Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace

PART 2 OF A 3 PART SERIES

 

In my last post, Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context, I discussed how an analyst can use Defender ATP to visualize MITRE ATT&CK Tactic and Technique information from Advanced Hunting queries. Advanced Hunting has two limitations for this use: queries have to be run manually, and the data is retained for only 30 days. To overcome both, this post demonstrates a way to pull DATP data into an Azure Log Analytics workspace on a schedule using an Azure Logic App.

 

In my Azure portal, I will search for and select the Log Analytics icon to create a new Log Analytics workspace as seen in the image below.

 

Figure 1: Azure Log Analytics workspace creation Basics

 

Choose your pricing tier.

 

Figure 2: Azure Log Analytics workspace creation Pricing

 

Add any tags.

 

Figure 3: Azure Log Analytics workspace creation Tags

 

Review and create.

 

Figure 4: Azure Log Analytics workspace creation Review

 

Once the workspace has been created, click Go to resource.

 

The Overview section of the newly created workspace shows the Subscription ID, Workspace Name and Workspace ID.

 

Figure 4a: Azure Log Analytics workspace Overview

 

Next click Advanced settings on the left-hand side and note the Workspace ID and Primary Key when they appear. (In the current portal these values live under the Agents blade rather than Advanced settings.) The primary key is a shared secret: anyone holding it can write arbitrary records into the workspace, so treat it like a credential, keep it out of notes and scripts, and rotate it if it leaks.

 

Figure 5: New Azure Log Analytics workspace advanced settings

 

Create a new Logic App in the same Resource group used for the Log Analytics workspace.

 

Figure 5a: Azure portal Logic Apps selection

 

Fill in the required parameters, including the Subscription, Resource group, and Logic App name.

 

Figure 6: New Logic App Basics

 

Add tags if needed, then review and Create.

 

Figure 7: New Logic App Review

 

Once created, click Go to resource.

 

Create a Blank Logic App.

 

Search for Schedule and add a Recurrence trigger. In this example the trigger fires once daily, starting today.

 

Figure 8: Logic App Designer trigger selection (Schedule/Recurrence)

 

The scheduled recurrence will trigger once daily, starting on 5-13-2020.

 

Figure 9: Schedule/Recurrence settings

 

Next, the recurrence needs to perform an action each time it fires. I want the app to run an Advanced Hunting query against Microsoft Defender ATP.

 

Choose New step.

 

Search for Microsoft Defender.

 

Figure 10: Logic Apps Microsoft Defender Action

 

You may be prompted to sign in to Defender to create the connection. The connection runs the query with the permissions of the account you sign in with, so use an account scoped to advanced hunting rather than a global administrator.

 

Figure 11: Logic Apps Microsoft Defender connection prompt

 

Select Action and choose Advanced Hunting.

 

Figure 12: Logic Apps Microsoft Defender Action – Advanced Hunting

 

Now we will add the same query used in DATP in Part 1, with one extra where clause that limits it to events from the last 24 hours to match the daily recurrence. Note that a 24-hour window on a once-daily trigger leaves no margin: if a run fails or starts late, the events that fell in the gap are never collected. If that matters, widen the window slightly (for example 25h) and deduplicate when querying the workspace.

 

Figure 13: Logic Apps Microsoft Defender Action – Advanced Hunting query

 

DeviceAlertEvents
| where Timestamp > ago(24h)
| where Category in ("InitialAccess", "Execution", "Persistence",
    "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection",
    "CommandAndControl", "Exfiltration", "Impact")

 

Next we need to do something with the results that the Advanced Hunting query produces. Search for “Control” and then select “For each” under Actions.

 

Figure 14: Next Step –> Control –> For Each

 

Next, define what the “For each” iterates over. In this case, it is the Results output of the query.

 

Figure 15: Control –> For Each -> Results

 

Within the same frame, we need to add an action.

 

Search for “Azure Log Analytics” and select “Azure Log Analytics Data Collector.” This connector wraps the Azure Monitor HTTP Data Collector API, which Microsoft has since deprecated in favor of the Logs Ingestion API; the steps below still work, but new deployments should plan on the replacement.

 

Figure 16: Control –> Next Action -> Azure Log Analytics

 

Under the Action tab select “Send Data.”

 

Figure 17: Azure Log Analytics -> Action -> Send Data

 

The JSON Request body will be the “Current item.” The Custom Log Name becomes the name of the new table we can search with KQL; Log Analytics appends _CL to it, and each JSON field becomes a column with a type suffix (_s for string, _d for number, _b for boolean, _t for datetime, _g for GUID).

 

Figure 18: Send Data Settings

 

I now get a prompt to name the connection; the Workspace ID and Workspace (Primary) Key are the values noted in the earlier steps.

 

Figure 19: Azure Log Analytics Data Collector Settings

 

After the connection is made, we need to add one additional parameter, “Time-generated-field.” This names the JSON field whose ISO 8601 value becomes TimeGenerated for the record; if it is omitted or the value cannot be parsed, Log Analytics stamps the record with the ingestion time instead. I chose to use UTC. The “For each” step should look like the one in the picture below. There are no additional steps in creating the Logic App and we can run a test.
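The Logic App above hides two API calls behind connectors: the Advanced Hunting query to Defender ATP and the signed POST to the Log Analytics HTTP Data Collector API. The following script, an added example that is not from the original post or from Optiv, does the same work in standard-library Python so the moving parts are visible: it builds the post's query, requests an app-only token, runs the query, and signs the Data Collector request with HMAC-SHA256 over the API's canonical string. The environment variable names, the custom log name DefenderAlerts, the zero GUID used as a workspace ID in the demo, and the sample rows and key are assumptions constructed for the example; the app registration would need the AdvancedQuery.Read.All permission.

```python
"""Added example: the Logic App pipeline as a script.
1. Run the post's Advanced Hunting query against the Defender ATP API.
2. Sign and POST the rows to the Log Analytics HTTP Data Collector API.
Standard library only; network calls live in main(), everything else is pure."""
import base64
import hashlib
import hmac
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from email.utils import format_datetime

# The twelve tactic categories filtered in the post's query.
TACTICS = ["InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
           "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
           "Collection", "CommandAndControl", "Exfiltration", "Impact"]

DEFENDER_API = "https://api.securitycenter.microsoft.com"

# Constructed sample data so the signing path runs offline; not real alerts or keys.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_ROWS = [
    {"Timestamp": "2020-05-13T10:15:00Z", "DeviceName": "ws01.example.test",
     "Category": "CredentialAccess", "AttackTechniques": '["OS Credential Dumping (T1003)"]'},
    {"Timestamp": "2020-05-13T11:02:00Z", "DeviceName": "ws02.example.test",
     "Category": "Execution", "AttackTechniques": '["PowerShell (T1059.001)"]'},
]
SAMPLE_TIME = datetime(2020, 5, 13, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real workspace


def hunting_query(window="24h"):
    """The post's DeviceAlertEvents filter, using `in` instead of chained `or`."""
    quoted = ", ".join(f'"{t}"' for t in TACTICS)
    return f"DeviceAlertEvents\n| where Timestamp > ago({window})\n| where Category in ({quoted})"


def build_string_to_sign(method, content_length, content_type, rfc1123_date, resource="/api/logs"):
    """Canonical string the Data Collector API signs; field order is fixed by the API."""
    return f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"


def build_authorization(workspace_id, shared_key_b64, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    to_sign = build_string_to_sign("POST", content_length, "application/json", rfc1123_date)
    digest = hmac.new(base64.b64decode(shared_key_b64), to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def data_collector_request(workspace_id, shared_key_b64, log_type, rows, time_field="Timestamp", now=None):
    """Build (url, headers, body) for one POST carrying every row as a JSON array.
    One batched request replaces the Logic App's For each -> Send Data loop (30 MB max per post)."""
    body = json.dumps(rows).encode("utf-8")
    rfc1123 = format_datetime(now or datetime.now(timezone.utc), usegmt=True)
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_authorization(workspace_id, shared_key_b64, len(body), rfc1123),
        "Log-Type": log_type,                # letters, digits, underscore; table becomes <log_type>_CL
        "x-ms-date": rfc1123,
        "time-generated-field": time_field,  # ISO 8601 field in each row used as TimeGenerated
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def get_defender_token(tenant_id, client_id, client_secret):
    """App-only token for the Defender ATP API (client credentials, v1 endpoint)."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "resource": DEFENDER_API}).encode()
    req = urllib.request.Request(f"https://login.microsoftonline.com/{tenant_id}/oauth2/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def run_hunting_query(token, query):
    """POST the KQL to the Advanced Hunting endpoint; rows come back under "Results"."""
    req = urllib.request.Request(f"{DEFENDER_API}/api/advancedhunting/run",
                                 data=json.dumps({"Query": query}).encode("utf-8"),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["Results"]


def demo_request():
    """Offline demonstration of the signed request using the constructed sample data."""
    return data_collector_request(SAMPLE_WORKSPACE_ID, SAMPLE_KEY_B64, "DefenderAlerts",
                                  SAMPLE_ROWS, now=SAMPLE_TIME)


def main():
    # Secrets come from the environment (assumed variable names), never from source.
    env = os.environ
    token = get_defender_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    rows = run_hunting_query(token, hunting_query("24h"))
    if not rows:
        print("no alerts in window; nothing sent")
        return
    url, headers, body = data_collector_request(env["WORKSPACE_ID"], env["WORKSPACE_KEY"],
                                                "DefenderAlerts", rows)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, headers=headers, method="POST")) as resp:
        print("Data Collector API returned", resp.status)  # 200 means accepted


if __name__ == "__main__":
    main()
```

Two design points worth noting. First, the signature covers the content length and the x-ms-date header, so a captured request cannot be replayed with a different body, but anyone holding the primary key can mint a valid signature for any body; that is why the key deserves credential handling. Second, sending the whole result set as one JSON array is cheaper than the connector's per-row loop and lands the rows in the same DefenderAlerts_CL table with the same type-suffixed columns.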

 

Figure 20: Logic App overview

 

The Logic App that was created can be tested by clicking “Run.”

 

Note: For this test I changed the Timestamp window to (30d), which pulls in 30 days of data. This was done only to produce more data for the later sections. After the initial test, I changed it back to (24h) and saved the app.

 

Figure 21: Logic Apps Microsoft Defender Advanced Hunting query date change

 

If all goes well, you will see green checkmarks on the right side of each step. A red mark on the Send Data step usually means a wrong Workspace ID or key (the API returns 403) or a malformed Log-Type name.

 

Figure 21a: Logic Apps initial run

 

If we move back to the Log Analytics workspace and look at Logs, we should see our newly defined custom log table under Custom Logs (with the _CL suffix). Allow a few minutes after the first run for the table to appear.

 

Figure 22: Azure Log Analytics workspace with new custom logs

 

Figure 23: Limit search on custom logs

 

Running a limit search on the custom log table shows that data is being collected. From now on, once a day the workspace will ingest new log data filtered to Defender ATP alerts carrying MITRE Tactic and Technique information. In the next and last post in this series we will walk through creating a workbook with charts to visualize the data in the workspace.

 

Read more from this 3 part series.
Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)

Dan Kiraly
Senior Research Scientist | Optiv
Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.