Transforming raw data to anomalies & Insights with Microsoft Defender and Microsoft Sentinel

Microsoft Sentinel collects logs and alerts from all of its connected data sources, analyzes them, and builds baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses, applications, etc.) across time and across peer groups. Using a variety of techniques and machine learning capabilities, Sentinel can then identify anomalous activity and help you determine whether an asset has been compromised. Not only that, it can also work out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”). Armed with this information, you can effectively prioritize your investigation and incident handling.

Let’s look at how we enrich the raw data and turn it into anomalies and insights.

Here is what we know from the raw data. Take an example of Windows security event 4624 (An account was successfully logged on): the user Jeff_L successfully logged on to the Finance SRV, with logon type 3 (a network logon), from a public IP address, on March 3rd 2020. That is all the information the analyst can extract from that specific event.

We’ll start by adding contextual information:

User: Jeff_L is in fact Jeff Leatherman. We have his email address, and he is an IT helpdesk technician. His blast radius (impact on the organization) is high, and I can see he was dormant (we haven’t seen any activity from him in the last 180 days) up until this activity.

Device: I can see the FQDN, the internal IP address, an indication that this is a high value asset, and the suspected device owner, which is not Jeff. From Intune I can see this device is unmanaged.

Public IP address: we can resolve the geo-location to China, and from the Microsoft TI service we get an indicator that this is a known ‘Botnet network’.

By seeing the context, the SecOps analyst gets a better understanding of what’s happening.

Now let’s add some behavioral information. In our case:
- This is the first time Jeff accessed the Finance SRV.
- None of his peers have accessed it.
- This is the first time Jeff connected from China, and no other user in the org has connected from China before.

With both the contextual AND the behavioral information, SecOps gets a clearer picture. We’ve identified an anomaly: Jeff Leatherman, an IT helpdesk technician who was recently dormant and has a high impact on the org, made an unusual access to the FinanceSRV, a high value asset (HVA), from an unusual geo-location, with TI indicators of a botnet. We can map this to the Initial Access and Lateral Movement tactics in MITRE ATT&CK. That is the path from raw data to anomalies and insights.
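To make the three stages concrete, here is an added example that models the enrichment pipeline just described. It is not code from the original post and does not reproduce Microsoft Sentinel’s UEBA implementation or table schema: the raw 4624 record, the user/device/IP lookup tables, the peer groups and the logon history are all constructed sample data, and the insight wording and MITRE mapping rules are simplified assumptions. Stage one attaches context, stage two derives first-time observations against the user, the peer group and the whole org, and stage three combines both into an anomaly the analyst can prioritize.

```python
# Added example, not code from the original post or from Microsoft Sentinel itself.
# It models the pipeline the post walks through: a raw 4624 record is given user,
# device and IP context, compared with a behavioural baseline, and the result is
# summarised as an anomaly with MITRE tactics. All tables are constructed sample
# data; the real UEBA schema is not reproduced.

DORMANT_DAYS = 180  # dormancy threshold used in the post

# Raw event: the fields an analyst can read off one 4624 record (constructed).
RAW_EVENT = {
    "EventID": 4624,
    "Account": "Jeff_L",
    "Computer": "FinanceSRV",
    "LogonType": 3,                      # network logon
    "IpAddress": "203.0.113.7",          # documentation range, stands in for the public IP
    "TimeGenerated": "2020-03-03T00:00:00Z",
}

# Contextual lookups (constructed; Sentinel sources these from identity, MDM and TI feeds).
USERS = {
    "Jeff_L": {"display_name": "Jeff Leatherman", "mail": "jeff.l@example.com",
               "job_title": "IT helpdesk technician", "blast_radius": "High",
               "days_since_last_activity": 200},
}
DEVICES = {
    "FinanceSRV": {"fqdn": "financesrv.corp.example.com", "internal_ip": "10.0.5.21",
                   "high_value_asset": True, "owner": "Dana_K", "managed": False},
}
IP_GEO = {"203.0.113.7": "China", "198.51.100.9": "Netherlands"}
THREAT_INTEL = {"203.0.113.7": "Botnet network"}
PEERS = {"Jeff_L": ["Sam_P", "Ana_R"], "Dana_K": ["Lee_M"]}

# Behavioural baseline: prior (account, host, country) logon observations (constructed).
HISTORY = [
    ("Jeff_L", "HelpdeskSRV", "Netherlands"),
    ("Sam_P", "HelpdeskSRV", "Netherlands"),
    ("Ana_R", "HelpdeskSRV", "Netherlands"),
    ("Dana_K", "FinanceSRV", "Netherlands"),
    ("Lee_M", "FinanceSRV", "Netherlands"),
]


def enrich_context(event):
    """Stage 1: attach user, device and source-IP context to the raw record."""
    user = USERS.get(event["Account"], {})
    device = DEVICES.get(event["Computer"], {})
    ip = event["IpAddress"]
    return {
        "user": {**user, "dormant": user.get("days_since_last_activity", 0) > DORMANT_DAYS},
        "device": {**device, "owner_is_actor": device.get("owner") == event["Account"]},
        "ip": {"geo": IP_GEO.get(ip), "threat_intel": THREAT_INTEL.get(ip)},
    }


def enrich_behavior(event, history=HISTORY, peers=PEERS):
    """Stage 2: first-time observations relative to the user, the peer group and the org."""
    user, host = event["Account"], event["Computer"]
    country = IP_GEO.get(event["IpAddress"])
    user_hosts = {h for u, h, _ in history if u == user}
    peer_hosts = {h for u, h, _ in history if u in peers.get(user, [])}
    user_countries = {c for u, _, c in history if u == user}
    org_countries = {c for _, _, c in history}
    insights = []
    if host not in user_hosts:
        insights.append("first time the user accessed this host")
    if host not in peer_hosts:
        insights.append("none of the user's peers have accessed this host")
    if country not in user_countries:
        insights.append(f"first time the user connected from {country}")
    if country not in org_countries:
        insights.append(f"no user in the org has connected from {country} before")
    return insights


def build_anomaly(event, history=HISTORY, peers=PEERS):
    """Stage 3: combine context and behaviour into an anomaly the analyst can prioritise."""
    ctx = enrich_context(event)
    insights = enrich_behavior(event, history, peers)
    evidence = []
    if ctx["user"]["dormant"]:
        evidence.append("recently dormant account")
    if ctx["user"].get("blast_radius") == "High":
        evidence.append("high blast radius")
    if ctx["device"].get("high_value_asset"):
        evidence.append("target is a high value asset")
    if not ctx["device"].get("managed", True):
        evidence.append("target device is unmanaged")
    if ctx["ip"]["threat_intel"]:
        evidence.append(f"source IP flagged by TI: {ctx['ip']['threat_intel']}")
    # Simplified tactic mapping (assumption): unusual origin or TI hit -> Initial Access;
    # a network logon to a host the user never touched before -> Lateral Movement.
    tactics = []
    if any("connected from" in i for i in insights) or ctx["ip"]["threat_intel"]:
        tactics.append("Initial Access")
    if event["LogonType"] == 3 and any("accessed this host" in i for i in insights):
        tactics.append("Lateral Movement")
    return {"is_anomaly": bool(insights), "insights": insights,
            "evidence": evidence, "mitre_tactics": tactics, "context": ctx}


if __name__ == "__main__":
    import json
    print(json.dumps(build_anomaly(RAW_EVENT), indent=2))
```

Running it on the constructed Jeff_L record yields all four behavioral insights plus the dormancy, blast-radius, HVA, unmanaged-device and TI evidence, mapped to Initial Access and Lateral Movement; running the same logic on a logon by the device owner from a country the org has seen before yields no insights, which is the point of the baseline: the raw 4624 fields alone cannot tell those two events apart.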

The UEBA capability in Microsoft Sentinel eliminates the drudgery from your analysts’ workloads and the uncertainty from their efforts, and delivers high-fidelity, actionable intelligence, so they can focus on investigation and remediation.

Some links around UEBA:

Microsoft Sentinel UEBA enrichments reference

Tutorial: Investigate incidents with UEBA data

Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
