Platform alert pack: Azure

Purpose

This alert pack brings our Security Operations-related content to our non-Security Operations customers and helps jump-start threat coverage. The pack contains a wide range of detections that alert on attacker activity against Microsoft Azure environments.

What is Azure?

Azure is a market leader in public clouds and is used by many companies across the globe. Devo recognizes the importance of securing your cloud infrastructure and has decided to become a market leader in out-of-the-box detections for Microsoft Azure. These detections cover all aspects of Azure, ranging from Active Directory to DevOps. We want to ensure that our customers are adequately covered and can rest assured that these detections will alert them to most of the attacks they face.

Included alerts

Security Operations application

SecOps users can obtain more detailed information by installing these alerts through the Content Manager instead.

SecOpsAzureUserAddedToRoleNonPIM

SecOpsAzureFWPolicyDeletion

SecOpsAzureExternalUserInvitationRedeemed

SecOpsAzureUserInfoDownload

SecOpsAzureUserLoginSuspiciousRisk

SecOpsAzureAutomationWebhookCreated

SecOpsAzureUserAddedNonAdminRole

SecOpsAzureImpossibleTravel

SecOpsAzureConditionalAccessPolicyAdded

SecOpsAzureAutomationRunbookCreatedOrMofidied

SecOpsAzureVMCmdEXE

SecOpsAzureUserHighAggregateRiskSignIn

SecOpsAzureConditionalAccessPolicyDeleted

SecOpsAzureUserCreated

SecOpsAzureGroupInformationDownload

SecOpsLog4ShellVulnerabilityCloudAzure

SecOpsAzureUserHighRiskSignIn

SecOpsAzureConditionalAccessPolicyUpdated

SecOpsAzureExternalUserInvited

SecOpsAzureUserAddedToGlobalAdminRole

SecOpsAzureUserConfirmedCompromised

SecOpsAzureAutoAccountCreated

SecOpsAzureFrontDoorWafPolicyDeletion

SecOpsAzureNWDeviceModified

SecOpsAzureUserAddedOutsidePIMRole

SecOpsAzureAutomationRunbookDeleted

SecOpsAzureUserInformationDownload

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the desired alerts individually, use the Open button at the top right of the card in Exchange to access the Alert configuration area, where you can apply filters to find the alerts and then manage them as required. You can also reach this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

Installed alerts are deactivated by default. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels.