Separating the wheat from the chaff in cybersecurity is hard. Often you find yourself handling enormous volumes of events, and more often than not, data quality is an issue. False positives lead to triage fatigue.
Being able to do triage quickly is important. The time window to respond when under attack is short; advanced adversaries typically need only hours to gain access, elevate privileges and exfiltrate data.
Azure Sentinel just released their Investigation feature (as a preview). But what is the difference between investigating and hunting? And how exactly does Azure Sentinel help my SOC with both?
How does a SOC operate?
Before we dive into Azure Sentinel’s new investigation features, let’s rewind and first look at how a Security Operations Center (SOC) operates. Most SOCs have two critical functions: (1) setting up and maintaining security monitoring and related tooling, and (2) finding suspicious or malicious activity by analyzing alerts.
For the latter, a SOC will typically have a 3-tier model. Tier 1 is where security analysts do the triaging; they review the latest alerts to determine relevancy and urgency. Alerts that signal an incident are forwarded to Tier 2 analysts. The second tier reviews those cases and uses threat intelligence (IOCs, etc.) to identify affected systems and the scope of the attack. Tier 3 are often the most experienced people on the team, mostly referred to as Threat Hunters. They explore the environment to identify stealthy threats and conduct continuous vulnerability tests.
In most SOCs the Tier 2 folks do the investigations, and the Tier 3 folks do the hunting. And while there is no clear line, most people use the term Investigation when they are following up on a case forwarded by Tier 1. Robert M. Lee has a great quote on this:
“Threat hunting exists where automation ends”. Threat hunting is largely manual, performed by SOC analysts trying to find a ‘needle in the haystack’. And in the case of cybersecurity, that haystack is a pile of ‘signals’.
Investigation UI in Azure Sentinel
Microsoft just released an investigation experience in Azure Sentinel as a preview. Before, you would find an investigation UI in Azure Security Center, but as Azure Sentinel is becoming the central place to aggregate security data, investigations will likely happen from there, and therefore Microsoft is deprecating the investigation UI in ASC.
To get to the new Investigation Experience in Azure Sentinel you will need to navigate to a Case. For every Case you’ll find two buttons: View Full Details and Investigate. Previously, the Investigate button would show a placeholder page saying Coming Soon, but today you’ll be launched into a new window.
The investigation experience window has three sections: the top will show the Case name, and other Case details. On the right you’ll find four buttons: Timeline, Info, Entities and Help. The main window will show all the entities related to this Case in a graph style manner.
Clicking an entity will show the details, hovering over the entity will give you some quick actions, for instance these: Related Alerts, Hosts the Account Failed on, Hosts which the Account Logged On to.
Clicking these will show these results as extra entities in your graph, expanding on your search.
There is also the opportunity to dive into the raw results, pivoting from the graph to a KQL query window:
The timeline button on the right allows you to ‘bookmark’ items/results during your investigation and have them readily available as information on this ‘notebook’.
Entity mapping is important!
When you’re creating Alert Rules in Azure Sentinel, which will then trigger Cases when the criteria are met, you have the option to do Entity Mapping. From the underlying KQL query, you can pick any field and map it to either ‘Account’, ‘Host’ or ‘IP addresses’.
This allows Azure Sentinel to recognize that data as such, provide the right Quick Investigation items, and, more importantly, link data and Cases together. More entities are coming soon, but for now these three are available.
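As an added example (not from the post, and not one of Microsoft’s built-in rule templates), here is an Alert Rule query whose output columns are ready to be mapped to the Account, Host and IP entities. It assumes the SecurityEvent table is populated by the Windows Security Events connector; the lookback window, threshold and output column names are illustrative choices, since the mapping itself is picked per field in the rule UI.

```kql
// Added example: accounts with failed logons (EventID 4625) on several hosts
// in the lookback window, followed by a successful network/RDP logon (4624)
// from the same source IP. Thresholds are illustrative.
let lookback = 1h;
let minHosts = 3;
let failures =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedHosts = make_set(Computer),
                FailedHostCount = dcount(Computer),
                FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
             by Account, IpAddress
    | where FailedHostCount >= minHosts;
let successes =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (3, 10)   // network or RDP logons only
    | project SuccessTime = TimeGenerated, Account, IpAddress, SuccessHost = Computer;
failures
| join kind=inner successes on Account, IpAddress
| where SuccessTime > LastFailure      // success came after the failures
| project TimeGenerated = SuccessTime, Account, IpAddress, SuccessHost,
          FailedHosts, FailedHostCount, FailureCount, FirstFailure, LastFailure,
          // columns to select under Entity Mapping in the Alert Rule
          AccountCustomEntity = Account,
          HostCustomEntity = SuccessHost,
          IPCustomEntity = IpAddress
```

With Account, SuccessHost and IpAddress mapped, the resulting Case opens in the investigation graph with those three entities and their quick actions (such as Hosts the Account Failed on) available immediately.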
OK, so what about hunting and supporting Tier 3 SOC analysts?
I wrote about that in a previous blog called ‘Threat Hunting in the cloud with Azure Notebooks’. I talked about how you could take the ‘Kqlmagic’ extension that Microsoft wrote, and use KQL queries in Jupyter notebooks to hunt for malicious actors.
Something I did not mention in that blog is the built-in support for Hunting that Azure Sentinel has. Microsoft provides you with pre-compiled KQL queries to find known indicators in your environment. These are available in the Hunting node under the Threat Management section and are mapped back to the Tactics of the MITRE ATT&CK framework. You can add your own favorite Hunting queries to the workspace as well.
Directly from this section of Azure Sentinel you can run the query by using the Run Query button.
When running the query, you can expand (one of) the results and use the [..] button to access the Bookmark function. This saves results and allows you to relate them to an ongoing campaign by using the Tags field.
You’ll find these Saved Queries in the Hunting section of Azure Sentinel under the Bookmarks tab.
The new Investigation Experience in Azure Sentinel is an easy way to start your investigations, for instance by your Tier-1 SOC analysts. It visualizes your Case in a graph, which makes it easy to find connections between data points.
It will replace the investigation functionality in Azure Security Center, and complements the fact that your Tier-2 and Tier-3 SOC analysts can use their favorite investigation and hunting tools in combination with Azure Sentinel, like for instance Jupyter Notebooks.
— Maarten Goet, MVP & RD