What's new: User and Entity Behavior Analytics (UEBA) insights in the entity page!

by Contributed | Feb 17, 2021 | Technology

This article is contributed. See the original author and article here.

This blog post covers a new feature of the Azure Sentinel entity pages: four new UEBA-related insights to the insights panel.

When you encounter any entity (currently limited to users and hosts) in a search, an alert, or an investigation, you can select the entity and be taken to an entity page, a datasheet full of useful information about that entity. The types of information you will find on this page include basic facts about the entity, a timeline of notable events related to this entity, and insights into the entity’s behavior.

Entity pages consist of three parts:

• Entity info – located in the left-side panel, contains the entity’s identifying information, collected from data sources like Azure Active Directory, Azure Monitor, Azure Security Center, and Microsoft Defender.


• Activity timeline – The center panel shows a graphical and textual timeline of notable events related to the entity, such as alerts, bookmarks, and activities.


• Insights – The right-side panel presents behavioral insights on the entity. These insights help to identify anomalies and security threats quickly.

We’ve added four UEBA-related insights to the insights panel that this post will describe.

UEBA Insights

This insights section summarizes anomalous user activities – across geographical locations, devices, and environments; across time and frequency horizons (compared to user’s own history); compared to peers’ behavior, and compared to organization’s behavior.

Clicking on “See all anomalies” will present you with the specific anomalies associated with the user and the evidence.

UEBA Insights

User Peers Based on Security Group Membership

This insight presents the user’s peers based on Azure AD Security Groups membership. This provides the SecOps analysts with visibility to other users who share similar permissions as the user.

User Peers Based on Security Group Membership

User Access Permissions to Azure Subscription

This insight shows a user’s access permissions to the Azure subscriptions that it can access directly or transitively (via Azure AD groups or service principals). Clicking on “View detailed information” will present the Azure subscriptions’ names and the access method (directly or via which group/service principal).

User Access Permissions to Azure Subscription

Threat Indicators Related to The User

This insight shows the collection of known threats by threat type and family and enriched by Microsoft’s threat intelligence service, relating to IP addresses represented in the user’s activities.

Threat indicators related to the user

Going Forward

Try out the new insights provided by Sentinel UEBA and let us know your feedback using any of the channels listed in the Resources. We’re working on surfacing more interesting insights that will help you investigate entities faster. 

 Many thanks to Payal Rani & Rajvardhan Oak for contributing to the insights work

How to send Adaptive Cards with CLI Microsoft 365

by Contributed | Feb 17, 2021 | Technology

This article is contributed. See the original author and article here.

In this blog post I want to explain how you can send an Adaptive Card with CLI Microsoft 365. I will guide you from zero to hero :rocket:, so even if you don’t know anything about the CLI Microsoft 365 or about Adaptive cards, don’t stop reading, you will be able to do that in a few minutes- I promise!

What is CLI Microsoft 365?

Lets first get us all on the same page and clarify, what CLI Microsoft 365 is and why we should use it: It is a CLI (Command Line Interface) which let’s us manage Microsoft 365 from any kind of OS: It doesn’t matter if we work on Windows, MacOS or Linux. Previously, some configurations were only possible by PowerShell for Windows, which limited a lot of admins. But even if you work on Windows and are pretty fine with using PowerShell, CLI might be a nice alternative to try out.

How to use CLI Microsoft 365

I will now describe your first steps:

Install Node.js

To use the CLI Microsoft 365, you will need to install Node.js – Please follow these steps:

* go to https://nodejs.org/en/
* download the LTS version of Node.js
* install Node.js

If in doubt, if you have the correct version installed or if you need to use different versions of Node.js, please read Use Node Version Manager to develop your SPFx apps by Toni Pohl 

Install CLI Microsoft 365

Now that you have Node.js installed, we can continue with installing the CLI Microsoft 365. You can choose any shell you like: If you want to, you can use PowerShell or PowerShell in the Terminal in Visual Studio Code or whatever makes you happy. I like to use the PowerShell terminal in Visual Studio Code, because links render to be clickable and this saves me copy/pasting links into a new browser tab. But if you like to any other shell, that is perfectly fine as well. To install CLI Microsoft 365, run the command:

npm i -g @pnp/cli-microsoft365

In case you wonder:

* the `i` is an alias for `install`
* the `-g` means that we want to install this package globally
* it will take about 2 minutes

Login

Now that we installed CLI Microsoft 365, it’s time to actually do something here. But before we can get or post anything, we will need to log into our tenant. Pro Tip: You can use your your Developer tenant for this. If you don’t know, what this is, please go read What is a “Dev Tenant” and why would you want one? by Julie Turner

Run the following command:

m365 login

In response you will be asked to open a web browser and login with a code. If you are using Visual Studio Code, you can click on the link, please copy the code upfront.

After you pasted the code,

* click Next
* pick an account out of the list of accounts

You will be seeing this message and can close this browser tab- we won’t need it anymore.

Yay! You successfully logged in! You don’t believe that? Let’s check with CLI Microsoft 365 and run this command to get your status:

m365 status

and it will get your status for you:

If you want some inspiration, what you could do now, run this command:

m365 help

which gives you a list of things you can try, these are called command groups, as each of them can contain several commands. When you now choose one of the command groups and run for example this one:

m365 outlook

you will get the commands, that are available to you in this command group. Sometimes, you can go several levels deep-Just try them out!

What are Adaptive Cards?

Next thing we need to know is, what are Adaptive Cards and why would we want to use them? When we look at adaptivecards.io we can read the definition Adaptive Cards are platform-agnostic snippets of UI, authored in JSON, that apps and services can openly exchange. When delivered to a specific app, the JSON is transformed into native UI that automatically adapts to its surroundings. It helps design and integrate light-weight UI for all major platforms and frameworks. This means, that we get a nice method to share and display information without needing to know how to use HTML/CSS to render them correctly in different host applications. If you like to know more, please read Get started with Adaptive Cards by Tomasz Poszytek

How do we send an Adaptive Card with CLI Microsoft 365?

Now that we know what is an Adaptive Card, let’s have a look on how we get this sent by CLI. The documentation provides us with a sample and this sample needs to have a URL. Where do we get this from? This depends on where you want to send this Adaptive Card to. In this example, I want to use Microsoft Teams as host application and therefore we will need to create an incoming webhook in Teams.

Create the Webhook

If you have no clue what is a webhook, no problem, Rabia Williams got you covered with How to configure and use Incoming Webhooks in Microsoft Teams

* Open Microsoft Teams
* Click the ellipsis icon on the Teams channel that you want to send the Adaptive Card to
* Click Connectors
* Search for ‘webhook’

* Click Add
* Click Add (yes, yet again)
* Give your webhook a name
* If you like to, you can upload a picture- messages sent via this webhook (our Adaptive Card) will have this image then as Profile Pic – this step is optional.
* Click Create
* Copy the generated URL
* Click Done

This URL is the URL we will need in the command later – If you want to, paste it into a notepad or similar.

Author your Card

Now it’s time to author your card. You can do this in a lot of editors, I use either the Adaptive Cards Designer or the Adaptive Cards Viewer Extension in Visual Studio Code, but recently also found Adaptive Card Studio. You can also use one of the provided samples and use them as-is or adjust them to your needs.

If you feel like authoring your Card in Designer or Visual Studio Code is fine for you right now, go ahead with this, otherwise you can also use the examples that are provided in the documentation of CLI Microsoft 365. I used the last one, ‘Send custom card with card data’.

For everyone not very familiar writing and understanding code: We can make more sense of the snippet by copy/paste this into Visual Studio Code, and then press Alt+z to soft-wrap this and then separate the Adaptive Card from the rest:

* Select JSON in Language Mode
* Insert somenew lines right before the first `{`
* Delete the `’` at the beginning and the end of the snippet
* Format with Shift + Alt + f

Now go ahead and adjust the sample to work in your environment:

* replace the URL in the code with the URL that we copied when we added the webhook connector to Teams
* copy the whole code
* run it

!! Turned out, that there are some differences how to use quotes `’` or `”` – please consider which shell you are using before you copy/paste the code from CLI Microsoft 365 documentation.

Congratulations :rocket:- you sent your first adaptive Card with CLI.

## Feedback and what’s next?

I hope you liked this little post on how to get started with CLI Microsoft 365 and learning how to send an Adaptive Card with it. I would like to learn, for which use cases you would do this? Please comment below!

The Toolkit for Data-Driven SOCs

by Contributed | Feb 17, 2021 | Technology

This article is contributed. See the original author and article here.

Gauge the performance of your team and detections using our new out-of-the-box workbooks

Building a Security Operations Center (SOC) from scratch or revamping one is a daunting challenge. We have developed a “Toolkit” to help SOC managers and analysts improve performance. The toolkit is a powerful set of 3 workbooks, all customizable and easily accessible, that help you gauge the most fundamental metrics. With these workbooks, you can measure analysts’ efficiency, detection coverage, alert performance, and more.

We have enhanced the workbooks to provide cross-workspace support allowing for an effective single pane of glass view even in multi-workspace use cases. Each workbook gauges specific performance metrics.

The three workbooks are;

• Detection efficiency


• SOC efficiency


• Incident overview

Detection efficiency

The modern SOC handles multiple data sources and needs to detect threats and provide insights to the analyst. Since SOC resources are limited, a delicate balance must be struck between maximizing the detection of threats and minimizing the occurrence of false positives.

In the detection efficiency workbook, we try to provide different perspectives on detections.

• Alert rules – a holistic view of our detections provides us with insights into the detections’ overall coverage. In this section, we can see our MITRE ATT&CK framework coverage, overall rules status, rules that require attention, and a view of the detections suite.


• Alerts – in this view, we will look at the alerts created from our detections. Since not all rules will create incidents, we can monitor the noisiness of the detections and see which ones require tuning. In the alerts insights section, we provide insights into detections that are not firing and might require attention and track the load from different providers.


• Incidents – The load on the SOC is determined by the number of incidents we create. Here we can monitor which detections created incidents and the reasons incidents are closed. When looking at the incident load and the closing reason, we can deduce which detections require attention and tuning.

Iterating on all 3 views in a repetitive process will improve our detection efficiency, SOC performance, and, ideally, the organization’s detection suite. This continuous process should adapt our detections to the ever-changing security threat landscape.

There are two ways to access this workbook –

1. The workbooks gallery – You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu and selecting the Templates tab. Choose Detection efficiency from the gallery and click one of the View saved workbook and View template buttons.


2. The Analytics pane – You can find the new workbook in the Alert rules action panel at the top of the pane. If a saved workbook were created from the workbook template, the button would lead to the saved workbook. If not, it will lead to the workbook template. More details can be found in the documentation.

SOC efficiency

With the out-of-the-box security operations efficiency workbook template, you can monitor your SOC operations. The workbook contains the following metrics:

• Incident created over time.


• Incidents created by closing classification, severity, owner, and status


• Mean time to triage


• Mean time to closure


• Incidents created over time by severity, owner, status, product, and tactics.


• Time to triage percentiles


• Time to closure percentiles


• Mean time to triage per owner


• Recent activities


• Recent closing classifications

There are two ways to access this workbook –

1. The workbooks gallery – You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu.


2. The incidents pane:  You can find the new workbook in the Incidents action panel at the top of the pane. If a saved workbook was created from the workbook template, the button would lead to the saved workbook. If not, it will lead to the workbook template. More details can be found in the documentation.

Incident overview

With this out-of-the-box Incident overview workbook template, you can customize the data your analysts get on a given incident, including a view of auditing data, recommendations, and more on a given incident. The workbook contains the following metrics:

• Incident’s title, alerts, status, bookmark, severity, owner, etc.


• Closing reasons of similar incidents


• Recent actions that were taken on the incident


• Incident’s comments


• Time to closure/triage

There are 2 ways to access this workbook –

1. The workbooks gallery – You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu.


2. The incidents pane – You can find the new workbook in the Incident preview panel on the incidents list’s right side. If a saved workbook was created from the workbook template, the button would lead to the saved workbook. If not, it will lead to the workbook template.

Thanks to all the reviewers @Ofer_Shezaf, @Yechiel_Levin, @mariasvc, @krisquick, and @Sarah_Young, and special thanks to @romarsia for the collaboration