Azure Sentinel ~ Impressions from two months of operation since deployment ~

fnifni
December 18, 2019


Publishing what I talked about at JAZUG#24.
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用 (SIEM operations)


Transcript

  1. Azure Sentinel: feeling of operation for two months. At JAZUG #24, 2019.12.18

  2. Azure Sentinel: impressions from two months of operation since deployment. At JAZUG #24, 2019.12.18

  3. Who Am I !? (Who are you?) • Hirokazu Yoshida @ Cloud Native Inc., Security Engineer • Community: Security-JAWS • Favorite Azure Service https://www.fnifni.net/

  4. OK then, on to the main topic

  5. ATTENTION !!! • The content of this session is my personal opinion and does not represent the views of the organization or group I belong to • Impressions may differ completely depending on the organization doing the operating • Based on verification results as of 2019/12/16

  6. Topics not covered • Licensing • Comparison with other vendors' SIEMs • Hunting in depth • Kusto

  7. Everyone: what are you doing with your logs?

  8. Common Interactions • We're storing them! • We can look at them if something happens! • We've set things up so they can be analyzed in the SIEM! • When an alert fires, we analyze, analyze in the SIEM!

  9. Inconvenient fact • No method for analyzing the logs has been decided • No trigger for analyzing the logs has been decided • The relationship between alerts and logs is not understood • There are simply too many alerts in the first place • We finally managed to analyze, but the response is still to come...

  10. How should we collect and analyze the logs and alerts from cloud services?

  11. Major services for MS365 and Azure logging and alerting • Logs: Azure AD, Azure Activity, Azure Information Protection, Office365 (SharePoint, Exchange) • Alerts: Microsoft Cloud App Security (MCAS), Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection

  12. Right! Time to deploy a SIEM!

  13. Facts confronted with SIEM • A mountain of work besides log analysis • Building servers, storage and networks • Scaling, clustering, tuning • Infrastructure monitoring and maintenance • Infrastructure security design and configuration

  14. What showed up in this grim thread was Azure Sentinel

  15. What is Azure Sentinel? • Cloud-native SIEM (fully managed infrastructure) • Easy connection through a rich set of connectors • Predefined visualization templates and alert queries (being updated continuously!) • The Graph feature lets you grasp alert correlation in the GUI

  16. Here is the story of two months spent getting cozy with that lovely Sentinel

  17. Deployment phase

  18. A fine start • Connecting connectors to data sources, enabling analytics templates (74 of them), and setting up alert notifications with playbooks • Checking the contents of the analytics templates and hunting templates • About 3 days while reading the documentation (3 to 4 hours a day)

  19. a small stumbling block • Basically click-click work (you get bored quickly) • I worked in the order: enable analytics templates -> configure playbooks • That led to the trap of having to register a playbook for every single enabled analytics template

  20. What was good? • Having fiddled with each data source's settings one by one up to now paid off • The documentation is fairly helpful • Everything could be done with Global Administrator privileges

  21. First impression • The UI is simple and the features are easy to grasp (there are several kinds of "books", which is confusing) • Data starts flowing right away and you can get going right away • The predefined visualization templates give you visualization immediately

  22. None
  23. Let's start alert operations

  24. A few real examples of what happens

  25. Gap that can be easily found • Login to AWS Management Console without MFA • MFA is configured separately at the IdP, so we do not log in to the AWS console directly with MFA • Useful for people who do not use SSO via an IdP or similar

  26. Gap that can be easily found • New UserAgent observed in last 24 hours • Looks back over the past 14 days at the UAs used within the last 24 hours and reports the new ones • Fires almost every day • Many come from browser updates and from CloudTrail

  27. There are also alerts that are (genuinely?) helpful

  28. Amazing Alerts • Attempt to bypass conditional access rule in Azure AD • Someone is trying to bypass a conditional access rule • SEVERITY: Low
  29. None
  30. What does this do? • The Graph feature displays the relationships between alerts intuitively, keyed by entity • Helps with alert triage • Entities that get correlated • IP, Account, HostName, URL (more planned)

  31. I understand the relationships, but what is this IP?

  32. None
  33. None
  34. What does this do? • When chasing down details, it is sometimes easier to understand by using other features alongside Azure Sentinel rather than Sentinel alone • Having several ways to make a judgment without analyzing everything with queries makes life easier (maybe)

  35. So in the end, do you check the alert and then act?

  36. About SOAR

  37. What is SOAR? • Security Orchestration Automation and Response • In the Cyber Security Framework:

  38. SOAR in Azure Sentinel • Actions can be defined using Logic Apps • Built-in connectors and actions are provided, so you can build one just by combining them • By embedding dynamic content you can include values based on the alert

  39. Configuration Example

  40. Current SOAR Use Cases • Starting with Slack notifications • The alert permalink cannot be sent, so the dashboard URL is hard-coded (sob) • An account or server cannot be shut down on the strength of a single alert • I would at least like to support alert handling with the results of routine additional investigation, but...

  41. The reality is quite difficult • Changes to AWS Security Group ingress and egress settings • Even if I build a query that pinpoints what changed, the result cannot be handed over to the next action? • Do I have to receive the webhook with API Gateway + Lambda and post a permalink to the CloudTrail event to Slack?

  42. I tried a lot of things, but my training is not enough ;;

  43. About hunting

  44. What is Hunting? • A method of proactively hunting threats that have already intruded, using log analysis, machine learning and the like • Alerts are formulaic • Hunting is not

  45. Hunting in Azure Sentinel • 84 predefined hunting queries are registered (updated continuously) • Queries are provided for each phase of the Cyber Kill Chain • They can all be run in one go

  46. How to use hunting now • The predefined queries give insights that serve as clues for hunting • Start by running them all at once and checking the contents of the queries that return a count • This is the part where each organization's individuality shows most strongly • They include noise, so start by sorting out how to interpret them

  47. Before hunting, it is all about the data, right?

  48. I found some interesting data

  49. Still thinking about how it could be used

  50. A short digression

  51. SIEM operations work and the work-style reform

  52. SIEM operator saw • An alert arrived while on a Zoom call with a sales rep in Echigo-Yuzawa • The sales rep's home desktop is being brute-forced (51 recorded login failures) • The source IP is 192.168.1.6

  53. SIEM operator saw • The home router keeps DHCP logs for 1 hour • The home router's firmware is up to date • At the time the investigation started, no device on the network had been leased that IP • Anything that comes to mind for that time window...?

  54. What was going on? • A certain feature of a certain game console was trying to log in as guest to devices on the network to find a save location (default behavior) • As the work-style reform progresses and people can work from anywhere, alerts and trouble originating in personal environments start to occur

  55. OK, now I get the picture of what operations look like

  56. Is that all there is to SIEM use cases?

  57. SIEM Use Cases • Something that analyzes event data in real time for the early detection of targeted attacks and data breaches, and satisfies the need to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance (※) (※) Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb

  58. Scientific investigation || Forensics

  59. It is not just the cloud, there are server logs too!

  60. I want to analyze archived syslog

  61. Inconvenient facts • At present, Azure Sentinel has no connector for ingesting archived logs • It assumes logs arrive as a stream • Logs that do not conform to the Syslog schema are not ingested (probably most middleware does not comply?)

  62. What if I just turn the archived syslog into a stream?

  63. If it will not take the Syslog schema, what if I feed it in as a custom log?

  64. Very well. Then it is implementation time

  65. https://www.fnifni.net/azure-sentinel-cunstomlog/

  66. None
  67. I was able to query with the original timestamps!

  68. Inconvenient facts • If you set the timestamp when configuring the custom log, TimeGenerated can be set to the original time • Currently hitting trouble where custom fields cannot be configured ;; • Looks like the battle with the retention period is about to begin...

  69. The road ahead is still rough

  70. Bonus

  71. If you want to start now • Perhaps because the service launched so recently, support feels attentive • Intune once had a period like that too • If you want to try various things, now may be the time

  72. wrap up • Getting started is extremely easy • Having to think about infrastructure has dropped dramatically • Alert correlation is intuitive • SOAR starts from assisting alert analysis • The road to analyzing historical data is still rough
  73. Thank you !
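The "New UserAgent observed in last 24 hours" rule from slide 26, and the noise it produces from browser updates, as an added Python example (not code from the deck or from Azure Sentinel): it applies the 24-hour/14-day comparison to constructed sign-in records and then shows one way to collapse version numbers so that a patch update stops looking like a new agent. The record layout, account names and user agents are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sign-in records (timestamp, account, user agent); not from the deck.
NOW = datetime(2019, 12, 16, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (NOW - timedelta(days=20), "carol", "curl/7.64.1"),                        # older than the 14-day baseline
    (NOW - timedelta(days=10), "alice", "Mozilla/5.0 Chrome/78.0.3904.108"),
    (NOW - timedelta(days=3), "bob", "aws-cli/1.16.300 Python/3.7.5"),
    (NOW - timedelta(hours=20), "alice", "Mozilla/5.0 Chrome/78.0.3904.125"),  # browser patch update
    (NOW - timedelta(hours=5), "bob", "aws-cli/1.16.300 Python/3.7.5"),
    (NOW - timedelta(hours=2), "carol", "curl/7.64.1"),
]


def new_user_agents(events, now, recent=timedelta(hours=24),
                    lookback=timedelta(days=14), key=lambda ua: ua):
    """Slide-26 rule: user agents seen in the last `recent` window that did not
    appear in the `lookback` window before it. Returns {key(ua): sorted accounts}.
    `key` decides what counts as "the same" user agent (identity by default)."""
    recent_start = now - recent
    baseline_start = recent_start - lookback
    baseline = {key(ua) for ts, _, ua in events if baseline_start <= ts < recent_start}
    found = {}
    for ts, account, ua in events:
        if recent_start <= ts <= now and key(ua) not in baseline:
            found.setdefault(key(ua), set()).add(account)
    return {k: sorted(v) for k, v in found.items()}


def strip_versions(ua):
    """Collapse 'name/1.2.3.4' to 'name/1' so that a patch-level browser update is
    not reported as a brand-new user agent. Added noise filter, not part of the
    built-in rule; note that it also hides genuinely new minor versions."""
    return re.sub(r"/(\d+)(?:\.\d+)+", r"/\1", ua)


def demo():
    """Run the rule raw and with the version filter over the sample records."""
    raw = new_user_agents(SAMPLE_EVENTS, NOW)
    filtered = new_user_agents(SAMPLE_EVENTS, NOW, key=strip_versions)
    return raw, filtered


if __name__ == "__main__":
    for label, result in zip(("raw", "version-stripped"), demo()):
        print(label, result)
```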
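The archived-syslog path from slides 60 to 68, as an added Python example (not the deck's or Microsoft's code): it converts RFC 3164 lines, which carry no year, into flat records whose timestamp field keeps the original event time, the value that slide 68 maps onto TimeGenerated, and it keeps the lines a Syslog-schema ingestion would reject rather than losing them. The sample lines and the record layout are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed archived syslog lines (RFC 3164: no year, no time zone); not from the deck.
ARCHIVED_LINES = [
    "Dec 31 23:59:58 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    "Jan  1 00:00:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    "Jan  1 00:00:09 web01 CRON[2310]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "this line is not syslog and a schema-bound connector would drop it",
]
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def to_custom_log_records(lines, start_year, tz=timezone.utc):
    """Turn archived RFC 3164 lines into flat records whose `timestamp` field holds
    the original event time (ISO 8601, with zone), the field a custom-log ingestion
    maps onto TimeGenerated. RFC 3164 carries no year, so `start_year` applies to the
    first line and is advanced when the month wraps (Dec -> Jan). Unparseable lines
    are returned separately instead of being silently lost."""
    year, last_month = start_year, 0
    records, rejected = [], []
    for line in lines:
        m = SYSLOG_RE.match(line)
        month = MONTHS.get(m["mon"]) if m else None
        if month is None:
            rejected.append(line)
            continue
        if month < last_month:  # archive crossed a year boundary
            year += 1
        last_month = month
        hh, mi, ss = (int(x) for x in m["time"].split(":"))
        records.append({
            "timestamp": datetime(year, month, int(m["day"]), hh, mi, ss, tzinfo=tz).isoformat(),
            "host": m["host"],
            "app": m["app"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "message": m["msg"],
        })
    return records, rejected


def to_json_lines(records):
    """One JSON object per line, the shape a custom-log ingestion can consume."""
    return "\n".join(json.dumps(r, ensure_ascii=False) for r in records)
```

Calling to_custom_log_records(ARCHIVED_LINES, start_year=2018) yields three records dated 2018-12-31 and 2019-01-01 plus one rejected line.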