Connecting Cloud to On-premises Networks

While Microsoft Sentinel is best known for its SIEM (Security information and event management) capabilities, it also boasts some SOAR (Security orchestration, automation and response) capabilities that will let you spend less time executing manual actions.

In the previous articles, we focused on using Microsoft Sentinel’s SIEM capabilities to ingest networking data and create incident alerts. This final chapter will explain how to use Microsoft Sentinel’s SOAR capabilities to build automation on top of networking data.

We will focus on three techniques to add automation on top of networking data:

  • Enrichments
  • Automated actions
  • Threat intelligence integrations

Enrichments

When I refer to enrichments, I mean using Microsoft Sentinel to provide additional context to an alert or incident. As a SOC analyst, having context is crucial. By efficiently adding context to an incident, the SOC analyst can investigate it more easily, reducing the amount of manual work required. The amount of additional context you can apply will depend on the product you are integrating with. Some third-party integrations only support adding context about a specific entity in the scope of the environment, while others can provide a broader context.

An example of adding context for a specific entity is a FortiGate template playbook that uses API integration to enrich incidents about a specific IP address by providing information from the firewall about the address group tied to the IP address. This highlights the benefits of data enrichment. Modern firewalls like Meraki, Palo Alto, and FortiGate support API integrations, enabling effective interaction with playbooks. An example that provides broader context is retrieving a PCAP file that contains network traffic data for the time period surrounding a specific incident. A PCAP file contains details on all network packets that were captured during the event. By using automation to add relevant context on the fly instead of ingesting all networking events, we avoid increasing our ingestion cost while still allowing a SOC analyst to have all of the information available within the SIEM.

The Microsoft Sentinel GitHub repository contains many example templates for networking enrichment, including templates for Meraki, Cisco Umbrella, Zscaler, and Palo Alto.

Automated Actions

While enrichments allow us to add context to an incident, automated actions allow us to run custom actions from Sentinel that affect networking equipment.

One example of an automated action is isolating devices exhibiting suspicious activity. Typically, isolating a device within the Microsoft Security ecosystem is done using the native integration from Defender XDR, which works well for onboarded Microsoft Defender for Endpoint devices, but doesn’t work that well for non-onboarded devices, preventing Defender XDR from completely blocking a device on the network. This is where integrating Microsoft Sentinel into your firewall or Network Access Control (NAC) comes in, allowing you to run an automated action. Through this integration, we can ensure that a potentially compromised device residing on the corporate network is completely blocked from interacting with other devices. Vendors publish sample integrations, such as the Cisco Meraki playbook that can utilize your policies to block devices on the corporate network exhibiting suspicious activity.

Another example of an automated action is blocking network traffic from a single IP address or URL. Consider a scenario where an incident is created for a potential brute-force attack on a firewall from a specific IP address. If our investigation indicates that the traffic is indeed malicious, we can choose to block further network traffic from the IP address. Instead of manually logging into the firewalls and blocking the IP, we can run a playbook to automatically configure the IP block across all our firewalls. Since the playbook will have a predefined configuration and automation logic, you can count on a standardized blocking process, even when different analysts are executing the action. Some example integrations are available from Azure Firewall and Cisco.

Threat Intelligence Integrations

While the previous section focuses on blocking a single IP address, your threat intelligence processes that identify and analyze cyber threat data might indicate multiple IP addresses that should be blocked. Whether your existing threat intelligence processes are well established or non-existent, I recommend integrating your networking equipment with the threat intelligence module of Microsoft Sentinel. The Microsoft Defender Threat Intelligence connector is free and will add threat indicators into your workspace for networking data.

While we can use threat intelligence queries to alert us if a hit is found in networking data, Microsoft Sentinel can also share threat indicator data with the firewalls to block this traffic completely.

Most firewall vendors support integrating a cloud-based CSV file into your firewall policies. We can use this CSV file integration to load indicator files that will cause the firewall to dynamically block network traffic from specific IP addresses. For example, you can configure a Check Point firewall to retrieve a CSV file from an accessible location, on a set schedule, which contains threat indicator data. If we add an IP address to this CSV file, it will be automatically blocked on our Check Point firewall.

To connect this feature to Microsoft Sentinel, we simply need to export our threat intelligence table to a CSV file in a public location like an Azure Storage Account.

While the above-mentioned integration is neither a native solution nor available as an open-source project, it can provide you with some ideas on the possibilities.
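One way to implement the export step described above, as an added example that is not from the original article or from Microsoft: it filters indicator rows before writing the CSV the firewall polls, so expired, low-confidence, malformed, or internal addresses never reach the blocklist. The sample rows, the `NEVER_BLOCK` ranges, the confidence threshold, and the two-column output layout are assumptions; match the layout to your firewall's feed format.

```python
import csv, io, ipaddress
from datetime import datetime, timezone

# Ranges that must never be blocked: RFC 1918, loopback, link-local, plus a
# hypothetical allowlist entry standing in for the organisation's own range.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "198.51.100.0/24")]

def _row(ip, conf, expires, active=True, desc="brute force source"):
    return {"NetworkIP": ip, "ConfidenceScore": conf, "Active": active,
            "ExpirationDateTime": expires, "Description": desc}

# Constructed sample rows using column names from the ThreatIntelligenceIndicator table.
SAMPLE_ROWS = [
    _row("203.0.113.10", 90, "2030-01-01T00:00:00Z"),
    _row("203.0.113.10", 90, "2030-01-01T00:00:00Z"),   # duplicate indicator
    _row("10.0.0.5", 95, "2030-01-01T00:00:00Z"),       # internal address
    _row("198.51.100.7", 95, "2030-01-01T00:00:00Z"),   # allowlisted range
    _row("192.0.2.44", 90, "2020-01-01T00:00:00Z"),     # expired
    _row("203.0.113.77", 30, "2030-01-01T00:00:00Z"),   # low confidence
    _row("evil.example", 90, "2030-01-01T00:00:00Z"),   # not an IP
]

def build_blocklist(rows, now, min_confidence=75):
    """Return (csv_text, skipped); skipped maps each rejected value to a reason."""
    keep, skipped = {}, {}
    for row in rows:
        raw = (row.get("NetworkIP") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            skipped[raw] = "not an IP address"
            continue
        expires = datetime.fromisoformat(row["ExpirationDateTime"].replace("Z", "+00:00"))
        if not row.get("Active") or expires <= now:
            skipped[raw] = "inactive or expired"
        elif row.get("ConfidenceScore", 0) < min_confidence:
            skipped[raw] = "low confidence"
        elif any(ip in net for net in NEVER_BLOCK):
            skipped[raw] = "protected range"
        else:
            keep[ip] = row.get("Description", "")   # dict key deduplicates
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["ip", "comment"])
    for ip in sorted(keep, key=lambda i: (i.version, int(i))):
        writer.writerow([str(ip), keep[ip]])
    return out.getvalue(), skipped
```

Logging the `skipped` map on every run gives the SOC a record of why an indicator did not reach the firewall, which is useful when a block is expected but missing.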

Start to Automate!

When I talk with fellow security professionals, they are often unaware of the integration possibilities from Microsoft Sentinel into their on-premises networking equipment. You should not underestimate the recent developments firewall vendors have made to make their products ‘cloud-ready’. By using their APIs, we can integrate networking equipment into our cloud SOAR platform, enabling us to retrieve additional context or take actions such as blocking an IP address or isolating a host.

About the Author

Thijs Lecomte

Thijs is a security consultant out of Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.
