Going beyond the signature with behavior analytics in Azure Security Center

One of the benefits of using Azure Security Center as your cloud workload protection is the capability to quickly detect threats in your environment based on known patterns. This is not only about matching signatures but going beyond that by understanding the common techniques used by threat actors. By using behavioral analytics, Security Center analyzes…


Exploring the Identity & Access dashboard in Azure Security Center

In Azure Security Center you can use the Identity & Access dashboard to explore more details about your identity posture. In this dashboard you have a snapshot of your identity related activities as shown in the example below: Just by looking at this dashboard you can draw some conclusions, for example, all failed logons were…


Detecting Suspicious PowerShell Activity in Azure Security Center

Adversaries may use PowerShell scripts as a defense evasion technique, or to establish persistence. The use of PowerShell to attack systems is not new, it was successfully leveraged in many different attack campaigns in the past, and it is still a growing trend. For this reason is important to follow some core principals to protect…


Detecting Persistence in Azure Security Center

According to Mitre Adversarial Tactics, Techniques & Common Knowledge (ATT&CK), Persistence is “any access, action, or configuration change to a system that gives an adversary a persistent presence on that system”, which is a common technique used by adversaries to keep a communication channel open with the attacked resource. The use of Run and RunOnce registry…


Considerations Regarding Azure Security Center Adoption

One common question that I receive from customers is: how do I fit Azure Security Center in my overall Security Operations and Incident Response plan? The answer may vary according to your SOC model, the size of the organization, cloud workload, and maturity level. For this reason, is important to take in consideration some key…