Microsoft Sentinel Blog

What’s New: Introducing Microsoft Sentinel Network Session Essentials solution

kavishbakshi
Mar 20, 2023

Today, we are announcing the new Network Session Essentials solution in Public Preview. This is a domain solution and the first Microsoft Sentinel solution to leverage the Advanced Security Information Model (ASIM). As a result, the solution provides a set of generic out-of-the-box (OOTB) content, specific to network security scenarios, that supports over 15 network products and services including Azure Firewall, Palo Alto Firewall, Corelight, Cisco Meraki, Fortinet FortiGate and more. This means the same content from this solution can work with multiple network products deployed in your organization, delivering more value to protect your network with less. Learn more about domain solutions that leverage ASIM.

Microsoft Sentinel has 280+ solutions in Content hub. These enable customers not only to connect their data sources and ingest data into Microsoft Sentinel, but also provide out-of-the-box (OOTB) analytic rules, hunting queries, workbooks, playbooks, and more to help customers realize their end-to-end (E2E) scenarios in Sentinel. Even though this approach enables customers to integrate different products in Microsoft Sentinel, there are certain challenges customers face. For example, there are multiple product solutions in the Security-Network domain category, such as Azure Firewall, Palo Alto Firewall, Corelight, etc. These have differing data ingestion components by design, but there is a common pattern to the analytics, hunting queries, workbooks, etc. within the same category. To take a specific example, most of the major network products share a basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. Currently, this analytic rule template is duplicated almost verbatim for each of the Security-Network product solutions. Customers running multiple network products need to check and then configure each of these analytic rules individually, which is inefficient. Furthermore, this duplication results in alert fatigue when the alerts do fire. With OOTB content built using ASIM, the same alert rule can work across multiple networking solutions deployed in your organization.

Key Capabilities: -

  1. Data normalization using ASIM schema
  2. Query time parsing
  3. At scale data / incident handling
  4. Easier deployment based on specific use cases and incident handling
  5. More value with less content to manage
  6. Consolidated workbook views
  7. Source agnostic content

Prerequisite: -   

The Network Session Essentials solution, like other Microsoft Sentinel domain solutions, does not include a data connector. It depends on the source-specific connectors in the respective Microsoft Sentinel product solutions to pull in the logs. Install one or more of the prerequisite product solutions listed below, and configure their respective data connectors, to meet the underlying product dependency and to get the most out of this solution's content.

  1. Amazon Web Services 
  2. Azure Firewall 
  3. Azure Network Security Groups 
  4. Check Point 
  5. Cisco ASA 
  6. Cisco Meraki Security Events 
  7. Corelight 
  8. Fortinet FortiGate 
  9. Microsoft Defender for IoT 
  10. Microsoft Defender for Cloud 
  11. Microsoft Sysmon For Linux 
  12. Windows Firewall 
  13. Palo Alto PANOS 
  14. Vectra AI Stream 
  15. WatchGuard Firebox 
  16. Zscaler Internet Access 

Note: As the parser coverage for this solution increases, this list will also increase.  

Out of box content offered: - 

This solution comes with seven analytic rules, four hunting queries, one playbook, one workbook, and one watchlist.

Analytics rules: 

  • Network session traffic anomaly 
  • Anomaly in port usage 
  • More than defined port usage 
  • Excessive number of failed connections from a Single source 
  • Possible external to internal port sweep 
  • Possible port scan 
  • Potential Beaconing activity 

Hunting queries: 

  • Detect Anomaly in port usage 
  • Detect More than defined port usage 
  • Detect multiple users with same MAC address 
  • Destination App and associated standard port mismatch

Summarization playbook:   

The Network Session Essentials domain solution is expected to handle data at very high events per second (EPS), and content that queries such high-EPS data can suffer a performance impact that causes slow loading of workbooks or query results. To overcome this, we have created a summarization playbook that summarizes the source logs and stores the summary in a predefined table. The content of the domain solution does not query this table unless the summarization playbook has been enabled.

Note: Additional charges might apply for Azure Logic apps. For more information, see the Azure Logic Apps pricing page. Additional charges might also apply for storage of the summarized data.

Workbook 

This solution provides one workbook, the Network session solution workbook, which covers details for the following events.

  • Traffic visibility 
  • Security visibility 
  • Policy rule 
  • Network security event viewer 

Watchlist: -  

The solution supports one watchlist, ‘NetworkSession_Monitor_Configuration’, which includes more than 70 different sets of conditions that drive the analytic rule detections and hunting queries. The watchlist provides the following advantages:

  • The watchlist contains the list of ports on which monitoring is required, with the option to filter on Destination Application, Network Protocol, Network Direction and Device Action.
  • The type of monitoring can be switched between Hunting and Detection for each row item.
  • The threshold type can be set to Static to use threshold-based alerting, while Anomaly-based alerts learn from the last few days of data (maximum 14 days).
  • Alert Name, Description, Tactic and Severity can also be modified using this watchlist for individual row items.
  • Detection can be disabled by setting Severity to Disabled.
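The watchlist-driven, static-threshold pattern described above, as an added KQL illustration; this is not one of the solution's own rules. The ASIM parser _Im_NetworkSession and the watchlist name are real, but the watchlist column names (Port, Type, ThresholdType, Threshold, AlertName, Severity) and the normalization to one-hour bins are assumptions made for this example.

```kql
// Added example, not the solution's own analytic rule.
// Assumed watchlist columns: Port, Type, ThresholdType, Threshold, AlertName, Severity.
let lookback = 1h;
// Only rows configured for static-threshold detection that are not disabled.
let config = _GetWatchlist('NetworkSession_Monitor_Configuration')
    | where Type == "Detection"
        and ThresholdType == "Static"
        and Severity != "Disabled"
    | project DstPortNumber = toint(Port),
              Threshold = toint(Threshold),
              AlertName, Severity;
// ASIM parametrized parser: the same query works for every supported
// network product because all sources are normalized to one schema.
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where isnotempty(DstPortNumber) and isnotempty(DstIpAddr)
// Count sessions per destination host and port in one-hour bins,
// keeping a bounded sample of sources for the analyst.
| summarize Connections = count(),
            SrcIps = make_set(SrcIpAddr, 50)
          by DstIpAddr, DstPortNumber, bin(TimeGenerated, 1h)
// Attach the per-port threshold and alert metadata from the watchlist.
| join kind=inner config on DstPortNumber
| where Connections > Threshold
| project TimeGenerated, DstIpAddr, DstPortNumber,
          Connections, Threshold, AlertName, Severity, SrcIps
```

Rows whose ThresholdType is Anomaly would replace the fixed comparison with a baseline learned from up to 14 days of the same summarized series, as the watchlist description above states.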

Getting started: - 

This solution is available in Content hub like any other solution. Search for the solution and click Install. Make sure that one or more of the prerequisite source-specific solutions listed above are already installed, and their respective data connectors configured, before installing this solution.

All of the content, such as the analytic rule templates, hunting queries, playbook and workbook, can be managed from the Content hub manage view and will also be available in the respective content galleries. Let us know your feedback using any of the channels listed in the questions or feedback section.

Updated Mar 23, 2023
Version 3.0
    SocInABox
    Iron Contributor

    I've already told kavishbakshi directly, but again thanks very much for your and your team's hard, hard work on this.

    IMO it's a very big deal.

    This will do great things for normalizing like-vendor log sources and reduce the number of necessary correlations.