Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template

Microsoft has just introduced a new type of analytics rule called near-real-time (NRT). This rule type provides up-to-the-minute detection, which basically means you no longer have to worry about ingestion delay, especially the five-minute minimum delay.

This article provides a sample ARM template to deploy a near-real-time (NRT) analytics rule.

Posted in Security Automation

Azure Sentinel custom alert named based on detected resource

I got a question from a friend today asking if he could customize the alert name based on the detected resource. He was in charge of building a rule set for monitoring Azure Key Vault resources. He wanted to see something like “SecretGet request on xyz-keyvault resource at 2021-11-01T20:59:50.1370000Z”.

In this article, we will see how to customize an alert name dynamically based on the detection rule’s output.

Posted in Security Automation

Azure Sentinel Analytics Rule ARM Template

I have had several people ask if they can develop and deploy Azure Sentinel Analytics rules in the form of an Azure ARM template.

This article simply provides a sample template so you can quickly deploy a rule in Azure Sentinel for testing. You can also use the analytics rule template in your CI/CD pipeline if needed.

Posted in Security Automation

Part 3 – Notify container image vulnerability assessment results by email using Azure Logic App

The previous article walked you through some basic steps to upload a Docker container’s vulnerability assessment result to a storage account for further review. Now you are asked to send an email notification to your team every time an assessment result is ready.

There are several ways to achieve email notification in Azure. In this article, we are going to explore Azure Logic Apps with some common built-in actions and triggers to send emails to the SecOps or DevOps team.

Posted in Security Automation

Part 2 – Upload container vulnerability assessment results to an Azure Storage Account

Previously I wrote an article walking people through CI/CD integration with Azure Security Center. I got a question about uploading vulnerability assessment results to an Azure Storage Account.

In this article, let’s see how to do that with the Azure CLI GitHub Action.

Posted in Secure Development

Part 1 – Quick look at CI/CD integration in Azure Security Center to scan your Docker image

If you work in a cyber-security field where DevOps is involved, you have probably heard about shift-left security. Shift-left security basically means moving security assessment or verification earlier in the development process, so you don’t waste time remediating security findings just before the product or application is released to the production environment.

Specific to Azure, the new CI/CD integration to scan container images in Azure Security Center has come to my attention. In this article, let’s explore this feature and how to perform a PoC to demonstrate it to your team or customer. The article also provides step-by-step guidance on completing the PoC.

Posted in Secure Development

Notes on the “Azure SQL Server auditing should be enabled” policy

Recently I was asked to help a colleague of mine with a policy named “Azure SQL Server auditing should be enabled”. He deployed an ARM template to enable auditing, but the deployment didn’t reflect the setting in the Azure Portal.

In this article, let’s look into the problem my colleague had. We will also modify the built-in policy to make it more useful.

Posted in Secure Development, Security Automation

Notes on Azure Backup Soft-delete feature in a cybersecurity context

Backup is your last hope when trying to recover your infrastructure after a cyber attack. Malware doesn’t only steal and exfiltrate data; it also scans for and deletes your backups. The soft delete feature is designed to address exactly this concern of data destruction.

In this article, let’s look into some aspects of the soft delete feature in Azure Backup.

Posted in Monitoring & Detection, Security Operation

Demystify Azure DDoS Protection Azure Policy

There are two different policies in Azure Security Center/Azure Policy that scan virtual network resources and DDoS protection plans. Your virtual network resources may appear in the list of non-compliant resources for one of these policies. In this article, let’s demystify the two policies and remediate or justify the findings in case a compliance reviewer asks about them.

Posted in Governance & Compliance

Create an Azure Role Assignment Watchlist in Azure Sentinel

Watchlists in Azure Sentinel allow you to bring in your own data from external data sources for correlation with analytics or hunting rules in your Azure Sentinel environment.

In this article, we are going to explore the Azure Sentinel Watchlist REST API and then create an Azure Role Assignment watchlist.

Posted in Security Automation, Security Operation