Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace

PART 2 OF A 3 PART SERIES

 

In my last post, Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context, I discussed how an analyst can use Defender ATP to visualize MITRE ATT&CK and Technique information from Advanced Hunting queries. There are some limitations with Advanced Hunting queries: reports need to manually run and we are limited to 30 days of data. To overcome those limitations this post will demonstrate a way to pull DATP data into an Azure Log Analytics workspace using an Azure Logic App.

 

azure atp 1

 

In my Azure portal, I will search for and select the Log Analytics icon to create a new Log Analytics workspace as seen in the image below.

 

azure img 1

 

Figure 1: Azure Log Analytics workspace creation Basics

 

Choose your pricing tier.

 

azure img 2

 

Figure 2: Azure Log Analytics workspace creation Pricing

 

Add any tags.

 

azure img 3

 

Figure 3: Azure Log Analytics workspace creation Tags

 

Review and create.

 

azure img 4

 

Figure 4: Azure Log Analytics workspace creation Review

 

Once the workspace is created click Go to resource.

 

azure img 00

 

The Overview section of the newly created workspace will show the Subscription ID, Workspace Name and ID.

 

azure img 4a

 

Figure 4a: Azure Log Analytics workspace creation Review

 

Next click Advanced settings on the left-hand side and note the Workspace ID and Primary Key when they appear.

 

azure img 5

 

Figure 5: New Azure Log Analytics workspace advanced settings

 

Create a new Logic App using the same Resource group used in the Log Analytic workspace.

 

azure img 5a

 

Figure 5a: Azure portal Logic Apps selection

 

Add any necessary parameters, including the Subscription, Resource group, and Logic App Name.

 

azure img 6

 

Figure 6: New Azure Log Apps Basics

 

Add any needed tags if necessary and Create.

 

azure img 7

 

Figure 7: New Azure Log Apps Review

 

Once created, click Go to resource.

 

azure img 000

 

Create a Blank Logic App.

 

azure img 0000

 

Search for schedule and add a recurrence. In this example, I am going to perform an action, once daily starting today.

 

azure img 8

 

Figure 8: New Azure Log Apps Review

 

The scheduled recurrence will trigger once daily, starting on 5-13-2020.

 

azure img 9

 

Figure 9: Schedule/Recurrence settings

 

Next, the recurrence needs to do perform some sort of action at this time. I want the app to perform an Advanced Hunting query from Microsoft Defender ATP.

 

Choose New step.

 

azure img 00000

 

Search for Microsoft Defender.

 

azure img 10

 

Figure 10: Logic Apps Microsoft Defender Action

 

You may be prompted to sign into Defender to create the connection.

 

azure img 11

Figure 11: Logic Apps Microsoft Defender connection prompt

 

Select Action and choose Advanced Hunting.

 

azure img 12

Figure 12: Logic Apps Microsoft Defender Action – Advanced Hunting

 

Now we will add the same query used in DATP, only we will add a where statement to select all events that happened in the last 24 hours to coincide with our daily reoccurrence.

 

azure img 13

 

Figure 13: Logic Apps Microsoft Defender Action -Advanced Hunting query

 

DeviceAlertEvents
| where Timestamp> ago(24h)
| where Category == "InitialAccess"
or Category == "Execution"
or Category == "Persistence"
or Category == "PrivilegeEscalation"
or Category == "DefenseEvasion"
or Category == "CredentialAccess"
or Category == "Discovery"
or Category == "LateralMovement"
or Category == "Collection"
or Category == "CommandAndControl"
or Category == "Exfiltration"
or Category == "Impact"

 

Next we need to do something with the results that the Advance Hunting query produces. Search for “Control” and then select “For each” under Actions.

 

azure img 14

 

Figure 14: Next Step –> Control –> For Each

 

Next define the what the “For each” is. In this case, it will be the results of the query.

 

azure img 15

 

Figure 15: Control –> For Each -> Results

 

Within the same frame, we need to add an action.

 

azure img 000000

 

Search for “Azure Analytics” and select “Azure Log Analytics Data Collector.”

 

azure img 16

 

Figure 16: Control –> Next Action -> Azure Log Analytics

 

Under the Action tab select “Send Data.”

 

azure img 17

 

Figure 17: Azure Log Analytics -> Action -> Send Data

 

The JSON Request body will be the “Current item.” The Custom Log Name will be the name of the new log table that we can search for with KQL.

 

azure img 18

 

Figure 18: Send Data Settings

 

I now get a prompt to create a name for the connection, the Workspace ID and Workspace (Primary) Key will be the information noted in the earlier steps.

 

azure img 19

 

Figure 19: Azure Log Analytics Data Collector Settings

 

After the connection is made, we need to add one additional parameter in the “Time-generated-field.” I choose to use UTC. The “For each” step should look like the one in the picture below. There are no additional steps in creating the Logic App and we can run a test.

 

azure img 20

 

Figure 20: Logic App overview

 

The Logic App that was created can be tested by clicking “Run.”

 

azure img 0000000

 

Note: I choose to change the Timestamp window for this test to (30d), which produces 30 days of data. This was only used to produce more data for later sections. After the initial test, I changed it back to (24h) and saved the app.

 

azure img 21

 

Figure 21: Logic Apps Microsoft Defender Advanced Hunting query date change

 

If all goes well, you will see green checkmarks on the right side of each step.

 

azure img 21a

 

Figure 21a: Logic Apps initial run

 

If we move back to the Log Analytics workspace and take a look at the logs, we should see the name of our newly defined custom logs.

 

azure img 22

 

Figure 22: Azure Log Analytics workspace with new custom logs

 

azure img 23

 

Figure 23: Limit search on custom logs

 

Running a limit search on the Custom Logs shows that data is being collected. Now once a day the workspace will ingest new log data filtered to include Defender ATP alerts containing MITRE Tactic and Technique information. In the next and last post in this series we will walkthrough creating a workbook to create chats to visualize the data from the log workspace.

 

Read more from this 3 part series.
Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)

 


  • Copyright Optiv Security Inc. 2020. All rights reserved.

  • No license, express or implied, to any intellectual property or other content is granted or intended hereby.

  • This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.

  • Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.

  • Complaints / questions should be directed to Legal@optiv.com

Dan Kiraly
Senior Research Analyst
Dan Kiraly is senior research analyst on Optiv’s partner research and strategy team. In this role he responsible for use case development and the vetting of security products for Optiv.