Let's Do More! with the tools we have: Microsoft Sentinel
As the title says, this blog post will take you through how to get the most out of your Sentinel workspace with the tools that come for free with Microsoft Sentinel.
In the current economic climate, budgets are being reduced and layoffs have been seen across the tech industry. This means companies and MSSPs need to ensure they are using their security tools, such as Microsoft Sentinel, as effectively as possible.
Whether Microsoft Sentinel has been in use for a long time or has only just been configured, it is a good idea to complete a gap analysis. A gap analysis is a method of identifying gaps in monitoring that an attacker could use to go undetected by a security team during an attack. It is critical for any security team to understand where these gaps are in order to make a detailed case for adding rules or log sources to Sentinel and improve the SIEM's detection coverage.
To help with performing a gap analysis within Microsoft Sentinel, the MITRE ATT&CK section can be used to quickly identify the tactics and techniques that are missing rules or log sources, which in turn identifies the log sources that should be prioritized for ingestion.
This view can be used to infer the areas for improvement. Not every area can be covered by every organization, because coverage depends on the devices the network uses and how they integrate with the Sentinel SIEM. However, where there are areas for improvement, take the technique to the Analytics section and filter the rule templates for the technique you are missing to see which log sources would populate those alerts.
With this information you can prioritize the logs to ingest, and the rules to enable where a log source is already being ingested into the Sentinel SIEM.
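The prioritization step above, worked through in code as an added example (not part of the original post or of Microsoft's tooling): the rule templates, enabled rules and connected data connectors are constructed sample data whose field names are modelled on Sentinel's analytics rule template schema, and the functions separate "rules you can enable today" from "connectors that would unlock the most uncovered techniques".

```python
from collections import defaultdict

# Constructed sample data (not real Sentinel templates). Field names mirror the
# analytics rule template schema: techniques and requiredDataConnectors.
RULE_TEMPLATES = [
    {"name": "Rare RDP connection", "techniques": ["T1021"], "requiredDataConnectors": ["SecurityEvents"]},
    {"name": "New cloud shell user", "techniques": ["T1059"], "requiredDataConnectors": ["AzureActivity"]},
    {"name": "Suspicious PowerShell", "techniques": ["T1059"], "requiredDataConnectors": ["SecurityEvents"]},
    {"name": "Password spray", "techniques": ["T1110"], "requiredDataConnectors": ["AzureActiveDirectory"]},
    {"name": "Mail forwarding rule", "techniques": ["T1114"], "requiredDataConnectors": ["Office365"]},
    {"name": "Exfil to cloud storage", "techniques": ["T1567"], "requiredDataConnectors": ["AzureActivity", "Office365"]},
]
ENABLED_RULES = [{"name": "Password spray", "techniques": ["T1110"]}]  # rules already on
CONNECTED = {"AzureActiveDirectory", "SecurityEvents"}  # connectors already ingesting

def covered_techniques(enabled_rules):
    """Techniques the enabled analytics rules already map to (the lit heat-map tiles)."""
    return {t for r in enabled_rules for t in r["techniques"]}

def quick_wins(templates, enabled_rules, connected):
    """Templates to enable now: every required connector is already ingesting and
    the template adds at least one technique not yet covered."""
    covered = covered_techniques(enabled_rules)
    enabled = {r["name"] for r in enabled_rules}
    return sorted(t["name"] for t in templates
                  if t["name"] not in enabled
                  and set(t["requiredDataConnectors"]) <= connected
                  and set(t["techniques"]) - covered)

def prioritize_connectors(templates, enabled_rules, connected):
    """Rank connectors not yet ingesting by the uncovered techniques they unlock,
    ignoring techniques already reachable through quick wins."""
    reachable = covered_techniques(enabled_rules) | {
        tech for t in templates
        if set(t["requiredDataConnectors"]) <= connected for tech in t["techniques"]}
    gains = defaultdict(set)
    for t in templates:
        for conn in set(t["requiredDataConnectors"]) - connected:
            gains[conn] |= set(t["techniques"]) - reachable
    return sorted(((c, sorted(s)) for c, s in gains.items() if s),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    print("Enable now:", quick_wins(RULE_TEMPLATES, ENABLED_RULES, CONNECTED))
    print("Ingest next:", prioritize_connectors(RULE_TEMPLATES, ENABLED_RULES, CONNECTED))
```

Note that T1059 never counts in favour of AzureActivity, because the SecurityEvents template already reaches it; ranking by techniques a connector uniquely adds is what keeps the priority list honest.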
I would love to see new abilities added to this section, such as drilling down into each technique and, with the click of a button, enabling the rules for which a connected log source is already ingesting data, or being able to see the log sources that could detect each technique on the details page of its tile. Even so, the current MITRE ATT&CK section provides a great heat map for understanding the environment and where the gaps may be, so that Microsoft Sentinel has a better chance of detecting an attack.
Remember: always act as if the network is breached and go hunting for the proof! Don't be lazy and wait for the alert!