Archives
- January 2022 (3)
- December 2021 (9)
- November 2021 (13)
- August 2021 (1)
- July 2021 (6)
- June 2021 (1)
- May 2021 (1)
- April 2021 (1)
- January 2021 (1)
- August 2020 (1)
- July 2020 (3)
- June 2020 (1)
- March 2020 (5)
- February 2020 (3)
- January 2020 (18)
- December 2019 (22)
- November 2019 (3)
- October 2019 (1)
- July 2019 (1)
- April 2019 (2)
- January 2019 (2)
- October 2018 (2)
- September 2018 (1)
- August 2018 (4)
- July 2018 (4)
- February 2018 (6)
- January 2018 (3)
- November 2017 (1)
- August 2017 (3)
- May 2017 (4)
- April 2017 (4)
- December 2016 (1)
Categories
- Application Security (1)
- Azure Security Center (10)
- Governance & Compliance (19)
- Host Protection (3)
- Identity & Access Control (9)
- Monitoring & Detection (22)
- Network Security (3)
- Secure Development (13)
- Security Automation (53)
- Security Operation (21)
- Service Overview (1)
Category Archives: Monitoring & Detection
Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence
Log4Shell is an emerging threat and its exploit is still in the wild. As a SecOps analyst your job is to monitor your cloud assets ensure if there is any communication to known IoC you would have a proper action. … Continue reading
Posted in Monitoring & Detection, Security Automation
Tagged azure sentinel log4j ioc, log4j ioc
1 Comment
Detect Azure VM with a Public IP associated
Last week a friend asked me if creating or updating a virtual machine where a public IP address was associated with was detectable. This is a very common requirement in cloud security monitoring. Having a workload (aka virtual machine) with … Continue reading
Detect NSG inbound rule updated to allow All
Network Security Group (NSG) is one of the most common features in Azure to help strengthen your network defense. It allows you to filter network traffic to and from Azure resources. Having NSG in place doesn’t always mean your network … Continue reading
Laterally move by abusing Log Analytics Agent and Automation Hybrid worker
Azure Automation Hybrid worker is used to manage Azure resources in local environment where compliant connectivity is needed. Normally a hybrid worker needs a certificate installed on it so it can be authorized by Azure AD before it can perform … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged abuse Azure agent, azure laterally move
1 Comment
Harvest credential from Custom Script Extension on Azure VM
Custom Script Extension is one of the most commonly used extensions for Azure virtual machine deployment. This extension allows you to execute a bootstrapping script during VM deployment to perform some additional tasks. Those tasks may include Domain Controller on-boarding … Continue reading
Posted in Monitoring & Detection
Tagged azure custom script extension, harvest credential
2 Comments
Notes on Azure Backup Soft-delete feature in a cybersecurity context
Backup would be the last hope for you in an attempt of recovering your infrastructure after a cyber attack. Malware doesn’t only steal and exfiltrate data but also scans and deletes your backup. The soft delete feature is designed to … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged soft-delete azure backup
Leave a comment
Multi-homing Logging with new Azure Monitor Agent
Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged azure monitor agent, azure multi-homing
Leave a comment
Alert Grouping feature in Azure Sentinel
One of the things that SecOps guys needs when working with Azure Sentinel is the ability to group all alerts that have similar characteristics into a single incident in order to better manage and respond. Given an example about Traffic … Continue reading
Posted in Monitoring & Detection
Tagged azure security center, azure sentinel alert grouping
3 Comments
Export virtual machines with ASC monitoring agent issue
There is a recommendation named “Monitoring agent health issues should be resolved on your machine” in Azure Security Center that provides you list of unhealthy resources (virtual machine resource type). There are several reasons that can cause unhealthy monitoring state … Continue reading
What Blue Team needs to know about Run Script feature in Azure
Run Script is great feature that help cloud system admin perform command or script execution on target virtual machine without RDP or setting up a PsRemote that may not be allowed in your organization. Nonetheless Run Script also allows bad … Continue reading