Microsoft Sentinel
About
Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.
Product Details
Vendor URL: Microsoft Sentinel
Product Type: SOAR
Product Tier: Tier I
Integration Method: Custom
Parser Details
Log Format: JSON
Expected Normalization Rate: 90-100%
Data Label: MICROSOFT_SENTINEL
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
AlertLink | metadata.url_back_to_product |
AlertName | security_result.summary |
AlertSeverity | security_result.severity_details |
AlertSeverity | security_result.severity |
AlertType | security_result.rule_type |
ClientIPAddress | principal.ip |
CompromisedEntity | principal.user.email_addresses |
CompromisedEntity | principal.hostname |
Description | metadata.description |
DisplayName | metadata.product_event_type |
EntityHostName | principal.hostname |
EntityIPAddress | principal.ip |
ExtendedProperties.AccountSessionId | network.session_id |
ExtendedProperties.CompromisedHost | target.hostname |
ExtendedProperties.DomainName | principal.administrative_domain |
ExtendedProperties.ParentProcess | principal.process.parent_process.file.full_path |
ExtendedProperties.ProcessName | target.process.file.full_path |
ExtendedProperties.SuspiciousCommandLine | principal.process.command_line |
ExtendedProperties.SuspiciousProcess | principal.process.file.full_path |
ExtendedProperties.SuspiciousProcessId | principal.process.pid |
ExtendedProperties.SuspiciousScript | security_result.about.process.command_line |
ExtendedProperties.UserDisplayName | principal.user.user_display_name |
ExtendedProperties.UserName | principal.user.userid |
ExtendedProperties.UserSID | principal.user.windows_sid |
IsIncident | additional.fields.key.IsIncident |
ProductName | metadata.product_name |
Status | security_result.about.investigation.status |
SystemAlertId | metadata.product_log_id |
Tactics | security_result.detection_fields.key.Tactics |
Techniques | security_result.detection_fields.key.Techniques |
TenantId | metadata.product_deployment_id |
Type | security_result.description |
VendorName | metadata.vendor_name |
Product Event Types
DisplayName | UDM Event Classification |
---|---|
all others | SCAN_HOST |
Connections | SCAN_UNCATEGORIZED |
execution | PROCESS_LAUNCH |
sign-in | USER_UNCATEGORIZED |
travel | USER_UNCATEGORIZED |
Log Sample
{"AlertName":"Unfamiliar sign-in properties","AlertSeverity":"High","AlertType":"UnfamiliarLocation","CompromisedEntity":"john@domain.com","Description":"Sign-in with properties we have not seen recently for the given user","DisplayName":"Unfamiliar sign-in properties","EndTime":"2022-06-11T18:11:12.3600000Z","Entities":"[{\"$id\":\"2\",\"Name\":\"john\",\"UPNSuffix\":\"domain.com\",\"AadTenantId\":\"6q5rf2\",\"AadUserId\":\"sad2w5d\",\"DisplayName\":\"John Doe [john]\",\"Type\":\"account\"},{\"$id\":\"3\",\"SessionId\":\"flp213\",\"Account\":{\"$ref\":\"2\"},\"UserAgent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36\",\"StartTimeUtc\":\"2022-06-11T18:11:12.360942Z\",\"Type\":\"cloud-logon-session\"},{\"$id\":\"4\",\"Address\":\"10.1.1.10\",\"Location\":{\"CountryCode\":\"US\",\"State\":\"Washington\",\"City\":\"Washington\",\"Longitude\":sd,\"Latitude\":sd,\"Asn\":65yls},\"Type\":\"ip\"}]","ExtendedProperties":"{\"User Name\":\"John Doe [john]\",\"User Account\":\"john@domain.com\",\"Client IP Address\":\"10.1.1.10\",\"Client Location\":\"Washington, Washington, US\",\"Request Id\":\"flp213\",\"Detail Description\":\"This risk event type considers past sign-in properties (e.g. device, location, network) to determine sign-ins with unfamiliar properties. The system stores properties of previous locations used by a user, and considers these \\\"familiar\\\". The risk event is triggered when the sign-in occurs with properties not already in the list of familiar properties. The system has an initial learning period of 30 days, during which it does not flag any new detections. We also run this detection for basic authentication (or legacy protocols). Because these protocols do not have modern properties such as client id, there is limited telemetry to reduce false positives. We recommend our customers to move to modern authentication. \nFor more information - url\",\"Alert Timing\":\"RealTime\",\"Detection Subcategory\":\"UnfamiliarLocation\",\"Tenant Login Source\":\"AzureActiveDirectory\",\"ProcessedBySentinel\":\"True\",\"Alert generation status\":\"Full alert created\"}","IsIncident":false,"ProcessingEndTime":"2022-06-11T18:14:05.3140000Z","ProductName":"Azure Active Directory Identity Protection","ProviderName":"IPC","SourceSystem":"Detection","StartTime":"2022-06-11T18:11:12.3600000Z","Status":"New","SystemAlertId":"8asq","Tactics":"InitialAccess","TenantId":"as25w51","TimeGenerated":"2022-06-11T18:11:12.3600000Z","Type":"SecurityAlert","VendorName":"Microsoft","VendorOriginalId":"vendor1","_Internal_WorkspaceResourceId":"/subscriptions/subscription1"}
Sample Parsing
metadata.product_log_id = "8asq"
metadata.event_timestamp = "2022-06-11T18:11:12.360Z"
metadata.event_type = "USER_UNCATEGORIZED"
metadata.vendor_name = "Microsoft"
metadata.product_name = "Azure Active Directory Identity Protection"
metadata.product_event_type = "Unfamiliar sign-in properties"
metadata.description = "Sign-in with properties we have not seen recently for the given user"
metadata.product_deployment_id = "as25w51"
additional.IsIncident = "false"
principal.user.userid = "john"
principal.user.user_display_name = "John Doe"
principal.user.email_addresses = "john@domain.com"
principal.ip = "10.1.1.10"
principal.asset.ip = "10.1.1.10"
security_result.about.investigation.status = "NEW"
security_result.summary = "Unfamiliar sign-in properties"
security_result.description = "SecurityAlert"
security_result.severity = "HIGH"
security_result.confidence = "HIGH_CONFIDENCE"
security_result.severity_details = "High"
security_result.rule_type = "UnfamiliarLocation"
security_result.detection_fields.key = "Tactics"
security_result.detection_fields.value = "InitialAccess"
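The following is an added illustration of the mapping documented in the UDM Fields and Product Event Types tables, checked against the Sample Parsing above; it is not Chronicle's parser. It assumes that ExtendedProperties is a JSON-encoded string whose spaced keys (e.g. "Client IP Address") correspond to the table's space-free names, and that a "User Name" of the form "John Doe [john]" yields the display name and the userid.

```python
# Added illustration of the field mapping documented above; not Chronicle's own parser.
import json
import re

# DisplayName substring -> UDM event type (Product Event Types table); first match wins.
EVENT_TYPES = [("connections", "SCAN_UNCATEGORIZED"), ("execution", "PROCESS_LAUNCH"),
               ("sign-in", "USER_UNCATEGORIZED"), ("travel", "USER_UNCATEGORIZED")]

def classify(display_name):
    name = (display_name or "").lower()
    return next((et for needle, et in EVENT_TYPES if needle in name), "SCAN_HOST")  # "all others"

def to_udm(raw):
    a = json.loads(raw)  # one Sentinel SecurityAlert record as JSON text
    # Assumption: ExtendedProperties is JSON text whose keys carry spaces; strip them to match the table.
    ext = {k.replace(" ", ""): v for k, v in json.loads(a.get("ExtendedProperties") or "{}").items()}
    udm = {
        "metadata.product_log_id": a.get("SystemAlertId"),
        "metadata.event_type": classify(a.get("DisplayName")),
        "metadata.vendor_name": a.get("VendorName"),
        "metadata.product_name": a.get("ProductName"),
        "metadata.product_event_type": a.get("DisplayName"),
        "metadata.product_deployment_id": a.get("TenantId"),
        "security_result.summary": a.get("AlertName"),
        "security_result.description": a.get("Type"),
        "security_result.rule_type": a.get("AlertType"),
        "security_result.severity_details": a.get("AlertSeverity"),
        "security_result.severity": (a.get("AlertSeverity") or "").upper() or None,
        "security_result.about.investigation.status": (a.get("Status") or "").upper() or None,
        "additional.IsIncident": str(a["IsIncident"]).lower() if "IsIncident" in a else None,
        "principal.ip": ext.get("ClientIPAddress") or a.get("ClientIPAddress"),
        "security_result.detection_fields": [{"key": k, "value": a[k]}
                                             for k in ("Tactics", "Techniques") if a.get(k)],
    }
    # CompromisedEntity is a mailbox for identity alerts and a host for endpoint alerts.
    entity = a.get("CompromisedEntity") or ""
    udm["principal.user.email_addresses" if "@" in entity else "principal.hostname"] = entity or None
    m = re.fullmatch(r"(.*?)\s*\[([^\]]+)\]", ext.get("UserName") or "")
    if m:  # Assumption: "John Doe [john]" packs display name and account alias into one value
        udm["principal.user.user_display_name"], udm["principal.user.userid"] = m.groups()
    return {k: v for k, v in udm.items() if v not in (None, "", [])}

# Constructed, trimmed version of the page's log sample (not data from a real tenant).
SAMPLE = json.dumps({
    "AlertName": "Unfamiliar sign-in properties", "AlertSeverity": "High", "Status": "New",
    "AlertType": "UnfamiliarLocation", "CompromisedEntity": "john@domain.com", "IsIncident": False,
    "DisplayName": "Unfamiliar sign-in properties", "SystemAlertId": "8asq", "TenantId": "as25w51",
    "Tactics": "InitialAccess", "Type": "SecurityAlert", "VendorName": "Microsoft",
    "ProductName": "Azure Active Directory Identity Protection",
    "ExtendedProperties": json.dumps({"User Name": "John Doe [john]", "Client IP Address": "10.1.1.10"})})
```

Calling to_udm(SAMPLE) reproduces the Sample Parsing values above, including the USER_UNCATEGORIZED classification driven by the "sign-in" substring in DisplayName.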
Parser Alerting
This product currently does not have any Parser-based Alerting.
Rules
Coming Soon