Azure Sentinel Normalization?

Coming from a general SIEM background, I understand that Sentinel approaches things in a different way; however, I am really struggling to understand how we can use Sentinel from an MSSP standpoint. From my (very limited) experience with Sentinel, depending on the log source and log source type, the fields can be different.

This can cause a lot of problems when you try to create rules that span multiple log sources or have analysts that need to query across the whole environment.

Has anyone run into the same situation and addressed it?
4 Replies

@ajiwanand we have started a private preview for a normalized schema. Join our Private Previews program if you want to review and provide feedback.


That said, normalization is a broad topic. It would be great to learn what value you are looking for from normalization.


~ Ofer


@Ofer_Shezaf 


I will definitely sign up for the preview!


As for clarification, like I said above, my experience lies mostly with traditional SIEM technologies, where we have a large number of log sources reporting into a platform. These log sources are then mapped to a common information schema/format where we can search one field (e.g. username) and that field is translated to all the username fields of each log source, effectively giving the analyst the ability to query across multiple log sources using a common information schema.


I do know that there is the possibility of aliases, and even parsing into new fields is quite easy with Sentinel; however, the manual work and maintenance required to keep this up to date makes it really tough to achieve.


So essentially, we are looking for a common information schema which allows users to query across multiple log sources easily. I should also add that my perspective on this is also from a service provider (MSSP), and while we may be able to build out the aliases or fields required for one customer, if we are trying to use Sentinel for multiple customers you can probably see the amount of effort required to get this standardized set of fields on all customers. Not to mention the other main issue, which is the training we need to give all analysts if we don't have a standardized set of fields.


Hope this makes sense, and let me know if I'm missing a concept of Sentinel or a feature :)



@Ofer_Shezaf, I will definitely join the preview program.


As for clarification, like I said, most of my background has been in traditional SIEMs, so forgive me if I'm missing a concept or something like that, but the idea is that if you have a large number of data sources (e.g. CEF, Security Events, other syslog, audit events) reporting to the platform, you should be able to utilize a standardized information schema to search and correlate across all these log sources. Usually a list of predefined fields like Username, IP Address, Host, and some more are parsed to the same field names, allowing the user, whether it be an analyst or content creator, to either search across all log sources or create rules that span multiple log sources.


Some vendors even go so far as to classify a "common event", that is, a field that explains what the event means (and is the same for all log sources). I know we can have field aliases or even parse our own fields quite easily; however, the management and manual effort required to keep this up to date is a lot.


Hope this makes sense; let me know if I need to clarify further.


- Ajay J


@ajiwanand 


Thanks, makes sense. Extracting specific requirements:

- Microsoft-provided parsers to a standard schema

- Easy search across multiple occurrences of similar values in the schema (IP Address, User)


Happy if you join our Private Previews program to give feedback on our normalization project.
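The two requirements Ofer extracts above (parsers to a standard schema, and one search that covers every occurrence of a user or IP value) are what Ajay describes in his posts as the hand-built alias and parsing work. The KQL below is an added example written for this thread, not Microsoft's normalization project or any code from the posters: it is a do-it-yourself "parser" in the sense the thread uses, mapping three real Sentinel tables (SecurityEvent, CommonSecurityLog for CEF, and Syslog) onto one constructed common schema, then running a single analyst query over it. The schema column names (NormUser, NormSrcIp, NormHost, NormAction, NormSource), the sample user "jdoe" and the IP 203.0.113.5 are constructed for the example; the table and source column names are the documented Sentinel ones.

```kusto
// Added example, not from the thread: a hand-written normalization layer.
// Each branch maps a source table onto the same constructed column set, so an
// analyst (or a rule author) searches one field name instead of one per source.
let CommonAuth = (
    union isfuzzy=true            // isfuzzy: don't fail if a table is absent in this workspace
    (SecurityEvent
        | where EventID in (4624, 4625)                 // Windows logon success / failure
        | extend NormUser   = tolower(TargetUserName),
                 NormSrcIp  = IpAddress,
                 NormHost   = Computer,
                 NormAction = iff(EventID == 4624, "LogonSuccess", "LogonFailure"),
                 NormSource = "SecurityEvent"
    ),
    (CommonSecurityLog                                  // CEF from firewalls, VPNs, etc.
        | extend NormUser   = tolower(coalesce(SourceUserName, DestinationUserName)),
                 NormSrcIp  = SourceIP,
                 NormHost   = DeviceName,
                 NormAction = DeviceAction,
                 NormSource = strcat("CEF:", DeviceVendor, "/", DeviceProduct)
    ),
    (Syslog
        | where Facility in ("auth", "authpriv")
        | where SyslogMessage has_any ("Accepted", "Failed")  // OpenSSH-style auth lines
        | parse SyslogMessage with * " for " NormUser " from " NormSrcIp " port " *
        | extend NormUser   = tolower(NormUser),
                 NormHost   = HostName,
                 NormAction = iff(SyslogMessage has "Accepted", "LogonSuccess", "LogonFailure"),
                 NormSource = "Syslog"
    )
    | project TimeGenerated, NormSource, NormUser, NormSrcIp, NormHost, NormAction
);
// Analyst query: one field name, every source. "jdoe" and 203.0.113.5 are
// constructed sample values for the example.
CommonAuth
| where TimeGenerated > ago(1d)
| where NormUser == "jdoe" or NormSrcIp == "203.0.113.5"
| summarize Events   = count(),
            Failures = countif(NormAction == "LogonFailure"),
            Sources  = make_set(NormSource)
          by NormUser, NormSrcIp
| order by Failures desc
```

In a real workspace the `let` block would be saved as a KQL function so that every analytics rule and hunting query references `CommonAuth` rather than re-implementing the mapping; that is exactly the maintenance burden the thread describes, since each new customer or device type means another `union` branch to write and keep current. The example uses only the coarse "LogonSuccess"/"LogonFailure" action labels to show the "common event" idea from Ajay's second post; a production schema would need a richer, agreed vocabulary for that field.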