Azure Active Directory (AD)

Azure AD is a cloud-based identity and access management service. While it's similar to the traditional Windows AD, Azure AD is not a cloud version of that service—it is an independent service. Azure AD allows employees (or anyone on the on-premises network) to access external resources, including Microsoft 365, the Azure portal, and software-as-a-service (SaaS) applications. It can help users in Azure's cloud environment to access resources on your corporate network and intranet. You can also integrate this service with your on-premises Windows AD server, connect it to Azure AD, and extend your on-premises directories to Azure. Doing so allows users to use the same login credentials to access local and cloud-based resources.

Microsoft Authenticator App

This application helps you sign into your accounts when you're using two-factor verification, which helps you to use your accounts more securely, since passwords can be forgotten, stolen, and so on. Using two-factor verification that employs verification via your phone makes it much harder for your account to be compromised.

Authenticator is simple to use. The standard verification method is where one factor is a password. After you sign in using your username and password, you would need to either approve the notification or enter the provided verification code, usually via your smartphone.

Azure API Management

Azure API Management is a management platform for all APIs across all your Azure environments. APIs are important for simplifying application integrations and making data and services reusable and universally accessible to users. The Azure API is designed to make API usage easy for applications on the Azure platform.

Azure API Management consists of three elements: an API gateway, a management plane, and a developer portal. All these components are hosted in Azure and are fully managed by default.

Azure Firewall

Azure Firewall is a cloud-native and intelligent network firewall service designed to protect against threats to your cloud workloads. It's a stateful firewall since it's a service with high availability and unrestricted scalability. You can obtain it in either the standard or premium editions.

Azure Firewall Manager

Azure Firewall Manager is a security management service that allows you to create central security policies and enforce route management for cloud-based security. You can use it to provide security management for the following two types of network architectures:

• Secured Virtual Hub: The Azure Virtual WAN Hub is a managed resource that allows you to create hub-and-spoke architectures. When security and routing policies become associated with one of these hubs, it is then referred to as a secured virtual hub.
• Hub Virtual Network: This hub is the normal Azure VNet that you will create and manage for your cloud environment.

Now that you understand what Azure Firewall Manager is, let's look at some of its key features:

• Azure Firewall deployment and configuration: The first feature allows you to deploy and configure instances of Azure Firewall across different regions and subscriptions, which is important for enforcing proper network segmentation. These firewall instances allow you to control traffic between subnets and between your cloud environment and the Internet. Azure Firewall Manager gives you one central hub from which you can deploy and manage these firewall instances.
• Ability to create global and local firewall policies: You can use Azure Firewall Manager to create global and local firewall policies. It's important to understand the difference between a firewall and a firewall policy. While a firewall is a logical/physical device that filters traffic, a firewall policy is a top-level resource that contains the security and operational settings for Azure Firewall. You can think of a policy as the rules that govern how a firewall functions in Azure. The firewall policy organizes, prioritizes, and processes the rule sets based on a hierarchy of subcomponents of rule collection groups, rule collections, and rules. See Figure A.1.

  

• Rule collection groups: This rule set is the highest in the hierarchy and is used to group rule collections. They are the first unit to be processed by Azure Firewall and follow a priority order based on their associated values. By default, there are three rule collection groups with a preset priority value for each (see Table A.1).

  Rule collection group name	Priority
  Default DNAT (Destination Network Address Translation) rule collection group	100
  Default Network rule collection group	200
  Default Application rule collection group	300

  By default, you can't delete a default group or change their priority values, but you can add new groups and give them the priority value of your choice.

• Rule collections: A rule collection falls under a rule collection group and contains one or more rules. These rules are processed second by the firewall and follow a priority order based on values (similar to those listed previously). All rule collections must have a defined action that either allows or denies traffic and a priority value. The defined action will apply to all rules within that rule collection. Same as the previous rule, the priority values will determine the order in which the rule collections are processed. There are three types of rule collections:
  • DNAT
  • Network
  • Application

    Each of the rule collection types must match their parent rule collection group category. For example, DNAT rule collection must be part of the DNAT rule collection group.

  • Rules: Last on the list are rules, which belong to a rule collection that specifies that traffic is allowed or denied in your network. Unlike the past elements, these do not follow a priority order based on values. Instead, they follow a top-down approach where all traffic that passes through the firewall is evaluated by defined rules for an allow or deny match. If there is no rule allowing the traffic, it will be denied by default.
• Integration with a third-party security-as-a-service (SaaS): Azure Firewall Manager supports the integration of third-party security providers, allowing you to bring in many of your favorite security solutions into your Azure environment. Currently, the supported security partners are Zscaler, Check Point, and iboss.

  Integration is done through the use of automated route management, which doesn't require the setting up or managing of user-defined routes (UDRs). You can deploy secure hubs that are configured with the security partner of your choice in multiple Azure regions to get connectivity and security for your users. See Figure A.2.

• Route management: Route management is the ability to route traffic through your secured hubs for filtering or logging without needing to set up UDRs.

Azure Application Gateway

The Azure Application Gateway is Azure's web traffic load balancer that enables you to manage the amount of traffic going to your application, thus preventing it from becoming overloaded. Azure's Application Gateway is more advanced than a traditional load balancer. Traditionally, load balancers operate at the Transport layer of the OSI model (i.e., Layer 4 TCP and UDP) and can only route traffic based on the source IP address and port to a destination IP address and port. However, Azure's Application Gateway operates at Layer 7 of the OSI model and can make decisions based on additional attributes found in an HTTP request, such as URL-based routing. From a security viewpoint, this is very important for protecting against DDoS attacks and ensuring high uptimes for all of your network resources. In addition to load balancing, this tool comes with other useful features for security and scalability. Here are some of the most important features to remember:

• Secure Sockets Layer (SSL/TLS) termination: To ensure that information is transported securely over the Internet, it's common to use encryption protocols like SSL/TLS. However, doing the encryption and decryption is extra overhead for the web server. Azure Application Gateway handles the encryption/decryption and allows data to flow unencrypted to the backend servers, thus reducing the work that the backend servers must do.
• Autoscaling: Azure Gateway supports autoscaling, which means it can scale up or down in the number of instances depending on your environment's traffic needs. This saves your company money because you won't have more resources provisioned than you actually need. You must specify a minimum and optionally maximum instance count, though, which will ensure that the application gateway doesn't fall below the minimum instance count, even without traffic.
• Zone redundancy: Azure Gateway can span across multiple availability zones, so there's no need to provision separate application gateways for different zones. This also means that you have zone redundancy because all of your gateway instances can be used to handle traffic in other zones as needed.
• Static VIP: This static virtual IP address enables the IP address connected to the application gateway to remain static (i.e., not change) over its lifetime, thus reducing the chances of misconfigurations and misdirection due to a change in IP addresses.
• Web Application Firewall (WAF): This feature gives you centralized protection for your web application from publicly known exploits. For example, it will filter out SQL injection attacks, cross-site scripting, directory traversals, and other attacks that come in through the web application itself. The WAF solution can also react by patching a known vulnerability once it is discovered. A single instance of Application Gateway can host up to 40 websites that are protected by a WAF.

  The WAF also offers monitoring to detect any potentially malicious activity. It uses real-time WAF logs, which are integrated with Azure Monitor to track WAF alerts and monitor trends. It also integrates with Defender for Cloud, which gives you a central view of the security state of all your Azure, hybrid, and multicloud resources. See Figure A.3.

  • Ingress controller for AKS: This feature allows you to use the application gateway as an ingress for an Azure Kubernetes Service (AKS). AKS is a service that allows you to deploy a managed Kubernetes cluster in Azure to offload the operational overhead to Azure.
  • URL-based routing: This feature allows you to route traffic to backend server pools based on the URL paths in the request.
  • Multiple-site hosting: Using this feature, you can configure routing based on a host or domain name for multiple web applications on the same application gateway.
  • Redirection: This feature allows you to support automatic HTTP to HTTPS redirection. It ensures that all communications between an application and its users will be encrypted.

  

• Session affinity: When using this feature, you can use gateway-managed cookies that allows the application gateway to direct traffic from a user session to a server and maintain user sessions on the same server.
  • WebSocket and HTTP/2 traffic: Azure's Application Gateway provides support for WebSocket and HTTP/2 protocols over ports 80 and 443.
  • Connection draining: If you ever have a need to change the backend servers that your application uses (the backend pool), this feature ensures that all deregistering instances won't receive any new requests while allowing the existing requests to be sent to the appropriate servers for completion within the configured time limit. This includes instances that have been explicitly removed and those that have been reported as unhealthy by Azure's health probes.
  • Custom error pages: Azure's Application Gateway allows you to display custom error pages instead of the defaults, which prevents you from displaying information that should be kept confidential. Also, it gives you the chance to use your own branding and layout in the custom error page.
  • Ability to rewrite HTTP headers and URL: HTTP headers are used to allow the client and server to pass additional information with a request or response. By rewriting HTTP headers, you can add security-related information protection. You can remove header fields that may contain sensitive information and strip port information from the header. You can also rewrite URLs, and when you combine this with URL path-based routing, you can route requests to your desired backend pool of servers.

Azure Front Door

Azure Front Door is great for building, operating, and scaling out your web applications. It is a global, scalable entry point used to create fast, secure, and widely scalable web applications using Microsoft's global network. It's not limited to just new applications; you can use Azure Front Door with your existing enterprise applications to make them widely available on the web. Azure Front Door providers have a lot of options for traffic routing, and it comes with backend health monitoring so that you can identify any backend instances that may not be working correctly. Here's some of the key features that come with Azure Front Door:

• Better application performance using split TCP-based anycast protocol
• Intelligent health monitoring for all backend resources
• URL path-based routing for application requests
• Hosting of numerous websites via an efficient application infrastructure
• Cookie-based session affinity
• SSL/TLS offloading and certificate management
• Ability to define a custom domain
• Application security via an integrated web application firewall (WAF)
• Ability to redirect HTTP traffic to HTTPS seamlessly with a URL redirect
• A custom-forwarding path with an URL rewrite
• Native support for end-to-end IPv6 connectivity and support for HTTP/2 protocol

Web Application Firewall

A web application firewall (WAF) is a specific type of application firewall that monitors, filters, and, if necessary, blocks HTTP traffic to and from a web application. Azure's WAF uses Open Web Application Security Project (OWASP) rules to protect applications against common web-based attacks, such as SQL injection, cross-site scripting, and hijacking attacks. In Azure, WAFs are part of your Application Gateway, which we just discussed in the last section. All of WAF's customizations are contained in a WAF policy that must be associated with your Application Gateway. There are three types of WAF policies in Azure: global, per-site, and per-URI policies. Global WAF policies allow you to associate the policy with every site behind your Application Gateway with the same managed rules, custom rules, exclusions, or any other rules you define. A per-site policy allows you to protect multiple sites with different security needs. Lastly, the path-based rule (per URI) allows you to set rules for specific website pages. It's also important to know that a more specific policy will always override a more general one in Azure. That means you can have a global policy that applies to all machines and have per-site policies for specific instances, and the per-site policy will override the global policy.

Azure Service Endpoints

VNet service endpoints provide secure and direct connectivity to Azure services over an optimized route via the Azure backbone network. This network is a connection of hundreds of datacenters located in 38 regions around the world that are designed to provide near-perfect availability, high capacity, and the flexibility required to respond to unpredictable demand spikes, which provides you with a more secure and efficient route for sending and receiving traffic. It allows private IP addresses on a VNet to reach the endpoint of an Azure service without needing a public IP address on the VNet.

Azure Private Links

Azure Private Links allow you to access Azure PaaS services and Azure hosted customer-owned/partner services over a private endpoint. A private endpoint is simply any network interface that uses a private IP address from your virtual network. It simplifies network architecture and secures the connection between endpoints by keeping the traffic on the Microsoft global network and eliminating the potential for data exposure over the Internet. Here are the key benefits of using Azure Private Links:

• Ability to privately access services on Azure: Using a private link ensures that traffic between your virtual network and the service will occur along Microsoft's backbone network rather than exposing the service to the public Internet. Service providers can host their services in their own virtual network and consumers will be able to access those services in their local virtual network, which helps to ensure that their communications remain private and protected against potential eavesdropping attacks from people on the Internet.
• On-premises and peered networks: You can also access services running in Azure from your on-premises network over ExpressRoute private peering, VPN tunnels, and peered virtual networks. This structure gives you a secure way to migrate workloads from on-premises to Azure without needing to traverse the Internet to reach that service, helping to prevent any potential attacks or data leakages by keeping all communications on networks that you trust.
• Prevent data leakage: When using a private endpoint with a private link, consumers will be mapped to an instance of the PaaS resource instead of the whole service. Access to any other resource is blocked, which helps to prevent data leakage because you are only providing the access needed by the customer and nothing extra. See Figure A.4.
• Global reach: Using private links, you can connect to the services running in other regions, which allows you to provide secure connectivity to resources/services anywhere in the world.

Azure DDoS Protection

Azure DDoS Protection is Azure's default DDoS protection service. Unlike other tools in the list, this tool doesn't need to be configured by an administrator; every endpoint in Azure is protected by Azure's DDoS Protection basic version, free of cost. The important thing is to understand is the difference in features among the basic version and the paid version of DDoS Protection, which comes with two main features:

• Always-on traffic monitoring: This tool monitors your application traffic patterns 24 hours a day, 7 days a week, looking for indicators of DDoS attacks. Once an attack is detected, DDoS Protection Basic instantly and automatically mitigates the attack, with no actions required by the end user.
• Extensive mitigation scale: The basic version of this tool can detect over 60 different attack types and mitigate those attacks with global capacity, meaning that it can defend against attacks that come from/target resources in any part of the globe. This ability lends your applications protection against the largest known DDoS attacks.

Now, let's look at the features of the standard Azure DDoS protection tool, which is a paid-for resource:

• Native platform integration: Azure DDoS protection is natively integrated into Azure, which makes it extremely easy to use. You apply configurations through the Azure portal. DDoS Protection Standard also has the ability to understand your resources and resource configurations without the need for user input.
• Turnkey protection: As soon you enable DDoS Protection Standard, it automatically begins to protect all resources on your virtual network without any need for user intervention.
• Adaptive tuning: This allows for Azure DDoS protection to learn your application's traffic profile over time and then select the profile that best suits your service. A traffic profile is simply a set of measures over a specific period of time that allows Azure DDoS to understand what type of traffic is normal for your application and what isn't. Azure DDoS continues to observe your traffic and changes the profile accordingly over time so that it flags fewer false positives and misses fewer false negatives.
• Multilayered protection: Whenever you deploy a WAF, Azure DDoS Protection Standard provides additional security protection at Layers 3, 4, and 7 of the OSI model (i.e., the Network, Transport, and Application layers), helping to ensure that your application is protected by multilayers of security and a defense-in-depth approach.
• Attack analytics: Once the DDoS protection tool determines that an attack has started, it provides you with a detailed report every 5 minutes during the attack and a complete summary of the attack once it has completed. This way, you have documentation of what has occurred without having to do any manual work. Also, you can stream the flow logs that are created into Azure Sentinel or an offline SIEM for near-real-time monitoring of the attack against your systems.
• Attack metrics: This feature allows you to view summarized metrics for every attack against your resources via the Azure Monitor dashboard.
• Attack alerting: With this feature, you can configure alerts to be created at the start, at the stop, or over the duration of an attack using built-in metrics, which tell DDoS protection what the thresholds are for considering traffic to be an attack, allowing for customization on your end. These alerts can be integrated into an operational software of your choosing, such as Azure Monitor logs or Splunk for further analysis/monitoring.
• DDoS Rapid Response: You have the option of engaging the DDoS Protection Rapid Response (DRR) team to aid you with an attack investigation if the standard features aren't sufficient. This dedicated team of security experts within Microsoft can provide you with personalized support in an emergency situation.
• Cost guarantee: You can receive data transfer and application scale-out service credits for resource costs incurred due to documented DDoS attacks. So, in the event that DDoS protection doesn't deliver on its promised protection, you can obtain financial reimbursement from Microsoft to cover the costs of the attack, giving you another line of defense behind just the software itself.

Microsoft Defender for Cloud

Azure's endpoint protection feature has been integrated into a tool called Microsoft Defender for Cloud, which provides antimalware protection to Azure VMs in three primary ways:

• Real-time protection: In this way, endpoint protection acts similar to any other antimalware solution that alerts when you attempt to download a piece of software that might be malware or when you attempt to change important Windows security settings.
• Automatic and manual scanning: Endpoint protection comes with an automatic scanning feature that alerts you of any detected malware on your VMs. This feature can be turned on or off at your discretion.
• Detection/remediation: For severe threats, some actions will automatically be taken in an attempt to remove the malware and to protect your VMs from a potential or further infection. It can also reset some Windows settings to more secure settings.

Defender for Cloud also generates a secure score for all of your subscriptions, based on its assessment of your connected resources compared to the Azure security benchmark. This secure score helps you to understand at a quick glance how good your security is, and it provides a compliance dashboard that allows you to review your compliance using the built-in benchmark. Using the enhanced features, you can customize the standards used to assess compliance and add other regulations that your organization is subject to, such as NIST, Azure Center for Information Security (CIS), or other organization-specific security requirements.

Defender for Cloud also gives you hardening recommendations based on the security misconfigurations and weaknesses that it has found. You can use these recommendations to improve your organization's overall security.

Azure Container Registry

A container is a form of operating system virtualization. Think of this container as a package of software components. A container houses all of the necessary executables, code, libraries, and configuration files to run an application. However, a container doesn't house the operating system images, which makes it more lightweight and portable with less overhead. To support larger application deployments, you must combine multiple containers to be deployed as one or more container clusters.

The Azure Container Registry is a service for building, storing, and managing container images and their related artifacts and allows for the easy and quick creation of containers. When it comes to security, the Azure Container Registry supports a set of built-in Azure roles. These roles enable you to assign various permission levels to an Azure Container Registry, which allows you to use RBAC to assign specific permissions to users, service principals, or other identities that may need to interact with a container in that particular registry or the service itself. You can also create custom roles with a unique set of permissions. Here are some specific features of Azure Container Registry:

• Registry service tiers: This feature allows you to create one or more container registries in your Azure subscription and comes in three tiers: Basic, Standard, and Premium. It provides local, network-close storage of your container images by creating registries in the same Azure location as your deployments.
• Security and access: You can log into a registry via the Azure CLI or the standard Docker login command. To ensure good security, Azure Container Registry transfers container images over HTTPS and supports TLS to provide secure client connections.

  When it comes to access control for container registries, you can use an Azure identity, an Azure Active Directory–backed service principal, or a provided admin account. Use Azure role-based access control (RBAC) to assign users or systems fine-grained permissions to a given registry.

• Content trust feature: In the premium version of Registry, you can use the Content Trust feature, which is a tool for verifying the source and integrity of data entering the system to ensure that it hasn't been improperly modified. There's also the option of integrating Defender for Cloud to allow for scanning of images whenever they are pushed to a registry to ensure they are safe before use.
• Supported images and artifacts: Azure Container Registries can include both Windows and Linux images. You can use Docker commands to push or pull images from a repository.
• Automated image builds: Azure allows you to automate many of the tasks related to building containers. You can use Azure Container Registry Tasks to automate building, testing, pushing, and deploying images in Azure. This is done through the use of task steps, which define the individual container image build and operations needed.

Azure App Service

Azure App Service quickly and easily creates enterprise-grade web and mobile applications for any platform or device and then deploys them with a reliable cloud infrastructure. Azure App Service Environment (ASE) allows you to have an isolated and dedicated hosting environment to run your functions and web applications. There are two ways to deploy an ASE: you can use an external IP address (External ASE), or you can use an internal IP address (ILB ASE). Doing so allows you to host both public and private applications in the cloud. It's important that you understand the following security features that Azure App Service offers for securing your cloud-hosting applications:

• App Service Diagnostics: This interactive tool helps with troubleshooting your application with no required configuration. When you run into application issues, you can use App Service Diagnostics to identify what went wrong, troubleshoot, and resolve the issue.
• Integration with Azure Monitor and Application Insights: This feature allows you to view the application's performance and health to make quick decisions about your application.
• Azure Autoscale and Azure Front Door: This feature allows your application to automatically react to traffic loads and perform traffic routing and load balancing.
• Azure Content Delivery Network: This feature reduces latency to your applications by moving your content assets closer to your customers.
• Azure Web Application Firewall: Azure App Service integrates with Azure Web Application Firewall to protect your applications against common web-based attacks.

Azure Policy

Azure Policy is a tool that helps enforce the standards of your organization and ensures the compliance of your Azure resources. An Azure Policy gives you the ability to define a set of properties that your cloud resources should have, and then it compares that defined list of properties to your resource's actual properties to identify those that are noncompliant. When defining these rules in an Azure policy, you describe them using the JavaScript Object Notation (JSON) format; the policy rules are known as policy definitions. You can assign policy definitions to any set of resources that Azure supports. These rules may use functions, parameters, logical operators, conditions, and property aliases to match the exact standards you want for your organization.

You can also control the response to a noncompliant evaluation of a resource with those policy definitions. For example, if a user wants to make a change to a resource that will result in it being noncompliant, you have multiple options: you can deny the requested change, you can log the attempted/successful change to that resource, and you can alter the resource before/after the change occurs, among other options. All these options are possible by adding what's called an effect in the policies in which you create.

You can create the policies from scratch, or you can use some of Azure's prebuilt policies that are created and available by default:

• Allowed Storage Account SKUs (Deny): This policy determines whether a storage account being deployed is within a predetermined set of stock keeping unit (SKU) sizes that's defined by your organization. It will deny all storage accounts that do not meet the set of defined SKU sizes.
• Allowed Resource Type (Deny): This policy defines the resource types that you are allowed to deploy. Any resources that aren't on this list will be denied.
• Allowed Locations (Deny): This policy allows you to restrict the location that your organization can select when deploying new resources and allows you to enforce geo-compliance for all new resources.
• Allowed Virtual Machine (VM) SKUs (Deny): This policy allows you to specify a set of VM SKUs that you are able to deploy in your organization. All others will be blocked.
• Add a Tag to Resources (Modify): This policy adds a required tag and its value to any resource that's created.
• Not Allowed Resource Types (Deny): This policy prevents a specified list of resource types from being deployed.

Microsoft Threat Modeling Tool

Threat modeling is the process of identifying risks and threats that are likely to affect an organization. Microsoft has created its own threat modeling tool to allow for the easy creation of threat-modeling diagrams. This tool helps you plan your countermeasures and security controls to mitigate threats. When you are threat modeling, you need to consider multiple elements in order to obtain a good overview of your company's complete threat landscape, which consists of all threats pertaining to your organization.

Microsoft Sentinel

Microsoft Sentinel is the cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) technology that leverages AI to provide advanced threat detection and response based on the information collected across your company's environment. First, let's look at the SIEM aspect of it.

A SIEM is responsible for collecting and analyzing security data, which is collected from the different systems within a network to discover abnormal behavior and potential cyberattacks. Some common technologies that feed data into a SIEM for analysis are firewalls, endpoint data, antivirus software, applications, and network infrastructure devices. The second aspect of Microsoft Sentinel is that it acts as a SOAR, which is designed to coordinate, execute, and automate tasks between different people and tools within a single platform. For example, using SOAR, you can define an automated playbook that tells the system what actions it should take when a certain condition is met. If it suspects a file is malicious, it may automatically quarantine or delete that file. In the following sections, we will look at the features of Azure Sentinel broken down into its SIEM and SOAR features:

How Does Microsoft Sentinel Work?

Microsoft Sentinel ingests data from services and applications by connecting to the service and forwarding the events and logs of interest to itself. To obtain data from physical and virtual machines, you can install a log analytics agent to collect the logs and to forward them to Microsoft Sentinel. For firewalls and proxies, you will need to install the log analytics agency agent on a Linux syslog server, and from there the agent will collect the log files and forward them to Microsoft Sentinel.

Once you have connected all of the data sources you want to Microsoft Sentinel, you can begin using it to detect suspicious behavior. You can do this in two ways: you can either use Microsoft's prebuilt detection rules, or you can create custom detection rules to suit your needs. Microsoft recommends that people leverage their prebuilt rules because they have been created to allow for the easy detection of malicious behavior and are regularly updated on Microsoft's security teams. These templates were designed by Microsoft's in-house security experts and analysts and are based on known threats and patterns of suspicious activity and common attack vectors. You also have the option of customizing them to your liking, which is usually easier than creating a new one from scratch.

Automation

Automated responses in Microsoft Sentinel are facilitated by automation rules. An automation rule is a set of instructions that allow you to perform actions around incidents without the need for human intervention. For example, you can use these rules to automate processes like assigning incidents to certain people, closing noisy incidents/false positives, and changing an incident's severity or adding tags to incidents based on predetermined characteristics. Automation rules also allow you to run playbooks in response to incidents.

A playbook is a set of procedures that can be executed by Sentinel as an automated response to an alert or an incident. Playbooks are used to automate and orchestrate your response and can be configured to run automatically in response to specific alerts or incidents. This automated run is configured by attaching the playbook to an analytics rule or an automation rule. Playbooks can also be triggered manually if need be.

Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. Microsoft defines a secret as anything to which you want to tightly control access. Some common examples of this are API keys, passwords, certificates, and cryptographic keys. The compromise of company secrets could provide an attacker with highly privileged access to your company's environment and cause major data breaches, which is why you want to ensure that they are properly protected. Here is a summary of the security features of Azure Key Vault:

• Encryption of Data: Azure Key Vault enforces the Transport Layer Security (TLS) protocol to protect data when it's traveling between Azure Key Vault and any client. TLS is the successor of SSL and is a cryptographic protocol designed to provide communications security over a computer network. TLS provides strong authentication, message privacy, and integrity, combined with the fact that it's easy to deploy and use. Another aspect of encryption is perfect forward secrecy (PFS), specific key agreement protocols that give assurances that session keys will not be compromised. PFS protects data on the Transport layer of a network that uses TSL protocols. When PFS is used, encrypted communications and sessions that occurred in the past cannot be retrieved or decrypted even if long-term secret keys or passwords are compromised in the future. This protection significantly reduces the risk associated with hackers compromising keys.
• Secure Authentication: Azure Key Vault allows you to store your secrets and securely access them by authenticating in one of three ways:

• 1. Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn't managing the rotation of the first secret. Instead, Azure automatically rotates the identity. Microsoft recommends this approach as a best practice.
  2. Service principal and certificate: You can use a service principal and an associated certificate that has access to Azure Key Vault. Microsoft doesn't recommend this approach, however, because the application owner or developer must rotate the certificate.
  3. Service principal and secret: Although you can use a service principal and a secret to authenticate to Azure Key Vault, Microsoft doesn't recommend it. It's hard to automatically rotate the bootstrap secret used to authenticate to Azure Key Vault.
     • Key Vault access policies: A Key Vault access policy determines whether a given security principal can perform different operations on Azure Key Vault secrets, keys, and certificates. Security principals, in this context, will primarily be users, applications, or user groups. Currently, Azure Key Vault supports up to 1,024 access policy entries. Each of these entries grants a distinct set of permissions to a particular security principal. Due to these restrictions, it's advised that you assign access policies to groups of users when possible, rather than assigning them to individuals, to preserve as many of these access policies as you can. Using groups also makes it much easier to manage permission for multiple people in your organization.
     • Network security: You can reduce the exposure of your vaults by specifying what IP addresses can have access to them. You can also reduce access to Azure Key Vault to a specified virtual endpoint or address range. Once configured, only the users whose requests originate from the allowed virtual networks or IP addresses can read/access data.
     • Central management of your vaults: You can control access to a key vault through two interfaces: the management plane and the data plane. The management plane is what you use to manage Azure Key Vault itself. Here you can do things like creating and deleting key vaults, retrieving Key Vault properties, and updating your access policies. The data plane is where you will interact with data that is stored in a key vault. You can add, delete, and modify keys, secrets, and certificates there. Authentication to the planes themselves is managed by Azure Active Directory. Authorization to the management plane uses Azure RBAC, while the data plane uses a Key Vault access policy and Azure RBAC, which helps to ensure that it's very difficult for someone to gain unauthorized access to the management console.
     • Logging and monitoring: Key Vault logging saves information about the activities performed on your vaults. It also allows you to monitor the health of your key vault to ensure that they are running as intended by setting up monitoring and alerts for your key vaults.
     • Backup and Recovery: Azure Key Vault has a feature called soft-delete and purge protection that both give you the ability to recover deleted vaults and vault objects.