WHAT IS MICROSOFT SENTINEL SIEM?
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that helps detect, respond to, and manage security threats in real time across hybrid environments.
It leverages AI and automation to enhance threat detection and streamline incident response, integrating with both Azure services and third-party tools.
Key Features:
- Centralised security management across cloud and on-premises environments
- AI-powered incident detection and automation
- Built-in integrations with Azure services and third-party tools
WHY USE MICROSOFT SENTINEL SIEM?
Benefits:
- Rapid deployment with cloud-native architecture
- Efficient automation for repetitive tasks
- Comprehensive visibility across the environment
SUPPORTED INTEGRATION
Azure Services
- Integrates with Azure Active Directory (now Microsoft Entra ID), Azure Security Center (now Microsoft Defender for Cloud), and Azure Monitor for enhanced security management.
Third-Party Tools
- Supports popular security solutions like Palo Alto, Cisco, Fortinet, and AWS, allowing for comprehensive monitoring across diverse environments.
SIEM and SOAR
- Works alongside other SIEM tools such as Splunk and ITSM/orchestration platforms such as ServiceNow for streamlined incident response; Sentinel's own SOAR capability is delivered through playbooks built on Azure Logic Apps.
Custom Data Connectors
- Allows custom connectors to ingest data from virtually any source, for example through the Azure Monitor Logs Ingestion API or the Logstash output plugin; data ingested this way lands in custom tables whose names end in _CL
MICROSOFT SENTINEL QUERY (KQL EXAMPLE)
Microsoft Sentinel uses Kusto Query Language (KQL) to search and analyze security logs. Powerful query capabilities allow you to filter, aggregate, and visualize security data.
Example Query: Detect Suspicious Login Attempts
Explanation:
- Filters failed sign-ins (ResultType != "0"; in the SigninLogs table the result code is a string, and "0" means success)
- Aggregates the count of failed sign-ins by user principal name and source IP address
- Lists the most frequent sources of failed sign-ins to surface likely brute force or password spray activity
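The query the explanation above describes, written out as an added example (it is not code from the original post). It runs against the SigninLogs table from the Microsoft Entra ID connector; the threshold, the interrupt codes excluded as non-failures and the codes treated as "password accepted but MFA not satisfied" are assumptions to tune against your tenant.

```kql
// Added example: failed Entra ID sign-ins aggregated by user and source IP.
// ResultType is a string; "0" is success, every other value is an error code.
let FailureThreshold = 10;                          // assumed; tune to your baseline
let InterruptCodes = dynamic(["50140", "50058"]);   // assumed: KMSI / silent-SSO interrupts, not credential failures
let PasswordAcceptedCodes = dynamic(["50074", "50076"]);  // assumed: MFA required, i.e. the password stage passed
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| where ResultType !in (InterruptCodes)
| summarize
    FailedAttempts     = count(),
    PasswordAccepted   = countif(ResultType in (PasswordAcceptedCodes)),  // a guess that landed
    FailureCodes       = make_set(ResultType),
    Apps               = make_set(AppDisplayName, 10),
    FirstSeen          = min(TimeGenerated),
    LastSeen           = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedAttempts >= FailureThreshold
| top 20 by FailedAttempts desc
```

PasswordAccepted is the column to look at first: a source that produced many failures and then an MFA-required result has found a valid password, which is a far stronger signal than the raw failure count.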
1. BRUTE FORCE ATTACK DETECTION
Goal:- Identify brute force login attempts on Windows systems through repeated failed logon events (Security Event ID 4625).
Example query:-
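The post leaves this query blank. The following is an added example, not the original author's query, for the SecurityEvent table (Windows Security log, Event ID 4625). It separates the two shapes of credential guessing: brute force (many failures against one account from one source) and password spray (one source failing against many accounts). The 5-minute window and both thresholds are assumptions.

```kql
// Added example: brute force and password spray on Windows 4625 events.
let Window = 5m;
let BruteForceThreshold = 10;   // failures against one account from one source, per window (assumed)
let SprayThreshold = 5;         // distinct accounts tried from one source, per window (assumed)
let Failures =
    SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID == 4625
    | where LogonType in (2, 3, 10)              // interactive, network, RemoteInteractive (RDP)
    | where not(TargetUserName endswith "$")     // ignore machine accounts
    | project TimeGenerated, Computer, TargetUserName, IpAddress, LogonType, SubStatus;
// Brute force: repeated failures against a single account in a short window
let BruteForce =
    Failures
    | summarize Attempts = count(), SubStatuses = make_set(SubStatus)
        by Computer, TargetUserName, IpAddress, WindowStart = bin(TimeGenerated, Window)
    | where Attempts >= BruteForceThreshold
    | extend Pattern = "BruteForce";
// Password spray: one source trying a few passwords across many accounts
let Spray =
    Failures
    | summarize Attempts = count(), TargetedAccounts = dcount(TargetUserName),
        Accounts = make_set(TargetUserName, 50)
        by Computer, IpAddress, WindowStart = bin(TimeGenerated, Window)
    | where TargetedAccounts >= SprayThreshold
    | extend Pattern = "PasswordSpray";
union BruteForce, Spray
| order by WindowStart desc, Attempts desc
```

SubStatus tells you what kind of failure it was (0xC000006A is a wrong password, 0xC0000064 an unknown account), so a spray that enumerates non-existent usernames stands out from one that hits real accounts. Per-account thresholds alone miss sprays, which is why the second branch keys on the source rather than the target.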
3. PALO ALTO SUSPICIOUS DNS QUERIES
Goal:- Flag suspicious DNS queries that may indicate data exfiltration or command-and-control activity.
Example query:-
PaloAltoNetwork_CL
| where action == "dns-query"
| where query has_any ("suspicious-domain.example")   // placeholder: replace with your blocklist or a watchlist
Outcome:- Detects unusual DNS queries, which may indicate malware or exfiltration via DNS tunneling. The table and field names (PaloAltoNetwork_CL, action, query) are placeholders for a custom log (classic custom-log columns carry a type suffix such as action_s); with the Sentinel Palo Alto Networks connector the same events arrive in CommonSecurityLog. Matching a literal domain is only a starting point: DNS tunneling is better detected by long or high-entropy subdomains and by high query volume per domain.
4. CROWDSTRIKE MALWARE DETECTION
Goal:- Surface every malware detection reported by CrowdStrike Falcon so that infected endpoints can be contained quickly.
Example query:-
CrowdStrikeEvent_CL | where EventType == "malware-detected"
Outcome:- Produces an alert for each CrowdStrike malware detection, allowing quick containment of the affected endpoint. CrowdStrikeEvent_CL and the EventType values used in this and the other CrowdStrike examples are placeholders for a custom log; the Microsoft Sentinel CrowdStrike Falcon connector delivers CEF events into CommonSecurityLog (DeviceVendor "CrowdStrike"), so adapt the table and field names to the connector you actually use.
5. UNAUTHORIZED FIREWALL CONFIGURATION CHANGES
Goal:- Detect and flag unauthorized changes to firewall configuration, whether accidental or malicious tampering.
Example query:-
PaloAltoNetwork_CL | where action == "configuration-change"
Outcome:- Identifies changes to Palo Alto firewall configuration, which may weaken security controls. A bare filter on every configuration event is noisy; to isolate the unauthorized ones, compare the administrator account and the source address of the change against an approved-change list or a maintenance window.
6. SUSPICIOUS LATERAL MOVEMENT
Goal:- Detect lateral movement between Windows hosts by watching Sysmon network connection events for connections to other internal systems over remote-administration ports.
Example query:-
Sysmon
| where EventID == 3 and tobool(Initiated)                       // NetworkConnect, outbound from this host
| where ipv4_is_private(DestinationIp)                           // lateral movement is internal-to-internal
| where toint(DestinationPort) in (135, 139, 445, 3389, 5985, 5986)   // RPC, NetBIOS, SMB, RDP, WinRM
| where Computer !in ("ADMIN-JUMP01")                            // placeholder: known administration hosts
Outcome:- Identifies lateral movement by flagging connections from one internal host to another over remote-administration ports. Because lateral movement is internal-to-internal traffic, the filter keeps private destination addresses (ipv4_is_private) rather than external ones; excluding known administration hosts keeps routine management traffic out of the results. Sysmon is a parser function or custom table here, not a built-in Sentinel table; the Sysmon field names are Initiated, DestinationIp and DestinationPort.
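An added example (not from the original post) showing where Sysmon data actually sits in Sentinel and how to turn it into the typed fields the query above assumes. Sysmon has no built-in table: when the Microsoft-Windows-Sysmon/Operational channel is collected by the Azure Monitor agent it lands in the Event table, with the Sysmon fields inside the EventData XML column. The example lifts those fields into a property bag and then detects lateral-movement fan-out (one host reaching many internal hosts over admin ports in a short window). The same extraction serves the other Sysmon items on this page (8, 12, 14, 20, 24). The XML path, the thresholds, the port list and the admin-host allowlist are assumptions; confirm the path against a sample row in your workspace.

```kql
// Added example: Sysmon from the Event table, then lateral-movement fan-out over admin ports.
let LookBack = 1d;
let FanOutWindow = 10m;
let FanOutThreshold = 5;                                       // distinct internal hosts reached per window (assumed)
let AdminPorts = dynamic([135, 139, 445, 3389, 5985, 5986]);   // RPC, NetBIOS, SMB, RDP, WinRM
let KnownAdminHosts = dynamic(["ADMIN-JUMP01", "ADMIN-JUMP02"]);   // placeholder jump hosts allowed to fan out
let SysmonEvents =
    Event
    | where TimeGenerated > ago(LookBack)
    | where Source == "Microsoft-Windows-Sysmon"
    // EventData is XML with one <Data Name="...">value</Data> element per Sysmon field;
    // collapse those elements into a single property bag per event (path assumed, verify on a row)
    | extend DataItems = parse_xml(EventData).DataItem.EventData.Data
    | mv-apply D = DataItems on (
        summarize Fields = make_bag(bag_pack(tostring(D["@Name"]), tostring(D["#text"])))
      );
SysmonEvents
| where EventID == 3                                           // NetworkConnect
| extend
    Initiated       = tobool(Fields.Initiated),
    Image           = tostring(Fields.Image),
    User            = tostring(Fields.User),
    DestinationIp   = tostring(Fields.DestinationIp),
    DestinationPort = toint(Fields.DestinationPort)
| where Initiated                                              // connections this host opened
| where ipv4_is_private(DestinationIp)                         // internal targets only (IPv6 rows drop out here)
| where DestinationPort in (AdminPorts)
| where Computer !in (KnownAdminHosts)
| summarize
    Targets    = dcount(DestinationIp),
    TargetList = make_set(DestinationIp, 25),
    Ports      = make_set(DestinationPort),
    Processes  = make_set(Image, 10),
    Users      = make_set(User, 10)
    by Computer, WindowStart = bin(TimeGenerated, FanOutWindow)
| where Targets >= FanOutThreshold
| order by Targets desc
```

Fan-out is what separates an attacker from an administrator: a workstation that opens SMB or WinRM to five different servers inside ten minutes is either a scanner, a worm or someone moving laterally, and the Processes column (psexec, wmic, powershell, a renamed binary) usually settles which.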
7. REMOTE DESKTOP PROTOCOL (RDP) LOGIN MONITORING
Goal:- Monitor and detect unusual RDP logon activity from unfamiliar IP addresses on Windows servers.
Example query:-
SecurityEvent
| where EventID == 4624 and LogonType == 10                // RemoteInteractive
| where not(ipv4_is_private(IpAddress))                    // "unfamiliar": outside private ranges; swap in your own allowlist
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, IpAddress
Outcome:- Detects successful RDP logons (logon type 10) together with the account and source address, helping identify unauthorized remote desktop access. When Network Level Authentication is enabled, the credential check first appears as a logon type 3 event on the target before the type 10 logon, so a full picture of RDP activity includes those as well.
8. MALICIOUS POWERSHELL ACTIVITY
Goal:- Detect execution of suspicious PowerShell commands that may indicate an attack or malicious script execution.
Example query:-
Event
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
| where RenderedDescription has "Invoke-Mimikatz"
Outcome:- Identifies use of known offensive PowerShell tooling such as Invoke-Mimikatz, a common credential-theft tool. Event ID 4104 (script block logging) is emitted by PowerShell itself, not by Sysmon: it appears in the Event table once the PowerShell/Operational channel is collected, the script text is part of RenderedDescription, and Script Block Logging must be enabled by policy for the events to exist at all. Attackers rename functions, so a match on the tool name catches only unmodified copies.
9. UNAUTHORIZED FILE ACCESS
Goal:- Detect unauthorized access to sensitive files and directories on Windows systems.
Example query:-
SecurityEvent
| where EventID == 4663 and ObjectType == "File"
| where ObjectName startswith @"C:\Sensitive\"             // placeholder: the directory that carries the audit SACL
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, ObjectName, AccessMask, ProcessName
Outcome:- Alerts on access to sensitive files, highlighting potential insider threats or data theft. Event 4663 is only generated when "Audit File System" is enabled and the file or directory has a SACL that matches the access; without both, the query returns nothing. To restrict the result to unauthorized access, exclude the accounts and processes expected to touch the path.
10. SUSPICIOUS WEB TRAFFIC (PALO ALTO)
Goal:- Monitor for outbound traffic to suspicious or blocklisted domains from the network using Palo Alto logs.
Example query:-
PaloAltoNetwork_CL | where action == "web-browse" and URL has_any ("suspicious.example")   // placeholder domain list
Outcome:- Detects outbound web traffic to suspicious domains, which could indicate malware communication or exfiltration. Keep the domain list in a Sentinel watchlist rather than in the query so it can be updated without editing the rule.
11. CROWDSTRIKE HIGH SEVERITY THREATS
Goal:- Detect high severity threats flagged by CrowdStrike on endpoints for prioritized response.
Example query:-
CrowdStrikeEvent_CL | where Severity == "High"
Outcome:- Provides alerts on high severity threats identified by CrowdStrike, ensuring prompt attention to critical incidents.
12. SUSPICIOUS REGISTRY CHANGES (SYSMON)
Goal:- Detect unauthorized or suspicious changes to the Windows registry that may indicate persistence techniques.
Example query:-
Sysmon
| where EventID == 13                                        // RegistryEvent (value set)
| where TargetObject matches regex @"(?i)\\CurrentVersion\\Run(Once)?\\|\\Winlogon\\(Shell|Userinit)$"
| project TimeGenerated, Computer, User, Image, TargetObject, Details
Outcome:- Detects modifications to auto-start registry keys (Run, RunOnce, Winlogon Shell and Userinit), commonly used by attackers for persistence. The Details field holds the new value, which is what an analyst needs to judge the change; installers and management agents write to these keys legitimately, so baseline the Image column.
13. EXCESSIVE FAILED LOGIN ATTEMPTS (PALO ALTO)
Goal:- Detect repeated failed login attempts against Palo Alto firewalls that may indicate brute force attacks.
Example query:-
PaloAltoNetwork_CL
| where action == "login-failed"
| summarize Failures = count() by UserName, bin(TimeGenerated, 5m)
| where Failures >= 10   // assumed threshold
Outcome:- Flags multiple failed login attempts within a short window, signalling a potential brute force attack against the firewall's management interface. Without the threshold every single failed login would produce a row.
14. ABNORMAL PROCESS EXECUTION
Goal:- Detect the execution of uncommon or suspicious processes that could indicate malware or insider threats.
Example query:-
Sysmon | where EventID == 1 and Image endswith @"\suspicious.exe"   // placeholder name; the Sysmon field is Image
Outcome:- Identifies unusual process execution, helping detect malware or unauthorized software running on systems. A fixed name only works for known bad binaries; for genuinely uncommon processes, compare the Image values seen in the last day against those seen over the previous month and alert on the ones that are new.
15. INTERNAL PHISHING DETECTION
Goal:- Detect internal phishing emails (sent from one employee mailbox to another, typically after an account compromise) using the EmailEvents table from the Microsoft Defender XDR connector.
Example query:-
EmailEvents
| where EmailDirection == "Intra-org"
| where Subject has_any ("urgent request", "payment", "password reset")   // placeholder lure phrases
| project TimeGenerated, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes
Outcome:- Detects potential internal phishing by flagging intra-organisation mail whose subject contains common lure phrases. EmailEvents is Microsoft Defender for Office 365 data, not a Windows event log; keyword matching is noisy, so combine it with the ThreatTypes verdict and with senders that suddenly mail unusually many recipients.
16. CROWDSTRIKE THREAT INTELLIGENCE CORRELATION
Goal:- Correlate CrowdStrike threat intelligence with current events to detect known malicious IPs or hashes.
Example query:-
CrowdStrikeEvent_CL | where ThreatType == "KnownMalware"
Outcome:- Matches endpoint data against CrowdStrike's threat intelligence, identifying systems infected by known malware. Indicators that Sentinel ingests through its threat intelligence connectors are stored in the ThreatIntelligenceIndicator table, which can be joined against any log that carries an IP address or file hash.
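An added example (not the original post's query) of the correlation the goal describes, done with the indicators Sentinel itself holds: the ThreatIntelligenceIndicator table is populated by the threat intelligence connectors (a TAXII feed, a TI platform, or Microsoft Defender Threat Intelligence), and the join below matches active IP indicators against Palo Alto traffic in CommonSecurityLog. The Palo Alto CEF mapping (Activity == "TRAFFIC") and the look-back windows are assumptions.

```kql
// Added example: join active IP indicators against outbound firewall traffic.
let LookBack = 1d;
let ActiveIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)                 // indicators are re-ingested when updated
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // keep only the latest copy of each indicator
    | extend IndicatorIP = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(IndicatorIP)
    | project IndicatorIP, ConfidenceScore, ThreatType, Description, IndicatorId;
CommonSecurityLog
| where TimeGenerated > ago(LookBack)
| where DeviceVendor == "Palo Alto Networks" and Activity == "TRAFFIC"   // assumed CEF mapping
| where not(ipv4_is_private(DestinationIP))           // only external destinations can be C2
| join kind=inner ActiveIpIndicators on $left.DestinationIP == $right.IndicatorIP
| summarize
    Connections = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Sources     = make_set(SourceIP, 20)
    by DestinationIP, ThreatType, ConfidenceScore, Description, IndicatorId
| order by ConfidenceScore desc, Connections desc
```

The arg_max step matters: the same indicator is written again each time the feed updates it, and without deduplication every hit is multiplied by the number of copies. File-hash indicators follow the same pattern with FileHashValue joined against the Hashes field of Sysmon process-creation events. Newer workspaces expose the same data through the ThreatIntelIndicators table; the join itself does not change.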
17. UNAUTHORIZED APPLICATION INSTALLATION
Goal:- Detect unauthorized installation of new software or applications on Windows systems.
Example query:-
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith @"\setup.exe" or NewProcessName endswith @"\msiexec.exe"   // placeholder installer names
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
Outcome:- Alerts on installer executions, identifying potentially unauthorized software on the system. Event 4688 requires "Audit Process Creation" to be enabled, and the CommandLine column is only populated when command-line logging is turned on as well; the 4688 field for the started program is NewProcessName.
18. FIREWALL PORT SCANNING DETECTION
Goal:- Detect internal or external port scanning attempts using Palo Alto firewall logs.
Example query:-
PaloAltoNetwork_CL | where action == "scan" and ApplicationProtocol == "TCP"
Outcome:- Detects and alerts on port scanning activity, which could indicate reconnaissance by an attacker. PAN-OS only logs scan and sweep events when a Zone Protection profile with reconnaissance protection is applied; where it is not, the same signal can be derived from traffic logs by counting distinct destination ports per source address over a short window.
19. CROWDSTRIKE LATERAL MOVEMENT DETECTION
Goal:- Detect lateral movement attempts identified in CrowdStrike logs across the network.
Example query:-
CrowdStrikeEvent_CL | where EventType == "lateral-movement"
Outcome:- Alerts when CrowdStrike detects lateral movement behaviour, allowing swift investigation and containment.
20. SUSPICIOUS POWERSHELL EXECUTION (SYSMON)
Goal:- Detect PowerShell launched with the command-line switches typical of malicious loaders, using Sysmon process creation logs.
Example query:-
Sysmon
| where EventID == 1 and Image endswith @"\powershell.exe"
| where CommandLine matches regex @"(?i)(^|\s)-(nop|noprofile|w(indowstyle)?\s+hidden|e(c|nc|ncodedcommand)?\s|ep\s+bypass|executionpolicy\s+bypass)"
Outcome:- Identifies PowerShell started with -nop, -w hidden, -enc or -ep bypass, the switch combination that droppers and obfuscated one-liners use to run silently. -nop (NoProfile) does not disable logging; it skips the profile scripts so that nothing in the user's profile interferes with the payload. Command-line switches are visible in Sysmon Event ID 1 (or Security event 4688), not in script block event 4104, which carries the script text rather than the command line.
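An added example (not the original post's queries) covering both PowerShell items on this page, 8 and 20, as two separate queries to run one at a time. The first reads script block logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational channel) from the Event table, where the script text is part of RenderedDescription, and reports which terms matched; the second catches the launcher switches on the process command line via Security event 4688. The term list is an assumption and a starting point only.

```kql
// Added example, query 1: script block logging with the matching terms listed per hit.
let SuspiciousTerms = dynamic([
    "Invoke-Mimikatz", "Invoke-Shellcode", "Invoke-Expression", "IEX", "DownloadString",
    "DownloadFile", "Net.WebClient", "FromBase64String", "Reflection.Assembly",
    "Set-MpPreference", "Add-MpPreference", "AmsiUtils"]);           // assumed list, tune it
Event
| where TimeGenerated > ago(1d)
| where EventLog == "Microsoft-Windows-PowerShell/Operational" and EventID == 4104
// PowerShell itself raises 4104 to Warning level when the block contains content it considers suspicious
| extend AutoFlagged = EventLevelName == "Warning"
| where AutoFlagged or RenderedDescription has_any (SuspiciousTerms)
// record which of our terms occur so the analyst sees why the block matched
| mv-apply Term = SuspiciousTerms to typeof(string) on (
    summarize MatchedTerms = make_set_if(Term, RenderedDescription has Term)
  )
| project TimeGenerated, Computer, UserName, AutoFlagged, MatchedTerms, ScriptText = RenderedDescription
| order by TimeGenerated desc

// Added example, query 2: launcher switches on the command line. Security event 4688 only carries
// CommandLine when "Include command line in process creation events" is enabled.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4688
| where NewProcessName endswith @"\powershell.exe" or NewProcessName endswith @"\pwsh.exe"
| where CommandLine matches regex @"(?i)(^|\s)-(nop|noprofile|w(indowstyle)?\s+hidden|e(c|nc|ncodedcommand)?\s|ep\s+bypass|executionpolicy\s+bypass)"
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
```

The AutoFlagged column is free signal: PowerShell's own suspicious-content heuristic fires on many obfuscation patterns that a keyword list never will. ParentProcessName in the second query is often the quickest triage field, since PowerShell spawned by winword.exe or an Office add-in is rarely legitimate.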
21. EXTERNAL ACCESS TO SENSITIVE DATA
Goal:- Detect access to sensitive data on file shares from unexpected network locations using Windows security logs.
Example query:-
SecurityEvent
| where EventID == 5145                                    // network share object access; carries the client address
| where ShareName !~ @"\\*\IPC$"                           // IPC$ traffic is noise
| where RelativeTargetName startswith @"Confidential\"     // placeholder: path inside the share
| where not(ipv4_is_private(IpAddress))                    // clients outside private ranges
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, IpAddress, ShareName, RelativeTargetName, AccessMask
Outcome:- Detects access to sensitive files over the network from external or unexpected addresses, signalling data exfiltration risk. Event 4663 records file access but not the client's network address, so for remote access the right event is 5145 (requires "Audit Detailed File Share" and is high-volume; scope it to the shares that matter). ObjectType in 4663 holds the object class such as "File", not a sensitivity label, so it cannot be used to find confidential data.
22. VPN LOGIN FROM UNUSUAL LOCATION (PALO ALTO)
Goal:- Detect VPN logins from unexpected or unknown geographic locations using Palo Alto GlobalProtect logs.
Example query:-
PaloAltoNetwork_CL
| where action == "vpn-login"
| extend Country = tostring(geo_info_from_ip_address(source_ip).country)
| where Country !in ("United Kingdom", "United States")   // placeholder list of trusted countries
Outcome:- Flags VPN logins from unfamiliar regions, which could indicate compromised credentials. geo_info_from_ip_address() resolves the client address with the built-in GeoLite2 data, so no external lookup is needed; source_ip is a placeholder for the field that holds the client's public address. A country allowlist is coarse, so pair it with a per-user check for logins from two distant locations within a short time.
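An added example (not from the original post) for the Palo Alto items on this page (3, 5, 10, 13, 18 and 22) as they look when the official connector is used: PAN-OS syslog arrives as CEF in CommonSecurityLog, so the selectors are DeviceVendor, Activity (the log type: TRAFFIC, THREAT, CONFIG) and DeviceEventClassID (the subtype, such as url) rather than a *_CL custom table. Two separate queries: suspicious web traffic against a watchlist, and configuration changes outside a change window or from an unapproved source. The CEF field mapping follows the documented PAN-OS CEF format but should be confirmed against a row in your workspace; the watchlist name and column, the maintenance window and the admin source list are assumptions.

```kql
// Added example, query 1: URL-filtering logs matched against a watchlist named "BlockedDomains"
// (assumed to have one column, Domain, holding registrable domains such as bad.example).
_GetWatchlist("BlockedDomains")
| project Domain = tolower(tostring(Domain))
| join kind=inner (
    CommonSecurityLog
    | where TimeGenerated > ago(1d)
    | where DeviceVendor == "Palo Alto Networks"
    | where Activity == "THREAT" and DeviceEventClassID == "url"     // assumed CEF mapping for URL logs
    // host part of the request, then its last two labels so subdomains of a blocked domain match too
    | extend Host = tolower(extract(@"(?i)^(?:[a-z]+://)?([^/:?]+)", 1, RequestURL))
    | where isnotempty(Host)
    | extend Domain = strcat_array(array_slice(split(Host, "."), -2, -1), ".")
  ) on Domain
| summarize Hits = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
    Urls = make_set(RequestURL, 10)
    by SourceIP, SourceUserName, Domain, DeviceAction
| order by Hits desc

// Added example, query 2: configuration changes outside the change window or from an unapproved source.
let ChangeWindowStart = 1;                                   // UTC hour, inclusive (assumed)
let ChangeWindowEnd = 5;                                     // UTC hour, exclusive (assumed)
let ApprovedAdminSources = dynamic(["10.0.10.5", "10.0.10.6"]);   // placeholder admin jump hosts
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where DeviceVendor == "Palo Alto Networks"
| where Activity == "CONFIG"                                 // assumed CEF mapping for configuration logs
| extend Hour = hourofday(TimeGenerated)
| extend OutsideWindow = Hour < ChangeWindowStart or Hour >= ChangeWindowEnd
| extend UnapprovedSource = SourceIP !in (ApprovedAdminSources)
| where OutsideWindow or UnapprovedSource
| project TimeGenerated, DeviceName, SourceUserName, SourceIP, DeviceAction, OutsideWindow, UnapprovedSource, Message
| order by TimeGenerated desc
```

DeviceAction in the first query shows whether the firewall allowed or blocked the request; an allowed hit on a blocked domain is the one to chase, since it means the blocklist in Sentinel is ahead of the firewall's URL policy. In the second query the two boolean columns explain why a change was flagged, which keeps an analyst from having to re-derive the rule.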
23. CROWDSTRIKE DEVICE ISOLATION ALERTS
Goal:- Detect device isolation actions taken by CrowdStrike as part of an incident response.
Example query:-
CrowdStrikeEvent_CL | where EventType == "device-isolation"
Outcome:- Alerts when CrowdStrike isolates a device, allowing SOC teams to investigate the root cause quickly.
24. SUSPICIOUS INBOUND CONNECTIONS (SYSMON)
Goal:- Detect inbound connections to the RDP port on Windows hosts, especially from outside the internal network, using Sysmon network connection events.
Example query:-
Sysmon
| where EventID == 3 and tobool(Initiated) == false            // connections accepted by this host
| where toint(DestinationPort) == 3389
| where not(ipv4_is_private(SourceIp))                        // external sources; drop this line to see internal RDP too
Outcome:- Identifies inbound connections to the RDP port, which is a frequent target for remote exploitation and credential guessing. Sysmon marks accepted connections with Initiated = false, and only records them if the Sysmon configuration's NetworkConnect rules include inbound traffic, so check the config before trusting an empty result.
These queries provide detection coverage across a range of attack vectors in Windows and network environments. Together they:
- Identify brute force attacks on Windows systems
- Detect privilege escalation attempts using Sysmon logs
- Flag suspicious DNS queries for potential exfiltration
- Monitor unauthorized firewall configuration changes
- Detect suspicious lateral movement in Windows environments
- Alert on unusual VPN login attempts from unfamiliar regions