Incident Management Implementation Guidance for Azure and Office365

Couple of months ago I had had a great opportunity to be among the contributors/reviewers of this very cool white paper that talks about incident management using Azure and Office 365. Today I’m very please to let you know that you can download this paper right now! This document helps customers to understand how to…


Going beyond the signature with behavior analytics in Azure Security Center

One of the benefits of using Azure Security Center as your cloud workload protection is the capability to quickly detect threats in your environment based on known patterns. This is not only about matching signatures but going beyond that by understanding the common techniques used by threat actors. By using behavioral analytics, Security Center analyzes…


Exploring the Identity & Access dashboard in Azure Security Center

In Azure Security Center you can use the Identity & Access dashboard to explore more details about your identity posture. In this dashboard you have a snapshot of your identity related activities as shown in the example below: Just by looking at this dashboard you can draw some conclusions, for example, all failed logons were…


Detecting Suspicious PowerShell Activity in Azure Security Center

Adversaries may use PowerShell scripts as a defense evasion technique, or to establish persistence. The use of PowerShell to attack systems is not new, it was successfully leveraged in many different attack campaigns in the past, and it is still a growing trend. For this reason is important to follow some core principals to protect…


Detecting Persistence in Azure Security Center

According to Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK), Persistence is “any access, action, or configuration change to a system that gives an adversary a persistent presence on that system”, which is a common technique used by adversaries to keep a communication channel open with the attacked resource. The use of Run and RunOnce registry…


Considerations Regarding Azure Security Center Adoption

One common question that I receive from customers is: how do I fit Azure Security Center in my overall Security Operations and Incident Response plan? The answer may vary according to your SOC model, the size of the organization, cloud workload, and maturity level. For this reason, is important to take in consideration some key…


Integrating Azure Function with Azure Security Center Playbook

The Playbook feature in Azure Security Center leverages Azure Logic Apps to create a comprehensive workflow that can be used to aggregate a set of procedures to be executed when a certain condition takes place. The demo that I presented at Ignite 2007 shows the integration with Slack, and how the Security Center alert can…


Testing Azure Security Center Detections Capabilities

When you first onboard your VMs/Computers in Azure Security Center, and the Microsoft Monitoring Agent is fully installed in the target systems, you may see some security recommendations for your workloads. This initial security assessment is very important, and usually it doesn’t take long for Security Center to provide a good picture of how secure…


Exploring Notable Events in Security Incidents

Azure Security Center is able to identify threats that may compromise your system in different phases of the kill chain. Security Center will use different detection capabilities prior to trigger an alert, and the content of this alert can also vary according to its type. If Security Center identifies that there is a correlation between…


Azure Advisor Integration with Azure Security Center

First of all, Azure Advisor is super cool, it’s basically one-stop-shop for recommendations regarding high availability, security, performance, and cost of your Azure environment. If you never visited this dashboard, make sure to check it out:  The other cool thing is that the security recommendations is fully integrated with Azure Security Center. When you click…