4. Entity Behaviour Analytics in Microsoft Sentinel
Everyone and welcome back to my course, Security Operations Analyst, SC 200. In this lesson, we are going to talk about a capability in Microsoft Sentinel called entity behavioral analytics. cheval cheval Identifying threats within an organisation and their potential impact, whether a compromised entity or malicious insider, has always been a time-consuming and labor-intensive process, requiring sifting through alerts, connecting the dots, and active hunting. Expanded with minimal returns and the possibility of sophisticated threats evading this type of discovery.
Now elusive threats like zero-day attacks, targeted attacks, and advanced persistent threats can be the most dangerous to an organization, making their detection, let’s say, all the more critical. Now, user entity behaviour analytics in Microsoft Sentinel, also known as UEBA (U-E-B-A), basically eliminates the drudgery from your analysis workloads and the uncertainty, to put it mildly, from the efforts involved, and delivers a high-fidelity actionable. Intel, as Microsoft Sentinel Connect, collects data from its sources.
As I’ve mentioned, it builds these baselines of behavioural profiles, right? And it does so over time and across peer group horizons. Sentinel can then identify anomalous activity and assist you in determining if an asset has been compromised by using various techniques and machine-learning capabilities. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, or evaluate the potential impact of any given compromised asset. Now, armed with this information, you can imagine that you can effectively priorities the investigation and incident handling, right? So in this slide over here, you have an overview of the Microsoft Sentinel workflow, how the data gets in, and the user behavioural analytics engine that basically sniffs through the data, analyses it, creates baselines, and then alerts you to any kind of anomalies that it discovers. Here we have the security-driven analytics, and here, inspired by Gartner’s paradigm for user anti-behavioural solutions, Microsoft Sentinel provides an, let’s say, outside-in approach based on three frames of reference.
The first category is use cases. As a result of prioritizing relevant attack vectors and scenarios based on security research that is aligned with the Miter attack framework of tactics, techniques, and sub techniques, Basically, Microsoft Sentinel focuses specifically on the most valuable logs each data source provides. While first and foremost supporting Azure datasources, Microsoft Sentinel also selects third-party datasources to provide data that matches the threat scenarios in user anti-behavioural analytics. And then lastly, we have the analytics piece because in Sentinel, they’re using various machine learning algorithms that basically identify anomalous activities and present evidence clearly and concisely in the form of contextual enrichments. And there are some examples on the slide. Here we go. It triggers anomalies based on mapping to mitosis user and entity baselines, contextual, and behavioral analytics. It also filters the data based on industry-wide security research. And basically, this is the raw data ingestion, and I can see from the raw data ingestion of 100% that it is basically going through all of these filters over here. It essentially reduces false positives and returns a number of anomalous events of less than 1%. cheval And of course, in comparison with the user’s baseline profile, actions performed by a user, a host, or an IP address are evaluated contextually, where a true outcome indicates an identified anomaly.
And this can be across geographical locations, devices, or environments; across time and frequency horizons compared to a user’s own history, for example; compared to peers’ behavior; or compared to an organization’s behavior. Overall, each entity is scored with an investigation priority score, which basically determines the probability of a specific user performing a specific activity based on the behavioral learning of the user and their peers. Now let’s take a quick look at exploring the user entity behaviour information. So the entity behaviour page allows you to search for entities or select them from a list of already displayed entities. Once selected, the entity page is displayed with information and a timeline of alerts and activities. The incident investigation graph now includes an option for insights, which display information from the entity behaviour data. So, as you can see here from the slide, the entity pages are designed to be part of multiple usage scenarios.
So entity entity pages can be accessed from the incident page, from within the investigation graph, from bookmarks, and from the entity behavioural analytics blade from Microsoft Sentinel where you can actually search for entities, and all of these sources lead to the same actual page, which is the entity page. Now, when you display the entity timeline, basically you are presented, and let me change the slide over here very quickly, but we’ll also get into the portal, and I’ll show you there as well. So when you encounter an entity and select it, you are basically conducting a search, an alert, or an investigation. You can select the entity, and you will be taken to an entity page where you’ll find a data sheet full of useful information about that particular entity. Now, the types of information you’ll find include basic facts about the entity itself, a timeline of notable events related to this entity, and insights about the entity’s behavior. As you can see here on the page you even have a graph of the entity’s activities, a timeline of alerts and here on the right side we will see in the portal immediately you will have basically behavioural insights of this entity that you are looking for.
Now let’s get in the portal, and I’ll show you exactly how it looks live. So over here in Microsoft Sentinel, if we go to the entity behavioural blade over here, as you can see here, you can search for entities or you can directly select entities from the list. Now again, you can use accounts as hosts or IPS. So let’s select this account, for example, which is the one I’m using. And, as you can see, you are immediately presented with information, say, on the left side with the security identifiers and everything from Asia Ad. Then in the middle, you have a graph of the entity alerts and events over time. You also have a timeline of the alerts over here. And here are some insights. But again, we kind of don’t have any insights into our talent yet because we don’t have any data to work with. However, when you begin doing the hands-on labs from Section 1 to this section, you should already have data flowing into the tenant in your trial tenant. Of course, you should have an increasing amount of data in your tenant to play with and display. But again, here’s how the entity page looks like.
If I go back and we select the IP address as well, again, we will have a timeline of events and alerts. And here we go. We have more information here about this IP address. the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the of the This is my current city, Romania, Europe, first scene, last scene, and other information over here. and the more the lst, and the more the lst, and the more the lst, and the more the lst, and the more the lst, and the more the lst, and the more the lst, and the more the l And here again, we have no results, but you would have other detailed information and insights in regards to this IP address entity. Now, this brings our discussion to an end. I will see everyone in the next lesson, where we all talk about querying, visualizing, and monitoring data in Sentinel. And specifically, we are going to talk about workbooks. Until then, I hope this has been informative for you, and I thank you.
5. Workbooks in Microsoft Sentinel
Hello everyone and welcome back to my course, Microsoft Security Operations Analyst, SC 200. Now, in this last lesson of this section, we’re going to discuss using workbooks in Microsoft Sentinel. Microsoft Sentinel workbooks basically provide interactive reports or dashboards, however you want to call them, that help you visualize important signals by combining text, tables, charts, and tiles. cheval But you can use these templates to create your own workbooks and then modify them as needed for the specific requirements of your organization. Most of the data connectors that Microsoft Sentinel uses to ingest data come with their own workbooks. You can get better insight into the data that is being ingested by using tables and visualizations, including bar and pie charts.
You can also make your own workbooks, as I mentioned, from scratch instead of using the predefined templates. But again, it’s better to use a template and then adjust or modify it as per your requirements. Now, the Workbooks page contains the templates for the workbooks and the workbooks themselves. Let me get into the portal, and let me show you exactly what I’m talking about. So here on Microsoft Sentinel, if we go to the Workbooks page over here, as you can see, you have at the time of the recording of this course 116 available templates, right? And as soon as you see the workbook, it will go into your My Workbooks tab over here. Now these templates again have to do with any type of data connector that you already have connected. As an example, consider Microsoft 365 Defender.
Let’s see. Okay. Microsoft 365 security posture, right? But as you can see, we only have this data flowing in instead of all of these over here that have this workbook configured as data sources. But let’s take an easier workbook as an example. And let’s take a look at the Azure ad sign-ins. And here it is: the Azure ad sign-in logs workbook. What this does is basically present you with a nice way of visualizing your sign inactivity across your Azure advertising talent. This is because we already connected the Azure AD sign-in logs to our Microsoft Sentinel Workspace. As you can see here, the required data type is signing logs from the Microsoft Sentinel connector. So let’s click on “view template.” And here again, you will be presented with an overview of signing trends over time, all sign-ins, successful sign-ins, pending user actions, and more information. We can see that if we scroll down, and we can even see the detailed sign in the operating system from which the user signed in. And this would be available for all your users through your talent. Before we go back and edit this workbook, we have filters like “from the last 14 days” and “from the last 30 days.” You can use a custom time period. You can choose what apps you are interested in. To see the signings for, youcan choose specific name prefixes.
You can choose a user name that you’re interested in or any type of category. Okay, again, before you can actually edit this template or make adjustments to it, you need to save the template for that.I’m going to go back over here. I’m going to keep this template, select the Azure ad signing logs, and save it. Now we need to specify a location where we want this workbook to be saved. I’m going to choose the same location as the sentinel workspace, and I’m going to click on OK. Now once this workbook is saved, you will see that we have a button to view the saved workbook. And again, if I go over here, you will see Workbook over here. Now, if we click on Save Workbook, we will see that we have additional options here on the top right.
And I’ll return to the slides in a moment to show you what these actions do because I’ve put them all in a table. However, if you click on Edit Workbook, you will see that an edit button is available for each element in the workbook, such as the header, this graph over here below it, or this dashboard, let’s say over here, right. And once we click on it, this will open the actual query that’s behind this visual representation because all of these workbooks basically have a log analytics query in the backend behind them have a log analytics query.Again, you can change the appearance of the dashboard of the chart, you can choose what tiles you want, you can choose what size you want the tiles to be displayed, or even you can customise the Cousteau query over here, and you will basically change the workbook itself. Now, once you are done editing, don’t worry, you will have documentation. I’m not going to go into too much detail regarding this because I’ll leave you links with documentation in regards to workbooks and how to change them and customise them in the downloadable resources for this particular lesson. And you will also have a task in the hands-on lab at the end of the section to actually create a workbook from scratch and an Amanda workbook from a template. So once you’re done editing, you click on Done Editing or on Cancel if you don’t want to, of course, save the changes. You can even remove this tile from the workbook itself. This one with the sign in, you can removeit by clicking the Remove button over here.
Let’s say I’m done editing, and then, of course, you would want to save your workbook because you might want to save the changes that you’ve made to this particular workbook. Now, creating a workbook from scratch entails returning here and clicking on “Add Workbook,” after which you will begin building your workbook based on the cube queries you want to use or the data you want to visualise in your workbook. But from my point of view, it’s easier to take a template and then modify it as per your requirements. Because, once again, if I go to the templates over here and remove this search filter, you can see that there are 116 templates available for any type of connector within the environment, as well as many, many more workbooks to look at and go through. So again, please go through the workbooks and see what they all do and what insights they provide, because you have plenty of templates to choose from. And again, in the hands-on lab, you’ll have the opportunity to modify workbooks to work with them on your own. Now, this brings our discussion about workbooks to an end—not before going back to the slides and actually showing you the table that I wanted to show you.
And let me just go back to the slides very quickly over here and go to my last slide from the deck. And here is a table that summarises every action that you can do on a workbook from that top tile bar of actions. very important after you save your workbook. So you cannot edit a template, but you can edit a workbook of your own. So once you save a template as your own workbook, you will have all of these options available on the right-hand side of the workbook. Take a moment, go through the table, and see what each action does. This brings us to the end of our discussion for this lesson. And this also brings our section to an end. Please go through the lab for this section. Complete the hands-on lab. Of course, complete the review questions available for this section as well because they are meant to, let’s say, test your knowledge on the topics that we’ve discussed throughout the section. And I’ll see everyone in the next and final sections of the course, where we’ll talk about threat hunting capabilities in Microsoft Sentinel. Until then, I’ll just hope this has been informative for you and thank you for viewing.
