Azure Threat Hunting Ideas

Key Activities to Monitor in Azure

The following examples below are potential ideaS for activities to monitor within an Azure enviroment. It is important that controls be put in place as well as a baseline be established to determine business as usual (BAU) activity within an environment.

1. Administrative Actions

Role Assignments and Modifications
- Activity: Changes to role assignments, especially those granting administrative privileges (e.g., UserAccessAdministrator, Owner roles).
- Why Monitor?: Unauthorized changes to role assignments can grant excessive permissions to users or entities, leading to privilege escalation.
Resource Group and Subscription-Level Changes
- Activity: Creation, deletion, or modification of resource groups and subscriptions.
- Why Monitor?: These actions can significantly impact the organization’s resources and configurations. Unauthorized changes could lead to resource exposure or service disruption.
Policy Assignment Changes
- Activity: Changes to Azure Policies, including creating, updating, or deleting policy assignments.
- Why Monitor?: Policies enforce compliance and security standards. Changes to policies could weaken security controls or cause non-compliance.

2. Identity and Access Management (IAM)

Failed Sign-In Attempts
- Activity: Multiple failed sign-in attempts, especially from the same user or IP address.
- Why Monitor?: Could indicate brute-force attacks or attempts to compromise user accounts.
Sign-In from Unusual Locations or Devices
- Activity: Sign-ins from unfamiliar locations, IP addresses, or devices.
- Why Monitor?: May indicate that a user’s credentials have been compromised and are being used maliciously.
Use of Privileged Accounts
- Activity: Sign-ins or actions performed by users with high-privilege roles (e.g., Global Administrator, Security Administrator).
- Why Monitor?: Privileged accounts are often targeted by attackers; monitoring their activity helps detect misuse or compromise.
Multi-Factor Authentication (MFA) Changes
- Activity: Enabling, disabling, or bypassing MFA.
- Why Monitor?: MFA is a critical security control. Changes to MFA settings could indicate attempts to reduce account security.

3. Resource Configuration Changes

Network Security Group (NSG) Changes
- Activity: Modification of NSG rules, particularly those allowing inbound traffic.
- Why Monitor?: Changes to NSGs can open your environment to unauthorized access or expose resources to the internet.
Virtual Machine (VM) Management
- Activity: Creation, deletion, start, stop, or reconfiguration of VMs.
- Why Monitor?: Unauthorized changes to VMs can lead to data loss, service disruption, or security breaches.
Key Vault Access and Changes
- Activity: Access to secrets, keys, or certificates stored in Azure Key Vault; modifications to access policies.
- Why Monitor?: Key Vault stores sensitive information. Unauthorized access or changes could compromise the security of your applications and data.
Storage Account Configuration Changes
- Activity: Changes to storage account settings, including public access, encryption settings, and firewall rules.
- Why Monitor?: Misconfigurations can lead to data exposure or unauthorized data access.

4. Security Monitoring and Threat Detection

Azure Security Center Alerts
- Activity: Security alerts generated by Azure Security Center (now Microsoft Defender for Cloud).
- Why Monitor?: These alerts provide insights into potential threats, vulnerabilities, or misconfigurations in your environment.
Azure Sentinel Incidents
- Activity: Creation, escalation, or resolution of incidents in Azure Sentinel.
- Why Monitor?: Sentinel incidents aggregate and correlate data from multiple sources, making them a key indicator of security threats.
Firewall and DDoS Protection Logs
- Activity: Logs from Azure Firewall and DDoS Protection, particularly related to blocked traffic or attack attempts.
- Why Monitor?: These logs help detect and respond to network-level attacks.
Conditional Access Policy Changes
- Activity: Creation, modification, or deletion of Conditional Access policies in Azure AD.
- Why Monitor?: Conditional Access policies enforce security controls on sign-ins. Changes to these policies can weaken security and allow unauthorized access.

5. Data Management and Access

Blob Storage Access and Changes
- Activity: Access to blobs, particularly those that are sensitive or contain critical data; changes to public access settings.
- Why Monitor?: Unauthorized access to blob storage can lead to data breaches. Monitoring changes to public access settings helps prevent unintended data exposure.
SQL Database Access and Changes
- Activity: Access to SQL databases; changes to firewall rules, audit settings, or encryption.
- Why Monitor?: SQL databases often store sensitive data. Monitoring access and configuration changes helps protect against unauthorized access or data breaches.
Backup and Recovery Operations
- Activity: Initiating or modifying backup and recovery operations for critical resources.
- Why Monitor?: Ensures that backup processes are not tampered with and that recovery operations are legitimate.

6. Application and Service-Specific Monitoring

App Service Configuration Changes
- Activity: Changes to App Service settings, including authentication settings, SSL/TLS configurations, and app service plans.
- Why Monitor?: Unauthorized changes can affect the security and availability of your applications.
Container Registry and Kubernetes (AKS) Changes
- Activity: Changes to container registries, AKS clusters, and associated network settings.
- Why Monitor?: Containers and Kubernetes clusters are often targeted by attackers; monitoring these changes helps ensure their integrity and security.

Practical Monitoring Tips:

Implement Automation: Use Azure Monitor, Security Center, and Sentinel to automate the detection of these activities. Set up alerts and automate responses where possible.
Use Workbooks: Azure Monitor Workbooks allow you to create custom dashboards that can visualize and track these key activities in real-time.
Regular Reviews: Regularly review logs and alerts to ensure that your monitoring setup is capturing all relevant activities and that no critical events are missed.

Last updated 9 months ago

Key Activities to Monitor in Azure

1. Administrative Actions

Role Assignments and Modifications

Activity: Changes to role assignments, especially those granting administrative privileges (e.g., UserAccessAdministrator, Owner roles).
Why Monitor?: Unauthorized changes to role assignments can grant excessive permissions to users or entities, leading to privilege escalation.

Resource Group and Subscription-Level Changes

Activity: Creation, deletion, or modification of resource groups and subscriptions.
Why Monitor?: These actions can significantly impact the organization’s resources and configurations. Unauthorized changes could lead to resource exposure or service disruption.

Policy Assignment Changes

Activity: Changes to Azure Policies, including creating, updating, or deleting policy assignments.
Why Monitor?: Policies enforce compliance and security standards. Changes to policies could weaken security controls or cause non-compliance.

2. Identity and Access Management (IAM)

Failed Sign-In Attempts

Activity: Multiple failed sign-in attempts, especially from the same user or IP address.
Why Monitor?: Could indicate brute-force attacks or attempts to compromise user accounts.

Sign-In from Unusual Locations or Devices

Activity: Sign-ins from unfamiliar locations, IP addresses, or devices.
Why Monitor?: May indicate that a user’s credentials have been compromised and are being used maliciously.

Use of Privileged Accounts

Activity: Sign-ins or actions performed by users with high-privilege roles (e.g., Global Administrator, Security Administrator).
Why Monitor?: Privileged accounts are often targeted by attackers; monitoring their activity helps detect misuse or compromise.

Multi-Factor Authentication (MFA) Changes

Activity: Enabling, disabling, or bypassing MFA.
Why Monitor?: MFA is a critical security control. Changes to MFA settings could indicate attempts to reduce account security.

3. Resource Configuration Changes

Network Security Group (NSG) Changes

Activity: Modification of NSG rules, particularly those allowing inbound traffic.
Why Monitor?: Changes to NSGs can open your environment to unauthorized access or expose resources to the internet.

Virtual Machine (VM) Management

Activity: Creation, deletion, start, stop, or reconfiguration of VMs.
Why Monitor?: Unauthorized changes to VMs can lead to data loss, service disruption, or security breaches.

Key Vault Access and Changes

Activity: Access to secrets, keys, or certificates stored in Azure Key Vault; modifications to access policies.
Why Monitor?: Key Vault stores sensitive information. Unauthorized access or changes could compromise the security of your applications and data.

Storage Account Configuration Changes

Activity: Changes to storage account settings, including public access, encryption settings, and firewall rules.
Why Monitor?: Misconfigurations can lead to data exposure or unauthorized data access.

4. Security Monitoring and Threat Detection

Azure Security Center Alerts

Activity: Security alerts generated by Azure Security Center (now Microsoft Defender for Cloud).
Why Monitor?: These alerts provide insights into potential threats, vulnerabilities, or misconfigurations in your environment.

Azure Sentinel Incidents

Activity: Creation, escalation, or resolution of incidents in Azure Sentinel.
Why Monitor?: Sentinel incidents aggregate and correlate data from multiple sources, making them a key indicator of security threats.

Firewall and DDoS Protection Logs

Activity: Logs from Azure Firewall and DDoS Protection, particularly related to blocked traffic or attack attempts.
Why Monitor?: These logs help detect and respond to network-level attacks.

Conditional Access Policy Changes

Activity: Creation, modification, or deletion of Conditional Access policies in Azure AD.
Why Monitor?: Conditional Access policies enforce security controls on sign-ins. Changes to these policies can weaken security and allow unauthorized access.

5. Data Management and Access

Blob Storage Access and Changes

Activity: Access to blobs, particularly those that are sensitive or contain critical data; changes to public access settings.
Why Monitor?: Unauthorized access to blob storage can lead to data breaches. Monitoring changes to public access settings helps prevent unintended data exposure.

SQL Database Access and Changes

Activity: Access to SQL databases; changes to firewall rules, audit settings, or encryption.
Why Monitor?: SQL databases often store sensitive data. Monitoring access and configuration changes helps protect against unauthorized access or data breaches.

Backup and Recovery Operations

Activity: Initiating or modifying backup and recovery operations for critical resources.
Why Monitor?: Ensures that backup processes are not tampered with and that recovery operations are legitimate.

6. Application and Service-Specific Monitoring

App Service Configuration Changes

Activity: Changes to App Service settings, including authentication settings, SSL/TLS configurations, and app service plans.
Why Monitor?: Unauthorized changes can affect the security and availability of your applications.

Container Registry and Kubernetes (AKS) Changes

Activity: Changes to container registries, AKS clusters, and associated network settings.
Why Monitor?: Containers and Kubernetes clusters are often targeted by attackers; monitoring these changes helps ensure their integrity and security.

Practical Monitoring Tips:

Implement Automation: Use Azure Monitor, Security Center, and Sentinel to automate the detection of these activities. Set up alerts and automate responses where possible.

Use Workbooks: Azure Monitor Workbooks allow you to create custom dashboards that can visualize and track these key activities in real-time.

Regular Reviews: Regularly review logs and alerts to ensure that your monitoring setup is capturing all relevant activities and that no critical events are missed.