CIAOPS Business Dojo – December


In this month’s Business Dojo we take a look at creating a security offering with Microsoft Sentinel. These are virtual events, hosted using Microsoft Teams, that provide you with a deep dive into a business topic from the Microsoft Cloud.

Costs:

Non CIAOPS Patrons = AU$99 inc GST

Date:

Wednesday December 22nd 0930 – 1100 Sydney AU time

If you are interested in attending please complete the expression of interest application here to be considered for the event:

https://bit.ly/patronbiz

and you’ll be sent more details.

Add TAXII threat intelligence feeds to Azure Sentinel

image

There are public threat intelligence feeds available that Azure Sentinel can take advantage of. Think of these as providing information about entities that represent threats, such as compromised IP addresses, botnet domains and so on. Typically, these feeds support the TAXII connector inside Azure Sentinel.

Select the Data connectors option from the Azure Sentinel menu on the left. Next, search for TAXII. Finally, select Threat Intelligence as shown above, then Open connector page in the lower right.

image

On the right hand side of the page, you see the Configuration area as shown above. Here you’ll need the following information:

– API root URL

– Collection ID

– Username

– Password

If you have a look at the bottom of this article:

Connect Azure Sentinel to STIX/TAXII threat intelligence feeds

you’ll find the details for the free Anomali Limo threat feed, which are:

– API root URL = https://limo.anomali.com/api/v1/taxii2/feeds/

– Collection ID = see the list in the article (e.g. 107, 135, 136, etc.)

For the username and password of all these feeds use:

guest

image

Complete the details for each Collection ID, as shown above. When you have completed each feed, select the Add button.

image

The feed will be validated and if successful, an alert will confirm this at the top of the page as shown above.

image

The entered feed will appear in a list at the bottom of the page. At this point, feed information will start flowing into your environment depending on the Polling Frequency you selected for the feed.

image

Once the feed has started to import data, select Threat intelligence from the main Sentinel menu as shown above. You should see a range of entries. These entries can now be utilised throughout your Sentinel environment. This is detailed here:

Work with threat indicators in Azure Sentinel

image

This data is stored in a table called ThreatIntelligenceIndicator as shown above, which can be used directly in hunting queries.

Keep in mind that any threat indicator data incurs an ingestion and data storage cost. However, this is not a great amount and the value they provide is well worth that minor cost. You can track threat indicator costs using workbooks that Sentinel provides. You can add more feeds if you wish and details about what is available can be found at:

Threat intelligence integration in Azure Sentinel

Having additional threat data provides more signal information for Sentinel when it examines your environment. If information from these threat indicators is detected in your environment, then alerts will be generated. For a small ingest and storage cost, having these threat indicators flow into your Sentinel environment provides a huge amount of value and increases your security.
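As an added example (not a query from the original post or from Microsoft), here is the kind of hunting query the ThreatIntelligenceIndicator table makes possible: it joins the active IP indicators pulled in by the TAXII feeds against sign-in source addresses, the same join the threat intelligence analytics rule templates use to raise the alerts mentioned above. It assumes the Azure Active Directory connector is on so that SigninLogs exists; column names are the Sentinel defaults.

```kql
// Added example, not from the original post: hunt for sign-ins from IP addresses
// that match active indicators in the ThreatIntelligenceIndicator table.
// Assumes the Azure Active Directory connector is enabled, so SigninLogs exists.
let lookback = 1d;
let ipIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    // ignore indicators the feed has withdrawn or that have expired
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP)
    // feeds are re-polled, so keep only the latest copy of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorIP, ThreatType, ConfidenceScore, SourceSystem, Description;
SigninLogs
| where TimeGenerated >= ago(lookback)
| where isnotempty(IPAddress)
| join kind=inner ipIndicators on $left.IPAddress == $right.IndicatorIP
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType,
          ThreatType, ConfidenceScore, SourceSystem, Description
| sort by TimeGenerated desc
```

A hit here is a lead to investigate, not proof of compromise: check ConfidenceScore and SourceSystem before acting on it, as free feeds vary in quality.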

Using Azure Sentinel with Azure Lighthouse

A recent article:

Configure Azure Lighthouse

detailed how to get Azure Lighthouse working across different tenants (a ‘master’ and multiple ‘clients’). It is now time to look at how to use that capability inside the ‘master’ tenant with Azure Sentinel.

image

Log into your ‘master’ Azure tenant. Select the user in the top right and from the menu that is displayed select Switch directory.

image

You’ll typically see only the current ‘master’ tenant listed in Current + delegated directories. Select the pull down arrow on the left of the Current + delegated directories option as shown.

image

You should now see all the ‘client’ tenants you connected with Azure Lighthouse appear. However, you’ll notice they are currently not selected.

image

Ensure that all the directories are selected.

image

With All directories now selected in Current + delegated directories, click on the pull down arrow on the right of Subscription as shown above.

image

Again, you will probably see that the subscriptions in the ‘client’ tenants are not selected.

image

Ensure these are all selected and the Subscription option displays All subscriptions as shown above.

image

With all the ‘client’ tenant selections now complete, they will be displayed just like any other resources in the ‘master’ tenant. Navigate to Azure Sentinel in the ‘master’ tenant and look at the list of workspaces that are displayed. If you don’t see the ‘client’ Sentinel workspaces, select the Subscription filter at the top of the page and ensure it is set to All as shown.

image

With all the workspaces selected, click the View incidents button from the menu along the top as shown above.

image

You should now see a list of all the incidents across all the tenants. You can see this by looking at the Directory column as shown in the output. You can, of course, view individual Sentinel workspaces if you want by just clicking on them in the previous screen. This provides the same experience as if you viewed the results inside that ‘client’ tenant, but you are now doing it inside the ‘master’ tenant.

This process now provides you a single pane of glass across all your Azure Sentinel environments. Depending on the permissions you have configured in the ‘client’ tenants, you get much the same capability across other Azure resources in the ‘master’ tenant now. This is the benefit of using Azure Lighthouse to manage multiple tenants and exactly how I use it with Azure Sentinel.
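The same Lighthouse delegation also lets you query the ‘client’ workspaces directly from the ‘master’ tenant. As an added example (not from the original post), this query pulls the open incidents from several delegated workspaces into one result; "client-a-sentinel" and "client-b-sentinel" are placeholder workspace names, and the delegated permissions must include read access to those Log Analytics workspaces.

```kql
// Added example, not from the original post: one query across several
// Lighthouse-delegated 'client' Sentinel workspaces, run from the 'master' tenant.
// "client-a-sentinel" and "client-b-sentinel" are placeholder workspace names.
let since = ago(7d);
// isfuzzy=true keeps the query running if one workspace has no SecurityIncident table yet
union isfuzzy=true
    (workspace("client-a-sentinel").SecurityIncident | extend Workspace = "client-a-sentinel"),
    (workspace("client-b-sentinel").SecurityIncident | extend Workspace = "client-b-sentinel")
| where TimeGenerated >= since
// SecurityIncident writes a row for every change, so keep the latest state of each incident
| summarize arg_max(TimeGenerated, *) by Workspace, IncidentNumber
| where Status != "Closed"
| summarize Open = count(),
            High = countif(Severity == "High"),
            Unassigned = countif(isempty(tostring(Owner.assignedTo)))
          by Workspace
| sort by High desc, Open desc
```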

The case of the missing Azure Sentinel ingested data

image

Recently, I have seen my Azure Sentinel overview look like the above. I was puzzled why I had so many hours without any data being ingested. In short, it turned out that I had exceeded my storage tier capacity. Here’s where to look if you see something similar.

image

From the menu on the left of the Azure Sentinel workspace scroll to the bottom and select Settings as shown. Then from the pane that appears on the right select Workspace settings at the top as shown.

image

This will take you to the Azure Log Analytics workspace that underpins Sentinel. From the menu on the left here, select Usage and estimated costs. Note on the right what is highlighted under the Free pricing tier I was using:

(The log data ingestion includes the 500 MB/VM/day data allowances from Azure Security Center.)

That is the limit for my current tier. Any data over that quota was not being ingested. No ingested data means nothing recorded in the Sentinel overview report.

image

If you select the Daily cap button at the top of the page, more information appears on the right as shown.

image

The two important things to note are that the daily volume cap is 0.5 GB/day and that the limit is reset at 2am UTC (12pm Sydney time).

image

When I checked the Workspace Pricing tier details, shown above, there was indeed a daily cap of 512MB.

image

Then when I looked at the overview report in Sentinel I saw that data did indeed begin to be re-ingested at 12pm local time (2am UTC), as expected.

image

So the next question was, how much is it going to cost me to avoid this situation and ingest all my data? Looking at the Pay-as-you-go pricing tier I see the estimated cost per month would only be AU$4.79. Easy choice. SELECT.

image

The important thing to remember with this ingested data is that you always get the initial 512MB per day free. Above that, no data is captured unless you upgrade your pricing tier. But then you’ll only pay for the amount above the 512MB per day, which in my case was only about 34MB per day on average.

image

A good way to keep track of this sort of data, before it becomes an issue as it did for me, is to use the Workspace usage Report workbook, which you can access from the Sentinel console as shown above.

image

Here you’ll see everything you need to keep on top of this total data you are ingesting and where it is coming from.

The reason I’m ingesting so much data is that I’m pulling security events from local devices. Most Microsoft cloud services include free ingestion, which is the place you should start. However, I had added a number of demo devices to my tenant which pushed me over the free 512MB limit. Most people should be able to stay well below this quota by default, at least to start with. However, if you ever need to upgrade, like I have, it’s still cheap for what it provides!
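If you would rather see the cap situation in a query than in a workbook, here is an added example (not from the original post) that runs the same check from the Usage table: billable megabytes per day against the 512MB free-tier cap, with the day boundary moved to the 2am UTC reset time mentioned above.

```kql
// Added example, not from the original post: daily billable ingestion compared with
// the 512 MB/day free-tier cap. The cap resets at 2am UTC, so the day window is
// binned from 02:00 UTC rather than midnight to line up with the cap.
let dailyCapMB = 512.0;
Usage
| where TimeGenerated >= ago(30d)
| where IsBillable == true
// Quantity is in MB; StartTime is the start of the hourly usage slot
| extend CapWindow = bin(StartTime - 2h, 1d) + 2h
| summarize IngestedMB = sum(Quantity) by CapWindow, DataType
// total per cap window, plus the single data type that contributed the most
| summarize TotalMB = round(sum(IngestedMB), 1), arg_max(IngestedMB, DataType) by CapWindow
| extend OverCapMB = max_of(TotalMB - dailyCapMB, 0.0),
         Status = iff(TotalMB > dailyCapMB, "over cap: data dropped on free tier", "under cap")
| project CapWindow, TotalMB, OverCapMB, Status,
          TopSource = DataType, TopSourceMB = round(IngestedMB, 1)
| sort by CapWindow asc
```

Rows marked "over cap" on the free tier are the hours you will see as gaps in the Sentinel overview; on Pay-as-you-go the OverCapMB column is simply what you are billed for.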

Use PowerShell with Azure Sentinel

Yes Virginia, it is now possible to use PowerShell with Azure Sentinel. Microsoft has made available the Az.SecurityInsights module that allows you to work with Azure Sentinel. You’ll find the module here:

https://www.powershellgallery.com/packages/Az.SecurityInsights/0.1.0

and you install it in your elevated PowerShell environment via the command:

Install-Module -Name Az.SecurityInsights -AllowClobber

To use the module commands you’ll also need to login to Azure. You can do that by using my connection scripts, which are here:

An easier way to connect using PowerShell

However, to make it even easier for you, I’ve created a complete script here:

https://github.com/directorcia/Office365/blob/master/az-sentinel-ruleget.ps1

You run the script in your environment like so:

image

You’ll then be prompted to login to your Azure tenant like so:

image

You’ll then be prompted to select your Azure subscription where Sentinel is configured:

image

You should see a list of all the subscriptions in your tenant as shown above. Select the one where Azure Sentinel is configured and select OK to continue.

image

You’ll then be prompted to select which workspace Azure Sentinel is configured with. Again, just select the appropriate workspace and then OK to continue.

image

The script will now display a list of all the available Rule Templates in Sentinel as shown above, sorted by most recently added (handy to see what’s new!).

image

This list is what you see in the Azure Sentinel portal when you select Analytics, then Rule templates as shown above. In effect, this is every analytics rule Sentinel makes available to you.

image

The next part of the script output will show you every rule in use.

image

This corresponds with the Active rules area in the web portal as shown above.

image

The next section of the script output will show you all the available rules and whether they are in use or Active as shown above.

image

You’ll see something similar if you return to the Rule templates, and note the rules “IN USE”, as shown above.

image

If you have a close look here, you’ll see rules that have no display name. I’ll cover that a bit further on, as it is still a bit of a mystery to me at this stage.

image

The last listing in the script will show you all the rules that are NOT in use, in date order. This is handy as I don’t see anything like this in the web portal.

image

Finally, the script will give you a summary as shown above.

It is interesting to note that 11 scripts report errors? These seem to be the ones with no names? Still haven’t quite worked that one out yet. You might also see this mismatch in the rules in use as I have above. I need to dig into this a little more. Also a bit strange is the fact that I have 191 scripts reporting in total but if I add the 104 templates in use with the 112 not in use I come to a total of 216! If I then look in the web interface I see:

image

only 182 templates in total??

This new Azure Sentinel module is only a month old as of writing this article, so early days. Hopefully, these items are minor bugs that will get fixed soon. You can also double check my code to ensure I haven’t done something silly. If I have, let me know so I can fix it and share.

However, that considered, I can see this new Azure Sentinel PowerShell module being pretty handy if I’m honest. This script allows me to see when Microsoft adds new rules that I need to go and configure for one. I’ll be spending more time with this PowerShell module to automate how I deploy Azure Sentinel, which I reckon will save me a bucket-load of time.

Looking forward to future updates to this module, but there is no reason you can’t start automating Azure Sentinel yourself today!


Handy Azure Sentinel workbook

image

If you have a look at the available workbooks in Azure Sentinel, you should find a Data collection health monitoring workbook under Templates as shown above. It is easy to Save this to your environment (in the lower right after selecting the workbook).

image

If you View the workbook, you’ll need to select the Subscription and Workspace at the top of the page. Once you have done this you should start seeing the values for your environment as shown above.

Have a look in the Overview section at the Is billable field, as shown above. That is handy to know, as not all services ingested into Azure Sentinel incur a cost.

image

Pricing can be found here:

https://azure.microsoft.com/en-us/pricing/details/azure-sentinel/

If you scroll down to the bottom of the screen you see the above:

What data can be ingested at no cost with Azure Sentinel?

Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Center, Microsoft Cloud App Security, and Azure Information Protection can be ingested at no additional cost into both Azure Sentinel, and Azure Monitor Log Analytics.


Please Note: Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics.

and

What other charges should I be aware of when using Azure Sentinel?

Any Azure services that you use in addition to Azure Sentinel are charged per their applicable pricing. For example – Log Analytics, Logic Apps, Machine Learning, etc.

For a good introduction to Sentinel have a look at my previous article:

Another great security add on for Microsoft 365

and an online course I created:

Getting started with Azure Sentinel

Using the Data collection health monitoring workbook now makes it easy to see exactly what you are being billed for. All you need to do is add it to your own workbooks. Here is a great video overview:

A couple of new additions to Azure Sentinel

If you have a look inside your Azure Sentinel console you should see some new options.

image

The first is a new option in the Office 365 Data connector to allow you to bring Teams data from the Office 365 Unified Audit Log into Sentinel. All you need to do to enable this is open the Office 365 connector and select the Teams check box as shown above.

image

Once the data starts flowing in, you’ll be able to run Kusto queries on the log data as shown above. This query will produce a quick report of all the Teams sessions over the last day. The KQL for this is:

OfficeActivity
| where TimeGenerated >= ago(1d)
| where RecordType == "MicrosoftTeams"
| summarize count() by UserId
| sort by count_

With Teams data now flowing into Sentinel you can start creating all sorts of interesting reports.
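As an added example of one of those reports (not a query from the original post), this extends the query above from a per-user session count to the team and membership management operations each user performed per day, which is where an audit of who is creating teams or adding members usually starts. It assumes the Teams rows of OfficeActivity carry the TeamName column.

```kql
// Added example, not from the original post: team and membership management
// operations per user per day from the Teams data in OfficeActivity.
// Assumes the Teams rows of OfficeActivity carry the TeamName column.
OfficeActivity
| where TimeGenerated >= ago(7d)
| where RecordType == "MicrosoftTeams"
// management operations only; plain chat and meeting activity is left out
| where Operation in ("TeamCreated", "TeamDeleted", "MemberAdded", "MemberRemoved",
                      "MemberRoleChanged", "TeamSettingChanged", "ChannelAdded", "ChannelDeleted")
| summarize Events = count(),
            Operations = make_set(Operation),
            Teams = make_set(TeamName)
          by UserId, Day = bin(TimeGenerated, 1d)
| sort by Events desc
```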

image

The next new item is the Entity behavior as shown above. Here is what it does:

image

Basically, it is going to give you the ability to be more granular when looking at data as well as providing more AI (Artificial Intelligence) across that data looking for anomalies.

image

Just scroll down the page and Turn it on.

image

Now when you visit the link you’ll see:

image

and selecting an account will show you information like:

image

This is a great summary for that user over the time period you selected.

image

The Threat intelligence option provides the above options, which to be honest, I haven’t fully figured out how to use effectively yet. I may not as yet have enough data in this tenant to make full use of it. I’ll have to wait and see.

Overall, some really handy additions to Azure Sentinel that I’d encourage you to take advantage of to improve your security analysis. If you are looking to get started with Azure Sentinel, don’t forget my online course:

https://www.ciaopsacademy.com/p/getting-started-with-azure-sentinel