Azure Sentinel webinar: Understanding Azure Sentinel features and functionality deep dive


Valon: Welcome everyone. We’ll be waiting two to three minutes to get started as a courtesy to those still in the middle of connecting.

Valon: Welcome everyone, thanks for joining us and thanks for being part of our community. We have a great topic to cover today, but first a few reminders. Note that for today’s call we’re targeting to go over 60 minutes, close to a 90 minute session. During this time please feel free to ask questions at any time by typing them in the question window. Be aware that any questions you pose will be publicly visible; however, if you prefer, you can post your question anonymously by checking the box right below where you enter it. We often get many questions on these webinars and we will do our best to respond to all of them in real time, but I want to provide an additional mechanism to ensure any questions we miss get answered. If you visit us at aka.ms/AzureSentinelCommunity you’ll be able to ask questions on our Azure Sentinel forum. If you’re listening to this after the fact as a recording, that’s also a great place to ask a question. We always love to hear your feedback and how we can improve these webinars; you can do so at aka.ms/SecurityWebinarFeedback. Please note that this webinar is being recorded and will be shared publicly. We will post the recordings on our community at aka.ms/SecurityWebinars. While you are there, please join our community by visiting aka.ms/SecurityCommunity. That’s the best way to ensure you don’t miss any future webinars or major announcements. On our community you can speak directly to our engineering teams that create our security products. You’ll be able to influence our product designs and get early access to changes by doing things like participating in private previews (you can sign up for that at aka.ms/SecurityPrivatePreview), requesting features, giving feedback, reviewing our product roadmaps, attending in-person events or joining webinars like this. We believe that the best way to improve our products is by removing any barriers between you and the people that create them, so we hope you’ll join us.

We have a great topic for you today: we’ll be talking about Azure Sentinel, specifically about the new features introduced at Microsoft Ignite last week and other Azure Sentinel functionality. I’d like to introduce you to our presenter. Ofer Shezaf is a member of our Azure Sentinel team who has deep expertise in this topic. Without further ado, I’ll turn it over to him. Ofer, the floor is yours.
Ofer: Thank you Valon, good day everyone, thank you for joining me for the webinar today. Before I start, even before I introduce myself: this is part of a series of webinars. Not all of your questions will be answered today, not because the great team online is not capable of that, but because some topics belong to the next episodes in the series. Today would be the first session, so we’ll talk about what the product does, the functionality. It’s a deep dive, we’ll go beyond just a basic introduction call, but there is way more to learn. Next week we’ll touch on architecture: cloud and on-prem architecture, collection, deployment and such. This would be a great opportunity for the architects and engineers among you to learn more about how to deploy Azure Sentinel. We’ll then have a short break, a break for the holidays, so those that celebrate the Christian holidays do not need to, and we’ll reconvene in January to address analysts, to talk about security and how to use Azure Sentinel in real life to operate your SOC. We’ll continue again with the security people, talking about hunting. We already had a hunting webinar in September; we’ll revisit the topic in January. So this is just the first episode; the entire season is ahead of us.

Today we will discuss an overview, a technical overview deep dive, focusing on new features introduced at Microsoft Ignite last week. My name is Ofer Shezaf, I’ll be delivering this overview. I joined Microsoft specifically for the Sentinel project around a year ago. My background is SIEM; I came from many years as a product manager at ArcSight, which used to be the leading SIEM product. It means I have met many successful and a few failed SIEM implementations, and I hope to be able to share a bit of that alongside talking about Azure Sentinel features in this webinar.

The first few slides are a bit of marketing. I’m not a big fan, I’m not a marketing person, but it is a good starting point to understand what Sentinel is about and what it can provide.
I will not surprise you if I tell you that the world you have to protect is changing; there’s just more of it. One thing I always find funny about those two slides is that the word cloud is not there, apart from the footnote at the bottom of this page. Of course cloud is one of the biggest changes. I see many of you are Microsoft customers, which means that you are on your journey to the cloud, and alongside other changes in the IT environment, cloud is creating a big change.

This overstretches security operations. It means that it takes more time to analyze breaches, there are fewer people capable of doing that, and there’s a good chance that things go uncovered. In this presentation I’ll try to show you how Sentinel can help you. The proof is on me; the six words to put that are there, and the rest would be breaking that into actual details. We have introduced a cloud native SIEM that should help the security operations team to manage better, to identify threats faster, to resolve them faster and to remediate. Cloud native SIEM means that we utilize the cloud and the artificial intelligence capabilities it provides in order to help you. Let’s start breaking that down into way more practical features and functions.

So let’s try to discuss what cloud native implies. First of all, I’ll start with the middle one: cloud native SIEM implies that scale is not an issue. If you’ve been doing SIEM for a while (SIEM, security information and event management, the nerve center, the operating system for your security operations), you know that it has to handle a lot of incoming telemetry from a lot of sources, and that requires horsepower; there’s architecting to be done. By utilizing a cloud native SIEM we just don’t have this issue. We built our SIEM based on Microsoft’s existing platform-as-a-service capabilities, and we really don’t care how much data you drive into the system. I asked our engineering team to run a report and we learned we have customers that use up to 400,000 events per second, or, in ingestion-per-day numbers, up to 100 gigabytes per day. Those are large numbers, and the amazing part is that I needed a report for that: it’s not something that our engineering or field teams worked hard with customers to implement. That’s easy; cloud native auto scaling, whatever comes with that, is the promise of the cloud.

Cloud also means something else: it also means it’s very easy to start small, because you don’t deploy any servers; you don’t have to worry about sizing in the first place. If you have a specific use case, from what I will present to you in the call today, that would be best served by Azure Sentinel, now you can use it. You don’t have to scope by servers for each one of the functions, set up a farm; you just start a service, you consume the data that you need for your use case, you build your detection rules or use ours, and you’re ready to respond. It might be the one critical element you have to monitor, say in your cloud.
So, scale small and large. As I mentioned, starting with Sentinel is very easy. We have thousands of users using Azure Sentinel and the service is a month old. The reason is that starting is just a click away, as you’d expect from a SaaS service. It takes little, and the size of our community is a testimony to that. I personally presented at a meetup in London three weeks ago and I had a hundred people in the room. I assumed they were coming for the pizza, but I learned that they all came because they are using Sentinel and wanted to ask questions. Valon mentioned our community online; go there, read, people ask serious questions and get good answers, because there’s no barrier to entry. It is very small if you want to use the product.

So beyond cloud scale and no operational or setup costs, we also try to provide you more, not just easier, by utilizing the cloud in the two areas where the cloud really helps us. The first, which I’ll point out and we’ll discuss more later, is AI. AI is important, it’s the promise of modern technology. It’s hard to do with limited computing resources; it’s also hard to do with limited data. By utilizing compute on demand as well as visibility into a large amount of data, we are able to provide you Microsoft-provided AI that will assist you in detecting attacks. We also enable you to do your own machine learning using our tools. The other area where cloud is really, really good is integration and automation. We have, and we’ll see, a built-in SOAR (security orchestration, automation and response) tool which is just very easy to use and tightly integrated because it’s cloud based. Automation integration is also easy when you get to collecting data into the SIEM, because anything which is cloud to cloud is usually a click, as opposed to the challenges of collecting on-prem telemetry. I do have to say that when it gets to collecting on-prem telemetry we have all the capabilities, but I’m not sure it’s simpler than what you have today on-prem. We’ll discuss all those.
Today we’ll focus on five roles of the SIEM, and the presentation will be broken into those. We’ll talk about collection and visibility, the log management part; we’ll show you what Sentinel can provide you and what we introduced in recent months, at Ignite and before that, around collection and visibility. We’ll talk about detection: we’ll talk about how you can create your own detection and what we actually provide you using our own ML. Another way to detect, an upcoming use case for a SIEM product, is hunting, when you don’t want to just detect things after they happen but you want to be proactive and try to identify issues before they happen, and we have both the security expertise and different functionality tools to assist you with hunting. Of course, once you detect an incident it’s just a starting point; you have to investigate to find the root cause and make sure that you scoped well and you know what was affected, and then you have to respond, and I mentioned automation. We’ll go through those five in order to understand how Sentinel can help you with those and what we innovated recently.

Before I get to those five areas I do want to mention one thing. I mentioned the security value we bring. As I mentioned, I came from other security vendors; every security vendor has a research team working to provide security value for the product. We actually don’t have one. The reason is that Microsoft invests a lot in security outside of the scope of Sentinel. Microsoft spends a billion dollars here and a large number of people, because we have to protect the largest network on earth (well, granted, maybe the second largest), Azure, and the same people who make sure that Azure is protected are the people that develop the security know-how within Sentinel. So it’s not just a team that has to make the customer happy; it’s a team that has to know how to really provide security.

So I mentioned five areas.
I’ll describe, I picked eleven topics, episodes, going back to my TV series metaphor, that I would like to discuss today. Each one would have something that will be interesting to you, a bit of news or a thing we introduced recently, and generally will make life easier for you in general and if you use Sentinel in particular.

Let’s start with the first one, collection. The first thing you do when you implement a new SIEM tool (a SIEM tool collects all data from systems) is to collect data. Sentinel is a full-featured SIEM; it’s cloud native, it’s a SaaS solution, but it’s there to collect from everywhere, including Microsoft sources in the cloud, as you can see on the left, including other clouds and SaaS applications (we support AWS today and we’re working to add additional capabilities), and of course also on-prem collection, which is important. On-prem is usually where people ask: but it’s a cloud native SIEM, how would that work for me on-prem? And therefore I do want to spend a bit of time discussing on-prem collection and the capabilities that we have around that. One thing to keep in mind, and to save the people helping me to answer a bit, is that next week’s session on architecture would include a lot more information on this topic specifically, so if you feel that your questions were not answered in full today, do join me next week for the on-prem and cloud architecture session.

So the first method that we have for collecting from on-prem is the Microsoft Monitoring Agent, or the Log Analytics agent. It’s an agent that’s part of the Microsoft ecosystem; it’s not new to Sentinel, so it’s not a project that was introduced last month. The agent supports Linux and Windows systems and can collect operating system telemetry from both, so syslog on Linux or Windows events on Windows, as well as additional streams of data from those systems such as Windows Firewall, Windows DNS, DHCP, or actually even files: if you have logs stored in files you can read them using the agent. Another element that’s here for completeness is the optional collector proxy that enables you not to have each agent communicate through the internet directly to Sentinel but rather through a central exit location.

Another option would be remote collection. If you want to collect from Linux machines using syslog, or for most networking and security devices, you’ll probably need a syslog collector, and we provide that as well. It’s a VM; we are looking, and it’s not easy, for a way to provide this as a cloud service, but syslog is really not built to provide that, so you will have to deploy a VM somewhere to collect those logs. This is similar to the traditional collector that you have with your current SIEM product if you’re using one. Another option will be to place this collector in the cloud even if you collect from on-prem, from branch offices. It’s an interesting deployment option for sites that do not have somewhere to put a VM for the collector; you don’t really want to send from a branch office to your central office just on the way to the cloud, it makes sense to send directly to the cloud.

Our collector is based on an open-source technology called Fluentd, which is very versatile. We do find that customers (I want to talk about that, I’ll get back to it in a second) sometimes prefer Logstash because they are more accustomed to it and to manipulating data using it, so today we support also Logstash as an option for connecting and collecting to Sentinel. If you have Logstash today, there is a plugin for Sentinel that will enable you to send the same data that you collect today to Sentinel. I already presented that; in the middle, I was out of order. Our WEF connector: the syslog connector enables remote collection for Linux machines. If you want to collect remotely from Windows machines, a solution for that would be to use our WEF connector, which uses the Windows Event Forwarding feature within Windows to collect events from servers and Windows endpoints. I do want to mention this is still in preview; you’ll have to contact us if you want to use it.

The next slide is complex, because collecting from on-prem is complex.
Syslog and Windows events were not built for the cloud, and as a cloud native SIEM we do very easy collection from cloud sources, as the previous slide alluded to, and then we have to provide a comprehensive framework for collecting from on-prem. We are working with partners to make sure that they start streaming events directly using the API, and here you have three that already do that. Now, configuring those to send events to Sentinel is just like cloud: you go to the appliance (in two of the three cases it’s a portal), you specify the Sentinel instance you want to connect to, and events magically appear in the cloud.

The last option, always important for a SIEM, is custom connectors. You’d want to be able to read things which are not covered by any of the options I listed above. This really inherently uses the Sentinel API to send the data, but there are a few ways in which you don’t have to directly program to use the API. We have PowerShell cmdlets that help you to send data to Sentinel; Logic Apps, our automation engine, which is also used for our automation, can be used; or Azure Functions. All of them, the last two, provide several options to do that. For example, we have customers that want to send logs that are stored in S3 buckets, and Azure Functions are a good way to achieve that.

All that was a long list of technologies, more for the architects among you. Naturally there’s also a list of things that are supported out of the box, and this is the list of connectors we introduced at Ignite. One that I want to pick out specifically: the others are vendors and products that we now can get information from; the last one is more interesting. It’s a connector, but it’s the connector for threat intelligence. There are several ways to get threat intelligence into Sentinel; we’ll discuss a bit of that later on, but the most standard way to get threat intelligence is using a protocol called TAXII with a format called STIX. Most of your threat intelligence sources will support this, and now Sentinel can natively connect with those sources to get threat intelligence and enable you to correlate against threat intelligence.

Lastly, a few pointers. If you go to the product itself you see the list of connectors in the product; for different reasons it is too short and does not actually convey the breadth and depth of connectors that we are supporting, hence those four blog posts. It’s a good moment to mention blogging. We are very active in blogging, as in several posts a week, sometimes several posts a day, so a lot of information is provided in our blog that would help you implement and deploy Sentinel. The specific four blog posts focus on the connectivity options that may not be part of the formal documentation, even though all of them are supported. The first one is a list of syslog and CEF sources that you can connect, because we support generic syslog and CEF, even if it’s not in our gallery today. The second one focuses on collecting from Microsoft services and apps. Sentinel is compatible with, uses the same transfer mechanism and storage mechanism as, Azure Log Analytics, and as a result any Microsoft service that can send data to Log Analytics, Microsoft’s IT operations solution, can send also to Sentinel, and Microsoft services, especially in Azure, are mandated to provide support for Log Analytics and therefore also for Sentinel. So if it’s Microsoft, good chances that it already sends telemetry to Sentinel even if it’s not in our documentation; it’s in the sending side documentation, and the blog post here would list those for you to make it easier. Lastly, I mentioned our agent. Our agent has a large set of capabilities, saving you from the need to get through the vast documentation, which might be massive. The third blog post would direct you to the different capabilities and collection options available with the agent. And lastly, if you want to create custom connectors, the fourth blog post would address that.

Now that you collect the data, you need to do something with it.
Of course detection and investigation are important, but before that it makes sense to visualize, to dashboard, to see the data. We introduced recently, I think it was in late September, a new way to do dashboards which we call workbooks, which we are pretty excited about. It essentially is at the level of creating apps: you can create a user interface. If we didn’t do it and you want to do things differently, you as an engineer want to provide a new experience for your analysts that would better fit your organization, this would be a great way to do that. We have predefined workbooks that you can select from; you can create your own or customize the ones that we provide, and you can take advantage of a large number of available visualization capabilities. We’ll get to a demo of those in a second. Workbooks are interactive; I mentioned that they are a bit like apps. For example, the top pickers here are filters that you can define as many of as you’d like, and they will help you filter, so you can search for a user; I’ll demonstrate in a second. The same applies for the chart here; we’ll see in the demo, probably better than me explaining, and so it goes for the next one. I’ll show customization in the demo in a second. Before we get to the demo I do want to mention that visualization is also available as part of searching, so when you search, the basic underlying search interface, the Swiss Army knife with the ability to get to every aspect of the data, also enables you to tabulate and visualize. But that is a good time to get to the demo.

This is Sentinel. For those that do not know it, it does live within the Azure portal. It is a standalone system; you don’t need Azure to access it, but user management, and payment for that matter, is all governed as part of Azure. For those that use Azure, things here would be a bit more familiar, but let’s focus on workbooks. I’ll start with the Azure AD sign-in logs workbook. I’ll start it, and you’ll be able to see that things here are interactive. I can go and search just for a specific user; I don’t do a lot on that because those are real Microsoft users that use our demo environment, but let’s assume that you want to just focus on failures. If I click on failures I’ll get just failures. Okay, now I see only 237 failures, and I can go and see strange countries you came from. Well, they’re not so strange; I don’t know, Bolivia would be a good one. Now there’s a challenge here: you’ll see that it’s Alex Wilber that failed, and if I go to Italy it’s still Alex Wilber, which means that I have too much data. There’s an issue with Alex Wilber. I’ll share with you that we know what it is: it’s a user dedicated to the demo portal. We blocked it; we manage our security, and there’ll be failures. It is blocked, so it’s not interesting, it’s not something you want to see. I can update my dashboard to ignore Alex Wilber so that it doesn’t affect the way I manage things. I’ll do edit. To really do that I’ll probably have to go for a few elements here and change the query; I’ll do it just for one. Keep in mind that when I’m in edit mode it’s still active, it still works; it’s just a bit more interactive. I’ll edit the sign-in details here. There is a query here; it’s actually your first encounter with our query language, which is called KQL. KQL is very extensive. For example, did you know that it actually can have an X icon inside the query? First time I noticed that. And here I’ll do... that was the wrong language, if you didn’t get it; you now know that I’m from Israel, that was Hebrew. where user is not equal to Alex Wilber. Run the query just to see that it works fine. Of course I said where user, and it is right for user; that’s why you want a way to check, and luckily there are no records selected, because that’s what I was trying to achieve. I’ll click done editing, and now when I go here, I didn’t change this one so the numbers will still be high, but if I go to Italy, where I was before, well India for that matter, I’ll see there was no one else that failed login apart from Alex Wilber, but if I go to the US I can investigate real failures for the US: there are a few other users that did fail, and I can look into them. So that’s an example of how we can use workbooks.

Another example I’ll share with you is something that actually a colleague of mine called Clive Watson talked about, I think two weeks ago. It’s a neat workbook that shows the privacy challenges of a SIEM. It’s available on our... you can read the blog; it’s available on our GitHub, we generally manage content on GitHub, and it shows where a person was recently. So I prepared it with my own travel for all these reasons. I don’t want to, but you can select other users as well here; I don’t want to go through them because I can share my information, I don’t want to show others. You can see that I’m somewhat of a traveler, I do travel too much. You also see the limitations of geolocation, so I’ve been to Canada early this month, which is true, but I’ve been to North York, never been to Calgary; my guess is Calgary is where the IP address for Air Canada is registered. Next, I actually was at Ignite the days after, and I’m not sure why it’s registered Los Angeles, but then I was back in Israel which makes sense, and historically, if you don’t know it, it’s a rural, very far away city in Israel; you can get it, I live near it. So that’s actually user-contributed; there is a GitHub blog post on that, very easy to create, up to you to do whatever you want. So that was the workbooks demo. We’re excited about it because it’s really a way to implement what you want as well as for us to provide you way more value out of the box from the product. As we’ll see later, workbooks are not the main way to do investigation in Sentinel, but they do add a dimension when you want to report to management or you want to create your own investigation sequence.
Let’s move on. So we discussed connectivity, collection and visualization, which I would term as log management, but where is the smart stuff? How do you actually do detection? That’s when we get to analytics.

So we have several ways to enable you to do analytics. As usual I’ll start with the slides and then do a bit of a demo to show you how it really looks in real life. First of all, we have a large number of built-in analytic rules. When I say rules it means that those are rules that you can get to the actual content of; you can modify them if you want. They are a starting point. We have, as I mentioned, our research team very focused on making them production ready, so not noisy, but if you have a challenge you can build them. We also have a set of machine learning based tools which we work on behind the scenes and for which you are not exposed to the queries. You can create your own rules; we would like to produce as many as you’d like, but every organization has its own. We would love you to contribute to our GitHub; all the rules that we do start on GitHub. We also have partners and users; as I mentioned, it’s a very accessible product, so a larger, ever larger community. You’ll find many Sentinel rules also starting to appear out there, which is pretty unique. I mentioned I’m coming from the SIEM world; I didn’t see that level of community around detection writing in other products. I’ve seen people writing connectors but not detectors. You are able to use both third-party threat intelligence that you’re bringing (I mentioned the TAXII/STIX connector) as well as using enrichment, which we’ll discuss later on, or the Microsoft-provided threat intelligence in order to correlate your data using rules. With threat intelligence, both the TAXII connector and the Microsoft threat intelligence stream were introduced at Ignite last week.

Lastly, very importantly, I mentioned that one of the things that are really easy with Sentinel is to do automation, so when an alert triggers you can trigger a playbook; we’ll discuss those later on. In general my experience when working with customers is that if it was a traditional SIEM, the use case is built from collection and then rules, and what to do about them is left to a second phase. Because in Sentinel automation is very easily accessible, a use case design usually evolves around all three steps: collection, detection and response.

I didn’t mention that we provide out-of-the-box machine learning. In practice, we’ll see in a minute, it translates into elements within the detection gallery that you can turn on and off, but you can’t look into the actual query; there is no simple query behind them. As I mentioned, our advanced machine learning is our experience from protecting Azure as well as a large volume of signals and on-demand CPU capabilities. We’ll take all the signals available to us through the Microsoft pipeline, we’ll identify attacks that are relevant to you, we’ll filter them, we’ll reduce the number of them based on cross review of the security state across the world, and then we’ll provide you those that are real. In practice, it means the numbers on the right are monthly: we translate a huge amount of signals into thousands of alerts across our entire customer base for a month. It’s a small, high-value number where machine learning really delivers. In addition, Sentinel is very, very useful as a platform for your own machine learning. Once it’s... well, the slide says coming soon; I can verbally say that it’s in private preview, so you are all welcome to reach out and join the private preview and start experimenting. In general, our underlying technology, the search engine that we use, which is the vast internal technology called Azure Data Explorer, is what enables our SIEM to double also as a data lake. You don’t have to maintain two systems; you can directly use the data that you collected in the SIEM also to create your own machine learning analytics on top of that. So let’s skip to the demo.
What I want to show you here is mostly how rules look. If we look into the rules tab you see the rule templates. The rule templates are the rules that we provide out of the box. Rules are categorized by MITRE tactic, so you are able to identify your coverage. You’ll see here that there are different types of rules. Scheduled alerts, and we’ll see more of those, are alerts that you create using a query into the data which triggers if something was found; we’ll talk about that in a second, I’ll show it to you. A second option for rules is actually a simpler one, but it utilizes an important concept. Microsoft provides not just Sentinel; we provide a large number of security tools, many of them market leaders. For example, Microsoft Defender ATP was recently acknowledged as being a leader in the Gartner Magic Quadrant for EDR, and Microsoft Cloud App Security has recently reached the top in the Gartner analysis of CASB products. So we do encourage you, and in many cases you are using additional Microsoft products that already do detection. We will not replicate that in Sentinel; we don’t try to do the same again. We do want to make sure that if you get an alert from those systems it is surfaced in Sentinel so that you can centrally manage the incidents and respond using automation. With that in mind, first of all, collecting those alerts from those sources is free of charge with Sentinel, and secondly we make sure that you can create incidents based on alerts easily, which is the Microsoft Security entries in the templates in the gallery you see here. I will not get into how you do that here; it’s two clicks, so it’s sort of less interesting for a demo.

I’ll actually go into one of the rules. Otherwise, I’ll use as my example, so I’ll focus on the available logon rules, mostly failures and such. You see there is significant coverage of those. You’ll see that we also detect essentially brute force for the AWS console, not just for our environment but also for AWS, so it’s not just a Microsoft protection product, and for Cisco for that matter. I’ll select one just to show you how it looks to define one. So those are templates; they’re not on by default, you do have to use them to create a rule to get things. You’ll be able to change everything, including the severity, the MITRE tactics you want to classify by; all this is meta information. The important part would be the second part, where we actually define what the query does, what the rule does, and you’ll see it’s based on the query. The query can be two lines long; when we write it, it is not two lines long. We take advantage of the fact that our query language, KQL, is very capable, and we do make sure that we create the best rules for you. You can still learn it and modify them. Also, I meet a lot of people that are hesitant because it’s a new query language, so initially: why yet another? People who are working with it for a short time are usually very happy with it because it’s sort of easier than SQL and targeted at exactly this use case. Next you can select the playbooks that you want to run based on the alert, and then review and create, which I’ll skip for now. Once rules trigger, they create incidents, which we will look at when we talk about incident management in a few minutes.
management in a few minutes described data collection and
visualization, the log management side; we described and talked about analytics, whether rule-based or machine learning based, whether we provide it or you do it yourself based on rules or machine learning. It's time to talk about what happens if incidents trigger. Detection is partially where they're all the same, but as I mentioned before, you have a lot of other systems doing detection. Incident management is entirely where you want to be within the SIEM: you want to collect alerts from external systems, Microsoft or otherwise, as well as alerts that were detected by Sentinel, and then manage them centrally. What does management mean? You'd want to collect related alerts, events and bookmarks in a single incident, bookmarks being the artifacts that we can assign; we'll have time to talk a bit more about bookmarks later on. You want to manage them, assign them, keep track of status and comments; all that is possible. And you can also, and it's important, integrate with your ticketing system. As a SIEM, I know that no SIEM will ever get to be as elaborate in managing tickets as your ticketing system, and you'll have to choose between managing the entire lifecycle of the incident in your ticketing system or splitting between Sentinel and your ticketing system. We provide both options. Just to share my experience: many times, as long as it's part of the SOC, maybe it's worth having it here, and once you need something which is outside of the SOC you may want to integrate with, say, ServiceNow, which is supported. We actually support two-way integration: we can make sure that tickets are opened in ServiceNow for an incident in Sentinel, and vice versa, when things are closed in ServiceNow they are closed here as well.

However, managing it, that is just managing; you need to do more. What the SIEM is for is actually investigating the incident, and investigating the incident is where we actually provide very interesting innovation. Our investigation experience, as you can see it on the right, looks great, but I will get into details to show how it really helps you, besides looking very graphical. So first of all it allows you to navigate between entities. When you define, and/or when we create, an incident, we make sure that there are entities in it that create relations; we keep those relations and we let you move between those entities to see related entities. You'll see in the demo how it really helps you in a second. Secondly, each one of the entities or alerts enables you to run expansion queries, as we call them, which are our know-how on what you should investigate further if you want. It's guided investigation using search behind the scenes, but you don't have to know how to search; we provide you with this. A graph-based investigation is good to a point, good in some cases; you see on the right the timeline-based view is also very important, and enables you to understand how things unfolded. And lastly, for each one of the elements, of course we show additional information; you'll see that in the demo. Wait a second, lastly, a neat feature that we introduced at Ignite: for alerts that have a URL related, that are about URLs, we actually added a feature to detonate those URLs, so regardless of how obfuscated they are, into a shortener, we'll open that as part of Sentinel and show you the actual page that the user saw on the screen.

Let's go for the demo; it would probably be much better. So we'll pick the first incident here and we'll drill into investigation. We see an anomalous login alert; that's why I selected it. Well, I don't know if it's good or bad; that's why I'm here to investigate, after all. Let's start with the user, Mr. Robles, and see what are the top hosts that he actually is usually visiting. I'll have to play a bit with zooms and stuff when I do that, because it's not planned for this big screen. We already see that the five top computers that Darcy is usually accessing are not the computer from which the anomalous login alert was raised. So the anomalous login, which by the way is worth noting is another alert that came from other security products, is a rule that detects that there were many failed login attempts by this user to this server. Something is wrong, because Darcy usually doesn't touch this one. I'll close this. If we decided it's a real attack, you'll have to go back to those five and see if there's anything wrong with them; they're now under investigation, but to save space let's move on and see other alerts that Darcy was involved in. I'll pick that here, and there's quite a few; something bad is going on. I'll start with this one: it's a connection to a malicious URL. That's something that was reported by a rule in Sentinel, and because it's about a URL, if we look at it we can find this URL and we can look at what it was. While initially it looks like a shortcut, a bitly URL, we can see that we detonated it and we actually can see what it is, so we can see where the user went to, and it was a Dropbox, and obviously it was identified, probably a bad file placed on Dropbox. So things are probably not okay. But then if I close that, we can see there are too many alerts and probably it's time to go to the timeline view and look at the story as it unfolds. So the connection to the malicious URL was the first thing: the user accessed a bad place on the web, might be harmful, might be blocked, but in this case the second thing that happened is that the same user tried to do an ominous-looking attack on a specific server. It's nothing, but it did get to his computer, especially since we see that this might have been successful, because the next one will be suspicious PowerShell activity, in this case detected by Windows Defender ATP; it's an alert from an external source. That would be the privilege escalation here. Following that, anomalous sign-in to multiple computers; now it's very important to see which, because those are breached computers, we have to continue investigating, so we get the list here as guided investigation. And lastly, a mass download, which means there was probably an exfiltration attempt. So a classic example of a kill chain lifecycle: we started from one alert, we were able to investigate both how it unfolded, verify that it's probably a real attack, as well as get information on how to go further.

I think it's worth mentioning that probably in most cases you'll have to go also to the original interface. I'm not a big believer that there is a totally single pane of glass; there's a single pane for us to make sure you never miss an alert, and you triage and get to initial investigation of this computer. Once you want to get further, you need to investigate within EDR, because EDR such as Defender ATP would always have a better capability at visualizing an investigation on a specific endpoint. What we can help you with is to use the EDR to collect the investigation package, which we'll get to in a few minutes.
Hunting. We discussed investigation and I showed you how you use Sentinel to do investigation, to learn more about incidents. Hunting would be an alternative way to operate your SOC, very popular these days. With hunting you start from scratch, not from something that happened, and you want to try to find incidents or weaknesses within your system. In my mind, hunting is more a process and know-how than a feature, and that's how we look at it. So the first item of value in our hunting screen is a large set of queries that you can use in order to start hunting. This is the contribution of our research team; that's where they help you. Those are filtered by tactics and data source, so that you can do targeted hunting based on the MITRE ATT&CK framework and focus on specific data sources. This is a starting point; you can add additional elements, you can create your own hunting queries, and you can modify ours if you want to. You can start an investigation from a hunt: the way you do it is that you mark the results of your investigation (we'll get to bookmarks in a second), and then this becomes an entity that can be investigated using the same interface that you saw before. So hunting and detection are not separate worlds; both generate an incident that can be investigated.

Let's look at the hunting in a bit more detail. You can see the rich out-of-the-box content; I don't have a number, but there's quite a large number of out-of-the-box queries there. You can filter by name, or by tactic, or by data source, or by favorites; you can mark as favorites those that are important to you. Again, this is something that someone gets to do once a day or once a week, and they need a starting point: this week we focus on brute force, etc. You can run all queries or all selected queries, whichever you prefer. It's actually a good illustration of what the horsepower of the cloud brings you: you define hundreds of queries, you run them, and you immediately get the results column. The results column enables you to find the outliers very fast.

Valon: Sorry to interrupt, I just want to remind everybody that today's session is a 90 minute session. Since we're near the top of the hour, we still have another thirty minutes or so to go. Thank you.

Ofer: Thank you, Valon. The hunting experience is just one way to hunt; it's a guided experience. I do want to remind us all that a typical way to hunt, which we also support, is using search. Most hunting in the real world is done using search. We have an extensive search interface, and the search actually has a built-in capability to find outliers, so you can search using free text or field text, you can tabulate your data, you can chart your data, and then the system automatically finds outliers for you and explains them to you. So for example, if I go to a search which I ran today, you can see that there are two elements which were found by the system, once you do the search, as anomalous. It's very easy to see the one here is anomalous, of course, because it's higher; the question is why. If I just click on it, you'll see the system automatically finds the outlier for me: it separates the traffic into two patterns, the green one is the rest and the blue one is the pattern that was identified, and it explains the pattern. In this case it's my demo environment, and it seems that, I think yesterday, this morning between 9:00 p.m. and later on (it's UTC, as you can see on the right), so it means morning time or midday actually on the west coast, there was a lot of activity against our Azure portal. The query is based on sign-in logs, and as you can see sign-in logs can be for many different applications. Probably a lot of demos; in this case the explanation is that someone asked if it was demo time. You're fine, but in other cases you'll find an offending IP, an offending user, all that without actually looking into the base data; the system ultimately found the root cause analysis for you.

Lastly, talking about hunting, two features, one of them brand new, released at Ignite last week: bookmarks and livestream. Bookmarks are a way to mark notable data and create an artifact from it. You do it as part of search or hunting or any result. Once you define the bookmark (I might have time for a demo later on if time permits; I'll skip it for now), once you have a bookmark you can start an investigation from it, you can add it to an incident as an artifact, so it's essentially the way to bookmark, as the name suggests, any data in the event database. Lastly, our livestream feature enables you to follow stuff in real time, so see events or data as they come. It's query driven, so it can run any query, but it runs it in real time, all the time. Some examples where it would be good: blue team versus red team, you need to follow, stick to this, real-time investigation of anything when it happens; you see something starting to unfold on the server, you need to make sure that you see all the security events on the server now on a separate screen, that's for you. It's also a great way to model and test in real time hunting or detection queries. I'll get to show that if time permits, in a while.

Lastly, all this hunting was based on the same technology, the same interface used for detection and investigation, namely queries. We are investing a lot, and you can use it in a more advanced way to do hunting, which is also the base for our bring your own machine learning capabilities: it's called notebooks. Jupyter notebooks are an open source technology; there is a variant which is Azure, so-called Azure Notebooks, which we utilize. Jupyter notebooks are essentially snippets of code and documentation stitched together, so you can create a notebook, as the name suggests, that would do things and then display them. It's a great way for an advanced hunter to analyze data and visualize it. Unlike everything within the features I described so far, which is based on a simpler query-based interface, this is programming, so it has the complexity of, say, Python, but also the capabilities of a full language. One thing we introduced at Ignite is that now you can access those: we had the capability to integrate notebooks with Sentinel for a while now, but now you can actually access those notebooks from the interface as you would a workbook, for example, and in the near future you'll also be able to actually edit those from our interface, so they'll be more accessible to anyone; still, they're for advanced users, keep that in mind. How are they integrated with Sentinel? We are providing the library, the capabilities for any notebook to query Sentinel data, so you can get data from the store or write information to the Sentinel datastore, but you can also bring external data, so it's a great way to combine the data sets with external data sets. As I mentioned, it's a base for machine learning, it's bring your own machine learning capabilities, and lastly it is programming language centric, but it's whatever programming language you would like to use. I think I mentioned before, I'll say it again: we are in private preview of our bring your own machine learning capabilities, and our team developing that would love to talk with you guys if you are doing machine learning and you're interested to join that. It's advanced, so there are many organizations and we are really looking for people to pick up and start using the feature. I'm gonna skip the hunting demo for time reasons; I might get back to that at the end if there's time. It is neat but it's advanced, let's put it this way.

Automation. So, to summarize the journey we've gone
so far, and actually we'll use this; sometimes it's good to use that and go back and show things. So we've been through that and I think it's a good time to remind us all where we are. I'm sure Sentinel is a full-featured SIEM. It's cloud native; it provides all the advantages of the cloud, and therefore it provides the typical capabilities that you bought the SIEM for, namely collecting data, ingesting and visualizing it; we've discussed connectors and workbooks. The detection, whether analytics or hunting, and then investigation: once you have incidents you want to make sure you minimize the time it takes to investigate, decide if it's wrong or right. But then you have to respond, and one of the important advances in the SIEM world in recent years is the understanding that response is part of the SIEM cycle, that it can't be just a visual interface to learn and investigate and just data; you have to do something to get secured. With this in mind I'll get back to automation.

So for automation and orchestration we are using Logic Apps. Logic Apps is a feature of Azure that's well over GA. It enables us to build automated, scalable playbooks. There is something very neat about running automation in the cloud: because it's serverless you don't have to worry about where does it run now, does it run; there's no VM behind it, no overhead, so you just visually program a playbook and magically it actually does its work. We'll get in a minute to an example of something that would actually be hard otherwise. We have, and actually that's something that was added just before Ignite in our GitHub, a library of sample playbooks, so you don't have to start from scratch. It helps you with things like blocking a user in Active Directory, interfacing with ServiceNow, which I mentioned is a common use case for automation, etc. So you don't have to start from scratch, and you can also create your own playbooks using a large gallery of connectors. For those of you SIEM people, connectors here stands for a very different concept than event collection connectors; connectors here are automation connectors, things that reach out to an external system and do something there.

How are playbooks integrated within Sentinel? I did mention, and I demonstrated, that you can trigger a playbook from an alert rule when it triggers. You can also manually trigger it from the alert information, so when you look at the details of an alert you can actually trigger a playbook; so an analyst can manually decide that now he needs to do something after investigating, and go here to the interface. Just for the fun of it, because it used to be just in the details view; as of today, I think it's around a week old, you can actually also run playbooks from the investigation interface. So it's a small change, but for those of you who noticed, like everything else it's just a couple of days old, therefore it's worth mentioning here: within the investigation interface, if the analyst decides that some automation is to be run on this alert, he can do it from here.

Let's look at the details a bit, so what a playbook does. First of all, to be part of Sentinel, a playbook always starts with the "When a response to an Azure Sentinel alert is triggered" trigger; that's the Sentinel... that slide I need to fix, sorry for that. That's the trigger that connects Sentinel to the playbook and tells it that it was run from Sentinel; then it has to be within the context of a Sentinel incident. The first thing that people usually do with a playbook is integrate into the workflow of incident management; in this case we see that the playbook will create a ServiceNow incident. I mentioned that you may want to manage tickets primarily in ServiceNow. It may also post to a chat channel, say Teams or Slack, or whatever you actually monitor, if you want to have everybody be aware of it. The second element here, which is very, very typical to a playbook and actually the biggest time-saver, one of the biggest time savers you'll have from automation, is the workflow element. The first thing that an analyst does once initial investigation shows that it might be true is to reach out and ask. If you do it by email, you're in a broken process; automation workflows would help you to automate things, email or otherwise, okay, so this saves the analyst having to go to Outlook and do things. In this case we did use email; email is sent automatically. For example, you get a geolocation alert: somebody is alerted as being now in Manila, the Philippines; you send an email to the user: are you in Manila? Okay, another option: some breach of the firewall, an email to the administrator: was the configuration changed today? The user will get the email, and within the email body will have the option to select one alternative, let's say "yes, it's me", "no, it's not me", and the playbook will continue left-to-right based on that. Now that's easy to say but hard to do. Think about an automation engine that does not live in the cloud: how does the signal from the email get back to the automation engine and continue the process that was halted until a selection? In the cloud it's very simple: there is no server waiting, it's also serverless, and the click from the email was just accessing a cloud endpoint regardless of the place in the world, going right or left based on the answer. Next, of course, we'll have to do something, respond. In this case if false we can close the incident in ServiceNow; that's one option. Another option, already supported today, is to close the incident in Sentinel. So essentially an incident was detected, an email was sent, an answer was given and then it was closed, and the analyst did not spend a second. On the other hand, it might not be that simple; maybe the user getting the email will say something is wrong here, I don't think I was in Manila today. In this case we have to do something; no chances, it will have to get to an analyst, but meanwhile we don't want to do something such as block the user or move the user to multi-factor authentication, potentially also block an IP address. Things are normally in the cloud these days; you can use, with Logic Apps, an on-prem gateway to actually do activity on-prem, in the customer premises, accessing the firewall API, for example. We have a large number of connectors. We may not have all of them; in general, Logic Apps goes around IT automation, it may not have all the connectors with security devices that you may be looking for, but extending is easy, using either the generic API connector, which is very easy to implement, or writing a connector using Azure Functions, which is still serverless; it lets you write a few lines of code but you don't have to worry about where they are implemented.

A few examples of playbooks that might be useful: incident management, you can assign this to an analyst, so do some checking, do some query on the data and decide that the incident belongs to an expert in a specific field; you just save time by not going through the wrong analyst. As I mentioned, you can integrate with a ticketing system and sync that back. Incident management is just one option; enrichment is another option. One thing that people do a lot with automation is collect additional data on the alert. The example here is geo information for an IP, but that might already be available in many cases in Sentinel. You may want to have whois information in the alert, you may want to get more data on the user from a user directory; all those are options. You can get out and reach to a secondary source of threat intelligence to find out if the original threat intelligence within Sentinel was accurate enough. You can collect a Defender ATP investigation package, for example, another way to do enrichment. Then validation emails, and lastly of course remediation: blocking users, IPs, conditional access, etc. With this in mind I'll do a short demo
around playbooks, mostly to show you how simple it is. I go to the same example that I've shown before; you pick this one and you see that it looks very much like what I showed you in a screenshot before. The one thing I want to add here would be: I did mention that this playbook closes an incident in ServiceNow, but you would want to close the incident in Sentinel as well. So how do you do that? You add an action and I'll look for a Sentinel action; there's an Azure Sentinel one, and there are many things you can do with Sentinel: you can add a comment to an incident, you can add a label to an incident, you can actually manage the incident. Okay, what we really want to do would be to change the status. If you change the status, okay, we could actually change the status to closed, therefore very easily providing the magic time saver I promised you. You can also add why it was closed as well as text; all this will be applied automatically to the incident. So all very easily, no programming involved, and once somebody was asked and said "that's fine, I'm fine", the same would be closed.

We are getting to the end. Before I summarize, I want to mention that this is a starting point; this is the general overview. I hope that for someone who was bored because you already know this stuff, I did mention a few things that were new to Sentinel; they were introduced at Ignite. The next step would be, and I very much recommend, the follow-up webinars next week and after the holidays, which are deeper and more technically savvy: one of them about architecture, both cloud architecture such as supporting multi-tenancy, multiple workspaces, collecting from on-prem, how to build the connector, etc., and the one after, in January, about the workflow of a SOC analyst, from creating a rule, detection, analyzing a real security use case. So that's one track, but the other track, as Valon mentioned, is making sure that you are connected to us on all the different resources that we have. I would very much recommend the tech community; we do have an SLA, we have a team of experts answering in there. It's not a place where you'll post a message and never get a reply; you will get a reply. And there are tech blogs; it's where we ongoingly share news, updates, tips and tricks and how-tos. For better or worse it has a lot more than the actual documentation of the product. And if nothing works, if you don't find a way to get to us, we also have an email address, as I mentioned. From time to time we do have meetups around the world, and if you follow the community you will notice them. What do you do next, how do you start? I hope this was a good overview of both existing as well as new features introduced by Sentinel at Ignite, such as URL detonation, livestream, etc. If you're already using it, I hope that you'll enjoy the new features. If you're not using Sentinel still, it's a very short journey to start: you need an Azure subscription; you can do it using an Azure trial subscription, if you have one, great; it might be your MSDN subscription. You create a Sentinel instance, it's usually five clicks away, and then you can connect several data sources. For on-prem you need a collector, a bit more hassle, wait for next week; if it's within the cloud, it's usually a click away. Once you have connected the data sources you can start playing with the stuff.
Valon: Thank you, Ofer. So before concluding the call, let's just see if there are questions that we did not answer. One that I see here from Carrie: I believe he's asking if there is an automated way to have an Azure Sentinel incident updated when an MCAS alert is resolved, so synchronizing upwards to ServiceNow.

Ofer: At this point in time there is no built-in way to synchronize incident status between different Microsoft products and Sentinel. You can get to it using automation; automation is a core element of Sentinel, and a playbook can trigger on an incident change in Defender ATP or MCAS and update Sentinel as I described just a moment ago. So there is some effort there, but it's pretty straightforward.

Valon: Thank you for that. And I know we have lots of documentation out there in the Azure Sentinel forums, but there's a specific question from John. He's asking: do you have documentation on what sets Azure Sentinel apart from the competition? This is an important one for discussion with leadership; Sentinel will probably not be on the Gartner report for a year.

Ofer: So that's true. I was trying not to be too salesy this call, so I did not splash marketing slides about why we're great. I will now reiterate; we have a few minutes, a few general areas, and then I'll try to send you to the right places for more. We are a cloud native SIEM. I think that among the large ones, large since there are a few niche players, we're the only cloud native SIEM. We're not running VMs behind the scenes, which means that scale, both small and large, is something we excel at: you can throw as much information at it as you want without telling us upfront, you don't have to architect things; you can also start small, you can use Sentinel alongside your current SIEM if it's not time to replace it, just for the use cases where it makes more sense, usually cloud monitoring. So that would be one. The second one would be utilizing AI: the cloud enables us to do, one, AI out of the box based on Microsoft research; two, resources, AI resources on demand; and three, visibility into the larger set of events we see, versus a standalone SIEM that is just one customer. Automation would be a third one. Well, there are other automation engines on the market, a few good ones, but barely as integrated as ours is in Sentinel, and we do find that customers are very fast adopting automation when they use Sentinel, because it's integrated, because it's easier to do automation in the cloud, which is really a big cost saver. That's, in a nutshell, just three elements: scalability, AI and automation. I'm not a salesperson, I hope that came out clearly here, and naturally if you join next week you'll see me even more technical. Today, if you have such a discussion, I will not pull in our sales guy, but we do have a team of people that are working in the field, closer to wherever you are in the world, and are experts in having those discussions about the value of Sentinel. I would be happy to connect you; most of our people know the stuff and they would be great at communicating with you on those topics. I hope that's helpful.
Valon: Thank you, Ofer. So to the question where they're asking about a multi-tenant implementation: as we mentioned, Ofer will be covering this in next week's webinar, which is about the cloud and on-premises architecture.

Ofer: And there's one thing I want to mention; it might not be relevant to all of you. We did a very specific webinar for managed service providers; it's a specific type of multi-tenancy, and if you are a service provider and you were not aware of this webinar, reach out and make sure that you get it.

Valon: Okay, and talking about webinars, there's a question; if I remember correctly you did mention something about upcoming trainings and all that, so we have another question where they would like to understand if there's any training coming up for Azure Sentinel.

Ofer: So at this point in time, because we are new, because we try to scale fast, we focus on webinars. If you're listening, again, this was the first one of three more webinars that are deeper in nature; this is the one for everyone, and we hope that they will cover a lot. If you are a Premier Microsoft customer, we have a Premier engagement, five days long; it enables you to get your hands on Sentinel. Reach out and we'll make sure that we connect you with the Premier support people that are relevant. And lastly, we do run pretty regular partner trainings. We do not have, as of today, a regular course that we provide to customers, and that's why we try to make sure that we provide as many webinars as we can; if the webinars we do don't address your needs, Valon and I would love to hear more, understand how we need to enhance those and make sure that you get all that you need.

Valon: Definitely. And the last question for today: will Azure Sentinel be added to the AZ-500 certification?

Ofer: Yes, it will. I thought it was already added; if not, it might be later this month, but it's coming shortly. I do want to say something about that: it's just part of AZ-500, which is a large beast; I don't expect that to be a replacement for deep training, but you'll be certified for Sentinel, so in that respect it's useful.

Valon: Perfect, thank you. So just a quick reminder before concluding this call: as Ofer mentioned, and I also have posted the link, our next Azure Sentinel webinar is next Wednesday, November 20th; the topic is about cloud and on-premise connectors. For details and registration you can go to aka.ms/SecurityWebinars. In case we missed answering your question for today, you can visit us at aka.ms/AzureSentinelCommunity, where you'll be able to ask questions on our Sentinel forum. If you're listening to this after the fact as the recording, that's also a great place to ask a question. And I want to thank all of those who helped answering questions through the IM window during the call. Thank you, Ofer, for a fantastic presentation, and most of all I want to thank all of you for being part of our community and for joining us on these webinars. We hope to see you next time. Goodbye.
