Azure Sentinel, KQL and Azure Playbooks explained

Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It helps organizations detect, investigate, and respond to security threats by collecting data from various sources and providing a unified view of the organization’s security posture.

Creating an Azure Sentinel workspace and a Playbook in Azure Sentinel can be done by following these steps:

  1. Go to the Azure portal and sign in with your Azure account.
  2. In the Azure portal, click on the “Create a resource” button and search for “Azure Sentinel”.
  3. Select “Azure Sentinel” from the results and click on the “Create” button.
  4. Fill in the required information for the new Azure Sentinel workspace, such as the subscription, resource group, and workspace name.
  5. Once the Azure Sentinel workspace is created, you can navigate to it by clicking on “All resources” and selecting the newly created workspace.
  6. To create a Playbook, navigate to the Azure Sentinel workspace and select “Playbooks” from the left-hand menu.
  7. Click on the “+ New” button to create a new Playbook.
  8. Fill in the required information for the new Playbook, such as the name and description, and select the appropriate triggers.
  9. Now you can add actions to the Playbook, such as sending an email, creating a ticket, or running a script.
  10. Once you have finished creating the Playbook, you can save it and activate it.

Note that you need to connect Azure Sentinel to data sources such as Office 365, Azure AD, and Windows Event logs before you can start using it. You can use pre-built connectors, or use APIs to connect to other data sources.

Kusto Query Language (KQL)

Azure Sentinel uses a query language called Kusto Query Language (KQL) to search and analyze data. KQL is a powerful language that allows you to query and extract insights from large amounts of data.

Here is an example of a KQL query that can be used to retrieve data from Azure Sentinel:

SecurityEvent
| where TimeGenerated >= ago(7d)
| where AccountType == "User"   // SecurityEvent records "User" or "Machine" in this column
| where EventID == 4624         // EventID is an integer column; 4624 is a successful logon
| project TimeGenerated, Account, IpAddress, EventData

This query retrieves all security events generated in the last 7 days where the account type is “User” and the event ID is 4624 (a successful logon). It then projects the TimeGenerated, Account, IpAddress, and EventData fields.

You can use KQL to perform various tasks such as filtering, sorting, and joining data, as well as creating custom alerts and dashboards. Additionally, you can use Azure Sentinel’s built-in analytics and machine learning capabilities to detect anomalies and threats in your data.

Here are a few examples of KQL queries that can be used with Azure services:

Retrieving all security events from Azure Sentinel in the last 24 hours:

SecurityEvent
| where TimeGenerated >= ago(24h)

Retrieving all failed login attempts from Azure Active Directory in the last 7 days:

SigninLogs
| where TimeGenerated >= ago(7d)
| where ResultType != "0"   // ResultType "0" means the sign-in succeeded

Retrieving all network flows from Azure Network Watcher in a specific virtual network:

NetworkFlow
| where VirtualNetwork == "MyVirtualNetwork"

Retrieving all log events from Azure Log Analytics that contain the word “error”:

AzureDiagnostics
| search "error"

Retrieving the top 10 processes that have the highest CPU usage from Azure Monitor:

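Perf
| where ObjectName == "Process" and CounterName == "% Processor Time"   // per-process CPU counters only
| where InstanceName !in ("_Total", "Idle")                             // drop the aggregate and idle instances
| summarize avg(CounterValue) by InstanceName
| sort by avg_CounterValue desc
| take 10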

These are just a few examples of the types of queries that can be run using KQL with Azure services. KQL can be used to perform a wide range of tasks, such as filtering, sorting, and joining data, as well as creating custom alerts and dashboards. Additionally, you can use Azure’s built-in analytics and machine learning capabilities to detect anomalies and threats in your data.
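The following is an added example, not part of the original post, that combines filtering, summarizing, and joining into a query of the kind a custom alert could run: repeated failed logons (event 4625) followed by a successful logon (event 4624) for the same account and source IP. The sample rows, the 10-minute window, and the threshold of five failures are assumptions; replace SampleSecurityEvent with SecurityEvent to run it against a workspace.

```kusto
// Constructed sample rows standing in for the SecurityEvent table (not real data).
let SampleSecurityEvent = datatable(TimeGenerated:datetime, EventID:int, Account:string, IpAddress:string, Computer:string)
[
    // alice: five failures from one address, then a success from the same address
    datetime(2024-01-10 09:00:05), 4625, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    datetime(2024-01-10 09:00:30), 4625, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    datetime(2024-01-10 09:01:02), 4625, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    datetime(2024-01-10 09:01:40), 4625, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    datetime(2024-01-10 09:02:00), 4625, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    datetime(2024-01-10 09:03:10), 4624, "CONTOSO\\alice", "203.0.113.7",   "SRV01",
    // bob: a single mistyped password, then a normal logon
    datetime(2024-01-10 09:10:00), 4625, "CONTOSO\\bob",   "198.51.100.20", "SRV02",
    datetime(2024-01-10 09:10:20), 4624, "CONTOSO\\bob",   "198.51.100.20", "SRV02",
    // carol: many failures but no success afterwards
    datetime(2024-01-10 09:20:00), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01",
    datetime(2024-01-10 09:20:10), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01",
    datetime(2024-01-10 09:20:20), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01",
    datetime(2024-01-10 09:20:30), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01",
    datetime(2024-01-10 09:20:40), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01",
    datetime(2024-01-10 09:20:50), 4625, "CONTOSO\\carol", "203.0.113.9",   "SRV01"
];
let correlationWindow = 10m;   // assumed: failures and the success must fall within this span
let failThreshold = 5;         // assumed: minimum failed logons before a success is suspicious
// Step 1: bursts of failed logons per account and source address.
let FailedBursts = SampleSecurityEvent
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by Account, IpAddress
    | where FailedCount >= failThreshold
        and LastFailure - FirstFailure <= correlationWindow;
// Step 2: successful logons that follow such a burst for the same account and address.
SampleSecurityEvent
| where EventID == 4624
| project SuccessTime = TimeGenerated, Account, IpAddress, Computer
| join kind=inner FailedBursts on Account, IpAddress
| where SuccessTime between (LastFailure .. LastFailure + correlationWindow)
| project SuccessTime, Account, IpAddress, Computer, FailedCount, FirstFailure, LastFailure
| sort by SuccessTime asc
```

The Account, IpAddress, and Computer columns in the result are the values a Playbook would need in order to act on the alert.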

Azure Playbooks

Azure Playbooks are a feature of Azure Sentinel that lets you automate incident response and investigation tasks by creating runbooks that can be triggered by alerts or other events. These runbooks are called Playbooks, and they are built using Azure Logic Apps, a service for creating workflows with a drag-and-drop interface.

Azure Playbooks can be used in conjunction with Log Analytics, a service that allows you to collect, analyze, and visualize large amounts of data. Log Analytics can be used to collect and store data from various sources, such as Azure resources, on-premises servers, and other cloud services.

For example, you can use Log Analytics to collect data from Azure resources, such as Azure VMs, and then use that data to create custom views and dashboards in Azure Sentinel. You can then create a Playbook that is triggered by an alert in Azure Sentinel, and the Playbook can use the data in Log Analytics to perform an automated response, such as shutting down a VM or blocking an IP address.

You can also use Log Analytics to collect data from other sources, such as Syslog or Windows Event logs, and use that data in Azure Sentinel. This allows you to create a comprehensive security solution that can detect and respond to security threats across your entire organization.

In summary, Azure Playbooks in Azure Sentinel can be used to automate incident response and investigation tasks, and Log Analytics can be used to collect and store data from various sources, which can be used in Azure Sentinel to detect and respond to security threats. Together, Azure Playbooks and Log Analytics can help organizations improve their security posture and respond to security incidents more efficiently.
