How to setup a Canarytoken and receive incident alerts on Azure Sentinel

This article is contributed. See the original author and article here.

With Azure Sentinel you can receive all sorts of security telemetry, events, alerts, and incidents from many different and unique sources: firewall logs, security events, and audit logs from identity and cloud platforms, to name a few. In addition, you can create digital trip wires and send that data to Azure Sentinel. Ross Bevington first explained this concept for Azure Sentinel in “Creating digital tripwires with custom threat intelligence feeds for Azure Sentinel”. Today you can walk through expanding your threat detection capabilities in Azure Sentinel using honey tokens, in this case Canarytokens.

What is a honey token? A honey token is a digital artifact, such as a Word document, Windows folder, or JavaScript file, that acts as a digital trip wire: when it is opened or accessed it alerts you that it has been used, for example by making an HTTP GET call to a public-facing URL or IP. The key is to name and place the token so that an attacker would want to investigate and exfiltrate the artifact, while also reducing false positives from normal users. One way to do this is to create a separate folder outside the normal directory structure. This could take the form of naming a Word document High Potential Accounts.docx and then placing it in a Sales share, but inside two more nested directories.

The other key is to make the digital artifact searchable or easily found: you want the attacker to see the token and access it. You can also sprinkle these honey tokens throughout the network and in different use cases beyond that. The key here is ensuring that the honey token is in a visible location and can be found by a directory search using normal user credentials.

As with most things, a balanced approach should be taken with honey token names and placement. Think through where in the cyber kill chain you want the digital trip wire, and how to make the token enticing to an attacker while also reducing false positives from normal employees and routines.

Honey tokens are not a new concept, but the approach described below, using a service called Canarytokens, is a bit newer. Canarytokens is a free service provided by Thinkst that generates different types of tokens and provides the back-end trip wire logging and recording. The service allows you to focus on the naming and placement specific to your industry and business rather than building a public-facing URL that logs and collects the tokens being tripped. Thinkst also has a paid service that includes many useful features.

In the example below you will walk through creating a free Canarytoken (a honey token as described above) through the Canary service, and use it to update Azure Sentinel when it is triggered.

To begin, deploy the Logic App Ingest-CanaryTokens here. The Logic App will act as a listener and will provide a URL you can use when generating the Canarytoken.

To deploy the Logic App, fill in your Azure Sentinel workspace ID and key.

deployla.png

Once deployed, go to the Logic App and in the Overview click on the blue link: See trigger history

laurl.png

Copy the URL from the following field: Callback url [POST]

laurl2.png

With this Logic App and its callback listening URL you can now generate a Canarytoken.

To create the Canarytoken, go to the Canarytokens website and:

  1. Choose Microsoft Word Document.

  2. Fill out your email address, enter a <SPACE>, and paste the Logic App callback URL.

  3. In the final field enter a description (see below).

You will also use the description to carry your entities for Azure Sentinel. Use a comma as a separator between the pieces of entity information you want to capture when the wire is tripped.

Be descriptive about which server share or OneDrive the Canarytoken will be placed in. Because you will generate several different tokens, the descriptive notes will come through in the alert that is triggered, ensuring you will be able to dive further into that server or service to investigate the attacker's further activity.

In this example you could use the following fields, in this order:

Name: Computername
Descriptor: The computer name where the Canarytoken is hosted
Azure Sentinel parsed column name: CanaryHost

Name: Public IP
Descriptor: The public IP of the internet egress where the token is hosted; can be used to correlate whether the token was launched from within the data center or from the known public IP of the server
Azure Sentinel parsed column name: CanaryPublicIP

Name: Private IP
Descriptor: The private IP of the computer where the token is hosted; can be used to correlate with additional logs in firewalls and other IP-based logs
Azure Sentinel parsed column name: CanaryPrivateIP

Name: Share Path
Descriptor: The share path the Canarytoken is hosted at; helps indicate where a scan or data compromise took place
Azure Sentinel parsed column name: CanaryShare

Name: Description
Descriptor: Helps provide additional context for the SOC analyst about the purpose of the Canarytoken and its placement
Azure Sentinel parsed column name: CanaryDescription

Example:

FS01,42.27.91.181,10.0.3.4,T:\departments\sales\hipo\specials,token placed on FS01 available to all corporate employees and vendors

  4. Once completed, click Create my Canarytoken.

gentoken.png

Check out the further use cases shown for where Canarytokens can be placed, then go ahead and download your MS Word file.

downloadtoken.png

Notice that the file name that downloads is the Canarytoken id itself. This Word document name is not very compelling for an attacker to discover, exfiltrate, and investigate, so you should rename the file immediately to something more compelling.

You want to grab the attention of an attacker searching for valuable information. Remember that the overarching goal for most attackers is obtaining key corporate data; the Canarytoken helps alert you to a violation of the confidentiality, integrity and availability of that data. A name like Project Moonshot placed in a NextGeneration folder could help entice. A document name like High Potential Account List in a Sales team folder may also do the trick. Be creative about what data could be valuable in your industry and business.

In this example we used White Glove Customer Accounts.docx.

renametoken.png

To make the document seem more legitimate you can use the website Mockaroo (a random data generator and API mocking tool that exports JSON, CSV, SQL and Excel) to generate random, fictitious data easily. Here you can create what appears to be a customer account list with account numbers and email addresses.

mockaroogendata.png

Once you have filled out the fields you want, download a CSV sample by clicking the green Download Data button. Open it with Excel and adjust the rows and columns so it is nicely formatted. With the table looking presentable, copy the content from Excel, open the Word document Canarytoken, paste the content in and save the document.

pastedwordtoken.PNG

You now have a Canarytoken that looks authentic and hopefully will not arouse the attacker's suspicion, but will be visible and greatly entice them to exfiltrate and open it. Continue to explore Mockaroo and the data you can generate; it is a very easy-to-use and helpful tool.

Now find a home for the Word document: in a file share on a file server, or as an email attachment in an executive's mailbox. Again, think back to the description you gave it and place the token where that description says, so that in the worst case, when you are attacked, the alert tips you off to where on your network to focus your further investigation in the logs and events you are collecting in Azure Sentinel.

To test this, open the Word document on your computer or on another server or computer with Word. When Microsoft Word opens the document, a .1 by .1 image in the header and footer that points at a remote URL causes an HTTP GET call to the Canarytoken endpoint you created earlier. Once this occurs you will receive an email with details like the one below.

email.png

Be sure to also check out the More info on this token here link, which will provide more geo information on the public IP that opened the document and also whether it came from a known Tor browser or not.

canaryhistory.png

You can also download a JSON or CSV file of the detailed information found in the incidents generated when the Canarytoken was opened.

In addition to the email, the Logic App listener will be invoked; it takes the incident data, enriches it a little further and sends it to Azure Sentinel into a custom logs table named CanaryTokens_CL.

lalogsearch.png

Some of those enriched fields include geo information on the public IP address that triggered the Canarytoken. There is also information parsed from the memo field, covering the specifics of the Canarytoken's placement in your environment and its objectives, and some logic to tell you whether the canary was triggered on the host itself. Finally, string fields for URLs have been populated so you can review the management and history of the Canarytoken if you need to pivot from Azure Sentinel to the Canarytoken while investigating.

You can now use Azure Sentinel to raise a high-priority incident and work it with case management. You can also correlate the logs and data with other data Azure Sentinel collects, further helping you investigate the incident.

Below is an example scheduled query rule for Azure Sentinel that you can use while following this walkthrough. Step-by-step instructions are here.

id: 27dda424-1dbe-4236-9dd5-c484b23111a5
name: Canarytoken Triggered
description: |
  'A Canarytoken has been triggered in your environment, this may be an early sign of attacker intent and activity,
  please follow up with Azure Sentinel logs and incidents accordingly along with the Server this Canarytoken was hosted on.
  Reference: https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html'
severity: High
requiredDataConnectors:
  - connectorId: Custom
    dataTypes:
      - CanaryTokens_CL
queryFrequency: 15m
queryPeriod: 15m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Discovery
  - Collection
  - Exfiltration
relevantTechniques: []
query: |
  CanaryTokens_CL
  // memo_s holds the comma-separated placement details entered when the token was generated
  | extend Canarydata = parse_csv(memo_s)
  | extend CanaryHost = tostring(Canarydata[0]), CanaryPublicIP = tostring(Canarydata[1]), CanaryPrivateIP = tostring(Canarydata[2]), CanaryShare = tostring(Canarydata[3]), CanaryDescription = tostring(Canarydata[4])
  // true when the trip came from the hosting server's own public IP
  | extend CanaryExcutedonHost = iif(CanaryPublicIP == src_ip_s, true, false)
  | extend timestamp = TimeGenerated, IPCustomEntity = src_ip_s //,AccountCustomEntity = user_s, HostCustomEntity = computer_s
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
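
The memo convention from the table above and the parse_csv step of this rule, modelled as an added Python example (not part of the original post or of the Ingest-CanaryTokens Logic App): it builds a memo with the five fields in the order the rule expects, splits it the way parse_csv does, flags a memo whose description contains an unquoted comma (which would shift every column after it), and computes the executed-on-host check. The column names are the rule's own; the sample memo and event are constructed, and the check is spelled CanaryExecutedOnHost here rather than the rule's CanaryExcutedonHost.

```python
"""Added example, not from the original post or the Ingest-CanaryTokens
Logic App: models the memo convention and the rule's parse_csv() step."""
import csv
import io
import ipaddress

# Column names used by the scheduled query rule; the order is the order the
# values are typed into the Canarytoken description (memo) field.
MEMO_COLUMNS = ("CanaryHost", "CanaryPublicIP", "CanaryPrivateIP",
                "CanaryShare", "CanaryDescription")


def split_memo(memo):
    """Split like KQL parse_csv(): comma separated, double-quote quoted."""
    return next(csv.reader([memo]))


def build_memo(host, public_ip, private_ip, share, description):
    """Build the memo string. csv.writer quotes any field that contains a
    comma or quote, so a free-text description cannot shift the columns."""
    buf = io.StringIO()
    csv.writer(buf).writerow([host, public_ip, private_ip, share, description])
    return buf.getvalue().rstrip("\r\n")


def parse_memo(memo):
    """Name the columns as the rule does. Missing trailing columns become
    None instead of raising, mirroring tostring() on an absent element."""
    fields = split_memo(memo)
    return {name: (fields[i] if i < len(fields) else None)
            for i, name in enumerate(MEMO_COLUMNS)}


def validate_memo(memo):
    """Return the problems an analyst would otherwise discover at query time."""
    problems = []
    if len(split_memo(memo)) != len(MEMO_COLUMNS):
        problems.append("memo does not split into exactly 5 columns")
    parsed = parse_memo(memo)
    for col in ("CanaryPublicIP", "CanaryPrivateIP"):
        try:
            ipaddress.ip_address(parsed[col] or "")
        except ValueError:
            problems.append(f"{col} is not a valid IP address")
    return problems


def enrich(event):
    """Apply the rule's extend steps to one CanaryTokens_CL row.
    `event` carries the custom-log columns memo_s and src_ip_s."""
    row = dict(event)
    row.update(parse_memo(event["memo_s"]))
    # Spelled CanaryExcutedonHost in the rule on this page: true when the
    # trip came from the hosting server's own public egress IP.
    row["CanaryExecutedOnHost"] = row["CanaryPublicIP"] == event["src_ip_s"]
    row["IPCustomEntity"] = event["src_ip_s"]
    return row


if __name__ == "__main__":
    # Constructed sample: the page's example memo, with a comma added to
    # the description to show why quoting matters.
    memo = build_memo("FS01", "42.27.91.181", "10.0.3.4",
                      r"T:\departments\sales\hipo\specials",
                      "token placed on FS01, available to all employees")
    print(memo)
    print(validate_memo(memo))  # []
    unquoted = "FS01,42.27.91.181,10.0.3.4,T:\\share,placed on FS01, open to all"
    print(validate_memo(unquoted))  # ['memo does not split into exactly 5 columns']
    print(enrich({"memo_s": memo, "src_ip_s": "42.27.91.181"})["CanaryExecutedOnHost"])  # True
```

Run validate_memo on each description before generating a token; once the token is created the memo cannot be edited, so a shifted column will persist in every alert.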

Once you have created the rule, open the Canarytoken Word document one more time to generate an alert.

Within 15 minutes or so a new Azure Sentinel incident for the triggered Canarytoken will appear; your SOC can now use the logs fed into Azure Sentinel to correlate and investigate further.

incident.png

In addition, the Investigation graph is also populated with the public IP address from which the token was triggered.

investigate.png

Tweak the custom entities to your liking. Another option is to map an entity to where the Canarytoken was placed, to bolster the pivots available in the Investigation graph. The alert sample above parses the comma-separated memo field you filled in earlier when generating the Canarytoken.

parsealert.png

In this article you learned about honey tokens and a Canary service, how to use Canarytokens in your environment, and how to integrate the enriched alerts into Azure Sentinel, raising awareness of a potential attacker and of data exfiltration that may have occurred.

You have just scratched the surface of the concept of honey tokens. If you are interested in learning more in depth, I highly recommend Chris Sanders' book Intrusion Detection Honeypots, which is an excellent resource.

Special thanks to:

@Ofer Shezaf for reviewing this post

@Chris Sanders for inspiration and information on the topic of Honey Tokens

Holiday Shopping with Microsoft Bing and Microsoft Edge

This year Microsoft has released some features to make shopping a little easier. Today I’ll walk you through how I use Microsoft Edge and Bing in tandem to get my gift-giving done in record time while shopping for my Mom, Dad, and younger brother.

First off, I’ve set up a Collection in my MSFT Edge browser to keep my gift ideas straight by using notes. (This is an awesome article about how to use Collections.) I like to organize my collection with Notes first so I can keep on track.

Holiday Shopping Collections Creation with Notes.gif

Really-Honey-Just-Send-Me-A-Picture Gift: Mom

Now that I have that out of the way, I’m going to start looking through Microsoft Bing to see if I can find some inspiration for mom’s gift.

Alyxe_1-1607380190802.jpeg

My mom is someone who has excellent taste in fashion but won’t drop money on herself very often. After poking around in the gift guide and selecting “Gifts for Women” I saw “Designer Handbag” in the Gift Ideas for Women carousel at the top of the page—perfect!

Alyxe_2-1607380190810.png

I know my mom loves Michael Kors, so I’ll filter my results to show Michael Kors handbags between $0 and $100. For the first pass, there are some good options, but nothing I think would be quite her style. So, I’ll expand my price range to $150, which brought up a cute clutch at $148.50. Since this is a bit out of my price range, I dragged it to the Price Track Collection in Bing Shopping so I can check on it to see if the price drops into my range later. If dragging and dropping isn’t your thing you can also turn price tracking on in the product overview, which will automatically drop the item into your Price Track Collection in Bing Shopping. With that figured out, I can update my note for Mom’s Gift in my Holiday Shopping collection in the Microsoft Edge browser and start searching for dad’s gift.

Alyxe_3-1607380190818.png

The-Chef-Who-Has-Everything Gift: Dad

Alright, one down, two to go. Dad is up next. With the pandemic this year, my dad has been playing it safe and not eating out, easy to do when you’re a chef! When it comes to kitchen gadgets, he has them all, but what he doesn’t have is tools to make cocktails at home. The tools I’m looking for are a mixing glass or a set of tins, a mixing spoon, jigger, orange peeler, cocktail strainer, and a set of small tongs. This should be a good assortment of tools for him to use to make just about any cocktail.

Alyxe_4-1607380190897.png

After the first search results pulled up I realized that doing this piece by piece will get expensive quickly since a mixing glass can easily be upwards of $45. I’m going to try and find a Cocktail kit that’s good quality, has the tools I want for my dad and is less than $100. As a bonus, I’m going to try and see if I can find something from a small business. To pinpoint what I’m looking for, I’m going to search for “Cocktail Mixing Kit” and filter by Etsy.

Alyxe_5-1607380190966.png

And there we have it! Within a minute I was able to find the perfect Cocktail Mixing Kit from a small business listed on Etsy. Looking at the comprehensive product information I can see that this 20 piece set is on sale for 15% off. Score! I saved this to my “Holiday Shopping” collection under the sticky Note for dad and now I’m off to the next.

The-I-Don’t-Want-Anything Gift: Brother

Finally, it’s time to find something for my brother. When we were younger I’d know months in advance what I was going to get him, but now that we’re adults it’s a bit harder. Since I’m not sure what my brother is into right now, I’d like to find something that is from a store that I know he shops at in case he wants to exchange it. Based on what I can find in the Deal Hub I’m going to check out Kohl’s and as luck would have it, this site has coupons!

Bing holiday Shopping - Kohl's has Coupons.png

(Learn more about Microsoft Shopping in our Microsoft Edge Insiders.) And there it is, a valet tray! Perfect, it’s useful and simplistic and easy to return/exchange if needed.

MSFT Edge Collections-Holiday Shopping-Completed.png

Now that I can see what I’m getting for everyone, I can rest easy knowing that I’ve got my holiday shopping completed.

Happy Holidays,

Alyxandria (she/her)
Community Manager – Bing Insiders

Apache Releases Security Update for Apache Struts 2

Original release date: December 8, 2020

The Apache Software Foundation has released a security update to address a vulnerability in Apache Struts versions 2.0.0 to 2.5.25. A remote attacker could exploit this vulnerability to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache Security Bulletin S2-061 and apply the necessary update or workaround.

Introduction to PowerShell

PowerShell is a command-line shell and a scripting language, all in one. You can use PowerShell for script automation, to run batches of commands, to control resources in the cloud and much more. It started out with automation on Windows, but nowadays there’s PowerShell Core, which works on Linux, macOS and Windows.

PowerShell is one of those “great to have” tools if you are considering a career in Ops or DevOps. The LEARN platform, found at aka.ms/learn, has just released the first module dedicated to the PowerShell language. The module is meant for beginners and explains things such as:

  • Understand what PowerShell is and what you can use it for.

  • Explore cmdlets.

  • Construct a sequence of cmdlets in a pipeline.

  • Apply sound filtering and formatting principles to your commands.

There’s also a PowerShell extension for VS Code that can speed up the authoring process, which I think you should check out. Here is the link to learn more and download the PowerShell extension for VS Code.

SAP Releases December 2020 Security Updates

Original release date: December 8, 2020

SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. These include a missing authentication check vulnerability affecting SAP NetWeaver AS JAVA (P2P Cluster Communication).

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the SAP Security Notes for December 2020 and apply the necessary updates.

The “Planner” app name in Teams has changed to “Tasks by Planner and To Do”

When we first announced the public preview of Tasks in Teams, we also announced a three-stage naming sequence for how the app name would appear in Teams. The timing of that original sequence has since changed, which we noted in an Oct. 30 update to the general availability blog.

Today, we’re very pleased to announce that we’ve hit Stage 2 in the sequence. This changes the Tasks in Teams app name to Tasks by Planner and To Do from Planner, the original app name, for all non-government users. The app icon has changed to its final form, too. Both changes also apply to the Planner tab in Teams channels. When adding that tab, you can search “Planner,” “To Do,” or “Tasks” to find it.

The goal of this sequence is to help all customers easily find the new hero task management app in Teams. We believe Tasks by Planner and To Do better reflects the app’s functionality—it combines team tasks from Planner and individual tasks from To Do—so that customers who don’t closely follow Microsoft news will start (or continue) using the app with confidence.

Here’s where we stand currently.

namingsequence_stage2.png

Please note, this does not affect the functionality of Tasks in Teams in any way; the name and icon changes are merely cosmetic. The name change also does not impact the Planner or To Do standalone apps.

We’ve also added a banner inside the app announcing the name change.

namingsequence_banner.png

Although this is a big change, it’s a temporary one. Stage 3 is right around the corner, and our goal is to start rolling out the final app name, Tasks, in the coming months. We’ll make sure to communicate that rollout here and in Teams when the time comes.

If you have any questions about the current name change, leave a comment below and we’ll get back to you. And keep checking our Tech Community Blog site for the final naming sequence announcement and other product news.

But the hire is not so delightful

This article was originally posted by the FTC. See the original article here.

On this 3rd day of Consumer Protection, we’re talking about earning some extra cash.

For lots of us, the holiday season is a good time to pick up some part-time work. It’s when retailers and delivery services need extra help. And, especially during the pandemic, many of us could use the cash. So how can you spot and avoid a job scam, whether for a temporary or permanent position?

A Developer's Guide to IoT (Online Event)

Learn to develop real-world Internet of Things solutions built with Microsoft Azure services from experts from around the world!

aaa-iot-large.PNG

In this single-day event, we will cover topics ranging from IoT device connectivity, IoT data communication strategies, use of artificial intelligence at the edge, data processing considerations for IoT data, and IoT solutioning based on the Azure IoT reference architecture. At the end of this event, you will have the knowledge to begin your journey to become a certified Azure IoT Developer!

No matter your time zone, you can attend the event on January 19, 2021!

Session times by region:

Asia Pacific: 08:30 – 10:00 IST / 14:00 – 16:30 AEDT / 03:00 – 05:30 GMT / 19:00 – 21:30 PST
Europe & Africa: 11:00 – 13:30 GMT / 16:30 – 19:00 IST / 22:00 – 00:30 AEDT / 03:00 – 05:30 PST
Americas: 09:00 – 11:30 PST / 17:00 – 19:30 GMT / 22:30 – 01:00 IST / 04:00 – 06:30 AEDT*

Register Now

Experiencing Data Access Issue in Azure portal for Log Analytics – 12/08 – Investigating

Initial Update: Tuesday, 08 December 2020 13:03 UTC

We are aware of issues within Log Analytics and are actively investigating. Some customers may experience data access issues in Australia South East region.
  • Work Around: None
  • Next Update: Before 12/08 17:30 UTC
We are working hard to resolve this issue and apologize for any inconvenience.
-Sandeep