This module guides you through the SOC analyst experience using Azure Sentinel's incident management capabilities.
This module assumes that you have completed Module 1, because the data and artifacts used here must already be deployed in your Azure Sentinel instance.
As a SOC analyst, the entry point for consuming security incidents (tickets) in Sentinel is the Incidents page.
In the left navigation menu click Incidents to open the Incidents page. By default this page shows all open incidents from the last 24 hours.
To change the time window, show only incidents of a specific severity, or include closed incidents, use the filter bar.
On the Incidents page select the "Model Evasion in Critical ML model" incident. The right pane shows the incident preview with high-level information about the incident.
As the SME SOC analyst who handles and investigates fraud tickets, you need to take ownership of this incident. In the right pane change Unassigned to "Assign to me" and change the status from New to Active.
- Another way to consume incidents, and also get a high-level view of overall SOC health, is through the Security Operations Efficiency workbook (workbooks get their own module later).
We have two ways to open the workbook:
- Through the top navigation. This opens the workbook's general view, with overall statistics on incidents.
- Through the incident itself. This opens the same workbook on a different tab, showing the information and lifecycle of the selected incident.
- Review the dashboard.
- Open the Azure Sentinel Incidents page.
- Locate the incident "Sign-ins from IPs that attempt sign-ins to disabled accounts".
- Click the incident and look at the incident preview in the right pane. Notice that this pane surfaces the entities that belong to the incident.
- Take ownership of the incident and change its status to Active.
- Navigate to the full incident details by clicking View full details, then run the playbook that brings in Geo IP data (you will notice tags being added to the incident).
- Navigate to the Alerts tab and click the number of events. This redirects you to the raw logs, which present the alert evidence that supports the investigation.
- In the raw log search, expand the received event and review the columns and data. These properties help us decide whether this incident correlates with other events.
- To get more context on this IP, we want to add Geo IP enrichment. In a real SOC this operation runs automatically, but for this lab you will run it manually.
- Navigate back to the Alerts tab of the full incident page and scroll to the right.
- To view the automation that assists with the enrichment operation, click View playbooks.
Locate the playbook Get-GeoFromIpAndTagIncident and click Run. If the playbook is configured correctly, it should finish in a couple of seconds.
Navigate back to the main Incidents page and notice the new tags added to the incident.
** Bonus: open the resource group of the Sentinel deployment, locate the playbook, and review the execution steps of its last run.
As this enrichment information increases your concern, you want to check for other traces of this IP in your network. For this investigation you will use the investigation workbook.
In the left navigation click Workbooks and select My Workbooks.
To open the saved workbook Investigation Insights - sentinel-training-ws, click View saved workbook in the right pane.
Validate that in the properties selector the workspace is set to sentinel-training-ws and the subscription is the one hosting your Azure Sentinel lab.
As the subject of the investigation is the suspicious IP from North Korea, we want to see all activity performed by this IP, so in the properties selector switch Investigate by to Entity.
In the Investigate IP Address tab, add the suspicious IP.
Under Activity Detail we see many successful logins from this IP with the user Adele, and also some failed logins to disabled accounts over the last day/hours.
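The raw-log review above and the workbook's Activity Detail view both answer the same question: what did this IP do against our identities, and how much of it was successful? The query below is an added example, not part of the lab or of the workbook's own queries. It assumes the Azure AD sign-in connector is feeding the SigninLogs table in the sentinel-training-ws workspace; the IP address is a constructed placeholder to be replaced with the entity shown on the incident preview pane.

```kql
// Added example (not from the lab): reproduce the per-user activity summary for
// one IP entity directly against SigninLogs, splitting successes from failures
// against disabled accounts so the volume of each is visible at a glance.
let suspiciousIp = "203.0.113.10";   // constructed placeholder (TEST-NET-3 range)
let lookback = 7d;                   // widen beyond the incident's 24h window
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress == suspiciousIp
// Azure AD sign-in result codes: "0" = success, "50057" = user account is disabled
| extend Outcome = case(ResultType == "0", "Success",
                        ResultType == "50057", "Failed: account disabled",
                        strcat("Failed: ", ResultType))
| summarize Attempts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Apps      = make_set(AppDisplayName, 10)
        by UserPrincipalName, Outcome,
           Country = tostring(LocationDetails.countryOrRegion)
| order by LastSeen desc
```

Run it from Logs in the same workspace. A row with many "Success" attempts for one user next to rows of "Failed: account disabled" for others is the pattern the incident's analytics rule is keyed on, and the Country column lets you confirm the Geo IP tag the playbook added without leaving the query.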
We copy the user [email protected] and validate it in our internal HR system. From the information we collected, it seems that Adele is part of the security Red Team and this suspicious activity is part of an exercise.
As we have discovered the Red Team exercise, the SOC manager asks us to add this IP to the allow list (whitelist) so that it no longer triggers incidents.
On the main Incidents page, select the relevant incident and click Actions -> Create automation rule.
- In the new screen we see all the incident identifiers (the IP and the specific analytics rule). As the Red Team exercise will finish in 48 hours, set the rule expiration to the end of the drill and click Apply.
- As this incident is considered benign, go back to the main Incidents page and close the incident with the right classification.
Congratulations, you have completed Module 4! You can now continue to Module 5 - Hunting.