Azure Security Center – Detecting and Responding to Threats

  Azure, Security Center

Detecting and Responding to Threats

https://mva.microsoft.com/en-US/training-courses/hybrid-cloud-workload-protection-with-azure-security-center-18173?l=xGLWo42jE_4806218965

Detection Capabilities

Threat Intelligence

Looks for malicious actors

  • Network traffic to malicious IP addresses
  • Malicious process executed

Behavioral analytics

Looks for known patterns and malicious behaviors

  • Process executed in a suspicious manner

Anomaly detection

Uses statistical profiling to build historical baselines.  Alerts on deviations that conform to a potential attack vector.

  • Remote desktop connections to a specific VM typically occur 5 times a day, today there were 100 connection attempts.
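As an added example (not from the course and not Security Center's own implementation), here is a small profiler over constructed Windows RDP logon events that builds the per-day baseline and raises on the "5 a day, then 100" deviation described above. Event IDs 4624/4625 and LogonType 10 are real Windows values; the 3-sigma threshold, the 1-attempt floor on the standard deviation and the brute-force success rule are assumptions.

```python
"""Anomaly detection over daily RDP logon attempts, modelled on the Security
Center example above (baseline ~5/day, then 100 attempts in one day).
All events below are constructed sample data, not real telemetry."""
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

RDP_LOGON_TYPE = 10                       # Windows LogonType 10 = RemoteInteractive (RDP)
LOGON_EVENTS = {4624: "success", 4625: "failure"}

def build_sample_events(baseline_days=14):
    """Constructed Windows Security events as (day, EventID, LogonType) tuples."""
    base = date(2018, 3, 1)
    events = []
    for d in range(baseline_days):                      # quiet history: 4-6 RDP logons/day
        day = base + timedelta(days=d)
        events += [(day, 4624, RDP_LOGON_TYPE)] * (4 + d % 3)
    today = base + timedelta(days=baseline_days)
    events += [(today, 4625, RDP_LOGON_TYPE)] * 99      # brute force: 99 failed RDP logons
    events += [(today, 4624, RDP_LOGON_TYPE)]           # ...followed by one success
    events += [(today, 4624, 3)] * 20                   # network logons: not RDP, must be ignored
    return events, today

def daily_rdp_counts(events):
    """Count RDP logon attempts (success or failure) per day."""
    return Counter(day for day, event_id, logon_type in events
                   if event_id in LOGON_EVENTS and logon_type == RDP_LOGON_TYPE)

def rdp_anomaly(events, day, min_history=7, z_threshold=3.0):
    """Profile the days before `day`; return an alert dict if `day` deviates, else None."""
    counts = daily_rdp_counts(events)
    first = min(counts)
    # Fill days with no RDP activity as 0 so quiet days count toward the baseline.
    history = [counts.get(first + timedelta(days=k), 0) for k in range((day - first).days)]
    if len(history) < min_history:
        return None                                     # not enough history to profile
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)                   # assumed floor: flat baseline must not divide by zero
    observed = counts.get(day, 0)
    z = (observed - mu) / sigma
    if z < z_threshold:
        return None
    outcomes = Counter(LOGON_EVENTS[e] for d, e, t in events
                       if d == day and e in LOGON_EVENTS and t == RDP_LOGON_TYPE)
    return {"day": day.isoformat(), "baseline_per_day": round(mu, 1),
            "observed": observed, "z_score": round(z, 1),
            "failed": outcomes["failure"], "succeeded": outcomes["success"],
            # assumed rule: many failures plus at least one success = successful brute force
            "successful_brute_force": outcomes["failure"] >= 50 and outcomes["success"] > 0}

if __name__ == "__main__":
    sample_events, sample_day = build_sample_events()
    print(rdp_anomaly(sample_events, sample_day))
```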

Fusion

Combine events and alerts from across the kill chain to map the attack timeline

  • SQL injections (WAF + Azure SQL Logs)
  • Malicious process (Crash dump… and later… suspicious process execution)
  • Breach detection (Brute force attempt… and later… suspicious VM activity)

Detection throughout the kill chain

Target and Attack

  • Inbound brute force, RDP, SSH, SQL attacks and more
  • Application and DDoS attacks (WAF partners)
  • Intrusion detection (NG Firewall partners)

Install and Exploit

  • Known malicious signatures (AM/EPP partners)
  • In-memory malware and exploit attempts
  • Suspicious process execution
  • Suspicious PowerShell activity
  • Lateral Movement
  • Internal reconnaissance

Post Breach

  • Communication to a known malicious IP (Data exfiltration or command and control)
  • Using compromised resources to mount additional attacks
    • Outbound port scanning
    • Brute force RDP/SSH attacks
    • Spam

Security Alerts

Scenario: Outbound SPAM detected using machine learning and threat intelligence

  • An attacker gains access to a VM and begins to send spam emails
  • Security Center machine learning detects a spike in SMTP traffic
  • Traffic is correlated with O365 spam database to determine if the traffic is likely legitimate or not.
    • helps prevent false positives
  • An alert is generated.

Security Alerts + Data Correlation = Security Incident

(Follow the RED text)

Attacked

  • RDP Brute Force
  • SSH Brute Force

Abused

  • Simple process
  • Suspicious CMD
  • Suspicious user activity
  • Malicious Communication
  • Compromised Machine ()

Attacker

  • Outgoing Spam
  • Outgoing BF
  • Outgoing scans
  • Outgoing DDoS
  • PowerShell analytics
  • Privilege escalation
  • Log clear activity
  • Built-in user activity
  • Account enumeration
  • Lateral move

Demo

  • Red means bad.
  • Alerts with a ‘group of dots’ icon means multiple alerts have been correlated together into a single alert.
    • Successful brute force attack
    • Suspicious SVCHOST process executed
    • Multiple Domain Accounts queried
    • All of these correlate to the same attack, so are grouped together.

Custom Alerts

Creating Custom Alerts

Security Center > Detection > Custom alert rules

What are Custom Alerts?

  • Custom alert rules in Security Center allow you to define new security alerts based on data that is already collected from your environment.
  • You can create queries, and the results of these queries can be used as criteria for the custom rule.  Once these criteria are matched, the rule is executed.
  • You can use computer security events, partners’ security solution logs, or data ingested using APIs to create your custom queries.

Create a custom alert rule

  • Name
  • Description
  • Severity (Select from dropdown)
  • Enter query based on PowerShell queries?
    • Lame
