Azure Sentinel ~ What two months of operation feels like ~
fnifni
December 18, 2019
Technology
Publishing what I talked about at JAZUG#24
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用
Transcript
Azure Sentinel ~ What two months of operation feels like ~ JAZUG #24, 2019.12.18
Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu Yoshida @ Cloud Native Inc. Security Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
Μ͡Όɺຊ
ATTENTION !!! • ຊηογϣϯͷ༰ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ৫ɾஂମͷҙݟΛද͢ΔͷͰ ͋Γ·ͤΜ • ӡ༻͢Δ৫ʹΑͬͯશ͘ҟͳΔײʹͳΔ Մೳੑ͕͋Γ·͢ •
2019/12/16࣌ͷݕূ݁Ռʹج͖ͮ·͢
Topics not covered • ϥΠηϯεͷ • ଞࣾSIEMͱͷൺֱͷ • ϋϯςΟϯάͷਂ͍ •
Kustoͷ
օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ
Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰੳੳʂ
Inconvenient fact • ϩάΛੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔੑ͕Θ͔Βͳ͍ • ͦͦΞϥʔτ͕ଟ͗͢Δ
• ͬͱੳͰ͖͚ͨͲɺରԠ͜Ε͔Βɻɻɻ
ΫϥυαʔϏεͷϩά ΞϥʔτΛऩू/ੳͬͯ Ͳ͏͠Α͏ʁ
Major services for MS365 and Azure logging and alerting • Logs: Azure AD, Azure Activity, Azure Information Protection, Office365 (SharePoint, Exchange) • Alerts: Microsoft Cloud App Security (MCAS), Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
Α͠ʂSIEMͷಋೖͩʂ
Facts confronted with SIEM • ϩάੳͷଞʹΔ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά
• Πϯϑϥͷࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ
ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel
What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛ͳίωΫλͰ؆୯ଓ •
ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛѲ
ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠Λ͠·͢
ಋೖظ
A fine start • σʔλιʔεͱͷίωΫλͷଓɺੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨ઃఆ • ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ༰ ֬ೝ •
υΩϡϝϯτಡΈͳ͕Βେମ̏͘Β͍ ʢ13ʙ4࣌ؒʣ
a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ͖Δʣ • ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠
• ༗ޮԽͨ͠ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ͢Δ᠘͕͋ͬͨ
What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ͬͯͨͷ͕ޭΛͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏ • άϩʔόϧཧऀͷݖݶͰૢ࡞Ͱ͖ͨ
First impression • UI͕γϯϓϧͰɺػೳ͕Ѳ͍͢͠ (ԿछྨʮϒοΫʯ͕͋ΔͷͰࠞཚ͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ
Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ
Կ͕ى͖Δ͔ ࣮ྫΛগ͠հ
Gap that can be easily found • Login to AWS Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹMFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ༗༻
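The first "easy to find" gap is Sentinel's "Login to AWS Management Console without MFA" rule. As an added example (not code from the deck and not Microsoft's rule definition), the following Python reproduces that rule's logic over a constructed CloudTrail file, and adds one tuning of its own: sessions federated through an IdP (CloudTrail `userIdentity.type` of `AssumedRole` or `FederatedUser`) authenticate, and do MFA, at the IdP, so CloudTrail reports `MFAUsed = "No"` for them and they are skipped by default. The account id, user names and IP addresses in the sample are constructed; the field names follow the CloudTrail `ConsoleLogin` event format.

```python
"""Flag successful AWS Management Console sign-ins that did not use MFA.

Added example, not from the deck: the logic of the Sentinel rule
"Login to AWS Management Console without MFA", with an assumed
allowance for IdP-federated sessions (MFA enforced at the IdP).
"""
import json

# Constructed CloudTrail file content (one "Records" array, as CloudTrail writes it).
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # IAM user, interactive sign-in, no MFA -> should be flagged
        "eventTime": "2019-12-16T00:12:31Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No", "LoginTo": "https://console.aws.amazon.com/"},
    },
    {   # IAM user with MFA -> fine
        "eventTime": "2019-12-16T00:20:05Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.11",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::111122223333:user/bob"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # SAML-federated session: MFA happened at the IdP, CloudTrail says "No"
        "eventTime": "2019-12-16T01:03:44Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.12",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/IdPAdmin/carol"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No",
                                "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/IdP"},
    },
    {   # root sign-in without MFA -> flagged, and worth a higher severity
        "eventTime": "2019-12-16T02:40:00Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # failed attempt: a different rule's business, not this one
        "eventTime": "2019-12-16T03:01:12Z", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "userName": "dave",
                         "arn": "arn:aws:iam::111122223333:user/dave"},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # unrelated API call, ignored
        "eventTime": "2019-12-16T03:05:00Z", "eventName": "DescribeInstances",
        "sourceIPAddress": "198.51.100.10",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "responseElements": None,
    },
]})


def load_records(text):
    """Parse a CloudTrail log file (JSON with a top-level "Records" list)."""
    return json.loads(text)["Records"]


def console_logins_without_mfa(records, ignore_federated=True):
    """Return one finding per successful ConsoleLogin that reports MFAUsed != "Yes".

    ignore_federated skips AssumedRole / FederatedUser sessions, where MFA is
    the IdP's job and CloudTrail cannot see it (assumed tuning, see lead-in).
    """
    findings = []
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        if (rec.get("responseElements") or {}).get("ConsoleLogin") != "Success":
            continue
        identity = rec.get("userIdentity") or {}
        extra = rec.get("additionalEventData") or {}
        if extra.get("MFAUsed") == "Yes":
            continue
        if ignore_federated and identity.get("type") in ("AssumedRole", "FederatedUser"):
            continue
        findings.append({
            "time": rec.get("eventTime"),
            "principal": identity.get("userName") or identity.get("arn"),
            "identity_type": identity.get("type"),
            "source_ip": rec.get("sourceIPAddress"),
            "severity": "High" if identity.get("type") == "Root" else "Medium",
        })
    return findings


if __name__ == "__main__":
    for f in console_logins_without_mfa(load_records(SAMPLE_CLOUDTRAIL)):
        print(f)
```

Run as-is it reports the IAM user and the root sign-in; with `ignore_federated=False` the SAML session is reported too, which is the noise the slide describes for an organisation that does MFA at the IdP.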
Gap that can be easily found • New UserAgent observed in last 24 hours • 24࣌ؒҎʹར༻͞ΕͨUAΛɺաڈ14ؒ ৼΓฦͬͯɺ৽͍͠ͷΛ௨͢Δ • ΄΅ຖग़Δ • ϒϥβΞοϓσʔτɺCloudTrail͔Βଟ
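The second gap is the "New UserAgent observed in last 24 hours" rule, which compares the user agents seen in the last 24 hours against the previous 14 days. As an added example (not code from the deck or from Microsoft), the Python below implements that comparison over constructed sign-in records and goes one step further than the rule as described: it can collapse version numbers before comparing, so a routine browser update does not look like a new client while a genuinely new tool still does, and it can baseline per account instead of globally. The sample data, user names, the `normalize_ua` helper and the parameter names are this example's own assumptions.

```python
"""Detect user agents not seen during a lookback baseline.

Added example, not from the deck: the "new UA in last 24h vs. previous
14 days" logic, plus an assumed version-stripping normalisation and an
optional per-account baseline.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed reference time (the deck's verification date).
NOW = datetime(2019, 12, 16, 9, 0, tzinfo=timezone.utc)


def _ago(**kwargs):
    return NOW - timedelta(**kwargs)


# Constructed user agent strings.
UA_CHROME78 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36")
UA_CHROME79 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36")
UA_EDGE = UA_CHROME78 + " Edg/78.0.276.24"
UA_AWSCLI = "aws-cli/1.16.300 Python/3.7.4 Darwin/18.7.0 botocore/1.13.36"
UA_CURL = "curl/7.64.1"

# Constructed sign-in records: (timestamp, account, user agent).
SAMPLE_SIGNINS = [
    (_ago(days=10), "alice", UA_CHROME78),   # baseline
    (_ago(days=3), "alice", UA_CHROME78),    # baseline
    (_ago(days=5), "bob", UA_EDGE),          # baseline
    (_ago(days=2), "alice", UA_AWSCLI),      # baseline
    (_ago(days=20), "bob", UA_CURL),         # older than the lookback: not baselined
    (_ago(hours=6), "alice", UA_CHROME79),   # window: browser update only
    (_ago(hours=2), "bob", UA_CURL),         # window: genuinely new client
    (_ago(hours=1), "carol", UA_CHROME78),   # window: known UA, but new for carol
    (_ago(hours=3), "bob", UA_EDGE),         # window: nothing new
]

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def normalize_ua(ua):
    """Collapse version numbers so a browser update does not read as a new client."""
    return _VERSION_RE.sub("x", ua)


def new_user_agents(signins, now=NOW, lookback_days=14, window_hours=24,
                    per_account=False, normalize=True):
    """Return user agents first seen in the last window_hours that did not
    appear in the lookback_days before that window."""
    window_start = now - timedelta(hours=window_hours)
    baseline_start = now - timedelta(days=lookback_days)
    baseline = set()
    recent = {}  # key -> (first_seen, account, raw user agent)
    for ts, account, raw_ua in signins:
        ua = normalize_ua(raw_ua) if normalize else raw_ua
        key = (account if per_account else "*", ua)
        if baseline_start <= ts < window_start:
            baseline.add(key)
        elif window_start <= ts <= now:
            if key not in recent or ts < recent[key][0]:
                recent[key] = (ts, account, raw_ua)
        # anything older than the lookback is ignored on purpose
    findings = [
        {"account": account, "user_agent": key[1], "example": raw_ua, "first_seen": ts}
        for key, (ts, account, raw_ua) in recent.items()
        if key not in baseline
    ]
    findings.sort(key=lambda f: (f["account"], f["user_agent"]))
    return findings


if __name__ == "__main__":
    print("raw, global:", [f["example"] for f in new_user_agents(SAMPLE_SIGNINS, normalize=False)])
    print("normalised, global:", [f["example"] for f in new_user_agents(SAMPLE_SIGNINS)])
    print("normalised, per account:",
          [(f["account"], f["example"]) for f in new_user_agents(SAMPLE_SIGNINS, per_account=True)])
```

On the sample data the raw comparison flags both the Chrome 79 update and the curl client, the normalised comparison flags only curl, and the per-account variant additionally flags the known Chrome UA for the account that had never used it. Which of these three is the right trade-off is exactly the tuning question the slide raises.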
ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ͋Δ
Amazing Alerts • Attempt to bypass conditional access rule in Azure AD • ͖݅ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •
ؔ࿈͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)
ؔ࿈ੑΘ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ
What does this do? • ৄࡉΛ͍ͬͯ࣌͘ɺAzure Sentinel͚ͩͰ ͳ͘ɺଞͷػೳซ༻ͨ͠ํ͕Θ͔Γ͢ ͍߹͕͋Δ •
ͯ͢ΛΫΤϦʔͰੳ͠ͳͯ͘ɺ அ͢Δज़͕ෳ͋Δͱָʢ͔ʣ
݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ
SOARʹ͍ͭͯ
What is SOAR ? • Security Orchestration Automation and Response • Cyber Security FrameworkͰ
SOAR in Azure Sentinel • Logic AppΛͬͯΞΫγϣϯΛఆٛͰ͖Δ • ΈࠐΈͷίωΫλΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺΈ߹ΘͤΔ͚ͩͰ࡞ΕΔ
• ಈతίϯςϯπΛΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘ΛΈࠐΊΔ
Configuration Example
Current SOAR Use Cases • ·ͣɺSlack௨͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •
ΞϥʔτҰൃͰΞΧϯταʔόʔࢭΊΒΕͳ͍ • ఆܕతͳՃௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
The reality is quite difficult • Changes to AWS Security Group ingress and egress settings • มߋ༰Λಛఆ͢ΔΫΤϦΛΜͰɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹߘͱ͔͠ͳ͍ͱμϝʁ
͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕Γͳ͍ʀʀ
ϋϯςΟϯάʹ͍ͭͯ
What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత
• ϋϯςΟϯάʹඇఆܗ
Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
How to use hunting now • ࣄલఆٛͷΫΤϦʔɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎΛಘΔ • ॳΊҰׅ࣮ߦΛͯ͠ΈͯɺΧϯτ͕ग़ͨΫ
ΤϦʔͷ༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤৫ͷݸੑ͕৭ೱ͘ग़Δ෦ • ϊΠζؚΉͷͰɺղऍΛཧ͢Δͱ͜Ζ͔Β
ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ
I found some interesting data
Ͳ͏͑ͦ͏͔ ߟ͑த
ؓٳ
SIEMӡ༻ۀͱ ಇ͖ํվֵ
SIEM operator saw • ӽޙ౬ͰӦۀ୲ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲ͷࣗσεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊهʣ •
ଓݩIP192.168.1.6
SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ࠷৽ • ௐࠪ։࢝࣌ͰωοτϫʔΫ্ʹ֘IPΛ Ϧʔε͞Ε͍ͯΔػث͍ͳ͍
• ൃੜ࣌ؒଳʹ৺ͨΓɾɾɾʁ
What was going on? • ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱࣄ͕Ͱ͖Δ
Α͏ʹͳΔͱɺݸਓڥىҼͷΞϥʔττ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ
ͳΔ΄Ͳ ӡ༻ͷΠϝʔδΘ͔ͬͨ
SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ
SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸσʔλ৵Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰੳ͠ɺΠϯγσϯτରԠɺՊֶ ࠪɺن੍ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢ͷʢ˞ʣ
(※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb
Պֶࠪ || ϑΥϨϯδοΫ
Ϋϥυ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜͰʂ
ΞʔΧΠϒͨ͠SyslogΛ ੳ͍ͨ͠
Inconvenient facts • ݱ࣌ͰɺAzure SentinelʹΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩάऔΓࠐ·Ε
ͳ͍ʢ͓ͦΒ͘ຆͲͷMWରԠͯ͠ͳ͍ʁʣ
ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε ͍͍Μ͡ΌͶʁ
SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑ ͍͍Μ͡ΌͶʁ
ΑΖ͍͠ ͳΒ࣮ͩ
https://www.fnifni.net/azure-sentinel-cunstomlog/
ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ
Inconvenient facts • ΧελϜϩάઃఆ࣌ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •
อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ
·ͩ·ͩಓͷΓݥ͍͠
͓·͚
If you want to start now • ։࢝ؒͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •
IntuneʹͦΜͳ͕࣌͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔
wrap up • ࢝ΊΔͷඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔײత • SOARɺΞϥʔτੳͷิॿ͔Β
• աڈσʔλͷੳ·ͰͷಓͷΓ·ͩݥ͍͠
Thank you !