Azure cloud hunting 2.0 - how to automate your way to threat hunting awesomeness within Azure Sentinel

Azure Sentinel has been release on the SIEM market for almost a year and the platform has been consistently improved ever since. Moreover, even though Sentinel offers limited threat hunting capabilities out of the box, with some expert tuning it can be turned into an effective and efficient hunting platform able to cover both on-premise and cloud assets. However, efforts at automating the threat hunting experience within Azure Sentinel have been far and few between.

This talk will condense and share a year’s worth of lessons learnt from building Sentinel ATT&CK, a GitHub project designed to make it easy to deploy an ATT&CK-driven hunting solution within Sentinel. The talk will discuss how to deploy an effective threat hunting capability. It will then delve into specific aspects of the threat hunting process that can be automated within the platform, covering in particular the automation of use case deployment, log whitelisting, threat hunting processes via workbooks and alert response through Logic Apps. It will then conclude with a demonstration of how the updated Sentinel ATT&CK repository can help with leveraging the automation techniques outlined in the talk.