Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. For more information about Azure Sentinel, you can go to the below link: https://azure.microsoft.com/en-us/resources/videos/introducing-microsoft-azure-sentinel/
To allow customers to leverage the security experience in Azure China Cloud, this project is extracting the security detection/hunting queries, workbooks and notebooks from Azure Sentinel project which can be used in Azure China Cloud environment (mooncake with Url https://portal.azure.cn): https://github.com/Azure/Azure-Sentinel
You may follow the introduction in the below section to use the queries.
The idea for this solution is to extract detection and hunting queries from Sentinel project. Then build workbook and dashboard based on such queries to help customer do threat detection and analytics based on those detection and hunting queries.
Those detection and hunting queries, dashboard, workbooks are packed as ARM templates which is categorized by common monitoring scenarios like AAD authentication, Azure Activities, Network Flows, Virtual Machine identity and Access. Azure Logic app is defined to run Azure automation runbook which will execute security queries based on enabled monitoring categories. Notification email will be formatted and send out as expected.
You may follow the steps in the below deployment guide:
For example, you will see the related detection rule which has data returned in the Detection Rule triggered form.
- list alerts by category
- list alerts and show details for selected alerts
- run hunting queries for selected category to find more potential risky
- Network exploration for selected public IP (potential malicious IP)
- AD operations and AAD signing exploration for selected public IP (potential malicious IP)
- Network exploration for selected internal IP (potential effected VM IP)
- Trace details from selected VM and internal IP (potential effected VM)
Notification format is defined in the logic app workflows with CSS format.
You may change the content if required.
Sample notification format as:
- Sample data analytics to look for unexpected AAD sign-in or activities.
- Sample data analytics to look for network watcher logs.
- Sample data analytics to look for VM update and CCE report.
- Dashboard show which can share with other users
Below is the detailed forms for categorized ARM template
You may use the below forms to get the details of the security rules:
You may use the below forms to get the details of the workbooks:
| category | description | required data source | template |
|---|---|---|---|
| Azure AD Signing | Azure dashboard which will show overview of Azure AD signin operations | SigninLogs | azureadsignins.json |
| Azure AD Operations | Azure dashboard which will provide overview of sensitive Azure AD operations like grant permissions or add new users etc | AuditLog | Azure_AD_Audit_logs.json |
| Azure Activity | Azure dashboard which will show overview of Azure activities like resource creation, updating and deletion | AzureActivity | Azure_Activity.json |
| Network Flows | Azure Dashboard which will show overview analysis on network flows such as: 1) Malicious traffic over IPs and Protocols, 2) Allowed and Denied flows trends over NSG, 3) Most Attacked resources |
AzureNetworkAnalytics_CL | azurenetworkwatcher.json |
| Virtual Machine Performance | Azure Dashboard which will show performance overview on monitored Azure VMs | Perf | PerformLATemplate.json |
| Windows Security Events | Azure Dashboard which will show overview analytics on collected Windows Security Events from Windows VM with Azure Security Center license | SecurityEvent | identity_and_access.json |
| Application Gateway - WAF | Azure Dashboard which will show overview analytics on collected WAF access logs | AzureDiagnostics | Microsoft_WAF.json |
| category | description | required data source | optional data source | ARM template Conent |
|---|---|---|---|---|
| Azure Identity and Activity | Provide security analysis for unabnormal AAD signgs and Azure Actiities such as: 1) brute attacks and password spray attacks on AAD account, 2) Suspicioous permission granting, 3) anomalous change in signing location, 4) unexpected resource deployments |
AuditLogs SigninLogsAzure Activity |
Identity_Activity.json | |
| Network Flows | Provide security analysis on network flows such as: 1) Malicious traffic over IPs and Protocols, 2) Allowed and Denied flows trends over NSG, 3) Most Attacked resources |
AzureNetworkAnalytics_CL | AzureActivity | networkwatcher.json |
| Virtual Machine | Provide security analysis on VMs such as: 1) Linux/Windows logon analytics, 2) Linux/Windows VM complainces and update analytics, 3) Windows VM Security Event Aanlytics, 4) Windows VM process execution analytics 5)Access on Windows VM by protocol like SMB/Kerberos/NTLM |
SecurityEvent Syslog Update |
Event SecurityBaseline SecurityBaselineSummary SecurityAlert ProtectionStatus |
azurevm.json |
| Azure Diagnostic | Provide security analysis on Azure Resource Diagnostic log such as: 1) Azure KeyVault sentive operatins analytics, 2) WAF (Web Application Firewall) access log analytics, 3) Azure Firewall trace anlytics |
AzureDiagnostics | azurediagnostics.json | |
| Common Event Format | Provide security analysis on CEF log such as: 1) Cisco CEF logs, 2) Hardware WAF CEF logs |
CommonSecurityLog | SecurityAlerts | CEF.json |
| name | description | required API connector | template |
|---|---|---|---|
| block-bruteforceattackip | Logic App used to block malicious IP where has raised brute force attack | 1) Azure Security Center 2) Office 365 |
logicapp_blockbruteforceattachip.json |
| isolate-infectedVM | Logic App used to isolate infected VM | 1) Azure Security Center 2) Office 365 |
logicapp_blockbruteforceattachip.json |
| none | template used to create customized user role for logic app | logicapp_approledefinition.json |
As an advanced usage, we can also use azure notebooks for theat hunting. You can go to the below page for more details:
You may use the below sample scripts to cleanup the imported Log Analytics searches:
$resourcegroupname = "<resource_group_of_target_workspace>"
$workspacename = "<workspace_name>"
$savedsearches = $(get-AzOperationalInsightsSavedSearch -resourcegroupname $resourcegroupname -workspacename $workspacename).value
foreach ($search in $savedsearches ) {
if($search.properties.Category.contains("Sentinel")) {
$targetid = $search.id.split("/")[-1]
Remove-AzOperationalInsightsSavedSearch -ResourceGroupName $resourcegroupname -WorkspaceName $workspacename -SavedSearchId $targetid
}
}To clean the imported workbooks, you can go to the Azure Portal. Go to the target resource group and filter with Azure Workboos resource type. Select the workbooks you want to delete (Sentinel like workbooks will be started with security - in name), and choose Delete from the top actions menu:
To clean the imported dashboard, you can go to the Azure Portal. Go to the target resource group and filter with shared dashboard resource type. Select the dashboard you want to delete, and choose Delete from the top actions menu:
