alerts
18 Topics

App Assure’s promise: Migrate to Sentinel with confidence
In today's evolving cyber-threat landscape, enterprises need the most up-to-date tools for detection, investigation, and response. Cloud-native, AI-driven solutions like Microsoft Sentinel provide businesses with faster implementation, greater integration and automation capabilities, and intelligent event correlation. But when moving from on-prem to the cloud, or from one SIEM to another, migrating can seem risky and complex for Security Operations Centers (SOCs) that have spent years investing in customized solutions. One challenge businesses face is how to port over third-party connectors, especially ones processing large data volumes, which can reach terabytes per day. For customers with such needs, Microsoft has built the Codeless Connector Framework (CCF) in Microsoft Sentinel.

Microsoft Sentinel’s Codeless Connector Framework reduces friction for enterprises migrating to the cloud

For enterprises ready to modernize their security operations, Microsoft recommends leveraging integrations built on CCF. These integrations are built to handle large data workloads and provide a number of powerful benefits:

- CCF connectors are a scalable and reliable SaaS offering, capable of handling high-volume data ingestion effortlessly.
- Its Data Collection Rules (DCRs) enable log filtering and transformation at ingestion, reducing data volume and lowering costs.
- CCF also streamlines installation and deployment. What formerly took hundreds of lines of code to configure now takes a few simple mouse clicks.
- CCF communication is conducted privately between Microsoft services without being exposed to the public internet, aligning with Microsoft's security best practices to provide a secure and robust integration environment.

What makes CCF an even more compelling and powerful tool is that our App Assure team stands behind the platform to uphold Microsoft’s Sentinel compatibility promise.
Microsoft’s Sentinel promise

How App Assure delivers on this promise

Backed by Microsoft engineering, App Assure is here to help. If a Microsoft Sentinel ISV solution is not yet available or you have an issue with a solution already published by an ISV, App Assure may be able to assist with the following customer scenarios:

- Working with ISVs to develop new CCF solutions.
- Working with ISVs to add new features to existing CCF solutions.

For supported scenarios, an App Assure Manager will be assigned to guide you through the process, ensuring you can leverage the full power of Sentinel. For customer scenarios that are not supported, App Assure will help you identify available resources. To engage App Assure and learn more about what we support, submit a request for assistance.

Partner Testimonials

App Assure has already been working with many ISVs on behalf of our customers to fulfil Microsoft’s Sentinel promise. Two recent engagements where we facilitated the integration of tools that our customers rely on include:

- 1Password
- Netskope

Announcing the enhanced Microsoft Sentinel AWS CloudTrail solution, powered by new MITRE-Based Rules
Use the updated Microsoft Sentinel AWS CloudTrail solution to better protect your AWS environment. The updated solution includes over 70 MITRE-based rules, and monitoring and alerting capabilities to detect suspicious activity in your environment.

Common scenarios using Watchlists (with query examples)!
Watchlists in Microsoft Sentinel allow you to correlate data with events in your Microsoft Sentinel environment. Watchlists can be used for searching, detection rules, threat hunting, and in response playbooks. This blog highlights the four common use cases for watchlists, then goes on to describe sample scenarios associated with each.

Automating Azure Resource Diagnostics Log Forwarding Between Tenants with PowerShell
As a Managed Security Service Provider (MSSP), there is often a need to collect and forward logs from customer tenants to the MSSP's Sentinel instance for comprehensive security monitoring and analysis. When customers acquire new businesses or operate multiple Azure tenants, they need a streamlined approach to manage security operations across all tenants. This involves consolidating logs into a single Sentinel instance to maintain a unified security posture and simplify management.

Current Challenges:

Forwarding logs across tenants can be done manually by setting up logging for each resource individually (Storage accounts, Key Vaults, etc.) using Lighthouse. However, this method is cumbersome. Automation through Azure Policy would be ideal, but it is not feasible in this case because Azure Policy is tied to managed identities. These identities are confined to a single tenant and cannot be used to push logs to another tenant.

In this article, we will explore how to forward Azure resource diagnostic logs from one tenant to the Sentinel instance in another tenant using a PowerShell script.

High Level Architecture:

Approach:

Resources Creation

This section describes the creation of the resources necessary for log forwarding to the Log Analytics workspace.

Lighthouse Enablement

Refer to the links below to learn more about Lighthouse configuration for Sentinel:

- Managing Microsoft Sentinel across multiple tenants using Lighthouse | Microsoft Community Hub
- Manage Microsoft Sentinel workspaces at scale - Azure Lighthouse | Microsoft Learn

Create Multitenant SPN

On the customer tenant, create the multitenant application registration and set up a client secret for it. An admin on the customer side provisions a service principal in its tenant. This service principal is based on the multitenant application that the provider created.
The customer applies role-based access control (RBAC) roles to this new service principal so that it is authorized to enable the diagnostic settings in the customer tenant and to forward the logs to the MSSP Log Analytics workspace.

Required Permission: Monitoring Contributor in the customer tenant and Log Analytics Contributor in the MSSP tenant.

Access Delegation

Provide the Monitoring Contributor role to the multitenant SPN created in step 1.2 on the customer tenants, using Azure Lighthouse delegation, so that diagnostic-settings logging can be enabled for all the required Azure resources at subscription scope. Delegate the Log Analytics Contributor role in the MSSP tenant to the multitenant SPN created in step 1.2, using Azure Lighthouse delegation, so that it can forward the logs to Microsoft Sentinel in the MSSP tenant.

Logging Configuration PowerShell Script:

A PowerShell script is used to enable logging on Azure resources across all subscriptions in the customer tenant. The solution involves the following components:

- Master PowerShell Script (Mainfile.ps1): This script lists and executes child scripts for different Azure resources depending on the logging requirement.
- Child PowerShell Scripts: Individual scripts for enabling diagnostic settings on specific Azure resources (e.g., Child_AzureActivity.ps1, Child_KeyVault.ps1, etc.).
- Configuration Script (Config.ps1): Contains SPN details, diagnostic settings, and destination Sentinel instance details.

Master PowerShell Script Details:

This file contains the list of child Azure resource PowerShell scripts that need to be executed one by one. Comment out the child file name where logging is not required.

Logging Configuration PowerShell Script Details:

This file holds the SPN details (Tenant ID, Client ID, Client Secret), the diagnostic settings name and the destination Sentinel instance details, along with the logging category for each resource's logs. Change the values according to the environment and as per requirement.
Child PowerShell Scripts Details:

- Child_AzureActivity.ps1
- Child_KeyVault.ps1
- Child_NSG.ps1
- Child_AzureSQL.ps1
- Child_AzureFirewall.ps1
- Child_PublicIPDDOS.ps1
- Child_WAF_AppGateway.ps1
- Child_WAF_FrontDoor.ps1
- Child_WAF_PolicyDiagnostics.ps1
- Child_AKS.ps1
- Child_StorageAccount.ps1

Execution:

Run the main PowerShell script at a scheduled interval; it executes the child scripts to enable diagnostic settings for various resources such as Azure Activity, Azure Firewall, Azure Key Vault, etc. The main file executes the child PowerShell scripts one by one as configured. Below is the logic of how a child file works:

1. Import the Config.ps1 file to gather information about the SPN, the destination Sentinel instance and the logging categories.
2. Log in to the tenant using the SPN.
3. Get the list of subscriptions in the tenant.
4. Get the resource details (e.g., NSG or Key Vault) from each subscription one by one.
5. Check whether a diagnostic setting is already enabled for the resource, identified by certain keywords. If it is enabled, skip the resource and go to the next one.
6. If it is not enabled, enable the logging and forward the logs to the MSSP Sentinel.

Expected Result & Log Verification

Once the script has executed successfully, logging will be enabled in the Azure Activity and Azure resource diagnostic settings, and the logs will be shipped to the destination Sentinel in the other tenant. In the MSSP Microsoft Sentinel, verify that the logs have been collected properly in the AzureActivity and AzureDiagnostics tables.

Sample PowerShell scripts: scripts/Enabling cross tenant logging using PowerShell script at main · SanthoshSecurity/scripts

Microsoft Sentinel Solution for SAP® Applications - New data exfiltration detection rules
In August 2022, the Microsoft Sentinel solution for SAP was made generally available (GA). Together with the release of the Microsoft Sentinel Solution for SAP® Applications, new out-of-the-box (OOTB) content has been added. This blog covers five new data exfiltration detection rules included with the Microsoft Sentinel Solution for SAP® Applications (these rules are currently in preview).

Protect critical information within SAP systems against cyberattacks
SAP systems and applications handle massive volumes of business-critical data that is hosted on cloud or on-premises infrastructure. The SAP ecosystem is complex and difficult for security operations (SecOps) teams to effectively monitor and protect against growing threats. A breach of the SAP system could result in data loss, disruption to business processes, loss of revenue and major reputation damage. Microsoft Sentinel solution for SAP allows you to monitor, detect, and respond to suspicious activities within the SAP environment, protecting your sensitive data against sophisticated cyberattacks.

Anomaly detection on the SAP audit log using the Microsoft Sentinel for SAP solution
Organizations that use the Microsoft Sentinel for SAP solution obtain valuable security insights from events in the SAP security audit log, as it contains a trail of many important activities in both standard SAP and customer-enhanced events. The current Sentinel solution encapsulates a variety of out-of-the-box detections and visualizations based on the valuable information in the SAP security audit log. We are proud to announce that the new Microsoft Sentinel for SAP solution is enhanced with a feature designed to detect suspicious events in the SAP security audit log based on deviation from the norm, meaning anomalies, in addition to the existing deterministic detection patterns previously included with the solution.

What’s New: Detecting Apache Log4j vulnerabilities with Microsoft Sentinel
A new Microsoft Sentinel solution has been added to the Content Hub that provides content to monitor, detect and investigate signals related to exploitation of the recently disclosed Log4j vulnerability.