Deep Dive into Microsoft’s Unified Security Operations Platform (USOP) Architecture

Listen to this Post

Let’s take a deep dive into the architecture of Microsoft’s Unified Security Operations Platform (USOP)! The USOP architecture is a bit of an unfamiliar approach for those familiar with Microsoft Security (at least it was for me).

When I first started, I asked, “How is Defender different from Sentinel, since basically both are used to detect suspicious activities based on logs?” 🤔

The TLDR explanation was:

❌ Defender CANNOT support third-party logs

✅ Sentinel (SIEM) CAN support third-party logs

The new Unified Security Operations Platform is designed to challenge this assumption. For example, consider a detection rule in Microsoft Sentinel for third-party events. You might assume that both the alert and incident for the detection would be created in Sentinel, since it’s tied to a third-party log source. But here’s how it actually works:

  • The detection rule searches for suspicious activity in third-party event logs
  • The rule creates a security alert in Sentinel (from the raw logs)
  • The detection rule DOES NOT create a security incident in Sentinel
  • The data connector pulls the third-party security alert and ingests it into Defender XDR as a ‘third-party defender’ alert 😳
  • Defender XDR performs alert correlation for the ‘third-party defender alert’ with any Defender security alerts or information
  • Defender XDR creates a Defender security incident for the ‘third-party defender alert’
  • The data connector from Sentinel pulls the Defender security incident for the ‘third-party defender alert’

The new incident is then treated as a regular Defender security incident, even though it originated in Sentinel from third-party event logs. The value of the USOP architecture lies in how it enriches third-party detections with Defender data.

Practice-Verified Commands and Codes

1. KQL Query for Sentinel Logs

Use this KQL query to search for suspicious activity in third-party logs:
[kql]
ThirdPartyLogs
| where ActivityType == “Suspicious”
| summarize count() by bin(TimeGenerated, 1h), ActivityType
[/kql]

2. Defender XDR Alert Correlation Command

To manually correlate alerts in Defender XDR, use:

Get-DefenderAlert -CorrelationId <AlertID> | Format-List

3. Sentinel Data Connector Setup

Use this PowerShell command to configure a data connector in Sentinel:

New-AzSentinelDataConnector -ResourceGroupName "YourRG" -WorkspaceName "YourWorkspace" -Kind "ThirdParty"

4. Defender XDR Incident Creation

To create a Defender XDR incident manually:

New-DefenderIncident - "Third-Party Alert" -Severity "High" -Description "Suspicious activity detected"

5. Automating Sentinel-Defender Integration

Use this Azure Logic App template to automate Sentinel-Defender integration:

{
"type": "Microsoft.Logic/workflows",
"apiVersion": "2017-07-01",
"name": "SentinelDefenderIntegration",
"location": "[resourceGroup().location]",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"triggers": {},
"actions": {},
"outputs": {}
}
}
}

What Undercode Say

The Unified Security Operations Platform (USOP) by Microsoft represents a significant leap in cybersecurity architecture, blending the capabilities of Microsoft Sentinel and Defender XDR to create a cohesive and enriched security ecosystem. By allowing third-party logs to be ingested into Sentinel and then correlating these alerts within Defender XDR, Microsoft has effectively bridged the gap between SIEM and XDR solutions. This integration not only enhances detection capabilities but also streamlines incident response, making it easier for security teams to manage threats across diverse environments.

For Linux users, similar integration can be achieved using tools like Elasticsearch and Osquery to monitor logs and correlate alerts. For example, the following command can be used to query system logs for suspicious activities:

grep "suspicious" /var/log/syslog

Windows users can leverage PowerShell to automate log analysis and incident creation. For instance, the following script can be used to parse Event Viewer logs:

Get-WinEvent -LogName "Security" | Where-Object { $_.Id -eq 4625 }

For further reading on Microsoft’s USOP architecture, refer to the official documentation:
Microsoft Sentinel Documentation
Defender XDR Documentation

In conclusion, the USOP architecture is a game-changer for organizations looking to unify their security operations. By combining the strengths of Sentinel and Defender, Microsoft has created a platform that not only simplifies log management but also enhances threat detection and response. Whether you’re working with Linux, Windows, or cloud environments, the principles of integration and automation remain key to building a robust cybersecurity framework.

References:

Hackers Feeds, Undercode AIFeatured Image