Category Archives: Security Operation

Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM

There are discussions around a new CVE, CVE-2020-0796, which Microsoft indicates is a remote code execution vulnerability in the SMBv3.1.1 compression feature. People working in Azure environments have been asking me what to do. The purpose of this …


Filter Azure Security Center alert name in Azure Sentinel incident rule

In the past we learned how to connect Azure Security Center to Azure Sentinel so that every alert generated by Azure Security Center can become an incident in Azure Sentinel. Not all alerts are true positives, and sometimes you wouldn’t …


Get started with Azure Sentinel Notebooks

Hunting in Azure by using Kusto Query Language to write queries against a Log Analytics workspace may not be enough for you. Given an example like this article, you would want to extract all attacker IP addresses and use VirusTotal to verify …


Demystify alerts generated by Azure Sentinel versus other third-party products

There is a question in the community asking about the alert field on the Incident page and what it means. In this article, let’s talk about that and see how to distinguish between alerts generated by Azure Sentinel …


VM Security Log to Event Hub for SIEM integration

Streaming VM security logs to Event Hub and adding that Event Hub as an Event Hub listener in a SIEM is a common step in building a SOC. Microsoft has separate articles for Windows and Linux where they give information on the diagnostics agent …


Thoughts on Azure Sentinel

I got a bunch of questions regarding the purpose or strategy of using Azure Sentinel when we have Azure Security Center (ASC), given the fact that, technically, everything Azure Sentinel has can be built within ASC. However, the purpose of …


Query private IP addresses using Azure CLI

You’d probably guess that querying IP addresses using Azure CLI could not be easier than az vm list-ip-addresses. It should work if the environment is small and you don’t have virtual machines using the same name. In a large environment, especially …


Quick note on the RunCommand feature on Azure VMs

As a SecOps guy you are asked to perform an audit on your virtual machines in Azure. The audit would be checking security patches (where Update Management hasn’t been enabled), or simply a vulnerability verification like Spectre and Meltdown. Run …


A note behind Get-AzureKeyVaultSecret

At first look at Get-AzureKeyVaultSecret, you would tend to think of this cmdlet as retrieving secret information from an Azure Key Vault secret. However, during my test this cmdlet also returns certificate information and its private key, which is pretty much like …


Notes on cross-subscription Event Hub

Event Hub is an event processing cloud service that provides the ability to process millions of messages per second and make them readable by external services. In the security monitoring scenario, you may see a use case where an external consumer like …
