Az-500: Quick notes on AAD hybrid identity

Recently I got a question from a friend regarding Azure Active Directory hybrid identity option. The question was part of his exam in Az-500 Microsoft Azure Security Technologies.

In this article, I’d like to provide a bit about the AAD hybrid identity as well as to clarify something about it.

Continue reading

Posted in Identity & Access Control | Tagged , | Leave a comment

Deny Azure Role Assignment with Azure Policy

Giving unplanned role to users or groups is one of the reasons that lead to a security breach. In this article, let’s just look at how we can use Azure Policy to prevent role assignment from being assigned to unattended target users and groups.

Continue reading

Posted in Governance & Compliance | Tagged , , | Leave a comment

Multi-homing Logging with new Azure Monitor Agent

Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. Azure Log Analytics agent for Linux didn’t support to configure a secondary log analytics workspace.

In this article, let’s look at the new Azure Monitor Agent and data collection approach in Azure that supports multi-homing scenario. The article is based on Azure Monitor Agent preview that might be subject to change in the future.

Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged , | Leave a comment

Get Alert Relation from an Incident using Azure Sentinel Incident Relation API

I have a few questions recently asking if we can get an associated alert for an incident. The idea is to know which alert that caused an incident so SecOps team could better investigate the issue.

In this article, let’s explore Azure Incident Relation API that can help find an associated alert for your incident.

Continue reading

Posted in Security Automation | Tagged , , | Leave a comment

Everything you need to know about Azure Security Center Alert Suppression

Different environments may have special configuration that may trigger the alert. And those false positive alerts keep annoying SecOps team. One of the features that SecOps guys working on Azure Security Center wish to have is the ability to automatically dismiss alerts based on some criteria. After months of working finally Microsoft publicly released a new feature in Azure Security Center to help filter alerts. This feature was originally called Auto-Dismiss and then was changed to Suppression Alert.

In this article, let’s take a look at Suppression Alert then go deeper to creating an advanced suppression alert and simulate it.

Continue reading

Posted in Azure Security Center | Tagged , | 1 Comment

Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

As a SOC Analyst or Manager who are working on Azure Sentinel you would like to have a view of how productive your team is (response time, resolution..). As being familiar with Log Analytics query, you might wish to do kind of query to get Azure Sentinel incident without writing any script to call Azure Sentinel Incident API.

In this article, let’s see how to ingest Azure Sentinel incident data using Logic App to make Azure Sentinel incident data available in Log Analytics workspace.

Continue reading

Posted in Security Automation | Tagged , , | 1 Comment

Be careful when you have escape char in Key Vault secret value

I recently had some works that required to use Azure Key Vault. Specifically a secret that stored a service principal’s password that contained some special characters (escape ones).

This article just shows you my finding and how to fix it while waiting for Microsoft to work on the fix.

Continue reading

Posted in Security Automation | Tagged | Leave a comment

ARM template for Azure VM with Guest Configuration

I’ve recently got some questions related to Azure Policy Guest Configuration and an ARM template to deploy pre-requisites in order to work with the feature.

In this article, I’d like to share ARM template to deploy Azure Policy Guest Configuration extension.

Continue reading

Posted in Governance & Compliance | Tagged | Leave a comment

Quick look at new Azure Sentinel Incident API

I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.

This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article ( is still working by the way.

Continue reading

Posted in Security Automation | Tagged , | 8 Comments