Cloud security, Microsoft Security

5 Mins Read

Interesting Truth about Threat Hunting using Microsoft Sentinel

Microsoft Sentinel performs the following activities related to logs:

  • Collect
  • Detect
  • Investigate
  • Respond

Detection is done with the help of Analytics rules written in the KQL query. User Entity Behavior Model (UEBA) detects compromised/malicious users. If detection using the above methods skips any anomalous situation, the hypothesis-based search can be initiated using collected logs. Such search is termed as “Hunting”.

Hypothesis

To search collected logs, motive/aim/idea/assumption is used as a starting point. Different activities, as per MITRE ATT&CK framework, are queried. Results of different queries are correlated to check the starting point of the search and the motive/aim/idea/assumption is satisfied. This brings a proactive approach towards security. The hunting process flow described by Microsoft is as follows:

Microsoft’s Threat Hunting Process [1]

The Hunting feature of Microsoft sentinel is located at Sentinel–>Threat management–>Hunting as shown below:

Microsoft Sentinel Hunting Dashboard [2]

The Hunting feature of Microsoft Defender is located at Microsoft Defender–>Hunting–>Advanced hunting as shown below:

Microsoft Defender Hunting Dashboard [3]

Explore the hunt creation process from portal.azure.com. Log analytics workspace, with Sentinel instance deployed, is connected with all data collection sources using data connectors. Once the logs start streaming in the log analytics workspace, start the hunt creation process.

Explore results of all hunting queries pre-filled in Sentinel’s hunting dashboard. Queries generating results can be clubbed and saved under one hunt. Running this saved hunt provides a result-delta. Use this parameter to keep watch on the increase/decrease in results.

Microsoft Sentinel pre-filled Hunting Queries results [4]

A new hunt, with a single query, can also be created. Referring to the MITRE ATT&CK framework, queries can be written for different techniques under the tactic of interest. Once the query is found to be generating evidence, it can be added to the hunt created.

Microsoft Sentinel Hunt Creation [5]

Knowledge of KQL (Kusto Query Language) is required to be able to hunt. Hunt creation and hunting should be a continuous process. Different features related to the created hunt are:

  • Bookmarks
  • Entities
  • Queries

Microsoft Sentinel created Hunt features [6]

Bookmarks: Bookmarked results of hunting queries are displayed.

Entities: Selected hunt-related entities are displayed. Click on the entity directs to the UEBA page related to that entity. Actions taken include running a playbook and creating a threat indicator.

Queries: Selected hunt-related queries are displayed.

Livestream

Sentinel > Threat management > Hunting > Queries tab > Right-click on query > Select Add to livestream

Microsoft Sentinel Hunt Bookmarks Tab [7]

To monitor the result of a query added to the hunt as the related event occurs, add a query to Livestream. Queries without a time parameter included in the query are eligible to be added.

Sentinel > Threat management > Hunting > Livestream tab needs a play button to be clicked to show results live.

Microsoft Sentinel Hunt Livestream Tab [8]

Notebook

Microsoft Sentinel Hunt using Notebook [9]

To explore analysis and visualization with machine learning models implemented in Python, Notebook is a Threat management feature in Sentinel. Hunting with machine learning concepts gives more flexibility to the hunting process.

    1. Azure ML workspace creation

  1. Notebook creation from Template and Saving.
  2. Saved Notebook is launched to open it in Azure AML workspace.
  3. To use Notebook, click on Compute instance.

 

 

 

  • Cloud Migration
  • Devops
  • AIML & IoT
Know More

Hunting Queries from the Community Centre

Explore Sentinel queries at www.github.com/azure/azure-sentinel–>Hunting Queries folder.

GitHub Community Microsoft Sentinel Hunting Queries [11]

 

Hunting Queries from Data Connectors

Explore Sentinel queries at Sentinel–>Content management–>Content hub–>use filter Content Type–>select Hunting queries.

Microsoft Sentinel Content Hub Hunting Queries [12]

Hunting query

Example: Port opened for an Azure Resource. Go to Log Analytics and run the query


let lookback = 1d;
AzureActivity
| where TimeGenerated >= ago(lookback)
| where OperationNameValue has_any ("ipfilterrules", "securityRules", "publicIPAddresses", "firewallrules") and OperationNameValue endswith "write"
// Choosing Accepted here because it has the Rule Attributes included
| where ActivityStatusValue == "Accepted"
// If there is publicIP info, include it
| extend parsed_properties = parse_json(tostring(parse_json(Properties).responseBody)).properties
| extend publicIPAddressVersion = case(Properties has_cs 'publicIPAddressVersion', tostring(parsed_properties.publicIPAddressVersion), "")
| extend publicIPAllocationMethod = case(Properties has_cs 'publicIPAllocationMethod', tostring(parsed_properties.publicIPAllocationMethod), "")
// Include rule attributes for context
| extend access = case(Properties has_cs 'access', tostring(parsed_properties.access), "")
| extend description = case(Properties has_cs 'description', tostring(parsed_properties.description), "")
| extend destinationPortRange = case(Properties has_cs 'destinationPortRange', tostring(parsed_properties.destinationPortRange), "")
| extend direction = case(Properties has_cs 'direction', tostring(parsed_properties.direction), "")
| extend protocol = case(Properties has_cs 'protocol', tostring(parsed_properties.protocol), "")
| extend sourcePortRange = case(Properties has_cs 'sourcePortRange', tostring(parsed_properties.sourcePortRange), "")
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
ResourceIds = make_set(_ResourceId, 100)
by
Caller,
CallerIpAddress,
Resource,
ResourceGroup,
ActivityStatusValue,
ActivitySubstatus,
SubscriptionId,
access,
description,
destinationPortRange,
direction,
protocol,
sourcePortRange,
publicIPAddressVersion,
publicIPAllocationMethod
| extend
Name = tostring(split(Caller, '@', 0)[0]),
UPNSuffix = tostring(split(Caller, '@', 1)[0])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = CallerIpAddress

Port opened for an Azure Resource [12]

 

Summary

A reactive approach is a traditional way to handle anomalous situations with respect to an organization’s security. A proactive approach secures the organization in a better way. Hunting follows a proactive security approach. Hunting logs round the clock predicts possible anomalous situations. KQL provides all the necessary commands required. Microsoft Sentinel’s hunting feature provides bookmarking and the live streaming of query results. Created hunts can be updated with newer queries whenever required. Export-import options introduce ease of hunting. With community support, at a great level, Microsoft’s Threat Hunting feature, implemented using Sentinel as well as Microsoft Defender, introduces much required proactiveness to security measure implementations.

References

[1] Understand cybersecurity threat hunts – Training | Microsoft Learn

[2][ 4][5][6][7][8][9] portl.azure.com/sentinel

[3] security.microsoft.com/Hunting/advanced hunting

[10] www.github.com/azure/azure-sentinel

[11] portal.azure.com/sentinel/content management

[12] Sentinel content hub

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.

WRITTEN BY Sheetal Thakare

Share

PREV

NEXT

Comments

    Click to Comment

Related Resources

Upcoming Webinar

Demystifying Generative BI: A Deep Dive with Amazon QuickSight

By divya

Apr 25, 2024

Power Platforms

How to Employ Pipelines in Power Platform to Elevate

By Daliya V K

Apr 23, 2024

Case Study

Advanced HRMS Chatbot using AWS GenAI for Enhanced User

By gopi

Apr 22, 2024

Case Study

Automated Email Replies for a FinTech Firm Enhancing Customer

By gopi

Apr 22, 2024

Case Study

Scaler Achieves Near Real-Time Audio Transcription, Driving Productivity with

By gopi

Apr 22, 2024

Azure

A Comprehensive Study Plan for AZ-104 Certification the Key

By CloudThat

Apr 22, 2024

Azure

How to Prepare for the Exam AZ-900 Microsoft Azure

By CloudThat

Apr 22, 2024

Big Data, Cloud Computing

How to Secure Microsoft Fabric Data Warehouse?

By Pankaj Choudhary

Apr 19, 2024

Case Study

Real-time Threat Prevention and Maximizing Protection by Leveraging AWS

By gopi

Apr 16, 2024

Case Study

Effective Threat Protection with AWS WAF Configuration Resulting in

By gopi

Apr 16, 2024

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!