How to Use Azure Sentinel to Detect SolarWinds SUNBURST

The teams at Microsoft have been working over the past several days to put together some content for Azure Sentinel customers who may be affected by the recent SolarWinds ORION hack.

UPDATE: After this original post, the Microsoft teams delivered a more comprehensive post and are continually updating it. See it here: SolarWinds Post-Compromise Hunting with Azure Sentinel

Here’s the current list of collateral.

Detections and Hunting queries specific to the SolarWinds hack:

Workbook for the SolarWinds hack:

Notebook for the SolarWinds hack:

New and existing detections and hunting queries that will help expose similar compromise in the future:

UPDATE: Since this post was published, Microsoft has released the detections as Analytics Rules automatically and directly in the Azure Sentinel console for all customers.

New Analytics Rules

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
