Microsoft Sentinel for more efficient and fewer security alerts

Microsoft 365 Defender, Identity Protection and Microsoft Sentinel create an avalanche of security incidents that require attention. In this article, I provide an overview of what tools are at your disposal, which incidents are useful, and how you can make Microsoft Sentinel reduce notifications.

Management of security incidents on one screen

Today’s security systems are not perfect. They generate many false positive reports, which should be investigated to verify that they are actually malicious. Some incidents are more useful than others, complicating your work.

When you’re just starting out, it’s hard to get an overview. There are so many different portals and screens. Most importantly, know how to see an overview of all open security incidents in your environment. There are two options for this: Microsoft 365 Defender and Microsoft Sentinel.

Microsoft 365 Defender

Microsoft 365 Defender is Microsoft’s XDR (Extended Detection and Response) tool that monitors the following elements in your environment:

• Email and file collaboration tools (Exchange, SharePoint, Teams and OneDrive)
• Cloud applications such as Dropbox and Google Drive
• Antivirus and Endpoint Detection and Response (EDR).
• On-premises Active Directory (AD)
• Cloud identities and their logins

In the Microsoft 365 Defender portal, you can navigate to the Incidents panel to see all active security incidents in your environment.

Microsoft Sentinel

When using Microsoft 365 Defender, you are limited to the incidents and data sources provided by Microsoft. If you want to go further, you need to deploy Microsoft Sentinel.

Microsoft Sentinel is a cloud-based security information and event management (SIEM) product from Microsoft. It is built on top of Microsoft Azure.

In the SIEM, you can add custom data sources such as ERP systems, network logs and more. Microsoft Sentinel is a completely open system, which means it is possible to customize all detections and build custom integrations.

Microsoft Sentinel versus Defender

Choosing between Sentinel and Defender is important because you have to choose what you will use as your only framework.

Defender offers simplicity for smaller organizations that do not have a large security team. Microsoft Sentinel adds more complexity, but allows for more customization, data sources and custom integrations, which is great for larger organizations with larger teams.

Quality of incidents

Not all incidents are equal; some are more useful than others. And it’s important to get your priorities straight. There are only 24 hours in a day, and it is impossible to examine every single alert. Therefore, it is important to prioritize some of the standard notifications over others.

Avoiding false positives

A good example is the “unknown login” alert, which is generated when a user makes a suspicious login from a previously unknown device or location. While this sounds great in theory, the alarm generates false positives when users travel or use a VPN service. This type of incident is not as useful as incidents generated by Microsoft Defender for Endpoint, the AV and EDR product.

Incidents from Microsoft Defender for Endpoint have much higher reliability, which means they should be given higher priority. These types of incidents will indicate malicious activity on endpoints (laptops, desktops and mobile devices) and servers.

Almost all incidents will generate false positives at some point. It is important then to adapt them as much as possible. Most built-in detections allow you to add exceptions to ensure you don’t receive the same incident over and over again. Your security tool should continuously evolve to avoid such false positives. By doing this work, you avoid repeated examinations.

Automation for profit

To minimize average response time (the time it takes to take action on an incident, such as resetting a password), automation is essential. Automation helps us in two different scenarios: enrichment and automated actions.

Enrichment of incidents

Enrichment is the process of adding as much context to the incident as possible, including:

• User information.
• Information about their previous and current activity.
• Information about the indicators (IP addresses, file hashes, etc.) is not available.
• And much more.

Through enrichment, a Security Operations Center (SOC) analyst has all the information in one place and can quickly understand the full scope of the incident.

Automated actions

Automated actions aim to minimize the time it takes to perform recovery actions. Examples of these actions include resetting a user password or isolating a host. By automating actions, we ensure that they happen in a predefined flow, and they can be automated to remove dependence on a SOC analyst.

How Microsoft 365 Defender and Microsoft Sentinel can reduce notifications

Although both Microsoft 365 Defender and Microsoft Sentinel offer many built-in detections, both products allow you to add custom rules.

Custom rules

Adding custom rules is important to monitor specific threats in your environment. A system like Defender for Endpoint is shared across thousands of customers. When a new detection is added, Microsoft must validate it for all these customers.

We have the advantage that detection should only fit in our own environment. By creating a custom detection rule, we can create our own exclusions and exclude expected behavior.

Let’s take the example of an administrator disabling 50 user accounts at once. This is suspicious activity that we want to monitor. However, there may be a background process in your environment that clears inactive accounts. This means that the incident will generate many false positives.

By building the use case ourselves, we can add our own exclusions to ensure we receive only the incidents we want to see.

Kusto Query Language

Building custom detections in both products is done in KQL. KQL stands for Kusto Query Language, and it is a query language often compared to SQL. KQL allows you to retrieve data from the huge data sets that Defender and Sentinel collect.

KQL is an important language to master because it can perform statistical functions on your data to identify outliers. Although most of the data found in KQL is also available in the portal, retrieving the data with KQL will be much faster once you learn the language.

Reduce the time it takes to identify malicious behavior
Microsoft 365 Defender and Microsoft Sentinel are products with a steep learning curve. They are both complex and capable, but it takes time to master them. If you are serious about security, it is important to spend time on the stack and learn what incidents are generated.

Incidents should be thoroughly investigated, and their output used to improve detection. By continuously improving detections, you reduce the time it takes to identify malicious behavior.