{"id":130426,"date":"2023-06-13T09:00:00","date_gmt":"2023-06-13T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=130426"},"modified":"2024-06-26T08:38:55","modified_gmt":"2024-06-26T15:38:55","slug":"how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/","title":{"rendered":"How Microsoft and Sonrai integrate to eliminate attack paths"},"content":{"rendered":"\n<p><em>This blog post is part of the Microsoft Intelligent Security Association&nbsp;<\/em><a href=\"https:\/\/aka.ms\/MISAguestblog\"><em>guest blog series<\/em><\/a><em>.&nbsp;<\/em><a href=\"https:\/\/aka.ms\/MISA\"><em>Learn more about MISA<\/em><\/a><em>.<\/em>&nbsp;<\/p>\n\n\n\n<p>Cloud development challenges conventional thinking about risk. A \u201cperimeter\u201d was always the abstraction that security teams could start from\u2014defining their perimeter and exposing the cracks in firewalls and network access. With more and more infrastructure represented as ephemeral code, protecting your perimeter is no longer a matter of software vulnerabilities and network checks. It\u2019s a complex web of interconnected risks that can exacerbate network gaps or workload vulnerabilities.<\/p>\n\n\n\n<p>When it comes to remediating risks, context is always king, and siloed pillars of cloud security\u2014identity, data, platform, and workloads\u2014kill context. Protecting a broad Microsoft Azure footprint means having a deep understanding of how these risks can combine to create unintended access to your company\u2019s sensitive data, and then prioritizing threats based on potential business impact. This means understanding identity, workload, platform configuration, and data security through a single pane of glass providing visibility across the entire digital estate.<\/p>\n\n\n\n<p>Sonrai integrates with <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-sentinel\">Microsoft Sentinel<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-cloud\">Microsoft Defender for Cloud<\/a> to uncover and remediate sophisticated threats in a timely manner.<\/p>\n\n\n\n<p>Microsoft released Defender for Cloud to protect across hybrid and multicloud environments. Sonrai works with Defender for Cloud\u2019s infrastructure and operational controls for powerful event logging to ingest all information and bring context into one place. Sonrai\u2019s patented analytics evaluate how identity and data risks compound with platform and workload risks to create access to sensitive data within Azure.<\/p>\n\n\n\n<p>To help Azure customers understand the true blast radius of every vulnerability, Sonrai integrates with Microsoft Sentinel to monitor threats across vectors and automate responses by leveraging security orchestration, automation, and response (SOAR) playbooks, and Defender for Cloud to provide visibility across the entire digital estate by identifying possible attack paths and remediating vulnerabilities.<\/p>\n\n\n\n<p>Backed by these insights, an organization can successfully operationalize a risk remediation practice. They are additionally able to enable DevOps and security teams to fully harness the digital transformation and time-to-delivery benefits that Azure can power, without worrying about sacrificing speed for security.<\/p>\n\n\n<div class=\"wp-block-msxcm-cta-block\" data-moray data-bi-an=\"CTA Block\">\n\t<div class=\"card d-block mx-ng mx-md-0\">\n\t\t<div class=\"row no-gutters material-color-brand-dark\">\n\n\t\t\t\n\t\t\t<div class=\"d-flex col-md\">\n\t\t\t\t<div class=\"card-body align-self-center p-4 p-md-5\">\n\t\t\t\t\t<h2>Microsoft Defender for Cloud<\/h2>\n\n\t\t\t\t\t<div class=\"mb-3\">\n\t\t\t\t\t\t<p>Secure multicloud and hybrid environments.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t<div class=\"link-group\">\n\t\t\t\t\t\t\t<a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-cloud\" class=\"btn btn-primary bg-body text-body\" >\n\t\t\t\t\t\t\t\t<span>Learn more<\/span>\n\t\t\t\t\t\t\t\t<span class=\"glyph-append glyph-append-chevron-right glyph-append-xsmall\"><\/span>\n\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\n\t\t\t\t\t\t\t<div class=\"col-md-4\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"600\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_Retail_016-1.jpg\" class=\"card-img img-object-cover\" alt=\"Security decision maker checking security posture on a tablet.\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_Retail_016-1.jpg 600w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_Retail_016-1-300x300.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_Retail_016-1-150x150.jpg 150w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/>\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"identity-as-perimeter-data-as-prioritizer\">Identity as perimeter, data as prioritizer<\/h2>\n\n\n\n<p>A consistent research finding is that most cloud data breaches involve a compromised identity\u2014one study cites 81 percent of breaches<sup>1<\/sup> involve exploiting an overprivileged identity, while another claims that 74 percent of breaches<sup>2<\/sup> surveyed started with privileged credential abuse. It\u2019s clear that the way we use identity now in the cloud\u2014as a de facto \u201cperimeter\u201d and locus of privileges and access\u2014makes it imperative to put identity at the center of any enterprise security strategy.<\/p>\n\n\n\n<p>The behavior and management of non-people identities (think: service principles) are conceptually much different than when we managed a list of users from <a href=\"https:\/\/www.microsoft.com\/security\/business\/identity-access\/azure-active-directory\">Microsoft Azure Active Directory<\/a>. The main reason? The majority of identities in a given cloud represent services, devices, and applications\u2014not employees. For example, your cloud may have many identities representing Azure Serverless compute, which may only exist for a few minutes a day, rely on assuming access from a role, and being capable of cross-organization access. The privileges associated with this identity might be in a policy several degrees of separation away through a nested group. Using managed identities and, ideally, the enforcement of the Principle of Least Privilege, is a good place to start. The harder part is the hidden relationships that don\u2019t show in a traditional identity management tool.<\/p>\n\n\n\n<p>Especially as DevOps gets more sophisticated with infrastructure as code (IaC) provisioning, these complex relationships become commonplace. Templatized infrastructure means further nested rights and inheritances through complex relationships.<\/p>\n\n\n\n<p>Continuous monitoring and analytics of identity trust chains become imperative for understanding what privileges any identity truly has. The most important thing is: How do these identities tie back to sensitive data?<\/p>\n\n\n\n<p>Data is the pot of gold at the end of an attacker\u2019s rainbow. In the cloud, identity is the stepping stone attackers can leverage to move laterally and find ways to your data. Exposed data and overprivileged identities are red flags organizations need to look for when considering vulnerabilities and posture misconfigurations. Sonrai Security\u2019s Workload Protection Platform refers to these red flags as \u201cRisk Amplifiers.\u201d In the next section, we\u2019ll address why understanding how threats tie back to identity and data risks matter.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"vulnerabilities-which-are-relevant\">Vulnerabilities: Which are relevant?<\/h2>\n\n\n\n<p>Cloud development has changed how we look at vulnerabilities. Distributed, rapid, and open source-fueled continuous integration and continuous delivery (CI\/CD) pipelines can introduce more vulnerabilities to staging and production environments, lending enterprises to deal with thousands of common vulnerabilities and exposures (CVEs) regularly. If cloud innovation continues at such a rapid pace, and developers leverage public libraries and prioritize speed over security, CVEs will proliferate. The question is: which ones should we care about first?<\/p>\n\n\n\n<p>Traditionally, information about the vulnerability itself would determine its priority for patching. A common vulnerability scoring system score, its age, and known exploits would give you a picture of how likely it was to lead to a breach. But this tells only half the story: the context of the workload that vulnerability is on tells you what the potential blast radius could be, and therefore gives you the true potential impact on the business.<\/p>\n\n\n\n<p>A vulnerability on a deadened workload shouldn\u2019t be prioritized before one with a Service Principal on it that can self-escalate privileges and access sensitive data. This prioritization is critical, otherwise, your security operations center (SOC) team might be chasing alerts that would never impact the business, but meet the traditional definition of a risk. Fixing it will close a ticket, but \u201ctickets closed\u201d is a poor stand-in for real risk reduction.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"connecting-the-dots-analyzing-an-azure-attack-path\">Connecting the dots: Analyzing an Azure attack path<\/h2>\n\n\n\n<p>Let\u2019s piece this story together by examining an example of a typical path that a bad actor might take to access data.<\/p>\n\n\n\n<p>We\u2019ll start with a vulnerability, let\u2019s say one from Microsoft Defender for Cloud\u2019s agentless vulnerability scanner in <a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-cloud-security-posture-management\">Microsoft Defender Cloud Security Posture Management<\/a>.<\/p>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture2.webp\" alt=\"Sonrai platform vulnerability risk detection.\" class=\"wp-image-130447 webp-format\" srcset=\"\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture2.webp\"><\/figure>\n\n\n\n<p><em>Figure 1. Sonrai platform displaying a vulnerability with risk amplifiers including network and identity risks.<\/em><\/p>\n\n\n\n<p>There are a few things to review examining Figure 1. First, Sonrai has detected multiple network-related risk amplifiers, showing a path into the environment from an exposed Azure Virtual Machine open to the internet.<\/p>\n\n\n\n<p>This basic risk aggregation is critical to have network issues detected and remediated through Defender Cloud Security Posture Management (or through Sonrai). You can see a visualization of the \u201cAzure Port 22 Host with Ingress from Internet\u201d in Figure 2.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3-1024x551.webp\" alt=\"Sonrai platform permissions.\" class=\"wp-image-130448 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3-1024x551.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3-300x161.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3-768x413.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3.webp 1228w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture3-1024x551.webp\"><\/figure>\n\n\n\n<p><em>Figure 2. Sonrai platform permission chain showing how a machine identity connects to a network misconfiguration.<\/em><\/p>\n\n\n\n<p>Next, this alert is rated with critical severity, but it\u2019s on a sandbox account. Normally, a vulnerability in a sandbox environment without sensitive data wouldn\u2019t trigger critical severity, so there must be something deeper. Looking further at Figure 1, there\u2019s an \u201cadditionally impacted swimlane\u201d (Sonrai\u2019s grouping mechanism for cloud environments) named \u201ccreditapp-production.\u201d Now, looking at the identity-related risk amplifiers from Figure 1, we see there are several sources for this.<\/p>\n\n\n\n<p>One of the identity amplifiers listed is \u201cCompute has access to sensitive data in Azure.\u201d How is it possible that Compute in a sandbox account ends up accessing Production data? Let\u2019s examine Figure 3. There are multiple complex potential routes that could be leading this Compute to sensitive data. Once the Compute is attached to the user, or service principle, it has access to several nested groups and policies. To learn exactly where Sonrai finds data access, let\u2019s go a step further.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4-1024x531.webp\" alt=\"Complex permission chain.\" class=\"wp-image-130449 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4-1024x531.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4-300x156.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4-768x398.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4.webp 1240w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture4-1024x531.webp\"><\/figure>\n\n\n\n<p><em>Figure 3. Sonrai platform complex permission chaining, revealing how a machine identity holds covert privileges.<\/em><\/p>\n\n\n\n<p>By examining the piece of Compute in the Sonrai Security Platform \u201cNode\u201d view, the platform tells us exactly the subscriptions the Compute has access to, among them being \u201ccreditapp-production\u201d\u2014what we\u2019re concerned with currently. Within prod, we can see in Figure 4, all the data accessible to the Compute and what actions it can take.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-1024x579.webp\" alt=\"Sonrai platform data node.\" class=\"wp-image-130450 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-1024x579.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-300x170.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-768x434.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-336x189.webp 336w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-189x106.webp 189w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5.webp 1155w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Picture5-1024x579.webp\"><\/figure>\n\n\n\n<p><em>Figure 4. Sonrai platform data node view displaying every asset a particular identity can access.<\/em><\/p>\n\n\n\n<p>Finally, we see in Figure 5 an exact path of how the Compute ended up accessing production data. You can consider this an Azure attack path waiting to be exploited.<\/p>\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-1024x323.webp\" alt=\"Sonrai compute access data.\" class=\"wp-image-130480 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-1024x323.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-300x95.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-768x242.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-1536x484.webp 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-2048x645.webp 2048w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/Sonrai-Guest-blog-fig-5-1024x323.webp\"><\/figure>\n\n\n\n<p><em>Figure 5. Sonrai platform permission chain revealing how compute access data through nested groups and policies.<\/em><\/p>\n\n\n\n<p>Ultimately, we have a typical vulnerability on our hands, but what&#8217;s impactful is knowing how both an identity and platform misconfiguration severely exacerbate the severity of this vulnerability and created an exploitable attack path.<\/p>\n\n\n\n<p>This is useful when you consider the scale of vulnerabilities and security tickets your typical environment is experiencing. It begs the question of how security and cloud ops teams can keep up with remediating them all. When you can understand each security threat\u2019s risk amplifiers and how they tie back to platform, identity, and data risks, your team can chip away at the highest priority threats based on potential business impact.<\/p>\n\n\n\n<p>Microsoft and Sonrai Security make cloud security better together.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"about-sonrai-security\">About Sonrai Security<\/h2>\n\n\n\n<p>Sonrai offers a total public cloud security solution for Microsoft Azure. Sonrai has been a MISA member since 2021 and works with Microsoft Defender for Cloud, Advanced Data Security, Microsoft Sentinel, Azure Active Directory, and many other Azure Services.<\/p>\n\n\n\n<p>The Sonrai Security Platform is available on the <a href=\"https:\/\/azuremarketplace.microsoft.com\/en-us\/marketplace\/apps\/sonraisecurityllc1584373214489.sonrai_sentinel_offer?tab=Overview\">Azure Marketplace<\/a> and offers a <a href=\"https:\/\/sonraisecurity.com\/blog\/azure-shared-responsibility\/\">Shared Responsibility Model with Azure<\/a>.<\/p>\n\n\n\n<p>Sonrai Security has offices in New York and New Brunswick, Canada and is backed by ISTARI, Menlo Ventures, Polaris Partners, and TenEleven Ventures. For more information, <a href=\"https:\/\/sonraisecurity.com\/\">visit their website<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n\n\n\n<p>Learn more about <a href=\"https:\/\/www.microsoft.com\/security\/business\/siem-and-xdr\/microsoft-sentinel\">Microsoft Sentinel<\/a> and <a href=\"https:\/\/www.microsoft.com\/security\/business\/cloud-security\/microsoft-defender-cloud\">Microsoft Defender for Cloud<\/a>. <\/p>\n\n\n\n<p>To learn more about the Microsoft Intelligent Security Association (MISA),&nbsp;<a href=\"https:\/\/aka.ms\/MISA\">visit the website<\/a>&nbsp;where you can learn about the MISA program, product integrations, and find MISA members. Visit the\u202f<a href=\"https:\/\/www.youtube.com\/playlist?list=PL3ZTgFEc7LyuEBQ_f-hBZXpbKHItlAd5-\" target=\"_blank\" rel=\"noreferrer noopener\">video playlist<\/a>\u202fto learn about the strength of member\u202fintegrations\u202fwith Microsoft products.\u202f&nbsp;<\/p>\n\n\n\n<p>To learn more about Microsoft Security solutions, visit our&nbsp;<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\" target=\"_blank\" rel=\"noreferrer noopener\">website<\/a>.&nbsp;Bookmark the&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/\" target=\"_blank\" rel=\"noreferrer noopener\">Security blog<\/a>&nbsp;to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (<a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Security<\/a>) and Twitter (<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noreferrer noopener\">@MSFTSecurity<\/a>)&nbsp;for the latest news and updates on cybersecurity.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><sup>1<\/sup><a href=\"https:\/\/www.forbes.com\/sites\/louiscolumbus\/2018\/07\/27\/ibms-2018-data-breach-study-shows-why-were-in-a-zero-trust-world-now\/?sh=7a91bbc168ed\" target=\"_blank\" rel=\"noreferrer noopener\">IBM&#8217;s 2018 Data Breach Study Shows Why We&#8217;re In A Zero Trust World Now<\/a>, Louis Columbus. July 27, 2018.<\/p>\n\n\n\n<p><sup>2<\/sup><a href=\"https:\/\/www.forbes.com\/sites\/louiscolumbus\/2019\/02\/26\/74-of-data-breaches-start-with-privileged-credential-abuse\/?sh=5a1273753ce4\" target=\"_blank\" rel=\"noreferrer noopener\">74% Of Data Breaches Start With Privileged Credential Abuse<\/a>, Louis Columbus. February 26, 2019.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloud development challenges conventional thinking about risk. Sonrai integrates with Microsoft Sentinel to monitor threats across vectors and automate responses by leveraging security orchestration, automation, and response playbooks, and Microsoft Defender for Cloud to provide visibility across the entire digital estate by identifying possible attack paths and remediating vulnerabilities.<\/p>\n","protected":false},"author":162,"featured_media":130460,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3659],"topic":[3667,3677,3685],"products":[3690,3691,3726],"threat-intelligence":[],"tags":[3824],"coauthors":[3878,3879],"class_list":["post-130426","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-best-practices","topic-cloud-security","topic-misa","topic-siem-and-xdr","products-microsoft-defender","products-microsoft-defender-for-cloud","products-microsoft-sentinel","tag-hybrid-work","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-alway-1694638263-571","review-flag-lever-1694638263-909","review-flag-never-1694638263-791","review-flag-new-1694638263-340","review-flag-percent"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-13T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-06-26T15:38:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Eugene Tcheby, Tally Shea\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Eugene Tcheby, Tally Shea\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eugene-tcheby\/\",\"@type\":\"Person\",\"@name\":\"Eugene Tcheby\"},{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/tally-shea\/\",\"@type\":\"Person\",\"@name\":\"Tally Shea\"}],\"headline\":\"How Microsoft and Sonrai integrate to eliminate attack paths\",\"datePublished\":\"2023-06-13T16:00:00+00:00\",\"dateModified\":\"2024-06-26T15:38:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\"},\"wordCount\":1726,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\",\"keywords\":[\"Hybrid work\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\",\"name\":\"How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\",\"datePublished\":\"2023-06-13T16:00:00+00:00\",\"dateModified\":\"2024-06-26T15:38:55+00:00\",\"description\":\"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg\",\"width\":1200,\"height\":800,\"caption\":\"Security practitioners at work in a security operations center.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How Microsoft and Sonrai integrate to eliminate attack paths\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog","description":"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/","og_locale":"en_US","og_type":"article","og_title":"How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog","og_description":"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/","og_site_name":"Microsoft Security Blog","article_published_time":"2023-06-13T16:00:00+00:00","article_modified_time":"2024-06-26T15:38:55+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","type":"image\/jpeg"}],"author":"Eugene Tcheby, Tally Shea","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","twitter_misc":{"Written by":"Eugene Tcheby, Tally Shea","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/eugene-tcheby\/","@type":"Person","@name":"Eugene Tcheby"},{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/tally-shea\/","@type":"Person","@name":"Tally Shea"}],"headline":"How Microsoft and Sonrai integrate to eliminate attack paths","datePublished":"2023-06-13T16:00:00+00:00","dateModified":"2024-06-26T15:38:55+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/"},"wordCount":1726,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","keywords":["Hybrid work"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/","name":"How Microsoft and Sonrai integrate to eliminate attack paths | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","datePublished":"2023-06-13T16:00:00+00:00","dateModified":"2024-06-26T15:38:55+00:00","description":"Learn how Sonrai integrates with Microsoft Sentinel and Microsoft Defender for Cloud to identify possible attack paths and remediate vulnerabilities.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/06\/CLO22_SecOps_015-2.jpg","width":1200,"height":800,"caption":"Security practitioners at work in a security operations center."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/06\/13\/how-microsoft-and-sonrai-integrate-to-eliminate-attack-paths\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"How Microsoft and Sonrai integrate to eliminate attack paths"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130426"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/162"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=130426"}],"version-history":[{"count":1,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130426\/revisions"}],"predecessor-version":[{"id":134781,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/130426\/revisions\/134781"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/130460"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=130426"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=130426"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=130426"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=130426"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=130426"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=130426"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=130426"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}