AAD (Azure Active Directory), 125–127
management, 9
Access Control (IAM), 22
ACLs (access control lists), 12
Activity Log, 78
AD Identity Protection, integration with ASC, 148–149
Adaptive Application Controls, 38, 111–114
missing and not responding, 52
removing, 35
Amazon EC2 keys, theft, 7
analytics. See Log Analytics
anomaly detection, 20, 106–108
Antimalware installation, 55
application whitelisting, 111–114
applications. See also logic app
as malware, 5
ASC (Azure Security Center). See also security; SIEM (Security Incident and Event Management); Splunk integration solution
access control, 22
analytics, 20
connectivity, 18
event evaluation, 20
intelligence resources, 104
JIT VM access feature, 115–119
Monitoring Agent, 19
RBAC (role-based access control), 22–23
security policy, 23
storage, 23
assume-breach mentality, 6. See also attacks
ATP (Advanced Threat Protection), 155
attack vectors, identifying, 2–3
attacked resources, listing, 77–78
attacks. See also assume-breach mentality; detection capabilities; Trojans
brute force, 85
drive-by download sites, 4
IP addresses, 7
local privilege escalation, 3
RDP brute force, 114
SSH brute-force, 114
attributes, obtaining for VMs, 167
authentication-related issues, investigating, 152
Azure Automation and PowerShell, 30
IntelliSense, 152
query language, 83
query result, 158
website, 19
accessible logs, 124
and Splunk, 139
Azure Policy. See also policies; security policies
customizing, 49
definitions and assignments, 44, 48
elements, 47
initiative definitions and assignments, 44–45
JSON configuration, 48
scope, 44
Azure security. See also security
Disk Encryption, 14
host protection, 12
storage protection, 14
behavioral analytics, 20, 104–105
blades, security policies, 35–36
BLOBs (binary large objects), 37
botnets, defined, 2
breaches. See assume-breach mentality; attacks
brute-force attacks, 85
C2 (command and control) servers, 4
CAV (counter-antivirus) services, 2
CCE (Common Configuration Enumeration), 25, 52, 56–58
threat prevention vs. detection, 99–100
cloud security, rethinking, 31–32
access management, 9
data protection, 10
endpoint protection, 10
identity management, 9
operational security, 9
risk management, 9
CCE (Common Configuration Enumeration), 56–58
security configurations, 56
compute recommendations, accessing, 30–31
configuration flaws, 7
contextual information alerts, 74
crash-dump analysis, 76
CSPs (cloud solution providers), 8–9
cyber kill chain, 2–4, 108–111
protection, 10
database auditing, 64
DCU (Digital Crimes Unit), 153
defense layers, 11
detection capabilities, 74, 154–155. See also attacks
DevOps, 7
DiCola, Nicholas, 71
Disk Encryption policy, 37, 52
domain dominance, 3
drive-by download sites, 4
Email Notifications blade, 41–42
encryption, 14. See also Storage Encryption policy
Endpoint Protection policy, 10, 37, 52–56
error codes, website, 173. See also WER (Windows Error Reporting)
ETW (Event Tracing for Windows), 19
connecting to Azure Monitor, 136–138
creating for SIEM, 122, 131–132
events. See also notable events
correlating with entities, 87
evaluating, 20
filtering, 39
Failed Logons section, 144–147
financial losses, 1
GitHub public secret attack, 7–8
Healthy Databases, 64
host protection, 12
hunting security issues, 159–162
Hyper-V virtualization solution, 12
IaaS (Infrastructure as a Service), 17
IAM (Access Control), 22
IC3 (Internet Crime Complaint Center), 1–2
Identity & Access, customizing search, 149–152
management, 9
Identity Posture section, 143–144
IExpress self-extractor, 29
Incident Playbook, 162. See also playbooks
incident response. See security incidents
crash-dump analysis, 76
spam activity, 75
InfoSec Institute, lurking statistic, 5
initiative definitions and assignments, 44–45
intel, obtaining, 3
IntelliSense, Log Analytics, 152
internet-facing endpoints, 59, 61–63
Investigation feature, using, 84–88
IP addresses, attacks, 7
IPFIX (Internet Protocol Flow Information Export), 74
policies, 48
Just-in-Time VM access, 114–119. See also VMs (Virtual Machines)
Kemnetz, John, 122
Kliger, Ben, 106
Koren, Koby, 142
Landau, Miri, 169
Linux agents, installing, 27
local privilege escalation attack, 3
IntelliSense, 152
query language, 83
query result, 158
website, 19
log search, customizing, 150
logic app, creating, 90. See also applications
logon failures, reasons for, 144
Logons Over Time section, 147–148
lurking statistic, 5
machine learning and cloud, 105–106
Antimalware installation, 55
apps as, 5
Antimalware installation, 55
Monitoring Agent, 19
Security Intelligence Report/IP-address attacks, 7
Missing Disk Encryption, 52
Missing Scan Data, 52
Missing System Updates, 52
Monitoring Agent, 19
MSRC (Microsoft Security Response Center), 153
MSTIC (Microsoft Threat Intelligence Center), 153
network analysis alerts, 74
internet-facing endpoints, 61–63
NSGs on subnets not enabled, 59–61
NGFW (Next-Generation Firewall) policy, 37, 58
Nitol botnet, 2
notable events, 162. See also events
Notepad++, downloading, 170
NSGs (network security groups), 12, 37, 59–61
omsagent daemon, 19
operational security, 9
OS hardening, rules, 169, 172–173
uploading rule, 173
OS Version Not Updated, 52
OWASP documentation for cyberattacks, 68
and OS customization, 168
Petya ransomware, 1
playbooks. See also Incident Playbook; security alerts
website, 162
policies. See Azure Policy; security policies
Policy Management blade, 40–41
Potential SQL Injection alert, 74. See also SQL databases
PowerShell, script to obtain VM’s attribute, 167
Prakash, Ajeet, 155
prevention, importance of, 71
Privileged Access Workstations, 10
protect, security posture, 5–6
public key secret, 7
installation, 3
Trojan, 4
complaints, 1
financial loss, 1
Petya, 1
WannaCry, 1
RBAC (role-based access control), 11, 22–23, 49–50
RDP brute-force attacks, 114
recon, internal and external, 3
red/blue team simulations, 6
Remediate Security Configurations, 52, 56–58
removing agents, 35
reports, linking to security alerts, 156
resource analysis alerts, 74
respond, security posture, 5–6
Restart Pending, 52
risk management, 9
rules, OS hardening, 169, 172–173
scan data, 52
SDL (Security Development Lifecycle), 68
SecOps (security operations), 24
security. See also ASC (Azure Security Center)
resources, 12
security admin role, 22
security alerts. See also playbooks
categories, 74
linking to reports, 156
responding to, 89
security assessments, customizing, 169
access control, 22
analytics, 20
connectivity, 18
event evaluation, 20
intelligence resources, 104
JIT VM access feature, 115–119
Monitoring Agent, 19
RBAC (role-based access control), 22–23
security policy, 23
storage, 23
Security Configurations policy, 36
security data, analyzing, 149–152
security incidents, 110, 160–161. See incident response
security playbooks. See also Incident Playbook; security alerts
website, 162
security policies. See Azure Policy; policies
customizing, 49
overview, 23
security reader role, 22
SIEM (Security Incident and Event Management), 121–123. See also Splunk integration solution
Slack, integrating playbooks, 97
social engineering, 3
spam activity, detecting, 75
Splunk integration solution. See also ASC (Azure Security Center); SIEM (Security Incident and Event Management)
app password for Key Vault, 130–131
Azure Key Vault, 127–130, 134–135
Azure Monitor add-on, 139
confirming accessible logs, 124
event hub and Azure Monitor, 131–132, 136–138
processes, 123
Splunk SIEM pipe, 124
SQL Auditing & Threat Detection, 38
SQL databases, threat detection, 66. See also Potential SQL Injection alert
SQL Encryption, 38
SSE (Storage Service Encryption), 14
SSH brute-force attacks, 114
considering, 23
protection, 10
Storage Encryption policy, 37. See also encryption
storage protection, 14
streaming logs, 122
suspicious process executed alert, 161
TDE (Transparent Data Encryption), 64
Teller, Tomer, 74
methods, 101
threat-intelligence feeds, 102–104
dashboard in Security Center, 157–159
hunting security issues, 159–162
integration, 20
reports in Security Center, 155–156
VA (Virtual Analyst), 163
TLS (Transport Layer Security), 10
Trojans, 1, 4. See also attacks
VA (Virtual Analyst), threat intelligence, 163
VAs (vulnerability assessments), 36–37
VHD (virtual hard disk), 63
VM Agent Is Missing or Not Responding, 52
VMBA (Virtual Machine Behavioral Analysis) alerts, 74
VMs (Virtual Machines). See also Just-in-Time VM access
cloud-weaponization, 7
obtaining attributes, 167
operations, 12
VMware virtualization solution, 12
VNets (virtual networks), 12
vulnerabilities, identifying and mitigating, 57, 71
Vulnerability Assessment Not Installed, 52
WAF (Web Application Firewall) policy, 37
Activity Log for security alerts, 78
agent installation, 29
application whitelisting, 114
ASC detection capabilities, 21
ASC pricing, 18
Azure AD Identity Protection, 149
Azure network security, 13
Azure Policy, 48
Azure Storage security, 14
cloud threats, 7
compliance, 9
compute recommendations, 51
computer security, 12
cybercrime, 2
Data Collection blade, 39
Disk Encryption, 37
endpoint protection, 53
error codes, 173
event hub for SIEM, 122
IC3 (Internet Crime Complaint Center), 1
IExpress self-extractor, 29
Incident Playbook, 162
Linux agents, 27
Log Analytics, 83
Log Analytics workspaces, 19
Nitol botnet, 2
Notepad++, 170
OWASP documentation for cyberattacks, 68
playbook integration with Slack, 97
Privileged Access Workstations, 10
RBAC (role-based access control), 23
SDL (Security Development Lifecycle), 68
Splunk integration solution, 139
SQL database threat detection, 66
threat intelligence map, 159
VAs (vulnerability assessments), 36
Welcome to Azure Policy blade, 46
WER (Windows Error Reporting), 19. See also error codes
WinZipper Trojan, 4
workflows, creating for playbooks, 91–94
changing defaults, 166
data retention, 23
and data storage, 19
ID and primary key, 29
monitoring, 141