Quickly test Microsoft Sentinel REST API

There are several ways to test the Microsoft Sentinel REST API with the GET method. You can test it directly (via the Try It button) on the REST API docs page. Postman is another option.

I have developed a simple PowerShell script to help you test the Microsoft Sentinel REST API. The script covers the most commonly used APIs, including alerts, incidents, threat intelligence, watchlists, bookmarks and connectors.

Posted in Security Automation

Create an alert with custom entity mapping using Microsoft Sentinel REST API

As you may know, the latest stable Microsoft Sentinel Alert API version 2020-01-01 doesn’t allow you to create an analytics rule that includes custom entity mappings, custom details or an incident grouping configuration. That isn’t very helpful if you want to do more with the analytics rule or copy test rules over to a new Microsoft Sentinel workspace. Fortunately, Microsoft has been working on a newer API version to help you enrich the analytics rule.

In this article, I would like to share with you the latest script for creating an analytics rule that includes custom entity mapping or an incident configuration.

Posted in Security Automation

Migrate alert rules to another Azure Sentinel in the same tenant

In a large deployment, having a non-production environment to test Microsoft Sentinel analytics rules is recommended. When everything is ready, you need to copy your rules over to the production environment.

This article provides a script to help you get the copy done. The script currently has several limitations that you need to be aware of.

Posted in Secure Development, Security Automation

Azure Sentinel Threat Intelligence API

Microsoft Sentinel (formerly Azure Sentinel) has a feature that allows you to create and manage custom Threat Intelligence (TI) indicators, also known as IoCs (Indicators of Compromise).

Avid readers have asked AzSec to write something about the Microsoft Sentinel REST API for Threat Intelligence. To give back to the community as a Thanksgiving gift, this article shares the latest script for creating a new TI indicator in Azure Sentinel.

Posted in Secure Development, Security Automation

Count number of VMs & VMSS by OS type with Resource Graph Explorer

As part of SOC work you may want to check the number of VMs or VM Scale Sets in your Azure environment by operating system type so you can report to the InfoSec lead. It also helps you plan security patching better.

This article simply shares a simple Resource Graph Explorer query to get the job done.

Posted in Governance & Compliance, Security Operation

Trigger an on-demand Azure Policy evaluation scan at Management Group scope

If you are working with Azure Policy you are probably familiar with the on-demand Azure Policy evaluation scan that Azure allows you to trigger. Currently, you can only trigger the compliance evaluation for your current subscription context or for a resource group. If your policy is assigned at a management group that contains many subscriptions, triggering the compliance scan for every subscription manually is painful.

In this article, let’s see how we can get the list of subscriptions under a management group and trigger Azure Policy compliance evaluation at management group scope.

Posted in Governance & Compliance, Security Automation

Get Vulnerability Assessment Setting of Azure SQL Server in tenant with PowerShell

Enabling and configuring the vulnerability assessment (VA) feature on Azure SQL Server is needed in an environment where security and compliance are strictly enforced. Now the InfoSec lead asks you to provide the status of the VA configuration on all of your Azure SQL Servers.

This article is NOT about how to audit the VA setting, which can be done quite easily with Azure Policy. It simply shares a PowerShell script that retrieves the VA settings so you can verify whether each of your Azure SQL Servers has VA configured and which storage account it uses to store the VA scan results.

Posted in Governance & Compliance, Security Automation

Deploy Microsoft Defender for Servers via VM ARM template

Microsoft Defender for Servers offers Azure VMs a capability to help detect threats and add additional defenses. Currently it is supported on both Windows and Linux.

In this article, let’s quickly check whether we can deploy the MDE agent via an Azure ARM template.

Posted in Security Automation, Security Operation

Laterally move by abusing Log Analytics Agent and Automation Hybrid worker

An Azure Automation Hybrid Worker is used to manage Azure resources in a local environment where compliant connectivity is needed. Normally a hybrid worker needs a certificate installed on it so it can be authorized by Azure AD before it can perform any administrative tasks defined in the runbook.

In this article, we will look at a real-world scenario in which an attacker with a compromised Azure VM in a non-production subscription obtains Log Analytics workspace information, then tricks an Azure cloud administrator in order to move laterally to a production subscription and obtain a service principal credential.

Posted in Monitoring & Detection, Security Operation

Harvest credential from Custom Script Extension on Azure VM

Custom Script Extension is one of the most commonly used extensions for Azure virtual machine deployment. This extension allows you to execute a bootstrapping script during VM deployment to perform additional tasks. Those tasks may include Domain Controller onboarding, security sensor/agent installation or third-party software installation. While the extension is widely used, there is still a question: “Can someone do something to see my sensitive configuration or secrets, such as the AD domain join account I use in Custom Script Extension?”

In this article, we analyze how Custom Script Extension works in general and how credentials and secrets, if any, can be gathered from the extension.

Posted in Monitoring & Detection