Index

A

AAD (Azure Active Directory), 125–127

access and identity

activities, 141–142

Failed Logons, 144–147

Identity Posture, 143–144

Logons Over Time, 147–148

management, 9

restricting, 61–63

Access Control (IAM), 22

ACLs (access control lists), 12

Activity Log, 78

AD Identity Protection, integration with ASC, 148–149

Adaptive Application Controls, 38, 111–114

agents

installing, 26–30

missing and not responding, 52

removing, 35

Amazon EC2 keys, theft, 7

analytics. See Log Analytics

anomaly detection, 20, 106–108

Antimalware installation, 55

application controls, 111–114

application whitelisting, 111–114

applications. See also logic app

firewalls, 68–71

as malware, 5

ASC (Azure Security Center). See also security; SIEM (Security Incident and Event Management); Splunk integration solution

access control, 22

analytics, 20

architecture, 18–21

assessment, 30–32

connectivity, 18

considerations, 22–24

dashboard, 21–22, 142

detection capabilities, 20–21

event evaluation, 20

Failed Logons, 144–147

features, 15–16

Identity Posture, 143–144

incorporating, 24–25

intelligence resources, 104

JIT VIM access feature, 115–119

Logons Over Time, 147–148

Monitoring Agent, 19

next-generation policy, 38–43

onboarding resources, 25–30

overview, 17–18

permissions, 49–50

RBAC (role-based access control), 22–23d

recommendations, 23–24

security operations, 24–25

security policy, 23

storage, 23

subscription, 17–18

tiers, 17–18

assume-breach mentality, 6. See also attacks

atomic detection, 101–102

ATP (Advanced Threat Protection, 155

attack vectors, identifying, 2–3

attacked resources, listing, 77–78

attacks. See also assume-breach mentality; detection capabilities; Trojans

brute force, 85

drive-by download sites, 4

IP addresses, 7

local privilege escalation, 3

RDP brute force, 114

SSH brute-force, 114

attributes, obtaining for VMs, 167

authentication-related issues, investigating, 152

Azure AD Identity Protection

customizing search, 149–152

integration, 148–149

Azure Automation and PowerShell, 30

Azure Log Analytics

customizing searches, 149–152

IntelliSense, 152

query language, 83

query result, 158

website, 19

Azure Monitor add-on

accessible logs, 124

event-hub connection, 136–138

and Splunk, 139

Azure Policy. See also policies; security policies

customizing, 49

definitions and assignments, 44, 48

elements, 47

exploring, 45–48

initiative definitions and assignments, 44–45

JSON configuration, 48

overview, 43–44

scope, 44

Azure Portal, 11–12

Azure security. See also security

Disk Encryption, 14

host protection, 12

network protection, 12–13

overview, 11–12

storage protection, 14

B

behavioral analytics, 20, 104–105

blades, security policies, 35–36

BLOBs (binary large objects), 37

botnets, defined, 2

breaches. See assume-breach mentality; attacks

brute-force attacks, 85

C

C2 (command and control) servers, 4

CAV (counter-antivirus) services, 2

CCE (Common Configuration Enumeration), 25, 52, 56–58

cloud defense

cyber kill chain, 108–111

fusion alerts, 108–111

JIT VM access, 114–119

threat detection, 100–108

threat prevention vs. detection, 99–100

cloud security, rethinking, 31–32

cloud threats

access management, 9

compliance, 8–9

data protection, 10

endpoint protection, 10

identity management, 9

and machine learning, 105–106

operational security, 9

overview, 7–8

risk management, 9

compliance, 8–9

compute recommendations

CCE (Common Configuration Enumeration), 56–58

endpoint protection, 52–56

overview, 51–52

security configurations, 56

compute recommendations, accessing, 30–31

configuration flaws, 7

contextual information alerts, 74

crash-dump analysis, 76

CSPs (cloud solution providers), 8–9

cyber kill chain, 2–4, 108–111

cybercrime, 1–2

D

data and storage

encryption, 66–67

overview, 63–64

protection, 10

server auditing, 64–66

threat detection, 64–66

Data Collection blade, 38–40

database auditing, 64

DCU (Digital Crimes Unit), 153

defense layers, 11

detect, security posture, 5–6

detection capabilities, 74, 154–155. See also attacks

DevOps, 7

DiCola, Nicholas, 71

Disk Encryption policy, 37, 52

domain dominance, 3

drive-by download sites, 4

E

Email Notifications blade, 41–42

encryption, 14. See also Storage Encryption policy

Endpoint Protection policy, 10, 37, 52–56

entities and incidents, 87–88

error codes, website, 173. See also WER (Windows Error Reporting)

ETW (Event Tracking for Windows), 19

Event 4625, 145–147

event hub

connecting to Azure Monitor, 136–138

creating for SIEM, 122, 131–132

shared access key, 133–136

events. See also notable events

correlating with entities, 87

evaluating, 20

filtering, 39

F

Failed Logons section, 144–147

Fender, Sarah, 31–32

financial losses, 1

firewalls, 58, 68–70

G

GitHub public secret attack, 7–8

H

Healthy Databases, 64

host protection, 12

Hunter, Laura E., 15–16

hunting security issues, 159–162

Hyper-V virtualization solution, 12

I

IaaS (Infrastructure as a Service), 17

IAM (Access Control), 22

IC3 (Internet Crime Complaint Center), 1–2

Identity & Access, customizing search, 149–152

identity and access

activities, 141–142

Failed Logons, 144–147

Identity Posture, 143–144

Logons Over Time, 147–148

management, 9

restricting, 61–63

Identity Posture section, 143–144

IExpress self-extractor, 29

inbound security rules, 62–63

Incident Playbook, 162. See also playbooks

incident response. See security incidents

crash-dump analysis, 76

detection scenarios, 75–76

security alerts, 73–75

spam activity, 75

InfoSec Institute, lurking statistic, 5

initiative definitions and assignments, 44–45

install and exploit, 109–110

intel, obtaining, 3

IntelliSense, Log Analytics, 152

internet-facing endpoints, 59, 61–63

Investigation feature, using, 84–88

IP addresses, attacks, 7

IPFIX (Internet Protocol Flow Information Export), 74

IT assets, securing, 99–100

J

JIT Network Access, 37–38, 52

JSON configuration

OS customization, 169–172

policies, 48

Just-in-Time VM access, 114–119. See also VMs (Virtual Machines)

K

Kemnetz, John, 122

Key Vault blade

app password, 130–131

creating, 127–130

Kliger, Ben, 106

Koren, Koby, 142

L

Landau, Miri, 169

legacy security policy, 33–38

Linux agents, installing, 27

local privilege escalation attack, 3

Log Analytics

customizing searches, 149–152

IntelliSense, 152

query language, 83

query result, 158

website, 19

log search, customizing, 150

logic app, creating, 90. See also applications

logon failures, reasons for, 144

Logons Over Time section, 147–148

lurking statistic, 5

M

machine learning and cloud, 105–106

malware

Antimalware installation, 55

apps as, 5

Microsoft

Antimalware installation, 55

Monitoring Agent, 19

Security Intelligence Report/IP-address attacks, 7

Missing Disk Encryption, 52

Missing Scan Data, 52

Missing System Updates, 52

Monitoring Agent, 19

MSRC (Microsoft Security Response Center), 153

MSTIC (Microsoft Threat Intelligence Center), 153

N

network analysis alerts, 74

network protection, 12–13

network recommendations

internet-facing endpoints, 61–63

NSGs on subnets not enabled, 59–61

overview, 58–59

restricting access, 61–63

NGFW (Next-Generation Firewall) policy, 37, 58

Nitol botnet, 2

notable events, 162. See also events

Notepad++, downloading, 170

NSGs (network security groups), 12, 37, 59–61,

O

omsagent daemon, 19

onboarding resources, 25–30

operational security, 9

OS hardening, rules, 169, 172–173

OS security configuration

considerations, 168–169

customizing, 169–173

JSON file, 169–172

uploading rule, 173

OS Version Not Updated, 52

OWASP documentation for cyberattacks, 68

P

permissions

and OS customization, 168

and RBAC, 49–50

Petya ransomware, 1

playbooks. See also Incident Playbook; security alerts

auditing execution, 95–97

creating, 89–91

executing, 94–95

website, 162

workflows, 91–93

policies. See Azure Policy; security policies

Policy Management blade, 40–41

post breach, 109–110

Potential SQL Injection alert, 74. See also SQL databases

PowerShell, script to obtain VM’s attribute, 167

Prakash, Ajeet, 155

prevention, importance of, 71

Pricing Tier blade, 42–43

Privileged Access Workstations, 10

protect, security posture, 5–6

public key secret, 7

Q

QKSee

installation, 3

Trojan, 4

R

ransomware

complaints, 1

financial loss, 1

Petya, 1

WannaCry, 1

RBAC (role-based access control), 11, 22–23, 49–50

RDP brute-force attacks, 114

recon, internal and external, 3

red/blue team simulations, 6

Remediate Security Configurations, 52, 56–58

removing agents, 35

reports, linking to security alerts, 156

resource analysis alerts, 74

resources, onboarding, 25–30

respond, security posture, 5–6

Restart Pending, 52

risk management, 9

rules, OS hardening, 169, 172–173

S

scan data, 52

SDL (Security Development Lifecycle), 68

SecOps (security operations), 24

securing IT assets, 99–100

security. See also ASC (Azure Security Center)

cloud threats, 7–11

incidents, 79–81

resources, 12

security admin role, 22

security alerts. See also playbooks

accessing, 77–84

categories, 74

customizing, 81–84

displaying, 160–161

linking to reports, 156

overview, 73–74

responding to, 89

security assessments, customizing, 169

Security Center

access control, 22

analytics, 20

architecture, 18–21

assessment, 30–32

connectivity, 18

considerations, 22–24

dashboards, 21–22, 142

detection capabilities, 20–21

event evaluation, 20

Failed Logons, 144–147

features, 15–16

Identity Posture, 143–144

incorporating, 24–25

intelligence resources, 104

JIT VIM access feature, 115–119

Logons Over Time, 147–148

Monitoring Agent, 19

next-generation policy, 38–43

onboarding resources, 25–30

overview, 17–18

permissions, 49–50

RBAC (role-based access control), 22–23

recommendations, 23–24

security operations, 24–25

security policy, 23

storage, 23

subscription, 17–18

tiers, 17–18

Security Configurations policy, 36

security data, analyzing, 149–152

security incidents, 110, 160–161. See incident response

security issues

hunting, 159–162

investigating, 84–88

security playbooks. See also Incident Playbook; security alerts

auditing execution, 95–97

creating, 89–91

executing, 94–95

website, 162

workflows, 91–93

security policies. See Azure Policy; policies

blades, 35–36

customizing, 49

legacy, 33–38

overview, 23

security posture, 5–6

security reader role, 22

security rules, 62–63

server auditing, 64–66

SIEM (Security Incident and Event Management), 121–123. See also Splunk integration solution

Slack, integrating playbooks, 97

social engineering, 3

spam activity, detecting, 75

Splunk integration solution. See also ASC (Azure Security Center); SIEM (Security Incident and Event Management)

app password for Key Vault, 130–131

Azure AD application, 125–127

Azure Key Vault, 127–130, 134–135

Azure Monitor add-on, 139

confirming accessible logs, 124

event hub and Azure Monitor, 131–132, 136–138

processes, 123

shared access key, 133–134

Splunk SIEM pipe, 124

VM (Virtual Machine), 138–139

SQL Auditing & Threat Detection, 38

SQL databases, threat detection, 66. See also Potential SQL Injection alert

SQL Encryption, 38

SSE (Storage Service Encryption), 14

SSH brute-force attacks, 114

storage

considering, 23

encryption, 66–67

storage and data

encryption, 66–67

overview, 63–64

protection, 10

server auditing, 64–66

threat detection, 64–66

Storage Encryption policy, 37. See also encryption

storage protection, 14

streaming logs, 122

suspicious process executed alert, 161

System Updates policy, 36, 52

T

target and attack, 109–110

TDE (Transparent Data Encryption), 64

Teller, Tomer, 74

threat detection

anomaly detection, 106–108

atomic, 101–102

behavioral analytics, 104–105

methods, 101

vs. prevention, 64, 99–100

threat-intelligence feeds, 102–104

threat intelligence

dashboard in Security Center, 157–159

hunting security issues, 159–162

integration, 20

overview, 153–155

reports in Security Center, 155–156

VA (Virtual Analyst), 163

threats, 4–5

TLS (Transport Layer Security), 10

Trojans, 1, 4. See also attacks

V

VA (Virtual Analyst), threat intelligence, 163

VAs (vulnerability assessments), 36–37

VHD (virtual hard disk), 63

VM Agent Is Missing or Not Responding, 52

VMBA (Virtual Machine Behavioral Analysis) alerts, 74

VMs (Virtual Machines). See also Just-in-Time VM access

Azure Portal, 12–13

cloud-weaponization, 7

moving to workspaces, 165–167

obtaining attributes, 167

operations, 12

Splunk enterprise, 138–139

VMware virtualization solution, 12

VNets (virtual networks), 12

vulnerabilities, identifying and mitigating, 57, 71

Vulnerability Assessment Not Installed, 52

W

WAF (Web Application Firewall) policy, 37

web applications, 68–70

websites

Activity Log for security alerts, 78

agent installation, 29

application whitelisting, 114

ASC detection capabilities, 21

ASC pricing, 18

Azure AD Identity Protection, 149

Azure network security, 13

Azure Policy, 48

Azure Storage security, 14

CCE rules, 25, 58

cloud threats, 7

compliance, 9

compute recommendations, 51

computer security, 12

cybercrime, 2

Data Collection blade, 39

Disk Encryption, 37

endpoint protection, 53

error codes, 173

event hub for SIEM, 122

IC3 (Internet Crime Complaint Center), 1

IExpress self-extractor, 29

Incident Playbook, 162

Linux agents, 27

Log Analytics, 83

Log Analytics workspaces, 19

Nitol botnet, 2

Notepad++, 170

OWASP documentation for cyberattacks, 68

playbook integration with Slack, 97

Privileged Access Workstations, 10

RBAC (role-based access control), 23

SDL (Security Development Lifecycle), 68

security alerts, 75, 77

Splunk integration solution, 139

SQL database threat detection, 66

threat intelligence map, 159

VAs (vulnerability assessments), 36

Welcome to Azure Policy blade, 46

WER (Windows Error Reporting), 19. See also error codes

whitelisting, 111–114

WinZipper Trojan, 4

workflows, creating for playbooks, 91–94

workspaces

changing defaults, 166

computers and VMs, 165–167

creating, 19, 164–165

data retention, 23

and data storage, 19

ID and primary key, 29

monitoring, 141