Azure Sentinel is a cloud-native SIEM that provides several ways to import threat intelligence data and use it across the product: hunting, investigation, analytics rules and workbooks. It lets customers apply threat intelligence to find actionable threats.
Anomali Match is a high-performance security solution that detects threats within data observed by Sentinel and identifies the point of origin of an attack, going back more than 5 years. With this intelligence, Match gives security teams the ability to investigate associated global threats, actors, techniques and potential future attacks, and their impact on an organization's security posture.
Today we want to highlight the availability of a new integration between Azure Sentinel and Anomali Match, which will allow you to:
- Bring in logs using a simple Kusto Query from Azure Sentinel into Anomali Match
- Correlate logs with millions of Threat Intelligence records imported within Anomali Match to create detection alerts
- Export the alerts created by these matches back into Azure Sentinel as Common Event Format (CEF) logs, and then create incidents on top of them for triage by your organization's Security Operations Center analysts.
Anomali Match + Microsoft Azure Sentinel Solution
The Anomali Match and Azure Sentinel integration provides a bi-directional flow of data between the two products. With this integration, Azure Sentinel users can export log data out of Sentinel into Anomali Match. This is done by registering an application in Azure Active Directory that can access the Log Analytics workspace, and then configuring the Azure Sentinel log source on the Universal Link through the Anomali Match interface. Once the log data is imported into Anomali Match, it is matched against the threat intelligence held in Anomali Match to generate alerts. These alerts can then be pushed back to Azure Sentinel using a CEF over Syslog collector. This brings high-fidelity alerts from Anomali Match into the CommonSecurityLog table of Azure Sentinel, from where customers can generate incidents using simple KQL-based scheduled rules and make them available for triage in Azure Sentinel. The device vendor for all these alerts is set to Anomali Match.
This blog will give a walkthrough of the process of importing event data from Azure Sentinel into Anomali Match and then exporting alerts generated in Anomali Match back to Azure Sentinel for triage.
Importing logs from Azure Sentinel into Anomali Match
Collecting logs from Azure Sentinel and importing them into Anomali Match involves the following two steps:
1. Register an application in Azure Active Directory to access the log analytics workspace.
2. Configure the Azure Sentinel log source on the Universal Link through the Anomali Match Interface.
Register an application in Azure Active Directory to access the Log Analytics Workspace
To import logs from Azure Sentinel into Anomali Match, you need to register an application that will be granted access to the Log Analytics workspace behind Azure Sentinel. Use the following steps to do so:
1. Open the Azure Portal and navigate to the Azure Active Directory.
2. Navigate to the App Registration option under Manage menu.
3. Select New Registration.
4. Enter the following information:
a. Name: This is a user-friendly name of the application. For example, Anomali Match for Log Analytics.
b. Supported account types: This is to decide who can use the application and access it.
c. Redirect URL: This can be left blank.
5. Click Register.
6. Once the app is registered, copy the Application (client) ID and Directory (tenant) ID. You will need these later to configure the Azure Sentinel log sources in Anomali Match.
7. Select Certificates & secrets from the Manage menu.
8. Click the New client secret option.
9. Enter a Description and select the Time-to-live for the new secret and click Add.
10. Copy the Value of the secret. You will need this later to configure the Azure Sentinel log sources in Anomali Match.
11. Select API permissions from the Manage menu.
12. Click Add a permission.
13. Navigate to the APIs my organization uses tab in the dialog box that opens and search for Log Analytics API.
14. Select Delegated Permissions and type the required permission, Data.Read, in the Select permissions text box. Select the permission and click Add.
15. Navigate to the Log Analytics workspace that contains the Sentinel logs. To do so, search for Log Analytics Workspaces in the Azure Portal and select the workspace that contains the Azure Sentinel logs. Copy the Workspace ID from the Overview page. You will need this to configure the Sentinel log sources in Anomali Match.
16. Navigate to the Access Control (IAM) menu of the workspace. Click Add -> Add role assignment. Select Log Analytics Reader from the role dropdown. Enter the name of your application in the Assign access to > Select text box. Once the name is visible in the list, select it. Click Save.
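Before handing the tenant ID, client ID, secret and workspace ID to Anomali Match, it is worth confirming that the registration can actually query the workspace. The following is an added example (not code from the post, from Microsoft or from Anomali) that performs that pre-flight check with the same client-credentials grant a service such as the Universal Link uses; it assumes, as step 16 implies, that the Log Analytics Reader assignment is what authorises the app-only token, and the KQL it sends is a placeholder for whatever you will later enter as Search Query 1.

```python
import json
import os
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
LA_API = "https://api.loganalytics.io"


def build_token_request(tenant_id, client_id, client_secret):
    """(url, form body) for an app-only token scoped to the Log Analytics API.
    The client-credentials flow does not use delegated scopes, so the app is
    authorised by its Log Analytics Reader assignment (step 16), an assumption."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{LA_API}/.default",
    }).encode()
    return url, body


def build_query_request(workspace_id, token, query, minutes):
    """(url, headers, JSON body) for the Query API. The ISO 8601 timespan plays
    the role of Match's interval schedule: PT10M matches the 10-minute default."""
    url = f"{LA_API}/v1/workspaces/{workspace_id}/query"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps({"query": query, "timespan": f"PT{int(minutes)}M"}).encode()
    return url, headers, body


def row_count(result):
    """Rows across all tables in a Query API response body."""
    return sum(len(t.get("rows", [])) for t in result.get("tables", []))


def _post(url, body, headers=None):
    req = urllib.request.Request(url, data=body, headers=headers or {}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Values copied from the portal in steps 6, 10 and 15, supplied via the environment.
    env = {k: os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", "WORKSPACE_ID")}
    token = _post(*build_token_request(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"]))["access_token"]
    url, headers, body = build_query_request(env["WORKSPACE_ID"], token, "SecurityEvent | take 5", 10)
    print("rows returned:", row_count(_post(url, body, headers)))
```

A 401 or 403 here points at the secret or the role assignment, respectively, before the Universal Link ever logs an error.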
Configure the Azure Sentinel log source on the Universal Link through the Anomali Match Interface
Now that the application that accesses the Log Analytics workspace is configured, we can use the Anomali Match Universal Link to add log sources in the Anomali Match user interface. To add log sources, follow these steps:
Add Azure Sentinel as a log source to Match
1. Click the gear icon at the top right.
2. Click Links from the left side. The list of configured links is displayed.
3. Identify and click the Universal Link to which you want to add the new log source. The link must be online.
4. Click the plus icon at the top right. The Add a Log Source popup displays the log sources available from the Link.
5. Click on the Azure Sentinel icon.
6. Enter a Data Source Name for the log source. Optionally, enter a Data Source Description, a short description of the source.
7. Configure settings related to your application as registered in Azure Active Directory (steps to which are given in the section Register an application in Azure Active Directory to access the Log Analytics Workspace above).
8. Click Use Proxy if you wish to use a proxy.
9. Click Next.
10. Enter the query string in the Search Query 1 field. This defines what data will be retrieved from the log source. The query syntax is:
A sample query is below:
Click the plus sign to add another query against the same Sentinel table, then enter the additional query statement in the new field.
11. Enter the Interval Schedule. This is the time between each query run; the default is 10 minutes.
12. Click Backfill Enabled if you want to specify how far back in time to go in the log source to fetch data. This is an optional field.
Use one of the following formats to specify your backfill period:
13. Enter the Drilldown Settings as mentioned below:
14. Click Save.
The configuration for pulling data from Azure Sentinel into Anomali Match is now complete. Once the data is imported into Anomali Match, it is matched against the threat intelligence indicators in Anomali Match to generate alerts. You can view these alerts in the Anomali Match portal:
You can also drill down indicator details from the alerts to see additional context information about the indicator in the Anomali Match portal:
Exporting alerts from Anomali Match into Azure Sentinel
If you would like to import the Anomali Match alerts back into Azure Sentinel for further investigation and hunting, you can do so by setting up the CEF over Syslog connector. To do so, follow these steps:
1. Create a Workflow for exporting alerts to Azure Sentinel in the Anomali Match portal. This can be done by clicking the Alerts option on the top bar.
2. In the Rule Workflow window, enter a Rule Name and Source. You can add Filters to decide which alerts you would like to export back to Azure Sentinel. In the Actions tab, you can configure forwarding using Syslog.
Once the alerts are imported into the CommonSecurityLog table of Azure Sentinel, you can generate incidents from them using simple KQL-based scheduled rules, which makes them available for triage under the Incidents tab in Azure Sentinel. The scheduled rule simply filters on the device vendor, since the device vendor for all these alerts is set to Anomali. Use the following steps to do so:
1. Open the Azure Portal and navigate to the Azure Sentinel.
2. Navigate to the Analytics tab under the Configuration menu.
3. Click on the Create -> Scheduled query rule option.
4. Add a Name for the analytics rule and make sure that the rule is Enabled. You can also add a Description for the rule and Tactics.
5. Click the Next : Set Rule Logic button and add the KQL query. A sample query that you can use to generate incidents from the Anomali Match alerts is as follows:
CommonSecurityLog
| where DeviceVendor == "Anomali"
6. Enable Alert grouping on the Incident settings page and playbooks (if any) on the Automated response page.
7. Create the rule on the Review and Create tab.
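To see what that rule is keying on, the following added example (not code from the post, from Microsoft or from Anomali) parses CEF-over-Syslog lines into the same header columns the Sentinel CEF connector populates in CommonSecurityLog, then applies the DeviceVendor filter from the sample query. The sample lines are constructed; the vendor string your Match deployment actually emits should be checked against the rule before relying on it.

```python
import re

# Constructed sample syslog lines: one Anomali Match alert, one unrelated event.
SAMPLE_SYSLOG = [
    "<134>Jan 10 12:00:00 match-host CEF:0|Anomali|Match|4.0|100|Indicator match \\| ip|8|"
    "src=198.51.100.23 dst=10.0.0.5 msg=Matched threat feed cs1Label=Severity cs1=high",
    "<134>Jan 10 12:00:01 fw01 CEF:0|ExampleVendor|Firewall|1.0|200|Deny|3|"
    "src=10.0.0.9 dst=10.0.0.5",
]
# CommonSecurityLog column names for the six CEF header fields after the version.
HEADER_COLUMNS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity")


def _split_header(text, pipes):
    """Split the first `pipes` pipe-delimited header fields, honouring the CEF
    escapes \\| and \\\\; the remainder (the extension) is returned verbatim."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < pipes:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
            continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(parts) < pipes:
        return None                      # malformed: too few header fields
    parts.append(text[i:])
    return parts


def parse_cef(line):
    """Return header columns plus extension key=value pairs, or None if not CEF."""
    start = line.find("CEF:")
    fields = _split_header(line[start + 4:], 7) if start >= 0 else None  # version + 6 headers
    if fields is None:
        return None
    record = dict(zip(HEADER_COLUMNS, fields[1:7]))
    # Extension values run until the next "key=" token; \= and \\ are escapes there.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", fields[7]):
        record[m.group(1)] = m.group(2).replace("\\=", "=").replace("\\\\", "\\")
    return record


def anomali_alerts(lines):
    """The scheduled rule's logic: keep records whose DeviceVendor is Anomali."""
    parsed = (parse_cef(line) for line in lines)
    return [r for r in parsed if r and r["DeviceVendor"] == "Anomali"]
```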
This integration between Azure Sentinel and Anomali Match lets you apply the threat intelligence in Anomali to log data from Azure Sentinel to find actionable threats. The bi-directional capabilities bring the security insights gained in Anomali Match back into Azure Sentinel for triage and analysis by your security operations team.