Down in The Weeds, Up in The Cloud: Security: Azure, Microsoft 365 and All Things Security, With Splunk!


© 2020 SPLUNK INC.


Down In the Weeds, Up In the Cloud: Security
Azure, Microsoft 365 and all things Security, with Splunk!
socially-distant edition!
Ryan Lait
Senior Sales Engineer | Splunk
Forward-Looking Statements

During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.

In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.

Splunk, Splunk>, Data-to-Everything, D2E and Turn Data Into Doing are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved

Ryan Lait
Senior Sales Engineer | Splunk
• Former cyber security analyst and Splunk customer
• Likes: Obstacle course racing, home automation
• Dislikes: Pie Charts

Agenda
1. Microsoft 365: What’s new and interesting?
2. Microsoft Teams: Call Record data and other juicy security data
3. Microsoft Azure: What’s the latest?
4. Microsoft Azure: No more hating NSG flow logs!
5. Appendix: Download the slides for this!
(Stay safe and wash your hands)

Firstly..
conf.splunk.com

Secondly…
A Word About Azure Active Directory
Identity and Access Management (IAM)
(Diagram: User, AAD IAM, AAD IAM, AAD IAM)

An Admin Center for All Occasions!
Data Silos:
• Office / Microsoft 365
• Azure Active Directory
• Message Center
• Exchange Admin Center
• Security & Compliance
• Reports
• Teams Admin Center
• SharePoint Admin Center

Microsoft 365
App for Splunk
splunkbase.splunk.com/app/3786

• M365 Service Status


• Azure Active Directory
• Exchange Online
• OneDrive
• SharePoint
• Microsoft Teams
• PowerBI
• Security & Compliance Center

Microsoft Teams

Microsoft Teams: The Sentinel Way…
1. Create app registration
2. Register API subscription
3. Deploy logic app
4. Parse data
5. Write query
5.1 Understand query
5.2 Write another query…

Microsoft Teams: The Splunk way
• External users added
• Short-lived external accounts
• Bot & Connector activity
• Team ownership activity
• Team deletions and modifications
• Aligned to Mitre ATT&CK!

Microsoft Teams: Call Record Forensics
• External user calls
• Device analysis
• Participant locations
• User-based analysis of activity

Microsoft Azure

Don’t Forget!
conf.splunk.com

Pre-Built Add-ons for Microsoft Azure

Splunk Supported: Splunk Add-on for Microsoft Cloud Services (splunkbase.splunk.com/app/3110/)
• Azure Storage Table
• Azure Storage Blob
• Azure Audit
• Azure Resource

Community Supported: Microsoft Azure Add-on for Splunk (splunkbase.splunk.com/app/3757/)
• Azure AD Sign-Ins
• Azure AD Users
• Azure AD Audit
• Azure Event Hub
• Azure Metrics
• Azure Security Center
• Azure Subscriptions
• Azure Resource Groups
• Azure Virtual Network
• Azure Compute
• Azure Billing & Consumption
• Azure Reservation Recommendation
• Azure Resource Graph
• Azure Topology

Azure AD App Registration Permission Configuration

Granular permission requirements for each input

https://docs.google.com/spreadsheets/d/1zI8gGlEJ1KOKdGYSrYahigYJzrShTssmKtylf6d9y9U

Azure NSG Flow Logs
How customers currently Splunk NSG flow logs
1. Configure NSG logging
2. Send flow logs to Azure Storage Blob
3. Configure MS Cloud Services Add-on to ingest storage blob data
4. Use complex props/transforms to pull apart flow tuples

Azure NSG Flow Logs
How you SHOULD Splunk NSG flow logs!
1. Configure NSG logging
2. Send flow logs to Azure Storage Blob
3. Deploy Azure function app - 1 click via GitHub >
4. Send to Azure Event Hub or directly to Splunk using HEC
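As an added example (not code from the deck, the function app, or either Splunk add-on), this is the tuple-splitting that step 4 of the "current" approach pushes into props/transforms, done in Python on a constructed version-2 NSG flow log record. The field order follows the documented NSG flow tuple layout; the rule names, MAC, addresses and timestamps are made up.

```python
from collections import Counter

# Constructed sample shaped like an Azure NSG flow log (version 2) record;
# all addresses, rule names, MAC and timestamps are made up for illustration.
SAMPLE_RECORD = {
    "category": "NetworkSecurityGroupFlowEvent",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF8B7C1", "flowTuples": [
            "1598954400,203.0.113.9,10.0.0.4,51234,3389,T,I,D,B,,,,",
            "1598954401,203.0.113.9,10.0.0.4,51235,22,T,I,D,B,,,,",
            "1598954402,198.51.100.7,10.0.0.4,40000,445,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF8B7C1", "flowTuples": [
            "1598954405,10.0.0.4,13.67.143.118,43188,443,T,O,A,E,7,5740,8,3240"]}]},
    ]},
}

# Field order of a version-2 flow tuple; a version-1 tuple stops after "decision".
FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "protocol",
          "direction", "decision", "state", "pkts_s2d", "bytes_s2d",
          "pkts_d2s", "bytes_d2s"]
COUNTERS = ("src_port", "dst_port", "pkts_s2d", "bytes_s2d", "pkts_d2s", "bytes_d2s")


def parse_tuple(tuple_str, rule, mac):
    """Split one comma-separated flow tuple into a dict and decode the one-letter codes."""
    flow = dict(zip(FIELDS, tuple_str.split(",")))
    flow["protocol"] = {"T": "TCP", "U": "UDP"}.get(flow["protocol"], flow["protocol"])
    flow["direction"] = {"I": "inbound", "O": "outbound"}[flow["direction"]]
    flow["decision"] = {"A": "allow", "D": "deny"}[flow["decision"]]
    for key in COUNTERS:
        # Byte/packet counters are empty on flow-begin (state B) tuples and absent in v1.
        flow[key] = int(flow[key]) if flow.get(key) else 0
    flow["rule"], flow["mac"] = rule, mac
    return flow


def parse_record(record):
    """Flatten one record into one event per flow tuple, as a Splunk-side transform would."""
    return [parse_tuple(t, rule_block["rule"], nic["mac"])
            for rule_block in record["properties"]["flows"]
            for nic in rule_block["flows"]
            for t in nic["flowTuples"]]


def denied_inbound_by_source(flows):
    """Count denied inbound flows per source IP: a first-pass view of who is probing the NSG."""
    return Counter(f["src_ip"] for f in flows
                   if f["direction"] == "inbound" and f["decision"] == "deny")
```

Run `denied_inbound_by_source(parse_record(SAMPLE_RECORD))` to get the per-source deny counts; once the flattened events are in Splunk, the same grouping is a one-line `stats count by src_ip`.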

Microsoft Azure
App for Splunk
splunkbase.splunk.com/app/4882

• User auditing
• Subscription tracking
• Resource monitoring
• Performance metrics
• Security Center insights
• Billing & usage analytics
• Data onboarding guides

Please provide feedback via the SESSION SURVEY

Appendix

Microsoft 365

Connecting the Dots
3 simple steps to be up and running in a matter of minutes
1. Azure AD App Registration: Give Splunk permission to access M365 API
2. Splunk Add-on for Microsoft 365: GUI wizard to collect data from M365
3. Microsoft 365 App for Splunk: Dashboards & Pre-built Splunk content

Azure Active Directory
• Geo-based login tracking
• Login failure details
• Suspicious login activity
• Non-existent account login attempts

User Audit
Track user activity across multiple workloads in an instant

Exchange Online
Audit Activity logs
• Mailbox Logins
• Exchange operation activity
• Mailbox permission changes
• On-Prem to M365 mailbox migrations
• Bot and Connector details

Note
• M365 Add-on does not ingest message tracking logs
• These are ingested separately using Microsoft Office 365 Reporting Add-on for Splunk

SharePoint Online
Audit Activity logs
• Active users
• Site creations
• Top sites / pages
• Access activity
• Item audit
• Geographical access

OneDrive
Audit Activity logs
• Active users
• Data transfer volumes
• Geo-based activity
• Duplicate file uploads
• Items shared with external users

Microsoft Teams
Usage, Adoption, Auditing
• Active users
• Team creations / edits
• External user activity
• Device type info
• Bot and Connector details
• Meeting and call data
• Chat message details

PowerBI
Audit Activity logs
• Active users
• Dashboard activity
• Dataset activity
• Dataset creations
• Externally shared reports

Getting Started
• Full step-by-step documentation
• Creating an Azure App registration
• Configuring the Splunk Add-on for Microsoft 365

Go mobile!
Splunk Mobile + SplunkTV

Microsoft Azure


Splunk Add-on for Microsoft Cloud Services (Splunk Supported)
https://splunkbase.splunk.com/app/3110/
Inputs (4)

Azure Storage Table
Structured NoSQL data storage location for large data sets. Native logging output for Azure resource monitoring. Not S3 compliant.
• Windows Event Logs
• Performance Counters
• Infrastructure Diag Logs

Azure Storage Blob
Binary Large OBject storage for large unstructured data. Native logging destination for NSG Flow logs (firewall logs).
• NSG Flow logs
• Custom app logging

Azure Audit
Management / Control Plane Audit Events.
• Azure Portal Logins
• Resource Modifications
• Subscription Activity
• CRUD activities

Azure Resource
Stateful resource events.
• Virtual Machine (State: Powered On)
• Virtual Network (Provisioning State: Succeeded)
• Network Interface Card (enable IP Forwarding: False)
• Public IP Address (Allocation Method: Dynamic)

Microsoft Azure Add-on for Splunk (Community Supported)
https://splunkbase.splunk.com/app/3757/
Inputs (15)

Azure AD Sign-Ins
Tenant-level authentication data. Captures detailed auth events across all MS cloud environments: Azure, M365, etc. MFA Details, interactive logins, locations, user agents, etc.

Azure AD Users
Stateful list of Azure AD users and AD attributes. AD Attributes including applied licences, status. Useful for ES identity framework!

Azure AD Audit
Azure AD specific audit activities. CRUD-type events for users and groups. Device enrolments, user creations, etc.

Azure Event Hub
Subscribe to an event hub stream of information. Scalable method to collect data from multiple subscriptions, resources. Native configuration options in Azure to send data like the above directly to an Event Hub and into Splunk!

Microsoft Azure Add-on for Splunk (Community Supported)
https://splunkbase.splunk.com/app/3757/
Inputs (15)

Azure Metrics
Performance and availability metrics of almost everything in Azure. Hundreds of metrics available with a simple input configuration. Performance metrics of Azure PaaS services.

Azure Security Center
Alerts, Tasks and recommendation events from Azure Security Center. Alerts for suspicious activity on a VM, storage account, etc. Tasks to suggest proactive changes to increase security posture. Useful to correlate with other events already in Splunk. Don’t reinvent the wheel!

Azure Subscriptions
List of active subscriptions inside the specified tenant. A customer can have 1, dozens, even hundreds of subscriptions. Useful to track activities across subscriptions, billing info, new, old, unused subscriptions etc.

Azure Resource Groups
Stateful list of provisioned resource groups in the specified subscription. Provides overview of Resource Group Name, availability zone, etc.

Microsoft Azure Add-on for Splunk (Community Supported)
https://splunkbase.splunk.com/app/3757/
Inputs (15)

Azure Virtual Network
Stateful list of provisioned virtual networks in the specified subscription. Provides overview of vnet name, availability zone, network details, IP configurations, vnet peering etc. Details DDoS protection and VM protection details.

Azure Compute
Stateful compute object events.
• VM: OS, storage. No power state!
• Disk: Size, IOPS, state (attached)
• Image: OS image details
• Snapshot: Disk snapshot details
• VM Instance View: Power state, Agent status, OS details

Azure Billing & Consumption
Details billing charges for individual resources and services. Meter details and costs incurred. Does not include any post-billing discounts (MSP arrangements, MEA’s etc.). Billing periods to align billing cycles.

Azure Reservation Recommendation
Recommendation events to optimise and lower Azure running costs. Cost of running a standard VM as compared to running it as a reserved instance. Shows cost savings and benefits.

Microsoft Azure Add-on for Splunk (Community Supported)
https://splunkbase.splunk.com/app/3757/
Inputs (15)

Azure Resource Graph
• Run queries from a Splunk input to access properties returned by resource without needing to make individual calls to each resource provider.
• Advisories
• Alerts
• Azure platform health
• Maintenance
• Resource
• Security

Azure Topology (auto) / Azure Topology (manual)
Correlated resource details to align resources in a hierarchical fashion. E.g., a VM inside a resource group, with details of its assigned vnet, storage account, NSG, OS Disk, etc.

Permission Configuration
1 single App Registration for all permissions

API Permissions IAM Roles
