Quick look at CI/CD integration in Azure Security Center to scan your Docker image

If you work in cyber security where DevOps is involved, you have probably heard of shift-left security. Shift-left security simply means moving security assessment and verification earlier in the development process, so that findings are remediated while they are still cheap to fix, before the product or application is released to production.

Specific to Azure, the new CI/CD integration for scanning container images in Azure Security Center has recently come to my attention. In this article, let’s explore the feature and how to build a PoC to demonstrate it to your team or a customer. The article also provides step-by-step guidance on getting the PoC working.

Posted in Secure Development

Notes on the “Azure SQL Server auditing should be enabled” policy

Recently I was asked to help a colleague with the policy named “Azure SQL Server auditing should be enabled”. He had deployed an ARM template to enable auditing, but the setting was not reflected in the Azure Portal.

In this article, let’s look into the problem my colleague ran into. We will also modify the built-in policy to make it more useful.

Posted in Secure Development, Security Automation

Notes on Azure Backup Soft-delete feature in a cybersecurity context

Backups are often your last hope for recovering your infrastructure after a cyber attack. Malware does not only steal and exfiltrate data; it also scans for your backups and deletes them. The soft delete feature is designed to address this data destruction concern.

In this article, let’s look into some aspects of the soft delete feature in Azure Backup.

Posted in Monitoring & Detection, Security Operation

Demystifying the Azure DDoS Protection policies in Azure Policy

There are two different policies in Azure Security Center/Azure Policy that evaluate virtual network resources and DDoS protection plans. Your virtual networks may show up as non-compliant under one of them. In this article, let’s demystify the two policies and either remediate the findings or justify them in case a compliance reviewer asks.

Posted in Governance & Compliance

Create an Azure Role Assignment Watchlist in Azure Sentinel

Watchlists in Azure Sentinel let you bring your own data from external sources into the workspace and correlate it with analytics rules or hunting queries in your Azure Sentinel environment.

In this article, we explore the Azure Sentinel Watchlist REST API and then use it to create an Azure role assignment watchlist.
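As an added illustration (not code from the original article), this is the shape of the request the article explores. A watchlist is created or replaced with an ARM-authenticated PUT to `https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}?api-version={apiVersion}`; the alias `AzureRoleAssignments`, the api-version you pick, the column names and the two role assignment rows below are assumptions chosen for the example, not values from the article.

```json
{
  "properties": {
    "displayName": "Azure Role Assignments",
    "source": "Local file",
    "provider": "Custom",
    "description": "Snapshot of role assignments at subscription scope, refreshed by the pipeline that exports them",
    "itemsSearchKey": "PrincipalId",
    "contentType": "text/csv",
    "numberOfLinesToSkip": 0,
    "rawContent": "PrincipalId,PrincipalType,RoleDefinitionName,Scope\n11111111-1111-1111-1111-111111111111,User,Owner,/subscriptions/00000000-0000-0000-0000-000000000000\n22222222-2222-2222-2222-222222222222,Group,Contributor,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
  }
}
```

Two details trip people up: `rawContent` must carry the CSV header row (with `numberOfLinesToSkip` counting only lines before it), and `itemsSearchKey` must name a column from that header, because it is the key Sentinel indexes for lookups. Once the PUT succeeds, the data is available in KQL through `_GetWatchlist('AzureRoleAssignments')`, so an analytics rule can join `AzureActivity` role assignment write events on `PrincipalId` to flag assignments that are not in the approved snapshot.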

Posted in Security Automation, Security Operation

Notes on Azure Storage network restriction

By default, a newly created Azure storage account accepts connections from clients on any network. To limit that, Azure lets you define a trusted list of virtual network subnets or IP ranges.

This article does not walk you through adding firewall rules to a storage account step by step. Instead, it focuses on deploying the network restriction programmatically in a DevOps environment.
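As an added example (not the article's own template), here is what the restriction looks like when it is deployed as code. A storage account deployed with no `networkAcls` block behaves as if it had `"networkAcls": { "defaultAction": "Allow" }`, which is the open default described above; the ARM resource below flips the default to `Deny` and allows only one public IP range and one subnet. The parameter names, the `203.0.113.0/24` range and the `apiVersion` are assumptions chosen for the example.

```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2021-04-01",
  "name": "[parameters('storageAccountName')]",
  "location": "[resourceGroup().location]",
  "sku": { "name": "Standard_LRS" },
  "kind": "StorageV2",
  "properties": {
    "networkAcls": {
      "defaultAction": "Deny",
      "bypass": "AzureServices",
      "ipRules": [
        { "value": "203.0.113.0/24", "action": "Allow" }
      ],
      "virtualNetworkRules": [
        {
          "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnetName'))]",
          "action": "Allow"
        }
      ]
    }
  }
}
```

Three caveats when this runs from a pipeline: the referenced subnet must already have the `Microsoft.Storage` service endpoint enabled, otherwise the deployment fails; `ipRules` accept public internet ranges only, so private (RFC 1918) addresses are rejected; and the rules apply to the data plane only, so the pipeline can still deploy the account through ARM, but any later step that reads or writes blobs must itself come from an allowed network. `"bypass": "AzureServices"` keeps trusted Microsoft services working through the firewall; set it to `"None"` if that exception is not wanted.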

Posted in Security Automation

AZ-500: Quick notes on AAD hybrid identity

Recently a friend asked me a question about the Azure Active Directory hybrid identity options. The question was part of his AZ-500 Microsoft Azure Security Technologies exam.

In this article, I’d like to give a short overview of AAD hybrid identity and clarify a few points about it.

Posted in Identity & Access Control

Deny Azure Role Assignment with Azure Policy

Granting unplanned roles to users or groups is one of the things that lead to a security breach. In this article, let’s look at how Azure Policy can be used to prevent role assignments to unintended users and groups.
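As an added example (not the article's own policy definition), this is the general form such a policy takes: a `deny` effect on `Microsoft.Authorization/roleAssignments` whose principal is not in an approved list. The parameter name `allowedPrincipalIds`, the display name and the use of the `principalId` alias are assumptions for the example; confirm the alias in your tenant with `Get-AzPolicyAlias -NamespaceMatch 'Microsoft.Authorization'` before relying on it.

```json
{
  "properties": {
    "displayName": "Deny role assignments to principals outside the approved list",
    "mode": "All",
    "parameters": {
      "allowedPrincipalIds": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed principal object IDs",
          "description": "Object IDs of the groups or service principals that may receive role assignments at the assigned scope"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Authorization/roleAssignments"
          },
          {
            "field": "Microsoft.Authorization/roleAssignments/principalId",
            "notIn": "[parameters('allowedPrincipalIds')]"
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

`mode` has to be `All` because role assignments are not tagged, located resources and would be skipped under `Indexed`. The deny is enforced at the control plane when a new assignment is written; assignments that already exist are only reported as non-compliant, so review those separately. A common variant keeps the list parameter and additionally matches `Microsoft.Authorization/roleAssignments/principalType` equal to `User`, which blocks direct assignments to individual users and forces access to be granted through groups.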

Posted in Governance & Compliance

Multi-homing logging with the new Azure Monitor Agent

Sending logs from an Azure virtual machine or virtual machine scale set to several Azure Log Analytics workspaces (also known as multi-homing) is a common requirement in a large cloud environment. In the past, Azure only supported multi-homing on Windows virtual machines; the Log Analytics agent for Linux did not support configuring a secondary workspace.

In this article, let’s look at the new Azure Monitor Agent and the data collection rule (DCR) based approach in Azure that supports the multi-homing scenario. The article is based on the Azure Monitor Agent preview, which may be subject to change.

Posted in Monitoring & Detection, Security Operation