ARM template for Azure VM with Guest Configuration

I’ve recently received some questions about Azure Policy Guest Configuration and about an ARM template to deploy the prerequisites needed to work with the feature.

In this article, I’d like to share an ARM template that deploys the Azure Policy Guest Configuration extension.


Posted in Governance & Compliance

Quick look at new Azure Sentinel Incident API

I got some questions from people who had worked with the Microsoft product team about the new incident API they were introduced to. I took a glance at it and thought I should write something about it, and in particular I wrote a new script to work with the new Azure Sentinel Incident API.

This article gives some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this earlier article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) still works, by the way.


Posted in Security Automation

Quick notes in deploying Guest Configuration Extension on Azure VM

Azure Policy Guest Configuration allows you to audit configuration inside the host. It sounds very similar to Azure Automation Account Desired State Configuration (DSC). In fact the concept is similar to DSC, but Azure Policy uses a dedicated agent called Guest Configuration.

This article gives you a quick note on deploying the Guest Configuration extension manually.


Posted in Security Automation

Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM

There are discussions around a new CVE, CVE-2020-0796, which Microsoft indicated is a remote code execution vulnerability in the SMBv3.1.1 compression feature. People working in Azure environments have been asking me what to do.

The purpose of this article is not to dive into the vulnerability. Instead, it hopefully gives you some notes about it, specifically for workloads deployed in the Azure cloud.


Posted in Security Operation

Filter Azure Security Center alert name in Azure Sentinel incident rule

In the past we learnt how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center can become an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you wouldn’t want to see them in the Azure Sentinel Incident page.

While waiting for the Azure Security Center Auto-Dismiss feature to come out, you have a few options. In this article, let’s take a quick look at a simple filtering feature in the Microsoft incident creation rule to filter alerts.


Posted in Security Operation

Alert Grouping feature in Azure Sentinel

One of the things SecOps folks need when working with Azure Sentinel is the ability to group all alerts that share similar characteristics into a single incident, in order to manage and respond to them better. Take for example the Traffic detected from IP addresses recommended for blocking alert, or Access from an unusual location to a storage account, either of which may trigger a false positive incident in a specific use case.

In this article, let’s have a quick look at the Alert Grouping feature in Azure Sentinel to group alerts into a single incident.

Posted in Monitoring & Detection

Add custom Azure Policy to Azure Security Center Recommendation

You may know that Azure Security Center recommendations are powered by Azure Policy, and that you can disable recommendations that are not applicable to your environment. Along with that, you can even add a custom Azure Policy to Azure Security Center recommendations, so you have a single pane of glass for your security posture in one place.

In this article, let’s see how to add a custom Azure Policy to Azure Security Center Recommendations.

Posted in Governance & Compliance

Export virtual machines with ASC monitoring agent issue

There is a recommendation named “Monitoring agent health issues should be resolved on your machine” in Azure Security Center that provides you a list of unhealthy resources (of the virtual machine resource type). There are several reasons that can cause an unhealthy monitoring state on your virtual machines.

You may wonder whether there is a way to get all the unhealthy virtual machines along with their monitoring state without opening the Azure Portal. In this article, let’s see how to export all unhealthy virtual machines and their corresponding monitoring agent state.


Posted in Monitoring & Detection

Enable Microsoft Defender ATP integration in Azure Security Center programmatically

If you have worked with Azure Security Center and Microsoft Defender ATP (Advanced Threat Protection), you may know of a setting in Azure Security Center called Threat Detection, where you can allow Microsoft Cloud App Security (MCAS) or Microsoft Defender ATP to access your data.

In this article, let’s see how we can programmatically enable the integration instead of going to the Azure Portal to tick the checkboxes.


Posted in Azure Security Center, Security Automation

Threat Detection for Key Vault in Azure Security Center

From this article you may realize that you can enable the Key Vault pricing tier in Azure Security Center; however, you wouldn’t see it in the Azure Portal UI. Microsoft released Threat Detection for Azure Key Vault in Azure Security Center in Public Preview a few days ago. With this capability, Azure Security Center can detect whether a Key Vault is accessed from a TOR exit node, or any other kind of anomalous activity on your key vault.

In this article, let’s try to simulate such activity and see what you can get from the alert.


Posted in Azure Security Center