Different SIEMs, Same Challenges? Only Time(Generated) will tell…

Alex Teixeira
5 min read · Mar 5, 2021

I’ve recently joined BlueVoyant where I’m having a great opportunity to be part of a talented team fully dedicated to Threat Detection Engineering and Threat Hunting practices. (we’re hiring!)

Among other things, besides designing detections to run on a much bigger scale (hundreds of customers), I’m finally playing with Microsoft’s Sentinel SIEM and KQL language.

One of the first challenges we face is about standardizing coding practice. As a benefit, it makes it easier and faster to maintain and improve the queries in the long run.

And here’s a quick example I’d like to share; feedback is always welcome.

How to make sure all “late arrivals” are checked by detection rules?

Late arrivals are those events that reach the SIEM minutes after they were generated. Some extreme cases go beyond one hour (e.g. network/zone restrictions, zip and encrypt before transmit, batching, etc.).

Think about an activity performed on an endpoint, recorded by the OS logging system, forwarded to a local log relay/concentrator and later shipped to the Azure infrastructure. Each of these hops may introduce transport delays and other log processing issues.
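To make the problem concrete, here is an added Python simulation (not code from the original post or from Sentinel) of a scheduled rule that runs hourly over three constructed events, one of which is ingested 100 minutes after it was generated. It compares three windowing strategies: the naive one that filters on the event’s own timestamp (TimeGenerated), the same filter with a widened lookback, and a window defined on the time the SIEM ingested the record, which is what the KQL `ingestion_time()` function exposes in Log Analytics. Event names, timestamps and the hourly schedule are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    name: str
    time_generated: datetime  # timestamp the endpoint stamped on the record
    ingested_at: datetime     # when the SIEM made the record queryable


# Constructed sample: three records of the same kind, one of them shipped late
# through a batched relay and ingested 100 minutes after it was created.
T0 = datetime(2021, 3, 5, 10, 0, tzinfo=timezone.utc)
EVENTS = [
    Event("on_time",   T0 + timedelta(minutes=5),  T0 + timedelta(minutes=6)),
    Event("late",      T0 + timedelta(minutes=50), T0 + timedelta(minutes=150)),
    Event("next_hour", T0 + timedelta(minutes=80), T0 + timedelta(minutes=85)),
]


def visible(events, run_time):
    """From the query's point of view, only records already ingested exist."""
    return [e for e in events if e.ingested_at <= run_time]


def window_on_time_generated(events, run_time, lookback):
    """Naive rule: the lookback window is applied to TimeGenerated."""
    start = run_time - lookback
    return [e for e in visible(events, run_time)
            if start < e.time_generated <= run_time]


def window_on_ingestion_time(events, run_time, lookback):
    """Delay-tolerant rule: the window is applied to the ingestion timestamp,
    equivalent to `where ingestion_time() > ago(lookback)` in KQL."""
    start = run_time - lookback
    return [e for e in visible(events, run_time)
            if start < e.ingested_at <= run_time]


def run_schedule(selector, lookback, period=timedelta(hours=1), runs=3):
    """Execute the rule `runs` times, one period apart, starting one period
    after T0. Returns how often each event was returned across all runs:
    0 means the event was never evaluated, >1 means duplicate alerts."""
    hits = Counter()
    for i in range(1, runs + 1):
        for e in selector(EVENTS, T0 + i * period, lookback):
            hits[e.name] += 1
    return hits


def missed(hits):
    """Names of sample events a strategy never evaluated."""
    return sorted(e.name for e in EVENTS if hits[e.name] == 0)


if __name__ == "__main__":
    naive = run_schedule(window_on_time_generated, timedelta(hours=1))
    widened = run_schedule(window_on_time_generated, timedelta(hours=3))
    by_ingest = run_schedule(window_on_ingestion_time, timedelta(hours=1))
    print("TimeGenerated, 1h lookback:", dict(naive), "missed:", missed(naive))
    print("TimeGenerated, 3h lookback:", dict(widened), "missed:", missed(widened))
    print("ingestion time, 1h lookback:", dict(by_ingest), "missed:", missed(by_ingest))
```

The naive window never sees the late record: by the time it is ingested, its TimeGenerated is already outside every subsequent window. Widening the lookback on TimeGenerated does catch it, but at the cost of re-evaluating the on-time records on every run, which means duplicate alerts unless the rule deduplicates. Windowing on ingestion time evaluates each record exactly once regardless of transport delay; any time ordering or correlation logic inside the rule should still use TimeGenerated, since the ingestion timestamp only says when the SIEM got the record, not when the activity happened.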


Alex Teixeira

I design and build threat detection and triage/hunting SIEM/EDR/XDR content for Enterprise #SecOps teams #DetectionEngineering http://opstune.com