Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

I have recently had a few questions asking whether we can get the associated alert for an incident. The idea is to know which alert caused an incident so the SecOps team can better investigate the issue.

In this article, let’s explore the Azure Sentinel Incident Relation API, which can help you find the associated alert for your incident.

Posted in Security Automation

Everything you need to know about Azure Security Center Alert Suppression

Different environments may have special configurations that trigger alerts, and those false-positive alerts keep annoying the SecOps team. One feature that SecOps engineers working on Azure Security Center have wished for is the ability to automatically dismiss alerts based on some criteria. After months of work, Microsoft has finally publicly released a new feature in Azure Security Center to help filter alerts. This feature was originally called Auto-Dismiss and was later renamed Suppression Alert.

In this article, let’s take a look at Suppression Alert, then go deeper into creating an advanced suppression alert and simulating it.

Posted in Azure Security Center

Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

As a SOC analyst or manager working on Azure Sentinel, you would like to have a view of how productive your team is (response time, resolution, and so on). Being familiar with Log Analytics queries, you might wish to query Azure Sentinel incidents directly, without writing any script to call the Azure Sentinel Incident API.

In this article, let’s see how to ingest Azure Sentinel incident data with a Logic App so that the incident data is available in a Log Analytics workspace.

Posted in Security Automation

Be careful when you have escape char in Key Vault secret value

I recently had some work that required the use of Azure Key Vault, specifically a secret that stored a service principal’s password containing some special (escape) characters.

This article just shows you my findings and how to fix the problem while waiting for Microsoft to work on a fix.

Posted in Security Automation

ARM template for Azure VM with Guest Configuration

I’ve recently received some questions related to Azure Policy Guest Configuration and an ARM template to deploy the prerequisites needed to work with the feature.

In this article, I’d like to share an ARM template to deploy the Azure Policy Guest Configuration extension.

Posted in Governance & Compliance

Quick look at new Azure Sentinel Incident API

I got some questions from people who had worked with the Microsoft product team about the new incident API they were introduced to. I took a glance at it and thought I would need to write something about it, and in particular write a new script to work with the new Azure Sentinel Incident API.

This article gives some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in the earlier article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working, by the way.

Posted in Security Automation

Quick notes in deploying Guest Configuration Extension on Azure VM

Azure Policy Guest Configuration allows you to audit configuration inside the host. It sounds very similar to Azure Automation Account Desired State Configuration (DSC). In fact the concept is similar to DSC, but Azure Policy uses a dedicated agent called Guest Configuration.

This article just gives you a quick note on deploying the Guest Configuration extension manually.

Posted in Security Automation

Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM

There are discussions around a new CVE, CVE-2020-0796, in which Microsoft indicated a remote code execution vulnerability in the SMBv3.1.1 compression feature. People working on Azure environments have been asking me what to do.

The purpose of this article is not to dive into the vulnerability. Instead, it hopefully gives you some notes about this vulnerability, especially as it relates to workloads deployed in the Azure cloud.

Posted in Security Operation

Filter Azure Security Center alert name in Azure Sentinel incident rule

In the past we learnt how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center can become an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you wouldn’t want to see them on the Azure Sentinel Incidents page.

While waiting for the Azure Security Center Auto-Dismiss feature to come out, there are a few options for you. In this article, let’s quickly explore a simple filtering feature in the Microsoft incident creation rule to filter alerts.

Posted in Security Operation