Forum Discussion
TheHoff70
Mar 24, 2025, Brass Contributor
Tips on how to process firewall URL/DNS alerts
Greetings
I've been tossing this around ever since I started using Sentinel, or rather Defender XDR, a few years ago: how to process events from our firewalls, specifically all the URL and DNS block alerts generated. I don't want to tune them out completely because they might be an indication of something bigger, but as the situation is now it's almost impossible to process them.
All alerts are created by an NDR rule that processes CommonSecurityLog entries based on syslog data and creates incidents with entities for the incident. The way Defender XDR then processes these Sentinel incidents seems to be to create "mega incidents" where it dumps all incidents for a specific time.
I can understand the logic behind this thinking, where Defender XDR tries to piece together different incidents and alerts that have common elements, users, MITRE attributes or any combination. But it becomes unmanageable.
I would like some input from the community, or references to best practices.
- AndrewBlumhardt, Microsoft
You could consider just using these logs for investigations and reporting. MDE monitors network activity for each device and MDCA adds web application activity. Both have good out of the box alert rules. Your solution could be a duplicate.
Make sure your alert rule can tie this back to device or user entities. This may require a more complex query with a join. If your Sentinel rules do not have entity mapping, XDR cannot perform proper correlation.
I would revise this to be a daily summarization of key entity and URL. I would do something like summarize arg_max(TimeGenerated, *) by DeviceId, URL
Then have a daily alert for the entity that has an event for each entity. This can be performed using event grouping.
Your issue is likely a combination of too frequent reporting and entity mapping.
- TheHoff70, Brass Contributor
After a lot of thought and some experimenting with different KQLs I have gone down the path suggested by "ITProfessor": an analytics KQL that does tough filtering based on occurrence and threat intelligence presence and creates an incident after that.
Anything else is handled by a workbook.
- ITProfessor, Copper Contributor
Hello,
I would recommend applying additional logic in here as just seeing blocked connections won't give you any practical steps you can action.
What you can do is:
- Apply Threat Intelligence to it; you can install the free connector in Sentinel and create an analytic rule that will flag successful connections where TI matches the source IP address from Syslog.
- Move your current alert into a Workbook; this way you can monitor the top domains being flagged and action it from there, double-checking whether they are blacklisted in the firewall or, if using Defender for Endpoint, adding them as a custom network indicator (block).
- Filter whitelisted domains from the query; you should have some Microsoft ones in there and most likely plenty of others (like Apple or CDN domains).
This way you can filter out the noise and keep only relevant events.
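As an added illustration (not code posted by anyone in this thread), here is one scheduled-rule query that puts AndrewBlumhardt's daily arg_max summarization and ITProfessor's three points together: allowlist stripping, a TI domain match, and an occurrence threshold, summarized once per source host and blocked host so the Host, IP, Account and URL entities map cleanly. The DeviceAction values, the allowlist contents, the 20-block threshold, and which CEF columns (DestinationHostName, RequestURL) your firewall actually fills are assumptions to adjust for your own data.

```kql
// Added example, not from the original posters. Run as a daily scheduled
// analytics rule (lookback 1d) with entity mapping:
//   Host -> SourceHostName, IP -> SourceIP, Account -> SourceUserName, URL -> BlockedHost
let lookback = 1d;
let blockThreshold = 20;                                   // assumption: tune to your volume
let allowlist = dynamic(["microsoft.com", "windowsupdate.com", "apple.com", "akamaihd.net"]);
// Current, unexpired domain indicators from the TI connector (one row per domain)
let tiDomains =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | summarize arg_max(TimeGenerated, ConfidenceScore, ThreatType) by DomainName = tolower(DomainName)
    | project DomainName, ConfidenceScore, ThreatType;
// Firewall URL/DNS blocks, normalised to a lowercase host name
let blocks =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceAction in~ ("block", "deny", "drop")     // assumption: vendor-specific values
    | extend BlockedHost = tolower(coalesce(DestinationHostName, tostring(parse_url(RequestURL).Host)))
    | where isnotempty(BlockedHost)
    // last two labels of the host, so allowlisting "apple.com" also covers its subdomains
    | extend ParentDomain = strcat_array(array_slice(split(BlockedHost, "."), -2, -1), ".")
    | where ParentDomain !in (allowlist);
// One row per (source host, blocked host) per day, keeping the most recent event's details
blocks
| summarize BlockCount = count(),
            arg_max(TimeGenerated, SourceIP, SourceHostName, SourceUserName, DeviceVendor)
    by BlockedHost, ParentDomain
| join kind=leftouter tiDomains on $left.BlockedHost == $right.DomainName
| extend TiMatch = isnotempty(ThreatType)
// Keep only what is actionable: a TI hit, or a host one device keeps hitting
| where TiMatch or BlockCount >= blockThreshold
| project TimeGenerated, SourceHostName, SourceIP, SourceUserName, BlockedHost,
          ParentDomain, BlockCount, TiMatch, ThreatType, ConfidenceScore, DeviceVendor
| order by TiMatch desc, BlockCount desc
```

Everything the `where TiMatch or BlockCount >= blockThreshold` line drops still lands in the workbook view of the same `blocks` query, so the rule only raises what a person can act on.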
- TheHoff70, Brass Contributor
Hello
These are good points and to some extent I apply them already. For example, I run several playbooks on firewall blocks to enrich the entities from services like Shodan and VT and close the incidents if no other indications are found. The problem with Defender XDR is that there is some process somewhere that reopens the closed incidents and creates these massive 800+ entity incidents.
I feel things are further complicated by the difference in terms between Sentinel and Defender XDR. For example, an incident from Sentinel, containing one or more blocked URLs, is handled as an alert by XDR. It might be presented as-is or included later into an amalgam incident.