![Page 1: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/1.jpg)
Azure Sentinel 101
Presenter: Joe Kuster
Introducing Catapult
Transforming organizations for today’s modern world
15,000 projects completed over 25 years
Top .01% of Microsoft Partners with 14 Gold & 2 Silver Competencies
Serving all 50 states, Mexico, Canada and the Caribbean
Our Partnership with Microsoft
• National Solutions Provider (NSP) in top .01% of Microsoft’s partner ecosystem
• 2019 Microsoft Partner of the Year Awards
  • Modern Workplace – Security and Compliance – Winner
  • PowerApps – Winner
  • Modern Desktop – Finalist
  • PowerBI – Finalist
• 2018 Microsoft Partner Award Azure Compete (United States)
• 2017 Microsoft Global Cloud Partner of the Year Finalist
• 2016 Microsoft Partner of the Year Winner (United States)
• On-staff experts awarded Microsoft’s “Most Valuable Professional” (MVP)
• 20+ Years of experience working with the Microsoft technology stack
Security & Compliance Services
Security Environment Analysis
▪ Analyze existing technology stack
▪ Map to compliance needs to identify gaps
▪ Identify overlapping solutions & opportunities for ROI improvement
▪ Recommend best practice technology adoption
Tool Optimization & Implementation
▪ Demonstrate art of the possible
▪ Deploy new technologies, such as Microsoft M365 E5
▪ Optimize implemented technologies, such as Azure Identity Protection
Continuous Posture Improvement
▪ Security Coach provides ongoing insight & support
▪ Dashboard connects disparate signals into dashboard for improved insight
▪ Technical experts available on demand
Spyglass
Security and Compliance Challenges
• 93% of cyber attacks target user identity
• 50% of business cloud adoption is led by Shadow IT
• 63% of businesses are understaffed in security expertise
• $3.9M average cost of a successful security breach
• 51% can’t find and keep the needed skillsets
• 62% of cloud adopters nervous about cloud security
• 80% of security incidents occur from within
Agenda
What is Sentinel?
What does it connect to?
Common Use Cases
Getting Started
Understanding Pricing / Licensing
Example Walk Through
What is Azure Sentinel and Why You Need It
Sentinel is Microsoft’s Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR)
SIEM solutions aggregate events and alerts from numerous solutions to correlate intelligence. The consolidated view streamlines threat hunting and allows for automated remediation or assisted investigations.
SOAR solutions are a stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.
That’s nice, but what does it really mean?
• Find your alerts in one place.
• Makes repeatable searches easier.
• Centralized place for investigations.
• Machine learning surfaces unusual activity.
• Ability for semi-automated or automated response.
#1 Sentinel is a place to ship your events and alerts. (Single Pane for Investigations)
Example: Ransomware hit employees via email and their cloud files were impacted
• Cloud App Security (What files were infected?)
• Azure AD Sign In Activity (Who logged in, from what IP?)
• Office 365 Activity (What else did they do during that session?)
• Symantec Malware Logs (Was AV patched and up to date when it slipped through?)
• Azure AD Identity Protection (Did an attacker come in from a breached account?)
• Azure Security Center (Did the payload change their device configuration, or just encrypt the files?)
#2 Sentinel Speeds Up Investigations
• Machine Learning systems (Microsoft’s, or your own custom ML) analyze data for anomalies.
• Repeatable Threat Hunting Queries and Automatic Analytic Triggers find issues faster.
#3 Sentinel Streamlines Response
• Allows investigators to tag events / alerts / notes as they go.
• Playbooks allow for automated or semi-automated response.
• Investigator identifies a false positive, triggers an event that logs it, whitelists the IP, and closes the ticket.
• Impossible Travel Scenario = automatically create a ticket and lock the account if not on a corp device.
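As an added illustration of the impossible-travel trigger on this slide, the following scheduled-analytic query flags an account that signed in successfully from more than one country inside a one-hour window where at least one of those sign-ins came from a device that is neither compliant nor Azure AD joined. This is example KQL written for this page, not a query from the deck or from Microsoft. The table and column names follow the standard SigninLogs schema; the one-hour window, the one-day lookback and the definition of a "corp device" are assumptions to tune per tenant.

```kql
// Added example (not from the deck): candidate analytics rule for the
// "impossible travel, not on a corp device" scenario.
// Assumptions: SigninLogs schema (ResultType, Location, IPAddress,
// AppDisplayName, DeviceDetail); 1h window; 1d lookback; "corp device" means
// Intune-compliant or (Hybrid) Azure AD joined.
let window = 1h;
SigninLogs
| where TimeGenerated > ago(1d)
| where tostring(ResultType) == "0"            // successful sign-ins only
| where isnotempty(Location)                   // country code from the sign-in
// Decide per sign-in whether the device counts as a corp device. Missing
// device details are treated as non-corp, so a bare browser session counts.
| extend IsCorpDevice = coalesce(tobool(DeviceDetail.isCompliant), false)
                        or tostring(DeviceDetail.trustType) in ("Azure AD joined", "Hybrid Azure AD joined")
// Collapse each user's sign-ins into 1h buckets and keep what the analyst
// needs for the ticket: countries, source IPs, apps, and the time span.
| summarize Countries      = make_set(Location),
            NonCorpSignIns = countif(not(IsCorpDevice)),
            SourceIPs      = make_set(IPAddress),
            Apps           = make_set(AppDisplayName),
            FirstSignIn    = min(TimeGenerated),
            LastSignIn     = max(TimeGenerated)
          by UserPrincipalName, bin(TimeGenerated, window)
// Trigger condition: more than one country in the window AND at least one
// of those sessions was not from a corp device.
| where array_length(Countries) > 1 and NonCorpSignIns > 0
| project-away TimeGenerated
| order by LastSignIn desc
```

When this is saved as an Analytics rule, map UserPrincipalName to the Account entity and SourceIPs to the IP entity so the "create ticket and lock account" playbook receives the right objects. Two caveats follow from the deck's own "log analysis based, not real time" warning: the rule fires only on the schedule you give it, and because bin() uses fixed boundaries, two sign-ins 50 minutes apart can land in different buckets. A sliding window or a shorter bin reduces the second gap at the cost of more rows to evaluate.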
What if you already have a SIEM?
• Most organizations don’t have their cloud data integrated yet.
• Those that do pay an exorbitant amount to import it (database bloat).
• Few orgs have meaningful SIEM/SOAR maturity for O365, Azure, Amazon Web Services, or Enterprise Mobility + Security solutions.
• Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert fatigue and automatically surface anomalous data.
• Also… it’s free for O365/Azure basic threat hunting, so there’s that ☺
Getting Started
What’s needed?
• Azure Subscription: the account must have access to the source system data to be analyzed.
• Azure Log Analytics: Standard tier recommended. Free logging lacks many critical security data points.
• Azure Logic Apps: necessary for some remediations.
• Azure Automation: necessary for some remediations.
• Azure Security Center: optional, but streams great data!
Navigating Sentinel
• Overview: automatic reports generated based on your data
• Logs: manual queries for threat hunting / correlation
• Cases: SOC burn-down list (tickets), created by Analytics
• Dashboards: common reports sorted by source type
• Hunting: reusable queries for investigations
• Notebooks: Jupyter notebooks w/ Markdown text
• Data Connectors: connect to data sources.
• Analytics: trigger conditions that create cases.
• Playbooks: Logic App playbooks to remediate / manage issues.
• Workspace settings: where Sentinel data is stored. Can pull data ingestion and cost data. Adjust retention here!
Follow the Wizard
Once the workspace is ready:
• https://portal.azure.com
• Search for Azure Sentinel
• Follow Getting Started Wizard
Creating Data Connectors
Data connectors are usually:
1. Cloud based, and you only need your admin credentials.
2. Agent based, and you use the Microsoft Monitoring Agent for the log upload.
3. Most common scenarios are turn-key (Syslog, Endpoint Protection, etc.)
Workbooks
Building a Query with Kusto Query Language
• Attacker IP Query / Investigation
  OfficeActivity | where ClientIP == '13.64.199.41'
  Table | clause Column operand value
• Starter Tip: Browse tables, find the data, and add the column to the query. Delete the excess.
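The query on this slide filters one table by one column. As an added example written for this page (not a query from the deck or from Microsoft), here is how the same attacker-IP pivot extends across tables to answer the ransomware questions from the earlier slide: what the IP did in Office 365, and whether it ever authenticated successfully in Azure AD. The IP is the one on the slide; the seven-day window and the OfficeActivity / SigninLogs column names are assumptions based on the standard Sentinel schema.

```kql
// Added example (not from the deck): pivot the attacker-IP query across
// OfficeActivity and SigninLogs. Assumptions: 7-day window; OfficeActivity
// columns ClientIP, UserId, Operation, OfficeWorkload; SigninLogs columns
// IPAddress, UserPrincipalName, ResultType, Location, AppDisplayName.
let suspectIp = '13.64.199.41';   // IP from the slide
let lookback = 7d;
// Step 1: what did that IP do in Office 365, per user?
// OfficeActivity.ClientIP sometimes carries a ":port" suffix, so match both forms.
let officeHits = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where ClientIP == suspectIp or ClientIP startswith strcat(suspectIp, ":")
    | summarize FirstSeen  = min(TimeGenerated),
                LastSeen   = max(TimeGenerated),
                Operations = make_set(Operation),
                Workloads  = make_set(OfficeWorkload),
                EventCount = count()
              by User = tolower(UserId);          // normalise for the join
// Step 2: which of those users had sign-in attempts from the same IP,
// and did any succeed? ResultType "0" is a successful sign-in.
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress == suspectIp
| summarize SignInAttempts = count(),
            Successes      = countif(tostring(ResultType) == "0"),
            Apps           = make_set(AppDisplayName),
            Countries      = make_set(Location)
          by User = tolower(UserPrincipalName)
// Step 3: keep only users seen in both tables; successful sign-ins with
// file activity behind them are the accounts to look at first.
| join kind=inner officeHits on User
| project User, SignInAttempts, Successes, Countries, Apps,
          FirstSeen, LastSeen, EventCount, Operations, Workloads
| order by Successes desc, EventCount desc
```

The pattern is the same one the slide annotates (Table | clause Column operand value), repeated per table and stitched together with a join on the normalised user name. Run it from Logs during an investigation, and once the columns look right, save it under Hunting so the next analyst can re-run it with a different IP by changing only the first let statement.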
Tracking the Investigation (Bookmarks & Notebooks)
Investigations – Sample: Login Attempts from Blacklisted IP
Building Responses
• Azure Logic Apps
  • Tons of connectors to web services or on-prem apps
  • Similar to MS Flow/Power Automate or IFTTT, but different.
• Remember that it’s log analysis based, not real time! (Not a replacement for proactive protection)
Things they don’t tell you
• Fusion – must be manually enabled via PowerShell: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion
• AI Investigation is a Private Preview (Request form is online).
• HTTP Post = Graph API & Many, Many Other Things!
• Workspace / Source System Pricing Tiers Matter.
• It can take an experienced eye to identify what is going on.
![Page 27: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/27.jpg)
2727
How is it priced?
• Data import from Office 365 and Azure is free.
• Charges occur for: Data Ingestion, Automation Workflows or custom Machine Learning Models
• Data ingestion / retention will be the largest charge for a typical deployment.
• Free tier is available (500 MB / day).
• 31 days retention is free.
• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.
![Page 28: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/28.jpg)
2828
How is it priced?
• There will be no charges specific to Azure Sentinel during the preview.
• Data import from Office 365 is free.
• Even during preview, charges occur for: Data Ingestion, Automation Workflows or custom Machine Learning Models
• Data ingestion / retention will be the largest charge for a typical deployment.
• 5 GB per customer per month is free.
• 31 days retention is free.
• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.
![Page 29: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/29.jpg)
2929
Example from the field (Skype Hybrid Brute Force)
![Page 30: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/30.jpg)
3030
Example from the field
![Page 31: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/31.jpg)
3131
Example from the field
![Page 32: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/32.jpg)
Successful Sign-ins (30 days): 40 Countries
![Page 33: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/33.jpg)
Q&A
Joe Kuster
Director, Security & Compliance Solutions
Catapult Systems
![Page 34: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/34.jpg)
3636
Catapult’s Security Services
Spyglass is Catapult’s Security Coaching Service
There are Several Ways We Assist Clients:
• Assessments: Office 365, Azure, Greenfield, Planning
• Monthly Subscriptions: Right-sized to meet your needs, environment, and budget.
• Flexible On-Demand Expertise: Assistance when you need it and as much as you need across the entire Microsoft stack.
![Page 35: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/35.jpg)
3737
Spyglass, Office 365 Security Assessment
O365 Assessment Insights:
• Identifies risky user and administrator behavior
• Evaluates the environment against common regulatory standards (e.g., PCI DSS 3.2, SOC)
• Provides actionable insight on:
  • Identity & Access
  • Data & Storage, Leakage
  • Phishing & Malware
  • Threat Protection
  • SecureScore
• Review results and roadmap in person
![Page 36: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert](https://reader030.vdocument.in/reader030/viewer/2022041004/5ea817e57ac47318a9604b49/html5/thumbnails/36.jpg)
Thank you.