[MUSIC PLAYING] Hey. Welcome to my presentation at TEC 2022, Virtual TEC. My session is today about how to protect Microsoft Teams and SharePoint against cybersecurity threats using Microsoft Sentinel. My name is Ragnar Heil. I'm a Microsoft MVP and also partner channel account manager at Quest Software for the region of EMEA.
I'm living with my family here in Germany, middle of Europe, and I'm also a blogger. I blog at ragnarheil.de. I've got a hybrid virtual work tour membership, and also I have a biweekly news show around the modern workplace at Microsoft Teams called Alex and Ragnar Show, and also I'm a Viva Explorer, in case you're interested in Microsoft Viva.
And today's agenda is to explain to you what Microsoft Sentinel is. What are the main differences to a classic SIEM solution? What are the big major phases in a Sentinel project? What are the configuration steps, analytics logs, incidents, hunting? I will show you the difference between playbooks, workbooks, and notebooks, and what's in it for you in case you're using Teams and SharePoint, and how you can visualize your cybersecurity reports and visualizations here using Power BI. And finally, I will wrap up with the resources.
Let's start with the introduction to Microsoft Sentinel. And the most important question, maybe not for you, but I had this question, is Microsoft actually a SIEM solution with Sentinel? Because Sentinel is running in the cloud. It's fully scalable and extremely scalable, and it is really using low administration overhead.
No installation required. It just runs pay as you go, and the installation can be done within a few minutes. I checked it. It didn't take longer than just getting a fresh cappuccino out of my coffee machine.
In case you want to try it immediately, there are free trials available. And it's only going to be commercial, and you'll have to pay for it in case you want to use more data sources, commercial data sources, and also premium connectors. In case you want to make sure that you're not running out of costs, there is a monitoring tool available to help you to stay in your budget.
Microsoft Sentinel is a tool-- is a holistic solution designed for a specialist working in a SOC center, security and operations center. So very specialized product. So maybe you are working in Microsoft Teams and SharePoint Teams, or you definitely have to talk to your SOC colleagues, or maybe your SOC team and your modern workplace team are working closely together. That will be the best case.
And Sentinel starts with harvesting, collecting, and querying log files. It is going to detect later correlations, patterns, and anomalies and then create alerts and incidents. So it's starting from creating visibility by collecting and then going from the collection phase into the detection phase, analyzing, hunting, and then investigating incidents and then responding, automation, and helping you to save time and be faster by detecting threats.
The architecture looks like this. There is the core of threat management and its configuration. Threat management has got modules like incidents, workbooks, hunting, threat intelligence, notebooks, and so on, and they're using Azure workbooks. They're also using a query language called Kusto, KQL, and it's based on the MITRE ATT&CK framework.
It can be configured on the connector side, automation side, watch list, settings, using third party tools, using Microsoft-native tools, using logic apps from Azure and then also always Log Analytics. If you want to go deeper and more advanced things, then you can also use Python and external libraries using the Jupyter Notebooks.
A few recommendations which I can give to you around workplace design is that you want to have conversations and discussions around data sovereignty and the compliance standards from your regulators in case you're in a regulated industry. You'll also want to think about multi-tenant environments. Maybe your organization is going to acquire other organizations. You're currently in an M&A project, or you want to carve out. These are all very important topics which you have to consider when using Sentinel.
Data ownership. Who owns the data? What are data boundaries? Which subsidiaries in which department is using which kind of data and who has official ownership? Then make sure that you also talk about the different data retention policies in each department in each subsidiary. And in case you are a partner, you are working here in services, and you also have MSP requirements, then make sure that your MSP requirements are fulfilling the workplace settings here and the design settings and recommendations.
Access, permissions, and role are always very important. We are going to have a conversation about which roles I can recommend to you. They shouldn't be too fine.
They shouldn't be too broad and wide. So here, you need to find a right good mixture of access controls. Not to give too few and not to give too many permissions.
A quick start in data source and connectors, so how you can easily and quickly start using Microsoft Sentinel would be to use Azure activity logs. That is actually the main basic foundation of data sources. In the Office 365 audit logs, you can use SharePoint Activities, Exchange Admin activities, Teams activities.
You can also use the Security Alerts from Defender for Office 365, Defender for Cloud, Defender for Identity, for Endpoint, and for cloud apps. And if you're not really sure about the quality of the vectors, there is a tool called Connector Health Checks, which will ensure that the connectors are robust, and are working, and are stable.
Connectors for third party products are available. There are many. That's a big value of using Sentinel. And if you're not happy with the current offering of third party connectors, you can also write your own connectors. Codeless connector platform is available, or the custom connectors with more code than just codeless.
Let's talk about how a query looks like in KQL. So here we have a syntax, which is a mixture of data like security event, a condition, a where condition. Where event is one, two, three, four, and then the evidence, like by account, and then pipe limit to 10.
If you want to know more about it, about the KQL language, go to aka.ms/KQLDocs, or aka.ms/KQLCheatSheet. It's free and helps you to create your first Sentinel queries. But you don't need to start from a white, vanilla, blank paper sheet. You can use the user interface of Sentinel and just go to the log section, go to Security and Audit, and then go deeper into the alerts.
So here I was choosing an alert by column then going deeper and pick it, and have a query window open, and then choose the right column, choose the right filter, let's say 24 hours, or seven days, or 21 or 31 days, and then you get the query results depending on the account types. So for Azure AD, I recommend to use sign-in logs. For Azure AD, I use audit logs, and for Defender for Cloud, security alert where alert names contain, let's say, suspicious. That's a very good start. So you don't need to stop-- work here and start from scratch with the zero white paper.
Sentinel for Microsoft Teams. Let's check a few use cases and please also check for you now if they are relevant for you or if you have others to add. Please let me know. One use case could be for Teams, I want to know if an external user from a new organization has been added to my Teams, or to our Teams at our organization.
Or a bot was added to multiple Teams. Users were made owner of multiple Teams at the same time, or a bot or application was added, and nobody has noticed it, to a Team. Files were uploaded to Teams and there was an access at this behavior. So the amount of files which were uploaded or downloaded were suspicious. End users were added to Teams and immediately uploaded files.
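The Teams use cases just listed (many teams deleted by one user, a bot added to several teams, an external user from an unknown organization added) are the kind of thing the talk later picks from the built-in Sentinel query gallery. As an added example, not code from the talk or from Microsoft, here is the same detection logic written in Python and run over constructed audit records shaped like rows of Sentinel's OfficeActivity table. The column names (OfficeWorkload, Operation, UserId, TeamName, AddonName, Members), the sample accounts and the thresholds are assumptions made for this example; a rough KQL equivalent of the first detection is given in a comment with the same assumed column names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like Sentinel's OfficeActivity table for the
# Teams workload. Column names and accounts are assumptions for this example.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2022-09-01T08:00:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "alice@contoso.example", "TeamName": "Finance"},
    {"TimeGenerated": "2022-09-01T08:10:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "alice@contoso.example", "TeamName": "HR"},
    {"TimeGenerated": "2022-09-01T08:20:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "alice@contoso.example", "TeamName": "Legal"},
    # eve also deletes three teams, but spread over a working day: below threshold
    {"TimeGenerated": "2022-09-01T09:00:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "eve@contoso.example", "TeamName": "Old-Project-1"},
    {"TimeGenerated": "2022-09-01T11:30:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "eve@contoso.example", "TeamName": "Old-Project-2"},
    {"TimeGenerated": "2022-09-01T14:00:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "TeamDeleted", "UserId": "eve@contoso.example", "TeamName": "Old-Project-3"},
    {"TimeGenerated": "2022-09-01T09:05:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "BotAddedToTeam", "UserId": "bob@contoso.example",
     "TeamName": "Finance", "AddonName": "SurveyBot"},
    {"TimeGenerated": "2022-09-01T09:06:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "BotAddedToTeam", "UserId": "bob@contoso.example",
     "TeamName": "Sales", "AddonName": "SurveyBot"},
    {"TimeGenerated": "2022-09-01T10:00:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "BotAddedToTeam", "UserId": "carol@contoso.example",
     "TeamName": "HR", "AddonName": "Polly"},
    {"TimeGenerated": "2022-09-01T10:30:00", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "MemberAdded", "UserId": "alice@contoso.example", "TeamName": "Sales",
     "Members": ["carol@partner.example", "dave@unknown-org.example"]},
]

# Home tenant plus partner organizations already known to the SOC (assumed).
KNOWN_DOMAINS = {"contoso.example", "partner.example"}


def parse_ts(value):
    """Parse the ISO 8601 timestamps used in the sample rows."""
    return datetime.fromisoformat(value)


def teams_deleted_by_single_user(events, threshold=3, window=timedelta(hours=1)):
    """Users who deleted at least `threshold` distinct teams within `window`.

    Rough KQL equivalent (assumed column names, no time window):
      OfficeActivity
      | where OfficeWorkload == "MicrosoftTeams" and Operation == "TeamDeleted"
      | summarize dcount(TeamName) by UserId
      | where dcount_TeamName >= 3
    """
    deletions = defaultdict(list)
    for e in events:
        if e["OfficeWorkload"] == "MicrosoftTeams" and e["Operation"] == "TeamDeleted":
            deletions[e["UserId"]].append((parse_ts(e["TimeGenerated"]), e["TeamName"]))
    hits = {}
    for user, rows in deletions.items():
        rows.sort()
        # Slide a window starting at each deletion and count distinct teams inside it.
        for i, (start, _) in enumerate(rows):
            teams = {name for ts, name in rows[i:] if ts - start <= window}
            if len(teams) >= threshold:
                hits[user] = sorted(teams)
                break
    return hits


def bot_added_to_multiple_teams(events, threshold=2):
    """Bots (AddonName) installed into at least `threshold` distinct teams."""
    teams_per_bot = defaultdict(set)
    for e in events:
        if e["Operation"] == "BotAddedToTeam":
            teams_per_bot[e["AddonName"]].add(e["TeamName"])
    return {bot: sorted(t) for bot, t in teams_per_bot.items() if len(t) >= threshold}


def external_users_from_new_orgs(events, known_domains):
    """Members added whose e-mail domain is neither the home tenant nor a known partner."""
    flagged = set()
    for e in events:
        if e["Operation"] == "MemberAdded":
            for member in e["Members"]:
                domain = member.rsplit("@", 1)[-1].lower()
                if domain not in known_domains:
                    flagged.add(member)
    return sorted(flagged)


if __name__ == "__main__":
    print("mass team deletion:", teams_deleted_by_single_user(SAMPLE_EVENTS))
    print("bot in many teams:", bot_added_to_multiple_teams(SAMPLE_EVENTS))
    print("guests from new orgs:", external_users_from_new_orgs(SAMPLE_EVENTS, KNOWN_DOMAINS))
```

The time window matters: eve deletes the same number of teams as alice, but over a working day, so only alice is reported. In Sentinel the equivalent scheduled analytics rule would use `bin(TimeGenerated, 1h)` or a lookback period rather than a Python loop, but the grouping and threshold are the same.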
To work with Sentinel, there are many different roles available, and currently we have created a new role called Microsoft Teams Security Analyst and Microsoft Teams Security Engineer. The difference is that the analyst has got a Sentinel responder role and Logic Apps contributor role, and the engineer has got the Sentinel contributor role and Logic Apps Contributor role. And they also need access to the Sentinel resource groups and to the storage of the playbook. Other roles, for example, for your compliance colleagues, could be a reader role for Sentinel. These colleagues usually don't want writing roles.
One thing which is usually extremely helpful is just go into the log files and then you have the mixture of Sentinel, log queries, log management queries, custom logs, but you definitely want to make sure to go to the right column called Office workloads and then just filter on Teams. And then you see clearly what's happening in your time range, let's say the last 24 hours, and then you just filter it down to Microsoft Teams and you see what's happening in your log files.
That's one thing which is helping you directly. But you can also create your queries and run your queries, and create alerts based on this query. So let's take this example. You go here into the logs and you just write into this search filter into the search form Teams. And then you get all different queries available for Teams.
Of course, you can write your own queries, that's for sure. But if you want to start learning how to use KQL and these queries, then just write in Teams and then you get some recommendations. As I mentioned, I want to see which Teams are multiply deleted by a single user. And then you just pick it, and then you run it, or modify it, or create your own queries.
The next one would be Teams hunting. So in the hunting part of Sentinel, you can also go there into the search form in the same way as we did one slide before. We just enter Teams and then we see all hunting technologies and tactics here, which can be impact tactics, or persistence, or privilege escalation, and then we can see what's currently changing, what is with the current trend here. But see the overview about hunting techniques using Sentinel and looking at Microsoft Teams. The same could be done for SharePoint.
You can also start with your own custom hunting. We're not only picking one single technique or tactic, you make a combination. You also choose different entity types and you write your query. So it's a mixture of query, [INAUDIBLE] types, and then the technologies, the techniques, and tactics.
Let's go and discuss the difference between a playbook, a workbook, and a notebook. All three books are designed for SOC engineers, but the notebooks are more for deeper, more tier three, tier two level threat analysts and hunters. They are designed for, on the one hand, visualizations and reports, but the playbooks are more for automation of repeatable tasks.
So let's say you want to add external data remediations investigations, so repeatable tasks where you don't want to write code. No coding is needed. You just want to automate a repeatable task, then a playbook would be your preferred choice. If you would like to go more into the visualization, then you consider to use workbooks. Best thing is no coding is needed, but they're also limited.
And if you know how to write Python coding, you know how to write-- how to work with rich Python libraries and you want very complex scenarios, and you are a data scientist, and you know how to work with machine learning, then you can use notebooks, which are designed here for very advanced visualizations and advanced reports. There are two different rules for one playbook. There's the automation rule and the analytics rule.
And the automation rule, it's managed under the automation rules, not under the playbook blade, and it's very flexible. Let's say one rule could be called security incident were modified by accounts is automation. And the analytics rules, which are designed for the types called Anomaly, Fusion Machine Learning, ML Behavior Analytics, Security, and NRT, Scheduled, or Threat Intelligence.
If you want to start with the Teams Connector for Sentinel, then you just go here and install and deploy the Office 365 connector for Sentinel. And you just have to checkbox Teams, and also do it all the same for SharePoint and Exchange. That's the way how it can start working with Teams for Sentinel working with the Office 365 connector out of the box, delivered by Microsoft.
The next thing, the next step would be to accept the terms and conditions here, and to create it, there is a rich orchestration available for all resources. What's happening in the background with Logic Apps and the API access, reading and writing. And by the way, when we talk about Logic Apps, it's very important to see that Logic Apps can help you together with Power Automate to create a SOAR experience. And SOAR would be security orchestration, automation and response.
That's the way how it can collaborate using Microsoft Sentinel and Teams. So a security alert would not only reach your mailbox, would not only reach you, because then there's always the risk and danger that you're currently on vacation, on the beach, PTO, or you're busy and away it goes directly into your Teams where your SOC team, where your colleagues are, and they can help you. And you can have a conversation, a discussion, a collaboration around this security alert and it's not only stored and pushed into your Outlook mailbox.
Triggers for the SOAR Logic Apps can be when an incident is created or updated, when status was changed, like new, active, or closed, severity has changed, owners changed, playbook is run, or texts are added. Go to GitHub and get the latest, freshest, and free source code around Identity protection. There is a great playbook.
But you need a P2 license here. That's something what you need to consider. But this is a great place, GitHub.com/azure/azure-sentinel. Maybe it's going to rename to Microsoft Sentinel soon, but Google Search will help you.
Let's switch gears and go to SharePoint. SharePoint has published a-- or the SharePoint marketing team has published a blog post recently about the file activity schema, ASIM, and that's something where Sentinel can help SharePoint administrators. It helps with ransomware detection and file activities.
And that's how it can be audited. You can go directly into Sentinel. You go into the log part of Sentinel and just enter SharePoint in the search query, and then it offers you a few audits. For example, here the failed updating of Office 365 where it displays all the logs of failed attempts to update SharePoint here.
So these are the ways how you can get pre-defined queries, but also you can go to the KQL cheat sheet and other documentation to learn how to query SharePoint. But the most important favorites are displayed here in Sentinel. Just enter SharePoint as a search query. And then it can look like this. Here, I'm currently trying to find out which files were accessed in the last 24 hours in SharePoint and OneDrive, and it will-- if I'm going to click on Run, then immediately I'm going to see the results.
I talked a lot about connectors. Default, Office 365, here for Teams and for SharePoint relevant, but there are also third party connectors and also custom connectors, which are written by you or by your service provider, or somebody on the internet who shared it on GitHub. So it's important to control the quality.
And therefore, we have a Control Connector Quality report which shows what's happening with the connector, what are the up times and down times in the last seven days, 31 days. You can see the quality, the table size, heartbeat, wire data, whatever you would like to find out. But make sure to have a look into the connector quality and don't assume that everything runs fine. You need to control this connector quality in your Sentinel environment.
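The point about not assuming a connector is healthy can be checked outside the portal as well. As an added example, not code from the talk or a Microsoft tool, the Python below takes constructed heartbeat rows (source name and timestamp, the shape of what a heartbeat or ingestion-status table gives you) and reports, per source, the time since the last record and the longest silence in the period, flagging any source that has gone quiet for longer than a threshold. The source names, timestamps, the reference time NOW and the two-hour threshold are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed heartbeat rows: (data source, ISO 8601 timestamp). Names and
# times are made up for this example; a real check would read them from the
# workspace (e.g. a heartbeat or ingestion table) for the last 7 or 31 days.
SAMPLE_HEARTBEATS = [
    ("office365-connector", "2022-09-08T09:00:00"),
    ("office365-connector", "2022-09-08T10:00:00"),
    ("office365-connector", "2022-09-08T11:00:00"),
    # firewall syslog forwarder stopped sending during the night
    ("fw-syslog", "2022-09-06T22:00:00"),
    ("fw-syslog", "2022-09-07T01:00:00"),
    ("fw-syslog", "2022-09-07T03:00:00"),
    # endpoint agent had a 5-hour gap earlier but is reporting again
    ("edr-agent", "2022-09-08T06:00:00"),
    ("edr-agent", "2022-09-08T11:00:00"),
    ("edr-agent", "2022-09-08T11:45:00"),
]

# Reference point for "time since last heartbeat" (assumed, fixed for the example).
NOW = datetime(2022, 9, 8, 12, 0, 0)


def connector_status(heartbeats, now=NOW, max_gap=timedelta(hours=2)):
    """Per-source health summary computed from raw heartbeat rows.

    Returns a dict: source -> {last_seen, silent_for, longest_gap, stale}.
    A source is stale when nothing has been received for longer than max_gap.
    """
    times_per_source = defaultdict(list)
    for source, ts in heartbeats:
        times_per_source[source].append(datetime.fromisoformat(ts))

    report = {}
    for source, times in times_per_source.items():
        times.sort()
        # Longest pause between two consecutive heartbeats: past outages that a
        # "last seen" check alone would hide once the source recovers.
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        longest_gap = max(gaps) if gaps else timedelta(0)
        silent_for = now - times[-1]
        report[source] = {
            "last_seen": times[-1],
            "silent_for": silent_for,
            "longest_gap": longest_gap,
            "stale": silent_for > max_gap,
        }
    return report


def stale_connectors(heartbeats, now=NOW, max_gap=timedelta(hours=2)):
    """Names of sources that have been silent longer than max_gap."""
    status = connector_status(heartbeats, now, max_gap)
    return sorted(name for name, info in status.items() if info["stale"])


if __name__ == "__main__":
    for name, info in sorted(connector_status(SAMPLE_HEARTBEATS).items()):
        flag = "STALE" if info["stale"] else "ok"
        print(f"{name:20} last {info['last_seen']}  silent {info['silent_for']}  "
              f"longest gap {info['longest_gap']}  {flag}")
```

Two numbers are worth tracking separately: the time since the last record tells you a source is down now, while the longest gap inside the review window tells you it was down at some point even if it has since recovered, which is exactly the kind of blind spot a retrospective hunt would otherwise miss.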
I love visualizations. They're very helpful for me. I can definitely go here and go directly into Microsoft Teams and use Power BI in my Microsoft Teams environment and read out the value of Microsoft Sentinel. And that's the way how I can visualize table data, which maybe look like Excel sheets, but here you visualize it into very nice Power BI dashboards and diagrams, and everything is embedded inside of Microsoft Teams using Power BI integration. Read more about it at learn.microsoft.com/azure/sentinel/powerbi.
The architecture looks like there are connector sources, third party sources, and solutions. They go into records of the Azure monitor. It's connected through the log analytics workspace and read through the data sets of Power BI and then visualized. If you would like to know more about it, there's a strong recommendation to read the new book from Yuri Diogenes, Nicholas DiCola, Tiander Turpijn from the Microsoft Sentinel team. That's my favorite book, which I can definitely recommend to you.
Other way of practical investigations and visualizations with Sentinel would be to go on incident, and you need to click on every single incident and then you would also get a graphical visualization here. So that's not a complete holistic picture of your environment like you would get from SpecterOps BloodHound. You need to go deeper on incident level and then see the graphical investigations.
Let's talk about alert fatigue. Maybe you're also getting too many alerts about cybersecurity threats, configuration changes, log file entries, and you just have everything stored in your Outlook and you don't read them anymore. You just click on the emails. You ignore them or you just delete them because you're getting too many security alerts. What to do against this kind of alert fatigue?
Recommendation number one is to have native connectors which are relevant for you. So don't install 20, 30, 40, 50 connectors which are overwhelming. They sound interesting, but at the end, they will create an overwhelming amount of alerts. Rather, use the ones you really need for your projects for your customer for your focus. So it's all about focus and threat intelligence is going to help you also to focus.
Machine learning is helpful for you. Make sure to use this. And also automation with Microsoft Teams. Use Teams and delegate work in case you have a PTO time, you're on vacation. Use Microsoft Teams that your colleagues can help with the cybersecurity alerts and that not everything goes into your personal email box. And then you come back from the vacation, you have hundreds of alerts. That's not the way how it should look like.
Use watchlist and then also use these user and entity behavior analytics called UEBA. They also help you with this funnel to reduce the large amount of raw events and raw data and just find out what's really relevant in case of dangerous and normal. So that's helping you to reduce the amount of alerts, UEBA.
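The funnel described above, from many raw alerts down to a few incidents that deserve attention, can be shown in miniature. As an added example, not code from the talk and not Sentinel's own incident-grouping or UEBA logic, the Python below takes constructed raw alerts, folds repeated alerts for the same account within a time window into one incident, carries the highest severity, and raises the priority of incidents involving accounts on a watchlist. The alert names, accounts, the one-hour window and the severity ladder are assumptions for this example.

```python
from datetime import datetime, timedelta

SEVERITY_LEVELS = ["low", "medium", "high", "critical"]

# Constructed raw alerts: (ISO timestamp, rule name, account, severity).
# Seven alerts arrive in a day; three of them are the same alert for alice
# repeated within minutes, which is the "hundreds of emails" problem in small.
SAMPLE_ALERTS = [
    ("2022-09-01T08:00:00", "Suspicious sign-in", "alice@contoso.example", "medium"),
    ("2022-09-01T08:05:00", "Suspicious sign-in", "alice@contoso.example", "medium"),
    ("2022-09-01T08:07:00", "Suspicious sign-in", "alice@contoso.example", "medium"),
    ("2022-09-01T08:30:00", "Mass file download", "alice@contoso.example", "high"),
    ("2022-09-01T09:00:00", "Suspicious sign-in", "bob@contoso.example", "medium"),
    ("2022-09-01T09:02:00", "Suspicious sign-in", "bob@contoso.example", "medium"),
    ("2022-09-01T15:00:00", "Suspicious sign-in", "alice@contoso.example", "medium"),
]

# Watchlist of accounts that deserve extra attention (assumed: alice is an admin).
WATCHLIST = {"alice@contoso.example"}


def triage(alerts, watchlist, window=timedelta(hours=1)):
    """Group raw alerts into per-account incidents and assign a priority.

    An alert joins the account's open incident when it arrives within `window`
    of that incident's last alert; otherwise it opens a new incident. The
    incident priority is its highest alert severity, bumped one level when the
    account is on the watchlist.
    """
    ordered = sorted(alerts, key=lambda a: a[0])
    open_incident = {}   # account -> the incident still accepting alerts
    incidents = []
    for ts, rule, account, severity in ordered:
        t = datetime.fromisoformat(ts)
        inc = open_incident.get(account)
        if inc is None or t - inc["last_seen"] > window:
            inc = {"account": account, "first_seen": t, "last_seen": t,
                   "alert_count": 0, "rules": set(), "max_severity": "low"}
            incidents.append(inc)
            open_incident[account] = inc
        inc["alert_count"] += 1
        inc["rules"].add(rule)
        inc["last_seen"] = t
        if SEVERITY_LEVELS.index(severity) > SEVERITY_LEVELS.index(inc["max_severity"]):
            inc["max_severity"] = severity

    for inc in incidents:
        level = SEVERITY_LEVELS.index(inc["max_severity"])
        if inc["account"] in watchlist:
            level = min(level + 1, len(SEVERITY_LEVELS) - 1)
        inc["priority"] = SEVERITY_LEVELS[level]
        inc["rules"] = sorted(inc["rules"])
    return incidents


def reduction(alerts, incidents):
    """(raw alert count, incident count): how much the funnel compressed."""
    return len(alerts), len(incidents)


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, WATCHLIST)
    print("raw alerts -> incidents:", reduction(SAMPLE_ALERTS, result))
    for inc in result:
        print(inc["priority"].upper(), inc["account"], inc["alert_count"], "alerts", inc["rules"])
```

Here seven raw alerts become three incidents, and the one that combines a suspicious sign-in with a mass download on a watchlisted account surfaces at the top. Real UEBA adds a behavioural baseline per user and entity on top of this kind of grouping; the grouping and the watchlist bump alone are already enough to stop the same alert landing in a mailbox three times.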
At the end, I would like to share some resources around Microsoft Sentinel. There's a quick start, there's also learning resources, a playbook, how to post messages to Teams, playbooks on incidents, Sentinel blog posts. And the book I can really recommend from Yuri Diogenes and his colleagues.
Please let me know which questions here you have. Happy to answer them. You can also find me on social media. And thanks for being here and thanks for joining Virtual TEC 2022.
[MUSIC PLAYING]