SolarWinds Post-Compromise Hunting with Azure Sentinel

Microsoft recently blogged about the Recent Nation-State Cyber Attacks that have impacted high value targets across both the government and private sector. This attack is also known as Solorigate or Sunburst. The threat actor is believed to be highly sophisticated and motivated. The security data needed to hunt for and investigate such a complex attack is produced in multiple locations: in the cloud, on-premises, and across many security tools and product logs. Being able to analyze all of that data from a single point makes it easier to spot trends and attacks. Azure Sentinel makes it easy to collect data from multiple sources across both on-premises and cloud environments, with the goal of connecting that data together more easily. This blog post contains guidance and generic approaches for hunting attacker activity (TTPs) in data that is available by default in Azure Sentinel or that can be onboarded to Azure Sentinel.

The goal of this article is to describe post-compromise investigation strategies; it focuses on TTPs rather than on specific IOCs. Azure Sentinel customers are encouraged to review the advisories and IOCs shared by Microsoft MSRC and security partners, and to search for those IOCs in their environment using Azure Sentinel. Links to these IOCs are listed in the reference section at the end.

Link to article:

URL: https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095