Category: Products

Microsoft Sentinel UEBA

If you’re an Azure customer and are using Sentinel, then you’ll definitely want to check out Sentinel User and Entity Behavior Analytics (UEBA). It’s an add-on application that works right on top of Sentinel and can be easily setup without any major integrations or customizations. It integrates well with Sentinel SIEM and other Azure security products, allowing you to aggregate your various security use cases and create higher-fidelity alerts.

Sentinel User and Entity Behavior Analytics works by aggregating multiple Azure data sources and finds rarities and outliers within those sources. The data sources are:

  • Azure AD
  • Audit Logs (User and group management activity)
  • Azure Activity (Common Azure operational event logs)
  • Security Events (Windows Security Event Log events)
  • SignIn Logs (Authentication Activity)

The rarities and outliers discovered by Sentinel UEBA are known as “Insights”, which are uncommon actions, devices, peer activity, and other events of interest within your environment. Sample Insights produced are:

  • User performed uncommon action among peers
  • First time user performed this particular action
  • User connected from country uncommonly connected from peer group
  • Unusual number of logon failures performed by user

Sentinel UEBA will automatically produce these Insights based on the activity in your organization, which can flag someone using a new browser, connecting from a new location, or performing an abnormal amount of actions. This type of information can not only help alert on suspicious activity, it can also help an investigator determine events of interest performed by the user when performing an investigation, as many of the Insights would be something an investigator would query manually.

While these can be notable activities, you can also see why these are “Insights” and not “Alerts.” Larger organizations especially will find a lot of this “noisy,” which is why these alone may not be sufficient to justify an investigation without additional context. Behavior Analytics will catch someone still using Internet Explorer, but you may have staff using it to access a legacy application. If you have staff that travel, it will flag their phones connecting to your network as soon as they walk off a plane.

To obtain more value from Behavior Analytics, you can aggregate it with other analytics such as your Sentinel Use Cases, Anomalies, Identity Protection, MCAS, and other Azure alerts. Since the Insight will have the user that performed the action, you can simply aggregate it with your other sources by username.

Most Azure security products will produce an Entity automatically with each alert. For Sentinel use cases, you need to ensure an Entity is set when a rule is configured. For example, your user name field, e.g. AccountName, UserPrincipalName, should be mapped to the Account Entity.

Challenges

Especially for large organizations, Insights will simply be normal activities within your environment. Thus, like with other security products, you may want to filter out those that are common and benign.
Behavior Analytics also provides a priority from zero to ten for each Insight. The least abnormal activities will produce a lower numeric value (0-4), while more rare or uncommon Insights will produce a higher numeric score on the scale (5-10).

If you are going to aggregate Sentinel UEBA with other Azure security products, you may want to explore a weighting or scoring system that ensures Insights don’t outweigh other security alerts. For example, if one user consistently triggers one Insight multiple times, they can repeatedly trigger alerts or appear at the top of your dashboards. Thus, you can cap the score derived from Insights so that it allows other products to equally provide a risk score for the user, so that other high-risk users can generate alerts or appear at the top of dashboards.

Some Insights do not contain numerical values that indicate what baseline and deviations were observed. For example, an Insight that determines an “uncommon number of actions were observed,” the common and uncommon values may not be provided, leaving the analyst unclear if there was a significant deviation from the standard.

Summary

Overall, Sentinel UEBA is a great way to automatically flag suspicious behavior in your environment. Doing the equivalent manually within your organization would require a team of data scientists. Behavior Analytics provides additional criteria you can use to create higher-fidelity alerts, and as well automatically provide investigators will information pertinent to an investigation. If you’re an Azure customer and are using Sentinel then it’s definitely worth checking out.

Step into the ring with SIEM heavyweight Sumo Logic

While it has been around for over a decade, Sumo Logic is still unknown to many information security departments. Its absence from the Gartner SIEM Magic Quadrant has likely contributed to its SIEM popularity challenges, but changes in the industry may be in its favour as many organizations migrate to the cloud.

Sumo Logic has mainly been a log management-only solution with limited event management capabilities, but it now offers a full SIEM solution via the JASK acquisition. In addition to common SIEM capabilities, Sumo Logic also provides infrastructure monitoring and business analytics, giving organizations the opportunity to use it for multiple business functions. With a strong client base of over 2,000 clients and many organizations looking to build in the cloud, this “Continuous Intelligence” platform is definitely worth consideration.

I was able to demo Sumo Logic and explore many of the features of its base log management product.

Here are some of the things I liked about it:

Cloud-focused SIEM

One of the things that stood out with Sumo Logic was its direct integrations with many common cloud vendors. Its integrations with AWS, Netskope, and Cloudflare were the simple clicks of a few buttons, and data was ingesting within minutes.

Practical Searching

Sumo Logic has a Lucene-like search language that makes it easy to obtain common security search results. Aggregations and common security searches for IPs, hostnames, and usernames were easy to learn. If you’re familiar with Splunk, picking up Sumo Logic’s search syntax will be easy.

Option to structure data during ingestion or search-time

Structuring data is a critical function of a SIEM. Some SIEMs parse data during ingestion, while others at search time. It’s debatable as to which approach is better, but Sumo Logic has taken an approach that gives you the best of both worlds. Sumo Logic is designed to parse at search time, but you can parse up to fifty fields during ingest. This allows you to structure and quickly search your commonly used fields such as IPs, hostnames, URLs, usernames, and many others, giving you fast search response times, while limiting the amount of parsers you need to create and maintain. Any other fields can be parsed as needed during search-time.

Infrastructure Monitoring and Business Intelligence Capabilities

While providing many SIEM capabilities, Sumo Logic also provides infrastructure monitoring and business analytics. You can monitor and alert on system resource utilization on your servers and applications, and its query language makes it easy to calculate sales, profits and other common business metrics, and turn them into charts and other visualizations.

So if you’re looking for infrastructure monitoring or business analytics in addition to a SIEM, or to simply consolidate applications, Sumo Logic can be used to for all three functions.

Good Documentation

For anything I wanted to know about Sumo Logic regarding data source integrations, search operators, or using lookup tables, I found the documentation helpful, accurate and up to date.

Common SIEM functionality

  • Real-time and scheduled alerts
    You can create your use cases via a search, and then schedule it on a real-time basis or at a regular interval (hourly, daily). The results of a search can be emailed, sent via a Webhook, written to an index, or forwarded to a SOAR.
  • Ability to export a significant amount of data to a file
    During a security incident, you may need to export a significant amount of data to a CSV file for further analysis, or to share with other staff. With Sumo Logic you can export up to 100,000 search results from the web interface, and up to 200,000 results via the API.
  • Supports lookup tables
    Lookup tables are commonly used by security staff to compare large amounts of IPs, usernames, hostnames in firewall, proxy and other data. Security teams often get large lists of suspicious IPs/domains that need correlated against network traffic. You can import lookup tables in Sumo Logic directly via the web interface, and then use it in your searches.
  • Manually importing data from a file (csv, text)
    A common use case is to perform an ad-hoc analysis of a log file from another security application. With Sumo Logic you can import a file directly via the web interface, and then analyze it using common search functions, aggregations, and as well to correlate the data against other data sources.
  • Useful search operators (parse, parse regex, JSON)
    Sumo Logic has practical search operators that allow you to extract data for matching, counting, and sorting. You can search via regex, and two useful operators such as parse (which lets you easily match on any characters), and the JSON operator, which easily allows you to parse JSON values.

Concerns/Considerations:

Doesn’t support many legacy systems

This would only be a “concern” if you have legacy systems and a significant on-prem presence. However, on-prem clients don’t appear to be part of Sumo Logic’s strategy.

Maximum 99.9% Uptime

While nine hours a year may not seem like much, it can be an eternity if these nine hours happen to be during an incident or other critical event.

Base product is more of a log management tool than SIEM

The base product comes close to being a full SIEM, but lacks a basic incident management app, and provides a limited use case library. So if you’re only going with the base product, you’ll have to use another app, excel, or your SOAR for case management.

While there are dashboards for many of the supported data sources, there doesn’t appear to be a significant library of real-time alerts, so much of it would have to be developed internally by your security team or Sumo Logic professional services.

Base product and SIEM product are separate apps

The base log management and SIEM applications are different products, so data has to be forwarded from the Collectors to both.


Summary

Overall, I found the product stable, intuitive, integrations easy to setup, and the query language easy to learn. The product provided fast search response times in general, and even better performance from searches on fields parsed during ingestion. Common security functions such lookup tables, data exports to a file, and manually uploading a log file were all intuitive and can be done directly via the web interface.

So if your next SIEM is going to be in the cloud, be sure to check out Sumo Logic.