Preface
The purpose of this document is to provide a comprehensive overview of the Nasuni and Microsoft Sentinel integration, along with a detailed guide covering the solution’s deployment and utilization. The deployment and utilization are structured into three distinct sections for clarity and ease of understanding:
Syslog proxy server setup: Forwarding Nasuni logs and events to Microsoft Sentinel
Content hub setup and use: Nasuni pre-configured Microsoft Sentinel tooling
Playbook setup: Recommended automated responses/playbooks
Overview
At Nasuni, we are committed to providing our customers with a scalable, performant, and secure solution for files across their entire enterprise. Our goal is to consolidate and simplify file management into a centralized file data platform, enhancing security in the process. To achieve this, we are constantly seeking to integrate with solutions that share our vision of simplification and centralization. Microsoft Sentinel stands out as a prime example in the security domain, offering a platform for monitoring and managing comprehensive and actionable security insights. Our integration with Microsoft Sentinel enhances data security for customers by closely aligning file logs and events with security measures. By enabling customers to leverage Sentinel's capabilities, we aim to facilitate the extraction of crucial security-specific metrics. This helps SecOps teams extend and automate responses to their broader environment based on insights from Nasuni's offerings, thereby delivering added security and value to our users.
Microsoft Sentinel is a SIEM solution that offers a panoramic view of security landscapes. It collects disparate data points to present a cohesive security narrative across entire enterprise IT environments. By harmonizing logs, events, and alerts from a multitude of sources, Sentinel not only centralizes visibility but also empowers organizations to discern patterns, detect anomalies, and preempt potential threats with precision. This holistic approach to security intelligence facilitates a proactive defense mechanism, transforming raw data into actionable insights, and enabling a more dynamic and adaptive security strategy that evolves with the ever-changing threat landscape.
Nasuni offers the ability to send logs and file audit events from Nasuni Edge Appliances to Microsoft Sentinel. Integrating Nasuni with Microsoft Sentinel in this way can significantly bolster security monitoring, elevate threat detection capabilities, and expedite threat response by funneling security alerts from Nasuni systems into Sentinel. When Nasuni logs and alerts are accessible from within Sentinel, customers are empowered to leverage Nasuni-specific critical insights across their broader environment through the use of Sentinel’s various analytic tools and automation capabilities.
Nasuni has created a suite of pre-configured Microsoft Sentinel tools and capabilities for customers, available from within Sentinel’s ‘Content Hub’. The content includes two analytics rules and one hunting query pertaining to catching ransomware attack events from logs and alerts generated by the Nasuni Ransomware Attack add-on. After this content is installed, customers can immediately have incidents created upon any ransomware attack detected by Nasuni and can also create playbooks to automate any further mitigation tasks or threat response activities based on these incidents.
Benefits of Microsoft Sentinel integration
Utilizing Microsoft Sentinel with Nasuni’s Edge appliances offers the following benefits:
Provides advanced monitoring and analysis of security metrics for company file shares, which are often targets for ransomware due to the valuable data they contain.
Enables SecOps teams to leverage Nasuni’s edge detection capabilities through analytic queries within Microsoft Sentinel. These queries can identify and raise incidents within the Microsoft Sentinel ecosystem based on ransomware attacks, facilitating a range of secondary actions for monitoring and reporting.
Offers a hunting query feature to pinpoint directory or file deletions, which can be indicative of a ransomware attack in progress.
Allows for security monitoring customization, where users can develop additional queries and responses tailored to their specific security requirements.
Allows automated responses to security incidents to be created through Microsoft Sentinel Playbooks, extending recovery actions beyond the scope of Nasuni infrastructure.
Deployment and utilization
The Nasuni Solution for Microsoft Sentinel is part of Nasuni Labs: Azure-Sentinel. Nasuni provides a set of Sentinel artifacts via the Sentinel Content Hub (a curated view of the Azure Marketplace). This includes elements such as pre-built Analytics Rules that are capable of interpreting Nasuni’s Ransomware Protection Notifications and generating corresponding Sentinel Incidents.
Syslog Proxy server setup
Prerequisites
Before deploying the Syslog Proxy server, users must create a Log Analytics Workspace to which syslog data is to be sent. There must also be network connectivity between the Nasuni Appliances and the VNET in which the proxy is deployed.
Proxy deployment
Go to the Nasuni Labs GitHub page (https://github.com/nasuni-labs/nasuni-azure-syslog-proxy).
Locate the README file that outlines how to deploy the proxy to your Azure environment.
From within the README file, click “Deploy to Azure”.
Walk through the “Custom deployment” screen and fill in the required fields within Azure.
Then deploy the Syslog Proxy VM to your environment.
Configure Nasuni Edge Appliance
Nasuni Edge Appliances need to be configured to send their syslogs and file audit events to the Syslog Proxy, which then forwards them to the log analytics workspace utilized by Sentinel. In order to do so, users must first enable “Volume Auditing” and then turn on “Syslog Exports” from the Nasuni Management Console. Before enabling both features, ensure that the appropriate port is open between each Edge Appliance and the Syslog Proxy server (UDP and TCP port 514).
Turn on Volume Auditing
Log in to the Nasuni Management Console.
Go to the “Volumes” tab on the navigation bar.
Go to “Auditing” on the left side of the screen under “Volume Services”.
Select the volume you wish to enable volume auditing for and then click “Edit Volumes”.
On the “Edit Volume Auditing Settings” dialog box, set the “Auditing Enabled” switch to “On” and select all of the event types that you wish to track. For ransomware protection specifically, select “Delete”, “Rename”, and “Security”.
Enable “Prune Audit Logs” and change the “Days to Keep” field to 5 or less, in order to save space on the system. (These logs are all going to be stored in the Log Analytics Workspace after being forwarded to Syslog Proxy.)
Scroll down and enable “Send Audit messages to syslog”.
Click “Save Audit Settings” to complete turning on the file system auditing.
Turn on Syslog Export
Navigate to the “Filers” tab on the navigation bar.
Select “Syslog Export Settings” on the left side under “Filer Settings”.
On this page, select the check box next to the name of the Edge Appliance that you want to get logs from. Then select “Edit Filer”.
In the “Filer Syslog Export Settings” dialog box, in the Servers text box, enter the IP address of the Syslog Proxy VM that will receive the logs, in host[:port] format. The port used should be port 514.
To send auditing events, turn on “Send Auditing Messages”.
Leave the logging facility and log level fields as they are.
To send notifications, turn on “Send Notification Messages”.
Leave the logging facility and log level fields as they are.
Click “Save Settings”.
Your settings are saved.
The Nasuni Edge Appliances can now export their logs to your Syslog Proxy VM.
For further information on Volume Auditing (file system event auditing) and Syslogs, see the NMC Guide.
Content Hub setup and use (Install analytics rules, incidents, hunting query)
Installing Content Hub
Analytics rules use and incident creation
Analytics rules are rules that can be instantiated to run in Sentinel and analyze all logs that are coming from Nasuni devices. There are two analytics rules that Nasuni provides from the Content Hub package: “Ransomware Attack Detected” and “Ransomware Client Blocked”. These two rules utilize queries that have been constructed to identify syslog activity associated with an ‘attack detected’ and a ‘client blocked’ in the case of a Ransomware event. The rules run every 5 minutes and, upon a query hit, the rule triggers an alert and an “Incident” within Sentinel. Incidents enable further threat management within Sentinel per customer incident management workflows. Automation can be attached to these analytics rules, as covered in the “Playbook Setup” section of this document.
Rule deployment
On the Sentinel blade, under Configuration section, go to “Analytics”.
Click “Rule templates”.
Find the Nasuni rules named “Ransomware Attack Detected” and “Ransomware Client Blocked”.
Deploy one at a time by clicking on the ellipsis on the far right of the table and then selecting “+ Create Rule”.
Change the name of the rule and the description as you prefer. Then click “Next: Set rule logic >”.
On the “Set rule logic” tab, adjust fields as necessary for Rule Logic.
For “Start running”, Nasuni recommends that the Query is scheduled every 5 minutes to look up data from the last 5 minutes.
“Alert threshold” should be set to “Is greater than” and 0.
On the bottom of the page, click “Next: Incident settings >”.
On the “Incident settings” tab, keep “Incident settings” set to Enabled for incident creation.
Click “Next: Automated response >”.
Do not make changes on the “Automated Response” page at this time. Automation can be added at a later time. Click “Review + Create”.
On the “Review + Create” tab, ensure that the settings are correct, then click “Save” to complete the first Analytics rule creation.
Repeat the same process for the second Analytics rule.
After both Analytics rules are created, they show up as “Enabled” under the “Active Rules” section on the Analytics page.
After these rules are in place, incidents are triggered and show up on the ‘Incidents’ page of the Sentinel blade.
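The query below is an added illustration of the rule logic configured above (run every 5 minutes over the last 5 minutes, alert threshold “Is greater than” 0); it is not the query shipped in Nasuni’s Content Hub package. The Syslog table and its columns are standard Log Analytics, but the notification phrase it matches is an assumption and must be replaced with the exact wording of your appliances’ Ransomware Protection notifications.

```kql
// Added example for the "Ransomware Attack Detected" scheduled rule.
// The matched phrase is an ASSUMPTION about the Nasuni notification text;
// the second rule is the same query with the "client blocked" phrase instead.
let lookback = 5m;                                    // matches the 5-minute schedule and lookup window
let attack_phrase = "Ransomware Attack Detected";     // assumed phrasing, adapt to your appliances
Syslog
| where TimeGenerated > ago(lookback)
| where SyslogMessage has attack_phrase
// One row per appliance per run; any row at all exceeds the threshold of 0 and raises an incident.
| summarize EventCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleMessage = take_any(SyslogMessage)
    by Computer, HostIP, Facility, SeverityLevel
| project-reorder Computer, HostIP, EventCount, FirstSeen, LastSeen, SampleMessage
```

Map Computer and HostIP to the Host and IP entities on the “Set rule logic” tab so that incidents carry the affected appliance for downstream playbooks.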
Hunting query use
Hunting queries allow users to search logs by running custom queries on the Log Analytics workspace for Microsoft Sentinel. Nasuni’s Content Hub integration provides a custom query which allows users to find file deletion activity on Nasuni Appliances. Upon running this query, you can find the specific log messages for any deleted files and identify the user that deleted them.
Running the hunting query
On the Microsoft Sentinel blade, navigate to the “Hunting” page.
In the center of the Hunting screen, select “Queries”.
You can inspect the details of the query by selecting the “Nasuni File Delete Activity” query and then expanding the tab on the left side.
Click “Run Query”.
After the query completes running, select “View Results”.
This takes you to the log inspector screen where you can find the relevant details to the file deletion.
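As an added illustration of what a hunting query over the forwarded audit events can surface, the query below groups “Delete” audit messages by appliance and user in 5-minute bins so that a burst of deletions (the in-progress ransomware indicator described earlier) stands out. It is not the “Nasuni File Delete Activity” query from the Content Hub; the keyword and the regexes that pull out the user and path are assumptions about the audit message layout and must be adapted to the format documented in the NMC Guide.

```kql
// Added example hunting query; NOT the content hub query.
// Keyword and field regexes are ASSUMPTIONS about Nasuni audit message text.
let window = 24h;
Syslog
| where TimeGenerated > ago(window)
| where SyslogMessage has "delete"                                          // assumed audit keyword
| extend UserName = extract(@"user[=:\s]+([^\s,]+)", 1, SyslogMessage),     // assumed "user=<name>" layout
         FilePath = extract(@"path[=:\s]+(\S+)", 1, SyslogMessage)          // assumed "path=<path>" layout
| summarize Deletes = count(),
            SamplePaths = make_set(FilePath, 10),
            SampleMessage = take_any(SyslogMessage)
    by Computer, HostIP, UserName, bin(TimeGenerated, 5m)
// Sort the busiest appliance/user/window combinations to the top.
| order by Deletes desc, TimeGenerated desc
```

Remove the summarize stage (keeping the extend and a project of TimeGenerated, Computer, UserName, FilePath, SyslogMessage) when you need the individual log messages for a specific file rather than the per-user volume.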