Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~

Transcript

1. Azure Sentinel Feeling of operation for two months At JAZUG

   # 24 2019.12.18

2. Azure Sentinel ಋೖ͔Β2ϲ݄ؒͷӡ༻ͷഽײ JAZUG # 24 ʹͯ 2019.12.18

3. Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security

   Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/

4. Μ͡Όɺຊ୊

5. ATTENTION !!! • ຊηογϣϯͷ಺༰͸ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ૊৫ɾஂମͷҙݟΛ୅ද͢Δ΋ͷͰ ͸͋Γ·ͤΜ • ӡ༻͢Δ૊৫ʹΑͬͯશ͘ҟͳΔײ૝ʹͳΔ Մೳੑ͕͋Γ·͢ •

   2019/12/16࣌఺ͷݕূ݁Ռʹج͖ͮ·͢

6. Topics not covered • ϥΠηϯεͷ࿩ • ଞࣾSIEMͱͷൺֱͷ࿩ • ϋϯςΟϯάͷਂ͍࿩ •

   Kustoͷ࿩

7. օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ

8. Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰ෼ੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰ෼ੳ෼ੳʂ

9. Inconvenient fact • ϩάΛ෼ੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛ෼ੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔ܎ੑ͕Θ͔Βͳ͍ • ͦ΋ͦ΋Ξϥʔτ͕ଟ͗͢Δ

   • ΍ͬͱ෼ੳͰ͖͚ͨͲɺରԠ͸͜Ε͔Βɻɻɻ

10. Ϋϥ΢υαʔϏεͷϩά΍ ΞϥʔτΛऩू/෼ੳͬͯ Ͳ͏͠Α͏ʁ

11. Major services for MS365 and Azure logging and alerting •

    ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection

12. Α͠ʂSIEMͷಋೖͩʂ

13. Facts confronted with SIEM • ϩά෼ੳͷଞʹ΍Δ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά

    • Πϯϑϥͷ؂ࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ

14. ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel

15. What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛෋ͳίωΫλͰ؆୯઀ଓ •

    ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛ೺Ѳ

16. ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠࿩Λ͠·͢

17. ಋೖظ

18. A fine start • σʔλιʔεͱͷίωΫλͷ઀ଓɺ෼ੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨஌ઃఆ • ෼ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ಺༰ ֬ೝ •

    υΩϡϝϯτಡΈͳ͕Βେମ̏೔͘Β͍ ʢ1೔3ʙ4࣌ؒʣ

19. a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ๞͖Δʣ • ෼ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠

    • ༗ޮԽͨ͠෼ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ࿥͢Δ᠘͕͋ͬͨ

20. What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ΍ͬͯͨͷ͕ޭΛ૗ͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏਌੾ • άϩʔόϧ؅ཧऀͷݖݶͰૢ࡞Ͱ͖ͨ

21. First impression • UI͕γϯϓϧͰɺػೳ͕೺Ѳ͠΍͍͢ (Կछྨ΋ʮϒοΫʯ͕͋ΔͷͰࠞཚ͸͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ

22. None

23. Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ

24. Կ͕ى͖Δ͔ ࣮ྫΛগ͠঺հ

25. Gap that can be easily found • Login to AWS

    Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹ͸௚઀MFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ͸༗༻

26. Gap that can be easily found • New UserAgent observed

    in last 24 hours • 24࣌ؒҎ಺ʹར༻͞ΕͨUAΛɺաڈ14೔ؒ ৼΓฦͬͯɺ৽͍͠΋ͷΛ௨஌͢Δ • ΄΅ຖ೔ग़Δ • ϒϥ΢βΞοϓσʔτɺCloudTrail͔Βଟ਺

27. ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ΋͋Δ

28. Amazing Alerts • Attempt to bypass conditional access rule in

    Azure AD • ৚݅෇͖ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
29. None

30. What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛ௚ײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •

    ؔ࿈෇͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)

31. ؔ࿈ੑ͸Θ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ

32. None
33. None

34. What does this do? • ৄࡉΛ௥͍ͬͯ࣌͘͸ɺAzure Sentinel͚ͩͰ ͸ͳ͘ɺଞͷػೳ΋ซ༻ͨ͠ํ͕Θ͔Γ΍͢ ͍৔߹͕͋Δ •

    ͢΂ͯΛΫΤϦʔͰ෼ੳ͠ͳͯ͘΋ɺ ൑அ͢Δज़͕ෳ਺͋Δͱָʢ͔΋ʣ

35. ݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ

36. SOARʹ͍ͭͯ

37. What is SOAR ? • Security Orchestration Automation and Response

    • Cyber Security FrameworkͰ͸

38. SOAR in Azure Sentinel • Logic AppΛ࢖ͬͯΞΫγϣϯΛఆٛͰ͖Δ • ૊ΈࠐΈͷίωΫλ΍ΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺ૊Έ߹ΘͤΔ͚ͩͰ࡞ΕΔ

    • ಈతίϯςϯπΛ૊ΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘஋Λ૊ΈࠐΊΔ

39. Configuration Example

40. Current SOAR Use Cases • ·ͣ͸ɺSlack௨஌͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •

    ΞϥʔτҰൃͰΞΧ΢ϯτ΍αʔόʔ͸ࢭΊΒΕͳ͍ • ఆܕతͳ௥Ճௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ

41. The reality is quite difficult • Changes to AWS Security

    Group ingress and egress settings • มߋ಺༰Λಛఆ͢ΔΫΤϦΛ૊ΜͰ΋ɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖౉ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹ౤ߘͱ͔͠ͳ͍ͱμϝʁ

42. ͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕଍Γͳ͍ʀʀ

43. ϋϯςΟϯάʹ͍ͭͯ

44. What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ΍ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత

    • ϋϯςΟϯάʹඇఆܗ

45. Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ࿥͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber

    Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ

46. How to use hunting now • ࣄલఆٛͷΫΤϦʔ͸ɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎ࡯ΛಘΔ • ॳΊ͸Ұׅ࣮ߦΛͯ͠ΈͯɺΧ΢ϯτ͕ग़ͨΫ

    ΤϦʔͷ಺༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤૊৫ͷݸੑ͕৭ೱ͘ग़Δ෦෼ • ϊΠζ΋ؚΉͷͰɺղऍΛ੔ཧ͢Δͱ͜Ζ͔Β

47. ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ

48. I found some interesting data

49. Ͳ͏࢖͑ͦ͏͔ ߟ͑த

50. ؓ࿩ٳ୊

51. SIEMӡ༻ۀ຿ͱ ಇ͖ํվֵ

52. SIEM operator saw • ӽޙ౬୔ͰӦۀ୲౰ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲౰ͷࣗ୐σεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊه࿥ʣ •

    ઀ଓݩIP͸192.168.1.6

53. SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά͸1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ͸࠷৽ • ௐࠪ։࢝࣌఺ͰωοτϫʔΫ্ʹ͸౰֘IPΛ Ϧʔε͞Ε͍ͯΔػث͸͍ͳ͍

    • ൃੜ࣌ؒଳʹ৺౰ͨΓ͸ɾɾɾʁ

54. What was going on? • ๭ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱ΋࢓ࣄ͕Ͱ͖Δ

    Α͏ʹͳΔͱɺݸਓ؀ڥىҼͷΞϥʔτ΍τ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ

55. ͳΔ΄Ͳ ӡ༻ͷΠϝʔδ͸Θ͔ͬͨ

56. SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ

57. SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸ΍σʔλ৵֐Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰ෼ੳ͠ɺΠϯγσϯτରԠɺՊֶ૞ ࠪɺن੍΁ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢΋ͷʢ˞ʣ

    (※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb

58. Պֶ૞ࠪ || ϑΥϨϯδοΫ

59. Ϋϥ΢υ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜ΍Ͱʂ

60. ΞʔΧΠϒͨ͠SyslogΛ ෼ੳ͍ͨ͠

61. Inconvenient facts • ݱ࣌఺Ͱ͸ɺAzure Sentinelʹ͸ΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩά͸औΓࠐ·Ε

    ͳ͍ʢ͓ͦΒ͘ຆͲͷMW͸ରԠͯ͠ͳ͍ʁʣ

62. ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε͹ ͍͍Μ͡ΌͶʁ

63. SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑͹ ͍͍Μ͡ΌͶʁ

64. ΑΖ͍͠ ͳΒ͹࣮૷ͩ

65. https://www.fnifni.net/azure-sentinel-cunstomlog/

66. None

67. ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ

68. Inconvenient facts • ΧελϜϩάઃఆ࣌఺ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •

    อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ

69. ·ͩ·ͩಓͷΓ͸ݥ͍͠

70. ͓·͚

71. If you want to start now • ։࢝ؒ΋ͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •

    Intuneʹ΋ͦΜͳ࣌୅͕͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔΋

72. wrap up • ࢝ΊΔͷ͸ඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ͸֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔ௚ײత • SOAR͸ɺΞϥʔτ෼ੳͷิॿ͔Β

    • աڈσʔλͷ෼ੳ·ͰͷಓͷΓ͸·ͩݥ͍͠

73. Thank you !