Category Archives: Security Automation

Azure Sentinel Threat Intelligence API

Microsoft Sentinel (formerly Azure Sentinel) has a feature that allows you to create and manage custom Threat Intelligence (TI) indicators, also known as IoCs (Indicators of Compromise). There have been requests from avid readers asking AzSec to write something about Microsoft …

Posted in Secure Development, Security Automation | 2 Comments

Trigger an on-demand Azure Policy evaluation scan at Management Group scope

If you are working with Azure Policy, you must already know about the on-demand Azure Policy evaluation scan that Azure allows you to trigger. Currently, you can only trigger the compliance evaluation in your current subscription context or for a resource …

Posted in Governance & Compliance, Security Automation

Get Vulnerability Assessment Setting of Azure SQL Server in tenant with PowerShell

Enabling and configuring the vulnerability assessment (VA) feature on Azure SQL Server is needed in an environment where security and compliance are strictly enforced. Now you are asked by the InfoSec lead to provide the status of the VA configuration on all of …

Posted in Governance & Compliance, Security Automation

Deploy Microsoft Defender for Servers via VM ARM template

Microsoft Defender for Servers offers a capability for Azure VMs to help detect threats and add additional defenses. Currently it is supported on both Windows and Linux. In this article, let’s quickly check whether we can deploy the …

Posted in Security Automation, Security Operation | 7 Comments

Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template

Microsoft has just introduced a new type of analytics rule called near-real-time (NRT). This rule type provides up-to-the-minute detection, which basically means you no longer have to worry about ingestion delay, in particular the five-minute minimum delay. This article provides …

Posted in Security Automation

Azure Sentinel custom alert named based on detected resource

I got a question from a friend today asking if he could customize the alert name based on the detected resource. He was in charge of building a rule set for monitoring Azure Key Vault resources. He wanted to see something like …

Posted in Security Automation | 1 Comment

Azure Sentinel Analytics Rule ARM Template

I have had several people ask if they can develop and deploy Azure Sentinel Analytics rules in the form of an Azure ARM template. This article simply provides a sample template so you can quickly deploy a rule in …

Posted in Security Automation | 1 Comment

Part 3 – Notify container image vulnerability assessment result to email using Azure Logic App

The previous article walked you through some basic steps to upload a Docker container’s vulnerability assessment result to a storage account for further review. Now you are asked to send an email notification to your team every time an assessment result …

Posted in Security Automation | 2 Comments

Notes on the “Azure SQL Server auditing should be enabled” policy

Recently I was asked to help a colleague of mine with a policy named “Azure SQL Server auditing should be enabled”. He deployed an ARM template to enable auditing, but the deployment didn’t reflect the setting in the Azure Portal. In …

Posted in Secure Development, Security Automation

Create an Azure Role Assignment Watchlist in Azure Sentinel

Watchlists in Azure Sentinel allow you to bring in your own data from external data sources for correlation with analytics or hunting rules in your Azure Sentinel environment. In this article, what we are going to do is explore Azure Sentinel …

Posted in Security Automation, Security Operation | 5 Comments