Document toolboxDocument toolbox

ServiceOps map: Azure Threat Modeling

Purpose

The Azure Threat Modeling map provides an immediate and actionable overview of the current threats present in the Cloud infrastructure. Based on the logs provided by the Azure infrastructure, a series of queries are defined and executed periodically to understand if any threat-posing action has been performed. Linking this information with the Mitre ATTA&CK tactics and providing the output on an easy-to-read, score-based dashboard, this Service Operations map can be customized if needed to address any specific need, modulate the weight of each risk or continue to expand the controlled attack vectors.

Prerequisites

To use Azure Threat Modeling, you must have the following data sources available on your domain:

Service Operations required

If you don’t have it, it will be automatically installed together with the installation of the first map. Refer to Service Operations to know more about the application.

Open ServiceOps map

Once you have installed the map, you can use the Open button at the top right of the card in Exchange to access Service Operations with the map open, where you can work with it as required. You can also access Service Operations via the Navigation pane (Applications → Service Operations) and then select the map from the list of available domain or global maps.

Work with ServiceOps map

When you open the Azure Threat Modeling, you are presented with a summary view of the system overview. This view shows you a summary of all threats to analyze on your map. You can click each of them to have further details (refer to Working with maps to know more about the views).

  • Privilege Escalation

  • Initial Access

  • Persistence

  • Defense Evasion

  • Discovery

  • Credential Access

  • Execution

  • Impact

Â