This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.
Today, we are announcing a new Network Session Essentials solution in Public Preview. This is a domain solution and the first Microsoft Sentinel solution to leverage the Advanced Security Information Model (ASIM). The solution provides a set of generic out-of-the-box (OOTB) content, specific to network security scenarios, that supports ~16 network products and services including Azure Firewall, Palo Alto Firewall, Corelight, Cisco Meraki, Fortinet FortiGate and more. This means the same content from this solution can work with multiple network products deployed in your organization, delivering more value to protect your network with less.
Sentinel has 280+ solutions in Content hub. These enable customers not only to connect their data sources to ingest data into Microsoft Sentinel, but also provide out-of-the-box (OOTB) analytic rules, hunting queries, workbooks, playbooks, and more to help customers realize their E2E scenarios in Sentinel. Even though this approach enables customers to integrate different products into Microsoft Sentinel, there are certain challenges customers face. For example, there are multiple product solutions in the Security-Network domain category, like Azure Firewall, Palo Alto Firewall, Corelight, etc. These have differing data ingest components by design, but there is a common pattern to the analytics, hunting queries, workbooks, etc. within the same category. To take a specific example, most of the major network products share a basic set of firewall alerts that covers malicious threats coming from unusual IP addresses. Currently, this analytic rule template is largely duplicated for each product solution in the Security-Network category. Customers running multiple network products need to check and then configure multiple analytic rules individually, which is inefficient. Furthermore, this results in alert fatigue when the alerts do fire, which is contrary to Sentinel’s value proposition.
Key Capabilities: -
- Data normalization using ASIM schema
- Query time or ingestion time parsing
- At scale data / incident handling
- Easier use case deployment and incident handling
- More value with less content to manage
- Consolidated workbook views
- Source agnostic content
Prerequisite: -
Like other Microsoft Sentinel domain solutions, the Network Session Essentials solution does not have a data connector of its own. It depends on the source-specific connectors in Microsoft Sentinel product solutions to pull in the logs. Install one or more of the prerequisite product solutions below, and configure their data connectors to meet the underlying product dependency needs and to make full use of this solution's content.
- Amazon Web Services
- Azure Firewall
- Azure Network Security Groups
- Check Point
- Cisco ASA
- Cisco Meraki Security Events
- Corelight
- Fortinet FortiGate
- Microsoft Defender for IoT
- Microsoft Defender for Cloud
- Microsoft Sysmon For Linux
- Windows Firewall
- Palo Alto PANOS
- Vectra AI Stream
- WatchGuard Firebox
- Zscaler Internet Access
Note: As the parser coverage for this solution increases this list will also increase.
Out of box content offered: -
This solution comes with seven analytic rules, four hunting queries, one playbook, one workbook, and one watchlist.
Analytics rules:
- Network session traffic anomaly
- Anomaly in port usage
- More than defined port usage
- Excessive number of failed connections from a Single source
- Possible external to internal port sweep
- Possible port scan
- Potential Beaconing activity
Hunting queries:
- Detect Anomaly in port usage
- Detect More than defined port usage
- Detect multiple users with same MAC address
- Destination App and associated standard port mismatch
Summarization playbook:
The Network Session Essentials domain solution is expected to handle data arriving at a very high rate of events per second (EPS). Content that queries such high-EPS data can suffer a performance impact, causing slow loading of workbooks or query results. To overcome this, we have created a summarization playbook that summarizes the source logs and stores the result in a predefined table. The content of the solution does not query this table unless the summarization playbook has been enabled.
Note: Because playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps which create separate resources, additional charges might apply. For more information, see the Azure Logic Apps pricing page. Additional charges might also apply for storage of the summarized data.
Workbook:
This solution provides one workbook, the Network Session Solution workbook, which covers details for the following areas:
- Traffic visibility
- Security visibility
- Policy rule
- Network security event viewer
Watchlist: -
The solution supports one watchlist, ‘NetworkSession_Monitor_Configuration’, which includes more than 70 different sets of conditions that drive the analytic rule detections and hunting queries. This watchlist provides the following advantages:
- The watchlist contains a list of ports on which monitoring is required, with the ability to filter on Destination Application, Network Protocol, Network Direction and Device Action.
- The type of monitoring can be switched between Hunting and Detection for each row.
- The threshold type can be set to Static to use threshold-based alerting, while Anomaly-based alerts learn from the last few days of data (maximum 14 days).
- Alert Name, Description, Tactic and Severity can also be modified for individual rows using this watchlist.
- A detection can be disabled by setting its Severity to Disabled.
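As an added illustration (not one of the solution's own analytic rules), the following KQL sketches how a watchlist-driven rule can evaluate both threshold types over ASIM-normalized sessions. `_GetWatchlist`, the `_Im_NetworkSession` unifying parser and the ASIM field names are real; the watchlist column names (Port, Type, ThresholdType, Threshold, Severity, AlertName) are assumed because the post does not list them, and the optional application/protocol/direction/action filters are left out for brevity.

```kql
// Added example: evaluate the NetworkSession_Monitor_Configuration
// watchlist against ASIM network sessions. Watchlist column names below
// are assumptions; check the watchlist schema in your own workspace.
let lookback = 14d;                 // anomaly mode learns from up to 14 days
let bin_size = 1h;                  // evaluation window for the latest bin
let config = _GetWatchlist('NetworkSession_Monitor_Configuration')
    | where Severity != 'Disabled'  // Severity = Disabled switches a row off
    | where Type == 'Detection'     // Hunting rows feed hunting queries instead
    | project MonitoredPort = toint(Port), ThresholdType,
              Threshold = toint(Threshold), Severity, AlertName;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where DstPortNumber in ((config | project MonitoredPort))
// Hourly session counts per monitored destination port
| make-series Sessions = count()
    on TimeGenerated from bin(ago(lookback), bin_size) to now() step bin_size
    by DstPortNumber
// Score each hourly point against the learned baseline of the series
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Sessions, 3)
| mv-expand TimeGenerated to typeof(datetime), Sessions to typeof(long),
            Anomalies to typeof(double)
| where TimeGenerated >= ago(bin_size)   // only alert on the most recent bin
| join kind=inner config on $left.DstPortNumber == $right.MonitoredPort
// Static rows compare against the fixed threshold; Anomaly rows use the
// decomposition result, matching the two modes the watchlist offers
| where (ThresholdType == 'Static' and Sessions > Threshold)
     or (ThresholdType == 'Anomaly' and Anomalies > 0)
| project TimeGenerated, AlertName, Severity, DstPortNumber, ThresholdType,
          Sessions, Threshold
```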
Getting started: -
This solution is available in Content hub like any other solution: search for it and click Install. Make sure at least one of the prerequisite source-specific solutions listed above is already installed before installing this solution.
All the content (analytic rule templates, hunting queries, playbook, workbook) is loaded into the respective content galleries, and it is expected that one enables the relevant content from these available templates.
