Azure-Sentinel/Solutions/MicrosoftInsiderRiskManagement
v-jayakal 6ae298a60f
Merge pull request #3658 from Azure/Solution-Image-Updates
ReadMe Image Updates
2021-12-09 21:52:17 -08:00

readme.md

Overview

The Microsoft Sentinel: Insider Risk Management Solution demonstrates the “better together” story between Microsoft 365 Insider Risk Management and Microsoft Sentinel. The solution includes (1) Workbook, (5) Hunting Queries, (5) Analytics Rules, (1) Playbook, and (1) Data Connector. Insider risk management helps minimize internal risks by enabling you to detect, investigate, and act on malicious and inadvertent activities in your organization. Insider risk policies allow you to define the types of risks to identify and detect in your organization and to act on cases, including escalating them to Microsoft Advanced eDiscovery. Risk analysts in your organization can quickly take appropriate actions to make sure users are compliant with your organization's compliance standards. Insider risks come in various forms, both witting (intentional) and unwitting (unintentional). This workbook provides an automated visualization of insider risk behavior cross-walked to Microsoft security offerings. The solution is enhanced when integrated with complementary Microsoft offerings such as 💡 Microsoft 365 Insider Risk Management, 💡 Communications Compliance, 💡 Microsoft Information Protection, 💡 Advanced eDiscovery, and 💡 Microsoft Sentinel Notebooks. The workbook enables Insider Risk Teams, SecOps Analysts, and MSSPs to gain situational awareness for insider risk management, UEBA, device indicators, physical access, and HR signals. It is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, and visualizations. For more information, see 💡 Microsoft 365 Insider Risk Management.

Try on Portal

You can deploy the solution by clicking on the buttons below:

Workbook Overview

Getting Started

  1. Onboard Microsoft Sentinel and Microsoft 365 Insider Risk Management
  2. Enable the Microsoft 365 Insider Risk Management Export alerts feature
  3. Enable the Microsoft Sentinel IRM Connector Preview via feature flag
  4. Enable the Microsoft Sentinel IRM Connector: navigate to Microsoft Sentinel > Connectors > Microsoft 365 Insider Risk Management (Preview) > Open Connector Page > Connect
  5. Enable Microsoft Sentinel UEBA
  6. Configure a Microsoft Sentinel Watchlist via SearchKey Columns
  7. This workbook leverages 25+ Microsoft Security products. Only Microsoft Sentinel and Microsoft 365 Insider Risk Management are mandatory for this content, but Microsoft 365 Communications Compliance, Advanced eDiscovery, Microsoft Information Protection, Azure Security Center, Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft 365 Defender, Microsoft Defender for Office, Azure Lighthouse, Azure Active Directory, and many more offerings enhance this workbook with alignment to insider risk management.

Workbook

The Microsoft Insider Risk Management Workbook integrates telemetry from 25+ Microsoft security products to provide actionable insights into insider risk management. Reporting tools provide “Go to Alert” links to provide deeper integration between products and a simplified user experience for exploring alerts. A filter set provides custom reporting for Guide, Subscription, Workspace, and Time. The workbook can be exported as a PDF or print report via the Print Workbooks feature. Content sections include Overviews, Insider Risk Management, Watchlist, and User Forensics. The Overview tab provides recommendations for building insider risk program architectures. The Insider Risk tab provides alert reporting by both insider risk scenarios such as Sensitive Data Leaks, Security Violations, and MITRE ATT&CK tactics. The Watchlist tab provides filtering by Microsoft Sentinel Watchlists and the User Forensics tab collects logging telemetry by user. The user experience includes designing insider risk management architectures and streamlining telemetry from all users > watchlist > specific users while transitioning to M365 Insider Risk Management to investigate/resolve activity of interest.

Analytics Rules

1) High User Security Alert Correlations

This alert joins SecurityAlerts from Microsoft products with SecurityIncidents from Microsoft Sentinel and Microsoft 365 Defender. The join allows patterns in user principal names associated with the respective security alerts to be identified. A machine learning function (Basket) is leveraged with a .001 threshold. Basket finds all frequent patterns of discrete attributes (dimensions) in the data and returns the frequent patterns that pass the frequency threshold. This query evaluates UserPrincipalName for patterns across SecurityAlerts and reporting security tools. The query can be further tuned for higher confidence percentages, specific security products, or alert severities depending on the needs of the organization. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information on the basket plugin, see basket plugin.

2) High User Security Incidents Correlations

This alert joins SecurityAlerts to SecurityIncidents to associate Security Alerts and Incidents with user accounts. This aligns all Microsoft Alerting Products (MCAS, MDE, ASC, etc.) with Microsoft Incident Generating Products (Microsoft Sentinel, M365 Defender) for a count of user security incidents over time. The default threshold is 5 security incidents, and this is customizable per the organization's requirements. Results include UserPrincipalName (UPN), SecurityIncident, LastIncident, ProductName, LastObservedTime, and Previous Incidents. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Investigate incidents with Microsoft Sentinel.
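The alert-to-incident join that rules 1 and 2 both rest on, written out as an added KQL illustration. This is not the solution's packaged rule (those live in the Analytic Rules folder); it assumes the standard SecurityAlert and SecurityIncident schemas, that account entities carry Name and UPNSuffix, and a watchlist whose name is a placeholder:

```kusto
// Added illustration of the alert-to-incident correlation behind rules 1 and 2.
// Not the solution's packaged rule. Assumes the standard SecurityAlert and
// SecurityIncident schemas, that account entities carry Name and UPNSuffix, and a
// watchlist whose name below is a placeholder.
let lookback = 14d;
let IncidentThreshold = 5;              // default threshold named in the rule description
// Users in scope, taken from a watchlist keyed on UPN (placeholder name; remove the
// watchlist join further down to evaluate all users)
let WatchlistUsers = _GetWatchlist('<IRM-Watchlist-Name>')
    | project SearchKey = tolower(SearchKey);
// 1. Extract the user principal name from each alert's account entity
let UserAlerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | mv-expand Entity = todynamic(Entities)
    | where tostring(Entity.Type) == "account" and isnotempty(Entity.UPNSuffix)
    | extend UserPrincipalName = tolower(strcat(Entity.Name, "@", Entity.UPNSuffix))
    | project SystemAlertId, AlertName, ProductName, AlertSeverity, AlertLink,
              AlertTime = TimeGenerated, UserPrincipalName;
// 2. Keep the latest revision of each incident and unpack its alert ids, one per row
let IncidentAlerts = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber
    | mv-expand AlertIds
    | extend SystemAlertId = tostring(AlertIds)
    | project IncidentNumber, Title, Severity, Status, ProviderName, IncidentUrl,
              IncidentTime = CreatedTime, SystemAlertId;
// 3. Join alerts to incidents through the alert id, scope to the watchlist, and
//    count distinct incidents per user over the window
UserAlerts
| join kind=inner IncidentAlerts on SystemAlertId
| join kind=inner WatchlistUsers on $left.UserPrincipalName == $right.SearchKey
| summarize
    SecurityIncidents = dcount(IncidentNumber),
    arg_max(IncidentTime, Title, IncidentUrl),     // most recent incident's title and link
    ProductName = make_set(ProductName),
    PreviousIncidents = make_set(IncidentNumber)
    by UserPrincipalName
| where SecurityIncidents >= IncidentThreshold
| project UserPrincipalName, SecurityIncidents, LastIncident = Title,
          LastObservedTime = IncidentTime, IncidentUrl, ProductName, PreviousIncidents
| order by SecurityIncidents desc
```

The final `summarize` is the rule 2 shape (count of incidents per user against the threshold of 5). The rule 1 shape keeps the same two `let` blocks and the joins but replaces everything from `summarize` onward with `| project UserPrincipalName, ProductName, AlertName, ProviderName | evaluate basket(0.001)`, so that basket mines which user/product/alert combinations recur rather than counting incidents.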

3) Microsoft 365 Insider Risk Management Alert Observed

This alert is triggered when a Microsoft 365 Insider Risk Management alert is received in Microsoft Sentinel via the Microsoft 365 Insider Risk Management Connector. The alert extracts usernames from security alerts to provide UserPrincipalName, Alert Name, Reporting Product Name, Status, Alert Link, Previous Alerts Links, and Time Generated. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Learn about insider risk management in Microsoft 365.

4) Sensitive Data Access Outside Organizational Geo-location

This alert joins Azure Information Protection logs (InformationProtectionLogs_CL) with Azure Active Directory sign-in logs (SigninLogs) to correlate sensitive data access with sign-in geo-location. Results include User Principal Name, Label Name, Activity, City, State, Country/Region, and Time Generated. The recommended configuration is to include (or exclude) sign-in geo-locations (City, State, Country and/or Region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review. For more information, see Sign-in logs in Azure Active Directory: Location Filtering.
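The geo-location correlation described above, as an added KQL illustration rather than the solution's packaged rule. It assumes the Azure Information Protection custom log columns UserId_s, LabelName_s and Activity_s, the standard SigninLogs columns, and a constructed allowlist of trusted countries/regions:

```kusto
// Added illustration of the geo-location correlation in rule 4; not the solution's
// packaged rule. Assumes the Azure Information Protection custom log columns
// (UserId_s, LabelName_s, Activity_s) and standard SigninLogs columns. The trusted
// location values are constructed placeholders.
let lookback = 1d;
let TrustedCountries = dynamic(["US"]);          // allowlist of organizational countries/regions
// Label-bearing activity from Azure Information Protection, keyed on the user
let SensitiveAccess = InformationProtectionLogs_CL
    | where TimeGenerated > ago(lookback)
    | where isnotempty(LabelName_s) and isnotempty(UserId_s)
    | project AccessTime = TimeGenerated, UserPrincipalName = tolower(UserId_s),
              LabelName = LabelName_s, Activity = Activity_s;
// Successful sign-ins with the nested location object flattened to columns
let SignIns = SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"
    | extend City = tostring(LocationDetails.city),
             State = tostring(LocationDetails.state),
             CountryOrRegion = tostring(LocationDetails.countryOrRegion)
    | project SignInTime = TimeGenerated, UserPrincipalName = tolower(UserPrincipalName),
              City, State, CountryOrRegion, IPAddress;
SensitiveAccess
| join kind=inner SignIns on UserPrincipalName
| where SignInTime <= AccessTime                  // only sign-ins that precede the access
// keep the nearest preceding sign-in for each access event
| summarize arg_max(SignInTime, *) by UserPrincipalName, AccessTime, LabelName, Activity
// exclude trusted locations; swap !in for in to report trusted locations instead
| where CountryOrRegion !in (TrustedCountries)
| project TimeGenerated = AccessTime, UserPrincipalName, LabelName, Activity,
          City, State, CountryOrRegion, IPAddress, SignInTime
| order by TimeGenerated desc
```

City and State are projected alongside CountryOrRegion so the final filter can be tightened to any of the three levels the rule description mentions; a `_GetWatchlist()` lookup can replace the inline `dynamic` list when the trusted locations are maintained as a watchlist.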

5) Risky User Access By Application

This alert evaluates Azure Active Directory sign-in risk via machine learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01; the percentage rates are optionally configurable. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Tutorial: Use risk detections for user sign-ins to trigger Azure AD Multi-Factor Authentication or password changes.
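How the basket plugin surfaces risky user-to-application patterns from SigninLogs, as an added KQL illustration rather than the solution's packaged rule. It uses standard SigninLogs columns and the .01 threshold given above:

```kusto
// Added illustration of the basket plugin on sign-in risk (rule 5); not the solution's
// packaged rule. Uses standard SigninLogs columns; the 0.01 threshold is the default
// named in the rule description.
let lookback = 7d;
SigninLogs
| where TimeGenerated > ago(lookback)
// keep only sign-ins Azure AD Identity Protection scored as risky
| where RiskLevelDuringSignIn in ("medium", "high") or RiskLevelAggregated in ("medium", "high")
// basket works on discrete attributes, so project just the dimensions to mine
| project UserPrincipalName = tolower(UserPrincipalName), AppDisplayName,
          RiskLevelDuringSignIn, RiskState
// basket returns attribute combinations whose share of the input rows is at least the
// threshold; a null in an attribute column means "any value" for that dimension
| evaluate basket(0.01)
| where isnotempty(UserPrincipalName) and isnotempty(AppDisplayName)   // keep user+app patterns
| project UserPrincipalName, AppDisplayName, RiskLevelDuringSignIn, RiskState, Count, Percent
| order by Percent desc
```

Raising the threshold yields fewer, stronger patterns; lowering it admits rarer combinations at the cost of noise. The trailing `where` discards the wildcard rows basket emits for single dimensions so that only the user-to-application pairs the rule is interested in remain.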

Hunting Queries

1) Entity Anomaly Followed by IRM Alert

This query joins Microsoft Sentinel UEBA with Microsoft 365 Insider Risk Management Alerts. There is also an option for configuration of correlations against watchlists. For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.

2) Internet Service Provider Anomaly followed by Data Exfiltration

This query joins UEBA to Security Alerts from Microsoft products for a correlation of Internet Service Provider anomalies to data exfiltration (watchlist options). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.

3) Multiple Entity-Based Anomalies

This query returns entity counts by anomaly and user principal name including ranges for start/end time observed (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.

4) Possible Sabotage

This query correlates users with entity anomalies, security alerts, and delete/remove actions for identification of possible sabotage activities (watchlists configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.

5) Sign In Risk Followed By Sensitive Data Access

This query correlates risky user sign-ins with access to sensitive data classified by data loss prevention capabilities (watchlist configurable). For more information, see https://docs.microsoft.com/azure/sentinel/watchlists.

Playbook

This solution includes the Notify-Insider Risk Management Team playbook. Playbooks are a Security Orchestration, Automation, & Response (SOAR) capability to automate manual tasks. This playbook should be configured as an automation action on the Insider Risk Management analytics rules. When an analytics rule triggers, the playbook captures the respective details and both emails the Insider Risk Management team and posts a message to a Teams chat. This automation shortens response times while reducing the need to return to the workbook for monitoring.