Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace
PART 2 OF A 3 PART SERIES
In my last post, Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context, I discussed how an analyst can use Defender ATP to visualize MITRE ATT&CK Tactic and Technique information from Advanced Hunting queries. Advanced Hunting queries have two limitations: reports need to be run manually, and we are limited to 30 days of data. To overcome those limitations, this post demonstrates a way to pull DATP data into an Azure Log Analytics workspace on a schedule using an Azure Logic App.
In my Azure portal, I will search for and select the Log Analytics icon to create a new Log Analytics workspace as seen in the image below.
Figure 1: Azure Log Analytics workspace creation Basics
Choose your pricing tier.
Figure 2: Azure Log Analytics workspace creation Pricing
Add any tags.
Figure 3: Azure Log Analytics workspace creation Tags
Review and create.
Figure 4: Azure Log Analytics workspace creation Review
Once the workspace is created click Go to resource.
The Overview section of the newly created workspace will show the Subscription ID, Workspace Name and ID.
Figure 4a: Azure Log Analytics workspace creation Review
Next click Advanced settings on the left-hand side and note the Workspace ID and Primary Key when they appear.
Figure 5: New Azure Log Analytics workspace advanced settings
Create a new Logic App using the same Resource group used in the Log Analytic workspace.
Figure 5a: Azure portal Logic Apps selection
Add any necessary parameters, including the Subscription, Resource group, and Logic App Name.
Figure 6: New Azure Logic Apps Basics
Add any needed tags if necessary and Create.
Figure 7: New Azure Logic Apps Review
Once created, click Go to resource.
Create a Blank Logic App.
Search for schedule and add a recurrence. In this example, I am going to perform an action, once daily starting today.
Figure 8: New Azure Logic Apps Review
The scheduled recurrence will trigger once daily, starting on 5-13-2020.
Figure 9: Schedule/Recurrence settings
Next, the recurrence needs to perform some sort of action when it fires. I want the app to run an Advanced Hunting query against Microsoft Defender ATP.
Choose New step.
Search for Microsoft Defender.
Figure 10: Logic Apps Microsoft Defender Action
You may be prompted to sign into Defender to create the connection.
Figure 11: Logic Apps Microsoft Defender connection prompt
Select Action and choose Advanced Hunting.
Figure 12: Logic Apps Microsoft Defender Action – Advanced Hunting
Now we will add the same query used in DATP, with one extra where statement that selects only events from the last 24 hours to coincide with our daily recurrence.
Figure 13: Logic Apps Microsoft Defender Action -Advanced Hunting query
| where Timestamp > ago(24h)
| where Category == "InitialAccess"
    or Category == "Execution"
    or Category == "Persistence"
    or Category == "PrivilegeEscalation"
    or Category == "DefenseEvasion"
    or Category == "CredentialAccess"
    or Category == "Discovery"
    or Category == "LateralMovement"
    or Category == "Collection"
    or Category == "CommandAndControl"
    or Category == "Exfiltration"
    or Category == "Impact"
Next we need to do something with the results that the Advanced Hunting query produces. Search for “Control” and then select “For each” under Actions.
Figure 14: Next Step –> Control –> For Each
Next, define what the “For each” iterates over. In this case, it will be the results of the query.
Figure 15: Control –> For Each -> Results
Within the same frame, we need to add an action.
Search for “Azure Analytics” and select “Azure Log Analytics Data Collector.”
Figure 16: Control –> Next Action -> Azure Log Analytics
Under the Action tab select “Send Data.”
Figure 17: Azure Log Analytics -> Action -> Send Data
The JSON Request body will be the “Current item.” The Custom Log Name will be the name of the new log table that we can search for with KQL.
Figure 18: Send Data Settings
I now get a prompt to create a name for the connection. The Workspace ID and Workspace (Primary) Key are the values noted in the earlier steps.
Figure 19: Azure Log Analytics Data Collector Settings
After the connection is made, we need to add one additional parameter in the “Time-generated-field.” I chose to use UTC. The “For each” step should look like the one in the picture below. There are no additional steps in creating the Logic App, and we can run a test.
Figure 20: Logic App overview
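The “Send Data” action is a wrapper around the Log Analytics HTTP Data Collector API, which is what the Workspace ID and Primary Key are used for. As an added example (not code from this post or from Optiv), here is the same push written in Python so the request the connector builds, including the HMAC-SHA256 signature, the Log-Type custom log name and the time-generated-field header, is visible. The workspace ID, key, log name and sample rows are constructed placeholders.

```python
"""Push Advanced Hunting result rows to a Log Analytics custom log (HTTP Data Collector API)."""
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

# Constructed placeholders: substitute the Workspace ID and Primary Key noted
# from the workspace's Advanced settings page.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"placeholder-primary-key-placeholder-key!").decode()
LOG_TYPE = "DefenderATPAlerts"  # custom log name; queried as DefenderATPAlerts_CL in KQL


def build_string_to_sign(content_length: int, rfc1123_date: str) -> str:
    """Canonical string the Data Collector API expects to be HMAC-signed."""
    return f"POST\n{content_length}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"


def build_signature(workspace_id: str, shared_key: str, content_length: int, rfc1123_date: str) -> str:
    """Authorization header value: SharedKey <workspace id>:<base64(HMAC-SHA256)>."""
    key = base64.b64decode(shared_key)  # the Primary Key is base64; sign with the raw bytes
    to_sign = build_string_to_sign(content_length, rfc1123_date).encode()
    digest = hmac.new(key, to_sign, hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, rows, rfc1123_date, time_generated_field="Timestamp"):
    """Return (url, headers, body). The Logic App sends one row per loop iteration;
    the API also accepts a JSON array, so a day's results can go in one call."""
    body = json.dumps(rows).encode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, len(body), rfc1123_date),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        "time-generated-field": time_generated_field,  # same setting as the connector's Time-generated-field
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body


def send_rows(rows, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY, log_type=LOG_TYPE):
    """Sign and POST one batch; the API answers 200 with an empty body on success."""
    now = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    url, headers, body = build_request(workspace_id, shared_key, log_type, rows, now)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":  # needs real workspace credentials to succeed
    sample = [{"Timestamp": "2020-05-13T10:00:00Z", "Category": "Execution", "Title": "constructed alert"}]
    print(send_rows(sample))
```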
The Logic App that was created can be tested by clicking “Run.”
Note: I chose to change the Timestamp window for this test to (30d), which produces 30 days of data. This was only done to produce more data for later sections. After the initial test, I changed it back to (24h) and saved the app.
Figure 21: Logic Apps Microsoft Defender Advanced Hunting query date change
If all goes well, you will see green checkmarks on the right side of each step.
Figure 21a: Logic Apps initial run
If we move back to the Log Analytics workspace and take a look at the logs, we should see the name of our newly defined custom logs.
Figure 22: Azure Log Analytics workspace with new custom logs
Figure 23: Limit search on custom logs
Running a limit search on the Custom Logs shows that data is being collected. Now, once a day, the workspace will ingest new log data filtered to Defender ATP alerts containing MITRE Tactic and Technique information. In the next and last post in this series we will walk through creating a workbook with charts to visualize the data from the log workspace.
Read more from this 3 part series:
Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)
June 11, 2020
This post demonstrates how to pull DATP data into Azure Log Analytics workspaces using a Logic App.