---
title: Cloud security
tags: theme
description: Use `{%hackmd theme-dark %}` syntax to include this theme.
---
# Microsoft Sentinel
## Overview
Microsoft Sentinel (formerly Azure Sentinel) is a cloud-native SIEM and SOAR solution that collects data from many sources to give a comprehensive picture of what is going on in your organization.
- Sentinel is a **SIEM** (Security Information and Event Management)
<br> Investigate and find threats: incidents, alerts.
- Sentinel is a **SOAR** (Security Orchestration, Automation and Response) tool <br>Reacting to what the SIEM finds.
**SIEM**: find things <br>
**SOAR**: do something about it
## Architecture

Sentinel is built on top of a Log Analytics workspace, which stores the ingested data and runs the KQL queries; a threat intelligence and machine learning layer is added on top to investigate these massive amounts of data and surface findings clearly and meaningfully.
## Core components
### 1- Data Connectors
Data connectors bring data from the various sources into the Log Analytics workspace behind Sentinel. A connector defines the source type, the ingestion method (diagnostic settings, an agent forwarding syslog/CEF, an API poll, or a Logic App), the endpoint and the authentication required to reach the data source. Connectors for Microsoft services are usually enabled with a few clicks; third-party sources need an agent or a custom connector.
> [Enable a Data Connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources#enable-a-data-connector)
### 2- Analytics (Rules)
Analytics rules query your data on a schedule (or in near real time) for certain events or groups of events, notify you when a threshold or condition is met, create incidents for your SOC to analyze and triage, and can respond to threats through automated playbooks.
> When creating a rule you can classify it by selecting attack categories in the **Tactics and techniques** field. These are the tactics and techniques of the MITRE ATT&CK framework.
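As an added example (not code from the page or from Microsoft), the logic of a typical scheduled analytics rule in plain Python, run over constructed SigninLogs rows so it works offline: a burst of failed sign-ins for one account from one IP inside a 10-minute window raises an alert, which is escalated to High when a successful sign-in follows the burst (the pattern ATT&CK files under Credential Access, T1110 Brute Force). The KQL sketch in the docstring is the form such a rule takes in Sentinel; the usernames, IPs, timestamps and the threshold of five are assumptions made for the example.

```python
"""Logic of a scheduled analytics rule: a burst of failed sign-ins for one
account from one IP, escalated when a successful sign-in follows the burst.

In Sentinel the same rule is a scheduled KQL query; a reference sketch:
    SigninLogs
    | where TimeGenerated > ago(1h)
    | summarize Failures = countif(ResultType != "0"),
                Successes = countif(ResultType == "0")
              by UserPrincipalName, IPAddress, bin(TimeGenerated, 10m)
    | where Failures >= 5
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _row(ts, user, ip, result):
    # Column names follow the Sentinel SigninLogs table; ResultType "0" is success,
    # "50126" is Azure AD's "invalid username or password".
    return {"TimeGenerated": ts, "UserPrincipalName": user, "IPAddress": ip, "ResultType": result}


# Constructed sample rows (users, IPs and times are invented for this example).
SAMPLE_SIGNINS = [
    # alice: five failures in four minutes followed by a success -> High
    _row("2024-01-10T08:00:05Z", "alice@contoso.com", "203.0.113.7", "50126"),
    _row("2024-01-10T08:00:40Z", "alice@contoso.com", "203.0.113.7", "50126"),
    _row("2024-01-10T08:01:15Z", "alice@contoso.com", "203.0.113.7", "50126"),
    _row("2024-01-10T08:02:30Z", "alice@contoso.com", "203.0.113.7", "50126"),
    _row("2024-01-10T08:03:50Z", "alice@contoso.com", "203.0.113.7", "50126"),
    _row("2024-01-10T08:05:10Z", "alice@contoso.com", "203.0.113.7", "0"),
    # bob: three failures spread over forty minutes, then a success -> no alert
    _row("2024-01-10T09:00:00Z", "bob@contoso.com", "198.51.100.9", "50126"),
    _row("2024-01-10T09:20:00Z", "bob@contoso.com", "198.51.100.9", "50126"),
    _row("2024-01-10T09:40:00Z", "bob@contoso.com", "198.51.100.9", "50126"),
    _row("2024-01-10T09:50:00Z", "bob@contoso.com", "198.51.100.9", "0"),
    # carol: six failures in five minutes and no success -> Medium
    _row("2024-01-10T10:00:00Z", "carol@contoso.com", "192.0.2.44", "50126"),
    _row("2024-01-10T10:00:50Z", "carol@contoso.com", "192.0.2.44", "50126"),
    _row("2024-01-10T10:01:40Z", "carol@contoso.com", "192.0.2.44", "50126"),
    _row("2024-01-10T10:02:30Z", "carol@contoso.com", "192.0.2.44", "50126"),
    _row("2024-01-10T10:03:20Z", "carol@contoso.com", "192.0.2.44", "50126"),
    _row("2024-01-10T10:04:10Z", "carol@contoso.com", "192.0.2.44", "50126"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_signin_bursts(rows, threshold=5, window=timedelta(minutes=10)):
    """One alert per (user, IP) with at least `threshold` failures inside any
    `window`; severity is High if a successful sign-in follows the burst."""
    grouped = defaultdict(list)
    for r in rows:
        grouped[(r["UserPrincipalName"], r["IPAddress"])].append(
            (_parse(r["TimeGenerated"]), r["ResultType"] == "0"))

    alerts = []
    for (user, ip), events in grouped.items():
        events.sort()
        failures = [t for t, ok in events if not ok]
        start = 0
        for end, t_end in enumerate(failures):
            # Sliding window: drop failures older than `window` before this one.
            while t_end - failures[start] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend to the rest of the burst inside the window.
            while end + 1 < len(failures) and failures[end + 1] - failures[start] <= window:
                end += 1
            burst_end = failures[end]
            success_after = any(ok and t > burst_end for t, ok in events)
            alerts.append({
                "UserPrincipalName": user,
                "IPAddress": ip,
                "Failures": end - start + 1,
                "BurstStart": failures[start].isoformat(),
                "BurstEnd": burst_end.isoformat(),
                "Severity": "High" if success_after else "Medium",
                "Tactics": ["CredentialAccess"],
                "Techniques": ["T1110"],
            })
            break  # one alert per entity pair, as Sentinel alert grouping would do
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_signin_bursts(SAMPLE_SIGNINS):
        print(alert)
```

The escalation step is the part worth copying: a burst of failures alone is noise from a locked-out user or a misconfigured client, but a burst followed by a success from the same IP is the signal that the guess landed.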
### 3- Playbooks (for automation)
A playbook is an Azure Logic App triggered by a Sentinel alert or incident; creating one takes you to the Logic App designer.
Alternatively, rely on the [sentinel repo](https://github.com/Azure/Azure-Sentinel) to find a template that builds the Logic App for you.
### 4- Workbooks
Workbooks have a wide range of applications, from simple data presentation to complex graphing and resource investigation maps.
### 5- Hunting (look for something)
**Query and get insights using KQL**
Run a KQL (Kusto Query Language) query against the workspace and use the results to improve your insight into the data; hunting is proactive, done before any rule has fired.
<br>
### 6- Notebooks
**Query and get insights using ML**
Built on top of Jupyter notebooks: a pattern to look for things, security information, in the data.
Write machine learning code in languages such as Python.
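For the Hunting and Notebooks sections together, an added example that is not the page's or Microsoft's code: the notebook step that would follow a hunting query. The hunt itself is a KQL aggregation of sign-ins per user and hour (sketched in the docstring); the Python scores each user's latest hour against that user's own history with a z-score, using only the standard library so it runs offline. The users, the hourly patterns, the 48-hour baseline and the threshold of three standard deviations are constructed for the example; the constant-baseline case (standard deviation zero) and the too-little-history case are handled explicitly because both occur with real sign-in data.

```python
"""Notebook-style scoring of hourly sign-in counts per user against that user's
own baseline (mean and standard deviation of the earlier hours).

The hunting query that would produce the input (KQL sketch, for reference):
    SigninLogs
    | where TimeGenerated > ago(30d)
    | summarize Count = count() by UserPrincipalName, Hour = bin(TimeGenerated, 1h)
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _series(user, pattern, current, baseline_hours=48):
    """Constructed rows (user, hour, count): `baseline_hours` hours following
    `pattern` cyclically, then one more hour with `current` sign-ins."""
    start = datetime(2024, 1, 1)
    rows = [(user, (start + timedelta(hours=i)).isoformat(), pattern[i % len(pattern)])
            for i in range(baseline_hours)]
    rows.append((user, (start + timedelta(hours=baseline_hours)).isoformat(), current))
    return rows


# Constructed input: what the hunt above would return for four invented users.
SAMPLE_HOURLY_COUNTS = (
    _series("alice@contoso.com", [2, 3, 4, 3, 2, 3], current=12)        # clear spike
    + _series("bob@contoso.com", [1], current=1)                        # flat, unchanged
    + _series("carol@contoso.com", [1], current=5)                      # flat baseline, sigma == 0
    + _series("dave@contoso.com", [2], current=50, baseline_hours=5)    # too little history
)


def score_anomalies(rows, z_threshold=3.0, min_baseline_hours=24):
    """Score each user's latest hour against that user's earlier hours.

    Returns one finding per user whose latest count is at least `z_threshold`
    standard deviations above the baseline mean. Users with fewer than
    `min_baseline_hours` of history are skipped rather than scored on noise."""
    per_user = defaultdict(list)
    for user, hour, count in rows:
        per_user[user].append((hour, count))

    findings = []
    for user, series in per_user.items():
        series.sort()                      # ISO timestamps sort chronologically
        baseline = [count for _, count in series[:-1]]
        hour, current = series[-1]
        if len(baseline) < min_baseline_hours:
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        if sigma == 0:
            # Constant baseline: z is undefined, so treat any increase as
            # infinitely surprising instead of dividing by zero.
            z = float("inf") if current > mu else 0.0
        else:
            z = (current - mu) / sigma
        if z >= z_threshold:
            findings.append({"user": user, "hour": hour, "count": current,
                             "baseline_mean": round(mu, 2), "z": z})
    return findings


if __name__ == "__main__":
    for finding in score_anomalies(SAMPLE_HOURLY_COUNTS):
        print(finding)
```

Per-user baselines matter more than the scoring function: a global threshold would either flag every service account or miss a ten-fold jump for a user who normally signs in twice a day.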
> [Sentinel Pricing](https://azure.microsoft.com/fr-fr/pricing/details/microsoft-sentinel/)
---
# Scenarios
- Use **Azure Event Hub** for **continuous export of high-severity alerts and retrieval by a 3rd-party SIEM solution**
- Use diagnostic settings in Azure AD to stream the logs to an event hub **to generate alerts from Azure Active Directory**
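An added example, not code from the page or from Microsoft, of the receiving side of both scenarios: a third-party SIEM consumer that unwraps an Event Hub batch, keeps alerts at or above a severity floor, derives an alert from a risky Azure AD sign-in, and emits CEF lines. The records array envelope is how Azure Monitor diagnostic settings deliver logs to an event hub; the record contents, the SignInLogs and SecurityAlert category and property names used here, the severity mapping and the CEF field choices are assumptions made for the example, so check them against your own exported data.

```python
"""Consumer side of 'export to Event Hub, retrieve from a 3rd-party SIEM'.

Azure Monitor diagnostic settings deliver each Event Hub message as a JSON
document with a top-level "records" array; each record carries time,
resourceId, category and a category-specific "properties" object. The record
contents below are constructed for this example.
"""
import json

AAD_RESOURCE = "/tenants/00000000-0000-0000-0000-000000000000/providers/Microsoft.aadiam"
VM_RESOURCE = ("/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod"
               "/providers/Microsoft.Compute/virtualMachines/")

# Constructed Event Hub message body: two Azure AD sign-ins and two security alerts.
SAMPLE_EVENTHUB_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-10T08:00:05Z", "resourceId": AAD_RESOURCE, "category": "SignInLogs",
     "properties": {"userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.7",
                    "riskLevelDuringSignIn": "none", "status": {"errorCode": 0}}},
    {"time": "2024-01-10T08:02:11Z", "resourceId": AAD_RESOURCE, "category": "SignInLogs",
     "properties": {"userPrincipalName": "bob@contoso.com", "ipAddress": "198.51.100.9",
                    "riskLevelDuringSignIn": "high", "status": {"errorCode": 0}}},
    {"time": "2024-01-10T08:05:30Z", "resourceId": VM_RESOURCE + "web01", "category": "SecurityAlert",
     "properties": {"alertDisplayName": "Unusual configuration reset", "severity": "Medium",
                    "compromisedEntity": "web01"}},
    {"time": "2024-01-10T08:07:42Z", "resourceId": VM_RESOURCE + "web02", "category": "SecurityAlert",
     "properties": {"alertDisplayName": "Suspicious process executed", "severity": "High",
                    "compromisedEntity": "web02"}},
]})

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}
RISK_TO_SEVERITY = {"low": "Low", "medium": "Medium", "high": "High"}


def parse_records(message):
    """Unwrap the Azure Monitor envelope; a body without 'records' yields nothing."""
    return json.loads(message).get("records", [])


def normalize(record):
    """Map one record to a common alert dict, or None if it is not alert-worthy."""
    props = record.get("properties", {})
    category = record.get("category")
    if category == "SecurityAlert":
        return {"time": record["time"], "source": "DefenderForCloud", "id": category,
                "name": props["alertDisplayName"], "severity": props["severity"],
                "fields": {"dhost": props.get("compromisedEntity", ""),
                           "cs1": record.get("resourceId", "")}}
    if category == "SignInLogs":
        # Second scenario: derive an alert from Azure AD data itself (risky sign-in).
        severity = RISK_TO_SEVERITY.get(props.get("riskLevelDuringSignIn", "none"))
        if severity is None:
            return None
        succeeded = props.get("status", {}).get("errorCode") == 0
        return {"time": record["time"], "source": "AzureAD", "id": "RiskySignIn",
                "name": "Risky sign-in", "severity": severity,
                "fields": {"suser": props.get("userPrincipalName", ""),
                           "src": props.get("ipAddress", ""),
                           "outcome": "success" if succeeded else "failure"}}
    return None


def select_alerts(records, min_severity="High"):
    """Alerts at or above `min_severity`, in the order they appeared in the batch."""
    floor = SEVERITY_RANK[min_severity]
    alerts = [a for a in map(normalize, records) if a is not None]
    return [a for a in alerts if SEVERITY_RANK.get(a["severity"], 0) >= floor]


def to_cef(alert):
    """CEF:0 line. Header fields escape '|' and '\\'; extension values escape '=' and '\\'."""
    def hdr(s):
        return str(s).replace("\\", "\\\\").replace("|", "\\|")

    def ext(s):
        return str(s).replace("\\", "\\\\").replace("=", "\\=")

    cef_severity = {"Low": 3, "Medium": 5, "High": 8}[alert["severity"]]
    extension = " ".join(f"{k}={ext(v)}" for k, v in alert["fields"].items())
    return (f"CEF:0|Microsoft|{hdr(alert['source'])}|1.0|{hdr(alert['id'])}"
            f"|{hdr(alert['name'])}|{cef_severity}|{extension}")


if __name__ == "__main__":
    for alert in select_alerts(parse_records(SAMPLE_EVENTHUB_MESSAGE)):
        print(to_cef(alert))
```

Filter on the normalized severity rather than on the raw record: the two sources spell severity differently (a Defender alert carries it, a sign-in only carries a risk level), and the escaping in `to_cef` is what keeps a display name containing `|` from corrupting the header on the receiving SIEM.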
---
# Defender

Microsoft Defender for Cloud, formerly Azure Security Center (ASC) with Azure Defender as its paid workload-protection tier, is a dashboard in the Azure portal that provides an overview of all of your assets in Azure and non-Azure environments, together with a secure score and recommendations to secure them properly (its CSPM side) and threat detection for workloads (its CWPP side).
**Microsoft Sentinel** includes a wide range of data connectors. Among them is Defender for Cloud.
> [Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud)
Defender comes in a variety of flavors depending on what it protects; some of them are listed below.
- Microsoft Defender for Cloud (Azure Security Center)
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
> [Microsoft Defender for Cloud pricing](https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/)
---
# Project: EventHub
> Sending logs and establishing monitoring use cases with Sentinel/Defender.
**Decision tree**: Determine how many workspaces are required for this project **❓**

## The Objective 🥅
### A: Send logs to Sentinel
#### Sentinel Migration:

- Configuring log ingestion from **SharePoint**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12**
- Configuring log ingestion from **Teams**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12**
> [Monitor Logs from Azure Sentinel (Sharepoint, Teams)](https://nanddeepnachanblogs.com/posts/2021-03-14-monitor-o365-logs-azure-sentinel/)
---
- Configuring log ingestion from **Dynamics 365 Sales**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12**
- Configuring log ingestion from **Power Apps**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12**
> [Office 365 Management API data into Azure Sentinel](https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data)
---
- Configuring log ingestion from **AAD**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12** <br>
- Configuring log ingestion from **Azure SQL Managed Instance**
- Putting the ingestion into production and validating that the logs correlate correctly.
<br>**Estimation in hours: 12**
> N.B.: Integrate with the Logic Apps part where required.
### B: Develop surveillance use cases
> [SIEM – USE CASE WRITING GUIDE]()
The development of use cases and the parameterization of monitoring attributes will be done on a time and materials (T&M) basis.
Consult the **MITRE ATT&CK® framework**. <br>
> [Use cases for implementing the MITRE ATT&CK® framework](https://resources.infosecinstitute.com/topic/use-cases-for-implementing-the-mitre-attck-framework/)