Microsoft Sentinel Training Notes

The document provides feedback on training materials for Azure Sentinel across 4 days. It identifies several issues including heading typos, outdated documentation links, incorrect order of content, and missing content. Suggested improvements are also provided such as swapping the order of two articles and including missing presentation slides and Jupyter notebook content. Additional recommended content on security investigation with Azure Sentinel and Jupyter notebooks is also flagged as missing.

Feedback and POIs

15 June 2021 11:43

Issues Encountered

Day 1 - Overview
Section 2 (Getting Started With Sentinel) [Heading Typo]
"Gettin started with Azure Sentinel" should read "Getting started with Azure Sentinel"

Day 2 - Designing the Deployment
Section 1 (Cloud Architecture and multi-workspace/tenant support) [Document Outdated]
Controlling access to Azure Sentinel Data: Resource RBAC is now included in official documentation at:
https://docs.microsoft.com/en-us/azure/sentinel/resource-context-rbac
Section 1 (Cloud Architecture and multi-workspace/tenant support) [Incorrect Order]
The last two articles should be swapped in order, as the Lighthouse article mentions several concepts already discussed in the Code article.
Section 2 (Collecting Events) [Document Outdated]
Azure Sentinel: Creating Custom Connectors is now official documentation at:
https://docs.microsoft.com/en-us/azure/sentinel/create-custom-connector

Day 3 - Kusto Query Language (KQL)
Pluralsight Difficulties - Course is actually free
○ Sign up to Pluralsight with your bank details
○ Take the KQL course within 10 days; the 200-minute limit does not apply to this course
▪ It doesn't state anywhere that this is the case, however!
▪ Cancel the subscription in Billing & Information, then delete personal data in Account Management

Day 4 - Creating Content
Section 2 (Creating Playbooks in Azure Sentinel) [Missing Content]
Presentation slides return a 404 error

Additional Recommended Content
Section 2 (Jupyter Notebooks) [Missing Content]
Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 1
https://techcommunity.microsoft.com/t5/azure-sentinel/security-investigation-with-azure-sentinel-and-jupyter-notebooks/ba-p/432921

Training Notes Page 1


Introduction Videos
14 June 2021 10:01

Azure Sentinel sits on top of all applications and receives information from plug-ins called connectors.
The selling point of Sentinel is the ease of use and setup.

• Cloud-native SIEM
• Alert fatigue: the video claims alert volume is reduced by 93% via machine learning
• Can cover multiple cloud services including AWS etc. as well as on-premises assets using data connectors; you are even able to manually ingest data for which no connector currently exists, so that there is total coverage
• O365 can be ingested completely for free
• Use dashboards to view an overview of data, including partner developments (Palo Alto made a dashboard for Sentinel)
• The Azure-Sentinel GitHub has rules written by the community and shared with peers so that it helps everyone
• Sharing detections and best practices across the Sentinel community
• Uses KQL (Kusto Query Language)
• Machine learning and AI can filter billions of logs down to just a handful of cases
• (Example: anonymous login + suspicious email forwarder = high-level breach)
• The investigation module shows a spider graph of how the user has done what they have done and maps the entire attack
• Playbooks are built on Azure Logic Apps
• Pre-built or custom playbooks enable attack disruption as well as detection
• Integration with third-party apps like ServiceNow or Palo Alto to block IPs and ADs
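The "anonymous login + suspicious email forwarder" example above is the shape of a multi-stage correlation: two alerts that are individually noisy become one high-fidelity incident when they hit the same user in order and within a window. The block below is an added example (not code from the notes or from Microsoft) that implements that chaining in Python over constructed alerts. Everything in it is hypothetical: the Alert/Incident records, the alert kinds, the 24-hour window and the sample data; in Sentinel the real version is a Fusion or scheduled analytics rule written in KQL over tables such as SigninLogs and OfficeActivity.

```python
"""
Added example: toy Fusion-style chaining of "anonymous-IP sign-in" followed by
"new inbox forwarding rule" for the same user. Not Sentinel code; all names,
alert kinds, the window and the sample alerts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

ANON_SIGNIN = "anonymous_ip_signin"        # hypothetical alert kind
FORWARD_RULE = "inbox_forwarding_rule"     # hypothetical alert kind
WINDOW = timedelta(hours=24)               # hypothetical correlation window


@dataclass(frozen=True)
class Alert:
    time: datetime
    user: str
    kind: str
    detail: str


@dataclass(frozen=True)
class Incident:
    user: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    alerts: Tuple[Alert, ...]


def fuse(alerts: List[Alert], window: timedelta = WINDOW) -> List[Incident]:
    """One High incident per user whose anonymous-IP sign-in is followed, within
    `window`, by a new inbox forwarding rule. Order matters: a rule created
    *before* the suspicious sign-in is not chained to it."""
    by_user: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.time):
        by_user.setdefault(a.user, []).append(a)

    incidents: List[Incident] = []
    for user, events in by_user.items():
        signins = [a for a in events if a.kind == ANON_SIGNIN]
        rules = [a for a in events if a.kind == FORWARD_RULE]
        for s in signins:
            later = [r for r in rules if s.time <= r.time <= s.time + window]
            if later:
                chain = (s, *later)
                incidents.append(Incident(user, "High", s.time, later[-1].time, chain))
                break  # one incident per user; later alerts attach to it
    return incidents


def triage(alerts: List[Alert]) -> Tuple[List[Incident], int]:
    """Return the fused incidents and how many raw alerts were *not* promoted,
    i.e. the noise an analyst no longer has to look at one by one."""
    incidents = fuse(alerts)
    promoted = sum(len(i.alerts) for i in incidents)
    return incidents, len(alerts) - promoted


def sample_alerts() -> List[Alert]:
    """Constructed sample data (not real telemetry)."""
    t0 = datetime(2021, 6, 14, 9, 0)
    h = timedelta(hours=1)
    return [
        # alice: anonymous sign-in, then a forwarding rule 90 minutes later -> chained
        Alert(t0, "alice", ANON_SIGNIN, "Tor exit node"),
        Alert(t0 + 1.5 * h, "alice", FORWARD_RULE, "forward to external mailbox"),
        # bob: rule first, sign-in later -> wrong order, not chained
        Alert(t0 - 1 * h, "bob", FORWARD_RULE, "forward to self"),
        Alert(t0 + 3 * h, "bob", ANON_SIGNIN, "VPN provider"),
        # carol: both stages, but 3 days apart -> outside the window
        Alert(t0, "carol", ANON_SIGNIN, "Tor exit node"),
        Alert(t0 + 72 * h, "carol", FORWARD_RULE, "forward to external mailbox"),
        # dave: a single low-fidelity alert only
        Alert(t0 + 2 * h, "dave", ANON_SIGNIN, "anonymizer"),
    ]


if __name__ == "__main__":
    found, noise = triage(sample_alerts())
    for inc in found:
        print(inc.severity, inc.user, [a.kind for a in inc.alerts])
    print(f"{noise} alerts left unpromoted")
```

Seven alerts go in and one incident comes out; the other five stay as low-severity alerts rather than becoming five tickets. Widening the window to 96 hours also promotes carol, which is the tuning trade-off the real rules expose.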

Introduction to Sentinel Page 2


Azure Sentinel Deep Dive Webinar
14 June 2021 11:22

Functionality deep dive looking at features and use cases, with a focus on new features, plus a technical overview.

End-to end solution


1. Visibility (Collect)
2. Analytics (Detect)
3. Hunting (Detect)
4. Incidents (Investigate)
5. Automation (Respond)

Microsoft Security Advantage - Investment of $1 billion a year with a team of over 3500 experts

Topic 1 - Collection

Sentinel has the ability to collect from any source: Microsoft products, other clouds like AWS, and on-prem collection.

On-Premises
• Can collect OS logs and streams of data, including Linux and Windows as well as firewalls etc., using agents
• Remote collection is also possible, including syslog from Linux on a VM through TLS, TCP or UDP
• Can collect via the cloud, for branch offices for example
• Logstash has a Sentinel plugin
• WEF - Windows Event Forwarding
• F5, Barracuda and Symantec can send to Sentinel via REST API
• The last option is the ability to create custom connectors for sources not already covered by Sentinel's built-in connectors; Azure Functions, Logic Apps or PowerShell can provide this

There is a full collection of blog posts available for the different collection methods in Sentinel.

Topic 2 - Visualisation

Once data is collected it needs to be visualised in a dashboard.

Dashboards/Workbooks
• Dashboards are now presented in a new way known as workbooks; an engineer can create an app or tailored workbook
• Able to choose from a pre-set gallery
• Customise workbooks in order to make your own using unique queries
• Gain insights and take advantage of rich graphs and visualisation methods
• These are interactive, similar to Splunk; searches let you tabulate and visualise other data that might not be covered by the dashboard/workbook (uses KQL)

Topic 3 - Analytics

Leveraging analytics to detect threats
• Has 100s of pre-built analytics rules; they can be modified and customised and are focused on being production ready
• Create new rules using KQL and contribute them to the Sentinel GitHub
• Able to use 3rd-party CTI and Microsoft-provided threat intelligence to correlate data
• Triggered automated playbooks can then be used

Use machine learning to increase the catch rate without the noise
ML concepts are used to narrow down activity to the things that really need to be seen and help with the reduction of alert fatigue.
• Able to use built-in models with no ML experience required
• Detects anomalies
• Fuses data sources to detect threats that span the kill chain
• Able to import your own ML models

Topic 4 - Incidents & Investigation

Collecting alerts, both Microsoft or otherwise, as well as alerts detected by Sentinel, and managing them centrally.

Tracking Investigations and Incidents
• An incident is a collection of related alerts, events and bookmarks
• Management of assignments and tracking of statuses
• Add tags and comments to an incident
• Integrate with your ticketing system within the business (e.g. ServiceNow); they can also be synced, for example a ticket closed in ServiceNow will close the incident in Sentinel also

Visualise the entire attack
• Navigate between relationships by creating a detailed spider diagram/mind map
• See all related datapoints such as alerts or users etc.
• Able to expand each node so that detailed information can be read by the investigator
• Optional timeline feature to show when each alert, bookmark or event happened

Gaining Insights with Automated Detonation
• Obfuscated URLs can be expanded
• Enables the searcher to see the actual webpage that the user saw on the screen

These insights and the spider diagram are very good for triage and for making a graph-led investigation; they allow you to see the full cycle of the kill chain.

Topic 5 - Hunting

Hunting is an alternate way of running a SOC and is a proactive rather than reactive approach. Hunting is the art of moving through your systems and searching for attacker activity that existing detections have missed.

Hunting through Security Data with fast & flexible Queries
• Process and know-how rather than a feature
• Large sets of pre-built queries developed by the research team to help you begin hunting for threats (no experience required), based on the MITRE ATT&CK framework and filterable by tactic
• Custom hunting queries can be written, as well as modifications to the pre-built ones (KQL)
• Start an investigation from the results of hunting (bookmark); a result can be marked and returned to later for investigation
• Filters can be name, attack type, tactic type from MITRE ATT&CK etc.

Exploring Datasets
• Extensive search suite available that can make use of free text or fields
• Table the data
• Visualise the results
• Automatically detect anomalies and outliers

Use Bookmarks and Live Stream to manage Hunts
• Bookmark notable data and create an artifact from it, from either searching or hunting
• That bookmark can be used to create an investigation, or you are able to add the bookmark to an existing investigation
• Use Live Stream to see new threat activity in real time using queries

Use Jupyter Notebooks for Advanced Threat Hunting
• Open-source technology that can run in the Azure cloud; the Azure version is called Azure Notebooks
• Snippets of code and documentation stitched together that can do things and then display them
• Programming-based interface, so it is more powerful than simple query-based analysis
• Saveable and shareable as HTML/JSON
• Able to ingest both Sentinel data and external data sources
• Able to use a language of your choice because it is programmable: Python, SQL, KQL etc.

Topic 6 - Automation

Automate and orchestrate using Azure Logic Apps
• Build automated and scalable playbooks that can be used across multiple tools
• There is a library of samples available, including a community GitHub
• Ability to create your own playbooks using over 200 connectors to external systems
• These playbooks can be triggered automatically based on an alert, or during incident investigation using the playbook button on the drill-down

Use a workflow/flowchart to create a logical process of response and execute the set of actions you want performed, in a certain order.



Getting Started with Sentinel
14 June 2021 14:38
Workbooks
Able to create interactive reports and use workbook templates too

Analytics
Correlates all alerts and uses AI or ML to create high-fidelity security incidents

Automation & Orchestration
Buildable playbooks to act automatically on an alert or incident, based on a workflow designed in Azure Logic Apps

Investigation
The spider graph is able to show relations between events or alerts; a drill-down feature is included to see more detail

Hunting
Allows you to proactively search for threats using tactics integrated with the MITRE ATT&CK framework

Community
As well as many Microsoft pre-written rules, hunting methods and investigation queries, the community is able to contribute through the Microsoft Sentinel GitHub

Azure Security Compass
A system used for exploring recommendations from Microsoft about how to go about a decision, or best practices. Best practices are formulated from many customers and through research.

QuickStart: On-board Azure Sentinel
Prerequisites
• Azure subscription (active)
• Log Analytics workspace
• Contributor permissions
• Contributor or Reader permissions on the resource group that Sentinel belongs to
• Additional permissions may be needed to connect to certain data sources
• Sentinel is a paid service (service costs)

Geographical Availability
Ensure that the data you are ingesting and working on abides by the right residency compliance.
China and Germany are unavailable for hosting Azure Sentinel.

QuickStart: Starting with Sentinel
Visualisation
Look at the overview dashboard to see where to start.
Malicious traffic map - orange is inbound, red is outbound.

Integrating a 3rd-party SIEM
Any SIEM solution that supports Event Hub ingestion, via the Graph Security API. This can be done for ticketing systems too:
QRadar
Splunk
ServiceNow
Jira
ArcSight
etc.



Sentinel Pricing
14 June 2021 15:47

In this example the costs shown are for US Central Region and prices shown in US Dollars ($)
Pricing is available for other regions and in different currencies.

Azure Sentinel

Tier (per day)   Price (per day)   $/GB    PAYG saving
100 GB           $123              $1.23   50%
200 GB           $222              $1.11   55%
300 GB           $320              $1.07   57%
400 GB           $410              $1.03   58%
500 GB           $492              $0.99   60%
1000 GB          $960              $0.96   61%
2000 GB          $1821             $0.92   63%
5000 GB          $4305             $0.87   65%

Azure Sentinel Pay-As-You-Go = $2.46 per GB

The free trial is 31 days and will not charge for ingestion of data during this period; data will also be retained after the trial has finished for the first 90 days, then it becomes billable as per retention pricing in Azure Monitor Log Analytics.

Azure Monitor

It is important to note that Azure Monitor charges for both ingestion of data and retention of data.

Tier (per day)   Price (per day)   $/GB    PAYG saving
100 GB           $219.52           $2.20   15%
200 GB           $412.16           $2.07   20%
300 GB           $604.80           $2.02   22%
400 GB           $788.48           $1.98   23%
500 GB           $968.80           $1.94   25%
1000 GB          $1904             $1.91   26%
2000 GB          $3718.40          $1.86   28%
5000 GB          $9016             $1.81   30%

Azure Monitor Pay-As-You-Go
The first 5 GB per billing account per month is free; after this allowance it is charged at $2.76 per GB.
Data retention = $0.12 per GB

There are many more costs associated with Azure Monitor, including data exports, SMS notifications and custom metrics.



Azure Sentinel MSSP & Distributed Organisation Support
Webinar
15 June 2021 09:08

Azure Basics
Microsoft Tenant - Identity management framework

Azure Tree
Management Groups -> Subscriptions -> Resource Groups -> Resources

Azure Sentinel Workspace


This stores the following things:
• Resource Container for Sentinel
○ Event database
○ Rules
○ Incidents
• But Not
○ Playbooks/Logic Apps
○ Workbooks/Dashboards/Reports

These last two are recommended to be in the same resources groups as Sentinel

Sentinel is fully compatible and integrated with the Log Analytics service in Azure

Multi-Workspace Best Practices


Why use Multi Workspaces?
1. Multiple SOCs such as Global and Local
2. MSSP Customers SOC Capability
3. Data Ownership and Compliance
4. Multiple Azure Tenants

Other considerations for multi-workspace: fine-grained retention settings, a legacy multi-workspace architecture, or separated billing and reporting.

Bottom line: you want to REDUCE the number of workspaces as much as possible, but sometimes more than one is simply required. Minimise the count as far as you can.

Hybrid Model
Use a central hub to manage all the sentinel workspaces then allocate a workspace for each customer/tenant/subsidiary

Advantages
Flexible role Management both Global and local for MSSP customers or your own tenants
No data ownership challenges
Minimize Costs and latency
Easy onboarding and offboarding

How do you?
• Central Monitoring
• Central deployment and configuration
• IP Protection

Implementing Sentinel Across Multiple Workspaces


5 step plan each with multiple sub-steps

1. Consolidate Workspaces
a. Send events to a central workspace using Agent Multi-homing or current solutions could be migrated to a central location
b. Use Azure Security Centre default workspace
c. Use resource RBAC to segregate roles and permissions for each department or SOC vs non-SOC teams
d. Use per Table Retention Period
2. Work Across workspaces
a. Cross-workspace queries are the easiest way to access data. They become cumbersome because every workspace has to be named, but this can be compressed using a KQL function that wraps the union.
b. Cross Workspace Workbooks are available to display alerts and connector status
c. Use the central incidents screen to look at multiple workspaces incidents managed in one location
3. Automate deployment and configuration across workspaces
a. Use API, ARM or PowerShell to deploy and configure everything within the system
b. Operationalize Sentinel using CI/CD with GitHub > Az DevOps > Az Pipelines > Sentinel Workspaces
4. Use Azure Lighthouse to extend to workspaces across tenants
a. Lighthouse extends support for everything discussed so far across tenant boundaries: queries, workbooks, incident management and automation.
5. (optional) Integrate with a ticketing system

MSSP Billing Options


Either one of two options:

CSP (Cloud Solution Provider) - you own the service and have the ability to re-sell to the customer
Or
DPOR/CPOR (Digital/Claiming Partner of Record) - the customer manages their environment, but you get spiff/commission payments for helping the customer manage their solution directly with Microsoft

Protecting IP (Intellectual Property)


How to protect data from your customers

Run content from your own tenant. This can protect Rules, Queries, playbooks and workbooks
Or
Use a CSP subscription so that you hold the master key and the customer by default cannot see anything. You are then able to grant the customer just the permissions they need to see what they need to, thereby protecting your content.

Designing Deployment Page 6


Multi-Workspace and Multi-Tenants
15 June 2021 11:01

Requirement: Sovereignty and regulatory compliance
Description: A workspace is tied to a specific region. If data needs to be kept in different Azure geographies to satisfy regulatory requirements, it must be split into separate workspaces.

Requirement: Data ownership
Description: The boundaries of data ownership, for example by subsidiaries or affiliated companies, are better delineated using separate workspaces.

Requirement: Multiple Azure tenants
Description: Azure Sentinel supports data collection from Microsoft and Azure SaaS resources only within its own Azure Active Directory (Azure AD) tenant boundary. Therefore, each Azure AD tenant requires a separate workspace.

Requirement: Granular data access control
Description: An organization may need to allow different groups, within or outside the organization, to access some of the data collected by Azure Sentinel. For example:
• Resource owners' access to data pertaining to their resources
• Regional or subsidiary SOCs' access to data relevant to their parts of the organization
Ways to reduce workspace count: Use resource Azure RBAC or table-level Azure RBAC

Requirement: Granular retention settings
Description: Historically, multiple workspaces were the only way to set different retention periods for different data types. This is no longer needed in many cases, thanks to the introduction of table-level retention settings.
Ways to reduce workspace count: Use table-level retention settings or automate data deletion

Requirement: Split billing
Description: By placing workspaces in separate subscriptions, they can be billed to different parties.
Ways to reduce workspace count: Usage reporting and cross-charging

Requirement: Legacy architecture
Description: The use of multiple workspaces may stem from a historical design that took into consideration limitations or best practices which do not hold true anymore. It might also be an arbitrary design choice that can be modified to better accommodate Azure Sentinel.
Ways to reduce workspace count: Re-architect workspaces

Examples include:
• Using a per-subscription default workspace when deploying Azure Security Centre
• The need for granular access control or retention settings, the solutions for which are relatively new

Using Multiple Workspaces as an MSSP

It is highly recommended that if you are an MSSP (Managed Security Service Provider) you separate all of your customers into different workspaces, to make sure they do not have access to other people's data etc.

Multi-Workspace Architecture Diagram
(diagram not captured in these notes)

Cross-Workspace Monitoring
There are several ways that you can work across multiple workspaces:

Incident Manager
All incidents from multiple workspaces can be viewed in a single pane of glass, in the form of the Multiple Workspace Incident View in Sentinel.

Cross-Workspace Queries
This makes querying across multiple workspaces easy: per-workspace expressions can be joined into a single statement, and long, complex workspace names can be hidden behind a saved function:

    union workspace("hard-to-remember-workspace-name-1").SecurityEvent,
          workspace("hard-to-remember-workspace-name-2").SecurityEvent

Saved as a Log Analytics function named unionSecurityEvent, the query would become

    unionSecurityEvent | where…

Limitations
Cross-workspace queries can only be conducted with a maximum of 20 workspaces, and all of the workspaces MUST have an instance of Azure Sentinel deployed on them.

Azure Lighthouse
Lighthouse is a system that enables all of the functionality covered here in Sentinel to be extended and executed across not only multiple workspaces but multiple Microsoft tenants.

Cross-Workspace Workbooks
Workbooks can provide cross-workspace queries in one of three ways, each of which caters to a different level of end-user expertise:
1. Write cross-workspace queries
2. Add a workspace selector to the workbook
3. Edit the workbook interactively

Automation
All of the functionality can be managed through PowerShell and APIs so that the whole process can be automated.

Cross-Workspace Hunting
Sentinel has some pre-built cross-workspace queries developed by the Microsoft research team; however, these can be edited and modified to fit your needs.



Cross-Workspace Query in Azure Monitor
15 June 2021 11:32

https://docs.microsoft.com/en-us/azure/azure-monitor/logs/cross-workspace-query

There are many difficult and complex rules to understand when it comes to making queries across resources, as many of the identifiers are ambiguous and so resources need to be referenced by something that is unique (resource ID rather than name).

The linked page has the full list of which identifiers are unique and which are not.



RBAC in Sentinel
15 June 2021 11:42

RBAC is used to limit access to certain users. For example, a non-SOC team may only be able to read a certain resource's data but cannot see everything within the workspace.

This can also be used to separate customers on a single workspace.

Permissions and data access are good scenarios where a SOC and a non-SOC team are separated: the SOC team may have access to the full workspace, whereas the non-SOC team can only see a specific resource.

Explicitly Configure resource-context RBAC

This can be used to group together non-Azure resources and control access to their data using Azure RBAC.

If you have lots of external resources being forwarded via a VM (log or collector agent), make sure that the collector VMs are separated per owner; this also applies to external clouds such as AWS. Azure resource IDs can then be assigned to these machines using Azure Arc, after which they can be managed using standard Azure RBAC.

This tagging is used for sources such as CEF, syslog or WEF; the tags are assigned to the collector VMs, so the data inherits the collector's resource context.



Azure Sentinel DevOps and Code Capabilities
15 June 2021 12:09

Huge Code Blogs:

Lighthouse
Using Lighthouse, different customers can select different plans or roles. This carries over into DevOps and gives each customer a different level of support and security.

DevOps can keep separate repos. If a master repo has changes then all customers will see the change. Alternatively, each customer can have a folder within the repo, so that shared content is kept at a higher level than each individual customer's code or developments.



Cloud & On-Premises Architecture Webinar
16 June 2021 09:29

Collection

The SIEM is there to serve as the nerve centre for the whole security operation and has the ability to collect information from anywhere within your IT estate.

Sentinel has the ability to collect from all Azure sources, other cloud providers such as AWS, and finally it has the ability to monitor any on-premises equipment or services.

Collecting from an external system
Collecting from a Windows or Linux machine on-prem can be done by installing an agent on the machine and sending that traffic through a proxy VM known as a collector. That VM will then forward the traffic to Sentinel.

Collecting from an external system with no agent
This could commonly be a security appliance sending things such as syslog or CEF; you need to use a syslog connector. This connector will then forward on to a regular collector VM.

Branch Office
This would send syslog traffic over TLS to an auto-deployed syslog connector in the cloud, which would forward the traffic to Sentinel via HTTPS.

Custom Connectors
• For events or enrichment of data
• Can use PowerShell with the API
• Use Logic Apps
○ Scheduled or HTTP triggered
○ Files, databases or API
○ On-prem gateway
• Direct API use
○ Ruby, Python, PHP, C#
○ Serverless with Azure Functions

Log Analytics Agent
• Can be installed on Linux or Windows
• Collects AD, Sysmon and many others such as SQL Server
• Has the ability to pick up some extra things such as:
○ DNS events
○ Windows Firewall events
○ IIS events
○ Files
○ FluentD plug-ins
This can be deployed through automation in Azure; it then has a central management suite and also supports proxies.

CEF (Common Event Format)/Syslog Collectors

How to deploy a CEF connector
1. Set up an Azure Linux VM of your liking
2. Run a deployment script (link is available in Azure)
a. Installs the Log Analytics agent
b. Configures it
c. Configures the syslog daemon
3. Support multiple CEF sources with a single collector
Note: WEF (Windows Event Forwarding) deployment is nearly identical; simply replace rsyslogd/syslog-ng with a Windows Event Forwarder!

Scaling CEF/Syslog Collection
Scale to 10k using just 4 cores; an F4_v2 is ~$20/month. All real processing is in the cloud.

Clustering
• Static distribution
• HAProxy
○ Simple, free and provides failover
○ No UDP support (TCP only)
• Commercial load balancer
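The custom-connector options above (PowerShell with the API, direct API use from Ruby/Python/PHP/C#, Azure Functions) all come down to posting JSON to the Azure Monitor HTTP Data Collector API for the workspace. The block below is an added example, not code from the notes or from Microsoft, that builds and signs such a request in Python. The host, resource path, api-version, header names and SharedKey signature format follow Microsoft's public documentation for that API; the workspace ID, key, Log-Type and firewall records are constructed placeholders. Nothing is sent over the network: the request is only built and re-verified, so the signing logic can be checked offline.

```python
"""
Added example: build and sign an Azure Monitor HTTP Data Collector API request.
Not Microsoft's sample code. Workspace ID, key and records are placeholders.
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")   # letters, digits, underscore only


def build_signature(workspace_id: str, shared_key_b64: str, rfc1123_date: str,
                    content_length: int, method: str = "POST") -> str:
    """Authorization: SharedKey <workspaceId>:<base64(HMAC-SHA256(key, string_to_sign))>
    where string_to_sign = method, body length, content type, x-ms-date header
    and resource path joined by newlines. Note it covers the body *length*, not
    the body bytes."""
    string_to_sign = "\n".join([
        method, str(content_length), CONTENT_TYPE,
        "x-ms-date:" + rfc1123_date, RESOURCE,
    ])
    key = base64.b64decode(shared_key_b64)
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def table_name(log_type: str) -> str:
    """Records posted with Log-Type X land in the custom table X_CL."""
    return f"{log_type}_CL"


def build_request(workspace_id: str, shared_key_b64: str, log_type: str,
                  records: List[Dict[str, Any]], when: Optional[datetime] = None,
                  time_field: str = "TimeGenerated") -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for a POST to the Data Collector API."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError(f"invalid Log-Type {log_type!r}: letters, digits and _ only")
    when = when or datetime.now(timezone.utc)
    rfc1123 = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    url = (f"https://{workspace_id}.ods.opinsights.azure.com"
           f"{RESOURCE}?api-version={API_VERSION}")
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, shared_key_b64, rfc1123, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123,
        "time-generated-field": time_field,   # record field to use as TimeGenerated
    }
    return url, headers, body


def verify_signature(headers: Dict[str, str], body: bytes, workspace_id: str,
                     shared_key_b64: str) -> bool:
    """Recompute the signature from what would go on the wire; constant-time
    compare so this can double as a check on a captured request."""
    expected = build_signature(workspace_id, shared_key_b64, headers["x-ms-date"], len(body))
    return hmac.compare_digest(expected, headers["Authorization"])


# Constructed sample: placeholder workspace ID and key, made-up firewall records.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(b"not-a-real-key-" * 4).decode("ascii")
SAMPLE_RECORDS = [
    {"TimeGenerated": "2021-06-16T09:29:00Z", "Device": "fw-branch-01",
     "Action": "deny", "SrcIp": "203.0.113.9", "DstPort": 3389},
    {"TimeGenerated": "2021-06-16T09:29:05Z", "Device": "fw-branch-01",
     "Action": "allow", "SrcIp": "198.51.100.20", "DstPort": 443},
]


def sample_request() -> Tuple[str, Dict[str, str], bytes]:
    fixed = datetime(2021, 6, 16, 9, 30, tzinfo=timezone.utc)   # fixed clock, reproducible
    return build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY, "BranchFirewall",
                         SAMPLE_RECORDS, when=fixed)


if __name__ == "__main__":
    url, hdrs, payload = sample_request()
    print(url)
    print(hdrs["Authorization"])
    print("lands in table", table_name(hdrs["Log-Type"]))
    # to actually send: requests.post(url, headers=hdrs, data=payload)
```

Two practitioner caveats. The workspace primary key in the signature is a full-write credential for the workspace, so a connector running on a collector VM or in a Function should read it from Key Vault or a managed secret, never from a script. And since these notes were written Microsoft has deprecated the Data Collector API in favour of the Logs Ingestion API (data collection rules, Azure AD auth); the SharedKey scheme shown here is what the older custom connectors on this page use.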



Sentinel Log Management
16 June 2021 13:33



Sentinel Threat Intelligence Webinar
16 June 2021 13:36
How to bring Threat Intelligence into Sentinel
Sentinel does NOT have threat intelligence built in; it has to be imported from another platform. This is done through data connectors (TAXII or TI platforms).

Custom connectors can be made with Python, C#, Node.js or through Azure Logic Apps.

Setup of a Data Connector (TIP)


1. Register an App to represent your TI Platform of choice
2. Configure the TIP to send threat indicators to Microsoft
3. Enable the Data Connector in Azure Sentinel

TAXII Data Connector


Ensure that a TAXII 2.0 or 2.1 server is chosen (lower versions not supported)
1. Discover TAXII Server collection (X-Force etc)
2. Enable TAXII data connector in Azure Sentinel for each collection

Where to view Indicators


Logs > SecurityInsights > ThreatIntelligenceIndicator > …
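
The ThreatIntelligenceIndicator table is what the built-in "TI map" analytics rule templates join your logs against. The block below is an added example, not from the notes or from Microsoft, that reduces that join to plain Python over constructed data so the filtering conditions are visible: only indicators that are Active, not past ExpirationDateTime and above a confidence floor are matched, because a stale feed produces false positives on recycled IP space. The field names mirror columns of that table (NetworkIP, Active, ExpirationDateTime, ConfidenceScore); the indicators, sign-ins and addresses themselves are made up (TEST-NET documentation ranges).

```python
"""
Added example: the matching logic behind Sentinel's TI map rule templates,
run over constructed indicators and sign-ins. Not Sentinel code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class Indicator:
    indicator_id: str
    network_ip: str          # single address or CIDR, as in NetworkIP
    active: bool             # Active column
    expiration: datetime     # ExpirationDateTime column
    confidence: int          # ConfidenceScore, 0-100
    description: str


@dataclass(frozen=True)
class Signin:
    time: datetime
    user: str
    ip: str


@dataclass(frozen=True)
class Match:
    time: datetime
    user: str
    ip: str
    indicator_id: str
    confidence: int
    description: str


def usable(ind: Indicator, now: datetime, min_confidence: int) -> bool:
    """Indicator must be active, unexpired and confident enough to act on."""
    return ind.active and ind.expiration > now and ind.confidence >= min_confidence


def match_signins(signins: List[Signin], indicators: List[Indicator],
                  now: datetime, min_confidence: int = 50) -> List[Match]:
    """Join sign-ins to usable indicators; CIDR indicators match whole ranges."""
    nets = [(ip_network(i.network_ip, strict=False), i)
            for i in indicators if usable(i, now, min_confidence)]
    hits: List[Match] = []
    for s in signins:
        addr = ip_address(s.ip)
        for net, ind in nets:
            if addr in net:
                hits.append(Match(s.time, s.user, s.ip, ind.indicator_id,
                                  ind.confidence, ind.description))
    return hits


# Constructed sample data (documentation address space, not real indicators).
NOW = datetime(2021, 6, 16, 14, 0, tzinfo=timezone.utc)
FAR = datetime(2030, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2020, 1, 1, tzinfo=timezone.utc)


def sample_indicators() -> List[Indicator]:
    return [
        Indicator("ind-1", "203.0.113.0/24", True, FAR, 80, "C2 range"),
        Indicator("ind-2", "198.51.100.7", True, PAST, 90, "expired scanner"),
        Indicator("ind-3", "192.0.2.5", False, FAR, 95, "revoked indicator"),
        Indicator("ind-4", "198.51.100.9", True, FAR, 20, "low-confidence proxy"),
    ]


def sample_signins() -> List[Signin]:
    t = datetime(2021, 6, 16, 13, 0, tzinfo=timezone.utc)
    return [
        Signin(t, "alice", "203.0.113.45"),   # inside the active C2 range -> match
        Signin(t, "bob", "198.51.100.7"),     # indicator expired -> no match
        Signin(t, "carol", "192.0.2.5"),      # indicator inactive -> no match
        Signin(t, "dave", "198.51.100.9"),    # below confidence floor -> no match
        Signin(t, "erin", "10.0.0.4"),        # no indicator at all
    ]


def run_example(min_confidence: int = 50) -> List[Match]:
    return match_signins(sample_signins(), sample_indicators(), NOW, min_confidence)


if __name__ == "__main__":
    for m in run_example():
        print(m.user, m.ip, "->", m.indicator_id, m.confidence, m.description)
```

With the default floor only alice's sign-in is flagged; dropping the floor to 0 also flags dave, which is the knob to turn if a feed's ConfidenceScore is not trustworthy.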

Making Custom Alerts in Analytics


Analytics rules can be made from scratch or used from the 26 pre-built templates.

Ensure that you Map the activities if making custom rules.

When a rule is mapped then the spider graph investigations window will be available for your alerts.

Threat Intelligence Terminology

Azure Sentinel
The main thing that Sentinel focuses on is the tactical level of threat intelligence.

Threat intelligence is scattered throughout Sentinel, and multiple features can be enhanced if you plug in your business threat intelligence feed.

https://aka.ms/sentineltiblog
Blog for more information, including command-line usage etc.

Threat Intelligence Workbooks
There are built-in workbooks made for threat intelligence, or you can make your own (100% customisable). They are built using queries.

These dashboards are nice because you can see lots of charts and graphs providing interesting information about your threat intelligence feed:
• Threat Overview
• Alert Count by Indicator
• Threat Intelligence Efficacy
• Threat Timing (1 week ahead or 1 week behind)



KQL Practice
18 June 2021 15:15

Resources
Cheat Sheet:
Test Environment: https://aka.ms/lademo
Optimisation:
Data Source References:

Kusto Query Language (KQL) Page 14


KQL from Scratch
22 June 2021 14:42

80 percent operators

Search
Where
Take
Count
Summarize
Extend
Project
Distinct
Top



Writing Rules in Azure Sentinel
29 June 2021 11:14

Correlation Rules Deep Dive Webinar


Correlation is a term from ArcSight

Creating Content Page 16
