Hunting
64 Topics

Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions
With the amazing increase in domains and top-level domains (TLDs) on the Internet, it's difficult to know just where our users are going. Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users. By researching the domains our users are accessing and generating alerts on potentially suspicious activity, we can be more aware of the risks and hopefully get ahead of the problem. This blog post covers an example of extending Azure Sentinel using Azure Functions to call the Registration Data Access Protocol (RDAP) to gather information on the domains that are being accessed in an environment.

Using KQL functions to speed up analysis in Azure Sentinel
Security Operations can often be a very repetitive role. As a security analyst, you will often find yourself conducting the same actions and tasks as you work through an investigation. KQL functions in Azure Sentinel provide a way in which analysts can build up a collection of investigation tools to call upon quickly and simply.

Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪
Today, we celebrate 25 years of Sysinternals, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing Sysmon for Linux, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and sending them to Syslog for easy consumption. Sysmon for Linux is built on a library also released today named sysinternalsEBPF, which is built on libbpf and includes a library of eBPF inline functions used as helpers. In this post, I will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured, to take it for a drive and explore its coverage.

Testing the New Version of the Windows Security Events Connector with Azure Sentinel To-Go!
Last week, on Monday June 14th, 2021, a new version of the Windows Security Events data connector reached public preview. This is the first data connector created leveraging the new generally available Azure Monitor Agent (AMA) and Data Collection Rules (DCR) features from the Azure Monitor ecosystem. As with any other new feature in Azure Sentinel, I wanted to expedite the testing process and empower others in the InfoSec community through a lab environment to learn more about it.

Monitoring Zoom with Azure Sentinel
In a recent blog we talked about the explosion in usage we had seen with Microsoft Teams as the world has moved to working from home. However, Microsoft Teams is not the only application to see such a surge; Zoom is another remote productivity tool that has seen a massive increase in users, with more than 200 million daily meeting participants being reported in March. Just as Security Operations Centers (SOCs) need to monitor Microsoft Teams activity, they also need to be able to secure and monitor other productivity applications such as Zoom. One of the great features of Azure Sentinel is its ability to ingest and analyze data from any source, not just from Microsoft products. In this blog I will show you how you can collect logs from Zoom, ingest them into Azure Sentinel, and how a SOC team can start to hunt in the logs to find potentially malicious activity.