Everything you need to know about Azure Security Center Alert Suppression

Posted on 07/11/2020 by azsec

Different environments may have special configuration that may trigger the alert. And those false positive alerts keep annoying SecOps team. One of the features that SecOps guys working on Azure Security Center wish to have is the ability to automatically dismiss alerts based on some criteria. After months of working finally Microsoft publicly released a new feature in Azure Security Center to help filter alerts. This feature was originally called Auto-Dismiss and then was changed to Suppression Alert.

In this article, let’s take a look at Suppression Alert then go deeper to creating an advanced suppression alert and simulate it.

Continue reading

Posted in Azure Security Center | Tagged , | Leave a comment

Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

Posted on 07/08/2020 by azsec

As a SOC Analyst or Manager who are working on Azure Sentinel you would like to have a view of how productive your team is (response time, resolution..). As being familiar with Log Analytics query, you might wish to do kind of query to get Azure Sentinel incident without writing any script to call Azure Sentinel Incident API.

In this article, let’s see how to ingest Azure Sentinel incident data using Logic App to make Azure Sentinel incident data available in Log Analytics workspace.

Continue reading

Posted in Security Automation | Tagged , , | 1 Comment

Be careful when you have escape char in Key Vault secret value

Posted on 06/12/2020 by azsec

I recently had some works that required to use Azure Key Vault. Specifically a secret that stored a service principal’s password that contained some special characters (escape ones).

This article just shows you my finding and how to fix it while waiting for Microsoft to work on the fix.

Continue reading

Posted in Security Automation | Tagged | Leave a comment

ARM template for Azure VM with Guest Configuration

Posted on 03/22/2020 by azsec

I’ve recently got some questions related to Azure Policy Guest Configuration and an ARM template to deploy pre-requisites in order to work with the feature.

In this article, I’d like to share ARM template to deploy Azure Policy Guest Configuration extension.

Continue reading

Posted in Governance & Compliance | Tagged | Leave a comment

Quick look at new Azure Sentinel Incident API

Posted on 03/18/2020 by azsec

I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new script to work with the new Azure Sentinel Incident API.

This article is going to give some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in this article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) is still working by the way.

Continue reading

Posted in Security Automation | Tagged , | 5 Comments

Quick notes in deploying Guest Configuration Extension on Azure VM

Posted on 03/14/2020 by azsec

Azure Policy Guest Configuration allows you to audit configuration inside host. It sounds very much similar to Azure Automation Account Desired State Configuration (DSC). In fact the concept is similar to DSC but Azure Policy uses a dedicated agent called Guest Configuration.

This article is just going to give you a quick note to deploy the Guest Configuration extension manually.

Continue reading

Posted in Security Automation | Tagged , | Leave a comment

Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM

Posted on 03/13/2020 by azsec

There are discussions around a new CVE coded CVE-2020-0796 that Microsoft indicated a remote code execution vulnerability found in SMBv3.1.1 compression feature. There are questions from people working on Azure environment asking me what to do.

The purpose of this article is not to dive into the vulnerability. Instead, it hopefully gives you some notes about this vulnerability especially it is targeted to deployed workloads in Azure cloud.

Continue reading

Posted in Security Operation | Tagged , , | 1 Comment

Filter Azure Security Center alert name in Azure Sentinel incident rule

Posted on 03/05/2020 by azsec

In the past we learnt on how to connect Azure Security Center to Azure Sentinel so every alert generated from Azure Security Center can be an incident in Azure Sentinel. Not all alerts are true positive and sometime you wouldn’t want to see them in Azure Sentinel Incident page.

While waiting for Azure Security Center Auto-Dismiss feature coming out, there are a few options for you. In this article, let’s explore quickly a simple filtering feature in Microsoft incident creation rule to filter alert.

Continue reading

Posted in Security Operation | Tagged | Leave a comment

Alert Grouping feature in Azure Sentinel

Posted on 02/24/2020 by azsec

One of the things that SecOps guys needs when working with Azure Sentinel is the ability to group all alerts that have similar characteristics into a single incident in order to better manage and respond. Given an example about Traffic detected from IP addresses recommended for blocking alert or Access from an unusual location to a storage account which may trigger a false positive incident in specific use case.

In this article, let’s have a quick look in Alert Grouping feature in Azure Sentinel to group alerts into a single incident. Continue reading

Posted in Monitoring & Detection | Tagged , | Leave a comment

Add custom Azure Policy to Azure Security Center Recommendation

Posted on 02/10/2020 by azsec

You know that Azure Security Center recommendation is powered by Azure Policy and you can disable recommendation that may not be applicable to your environment. Along with that, you can even add a custom Azure Policy into Azure Security Center recommendation so you can have a single pan of glass for your security posture in a one-stop shop.

In this article, let’s see how to add a custom Azure Policy to Azure Security Center Recommendation Continue reading

Posted in Governance & Compliance | Tagged , | Leave a comment