Microsoft SC-200 Practice Test - Questions Answers, Page 14

msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple sources. enrich the data with Threat Intelligence, geolocations and Azure resource data.

extract Indicators of Activity (IoA) from logs and unpack encoded data.

MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and provides:

Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.

Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.

Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.

Visualization tools using event timelines, process trees, and geo mapping.

Advanced analyses, such as time series decomposition, anomaly detection, and clustering.

Reference:

https://docs.microsoft.com/en-us/azure/sentinel/notebook-get-started

https://msticpy.readthedocs.io/en/latest/

Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.

You can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.

Note: To create a rule directly in the Azure portal:

1. From Defender for Cloud's security alerts page:

Select the specific alert you don't want to see anymore, and from the details pane, select Take action.

Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:

2. In the new suppression rule pane, enter the details of your new rule.

Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.

Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or location.

3. Enter details of the rule.

4. Save the rule.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules

Box 1: Owner

Only the Owner can assign initiatives.

Box 2: Contributor

Only the Contributor or the Owner can apply security recommendations.

Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions

Box 1: Turn on Live Response Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.

Box: 2 : Add a network assessment job

Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/networkdevices?view=o365-worldwide

Box 1: join

An inner join.

This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.

This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.

DeviceInfo

//Query for devices that the potentially compromised account has logged onto | where LoggedOnUsers contains '<account-name>' | distinct DeviceId

//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables | join kind=inner AlertEvidence on DeviceId | project AlertId

//List all alerts on devices that user has logged on to

| join AlertInfo on AlertId

| project AlertId, Timestamp, Title, Severity, Category

DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"

Box 2: project

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingquery-emails-devices?view=o365-worldwide

Step 1: From Logic App Designer, create a logic app.

Create a logic app and define when it should automatically run

1. From Defender for Cloud's sidebar, select Workflow automation.

2. To define a new workflow, click Add workflow automation. The options pane for your new automation opens.

Here you can enter:

A name and description for the automation.

The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.

The Logic App that will run when your trigger conditions are met.

3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.

4. Etc.

Step 2: From Logic App Designer, run a trigger.

Manually trigger a Logic App

You can also run Logic Apps manually when viewing any security alert or recommendation.

Step 3: From Workflow automation in Defender for cloud, add a workflow automation.

Configure workflow automation at scale using the supplied policies

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

Box 1: AzureActivity The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: | 'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source IP address from which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single operations do not appear in this list as we cannot learn from it their normal activity (only based on a single event). The activities for listing storage account keys is correlated with this learned clusters of expected activities and activity which is not expected is returned.

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| join kind= inner (

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"

| where ActivityStatusValue == "Succeeded"

| project ExpectedIpAddress=CallerIpAddress, Caller

| evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds =

make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller,

CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml

Step 1: From the Investigation blade, select Insights

The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel Incidents or individual IP/Account/Host/URL entities.

Step 2: From the Investigation blade, select the entity that represents VM1.

The Investigation Insights workbook is broken up into 2 main sections, Incident Insights and Entity Insights.

Incident Insights The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including alerts and entity information.

Entity Insights The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about that entity. This workbook presently provides view of the following entity types:

IP Address

Account

Host

URL

Step 3: From the details pane of the incident, select Investigate.

Choose a single incident and click View full details or Investigate.

Reference:

https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview

https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases