Index

Symbols

+ operator, KQL, 189

– operator, KQL, 189

* operator, KQL, 189

/ operator, KQL, 189

% operator, KQL, 189

< operator, KQL, 189

> operator, KQL, 189

== operator, KQL, 189

!= operator, KQL, 189

<= operator, KQL, 189

>= operator, KQL, 189

A

Actions menu, incidents, 149

ADX (Azure Data Explorer), 96

aggregation functions, KQL (Kusto Query Language), 192

alerts

exploring for incidents, 72–73

and schemas, 54, 65

AML (Azure Machine Learning) workspaces, configuring, 109–116. See also workspace design

analysis and investigation, 67

analytic rules

Alert Details section, 41

alert simulation graphic, 39

Alert threshold section, 41

Automated response section, 43

configuring, 36–44

creating, 46–50

Custom Details section, 40

Entity Mapping section, 40, 48

Event grouping section, 42

General section, 47

Incident settings section, 43

Logic section, 38

MSSPs (managed security service providers), 206–207

Query Language Reference, 38

Query scheduling section, 41

Review And Create tab, 44

Review And Update tab, 49

Suppression setting, 42

types of, 44–46

validating, 50–51

analytics, 15, 31–32

Analytics blade, 33–36, 50

Analytics dashboard, accessing, 32–33

anomaly rules, 44

any() aggregation function, KQL, 192

APT (Advanced Persistent Threat), 9

arg_max() function, KQL, 192

arg_min() function, KQL, 192

ARM (Azure Resource Manager), 22, 167–170

ARM templates, MSSPs (managed security service providers), 212–213

ASIM (Advanced Security Information Model), 178

authenticating to Microsoft Sentinel, 118

automation rules

completing and testing, 143–146

conditions and actions, 128

creating, 61, 128–130

triggering, 128

automation with Playbooks. See also Playbooks gallery

adding actions, 134–135

Azure AD user, 136–137

completing, 142

condition for evaluation, 139

configuring, 130–133

Dynamic Content, 135

If true action area, 140

Microsoft Teams action, 141

Office 365 action, 137

Send Approval email action, 138

automations, 15

automation/SOAR, MSSPs (managed security service providers), 210. See also SOAR (security orchestration and automated response)

avg() function, KQL, 192

AWS (Amazon Web Services) S3 connector, 171–172

Azure Activity blade, 23

Azure Activity Log, 22

Azure AD (Active Directory) B2B, MSSPs (managed security service providers), 203–204

Azure AD (Active Directory), connecting to, 26–27

Azure Key Vault honeytokens, using Livestream with, 94–96

Azure Lighthouse, MSSPs (managed security service providers), 199–203

Azure Logic Apps, 44

Azure Policy, 24

Azure portal, using with data connectors, 169–170

Azure RBAC (role-based access control), 15–16

Azure Sentinel, 13–14

Azure Workbook, 14

B

backdoor, calling, 23

big data problem, security as, 89

bookmarks

adding to hunting queries, 85–88

adding to incidents, 91

bool data type and KQL, 186

brute-force attacks

attempts, 81–82

hunting query result, 84–85

buildschema() function, KQL, 192

bulletproof hosting services, 2

C

CAV (counter-antivirus) services, 2

CCP (Codeless Connector Platform), 166

CD (continuous deployment), MSSPs (managed security service providers), 212–213

CDOC (Cyber Defense Operations Center), 78

CEF and Syslog connectors, 19

CI (continuous integration), MSSPs (managed security service providers), 212–213

CISO (Chief Information Security Officers), 1

code injection methods, 2

Colonial Pipeline attack, 2

columns

adding and removing, 192–193

choosing for incidents, 58

compute instance, creating, 115–116

count() function, KQL, 192

countif() function, KQL, 192

CTI (cyber threat intelligence), 9–11, 14, 97. See also TI (threat intelligence)

custom logs, 53

CVE-2021-44228 vulnerability, 5

cybersecurity professionals, number of, 8

D

DART (Detection and Response Team), 6

data, summarizing, 190–192

Data Collection Anomalies View, 174

data connectors. See also environment and data

availability, 163–165

AWS (Amazon Web Services) S3, 171–172

Azure portal, 169–170

CCP (Codeless Connector Platform), 166

configuring for TAXII, 98–100

Content Hub, 177–182

enabling and configuring, 167–170

health monitoring, 173–176

ingestion methods, 165

Microsoft 365 Defender, 170

normalization, 163

Office 365, 167–169

preparing for, 166–167

repositories feature, 177

REST APIs, 166

using, 15, 17–18, 22

data ingestion, 22–27. See also ingested data

data sources, 18

data types and KQL, 186–187

data visualization. See also visualizations

custom Workbooks, 156–159

Microsoft Sentinel Workbooks, 151–156

datetime data type and KQL, 186

dcount() function, KQL, 192

Deception solution, 94

decimal data type and KQL, 186

Defender for Cloud, connecting, 25–26

DevOps, 212–214

Discovery Tactics, MITRE ATT&CK knowledge base, 4

dynamic data type and KQL, 186

E

Edit API Connection blade, 148

entities

exploring for incidents, 72–73

searching for, 62

Entity page, opening for incidents, 66–67

environment and data, knowing, 76. See also data connectors

evaluate operator, KQL (Kusto Query Language), 195–196

Excel visualizations, 162

extend, KQL (Kusto Query Language), 193

F

failed logins, looking at, 81–82, 90. See also logins

fileless techniques, 2

filters, adding, 79

forensics and hunting, 7, 11, 14. See also threat hunting

FROM keyword, using with SQL, 184

fullouter join, KQL, 195

fusion center model, SOCs, 7

fusion rule, 44

configuring, 68

G

git clone command, using with Notebooks, 119–120

GitHub repository

hunting queries, 84

repositories connection, 177

sample queries, 4

testing Notebooks from, 118–120

graphical investigation, incidents, 71–74

guid data type and KQL, 186

H

hardening considerations, 18

Honeytokens Deception solution, using Livestream with, 94–96

hunting. See also threat hunting

and forensics, 7, 11, 14

hypothesis example, 81–91

MSSPs (managed security service providers), 207–209

Hunting blade, accessing, 76–77

hunting bookmark, creating incident from, 89

hunting queries

adding bookmarks, 85–87

adding to Livestream, 91

creating, 89–91

GitHub repository, 84–85

Investigation graph, 88

running, 79–81

searching for, 78

I

IIoT (Industrial Internet of Things), 8

in operator, KQL, 189

!in operator, KQL, 189

incident actions, invoking, 61–62

incident management, MSSPs (managed security service providers), 209–210

Incident Overview Workbook, 61. See also Workbooks

incidents. See also Incident Overview Workbook; Investigation graph; post-incident automation

actions, 6061, 149

adding bookmarks to, 91

comments added to, 61, 65

creating from hunting bookmarks, 89

details, 63–68

Entity page, 66–67

explained, 14

graphical investigation, 71–74

IoCs (Indicators of Compromise), 103

overview, 53–54

searching for, 62–63

Teams integration, 69–70

timeline, 64

triaging, 60–62, 125–126

viewing, 60, 64

Incidents blade, Guides & Feedback pane, 59

Incidents view, configuring, 54–58

ingested data. See also data ingestion

accessing, 28–30

categories, 53–54

inner join, KQL, 195

innerunique join, KQL, 195

int data type and KQL, 186

IntelliSense suggestions, ingested data, 29

investigation and analysis, 67

Investigation graph, using with hunting, 88. See also incidents

Investigation Insights Workbook, 106

IOA (indicators of attack), 32

IoCs (Indicators of Compromise). See also Ransomware IoCs

analytics, 31

CTI (cyber threat intelligence), 97

incidents, 103

TimeGenerated field, 101

(ISC)2 nonprofit, 8

ISVs (independent software vendors), 166

J

JBS Foods REvil ransomware, 2

JNDI (Java Naming and Directory Interface), 5

join operators, KQL (Kusto Query Language), 194–195

joining tables, 193–195

Jupyter notebooks, 14

K

Key Vault, using, 110

keyboard shortcuts, cells in Notebooks, 116

KQL (Kusto Query Language), 14–15, 28, 81

adding and removing columns, 192–193

aggregation functions, 192

data types, 186–187

evaluate operator, 195–196

extend, 193

filtering data, 189–190

getting data, 187

join operators, 194–195

joining tables, 193–195

learning resources, 197

let statements, 196–197

limiting data, 188

numerical operators, 189

order operator, 188

PowerShell, 184–185

project and project-away, 192–193

query structure, 183

sorting data, 188

SQL, 184

summarizing data, 190–192

take operator, 188

union operator, 194

where operator, 189–190

KQL queries, MSSPs (managed security service providers), 205

L

leftanti join, KQL, 195

leftouter join, KQL, 195

leftsemi join, KQL, 195

let statements, KQL (Kusto Query Language), 196–197

Livestream feature, 91–96. See also Query Language Reference

Log Analytics workspace, 17

creating, 20

Log Analytics workspaces, MSSPs (managed security service providers), 205

Log4j vulnerability, 31

Log4Shell, CVE-2021-44228 vulnerability, 5

Logic App Designer, 148

Logic Apps

Create Playbook Blade, 131

Create Playbook/Connections Options, 132

Designer blade, 133

Save button, 141

and SOAR, 127–128

logins, investigating, 90. See also failed logins

long data type and KQL, 186

M

machine learning behavioral rule, 45

Machine Learning Workspace, creating, 112

make_bag() function, KQL, 192

make_list() function, KQL, 192

make_set() function, KQL, 192

max() function, KQL, 192

Microsoft 365 Defender connector, 170

Microsoft DART (Detection and Response Team), 6

Microsoft Defender for Cloud, connecting, 25–26

Microsoft Defender for Endpoint, 5

Microsoft Digital Defense Report 2021, Acer REvil ransomware, 2

Microsoft Security rules, 45

Microsoft Sentinel

architecture, 13–15

authenticating to, 118

configuring with PowerShell, 167

considerations, 18–19

core capabilities, 12

enabling, 19–21

hardening considerations, 18

News & Guides page, 21

overview, 12

pricing, 19

repositories, 213–214

scenarios and considerations, 16

workspace design, 17–18

Microsoft Sentinel Community, 46

Microsoft Sentinel Deception solution, 94

Microsoft Sentinel Notebooks, 108

Microsoft Sentinel Workbooks

Azure Activity blade, 153

customizing, 156–159

data collection anomalies view, 156

Data Collection Health Monitoring, 155

data visualization, 151–156

editing, 157

graphical representation of query, 158

series_decompose_anomalies() function, 156

templates, 154–155

Templates tab, 152

visualization for time chart, 159

Microsoft Sentinel workspaces

interaction with Notebooks, 116–118

querying, 117

Microsoft SentinelHealth table, 175–176

Microsoft Teams, automation with Playbooks, 141. See also Teams integration

min() function, KQL, 192

MITRE ATT&CK

knowledge base, 34

NRT rules, 14

website, 32

MITRE Tactics, filtering hunting queries, 78

MSSPs (managed security service providers), 17, 166, 210

analytic rules, 206–207

ARM templates, 212–213

automation/SOAR, 210

Azure AD (Active Directory) B2B, 203–204

Azure AD entitlement management, 204

Azure Lighthouse, 199–203

CD (continuous deployment), 212–213

CI (continuous integration), 212–213

customer environment, 199–204

hunting, 207–209

incident management, 209–210

KQL queries, 205

Log Analytics workspaces, 205

multi-tenant management, 205

Notebooks, 208

PIM (Privileged Identity Management), 202

repositories, 213–214

security content management, 212–214

watchlists, 209

Workbooks, 211

MSTIC (Microsoft’s Threat Intelligence Center), 116

MSTICpy library, 118–120

msticpyconfig.yaml file, 117

N

NIST (National Institute of Standards and Technology), 53

normalization, 163

normalized logs and events, 53

Notebooks

configuring AML workspaces, 109–116

creating from templates, 112–113

documentation, 107

enrichment examples, 121–126

features, 107–109

GeoIP lookup, 125–126

git clone command, 119–120

hunting examples, 121–126

interaction with workspaces, 116–118

interactive cells, 125–126

and Key Vault, 110

MSSPs (managed security service providers), 208

MSTICpy library, 118–120

MSTICpy query listing, 121

running, 109

running cells, 116, 118

signinlog table, 122–123

sign-ins and MFA challenge, 121–124

testing from GitHub repo, 118–120

using, 14

VirusTotal lookup, 123–124

versus Workbooks and Playbooks, 108

NRT (near-real-time) rule, 45

numerical operators, KQL (Kusto Query Language), 189

O

Office 365 data connector, 167–169

Operation WilySupply, 5

order operator, KQL (Kusto Query Language), 188

P

percentiles() function, KQL, 192

permissions and roles, 15–16

phishing emails, 6

PIM (Privileged Identity Management), 202

Playbook gallery, 147. See also automation with Playbooks

Playbooks versus Workbooks and Notebooks, 108

post-incident automation, 146–150. See also incidents

Power BI

visualizations, 159–162

Workbooks, 211

PowerShell

configuring Microsoft Sentinel with, 167

and KQL, 184–185

using, 2

project and project-away, KQL (Kusto Query Language), 192–193

Q

Query Language Reference, 38. See also Livestream feature

querying Microsoft Sentinel workspaces, 117

QueryProvider object, 117

R

RaaS (Ransomware as a Service), 12

Ransomware IoCs, displaying, 99. See also IoCs (Indicators of Compromise)

RBAC (role-based access controls), 16

real data type and KQL, 186

remediation, 67

Remediation tab, 24

repositories

connections, 177

Microsoft Sentinel, 213–214

REST APIs, 166

REvil ransomware, 2

rightanti join, KQL, 195

rightouter join, KQL, 195

rightsemi join, KQL, 195

role aggregation scenarios, 16

roles and permissions, 15–16

S

SaaS (Software as a Service), 166

scheduled analytics, 46

searching

for hunting queries, 78

for incidents, 6263

for indicators of compromise, 96

SecOps (Security Operations)

features, 6

resource challenges, 8

security, as big data problem, 89

Security Efficiency Workbook, accessing, 57. See also Workbooks

SELECT keyword, using with SQL, 184

Sentinel. See Microsoft Sentinel

SentinelHealth table, 175–176

series_decompose_anomalies() function, 156

settings, 15

SIEM (Security Incident and Event Management), 1

and Microsoft Sentinel, 12

“single pane of glass,” 9

SOAR (security orchestration and automated response), 12, 127–128. See also automation/SOAR

SOC team, helping, 34

SOCs (security operations centers)

and CDOC (Cyber Defense Operations Center), 78

CTI (cyber threat intelligence), 10

staffing shortages, 8

Tiers, 67

SolarWinds Orion, 4

Solorigate supply chain attack, 23

SQL and KQL, 184

stdev() function, KQL, 192

STIX (Structured Threat Information Expression), 10–11, 98

string data type and KQL, 186

sum() function, KQL, 192

summarizing data, 190–192

Sunburst supply chain attack, 23

supply-chain attacks, 2, 56

support engineers and SOCs, 7

Syslog and CEF connectors, 19

T

tables, joining, 193–195

Tactics, filtering, 78

take operator, KQL (Kusto Query Language), 188

TAXII (Trusted Automated Exchange of Intelligence Information), 11, 98–100

Teams integration, incidents, 69–70. See also Microsoft Teams

Terminal, opening for Notebooks, 119

threat detection signatures, 9

threat hunting. See also hunting

fundamentals, 81

overview, 11, 75–76

threat indicators, customizing, 101–103

threat intelligence, 9–11, 14

rule, 46

Threat Intelligence Platforms, connecting, 97

Threat Intelligence Workbook, 104–105

ThreatIntelligenceIndicator table, 103

threats, landscape, 15

TI (threat intelligence). See also CTI (cyber threat intelligence)

enabling rules, 100–101

integration, 97

Tier 1 analyst, function of, 60

Tiers of SOCs (Security Operations), 67

timespan data type and KQL, 186–187

TTPs (tactics, techniques, procedures), 4, 9

U

union operator, KQL (Kusto Query Language), 194

V

variance() function, KQL, 192

visualizations. See also data visualization

changing for time charts, 159

Excel, 162

Power BI, 160–161

VM (virtual machine), creating and deleting, 143–144

VM Insights, configuring, 100

W

watchlists

described, 15

MSSPs (managed security service providers), 209

where operator, KQL (Kusto Query Language), 189–190

Workbooks. See also Incident Overview Workbook; Security Efficiency Workbook

Investigation Insights, 106

MSSPs (managed security service providers), 211

versus Notebooks and Playbooks, 108

Power BI, 211

Threat Intelligence, 104–105

using, 14

workspace design, 17–18, 20. See also AML (Azure Machine Learning) workspaces

workspaces

interaction with Notebooks, 116–118

querying, 117

Y

Yara threat detection signature, 9