Oct 14 2019 04:42 AM
Oct 14 2019 04:42 AM
I've been looking at Sentinel today for the first time for a company I've been employed at, and having had past experience with SIEM solutions I have a few concerns that maybe someone in the community could address, even if it's just a no or a maybe in the future.
My first issue is with the lack of data normalization. I see this as a huge issue as you're now writing queries based on the format the ingested data is stored on and not in a standard format. E.g. you can't simply query all logs from multiple sources for a single known malicious IP picked up somewhere. You now have to write complex Kusto queries, make assumptions about which sources you need to look at, and need to know the format of each data source.
My second concern is that with many SIEMs you expect some value add and to give part of the solution to business services like Help Desks to monitor (where a SoC is not viable). To do this you generally have a simple GUI search form with standardized field names (which requires normalization). For this SIEM to be used in this way it appears that every user consuming it will either have to know how to write Kusto (or use Jupyter) and know the structure of the target data or use saved searches.
My third concern is that there doesn't seem to be any deep analytics (at least that the adminstrator can customize) where you can create baselines on certain data and detect anomalous logs. There seems to be some of this capability but it seems to be listed as "Microsoft propriety" and "hidden logic". There is mention of Machine Learning Studio but I'm not sure how this would integrate to generate alarms.
And it continues (sorry) with my fourth concern. There doesn't seem to be a differentiation between alerts and alarms/incidents. I think an issue here is that there would need to be another data store for this capability but in other SIEMs you can create an alert from a rule which isn't seen by the user and then use that rule to corroborate with other alerts to finally raise an alarm that the user sees.
A further concern is the lack of ability to pivot, this relates closely with my first and second concern, but to provide insight into alarms you should be able to pivot off of a normalised field and return all data that contains that same entry, e.g. click username and get everywhere the user has logged in or carried out an action (e.g. Workstation, VPN, Office 365 audit logs, proxy access logs etc.).
I'm also concerned rules aren't processed on the ingest pipeline and are through scheduled intervals. I'm hopinng this has minimal impact on the time to alarm.
I think there's more but I'll leave it at that for now, looking forward to (hopefully) hearing the solutions!
Oct 15 2019 04:21 AM
@illuzian I cannot address all your concerns but I have an answer for some
First Concern: You can use the "search" command to search across all logs. This article uses it for just the type of scenario you describe: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Security-Investigation-with-Azure-Sentinel-and...
Second concern: While there is not one out of the box you can create a workbook that can provide basic data like what you need using a text parameter for the input value.
Third concern: On the overview page is a description of how ML will be used in Sentinel and a link that takes you to this page which provides a good overview. https://azure.microsoft.com/en-us/blog/reducing-security-alert-fatigue-using-machine-learning-in-azu...
Fourth concern: Not sure why that is a concern. It is strictly a different way of working with alerts and incidents. And, if you have not noticed, there are times when an incident is comprised of multiple alerts so it does sort of work the way you described.
Last concern: If you look at the incident graphical investigation you will see that you can do exactly what you stated in an easy to use graphical view. And if that does not work, you can go directly to the logs from that page or use threat hunting with Juypter notebooks to get even more advanced analysis
Oct 15 2019 05:02 AM