Hunting the Clues- Azure Sentinel Administrative Suspicious Activities Library

Azure Sentinel News Editor by Azure Sentinel News Editor
November 30, 2020
in Security and Compliance

Azure Activity logs provide insight into subscription-level and management-group-level events that have occurred in Azure. Three main categories are covered under Azure Activity, along with a number of resource types:

  • Azure Resources
  • Audit
  • Security

Each event in the Activity Log has a particular category. The sections below give more detail on each category and its schema when you access the Activity log from the portal, PowerShell, CLI, or REST API. Note that the schema is different when you stream the Activity log to a storage account or Event Hubs:

Category and description:

  • Administrative: Contains the record of all create, update, delete, and action operations performed through Resource Manager. Examples of Administrative events include "create virtual machine" and "delete network security group".
    Every action taken by a user or application using Resource Manager is modeled as an operation on a particular resource type. If the operation type is Write, Delete, or Action, the records of both the start and the success or failure of that operation are recorded in the Administrative category. Administrative events also include any changes to role-based access control in a subscription.
  • Service Health: Contains the record of any service health incidents that have occurred in Azure. An example of a Service Health event is "SQL Azure in East US is experiencing downtime".
    Service Health events come in six varieties: Action Required, Assisted Recovery, Incident, Maintenance, Information, or Security. These events are only created if you have a resource in the subscription that would be impacted by the event.
  • Resource Health: Contains the record of any resource health events that have occurred to your Azure resources. An example of a Resource Health event is "Virtual Machine health status changed to unavailable".
    Resource Health events can represent one of four health statuses: Available, Unavailable, Degraded, and Unknown. Additionally, Resource Health events can be categorized as Platform Initiated or User Initiated.
  • Alert: Contains the record of activations for Azure alerts. An example of an Alert event is "CPU % on myVM has been over 80 for the past 5 minutes".
  • Autoscale: Contains the record of any events related to the operation of the autoscale engine, based on any autoscale settings you have defined in your subscription. An example of an Autoscale event is "Autoscale scale up action failed".
  • Recommendation: Contains recommendation events from Azure Advisor.
  • Security: Contains the record of any alerts generated by Azure Security Center. An example of a Security event is "Suspicious double extension file executed".
  • Policy: Contains records of all effect action operations performed by Azure Policy. Examples of Policy events include Audit and Deny. Every action taken by Policy is modeled as an operation on a resource.

Today's hunting library focuses on the "Administrative" category, which contains the record of all create, update, delete, and action operations performed through Resource Manager. These records are the audit trail for configuration changes, so auditing and reporting on them has to be in place, and each resource type is defined by a set of operations (Operation Name).

Hunting this kind of activity (aka: clues) requires defining the category, the operation name value and the activity (sub)status value. Before sharing a couple of hunting use cases, let's look at a sample set of administrative operations:

Operation name: Resource type

  • Create or update workbook: Microsoft.Insights/workbooks
  • Delete Workbook: Microsoft.Insights/workbooks
  • Set Workflow – Playbook: Microsoft.Logic/workflows
  • Delete Workflow – Playbook: Microsoft.Logic/workflows
  • Create Saved Search: Microsoft.OperationalInsights/workspaces/savedSearches
  • Delete Saved Search: Microsoft.OperationalInsights/workspaces/savedSearches
  • Update Alert – Analytics Rules: Microsoft.SecurityInsights/alertRules
  • Delete Alert – Analytics Rules: Microsoft.SecurityInsights/alertRules
  • Update Alert Rule Response Actions: Microsoft.SecurityInsights/alertRules/actions
  • Delete Alert Rule Response Actions: Microsoft.SecurityInsights/alertRules/actions
  • Update Bookmarks: Microsoft.SecurityInsights/bookmarks
  • Delete Bookmarks: Microsoft.SecurityInsights/bookmarks
  • Update Cases: Microsoft.SecurityInsights/Cases
  • Update Case Investigation: Microsoft.SecurityInsights/Cases/investigations
  • Create Case Comments: Microsoft.SecurityInsights/Cases/comments
  • Update Data Connectors: Microsoft.SecurityInsights/dataConnectors
  • Delete Data Connectors: Microsoft.SecurityInsights/dataConnectors
  • Update Settings: Microsoft.SecurityInsights/settings
  • Update / Delete NSG: Microsoft.Network/networkSecurityGroups
  • Create / Update / Delete Public IP Addresses: Microsoft.Network/publicIPAddresses
  • Create / Update / Delete Network Interfaces: Microsoft.Network/networkInterfaces
  • Route tables actions: Microsoft.Network/routeTables
  • Create / Update / Delete Front Door web application firewall policies: Microsoft.Network/frontdoorwebapplicationfirewallpolicies
  • DDoS Protection Plans actions: Microsoft.Network/ddosProtectionPlans
  • Create / Update / Delete Virtual Networks: Microsoft.Network/virtualNetworks
  • Create / Update / Delete Front Doors: Microsoft.Network/frontdoors
  • Create / Update / Delete Subnets: Microsoft.Network/virtualNetworks/subnets
  • Create / Update / Delete Application Gateways: Microsoft.Network/applicationGateways
  • Create / Update / Delete Virtual Network Peerings: Microsoft.Network/virtualNetworks/virtualNetworkPeerings
  • Firewall Policies Rule Groups actions: Microsoft.Network/firewallPolicies/ruleGroups
  • Create / Update / Delete Azure Firewalls: Microsoft.Network/azureFirewalls
  • Create / Update / Delete Firewall Policies: Microsoft.Network/firewallPolicies
  • DNS Resources actions: Microsoft.Network/getDnsResourceReference

Use cases:

#1 Creating a new Azure Sentinel Analytics Rule:

AzureActivity
| where Category == "Administrative"
| where OperationNameValue == "Microsoft.SecurityInsights/alertRules/write"
| where ActivitySubstatusValue == "Created"

#2 Deleting an existing Azure Sentinel Analytics Rule:

AzureActivity
| where Category == "Administrative"
| where OperationNameValue == "Microsoft.SecurityInsights/alertRules/delete"
| where ActivitySubstatusValue == "OK"

#3 Creating a new NSG:

// NSG : 201 Created status means "Created" 
AzureActivity
| where Category == "Administrative"
| where OperationNameValue == "Microsoft.Network/networkSecurityGroups/write"
| where ActivitySubstatusValue == "Created"

#4 Updating an Existing NSG:

// NSG : 200 Ok status means "Updated"
AzureActivity
| where Category == "Administrative"
| where OperationNameValue == "Microsoft.Network/networkSecurityGroups/write"
| where ActivitySubstatusValue == "OK"

#5 Creating Virtual Network Subnets:

// Virtual Networks Subnets Creation
AzureActivity
| where Category == "Administrative"
| where OperationNameValue == "Microsoft.Network/virtualNetworks/subnets/write"
| where ActivitySubstatusValue == "Created"
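The five use cases above share one pattern: Category, an OperationNameValue of the form "<resource type>/write" or "<resource type>/delete", and an ActivitySubstatusValue of "Created" or "OK" that tells a creation from an update. The query below is an added example (not from the original post or the library) that generalizes that pattern across the operations table, so one hunt covers them all and ranks changes to Sentinel's own detection configuration (rules, connectors, settings) highest. It assumes the standard AzureActivity columns (Caller, CallerIpAddress, _ResourceId) and a constructed 7-day lookback.

```kql
// Added example: one hunt over the Administrative operations listed above.
// Column names are from the AzureActivity table; the lookback and the
// severity mapping are assumptions chosen for this illustration.
let lookback = 7d;
// Resource types whose change weakens Sentinel's detection coverage
let sentinelConfig = dynamic([
    "Microsoft.SecurityInsights/alertRules",
    "Microsoft.SecurityInsights/alertRules/actions",
    "Microsoft.SecurityInsights/dataConnectors",
    "Microsoft.SecurityInsights/settings"]);
// Network resource types whose change alters exposure
let networkConfig = dynamic([
    "Microsoft.Network/networkSecurityGroups",
    "Microsoft.Network/virtualNetworks/subnets",
    "Microsoft.Network/publicIPAddresses",
    "Microsoft.Network/azureFirewalls",
    "Microsoft.Network/firewallPolicies"]);
AzureActivity
| where TimeGenerated > ago(lookback)
| where Category == "Administrative"
// As in use cases #1 to #5: "Created" and "OK" are the completion records,
// so this also drops the "start" record logged for the same operation
| where ActivitySubstatusValue in ("Created", "OK")
// Split "<resource type>/<action>" into its two parts
| extend Action = extract(@"/(\w+)$", 1, OperationNameValue)
| extend ResourceType = extract(@"^(.*)/\w+$", 1, OperationNameValue)
| where Action in ("write", "delete")
| where ResourceType in~ (sentinelConfig) or ResourceType in~ (networkConfig)
// 201 Created = new resource, 200 OK on write = update, 200 OK on delete = removal
| extend Outcome = case(
    Action == "delete", "Deleted",
    ActivitySubstatusValue == "Created", "Created",
    "Updated")
// Deleting or rewriting detection configuration is the highest-value clue
| extend Severity = iff(ResourceType in~ (sentinelConfig)
                        and Outcome in ("Deleted", "Updated"), "High", "Medium")
| summarize Count = count(), FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated), Resources = make_set(_ResourceId, 20)
    by Caller, CallerIpAddress, ResourceType, Outcome, Severity
| order by Severity asc, Count desc
```

Pivot from a "High" row on Caller and CallerIpAddress back into the raw AzureActivity records to confirm whether the change came from an expected administrator or deployment pipeline.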

Many more use cases and hunting queries can be configured. To make that easy, check out the Azure Sentinel Administrative Suspicious Activities Library uploaded to GitHub, which contains the following queries:

AnalyticsRulesAdministrativeOperations

AzureNSG_AdministrativeOperations

AzureSentinelWorkbooks_AdministrativeOperation

AzureVirtualNetworkSubnets_AdministrativeOperationset

Last but not least, how about visualization and reporting via Workbooks?

@Clive Watson built a new workbook version that shows, in a new [Computer] tab, the NSG-to-Computer relationship, as well as items such as public and private IP, policy and version (and many more) with lots of search options. Check it out and download it from:
https://lnkd.in/dyzJhiT

Enjoy hunting the clues, and please share your feedback.

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-the-clues-azure-sentinel-administrative-suspicious/ba-p/1510773
