Moving to the cloud and a mobile workforce means your data, users, and systems are everywhere. Meanwhile, attacks are growing in both frequency and sophistication, and with more and more people working from home, the security risk has risen significantly.
Azure Sentinel enables you to collect data, detect threats, investigate incidents and alerts, and rapidly respond to those cyber security threats and alerts.
One of my customers wanted their SOC Team to know immediately when a critical alert appeared in the dashboard within Sentinel. Instead of receiving an email alert or ServiceNow Ticket or Teams message, they wanted to receive a text message in case this critical alert was out of hours. But what do you class as critical? A successful RDP Brute Force Attempt? A SQL Injection? DDoS? DNS Flooding? Malware Installation? MFA disabled for a user?
To first establish a successful cyber security framework for your SIEM (Sentinel), you need to understand the CIA Triad.
The CIA Triad is a set of security principles: confidentiality, integrity and availability.
- Confidentiality is the promise that data is not unveiled to unauthorized users, applications or processes.
- Integrity means that the systems and data remain accurate, complete and protected from unauthorized modification.
- Availability states that systems, applications and data must be available to users without impacting their productivity.
Once we establish which business applications and infrastructure are the most critical to be alerted on, we put the plan together to set up our incident-based alerting around those services on Azure Sentinel.
As a demonstration, I will be using an existing alert which captures any user doing multiple RDP hops between virtual machines, which would suggest lateral movement (a MITRE ATT&CK tactic). (FYI: this is only for the demonstration; I wouldn't normally class this attack vector as critical.)
First, some pre-requisites:
- Sentinel (already set up and configured)
- Twilio Account (already set up and configured)
Let's assume you already have everything set up in Twilio and Sentinel apart from the playbook. Let's go ahead and create the playbook.
First we need to create the playbook. Navigate to your Sentinel dashboard and underneath the Configuration pane click “Playbooks”, then click “Add Playbook”.
Once our playbook is created, we need to configure it so that when an alert is triggered in Azure Sentinel it “does something.”
If we click the “+” in the designer, we now need to add an action.
Let’s search for Twilio and click “Send a Text Message.”
Create the connection with your Twilio account's API key and authorization code, then set up the parameters.
So below I want my text message to contain the Start Time, the Entities (this has a lot of useful information), the Severity and the Alert Display Name (I know I could have organized this better!).
I then populated my American Twilio number and my own personal number (blocked out on purpose).
Once you have set this up and configured it for an alert you wish to test, simply trigger the playbook manually or wait for the magic to happen. You should then receive a text message, as seen below.
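As an added example (not the author's playbook or Microsoft's or Twilio's code), here is the same triage logic in Python: decide whether an alert is "critical" and out of hours, build a text from the fields used above (Start Time, Entities, Severity, Alert Display Name), and keep it within Twilio's body limit. The severity threshold, office hours and the sample alert are assumptions constructed for the example.

```python
"""Decide whether a Sentinel alert warrants an SMS and build the message body."""
import base64
import urllib.parse
import urllib.request
from datetime import datetime

# Constructed sample alert shaped like the playbook fields above; not a real Sentinel export.
SAMPLE_ALERT = {
    "AlertDisplayName": "Multiple RDP hops between virtual machines",
    "Severity": "High",
    "StartTimeUtc": "2020-05-12T02:17:43Z",
    "Entities": [
        {"Type": "account", "Name": "jdoe"},
        {"Type": "host", "HostName": "vm-web-01"},
        {"Type": "host", "HostName": "vm-db-01"},
    ],
}

SMS_WORTHY = {"High"}          # assumption: only High severity counts as "critical"
OFFICE_HOURS = range(8, 18)    # assumption: SOC is staffed 08:00-17:59 UTC on weekdays
SMS_MAX_CHARS = 1600           # Twilio's per-message body limit

def is_out_of_hours(start_time_utc: str) -> bool:
    """True when the alert started outside staffed hours (weekend or night)."""
    t = datetime.fromisoformat(start_time_utc.replace("Z", "+00:00"))
    return t.weekday() >= 5 or t.hour not in OFFICE_HOURS

def should_text(alert: dict) -> bool:
    """Only critical alerts raised out of hours page the on-call phone."""
    return alert["Severity"] in SMS_WORTHY and is_out_of_hours(alert["StartTimeUtc"])

def summarise_entities(entities: list) -> str:
    """Entities carry a lot of data; keep only a name per entity so the SMS stays short."""
    return ", ".join(e.get("Name") or e.get("HostName") or e.get("Type", "?") for e in entities)

def build_sms(alert: dict) -> str:
    body = (f"[{alert['Severity']}] {alert['AlertDisplayName']} | "
            f"start {alert['StartTimeUtc']} | entities: {summarise_entities(alert['Entities'])}")
    return body[:SMS_MAX_CHARS]

def send_via_twilio(account_sid: str, auth_token: str, from_num: str, to_num: str, body: str) -> int:
    """POST to Twilio's Messages REST endpoint (same action the playbook's connector performs)."""
    url = f"https://api.twilio.com/2010-04-01/Accounts/{account_sid}/Messages.json"
    data = urllib.parse.urlencode({"To": to_num, "From": from_num, "Body": body}).encode()
    req = urllib.request.Request(url, data=data)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode())
    with urllib.request.urlopen(req, timeout=10) as resp:   # raises on non-2xx
        return resp.status
```

Run with real `account_sid`/`auth_token`/numbers only when `should_text(alert)` is true; the Logic App in the article does this step for you.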
New Signature has the expertise and services you need to get ahead of threats. Connect with us to learn more.
About the Author
Craig Fretwell is a New Signature Azure Solutions Architect located in our United Kingdom region. He’s spent the last 12 years focusing on helping customers overcome challenges with cloud-based solutions. His primary focus is on architecting and designing cloud and hybrid solutions in Azure. He loves to troubleshoot problems he’s faced and write about those challenges to help others find success.