August 31, 2024

Defender for Cloud – Part 5: Security Alerts

This part describes Security Alerts for Azure resources. The Security alerts view in the Azure portal is a good place to find out what is going on if you do not forward alerts to Sentinel, or if you do not have access to the Defender portal (https://security.microsoft.com), where the same alerts can also be seen.

Summary of the Security Alerts

- Security alerts are generated by workload protection plans when threats are identified in your Azure, hybrid, or multicloud environments.
- Security alerts are triggered by advanced detections that become available when you enable Defender plans for specific resource types.
- Each alert provides details of the affected resources, the issue, and remediation steps.
- MDC classifies alerts and prioritizes them by severity.
- Alerts are displayed in the portal for 90 days, even if the resource related to the alert was deleted during that time.
- Alerts can be exported to CSV format.
- Alerts can also be streamed directly to a Security Information and Event Management (SIEM) solution such as Microsoft Sentinel, a Security Orchestration Automated Response (SOAR) solution, or an IT Service Management (ITSM) solution.
- Security alerts are also visible in the Defender portal if it is in use.
- MDC leverages the MITRE ATT&CK Matrix to associate alerts with their perceived intent, helping formalize security domain knowledge.

Overview of Security Alerts

As always, I have drawn numbered areas on the screenshot to explain what the different functions mean:

1. Azure Graph query, suppression rules, security alerts map, alerts workbook, CSV report and guides
2. Alert status information for resources and classification by severity
3. Filters
4. The actual alert listing

Since there were no security alerts in my subscription, I used the sample alerts which MDC generates.

Defender for Cloud - Security Alerts main view

Section 1 - Functions

Change status

You can change the alert status here, for example if you want to manage alerts directly from this view.
Normally, in more mature organizations, alerts are forwarded to Sentinel (for example) and handled there. Sentinel has a Defender for Cloud data connector which forwards the alerts from MDC to Sentinel. It is also possible to select bi-directional sync, so that if an alert is closed in Sentinel it is also closed in MDC's alert list, and vice versa.

Open query

The Open query link opens Azure Resource Graph Explorer with a pre-made query for the security alerts of the selected subscriptions; you can also write your own queries against the securityresources table. The query language is KQL (Kusto Query Language). This is the same alert data the portal list shows, so a query is the quickest way to reproduce a filtered view or to hand a filtered list to someone without portal access.

Suppression rules

In MDC you can create suppression rules for security alerts that are not interesting or relevant. Rules let you automatically dismiss similar alerts in the future. Some examples of how to use a suppression rule are:

- Suppress alerts that you have identified as false positives
- Suppress alerts that are being triggered too often to be useful

Keep in mind that a suppression rule only dismisses matching alerts; it does not fix the cause. Scope rules as narrowly as the entity filters allow (for example to one resource or process name) and give them an expiry date, so that a rule written for one noisy resource does not silently hide the same alert type everywhere.

Here is an animated image that describes how a rule is made (a bit old, but it still works). Source: MS Learn

Security alerts map

This map presents security alerts that contain IP addresses targeting your resources. Markings on the map represent the sources of the attacks on your resources.

Sample alerts

You can create sample alerts from the security alerts page in the Azure portal. Use sample alerts to:

- evaluate the value and capabilities of your Microsoft Defender for Cloud plans.
- validate any configurations you have made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).

While writing this post I generated sample security alerts to demonstrate how alerts work and what you can do with them.
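The query below is an added example, not the query the Open query link generates or any code from the post. It is the kind of query you would paste into Azure Resource Graph Explorer to reproduce the alert list with the filters of Section 3 applied (status, severity, time window). It assumes the alert rows live in the securityresources table under the type microsoft.security/locations/alerts, with the alert fields in the properties bag as they appear in the portal's Open query view.

```kusto
// Added example (not from the original post): a filtered alert list from
// Azure Resource Graph. Assumption: alert fields are in the properties bag
// with the names used by the Defender for Cloud alerts API.
securityresources
| where type == "microsoft.security/locations/alerts"
| extend AlertName = tostring(properties.alertDisplayName),
         AlertType = tostring(properties.alertType),
         Severity  = tostring(properties.severity),
         Status    = tostring(properties.status),
         Entity    = tostring(properties.compromisedEntity),   // affected resource
         Tactics   = tostring(properties.intent),              // MITRE ATT&CK intent
         StartTime = todatetime(properties.startTimeUtc),
         Generated = todatetime(properties.timeGeneratedUtc)
| where Status == "Active"                      // same as the Status filter in the portal
| where Severity in ("High", "Medium")          // same as the Severity filter
| where Generated > ago(7d)                     // time window filter
| project subscriptionId, resourceGroup, AlertName, AlertType, Severity,
          Entity, Tactics, StartTime, Generated, id
| order by Generated desc
```

The id column is the alert's Azure resource ID, which is what you need when you want to change the alert status outside the portal (for example from a Logic App or a script) rather than by ticking the checkbox in the list.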
Active Alerts Workbook

The Active Alerts workbook is a quick way to get a snapshot of what kind of alerts you have in your environments. It shows:

- Alert count by severity
- Resource groups where those alerts are
- Alerts by tag (if there are any)
- Top 5 attacked resources by severity
- Top alert types
- New alerts within 24 hours
- Alerts sorted by MITRE ATT&CK tactic
- Also a list view and a map view of alerts (not shown in the images)

Click the images to get a bigger picture:

Active Alerts Workbook part 1
Active Alerts Workbook part 2

Download CSV report

As the link says, you can download the security alerts as a CSV report. The report contains more information than the list view, as this clip shows:

Guides & Feedback

When you click the Guides & Feedback link, the portal opens a side panel where you can see the Useful links and Community tools sections.

Useful links

- Security alerts and incidents – Microsoft Defender for Cloud | Microsoft Learn
- Reference guide for security alerts – Microsoft Defender for Cloud | Microsoft Learn
- Manage and respond to security alerts – Microsoft Defender for Cloud | Microsoft Learn

Community tools from GitHub

Also some community tools from Microsoft Azure's Defender for Cloud GitHub repo.

Section 2 - Alerts status and classifications

This is just a static image of the alert status (I mean there are no links), showing how many resources the alerts affect and the open alerts by severity. Though static, it is updated automatically by the system.

Section 3 - Search & Filters

Search

You can write in the Search box what you would like to find.

Subscription

You can select the subscription in which you want to search the alerts.

Other filters

You can choose from the filter drop-down what you want to search for:

Section 4 - Results

The security alert results are based on what you chose above. In my case, and by default, the columns are:

- Severity
- Alert name
- Affected resource
- Resource Group
- Activity Start Time
- MITRE ATT&CK tactics
- Status

How to manage the alerts?
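The Active Alerts workbook tiles are built on Resource Graph queries. The query below is an added example, not the workbook's own query, that recreates two of the tiles above ("Top 5 attacked resources by severity" and "New alerts within 24 hours") in one query, so you can get the same numbers without opening the workbook or feed them into your own report. It assumes the same alert fields as the Open query view (properties.severity, properties.status, properties.compromisedEntity, properties.timeGeneratedUtc, properties.intent); the severity weighting used for ranking is my own choice.

```kusto
// Added example (not the workbook's query): top 5 attacked resources with a
// per-severity breakdown and the count of alerts raised in the last 24 hours.
// Assumption: alert fields are in the properties bag under the API names.
securityresources
| where type == "microsoft.security/locations/alerts"
| extend Status    = tostring(properties.status),
         Severity  = tostring(properties.severity),
         Entity    = tostring(properties.compromisedEntity),
         Generated = todatetime(properties.timeGeneratedUtc),
         Tactic    = tostring(properties.intent)
| where Status == "Active"
| summarize High          = countif(Severity == "High"),
            Medium        = countif(Severity == "Medium"),
            Low           = countif(Severity == "Low"),
            Informational = countif(Severity == "Informational"),
            NewLast24h    = countif(Generated > ago(24h)),
            Tactics       = make_set(Tactic)
      by Entity, resourceGroup, subscriptionId
// Weighted so that one High outranks any number of Lows (weighting is an assumption, not the workbook's).
| extend Score = High * 100 + Medium * 10 + Low
| top 5 by Score desc
```

If you paste this into Azure Resource Graph Explorer while sample alerts are present, the sample resources will dominate the top 5; run it again after the sample alerts are dismissed to see the real picture.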
You can manage alerts in different ways, but let's focus on managing them in Defender for Cloud.

As I wrote before, you change the alert status by selecting the checkbox in front of the alert severity and then using the Change status drop-down list at the top of the panel.

If you click the alert name, the alert opens in a side panel where you can review the high-level information about the security alert:

- Alert severity, status, and activity time
- A description that explains the precise activity that was detected
- Affected resources
- Kill chain intent of the activity on the MITRE ATT&CK matrix (if applicable)

Full details

If you click the View full details button, you can see everything about the selected alert.

Take action

After investigating a security alert, you can respond to it. By clicking the Take action button you will see the remediation actions. In this case there are six sections to help with the case:

- Inspect resource context. Since this is a sample alert there are no logs available, but in a real case there could be.
- Mitigate the threat. Short guidance on what to do. If there are other alerts regarding the same resource, those alerts can be seen by clicking the link.
- Prevent future attacks. If there are security misconfigurations in the resource, you should fix those to prevent similar alerts in the future.
- Trigger automated response. You can use Logic Apps to automate the response to the alert and thereby shorten the time between detection and response.
- Suppress similar alerts. It is possible to create suppression rules that automatically dismiss similar alerts; note that this hides them, it does not remediate them.
- Configure email notification settings. You can set to whom and under which conditions alert notification emails are sent.

Finally, when you have completed the investigation into the alert and responded in the appropriate way, change the status. Dismissed is the right choice for a false positive or an accepted finding; Resolved is available in the same drop-down for a true positive that you have remediated. Either way, the alert leaves the Active list and the status is visible in the list view, in the CSV export and in Sentinel if the connector is in use.
Email notification about Security alerts

By default, Microsoft sends email notifications about security alerts to the subscription owners, and only for high-severity alerts. You can change the recipients (specific addresses or roles) and the minimum severity in the Environment settings. A sample email is shown below:

Email notification from Defender for Cloud

To set those email notifications, go to Environment settings, choose the wanted subscription, click Email notifications and set the email address and severity:

Email notifications settings

That was a presentation of Security Alerts. I hope you get the idea of it. The next part is Attack path analysis. Stay tuned.

The parts of the MDC blog series

View all the parts of the MDC blog series:

- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started
- Part 2: The Asset Inventory
- Part 3: Security posture
- Part 4: Security recommendations
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 11: Data security
- Part 12: Firewall manager
- Part 13: DevOps security
- Part 14: Environment settings
- Part 14A: Defender Plans
- Part 14B: Security Policies
- Part 14C: Email notifications
- Part 14D: Workflow automation
- Part 14E: Continuous Export
- Part 15: Security solutions
- Part 16: Community