Scribd
Upload
117 views50 pages

Azure Defender 2021 Maxime 4

This presentation provides an overview of Azure Defender and how it can be used to detect and respond to security threats in Azure environments. The presenter begins with an introduction and outlines their experience. Next, examples are shown of different types of alerts that Azure Defender can generate for threats like suspicious container activity or access from TOR exit nodes. The presentation demonstrates how alerts can be exported to a SIEM and linked to notification systems. Simulation of alerts and use of the Azure Graph and automation capabilities are also covered. Azure Defender is discussed for various cloud services and workloads. The presentation concludes with a discussion of Azure Security Center's multi-cloud monitoring across Azure and AWS.

Uploaded by

hanen chhibi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
117 views50 pages

Azure Defender 2021 Maxime 4

This presentation provides an overview of Azure Defender and how it can be used to detect and respond to security threats in Azure environments. The presenter begins with an introduction and outlines their experience. Next, examples are shown of different types of alerts that Azure Defender can generate for threats like suspicious container activity or access from TOR exit nodes. The presentation demonstrates how alerts can be exported to a SIEM and linked to notification systems. Simulation of alerts and use of the Azure Graph and automation capabilities are also covered. Azure Defender is discussed for various cloud services and workloads. The presentation concludes with a discussion of Azure Security Center's multi-cloud monitoring across Azure and AWS.

Uploaded by

hanen chhibi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 50

Azure Defender in Action!

Maxime Coquerel - MVP Azure


# Speaker
Maxime Coquerel

Director Cloud Security Architecture

Email : [email protected]

Blog : zigmax.net (since 2012)

Github : https://github.com/zigmax

Twitter : @zig_max

Open Source Contributor (Kubernetes / VSCode)


Disclaimer

“Any views or opinions expressed in this presentation are those of the presenter
and not necessarily represent the view and opinions of my employer, its
ownership, management or its employees.“
Thanks!
Session Agenda / Goal
● Azure Security Overview

● Azure Defender

● Examples of Azure Defender Alerts

● Suspicious incoming RDP network activity

● Export - Alerts to SIEM

● Alert - Notification

● Alert Simulation

● Azure Graph

● Alert Automation

● Azure Defender for IoT

● Azure Security Center - Multi Cloud


Azure Security Overview
Azure Security Overview
Examples of Azure Defender Alerts

Alert (alert type) Description MITRE tactics Severity

Alert for containers - Azure Kubernetes Service clusters

Alert for Azure Storage

Alert for Azure Key Vault

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
Alert (alert type) Description MITRE tactics Severity

Alert for containers - Azure Kubernetes Service clusters

Digital currency mining Kubernetes audit log analysis detected a container that has an Execution High
container detected image associated with a digital currency mining tool

Alert for Azure Storage

Anonymous access to a Indicates that there's a change in the access pattern to a storage Exploitation High
storage account account. For instance, the account has been accessed
(Storage.Blob_AnonymousAc anonymously (without any authentication), which is unexpected
cessAnomaly) compared to the recent access pattern on this account. A
potential cause is that an attacker has exploited public read
access to a container that holds blob storage.
Applies to: Azure Blob Storage

Alert for Azure Key Vault

Access from a TOR exit node A key vault has been accessed from a known TOR exit node. Credential Medium
to a key vault This could be an indication that a threat actor has accessed the Access
KV_TORAccess key vault and is using the TOR network to hide their source
location. We recommend further investigations.

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
● Azure Defender for servers ● Azure Defender for container registries
● Azure Defender for App Service ● Azure Defender for Key Vault
● Azure Defender for Storage ● Azure Defender for Resource Manager
● Azure Defender for SQL ● Azure Defender for DNS
● Azure Defender for Kubernetes
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
Azure Sentinel Threat Hunting

https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
Export - Alerts to SIEM
Alert - Notification
Alert - Notification
Slack
Slack
Alert - Simulation
Azure Alert - Simulation
● App Service / Suspicious WordPress theme invocation detected
● App Service / Phishing content hosted on Azure Webapps
● App Service / Attempt to run high privilege command detected
● AKS / Exposed Kubernetes dashboard detected
● AKS / Container with a sensitive volume detected
● AKV / Access from a TOR exit node to a Key Vault
● AKV / High volume of operations in a Key Vault
● AKV / Suspicious secret listing and query in a Key Vault
● SQL / Unusual export location
● SQL / Attempted logon by a potentially harmful application
● SQL / Logon from an unusual location
● SQL / Potential SQL injection
● Storage / Unusual amount of data extracted from a storage account
● Storage / Unusual change of access permissions in a storage account
● Windows / Detected Petya ransomware indicators
● Windows / Executable found running from a suspicious location
Azure Graph
Alert Automation
Azure Defender for IoT
Azure Security Center - Multi Cloud

● Automatic agent provisioning (Security Center uses Azure Arc to deploy the Log Analytics agent
to your AWS instances)
● Policy management
● Vulnerability management
● Embedded Endpoint Detection and Response (EDR)
● Detection of security misconfigurations
● A single view showing Security Center recommendations and AWS Security Hub findings
● Incorporation of your AWS resources into Security Center's secure score calculations
● Regulatory compliance assessments of your AWS resources
SC-200
Mitigate threats using Microsoft 365 Defender (25-30%)

● Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for
Office 365
● Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
● Detect, investigate, respond, and remediate identity threats
● Manage cross-domain investigations in Microsoft 365 Defender Portal

Mitigate threats using Azure Defender (25-30%)

● Design and configure an Azure Defender implementation


● Plan and implement the use of data connectors for ingestion of data sources in Azure Defender
● Manage Azure Defender alert rules
● Configure automation and remediation
● Investigate Azure Defender alerts and incidents

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Myp3
SC-200
Mitigate threats using Azure Sentinel (40-45%)

● Design and configure an Azure Sentinel workspace


● Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel
● Manage Azure Sentinel analytics rules
● Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
● Manage Azure Sentinel Incidents
● Use Azure Sentinel workbooks to analyze and interpret data
● Hunt for threats using the Azure Sentinel portal

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Myp3
AZ-500

Manage identity and access (30-35%) Manage security operations (25-30%)


● Manage Azure Active Directory identities ● Monitor security by using Azure Monitor
● Configure secure access by using Azure AD ● Monitor security by using Azure Security Center
● Manage application access ● Monitor security by using Azure Sentinel
● Manage access control ● Configure security policies

Implement platform protection (15-20%) Secure data and applications (20-25%)


● Implement advanced network security ● Configure security for storage
● Configure advanced security for compute ● Configure security for databases
● Configure and manage Key Vault

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VC70
https://www.linkedin.com/learning/microsoft-azure-la-securite/decouvrir-azure-policy
Technical Resources
● Microsoft Ignite 2020 - https://myignite.microsoft.com/home

● Microsoft Technical Community Content


https://github.com/Microsoft/TechnicalCommunityContent

● Azure Security Blog - https://azure.microsoft.com/en-us/blog/topics/security/

● Maxime Blog - http://zigmax.net


Books
Questions / Talks

You might also like