Inspiration
Microsoft Sentinel provides a multitude of connectors to ingest security events from a wide range of sources. Drawing inspiration from the graph-based approach of tools like Stormspotter and BloodHound, traditionally used to identify and visualize attack paths in an organization, our team set out to introduce a similar approach in Sentinel itself, revealing relationships and pivotal points along paths to privilege escalation. This capability can be used proactively and can also enrich security investigations.
What it does
- A custom connector ingests data from a graph database, like neo4j. Data can be collected by any tool that works with graph databases. In our prototype, BloodHound is used, utilizing the AzureHound collector to pull data of interest from an Azure tenant
- Ingested data is used in a custom workbook, which visualizes nodes and relationships in a graph view that can be filtered as necessary
- A Jupyter notebook works against the data stored in the Log Analytics workspace and transforms it into graph structures, providing the capability to identify potential attack paths to target nodes. At the same time, it maps security alerts and events onto the revealed path to provide additional context during investigation
The underlying value lies in bringing graph analysis to bear on data held in the Log Analytics schema.
How we built it
- Initially, we wanted to enrich the power of tools which work with graph data, like BloodHound, with the capabilities of Sentinel
- BloodHound was used for the initial data collection, using the AzureHound collector
- We developed a connector that ingests graph schema data exported from a graph database, like neo4j. The connector was coded using .NET 6.0 in C#
- We then created a custom workbook that visualizes the ingested data and displays the nodes and relationships which can be further filtered as necessary
- We developed an Azure Notebook using Python that transforms data stored in the Log Analytics workspace into graph structures
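The path-finding and alert-mapping step described in "What it does" and "How we built it" can be shown on a small constructed dataset. The code below is an added example written for this page, not the project's notebook or connector code: the edge rows, alert rows and node names (BloodHound/AzureHound-style labels such as AZMemberOf and AZGlobalAdmin) are made up, and the graph is a plain adjacency list with breadth-first search rather than a graph library, so it runs offline. It finds the shortest path from every node to a chosen target, counts which intermediate nodes most paths pass through (the "pivotal points" a defender would remediate first), and attaches alerts to each node along a path.

```python
"""Added example: shortest attack paths over flattened graph rows, plus alert enrichment."""
from collections import Counter, deque

# --- Constructed sample data (not real tenant data) ---------------------------
# Rows shaped like a flattened graph export stored in a Log Analytics custom
# table: one row per relationship. Labels borrow BloodHound/AzureHound style.
EDGE_ROWS = [
    {"source": "user:alice", "rel": "AZMemberOf", "target": "group:helpdesk"},
    {"source": "user:carol", "rel": "AZMemberOf", "target": "group:helpdesk"},
    {"source": "group:helpdesk", "rel": "AZResetPassword", "target": "user:bob"},
    {"source": "user:bob", "rel": "AZOwns", "target": "sp:automation"},
    {"source": "sp:automation", "rel": "AZGlobalAdmin", "target": "tenant:contoso"},
    {"source": "user:dave", "rel": "AZContributor", "target": "vm:web01"},
]

# Constructed SecurityAlert-like rows; only the fields the example uses.
ALERT_ROWS = [
    {"TimeGenerated": "2023-03-01T08:12:00Z", "Entity": "user:bob",
     "AlertName": "Unfamiliar sign-in properties"},
    {"TimeGenerated": "2023-03-01T09:40:00Z", "Entity": "sp:automation",
     "AlertName": "New credential added to service principal"},
    {"TimeGenerated": "2023-03-02T01:05:00Z", "Entity": "vm:web01",
     "AlertName": "RDP brute-force attempt"},
]


def build_graph(edge_rows):
    """Directed adjacency list: node -> list of (neighbour, relationship)."""
    adj = {}
    for row in edge_rows:
        adj.setdefault(row["source"], []).append((row["target"], row["rel"]))
        adj.setdefault(row["target"], [])  # make sure sinks exist as nodes too
    return adj


def shortest_path(adj, start, target):
    """BFS over directed edges; returns hops [(src, rel, dst), ...] or None if unreachable."""
    if start == target:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, rel in adj.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return list(reversed(hops))
            queue.append(nxt)
    return None


def paths_to_target(adj, target):
    """Shortest path from every node that can reach the target, keyed by start node."""
    paths = {}
    for node in adj:
        if node == target:
            continue
        hops = shortest_path(adj, node, target)
        if hops:
            paths[node] = hops
    return paths


def choke_points(paths):
    """Count how many shortest paths pass through each intermediate node."""
    counts = Counter()
    for hops in paths.values():
        for _, _, dst in hops[:-1]:  # every hop destination except the target itself
            counts[dst] += 1
    return counts


def enrich_with_alerts(hops, alert_rows):
    """Attach the alerts touching each node on the path, in path order."""
    if not hops:
        return []
    by_entity = {}
    for alert in alert_rows:
        by_entity.setdefault(alert["Entity"], []).append(alert["AlertName"])
    nodes = [hops[0][0]] + [dst for _, _, dst in hops]
    return [{"node": n, "alerts": by_entity.get(n, [])} for n in nodes]


if __name__ == "__main__":
    graph = build_graph(EDGE_ROWS)
    target = "tenant:contoso"
    paths = paths_to_target(graph, target)
    for start, hops in paths.items():
        print(start, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in hops))
    print("choke points:", choke_points(paths).most_common())
    for step in enrich_with_alerts(paths["user:alice"], ALERT_ROWS):
        print(step)
```

In a notebook the `EDGE_ROWS` and `ALERT_ROWS` lists would be replaced by the result sets of two KQL queries against the workspace; the rest of the logic is unchanged. The choke-point count is the quantity worth watching: in the sample data `sp:automation` sits on every path to the tenant, so removing its `AZGlobalAdmin` assignment cuts all of them at once.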
Challenges we ran into
- Approach: Working with graph-based data required us to shift our thinking, so we needed to ramp up fast on related theory and algorithms and set out a plan for potential scenarios that would allow the concept to come across effectively
- Timeframe: Time was definitely a limiting factor. Besides working on this project in parallel with day-to-day work, we quickly realized that the original vision required a significant amount of development work, so we set out to create a working prototype in an MVP fashion and continue building on this in future iterations
- Tools: Another challenge was picking the right tools while setting the necessary priorities, so that we could make progress and effectively demonstrate the concept and its potential.
Accomplishments that we're proud of
We are really proud of having covered significant ground on graph theory, applying what we learned and seeing our vision come to life. Quite a few pieces needed to come together within a limited period of time, from bringing the relevant data into Sentinel to manipulating and correlating that data in a way that generates value for a security team. Already having a working prototype is something we're really excited about.
What we learned
This project provided us with ample opportunities to develop skills across the following areas:
- Using the collector API to upload custom data
- Working with and transforming graph data structures in Python
- Utilizing Jupyter notebooks to enable the project objectives
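The first item above, uploading custom data through the collector API, refers to the Log Analytics HTTP Data Collector API. The block below is an added example, not the project's C# connector: it builds the signed request in Python using the documented scheme (HMAC-SHA256 over "POST", content length, content type, the x-ms-date header and the /api/logs path, keyed with the base64-decoded workspace key, presented as a SharedKey authorization header). The workspace id, shared key and records are constructed placeholders; sending is kept in a separate function so the signing logic can be exercised offline.

```python
"""Added example: signing a batch upload for the Log Analytics HTTP Data Collector API."""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

API_VERSION = "2016-04-01"
RESOURCE = "/api/logs"

# Constructed placeholders; a real workspace id is a GUID and the shared key
# is the base64 primary/secondary key from the workspace's Agents page.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"dummy-shared-key-for-example-only").decode()

# Constructed graph-edge records, one per relationship, destined for a custom table.
SAMPLE_RECORDS = [
    {"Source": "user:alice", "Relationship": "AZMemberOf", "Target": "group:helpdesk"},
    {"Source": "group:helpdesk", "Relationship": "AZResetPassword", "Target": "user:bob"},
]


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json"):
    """Return the Authorization header value: 'SharedKey <workspace>:<base64 HMAC>'."""
    string_to_sign = (f"{method}\n{content_length}\n{content_type}\n"
                      f"x-ms-date:{rfc1123_date}\n{RESOURCE}")
    key = base64.b64decode(shared_key)  # the workspace key is itself base64-encoded
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, records, rfc1123_date=None):
    """Assemble URL, headers and body for one batch of records."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:  # the date in the signature must match the header sent
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,  # records land in the custom table <log_type>_CL
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version={API_VERSION}"
    return url, headers, body


def post_records(url, headers, body):
    """Send the batch; returns the HTTP status (200 means accepted)."""
    import urllib.request
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    url, headers, body = build_request(WORKSPACE_ID, SHARED_KEY, "GraphEdges", SAMPLE_RECORDS)
    print(url)
    print(headers["Authorization"])
    print(body.decode())
    # post_records(url, headers, body)  # only meaningful against a real workspace
```

Two details matter operationally: the signature covers the exact byte length of the body, so the body must not be re-serialized after signing, and the same RFC 1123 timestamp must appear in both the string to sign and the x-ms-date header, or the service rejects the request. Keep the shared key out of notebooks and source control; it grants write access to the workspace.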
What's next for GraphAZAccess
We are really excited for this first iteration that brought our idea into reality. We're already working on the next iteration, developing additional capabilities that will assist in fully realizing our vision. Those include:
- Infuse GraphAZAccess with AI and Machine Learning
- Leverage the Microsoft Graph API for cloud native data collection
- Break down the identified paths automatically and map potential event types based on the revealed relationships