Filter Azure Security Center alerts by name in an Azure Sentinel incident creation rule

In an earlier post we looked at how to connect Azure Security Center to Azure Sentinel so that every alert Azure Security Center generates becomes an incident in Azure Sentinel. Not every alert is a true positive, and some of them you simply do not want showing up on the Azure Sentinel Incidents page.

Until the Azure Security Center auto-dismiss feature ships, there are a few options. In this article, let’s take a quick look at the filtering built into the Microsoft incident creation rule, which lets you keep selected alerts from ever becoming incidents.


Posted in Security Operation

Alert Grouping feature in Azure Sentinel

One thing SecOps analysts need when working with Azure Sentinel is the ability to group alerts that share characteristics into a single incident, so they can be managed and responded to together. Take alerts such as “Traffic detected from IP addresses recommended for blocking” or “Access from an unusual location to a storage account”: in some environments they fire repeatedly, and one incident per alert floods the queue with near-duplicate, often false-positive incidents.

In this article, let’s have a quick look at the Alert Grouping feature in Azure Sentinel, which groups such alerts into a single incident.

Posted in Monitoring & Detection

Add a custom Azure Policy to Azure Security Center Recommendations

Azure Security Center recommendations are powered by Azure Policy, and you can disable recommendations that do not apply to your environment. You can also add a custom Azure Policy definition to Azure Security Center recommendations, so that your own controls appear next to the built-in ones and you get a single pane of glass for your security posture.

In this article, let’s see how to add a custom Azure Policy to Azure Security Center recommendations.

Posted in Governance & Compliance

Export virtual machines with ASC monitoring agent issues

Azure Security Center has a recommendation named “Monitoring agent health issues should be resolved on your machines” that lists unhealthy resources of the virtual machine type. Several different conditions can put the monitoring agent on a virtual machine into an unhealthy state.

You may wonder whether you can pull the list of unhealthy virtual machines, together with their monitoring state, without opening the Azure Portal. In this article, let’s see how to export all unhealthy virtual machines and the corresponding monitoring agent state.


Posted in Monitoring & Detection

Enable Microsoft Defender ATP integration in Azure Security Center programmatically

If you have worked with Azure Security Center and Microsoft Defender ATP (Advanced Threat Protection), you may know the Threat Detection setting in Azure Security Center where you allow Microsoft Cloud App Security (MCAS) or Microsoft Defender ATP to access your data.

In this article, let’s see how to enable the integration programmatically instead of ticking boxes in the Azure Portal.
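As an added example (not code from the original post), the following PowerShell script flips the two Threat Detection integrations through the Azure Security Center settings REST API rather than the portal. It assumes Az.Accounts 2.0 or later (for Invoke-AzRestMethod), an existing Connect-AzAccount session with Security Admin on the subscription, and the setting names WDATP and MCAS, kind DataExportSettings and api-version 2019-01-01 of the Microsoft.Security/settings API as documented at the time of writing; check those against the current API reference before relying on them.

```powershell
# Added example (not code from the original post): turn the Azure Security Center
# "Threat Detection" integrations (Microsoft Defender ATP = WDATP, Microsoft Cloud App
# Security = MCAS) on or off through the Microsoft.Security/settings REST API.
# Assumptions: Az.Accounts >= 2.0 (Invoke-AzRestMethod), Connect-AzAccount already run
# with Security Admin on the subscription; setting names WDATP/MCAS, kind
# DataExportSettings and api-version 2019-01-01 are those of the ASC settings API at the
# time of writing.
param(
    [Parameter(Mandatory)] [string]   $SubscriptionId,
    [ValidateSet('WDATP', 'MCAS')]  [string[]] $Setting = @('WDATP', 'MCAS'),
    [bool] $Enabled = $true
)

foreach ($name in $Setting) {
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/settings/${name}?api-version=2019-01-01"

    # Read the current value first so the script reports what actually changed.
    $get = Invoke-AzRestMethod -Method GET -Path $path
    if ($get.StatusCode -ne 200) {
        throw "GET $name failed: HTTP $($get.StatusCode) $($get.Content)"
    }
    $before = ($get.Content | ConvertFrom-Json).properties.enabled

    # The setting is a plain on/off switch of kind DataExportSettings.
    $payload = @{
        kind       = 'DataExportSettings'
        properties = @{ enabled = $Enabled }
    } | ConvertTo-Json -Depth 3

    $put = Invoke-AzRestMethod -Method PUT -Path $path -Payload $payload
    if ($put.StatusCode -notin @(200, 201)) {
        throw "PUT $name failed: HTTP $($put.StatusCode) $($put.Content)"
    }
    $after = ($put.Content | ConvertFrom-Json).properties.enabled

    # One row per setting: what it was and what it is now.
    [pscustomobject]@{ Setting = $name; Before = $before; After = $after }
}
```

Run it as `.\Enable-AscIntegration.ps1 -SubscriptionId <guid>` to enable both integrations, or pass `-Setting WDATP -Enabled:$false` to switch a single one off. Because the script reads the setting before writing it, the output doubles as an audit record of the change.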


Posted in Azure Security Center, Security Automation

Threat Detection for Key Vault in Azure Security Center

From this article you may have realized that a Key Vault pricing tier can be enabled in Azure Security Center, even though it was not visible in the Azure Portal UI. Microsoft has now released Threat Detection for Azure Key Vault in Azure Security Center in public preview. With this capability, Azure Security Center can detect a Key Vault being accessed from a Tor exit node, as well as other anomalous activity against your key vaults.

In this article, let’s simulate such access and see what the resulting alert gives you.


Posted in Azure Security Center

Get all comments in an Azure Sentinel incident programmatically

For reporting you may want to pull every comment on an Azure Sentinel incident and archive it as an incident or forensic artifact before the case is closed. Comments are a modest feature in Azure Sentinel, but they still play an important role in documenting an investigation.

In this article, let’s explore a way to extract all comments on an Azure Sentinel incident. You will use both PowerShell and Azure CLI (plus curl) to work with the Azure Sentinel incident comment API.
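As an added example (not code from the original post), here is the PowerShell flavour of that extraction: it walks the incident comments collection of the Microsoft.SecurityInsights API, follows paging, and writes the comments to a CSV for the case file. It assumes Az.Accounts 2.0 or later (Invoke-AzRestMethod), a Connect-AzAccount session with at least Azure Sentinel Reader, api-version 2020-01-01, and the comment property names (message, createdTimeUtc, author.email) of that API version; the incident ID is the resource name GUID, not the human-readable incident number.

```powershell
# Added example (not code from the original post): list every comment on an Azure Sentinel
# incident through the Microsoft.SecurityInsights incidents/{id}/comments REST API and
# export them to CSV as an incident artifact.
# Assumptions: Az.Accounts >= 2.0 (Invoke-AzRestMethod), Connect-AzAccount already run,
# api-version 2020-01-01 and the comment schema of that version (properties.message,
# properties.createdTimeUtc, properties.author.email).
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $Workspace,
    [Parameter(Mandatory)] [string] $IncidentId,   # incident GUID (resource name), not the incident number
    [string] $OutFile = "incident-$IncidentId-comments.csv"
)

$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/incidents/$IncidentId/comments?api-version=2020-01-01"

$comments = @()
do {
    $response = Invoke-AzRestMethod -Method GET -Path $path
    if ($response.StatusCode -ne 200) {
        throw "Comment API returned HTTP $($response.StatusCode): $($response.Content)"
    }
    $page = $response.Content | ConvertFrom-Json
    $comments += $page.value

    # The collection is paged: keep following nextLink (a full URL) until it is absent.
    $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
} while ($path)

# Oldest first, so the CSV reads as the investigation timeline.
$comments |
    Sort-Object { [datetime]$_.properties.createdTimeUtc } |
    ForEach-Object {
        [pscustomobject]@{
            CreatedUtc = $_.properties.createdTimeUtc
            Author     = $_.properties.author.email
            Message    = $_.properties.message
            CommentId  = $_.name
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding utf8

Write-Host "Exported $(@($comments).Count) comment(s) to $OutFile"
```

Because the CSV is meant to be kept after the incident is closed, store it with the rest of the case evidence rather than in a working directory; the comment ID column lets you tie each row back to the API object if the export is ever questioned.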


Posted in Security Automation

Query Azure Security Center Recommendations in different ways

If you work with Azure Security Center you probably know its Recommendations, which periodically assess the security state of your Azure resources. Recommendations used to be evaluated by a private Azure back-end service. Microsoft then made them more configurable by integrating them with Azure Policy: in a nutshell, Azure Policy now does the job of scanning Azure resources and feeds the results to the Recommendations page.

In this article, let’s explore different ways to get recommendation state out of Azure Security Center: the Azure Security Center API, Kusto Query Language, and Continuous Export.
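As an added example (not code from the original posts), the following PowerShell script covers the Kusto route for both this post and the monitoring agent export above: it queries the assessments that Azure Security Center publishes to Azure Resource Graph, keeps only the Unhealthy ones, optionally narrows them to a single recommendation such as “Monitoring agent health issues should be resolved on your machines”, and writes the result to CSV. It assumes Az.Accounts and Az.ResourceGraph are installed, a Connect-AzAccount session with Reader on the subscriptions in scope, and the securityresources / microsoft.security/assessments schema (properties.displayName, properties.status.code, properties.status.cause, properties.resourceDetails.Id) as exposed in Resource Graph at the time of writing.

```powershell
# Added example (not code from the original posts): export unhealthy Azure Security Center
# assessments from Azure Resource Graph, optionally narrowed to one recommendation (for
# instance the monitoring agent health one), and write them to CSV.
# Assumptions: Az.Accounts and Az.ResourceGraph installed, Connect-AzAccount already run
# with Reader on the subscriptions in scope; field names follow the securityresources /
# microsoft.security/assessments schema that ASC publishes to Resource Graph.
param(
    # Empty string = export every unhealthy assessment regardless of recommendation.
    [string] $RecommendationName = 'Monitoring agent health issues should be resolved on your machines',
    [string] $OutFile = 'unhealthy-assessments.csv'
)

# Resource Graph KQL: one row per (resource, recommendation) that is currently Unhealthy.
# The recommendation filter is applied client-side below instead of being spliced into the
# query text, so a parameter value can never change the shape of the query.
$query = @'
securityresources
| where type =~ 'microsoft.security/assessments'
| extend displayName = tostring(properties.displayName),
         statusCode  = tostring(properties.status.code),
         statusCause = tostring(properties.status.cause),
         resourceId  = tolower(tostring(properties.resourceDetails.Id))
| where statusCode =~ 'Unhealthy'
| project subscriptionId, resourceGroup, resourceId, displayName, statusCode, statusCause
| order by resourceId asc
'@

# Resource Graph returns at most 1000 rows per call; follow the skip token to get them all.
$rows = @()
$response = Search-AzGraph -Query $query -First 1000
$rows += $response
while ($response.SkipToken) {
    $response = Search-AzGraph -Query $query -First 1000 -SkipToken $response.SkipToken
    $rows += $response
}

if ($RecommendationName) {
    $rows = $rows | Where-Object { $_.displayName -eq $RecommendationName }
}

# statusCause carries the reason the assessment reports, where the assessment populates it.
$rows |
    Select-Object subscriptionId, resourceGroup, resourceId, displayName, statusCode, statusCause |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding utf8

Write-Host ("Exported {0} unhealthy assessment row(s) to {1}" -f @($rows).Count, $OutFile)
```

Search-AzGraph queries the subscriptions of the current Azure context by default; pass `-Subscription` (or `-UseTenantScope` on recent module versions) to widen the scope. Running the script with `-RecommendationName ''` gives you the full unhealthy list, which is the same data the Recommendations page shows but in a form you can diff from one day to the next.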


Posted in Azure Security Center, Governance & Compliance

Update Azure Sentinel incident programmatically

Sooner or later you will want to update Azure Sentinel incidents in bulk, typically their labels or assignment. For example, you might want every brute-force related incident to carry the label brute-force and to be assigned to the person or team responsible for handling that kind of incident.

In this article, let’s explore the Azure Sentinel Incident API a bit further and see how to update the label and assignment of one or many existing incidents.
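As an added example (not code from the original post), this PowerShell script applies exactly that change to one or many incidents: it fetches each incident, adds the label if it is not already there, sets the owner, and writes the incident back. It assumes Az.Accounts 2.0 or later (Invoke-AzRestMethod), a Connect-AzAccount session with Azure Sentinel Responder or higher, api-version 2020-01-01, and the label and owner shapes of that version ({labelName} and {objectId, email}); the incident IDs are the resource name GUIDs.

```powershell
# Added example (not code from the original post): label and assign one or many Azure
# Sentinel incidents through the Microsoft.SecurityInsights incidents REST API.
# Assumptions: Az.Accounts >= 2.0 (Invoke-AzRestMethod), Connect-AzAccount already run
# with Azure Sentinel Responder or higher, api-version 2020-01-01, and the label/owner
# shapes {labelName} and {objectId, email} of that API version.
param(
    [Parameter(Mandatory)] [string]   $SubscriptionId,
    [Parameter(Mandatory)] [string]   $ResourceGroup,
    [Parameter(Mandatory)] [string]   $Workspace,
    [Parameter(Mandatory)] [string[]] $IncidentId,        # incident GUIDs (resource names), not incident numbers
    [Parameter(Mandatory)] [string]   $AssigneeObjectId,  # Azure AD object ID of the analyst or team account
    [Parameter(Mandatory)] [string]   $AssigneeEmail,
    [string] $Label = 'brute-force'
)

$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/incidents"

foreach ($id in $IncidentId) {
    $path = "$base/${id}?api-version=2020-01-01"

    # PUT replaces the whole incident, so GET it first and change only labels and owner.
    # Sending back the etag from the GET lets the service reject the PUT if the incident
    # was modified in between.
    $get = Invoke-AzRestMethod -Method GET -Path $path
    if ($get.StatusCode -ne 200) { throw "GET incident $id failed: HTTP $($get.StatusCode)" }
    $incident = $get.Content | ConvertFrom-Json

    # Labels are objects of the form {labelName}; add ours only if missing, so reruns are idempotent.
    $labels = @($incident.properties.labels)
    if ($labels.labelName -notcontains $Label) {
        $labels += [pscustomobject]@{ labelName = $Label }
    }
    $incident.properties | Add-Member -NotePropertyName labels -NotePropertyValue $labels -Force
    $incident.properties | Add-Member -NotePropertyName owner -NotePropertyValue ([pscustomobject]@{
        objectId = $AssigneeObjectId
        email    = $AssigneeEmail
    }) -Force

    $put = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($incident | ConvertTo-Json -Depth 10)
    if ($put.StatusCode -notin @(200, 201)) {
        throw "PUT incident $id failed: HTTP $($put.StatusCode) $($put.Content)"
    }

    # Report what the service stored, not what we sent.
    $updated = $put.Content | ConvertFrom-Json
    [pscustomobject]@{
        IncidentNumber = $updated.properties.incidentNumber
        Labels         = ($updated.properties.labels.labelName -join ', ')
        Owner          = $updated.properties.owner.email
    }
}
```

Feed it the IDs from an incidents list call filtered on title (for example every incident whose title contains “brute force”) and it handles the bulk case; the GET-modify-PUT pattern is deliberate, because a PUT that omits fields such as title, severity or status would reset them rather than leave them untouched.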


Posted in Security Automation

What Blue Team needs to know about Run Script feature in Azure

Run Script (Azure’s Run Command feature) is great: it lets a cloud administrator run a command or script on a target virtual machine without RDP and without setting up PowerShell Remoting, which may not be allowed in your organization. The flip side is that a bad actor with enough permission on the virtual machine resource can use it to run a malicious command in exactly the same way, and it gets worse if that execution succeeds, because the script runs inside the guest as SYSTEM on Windows or root on Linux without touching any network port the guest exposes.

As a blue teamer working on Azure, you need a solid understanding of how Run Script works, how to detect its use, and how to trace what was run on a compromised virtual machine.
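As an added example (not code from the original post), the following PowerShell script is the detection side of that: it queries the Azure Activity log collected into a Log Analytics workspace for invocations of the ARM action Run Command requires, Microsoft.Compute/virtualMachines/runCommand/action, and collapses the Start/Success/Failure rows of each call into one line showing who called it, from where, against which VM, and with what outcome. It assumes Az.Accounts and Az.OperationalInsights are installed, a Connect-AzAccount session, and that the AzureActivity table is populated through the Activity Log connector or a subscription diagnostic setting. The Activity log records the call but not the script body; the body is staged on the guest by the RunCommand extension (under the extension’s download folder on Windows, under the waagent run-command directory on Linux), so that is where the forensic trace of what was actually run has to be collected.

```powershell
# Added example (not code from the original post): hunt for Run Command executions in the
# Azure Activity log collected into a Log Analytics workspace.
# Assumptions: Az.Accounts and Az.OperationalInsights installed, Connect-AzAccount already
# run, and the AzureActivity table populated (Activity Log connector / diagnostic setting).
# The operation name is the ARM action Run Command requires:
# Microsoft.Compute/virtualMachines/runCommand/action.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,   # Log Analytics workspace (customer) ID
    [int] $Hours = 24
)

# One Run Command call produces several Activity rows (Start, then Success or Failure).
# Group them by CorrelationId so each call becomes one line, and keep the set of statuses
# so failed attempts stay visible next to successful ones.
$kql = @"
AzureActivity
| where TimeGenerated > ago(${Hours}h)
| where OperationNameValue =~ 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'
| summarize FirstSeen = min(TimeGenerated),
            Statuses  = make_set(ActivityStatusValue),
            Caller    = take_any(Caller),
            CallerIp  = take_any(CallerIpAddress)
          by CorrelationId, TargetVm = tolower(_ResourceId)
| order by FirstSeen desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$runs = @($result.Results)

if ($runs.Count -eq 0) {
    Write-Host "No Run Command activity in the last $Hours hour(s)."
    return
}

# Each row is one Run Command invocation: when, by whom, from where, against which VM.
$runs | Format-Table FirstSeen, Caller, CallerIp, TargetVm, Statuses -AutoSize
```

Turned into a scheduled analytics rule, the same KQL (minus the PowerShell wrapper) gives you an alert whenever Run Command is used by an identity or from an IP you do not expect; the CorrelationId in the output is the pivot for pulling the full Activity entries and for matching the extension artifacts on the VM.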


Posted in Monitoring & Detection