CTHFM: Azure

Azure Threat Hunting Ideas

Key Activities to Monitor in Azure

The following are potential ideas for activities to monitor within an Azure environment. Before hunting on any of them, make sure the relevant logging and controls are in place and establish a baseline of business as usual (BAU) activity, so that deviations from normal can be recognized rather than guessed at.

1. Administrative Actions

  • Role Assignments and Modifications

    • Activity: Changes to role assignments, especially those granting administrative privileges (e.g., the Owner or User Access Administrator roles).

    • Why Monitor?: Unauthorized changes to role assignments can grant excessive permissions to users or entities, leading to privilege escalation.

  • Resource Group and Subscription-Level Changes

    • Activity: Creation, deletion, or modification of resource groups and subscriptions.

    • Why Monitor?: These actions can significantly impact the organization’s resources and configurations. Unauthorized changes could lead to resource exposure or service disruption.

  • Policy Assignment Changes

    • Activity: Changes to Azure Policies, including creating, updating, or deleting policy assignments.

    • Why Monitor?: Policies enforce compliance and security standards. Changes to policies could weaken security controls or cause non-compliance.
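
The following KQL is an added example for the role-assignment item above; it is not part of the original page. It assumes the AzureActivity table is collected into a Log Analytics workspace and applies the baseline idea from the introduction: it returns privileged role assignments (Owner, User Access Administrator, Contributor, identified by their built-in role definition GUIDs) made in the last day by a caller with no role-assignment history in the previous 30 days.

```kql
// Added example (not from the CTHFM page): privileged Azure RBAC role
// assignments made by a caller who has no role-assignment history in the
// baseline window. Assumes the AzureActivity table is collected into the
// Log Analytics workspace. The GUIDs are the built-in role definition IDs.
let lookback = 30d;
let window   = 1d;
let privilegedRoles = dynamic([
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",   // Owner
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9",   // User Access Administrator
    "b24988ac-6180-42a0-ab88-20f7382dd24c"    // Contributor
]);
let roleWrites = AzureActivity
    | where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write"
    // both spellings have appeared in this column depending on the provider
    | where ActivityStatusValue in~ ("Success", "Succeeded")
    // the request body carries the role, principal and scope of the assignment
    | extend Body = parse_json(tostring(parse_json(Properties).requestbody))
    | extend RoleDefinitionId = tostring(Body.Properties.RoleDefinitionId),
             PrincipalId      = tostring(Body.Properties.PrincipalId),
             PrincipalType    = tostring(Body.Properties.PrincipalType),
             AssignedScope    = tostring(Body.Properties.Scope)
    | extend RoleGuid = tolower(extract(@"roleDefinitions/([0-9a-fA-F-]+)$", 1, RoleDefinitionId));
// Baseline: identities that normally perform role assignments (of any role).
let baselineCallers = roleWrites
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | summarize BaselineAssignments = count() by Caller;
roleWrites
| where TimeGenerated > ago(window)
| where RoleGuid in (privilegedRoles)
// leftanti keeps only rows whose Caller does not appear in the baseline
| join kind=leftanti baselineCallers on Caller
| project TimeGenerated, Caller, CallerIpAddress, RoleGuid, PrincipalId, PrincipalType,
          AssignedScope, SubscriptionId, CorrelationId
| order by TimeGenerated desc
```

Callers that legitimately assign roles all the time (PIM, deployment pipelines) drop out through the baseline join; what remains is a short list worth pivoting on by CorrelationId to see what else the same operation touched.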

2. Identity and Access Management (IAM)

  • Failed Sign-In Attempts

    • Activity: Multiple failed sign-in attempts, especially from the same user or IP address.

    • Why Monitor?: Could indicate brute-force attacks or attempts to compromise user accounts.

  • Sign-In from Unusual Locations or Devices

    • Activity: Sign-ins from unfamiliar locations, IP addresses, or devices.

    • Why Monitor?: May indicate that a user’s credentials have been compromised and are being used maliciously.

  • Use of Privileged Accounts

    • Activity: Sign-ins or actions performed by users with high-privilege roles (e.g., Global Administrator, Security Administrator).

    • Why Monitor?: Privileged accounts are often targeted by attackers; monitoring their activity helps detect misuse or compromise.

  • Multi-Factor Authentication (MFA) Changes

    • Activity: Enabling or disabling MFA for a user, changes to a user's registered authentication methods, or changes to policies that exempt users from MFA.

    • Why Monitor?: MFA is a critical security control. Changes to MFA settings could indicate attempts to reduce account security.
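
The following KQL is an added example for the failed sign-in and unusual sign-in items above; it is not from the original page. It assumes the SigninLogs table (Entra ID interactive sign-ins) is exported to the workspace, and the failure threshold of 20 is an assumed starting point to be tuned against the tenant's baseline. It pairs a burst of credential-guessing failures from one IP address with a success from the same address, which is the moment a brute-force or spray attempt becomes a compromise.

```kql
// Added example (not from the CTHFM page): a burst of failed sign-ins from one
// IP address followed by a successful sign-in from the same IP. Assumes the
// SigninLogs table (Entra ID interactive sign-ins) is exported to the
// workspace. ResultType is a string; "0" is success.
let window        = 1h;
let failThreshold = 20;          // assumed; tune against the tenant's baseline of failed sign-ins
// Error codes that indicate credential guessing rather than a policy block:
// 50126 invalid username/password, 50053 account or IP locked,
// 50055 password expired, 50057 user disabled.
let guessingCodes = dynamic(["50126", "50053", "50055", "50057"]);
let failures = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType in (guessingCodes)
    | summarize FailedAttempts = count(),
                TargetedUsers  = dcount(UserPrincipalName),
                FirstFailure   = min(TimeGenerated),
                LastFailure    = max(TimeGenerated)
              by IPAddress, bin(TimeGenerated, window)
    | where FailedAttempts >= failThreshold;
let successes = SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName,
              Location, ConditionalAccessStatus, AuthenticationRequirement;
failures
| join kind=inner successes on IPAddress
// a success during the burst or within one window after it
| where SuccessTime between (FirstFailure .. (LastFailure + window))
// many TargetedUsers with few attempts each is a spray; one user with many is brute force
| project SuccessTime, IPAddress, Location, UserPrincipalName, AppDisplayName,
          FailedAttempts, TargetedUsers, AuthenticationRequirement, ConditionalAccessStatus
| order by SuccessTime desc
```

AuthenticationRequirement and ConditionalAccessStatus on the matching success tell you whether the attacker also satisfied MFA, which changes the response from "reset the password" to "investigate the MFA method".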

3. Resource Configuration Changes

  • Network Security Group (NSG) Changes

    • Activity: Modification of NSG rules, particularly those allowing inbound traffic.

    • Why Monitor?: Changes to NSGs can open your environment to unauthorized access or expose resources to the internet.

  • Virtual Machine (VM) Management

    • Activity: Creation, deletion, start, stop, or reconfiguration of VMs.

    • Why Monitor?: Unauthorized changes to VMs can lead to data loss, service disruption, or security breaches.

  • Key Vault Access and Changes

    • Activity: Access to secrets, keys, or certificates stored in Azure Key Vault; modifications to access policies.

    • Why Monitor?: Key Vault stores sensitive information. Unauthorized access or changes could compromise the security of your applications and data.

  • Storage Account Configuration Changes

    • Activity: Changes to storage account settings, including public access, encryption settings, and firewall rules.

    • Why Monitor?: Misconfigurations can lead to data exposure or unauthorized data access.
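
The following KQL is an added example for the Key Vault item above; it is not from the original page. It assumes Key Vault diagnostic settings send AuditEvent logs to the workspace, where they land in the AzureDiagnostics table with ResourceType "VAULTS". It flags callers reading far more distinct secrets, keys or certificates from a vault in one hour than they have in any hour of the previous two weeks, and callers listing secrets on a vault they have never touched.

```kql
// Added example (not from the CTHFM page): Key Vault secret, key and
// certificate reads or listings that exceed the caller's own baseline for a
// given vault. Assumes Key Vault diagnostic settings send AuditEvent logs to
// the workspace, where they land in AzureDiagnostics with ResourceType "VAULTS".
let lookback = 14d;
let window   = 1h;
let kvReads = AzureDiagnostics
    | where ResourceType == "VAULTS" and Category == "AuditEvent"
    | where OperationName in ("SecretGet", "SecretList", "KeyGet", "CertificateGet")
    | where ResultType == "Success"
    // users carry a UPN claim, applications an appid claim; the columns only
    // exist once such an event has been ingested, hence column_ifexists
    | extend CallerUpn   = tostring(column_ifexists("identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s", "")),
             CallerAppId = tostring(column_ifexists("identity_claim_appid_g", ""))
    | extend CallerId = iff(isnotempty(CallerUpn), CallerUpn, CallerAppId)
    // requestUri_s looks like https://<vault>.vault.azure.net/secrets/<name>/<version>?api-version=7.4
    | extend ObjectName = extract(@"/(?:secrets|keys|certificates)/([^/?]+)", 1, requestUri_s);
// Baseline: the most distinct objects each caller has read from each vault in any one hour.
let baseline = kvReads
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | summarize HourlyObjects = dcountif(ObjectName, isnotempty(ObjectName))
              by CallerId, Resource, bin(TimeGenerated, window)
    | summarize BaselineMaxHourly = max(HourlyObjects) by CallerId, Resource;
kvReads
| where TimeGenerated > ago(window)
| summarize Reads = count(),
            Lists = countif(OperationName == "SecretList"),
            DistinctObjects = dcountif(ObjectName, isnotempty(ObjectName)),
            SourceIps = make_set(CallerIPAddress, 10),
            Objects   = make_set(ObjectName, 20)
          by CallerId, Resource
| join kind=leftouter baseline on CallerId, Resource
| extend BaselineMaxHourly = coalesce(BaselineMaxHourly, 0)
// flag: reading far more than ever before, or listing from a caller never seen on this vault
| where DistinctObjects > 2 * BaselineMaxHourly or (Lists > 0 and BaselineMaxHourly == 0)
| project CallerId, Resource, Reads, Lists, DistinctObjects, BaselineMaxHourly, SourceIps, Objects
| order by DistinctObjects desc
```

A workload identity normally reads the same two or three secrets on a schedule; a caller that suddenly enumerates the vault and pulls twenty distinct objects from a new IP is the pattern to chase first.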

4. Security Monitoring and Threat Detection

  • Microsoft Defender for Cloud Alerts

    • Activity: Security alerts generated by Microsoft Defender for Cloud (formerly Azure Security Center).

    • Why Monitor?: These alerts provide insights into potential threats, vulnerabilities, or misconfigurations in your environment.

  • Azure Sentinel Incidents

    • Activity: Creation, escalation, or resolution of incidents in Microsoft Sentinel (formerly Azure Sentinel).

    • Why Monitor?: Sentinel incidents aggregate and correlate data from multiple sources, making them a key indicator of security threats.

  • Firewall and DDoS Protection Logs

    • Activity: Logs from Azure Firewall and DDoS Protection, particularly related to blocked traffic or attack attempts.

    • Why Monitor?: These logs help detect and respond to network-level attacks.

  • Conditional Access Policy Changes

    • Activity: Creation, modification, or deletion of Conditional Access policies in Microsoft Entra ID (formerly Azure AD).

    • Why Monitor?: Conditional Access policies enforce security controls on sign-ins. Changes to these policies can weaken security and allow unauthorized access.
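
The following KQL is an added example for the Conditional Access item above; it is not from the original page. It assumes Entra ID AuditLogs are exported to the workspace. Beyond listing who changed which policy, it pulls the policy's enforcement state out of the old and new values so that a policy being deleted, disabled, or flipped to report-only sorts to the top.

```kql
// Added example (not from the CTHFM page): Conditional Access policy
// creations, updates and deletions with the initiator and the before/after
// enforcement state. Assumes Entra ID AuditLogs are exported to the workspace.
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "Policy"
| where OperationName in ("Add conditional access policy",
                          "Update conditional access policy",
                          "Delete conditional access policy")
| extend InitiatorUpn  = tostring(InitiatedBy.user.userPrincipalName),
         InitiatorApp  = tostring(InitiatedBy.app.displayName),
         InitiatorIp   = tostring(InitiatedBy.user.ipAddress),
         PolicyName    = tostring(TargetResources[0].displayName),
         PolicyId      = tostring(TargetResources[0].id),
         ModifiedProps = TargetResources[0].modifiedProperties
// changes made through an application (Graph, automation) have no user UPN
| extend Initiator = iff(isnotempty(InitiatorUpn), InitiatorUpn, InitiatorApp)
| mv-expand Prop = ModifiedProps
| where tostring(Prop.displayName) == "ConditionalAccessPolicy"
| extend OldValue = tostring(Prop.oldValue), NewValue = tostring(Prop.newValue)
// the values are the serialized policy; \W+ tolerates the JSON being escaped
// once more inside the string, and the longest state name is listed first so
// "enabled" does not match the prefix of "enabledForReportingButNotEnforced"
| extend OldState = extract(@'state\W+(enabledForReportingButNotEnforced|enabled|disabled)', 1, OldValue),
         NewState = extract(@'state\W+(enabledForReportingButNotEnforced|enabled|disabled)', 1, NewValue)
| extend Weakened = OperationName == "Delete conditional access policy"
                    or (OldState == "enabled" and NewState != "enabled")
| project TimeGenerated, OperationName, PolicyName, PolicyId, Initiator, InitiatorIp,
          Result, OldState, NewState, Weakened
| order by Weakened desc, TimeGenerated desc
```

Keep the full OldValue and NewValue at hand when investigating a hit: an "Update" that leaves the state enabled can still add an exclusion group or drop the MFA grant control, and those only show up in the serialized policy body.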

5. Data Management and Access

  • Blob Storage Access and Changes

    • Activity: Access to blobs, particularly those that are sensitive or contain critical data; changes to public access settings.

    • Why Monitor?: Unauthorized access to blob storage can lead to data breaches. Monitoring changes to public access settings helps prevent unintended data exposure.

  • SQL Database Access and Changes

    • Activity: Access to SQL databases; changes to firewall rules, audit settings, or encryption.

    • Why Monitor?: SQL databases often store sensitive data. Monitoring access and configuration changes helps protect against unauthorized access or data breaches.

  • Backup and Recovery Operations

    • Activity: Initiating or modifying backup and recovery operations for critical resources.

    • Why Monitor?: Ensures that backup processes are not tampered with and that recovery operations are legitimate.
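
The following KQL is an added example for the blob storage item above; it is not from the original page. It assumes blob diagnostic settings send StorageRead and StorageWrite logs to the workspace (the StorageBlobLogs table), and the 1 GiB per-caller threshold is an assumed starting value. The SQL and backup items use different tables and are not covered here. The query unions three hunts: successful anonymous reads, container access-level changes, and single callers pulling unusually large volumes.

```kql
// Added example (not from the CTHFM page): three blob-storage hunts in one
// query: successful anonymous reads, container access-level changes, and
// callers pulling unusually large volumes. Assumes blob diagnostic settings
// send StorageRead and StorageWrite logs to the workspace (StorageBlobLogs).
let window         = 1d;
let bytesThreshold = 1024 * 1024 * 1024;   // assumed: 1 GiB per caller per day; tune to baseline
let blobLogs = StorageBlobLogs
    | where TimeGenerated > ago(window)
    | where toint(StatusCode) between (200 .. 299)   // successful requests only
    // ObjectKey is /<account>/<container>/<blob path>
    | extend Container = tostring(split(ObjectKey, "/")[2]);
// 1. Data served with no credential at all.
let anonymousReads = blobLogs
    | where AuthenticationType == "Anonymous"
    | where OperationName in ("GetBlob", "ListBlobs")
    | summarize Events = count(), Bytes = sum(ResponseBodySize),
                Ips = make_set(CallerIpAddress, 10), Containers = make_set(Container, 10)
              by AccountName
    | extend Finding = "anonymous_read";
// 2. Someone changed a container's public access level.
let aclChanges = blobLogs
    | where OperationName == "SetContainerACL"
    | extend Finding = "container_acl_changed"
    | project TimeGenerated, Finding, AccountName, Container, CallerIpAddress,
              AuthenticationType, RequesterUpn;
// 3. A single caller downloading more than the threshold in the window.
let bulkDownloads = blobLogs
    | where OperationName == "GetBlob"
    | summarize Bytes = sum(ResponseBodySize), Blobs = dcount(ObjectKey),
                Containers = make_set(Container, 10)
              by AccountName, CallerIpAddress, AuthenticationType, RequesterUpn
    | where Bytes > bytesThreshold
    | extend Finding = "bulk_download";
// union fills the columns a branch does not produce with nulls
union anonymousReads, aclChanges, bulkDownloads
| project Finding, AccountName, Container, Containers, CallerIpAddress, Ips,
          AuthenticationType, RequesterUpn, Events, Bytes, Blobs, TimeGenerated
| order by Finding asc, Bytes desc
```

An "anonymous_read" finding that appears shortly after a "container_acl_changed" finding on the same account is the sequence that turns a misconfiguration into an exposure; AuthenticationType on the bulk download rows separates a leaked SAS token or account key from an OAuth identity you can simply disable.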

6. Application and Service-Specific Monitoring

  • App Service Configuration Changes

    • Activity: Changes to App Service settings, including authentication settings, SSL/TLS configurations, and app service plans.

    • Why Monitor?: Unauthorized changes can affect the security and availability of your applications.

  • Container Registry and Kubernetes (AKS) Changes

    • Activity: Changes to container registries, AKS clusters, and associated network settings.

    • Why Monitor?: Containers and Kubernetes clusters are often targeted by attackers; monitoring these changes helps ensure their integrity and security.

Practical Monitoring Tips:

  • Implement Automation: Use Azure Monitor, Microsoft Defender for Cloud, and Microsoft Sentinel to automate the detection of these activities. Set up alerts and automate responses where possible.

  • Use Workbooks: Azure Monitor Workbooks allow you to create custom dashboards that visualize and track these key activities in near real time (log ingestion latency means they are not strictly real-time).

  • Regular Reviews: Regularly review logs and alerts to ensure that your monitoring setup is capturing all relevant activities and that no critical events are missed.
