Category Archives: Security Automation

Script to audit managed identities on VM and their role assignment

Managed Identity in Azure is not new. Everyone loves it, and people use it more often these days. Managed Identity reduces the overhead of managing secrets or certificates. However, the Managed Identity feature also introduces a new risk …

Posted in Identity & Access Control, Security Automation

Scan Azure VMs in the same subnet with Nmap

Last weekend I made a small PoC to use Nmap to scan an Azure VM. I then came up with an idea to write a script that scans all live hosts in the same subnet as the given VM. …

Posted in Network Security, Security Automation

Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence

Log4Shell is an emerging threat and its exploit is still in the wild. As a SecOps analyst, your job is to monitor your cloud assets and ensure that, if there is any communication to a known IoC, a proper action is taken. …

Posted in Monitoring & Detection, Security Automation

Detect Azure VM with a Public IP associated

Last week a friend asked me if creating or updating a virtual machine with a public IP address associated was detectable. This is a very common requirement in cloud security monitoring. Having a workload (aka virtual machine) with …

Posted in Monitoring & Detection, Security Automation

Detect NSG inbound rule updated to allow All

Network Security Group (NSG) is one of the most common features in Azure to help strengthen your network defense. It allows you to filter network traffic to and from Azure resources. Having an NSG in place doesn’t always mean your network …

Posted in Monitoring & Detection, Security Automation

Query vulnerable VMs against Log4Shell vulnerability in Azure

I was asked by people whether Microsoft Defender for Cloud had any information related to the CVE-2021-44228 (Log4Shell) vulnerability, currently the hottest vulnerability. In this article, I would like to share a Resource Graph query to …

Posted in Security Automation

Use Azure Resource Graph to query Microsoft Defender for Cloud Plan on all subscriptions

As part of SOC work you may want to get information on the Microsoft Defender for Cloud plan on each subscription so you can plan to roll out a Defender plan on those that don’t have one yet. While Azure PowerShell, REST …

Posted in Governance & Compliance, Security Automation

Quickly test Microsoft Sentinel REST API

There are several ways to test the Microsoft Sentinel REST API with the GET method. You can test directly (from the Try It button) on the REST API docs page. Postman is another option. I have developed a simple PowerShell script to help …

Posted in Security Automation

Create an alert with custom entity mapping using Microsoft Sentinel REST API

As you may know, the latest stable Microsoft Sentinel Alert API version 2020-01-01 doesn’t allow you to create an analytics rule in which you can add custom entity mapping, custom details or incident grouping configuration. It isn’t too helpful for …

Posted in Security Automation

Migrate alert rules to another Azure Sentinel in the same tenant

In a large deployment, having a non-production environment to test Microsoft Sentinel analytics rules is recommended. When everything is ready you would need to copy your rules over to the production environment. This article provides a script to …

Posted in Secure Development, Security Automation