Azure

The Azure cloud platform is a major cloud provider with more than 200 products and cloud services designed to help bring new solutions to life. Azure enables organizations to build, run, and manage applications across multiple environments and even at the edge. Because of the capabilities Azure provides to many large organizations, it has become a popular place to grow an organization's cloud footprint, and with it the organization's attack surface. Devo provides a list of out-of-the-box detections that enable our customers to protect themselves against popular attacks against Azure environments.

An adversary could escalate privileges by adding an account to a role.

Source table → cloud.azure.ad.audit

This alert identifies when a user has created or modified an Azure Automation runbook. An attacker could use this to gain persistence in the Azure environment, since runbooks run on a schedule or on demand with the credentials of the automation account.

Source table → cloud.azure.activity.events

This alert identifies when a user deletes a conditional access policy. This should be reviewed, since removing a policy could undermine the security posture of the environment.

Source table → cloud.azure.eh.events

This alert identifies when an Azure DevOps project's visibility has been set to public. This action should be reviewed, since it could undermine the security posture of the company by exposing source code and pipeline definitions.

Source table → cloud.azure.vm.unknown_events

An adversary could create an invitation for an external user to create a new guest account in Azure AD. This may be routine activity, but it could also be used as a vector for an adversary to gain access or persistence.

Source table → cloud.azure.ad.audit
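The five detections above all follow the same pattern: match a control-plane operation name on a given source table and raise a finding. The following is an added example, not Devo's own rule logic or query syntax, that shows that pattern in code over a handful of constructed events. The source-table names come from the page; the operation names, field names and sample actors and targets are assumptions modelled loosely on the shape of Azure AD audit, Azure Activity log and Azure DevOps audit records, and should be mapped to the real schema before use. The role-assignment rule also shows one refinement a practitioner usually wants: escalating severity only when the role being granted is a privileged one.

```python
"""Rule-based triage of Azure control-plane events.

Added example; the records below are constructed samples, not Devo data.
Operation names and property keys are assumptions and must be mapped to the
actual log schema in a real deployment.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Event:
    source: str                 # page's source table name
    operation: str              # assumed operation name
    actor: str
    target: str
    properties: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    actor: str
    target: str


# Roles whose assignment is treated as a privilege escalation (assumed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator"}


def role_member_added(e: Event) -> bool:
    return e.operation == "Add member to role"


def runbook_changed(e: Event) -> bool:
    # Any write to a runbook or its draft counts as create/modify.
    return (e.operation.startswith("Microsoft.Automation/automationAccounts/runbooks/")
            and e.operation.endswith("/write"))


def ca_policy_deleted(e: Event) -> bool:
    return e.operation == "Delete conditional access policy"


def devops_project_public(e: Event) -> bool:
    return (e.operation == "Project.UpdateVisibility"
            and e.properties.get("visibility") == "public")


def external_user_invited(e: Event) -> bool:
    return e.operation == "Invite external user"


# (rule name, source table from the page, predicate, default severity)
RULES: List[tuple] = [
    ("role_member_added", "cloud.azure.ad.audit", role_member_added, "medium"),
    ("automation_runbook_changed", "cloud.azure.activity.events", runbook_changed, "medium"),
    ("conditional_access_policy_deleted", "cloud.azure.eh.events", ca_policy_deleted, "high"),
    ("devops_project_made_public", "cloud.azure.vm.unknown_events", devops_project_public, "medium"),
    ("external_user_invited", "cloud.azure.ad.audit", external_user_invited, "low"),
]


def severity_for(rule: str, e: Event, default: str) -> str:
    # Granting a privileged directory role is worse than granting any other role.
    if rule == "role_member_added" and e.properties.get("role") in PRIVILEGED_ROLES:
        return "high"
    return default


def evaluate(events: List[Event]) -> List[Finding]:
    """Run every rule over every event; one finding per (event, matching rule)."""
    findings = []
    for e in events:
        for name, source, predicate, default in RULES:
            if e.source == source and predicate(e):
                findings.append(Finding(name, severity_for(name, e, default), e.actor, e.target))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample events (actors, targets and IDs are fictitious).
SAMPLE_EVENTS = [
    Event("cloud.azure.ad.audit", "Add member to role", "svc-deploy@contoso.example",
          "j.doe@contoso.example", {"role": "Global Administrator"}),
    Event("cloud.azure.activity.events",
          "Microsoft.Automation/automationAccounts/runbooks/draft/write",
          "ops@contoso.example", "/subscriptions/0000/automationAccounts/aa1/runbooks/Cleanup"),
    Event("cloud.azure.eh.events", "Delete conditional access policy",
          "admin@contoso.example", "Require MFA for admins"),
    Event("cloud.azure.vm.unknown_events", "Project.UpdateVisibility",
          "pm@contoso.example", "billing-portal", {"visibility": "public"}),
    Event("cloud.azure.vm.unknown_events", "Project.UpdateVisibility",
          "pm@contoso.example", "internal-tools", {"visibility": "private"}),  # benign
    Event("cloud.azure.ad.audit", "Invite external user", "hr@contoso.example",
          "partner@vendor.example"),
    Event("cloud.azure.ad.audit", "Update user", "hr@contoso.example",
          "j.doe@contoso.example"),  # no rule matches
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.actor} -> {f.target}")
```

Each predicate is deliberately a plain function rather than a string match buried in a query, so a new detection is one function plus one row in `RULES`, and the benign `private` visibility change and the unrelated `Update user` event show that the rules fire only on the specific operations the page describes.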