Different environments may have special configuration that triggers Azure Security Center alerts, and those false positives keep annoying the SecOps team. One feature that SecOps engineers working with Azure Security Center have long wished for is the ability to dismiss alerts automatically based on criteria they define. After months of work, Microsoft has publicly released a new Azure Security Center feature to filter alerts. It was originally called Auto-Dismiss and has since been renamed Suppression Alert.
In this article, let's take a look at Suppression Alert, then go deeper into creating an advanced suppression rule and simulating an alert that it should suppress.
As a SOC analyst or manager working with Azure Sentinel, you would like a view of how productive your team is (response time, time to resolution, and so on). Being familiar with Log Analytics queries, you might wish to run a query that returns Azure Sentinel incidents without writing a script to call the Azure Sentinel Incident API.
In this article, let's see how to ingest Azure Sentinel incident data with a Logic App so that the incident data is available in a Log Analytics workspace.
I recently had some work that required Azure Key Vault, specifically a secret that stored a service principal's password containing some special (escape) characters.
This article just shows you my finding and how to fix it while waiting for Microsoft to work on the fix.
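The check a practitioner wants before trusting such a secret is a round trip: store a value that contains the characters shells and escaping rules usually mangle, read it back, and compare byte for byte. The following is an added example and not the post's own script; the vault name, secret name and the sample password are constructed placeholders, and the Az.KeyVault module is assumed.

```powershell
# Added example (not from the original post). Assumes an existing vault 'kv-example'
# and the Az.KeyVault module. The secret value is a constructed sample containing
# characters that shells and string escaping commonly rewrite: $ ` " ' \ ! and a space.
$vaultName  = 'kv-example'
$secretName = 'sp-password-test'

# Single-quoted here-string: PowerShell performs no interpolation or escaping,
# so the value reaches the cmdlet exactly as written (no trailing newline either).
$plainIn = @'
P@ss$word`"with'\!chars and space
'@

$secure = ConvertTo-SecureString -String $plainIn -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null

# Read it back and decode the SecureString without relying on
# module-version-specific switches such as -AsPlainText.
$stored = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($stored.SecretValue)
try     { $plainOut = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# -ceq is case-sensitive and exact; a mismatch means something between the
# client and the vault rewrote the value, and shows which characters were hit.
if ($plainOut -ceq $plainIn) {
    Write-Host "Round-trip OK: $($plainIn.Length) characters preserved"
} else {
    Write-Warning "Mismatch: sent '$plainIn' but vault returned '$plainOut'"
}
```

Run the same round trip from whichever client you actually use to provision the secret (CLI, pipeline task, portal); the vault itself stores arbitrary strings, so a mismatch points at the client-side path, not at Key Vault.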
I've recently got some questions about Azure Policy Guest Configuration and an ARM template to deploy the pre-requisites needed to work with the feature.
In this article, I'd like to share an ARM template that deploys the Azure Policy Guest Configuration extension.
I got some questions from people who worked with the Microsoft product team about the new incident API that was introduced to them. I took a glance at it and thought I should write something about it, especially a new script to work with the new Azure Sentinel Incident API.
This article gives some notes, as well as a new script to extract all Azure Sentinel incidents. The API used in the earlier article (http://azsec.azurewebsites.net/2019/12/16/extract-all-azure-sentinel-incidents/) still works, by the way.
Azure Policy Guest Configuration allows you to audit configuration inside the guest operating system of a VM. It sounds very similar to Azure Automation Desired State Configuration (DSC). In fact the concept is similar to DSC, but Azure Policy uses a dedicated agent installed by the Guest Configuration extension.
This article just gives you a quick note on deploying the Guest Configuration extension manually.
There are discussions around a new CVE, CVE-2020-0796, a remote code execution vulnerability that Microsoft disclosed in the SMBv3.1.1 compression feature. People working on Azure environments have been asking me what to do.
The purpose of this article is not to dive into the vulnerability. Instead, it hopefully gives you some notes about it, especially as it applies to workloads deployed in Azure.
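For an Azure workload the two practical moves are a guest-side check with Microsoft's published workaround, and an Azure-side control that keeps TCP/445 off the Internet while you patch. The block below is an added example and not the post's own script. It applies the workaround from Microsoft advisory ADV200005 (disable SMBv3 compression on the server role via the LanmanServer DisableCompression value) only on the affected Windows 10 and Windows Server 1903 and 1909 builds (18362 and 18363), pushes it into the VM with Run Command, and adds an NSG deny rule. Resource names are placeholders; the Az.Compute and Az.Network modules are assumed.

```powershell
# Added example, not part of the original post. Placeholders: rg-example,
# vm-example, nsg-example. Guest-side part applies the ADV200005 workaround for
# CVE-2020-0796 (disable SMBv3 compression) on affected builds 18362 / 18363.

# --- Part 1: guest-side check + workaround, saved to a file for Run Command ---
$guestScript = @'
$build    = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$affected = $build -in 18362, 18363
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current  = (Get-ItemProperty -Path $key -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
if ($affected -and $current -ne 1) {
    # ADV200005 workaround: no reboot required. Caveat: it protects the SMB
    # *server* role only; this host as an SMB client is still exposed to a
    # malicious server until the security update is installed.
    Set-ItemProperty -Path $key -Name DisableCompression -Type DWord -Value 1 -Force
    "Build $build is affected: SMBv3 compression disabled (previous value: $current)"
} elseif ($affected) {
    "Build $build is affected: workaround already in place"
} else {
    "Build $build is not an affected release; nothing changed"
}
'@
$scriptPath = Join-Path ([IO.Path]::GetTempPath()) 'cve-2020-0796-workaround.ps1'
Set-Content -Path $scriptPath -Value $guestScript -Encoding ASCII

$rg = 'rg-example'; $vmName = 'vm-example'
$result = Invoke-AzVMRunCommand -ResourceGroupName $rg -VMName $vmName `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath
$result.Value[0].Message   # stdout of the guest script, one of the three lines above

# --- Part 2: Azure-side control, independent of patch state ---
# Deny TCP/445 inbound from the Internet on the VM's NSG. Idempotent: skipped if
# a rule with this name already exists.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-example'
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Deny-SMB445-From-Internet')) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-SMB445-From-Internet' -Priority 100 `
        -Direction Inbound -Access Deny -Protocol Tcp `
        -SourceAddressPrefix Internet -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 445 | Out-Null
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}
```

Treat the registry workaround as a stopgap: it is reversible (set the value back to 0) and should be followed by the security update, after which the build check reports the host the same way but the compression setting no longer matters. The NSG rule stays useful regardless, since SMB has no business being reachable from the Internet.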
In the past we learnt how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center becomes an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you wouldn't want to see them on the Azure Sentinel Incidents page.
While waiting for the Azure Security Center Auto-Dismiss feature to come out, you have a few options. In this article, let's quickly explore the simple filtering feature of the Microsoft incident creation rule to filter alerts.
One thing SecOps engineers need when working with Azure Sentinel is the ability to group alerts with similar characteristics into a single incident, so they can be managed and responded to together. Examples are the Traffic detected from IP addresses recommended for blocking alert and the Access from an unusual location to a storage account alert, either of which may trigger false positive incidents in specific use cases.
In this article, let's have a quick look at the Alert Grouping feature in Azure Sentinel to group alerts into a single incident.
You know that Azure Security Center recommendations are powered by Azure Policy and that you can disable recommendations that don't apply to your environment. Along with that, you can even add a custom Azure Policy to the Azure Security Center recommendations, so you have a single pane of glass for your security posture in one place.
In this article, let's see how to add a custom Azure Policy to Azure Security Center Recommendations.