Enabling Sentinel in your environment is simple; all you need is:
An active Azure subscription.
A Log Analytics workspace.
Once those are in place, you can browse to Sentinel in the Azure portal to install it, and then you are ready to add data connectors.
You can enable Sentinel on an Azure Monitor Log Analytics workspace, and both data ingestion and Sentinel charges are waived for the first 31 days (up to 10 GB of logs per day). Note that you are limited to a maximum of 20 workspaces per Azure tenant, but that is more than sufficient to get a feel for the platform.
For existing workspaces, only the Sentinel fees are waived during the 31-day trial. Any charges for additional machines or automation are still billed.
Currently, several Microsoft data connectors are available out of the box and provide immediate integration, including Office 365, Azure AD, Microsoft 365 Defender and Defender for Cloud Apps.
Sentinel also provides more than 100 built-in data connectors for non-Microsoft products, including AWS, Barracuda, Cisco and Symantec. In addition, Sentinel supports generic connectors that ingest data over Windows Firewall, Syslog, REST API and Common Event Format (CEF), so data can be brought in from practically any source. This makes it very flexible to adapt to your network.
Once your data connectors are set up, Sentinel will begin analysing and reporting on potential threats in your environment using its built-in alert rules.
However, the real power of Managed Microsoft Sentinel is the ability to write custom alert rules and playbooks that automatically identify and remediate threats in real time. These custom alert rules and playbooks let you tailor Sentinel to defend your organisation against the specific threats it faces.
Microsoft Sentinel in action – A typical scenario…
In this example, a company's Azure AD Connect instance is compromised and credentials are exfiltrated. We will walk through the attack and discuss how Microsoft Sentinel could have alerted on and mitigated it at different points in the cyber kill chain.
The kill chain consists of 8 steps that trace an attack's progression from reconnaissance to data exploitation, giving us a clearer picture of the timeline of a cyber-attack.
We will focus on alerting and remediation for reconnaissance, intrusion and exfiltration.
Why target Azure AD Connect?
For those unfamiliar with it, Azure AD Connect (AAD Connect) is an application that lets organisations link their existing on-premises Active Directory with their Azure Active Directory environment. The most common authentication configurations for AAD Connect are Password Hash Sync (PHS) and Pass-Through Authentication (PTA).
Password Hash Sync works by synchronising the password hashes held in Active Directory to Azure Active Directory, allowing users to sign in to cloud services with their on-premises credentials. Pass-Through Authentication also lets users sign in to cloud services with their existing credentials, but does so by forwarding each authentication request to an on-premises Active Directory server.
Both configurations handle an organisation's credentials, which makes AAD Connect a frequent target for attackers. It is therefore essential that the AAD Connect service and the server hosting it are secured to prevent credential theft.
Reconnaissance
The first step in the kill chain is reconnaissance. Research suggests that as much as 60 percent of an attacker's effort is spent investigating an organisation and its infrastructure before the attack begins. So while reconnaissance is not itself a vulnerability or an exploit, it is worth watching for: it is the very first step of any cyber-attack, and it is vital to be ready to respond to it when it appears.
The most common form of reconnaissance is port scanning: probing servers to learn which operating system is in use and, possibly, which applications are running. Armed with this information, an attacker can target known vulnerabilities or use a password spray attack to gain a foothold in the system.
With Microsoft Sentinel, we can create a custom alert rule that fires when port scanning is detected, and then trigger playbooks to respond to the threat.
To respond to this alert, we can build an automated playbook using the Azure Logic Apps framework. Logic Apps uses a simple drag-and-drop interface to assemble the set of tasks to be carried out.
The advantage of Logic Apps is that they can be used to build complex workflows that would otherwise consume valuable IT department time, reducing the effort spent on routine tasks.
Intrusion
One of the most common types of breach that businesses face is the password attack, in which an attacker tries to gain access to a system using default or commonly used credentials.
Attackers also use lists of the most popular passwords to gain access to systems. According to the NCSC, over 75% of organisations used passwords that appeared in the top ten thousand most commonly used passwords. It is no surprise that password spray attacks have become commonplace.
Attackers are unlikely to sign in to an account manually from their own IP address; instead they automate the process using botnets. When an alert is raised for an unusual sign-in, we can look up the IP address in the alert to determine whether it belongs to a known botnet. If it does, we can block the user from signing in and raise a ticket in ServiceNow to notify IT staff of a possible breach.
While most workflows can be assembled from the basic building blocks Logic Apps provides, sometimes a more complex workflow is needed. In this case, those building blocks alone cannot compare the alert's IP address against a list of known botnets. However, Logic Apps can integrate with Function Apps, small blocks of custom code that run on demand, so we can build a Logic App that performs more intricate tasks.
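As an added example (not from the original article), this is the kind of check such a Function App would perform: it takes the sign-in alert's IP address, compares it against a blocklist of botnet ranges, and returns the actions for the Logic App to carry out. The blocklist, botnet names, alert field names and action names are constructed placeholders; the HTTP-trigger wrapper is omitted so the logic runs stand-alone.

```python
"""Botnet IP check for a sign-in alert, as a Function App called from a playbook."""
import ipaddress

# Constructed sample blocklist: CIDR ranges tagged with a placeholder botnet name.
# A real deployment would load these from a threat-intelligence feed.
KNOWN_BOTNETS = {
    "198.51.100.0/24": "botnet-A (placeholder)",
    "203.0.113.64/26": "botnet-B (placeholder)",
    "192.0.2.17/32": "botnet-C (placeholder)",
}
_NETWORKS = [(ipaddress.ip_network(cidr), name) for cidr, name in KNOWN_BOTNETS.items()]

def lookup_ip(ip_text):
    """Return the botnet name if ip_text falls inside a listed range, else None.
    Malformed or empty input yields None rather than an exception, so a bad
    alert payload cannot crash the playbook. IPv6 never matches an IPv4 range."""
    try:
        ip = ipaddress.ip_address(str(ip_text).strip())
    except ValueError:
        return None
    return next((name for net, name in _NETWORKS if ip in net), None)

def evaluate_alert(alert):
    """Entry point the Logic App would call with the sign-in alert fields.
    Returns the verdict plus the remediation steps the playbook should run:
    block the sign-in and raise a ServiceNow ticket only when the IP is attributed
    to a known botnet, otherwise no automatic action (assumed action names)."""
    ip_text = alert.get("ipAddress", "")
    botnet = lookup_ip(ip_text)
    return {
        "user": alert.get("userPrincipalName", "unknown"),
        "ipAddress": ip_text,
        "knownBotnet": botnet,
        "actions": ["block_user_signin", "raise_servicenow_ticket"] if botnet else [],
    }

# Constructed alert payload in the shape a sign-in alert might provide.
SAMPLE_ALERT = {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.70"}

if __name__ == "__main__":
    print(evaluate_alert(SAMPLE_ALERT))
```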
Exfiltration
Once an attacker has gained initial access to a network, they will look for ways to extract data from it. In our fictional scenario, the attacker has obtained a local administrator account and is now trying to extract every user credential stored in Active Directory.
Because the attacker has compromised the server hosting the AAD Connect service, they may compromise the built-in account that AAD Connect uses for its synchronisation process and use it in a technique commonly referred to as DCSync: the attacker impersonates a Domain Controller and requests password data from a targeted Domain Controller.
In the Microsoft security stack, Azure Advanced Threat Protection provides out-of-the-box protection against DCSync attacks. However, security teams often face the problem of having to move between separate dashboards for each Microsoft security solution they have deployed, including Microsoft Defender ATP, Azure ATP and CAS.
In the past this has meant time wasted switching between dashboards and consoles, slower response times, and potentially missed threats and correlations.
With Microsoft Sentinel, an organisation can now see threats and alerts across its entire IT estate. It is also possible to use Sentinel to correlate alarms, entities and alerts across all data sources, adding contextual information relevant to the investigation.
Conclusion
In summary, Microsoft Sentinel is a strong SIEM for the current technology landscape. It provides a bird's-eye view of your entire IT estate, together with smart analytics backed by advanced artificial intelligence, which helps identify and counter threats in near real time.
As the examples on this page show, Sentinel connects seamlessly with your existing Microsoft and non-Microsoft technology while still giving you the control to customise it to your security needs.
All of this helps defend your business against ever-growing cybersecurity threats. Microsoft Sentinel's automated playbooks can also make IT and support staff more efficient by reducing the number of trivial, time-consuming remediation tasks, while speeding up response times.