Archives
- January 2022 (3)
- December 2021 (9)
- November 2021 (13)
- August 2021 (1)
- July 2021 (6)
- June 2021 (1)
- May 2021 (1)
- April 2021 (1)
- January 2021 (1)
- August 2020 (1)
- July 2020 (3)
- June 2020 (1)
- March 2020 (5)
- February 2020 (3)
- January 2020 (18)
- December 2019 (22)
- November 2019 (3)
- October 2019 (1)
- July 2019 (1)
- April 2019 (2)
- January 2019 (2)
- October 2018 (2)
- September 2018 (1)
- August 2018 (4)
- July 2018 (4)
- February 2018 (6)
- January 2018 (3)
- November 2017 (1)
- August 2017 (3)
- May 2017 (4)
- April 2017 (4)
- December 2016 (1)
Categories
- Application Security (1)
- Azure Security Center (10)
- Governance & Compliance (19)
- Host Protection (3)
- Identity & Access Control (9)
- Monitoring & Detection (22)
- Network Security (3)
- Secure Development (13)
- Security Automation (53)
- Security Operation (21)
- Service Overview (1)
Category Archives: Security Operation
Extract plain-text password from Azure VM Reset Password feature
Reset password is a common feature that allows you to create or reset a local administrator account on Azure VM. This feature is helpful when you forgot the account used to log into your VM. There would be a question … Continue reading
Acquire Access Token from Azure App Service (Linux) System-Assigned Managed Identity
I got a question from a friend last week if he should enable System-Assigned Managed Identity (SAMI) on an Azure App Service running on a Linux host. He also asked if his developer team could use that SAMI to do … Continue reading
Count number of VMs & VMSS by OS type with Resource Graph Explorer
As part of SOC work you may want to check in your Azure environment the number of VMs or VM Scalesets by Operating System type so you can report to InfoSec leader. Moreover that helps plan security patching better. This … Continue reading
Deploy Microsoft Defender for Servers via VM ARM template
Microsoft Defender for Servers offers you a capability for Azure VMs to help detect threat and to add additional defense. Currently it is supported on both Windows and Linux. In this article, let’s quickly check if we can deploy the … Continue reading
Laterally move by abusing Log Analytics Agent and Automation Hybrid worker
Azure Automation Hybrid worker is used to manage Azure resources in local environment where compliant connectivity is needed. Normally a hybrid worker needs a certificate installed on it so it can be authorized by Azure AD before it can perform … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged abuse Azure agent, azure laterally move
1 Comment
Notes on Azure Backup Soft-delete feature in a cybersecurity context
Backup would be the last hope for you in an attempt of recovering your infrastructure after a cyber attack. Malware doesn’t only steal and exfiltrate data but also scans and deletes your backup. The soft delete feature is designed to … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged soft-delete azure backup
Leave a comment
Create an Azure Role Assignment Watchlist in Azure Sentinel
Watchlist in Azure Sentinel allows you to build your own data from external data sources for correlation with analytics or hunting rules in your Azure Sentinel environment. In this article, what we are going to do is explore Azure Sentinel … Continue reading
Posted in Security Automation, Security Operation
Tagged azure sentinel, azure sentinel watchlist api
5 Comments
Multi-homing Logging with new Azure Monitor Agent
Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. … Continue reading
Posted in Monitoring & Detection, Security Operation
Tagged azure monitor agent, azure multi-homing
1 Comment
Everything you need to know about allowBlobPublicAccess on Storage Account
Data breaches caused by cloud misconfiguration have been seen for the past few years. One of the most common misconfigurations is granting public access to cloud storage service. Such a data is often unprotected, making them to be accessed without … Continue reading
Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM
There are discussions around a new CVE coded CVE-2020-0796 that Microsoft indicated a remote code execution vulnerability found in SMBv3.1.1 compression feature. There are questions from people working on Azure environment asking me what to do. The purpose of this … Continue reading