Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. Azure Log Analytics agent for Linux didn’t support to configure a secondary log analytics workspace.
In this article, let’s look at the new Azure Monitor Agent and data collection approach in Azure that supports multi-homing scenario. The article is based on Azure Monitor Agent preview that might be subject to change in the future.
Data breaches caused by cloud misconfiguration have been seen for the past few years. One of the most common misconfigurations is granting public access to cloud storage service. Such a data is often unprotected, making them to be accessed without any authentication method. Microsoft recently introduced a new protection feature to help avoid public access on storage account. The feature introduces a new property named allowBlobPublicAccess.
In this article, let’s explore the feature as well as how to deploy and monitor it at scale.
I have a few questions recently asking if we can get an associated alert for an incident. The idea is to know which alert that caused an incident so SecOps team could better investigate the issue.
In this article, let’s explore Azure Incident Relation API that can help find an associated alert for your incident.
Different environments may have special configuration that may trigger the alert. And those false positive alerts keep annoying SecOps team. One of the features that SecOps guys working on Azure Security Center wish to have is the ability to automatically dismiss alerts based on some criteria. After months of working finally Microsoft publicly released a new feature in Azure Security Center to help filter alerts. This feature was originally called Auto-Dismiss and then was changed to Suppression Alert.
In this article, let’s take a look at Suppression Alert then go deeper to creating an advanced suppression alert and simulate it.
As a SOC Analyst or Manager who are working on Azure Sentinel you would like to have a view of how productive your team is (response time, resolution..). As being familiar with Log Analytics query, you might wish to do kind of query to get Azure Sentinel incident without writing any script to call Azure Sentinel Incident API.
In this article, let’s see how to ingest Azure Sentinel incident data using Logic App to make Azure Sentinel incident data available in Log Analytics workspace.
I recently had some works that required to use Azure Key Vault. Specifically a secret that stored a service principal’s password that contained some special characters (escape ones).
This article just shows you my finding and how to fix it while waiting for Microsoft to work on the fix.
I’ve recently got some questions related to Azure Policy Guest Configuration and an ARM template to deploy pre-requisites in order to work with the feature.
In this article, I’d like to share ARM template to deploy Azure Policy Guest Configuration extension.
I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.
This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working by the way.
Azure Policy Guest Configuration allows you to audit configuration inside host. It sounds very much similar to Azure Automation Account Desired State Configuration (DSC). In fact the concept is similar to DSC but Azure Policy uses a dedicated agent called Guest Configuration.
This article is just going to give you a quick note to deploy the Guest Configuration extension manually.
There are discussions around a new CVE coded CVE-2020-0796 that Microsoft indicated a remote code execution vulnerability found in SMBv3.1.1 compression feature. There are questions from people working on Azure environment asking me what to do.
The purpose of this article is not to dive into the vulnerability. Instead, it hopefully gives you some notes about this vulnerability especially it is targeted to deployed workloads in Azure cloud.