{"id":990034,"date":"2024-12-30T16:12:22","date_gmt":"2024-12-30T14:12:22","guid":{"rendered":"http:\/\/16.171.239.15\/?p=990034"},"modified":"2025-01-10T15:59:07","modified_gmt":"2025-01-10T13:59:07","slug":"microsoft-sentinelin-analyysisaantojen-ihmeellinen-maailma","status":"publish","type":"post","link":"https:\/\/www.tekve.fi\/en\/microsoft-sentinelin-analyysisaantojen-ihmeellinen-maailma\/","title":{"rendered":"How to create effective detection rules?"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"990034\" class=\"elementor elementor-990034\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-f032a01 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"f032a01\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-eca7535\" data-id=\"eca7535\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ce7df3a elementor-invisible elementor-widget elementor-widget-progress-tracker\" data-id=\"ce7df3a\" data-element_type=\"widget\" data-settings=\"{&quot;relative_to&quot;:&quot;post_content&quot;,&quot;sticky&quot;:&quot;bottom&quot;,&quot;sticky_offset&quot;:20,&quot;sticky_offset_mobile&quot;:20,&quot;sticky_parent&quot;:&quot;yes&quot;,&quot;_animation&quot;:&quot;slideInDown&quot;,&quot;type&quot;:&quot;horizontal&quot;,&quot;sticky_on&quot;:[&quot;desktop&quot;,&quot;tablet&quot;,&quot;mobile&quot;],&quot;sticky_effects_offset&quot;:0,&quot;sticky_anchor_link_offset&quot;:0}\" data-widget_type=\"progress-tracker.default\">\n\t\t\t\t\t\n\t\t<div class=\"elementor-scrolling-tracker 
elementor-scrolling-tracker-horizontal elementor-scrolling-tracker-alignment-\">\n\t\t\t\t\t\t<div class=\"current-progress\">\n\t\t\t\t\t<div class=\"current-progress-percentage\"><\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eac5619 elementor-widget elementor-widget-text-editor\" data-id=\"eac5619\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"3056\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\"><b>Microsoft Sentinel<\/b> is a SIEM\/SOAR system whose job is to identify cyber anomalies among normal traffic and resolve the alerts they raise. Data sources can be the company's cloud resources (Entra ID, servers, virtual machines, etc.), endpoints, applications and on-premises systems. How are these threats identified with analytic rules, how are analytic rules created, and how can an organization stay ahead of evolving threat actors? 
These are the things we go through in this article.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1bc187c elementor-widget elementor-widget-heading\" data-id=\"1bc187c\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Analytic rules<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-396541f elementor-widget elementor-widget-text-editor\" data-id=\"396541f\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"b4d4\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">Threat detection in Sentinel is done with analytic rules. Each analytic rule is always created to detect a specific event. There are many events to monitor, so naturally a single Sentinel environment has several analytic rules active at the same time.<\/p><p id=\"9bc5\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Technically, an analytic rule contains a query written in KQL (Kusto Query Language) that defines which log data is retrieved and on what grounds alerts are created from that data. The query is run against the Log Analytics workspace underlying Sentinel, which holds all of the log data Sentinel processes. 
Simplified, a KQL query is a list of criteria for events, and when these criteria are met, the rule creates an alert in the monitoring view.<\/p><p data-selectable-paragraph=\"\">\u00a0<\/p><p id=\"9bc5\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\"><b>Example of a simple rule:<\/b><\/p><p id=\"0a16\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">The goal is to find out whether the organization's Entra ID tenant has been signed into from outside Finland during the last 14 days. Based on this goal, a KQL query is created that defines the following steps for detecting the event.<\/p><ol class=\"\"><li id=\"8e0b\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Retrieve the sign-in logs<\/li><li id=\"eb91\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Define the time window as the last 14 days<\/li><li id=\"e63e\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Filter out successful sign-ins<\/li><li id=\"577f\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Filter out sign-ins made from Finland<\/li><\/ol><p id=\"12e2\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">If this query produces results, we can create 
an alert in the monitoring view.<\/p><p id=\"1de5\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Example as code:<b>\u00a0<\/b><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8ff2983 elementor-widget elementor-widget-code-highlight\" data-id=\"8ff2983\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard\">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-sql line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-sql\">\n\t\t\t\t\t<xmp>SigninLogs                       \/\/ Select the sign-in table\n| where TimeGenerated > ago(14d) \/\/ Last 14 days\n| where Location != \"FI\"         \/\/ Location must not be Finland\n| where ResultType != 0          \/\/ Keep only sign-ins that were not successful (simplified)\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-73dda18 elementor-widget elementor-widget-text-editor\" data-id=\"73dda18\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"fj fk fl fm fn\"><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><p id=\"e5e6\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">The rule looks fairly simple because it does not take into account other possible \u201cResultType\u201d values that indicate a successful sign-in. 
It also does not reshape the logs by adding and removing specific log fields from the result.<\/p><p id=\"1a46\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">In addition to the KQL query, analytic rules contain the following properties:<\/p><ul class=\"\"><li id=\"d015\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">A description of the rule<\/li><li id=\"32b0\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">The severity of the resulting alert (informational, low, medium, high)<\/li><li id=\"510a\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">The logic, i.e. the KQL queries<\/li><li id=\"bc74\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Investigation instructions for the alert<\/li><li id=\"8696\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Possible automations<\/li><\/ul><\/div><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a6770c4 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"a6770c4\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1a49492 elementor-widget elementor-widget-text-editor\" data-id=\"1a49492\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"ae87\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">There are three types of analytic rules:<\/p><ul class=\"\"><li id=\"118f\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx pb og oh bk\" data-selectable-paragraph=\"\"><strong class=\"mc fr\">Scheduled Analytic Rule<\/strong>: Runs at set intervals, such as once a day. This rule type is the most common.<\/li><li id=\"7722\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\"><strong class=\"mc fr\">NRT Query Rule (Near Real Time)<\/strong>: Runs once a minute, so it detects threats almost in real time.<\/li><li id=\"e957\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\"><strong class=\"mc fr\">Microsoft Incident Creation Rule<\/strong>: Enables synchronizing incidents between other Microsoft security products. 
This rule type has been removed if your organization has connected Sentinel to the new\u00a0<em><span style=\"text-decoration: underline;\"><a class=\"af pk\" href=\"https:\/\/blog.tekve.fi\/microsoft-defender-xdr-keskitetty-tietoturvan-hallinta-01b86f44726f\" target=\"_blank\" rel=\"noopener ugc nofollow\">Microsoft Defender XDR portal<\/a>.<\/span><\/em><\/li><\/ul><p id=\"8dc3\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Of the rule types above, the Scheduled Analytic Rule is by far the most common, because at most 50 NRT rules can be active at the same time and Microsoft Incident Creation rules can only synchronize the alerts of certain security products into Sentinel.<\/p><p id=\"025f\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Next I will show a slightly more unusual and more complex analytic rule from the Microsoft community.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-028c6ca elementor-widget elementor-widget-text-editor\" data-id=\"028c6ca\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p data-selectable-paragraph=\"\">\u00a0<\/p><p data-selectable-paragraph=\"\"><strong>Example of an advanced analytic rule:<\/strong><\/p><p id=\"f895\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">This rule looks for an unusual spike in the number of Azure Key Vault operations performed by a single IP address. 
The query uses the anomaly detection algorithm built into KQL, which identifies situations that deviate from normal (in this case the number of operations). A sudden increase in Azure Key Vault access counts can indicate automated attacker activity attempting to steal credentials.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a0e8ef elementor-widget elementor-widget-code-highlight\" data-id=\"3a0e8ef\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard\">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-sql line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-sql\">\n\t\t\t\t\t<xmp>let starttime = 14d;\nlet timeframe = 1d;\nlet scorethreshold = 3;\nlet baselinethreshold = 25;\n\n\/\/ Known application (Azure Resource Graph) whose normal behaviour includes a large number of Key Vault operations\n\/\/ This application is filtered out\nlet Allowedappid = dynamic([\"509e4652-da8d-478d-a730-e9d4a1996ca4\"]);\n\n\/\/ Operations to monitor\nlet OperationList = dynamic(\n[\"SecretGet\", \"KeyGet\", \"VaultGet\"]);\n\n\/\/ Build the data set in which anomalies are searched for\nlet TimeSeriesData = AzureDiagnostics\n| where TimeGenerated between (startofday(ago(starttime))..startofday(now()))\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend ResultType = column_ifexists(\"ResultType\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\")\n| where ResultType !~ \"None\" and isnotempty(ResultType)\n| where CallerIPAddress !~ \"None\" and isnotempty(CallerIPAddress)\n| project TimeGenerated, 
OperationName, Resource, CallerIPAddress\n\/\/ Built-in KQL operator that prepares the data for the algorithm\n| make-series HourlyCount=count() on TimeGenerated from startofday(ago(starttime)) to startofday(now()) step timeframe by CallerIPAddress;\n  \n\/\/ Filter based on the detected anomalies\nlet TimeSeriesAlerts = TimeSeriesData\n\/\/ \"series_decompose_anomalies\" is the anomaly detection function\n\/\/ built into KQL\n| extend (anomalies, score, baseline) = series_decompose_anomalies(HourlyCount, scorethreshold, -1, 'linefit')\n| mv-expand HourlyCount to typeof(double), TimeGenerated to typeof(datetime), anomalies to typeof(double),score to typeof(double), baseline to typeof(long)\n| where anomalies > 0 | extend AnomalyHour = TimeGenerated\n| where baseline > baselinethreshold \/\/ Keep only series whose baseline count exceeds baselinethreshold\n| project CallerIPAddress, AnomalyHour, TimeGenerated, HourlyCount, baseline, anomalies, score;\nlet AnomalyHours = TimeSeriesAlerts | where TimeGenerated > ago(2d) | project TimeGenerated;\n  \n\/\/ Select the alerts from a specific time window\nTimeSeriesAlerts\n| where TimeGenerated > ago(2d)\n\/\/ Join with the \"normal\" logs to show the log entries surrounding the anomaly \n| join kind = innerunique (\nAzureDiagnostics\n| where TimeGenerated > ago(2d)\n| where not((identity_claim_appid_g in (Allowedappid)) and OperationName == 'VaultGet')\n| where ResourceType =~ \"VAULTS\" and ResultType =~ \"Success\"\n| where OperationName in (OperationList)\n| extend DateHour = bin(TimeGenerated, 1h) \n| where DateHour in ((AnomalyHours))\n| extend ResultType = column_ifexists(\"ResultType\", \"NoResultType\")\n| extend requestUri_s = column_ifexists(\"requestUri_s\", \"None\"), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g = 
column_ifexists(\"identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g\", \"None\"),identity_claim_oid_g = column_ifexists(\"identity_claim_oid_g\", \"\"),\n identity_claim_upn_s = column_ifexists(\"identity_claim_upn_s\", \"\")\n| extend\n   CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n   CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| extend id_s = column_ifexists(\"id_s\", \"None\"), CallerIPAddress = column_ifexists(\"CallerIPAddress\", \"None\"), clientInfo_s = column_ifexists(\"clientInfo_s\", \"None\")\n| summarize PerOperationCount=count(), LatestAnomalyTime = arg_max(TimeGenerated,*) by bin(TimeGenerated,1h), Resource, OperationName, id_s, CallerIPAddress, identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g, requestUri_s, clientInfo_s\n) on CallerIPAddress\n| extend\n   CallerObjectId = iff(isempty(identity_claim_oid_g), identity_claim_http_schemas_microsoft_com_identity_claims_objectidentifier_g, identity_claim_oid_g),\n   CallerObjectUPN = iff(isempty(identity_claim_upn_s), identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s, identity_claim_upn_s)\n| summarize EventCount=count(), OperationNameList = make_set(OperationName,1000), RequestURLList = make_set(requestUri_s, 100), AccountList = make_set(CallerObjectId, 100), AccountMax = arg_max(CallerObjectId,*) by Resource, id_s, clientInfo_s, LatestAnomalyTime\n| extend timestamp = LatestAnomalyTime<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aa6afe9 elementor-widget elementor-widget-text-editor\" data-id=\"aa6afe9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"1522\" 
class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Phew! Now that is some code. Writing in KQL requires certain processes that help dig the most important events out of the query results.<\/p><p class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">The snippet above comes from the Microsoft community, where many pre-built analytic rules are publicly available. Here is the link:\u00a0<a class=\"af pk\" href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Key%20Vault\/Analytic%20Rules\/TimeSeriesKeyvaultAccessAnomaly.yaml\" target=\"_blank\" rel=\"noopener ugc nofollow\">https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Key%20Vault\/Analytic%20Rules\/TimeSeriesKeyvaultAccessAnomaly.yaml<\/a>\u00a0.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-31eaddc elementor-widget-mobile__width-inherit elementor-blockquote--skin-border elementor-blockquote--button-color-official elementor-widget elementor-widget-blockquote\" data-id=\"31eaddc\" data-element_type=\"widget\" data-widget_type=\"blockquote.default\">\n\t\t\t\t\t\t\t<blockquote class=\"elementor-blockquote\">\n\t\t\t<p class=\"elementor-blockquote__content\">\n\t\t\t\tCommunity-created rules usually require shaping and polishing when they are integrated into an existing environment.\t\t\t<\/p>\n\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e4daf1f elementor-widget elementor-widget-text-editor\" data-id=\"e4daf1f\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"19a7\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">The most important job of a KQL query is to establish:<\/p><ul class=\"\"><li id=\"e10c\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Does the threat exist?<\/li><li id=\"fdf1\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Where does the threat exist?<\/li><li id=\"ab63\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Why does the threat exist?<\/li><\/ul><p id=\"383b\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">This information can be dug out even with simple queries.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bed859d elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"bed859d\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3628ad5 elementor-widget elementor-widget-heading\" data-id=\"3628ad5\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Creating analytic rules from a threat-driven perspective<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6fdc62b elementor-widget elementor-widget-text-editor\" data-id=\"6fdc62b\" 
data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p id=\"e5c9\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">We have gone through the anatomy of analytic rules, but it is also important to know how effective, working rules are created. There are countless processes for creating analytic rules, but in general they all follow a process like this:<\/p><ol class=\"\"><li id=\"cd24\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Define the\u00a0<strong class=\"mc fr\">scenario<\/strong>\u00a0<strong class=\"mc fr\">or threat model<\/strong><\/li><li id=\"9e30\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Define\u00a0<strong class=\"mc fr\">what<\/strong>\u00a0is to be detected and\u00a0<strong class=\"mc fr\">from which<\/strong>\u00a0data sources the data can be retrieved<\/li><li id=\"63d5\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Create the\u00a0<strong class=\"mc fr\">KQL query<\/strong>\u00a0and the analytic rule<\/li><li id=\"51d1\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Test that the analytic rule works<\/li><li id=\"9260\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx of og oh bk\" data-selectable-paragraph=\"\">Fine-tune the rule based on the alerts (for example, allowed users 
can be filtered out of the alerts)<\/li><\/ol><p id=\"0999\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Best practice includes threat-driven rule development, which can be based on a\u00a0<strong class=\"mc fr\">business requirement<\/strong>,\u00a0<strong class=\"mc fr\">preventing cyber attacks<\/strong>\u00a0or\u00a0<strong class=\"mc fr\">using threat intelligence<\/strong>.<\/p><p data-selectable-paragraph=\"\">\u00a0<\/p><p data-selectable-paragraph=\"\"><strong>Business requirements<\/strong><\/p><p id=\"046c\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">Business requirements can involve events whose detection is important from a business perspective. Based on these events, automated reports can be created for company management and the business developed further. 
Here are a few examples:<\/p><ul class=\"\"><li id=\"e76f\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">User monitoring (external users, service accounts)<\/li><li id=\"250e\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Compliance and regulation (sign-ins from abroad, MFA usage, administrator activity)<\/li><li id=\"2652\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Application usage<\/li><\/ul><p>\u00a0<\/p><p><strong>Preventing cyber attacks<\/strong><\/p><p id=\"a8e0\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">Threat models are built from cyber attacks, and on that basis the events associated with them are detected, such as the creation of new processes, downloading malware from the internet and permission changes.<\/p><p id=\"db0b\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">A few examples of events commonly linked to cyber attacks:<\/p><ul class=\"\"><li id=\"8158\" class=\"ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">A sudden increase in sign-in attempts (brute-force attack)<\/li><li id=\"247b\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Creation of suspicious processes<\/li><li id=\"48d2\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn 
mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Privilege escalation<\/li><li id=\"d285\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Creation and deletion of new users<\/li><li id=\"cf3f\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Sign-in attempts to the same user from multiple IP addresses<\/li><li id=\"e91e\" class=\"ma mb fq mc b md oi mf mg mh oj mj mk ml ok mn mo mp ol mr ms mt om mv mw mx pb og oh bk\" data-selectable-paragraph=\"\">Downloading executable files from the internet (example below)<\/li><\/ul><p id=\"45ad\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">This KQL query detects an executable file downloaded with an HTTP request, which can indicate automated malware activity.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3d55e09 elementor-widget elementor-widget-code-highlight\" data-id=\"3d55e09\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard\">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-sql line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-sql\">\n\t\t\t\t\t<xmp>let ExecutableFileExtentions = dynamic(['bat', 'cmd', 'com', 'cpl', 'ex', 'exe', 'jse', 'lnk','msc', 'ps1', 'reg', 'vb', 'vbe', 'ws', 'wsf']);\nDeviceNetworkEvents\n| where ActionType == \"NetworkSignatureInspected\"\n| extend\n     SignatureName = tostring(parse_json(AdditionalFields).SignatureName),\n     SignatureMatchedContent = tostring(parse_json(AdditionalFields).SignatureMatchedContent),\n     SamplePacketContent = 
tostring(parse_json(AdditionalFields).SamplePacketContent)\n| where SignatureName == \"HTTP_Client\"\n| extend HTTP_Request_Method = tostring(split(SignatureMatchedContent, \" \/\", 0)[0])\n| where HTTP_Request_Method == \"GET\"\n| extend DownloadedContent = extract(@'.*\/(.*)HTTP', 1, SignatureMatchedContent)\n| extend DownloadContentFileExtention = extract(@'.*\\.(.*)$', 1, DownloadedContent)\n| where isnotempty(DownloadContentFileExtention) and string_size(DownloadContentFileExtention) < 8\n| where DownloadContentFileExtention has_any (ExecutableFileExtentions)\n| project-reorder TimeGenerated, DeviceName, DownloadedContent, HTTP_Request_Method, RemoteIP<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2255f61 elementor-widget elementor-widget-text-editor\" data-id=\"2255f61\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"eq er es et eu l\"><article><div class=\"l\"><div class=\"l\"><section><div><div class=\"fj fk fl fm fn\"><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><p id=\"49fd\" class=\"pw-post-body-paragraph ma mb fq mc b md nz mf mg mh oa mj mk ml ob mn mo mp oc mr ms mt od mv mw mx fj bk\" data-selectable-paragraph=\"\"><em class=\"oe\">Source:\u00a0<\/em><a class=\"af pk\" href=\"https:\/\/github.com\/Bert-JanP\/Hunting-Queries-Detection-Rules\/blob\/main\/Defender%20For%20Endpoint\/HTTPExecutableFilesDownloaded.md\" target=\"_blank\" rel=\"noopener ugc nofollow\"><em class=\"oe\">https:\/\/github.com\/Bert-JanP\/Hunting-Queries-Detection-Rules\/blob\/main\/Defender%20For%20Endpoint\/HTTPExecutableFilesDownloaded.md<\/em><\/a><\/p><\/div><\/div><\/div><\/div><\/section><\/div><\/div><\/article><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c33e4de elementor-widget elementor-widget-text-editor\" data-id=\"c33e4de\" data-element_type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<p><strong>Making use of threat intelligence<\/strong><\/p><p id=\"e868\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">Collecting threat intelligence from open sources is the best way to keep up with new cyber threats. In Sentinel you can create watchlists of threat intelligence, which can then be used conveniently in KQL queries. Maintenance of threat intelligence can be purchased from Microsoft (<em class=\"oe\">Microsoft Threat Intelligence<\/em>) and from third parties (<em class=\"oe\">hint hint, Tekve Oy<\/em>).<\/p><p data-selectable-paragraph=\"\">Example:<\/p><p id=\"ac4f\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">This KQL query uses the\u00a0<em class=\"oe\">DeviceFileEvents<\/em>\u00a0table, i.e. the file events of endpoints, and searches it for file hashes known from threat intelligence. In this example we use the file hashes of the \u201cFormBook\u201d malware, <span style=\"text-decoration: underline;\"><a class=\"af pk\" href=\"https:\/\/www.rewterz.com\/rewterz-news\/rewterz-threat-alert-formbook-malware-active-iocs-98\" target=\"_blank\" rel=\"noopener ugc nofollow\">reported<\/a><\/span> in the news last week, as the threat intelligence.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a30012 elementor-widget elementor-widget-code-highlight\" data-id=\"3a30012\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard\">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-sql line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-sql\">\n\t\t\t\t\t<xmp>let dt_lookBack = 1h;\n\/\/ Watchlist that contains the FormBook malware file hashes, imported in CSV format\nlet FormBookHashes = (_GetWatchlist(\"FormBookFileHashes\") | project fileHash);\n\/\/ Collect SHA1 and SHA256 values from the look-back window into one column so both hash types can be matched\nlet DeviceFileEvents_ = (union\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),\n(DeviceFileEvents | where TimeGenerated > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));\nDeviceFileEvents_\n\/\/ Case-insensitive match: threat feeds often publish upper-case hashes while Defender reports lower-case ones\n| where FileHashValue in~ (FormBookHashes)\n| project TimeGenerated, DeviceName, FileName, FolderPath, FileHashValue, InitiatingProcessFileName\n<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d333ec2 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"d333ec2\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-92b3e10 elementor-widget elementor-widget-heading\" data-id=\"92b3e10\" 
data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Continuous development<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-edbc4e8 elementor-widget elementor-widget-text-editor\" data-id=\"edbc4e8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"eq er es et eu l\"><article><div class=\"l\"><div class=\"l\"><section><div><div class=\"fj fk fl fm fn\"><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><div class=\"eq er es et eu l\"><article><div class=\"l\"><div class=\"l\"><section><div><div class=\"fj fk fl fm fn\"><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><p id=\"1888\" class=\"pw-post-body-paragraph ma mb fq mc b md nw mf mg mh nx mj mk ml ny mn mo mp nz mr ms mt oa mv mw mx fj bk\" data-selectable-paragraph=\"\">Many organizations deploy Microsoft Sentinel and think that the bulk of the work is now done, giving no further thought to developing it. That is a serious mistake, because cyber threats evolve every day and find new ways to get at the organization. For this reason it is important to continuously maintain the rule set and the IOC (Indicator of Compromise) databases. Without this, Sentinel loses its purpose.<\/p><p id=\"4c27\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">It is also important to establish processes in the organization so that Sentinel monitoring stays active and no alert passes by without the required follow-up actions. Tekve Oy offers, at a sensible monthly price, a service that keeps your company's Sentinel effective and up to date. The service can also include keeping analytic rules and threat intelligence current with the threat actors.<\/p><p id=\"7af8\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\">Read more about our services and don't hesitate to get in touch if this piqued your interest!<\/p><\/div><\/div><\/div><\/div><\/section><\/div><\/div><\/article><\/div><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><div class=\"qe ab\"><div class=\"eq er es et eu l\"><article><div class=\"l\"><div class=\"l\"><section><div><div class=\"fj fk fl fm fn\"><div class=\"ab cb\"><div class=\"ci bh ev ew ex ey\"><p id=\"ff77\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\"><strong class=\"mc fr\">Author<\/strong>: Petter Kauppi (petter@tekve.fi)<\/p><p id=\"1d81\" class=\"pw-post-body-paragraph ma mb fq mc b md me mf mg mh mi mj mk ml mm mn mo mp mq mr ms mt mu mv mw mx fj bk\" data-selectable-paragraph=\"\"><strong class=\"mc fr\">Contact<\/strong>:\u00a0<a class=\"af oe\" href=\"mailto:toimisto@tekve.fi\" target=\"_blank\" rel=\"noopener ugc nofollow\">toimisto@tekve.fi,<\/a> +358 41 311 9277<\/p><\/div><\/div><\/div><\/div><\/section><\/div><\/div><\/article><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/section><\/div><\/div><\/article><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<div class=\"vamtam-has-theme-widget-styles elementor-element elementor-element-6937bfb elementor-widget__width-inherit elementor-widget-mobile__width-inherit elementor-widget-tablet__width-auto elementor-widget elementor-widget-button\" data-id=\"6937bfb\" data-element_type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t\t\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"#form\">\n\t\t\t\t\t\t<span 
class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Contact us<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Microsoft Sentinel is a SIEM\/SOAR system whose job is to identify cyber anomalies among normal traffic and to resolve the alerts they raise. Data sources can include the company's cloud resources (Entra ID, servers, virtual machines etc.), endpoints, applications and on-premises systems. How are these threats detected with analytic rules, how are analytic rules created, and how can an organization stay ahead of evolving threat actors? We cover these topics in this&#8230;<\/p>","protected":false},"author":2,"featured_media":990039,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[14],"tags":[77,78],"class_list":["post-990034","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tietoturvavalvonta","tag-csoc","tag-microsoft-sentinel"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/www.tekve.fi\/wp-content\/uploads\/2024\/12\/msts-kansi.webp","_links":{"self":[{"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/posts\/990034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http
s:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/comments?post=990034"}],"version-history":[{"count":19,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/posts\/990034\/revisions"}],"predecessor-version":[{"id":991537,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/posts\/990034\/revisions\/991537"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/media\/990039"}],"wp:attachment":[{"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/media?parent=990034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/categories?post=990034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tekve.fi\/en\/wp-json\/wp\/v2\/tags?post=990034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}