{"id":1339,"date":"2018-03-28T01:56:30","date_gmt":"2018-03-28T01:56:30","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1339"},"modified":"2018-04-03T10:17:25","modified_gmt":"2018-04-03T10:17:25","slug":"azure-security-center-detecting-and-responding-to-threats","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1339","title":{"rendered":"Azure Security Center &#8211; Detecting and Responding to Threats"},"content":{"rendered":"<h2><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/03\/23\/getting-started-with-azure-security-center\/\">Main Menu<\/a><\/h2>\n<h1>Detecting and Responding to Threats<\/h1>\n<p><a href=\"https:\/\/mva.microsoft.com\/en-US\/training-courses\/hybrid-cloud-workload-protection-with-azure-security-center-18173?l=xGLWo42jE_4806218965\" target=\"_blank\" rel=\"noopener\">https:\/\/mva.microsoft.com\/en-US\/training-courses\/hybrid-cloud-workload-protection-with-azure-security-center-18173?l=xGLWo42jE_4806218965<\/a><\/p>\n<h1>Detection Capabilities<\/h1>\n<h2>Detection Capabilities<\/h2>\n<h3>Threat Intelligence<\/h3>\n<p>Looks for known malicious actors.<\/p>\n<ul>\n<li>Network traffic to known malicious IP addresses<\/li>\n<li>Known malicious process executed<\/li>\n<\/ul>\n<h3>Behavioral analytics<\/h3>\n<p>Looks for known patterns and malicious behaviors.<\/p>\n<ul>\n<li>Process executed in a suspicious manner<\/li>\n<\/ul>\n<h3>Anomaly detection<\/h3>\n<p>Uses statistical profiling to build historical baselines, then alerts on deviations from the baseline that conform to a potential attack vector.<\/p>\n<ul>\n<li>Remote desktop connections to a specific VM typically occur 5 times a day; today there were 100 connection attempts.<\/li>\n<\/ul>\n<h3>Fusion<\/h3>\n<p>Combines events and alerts from across the kill chain to map the attack timeline.<\/p>\n<ul>\n<li>SQL injection (WAF alert + Azure SQL logs)<\/li>\n<li>Malicious process (crash dump&#8230; and later&#8230; suspicious process execution)<\/li>\n<li>Breach detection (brute force attempt&#8230; and later&#8230; suspicious VM activity)<\/li>\n<\/ul>\n
<h2>Detection throughout the kill chain<\/h2>\n<h3>Target and Attack<\/h3>\n<ul>\n<li>Inbound brute force attacks against RDP, SSH, SQL and more<\/li>\n<li>Application and DDoS attacks (WAF partners)<\/li>\n<li>Intrusion detection (NG Firewall partners)<\/li>\n<\/ul>\n<h3>Install and Exploit<\/h3>\n<ul>\n<li>Known malicious signatures (AM\/EPP partners)<\/li>\n<li>In-memory malware and exploit attempts<\/li>\n<li>Suspicious process execution<\/li>\n<li>Suspicious PowerShell activity<\/li>\n<li>Lateral movement<\/li>\n<li>Internal reconnaissance<\/li>\n<\/ul>\n<h3>Post Breach<\/h3>\n<ul>\n<li>Communication to a known malicious IP (data exfiltration or command and control)<\/li>\n<li>Using compromised resources to mount additional attacks\n<ul>\n<li>Outbound port scanning<\/li>\n<li>Brute force RDP\/SSH attacks<\/li>\n<li>Spam<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Security Alerts<\/h2>\n<h3>Scenario: Outbound spam detected using machine learning and threat intelligence<\/h3>\n<ul>\n<li>An attacker gains access to a VM and begins to send spam emails.<\/li>\n<li>Security Center machine learning detects a spike in SMTP traffic.<\/li>\n<li>The traffic is correlated with the Office 365 spam database to determine whether it is likely legitimate.\n<ul>\n<li>This correlation helps prevent false positives.<\/li>\n<\/ul>\n<\/li>\n<li>An alert is generated.<\/li>\n<\/ul>\n<h3>Security Alerts + Data Correlation = Security Incident<\/h3>\n<p>(Follow the <strong><span style=\"color: #ff0000;\">RED<\/span><\/strong> text to trace one attack through the three stages.)<\/p>\n<h4>Attacked<\/h4>\n<ul>\n<li><strong><span style=\"color: #ff0000;\">RDP Brute Force<\/span><\/strong><\/li>\n<li>SSH Brute Force<\/li>\n<\/ul>\n<h4>Abused<\/h4>\n<ul>\n<li>Simple process<\/li>\n<li><strong><span style=\"color: #ff0000;\">Suspicious CMD<\/span><\/strong><\/li>\n<li>Suspicious user activity<\/li>\n<li>Malicious Communication<\/li>\n<li>Compromised Machine ()<\/li>\n<\/ul>\n
<h4>Attacker<\/h4>\n<ul>\n<li>Outgoing spam<\/li>\n<li>Outgoing brute force<\/li>\n<li>Outgoing scans<\/li>\n<li>Outgoing DDoS<\/li>\n<li>PowerShell analytics<\/li>\n<li>Privilege escalation<\/li>\n<li>Log clear activity<\/li>\n<li>Built-in user activity<\/li>\n<li><strong><span style=\"color: #ff0000;\">Account enumeration<\/span><\/strong><\/li>\n<li><strong><span style=\"color: #ff0000;\">Lateral move<\/span><\/strong><\/li>\n<\/ul>\n<h2>Demo<\/h2>\n<ul>\n<li>Red means bad.<\/li>\n<li>Alerts with a &#8216;group of dots&#8217; icon mean that multiple alerts have been correlated into a single security incident.\n<ul>\n<li>Successful brute force attack<\/li>\n<li>Suspicious SVCHOST process executed<\/li>\n<li>Multiple domain accounts queried<\/li>\n<li>All of these correlate to the same attack, so they are grouped together.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Custom Alerts<\/h1>\n<h2>Creating Custom Alerts<\/h2>\n<p>Security Center &gt; Detection &gt; Custom alert rules<\/p>\n<h3>What are Custom Alerts?<\/h3>\n<ul>\n<li>Custom alert rules in Security Center allow you to define new security alerts based on data that is already collected from your environment.<\/li>\n<li>You write a query, and its results are used as the criteria for the custom rule. Once the criteria are matched, the rule fires and an alert is generated.<\/li>\n<li>You can use computer security events, partner security solution logs, or data ingested using APIs to build the custom query.<\/li>\n<\/ul>\n<h3>Create a custom alert rule<\/h3>\n<ul>\n<li>Name<\/li>\n<li>Description<\/li>\n<li>Severity (select from dropdown)<\/li>\n<li>Query: the search query that defines the rule, written in the Log Analytics query language against the data already collected in the workspace (not PowerShell)\n<ul>\n<li>Lame<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu Detecting and Responding to Threats https:\/\/mva.microsoft.com\/en-US\/training-courses\/hybrid-cloud-workload-protection-with-azure-security-center-18173?l=xGLWo42jE_4806218965
Detection Capabilities Detection Capabilities Threat Intelligence Looks for malicious actors Network traffic to malicious IP addresses Malicious process executed Behavioral analytics Looks for known patterns and malicious behaviors Process executed in a suspicious manner Anomaly detection Uses statistical profiling to build historical baselines.\u00a0 Alert on deviations that ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1339\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35,36],"tags":[],"class_list":["post-1339","post","type-post","status-publish","format-standard","hentry","category-azure","category-security-center"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1339","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1339"}],"version-history":[{"count":4,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1339\/revisions"}],"predecessor-version":[{"id":1343,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1339\/revisions\/1343"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1339"},{"taxonomy":"post_tag",
"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
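The two detection techniques the notes above describe as "Anomaly detection" (a statistical baseline of RDP connections per VM, 5 a day versus 100 today) and "Fusion" (correlating a brute force, a suspicious process and account enumeration into one security incident) are shown below as an added worked example in Python. This is illustration code written for this page, not code from the MVA course or from Azure Security Center; the 14-day connection history, the alert stream, the VM names, the field names and the thresholds (z-score of 3, floor of 20 connections, 24-hour window) are all constructed assumptions.

```python
"""Toy versions of two detection techniques from the notes above: anomaly
detection against a historical baseline, and fusion of related alerts into
one incident. Added example, not code from the course or from Security
Center; history, alert stream, field names and thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

# ---- 1. Anomaly detection against a historical baseline -------------------

# Constructed history: daily RDP connection counts per VM for the last 14 days.
RDP_HISTORY = {
    "vm-web-01": [4, 6, 5, 5, 7, 3, 5, 6, 4, 5, 5, 6, 4, 5],
    "vm-sql-01": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 0, 1, 0],
}

def rdp_baseline(history):
    """Statistical profile of a VM: (mean, population stddev) of daily counts."""
    return mean(history), pstdev(history)

def rdp_anomaly(vm, today_count, history, z_threshold=3.0, min_count=20):
    """Return an alert dict if today's count is far above the baseline, else None.

    Two guards keep this from firing on noise: a z-score threshold, so normal
    day-to-day variation is ignored, and an absolute floor (min_count), so a
    VM with a near-zero baseline does not alert on a handful of connections.
    """
    mu, sigma = rdp_baseline(history)
    sigma = max(sigma, 1.0)  # a very quiet VM has sigma ~0; never divide by it
    z = (today_count - mu) / sigma
    if today_count >= min_count and z >= z_threshold:
        return {"vm": vm, "type": "RDP Brute Force", "z": round(z, 1),
                "detail": f"{today_count} RDP connections, baseline ~{mu:.1f}/day"}
    return None

# ---- 2. Fusion: correlate related alerts into a single security incident ---

# Kill-chain stage per alert type, using the three stages the notes use.
STAGE = {"RDP Brute Force": "Attacked", "Suspicious CMD": "Abused",
         "Account enumeration": "Attacker", "Lateral move": "Attacker"}
STAGE_ORDER = ["Attacked", "Abused", "Attacker"]

@dataclass
class Alert:
    time: datetime
    host: str
    type: str
    detail: str

def correlate(alerts, window=timedelta(hours=24)):
    """Group alerts per host, each group holding alerts within `window` of its
    first alert. Only a group covering two or more kill-chain stages becomes
    an incident: a lone brute-force alert stays an alert; brute force followed
    by a suspicious process and account enumeration is an attack timeline."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.time):
        by_host[a.host].append(a)
    incidents = []
    for host, host_alerts in by_host.items():
        group = []
        for a in host_alerts:
            if group and a.time - group[0].time > window:
                incidents += _to_incident(host, group)
                group = []
            group.append(a)
        incidents += _to_incident(host, group)
    return incidents

def _to_incident(host, group):
    """Stages the group spans, in kill-chain order; no incident below two."""
    stages = [s for s in STAGE_ORDER if any(STAGE.get(a.type) == s for a in group)]
    if len(stages) < 2:
        return []
    return [{"host": host, "start": group[0].time, "end": group[-1].time,
             "stages": stages, "alerts": [a.type for a in group]}]

# Constructed alert stream: the demo chain from the notes on one VM, plus an
# isolated brute-force alert on another VM that must not become an incident.
T0 = datetime(2018, 3, 27, 2, 0)
SAMPLE_ALERTS = [
    Alert(T0, "vm-web-01", "RDP Brute Force", "100 RDP connections, baseline ~5.0/day"),
    Alert(T0 + timedelta(minutes=25), "vm-web-01", "Suspicious CMD",
          "svchost.exe started from a user-writable directory"),
    Alert(T0 + timedelta(minutes=40), "vm-web-01", "Account enumeration",
          "dozens of domain account lookups within a few minutes"),
    Alert(T0 + timedelta(hours=1), "vm-web-01", "Lateral move",
          "RDP from vm-web-01 to vm-sql-01 with a local admin account"),
    Alert(T0 + timedelta(hours=5), "vm-sql-01", "RDP Brute Force",
          "25 RDP connections, baseline ~0.4/day"),
]

if __name__ == "__main__":
    print(rdp_anomaly("vm-web-01", 100, RDP_HISTORY["vm-web-01"]))  # alert, z=95
    print(rdp_anomaly("vm-web-01", 8, RDP_HISTORY["vm-web-01"]))    # None: under floor
    for inc in correlate(SAMPLE_ALERTS):
        print(inc["host"], inc["stages"], inc["alerts"])
```

Two things worth noticing when running it. With the web VM's baseline of about 5 connections a day, 8 connections already has a z-score of 3 but is suppressed by the absolute floor, which is the kind of guard that keeps a quiet VM from paging someone over a routine admin session. And the grouping is per host, so the follow-on brute force against vm-sql-01 stays a separate alert even though it is the target of the lateral move; linking it would need the lateral-move alert's destination host as an additional correlation key, which is the sort of cross-resource correlation the Fusion description above is about.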