
Azure Defender in Action!

Maxime Coquerel - MVP Azure


# Speaker
Maxime Coquerel

Director Cloud Security Architecture

Email : [email protected]

Blog : zigmax.net (since 2012)

Github : https://github.com/zigmax

Twitter : @zig_max

Open Source Contributor (Kubernetes / VSCode)


Disclaimer

“Any views or opinions expressed in this presentation are those of the presenter and do not necessarily represent the views and opinions of my employer, its ownership, management or its employees.”

Thanks!
Session Agenda / Goal
● Azure Security Overview
● Azure Defender
● Examples of Azure Defender Alerts
● Suspicious incoming RDP network activity
● Export - Alerts to SIEM
● Alert - Notification
● Alert Simulation
● Azure Graph
● Alert Automation
● Azure Defender for IoT
● Azure Security Center - Multi Cloud


Azure Security Overview
Examples of Azure Defender Alerts

Alert for containers - Azure Kubernetes Service clusters

| Alert (alert type) | Description | MITRE tactics | Severity |
| --- | --- | --- | --- |
| Digital currency mining container detected | Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool. | Execution | High |

Alert for Azure Storage

| Alert (alert type) | Description | MITRE tactics | Severity |
| --- | --- | --- | --- |
| Anonymous access to a storage account (Storage.Blob_AnonymousAccessAnomaly) | Indicates that there's a change in the access pattern to a storage account. For instance, the account has been accessed anonymously (without any authentication), which is unexpected compared to the recent access pattern on this account. A potential cause is that an attacker has exploited public read access to a container that holds blob storage. Applies to: Azure Blob Storage | Exploitation | High |

Alert for Azure Key Vault

| Alert (alert type) | Description | MITRE tactics | Severity |
| --- | --- | --- | --- |
| Access from a TOR exit node to a key vault (KV_TORAccess) | A key vault has been accessed from a known TOR exit node. This could be an indication that a threat actor has accessed the key vault and is using the TOR network to hide their source location. We recommend further investigations. | Credential Access | Medium |

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
Azure Defender plans:
● Azure Defender for servers
● Azure Defender for App Service
● Azure Defender for Storage
● Azure Defender for SQL
● Azure Defender for Kubernetes
● Azure Defender for container registries
● Azure Defender for Key Vault
● Azure Defender for Resource Manager
● Azure Defender for DNS
https://www.eshlomo.us/monitor-azure-security-center-with-azure-sentinel/
Azure Sentinel Threat Hunting
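As an added example that is not part of the deck, the following Kusto query hunts in the Azure Sentinel SecurityAlert table for the two alert types named in the alerts table above (Storage.Blob_AnonymousAccessAnomaly and KV_TORAccess), grouped by MITRE tactic, severity and affected resource. The table and column names (SecurityAlert, AlertType, AlertSeverity, Tactics, CompromisedEntity, ProductName) are those of the Log Analytics SecurityAlert schema; the seven-day window, the severity filter and the choice of alert types are assumptions to adjust for your workspace.

```kusto
// Added example (not from the slides): confirm that the exported Azure Defender
// alerts reach Sentinel and pivot on who was hit, by alert type and MITRE tactic.
SecurityAlert
| where TimeGenerated > ago(7d)                     // assumption: one-week hunting window
| where ProductName == "Azure Security Center"     // Azure Defender alerts arrive under this product name
| where AlertType in ("Storage.Blob_AnonymousAccessAnomaly", "KV_TORAccess")
| where AlertSeverity in ("Medium", "High")        // assumption: ignore informational/low noise
| summarize
    Count = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AlertType, AlertName, AlertSeverity, Tactics, CompromisedEntity
| order by LastSeen desc
```

Grouping by CompromisedEntity surfaces the specific storage account or key vault to investigate; a resource that appears with both alert types, or with repeated KV_TORAccess hits, is the one to triage first. The same query body can back a scheduled analytics rule or a workbook panel once the export to the SIEM is in place.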

Export - Alerts to SIEM
Alert - Notification
Slack
Alert - Simulation
● App Service / Suspicious WordPress theme invocation detected
● App Service / Phishing content hosted on Azure Webapps
● App Service / Attempt to run high privilege command detected
● AKS / Exposed Kubernetes dashboard detected
● AKS / Container with a sensitive volume detected
● AKV / Access from a TOR exit node to a Key Vault
● AKV / High volume of operations in a Key Vault
● AKV / Suspicious secret listing and query in a Key Vault
● SQL / Unusual export location
● SQL / Attempted logon by a potentially harmful application
● SQL / Logon from an unusual location
● SQL / Potential SQL injection
● Storage / Unusual amount of data extracted from a storage account
● Storage / Unusual change of access permissions in a storage account
● Windows / Detected Petya ransomware indicators
● Windows / Executable found running from a suspicious location
Azure Graph
Alert Automation
Azure Defender for IoT
Azure Security Center - Multi Cloud

● Automatic agent provisioning (Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances)
● Policy management
● Vulnerability management
● Embedded Endpoint Detection and Response (EDR)
● Detection of security misconfigurations
● A single view showing Security Center recommendations and AWS Security Hub findings
● Incorporation of your AWS resources into Security Center's secure score calculations
● Regulatory compliance assessments of your AWS resources
SC-200
Mitigate threats using Microsoft 365 Defender (25-30%)

● Detect, investigate, respond, and remediate threats to the productivity environment by using Microsoft Defender for Office 365
● Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
● Detect, investigate, respond, and remediate identity threats
● Manage cross-domain investigations in Microsoft 365 Defender Portal

Mitigate threats using Azure Defender (25-30%)

● Design and configure an Azure Defender implementation
● Plan and implement the use of data connectors for ingestion of data sources in Azure Defender
● Manage Azure Defender alert rules
● Configure automation and remediation
● Investigate Azure Defender alerts and incidents

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Myp3
SC-200 (continued)
Mitigate threats using Azure Sentinel (40-45%)

● Design and configure an Azure Sentinel workspace
● Plan and implement the use of data connectors for ingestion of data sources in Azure Sentinel
● Manage Azure Sentinel analytics rules
● Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
● Manage Azure Sentinel incidents
● Use Azure Sentinel workbooks to analyze and interpret data
● Hunt for threats using the Azure Sentinel portal
AZ-500

Manage identity and access (30-35%)

● Manage Azure Active Directory identities
● Configure secure access by using Azure AD
● Manage application access
● Manage access control

Implement platform protection (15-20%)

● Implement advanced network security
● Configure advanced security for compute

Manage security operations (25-30%)

● Monitor security by using Azure Monitor
● Monitor security by using Azure Security Center
● Monitor security by using Azure Sentinel
● Configure security policies

Secure data and applications (20-25%)

● Configure security for storage
● Configure security for databases
● Configure and manage Key Vault

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3VC70
https://www.linkedin.com/learning/microsoft-azure-la-securite/decouvrir-azure-policy
Technical Resources
● Microsoft Ignite 2020 - https://myignite.microsoft.com/home
● Microsoft Technical Community Content - https://github.com/Microsoft/TechnicalCommunityContent
● Azure Security Blog - https://azure.microsoft.com/en-us/blog/topics/security/
● Maxime's Blog - http://zigmax.net


Books
Questions / Talks
