Category Archives: Monitoring & Detection

Laterally move by abusing Log Analytics Agent and Automation Hybrid worker

Azure Automation Hybrid worker is used to manage Azure resources in local environment where compliant connectivity is needed. Normally a hybrid worker needs a certificate installed on it so it can be authorized by Azure AD before it can perform … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged , | 1 Comment

Harvest credential from Custom Script Extension on Azure VM

Custom Script Extension is one of the most commonly used extensions for Azure virtual machine deployment. This extension allows you to execute a bootstrapping script during VM deployment to perform some additional tasks.  Those tasks may include Domain Controller on-boarding … Continue reading

Posted in Monitoring & Detection | Tagged , | 1 Comment

Notes on Azure Backup Soft-delete feature in a cybersecurity context

Backup would be the last hope for you in an attempt of recovering your infrastructure after a cyber attack. Malware doesn’t only steal and exfiltrate data but also scans and deletes your backup. The soft delete feature is designed to … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged | Leave a comment

Multi-homing Logging with new Azure Monitor Agent

Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged , | Leave a comment

Alert Grouping feature in Azure Sentinel

One of the things that SecOps guys needs when working with Azure Sentinel is the ability to group all alerts that have similar characteristics into a single incident in order to better manage and respond. Given an example about Traffic … Continue reading

Posted in Monitoring & Detection | Tagged , | 3 Comments

Export virtual machines with ASC monitoring agent issue

There is a recommendation named “Monitoring agent health issues should be resolved on your machine” in Azure Security Center that provides you list of unhealthy resources (virtual machine resource type). There are several reasons that can cause unhealthy monitoring state … Continue reading

Posted in Monitoring & Detection | Tagged , | 1 Comment

What Blue Team needs to know about Run Script feature in Azure

Run Script is great feature that help cloud system admin perform command or script execution on target virtual machine without RDP or setting up a PsRemote that may not be allowed in your organization. Nonetheless Run Script also allows bad … Continue reading

Posted in Monitoring & Detection | Tagged , | 2 Comments

An analysis of Suspicious Authentication activity from Azure Security Center

There are some readers after following this article to simulate alerts generated from Azure Security Center approaching me asking about one of the alerts they have seen named Suspicious authentication activity. They don’t know whether their testing virtual machines in … Continue reading

Posted in Monitoring & Detection | Tagged , , | 2 Comments

Security Monitoring and Detection Tips for your Storage Account – Part 4

In part 3, you were introduced some storage account related alerts that are generated by Azure Security Center -Advanced Threat Protection. You also got to know a few ways to manually generate those alerts so you could look into how … Continue reading

Posted in Monitoring & Detection | Tagged , | 1 Comment

Security Monitoring and Detection Tips for your Storage Account – Part 3

In previous article you learned about different ways to collect Azure Storage account logs. You also learned about a model of centralizing Storage account log. No matter how you want to build, your storage account log should be ready for  … Continue reading

Posted in Monitoring & Detection | Tagged , | 4 Comments