Azure Security - Day6 - Operations And Risk

Author: Teri Radichel © 2025 2nd Sight Lab
Azure Security
Day 6: Operations & Risk

Original Copyright Notice
All Rights Reserved.
All course materials (the “Materials”) are protected by copyright under U.S. Copyright laws and are the property of 2nd Sight Lab. They
are provided pursuant to a royalty free, perpetual license to the course attendee (the "Attendee") to whom they were presented by 2nd
Sight Lab and are solely for the training and education of the Attendee. The Materials may not be copied, reproduced, distributed,
offered for sale, published, displayed, performed, modified, used to create derivative works, transmitted to others, or used or exploited
in any way, including, in whole or in part, as training materials by or for any third party.
ANY SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
2

Updated Copyright Notice (2025)
All Rights Reserved.
All course materials (the “Materials”) are protected by copyright under U.S. Copyright laws and are the property of 2nd Sight Lab. They
are provided pursuant to a royalty free, perpetual license to anyone who follows Teri Radichel on social media, is subscribed to
her blog via email, or has purchased or been given a copy of her purchased book.
ANY SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please read this post before using these materials. Thank you!
Why I am giving away my class materials for free
https://medium.com/cloud-security/why-im-releasing-my-cloud-security-class-materials-for-free-86546c5a025b
2nd Sight Lab is now focused on penetration testing services. Reach out to Teri Radichel on LinkedIn for more information.
https://2ndsightlab.com/cloud-penetration-testing.html
3

Author: Teri Radichel © 2025 2nd Sight Lab 4
Day 6: Risk Management
Azure Resource Graph
Defender for Cloud
Security Assessments
Compliance
Defender for Cloud Apps
Azure Logging
Azure Monitor
Sentinel
Security Operations
Incident Response
Penetration Testing
Risk Management

5

Extends Azure Resource Management
Enables you to query all your Azure resources
Capabilities:
- Complex filtering, grouping, and sorting by resource properties
- Assess the impact of applying policies
- Query changes to resource properties
Queries are based on the Kusto Query Language (KQL)

az graph
Use the az graph
command to query
Azure resources
using Azure
Resource Graph
from the Azure
CLI.
Note that you’ll
need to install the
extension.

Azure CLI Example
Use all the usual tools.
This example shows
queries for resources
using the Azure CLI.
You’ll need to install the
extension first, and
then you can run
queries.

Query Azure Resource Graph with PowerShell
Install the Az.ResourceGraph
module.
Run commands to query for
resources.

Azure Resource Graph Explorer

Other Options
Many options exist for querying Azure resources.
Find resources with specific configurations and
properties.
Helpful for security professionals …and pentester
and attackers … looking for resources with security
misconfigurations and resources.

Defender for Cloud
12

Microsoft Defender for Cloud
Central point for security
management
- Continuous assessment
- Azure secure score
- Recommendations
- Alerts
Azure’s cloud native CSPM and
Security Monitoring Tool

Getting Started
Search for Defender
On the welcome screen choose
to enable advanced features or
skip.
Scroll down to view cost.
Enabled per tenant and per
subscription.

Overview Page
Default page
Overall security posture
Number of subscriptions, resources, recommendations and alerts.
Note that you can monitor other clouds.
Click on any item to drill down.

Subscription Hierarchy
When you click on
subscriptions
notice that they are
grouped in the
organization
hierarchy.
You could add an
AWS or GCP
environment here.

Workload Protections Dashboard
Click Workload Protections
Here you can view your
Defender for cloud coverage.
See which resources have
Microsoft protections enabled
or not.
Also see related security alerts.

Upgrade DNS Settings
Click Upgrade under any service you want to enable.
Check with subscriptions you want to apply the setting to and click Upgrade.

Updated Coverage
After applying coverage, refresh the page.
In a minute or so, the coverage numbers will update to show your coverage.

Overview Dashboard - Security Posture
Return to the main
dashboard. View top
recommendations on
bottom right.
Click Security posture.

Security Posture Details
A warning appears
when policies are not
assigned
View subscription
secure score
Link to
recommendations

Azure Secure Score
The higher the score, the lower the risk.
The percentage of non-compliant resources.
Note that the secure score is not weighted by a priority you control.

Recommendations
Click the recommendations link on the security posture page.

Get Secure Score with CLI
You can obtain your secure score with the Azure CLI.
You might generate automated reports or trigger actions based on findings.

Power BI Pro Users
Power BI is
Microsoft’s enterprise
solution for business
intelligence
Track secure score
over time if you have
a Power BI Pro
account

View Remediation and Apply

Exempt Resources from Policies
Note that you can exempt
resources from policies.
Ensure you understand
who can create
exemptions and how to
review and track them.
Note the warning about
cost.

View Exemptions
To view exemptions
view the “Not applicable
resources” for a finding.
You’ll see the resources
which are exempted
from the security
control along with a
reason.

View Recommendations for Resources
When viewing a resource click Defender for Cloud in the left menu.

Prioritize with Purview
You can prioritize actions based
on the sensitivity of your data
using integration with Microsoft
Purview.
Purview also has some security
assessment capabilities for
assessing handling of sensitive
data.

Enhanced Security Features
- Microsoft Defender for Endpoint (EDR)
- Vulnerability assessment for VMs,
container registries, and SQL resources
- Multi-cloud security and hybrid security
- Track compliance
- Machine learning recommendations
- JIT access
- Brute force and network attack protection
- Container security
- Threat protection

View Changes to Defender in the Activity Log

Windows Admin Center Integration
If your
organization uses
Windows Admin
Center you can
integrate with
Microsoft
Defender for
Cloud.

Track Policies and Initiatives
Initiatives (discussed in the last class) are groups of security policies.
Track compliance with assigned initiatives in Defender for Cloud:
- Built in Azure Baseline initiative
- Custom initiatives
- Compliance initiatives
Note that Azure users can disable policies to disable recommendations if
they have permissions.

View Policy Definition for a Finding

View Policy Settings
Click on
Environment
settings in
the left menu
to view
initiatives
assigned to
subscriptions
in your
tenant.

Edit Settings

Security Policy Settings
Here you can view
which security
policies and
initiatives are
applied to the
subscription you are
editing. This is
another way to get
to the information
we looked at in the
last class.

Asset Inventory
Click Inventory on the
left to view all your
cloud resources and
related security
recommendations.
Find unregistered
subscriptions as well.
Leverages Azure
Resource Graph.

Click Open query for Azure Resource Graph

Filter on different resources
Use the filter at the top to find resources such as installed applications.

Defender for Servers
To use Defender for Servers you’ll
use Azure Arc
We discussed Azure Arc in the last
class.
Choose from two plans with
different features.

Enable Database Protections
Select the a subscription.
Click Environment Settings in the left meu.
To protect all database types toggle the
Databases plan to On.
Optionally enable protection on certain
database types.

Enable Defender for Other Resources
Use a similar approach to enable Defender for Cloud for the following:
Key Vaults
Storage
Resource Manager
DNS
Alternatively:
Enable all

Defender networking
Query for network resources using the filter at the top of the list of
resources.

Network Map
Click Workload protections. Then click Network map.

Change the Network Map Filters
Get a visual map
of your networks.
By default you’ll
only see public
and networks with
high and medium
recommendations.
Adjust the filters to
see more.

View recommendations
Click the arrow to
the right to view
recommendations.
Inner circle: VNETs
Next: Subnetes
Outer circle: VMs
Lines Connect
Resources

Firewall Manager
Centralized firewall policy
management.
- Virtual WAN Hub
- VNets
- DDOS protection
- WAFs
Apply policies to firewalls
across multiple VNETs

Cross-Tenant Defender for Cloud
Use Azure Lighthouse to enable cross-tenant access to Defender

Automate Onboarding with Powershell
Follow the instruction in the
link in the slide notes to
automate the process of
onboarding subscriptions to
using PowerShell.

Other Class Sections Covering Defender
Find more details about Microsoft Defender for Cloud in these sections:
- Security Assessments
- Compliance
- Vulnerability Management
- Security Operations
- Incident Response

Security Assessments
53

Azure Security Assessments
What to assess:
- Azure Platform Configuration
- Operating Systems
- Containers
- Code, Authentication, Authorization, and Application Logic
- Network Architecture and Implementation
- IAM Design and Permissions for Users, Resources, and Applications
- Deployment and SDLC processes
- Security Operations and Processes
What you assess depends on the organization specific objectives.

CIS Benchmarks
Security Benchmarks for different platforms
Center for Internet Security
- Azure
- Operating Systems
- Docker
- Kubernetes
- Azure Kubernetes Service
Azure Policy and Defender

CIS Benchmarks Checks & Remediation
CIS Benchmarks
documentation explains how to
check each setting and how to
remediate the problem.
Some tools offer auto-
remediation such as VMWare
CloudHealth.

Are the CIS Benchmarks Enough?
Azure Foundation CIS Benchmarks: 117
Azure Services: 201

Azure Security Benchmark
Azure Secure Score is
based on the Azure
Security Benchmark.
Maintained by Microsoft
so likely is updated more
frequently as services
change on the platform.
Assessments can leverage
this benchmark.

Cloud Adoption Framework
The Cloud Adoption Framework
is designed to help customers
moving to the cloud come up
with an appropriate strategy.
The framework also covers
antipatterns, or things you
shouldn’t do when moving to
Azure. An assessment might
evaluate companies against
these issues.

Azure Well-Architected Framework
An assessment may include evaluating an environment against the Well-
Architected Framework.

Azure Best Practices
Azure offers a number of security
patterns for common scenarios.

Cybersecurity Reference Architectures
A security
assessment can
compare a
customer
implementation
against the
Microsoft
Cybersecurity
Reference
Architecture (MCRA)

Azure Security
Best Practices
White Paper
PDF document with best
practices and
implementation.

TOC - Good list for auditing

TOC Cont’d

Azure Security White Papers

Use Microsoft Defender for Assessments
Leverage Microsoft Defender for Assessments

az security assessment

What else might assessments cover?
Sensitive data management
Service specific details
Policy Management and Gaps
Network architecture, traversal, and attack paths
Application security and architecture
Deployment system architecture
IAM and credential architecture
Monitoring and alerts
Backup architecture and testing
Incident Response Processes
DR & BCP

CSA Guidance: CAIQ
The CSA offers an
assessment
questionnaire for cloud
providers (CAIQ).
Can revise to use the
questions internally.
You can also review
Azure’s CAIQ.

Open Source Tools
Some open source
tools can help with
security assessments.
CloudSploit is one that
works with Azure.
Other tools in the
notes.

Commercial Third-Party Tools
Many third-party tools for assessments and CSPM.
Some only check CIS Benchmarks.
Some work better for internal teams than external assessments.
When assessing a customer environment, consider where data gets stored.
If stored in a third-party cloud may need permission first.

Write your Own Queries
The cloud is a huge metadata database as mentioned earlier.
Many options to write your own queries in your language of choice.
Answer questions the other tools don’t answer.
Analyze data in unique ways.
Write your own open source tools!
Offer customers a unique perspective.
Customized reporting aligned with specific organizational objectives.
- Azure Graph
- CLI commands
- Powershell
- Data from Microsoft Defender

Vulnerability Management
74

Azure Cloud Vulnerabilities
From the Microsoft Vulnerabilities Report
2022 by Beyond Trust:
30 Vulnerabilities in Microsoft Azure in 2021
Sign up for Microsoft Security
Notifications
Monitor the news and security research
sources for vulnerabilities.

Approaches to Vulnerability Management
The latter is clearly better but you’ll still need a combination of both.
Insert vulnerability scanning and checks into your deployment pipeline.
Scan for vulnerabilities that may already exist or come to light later.
“Shift left” to find vulnerabilities during the development process.
Two approaches to vulnerability management
Reactive: Find Vulnerabilities that exist on systems
Proactive: Block vulnerabilities from entering your environment (better).

Checks in the Deployment Pipeline
Containers and code don’t run agents - test externally.
Developers should perform code reviews and do initial testing.
Leverage security-trained QA teams and pentesters for logic vulnerabilities.
Scanners can’t find everything!
SAST Static Application Security Testing. Scan the code.
DAST Dynamic Application Security Testing. Scan running app, no code.
IAST Interacts with the application. Provides line of code causing error.
RASP Integrated into the application to monitor for vulnerabilities.

Container Scanning
Microsoft Defender offers
container scanning integrated
with the Azure Container
Registry. Scans occur:
- On push
- Containers pulled in last
30 days
- On import
- Continuously in some
cases

Kubernetes Scans
Defender for cloud also offers scans
for Azure Kubernetes deployments.
Monitor for errors based on MITRE
ATT&CK for Containers and the
Center for Threat-Informed Defense.

GitHub Advanced Security
GitHub Advanced Security offers:
Code scanning
Secret scanning
Dependency review
Configuration review
Integrates with
Azure DevOps

Vulnerability Prevention Through Policies
In the last class we discussed Azure Policy and Azure Arc.
Leverage services such as those to prevent unwanted configurations and
vulnerable software from entering your Azure environment.
With Azure DevOps leverage YAML templates to prevent unwanted
configurations from entering your environment.
Apply Github Policies to your source code repositories.

Microsoft Defender 365
Microsoft documentation:
Microsoft 365 Defender is a unified pre- and post-breach enterprise defense suite that natively coordinates
detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide
integrated protection against sophisticated attacks.
For now we’ll look at Microsoft Defender Vulnerability Management.
Primarily an on-premises tool but can integrate systems with Azure.
Requires Microsoft Intune or Microsoft Endpoint Configuration Manager.

Microsoft Defender Vulnerability Management
Offers:
- Asset discovery & inventory
- Vulnerability & configuration
assessment
- Risk-based prioritization
- Remediation
Offers APIs for automation and
integration.

Plans & Azure Arc
A number of plans exist for
Defender resources
Integrate these servers with Azure
Arc for free.
Applying policies costs money.

Integrated with
Microsoft Defender
Vulnerability
Management.
Leverages the Log
Analytics Agent on
Azure VMs or Arc
Enabled Machines.

View Vulnerabilities in Defender for Cloud
This
screen
shows
integratio
n with
Microsoft
Defender
for
Endpoint.

Remediate Vulnerabilities
To remediate
vulnerabilities, view the
detail pane and then follow
the remediation steps.
If you have automated
deployments with
automated updates, you
can redeploy the system or
code to get get updates.

SQL Vulnerability Assessment
Microsoft offers similar vulnerability assessments for SQL databases.

Compliance
89

Azure Compliance
Azure offers guidance
for compliance with
many different
standards and
regulations.
Part of the
compliance will
belong to Azure due
to the shared
responsibility model.

Choose Standards on Compliance Dashboard
Choose a standard to
understand how you can
comply with it on Azure.
Find out how Azure
complies with the
standard.
Links to customer
responsibilities and
blueprints.

View Audit Reports for Azure
Log into the Azure Portal.
Click on the link in the slide
notes to get to the Audit
Reports blade.
Choose a compliance standard
and download the associated
audit report.

Azure Security Benchmark Compliance Mappings
Azure has added mappings from the
Azure Security Benchmarks to CIS,
NIST, and PCI-DSS.
Drill into benchmark details to see
the alignment of a particular
benchmark with the related security
control in the other compliance
frameworks or standards.

Azure Blueprints
Microsoft provides some
Azure Blueprints to help
customers comply with
standards.
Azure Blueprints were
covered in the last class.

Compliance Strategies
Customers should strive for security in any environment.
However, to reduce the time and cost associated with audits:
- Leverage organizational hierarchy.
- Put resources requiring compliance in separate tenants, management
groups, or resource groups.
- Consider stricter policies that disallow non-compliant resources to those
groups.
- Restrict network and IAM access to these environments to the minimal
requirements to reduce risk of non-compliance.
- Restrict assets requiring compliance from deployment in other groups.

96

Microsoft’s version of a CASB
Cloud Access Security Broker
Monitors certain types of logs and API calls
Helps IT teams find Shadow IT
Discover SAAS applications in use
Who’s using them
Create policies
Competes with more popular tools like Netskope and McAfee

Logging
98

Issues with Logs on Azure
Many logging issues need to be addressed in Azure environments:
- Security teams are not aware the logs exist or do not have access.
- Developers and DevOps teams do not enable logs for all services.
- Logs are not fed into security systems used to track security events.
- Logs on ephemeral resources disappear on termination.
- Short-lived resources don’t configure or enable logs.
- Developers do not log sufficient information in applications.
- Difficult to track transactions and flows in microservices applications.
- Logs are not always real time…or complete…test before you need them.

Types of Logs on Azure
Logs exist at different layers within the cloud platform.
Control / Management Logs: Azure Activity and Audit Logs
Data Plane Logs: Diagnostic Logs related to Azure Resources
Processed Logs: Microsoft Defender for Cloud Logs and Alerts
Remember to capture all log sources you might require.

Activity Logs
Operations
performed on
resources in
your
subscriptions
on cloud
resources
Control Plane

Resource Logs
These are the logs we
configured for specific
resources earlier in class
when we altered the
diagnostic settings.
Data Plane.

Azure AD Audit Logs
Changes to tenant
User, Group, and Application Management

Azure AD Sign-In Logs
Track who has
signed in, failed
and anomalous
sign-in attempts.

VM Insights
Click on a VM. Click Insights on the left.
You will need to associate it with a workspace if the VM is not already.
Click Enable.

View VM Insights Details
After about 10
minutes you’ll be
able to view your
VM insights.

VM Log Agents
Azure Monitor Agent: Sends data to Monitor Metrics and Logs.
Log Analytics Agent: Sends data to Azure Monitor Logs. Same agent for
Systems Center Operations Manager.
Dependency Agent: Processes on machine and dependencies.
Azure Diagnostics Extension: Can send data to Event Hub and Storage
It seems that the Azure Monitor Agent will eventually replace others.

Azure Storage Insights
Enable Storage
insights similar to
the way we just
enabled VM
Insights.
Navigate to your
storage account
and click Insights
in the left menu.

Azure NSG Flow Logs
Enable
Network
Security
Group (NSG)
Flow Logs to
get standard
net flow
network
traffic logs.

Packet Capture
Navigate to
Network Watcher
Click Packet Capture.
Add.

Virtual Network Tap
Stream VM traffic to a network
packet collector or analytics tool
Requires a partner solution for
aggregating the TAP traffic in
the same Azure region and
tenant
Peering must be enabled in
advance

Other Network Watcher Tools
Network Watcher
offers a number of
other tools, some
discussed earlier in
class.
Monitor and
troubleshoot network
connections.

Azure SQL Audit Logs
Azure SQL offers audit logs
including logging actions by
Microsoft support.
You’ll probably want to turn all this
logging on if you have important
data in your database.
Different options exist for sending
logs to different data stores.

Diagnostic Logs for Every Service
Every service has logs.
These are log types available from the Azure App Service.

Azure DNS Metrics and Analytics
Azure does
not provide
detailed DNS
logs but does
provide
metrics
related to
DNS queries.

Azure AD Integration Logs
When integrating with Azure AD or from the cloud to on-premises verify you
get all the logs you need.
While testing a new service in preview on Azure error messages did not
appear in any error logs.
Azure admitted later that there was a bug with the service but make sure
that the services work as expected and all logs are present that may be later
required - including detailed errors with the IP that generated them!

Azure Monitor
117

Azure Monitor
Performance and
availability of
applications.
Applications may run
on ephemeral
resources.
Storage, visualization,
analysis.

What can you monitor
The Azure monitor reference page
lists all the things you can monitor
with Azure Monitor.

Azure Monitor in Azure Portal
Azure monitor
consolidates
certain types of
logs. We’ve
already looked at
some of the
insights you can
configure which
get sent to Azure
Monitor.

VM Insights
We previously enabled VM Insights on a VM.

Storage Account Insights

Network Insights

Application Insights
Application Performance Monitoring for Web Apps
A number of platforms including: .NET, Node.js, Java, and Python.
On-premises or any cloud
Add an instrumentation package (SDK) to app.
Sends telemetry data to Azure Monitor.
- Azure App Service
- VMs
- Scale Sets
- Functions
- Containers

Network Requirements
Second group of domains only required when making changes.

Azure Monitor Insights Hub
Monitor all the
things…

Azure Monitor Workbooks
Azure Monitor Workbooks
allow you to visualize your
data in different ways.
Workbooks are based on data
collected in Azure Monitor.

Choose a template from the gallery.
Pre-defined
workbook
templates
you can use
as-is or
modify to
meet your
needs.

Edit a template.
Click the edit button to edit
a template.
Refer to the link in the
notes which has details for
editing a template and a
demo video.

Sentinel
130

Sentinel
Sentinel is a cloud-hosted SIEM and SOAR solution.
SIEM: Security information and event management
SOAR: Security orchestration automation and response
Allows security teams to:
- Collect security information
- Detect threats
- Investigate
- Respond

Navigate to Sentinel. Click to Create.

Add a workspace

Click to Connect to Collect Data
The first step will be to send data to your SIEM.
Click Collect data to send data to Azure Sentinel.

Choose the data you want to connect.

Add a Workbook

View Your Workbook
Now you can
view your
workbook.
You could add
other
workbooks,
customize this
one, or create
your own.

View your workbooks

Threat Hunting
Create queries
to find the
security IOCs
you seek. Run
them and save
them for later.
Microsoft
provides some
default queries.

Analytics
Create custom
queries to find
security events
and incidents.
- Click Analytics
- Click +Create
- Choose
Scheduled query
rule

Enter general information for your rule

Add a rule query
You can click on the options to the right to use a prior query.
Here the query to select our anomalous logins is selected. Test your query.

Enter a schedule
Here we’ve selected to run our
rule every 5 minutes for data in
the past 5 hours.
Note that we’ve also selected to
turn this rule off as soon as a
match is discovered so we don’t
generate a multitude of alerts.
Click Next.

Create an incident
Choose to create an
incident when your rule
has a finding.
Click next.
Choose all of the rest of
the defaults and create
your rule.

View your findings
Now your rule shows up on the Analytics blade.

Built-in Rules
You can also
choose from
pre-existing
rules.
Click on
Rule
templates.

Incidents
Click on Incidents.
After your rule
runs and matches
log data you’ll have
an incident.
Click on it.
View possible
actions.

Entity Behavior
As logs are collected, baseline behavior is parsed from the logs.
The Entity Behavior function of Sentinel then detects anomalous behavior.

Threat Intelligence
Define IOCs.
Connect to
STIX/TAXII or a
threat intelligence
platform to Sentinel.
Use workbooks to
view intelligence
data.

Content Hub
The Microsoft
Sentinel Content Hub
provides a myriad of
information to help
you get started.
Choose from data
connectors, parsers,
workbooks, sample
rules, and more.

Notebooks
Use Jupyter
Notebooks and
machine
learning in your
threat hunting.
Requires
massive
amounts of data
to be useful.

Repositories
Link to your
source code
repositories to
deploy custom
content.
Consider: Where
are your
credentials
stored to make
this work?

Watchlist
Create a watchlist containing assets or identities you want to monitor.

Automation
Automation is the
SOAR portion of
Sentinel. Create
automated
responses and
workflows to
respond to security
incidents and
events.

Security Operations
156

Security Operations in Azure
SOC processes are
generally the same
as on-premises,
though the tools
change.
One difference is that
it is easier to
automate responses
on a cloud platform
compared to on-
premises.

Cloud Operations Tools
Azure Monitor
Azure Automation
Azure Backup
Azure Site Recovery
Azure AD
Azure Activity Log
Azure Diagnostic Logs
Azure Network Watcher
Cloud Service Provider Transparency
Azure offers a number of
tools to help with operations
in general.
Some of these tools are also
helpful and relevant for
security teams.
We have discussed most of
them already.

Understand What You’re Looking For in Logs
Use resources such as
those already mentioned
in class such as the
Verizon Data Breach
Investigation Report to
understand top threats.
This slide shows at MITRE
ATT&CK Cloud Matrix
which tracks cloud
threats.

MITRE ATT&CK in Sentinel
Click MITRE
ATT&CK (Preview)
in Sentinel.
This screen allows
you to visualize
coverage for
detecting MITRE
ATT&CK threats.

Sample analysis of a cloud threat
When the Solar Winds attack
occurred, I noticed immediately that
the C2 channel was hosted on AWS.
This led to a high level analysis of the
breach, what caused it, and what
could have prevented it.
Note that I linked to deeper dive
analysis because sometimes that level
of detail is not necessary to prevent a
breach.

Threat Hunting
Security operations will likely want access to any logs related to security.
Perform threat hunting on logs and alerts to find suspicious activity such as:
- Repetitive failed logins
- Repetitive blocked network connection attempts
- Excessive connections, long connections, repetitive beacon connections
- Monitor for unexpected and unwanted configuration changes.
- Web application attack alerts from WAFs and other monitoring tools.
- Risky activity alerted by cloud native and other security tools.
Define a process for evaluating and reporting security problems.

Example: ID Risky Accounts
Monitor risky actions with
Azure AD identity protection.
Evaluate:
- Risk detections
- Other risks triggered at
the same time
- Sign-in attempt location
- Link to more detail

Ransomware Defense
Microsoft provides
ransomware
guidance and
explains how
Sentinel provides a
complete view of a
kill chain.
See link in notes.

SOC Sentinel Workbooks and Notebooks
Workbook: 14
Processes and
36 Procedures
for
operationalizing
Sentinel and
applying a SOC
methodology
Notebook for
threat hunting.

Email Notifications
Manually or programmatically configure email alerts

Monitor the Azure Status Map & Down Detector

Investigating an anomaly in Sentinel
Data Source Anomalies listed on the Overview screen. Drill down.

Query Logs for Related Events
Query the logs
for related
events.
View the details.
In this case the
logins come from
the managed
identity created
earlier in class.

Azure Log Analytics
Navigate to
Azure AD.
Click Log
Analytics and
run a query.
Find the
corresponding
logs.

Check the Sign-in logs
Query for
managed
identities sign-ins.
Find
corresponding
logins.
Note the resource:
Azure Key Vault.

Navigate to Managed Identities
Click Activity log
Change timeframe

Review activity for this managed identity
All these events were generated by a user, not the managed identity.

Check the Key Vault Activity Log
No activity here
by the managed
identity either,
even though the
resource says Key
Vault.
What next?
Ask support…

Incident Response
175

Incident Response
Determine that an event is actually a security incident, then respond.
Most of the fundamentals of the process are the same.
What changes about IR on Azure:
- You don’t have access to the full stack for investigations.
- You may be counting on Azure for some aspects of an incident.
- How you capture memory and disks for forensic analysis.
- No ability to perform memory or data capture on terminated resources.

If you are new to IR, Microsoft guidance

SecOps Planning for Incident Response
The first step for incident
response: Planning
For those new to IR
Microsoft documentation
provides guidance to
develop and define an
incident response plan.
Sample consideration to
the right.

Incident Response Activities
Microsoft provides this chart that covers activities with Microsoft 365
Defender. A similar approach would apply with Microsoft Defender for Cloud.

Investigate Incidents in Sentinel
The link in the notes explains how to investigate incidents with Sentinel

Responding to Defender Alerts
Take Action Tab:
Inspect Context
Mitigate the Threat
Prevent Future Attacks
Trigger Automated Response
Suppress Similar Alerts

Sentinel Automation Rules
Automate incident response.

Choose triggers, conditions, and actions

Incident Response Playbooks
Plan ahead for steps to
take when an incident
occurs.
CISA provides a
generalized IR Playbook
which you can find in the
notes.
Use automation
whenever possible.

Sentinel Playbooks
A playbook on Sentinel is a group of automation rules that work together.
Run playbooks automatically or on demand.
Based on workflows built with Azure Logic Apps.
Sentinel playbook templates (in preview) provide sample playbooks.
Find more playbooks in the Azure-Sentinel GitHub Repository.

Simuland
Open-source tool
to help security
researchers stand
up labs and test
the effectiveness
of detections on
Defender and
Sentinel.

Azure Security Benchmark IR Best Practices
Create an IR Guide
Create a scoring and prioritization procedure
Test security response procedures
Provide security incident contact details and configure alert notifications
Incorporate alerts into your incident response plan
Automate the response to security alerts
See the link in the slide notes for documentation on each point.

Build a VM for incident response
Consider building a VM for incident response.
Automate the process for building the VM and updating the tools on it.
Leverage the VM in a dedicated resource group and network.
Better yet, use a separate management group and restrict access.
Microsoft offers step by step guidance in the link in the notes.

Memory Dumps
Similar in some cases, different in others
Some considerations include:
- Once a VM is terminated it’s gone and there’s no way to get it back.
- Snapshots (backups) have different levels of consistency.
- Functions and other short-lived resources may no longer be available.
See resources in notes for memory capture on different types of resources.

Azure support
For some security incidents, you
may need to log a ticket with
Azure Support to obtain
assistance.
The link in the notes covers how
to log a security event support
ticket.

Penetration Testing
191

Rules of Engagement

Azure Scope

Rules of Engagement
Understand the rules you need to follow for pentesting on Azure

Bug Bounty Reports

Pentesting Differences on Azure
Resources are ephemeral; IPs are not consistent.
Many companies don’t have a specific range of IP addresses.
Even those that do leverage BYOIP may have resources not in that range.
Tests are often not scoped by IP address but one of the following:
- Account
- Tenant
- Management group
- Subscription
- Resource group
- Domain names

Leverage Security Assessment Tools
Leverate all the tools mentioned in the security assessment section.
All these tools can find security misconfigurations.
One of the primary sources of data breaches - exposing data to the Internet.
Types of data and administrative exposure:
- Storage resources exposed publicly
- VM and other backups exposed to the Internet
- Databases exposed to the Internet
- Kubernetes and other dashboards
- Administrative ports exposed to the Internet (brute force, vulns)

Applications are the Doorway to the Cloud
Resources in the cloud are assigned permissions to take actions.
An attacker that accesses a resource may be able to use those permissions.
Many ways to leverage those permissions:
- SSRF
- Access to the host to run commands
- Redirect to metadata to obtain credentials
- Access credentials in memory
- Command injection
- Improper authentication and authorization

Azure VM metadata
Azure metadata. Run this command:
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-
version=2017-08-01"
You must supply the correct API version. Run this to get a list of versions
curl -H Metadata:true "http://169.254.169.254/metadata/instance"
Powershell on Windows:
Invoke-RestMethod -Headers @{"Metadata"="true"} -URI
http://169.254.169.254/metadata/instance?api-version=2019-03-11 -Method get
199

Open Redirect to Access Metadata
One of the ways attackers access the metadata service in the cloud is via an
Open Redirect.
Anywhere an application redirects to another URL may be subject to an open
redirect.
For example:
https://website.com?url=https://attackerurl.com
Or
https://website.com?url=http://169.254.169.254/metadata/instance

DNS Rebinding
DNS Rebinding can get
around firewall rules
by leveraging a DNS
server that changes IP
addresses for DNS
names during the
course of an attack.
Attackers can redirect
to the metadata
service.

Network Interfaces
Virtual Machine hosts can have one or more virtual network interfaces.
Multiple network interfaces could lead to data exfiltration….
202

Replay Attacks on SAS
Many cloud services offer time-limited access via a URL
Azure Blob Storage does this.
Sometimes the URL method of authenticating access causes problems.
In one pentest, a website used this method for file upload.
The website tried to prevent malicious uploads, but bypass was possible.
Malware could then be uploaded directly to storage.
View a longer explanation in 2020 RSA presentation by Teri Radichel in notes.
203

Injected code and containers
Try to insert a malicious code or container into the deployment pipeline.
204

Container Vulnerabilities
Check for container exploits that could be leveraged in an attack.
205

Kubernetes UI Misconfigurations
Kubernetes
dashboards exposed
or leveraged in an
attack to obtain
access to and
manage Kubernetes
configuration and
resources.
206

Kubernetes shell
207

PID1
The first process started by the Linux kernel gets PID 1
Running a container as PID 1 exposes all processes on the host to the container
Allows for container escape.
208

Docker Socket
Docker socket is a unix socket to which Docker commands are sent.
Again, this opens up a path to run commands remotely.
Tools like Portainer make use of this capability.
209

var/run/docker.sock
The owner of var/run/docker.sock was root (now you can run rootless)
Mounting var/run/docker.sock inside a container may give root access
Sample Exploit. Privileged option is not necessarily required.
210

Mapping root folders
211

Docker Layers and Squashing
Docker builds in layers each time you make a change and create an image.
If you have some sensitive data in prior layers, it can be exposed.
Squashing tries to hide prior layers - lose cache - but no prior secrets, etc.
Experimental - may not work on Windows.
212

Privilege Abuse and Escalation
Understand how attacks
such as the Solar Winds
breach leveraged
administrative credentials
to create additional
permissions.
See if credentials can
create resources with more
permissions than their
own.

Serverless Attacks
- Ability to change code
- SSRF attacks
- Leveraging applications
- IDOR
- Container and function
escape on Azure (past
research was able to exploit
Azure functions
- Successful attacks on
penetration tests (see
notes)

Much more!
This section listed a few top attacks to test in a cloud environment.
There are many more.
Check prior cloud incidents, security breaches, and researcher findings.
Test applications thoroughly with and without credentials.
Check the specific configurations and functionality related to services.

Testing incident Response
Test your incident response process
Determine if your IR teams can spot an attack
Microsoft offers Red Team guidance in the link in the notes

Other Pentesting Tools and Tactics
Many other penetration testing tools for Azure exist.
You can find many of them with a GitHub search…
But before your use them, review the code.
Make sure you know what they do!
In some cases attack lists contain attacks that redirect your attacks to
another person’s attack site!
The links in the notes offer some additional resources.

Risk Management
218

How can we manage risk in the cloud?
Azure provides many risk management capabilities.
- Inventory by default
- Policy management
- Configuration management
- Security score
- Track security incidents and events
- Automated deployments
- Workbooks, third-party tools, and custom reports
Leverage these tools to monitor and measure risk. Then reduce it.

Policies and Risk
The first step to managing risk is to define what drives risk.
Then create policies to reduce it.
Once you have policies in place, measure what is and is not compliant.
Azure policy allows you to block and alert on non-compliance.
Leverage the non-compliance to policies to report on risk.
Track time to remediate and put a time-limit on exceptions.

Continuous Assessments
Many security assessment checks and scans can be automated.
Run a continuous assessment that reports on risk levels.
Track risk over time to see if it is going up or down.
Use risk tracking to Introduce new policies and controls.
Work to automatically remediate issues where possible.
Leverage penetration tests to validate your scans work!

Consider the validity of your metrics
Number of findings doesn’t work when assets are increasing.
You will never be 100% compliant.
99% compliance is great but not if your most critical asset is exposed.
Consider relevance in relation to recent data breaches and attacks.
Strive to fix things quickly over fixing nothing due to categorization.
Chained vulnerabilities and cumulative risk increases individual risk items.

Continuous Reporting and Improvement
Define key metrics to evaluate that increase risk:
- Configurations that cause data breaches and incidents
- Architecture that increases blast radius
- Visibility gaps that prevent timely discovery of security events
Create a high-level summary of risk findings for executives
Provide detailed backup with actionable fixes
Continuous improvement by fixing findings
Automated policies and remediation for greater efficiency
Track your progress over time - is risk increasing or decreasing?

Summary
Query cloud resources to find non-compliance or unwanted configurations
Vulnerability scanning strategies
Resources for security assessments and penetration tests
Use Microsoft Defender for Cloud - Security Dashboard:
- Track compliance with azure Secure score and initiatives
- Service specific scans and reports
- Integration with Azure Arc, Defender for Cloud Apps (CASB)
Types of Azure logs and Azure Monitor to view and query logs
Incident investigation and response with Azure Sentinel (SIEM and SOAR)
Risk management and metrics through continuous assessment and
reporting

Azure Security - Day6 - Operations And Risk

More Related Content

Similar to Azure Security - Day6 - Operations And Risk

More from 2nd Sight Lab

Recently uploaded

Azure Security - Day6 - Operations And Risk

Editor's Notes