How to threat hunt effectively with Microsoft Azure Sentinel

According to Microsoft’s research, an average of 44% of security alerts that are raised by security solutions are not investigated because organisations lack the time, talent, or tools to investigate every single alert. Instead organisations choose to focus on alerts that are flagged as “critical” or “very important” and the lower severity alerts are ignored.

This is a concern because investigating those lower severity alerts could help reveal attacker behaviours that would otherwise go unnoticed and prevent more critical attacks. While traditional SIEMs exist to alleviate this security predicament, they are often too expensive to own and operate. They require you to commit up front and incur a high cost for infrastructure maintenance and data ingestion. That is why Azure Sentinel from Microsoft provides you with SIEM (Security Information and Event Management) -as-a-service and SOAR (Security Orchestration, Automation and Response)-as-a-service.

Microsoft Azure Sentinel is a powerful tool and as the first SIEM solution built directly into a major public cloud platform, it delivers intelligent security analytics across enterprise environments and offers automatic scalability to meet changing needs. Sentinel saves significant time in the cloud automatically investigates potential vulnerabilities and will automatically flag which threat alerts are important enough to follow up on. Sentinel collects security data across your entire hybrid organization from devices, users, apps, servers, and any cloud service. This data can help you to build a more complete picture of the threats that your organization faces, conduct deep threat hunts across your environment, and use the power of automation and orchestration in the cloud to help free up your security analysts to focus on more critical tasks.

A particularly useful feature of Azure Sentinel is its extensive proactive threat hunting capabilities that work to seek out attacks before alerts have even been raised. The hunter looks for irregularities that were not detected by the individual organisations’ security products and solutions. To do so, the hunters need to write, edit, and execute queries against the large volumes of data being logged and stored in their environment. Azure Sentinel has built-in hunting queries and guidance to help you ask the right questions about finding anomalies in that data.

Many security organisations are interested in adopting machine learning as part of their threat hunting capability. Azure security offers a build-your own machine learning platform for you to get all the flexibility to develop models for your unique business problem.

Further threat hunting techniques includes hunting using notebooks – Azure Sentinel has integrated the Jupyter notebook experience into the Azure portal. It provides full programmability and a huge collection of libraries for machine learning, visualisation, and data analysis. The core of Azure sentinel is the data store in Log Analytics, with Jupyter notebooks, this becomes a powerful hunting tool.

Log analytics’ bookmarks are used in threat hunting with Sentinel. Threat hunting typically requires reviewing colossal amounts of log data looking for evidence of malicious behaviour. During this exercise, hunters can use bookmarks to flag events that they want to remember, revisit, and analyse to aid security investigations.

Lastly, hunting in Azure Sentinel using livestream lets you create interactive sessions where you can test newly created queries as events occur against live data. They can be quickly created using any Log Analytics query.

Watch The TechTalk