Extract all Azure Sentinel incidents

After reading this article, a few readers asked me whether there was a way to extract all incidents from Azure Sentinel so they could build a report and send it to their managers.

In this article, let's see whether we can pull all incidents through the Azure Sentinel incident API and put them into a reader-friendly CSV report.


Posted in Security Automation | 2 Comments

Update Azure Sentinel incidents programmatically

There will be cases where you want to update Azure Sentinel incidents, namely their labels or assignment. For example, you might want every brute-force related incident to carry the label brute-force and to be assigned to the specific person or team responsible for handling such incidents.

In this article, let's explore the Azure Sentinel incident API a bit more and see how to update the labels and assignment of an existing incident, or of many incidents at once.
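The following is an added example, not code from the blog post: it pages through the Azure Sentinel incidents REST API (the same API both this post and the CSV-report post above rely on), flattens the incidents into CSV rows, and builds the PUT bodies that add a label and reassign every incident whose title matches a pattern. Assumptions are labelled in the code: the ARM endpoint, api-version 2020-01-01 of the Microsoft.SecurityInsights provider, the owner object shape, and a bearer token obtained elsewhere (for example with `az account get-access-token --resource https://management.azure.com`). The HTTP function is injectable, so paging and the update logic run offline against constructed pages.

```python
import csv
import io
import json
import re
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # assumption: stable api-version of the incidents API


def incidents_url(subscription_id, resource_group, workspace):
    """Collection URL of the incidents under a Sentinel-enabled workspace."""
    return (
        f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents?api-version={API_VERSION}"
    )


def incident_url(incident):
    """Per-incident URL: the 'id' returned by the list call is the full ARM resource path."""
    return f"{ARM}{incident['id']}?api-version={API_VERSION}"


def arm_request(url, token, method="GET", body=None):
    """Minimal ARM call with a bearer token; the body is JSON-encoded when given."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_incidents(url, token, fetch=arm_request):
    """Follow nextLink until the last page. `fetch` is injectable so paging is testable offline."""
    while url:
        page = fetch(url, token)
        yield from page.get("value", [])
        url = page.get("nextLink")


CSV_FIELDS = ["incidentNumber", "title", "severity", "status", "createdTimeUtc",
              "labels", "assignedTo", "incidentId"]


def flatten(incident):
    """Pick the report-worthy properties; the label list becomes one ';'-joined cell."""
    p = incident["properties"]
    owner = p.get("owner") or {}
    return {
        "incidentNumber": p.get("incidentNumber"),
        "title": p.get("title"),
        "severity": p.get("severity"),
        "status": p.get("status"),
        "createdTimeUtc": p.get("createdTimeUtc"),
        "labels": ";".join(label["labelName"] for label in p.get("labels") or []),
        "assignedTo": owner.get("assignedTo") or "",
        "incidentId": incident["name"],
    }


def to_csv(incidents):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    for incident in incidents:
        writer.writerow(flatten(incident))
    return buf.getvalue()


def update_body(incident, add_labels, owner):
    """PUT body that adds labels and (re)assigns the incident. Title, severity and
    status are resent unchanged because PUT replaces the incident properties, and
    the existing labels are kept so the update is additive."""
    p = incident["properties"]
    existing = [label["labelName"] for label in p.get("labels") or []]
    labels = existing + [name for name in add_labels if name not in existing]
    body = {"properties": {
        "title": p["title"], "severity": p["severity"], "status": p["status"],
        "labels": [{"labelName": name} for name in labels],
        "owner": owner,  # assumed shape, e.g. {"assignedTo": "...", "email": "...", "objectId": "..."}
    }}
    if incident.get("etag"):
        body["etag"] = incident["etag"]  # optimistic concurrency when the service returned one
    return body


def relabel_matching(incidents, title_pattern, label, owner):
    """(incident, PUT body) pairs for every incident whose title matches the pattern."""
    rx = re.compile(title_pattern, re.IGNORECASE)
    return [(inc, update_body(inc, [label], owner))
            for inc in incidents if rx.search(inc["properties"].get("title") or "")]


if __name__ == "__main__":
    import os
    token = os.environ["ARM_TOKEN"]  # assumption: token supplied via the environment
    url = incidents_url(os.environ["SUB"], os.environ["RG"], os.environ["WS"])
    incidents = list(list_incidents(url, token))
    with open("incidents.csv", "w", newline="") as fh:
        fh.write(to_csv(incidents))
    soc = {"assignedTo": "SOC Tier 1", "email": "soc@example.com"}  # constructed owner
    for incident, body in relabel_matching(incidents, r"brute.?force", "brute-force", soc):
        arm_request(incident_url(incident), token, "PUT", body)
```

Because PUT replaces the incident's properties, always read the incident first and resend what you do not intend to change; sending only the new label would otherwise drop the others.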


Posted in Security Automation | Leave a comment

What Blue Team needs to know about Run Script feature in Azure

Run Script (the Run Command feature of Azure virtual machines) is a great feature that lets a cloud system admin execute a command or script on a target virtual machine without RDP and without setting up PowerShell Remoting, which may not be allowed in your organization. Nonetheless, Run Script also lets a bad actor execute a malicious command if he has enough permission (the Microsoft.Compute/virtualMachines/runCommand/action permission, which the Virtual Machine Contributor role includes), and the command runs as SYSTEM on Windows or root on Linux, so it gets much worse if the malicious execution succeeds.

As a Blue Teamer working on Azure, you should have a deep understanding of how Run Script works, as well as how to detect it and trace what was run on a compromised virtual machine.
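As an added example that is not part of the original post, here is the detection side in code: Run Command calls show up in the Azure Activity log as the operation Microsoft.Compute/virtualMachines/runCommand/action, so the function below filters AzureActivity-shaped records for that operation, summarises who ran what on which VM from where, and flags successful executions by callers outside an allow-list or from outside the expected networks. The records are constructed, the field names (OperationNameValue, ActivityStatusValue, Caller, CallerIpAddress, ResourceId) are assumed from the AzureActivity schema, and the on-guest artifact paths are the extension's usual download locations, to be verified against your VM agent version.

```python
import ipaddress
from collections import defaultdict

RUN_COMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"

# Where the Run Command extension drops the script and its output on the guest
# (assumed layout, verify against your VM agent version). The Activity log tells
# you who ran something and when; the script body has to be recovered from here.
HOST_ARTIFACTS = {
    "windows": r"C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\<version>\Downloads\script*.ps1",
    "linux": "/var/lib/waagent/run-command/download/<n>/script.sh",
}

VM = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
      "/providers/Microsoft.Compute/virtualMachines/")

# Constructed sample: one execution by an admin from the corporate range, one by an
# unexpected caller from an unknown IP, one failed attempt, and an unrelated operation.
SAMPLE_ACTIVITY = [
    {"TimeGenerated": "2020-02-01T08:00:00Z", "OperationNameValue": RUN_COMMAND_OP,
     "ActivityStatusValue": "Started", "Caller": "ops-admin@contoso.example",
     "CallerIpAddress": "203.0.113.10", "ResourceId": VM + "web01"},
    {"TimeGenerated": "2020-02-01T08:00:05Z", "OperationNameValue": RUN_COMMAND_OP,
     "ActivityStatusValue": "Succeeded", "Caller": "ops-admin@contoso.example",
     "CallerIpAddress": "203.0.113.10", "ResourceId": VM + "web01"},
    {"TimeGenerated": "2020-02-01T23:41:00Z", "OperationNameValue": RUN_COMMAND_OP,
     "ActivityStatusValue": "Started", "Caller": "contractor@contoso.example",
     "CallerIpAddress": "198.51.100.77", "ResourceId": VM + "db01"},
    {"TimeGenerated": "2020-02-01T23:41:09Z", "OperationNameValue": RUN_COMMAND_OP,
     "ActivityStatusValue": "Succeeded", "Caller": "contractor@contoso.example",
     "CallerIpAddress": "198.51.100.77", "ResourceId": VM + "db01"},
    {"TimeGenerated": "2020-02-01T23:45:00Z", "OperationNameValue": RUN_COMMAND_OP,
     "ActivityStatusValue": "Failed", "Caller": "contractor@contoso.example",
     "CallerIpAddress": "198.51.100.77", "ResourceId": VM + "web01"},
    {"TimeGenerated": "2020-02-01T09:00:00Z",
     "OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/START/ACTION",
     "ActivityStatusValue": "Succeeded", "Caller": "ops-admin@contoso.example",
     "CallerIpAddress": "203.0.113.10", "ResourceId": VM + "web01"},
]


def is_success(status):
    # Older AzureActivity rows use Success/Failure, newer ones Succeeded/Failed.
    return (status or "").lower() in ("succeeded", "success")


def run_command_events(records):
    return [r for r in records if (r.get("OperationNameValue") or "").upper() == RUN_COMMAND_OP]


def summarize(records):
    """Per (caller, VM): successful and failed executions plus the source IPs used."""
    out = defaultdict(lambda: {"succeeded": 0, "failed": 0, "ips": set()})
    for r in run_command_events(records):
        entry = out[(r["Caller"], r["ResourceId"].rsplit("/", 1)[-1])]
        status = (r.get("ActivityStatusValue") or "").lower()
        if is_success(status):
            entry["succeeded"] += 1
        elif status in ("failed", "failure"):
            entry["failed"] += 1
        entry["ips"].add(r["CallerIpAddress"])
    return dict(out)


def findings(records, allowed_callers, allowed_cidrs):
    """Flag successful executions by callers outside the allow-list or from outside the
    expected networks. Each hit names the VM whose guest artifacts should be pulled."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = []
    for (caller, vm), s in summarize(records).items():
        if s["succeeded"] == 0:
            continue
        bad_ips = sorted(ip for ip in s["ips"]
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
        reasons = []
        if caller not in allowed_callers:
            reasons.append("caller not in allow-list")
        if bad_ips:
            reasons.append("source IP outside expected networks: " + ", ".join(bad_ips))
        if reasons:
            hits.append({"caller": caller, "vm": vm, "succeeded": s["succeeded"],
                         "reasons": reasons, "artifacts": HOST_ARTIFACTS})
    return hits
```

Failed attempts are deliberately not flagged on their own but they are counted, because a caller who tried Run Command and was denied is still worth a look in the same investigation.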


Posted in Monitoring & Detection | 1 Comment

Parse ExtendedProperties in Azure Sentinel alerts for Logic App use

I got a few questions from readers about processing the data in the ExtendedProperties of an alert. They did not want to send the full JSON; instead they wanted to extract pieces of information from useful fields such as ExtendedProperties and compose a friendly email from them.

In this article, let's explore the Parse JSON action in Azure Logic Apps to extract some information from the ExtendedProperties field of the SecurityAlert table, which holds a JSON document and therefore has to be parsed before its individual values can be used in an email.


Posted in Security Automation | 1 Comment

Send Azure Sentinel alert notifications to your email automatically

At the time of writing there is no built-in functionality that notifies you by email when an incident is generated in Azure Sentinel. Checking Azure Sentinel all the time is not practical, while working from email is simply a habit.

In this article, I'd like to share step-by-step guidance on how to set up an Azure Logic App playbook that sends incident information to your email.


Posted in Security Automation | 1 Comment

Guidance for CVE Crypto and RDG vulnerability patching on Azure VMs

There is a lot of buzz these days around the most recent Microsoft Patch Tuesday, January 2020. Critical vulnerabilities were found in core Windows cryptographic functionality (CryptoAPI) as well as in Remote Desktop Gateway (RDG). While the crypto vulnerability (CVE-2020-0601) lets an attacker spoof code-signing and TLS certificates by abusing flawed ECC certificate validation, the RDG vulnerabilities (CVE-2020-0609 and CVE-2020-0610) sound very dangerous, as they are classified as pre-authentication Remote Code Execution (RCE).

Patching these vulnerabilities is undeniably imperative. Those who run Windows virtual machines, especially Windows Server hosting directory services or business productivity applications, may have questions that need answers. This article hopefully gives you some information about vulnerability patching in Azure, using these vulnerabilities as the example.


Posted in Security Automation | 7 Comments

Enable storage account analytics logging on all storage accounts

Storage Analytics logging lets you track operation activity at the blob level (e.g. download, upload). You might want to enable it on all storage accounts so that you have logs that support a security incident investigation. Keep in mind that the logs are written to the $logs container of the same storage account, so set a retention period, and remember that an attacker with write access to the account can tamper with them as well.

This article simply provides a PowerShell script to enable Storage Analytics logging on every storage account in every subscription.


Posted in Security Automation | Leave a comment

Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks

One of the common steps before a SecOps analyst starts investigating and writing hunting queries is to authenticate to the Log Analytics workspace where the security data and event logs are stored, using kqlmagic. The most common ways are to let Azure Notebooks read a configuration file that holds the secrets, or to initialize a plain-text password constant directly in the notebook.

In this article, let's explore another way: retrieve the secret from Azure Key Vault and interactively connect to your Log Analytics workspace, without much worry about Python module dependencies. You don't have to store any secret in a configuration file, nor install another Python module just to get a masked text box.
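One way to do this, shown as an added example rather than the post's own code: sign in interactively with azure-identity's InteractiveBrowserCredential, read the service-principal secret from Key Vault with azure-keyvault-secrets, and hand the resulting connection string to kqlmagic in memory. The two Azure packages are imported lazily inside the function so the remainder runs without them; the kqlmagic loganalytics:// connection-string format is assumed from its documentation, and the vault URL, secret name and IDs are placeholders you supply.

```python
import re


def secret_from_key_vault(vault_url, secret_name):
    """Browser sign-in (nothing written to disk), then a single read of the secret.
    Requires the azure-identity and azure-keyvault-secrets packages (assumed installed)."""
    from azure.identity import InteractiveBrowserCredential
    from azure.keyvault.secrets import SecretClient
    client = SecretClient(vault_url=vault_url, credential=InteractiveBrowserCredential())
    return client.get_secret(secret_name).value


def kqlmagic_connection(tenant_id, client_id, client_secret, workspace_id, alias="sentinel"):
    """Service-principal connection string for kqlmagic's loganalytics backend
    (format assumed from the kqlmagic documentation)."""
    for name, value in (("tenant", tenant_id), ("clientid", client_id),
                        ("clientsecret", client_secret), ("workspace", workspace_id),
                        ("alias", alias)):
        # a quote or semicolon would break the key=value grammar of the string
        if not value or "'" in value or ";" in value:
            raise ValueError(f"invalid value for {name}")
    return (f"loganalytics://tenant='{tenant_id}';clientid='{client_id}';"
            f"clientsecret='{client_secret}';workspace='{workspace_id}';alias='{alias}'")


def redact(connection_string):
    """The only form of the string that should ever be printed or logged."""
    return re.sub(r"clientsecret='[^']*'", "clientsecret='***'", connection_string)


def connect(ipython, vault_url, secret_name, tenant_id, client_id, workspace_id):
    """Equivalent of typing `%kql <connection string>` in a notebook cell, with the
    secret fetched from Key Vault and never echoed."""
    secret = secret_from_key_vault(vault_url, secret_name)
    conn = kqlmagic_connection(tenant_id, client_id, secret, workspace_id)
    print("connecting with", redact(conn))
    ipython.run_line_magic("kql", conn)


# In a notebook cell (placeholders are assumptions, not real identifiers):
# from IPython import get_ipython
# connect(get_ipython(), "https://<vault>.vault.azure.net/", "la-client-secret",
#         "<tenant-id>", "<app-client-id>", "<workspace-id>")
```

The secret only ever lives in a local variable of `connect`; printing the connection string goes through `redact`, so a notebook that is later shared or checked in does not carry the secret in its outputs.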


Posted in Security Automation | Leave a comment

Get started with Azure Sentinel Notebooks

Hunting in Azure by writing Kusto Query Language queries against a Log Analytics workspace may not be enough for you. Taking this article as an example, you may want to extract all attacker IP addresses and use VirusTotal to verify whether they are known-bad sources.

This article is not going to introduce Azure Sentinel notebooks. Instead, it provides simple guidance and key takeaways for beginners who would like to use and explore Azure Notebooks for hunting.
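The VirusTotal step described above, as an added example that is not part of the original post: take the rows a hunting query returned, pull the unique external source addresses out of the IpAddress column, and look each one up on VirusTotal's v3 ip_addresses endpoint (real endpoint and x-apikey header; the API key is yours). The rows are constructed and the column name follows the SecurityEvent schema; the lookup function is injectable so the flow runs offline against constructed responses.

```python
import ipaddress
import json
import time
import urllib.request

# Internal ranges to skip. ipaddress.is_global is deliberately not used: the
# documentation ranges in the constructed sample (198.51.100.0/24 and friends)
# count as non-global there and would silently vanish from the result.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

# Constructed rows shaped like a failed-logon hunting result (values invented).
SAMPLE_ROWS = [
    {"TimeGenerated": "2020-02-01T03:00:00Z", "EventID": 4625, "Account": r"\administrator", "IpAddress": "198.51.100.23"},
    {"TimeGenerated": "2020-02-01T03:00:02Z", "EventID": 4625, "Account": r"\admin", "IpAddress": "198.51.100.23"},
    {"TimeGenerated": "2020-02-01T03:01:00Z", "EventID": 4625, "Account": r"\svc_backup", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2020-02-01T03:02:00Z", "EventID": 4625, "Account": r"\guest", "IpAddress": "-"},
    {"TimeGenerated": "2020-02-01T03:03:00Z", "EventID": 4625, "Account": r"\root", "IpAddress": "203.0.113.200"},
    {"TimeGenerated": "2020-02-01T03:04:00Z", "EventID": 4625, "Account": r"\test", "IpAddress": "2001:db8::1"},
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL if net.version == ip.version)


def extract_ips(rows, column="IpAddress"):
    """Unique external IPs in first-seen order. '-' (no source address) and
    anything that is not a valid address is skipped, as are internal ranges."""
    seen = []
    for row in rows:
        try:
            ip = ipaddress.ip_address(str(row.get(column, "")).strip())
        except ValueError:
            continue
        if not is_internal(ip) and str(ip) not in seen:
            seen.append(str(ip))
    return seen


def vt_lookup(ip, api_key):
    """GET https://www.virustotal.com/api/v3/ip_addresses/{ip} with the key in x-apikey."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/ip_addresses/{ip}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def verdict(vt_response, threshold=1):
    """Reduce last_analysis_stats to a decision: flagged once enough engines call it bad."""
    stats = vt_response["data"]["attributes"]["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    return {"malicious": malicious, "suspicious": suspicious,
            "flagged": malicious + suspicious >= threshold}


def enrich(ips, api_key, lookup=vt_lookup, pause=15.0):
    """The free VirusTotal API allows 4 requests per minute, hence the pause.
    One failed lookup is recorded as an error and must not abort the batch."""
    results = {}
    for i, ip in enumerate(ips):
        if i and pause:
            time.sleep(pause)
        try:
            results[ip] = verdict(lookup(ip, api_key))
        except Exception as exc:
            results[ip] = {"error": str(exc)}
    return results


if __name__ == "__main__":
    import os
    # In a notebook the rows would come from a kqlmagic result (e.g. `_kql_raw_result_.to_dict()`).
    print(enrich(extract_ips(SAMPLE_ROWS), os.environ["VT_API_KEY"]))
```

Deduplicating before the lookup matters more than it looks: a brute-force result set easily has thousands of rows from a handful of addresses, and the public API quota is per request, not per address.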


Posted in Security Operation | 1 Comment

Demystify alerts generated by Azure Sentinel versus other third-party products

There was a question in the community about the alert field on the Incident page and what it means.

In this article, let's talk about that and see how to distinguish an alert generated by Azure Sentinel from one that came from Azure Security Center; the ProductName and ProviderName columns of the SecurityAlert table are the place to look.


Posted in Security Operation | Leave a comment

An analysis of Suspicious Authentication activity from Azure Security Center

Some readers who followed this article to simulate alerts from Azure Security Center approached me about one of the alerts they saw, named Suspicious authentication activity. They did not know whether their test virtual machines in Azure had been compromised or not.

This article is not going to give you an in-depth analysis that answers the question "has the virtual machine been compromised?", because your environment is not the same as mine, and a definitive answer would require a proper DFIR process. Instead, it explains to the analyst what the alert is and what you should do to trace the events back. You will learn how to write Kusto Query Language (KQL) to do the analysis.
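The analysis the post builds in KQL, carried out here in Python as an added example (not the post's own queries) so the logic can be run offline: over SecurityEvent-shaped rows (constructed; the column names EventID, TargetUserName, IpAddress, LogonType and TimeGenerated follow the SecurityEvent schema), group failed logons (4625) by source address, count the accounts each source tried, and check whether a successful network or RDP logon (4624 with LogonType 3 or 10) from the same source followed the failure run. That last check is the one that separates "someone is knocking" from "someone got in".

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624
NETWORK_LOGONS = {3, 10}  # network and RemoteInteractive (RDP): what an external source produces


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ev(t, event_id, user, ip, logon_type=3):
    return {"TimeGenerated": t, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "Computer": "web01"}


# Constructed: a short dictionary run from one address that ends in a successful RDP
# logon, a user who mistyped twice from another address, and a console logon with no source.
SAMPLE_EVENTS = [
    ev("2020-02-01T03:00:00Z", FAILED, "administrator", "198.51.100.23"),
    ev("2020-02-01T03:00:01Z", FAILED, "admin", "198.51.100.23"),
    ev("2020-02-01T03:00:02Z", FAILED, "administrator", "198.51.100.23"),
    ev("2020-02-01T03:00:03Z", FAILED, "backup", "198.51.100.23"),
    ev("2020-02-01T03:00:04Z", FAILED, "administrator", "198.51.100.23"),
    ev("2020-02-01T03:00:05Z", FAILED, "administrator", "198.51.100.23"),
    ev("2020-02-01T03:06:30Z", SUCCESS, "administrator", "198.51.100.23", 10),
    ev("2020-02-01T04:10:00Z", FAILED, "jsmith", "203.0.113.9"),
    ev("2020-02-01T04:10:20Z", FAILED, "jsmith", "203.0.113.9"),
    ev("2020-02-01T04:12:00Z", SUCCESS, "jsmith", "203.0.113.9", 10),
    ev("2020-02-01T05:00:00Z", SUCCESS, "localadmin", "-", 2),
]


def logon_activity(events, window=timedelta(hours=1)):
    """Per source IP: failure count, distinct accounts tried, and the first successful
    network/RDP logon that landed within `window` of the first failure."""
    by_ip = defaultdict(lambda: {"failures": 0, "accounts": set(),
                                 "first_failure": None, "success_after_failures": None})
    for e in sorted(events, key=lambda e: ts(e["TimeGenerated"])):
        ip = e.get("IpAddress")
        if not ip or ip == "-":
            continue  # console and service logons carry no source address
        s = by_ip[ip]
        t = ts(e["TimeGenerated"])
        if e["EventID"] == FAILED:
            s["failures"] += 1
            s["accounts"].add(e["TargetUserName"])
            s["first_failure"] = s["first_failure"] or t
        elif (e["EventID"] == SUCCESS and e.get("LogonType") in NETWORK_LOGONS
              and s["first_failure"] and t - s["first_failure"] <= window
              and s["success_after_failures"] is None):
            s["success_after_failures"] = (e["TargetUserName"], e["TimeGenerated"])
    return dict(by_ip)


def triage(events, failure_threshold=5, spray_accounts=3):
    """One verdict per source IP, highest priority first: a success that follows a
    failure run, then plain brute force, then a spray across accounts, else benign."""
    out = {}
    for ip, s in logon_activity(events).items():
        if s["success_after_failures"] and s["failures"] >= failure_threshold:
            out[ip] = "brute-force followed by successful logon as %s at %s" % s["success_after_failures"]
        elif s["failures"] >= failure_threshold:
            out[ip] = "brute-force attempts (%d failures, %d accounts)" % (s["failures"], len(s["accounts"]))
        elif len(s["accounts"]) >= spray_accounts:
            out[ip] = "password spray (%d accounts)" % len(s["accounts"])
        else:
            out[ip] = "benign (%d failures)" % s["failures"]
    return out


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_EVENTS).items():
        print(ip, "->", verdict)
```

The thresholds are where your environment comes in: a jump host that legitimately sees many RDP logons needs a higher failure threshold than an application server that should see none, which is exactly why the post does not promise a universal answer.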


Posted in Monitoring & Detection | 2 Comments