From 5a5d5df8b1aa6da5d06af4e9579cbcf53e5ae34b Mon Sep 17 00:00:00 2001 From: Adon Metcalfe Date: Tue, 7 Nov 2023 16:39:08 +0000 Subject: [PATCH] data sources / sentinel cleanup --- docs/README.md | 4 +- docs/baselines/data-sources.md | 130 ++++++++++++++---- docs/guidelines/observables-gap-analysis.md | 79 ----------- docs/guidelines/supply-chain-risk-mgmt.md | 11 ++ docs/onboarding/onboarding-support.md | 36 ----- docs/onboarding/sentinel-guidance.md | 143 ++++---------------- docs/threat-activity.md | 12 +- main.py | 16 ++- mkdocs.yml | 6 +- requirements.txt | 3 +- 10 files changed, 167 insertions(+), 273 deletions(-) delete mode 100644 docs/guidelines/observables-gap-analysis.md create mode 100644 docs/guidelines/supply-chain-risk-mgmt.md delete mode 100644 docs/onboarding/onboarding-support.md diff --git a/docs/README.md b/docs/README.md index 4e411eeac..ae4670529 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -15,9 +15,8 @@ Baselines are for use as self-assessment checklists, and guidelines are for gene !!! abstract "Baselines" - The WA SOC has developed a [Baseline for Event Ingestion](baselines/data-sources.md). It's currently under review to align with [MITRE ATT&CK®](https://attack.mitre.org) and develop detection coverage/quality into a standalone baseline. See [MITRE Data Sources](https://attack.mitre.org/datasources/) for SIEM (sensors/events) coverage and [MITRE Tactics](https://attack.mitre.org/tactics/enterprise/) for SIEM automated detection coverage. - - [Security Operations Baseline](baselines/security-operations.md) - aligned with [MITRE 11 Strategies of a World-Class Cybersecurity Operations Center](pdfs/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf) and [ACSC's Cyber Incident Response Plan Resource](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan). + - [Detection Coverage Baseline](baselines/data-sources.md) - *[telemetry collection](https://attack.mitre.org/datasources/)* and *[detection analytics](https://attack.mitre.org)* aligned to the [MITRE ATT&CK Framework](https://attack.mitre.org). - [Vulnerability Management Baseline](baselines/vulnerability-management.md) - focused on undertaking operational **Identify** and **Protect** capabilities. !!! danger "Critical Infrastructure Entities" 
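Review bot: this hunk drops the `[Security Operations Baseline](baselines/security-operations.md)` bullet from the README index, but the rewritten data-sources.md in this same patch still links `../baselines/security-operations.md` ("ensure the Security Operations team is resourced..."), so the page survives with no entry point from the landing page; either keep the bullet or confirm the page is still reachable from the mkdocs nav. Also, the new `*[detection analytics](https://attack.mitre.org)*` link points at the ATT&CK home page, whereas the removed text linked `https://attack.mitre.org/tactics/enterprise/` for detection coverage; the tactics page is the more useful target and matches the "telemetry collection" link, which does go to the specific data-sources page.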
@@ -26,6 +25,7 @@ Baselines are for use as self-assessment checklists, and guidelines are for gene !!! tip "Guidelines" + - [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md) - Implementation guidance for [ACSC Cyber Supply Chain Risk Management](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/cyber-supply-chains/cyber-supply-chain-risk-management). - [Guide to Securing Remote Access Software (CISA)](https://www.cisa.gov/resources-tools/resources/guide-securing-remote-access-software) - remote access software overview, including the malicious use of remote access software, detection methods, and recommendations for all organizations. - [#StopRansomware Guide (CISA)](https://www.cisa.gov/resources-tools/resources/stopransomware-guide) - one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. - [Microsoft Sentinel Guidance](onboarding/sentinel-guidance.md) - Implementation guidance for using Sentinel for [ACSC Guidelines for System Monitoring](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-monitoring) diff --git a/docs/baselines/data-sources.md b/docs/baselines/data-sources.md index 5b79bb108..8bc712174 100644 --- a/docs/baselines/data-sources.md +++ b/docs/baselines/data-sources.md 
@@ -1,27 +1,22 @@ -# Baseline for Event Ingestion +# Baseline for Detection Coverage (MITRE ATT&CK) -This document and associated checklist is intended to be used as a high-level self assessment to determine coverage quality of an operational SIEM environment for a typical organisation. +This document and associated checklist is intended to be used as a high-level self assessment against an organisations *[telemetry collection](https://attack.mitre.org/datasources/)* and *[detection analytics](https://attack.mitre.org)* aligned to the [MITRE ATT&CK Framework](https://attack.mitre.org). -## 1. Service Model Context +## 1. Shared Responsibility Model -Most organisations are strategically migrating services not unique to their specific business to shared common service models as below (diagram from [CISA Cloud Security Technical Reference Architecture](https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf)). This typically results in the **Identity, Credential and Access Management** and **Data** relevant observables having the greatest value. +For service providers see [Supply Chain Risk Management](../guidelines/supply-chain-risk-mgmt.md) (vendors should report detection coverage monthly and incidents within 24 hours). Otherwise ensure the [Security Operations](../baselines/security-operations.md) team is resourced to collect the below telemetry and manage detection, triage and response activities over them based on the organisations risk profile. -![Service Models](../images/servicemodels.png) +## 2. Data Sources -The above diagram should be used as a reference to determine which systems/services are relevant for capturing security logs (i.e. if utilising IaaS, the service provider should facilitate the collection of security logs in bulk, while On-Premise infrastructure would require additional resources to capture security logs from hypervisors, physical servers, storage and physical security). 
+Below are the highest priority MITRE Data Sources to ensure telemetry and analytics are available for: -## 2. Detection Observables - -Referencing the [STIX 2.1 Cyber Observable Objects](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html) library, the below observables are intended to represent an organisation detection scope of potential threat indicators. The observables objects are ordered based on feasibility of ingestion of all relevant activities external to an organisation. - -1. [IPv4Address](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.IPv4Address), [IPv6Address](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.IPv6Address) -2. [UserAccount](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.UserAccount), [EmailAddress](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.EmailAddress) -3. [DomainName](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.DomainName), [URL](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.URL) -4. [EmailMessage](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.EmailMessage) (date, subject, from, to most relevant) -5. [File](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.File) (SHA256 hash most relevant) -6. [HTTPRequestExt](https://stix2.readthedocs.io/en/latest/api/v21/stix2.v21.observables.html#stix2.v21.observables.HTTPRequestExt) (Inbound HTTP requests through e.g. Web Application Firewalls) - -> Further information of the purpose of STIX 2.1 and the observable objects can be found [here](https://oasis-open.github.io/cti-documentation/stix/intro.html). +1. 
[DS0002 User Account](https://attack.mitre.org/datasources/DS0002/) - A profile representing a user, device, service, or application used to authenticate and access resources +2. [DS0025 Cloud Service](https://attack.mitre.org/datasources/DS0025/) - Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs +3. [DS0009 Process](https://attack.mitre.org/datasources/DS0009/) - Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures +4. [DS0017 Command](https://attack.mitre.org/datasources/DS0017/) - A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task +5. [DS0022 File](https://attack.mitre.org/datasources/DS0022/) - A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media). +6. [DS0029 Network Traffic](https://attack.mitre.org/datasources/DS0029/) - Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP) +7. [DS0015 Application Log](https://attack.mitre.org/datasources/DS0015/) - Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform) ## 3. Detection Assets 
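Review bot: two possessive typos in the new text: "self assessment against an organisations *telemetry collection*" and "based on the organisations risk profile" should both read "organisation's" (and "self-assessment" is hyphenated elsewhere in the docs). The replacement "Shared Responsibility Model" paragraph also loses the one concrete point the removed Service Model section made, namely that an IaaS/PaaS provider should facilitate bulk collection of platform security logs while on-premise infrastructure requires the organisation to collect hypervisor, physical server, storage and physical-security logs itself; a single sentence to that effect would keep the section useful without the deleted diagram. Minor: items 1 to 4, 6 and 7 of the new data-source list have no terminal punctuation while item 5 (DS0022) does; make them consistent.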
@@ -33,6 +28,7 @@ The below is a high level summary of assets and services from where security log - **Servers** - Hypervisors, Servers, Container Platforms - **Network Firewalls (Firewalls)** - Network egress and internal network control points - **Web Application Firewalls (WAFs)** - Network ingress control points +- **Applications and Databases** - Application logs and query logs from application runtimes (e.g. stack traces) and databases ## 4. Detection Checklist @@ -59,7 +55,7 @@ These are available as integrations with some deployment requirements on Windows - [ ] **Endpoints** - Query a `IPv4Address`, `IPv6Address`, `DomainName` or `URL` across all outbound [Network Traffic](https://attack.mitre.org/datasources/DS0029/). - E.g. [Defender Network Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide), [Defender Web Protection](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) -- [ ] **Endpoints** - Query a `SHA256 Hash (File)`, `Name (File)` or `FileOriginUrl (File)` across all [Files](https://attack.mitre.org/datasources/DS0022/) and [Processes](https://attack.mitre.org/datasources/DS0009/). +- [ ] **Endpoints** - Query a `SHA256 Hash (File)`, `Name (File)` or `FileOriginUrl (File)` across all [Files](https://attack.mitre.org/datasources/DS0022/), [Processes](https://attack.mitre.org/datasources/DS0009/) and [Commands](https://attack.mitre.org/datasources/DS0017/). - E.g. [Defender Real-time protection](https://learn.microsoft.com/en-us/mem/intune/protect/antivirus-microsoft-defender-settings-windows#real-time-protection) ### 4.3. High return on investment 
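Review bot: in the @@ -59 hunk, the updated Endpoints checklist item "Query a `SHA256 Hash (File)`, `Name (File)` or `FileOriginUrl (File)` across all Files, Processes and Commands" attaches attributes to Command telemetry (DS0017) that command-line records do not carry: a command log contains the invoked program name and its arguments, not a file hash or origin URL, so the hash and URL parts of that query cannot be satisfied from Commands. Either limit the Commands addition to `Name (File)` or add a separate checklist line for searching a string across [Commands](https://attack.mitre.org/datasources/DS0017/). In the @@ -33 hunk, "Application logs and query logs from application runtimes (e.g. stack traces) and databases" is awkward because "stack traces" reads as an example of a runtime rather than of a log; "application runtime logs (e.g. exceptions and stack traces) and database query/audit logs" is clearer.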
@@ -74,14 +70,19 @@ Agent based network protection is relatively straightforward to ingest from appl ## 5. Detection Analytics -Once the above checklist is validated, an organisation should schedule regular security exercises to detect for suspicious behaviour based on indicators collected from threat intelligence sources and to detect for deviations against known behaviour baselines. A simple example would be to determine a subset of users that are allowed to use legacy authentication protocols (NTLM, LDAP, HTTP Basic Auth), and alerting security analysts whenever a user outside of that list attempts to sign in with a legacy authentication protocol. - -[Sigma](https://github.com/SigmaHQ/sigma) is a flexible rule format that is easy to write and applicable to any type of log file. The project provides a structured library and an open specification in which researchers or analysts can describe and share their detection methods. The WA SOC is actively investing into [sigma rule development](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide) and a [pySigma](https://github.com/SigmaHQ/pySigma) [backend/pipeline for Sentinel](https://github.com/wagov/python-squ/blob/main/sigma/pipelines/azure/azure.py), and can provide assistance in converting rules to/from sigma formats. +The security tools collecting telemetry should be capable of running both built-in and custom analytics on a regular basis. Some repositories and tools to build high quality detection analytics are below: -![Sigma Conversion](https://github.com/SigmaHQ/pySigma/raw/main/docs/images/pipelines.png) +- [Sigma](https://github.com/SigmaHQ/sigma/) - Sigma main rule repository. The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost. 
+- [Microsoft Sentinel Solutions](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) - combinations of data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel. +- [reprise99 Sentinel Queries](https://github.com/reprise99/Sentinel-Queries) - Some tips, tricks and examples for using KQL for Microsoft Sentinel. +- [Sentinel custom content CI/CD](https://learn.microsoft.com/en-us/azure/sentinel/ci-cd?tabs=github) - How to create and manage connections between Microsoft Sentinel and GitHub or Azure DevOps repositories. Managing your content in an external repository allows you to make updates to that content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces. ### 5.1 Microsoft Sentinel Detection Pack +!!! note "Under Review" + + The below detection pack is currently being converted into an external content repository to enable better change management with git. + The WA SOC has curated a pack of over 100 [analytics rules](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-built-in) from [the unified Microsoft Sentinel and Microsoft 365 Defender repository](https://github.com/Azure/Azure-Sentinel) for rapid deployment (last updated Feb 2023): [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fsoc.cyber.wa.gov.au%2Fonboarding%2Fwasoc-sentinel-rules-deployment.json) 
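Review bot: the replacement paragraph ("The security tools collecting telemetry should be capable of running both built-in and custom analytics on a regular basis") removes the page's only concrete example of a baseline-deviation analytic, alerting when a user outside an approved subset signs in with a legacy protocol (NTLM, LDAP, HTTP Basic Auth); that example is still accurate and is worth keeping as one sentence under the new repository list. Deleting the pySigma backend/pipeline paragraph also deletes the offer that the WA SOC "can provide assistance in converting rules to/from sigma formats"; if that still stands, retain it. Finally, the Detection Pack paragraph immediately below the new "Under Review" admonition still reads "(last updated Feb 2023)"; either refresh the date or state that the pack is frozen until the repository migration completes.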
@@ -114,9 +115,12 @@ Example [code is available](https://github.com/wagov/python-squ/blob/main/exampl - **How can I contact DGov if I have questions about this?** - We're always contactable via our monitored mailbox: - ### 5.2 Microsoft Sentinel Automation Pack +!!! note "Under Review" + + The below automation pack is currently being converted into an external content repository to enable better change management with git. + !!! note "WASOC Automation Rules" The following package is designed to automatically add task lists to the incidents generated by their paired WASOC Sentinel analytic rules in the Detection Pack. These task lists are intended as a baseline for generalised investigation and remediation steps commonly undertaken for each kind of associated incident: 
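Review bot: the "Under Review" admonition added here is the same text as the one added to 5.1 with only "detection pack" swapped for "automation pack"; since both packs are being moved to the same external content repository for git-based change management, a single admonition at the head of section 5 covering both packs (or a link to the repository once it exists) would avoid repeating the note twice in a row.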
@@ -125,3 +129,81 @@ Example [code is available](https://github.com/wagov/python-squ/blob/main/exampl [![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.svg?sanitize=true)](http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2Fwagov%2FWASOCAutomationPlaybook%2Fmain%2FCollatedDeployment.json) *Note: This package does not yet cover the Microsoft Defender for IoT Analytic Rules and is under development. Feedback is appreciated.* + +## 6. Sentinel Telemetry Gap Analysis (KQL) + +The following listed queries help identify missing telemetry for endpoints in Microsoft Sentinel. The chart below depicts most seen observables per [MITRE ATT&CK®](https://attack.mitre.org/) (source: [OSSEM project](https://github.com/OTRF/OSSEM)) + +![image](../images/MitreAttackTTPChart.png) + +### 6.1 Process Creation + +The following are common log sources for Process Creation events and relating kql queries to identify number of endpoints providing these observables. + +| Log source | KQL | +|-------------|-----------| +| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| summarize count_distinct(Computer) | +| Sysmon (Event) | Event \| where TimeGenerated > ago(7d) \| where Source == "Microsoft-Windows-Sysmon" \| where EventID == 1 \| summarize count_distinct(Computer) | +| Defender (DeviceProcessEvents) | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName) | +| AzureAD (VMProcess) | VMProcess \| where TimeGenerated > ago(7d) \| where isnotempty(ExecutableName) \| summarize count_distinct(Computer) | + +### 6.2 Process Command Line + +The following kql queries will provide number of endpoints with [Command Line logging enabled](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). 
+ +| Log type | KQL | +|---------|-----------| +| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| where isnotempty(CommandLine) \| summarize count_distinct(Computer) | +| AzureAD: VMProcess | VMProcess \| where TimeGenerated > ago(7d) \| where isnotempty(CommandLine) \|summarize count_distinct(Computer) | +| DeviceProcessEvents | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) \| summarize count_distinct(DeviceName) | + +### 6.3 Parent Process + +| Log type | KQL | +|------------|----------| +| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| where isnotempty(ParentProcessName) \| summarize count_distinct(Computer) | + +### 6.4 Microsoft Defender Device Logs + +[Connect Microsoft 365 Defender to Micrososft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE) + +#### Techniques: [Microsoft Defender for Endpoint | Microsoft Security](https://www.microsoft.com/en-au/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1) + +| Log type | KQL | +|-----------------------|-------------| +|Process creation and related events | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| +|Network connection and related events | DeviceNetworkEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| +|Parent Process | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| where isnotempty(InitiatingProcessParentFileName) \| summarize count_distinct(DeviceName)| +|Named Pipes | DeviceEvents \| where ActionType == "NamedPipeEvent" \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| +|File creation, modification, and other file system events| DeviceFileEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| 
+|Creation and modification of registry entries | DeviceRegistryEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| +|DLL loading events | DeviceImageLoadEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| + +### 6.5 Microsoft Defender Office 365 Logs Monitoring + +[Connect Microsoft 365 Defender to Micrososft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDO) + +| Log type | KQL | +|----------------------------|-------------------------------------------------------------------------------------------------| +| Email Events | EmailEvents \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | +| Email Attachment Info | EmailAttachmentInfo \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | +| Email Url Info | EmailUrlInfo \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | +| Email Post Delivery Events | EmailPostDeliveryEvents \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated)| + +### 6.6 Important activities + +The table presented below provides a comprehensive list of significant Event IDs that can potentially signify noteworthy activities associated with malicious actions. 
+ +| Type | KQL | +|-----------------------|----------------------------------| +| Local Authentication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4624 \| summarize count_distinct(Computer)| +| DC Authentication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4776 \| summarize count_distinct(Computer)| +| Group Enumeration | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4799 \| summarize count_distinct(Computer)| +| Kerberos | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4769 \| summarize count_distinct(Computer)| +| Certificate Usage (Kerb) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4768 \| summarize count_distinct(Computer)| +| Replication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4662 \| summarize count_distinct(Computer)| +| New Scheduled Task | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4698 \| summarize count_distinct(Computer)| +| Powershell Execution | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4104 \| summarize count_distinct(Computer)| +| Registry Value Modification | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4657 \| summarize count_distinct(Computer)| +| RunAs | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4648 \| summarize count_distinct(Computer)| +| Windows Firewall Rule Deletion | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4948 \| summarize count_distinct(Computer)| diff --git a/docs/guidelines/observables-gap-analysis.md b/docs/guidelines/observables-gap-analysis.md deleted file mode 100644 index 43a634f89..000000000 --- a/docs/guidelines/observables-gap-analysis.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# **Observables Gap Analysis** -The following listed queries would help identify observables per endpoints - - -The chart below depicts most seen observables per [MITRE ATT&CK®](https://attack.mitre.org/) tactic source: ([OSSEM project](https://github.com/OTRF/OSSEM)) - -![image](../images/MitreAttackTTPChart.png) - -## 1. Process Creation -The following are common log sources for Process Creation events and relating kql queries to identify number of endpoints providing these observables. - -| Log source | KQL | -|-------------|-----------| -| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| summarize count_distinct(Computer) | -| Sysmon (Event) | Event \| where TimeGenerated > ago(7d) \| where Source == "Microsoft-Windows-Sysmon" \| where EventID == 1 \| summarize count_distinct(Computer) | -| Defender (DeviceProcessEvents) | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName) | -| AzureAD (VMProcess) | VMProcess \| where TimeGenerated > ago(7d) \| where isnotempty(ExecutableName) \| summarize count_distinct(Computer) | - -## 2. Process Command Line -The following kql queries will provide number of endpoints with [Command Line logging enabled](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing). - -| Log type | KQL | -|---------|-----------| -| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| where isnotempty(CommandLine) \| summarize count_distinct(Computer) | -| AzureAD: VMProcess | VMProcess \| where TimeGenerated > ago(7d) \| where isnotempty(CommandLine) \|summarize count_distinct(Computer) | -| DeviceProcessEvents | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| where isnotempty(InitiatingProcessCommandLine) or isnotempty(ProcessCommandLine) \| summarize count_distinct(DeviceName) | - -## 3. 
Parent Process - -| Log type | KQL | -|------------|----------| -| Audit Policy (SecurityEvent) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4688 \| where isnotempty(ParentProcessName) \| summarize count_distinct(Computer) | - -## 4. Microsoft Defender Device Logs -[Connect Microsoft 365 Defender to Micrososft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE) - -#### Techniques: [Microsoft Defender for Endpoint | Microsoft Security](https://www.microsoft.com/en-au/security/business/endpoint-security/microsoft-defender-endpoint?rtc=1) - - -| Log type | KQL | -|-----------------------|-------------| -|Process creation and related events | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| -|Network connection and related events | DeviceNetworkEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| -|Parent Process | DeviceProcessEvents \| where TimeGenerated > ago(7d) \| where isnotempty(InitiatingProcessParentFileName) \| summarize count_distinct(DeviceName)| -|Named Pipes | DeviceEvents \| where ActionType == "NamedPipeEvent" \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| -|File creation, modification, and other file system events| DeviceFileEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| -|Creation and modification of registry entries | DeviceRegistryEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| -|DLL loading events | DeviceImageLoadEvents \| where TimeGenerated > ago(7d) \| summarize count_distinct(DeviceName)| - - - -## 5. 
Microsoft Defender Office 365 Logs Monitoring -[Connect Microsoft 365 Defender to Micrososft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDO) - -| Log type | KQL | -|----------------------------|-------------------------------------------------------------------------------------------------| -| Email Events | EmailEvents \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | -| Email Attachment Info | EmailAttachmentInfo \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | -| Email Url Info | EmailUrlInfo \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated) | -| Email Post Delivery Events | EmailPostDeliveryEvents \| where TimeGenerated > ago(7d) \| summarize Time = max(TimeGenerated)| - -## 6. Important activities - -The table presented below provides a comprehensive list of significant Event IDs that can potentially signify noteworthy activities associated with malicious actions. 
- -| Type | KQL | -|-----------------------|----------------------------------| -| Local Authentication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4624 \| summarize count_distinct(Computer)| -| DC Authentication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4776 \| summarize count_distinct(Computer)| -| Group Enumeration | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4799 \| summarize count_distinct(Computer)| -| Kerberos | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4769 \| summarize count_distinct(Computer)| -| Certificate Usage (Kerb) | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4768 \| summarize count_distinct(Computer)| -| Replication | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4662 \| summarize count_distinct(Computer)| -| New Scheduled Task | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4698 \| summarize count_distinct(Computer)| -| Powershell Execution | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4104 \| summarize count_distinct(Computer)| -| Registry Value Modification | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4657 \| summarize count_distinct(Computer)| -| RunAs | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4648 \| summarize count_distinct(Computer)| -| Windows Firewall Rule Deletion | SecurityEvent \| where TimeGenerated > ago(7d) \| where EventID == 4948 \| summarize count_distinct(Computer)| - diff --git a/docs/guidelines/supply-chain-risk-mgmt.md b/docs/guidelines/supply-chain-risk-mgmt.md new file mode 100644 index 000000000..1edf0fcd1 --- /dev/null +++ b/docs/guidelines/supply-chain-risk-mgmt.md 
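Review bot: deleting guidelines/observables-gap-analysis.md outright will 404 any bookmarked or externally linked URL to the page, even though its content has moved verbatim into section 6 of baselines/data-sources.md in this same patch; add a redirect (for example with the mkdocs-redirects plugin, if the site uses it) or a short stub pointing at the new location, and check that nothing in mkdocs.yml or the remaining docs still links the old path. Since the tables were moved unchanged, the 4104/SecurityEvent, "AzureAD (VMProcess)" and "Micrososft" issues noted on the data-sources hunk travel with them.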
@@ -0,0 +1,11 @@ +# Supply Chain Risk Management Guideline + +Agencies should review [ACSC's Questions to Ask Managed Service Providers](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/questions-ask-managed-service-providers), especially service providers managing their **network**, **compute** and **file/email (Microsoft 365)** resources. A supporting extract from page 16 and 17 of the [NIST CSF 2.0 Initial Public Draft](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf) is below, identifying what should be addressed as part of procurement and **contract management**. + +!!! note "Managing Cybersecurity Risk in Supply Chains (NIST)" + + - **Identify:** Identifying, validating, and recording vulnerabilities associated with the supplier’s product or service [ID.RA-01] + - **Protect:** Authenticating users, services, and hardware [PR.AA-03]; applying appropriate configuration management practices [PR.PS-01]; generating log records and having the logs available for continuous monitoring [PR.PS-04]; and integrating secure software development practices into the supplier’s software development life cycles [PR.PS-07] + - **Detect:** Monitoring computing hardware and software for potentially adverse events [DE.CM-09] + - **Respond:** Executing incident response plans when compromised products or services are involved [RS.MA-01] + - **Recover:** Executing the recovery portion of the organization’s incident response plan when compromised products or services are involved [RC.RP-01], and restoring compromised products or services and verifying their integrity [RC.RP-05] diff --git a/docs/onboarding/onboarding-support.md b/docs/onboarding/onboarding-support.md deleted file mode 100644 index 66bcba5cc..000000000 --- a/docs/onboarding/onboarding-support.md +++ /dev/null 
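Review bot: the new data-sources.md "Shared Responsibility Model" section sends readers here with the parenthetical "vendors should report detection coverage monthly and incidents within 24 hours", but this guideline does not state either expectation; add the reporting cadence and incident notification timeframe to this page (for example under the contract management paragraph) or drop the parenthetical so the two pages agree. Also note that the extract is from the NIST CSF 2.0 *Initial Public Draft*, so the cited "page 16 and 17" and the category identifiers (PR.PS-04, DE.CM-09, RC.RP-05 and so on) may move in the final publication; flagging the draft status, as the text does, is good, but the page numbers will need re-checking when the final version lands.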
@@ -1,36 +0,0 @@ -# Onboarding support service - -As part of the onboarding process to the WA SOC agencies are offered additional support free of cost as listed in the flowing services: - -
- -## Onboarding Assessment - -The Onboarding Assessment is the first assessment after the MOU is signed and the onboarding scripts have been employed. This includes evaluation of the agency's logging quality and coverage, as well as the Sentinel SIEM implementation addressing the data connectors, activated rules and recommendations for uplift. - -### Method - -- Gather information related to the logging posture of an agency as per the Baseline for Event Ingestion model. This includes: - - On premise server and workstation infrastructure - - On premise security controls - - Cloud environments for both infrastructure and services -- Perform assessment on logging quality and overall environmental coverage -- Create coverage heatmaps as a visual guide to aid prioritisation -- For any quality or coverage issues provide tailored guidance on remediation -- Repeat process from beginning in order to provide metrics on the improvements made. - -
- -## Posture Assessment - -Posture assessments are an active engagement to identify detection gaps on common attack paths and misconfigured components. - -### Method - -- Meet with key stakeholders to demonstrate the assessment and understand about any existing issues. -- Gather information related to services commonly leveraged by attackers within an environment -- Perform assessment on data for the following; - - Commonly exploited attack paths - - Commonly misconfigured items -- Implement detections that require agencies to perform configuration such as the creation of accounts used solely to detect malicious activity. -- Repeat process from the information gathering phase and present updated findings. diff --git a/docs/onboarding/sentinel-guidance.md b/docs/onboarding/sentinel-guidance.md index 569813bb5..ffe810919 100644 --- a/docs/onboarding/sentinel-guidance.md +++ b/docs/onboarding/sentinel-guidance.md 
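Review bot: removing onboarding/onboarding-support.md deletes the only description of the Onboarding Assessment and Posture Assessment services without a visible replacement, and the deleted text is the one place that described the coverage heatmaps and the "accounts used solely to detect malicious activity" detections; if the services are still offered to agencies, that content should be relocated (the references to the "Baseline for Event Ingestion model" would need updating to the new Detection Coverage Baseline) rather than dropped, and if they are discontinued, confirm the mkdocs.yml nav hunk (changed in this patch but not shown here) and the README no longer point at onboarding/onboarding-support.md.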
@@ -1,131 +1,46 @@ -# WA SOC Microsoft Sentinel Connector Guidance +# WA SOC Microsoft Sentinel Guidance -Microsoft Sentinel _Collect => Detect => Investigate => Respond_ overview. - -![Sentinel Incident](../images/sentinel-incident.png) - -The below guide has been constructed by the WA Security Operations Centre (SOC) to prioritise connectors and configuration based on cost and complexity. There are several [free data sources](https://docs.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources) for [Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/), however the best approach is to connect as much as you can, then monitor costs and [run queries to understand your data ingestion](https://docs.microsoft.com/en-us/azure/sentinel/billing-monitor-costs#run-queries-to-understand-your-data-ingestion) to reduce your costs where possible. +The below guide has been developed by the WA SOC to expedite a SIEM implementation with Microsoft Sentinel. ## 1. Sentinel Deployment Notes -![Sentinel Region](../images/azure-regions.png) - -It is recommended to deploy Microsoft Sentinel in the **Australia East** region. If you have not already done so, you can follow the steps below: - -- [Create a Log Analytics Workspace](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace) -- [Enable Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard#enable-microsoft-sentinel-) - -If you have Log Analytics setup in another region, it is recommended to [move it to Australia East](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/move-workspace-region) where possible, as query performance is reduced when spanning multiple regions, and the majority of existing deployments are in Australia East. - -## 2. High value / low-cost connections - -These connectors are largely built into the cost of the services they protect, and provide a high value in terms of assets protected. 
The [WA SOC Baseline for Event Ingestion](../baselines/data-sources.md) can be used to self-assess and correlate how effective SIEM event collection is in contrast to the STIX 2.1 standard, and the below guidance is intended to make reaching a baseline cost effective on the Sentinel platform. - -### 2.1. [Connect Azure Active Directory (Azure AD)](https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory) - -Ensure that Identity management activities are picked up, including [Audit logs, Sign-in logs, Provisioning logs, Risky users logs, Risk detections logs](https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics#send-logs-to-azure-monitor) - -### 2.2. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/en-us/microsoft-365/security/defender/m365d-enable?view=o365-worldwide) - -This includes Office 365, Endpoint, Identity and Cloud Apps - -#### 2.2.1. [Protect against Threats using Defender for Office 365](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide) - -Align with the [ACSC Essential Eight Maturity Model](https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model) - -![Defender for Office 365](../images/Defender365.png) - -- Start with [Microsoft Defender for Office 365 step-by-step guides](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview?view=o365-worldwide) if unfamiliar with the Defender for Office 365 platform -- Use Exchange Online and SharePoint Online for all staff email & file services -- [Integrate with Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/integrate-office-365-ti-with-mde?view=o365-worldwide) - -#### 2.2.2. 
[Configure Microsoft Defender for Endpoint in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure) - -![Defender for Office 365](../images/DefenderEndpoint.png) - -- Use Intune for endpoint management and mobile device management -- Windows, macOS and Linux servers should also be onboarded into Microsoft 365 Defender for Endpoint unless they are separately sending the above data to Sentinel via another connector (e.g. [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud) or [Container Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview)) -- [Windows devices in Defender for Endpoint](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints?view=o365-worldwide) - Windows 7+, Windows Server 2008 R2+ -- [Defender for Endpoint on Mac](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide) - macOS 10.15+ (Catalina) -- [Defender for Endpoint on Linux](https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide) - Debian 9+, Ubuntu 16.04+, RHEL6+, SLES12+, CentOS6+, OEL7+, Fedora33+ -- Align with the [ACSC Strategies to Mitigate Cyber Security Incidents](https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents) by moving endpoints to [Windows cloud configuration](https://docs.microsoft.com/en-us/mem/intune/fundamentals/cloud-configuration) which includes [Security Baseline for Windows](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all), then [configure WDAC policy for Application Control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy), [Defender for Endpoint 
Baseline](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp) and [Edge Baseline](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-edge). - -This is the lowest cost way per device to get baseline monitoring in place. - -#### 2.2.3. [Install Identity Sensors](https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/sensor-health?view=o365-worldwide#add-a-sensor) - -![Defender for Identity](../images/defender-identity.png) - -Install on all domain controllers and ADFS servers - -- This is only relevant where on-premise Active Directory syncs to Azure AD, if entirely using Azure AD this is not required -- [Configure RADIUS Accounting on 802.1X networks & VPNs](https://docs.microsoft.com/en-us/microsoft-365/security/defender-identity/vpn-integration?view=o365-worldwide) - Capture 802.1X events via RADIUS accounting traffic forwarded to Identity Sensors (VPNs, wireless, 802.1X ports) - -#### 2.2.4. [Integrate Defender for Cloud Apps](https://docs.microsoft.com/en-us/defender-cloud-apps/mde-integration) - -![Defender CASB](../images/defender-casb.png) - -#### 2.2.5. 
[Connect Microsoft 365 Defender](https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-to-microsoft-365-defender) - -Collect events from [Defender for Office 365](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/defender-for-office-365?view=o365-worldwide#getting-started) and Defender for Endpoint - -- Enable collection of events from all Advanced Hunting tables ([Defender](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDE#connect-events), [Office 365](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDO#connect-events), [Identity](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDI#connect-events), [Cloud Apps](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDCA#connect-events) & [Alerts](https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDA#connect-events)) - -### 2.3. [Connect Azure Activity log](https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log#send-to-log-analytics-workspace) - -Ensure all azure activity is logged and retained. - -### 2.4. [Ingest WAF events into Sentinel](https://docs.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel) - -![Azure Front Door](../images/azure-frontdoor-waf.png) - -WAF events are a high quality security event source for monitoring ingress to applications. Third party WAF integration options are listed on [the Sentinel content hub](https://docs.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog) - -### 2.5. [Review the Sentinel content hub](https://docs.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog) - -![Sentinel Content Hub](../images/sentinel-content.png) - -Check and enable security relevant connections to other services or products your organisation is using. - -## 3. 
Complex connections - -These are good for querying manually, however most require some work to [Normalise using the Advanced Security Information Model (ASIM)](https://docs.microsoft.com/en-us/azure/sentinel/normalization) to be incorporated into automatic incident generation using standard Sentinel rules. - -1. [AWS S3 Connector](https://docs.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3) - This collects data via S3 buckets so has some delays compared to higher level integrations like [Microsoft 365 Defender](https://docs.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender) or [Container Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview) -1. [Logstash to connect data sources to Microsoft Sentinel](https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash) - For third party platforms without microsoft documented connection guidance, this is the best integration option. -1. [CEF-formatted logs from your device or appliance](https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format) -1. [Linux-based sources using Syslog](https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog) +It is recommended to deploy Microsoft Sentinel in the **Australia East** region following the [Deployment guide for Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/deploy-overview) -## 4. Potentially high-cost connections +## 2. Telemetry to collect (prioritised) -1. [Container Insights](https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-overview) - Centrally monitor [Kubernetes cluster performance](https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-analyze) and [query logs](https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-log-query) -1. 
[Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud) - If possible [Enable all Microsoft Defender plans](https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security#enable-enhanced-security-features-from-the-azure-portal) for your high value systems (such as Domain Controllers and SQL Databases, approx. 2-3% of total servers usually) - - [Microsoft Defender for Cloud CSPM](https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management) - Recommended enabling **Foundational** Cloud Security Posture Management (CSPM) +Below is a rapid approach to get Microsoft workloads covered rapidly using Sentinel. -![Defender for Cloud](../images/defender-cloud.png) +1. [Turn on auditing and health monitoring](https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring) +2. [Enable User and Entity Behavior Analytics (UEBA)](https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics) +3. [Microsoft 365 Defender connector](https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/microsoft-365-defender) + 1. [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview?view=o365-worldwide) + 2. [Microsoft Defender for Identity](https://learn.microsoft.com/en-us/defender-for-identity/quick-installation-guide) + 3. [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mde-planning-guide?view=o365-worldwide) +4. [Connect Microsoft Defender for Cloud (servers)](https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud) -### 4.1. Operational Technology Monitoring +## 3. 
Third party solutions (Telemetry re-ingestion) -![Defender for IoT](../images/defender-iot.png) +[Deploy domain solutions with ASIM analytic rules](https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog#domain-solutions) and connect associated telemetry for relevant products. Note for large environments this can be costly, so moving to incident synchronisation only may be more effective (see next section). -Use [Microsoft Defender for IoT/OT](https://docs.microsoft.com/en-us/azure/defender-for-iot/organizations/tutorial-onboarding) for passive network monitoring for devices not supported by Defender for Endpoint/Cloud via TAP/packet broker (previously [CyberX](https://www.microsoft.com/security/blog/2020/11/25/go-inside-the-new-azure-defender-for-iot-including-cyberx/)), this is a very high quality egress monitoring event source. Microsoft makes significant volume discounts available. +- [Endpoint Threat Protection Essentials](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-endpointthreat?tab=Overview) +- [Security Threat Essentials](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-securitythreatessentialsol?tab=Overview) +- [DNS Essentials Solution](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-dns-domain?tab=Overview) +- [Web Session Essentials](https://azuremarketplace.microsoft.com/en-gb/marketplace/apps/azuresentinel.azure-sentinel-solution-websession-domain?tab=Overview) +- [Network Session Essentials](https://azuremarketplace.microsoft.com/en-GB/marketplace/apps/azuresentinel.azure-sentinel-solution-networksession?tab=Overview) -- To manage costs it is recommended to use policy based routing or L3 segmentation to separate your endpoint traffic from OT devices, and utilise a packet broker to push OT traffic into the OT sensor, enterprise firewall packet broker config guides are listed 
below: - - Firewalls (best option): [Palo Alto Packet Broker](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/network-packet-broker), [Checkpoint Mirror and Decrypt](https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/Mirror-and-Decrypt.htm) - - Switches: [Cisco SPAN](https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html), [Cisco Meraki Port Mirror](https://documentation.meraki.com/MS/Monitoring_and_Reporting/Packet_Captures_and_Port_Mirroring_on_the_MS_Switch), [Fortinet SPAN](https://docs.fortinet.com/document/fortiswitch/7.0.1/administration-guide/428704/mirror) - - A scalable architecture supporting SD-WAN's would be using IPSEC to route OT egress traffic via a public cloud provider ([Azure Site to Site](https://docs.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal), [AWS Site to Site](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html)) and then monitor the egress using a cloud firewall supporting packet brokering (e.g. [Palo Alto VM Series](https://www.paloaltonetworks.com.au/cloud-security/vm-series)) to a sensor hosted on the public cloud environment itself. -- If passively monitoring over 1K devices using a per Gbps metric sensor such as [Corelight](https://corelight.com/integrations/iot-security) may be a more cost effective option +## 4. Third party integrations (Incident synchronisation only) -![Corelight Overview](../images/corelight.png) -![Defender Corelight](../images/defender-corelight.png) +[Create incidents based on events from systems whose logs are not ingested into Microsoft Sentinel.](https://learn.microsoft.com/en-us/azure/sentinel/create-incident-manually) -## 5. 
Cost optimisation +The above guide supports the below incident creation flows from third party systems: -![Sentinel Workspace Plans](../images/sentinel-workspace-plans.png) +- [Create an incident using Azure Logic Apps](https://learn.microsoft.com/en-us/azure/sentinel/create-incident-manually#create-an-incident-using-azure-logic-apps) + - Create incident with Microsoft Form + - Create incident from shared email inbox +- [Create an incident using the Microsoft Sentinel API](https://learn.microsoft.com/en-us/azure/sentinel/create-incident-manually#create-an-incident-using-the-microsoft-sentinel-api) -Microsoft Sentinel has builtin [queries to understand your data ingestion](https://docs.microsoft.com/en-us/azure/sentinel/billing-monitor-costs#run-queries-to-understand-your-data-ingestion) at a per table level. To get further granularity you can look at specific devices sending a lot of data using [additional usage queries](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-workspace-insights-overview#additional-usage-queries) or directly run manual queries from [Investigate your Log Analytics usage](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-cost-storage#investigate-your-log-analytics-usage). +Including **severity**, **classification** and **mitre tactic / technique** attributes helps the WA SOC triage and prioritise incidents. -Once you have identified the high cost items, you can reduce the events generated at the source, using a [Logstash filter](https://docs.microsoft.com/en-us/azure/sentinel/connect-logstash) for a custom source or with configuration in Sentinel itself: +## 5. 
Performance and cost optimisation -- [Ingestion time transformations](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/ingestion-time-transformations) - should be used to eliminate low value logs before they are persisted within Log Analytics & Sentinel -- [Basic Logs](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/basic-logs-configure?tabs=cli-1%2Cportal-1) - should be used for high volume tables that aren't queried regularly (approx 1/4 cost per GB ingested) +The [Microsoft Sentinel Optimization Workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-microsoft-sentinel-optimization-workbook/ba-p/3901489) aims to empower security teams by providing invaluable insights into your Microsoft Sentinel environment and offering recommendations to enhance cost efficiency, operational effectiveness, and overall management overview. diff --git a/docs/threat-activity.md b/docs/threat-activity.md index a732ca767..747748210 100644 --- a/docs/threat-activity.md +++ b/docs/threat-activity.md 
@@ -19,17 +19,7 @@ Recent WA SOC advisories this month worth staying across include: - [QRCode Phishing](https://soc.cyber.wa.gov.au/advisories/20230922003-Increase-in-QR-Code-Phishing-Technique/) - [Cisco IOS Web Vulnerabilities](https://soc.cyber.wa.gov.au/advisories/20231027004-Multiple-Vulnerabilities-in-Cisco-IOS-XE-Software-Web-UI-Feature/) -Agencies should review [ACSC's Questions to Ask Managed Service Providers](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/outsourcing-and-procurement/managed-services/questions-ask-managed-service-providers), especially service providers managing their **network**, **compute** and **file/email (Microsoft 365)** resources. A supporting extract from page 16 and 17 of the [NIST CSF 2.0 Initial Public Draft](https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.ipd.pdf) is below, identifying what should be addressed as part of procurement and **contract management**. - -!!! note "Managing Cybersecurity Risk in Supply Chains (NIST)" - - - **Identify:** Identifying, validating, and recording vulnerabilities associated with the supplier’s product or service [ID.RA-01] - - **Protect:** Authenticating users, services, and hardware [PR.AA-03]; applying appropriate configuration management practices [PR.PS-01]; generating log records and having the logs available for continuous monitoring [PR.PS-04]; and integrating secure software development practices into the supplier’s software development life cycles [PR.PS-07] - - **Detect:** Monitoring computing hardware and software for potentially adverse events [DE.CM-09] - - **Respond:** Executing incident response plans when compromised products or services are involved [RS.MA-01] - - **Recover:** Executing the recovery portion of the organization’s incident response plan when compromised products or services are involved [RC.RP-01], and restoring compromised products or services and verifying their integrity [RC.RP-05] - -Additionally agencies 
should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. +Agencies should ensure their procurement and vendor management processes are aligned to the [Supply Chain Risk Management Guideline](guidelines/supply-chain-risk-mgmt.md). Additionally agencies should prioritise remediating vulnerabilities in any internet-facing **remote access** services due to ongoing threat activity. **Phishing activity remains high** across all organisations with multiple incidents detected weekly. Please refer to the below guides to ensure all external and internal sign-ins are appropriately monitored. diff --git a/main.py b/main.py index da967dc11..018ce25af 100644 --- a/main.py +++ b/main.py @@ -1,9 +1,11 @@ -import os from pathlib import Path from itertools import groupby from dateutil.parser import parse import requests from bs4 import BeautifulSoup +from diskcache import Index + +macro_cache = Index() def define_env(env): """ @@ -25,6 +27,9 @@ def date_index(glob, prefix="", expand=3, include=None): """ Insert an index to a glob pattern relative to top dir of documentation project. """ + cachekey = f"date_index.{glob}.{prefix}.{expand}.{include}" + if cachekey in macro_cache: + return macro_cache[cachekey] files = Path(env.project_dir).glob(glob) mdtext = [] # Reverse order, sorted by first 6 characters (year + month) @@ -46,7 +51,8 @@ def date_index(glob, prefix="", expand=3, include=None): if include is not None: if month_count > include: break - return "\n".join(mdtext) + macro_cache[cachekey] = "\n".join(mdtext) + return macro_cache[cachekey] def getCategory(mitreID): @@ -67,6 +73,9 @@ def getCategory(mitreID): @env.macro def mitre(mitreId): + cachekey = f"mitre.{mitreId}" + if cachekey in macro_cache: + return macro_cache[cachekey] try: techRef = mitreId.replace(".","/") # Prep for url 
@@ -88,7 +97,8 @@ def mitre(mitreId): combinedText = ''.join(mitreId) + ' -' + ''.join(heading) # Return it as a link - return f"[{combinedText}]({url})" + macro_cache[cachekey] = f"[{combinedText}]({url})" + return macro_cache[cachekey] else: return f"Failed to fetch content from the {mitreId}. Status code: {response.status_code}" diff --git a/mkdocs.yml b/mkdocs.yml index 2cfcfbe9e..3eb4f85ae 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -50,6 +50,7 @@ plugins: 'docs/collecting-evidence.md': 'guidelines/collecting-evidence.md' 'docs/analyst-induction.md': 'training/analyst-induction.md' 'docs/azure-basics.md': 'training/azure-basics.md' + 'guidelines/observables-gap-analysis.md': 'baselines/data-sources.md' markdown_extensions: - pymdownx.highlight: linenums: true @@ -73,21 +74,20 @@ markdown_extensions: permalink: true nav: - Home: README.md -- Sentinel Connector Guidance: onboarding/sentinel-guidance.md - SOC Onboarding: onboarding.md - Advisories (TLP:CLEAR): advisories.md - ACSC Strategies to Mitigate: guidelines/further-five.md +- Threat Hunting (TTPs): guidelines/TTP_Hunt/ttp-detection-guidelines.md - Baselines: - Data Sources: baselines/data-sources.md - Security Operations: baselines/security-operations.md - Vulnerability Management: baselines/vulnerability-management.md - Guidelines: - Incident Reporting: guidelines/incident-reporting.md + - Vendor Management: guidelines/supply-chain-risk-mgmt.md - Network Management: guidelines/network-management.md - Patch Management: guidelines/patch-management.md - Configuration Assessment: guidelines/secure-configuration.md - - Observable Gap Analysis: guidelines/observables-gap-analysis.md - - TTP Detection Guideline: guidelines/TTP_Hunt/ttp-detection-guidelines.md - Annual Implementation Report: guidelines/annual-implementation-reporting.md - Training: - Security Analyst Induction: training/analyst-induction.md diff --git a/requirements.txt b/requirements.txt index e86034a3b..34ade2da6 100644 --- a/requirements.txt 
+++ b/requirements.txt @@ -3,4 +3,5 @@ mkdocs-redirects mkdocs-macros-plugin mkdocs-git-revision-date-localized-plugin mkdocs-linkcheck -beautifulsoup4 \ No newline at end of file +beautifulsoup4 +diskcache \ No newline at end of file
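Review bot: The `docs/onboarding/onboarding-support.md` deletion hunk (`@@ -1,36 +0,0 @@`) removes the only description of the Onboarding Assessment and Posture Assessment services (method steps, coverage heatmaps, deliberately-planted detection accounts) without a stated replacement, and the commit message ("data sources / sentinel cleanup") does not say whether the service was withdrawn or the text moved. If agencies are still offered these assessments, fold at least the two "Method" lists into `onboarding.md` (or the new data-sources baseline) so the MOU-linked process remains documented; if the service is gone, say so in the commit message.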
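Review bot: In the `docs/onboarding/sentinel-guidance.md` hunk, the new "## 2. Telemetry to collect (prioritised)" list drops two connectors the old text treated as first-tier: "### 2.1. Connect Azure Active Directory" (audit, sign-in, provisioning and risk logs) and "### 2.3. Connect Azure Activity log". Neither the Microsoft 365 Defender connector nor the Defender for Cloud connector in the new list covers tenant sign-in/audit events or control-plane activity, yet the `docs/threat-activity.md` hunk in this same patch still tells readers to "ensure all external and internal sign-ins are appropriately monitored". Suggest adding an Azure AD / Entra ID connector item and an Azure Activity item to section 2 before the Defender items. Smaller points in the same hunk: "rapid approach to get Microsoft workloads covered rapidly" repeats itself; the section 1 sentence has no terminal full stop; "mitre tactic / technique" should be "MITRE"; and section 5 now keeps only the Optimization Workbook link while losing the concrete Basic Logs and ingestion-time transformation guidance, so consider retaining those two bullets under the workbook sentence.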
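Review bot: The `docs/threat-activity.md` hunk (`@@ -19,17 +19,7 @@`) replaces the NIST CSF 2.0 extract, including the control identifiers ID.RA-01, PR.AA-03, PR.PS-01, PR.PS-04, PR.PS-07, DE.CM-09, RS.MA-01, RC.RP-01 and RC.RP-05, with a bare link to `guidelines/supply-chain-risk-mgmt.md`. Confirm the new guideline page carries that extract and its page 16-17 citation of the draft, otherwise the identifiers agencies use in contract language are lost from the site.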
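Review bot: In the first `main.py` hunk (`@@ -1,9 +1,11 @@`), `macro_cache = Index()` is constructed without a directory, and `diskcache.Index` with `directory=None` creates a fresh temporary directory for each process. The cache therefore never survives one `mkdocs build` to the next, which defeats the apparent goal of not re-fetching attack.mitre.org on every build, and it leaves a `diskcache-*` temp directory behind per run. Either pass an explicit path (for example `Index(".cache/macros")` relative to the project, and add that path to `.gitignore`) so lookups persist across builds, or, if only in-process memoisation during `mkdocs serve` is wanted, a plain `dict` does the same job without the new dependency. Separately, the hunk removes `import os`; confirm nothing later in the module still references `os`, since that is outside the visible context.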
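Review bot: In the `date_index` hunks (`@@ -25,6 +27,9 @@` and `@@ -46,7 +51,8 @@`), the cache key `f"date_index.{glob}.{prefix}.{expand}.{include}"` is built only from the call arguments, but the result depends on which files currently match `Path(env.project_dir).glob(glob)`. Because the early `return macro_cache[cachekey]` runs before the glob, an advisory added or removed while the cache exists (the `serve` process, or a persistent directory if one is later configured) will not appear in the index until the cache is cleared. Include a digest of the sorted matched paths and mtimes in the key, or skip caching for this macro, since it only walks the local tree and the expensive part of the build is the `mitre()` HTTP fetch. Also note the dot-joined key is ambiguous when `prefix` itself contains dots; a tuple key such as `("date_index", glob, prefix, expand, include)` avoids that and is accepted by `Index`.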
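Review bot: In the `mitre` hunks (`@@ -67,6 +73,9 @@` and `@@ -88,7 +97,8 @@`), storing the rendered link only on the success path is right (the "Failed to fetch content" string is never cached, so a transient HTTP error is retried next build), but entries under `f"mitre.{mitreId}"` never expire, so a renamed technique heading will be served stale for as long as the cache directory exists. `Index` has no per-key expiry; if persistence across builds is the intent, consider `diskcache.Cache` with `set(..., expire=...)` or add a version prefix to the key that can be bumped to force a refresh.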
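Review bot: In the first `mkdocs.yml` hunk (`@@ -50,6 +50,7 @@`), a redirect is added for the deleted `guidelines/observables-gap-analysis.md` but not for `onboarding/onboarding-support.md`, which this patch also deletes outright, so existing links to that page will 404. Add a matching entry, for example `'onboarding/onboarding-support.md': 'onboarding.md'` (target is a suggestion; point it wherever the assessment text lands). In the nav hunk (`@@ -73,21 +74,20 @@`), `onboarding/sentinel-guidance.md` is removed from `nav` but the page itself is kept and rewritten, so it becomes reachable only through in-page links; make sure `onboarding.md` links to it, otherwise the new "WA SOC Microsoft Sentinel Guidance" is orphaned.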
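Review bot: In the `requirements.txt` hunk, `diskcache` is added unpinned, which matches the rest of the file, but both sides of the hunk still carry `\ No newline at end of file`; add the trailing newline while touching the last line so future appends produce a clean one-line diff. If the `main.py` cache ends up as an in-process `dict` (see the `Index()` comment), this dependency can be dropped again.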