COVID-19 is forcing many organizations to adapt almost overnight to the new reality of social distancing and orders to stay home. As organizations act quickly to enable remote workers, students, customers, and other constituents, many are turning to cloud services and platforms for solutions. For many organizations, this means enabling new cloud technologies or significantly increasing use of existing ones within days rather than months.
For Security Operations Centers tasked with protecting organizations, this can create significant challenges. First, logs and security data from newly deployed cloud services need to be collected and analyzed to identify and investigate potential threats. For some, connecting and scaling on-premises Security Information and Event Management (SIEM) systems to support new cloud data sources can be very difficult, especially if new hardware is required. Second, SOC teams will need to quickly adapt their detection and response efforts to support cloud solutions that are either new or that have become increasingly critical. Our team is here to help.
To that end, Azure Sentinel will provide the following:
Guidance on how to quickly start collecting cloud security data
Ability to ingest many cloud data sources for free in Azure Sentinel
30-day free trial for new customers, which includes free ingestion of all security data
Built-in workbooks, hunting queries, analytics rules, and more to help gain insights from this data right away
Proactive monitoring of new COVID-19 related threats by Microsoft security experts and development of new Azure Sentinel detections
Rapid, low cost cloud data collection
If you aren’t already using Azure Sentinel, it only takes a few minutes to set up in the Azure portal. There is no cost for creating an Azure Sentinel workspace; you only pay for the data you ingest. A free 30-day trial combined with a number of free cloud data sources will help keep your costs down – more on that later. With Azure Sentinel, there is no hardware to procure, configure, or manage and the service will scale automatically as you add new data sources.
In Azure Sentinel, you will find a gallery of data connectors which simplify the process of collecting data from a variety of sources. There are connectors for Microsoft 365 and Azure, as well as other cloud services, along with networks, endpoints, and more. With the correct permissions, you can enable the Microsoft 365 and Azure data sources in a single click. Other cloud data sources, like AWS, require minimal additional configuration. For data sources that do not have a connector in Azure Sentinel yet, data ingestion may be supported via Azure Logic Apps and Azure Functions, which can push records into the workspace through the Log Analytics HTTP Data Collector API.
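The following is an added example, not code from the Azure Sentinel team or product: it shows the core of what an Azure Function or Logic App does when it ingests a source that has no built-in connector, namely signing a batch of JSON records with the workspace shared key (HMAC-SHA256 over a canonical string) and posting it to the Log Analytics HTTP Data Collector API, where the records land in a custom table named after the Log-Type header (SaaSAudit_CL here). The workspace ID, shared key, table name and audit records are constructed placeholders; the API version, host, canonical string and header names are the documented ones.

```python
"""Push records from a SaaS application into the Log Analytics workspace behind
Azure Sentinel using the HTTP Data Collector API (added example; the workspace
ID, shared key and sample records are constructed placeholders)."""
import base64
import datetime
import hashlib
import hmac
import json
import urllib.request

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"

# Placeholders: real values come from the workspace's Agents management blade.
DEMO_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
DEMO_SHARED_KEY = "cGxhY2Vob2xkZXIta2V5"  # base64 of b"placeholder-key", constructed


def rfc1123_now() -> str:
    """Current UTC time in the RFC 1123 form required by the x-ms-date header."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return now.strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(content_length: int, date: str) -> str:
    """Canonical string covered by the signature: method, body length,
    content type, date header and resource path, newline separated."""
    return f"POST\n{content_length}\n{CONTENT_TYPE}\nx-ms-date:{date}\n{RESOURCE}"


def build_signature(workspace_id: str, shared_key: str, content_length: int, date: str) -> str:
    """Authorization header value: HMAC-SHA256 over the canonical string,
    keyed with the base64-decoded workspace shared key, base64-encoded."""
    key = base64.b64decode(shared_key)
    message = string_to_sign(content_length, date).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode('ascii')}"


def build_request(workspace_id, shared_key, log_type, records, date=None, time_generated_field=None):
    """Return (url, headers, body) for one batch of records without sending it.
    log_type becomes the custom table name (<log_type>_CL) in the workspace; the
    API only accepts letters, digits and underscores in it."""
    if not log_type.replace("_", "").isalnum():
        raise ValueError("Log-Type may contain only letters, digits and underscores")
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    date = date or rfc1123_now()
    headers = {
        "Content-Type": CONTENT_TYPE,
        "Authorization": build_signature(workspace_id, shared_key, len(body), date),
        "Log-Type": log_type,
        "x-ms-date": date,
    }
    if time_generated_field:
        # Name of the record field to use as TimeGenerated instead of ingestion time.
        headers["time-generated-field"] = time_generated_field
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def post_records(workspace_id, shared_key, log_type, records, time_generated_field=None) -> int:
    """Send one batch (network call); the API answers 200 when it accepts the data."""
    url, headers, body = build_request(workspace_id, shared_key, log_type, records,
                                       time_generated_field=time_generated_field)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample: audit events from a hypothetical SaaS application.
SAMPLE_RECORDS = [
    {"EventTime": "2020-04-06T12:00:00Z", "User": "alice@contoso.example",
     "Action": "FileDownload", "Count": 412, "SourceIp": "203.0.113.7"},
    {"EventTime": "2020-04-06T12:01:30Z", "User": "bob@contoso.example",
     "Action": "MailboxForwardingRuleCreated", "SourceIp": "198.51.100.23"},
]

if __name__ == "__main__":
    url, headers, body = build_request(DEMO_WORKSPACE_ID, DEMO_SHARED_KEY, "SaaSAudit",
                                       SAMPLE_RECORDS, time_generated_field="EventTime")
    print(url)
    print(headers["Authorization"])
    print(body.decode("utf-8"))
```

The shared key authorizes writes to the whole workspace, so in a real Azure Function it belongs in Key Vault or an application setting, never in the function code or the source repository; rotating it invalidates every signer at once. Setting time-generated-field to the source's own timestamp matters for detection, since analytics rules and hunting queries key on TimeGenerated and a backlog replayed after an outage would otherwise appear to have happened at ingestion time.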
Connect cloud data sources
We recommend you start by connecting activity and audit logs from your cloud services. If you have security solutions deployed for these services, enable those as well. You can augment this with network or other data sources at a later date. For a complete list of built-in data connectors see the documentation. For information about connecting other data sources, see this blog post.
The table below lists the most common cloud data sources and how to connect them (the table's layout was not preserved; the following entries are recoverable):
Microsoft 365 and Azure Logs
Azure Activity Logs
Office 365 SharePoint Activity and Exchange Admin Activity Logs
Gain insights into threats using your cloud data
Once your data is flowing into Azure Sentinel, you can begin using it to identify and investigate potential threats. A combination of workbooks (interactive dashboards), hunting queries, analytics rule templates, and even Jupyter notebook samples are available out of the box to help you quickly visualize and analyze your data in Azure Sentinel. For sources with built-in data connectors, you can easily access these related assets from the ‘next steps’ tab for each connector, or from within the Workbooks, Hunting, Notebooks, and Analytics blades.
Security analysts from the Microsoft Threat Intelligence Center (MSTIC) are continuously monitoring the threat landscape to identify new threats. When new threats are identified, MSTIC builds analytics rules and Jupyter notebook samples that Azure Sentinel customers can use to hunt for these threats in their environments. They recently released a guided hunting notebook for COVID-19 themed threats, and will continue to leverage their unique insights and intelligence to help you protect against emerging threats in Azure Sentinel.
In addition, MSTIC is working closely with specialized groups like the Microsoft Threat Protection Intelligence Team. Earlier this week, the two teams partnered on guidance to help essential services protect against popular ransomware attacks, which are known to target the healthcare industry.
Call to action for the Azure Sentinel community
Our team is committed to helping customers enable critical protections for their organizations and users during these challenging times, but we cannot do it alone. We have an amazing community of threat hunters who share their expertise by contributing workbooks, queries, analytics, notebooks, automation playbooks and much more on our GitHub. Thank you to those who have already contributed; we hope other community members will do the same. Areas where you can help include:
Parsers and functions for cloud data sources not already supported by built-in data connectors
Hunting queries, analytics, and Jupyter notebooks to detect emerging threats designed to capitalize on COVID-19 fears or target remote workers and cloud applications
Playbooks to automatically remediate the above threats
Together, we hope to minimize risks to organizations and users. Please stay in touch on our TechCommunity forum and blog. Personally, I will try to keep you posted on twitter (@sarahfender) as well.
Sarah Fender, on behalf of the entire Azure Sentinel product team