Microsoft Sentinel SOC 101: How to Detect and Mitigate Advanced Persistent Threats (APTs) with Microsoft Sentinel
Slaying Gorgon
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Advanced persistent threats (APTs) are stealthy and sophisticated cyberattacks that aim to gain and maintain unauthorized access to a target network for a long period of time, often with the intention of stealing sensitive data or conducting espionage. APTs are usually carried out by well-resourced and skilled threat actors, such as nation-state or state-sponsored groups, or organized cybercrime syndicates. APTs can pose a serious threat to the security and reputation of any organization, especially those with high-value information or critical infrastructure.
To effectively combat APTs, organizations need a comprehensive and scalable security solution that can provide visibility, detection, investigation, and response capabilities across their entire enterprise. Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you can:
Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft.
Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.
In this post, I’ll talk about how to use Microsoft Sentinel to detect and mitigate APTs in your environment. Let’s dig into the following steps:
Connect your data sources to Microsoft Sentinel.
Use workbooks to monitor your data and identify anomalies.
Use analytics rules to correlate alerts into incidents.
Use playbooks to automate and orchestrate common tasks.
Use hunting queries to proactively search for threats.
Connect your data sources to Microsoft Sentinel
The first step to use Microsoft Sentinel is to connect your data sources to the solution. Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. Some of these connectors include:
Microsoft sources like Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.
Azure service sources like Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes Service, and more.
Microsoft Sentinel also has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or a REST API to connect your data sources to Microsoft Sentinel.
To connect your data sources to Microsoft Sentinel, follow these steps:
Sign in to the Azure portal.
Search for and select Microsoft Sentinel.
Select the workspace that you want to use or create a new one.
In the navigation pane, select Data connectors.
Browse or search for the connector that you want to use and select it.
Follow the instructions on the connector page to configure it.
Use workbooks to monitor your data and identify anomalies
After you connect your data sources to Microsoft Sentinel, you can use workbooks to monitor your data and identify anomalies. Workbooks are interactive reports that provide insights into your data using charts, tables, maps, timelines, and more. You can use pre-built workbooks that are provided by Microsoft or create your own custom workbooks.
To use workbooks in Microsoft Sentinel, follow these steps:
In the Azure portal, select Microsoft Sentinel > Workbooks.
Browse or search for the workbook that you want to use and select it.
Configure the parameters of the workbook as needed.
Explore the workbook tabs and visuals to analyze your data.
For example, you can use the Threat Intelligence - Overview workbook to get an overview of the threat intelligence indicators (TIIs) in your environment. You can see the distribution of TIIs by severity, confidence, source type, category, file type, domain type, IP type, URL type, email type, etc. You can also see the top malicious entities by TII count and drill down into specific entities for more details.
Use Analytics Rules to correlate alerts into Incidents
To detect APTs in your environment, you need to correlate alerts from different data sources into incidents that represent potential security breaches. Analytics rules are the core detection logic in Microsoft Sentinel that enable you to do this. Analytics rules run automated queries over your data at regular intervals and generate alerts when certain conditions are met. You can use pre-built analytics rules that are provided by Microsoft or create your own custom analytics rules.
To use analytics rules in Microsoft Sentinel, follow these steps:
In the Azure portal, select Microsoft Sentinel > Analytics.
Browse or search for the rule that you want to use and select it.
Review the rule details and enable it if needed.
Optionally, customize the rule logic, alert details, incident settings, and automation options as needed.
For example, you can use the Potential DGA detected rule to detect potential domain generation algorithm (DGA) activity in your environment. DGA is a technique used by some malware to generate pseudo-random domain names for its command and control (C2) servers. This rule runs a query over your DNS data and generates an alert when it detects a high number of requests to domains with high entropy or low popularity.
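To show what the "high entropy or low popularity" logic looks like as scheduled-rule KQL, here is an added example (not the built-in rule and not code from the post). It assumes the DnsEvents table from the DNS Analytics connector with ClientIP, Name and SubType columns; the thresholds are assumed starting points to tune for your environment.

```kql
// Added example, not the built-in "Potential DGA detected" rule.
// Assumes DnsEvents (DNS Analytics connector); adapt table and column names to your DNS source.
let lookback = 1h;
let entropy_threshold = 3.0;  // bits; assumed starting point, tune against your own DNS traffic
let max_clients = 3;          // "low popularity": domain resolved by at most this many clients
let min_lookups = 30;         // suspicious lookups per client in the window before alerting
// Per client and domain, keeping only the second-level label,
// e.g. "xk3j9q2fw1zp.example.com" -> "xk3j9q2fw1zp" (multi-part TLDs such as co.uk are not handled)
let lookups = DnsEvents
    | where TimeGenerated > ago(lookback) and SubType == "LookupQuery"
    | extend Name = tolower(Name)
    | extend Label = extract(@"([^.]+)\.[^.]+$", 1, Name)
    | where strlen(Label) >= 10
    | summarize Lookups = count() by ClientIP, Name, Label;
// Shannon entropy of each distinct label: -sum(p * log2(p)) over its character frequencies
let label_entropy = lookups
    | distinct Name, Label
    | mv-expand Char = extract_all(@"(.)", Label) to typeof(string)
    | summarize CharCount = count() by Name, Label, Char
    | extend P = todouble(CharCount) / strlen(Label)
    | summarize NegEntropy = sum(P * log2(P)) by Name
    | project Name, Entropy = -NegEntropy;
// Domain-level view: how many clients resolved it in the window, plus its label entropy
let domain_stats = lookups
    | summarize Clients = dcount(ClientIP) by Name
    | join kind=inner label_entropy on Name
    | project Name, Clients, Entropy;
lookups
| join kind=inner domain_stats on Name
| where Entropy >= entropy_threshold and Clients <= max_clients
| summarize SuspiciousLookups = sum(Lookups), MaxEntropy = max(Entropy),
            Domains = make_set(Name, 20) by ClientIP
| where SuspiciousLookups >= min_lookups
| order by SuspiciousLookups desc
```

Expect CDN, telemetry and content-hash domains to score high on entropy; add an allow-list of known domains before turning this into a scheduled rule, and review the entities the rule maps (ClientIP as the host entity, Domains as DNS entities) so incidents are investigable.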
Use Playbooks to automate and orchestrate common tasks
To respond to incidents rapidly and efficiently, you need to automate and orchestrate common tasks that are part of your incident response process. Playbooks are the automation component of Microsoft Sentinel that enable you to do this. Playbooks are based on Azure Logic Apps and allow you to create workflows that can perform actions such as sending an email, creating a ticket, blocking an IP address, running a script, etc. You can use pre-built playbooks that are provided by Microsoft or create your own custom playbooks.
To use playbooks in Microsoft Sentinel, follow these steps:
In the Azure portal, select Microsoft Sentinel > Automation.
Browse or search for the playbook that you want to use and select it.
Review the playbook details and enable it if needed.
Optionally, customize the playbook trigger, actions, parameters, and logic as needed.
For example, you can use the Block IP with Azure Firewall playbook to block an IP address that is associated with an incident in your environment. This playbook is triggered when an incident is created or updated in Microsoft Sentinel and has a specific tag. The playbook then retrieves the IP address from the incident entity and adds it to a deny list in Azure Firewall.
Use Hunting queries to proactively search for threats
To proactively hunt for threats in your environment, you need to run queries over your data and look for suspicious activities or indicators of compromise (IOCs). Hunting queries are the proactive hunting component of Microsoft Sentinel that enable you to do this. Hunting queries are based on Kusto Query Language (KQL) and allow you to create custom queries that can run over your data sources and return results that can be further investigated or added to incidents. You can use pre-built hunting queries that are provided by Microsoft or create your own custom hunting queries.
To use hunting queries in Microsoft Sentinel, follow these steps:
In the Azure portal, select Microsoft Sentinel > Hunting.
Browse or search for the query that you want to use and select it.
Review the query details and run it if needed.
Explore the query results and take actions such as bookmarking, adding to incidents, or creating new incidents as needed.
For example, you can use the Detect SSH Brute Force Attack query to detect SSH brute force attempts in your environment. This query runs over your Syslog data and returns results that show the source IP address, destination IP address, destination port, number of failed attempts, and number of unique usernames used for each SSH brute force attempt.
See: Microsoft Sentinel SOC 101: How to Detect and Mitigate Brute Force Attacks with Microsoft Sentinel
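As an added hunting example (not the built-in query and not code from the post), the following KQL parses sshd "Failed password" lines from the Syslog table and reports, per source and target host, the failure count and the distinct usernames tried; it also flags sources that later logged in successfully, which is the row to triage first. It assumes the standard Syslog table (ProcessName, SyslogMessage, HostIP) and OpenSSH's default message format; the sshd message does not carry the destination port, so the target host and its IP are reported instead.

```kql
// Added example, not the built-in "Detect SSH Brute Force Attack" query.
// Assumes the Syslog table with ProcessName == "sshd" and OpenSSH's default message text.
let lookback = 1d;
let min_failures = 20;   // assumed threshold: failed passwords from one source to one host
let failures = Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd" and SyslogMessage startswith "Failed password for "
    // e.g. "Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
    | parse SyslogMessage with "Failed password for " RawUser " from " SourceIP " port " SourcePort:int " " Protocol
    | extend InvalidUser = RawUser startswith "invalid user ",
             User = replace_regex(RawUser, @"^invalid user ", "");
let successes = Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd" and SyslogMessage startswith "Accepted "
    // e.g. "Accepted password for deploy from 203.0.113.5 port 51240 ssh2"
    | parse SyslogMessage with "Accepted " Method " for " User " from " SourceIP " port " SourcePort:int " " Protocol
    | summarize Successes = count(), LastSuccess = max(TimeGenerated),
                SucceededAs = make_set(User, 5) by SourceIP, Computer;
failures
| summarize FailedAttempts = count(), UniqueUsers = dcount(User),
            InvalidUserAttempts = countif(InvalidUser), Users = make_set(User, 20),
            FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated)
  by SourceIP, Computer, DestinationIP = HostIP
| where FailedAttempts >= min_failures
// A success from the same source after the failures began is the strongest signal here
| join kind=leftouter successes on SourceIP, Computer
| extend SucceededAfterFailures = isnotnull(LastSuccess) and LastSuccess > FirstFailure
| project-away SourceIP1, Computer1
| order by SucceededAfterFailures desc, FailedAttempts desc
```

Bookmark rows with SucceededAfterFailures set to true and raise them to an incident; the remaining rows are candidates for firewall blocking through a playbook such as the one described in the previous section.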
Summary
In this post, I’ve talked about how to use Microsoft Sentinel to detect and mitigate APTs in your environment. We have covered how to connect your data sources, use workbooks, analytics rules, playbooks, and hunting queries in Microsoft Sentinel. By using these features, you can leverage the power of cloud-native SIEM and AI to enhance your security posture and protect your organization from sophisticated threats.