Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
Search
fnifni
December 18, 2019
Technology
2
870
Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~
JAZUG#24で喋った内容を公開します
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用
fnifni
December 18, 2019
Tweet
Share
More Decks by fnifni
See All by fnifni
踏み台環境におけるAmazon Maice活用の提案 #secjaws #secjaws08
fnifni21
0
2.4k
Deep Securityの運用TIPS
fnifni21
1
550
Deep Securityのホットデータを活用する ~AWS WAFの場合~
fnifni21
0
890
Other Decks in Technology
See All in Technology
赤煉瓦倉庫勉強会「Databricksを選んだ理由と、絶賛真っ只中のデータ基盤移行体験記」
ivry_presentationmaterials
2
360
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
lufthanahelpsupport
0
190
NewSQLや分散データベースを支えるRaftの仕組み - 仕組みを理解して知る得意不得意
hacomono
PRO
2
130
生成AI開発案件におけるClineの業務活用事例とTips
shinya337
0
250
Zephyr RTOSを使った開発コンペに参加した件
iotengineer22
1
220
Sansanのデータプロダクトマネジメントのアプローチ
sansantech
PRO
0
150
開発生産性を測る前にやるべきこと - 組織改善の実践 / Before Measuring Dev Productivity
kaonavi
9
4.2k
Beyond Kaniko: Navigating Unprivileged Container Image Creation
f30
0
130
ネットワーク保護はどう変わるのか?re:Inforce 2025最新アップデート解説
tokushun
0
200
AWS Organizations 新機能!マルチパーティ承認の紹介
yhana
1
280
事業成長の裏側:エンジニア組織と開発生産性の進化 / 20250703 Rinto Ikenoue
shift_evolve
PRO
2
21k
SEQUENCE object comparison - db tech showcase 2025 LT2
nori_shinoda
0
130
Featured
See All Featured
Facilitating Awesome Meetings
lara
54
6.4k
Balancing Empowerment & Direction
lara
1
430
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Bash Introduction
62gerente
613
210k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
181
54k
Six Lessons from altMBA
skipperchong
28
3.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Thoughts on Productivity
jonyablonski
69
4.7k
Building a Modern Day E-commerce SEO Strategy
aleyda
42
7.4k
Visualization
eitanlees
146
16k
Transcript
Azure Sentinel Feeling of operation for two months At JAZUG
# 24 2019.12.18
Azure Sentinel ಋೖ͔Β2ϲ݄ؒͷӡ༻ͷഽײ JAZUG # 24 ʹͯ 2019.12.18
Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security
Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
Μ͡Όɺຊ
ATTENTION !!! • ຊηογϣϯͷ༰ɺݸਓͷҙݟͰ͋Γɺ ॴଐ͢Δ৫ɾஂମͷҙݟΛද͢ΔͷͰ ͋Γ·ͤΜ • ӡ༻͢Δ৫ʹΑͬͯશ͘ҟͳΔײʹͳΔ Մೳੑ͕͋Γ·͢ •
2019/12/16࣌ͷݕূ݁Ռʹج͖ͮ·͢
Topics not covered • ϥΠηϯεͷ • ଞࣾSIEMͱͷൺֱͷ • ϋϯςΟϯάͷਂ͍ •
Kustoͷ
օ͞Μ ϩάͬͯͲ͏ͯ͠·͢ʁ
Common Interactions • ஷΊͯ·͢ʂ • Կ͔͋ͬͨΒݟΕ·͢ʂ • SIEMͰੳͰ͖ΔΑ͏ʹͯ͠ΔΑʂ • Ξϥʔτ͕ग़ͨΒSIEMͰੳੳʂ
Inconvenient fact • ϩάΛੳ͢Δख๏͕ܾ·ͬͯͳ͍ • ϩάΛੳ͢Δܖػ͕ܾ·ͬͯͳ͍ • Ξϥʔτͱϩάͷؔੑ͕Θ͔Βͳ͍ • ͦͦΞϥʔτ͕ଟ͗͢Δ
• ͬͱੳͰ͖͚ͨͲɺରԠ͜Ε͔Βɻɻɻ
ΫϥυαʔϏεͷϩά ΞϥʔτΛऩू/ੳͬͯ Ͳ͏͠Α͏ʁ
Major services for MS365 and Azure logging and alerting •
ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
Α͠ʂSIEMͷಋೖͩʂ
Facts confronted with SIEM • ϩάੳͷଞʹΔ͜ͱ͕ࢁੵ • αʔόʔɺετϨʔδɺωοτϫʔΫͷߏங • εέʔϦϯάɺΫϥελϦϯάɺνϡʔχϯά
• Πϯϑϥͷࢹɺอक • ΠϯϑϥͷηΩϡϦςΟઃܭͱઃఆ
ࡴെͱͨ͠εϨʹݱΕͨͷ͕ Azure Sentinel
What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛ͳίωΫλͰ؆୯ଓ •
ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛѲ
ͦΜͳૉఢͳSentinelͱ 2ϲ݄ؒŘŧŒŘŧŒͨ͠Λ͠·͢
ಋೖظ
A fine start • σʔλιʔεͱͷίωΫλͷଓɺੳςϯϓϨʔτ ͷ༗ޮԽ(74ݸ)ɺϓϨΠϒοΫͰΞϥʔτ௨ઃఆ • ੳςϯϓϨʔτɺϋϯςΟϯάςϯϓϨʔτͷ༰ ֬ೝ •
υΩϡϝϯτಡΈͳ͕Βେମ̏͘Β͍ ʢ13ʙ4࣌ؒʣ
a small stumbling block • جຊతʹϙνϙν࡞ۀʢ͙͢ʹ͖Δʣ • ੳςϯϓϨʔτͷ༗ޮԽ ->ϓϨΠϒοΫͷ ઃఆͱ͍͏ॱͰ࡞ۀΛͨ͠
• ༗ޮԽͨ͠ੳςϯϓϨʔτશͯʹɺ ϓϨΠϒοΫొ͢Δ᠘͕͋ͬͨ
What was good? • ͜Ε·Ͱ֤σʔλιʔεͷઃఆΛνϚνϚ ͬͯͨͷ͕ޭΛͨ͠ • υΩϡϝϯτ͕͚ͬ͜͏ • άϩʔόϧཧऀͷݖݶͰૢ࡞Ͱ͖ͨ
First impression • UI͕γϯϓϧͰɺػೳ͕Ѳ͍͢͠ (ԿछྨʮϒοΫʯ͕͋ΔͷͰࠞཚ͢Δ) • ͙͢σʔλ͕ྲྀΕ͖ͯͯɺ͙͢ಈ͔ͤΔ • ࣄલఆٛՄࢹԽςϯϓϨʔτͰ͙͢ʹՄࢹԽ Ͱ͖Δ
None
Ξϥʔτӡ༻ ։࢝ͯ͠ΈΔ
Կ͕ى͖Δ͔ ࣮ྫΛগ͠հ
Gap that can be easily found • Login to AWS
Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹMFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ༗༻
Gap that can be easily found • New UserAgent observed
in last 24 hours • 24࣌ؒҎʹར༻͞ΕͨUAΛɺաڈ14ؒ ৼΓฦͬͯɺ৽͍͠ͷΛ௨͢Δ • ΄΅ຖग़Δ • ϒϥβΞοϓσʔτɺCloudTrail͔Βଟ
ී௨ʹ(?)͋Γ͕͍ͨ Ξϥʔτ͋Δ
Amazing Alerts • Attempt to bypass conditional access rule in
Azure AD • ͖݅ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
None
What does this do? • GraphػೳͰΤϯςΟςΟΛΩʔʹ Ξϥʔτͷؔ࿈ੑΛײతʹදࣔ • ΞϥʔτͷτϦΞʔδͷखॿ͚ʹͳΔ •
ؔ࿈͚ΔΤϯςΟςΟ • IP, Account, HostName, URL (૿͑Δ༧ఆ)
ؔ࿈ੑΘ͔ͬͨ ͚Ͳɺ͜ͷIPͬͯԿͳΜʁ
None
None
What does this do? • ৄࡉΛ͍ͬͯ࣌͘ɺAzure Sentinel͚ͩͰ ͳ͘ɺଞͷػೳซ༻ͨ͠ํ͕Θ͔Γ͢ ͍߹͕͋Δ •
ͯ͢ΛΫΤϦʔͰੳ͠ͳͯ͘ɺ அ͢Δज़͕ෳ͋Δͱָʢ͔ʣ
݁ہΞϥʔτΛ֬ೝͯ͠ ΞΫγϣϯ͢Δͷʁ
SOARʹ͍ͭͯ
What is SOAR ? • Security Orchestration Automation and Response
• Cyber Security FrameworkͰ
SOAR in Azure Sentinel • Logic AppΛͬͯΞΫγϣϯΛఆٛͰ͖Δ • ΈࠐΈͷίωΫλΞΫγϣϯ͕༻ҙ͞Ε ͍ͯͯɺΈ߹ΘͤΔ͚ͩͰ࡞ΕΔ
• ಈతίϯςϯπΛΈࠐΉ͜ͱͰɺΞϥʔτ ʹجͮ͘ΛΈࠐΊΔ
Configuration Example
Current SOAR Use Cases • ·ͣɺSlack௨͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •
ΞϥʔτҰൃͰΞΧϯταʔόʔࢭΊΒΕͳ͍ • ఆܕతͳՃௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
The reality is quite difficult • Changes to AWS Security
Group ingress and egress settings • มߋ༰Λಛఆ͢ΔΫΤϦΛΜͰɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹߘͱ͔͠ͳ͍ͱμϝʁ
͍Ζ͍Ζࢼ͚ͨ͠Ͳɺ मߦ͕Γͳ͍ʀʀ
ϋϯςΟϯάʹ͍ͭͯ
What is Hunting ? • ͢Ͱʹ৵ೖ͞Εͯ͠·ͬͨڴҖΛɺϩάղੳ ػցֶशͳͲΛ׆༻͢Δ͜ͱͰɺੵۃతʹ ङΓʢϋϯςΟϯάʣ͢Δख๏ • Ξϥʔτʹఆܗత
• ϋϯςΟϯάʹඇఆܗ
Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber
Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
How to use hunting now • ࣄલఆٛͷΫΤϦʔɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎΛಘΔ • ॳΊҰׅ࣮ߦΛͯ͠ΈͯɺΧϯτ͕ग़ͨΫ
ΤϦʔͷ༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤৫ͷݸੑ͕৭ೱ͘ग़Δ෦ • ϊΠζؚΉͷͰɺղऍΛཧ͢Δͱ͜Ζ͔Β
ϋϯςΟϯάͷલʹ σʔλͰ͢ΑͶ
I found some interesting data
Ͳ͏͑ͦ͏͔ ߟ͑த
ؓٳ
SIEMӡ༻ۀͱ ಇ͖ํվֵ
SIEM operator saw • ӽޙ౬ͰӦۀ୲ͱZoomதʹΞϥʔτண৴ • Ӧۀ୲ͷࣗσεΫτοϓ͕Brute ForceΛ ड͚͍ͯΔʢ51ճͷϩάΠϯࣦഊهʣ •
ଓݩIP192.168.1.6
SIEM operator saw • ϗʔϜϧʔλʔͷDHCPϩά1࣌ؒอ࣋ • ϗʔϜϧʔλʔͷϑΝʔϜ࠷৽ • ௐࠪ։࢝࣌ͰωοτϫʔΫ্ʹ֘IPΛ Ϧʔε͞Ε͍ͯΔػث͍ͳ͍
• ൃੜ࣌ؒଳʹ৺ͨΓɾɾɾʁ
What was going on? • ήʔϜػͷͱ͋Δػೳ͕ɺอଘઌΛ୳ͨ͢ ΊʹωοτϫʔΫ্ͷػثʹguestͰϩάΠϯ ͠Α͏ͱ͍ͯͨ͠ʢσϑΥϧτಈ࡞ʣ • ಇ͖ํվֵ͕ਐΜͰɺͲ͜Ͱࣄ͕Ͱ͖Δ
Α͏ʹͳΔͱɺݸਓڥىҼͷΞϥʔττ ϥϒϧ͕ൃੜ͢ΔΑ͏ʹͳΔ
ͳΔ΄Ͳ ӡ༻ͷΠϝʔδΘ͔ͬͨ
SIEMͷϢʔεέʔεͬͯ ͦΕ͚͚ͩͩͬʁ
SIEM Use Cases • λʔήοτΛߜͬͨ߈ܸσʔλ৵Λૣظ ʹݕग़͢ΔͨΊʹΠϕϯτɾσʔλΛϦΞϧ λΠϜͰੳ͠ɺΠϯγσϯτରԠɺՊֶ ࠪɺن੍ͷίϯϓϥΠΞϯεͷͨΊʹϩ άɾσʔλΛऩूɺอଘɺௐࠪɺϨϙʔτ͢ ΔχʔζΛຬͨ͢ͷʢ˞ʣ
(※)Magic Quadrant for Security Information and Event Management 2019 https://www.gartner.com/doc/reprints?id=1-5WEZABX&ct=181205&st=sb
Պֶࠪ || ϑΥϨϯδοΫ
Ϋϥυ͚ͩ͡Όͳ͍ αʔόʔͷϩάͩͬͯ ͋ΔΜͰʂ
ΞʔΧΠϒͨ͠SyslogΛ ੳ͍ͨ͠
Inconvenient facts • ݱ࣌ͰɺAzure SentinelʹΞʔΧΠϒͨ͠ ϩάΛऔΓࠐΉΑ͏ͳίωΫλ͕ͳ͍ • ετϦʔϜͰྲྀΕͯ͘Δϩά͕લఏ • SyslogεΩʔϚʹద߹͠ͳ͍ϩάऔΓࠐ·Ε
ͳ͍ʢ͓ͦΒ͘ຆͲͷMWରԠͯ͠ͳ͍ʁʣ
ΞʔΧΠϒͨ͠SyslogΛ ετϦʔϜʹ͢Ε ͍͍Μ͡ΌͶʁ
SyslogεΩʔϚ͕৯͑ͳ͍ͳΒ ΧελϜϩάͰ৯͑ ͍͍Μ͡ΌͶʁ
ΑΖ͍͠ ͳΒ࣮ͩ
https://www.fnifni.net/azure-sentinel-cunstomlog/
None
ΦϦδφϧͷλΠϜελϯϓͰ ΫΤϦʔͰ͖ͨʂ
Inconvenient facts • ΧελϜϩάઃఆ࣌ͰɺλΠϜελϯϓΛઃఆ ͢ΔͱTimeGeneratedʹΦϦδφϧͷ࣌ࠁ͕ઃఆ Ͱ͖Δ • ΧελϜϑΟʔϧυΛઃఆͰ͖ͳ͍τϥϒϧ ͕ൃੜதʀʀ •
อଘظؒͱͷઓ͍͕࢝·Γͦ͏ɻɻɻ
·ͩ·ͩಓͷΓݥ͍͠
͓·͚
If you want to start now • ։࢝ؒͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •
IntuneʹͦΜͳ͕࣌͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔
wrap up • ࢝ΊΔͷඇৗʹ؆୯ • ΠϯϑϥΛҙࣝ͢Δ͜ͱ֨ஈʹݮͬͨ • Ξϥʔτͷ૬͕ؔײత • SOARɺΞϥʔτੳͷิॿ͔Β
• աڈσʔλͷੳ·ͰͷಓͷΓ·ͩݥ͍͠
Thank you !