Jake Quirke, Senior Security Consultant.
Logs are the bread and butter of a Security Operations Centre (SOC). An absence of logs means no visibility, and no visibility means analysts have nothing to analyse. With no analysis, what was once the final bastion of defence against the Dark Arts becomes a very expensive hole into which you pour money.
We recently had an issue in one of our clients’ Azure subscriptions where, while reviewing the beautifully designed Overview blade in Azure Sentinel, an analyst noticed a drastic reduction in the number of logs being received. With the aforementioned ‘logs are bread and butter’ premise in mind, this caused some consternation amongst the SOC team. After a bit of digging, we discovered it had been caused by a rolling restart of our domain controllers! A quick restart of the affected Microsoft Monitoring Agent (MMA) services and we were away, receiving logs again.
However, given that it had taken most of the day for the drop to be noticed, the scenario highlighted an interesting and urgent problem: a feed outage needs to be detected automatically, not spotted by chance on a dashboard.
In this query, we have used the find operator as opposed to the search operator. This is because, at the time of writing, search is not supported in Sentinel analytics rules, whereas find can be scheduled as a rule.
This query is by no means a perfect solution, but from our testing over the last six months it has proven reliable and has significantly improved our response time to feed outages.
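To illustrate the approach, the following is an added example of a feed-outage detection rule built on find rather than search; it is not the query from the post, and the table list, the 7-day baseline, the 1-hour window and the 25% threshold are all assumptions to tune per environment.

```kql
// Constructed example, not the post's own query. Tables, lookback, window
// and threshold are assumptions; adjust them to the feeds you actually ingest.
let lookback = 7d;      // history used to build a per-source baseline
let window = 1h;        // size of each bin and of the period under test
let threshold = 0.25;   // alert when a source falls below 25% of its baseline
// find (not search) so the rule is valid as a scheduled analytics rule.
// withsource= names the column that records which table each row came from.
let hourly = find withsource=SourceTable in (SecurityEvent, Syslog, CommonSecurityLog, Heartbeat)
        where TimeGenerated > ago(lookback)
        project TimeGenerated
    | summarize RowCount = count() by SourceTable, bin(TimeGenerated, window);
// The most recent complete bin; the current partial bin is excluded so a
// rule firing early in the hour does not raise a false outage.
let testBin = bin(ago(window), window);
// Average hourly volume per source over earlier bins. Note: only hours that
// produced rows exist in 'hourly', so intermittent sources average over active hours.
let baseline = hourly
    | where TimeGenerated < testBin
    | summarize BaselineCount = avg(RowCount) by SourceTable;
let recent = hourly
    | where TimeGenerated == testBin
    | summarize RecentCount = sum(RowCount) by SourceTable;
// leftouter from the baseline side: a source that stopped entirely has no
// recent rows at all, and must still appear here, with a count of 0.
baseline
| join kind=leftouter recent on SourceTable
| extend RecentCount = coalesce(RecentCount, 0)
| where RecentCount < BaselineCount * threshold
| project SourceTable, TestWindowStart = testBin, BaselineCount, RecentCount,
          DropRatio = round(1.0 - (RecentCount * 1.0 / BaselineCount), 2)
```

Each row returned is a source whose volume in the last complete hour dropped below the threshold, which is the condition that would have caught the domain controller restart described above; silent sources appear with RecentCount of 0 rather than vanishing from the result.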
At Bridewell, we are always looking to improve our SOC and Security Orchestration, Automation and Response (SOAR) offering by finding gaps in the toolset and taking on challenges like this one to close that gap.
If you or your business are struggling with automated responses to security events, or perhaps you find that the day-to-day demands of operating a SOC are hindering your ability to develop a more streamlined and effective solution, then we will be more than happy to help.