CTHFM: Azure

How Logic Apps Work

Logic Apps consist of workflows made up of Triggers and Actions, allowing security teams to automate processes such as detecting security threats, responding to incidents, and orchestrating security tools. Let's review the key concepts of a Logic App.

Key Concepts:

  1. Workflows:

    • A Logic App workflow is a sequence of steps that automate tasks or processes. For threat hunting, these workflows can be used to automate responses to suspicious activity, such as blocking an IP address, querying threat intelligence databases, or generating alerts.

  2. Triggers:

    • Triggers are events that start the Logic App workflow. In threat hunting, triggers might be a new security alert, a suspicious event in logs, or a scheduled check for threats.

    • Logic Apps offer two kinds of triggers:

      1. Polling Triggers: Regularly check a data source for new information (e.g., query logs every 5 minutes to check for specific indicators of compromise).

      2. Push Triggers: Automatically respond to events (e.g., trigger a workflow when Azure Sentinel generates a new alert).

  3. Actions:

    • Actions are the steps performed after a trigger fires. In threat-hunting scenarios, actions could include sending an alert, executing a security query, blocking a malicious IP, or quarantining a compromised machine.

    • You can add multiple actions in a workflow to create complex automations, such as:

      • Run Queries: Automatically query logs or threat intelligence feeds.

      • Enrich Data: Enhance a security event by pulling additional information from external sources (e.g., reputation checks on IP addresses or file hashes).

      • Remediate Threats: Execute actions to block or mitigate threats in real-time.

Key Components for Threat Hunting Workflows:

  1. Triggers in Threat Hunting:

    • Azure Sentinel Alert Trigger: Automatically start a workflow when an alert is generated in Azure Sentinel. This is commonly used in incident response scenarios.

    • HTTP Trigger: Receive HTTP requests from other systems (such as security appliances or custom threat intelligence platforms) to start a workflow. For example, a custom script could send a security event to Logic Apps to trigger an investigation.

    • Recurrence Trigger: Schedule regular threat-hunting workflows to run at specific intervals. This is useful for daily or weekly automated threat checks, such as reviewing audit logs or checking for failed login attempts.

    Example: A Logic App that is triggered every 15 minutes to query Azure Sentinel for high-priority alerts, and automatically escalate them to the security team for further investigation.

  2. Actions in Threat Hunting:

    • Query Security Logs: Use actions to query logs from Azure Monitor, Office 365, or other connected services for suspicious behavior. For example, you could automatically search for failed login attempts across multiple regions in your organization.

    • Send Notifications: Automatically send alerts or notifications (via email, SMS, or Microsoft Teams) when a potential threat is detected. Security teams can be instantly notified of critical incidents without manual intervention.

    • Automated Remediation: Perform security actions like blocking an IP address, disabling a user account, or triggering a script to quarantine a compromised device. These actions can be integrated directly into your Logic App workflow.

    • Integrate Threat Intelligence: Use Logic Apps to pull data from threat intelligence feeds like VirusTotal, MISP, or others, allowing you to enrich security events with contextual information.

    Example: After an IP address is flagged as suspicious, a Logic App can automatically check the IP against a threat intelligence database and take predefined actions based on the response, such as blocking the IP if it has a high-risk score.

  3. Conditions and Loops:

    • Conditions allow you to introduce decision-making into your workflows. For instance, you can create a condition that checks if an IP is blacklisted in a threat intelligence database, and then decide whether to block it or escalate it.

    • Loops enable you to repeat actions for multiple items. This is useful in threat hunting when analyzing multiple log entries, IPs, or alerts in a single workflow.

    Example: You could create a loop that iterates through a list of suspicious IP addresses from a log and checks each one against a threat intelligence feed, blocking any IP that is found to be malicious.

  4. Parallel Execution:

    • Logic Apps allow actions to run in parallel, speeding up workflows that involve multiple steps. For example, while querying threat intelligence feeds, you could also be triggering an investigation in Azure Sentinel and notifying your security team at the same time.

Key Components for Advanced Threat Hunting:

  1. Variables and Data Handling:

    • You can store data in variables for later use in your workflow. In threat hunting, variables might store details like a suspicious user’s name, an IP address, or the results of a threat intelligence query. You can reference these variables throughout your workflow for decisions and actions.

    Example: Store the results of a log query in a variable and use that information to determine whether to escalate the incident or close the alert.

  2. Custom Connectors and APIs:

    • Logic Apps can integrate with third-party APIs using custom connectors. This is particularly useful in security scenarios where your team might need to integrate with specialized threat intelligence platforms, incident management systems, or internal APIs.

    Example: Build a custom connector to interact with a proprietary threat intelligence platform, enabling the Logic App to enrich security incidents with the latest threat data.

  3. Error Handling and Retry Policies:

    • Built-in error handling allows Logic Apps to gracefully handle failures. For example, if a workflow fails to connect to a threat intelligence API, it can automatically retry or notify the team of the issue.

How Logic Apps Work in a Threat-Hunting Scenario:

Scenario: Automating Threat Response for Failed Login Attempts

  1. Trigger: A Logic App is set to trigger when Azure Sentinel detects five failed login attempts from a specific user in a short time frame.

  2. Action 1: The Logic App automatically queries an external threat intelligence service to check if the source IP of the login attempts is known for malicious activity.

  3. Action 2: If the IP is flagged as malicious, the Logic App blocks the IP address in the company’s firewall and disables the user account temporarily.

  4. Action 3: The Logic App sends an alert to the security team via Microsoft Teams, detailing the incident and providing context from the threat intelligence query.

  5. Action 4: The Logic App logs all actions taken and updates the incident in the company’s ticketing system for further investigation.
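The following workflow definition puts the concepts above (HTTP trigger, variable, loop, condition, parallel actions, retry policy and run-after error handling) together for the failed-login scenario. It is an added example, not a definition from this page or a Microsoft sample: the incoming event shape, the threat-intelligence endpoint and its riskScore field, and the webhook and ticketing URLs are assumptions, and the plain HTTP actions stand in for the Sentinel, Teams and firewall connectors a production Logic App would use.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "triggers": {
    "Failed_login_event": {
      "type": "Request", "kind": "Http",
      "inputs": { "schema": { "type": "object", "properties": {
        "user": { "type": "string" },
        "sourceIps": { "type": "array", "items": { "type": "string" } } } } }
    }
  },
  "actions": {
    "Init_blocked_ips": {
      "type": "InitializeVariable", "runAfter": {},
      "inputs": { "variables": [ { "name": "blockedIps", "type": "array", "value": [] } ] }
    },
    "For_each_ip": {
      "type": "Foreach", "foreach": "@triggerBody()?['sourceIps']",
      "runAfter": { "Init_blocked_ips": [ "Succeeded" ] },
      "actions": {
        "Check_reputation": {
          "type": "Http", "runAfter": {},
          "inputs": { "method": "GET", "uri": "https://ti.example.invalid/ip/@{items('For_each_ip')}",
            "retryPolicy": { "type": "exponential", "count": 4, "interval": "PT10S" } }
        },
        "Is_malicious": {
          "type": "If", "runAfter": { "Check_reputation": [ "Succeeded" ] },
          "expression": { "and": [ { "greaterOrEquals": [ "@int(coalesce(body('Check_reputation')?['riskScore'], 0))", 80 ] } ] },
          "actions": {
            "Record_blocked_ip": {
              "type": "AppendToArrayVariable", "runAfter": {},
              "inputs": { "name": "blockedIps", "value": "@items('For_each_ip')" }
            }
          }
        }
      }
    },
    "Notify_team": {
      "type": "Http", "runAfter": { "For_each_ip": [ "Succeeded", "Failed" ] },
      "inputs": { "method": "POST", "uri": "https://hooks.example.invalid/teams",
        "body": { "user": "@triggerBody()?['user']", "blockedIps": "@variables('blockedIps')" } }
    },
    "Open_ticket": {
      "type": "Http", "runAfter": { "For_each_ip": [ "Succeeded", "Failed" ] },
      "inputs": { "method": "POST", "uri": "https://tickets.example.invalid/incidents",
        "body": { "user": "@triggerBody()?['user']", "blockedIps": "@variables('blockedIps')" } }
    }
  }
}
```

Because Notify_team and Open_ticket depend only on For_each_ip, the engine runs them in parallel, and both are also listed to run when the loop ends as Failed, so the team still hears about a reputation lookup that exhausted its four exponential retries.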
