
To check if your collector has been enabled successfully, validate it.

Secure It

Devo Exchange provides an Azure alert pack. The Authentication alert pack works with Entra ID data. The Collective Defense alert pack works with Azure Application Gateway and Azure Firewall. The DNS alert pack works with Azure Firewall DNS proxy.

Entra ID

Find privilege escalation, including changes to roles, groups, and administrative units. Unexpected privilege escalation may indicate that a user intends to exfiltrate or destroy data.

from cloud.azure.ad.audit 
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type, 
properties_initiatedBy_user_displayName as actor, 
properties_targetResources as target

A password reset or change may occur when an account is compromised.

from cloud.azure.ad.audit 
where eq(operationName,"User started password reset") or 
(weakhas(operationName,"change") and has(operationName,"password")) or 
startswith(operationName,"Reset password")

Get authentication risks detected by Microsoft.

from cloud.azure.ad.signin_all 
where not eq(risk_state,"none"), isnotnull(risk_state) 
group by user, risk_state, risk_detail
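The three Entra ID queries above cannot be run outside Devo, so here is an added Python example (not Devo's code and not from the original page) that re-implements their filters and group-by logic over a handful of constructed audit and sign-in records. The `toktains`, `weakhas` and `has` helpers are assumed approximations of the Devo operators, and the record values are made up for illustration.

```python
import re
from collections import Counter

# Constructed Entra ID audit records; field names follow the query columns.
# Values are made up for illustration, not real tenant data.
AUDIT = [
    {"operationName": "Add member to role",
     "properties_initiatedBy_user_displayName": "alice",
     "properties_targetResources": "Global Administrator"},
    {"operationName": "Add member to group",
     "properties_initiatedBy_user_displayName": "bob",
     "properties_targetResources": "Finance"},
    {"operationName": "Add user",
     "properties_initiatedBy_user_displayName": "bob",
     "properties_targetResources": "carol"},
    {"operationName": "Remove member from role",
     "properties_initiatedBy_user_displayName": "alice",
     "properties_targetResources": "Global Administrator"},
    {"operationName": "User started password reset",
     "properties_initiatedBy_user_displayName": "carol",
     "properties_targetResources": "carol"},
    {"operationName": "Change user password",
     "properties_initiatedBy_user_displayName": "carol",
     "properties_targetResources": "carol"},
    {"operationName": "Reset password (by admin)",
     "properties_initiatedBy_user_displayName": "alice",
     "properties_targetResources": "dave"},
    {"operationName": "Update user",
     "properties_initiatedBy_user_displayName": "alice",
     "properties_targetResources": "dave"},
]

# Constructed sign-in records using the cloud.azure.ad.signin_all columns from the query.
SIGNINS = [
    {"user": "alice", "risk_state": "atRisk", "risk_detail": "none"},
    {"user": "alice", "risk_state": "atRisk", "risk_detail": "none"},
    {"user": "bob", "risk_state": "none", "risk_detail": "none"},
    {"user": "carol", "risk_state": None, "risk_detail": None},
]

def _tokens(s):
    return [t.lower() for t in re.split(r"[^0-9A-Za-z]+", s) if t]

def toktains(haystack, needle):
    """Assumed approximation of Devo's toktains(): the needle's tokens occur as
    a contiguous run of tokens in the haystack (case-insensitive)."""
    h, n = _tokens(haystack), _tokens(needle)
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))

def weakhas(haystack, needle):
    """Assumed approximation of weakhas(): case-insensitive substring match."""
    return needle.lower() in haystack.lower()

def has(haystack, needle):
    """Assumed approximation of has(): case-sensitive substring match."""
    return needle in haystack

def privilege_escalations(audit):
    """Mirror of the first query: events per (escalation_type, actor, target)."""
    groups = Counter()
    for r in audit:
        op = r["operationName"]
        if op.startswith("Add") and toktains(op, "member to"):
            groups[(op, r["properties_initiatedBy_user_displayName"],
                    r["properties_targetResources"])] += 1
    return dict(groups)

def password_events(audit):
    """Mirror of the second query: the operation names that match its three clauses."""
    return [r["operationName"] for r in audit
            if r["operationName"] == "User started password reset"
            or (weakhas(r["operationName"], "change") and has(r["operationName"], "password"))
            or r["operationName"].startswith("Reset password")]

def risky_signins(signins):
    """Mirror of the third query: sign-ins per (user, risk_state, risk_detail)
    where risk_state is present and not "none"."""
    groups = Counter()
    for r in signins:
        if r["risk_state"] is not None and r["risk_state"] != "none":
            groups[(r["user"], r["risk_state"], r["risk_detail"])] += 1
    return dict(groups)

if __name__ == "__main__":
    print("privilege escalations:", privilege_escalations(AUDIT))
    print("password events:", password_events(AUDIT))
    print("risky sign-ins:", risky_signins(SIGNINS))
```

Note that the `toktains` check is what keeps "Add user" out of the escalation results even though it starts with "Add": the operation has to contain the "member to" token sequence, which is how the query distinguishes membership changes from ordinary object creation.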

Azure Storage

IP address 1.1.1.1 has been identified as an indicator of compromise. Identify the storage actions taken by this IP to determine how many storage resources have been modified. Use the results to assess whether the IP should be blocked.

from cloud.azure.storage.administrative
where eq(callerIpAddress,1.1.1.1)
group by operationName 
select length(collectdistinct(resourceId)) as resources

Azure App Service

Malicious principals have been stopping applications. Before re-enabling the applications, identify the principals and revoke their access so they cannot stop the applications again.

from cloud.azure.appservice.administrative
where eq(operationName,"MICROSOFT.WEB/SITES/STOP/ACTION")
group by identity__authorization__evidence__principalId as principal, resultType
select length(collectdistinct(resourceId)) as applications_stopped
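Both the Azure Storage and the Azure App Service queries share one shape: filter, group, then count distinct `resourceId` values per group. This added Python example (not from the page or from Devo) implements that shape once over constructed activity-log rows and applies it to the two cases above: storage actions by the 1.1.1.1 indicator, and stop actions per principal. The resource IDs, principal IDs and result values are constructed; the stop operation name and the IoC address are the ones in the text.

```python
from collections import defaultdict

IOC_IP = "1.1.1.1"  # the indicator of compromise named in the text
STOP_OP = "MICROSOFT.WEB/SITES/STOP/ACTION"

# Constructed cloud.azure.storage.administrative rows (resource IDs shortened).
STORAGE = [
    {"callerIpAddress": "1.1.1.1", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "resourceId": "/sub/rg/sa-1"},
    {"callerIpAddress": "1.1.1.1", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "resourceId": "/sub/rg/sa-2"},
    {"callerIpAddress": "1.1.1.1", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "resourceId": "/sub/rg/sa-1"},  # second write to the same account: not a new resource
    {"callerIpAddress": "1.1.1.1", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE",
     "resourceId": "/sub/rg/sa-3"},
    {"callerIpAddress": "10.0.0.5", "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
     "resourceId": "/sub/rg/sa-4"},  # different caller, excluded by the filter
]

# Constructed cloud.azure.appservice.administrative rows.
APPSERVICE = [
    {"identity__authorization__evidence__principalId": "p-1", "operationName": STOP_OP,
     "resultType": "Success", "resourceId": "/sub/rg/site-a"},
    {"identity__authorization__evidence__principalId": "p-1", "operationName": STOP_OP,
     "resultType": "Success", "resourceId": "/sub/rg/site-b"},
    {"identity__authorization__evidence__principalId": "p-1", "operationName": STOP_OP,
     "resultType": "Success", "resourceId": "/sub/rg/site-a"},  # repeat stop of site-a
    {"identity__authorization__evidence__principalId": "p-2", "operationName": STOP_OP,
     "resultType": "Failed", "resourceId": "/sub/rg/site-c"},
    {"identity__authorization__evidence__principalId": "p-2",
     "operationName": "MICROSOFT.WEB/SITES/START/ACTION",
     "resultType": "Success", "resourceId": "/sub/rg/site-c"},  # not a stop
]

def distinct_resources(rows, keep, group_fields):
    """Python equivalent of 'where ... group by <fields>
    select length(collectdistinct(resourceId))': for rows that pass `keep`,
    count the distinct resourceId values in each group."""
    groups = defaultdict(set)
    for r in rows:
        if keep(r):
            groups[tuple(r[f] for f in group_fields)].add(r["resourceId"])
    return {k: len(v) for k, v in groups.items()}

def storage_actions_by_ioc(rows, ioc=IOC_IP):
    """Storage query: resources touched per operationName by the IoC address."""
    return distinct_resources(rows, lambda r: r["callerIpAddress"] == ioc, ("operationName",))

def app_stops_by_principal(rows):
    """App Service query: applications stopped per (principal, resultType)."""
    return distinct_resources(rows, lambda r: r["operationName"] == STOP_OP,
                              ("identity__authorization__evidence__principalId", "resultType"))

def principals_to_revoke(rows):
    """Principals whose stop actions succeeded: the set the text says to
    revoke before re-enabling the applications."""
    return sorted({p for (p, result) in app_stops_by_principal(rows) if result == "Success"})

if __name__ == "__main__":
    print("storage actions by IoC:", storage_actions_by_ioc(STORAGE))
    print("app stops by principal:", app_stops_by_principal(APPSERVICE))
    print("principals to revoke:", principals_to_revoke(APPSERVICE))
```

The distinct count matters for triage: three write events against the IoC address resolve to two storage accounts, which is the number of resources an analyst has to inspect, while the failed stop attempt by the second principal shows up in the grouped output but does not put that principal in the revocation list.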

Monitor It

Create an inactivity alert to detect interruptions in the transfer of data from the source to the SQS queue, using the following query:

from TABLE cloud.azure
where toktains(hostchain,"collector-") 
select split(hostchain,"-",1) as collector_id

Set the inactivity alert to keep track of the collector_id.

Selected values of the product field can also be monitored for inactivity.
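To make the inactivity logic concrete, here is an added Python example (not from the page or from Devo) that derives `collector_id` from `hostchain` the way the query does, records the last event time per collector, and lists the collectors that have been silent longer than a threshold; the same function is applied to the product field as the last paragraph suggests. The event rows, the "current" time and the 30-minute threshold are constructed; the token check and the reading of `split(hostchain,"-",1)` as the second `-`-separated field are assumptions.

```python
import re
from datetime import datetime, timedelta

NOW = datetime.fromisoformat("2024-01-01T12:00:00+00:00")  # constructed "current" time

# Constructed cloud.azure rows: event time, the Devo hostchain column, and product.
EVENTS = [
    {"eventdate": "2024-01-01T11:55:00+00:00", "hostchain": "collector-a1b2c3", "product": "storage"},
    {"eventdate": "2024-01-01T11:58:00+00:00", "hostchain": "collector-a1b2c3", "product": "appservice"},
    {"eventdate": "2024-01-01T10:00:00+00:00", "hostchain": "collector-d4e5f6", "product": "ad"},
    {"eventdate": "2024-01-01T11:59:00+00:00", "hostchain": "relay-zz9", "product": "appservice"},
]

def collector_id(hostchain):
    """Mirror of `where toktains(hostchain,"collector-")` and
    `select split(hostchain,"-",1) as collector_id`. The token check is
    approximated by splitting on non-alphanumerics (assumption), and index 1
    is read as the second "-"-separated field (assumption)."""
    if "collector" not in re.split(r"[^0-9A-Za-z]+", hostchain):
        return None
    parts = hostchain.split("-")
    return parts[1] if len(parts) > 1 else None

def last_seen(events, key):
    """Latest event time per key, where key() maps a row to a collector_id,
    a product value, or None to skip the row."""
    seen = {}
    for e in events:
        k = key(e)
        if k is None:
            continue
        ts = datetime.fromisoformat(e["eventdate"])
        if k not in seen or ts > seen[k]:
            seen[k] = ts
    return seen

def inactive(events, key, now, threshold):
    """Keys that have produced no event for longer than `threshold`: the
    condition an inactivity alert on that key fires on."""
    return sorted(k for k, ts in last_seen(events, key).items() if now - ts > threshold)

def inactive_collectors(events, now=NOW, threshold=timedelta(minutes=30)):
    return inactive(events, lambda e: collector_id(e["hostchain"]), now, threshold)

def inactive_products(events, now=NOW, threshold=timedelta(minutes=30)):
    return inactive(events, lambda e: e["product"], now, threshold)

if __name__ == "__main__":
    print("collectors seen:", sorted(last_seen(EVENTS, lambda e: collector_id(e["hostchain"]))))
    print("inactive collectors:", inactive_collectors(EVENTS))
    print("inactive products:", inactive_products(EVENTS))
```

Keying the alert on `collector_id` rather than on the table as a whole is the point of the query: one collector can stop delivering while the table keeps receiving rows from the others, and a table-level inactivity alert would never fire for that outage.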