$30 off During Our Annual Pro Sale. View Details »

Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~

fnifni
December 18, 2019

Azure Sentinel ~ 導入から2ヶ月間の運用の肌感 ~

JAZUG#24で喋った内容を公開します
#AzureSentinel, #Sentinel, #SIEM, #SIEM運用

fnifni

December 18, 2019
Tweet

More Decks by fnifni

Other Decks in Technology

Transcript

  1. Who Am I !?ʢ͓લ୭Αʁʣ • Hirokazu YoshidaˏCloud Native Inc. Security

    Engineer • Community - Security-JAWS • Favorite Azure Service https://www.fnifni.net/
  2. Major services for MS365 and Azure logging and alerting •

    ϩά Azure AD, Azure Activity, Azure Information Protection, Office365(SharePoint, Exchange) • Ξϥʔτ Microsoft Cloud App Security (MCAS) Microsoft Defender ATP (MDATP), Azure ATP, Azure Security Center, Azure Identity Protection
  3. What is Azure Sentinel ? • CloudܕSIEMʢϑϧϚωʔδυͷΠϯϑϥʣ • ๛෋ͳίωΫλͰ؆୯઀ଓ •

    ࣄલఆٛ͞ΕͨՄࢹԽςϯϓϨʔτͱ ΞϥʔτΫΤϦʢਵ࣌ߋ৽தʂʣ • GraphػೳͰGUIͰΞϥʔτͷ૬ؔΛ೺Ѳ
  4. Gap that can be easily found • Login to AWS

    Management Console without MFA • IdPͰผ్MFAΛઃఆ͍ͯ͠ΔͷͰAWS ͷίϯιʔϧʹ͸௚઀MFAͰೖͬͯͳ͍ • IdPͳͲͰSSO͍ͯ͠ͳ͍ਓ͸༗༻
  5. Gap that can be easily found • New UserAgent observed

    in last 24 hours • 24࣌ؒҎ಺ʹར༻͞ΕͨUAΛɺաڈ14೔ؒ ৼΓฦͬͯɺ৽͍͠΋ͷΛ௨஌͢Δ • ΄΅ຖ೔ग़Δ • ϒϥ΢βΞοϓσʔτɺCloudTrail͔Βଟ਺
  6. Amazing Alerts • Attempt to bypass conditional access rule in

    Azure AD • ৚݅෇͖ΞΫηεϧʔϧΛόΠύε͠Α͏ͱ ͍ͯ͠Δ • SEVERITY : Low
  7. Current SOAR Use Cases • ·ͣ͸ɺSlack௨஌͔Β • ΞϥʔτͷύʔϚϦϯΫ͕ૹΕͳ͍ͷͰ μογϡϘʔυͷURLΛϋʔυίʔυ(ٽ) •

    ΞϥʔτҰൃͰΞΧ΢ϯτ΍αʔόʔ͸ࢭΊΒΕͳ͍ • ఆܕతͳ௥Ճௐࠪ݁ՌͰΞϥʔτରԠิॿ͘Β͍ ͍͚ͨ͠Ͳɻɻɻ
  8. The reality is quite difficult • Changes to AWS Security

    Group ingress and egress settings • มߋ಺༰Λಛఆ͢ΔΫΤϦΛ૊ΜͰ΋ɺ ݁ՌΛ࣍ͷΞΫγϣϯʹҾ͖౉ͤͳ͍ʁ • WebhookΛAPI Gateway + LambdaͰड͚ ͯɺCloudTrail EventͷύʔϚϦϯΫΛSlack ʹ౤ߘͱ͔͠ͳ͍ͱμϝʁ
  9. Hunting in Azure Sentinel • ࣄલఆٛͷϋϯςΟϯάΫΤϦʔ͕ 84ొ࿥͞Ε͍ͯΔ (ਵ࣌ߋ৽) • Cyber

    Kill Chainͷ֤ϑΣʔζʹଇͨ͠ ΫΤϦʔ͕༻ҙ͞Ε͍ͯΔ • Ұׅ࣮ߦ͕Մೳ
  10. How to use hunting now • ࣄલఆٛͷΫΤϦʔ͸ɺϋϯςΟϯάͷख͕͔ ΓͱͳΔಎ࡯ΛಘΔ • ॳΊ͸Ұׅ࣮ߦΛͯ͠ΈͯɺΧ΢ϯτ͕ग़ͨΫ

    ΤϦʔͷ಺༰Λ֬ೝ͢Δͱ͜Ζ͔Β • ֤૊৫ͷݸੑ͕৭ೱ͘ग़Δ෦෼ • ϊΠζ΋ؚΉͷͰɺղऍΛ੔ཧ͢Δͱ͜Ζ͔Β
  11. If you want to start now • ։࢝ؒ΋ͳ͍αʔϏεͰ͋Δ͍͔ͤɺ αϙʔτ͕ஸೡͳؾ͕͢Δ •

    Intuneʹ΋ͦΜͳ࣌୅͕͋Γ·ͨ͠ • ͍Ζ͍Ζࢼ͢ͳΒࠓ͔΋