
Interesting Truth about Threat Hunting using Microsoft Sentinel


Microsoft Sentinel performs the following activities related to logs:

  • Collect
  • Detect
  • Investigate
  • Respond

Detection is driven by analytics rules, which are KQL queries scheduled against the ingested logs. User and Entity Behavior Analytics (UEBA) adds anomaly-based detection of compromised or misused accounts and hosts. Anything these mechanisms miss can still be found by searching the collected logs starting from a hypothesis; that search is called hunting.


Hypothesis

A hunt starts from a hypothesis: an assumption about what an attacker might have done in the environment. Each step of that hypothesis is mapped to a MITRE ATT&CK tactic and technique, and a query is written for the evidence each technique would leave in the logs. The results of the individual queries are then correlated to confirm or reject the starting assumption. This makes hunting proactive rather than alert-driven. The hunting process flow described by Microsoft is as follows:
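As an added example of such a hypothesis turned into KQL (it is not part of the original article and not a Microsoft content hub query): the assumption is that an attacker password-sprayed from one IP (T1110.003), eventually signed in, and used that session to add a role or credential (T1098). The SigninLogs and AuditLogs tables are the standard Microsoft Entra ID connector tables; the result-code list, the 20-account threshold and the one-hour window are assumptions to tune per tenant.

```kql
// Added example: hypothesis-driven hunt, not from the Sentinel content hub.
// Hypothesis: a password-spray source (T1110.003) later signs in successfully,
// and that account changes a role or credential within an hour (T1098).
let lookback = 7d;
let spray_threshold = 20;          // assumed: distinct accounts failed from one IP
// Step 1: sources that failed against many distinct accounts.
let spray_sources = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50126", "50053")   // bad password / account locked (assumed code list)
    | summarize Failures = dcount(UserPrincipalName) by IPAddress
    | where Failures >= spray_threshold;
// Step 2: successful sign-ins from those same sources.
let spray_successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | join kind=inner spray_sources on IPAddress
    | project SignInTime = TimeGenerated, UserPrincipalName, IPAddress, Failures;
// Step 3: directory changes made by that account shortly after the sign-in.
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName in ("Add member to role", "Add service principal credentials", "Update user")
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| join kind=inner spray_successes on $left.Actor == $right.UserPrincipalName
| where TimeGenerated between (SignInTime .. (SignInTime + 1h))
| project SignInTime, ChangeTime = TimeGenerated, Actor, IPAddress, Failures, OperationName,
          Target = tostring(TargetResources[0].displayName)
// Entity columns in the same shape the content hub queries use.
| extend Account_0_Name = tostring(split(Actor, "@")[0]),
         Account_0_UPNSuffix = tostring(split(Actor, "@")[1]),
         IP_0_Address = IPAddress
```

Each let block is the query for one technique; the final join is the correlation step. An empty result is also an answer: the hypothesis is not supported for this window, and the hunt moves on to the next one. If only step 1 returns rows, bookmark them anyway, since a spray with no success is still worth a notification to the targeted accounts.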

Microsoft’s Threat Hunting Process [1]

The Hunting feature of Microsoft Sentinel is located at Sentinel–>Threat management–>Hunting as shown below:

Microsoft Sentinel Hunting Dashboard [2]

The Hunting feature of Microsoft Defender is located at Microsoft Defender–>Hunting–>Advanced hunting as shown below:

Microsoft Defender Hunting Dashboard [3]

Hunt creation is done from portal.azure.com. The Log Analytics workspace on which Sentinel is enabled is connected to the data sources through data connectors; once logs are streaming into the workspace, hunts can be created.

Start with the hunting queries that ship in Sentinel's hunting dashboard and run them. Queries that return results can be grouped and saved under one hunt. Each run of the saved hunt shows a results delta per query; use it to watch for an increase or decrease in results between runs.

Microsoft Sentinel pre-filled Hunting Queries results [4]

A new hunt can also be created with a single query. Referring to the MITRE ATT&CK framework, queries can be written for the different techniques under the tactic of interest. Once a query is found to produce evidence, it is added to the hunt.

Microsoft Sentinel Hunt Creation [5]

Knowledge of KQL (Kusto Query Language) is required to hunt. Hunt creation and hunting should be a continuous process. A created hunt has three tabs:

  • Bookmarks
  • Entities
  • Queries

Microsoft Sentinel created Hunt features [6]

Bookmarks: results of hunting queries that were bookmarked during the hunt are listed here.

Entities: the entities (accounts, IP addresses, hosts) associated with the hunt are listed here. Clicking an entity opens its UEBA entity page. Actions available from here include running a playbook and creating a threat indicator.

Queries: the queries attached to the hunt are listed here.

Livestream

Sentinel > Threat management > Hunting > Queries tab > Right-click on query > Select Add to livestream

Microsoft Sentinel Hunt Bookmarks Tab [7]

To see the results of a query as matching events arrive, add the query to Livestream. Only queries without a time filter (no ago() or between on TimeGenerated) can be added, because Sentinel controls the time window itself while the livestream session runs.

Sentinel > Threat management > Hunting > Livestream tab: click the play button to start the session and show results live.

Microsoft Sentinel Hunt Livestream Tab [8]

Notebook

Microsoft Sentinel Hunt using Notebook [9]

Notebooks, found under Threat management in Sentinel, extend hunting with analysis and visualization in Python, including machine learning models, over data pulled from the workspace. Hunting with machine learning concepts gives more flexibility than KQL alone. The steps are:

  1. Create an Azure Machine Learning workspace.
  2. Create a notebook from a template and save it.
  3. Launch the saved notebook to open it in the Azure Machine Learning workspace.
  4. Select a compute instance to run the notebook.
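The same baseline-versus-deviation idea can be prototyped without leaving KQL, as an added example (it is neither the article's notebook nor Microsoft's code): Sentinel's query engine has built-in time-series decomposition, so a first pass at "which accounts are failing far more than their own normal" can run from the hunting blade before a Python notebook is set up. The table and columns are the standard SigninLogs schema; the 14-day lookback, hourly bin, score threshold and the floor of 10 failures are assumptions.

```kql
// Added example: KQL-native anomaly hunt over failed sign-ins per account.
let lookback = 14d;
let binsize = 1h;
let threshold = 2.5;   // assumed: anomaly score cut-off (function default is 1.5)
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                            // failures only
// One equally spaced series per account, zero-filled for empty hours.
| make-series Failures = count() default = 0
      on TimeGenerated from ago(lookback) to now() step binsize
      by UserPrincipalName
// Seasonal decomposition; flags are +1 (spike), -1 (dip), 0 (normal).
| extend (Flags, Scores, Baseline) = series_decompose_anomalies(Failures, threshold, -1, 'linefit')
| mv-expand TimeGenerated to typeof(datetime), Failures to typeof(long),
            Flags to typeof(int), Scores to typeof(double), Baseline to typeof(double)
| where Flags > 0                                    // spikes above the account's own baseline
| where Failures >= 10                               // assumed floor: ignore tiny series
| project TimeGenerated, UserPrincipalName, Failures,
          ExpectedFailures = round(Baseline, 1), Score = round(Scores, 2)
| order by Score desc
```

The per-account series is the point: a tenant-wide count hides a single account being hammered, while a fixed threshold per account flags every service account with naturally noisy failures. Once the hunt is worth more than this, the same series can be pulled into the notebook for richer models.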


Hunting Queries from the Community Centre

Community hunting queries are published in the Azure Sentinel GitHub repository at www.github.com/azure/azure-sentinel, in the Hunting Queries folder.

GitHub Community Microsoft Sentinel Hunting Queries [10]


Hunting Queries from Data Connectors

Hunting queries that ship with data connector solutions are found at Sentinel–>Content management–>Content hub; filter Content type to Hunting query.

Microsoft Sentinel Content Hub Hunting Queries [11]

Hunting query

Example: "Port opened for an Azure Resource", a content hub hunting query. Open the Logs blade of the Log Analytics workspace and run the query below. It lists who wrote a firewall, NSG security rule or public IP change in the last day, with the rule attributes parsed out of the Activity log's responseBody; the Accepted status is used because that record carries the rule body.

let lookback = 1d;
AzureActivity
| where TimeGenerated >= ago(lookback)
| where OperationNameValue has_any ("ipfilterrules", "securityRules", "publicIPAddresses", "firewallrules") and OperationNameValue endswith "write"
// Choosing Accepted here because it has the Rule Attributes included
| where ActivityStatusValue == "Accepted"
// If there is publicIP info, include it
| extend parsed_properties = parse_json(tostring(parse_json(Properties).responseBody)).properties
| extend publicIPAddressVersion = case(Properties has_cs 'publicIPAddressVersion', tostring(parsed_properties.publicIPAddressVersion), "")
| extend publicIPAllocationMethod = case(Properties has_cs 'publicIPAllocationMethod', tostring(parsed_properties.publicIPAllocationMethod), "")
// Include rule attributes for context
| extend access = case(Properties has_cs 'access', tostring(parsed_properties.access), "")
| extend description = case(Properties has_cs 'description', tostring(parsed_properties.description), "")
| extend destinationPortRange = case(Properties has_cs 'destinationPortRange', tostring(parsed_properties.destinationPortRange), "")
| extend direction = case(Properties has_cs 'direction', tostring(parsed_properties.direction), "")
| extend protocol = case(Properties has_cs 'protocol', tostring(parsed_properties.protocol), "")
| extend sourcePortRange = case(Properties has_cs 'sourcePortRange', tostring(parsed_properties.sourcePortRange), "")
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
ResourceIds = make_set(_ResourceId, 100)
by
Caller,
CallerIpAddress,
Resource,
ResourceGroup,
ActivityStatusValue,
ActivitySubstatus,
SubscriptionId,
access,
description,
destinationPortRange,
direction,
protocol,
sourcePortRange,
publicIPAddressVersion,
publicIPAllocationMethod
| extend
Name = tostring(split(Caller, '@', 0)[0]),
UPNSuffix = tostring(split(Caller, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = CallerIpAddress

Port opened for an Azure Resource [12]
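An added example that narrows the query above to the rows a hunter would act on first (it is not a content hub query): inbound NSG rules that allow any source onto a management port. It reads the same responseBody.properties fields the query above parses, plus sourceAddressPrefix; the port list and the set of "any" source values are assumptions. It also deliberately has no time filter, so unlike the query above (which uses a 1d lookback) it can be attached to Livestream as described in the Livestream section.

```kql
// Added example: tightened "port opened" hunt, not from the content hub.
// Keeps only NSG inbound Allow rules whose source is "any" and whose
// destination is a management port (assumed list) or a wildcard.
// No time filter on purpose: Sentinel controls the window in Livestream;
// add `| where TimeGenerated > ago(1d)` for an ad-hoc run.
AzureActivity
| where OperationNameValue has "securityRules" and OperationNameValue endswith "write"
| where ActivityStatusValue == "Accepted"     // Accepted carries the rule body
| extend rule = parse_json(tostring(parse_json(Properties).responseBody)).properties
| extend Access    = tostring(rule.access),
         Direction = tostring(rule.direction),
         Source    = tostring(rule.sourceAddressPrefix),
         Port      = tostring(rule.destinationPortRange),
         Protocol  = tostring(rule.protocol)
| where Access =~ "Allow" and Direction =~ "Inbound"
| where Source in~ ("*", "Internet", "0.0.0.0/0", "Any")
// Rules written with destinationPortRanges (plural, an array) or with an
// explicit range such as "3000-4000" are not covered here; extend the parse
// if your tenant writes rules that way.
| where Port in ("22", "3389", "5985", "5986", "*")
| project TimeGenerated, Caller, CallerIpAddress, SubscriptionId, ResourceGroup, Resource,
          Port, Protocol, Source
| extend Account_0_Name = tostring(split(Caller, "@")[0]),
         Account_0_UPNSuffix = tostring(split(Caller, "@")[1]),
         IP_0_Address = CallerIpAddress
```

The broad query above is the right starting point for a hunt because it shows every rule write; this narrowed form is what to bookmark, attach to the hunt, and eventually promote to an analytics rule once the false-positive rate on your own subscriptions is known.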


Summary

A reactive approach, acting on alerts after they fire, is the traditional way to handle anomalous situations in an organization's security. A proactive approach secures the organization better, and hunting is that proactive approach: querying the collected logs continuously surfaces anomalous activity that the scheduled detections missed. KQL provides the commands required. Microsoft Sentinel's hunting feature adds bookmarking and live streaming of query results, and a created hunt can be updated with newer queries whenever required. Export and import options make hunts easier to share. With strong community support, Microsoft's threat hunting feature, implemented in Sentinel as well as Microsoft Defender, brings the required proactiveness to security operations.

References

[1] Understand cybersecurity threat hunts, Training module, Microsoft Learn

[2][4][5][6][7][8][9] portal.azure.com, Microsoft Sentinel

[3] security.microsoft.com, Hunting > Advanced hunting

[10] www.github.com/azure/azure-sentinel

[11] portal.azure.com, Microsoft Sentinel > Content management

[12] Microsoft Sentinel content hub


WRITTEN BY Sheetal Thakare
