threat hunting
35 Topics

Azure Sentinel To-Go (Part 1): A Lab w/ Prerecorded Data 😈 & a Custom Logs Pipe via ARM Templates 🚀
In this post, I show you how to use ARM templates to deploy an Azure Sentinel solution and ingest pre-recorded datasets via a Python script, Azure Event Hubs and a Logstash pipeline.

Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 1
This is the first of a three-part series about using Jupyter notebooks in Azure Sentinel to trace the path of a security breach through an organization's network. It is accompanied by the notebook and Python code.

Detect Network beaconing via Intra-Request time delta patterns in Azure Sentinel
This article discusses the use case of detecting network beaconing via intra-request time delta patterns using KQL (Kusto Query Language) in Azure Sentinel. The technique was originally discussed at the threat hunting project here and was also blogged, with an implementation in the open source network analytics tool flare, by huntoperator here. Implementing it natively in KQL lets defenders apply it across multiple network data sources and set up alerts within Azure Sentinel with little extra work.

Export Historical Log Data from Microsoft Sentinel
Big data security analytics and ML require data ETL that is flexible, highly performant and scalable. In this blog, we show you how to orchestrate the export of Sentinel logs directly from our new Sentinel notebook, making the data ready for big data security analytics with Azure Synapse.

Anomaly detection and Explanation with Isolation Forest and SHAP using Microsoft Sentinel Notebooks
In this blog, we demonstrate how to identify anomalous Windows logon sessions using an Isolation Forest algorithm in an Azure ML studio notebook connected to a Microsoft Sentinel workspace. We then use the SHAP (SHapley Additive exPlanations) library to explain the model's output and give reasons for each anomaly, so that SOC analysts can investigate faster instead of manually working out why a black-box model produced an anomalous score.

What's new: Earn your Microsoft Sentinel Black Belt Digital Badge!
Our Cloud Security Private Community Digital Badge program has introduced a new L5 Microsoft Sentinel Black Belt Digital Badge for you to earn and display proudly to show your prowess as a Microsoft recognized expert.
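The "Detect Network beaconing via Intra-Request time delta patterns" entry above summarizes the idea behind the KQL query in that article: group connections by source and destination, look at the gaps between consecutive requests, and treat a pair whose gaps cluster tightly around one interval as a beaconing candidate. The following Python is an added example written for this page; it is neither the article's KQL nor the flare tool's code. It runs the same logic over a constructed set of connection events (not real traffic), and the 10% jitter tolerance, the minimum of 10 events per pair and the 0.8 flagging threshold are assumed tuning values, not taken from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _series(src, dst, start, gaps_seconds):
    """Build (timestamp, src, dst) events from a start time and a list of gaps."""
    t = start
    events = [(t, src, dst)]
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        events.append((t, src, dst))
    return events


_T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample events (not real traffic): a host that calls out roughly
# every 60 seconds with small jitter, a host with irregular browsing-like
# gaps, and a pair with too few events to judge either way.
SAMPLE_EVENTS = sorted(
    _series("10.0.0.5", "203.0.113.10", _T0,
            [60, 58, 62, 60, 61, 59, 60, 60, 63, 57,
             60, 60, 60, 61, 59, 60, 60, 60, 60])
    + _series("10.0.0.7", "198.51.100.20", _T0,
              [5, 300, 12, 900, 1, 45, 2000, 7, 30, 120, 3, 600])
    + _series("10.0.0.9", "192.0.2.1", _T0, [10, 10]),
    key=lambda e: e[0],
)


def beacon_scores(events, min_events=10, jitter_tolerance=0.10):
    """Score each (src, dst) pair by how regular its inter-request gaps are.

    For every pair with at least `min_events` events, each gap between
    consecutive requests is compared with the median gap; it counts as
    'regular' when it lies within `jitter_tolerance` (a fraction of the
    median) of that median. A high regular fraction means machine-like timing.
    Assumed defaults: min_events=10, jitter_tolerance=0.10.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue  # not enough evidence either way
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(deltas)
        if med <= 0:
            continue  # duplicate timestamps only; no interval to reason about
        tol = med * jitter_tolerance
        regular = sum(1 for d in deltas if abs(d - med) <= tol)
        scores[pair] = {
            "count": len(stamps),
            "median_delta": med,
            "regular_fraction": regular / len(deltas),
        }
    return scores


def flag_beacons(events, threshold=0.8, **kwargs):
    """Return the (src, dst) pairs whose regular fraction meets the threshold (assumed 0.8)."""
    scores = beacon_scores(events, **kwargs)
    return sorted(p for p, s in scores.items() if s["regular_fraction"] >= threshold)


if __name__ == "__main__":
    for pair, s in beacon_scores(SAMPLE_EVENTS).items():
        print(pair, s)
    print("flagged:", flag_beacons(SAMPLE_EVENTS))
```

On the constructed data only the 10.0.0.5 to 203.0.113.10 pair is flagged: all nineteen of its gaps fall within 6 seconds of the 60-second median, while the irregular host scores 0.0 and the three-event pair is skipped. In production the same regularity shows up for benign fixed-interval traffic (NTP, update checks, monitoring agents), so a flagged pair is a hunting lead to check against destination reputation and an allowlist, not an alert on its own.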