Category Archives: Security Operation

Count number of VMs & VMSS by OS type with Resource Graph Explorer

As part of SOC work you may want to check in your Azure environment the number of VMs or VM Scalesets¬† by Operating System type so you can report to InfoSec leader. Moreover that helps plan security patching better. This … Continue reading

Posted in Governance & Compliance, Security Operation | Tagged , | Leave a comment

Deploy Microsoft Defender for Servers via VM ARM template

Microsoft Defender for Servers¬† offers you a capability for Azure VMs to help detect threat and to add additional defense. Currently it is supported on both Windows and Linux. In this article, let’s quickly check if we can deploy the … Continue reading

Posted in Security Automation, Security Operation | Tagged | Leave a comment

Laterally move by abusing Log Analytics Agent and Automation Hybrid worker

Azure Automation Hybrid worker is used to manage Azure resources in local environment where compliant connectivity is needed. Normally a hybrid worker needs a certificate installed on it so it can be authorized by Azure AD before it can perform … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged , | 1 Comment

Notes on Azure Backup Soft-delete feature in a cybersecurity context

Backup would be the last hope for you in an attempt of recovering your infrastructure after a cyber attack. Malware doesn’t only steal and exfiltrate data but also scans and deletes your backup. The soft delete feature is designed to … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged | Leave a comment

Create an Azure Role Assignment Watchlist in Azure Sentinel

Watchlist in Azure Sentinel allows you to build your own data from external data sources for correlation with analytics or hunting rules in your Azure Sentinel environment. In this article, what we are going to do is explore Azure Sentinel … Continue reading

Posted in Security Automation, Security Operation | Tagged , | 4 Comments

Multi-homing Logging with new Azure Monitor Agent

Sending logs from Azure virtual machine/virtual machine scale set to different Azure Log Analytics workspace (as known as multi-homing) is a common requirement in a large cloud environment. In the past Azure only supported configuring multi-homing on Windows virtual machine. … Continue reading

Posted in Monitoring & Detection, Security Operation | Tagged , | Leave a comment

Guidance for CVE-2020-0796 SMBv3 Compression vulnerability patching on Azure VM

There are discussions around a new CVE coded CVE-2020-0796 that Microsoft indicated a remote code execution vulnerability found in SMBv3.1.1 compression feature. There are questions from people working on Azure environment asking me what to do. The purpose of this … Continue reading

Posted in Security Operation | Tagged , , | 1 Comment

Filter Azure Security Center alert name in Azure Sentinel incident rule

In the past we learnt on how to connect Azure Security Center to Azure Sentinel so every alert generated from Azure Security Center can be an incident in Azure Sentinel. Not all alerts are true positive and sometime you wouldn’t … Continue reading

Posted in Security Operation | Tagged | Leave a comment

Get started with Azure Sentinel Notebooks

Hunting in Azure using Kusto Query Language to write query against Log Analytics workspace may not be enough for you. Given an example like this article, you would want to extract all attacker IP addressees and use VirusTotal to verify … Continue reading

Posted in Security Operation | Tagged , | 3 Comments