MS Sentinel and Cygna Auditor
Morgan Holm
03. Aug. 2022
Microsoft Sentinel is a cloud-native (SaaS) security information and event management (SIEM) platform used for threat detection and analysis. Raw log data is collected and stored in a Log Analytics workspace in the cloud for analysis by security operations center (SOC) personnel.
Cygna Auditor is an integrated auditing, alerting, reporting and recovery platform that provides insight into an organization’s key hybrid and multi-cloud infrastructure, for analysis by security operations center (SOC) and operations (OPS) personnel.
Cygna Auditor gathers audit events and, wherever possible, resolves values such as GUIDs and UPNs into human-readable names. These plain-language events are also normalized to show who, what, where and when, which simplifies both understanding and filtering. This matters most when information is needed quickly during a potential security breach or an operational interruption.
Example Azure AD Event
The following is a raw Azure AD audit event in JSON (a group update written by directory synchronization). It is a set of name/value pairs, several of them cryptic: the actor and target are identified by GUIDs, and the old and new values under modifiedProperties are themselves JSON documents encoded as strings:
[{
  "id": "Directory24215103-7885-4e29-93e7-fb4f84d0db1b_Q60SD_75566166",
  "category": "GroupManagement",
  "correlationId": "24215103-7885-4e29-93e7-fb4f84d0db1b",
  "result": "success",
  "resultReason": "",
  "activityDisplayName": "Update group",
  "activityDateTime": "2022-04-12T19:40:42.9289636+00:00",
  "loggedByService": "Core Directory",
  "initiatedBy": {
    "user": {
      "id": "aae7a22a-2f5e-4ee1-8959-a7d49c4fb763",
      "displayName": null,
      "userPrincipalName": "Sync_MEM-01********@cygnacore.onmicrosoft.com",
      "ipAddress": "",
      "homeTenantId": null,
      "homeTenantName": null
    }
  },
  "userAgent": null,
  "targetResources": [{
    "id": "e050775a-9c29-4266-a8e9-ba3239177d17",
    "displayName": "Accountants",
    "type": "Group",
    "userPrincipalName": null,
    "groupType": "unknownFutureValue",
    "modifiedProperties": [
      {"displayName": "LastDirSyncTime", "oldValue": "[\"2022-04-10T23:27:31Z\"]", "newValue": "[\"2022-04-12T19:40:42Z\"]"},
      {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"LastDirSyncTime\""},
      {"displayName": "Action Client Name", "oldValue": null, "newValue": "\"DirectorySync\""},
      {"displayName": "TargetId.GroupType", "oldValue": null, "newValue": "\"\""}
    ]
  }],
  "additionalDetails": [{"key": "GroupType", "value": ""}]
}]
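As an added illustration of the normalization described above (example code written for this page, not Cygna Auditor’s or Microsoft’s), the following Python takes the raw event shown and reduces it to who, what, where and when, decoding the JSON-in-a-string values under modifiedProperties that make the raw record hard to read. The output field names, the helper names and the handling of an app (service principal) initiator are this example’s own choices; the event data is the one on this page, with the UPN already masked in the source.

```python
import json
from typing import Any

# The raw Azure AD "Update group" audit event shown above, in the list form the
# Microsoft Graph API returns. The UPN was already masked in the source.
RAW_EVENTS = r'''[{
  "id": "Directory24215103-7885-4e29-93e7-fb4f84d0db1b_Q60SD_75566166",
  "category": "GroupManagement",
  "correlationId": "24215103-7885-4e29-93e7-fb4f84d0db1b",
  "result": "success",
  "resultReason": "",
  "activityDisplayName": "Update group",
  "activityDateTime": "2022-04-12T19:40:42.9289636+00:00",
  "loggedByService": "Core Directory",
  "initiatedBy": {"user": {"id": "aae7a22a-2f5e-4ee1-8959-a7d49c4fb763", "displayName": null,
      "userPrincipalName": "Sync_MEM-01********@cygnacore.onmicrosoft.com",
      "ipAddress": "", "homeTenantId": null, "homeTenantName": null}},
  "userAgent": null,
  "targetResources": [{"id": "e050775a-9c29-4266-a8e9-ba3239177d17", "displayName": "Accountants",
      "type": "Group", "userPrincipalName": null, "groupType": "unknownFutureValue",
      "modifiedProperties": [
        {"displayName": "LastDirSyncTime", "oldValue": "[\"2022-04-10T23:27:31Z\"]",
         "newValue": "[\"2022-04-12T19:40:42Z\"]"},
        {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"LastDirSyncTime\""},
        {"displayName": "Action Client Name", "oldValue": null, "newValue": "\"DirectorySync\""},
        {"displayName": "TargetId.GroupType", "oldValue": null, "newValue": "\"\""}]}],
  "additionalDetails": [{"key": "GroupType", "value": ""}]
}]'''


def decode_value(raw: Any) -> Any:
    """oldValue/newValue in modifiedProperties are JSON documents encoded as
    strings ('["2022-04-10T23:27:31Z"]', '"DirectorySync"', '""'). Decode
    them, unwrap single-element arrays, and fall back to the raw text if it
    is not JSON at all."""
    if raw is None:
        return None
    try:
        value = json.loads(raw)
    except (TypeError, ValueError):
        return raw
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def actor(event: dict) -> dict:
    """Azure AD records the initiator under 'user' (interactive or sync account)
    or 'app' (service principal); only one of the two is populated."""
    initiated = event.get("initiatedBy") or {}
    user, app = initiated.get("user"), initiated.get("app")
    if user:
        return {"kind": "user",
                "name": user.get("userPrincipalName") or user.get("displayName") or user.get("id"),
                "ip": user.get("ipAddress") or None}  # "" means no client IP (e.g. directory sync)
    if app:
        return {"kind": "app",
                "name": app.get("displayName") or app.get("servicePrincipalName") or app.get("appId"),
                "ip": None}
    return {"kind": "unknown", "name": None, "ip": None}


def normalize(event: dict) -> dict:
    """Reduce one raw audit event to who / what / where / when plus a decoded
    dict of property changes. The output field names are this example's own."""
    who = actor(event)
    targets = event.get("targetResources") or []
    target = targets[0] if targets else {}
    changes = {
        prop["displayName"]: {"old": decode_value(prop.get("oldValue")),
                              "new": decode_value(prop.get("newValue"))}
        for prop in target.get("modifiedProperties") or []
    }
    return {
        "who": who["name"],
        "who_type": who["kind"],
        "what": event.get("activityDisplayName"),
        "result": event.get("result"),
        "target": target.get("displayName"),
        "target_type": target.get("type"),
        "where": who["ip"],                      # None when the log carries no client IP
        "source": event.get("loggedByService"),
        "client": changes.get("Action Client Name", {}).get("new"),
        "when": event.get("activityDateTime"),
        "changes": changes,
    }


def load_events(raw_json: str) -> list:
    """Accept either a single event object or the list form Graph returns."""
    data = json.loads(raw_json)
    return data if isinstance(data, list) else [data]


def describe(n: dict) -> str:
    """One plain-language line per event, the kind of summary an analyst filters on."""
    changed = ", ".join(f"{k}: {v['old']!r} -> {v['new']!r}"
                        for k, v in n["changes"].items() if v["old"] != v["new"])
    return (f"{n['when']}  {n['who']} ({n['who_type']}) {n['what'].lower()} "
            f"{n['target_type']} '{n['target']}' via {n['client'] or n['source']} "
            f"[{n['result']}]  {changed}")


if __name__ == "__main__":
    for ev in load_events(RAW_EVENTS):
        print(describe(normalize(ev)))
```

Two details of the raw format drive the code: the client IP is an empty string rather than absent for directory-sync writes, so “where” is reported as unknown instead of an empty value, and the only hint about which client made the change is buried in a modifiedProperties entry (Action Client Name), which is why the summary falls back to loggedByService when that entry is missing.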
In the Microsoft Sentinel console the event would appear similar to the following screenshot (note: not the same event), again as name/value pairs with several cryptic entries:
Creating queries against audit data in Sentinel requires specialized skills. Queries are written in Kusto Query Language (KQL) (see the example below) and require in-depth knowledge of both the language and the schema of the specific raw events to get at the desired information. Note that the example below queries the AzureActivity table (the Azure subscription activity log); Azure AD audit events like the one above land in the AuditLogs table, where the actor and target sit in nested dynamic columns (InitiatedBy, TargetResources) that have to be unpacked before they can be filtered.
Example KQL Query
AzureActivity
// ISO 8601 dates avoid the day/month ambiguity of 01-01-2021 vs 19-05-2022
| where TimeGenerated > datetime(2021-01-01) and TimeGenerated < datetime(2022-05-19)
// == is case-sensitive in KQL ('critical' matches nothing); use =~ to ignore case
| where Level == 'Critical'
| project TimeGenerated, Level, OperationNameValue, ResourceGroup, _ResourceId
| sort by TimeGenerated desc
Creating queries against audit data in Cygna Auditor is straightforward and requires no query language: it is all done in the UI with drop-down lists and auto-complete on many fields.
Sorting is set by clicking the desired column in the audit grid, which toggles between ascending and descending, or by choosing a different column, without rerunning the query.
The “when” condition is also set with drop-down quantifiers and a calendar / time selection control (where applicable).
Along with the normalized standard event data, data source specific event details are available. These can be selected from drop-down lists when building a filter, so there is no need to know the correct syntax, the case sensitivity, or the kinds of information available for different types of events.
Depending on the selection there may be further aids, such as type-ahead search or event-specific criteria (for example, selecting the desired levels), with no need to know the correct syntax or worry about case sensitivity.
It is also straightforward to select the columns of event data shown, for both normalized and data source specific event details.