Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
Search
fnifni
December 18, 2019
Technology
2
830
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
JAZUG#24で喋った内容を公開します
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用
fnifni
December 18, 2019
Tweet
Share
More Decks by fnifni
See All by fnifni
踏み台環境におけるAmazon Maice活用の提案 #secjaws #secjaws08
fnifni21
0
2.3k
Deep Securityの運用TIPS
fnifni21
1
530
Deep Securityのホットデータを活用する ~AWS WAFの場合~
fnifni21
0
840
Other Decks in Technology
See All in Technology
LINE NEWSにおけるバックエンド開発
lycorptech_jp
PRO
0
370
OPENLOGI Company Profile
hr01
0
60k
AIエージェント時代のエンジニアになろう #jawsug #jawsdays2025 / 20250301 Agentic AI Engineering
yoshidashingo
9
4.1k
4th place solution Eedi - Mining Misconceptions in Mathematics
rist
0
150
役員・マネージャー・著者・エンジニアそれぞれの立場から見たAWS認定資格
nrinetcom
PRO
4
6.8k
Pwned Labsのすゝめ
ken5scal
2
570
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
540
AI Agent時代なのでAWSのLLMs.txtが欲しい!
watany
3
370
マルチアカウント環境における組織ポリシーについて まとめてみる
nrinetcom
PRO
2
110
AIエージェント元年@日本生成AIユーザ会
shukob
1
260
生成AI×財務経理:PoCで挑むSlack AI Bot開発と現場巻き込みのリアル
pohdccoe
1
810
サイト信頼性エンジニアリングとAmazon Web Services / SRE and AWS
ymotongpoo
7
1.8k
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
Fashionably flexible responsive web design (full day workshop)
malarkey
406
66k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
How to train your dragon (web standard)
notwaldorf
91
5.9k
Building a Scalable Design System with Sketch
lauravandoore
461
33k
Designing for Performance
lara
605
68k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
27
1.9k
The Invisible Side of Design
smashingmag
299
50k
Facilitating Awesome Meetings
lara
53
6.3k
Practical Orchestrator
shlominoach
186
10k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
A designer walks into a library…
pauljervisheath
205
24k
Transcript
Azure Sentinel Feeling of operation for two months At JAZUG
# 24 2019.12.18
Azure Sentinel ಋೖ͔Β2ϲ݄ؒͷӡ༻ͷഽײ JAZUG # 24 ʹͯ 2019.12.18
Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security
Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
Μ͡Όɺຊ
ATTENTION !!! • ຊηογϣϯͷ༰ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ৫ɾஂମͷҙݟΛද͢ΔͷͰ ͋Γ·ͤΜ • ӡ༻͢Δ৫ʹΑͬͯશ͘ҟͳΔײʹͳΔ Մೳੑ͕͋Γ·͢ •
2019/12/16࣌ͷݕূ݁Ռʹج͖ͮ·͢
Topics not covered • ϥΠηϯεͷ • ଞࣾSIEMͱͷൺֱͷ • ϋϯςΟϯάͷਂ͍ •
Kustoͷ
օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ
Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰੳੳʂ
Inconvenient fact • ϩάΛੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔੑ͕Θ͔Βͳ͍ • ͦͦΞϥʔτ͕ଟ͗͢Δ
• ͬͱੳͰ͖͚ͨͲɺରԠ͜Ε͔Βɻɻɻ
ΫϥυαʔϏεͷϩά ΞϥʔτΛऩू/ੳͬͯ Ͳ͏͠Α͏ʁ
Major services for MS365 and Azure logging and alerting •
ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
Α͠ʂSIEMͷಋೖͩʂ
Facts confronted with SIEM • ϩάੳͷଞʹΔ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά
• Πϯϑϥͷࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ
ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel
What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛ͳίωΫλͰ؆୯ଓ •
ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛѲ
ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠Λ͠·͢
ಋೖظ
A fine start • σʔλιʔεͱͷίωΫλͷଓɺੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨ઃఆ • ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ༰ ֬ೝ •
υΩϡϝϯτಡΈͳ͕Βେମ̏͘Β͍ ʢ13ʙ4࣌ؒʣ
a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ͖Δʣ • ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠
• ༗ޮԽͨ͠ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ͢Δ᠘͕͋ͬͨ
What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ͬͯͨͷ͕ޭΛͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏ • άϩʔόϧཧऀͷݖݶͰૢ࡞Ͱ͖ͨ
First impression • UI͕γϯϓϧͰɺػೳ͕Ѳ͍͢͠ (ԿछྨʮϒοΫʯ͕͋ΔͷͰࠞཚ͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ
None
Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ
Կ͕ى͖Δ͔ ࣮ྫΛগ͠հ
Gap that can be easily found • Login to AWS
Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹMFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ༗༻
Gap that can be easily found • New UserAgent observed
in last 24 hours • 24࣌ؒҎʹར༻͞ΕͨUAΛɺաڈ14ؒ ৼΓฦͬͯɺ৽͍͠ͷΛ௨͢Δ • ΄΅ຖग़Δ • ϒϥβΞοϓσʔτɺCloudTrail͔Βଟ
ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ͋Δ
Amazing Alerts • Attempt to bypass conditional access rule in
Azure AD • ͖݅ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
None
What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •
ؔ࿈͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)
ؔ࿈ੑΘ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ
None
None
What does this do? • ৄࡉΛ͍ͬͯ࣌͘ɺAzure Sentinel͚ͩͰ ͳ͘ɺଞͷػೳซ༻ͨ͠ํ͕Θ͔Γ͢ ͍߹͕͋Δ •
ͯ͢ΛΫΤϦʔͰੳ͠ͳͯ͘ɺ அ͢Δज़͕ෳ͋Δͱָʢ͔ʣ
݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ
SOARʹ͍ͭͯ
What is SOAR ? • Security Orchestration Automation and Response
• Cyber Security FrameworkͰ
SOAR in Azure Sentinel • Logic AppΛͬͯΞΫγϣϯΛఆٛͰ͖Δ • ΈࠐΈͷίωΫλΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺΈ߹ΘͤΔ͚ͩͰ࡞ΕΔ
• ಈతίϯςϯπΛΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘ΛΈࠐΊΔ
Configuration Example
Current SOAR Use Cases • ·ͣɺSlack௨͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •
ΞϥʔτҰൃͰΞΧϯταʔόʔࢭΊΒΕͳ͍ • ఆܕతͳՃௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
The reality is quite difficult • Changes to AWS Security
Group ingress and egress settings • มߋ༰Λಛఆ͢ΔΫΤϦΛΜͰɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹߘͱ͔͠ͳ͍ͱμϝʁ
͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕Γͳ͍ʀʀ
ϋϯςΟϯάʹ͍ͭͯ
What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత
• ϋϯςΟϯάʹඇఆܗ
Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber
Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
How to use hunting now • ࣄલఆٛͷΫΤϦʔɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎΛಘΔ • ॳΊҰׅ࣮ߦΛͯ͠ΈͯɺΧϯτ͕ग़ͨΫ
ΤϦʔͷ༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤৫ͷݸੑ͕৭ೱ͘ग़Δ෦ • ϊΠζؚΉͷͰɺղऍΛཧ͢Δͱ͜Ζ͔Β
ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ
I found some interesting data
Ͳ͏͑ͦ͏͔ ߟ͑த
ؓٳ
SIEMӡ༻ۀͱ ಇ͖ํվֵ
SIEM operator saw • ӽޙ౬ͰӦۀ୲ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲ͷࣗσεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊهʣ •
ଓݩIP192.168.1.6
SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ࠷৽ • ௐࠪ։࢝࣌ͰωοτϫʔΫ্ʹ֘IPΛ Ϧʔε͞Ε͍ͯΔػث͍ͳ͍
• ൃੜ࣌ؒଳʹ৺ͨΓɾɾɾʁ
What was going on? • ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱࣄ͕Ͱ͖Δ
Α͏ʹͳΔͱɺݸਓڥىҼͷΞϥʔττ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ
ͳΔ΄Ͳ ӡ༻ͷΠϝʔδΘ͔ͬͨ
SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ
SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸσʔλ৵Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰੳ͠ɺΠϯγσϯτରԠɺՊֶ ࠪɺن੍ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢ͷʢ˞ʣ
(※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb
Պֶࠪ || ϑΥϨϯδοΫ
Ϋϥυ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜͰʂ
ΞʔΧΠϒͨ͠SyslogΛ ੳ͍ͨ͠
Inconvenient facts • ݱ࣌ͰɺAzure SentinelʹΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩάऔΓࠐ·Ε
ͳ͍ʢ͓ͦΒ͘ຆͲͷMWରԠͯ͠ͳ͍ʁʣ
ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε ͍͍Μ͡ΌͶʁ
SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑ ͍͍Μ͡ΌͶʁ
ΑΖ͍͠ ͳΒ࣮ͩ
https://www.fnifni.net/azure-sentinel-cunstomlog/
None
ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ
Inconvenient facts • ΧελϜϩάઃఆ࣌ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •
อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ
·ͩ·ͩಓͷΓݥ͍͠
͓·͚
If you want to start now • ։࢝ؒͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •
IntuneʹͦΜͳ͕࣌͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔
wrap up • ࢝ΊΔͷඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔײత • SOARɺΞϥʔτੳͷิॿ͔Β
• աڈσʔλͷੳ·ͰͷಓͷΓ·ͩݥ͍͠
Thank you !