1. Intro
While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some form in the corporate environment, whether from a previous or third-party SIEM integration or from a security stack that is already in place. The next logical step is to determine which Sentinel solutions already exist for the products in use. Unfortunately, this step is often done only partially, or not at all, due to a lack of resources. In addition, the available solutions (so-called Content Hub Solutions) continue to evolve, and once a solution is implemented, the updates it needs may be neglected. This is where the Use Case Mapper Workbook can help.
The workbook and its complementary resources (watchlists) can be used to map common Use Cases to the MITRE ATT&CK framework, i.e. to the tactics and techniques listed there. This gives you a quick overview of the analysis options available in Sentinel (e.g. Analytic Rules and Hunting Queries) for each of these Use Cases.
The identified Use Cases in this context are:
- Credential Exploitation
- Lateral Movement
- Rapid Encryption
- Command and Control Communication
- Insider Risk
- Anomalous Privilege Escalation
- Third-Party Abuses
- Overexposure
- Data Exfiltration
- Mobile Data Security
- Communication Abuse
- Web Application Abuse
NOTE: These can change over time, as attack and defense strategies and techniques are constantly changing as well.
To adapt this information to your own needs, there is also an option to narrow the results down to selected Data Sources (Content Hub Solutions).
2. Prerequisites
Before getting started, check that the following prerequisites are fulfilled:
- an Azure subscription with a Sentinel-enabled Log Analytics workspace
- the correct RBAC roles assigned; for the sake of simplicity, this should be 'Contributor' or 'Owner'
3. How to deploy/get started
- Go to the workbook's folder in the Azure/Azure-Sentinel repository on GitHub (Workbooks/use cases mapper workbook, master branch)
- Look for the 'Deploy to Azure' button
- Log into a suitable tenant
- Enter the required information (subscription, resource group, region, workspace name) and click 'Review + create'
- Check the information you entered once more and confirm it by clicking 'Create'
- The new workbook (Use Case Mapper) should now appear in Sentinel in the 'Workbooks' section.
4. How to use & structure
- In the first section of the workbook, you have the option to select one of the predefined Use Cases.
- The second step is to select the right data source/solution.
- The selection made before is presented in section 3 below. Based on the selections made, the following information is presented:
  - Analytic rules - ID | Name | Solution | Technique + graphical representation
  - Hunting Queries - ID | Name | Solution | Technique + graphical representation
  - Workbooks - Name | Solution
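To make the mapping described above concrete, here is an added illustration in Python that is not part of the workbook or the Azure-Sentinel repository. It models the same idea: a watchlist maps each Use Case to ATT&CK technique IDs, each piece of Sentinel content is tagged with its Content Hub solution and techniques, and selecting a Use Case (optionally restricted to certain solutions) yields the matching analytic rules and hunting queries in the workbook's "ID | Name | Solution | Technique" layout, plus the techniques that none of the selected content covers (the gaps the workbook is meant to expose). The watchlist entries, rule IDs, names and solution assignments are all constructed sample data, not real Sentinel content.

```python
# Added example (not the workbook's own code): a small model of the
# Use Case -> ATT&CK technique -> Sentinel content mapping. All data below
# is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class ContentItem:
    """One piece of Sentinel content (analytic rule or hunting query)."""
    id: str
    name: str
    solution: str               # Content Hub solution that ships the item
    techniques: FrozenSet[str]  # ATT&CK technique IDs, e.g. "T1110"
    kind: str                   # "AnalyticRule" or "HuntingQuery"


# Constructed watchlist: Use Case -> ATT&CK techniques (hypothetical mapping).
USE_CASE_WATCHLIST: Dict[str, FrozenSet[str]] = {
    "Credential Exploitation": frozenset({"T1110", "T1003", "T1558"}),
    "Lateral Movement": frozenset({"T1021", "T1570"}),
}

# Constructed content inventory with placeholder IDs and names.
CONTENT: List[ContentItem] = [
    ContentItem("ar-0001", "Password spray detected", "Microsoft Entra ID",
                frozenset({"T1110"}), "AnalyticRule"),
    ContentItem("ar-0002", "LSASS memory access", "Windows Security Events",
                frozenset({"T1003"}), "AnalyticRule"),
    ContentItem("ar-0003", "RDP logon from unusual host", "Windows Security Events",
                frozenset({"T1021"}), "AnalyticRule"),
    ContentItem("hq-0001", "SMB lateral tool transfer", "Windows Security Events",
                frozenset({"T1570", "T1021"}), "HuntingQuery"),
]


def map_use_case(use_case: str,
                 selected_solutions: Optional[Iterable[str]] = None) -> dict:
    """Return the content matching the Use Case's techniques, optionally limited
    to the given solutions, plus the techniques no selected content covers."""
    if use_case not in USE_CASE_WATCHLIST:
        raise ValueError(f"unknown use case: {use_case!r}")
    wanted = USE_CASE_WATCHLIST[use_case]
    allowed = None if selected_solutions is None else set(selected_solutions)

    matches = [
        c for c in CONTENT
        if c.techniques & wanted and (allowed is None or c.solution in allowed)
    ]
    covered: set = set()
    for c in matches:
        covered |= c.techniques & wanted

    by_id = lambda c: c.id
    return {
        "analytic_rules": sorted((c for c in matches if c.kind == "AnalyticRule"), key=by_id),
        "hunting_queries": sorted((c for c in matches if c.kind == "HuntingQuery"), key=by_id),
        "uncovered_techniques": sorted(wanted - covered),  # the gaps
    }


def render_rows(items: List[ContentItem]) -> List[str]:
    """Rows in the workbook's 'ID | Name | Solution | Technique' layout."""
    return [f"{c.id} | {c.name} | {c.solution} | {', '.join(sorted(c.techniques))}"
            for c in items]


if __name__ == "__main__":
    for use_case in USE_CASE_WATCHLIST:
        result = map_use_case(use_case)
        print(f"== {use_case} ==")
        print("Analytic rules:")
        for row in render_rows(result["analytic_rules"]):
            print("  " + row)
        print("Hunting queries:")
        for row in render_rows(result["hunting_queries"]):
            print("  " + row)
        print("Techniques without coverage:", result["uncovered_techniques"] or "none")
```

Restricting the solutions, as the workbook's data-source filter does, shrinks the matched content and therefore grows the list of uncovered techniques; that second list is the actionable output, since each entry is a technique for which a Content Hub Solution should be added or updated.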
5. Conclusion
The Use Case Mapper Workbook is an invaluable tool for identifying gaps in your Sentinel environment and in the Content Hub Solutions you have established. It simplifies the process of supplementing your solutions to achieve a complete implementation. Additionally, it helps you stay informed about updates (such as new hunting queries, analytic rules, or workbooks) and makes it possible to integrate them promptly. The workbook also provides a clear picture of the threats and vulnerabilities that your solutions should mitigate, and where they can be found within the MITRE ATT&CK framework.