Detecting attempts to run untrusted code by using trusted executables in Azure Security Center

In February 2017, Fireye documented a sophisticated spear phishing campaign targeting individuals within the Mongolian government. In the initial part of this attack, they were bypassing AppLocker restrictions by using Regsrv32.exe, which enables the attacker to run untrusted code. This technique was used in many others attack campaigns.  By using virtual machine behavioral analysis, Security…


Creating Custom Notable Event in Azure Security Center

In Azure Security Center you can use the Events dashboard to see the security events (including Windows Firewall) collected over time: The visualization of security events over time can be very useful for you to observe some patterns, and to have a snapshot of the environment. You can also use this information when performing an…


Hybrid Cloud Workload Protection with Azure Security Center

In case you missed due the holidays, we released a new Microsoft Virtual Academy fully dedicated to Azure Security Center. In this MVA, Ty Balascio and I are covering the following content: 1 | Getting Started with Azure Security Center Learn about the current threat landscape and how Azure Security Center can enhance your security…


Exporting Computers that are not Compliant with Security Baseline Recommendations in Azure Security Center

To enhance your security posture you must ensure that your computers are using the appropriate secure configuration, which may vary according to its role, for example: Web Servers will have a different security baseline compare to File Servers. In Security Center you can see the current security state of your computers by using the Security…


Azure Security Center Overview Page Updated

If you are using Azure Security Center, and you use the Overview page as your main dashboard, you are used to this layout: This week we had a small update on this page, and the Advanced Cloud Defense was removed from this page, as you can see the latest screen below: Nothing really change as…


Azure Security Center User Voice

I started working with Azure Security Center in July 2015 when it was still only available for some private preview customers. In December 2nd 2015 we officially announced that Security Center was available. The amount of changes since day 1 were absolutely incredible, and Security Center continues to evolve to address new threats, and new…


Upcoming Azure Security Center Book

Following the great success of the Azure Security Infrastructure book, Tom and I signed another contract with Microsoft Press, and we are working on a new book dedicated to Azure Security Center. This new book is now available for pre-order at Amazon, and it will cover all capabilities available in Security Center. Stay tuned for…


Installing Azure Security Center Agent on Linux Computer

You probably know that Security Center can monitor your Linux computers, right? You also know how to onboard non-Azure machines to Security Center, right? OK, now the question that I’ve received recently was: how can I install the Security Center Linux agent in my Linux computer? The steps documented in the article Connect your Linux Computers…


Using Azure Activity Log to query security alerts originated by Azure Security Center

By now you know that you can use Azure Security Center dashboard to visualize Security Alerts, and you can also use Log Analytics to query Security Alerts. Recently we also added the capability to visualize Security Alerts originated by Security Center from Azure Activity Log. For the example below I’m going to search for security…


Using Search in Security Center to find Indicators of Compromise

Indicators of Compromise (IoC) are individually-known malicious events that indicate that a network, or a computer has already been breached. You can find a lot of IoC at OpenIOC (www.openioc.org), such as the Zeus IoC. In some circumstances, the IoCs will indicate the existence of a particular file in the system, or the execution of…