Detecting threats with Microsoft Sentinel (creating rules and alerts)
03/01/2024
This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in proactively detecting threats using Microsoft Sentinel, Microsoft's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) platform. Microsoft Sentinel provides a unified view of security across the enterprise by collecting data from multiple sources, detecting threats, investigating incidents, and responding to them in an automated way [1].
Introduction
In an increasingly complex and voluminous cyber threat landscape, organizations need tools that not only collect security data, but also intelligently analyze it to identify malicious activity. Microsoft Sentinel bridges this gap by enabling security teams to monitor, detect, and respond to threats in real time. Creating analytics rules and alerts is the heart of Sentinel's detection capabilities, transforming vast volumes of logs into actionable insights [2].
This practical guide will cover configuring analytics rules in Azure Sentinel, from ingesting data to creating custom alerts and validating their effectiveness. Step-by-step instructions, example KQL (Kusto Query Language) queries, and descriptions will be provided so that the reader can implement and optimize threat detection in their environment, strengthening their security posture and speeding incident response.
Why Azure Sentinel for Threat Detection?
- Cloud Scalability: Based on Azure, it offers unlimited scalability for log ingestion and storage.
- Integrated Threat Intelligence: Utilizes threat intelligence from Microsoft and partners to enrich detection.
- Behavioral Analysis (UEBA): Identifies anomalies and suspicious behaviors of users and entities.
- Automation (SOAR): Allows you to automate responses to incidents through playbooks.
- Comprehensive Visibility: Connects to multiple data sources, including Microsoft 365, Azure, AWS, Google Cloud, and third-party security solutions.
Prerequisites
To configure threat detection with Azure Sentinel, you will need the following items:
- Azure Subscription: An active Microsoft Azure subscription.
- Administrative Access: An account with Sentinel Contributor or Log Analytics Administrator permissions in the Azure portal (portal.azure.com).
- Log Analytics Workspace: A configured Log Analytics workspace that serves as the data repository for Sentinel.
- Microsoft Sentinel Active: Microsoft Sentinel must be enabled in the Log Analytics workspace.
- Configured Data Connectors: Security data (logs) must be ingested into the Log Analytics workspace from sources such as Azure AD, Microsoft 365, Microsoft Defender for Endpoint, firewalls, etc. [3].
Step by Step: Creating Analysis Rules and Alerts
Let's create a scheduled analysis rule to detect a common threat scenario: multiple login failures in a short period of time, indicating a brute force attempt.
1. Check Data Connectors
Before creating rules, ensure that the relevant data is being ingested. For login failure detection, we need logs from Azure Active Directory (Microsoft Entra ID).
- Go to the Azure portal: https://portal.azure.com.
- Navigate to Microsoft Sentinel.
- In the left navigation pane, select Data Connectors.
- Search for Azure Active Directory and verify that the status is Connected.
2. Create a Scheduled Analysis Rule
Let's create a rule that detects 5 or more login failures from the same IP within 10 minutes.
- In Azure Sentinel, in the left navigation pane, select Analytics.
- Click + Create > Scheduled Query Rule.
Step 1: General
- Name: Azure AD Brute Force Attempt
- Description: Detects multiple Azure AD login failures from the same IP address within a short period of time, indicating a possible brute force attack.
- Tactics: Select Credential Access.
- Severity: Medium.
- Status: Enabled.
- Click Next: Define rule logic.
Step 2: Define rule logic
- Rule Query: Enter KQL query:
SigninLogs
| where ResultType == "50126" // Credential validation failed
| summarize FailedLogins = count() by IPAddress, UserPrincipalName, bin(TimeGenerated, 10m)
| where FailedLogins >= 5
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
- Entity mapping: Map entities to enrich alerts. Under Entity Mapping, add:
- Account: AccountCustomEntity
- IP Address: IPCustomEntity
- Query scheduling:
- Run query every: 10 Minutes
- Lookup data from the last: 10 Minutes
- Alert threshold: Leave the default, Generate alert when the number of query results is greater than 0.
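To make the rule logic concrete, the following Python script is an added example (not code from the article or from Microsoft) that applies the same filter, grouping and threshold as the KQL above to a handful of constructed SigninLogs-style records. The function names, the user names, the contoso.example domain and the IP addresses (taken from documentation ranges) are all invented for the example. It implements bin(TimeGenerated, 10m) the way KQL does (fixed, epoch-aligned buckets) and, for comparison, a sliding 10-minute window, so you can see a burst of five failures that straddles a bin boundary and is therefore missed by the fixed-bin rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Sentinel's SigninLogs table (not real
# telemetry). ResultType "50126" is the credential-validation failure the
# article's rule filters on; "0" is a successful sign-in.
SAMPLE_SIGNIN_LOGS = [
    # alice: five failures inside one fixed 10-minute bin (08:00-08:10)
    {"TimeGenerated": "2024-03-01T08:00:10Z", "ResultType": "50126", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-03-01T08:01:05Z", "ResultType": "50126", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-03-01T08:02:30Z", "ResultType": "50126", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-03-01T08:03:45Z", "ResultType": "50126", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    {"TimeGenerated": "2024-03-01T08:04:20Z", "ResultType": "50126", "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.10"},
    # bob: five failures within 4m40s, but split 3/2 across the 08:10 bin boundary
    {"TimeGenerated": "2024-03-01T08:07:00Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-03-01T08:08:30Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-03-01T08:09:50Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-03-01T08:10:20Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    {"TimeGenerated": "2024-03-01T08:11:40Z", "ResultType": "50126", "UserPrincipalName": "bob@contoso.example", "IPAddress": "198.51.100.7"},
    # carol: one success and one isolated failure, which the rule must ignore
    {"TimeGenerated": "2024-03-01T08:05:00Z", "ResultType": "0",     "UserPrincipalName": "carol@contoso.example", "IPAddress": "192.0.2.55"},
    {"TimeGenerated": "2024-03-01T08:06:00Z", "ResultType": "50126", "UserPrincipalName": "carol@contoso.example", "IPAddress": "192.0.2.55"},
]

FAILURE_CODE = "50126"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def bin_start(ts, bin_minutes):
    """Floor a timestamp to its fixed bucket, like KQL bin(TimeGenerated, 10m).
    KQL buckets are aligned to absolute multiples of the bin size, so we floor
    against the Unix epoch rather than against the first event seen."""
    width = timedelta(minutes=bin_minutes)
    return EPOCH + ((ts - EPOCH) // width) * width


def failed_logins_by_bin(records, bin_minutes=10, threshold=5):
    """Python equivalent of the article's KQL: keep ResultType 50126, count by
    IPAddress, UserPrincipalName and bin(TimeGenerated, 10m), then keep rows
    with FailedLogins >= threshold. Returns one dict per alerting row."""
    counts = defaultdict(int)
    for rec in records:
        if rec["ResultType"] != FAILURE_CODE:
            continue
        key = (rec["IPAddress"], rec["UserPrincipalName"],
               bin_start(parse_ts(rec["TimeGenerated"]), bin_minutes))
        counts[key] += 1
    return [
        {"IPAddress": ip, "UserPrincipalName": upn,
         "BinStart": start.strftime(TS_FORMAT), "FailedLogins": n}
        for (ip, upn, start), n in sorted(counts.items())
        if n >= threshold
    ]


def failed_logins_sliding(records, window_minutes=10, threshold=5):
    """Sliding-window variant: flag every (IPAddress, UserPrincipalName) pair
    that reaches `threshold` failures inside ANY span of `window_minutes`,
    regardless of where fixed bin boundaries fall. Returns a set of pairs."""
    per_pair = defaultdict(list)
    for rec in records:
        if rec["ResultType"] == FAILURE_CODE:
            per_pair[(rec["IPAddress"], rec["UserPrincipalName"])].append(
                parse_ts(rec["TimeGenerated"]))
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for pair, times in per_pair.items():
        times.sort()
        left = 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # drop events older than the window
                left += 1
            if right - left + 1 >= threshold:
                flagged.add(pair)
                break
    return flagged


if __name__ == "__main__":
    print("fixed bins (article's KQL):", failed_logins_by_bin(SAMPLE_SIGNIN_LOGS))
    print("sliding window           :", failed_logins_sliding(SAMPLE_SIGNIN_LOGS))
```

Running the script shows that the fixed-bin logic reports only alice, while the sliding window also reports bob, whose five failures fall 3 in the 08:00 bin and 2 in the 08:10 bin. Because bin() aligns to absolute 10-minute boundaries while "Run query every 10 minutes / Lookup data from the last 10 minutes" starts at whatever wall-clock time the rule happens to run, such boundary-straddling bursts are a known blind spot of the pattern; a lookback window somewhat longer than the bin size, or a threshold applied over the whole lookback period, reduces it at the cost of potential duplicate alerts.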
Step 3: Incident Settings
- Create incidents from alerts triggered by this analysis rule: Enabled.
- Alert Grouping:
Group alerts into a single incident if all alerts are generated from the same entity.
Step 4: Automated response
Optionally, you can attach a playbook (based on Logic Apps) to automate actions such as blocking the IP address in the firewall or disabling the user account.
Step 5: Review and create
Review all settings and click Create.
Investigating Alerts and Incidents
When the rule detects suspicious activity, an incident is created.
- In Azure Sentinel, go to Incidents.
- Click the incident generated by your rule.
- On the incident details page, you will see:
- Timeline: A chronology of alerts.
- Entities: The mapped entities (user and IP), which can be investigated further.
- Investigation graph: A graphical visualization of the connections between entities.
Use these tools to understand the scope of the attack and take necessary response actions.
Using Analytics Rule Templates
Microsoft Sentinel comes with hundreds of pre-built rule templates from Microsoft and its security community. Using them is a quick way to increase your detection capacity.
- In Analysis, go to the Rule Templates tab.
- Filter by data sources, MITRE ATT&CK® tactics, etc.
- Select a relevant template (e.g. Anomalous sign-in location).
- Click Create rule in the details pane. The wizard will populate with the template's logic and settings, which you can customize before creating the active rule.
Conclusion
Creating custom analytics rules in Azure Sentinel is an essential capability for any security team. By transforming raw data into actionable detections, organizations can proactively identify threats such as brute force attacks, lateral movement, and data exfiltration. Combined with response automation and existing rules templates, Sentinel empowers analysts to focus on what matters most: protecting the organization.
References
[1] Microsoft. (2023). What is Microsoft Sentinel?
[2] Microsoft. (2023). View and investigate incidents in Microsoft Sentinel.
[3] Microsoft. (2023). Work with Microsoft Sentinel data connectors.