Detecting Security Incidents with Azure Sentinel

Overview of Sentinel and my experience...

Cam, Senior Cyber Security Analyst

This is a short article on detecting security incidents with Microsoft's (relatively) new SIEM solution, Azure Sentinel, which uses the Kusto Query Language (KQL).

For those of you in higher places than me who want the ups and downs straight from an analyst with direct experience:

The Ups:

  • Ingestion of many generic log sources is beyond easy and is usually one click
  • Integration with Microsoft products, like ATP and O365, is the best it's ever been
  • ML and XDR actually work on this SIEM and aren't just buzzwords
  • Microsoft itself releases new rules to deal with ongoing threats
  • New features are in the works 24/7; many SIEM providers release big features once a year, whereas Azure releases them almost monthly

The Downs:

  • You'll absolutely be roped into an ecosystem here, so if you're already committed elsewhere that'll be a problem
  • Sentinel might possibly be 'cornering the market' with all its abilities and relatively low pricing
  • Integrating Microsoft partners' and Microsoft's own log sources is easy; anything else, not so much
  • Learning KQL will be difficult for your analysts/team; it is nothing like Lucene or the other KQL (Kibana's)

In my experience using Sentinel, I have no doubt that it is currently the best offering on the market in terms of its abilities in detecting, integrating, and the active response playbooks that can be created in its UI, which slot nicely into Azure's pre-built Flow and Power Automate systems.

However, coming from a different SIEM (as many people will be right now) can be quite daunting, since the query language is fairly different from most other SIEMs', and if you're thinking "well, I already know KQL, I'll be fine since I've used the Elastic Stack", that's a different KQL, as I too made that mistake.

Kusto derives mostly from SQL, so if you know SQL you'll probably do just fine in Kusto with a few touch-ups. In any case, advanced as it is for a query language, it is best in class for detections, since its data manipulation operators can dig much deeper than, for example, the other (Kibana) QL or Lucene.

TL;DR of this article:

In any case, I've made a GitHub repository of rules that I'll publish around major vulnerabilities as well as abuse of Windows system binaries (LOLBAS/LOLBINS/LOLLIBS). These are surprisingly overlooked by much of the community, despite many APTs using LOLBAS-style techniques from weaponization through command and control, exfiltration, etc., precisely because they are usually overlooked by security products and, inherently, by security teams too.

So, essentially, the resource will give you how to mitigate these threats and a Sentinel KQL query the SIEM can use to detect them (given the log ingestion is in place). I'm also currently working on breaking those rules down into tables, functions, columns and explanations of literally the entire thing, so that it isn't one big scary chunk of KQL.
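To show the shape such a broken-down rule takes, here is an added example of my own writing (not one of the rules in the repository): a process-creation detection for commonly abused Windows binaries, with each pipeline stage commented by table, column or function. It assumes the Windows Security Events connector is feeding event 4688 into the SecurityEvent table with command-line auditing turned on; the binary list and the "http" keyword are assumptions you'd tune to your own baseline.

```kql
// Added example, not a rule from the basedfir/detection-rules repository.
// Assumes the Windows Security Events connector is ingesting event 4688 with
// command-line auditing enabled, so SecurityEvent.CommandLine is populated.
let lookback = 1h;
// Signed Windows binaries commonly abused as LOLBAS. Assumption: tune this
// list to what your environment actually sees.
let lolbins = dynamic(["certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe"]);
SecurityEvent                                   // table: Windows security log
| where TimeGenerated > ago(lookback)           // column: ingestion timestamp
| where EventID == 4688                         // "A new process has been created"
// function: extract() pulls the file name off the full NewProcessName path
| extend ProcessFileName = tolower(extract(@"\\([^\\]+)$", 1, NewProcessName))
| where ProcessFileName in (lolbins)
// Most legitimate admin use of these binaries is local; a URL on the command
// line is the high-signal case. contains is a substring match, so it catches
// both http and https (assumption: adjust the keyword to your baseline)
| where CommandLine contains "http"
// function: summarize collapses repeats per host/account into one row
| summarize Hits = count(),
            SampleCommandLines = make_set(CommandLine, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, Account, ProcessFileName, ParentProcessName
| order by Hits desc
```

Paste it into the Logs blade first and check the hit count over a day before wiring it into an analytics rule, since unfiltered admin tooling can make this noisy.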

The GitHub repository can be found at https://github.com/basedfir/detection-rules

or, if like me you're a little paranoid and don't want to click links, you can head to the GitHub repo basedfir/detection-rules.

Clone: git clone https://github.com/basedfir/detection-rules.git

If this isn't how you like to learn (with a rule you can copy into Sentinel, see the breakdown of how it works, and edit to see the results), you don't have to use only my resource. Believe it or not, there are others out there, like Kusto King, which is actually really good: they use tiers, so wherever you think you lie, be it noob or ninja, there's something there for you. For me it was always understanding how regex worked, string literals, and how to capture as much as possible under one query:

https://www.kustoking.com/