Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
Search
fnifni
December 18, 2019
Technology
2
870
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
JAZUG#24で喋った内容を公開します
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用
fnifni
December 18, 2019
Tweet
Share
More Decks by fnifni
See All by fnifni
踏み台環境におけるAmazon Maice活用の提案 #secjaws #secjaws08
fnifni21
0
2.5k
Deep Securityの運用TIPS
fnifni21
1
550
Deep Securityのホットデータを活用する ~AWS WAFの場合~
fnifni21
0
910
Other Decks in Technology
See All in Technology
Geospatialの世界最前線を探る [2025年版]
dayjournal
0
160
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
3
5.5k
データエンジニアがこの先生きのこるには...?
10xinc
0
470
【Oracle Cloud ウェビナー】クラウド導入に「専用クラウド」という選択肢、Oracle AlloyとOCI Dedicated Region とは
oracle4engineer
PRO
3
120
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
sansan_randd
0
130
from Sakichi Toyoda to Agile
kawaguti
PRO
1
100
三菱電機・ソニーグループ共同の「Agile Japan企業内サテライト」_2025
sony
0
100
カンファレンスに託児サポートがあるということ / Having Childcare Support at Conferences
nobu09
1
430
そのWAFのブロック、どう活かす? サービスを守るための実践的多層防御と思考法 / WAF blocks defense decision
kaminashi
0
110
Why React!?? Next.jsそしてReactを改めてイチから選ぶ
ypresto
10
4.6k
20201008_ファインディ_品質意識を育てる役目は人かAIか___2_.pdf
findy_eventslides
2
560
関係性が駆動するアジャイル──GPTに人格を与えたら、対話を通してふりかえりを 習慣化できた話
mhlyc
0
130
Featured
See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
[RailsConf 2023] Rails as a piece of cake
palkan
57
5.9k
Making the Leap to Tech Lead
cromwellryan
135
9.6k
Site-Speed That Sticks
csswizardry
11
890
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
Facilitating Awesome Meetings
lara
56
6.6k
Unsuck your backbone
ammeep
671
58k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
970
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
140
34k
Making Projects Easy
brettharned
119
6.4k
Being A Developer After 40
akosma
91
590k
We Have a Design System, Now What?
morganepeng
53
7.8k
Transcript
Azure Sentinel Feeling of operation for two months At JAZUG
# 24 2019.12.18
Azure Sentinel ಋೖ͔Β2ϲ݄ؒͷӡ༻ͷഽײ JAZUG # 24 ʹͯ 2019.12.18
Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security
Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
Μ͡Όɺຊ
ATTENTION !!! • ຊηογϣϯͷ༰ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ৫ɾஂମͷҙݟΛද͢ΔͷͰ ͋Γ·ͤΜ • ӡ༻͢Δ৫ʹΑͬͯશ͘ҟͳΔײʹͳΔ Մೳੑ͕͋Γ·͢ •
2019/12/16࣌ͷݕূ݁Ռʹج͖ͮ·͢
Topics not covered • ϥΠηϯεͷ • ଞࣾSIEMͱͷൺֱͷ • ϋϯςΟϯάͷਂ͍ •
Kustoͷ
օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ
Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰੳੳʂ
Inconvenient fact • ϩάΛੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔੑ͕Θ͔Βͳ͍ • ͦͦΞϥʔτ͕ଟ͗͢Δ
• ͬͱੳͰ͖͚ͨͲɺରԠ͜Ε͔Βɻɻɻ
ΫϥυαʔϏεͷϩά ΞϥʔτΛऩू/ੳͬͯ Ͳ͏͠Α͏ʁ
Major services for MS365 and Azure logging and alerting •
ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
Α͠ʂSIEMͷಋೖͩʂ
Facts confronted with SIEM • ϩάੳͷଞʹΔ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά
• Πϯϑϥͷࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ
ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel
What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛ͳίωΫλͰ؆୯ଓ •
ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛѲ
ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠Λ͠·͢
ಋೖظ
A fine start • σʔλιʔεͱͷίωΫλͷଓɺੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨ઃఆ • ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ༰ ֬ೝ •
υΩϡϝϯτಡΈͳ͕Βେମ̏͘Β͍ ʢ13ʙ4࣌ؒʣ
a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ͖Δʣ • ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠
• ༗ޮԽͨ͠ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ͢Δ᠘͕͋ͬͨ
What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ͬͯͨͷ͕ޭΛͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏ • άϩʔόϧཧऀͷݖݶͰૢ࡞Ͱ͖ͨ
First impression • UI͕γϯϓϧͰɺػೳ͕Ѳ͍͢͠ (ԿछྨʮϒοΫʯ͕͋ΔͷͰࠞཚ͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ
None
Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ
Կ͕ى͖Δ͔ ࣮ྫΛগ͠հ
Gap that can be easily found • Login to AWS
Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹMFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ༗༻
Gap that can be easily found • New UserAgent observed
in last 24 hours • 24࣌ؒҎʹར༻͞ΕͨUAΛɺաڈ14ؒ ৼΓฦͬͯɺ৽͍͠ͷΛ௨͢Δ • ΄΅ຖग़Δ • ϒϥβΞοϓσʔτɺCloudTrail͔Βଟ
ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ͋Δ
Amazing Alerts • Attempt to bypass conditional access rule in
Azure AD • ͖݅ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
None
What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •
ؔ࿈͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)
ؔ࿈ੑΘ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ
None
None
What does this do? • ৄࡉΛ͍ͬͯ࣌͘ɺAzure Sentinel͚ͩͰ ͳ͘ɺଞͷػೳซ༻ͨ͠ํ͕Θ͔Γ͢ ͍߹͕͋Δ •
ͯ͢ΛΫΤϦʔͰੳ͠ͳͯ͘ɺ அ͢Δज़͕ෳ͋Δͱָʢ͔ʣ
݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ
SOARʹ͍ͭͯ
What is SOAR ? • Security Orchestration Automation and Response
• Cyber Security FrameworkͰ
SOAR in Azure Sentinel • Logic AppΛͬͯΞΫγϣϯΛఆٛͰ͖Δ • ΈࠐΈͷίωΫλΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺΈ߹ΘͤΔ͚ͩͰ࡞ΕΔ
• ಈతίϯςϯπΛΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘ΛΈࠐΊΔ
Configuration Example
Current SOAR Use Cases • ·ͣɺSlack௨͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •
ΞϥʔτҰൃͰΞΧϯταʔόʔࢭΊΒΕͳ͍ • ఆܕతͳՃௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
The reality is quite difficult • Changes to AWS Security
Group ingress and egress settings • มߋ༰Λಛఆ͢ΔΫΤϦΛΜͰɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹߘͱ͔͠ͳ͍ͱμϝʁ
͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕Γͳ͍ʀʀ
ϋϯςΟϯάʹ͍ͭͯ
What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత
• ϋϯςΟϯάʹඇఆܗ
Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber
Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
How to use hunting now • ࣄલఆٛͷΫΤϦʔɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎΛಘΔ • ॳΊҰׅ࣮ߦΛͯ͠ΈͯɺΧϯτ͕ग़ͨΫ
ΤϦʔͷ༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤৫ͷݸੑ͕৭ೱ͘ग़Δ෦ • ϊΠζؚΉͷͰɺղऍΛཧ͢Δͱ͜Ζ͔Β
ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ
I found some interesting data
Ͳ͏͑ͦ͏͔ ߟ͑த
ؓٳ
SIEMӡ༻ۀͱ ಇ͖ํվֵ
SIEM operator saw • ӽޙ౬ͰӦۀ୲ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲ͷࣗσεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊهʣ •
ଓݩIP192.168.1.6
SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ࠷৽ • ௐࠪ։࢝࣌ͰωοτϫʔΫ্ʹ֘IPΛ Ϧʔε͞Ε͍ͯΔػث͍ͳ͍
• ൃੜ࣌ؒଳʹ৺ͨΓɾɾɾʁ
What was going on? • ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱࣄ͕Ͱ͖Δ
Α͏ʹͳΔͱɺݸਓڥىҼͷΞϥʔττ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ
ͳΔ΄Ͳ ӡ༻ͷΠϝʔδΘ͔ͬͨ
SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ
SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸσʔλ৵Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰੳ͠ɺΠϯγσϯτରԠɺՊֶ ࠪɺن੍ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢ͷʢ˞ʣ
(※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb
Պֶࠪ || ϑΥϨϯδοΫ
Ϋϥυ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜͰʂ
ΞʔΧΠϒͨ͠SyslogΛ ੳ͍ͨ͠
Inconvenient facts • ݱ࣌ͰɺAzure SentinelʹΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩάऔΓࠐ·Ε
ͳ͍ʢ͓ͦΒ͘ຆͲͷMWରԠͯ͠ͳ͍ʁʣ
ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε ͍͍Μ͡ΌͶʁ
SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑ ͍͍Μ͡ΌͶʁ
ΑΖ͍͠ ͳΒ࣮ͩ
https://www.fnifni.net/azure-sentinel-cunstomlog/
None
ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ
Inconvenient facts • ΧελϜϩάઃఆ࣌ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •
อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ
·ͩ·ͩಓͷΓݥ͍͠
͓·͚
If you want to start now • ։࢝ؒͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •
IntuneʹͦΜͳ͕࣌͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔
wrap up • ࢝ΊΔͷඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔײత • SOARɺΞϥʔτੳͷิॿ͔Β
• աڈσʔλͷੳ·ͰͷಓͷΓ·ͩݥ͍͠
Thank you !
fnifni21
dayjournal
oracle4engineer
10xinc
sansan_randd
kawaguti
sony
nobu09
kaminashi
ypresto
findy_eventslides
mhlyc
keavy
palkan
cromwellryan
csswizardry
lemiorhan
lara
ammeep
irinanazarova
eileencodes
brettharned
akosma
morganepeng
