Becoming an Azure Sentinel expert

April 23, 2020

I have been working on Azure Sentinel projects for the past 12 months and writing IP which uses Azure Sentinel, a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

Recently, while working on a Sentinel project for a major enterprise, I became aware of a training that Ofer Shezaf from Microsoft has shared, and I highly recommend that those who would like to learn and become an expert on Azure Sentinel check out the material and curriculum.

The training program includes 16 modules, with presentations, relevant product documentation, blog posts, and other resources. If you are already familiar with Sentinel, check out module 9, my preferred one.

Overview

– Module 1: Technical overview

– Module 2: Azure Sentinel role

Designing Your Deployment

– Module 3: Cloud architecture and multi-workspace/tenant support

– Module 4: Collecting events

– Module 5: Log Management

– Module 6: Integrating threat intelligence

Creating Content

– Module 7: Kusto Query Language (KQL) – the starting point

– Module 8: Writing rules to implement detection

– Module 9: Creating playbooks to implement SOAR

– Module 10: Creating workbooks to implement dashboards and apps

– Module 11: Implementing use cases

Security Operations

– Module 12: A day in a SOC analyst’s life, incident management, and investigation

– Module 13: Hunting

Advanced Topics

– Module 14: Automating and integrating 

– Module 15: Roadmap – since it requires an NDA, contact your Microsoft contact for details.

– Module 16: Where to go next?

You can find the training material here

Image source: https://docs.microsoft.com/en-us/azure/sentinel/overview

Categories: Cloud, Microsoft

Tips to help you take appropriate action to catch illegal activity

April 26, 2018

Below are some tips to help you take appropriate action to catch illegal activity:

Azure AD reporting API

Use the Azure Active Directory reporting APIs, which provide programmatic access to the report data through a set of REST-based APIs. The data in these reports is very useful to your applications, such as SIEM systems, audit tools, and business intelligence tools.

The Azure AD reporting API can be used to extract data from Azure AD and Azure B2C.

Note: You can call these APIs from a variety of programming languages and tools.

For more information on how to use and samples see:

Enable Audit Recording for O365

Source: https://blogs.technet.microsoft.com/office365security/finding-illicit-activity-the-old-fashioned-way/

Even the best automated detection systems will struggle to catch all illegal activity, and they need your help to detect anomalies.

Some audit logging is automatically enabled for you in Office 365; however, mailbox audit logging is not turned on by default.

So, if you are serious about security, Office 365 offers a wide variety of security-related reports and data that you can review to manually find illegal activities.

It only takes a few minutes to configure, and it will dramatically improve your security posture. To turn it on, just click "Start recording user and admin activity" on the Audit log search page in the Security & Compliance Center.

Note: If you don’t see this link, auditing has already been turned on for your organization. You only have to do this once.

After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete.

For more information, follow the instructions here: https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&rs=en-US&ad=US.

After you’ve enabled audit logging, you can search the audit log in the Office 365 Security & Compliance Center to find out who has logged into your user mailboxes, sent messages, and performed other activities, whether as the mailbox owner, a delegated user, or an administrator.

You can download all results as raw data from the Office 365 audit log to a CSV file.
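One way to review that CSV for mailbox activity by someone other than the owner, as an added example that is not part of the original post. It assumes the export has the columns CreationDate, UserIds, Operations and AuditData, with AuditData holding a JSON record whose Exchange entries carry MailboxOwnerUPN, LogonType and ClientIPAddress; the function names, accounts, addresses and sample rows are constructed for illustration.

```python
import csv
import io
import json
from collections import defaultdict

LOGON_TYPES = {0: "Owner", 1: "Admin", 2: "Delegate"}  # mailbox audit LogonType values

def build_sample_export():
    """Constructed sample shaped like the audit log CSV export (assumed layout)."""
    def mbx(user, op, owner, logon, ip):
        return json.dumps({"Workload": "Exchange", "Operation": op,
                           "UserId": user, "MailboxOwnerUPN": owner,
                           "LogonType": logon, "ClientIPAddress": ip})
    alice, bob, admin = (f"{n}@contoso.example" for n in ("alice", "bob", "admin"))
    rows = [
        ("2018-04-20T08:01:12", alice, "MailboxLogin",
         mbx(alice, "MailboxLogin", alice, 0, "203.0.113.10")),
        ("2018-04-20T23:40:05", admin, "HardDelete",
         mbx(admin, "HardDelete", alice, 1, "198.51.100.7")),
        ("2018-04-21T02:15:44", bob, "SendAs",
         mbx(bob, "SendAs", alice, 2, "198.51.100.7")),
        ("2018-04-21T09:00:00", bob, "FileAccessed",
         json.dumps({"Workload": "SharePoint", "Operation": "FileAccessed"})),
        ("2018-04-21T09:05:00", bob, "Update", '{"Workload": "Exch'),  # truncated
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    writer.writerows(rows)
    return buf.getvalue()

def non_owner_mailbox_access(csv_text):
    """Map each mailbox owner to the events other accounts performed on it."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, ValueError):
            continue  # AuditData missing or not valid JSON
        owner, logon = data.get("MailboxOwnerUPN"), data.get("LogonType")
        if owner is None or logon in (None, 0):
            continue  # not a mailbox record, or the owner's own activity
        hits[owner].append((row["CreationDate"], data.get("UserId"),
                            LOGON_TYPES.get(logon, "Unknown"),
                            data.get("Operation"), data.get("ClientIPAddress")))
    return dict(hits)

if __name__ == "__main__":
    print(non_owner_mailbox_access(build_sample_export()))
```

To run it against a real export, read the downloaded file as text and pass its contents to `non_owner_mailbox_access` in place of the sample.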

The tables below describe the activities that are audited in Office 365. You can search for these events by searching the audit log in the Security & Compliance Center. Click one of the following links to go to a specific table.

– File and page activities

– Folder activities

– Sharing and access request activities

– Synchronization activities

– Site administration activities

– Exchange mailbox activities

– Sway activities

– User administration activities

– Azure AD group administration activities

– Application administration activities

– Role administration activities

– Directory administration activities

– eDiscovery activities

– Power BI activities

– Microsoft Teams activities

– Yammer activities

– Exchange admin activities

Categories: Cloud