Azure Advisor Integration with Azure Security Center

First of all, Azure Advisor is super cool, it’s basically one-stop-shop for recommendations regarding high availability, security, performance, and cost of your Azure environment. If you never visited this dashboard, make sure to check it out:  The other cool thing is that the security recommendations is fully integrated with Azure Security Center. When you click…


Detecting attempts to run untrusted code by using trusted executables in Azure Security Center

In February 2017, FireEye documented a sophisticated spear phishing campaign targeting individuals within the Mongolian government. In the initial part of this attack, they were bypassing AppLocker restrictions by using Regsrv32.exe, which enables the attacker to run untrusted code. This technique was used in many others attack campaigns.  By using virtual machine behavioral analysis, Security…


Creating Custom Notable Event in Azure Security Center

In Azure Security Center you can use the Events dashboard to see the security events (including Windows Firewall) collected over time: The visualization of security events over time can be very useful for you to observe some patterns, and to have a snapshot of the environment. You can also use this information when performing an…


Using Azure Activity Log to query security alerts originated by Azure Security Center

By now you know that you can use Azure Security Center dashboard to visualize Security Alerts, and you can also use Log Analytics to query Security Alerts. Recently we also added the capability to visualize Security Alerts originated by Security Center from Azure Activity Log. For the example below I’m going to search for security…


Using Search in Security Center to find Indicators of Compromise

Indicators of Compromise (IoC) are individually-known malicious events that indicate that a network, or a computer has already been breached. You can find a lot of IoC at OpenIOC (www.openioc.org), such as the Zeus IoC. In some circumstances, the IoCs will indicate the existence of a particular file in the system, or the execution of…


Searching for suspicious user in Azure Security Center

Last September during my presentation with Meir at Ignite, we talked about how powerful the new search capability in Azure Security Center is, the integration with Log Analytics gives you total control, and flexibility to find what you really need.  But how to really use this? First step is to read our core documentation regarding Search…


Updates in Azure Security Center – September 2017 – Part 3

Here another wave of new features that were released today, this time in public preview, but fully documented below: Investigate Incidents and Alerts in Azure Security Center (Preview) Custom Alert Rules in Azure Security Center (Preview) Security Playbook in Azure Security Center (Preview) If you are planning to go to Ignite next week, here are…


Updates in Azure Security Center – September 2017 – Part 2

You thought we were done, didn’t you? Nope, it ain’t over yet, and here are the new articles that reflect new capabilities in Azure Security Center released today: Monitoring and processing security events Azure Security Center search Adaptive Application Controls in Azure Security Center (Preview) Partner and Solutions Integration in Azure Security Center That’s a…


Azure Security Center – June Updates

I would like to share with you some updates that we had during this month in the Azure Security Center documentation, which directly reflect some changes in this service. The main changes are: Platform Migration: Beginning in early June 2017, Azure Security Center rolls out important changes to the way security data is collected and stored. These…


Respond to advanced threats with Azure Active Directory identity protection

The EMS + Security Team released a new series of demo videos with different common scenarios that EMS + Security can assist you to protect your organization’s assets. This one uses risk based conditional access helps admins and end users to ensure that their identities are not compromised. This is very important as advanced threats target user credentials a…