
Kennedy Torkura
April 18, 2025

Ultimate Combo - Azure Sentinel and Cloud Attack Emulation

What happens when you combine attack emulation and threat detection? 🤔

👉 TLDR; your quality of life drastically improves. 😆

Without any doubt, we know that SOC teams are burnt out with alerts today.

While threat detection tools are designed to surface attacks, they often generate a large number of useless alerts for SOC teams. 🥵

These are alerts that are false positives or false negatives and lack environmental context. Furthermore, detection gaps are a considerable challenge; unfortunately, these are not discovered until sh*t hits the fan 💥.

🤺 Attack emulation provides huge opportunities for overcoming these challenges. That is precisely what you get when you leverage Mitigant Cloud Attack Emulation for Microsoft Sentinel.

How? 🤔

In the attached document, I walk you through some interesting use cases, e.g., attackers often maliciously export an Azure VM disk by creating shared links that can be accessed externally. There aren't OOTB Sentinel rules for detecting this attack 🙀

The Mitigant advantage: you get the attack to emulate the corresponding MITRE ATT&CK TTPs and also receive custom detection logic to detect it. That's an ultimate combo right there 🦾

🔥 So, whether you are early in your detection engineering journey or much down the path, we've got you covered! Mitigant supercharges your threat detection & response capabilities, helping you operate with high-quality alerts -> higher quality of life 🎉


Transcript

  1. Slide 2 (@run2obtain): Microsoft Sentinel - Quick Overview. Microsoft Sentinel is a scalable, cloud-native SIEM that delivers an intelligent & comprehensive solution for SIEM and SOAR. Additionally, Sentinel provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise. https://learn.microsoft.com/en-us/azure/sentinel/overview?tabs=azure-portal
  2. Slide 3: Emulating Cloud Attacks with Mitigant CAE. Mitigant CAE provides a powerful API for integrating into Detection-as-Code via the Attack-as-Code feature. Attacks can also be launched easily from the Mitigant user interface. Launch immediately or schedule for a later time -> you choose. https://www.mitigant.io/en/blog/feature-release-january-2025#attack-as-code
  3. Slide 4: Mitigant Cloud Attack Emulation – Quick Overview. Mitigant Cloud Attack Emulation (CAE) is the industry's most comprehensive, agentless adversary emulation platform built for cloud-native infrastructure. Security teams can safely & efficiently emulate sophisticated attacks suitable for enhancing threat detection efficiency, validating security controls, supercharging incident response, etc. Mitigant CAE aligns with MITRE ATT&CK and MITRE ATLAS. Also, the integration of Cyber Threat Intelligence enables emulating several threat actor TTPs. https://www.mitigant.io/en/platform/cloud-attack-emulation
  4. Slide 5: Detecting Threats with Microsoft Sentinel. • Sentinel provides detection rules, expressed in KQL, allowing for very powerful search capabilities over logs, e.g. Azure Activity Logs. • However, SOC teams still suffer from alert fatigue, and rule tuning is imperative. • Detection engineers can leverage environmental requirements and other contextual insights to customize KQL queries for optimal alerting.
  5. Slide 6: Let's explore Sentinel detection rules available in Content Hub. Sentinel ships with some detection rules available in the Content Hub, aka Out of the Box (OOTB) rules. Several alerts are seen in the Incidents panel following the execution of several emulated attacks. The alert pointed out in the image is "User Assigned New Privileged Role". (Images: Alerts detected in Sentinel based on OOTB rules; Alert: User assigned new privileged role)
  6. Slide 7: So, what can go wrong? There are fewer than 30 OOTB rules available in the Sentinel Content Hub. SOC teams would require many more rules to effectively detect attacks! For example, the attack pictured here maliciously exports a VM disk by creating a shared link that can be accessed externally. There is no OOTB Sentinel rule for detecting this attack. (Image: Attacks create shareable links for exfiltrating VM disks)
  7. Slide 8: Let's fix that! We create a custom rule using a KQL query. Now we can detect the attack, and it is visible in the Sentinel Incidents view. (Images: KQL query; Attack detected)
  8. Slide 9: How about detecting rogue VMs! We also created other rules, e.g. for detecting when VMs are spawned for mining crypto-currency. But attackers can use such VMs for other reasons, e.g. as a staging area for further attacks, aka Rogue VMs.
  9. Slide 10: Ultimately, Mitigant CAE affords several use cases that result in huge advantages: - Reduction of alert fatigue for SOC teams - Optimization of detection engineering efforts - Leverage for effective threat hunting, e.g. easily craft and validate hypotheses - Red/Purple teaming without managing attack scripts - ……. But we just scratched the surface!
  10. Slide 11: Easily Emulate Cloud Attacks using Mitigant. Read more about Azure Attacks: https://www.mitigant.io/en/blog/feature-release-cloud-attack-emulation-for-azure
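For the VM-disk export scenario on slides 7 and 8, the following is the shape of a custom Sentinel analytics rule the deck describes but does not print. It is an added example, not Mitigant's or the author's query; it assumes the AzureActivity table is fed by the Azure Activity data connector, that the externally shareable link is issued through the Microsoft.Compute/disks/beginGetAccess/action control-plane operation (the call that returns a managed-disk SAS URI), and that the allowlisted caller is a constructed placeholder.

```kql
// Added example (not from the deck): surface managed-disk SAS exports in Azure Activity logs.
// Assumption: AzureActivity is populated via the Azure Activity data connector.
// Constructed placeholder: identities whose disk exports are expected (e.g. backup automation).
let lookback = 1d;
let expected_callers = dynamic(["disk-backup-automation@example.com"]);
AzureActivity
| where TimeGenerated > ago(lookback)
// beginGetAccess is the operation that hands out a SAS URI for a managed disk;
// OperationNameValue is upper-cased in the table, so compare case-insensitively.
| where OperationNameValue =~ "Microsoft.Compute/disks/beginGetAccess/action"
// Keep completed grants only; older workspace schemas report "Succeeded" instead of "Success".
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Environmental tuning (slide 5): drop callers that are known to export disks legitimately.
| where Caller !in~ (expected_callers)
| extend DiskName = extract(@"(?i)/disks/([^/]+)$", 1, _ResourceId)
| summarize GrantCount = count(),
            Disks = make_set(DiskName, 50),
            SourceIPs = make_set(CallerIpAddress, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Caller, SubscriptionId, ResourceGroup
| order by GrantCount desc
| project FirstSeen, LastSeen, Caller, SourceIPs, SubscriptionId, ResourceGroup, GrantCount, Disks
```

Schedule it as an analytics rule with a query period matching the lookback, and map Caller and SourceIPs to Account and IP entities so the resulting incident carries the context the deck calls for.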