on one of the slides here uh
00:32:28
are some of the resources to learn custo
00:32:30
query language so uh there's a great
00:32:33
resource Rod Trent must learn kql link
00:32:38
um there's a kind of a gamified site
00:32:40
that uh is called kc7 Cy cyber so
00:32:43
patriate is actually a corporate sponsor
00:32:46
uh we pay for the uh Azure costs uh for
00:32:50
this and it allows you to kind of go in
00:32:51
there kind of like a capture the flag
00:32:53
game to learn kql really fantastic uh
00:32:57
for security operations folks that need
00:32:59
to learn custo query language and then
00:33:02
uh kind of the deao standard of learning
00:33:04
kql is this book that came out called
00:33:06
the definitive guide to uh kql which you
00:33:08
can you can get on
00:33:11
U on Amazon but uh let me go ahead and
00:33:14
show you uh an example of uh the first
00:33:19
one the must learn kql so when you uh
00:33:21
and I'll put this in the chat here for
00:33:23
you as
00:33:24
well for you to navigate to
00:33:28
okay that is now in the in the
00:33:31
chat so you know must learn kql so I
00:33:34
showed you the count operator you know
00:33:36
we had just used that so um you can
00:33:38
either read the article or you can watch
00:33:40
the video um but if I click on the count
00:33:43
operator I can scroll down and he's got
00:33:46
he explains the syntax of how the
00:33:48
account operator is used and uh you know
00:33:51
how exactly that
00:33:53
functions um you know really nice
00:33:55
samples right so I can actually you know
00:33:58
grab the sample here I can copy that and
00:34:01
I could just paste that right in uh in
00:34:04
kql
00:34:05
mode so I'm going to go and run
00:34:08
that and uh so it's uh me go ahead and
00:34:15
clear okay security event so security
00:34:18
event is a table for on premise active
00:34:20
directory which I'm not bringing into
00:34:21
this lab but if I want to get into uh
00:34:25
you know the sign and logs
00:34:28
where the result uh
00:34:32
type Z summarize
00:34:36
count or just
00:34:43
count so last 24 hours 16,000 you know
00:34:46
successful so zero is is
00:34:49
Success um another type of successful
00:34:52
signin is actually um the uh keep me
00:34:57
signed
00:34:59
in so keep me signed in is a uh is an
00:35:03
event
00:35:11
of
00:35:13
5014 and that's kind of important
00:35:15
because if you're only querying on zero
00:35:17
which are successful signin but you're
00:35:19
not querying on keep me signed in events
00:35:21
you actually won't get the full um uh
00:35:24
count so 16776 and I run that again
00:35:29
16806 so you could see there there would
00:35:31
have been additional sign-ins I would
00:35:33
have missed so there are there is some
00:35:35
kind of inside baseball you need to know
00:35:37
uh when you're acquiring specific log
00:35:39
tables now how would you know that you
00:35:43
need to essentially be very comfortable
00:35:45
with this uh take 10 operator so take 10
00:35:49
allows you to quer a table and get the
00:35:52
first 10 rows and then you can kind of
00:35:53
inspect the content of that data right
00:35:57
so I can now get much more familiar with
00:36:00
um you know every uh element uh that's
00:36:04
in there and then another kind of tip is
00:36:07
if you're not familiar with the
00:36:08
different type of uh
00:36:11
Fields uh for a particular column you
00:36:15
can
00:36:15
summarize
00:36:17
um the the column using um or using the
00:36:22
summarize function you can actually
00:36:24
summarize a column and it will give you
00:36:26
okay 16 ,000 signin that were successful
00:36:30
but what are all these other you know
00:36:31
event
00:36:33
types well we can actually find out by
00:36:36
adding the result
00:36:39
description so now we can actually uh
00:36:42
get to know our table a little bit
00:36:43
better
00:36:45
right so we've got you know a
00:36:48
conditional access policy required a
00:36:49
compliant device okay that's that's uh
00:36:52
code
00:36:53
530000 so again this allows you to kind
00:36:56
of explore with it a little bit um once
00:37:00
you um understand uh the kql and let's
00:37:04
say you wanted to get a signin result uh
00:37:08
where the
00:37:11
location uh was like in in Russia or
00:37:15
something right so you can actually
00:37:19
uh do something where we go back so
00:37:22
where the time generated is greater than
00:37:25
say
00:37:27
90 days
00:37:31
ago and we want to maybe um where the
00:37:35
location is equal to
00:37:40
Russia now we'll get a couple hits here
00:37:44
uh but it's important to find out if
00:37:45
these are successful hits so we have
00:37:47
three hits three signin signin attempts
00:37:50
in the last 90 days from Russia but we
00:37:52
need to find out you know are those
00:37:55
successful or not so now we add that
00:37:57
summarized to the
00:38:03
end and so here we can see those three
00:38:06
signin attempts from Russia are invalid
00:38:09
password attempts so there were attempts
00:38:11
but they uh failed to successfully sign
00:38:13
in so now you might you know take
00:38:17
that and maybe you actually go to your
00:38:20
analytic
00:38:21
Rule and you want to create a new
00:38:23
analytic rule
00:38:27
Whenever there are you know successful
00:38:31
signin from Russia so you go next paste
00:38:36
your syntax in
00:38:38
here where the
00:38:41
result uh
00:38:46
type is zero or
00:38:51
result
00:38:53
type is
00:38:55
5014 keep me signed in
00:38:58
okay and then you map um the resulting
00:39:03
entities so that later on when we show
00:39:05
you um the investigation you want to be
00:39:08
able to map um The Entity ID uh to a
00:39:13
user so that it actually shows up um for
00:39:17
the person investigating
00:39:19
it these are princip
00:39:23
okay you would click next and you'd
00:39:25
schedule this to run and then this would
00:39:27
send you an alert anytime that that
00:39:29
happened so that's that's an example of
00:39:31
you know the benefit um of working with
00:39:35
the logs and the kql building those
00:39:36
analytic rules um you know at Patriot
00:39:39
we've actually built over 200 of our own
00:39:43
Uh custom
00:39:44
rules um because based on our testing
00:39:48
even though the outof the boox ones are
00:39:49
pretty good when you actually use the
00:39:51
miter attack to kind of map out where
00:39:54
your holes are this is effectively kind
00:39:57
of showing you show me all of my
00:39:59
analytic rules and how does that relate
00:40:01
to the coverage of minor attack right
00:40:05
you'll notice that the outof thebox
00:40:07
rules there's a gap on maybe um
00:40:10
detecting interprocess communication or
00:40:12
shared modules or browser extensions so
00:40:16
this would kind of inform your team okay
00:40:19
maybe we need to write an analytic rule
00:40:21
where a browser extension is getting
00:40:23
abused or where a bits job is firing you
00:40:27
know bits jobs can be used to download
00:40:29
content from the internet as a dropper
00:40:31
to bring in Mau onto an endpoint so
00:40:34
that's why we had to build our own Uh
00:40:36
custom analytic rules to kind of fill
00:40:38
some of these
00:40:40
gaps so let's kind of take a step back
00:40:42
here and see where we are um so we
00:40:46
talked about you know using kql to look
00:40:48
for you know sign-ins we talked about
00:40:50
using the uh summarizing count we looked
00:40:54
at you know detecting sign-ins from
00:40:56
Russia um this one's kind of
00:40:58
interesting um show me where people
00:41:02
traveled uh to two different countries
00:41:05
in the same day and in this particular
00:41:08
case you can also look for specific
00:41:10
countries as
00:41:12
well uh you can also look for email
00:41:14
events uh so this one might be kind of
00:41:16
interesting uh show me all the email
00:41:18
events where um this particular uh
00:41:21
recipient who had more uh than one or at
00:41:25
least one attachment or at least uh you
00:41:28
know one uh hyperlink where a URL was
00:41:33
clicked and tell me the domain names
00:41:36
that were clicked
00:41:38
on so that might be a fun one to kind of
00:41:40
play with here so we'll go ahead and
00:41:43
grab that
00:41:46
syntax and you can follow along too if
00:41:49
you have uh that data flowing in your
00:41:53
tenant go to our
00:41:56
logs to kql
00:41:59
mode create new query
00:42:06
here
00:42:08
okay so a let statement it's kind of
00:42:11
like a join statement we're basically um
00:42:13
creating this variable called emails so
00:42:16
show me all the email events and return
00:42:19
the network message ID which is the
00:42:21
unique identifier for the messages where
00:42:24
Joe received uh an email containing at
00:42:26
Le at least one attachment and at least
00:42:28
one hyperlink show me um where those
00:42:31
were clicked on so where the network
00:42:33
message ID and this click events table
00:42:36
is actually from this variable and then
00:42:38
from that then send it over to the email
00:42:41
URL info table and uh again show me
00:42:46
information uh give me the domain names
00:42:49
uh that were clicked on so you can then
00:42:51
run
00:42:52
that and so here's some of the URLs that
00:42:55
this recipient clicked on so maybe
00:42:57
clicked on you know um a looks like a
00:43:01
meeting in teams and and some domains
00:43:04
and this could be kind of helpful if you
00:43:05
wanted to know well who else other than
00:43:08
Joe you know maybe clicked on you know
00:43:11
one of these uh domains so you can then
00:43:15
you know basically copy this um
00:43:20
and you know add an additional wear
00:43:23
Clause here right so where the uh
00:43:29
domains it's equal to
00:43:33
this then you remove the
00:43:37
recipient So in theory this should tell
00:43:40
me anyone in the organization who uh
00:43:42
also clicked on that
00:43:45
link and uh just just me apparently um
00:43:51
but yeah so that's the you know an
00:43:53
example of uh you know interacting with
00:43:56
identities inter ING with email the
00:43:59
power of uh this xdr you know Sentinel
00:44:02
kind of sitting on top of this is that
00:44:05
you can literally query you can write
00:44:07
one kql query that can look for an email
00:44:10
that made it onto an endpoint where the
00:44:13
identity was then compromised so you
00:44:15
could actually construct a kql to query
00:44:18
all those tables uh in the same uh query
00:44:21
and then build an analytic role to you
00:44:23
know send you an alert when that occurs
00:44:26
um so when when an incident is created
00:44:29
uh you're going to find that in Sentinel
00:44:31
uh so if you're a sock analyst you're
00:44:33
going to work most of your day is going
00:44:34
to be over here in
00:44:36
incidents so here's a couple incidents
00:44:38
that were created so you know in
00:44:40
incident handling basic um you might
00:44:43
come in here and say okay well here's a
00:44:46
multi-stage incident on an
00:44:49
endpoint so as a as an analyst um here's
00:44:52
the entities that I was showing you
00:44:54
during the analytic rule creation that
00:44:56
you map so it's kind of important when
00:44:58
you're writing a kqu query that you map
00:45:01
that to an entity so that the analysts
00:45:04
when they're looking at it they can very
00:45:05
quickly summarize you know what's
00:45:07
involved okay there's the desktop
00:45:09
involved they can click on it learn more
00:45:11
information about that desktop so if I
00:45:14
go to view full details
00:45:17
here I can see what's involved so all
00:45:20
the entities uh in this incident are
00:45:23
going to be shown here in a list so I
00:45:25
can quickly kind of see okay okay
00:45:27
there's this there's a process a file
00:45:30
hash and a hyperlink but what's kind of
00:45:32
the full story like what actually
00:45:34
happened here um now you could you could
00:45:37
click investigate and it will kind of
00:45:38
give you a big picture so especially if
00:45:40
there's you know multiple machines
00:45:42
involved you can kind of see you know um
00:45:45
how everything was kind of connected
00:45:46
that's kind of helpful and and for each
00:45:48
of these things you know you can
00:45:49
actually um drill in and correlate and
00:45:53
and query off that data um you can uh
00:45:57
kind of do quite a bit of pivoting here
00:45:58
too in an investigation but what what we
00:46:01
often do is we like to investigate this
00:46:05
in the defender xdr
00:46:08
portal and um I think less than a year
00:46:12
ago this portal got unified with
00:46:15
Sentinel so that you no longer really
00:46:18
start your day in Sentinel anymore you
00:46:21
basically start your day in this xdr
00:46:23
portal that way you don't have to click
00:46:26
on this button investiga and Defender
00:46:28
because that would mean you'd have to
00:46:29
swap back and forth between your xdr
00:46:32
software and the Sim now you can stay in
00:46:35
xdr and you'll notice that uh Sentinel
00:46:39
is now natively integrated inside of the
00:46:43
Microsoft Defender xdr portal so I can
00:46:46
work all of my incidents now in this
00:46:49
unified portal I don't have to come back
00:46:51
here I can actually stay here um back to
00:46:54
this event so if I click on these URLs
00:46:57
and and go okay well what is qq.com
00:46:59
right so I I looked it up um it's
00:47:02
actually a uh a Chinese kind of instant
00:47:05
messaging uh software but why is this
00:47:10
Intel uh you know process involved in
00:47:13
communicating uh with this so if you
00:47:15
click on the actual you know attack
00:47:17
story um so there's a UR all um you know
00:47:22
uh visited there's uh communication here
00:47:25
but if I want to really in and this is
00:47:28
really the power of the xdr and and
00:47:30
really kind of a different you know
00:47:33
um uh you know story here but if if I
00:47:36
wanted to actually uh you know see more
00:47:39
details about the process and and uh you
00:47:43
know investigate this you're able to um
00:47:46
click on this and then you'll be able to
00:47:48
see that this process launched uh but
00:47:51
then the network filter um detected this
00:47:57
communication and then it was blocked
00:48:00
which is cool right it's great that the
00:48:02
xdr software didn't like the fact that
00:48:05
this process attempted to make an
00:48:07
outbound communication with uh a pretty
00:48:10
weird you know um you know uh
00:48:14
Chinese uh you know uh service the a
00:48:19
instant messaging
00:48:20
service now from here you could run a
00:48:23
Playbook and this would be a good segue
00:48:26
over to Lamar
00:48:27
if I run this Playbook that allows me to
00:48:30
maybe kick off a isolation right where I
00:48:33
can isolate this endp point technically
00:48:35
I can do it here as well um if I go back
00:48:38
um into the uh device I can click on the
00:48:43
uh
00:48:45
actions and I can uh click on isolate
00:48:49
device so I could do it right here but
00:48:51
if I had a Playbook of maybe other steps
00:48:53
like maybe I wanted to you know create
00:48:56
ticket in my service now or or My
00:48:59
ticketing system send a teams message
00:49:02
maybe there's a bunch of things I I
00:49:03
always want to do that's why we call it
00:49:05
a Playbook um for sure I could isolate
00:49:08
it here or I can run this kind of uh
00:49:10
sequence of
00:49:11
events um and so those um the automation
00:49:15
rules inside of Sentinel you know they
00:49:18
can be used to suppress noisy alerts but
00:49:20
they can also be used uh to run
00:49:22
playbooks so where you would find that
00:49:25
in Sentinel is if you go back out to
00:49:30
automation you'll notice that Sentinel
00:49:33
comes with a bunch of kind of templetes
00:49:34
here so you don't have to create them
00:49:36
from scratch right so you can actually
00:49:39
enrich the incident with virus total
00:49:41
information so I don't have to then
00:49:43
leave and browse to a different site to
00:49:45
look up uh qq.com I can look up the IP
00:49:48
and abuse
00:49:50
ipdb um I can send an email I could um
00:49:55
you know block the user from signing in
00:49:58
I can revoke their signin
00:50:00
sessions um or I can create my own kind
00:50:02
of custom automation rule but Lamar um
00:50:05
let me hand it over to you maybe a quick
00:50:07
demo of uh you know a Playbook and kind
00:50:10
of what that looks
00:50:12
like perfect sounds good
00:50:15
Joe me cue that up
00:50:21
here so with automation there's really
00:50:24
there's kind of two components to it you
00:50:26
have what are the automation rules
00:50:29
automation rules I consider these your
00:50:32
orchestration so what things do we want
00:50:34
to happen automatically and under what
00:50:37
conditions so for example if we were to
00:50:40
say um you know we want something to run
00:50:44
when an incident is created uh the
00:50:46
severity is
00:50:48
High um you can get as specific as you
00:50:50
want here with your conditions you could
00:50:53
also do um you know title
00:50:57
contains uh
00:51:00
aitm or in the middle right you could be
00:51:04
real specific as to when you want this
00:51:06
to fire off automatically then you have
00:51:09
the actions that it can do so the most
00:51:11
powerful one is run Playbook aside from
00:51:14
that one these other ones are things
00:51:15
that happen within the Sentinel incident
00:51:17
itself you can change the status
00:51:19
severity owner Etc but in this case we'd
00:51:22
want to say run a Playbook and I'll show
00:51:23
you a little bit more about playbooks in
00:51:25
a sec um but the point I want to make
00:51:27
here is that you you can run multiple
00:51:30
playbooks in a row as well so that
00:51:32
really shows the power of that
00:51:33
orchestration so maybe we want to uh
00:51:37
block the user and then we also want to
00:51:40
revoke the the sessions right so we want
00:51:43
to do both of those in sequence when
00:51:45
something like this happens you also
00:51:48
have um when this rule expires if you
00:51:50
want to put that and the order they do
00:51:52
fire off in order and any rule that
00:51:54
meets the criteria of your conditions
00:51:56
will will be fired off so again
00:52:00
automation is that orchestration what
00:52:02
happens and when
00:52:03
automatically your playbooks are more of
00:52:06
that containerized uh logic flow of
00:52:09
things that you want to happen so you
00:52:12
get more more complex and more uh Rich
00:52:16
type of uh responses in here so for
00:52:19
example if you want to look in here I
00:52:21
have a a couple examples I like to
00:52:23
Tinker in here quite a bit so there's
00:52:26
this one here Defender but let's say we
00:52:29
want to isolate the device and run
00:52:31
antivirus scan in one
00:52:34
step so you can set that up so the nice
00:52:38
thing is that Sentinel uh playbooks are
00:52:40
built on logic apps from Azure it's a
00:52:43
wellestablished well-known platform been
00:52:45
around for many years so the fact that
00:52:47
Sentinel can leverage that is amazing so
00:52:50
we have a a very mature automation
00:52:52
platform here has all sorts of things
00:52:55
you could do for each loops on each
00:52:57
incident you could do conditions so you
00:53:00
could see I built this one out with a
00:53:01
little bit of error handling so if if
00:53:04
any of these steps fail then I have a a
00:53:06
branch that would then add comments to
00:53:09
the incident letting me know what was
00:53:11
succeeded what failed and sending an
00:53:13
email down at the
00:53:15
bottom and to your point Joe you can
00:53:17
also integrate many other third parties
00:53:19
in here so if I wanted to create
00:53:22
something in itsm you know we have jira
00:53:25
we have uh server it's
00:53:27
now um if we wanted to uh send any type
00:53:32
of email or teams or if we're using
00:53:34
slack instead of
00:53:36
teams um there's just tons and tons of
00:53:38
Integrations out there since this has
00:53:40
been around for so long so this is one
00:53:44
example this is a kind of a a device
00:53:47
related
00:53:48
response there's also things that you
00:53:51
could do like we we mentioned earlier
00:53:53
around disabling accounts resetting
00:53:55
passwords
00:53:57
um sending emails sending teams messages
00:54:01
so really disguise the limit on what you
00:54:03
can do here with u
00:54:05
playbooks no it's it's it's really a
00:54:08
great kind of walk through um I think
00:54:11
what's what's great is that uh senel is
00:54:13
pretty um affordable compared to third
00:54:16
party Solutions where you have to buy a
00:54:17
separate security
00:54:19
orchestration you know service and try
00:54:21
to integrate that plug that in this is
00:54:23
all just
00:54:24
natively you know inside of uh Sentinel
00:54:27
so it's it's super clean right um so let
00:54:31
me let me go ahead and kind of wrap it
00:54:33
up a little bit here today and
00:54:36
definitely want to you know thank
00:54:38
everyone for attending if you again if
00:54:40
you have any questions please shoot us
00:54:41
an email and hope you all have a
00:54:43
wonderful day

标签

Microsoft Sentinel
SIEM
XDR
Automation
Log Analytics
KQL
Data Connectors
Incident Management
Cybersecurity
Threat Detection