Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
Search
fnifni
December 18, 2019
Technology
2
870
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
JAZUG#24で喋った内容を公開します
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用
fnifni
December 18, 2019
Tweet
Share
More Decks by fnifni
See All by fnifni
踏み台環境におけるAmazon Maice活用の提案 #secjaws #secjaws08
fnifni21
0
2.4k
Deep Securityの運用TIPS
fnifni21
1
550
Deep Securityのホットデータを活用する ~AWS WAFの場合~
fnifni21
0
890
Other Decks in Technology
See All in Technology
ゼロからはじめる採用広報
yutadayo
3
920
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
260
Claude Code に プロジェクト管理やらせたみた
unson
6
4k
怖くない!はじめてのClaude Code
shinya337
0
400
What’s new in Android development tools
yanzm
0
310
United Airlines Customer Service– Call 1-833-341-3142 Now!
airhelp
0
170
マネジメントって難しい、けどおもしろい / Management is tough, but fun! #em_findy
ar_tama
7
1.1k
Lazy application authentication with Tailscale
bluehatbrit
0
210
改めてAWS WAFを振り返る~業務で使うためのポイント~
masakiokuda
2
250
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
soudai
PRO
49
19k
関数型プログラミングで 「脳がバグる」を乗り越える
manabeai
1
190
成長し続けるアプリのためのテストと設計の関係、そして意思決定の記録。
sansantech
PRO
0
120
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Embracing the Ebb and Flow
colly
86
4.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
The Art of Programming - Codeland 2020
erikaheidi
54
13k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
130
19k
Art, The Web, and Tiny UX
lynnandtonic
299
21k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
Measuring & Analyzing Core Web Vitals
bluesmoon
7
510
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
How STYLIGHT went responsive
nonsquared
100
5.6k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
How to Think Like a Performance Engineer
csswizardry
25
1.7k
Transcript
Azure Sentinel Feeling of operation for two months At JAZUG
# 24 2019.12.18
Azure Sentinel ಋೖ͔Β2ϲ݄ؒͷӡ༻ͷഽײ JAZUG # 24 ʹͯ 2019.12.18
Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security
Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
Μ͡Όɺຊ
ATTENTION !!! • ຊηογϣϯͷ༰ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ৫ɾஂମͷҙݟΛද͢ΔͷͰ ͋Γ·ͤΜ • ӡ༻͢Δ৫ʹΑͬͯશ͘ҟͳΔײʹͳΔ Մೳੑ͕͋Γ·͢ •
2019/12/16࣌ͷݕূ݁Ռʹج͖ͮ·͢
Topics not covered • ϥΠηϯεͷ • ଞࣾSIEMͱͷൺֱͷ • ϋϯςΟϯάͷਂ͍ •
Kustoͷ
օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ
Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰੳੳʂ
Inconvenient fact • ϩάΛੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔੑ͕Θ͔Βͳ͍ • ͦͦΞϥʔτ͕ଟ͗͢Δ
• ͬͱੳͰ͖͚ͨͲɺରԠ͜Ε͔Βɻɻɻ
ΫϥυαʔϏεͷϩά ΞϥʔτΛऩू/ੳͬͯ Ͳ͏͠Α͏ʁ
Major services for MS365 and Azure logging and alerting •
ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
Α͠ʂSIEMͷಋೖͩʂ
Facts confronted with SIEM • ϩάੳͷଞʹΔ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά
• Πϯϑϥͷࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ
ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel
What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛ͳίωΫλͰ؆୯ଓ •
ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛѲ
ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠Λ͠·͢
ಋೖظ
A fine start • σʔλιʔεͱͷίωΫλͷଓɺੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨ઃఆ • ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ༰ ֬ೝ •
υΩϡϝϯτಡΈͳ͕Βେମ̏͘Β͍ ʢ13ʙ4࣌ؒʣ
a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ͖Δʣ • ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠
• ༗ޮԽͨ͠ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ͢Δ᠘͕͋ͬͨ
What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ͬͯͨͷ͕ޭΛͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏ • άϩʔόϧཧऀͷݖݶͰૢ࡞Ͱ͖ͨ
First impression • UI͕γϯϓϧͰɺػೳ͕Ѳ͍͢͠ (ԿछྨʮϒοΫʯ͕͋ΔͷͰࠞཚ͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ
None
Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ
Կ͕ى͖Δ͔ ࣮ྫΛগ͠հ
Gap that can be easily found • Login to AWS
Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹMFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ༗༻
Gap that can be easily found • New UserAgent observed
in last 24 hours • 24࣌ؒҎʹར༻͞ΕͨUAΛɺաڈ14ؒ ৼΓฦͬͯɺ৽͍͠ͷΛ௨͢Δ • ΄΅ຖग़Δ • ϒϥβΞοϓσʔτɺCloudTrail͔Βଟ
ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ͋Δ
Amazing Alerts • Attempt to bypass conditional access rule in
Azure AD • ͖݅ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
None
What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •
ؔ࿈͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)
ؔ࿈ੑΘ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ
None
None
What does this do? • ৄࡉΛ͍ͬͯ࣌͘ɺAzure Sentinel͚ͩͰ ͳ͘ɺଞͷػೳซ༻ͨ͠ํ͕Θ͔Γ͢ ͍߹͕͋Δ •
ͯ͢ΛΫΤϦʔͰੳ͠ͳͯ͘ɺ அ͢Δज़͕ෳ͋Δͱָʢ͔ʣ
݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ
SOARʹ͍ͭͯ
What is SOAR ? • Security Orchestration Automation and Response
• Cyber Security FrameworkͰ
SOAR in Azure Sentinel • Logic AppΛͬͯΞΫγϣϯΛఆٛͰ͖Δ • ΈࠐΈͷίωΫλΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺΈ߹ΘͤΔ͚ͩͰ࡞ΕΔ
• ಈతίϯςϯπΛΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘ΛΈࠐΊΔ
Configuration Example
Current SOAR Use Cases • ·ͣɺSlack௨͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •
ΞϥʔτҰൃͰΞΧϯταʔόʔࢭΊΒΕͳ͍ • ఆܕతͳՃௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
The reality is quite difficult • Changes to AWS Security
Group ingress and egress settings • มߋ༰Λಛఆ͢ΔΫΤϦΛΜͰɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹߘͱ͔͠ͳ͍ͱμϝʁ
͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕Γͳ͍ʀʀ
ϋϯςΟϯάʹ͍ͭͯ
What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత
• ϋϯςΟϯάʹඇఆܗ
Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber
Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
How to use hunting now • ࣄલఆٛͷΫΤϦʔɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎΛಘΔ • ॳΊҰׅ࣮ߦΛͯ͠ΈͯɺΧϯτ͕ग़ͨΫ
ΤϦʔͷ༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤৫ͷݸੑ͕৭ೱ͘ग़Δ෦ • ϊΠζؚΉͷͰɺղऍΛཧ͢Δͱ͜Ζ͔Β
ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ
I found some interesting data
Ͳ͏͑ͦ͏͔ ߟ͑த
ؓٳ
SIEMӡ༻ۀͱ ಇ͖ํվֵ
SIEM operator saw • ӽޙ౬ͰӦۀ୲ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲ͷࣗσεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊهʣ •
ଓݩIP192.168.1.6
SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ࠷৽ • ௐࠪ։࢝࣌ͰωοτϫʔΫ্ʹ֘IPΛ Ϧʔε͞Ε͍ͯΔػث͍ͳ͍
• ൃੜ࣌ؒଳʹ৺ͨΓɾɾɾʁ
What was going on? • ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱࣄ͕Ͱ͖Δ
Α͏ʹͳΔͱɺݸਓڥىҼͷΞϥʔττ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ
ͳΔ΄Ͳ ӡ༻ͷΠϝʔδΘ͔ͬͨ
SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ
SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸσʔλ৵Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰੳ͠ɺΠϯγσϯτରԠɺՊֶ ࠪɺن੍ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢ͷʢ˞ʣ
(※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb
Պֶࠪ || ϑΥϨϯδοΫ
Ϋϥυ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜͰʂ
ΞʔΧΠϒͨ͠SyslogΛ ੳ͍ͨ͠
Inconvenient facts • ݱ࣌ͰɺAzure SentinelʹΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩάऔΓࠐ·Ε
ͳ͍ʢ͓ͦΒ͘ຆͲͷMWରԠͯ͠ͳ͍ʁʣ
ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε ͍͍Μ͡ΌͶʁ
SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑ ͍͍Μ͡ΌͶʁ
ΑΖ͍͠ ͳΒ࣮ͩ
https://www.fnifni.net/azure-sentinel-cunstomlog/
None
ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ
Inconvenient facts • ΧελϜϩάઃఆ࣌ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •
อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ
·ͩ·ͩಓͷΓݥ͍͠
͓·͚
If you want to start now • ։࢝ؒͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •
IntuneʹͦΜͳ͕࣌͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔
wrap up • ࢝ΊΔͷඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔײత • SOARɺΞϥʔτੳͷิॿ͔Β
• աڈσʔλͷੳ·ͰͷಓͷΓ·ͩݥ͍͠
Thank you !