Microsoft Azure Sentinel

Praveen Kumar — Tue, 02 May 2023 14:59:21 +0000

IF you are working as SOC or DevSecOps in Cloud environments, we are need to ensure and highly responsible for security management capabilities.

Here some is the topic like SIEM (Security Information and Event Management) SOAR (Security Orchestration and Automated Response).

For above topics like SIEM and SOAR we have Microsoft Azure Sentinel in Public cloud is of the right solution to manage with minimal Administrations and flexible pricing model

SIEM - Tool that an organization uses to collect, analyze, and perform security operations on its computer systems. Those systems can be hardware appliances, applications, or both

Log management: The ability to collect, store, and query the log data from resources within your environment

Alerting: A proactive look inside the log data for potential security incidents and anomalies

Visualization: Graphs and dashboards that provide visual insights into your log data

Incident management: The ability to create, update, assign, and investigate incidents that have been identified

Querying data: A rich query language, similar to that for log management, that you can use to query and understand your data

Microsoft Sentinel in General term, cloud-native SIEM system used by SOC to

Getting insights across by collecting data
Detect and investigate threat by using advanced built in Machine Learning and Microsoft threat Intelligence
Automate response by using playbooks and natively incorporates Azure Logic Apps and Log Analytics which enhances its capabilities
Unlike an traditional Sentinel no worries about installation in servers or on premises.

Microsoft Sentinel is a service that you deploy in Azure. You can get up and running with Sentinel in just a few minutes in the Azure portal

Four Stages of Sentinel

Collect (Visibility)
Detect (Analytics, Hunting)
Investigate (Incidents)
Respond (Automations)

Collect Data

collect data on all users, devices, applications, and infrastructure both on-premises and across multiple cloud environments. It can easily connect to security sources out of the box
There are several connectors available for Microsoft solutions that provide real-time integration
It also includes built-in connectors for third-party products and services (non-Microsoft Solutions) Data connectors are many * Syslog * Common Event Format (CEF) * Trusted Automated eXchange of Indicator Information (TAXII) (for threat intelligence) * Azure * AWS

Detect Threats

can detect threats and minimizes false positives by using analytics and threat intelligence drawn directly from Microsoft. Azure * * Analytics plays a major role in correlating alerts into incidents identified by the security team
It provides built-in templates directly out-of-the-box to create threat detection rules and automate threat responses

Investigation Suspicious Activities

can investigate and hunt suspicious activities across the environment. It helps reduce noise and hunt for security threats
Use Artificial Intelligence to proactively identify threats before an alert trigger across the protected assest to detect suspicious activities

Respond

can react smoothly and respond quickly to built-in orchestration incidents, and common and frequent tasks can easily be converted into automation
capable of creating simplified security orchestration with playbook

Major Key Components we can utilize in Sentinel

Data connectors
(we have seen above)

Log retention

After it's been ingested into Microsoft Sentinel, your data is stored by using Log Analytics
KQL is a rich query language that gives you the power to dive into and gain insights from our data

Workbooks

can use workbooks to visualize your data within Microsoft Sentinel. Think as a Dashboard
Each component in the dashboard is built by using an underlying KQL query of your data
can use the built-in workbooks within Microsoft Sentinel and edit them to meet your own needs, or create your own workbooks from scratch

Analytics alerts

As far as now we have, you have your logs and some data visualization
Now it's great time to have some proactive analytics across your data, so you're notified when something suspicious occurs
can enable built-in analytics alerts within your Sentinel workspace
There are many types alerts are there. Can also create custom, scheduled alerts from scratch
Other alerts are built on machine-learning models that are proprietary to Microsoft

Threat hunting

there are some built-in hunting queries that they can use
can also create their own queries

Incidents and investigations

when an alert that you've enabled is triggered, Incident will be ceated
you can do standard incident management tasks like changing status or assigning incidents to individuals for investigation
Microsoft Sentinel also has investigation functionality, so you can visually investigate incidents by mapping entities across log data along a timeline

Automation playbooks

With the ability to respond to incidents automatically now you can automate some of your security operations and make your SOC more productive
Sentinel allows you to create automated workflows, or playbooks, in response to events and functionality could be used for incident management, enrichment, investigation, or remediation. This capabilities are often referred to as security orchestration, automation, and response (SOAR)

Continue......

Robusta Installation

Praveen Kumar — Wed, 26 Apr 2023 16:59:29 +0000

Robusta is the CNCF member, Which is open source and used on monitoring layer for Kubernetes and automations. Provides valuable insights into Kubernetes clusters and integrates with various monitoring and alerting tools Commonly used with Prometheus but not limited.

First as the source of truth to check parent website for updated templates https://docs.robusta.dev/master/installation.html

Installation steps
There are few ways of installations like Robusta cli and docker, Currently we are using Robusta CLI

By default, on Linux and mac you have python install or else check and install python before the Robusta.

Step 1 :
$ helm repo add robusta https://robusta-charts.storage.googleapis.com && helm repo update

$ pip install -U robusta-cli --no-cache
(check the python version, coz Python 3.7 and higher is required)

Step 2 : Robusta configurations required sink (automations in place to handle alerts in your Kubernetes cluster by sending them to sinks with added enrichments that tell you what is happening in your cluster. It also suggests common fixes that give us better alerts)
Sinks Available : https://docs.robusta.dev/master/catalog/sinks/index.html

$ robusta gen-config

will ask for y or n popup, once y is been choosed on browser ask to add on channel slack.

It will create the generated_values.yaml in current path

Step 3 : Run the following commands to install Helm charts

$ helm install robusta robusta/robusta -n your_namespace -f ./generated_values.yaml \
--set clusterName=

Step 4 : To check the deployments on robusta

$ kubectl get pods -n your_namespace
$ robusta logs

Step 5 : To check the Robusta create some error like crashing pod

$ kubectl apply -f https://gist.githubusercontent.com/robusta-lab/283609047306dc1f05cf59806ade30b6/raw

$ kubectl get pods -n your_namespace

Step 6 : Use Robusta UI that we enabled in Step 2 option

URL : https://platform.robusta.dev/

Two options to choose like Google and Azure, provide the mail id which is given in Step 2

Continue......

DEV Community: Praveen Kumar

Microsoft Azure Sentinel

Robusta Installation