Azure Security Center Integration with Windows Defender Advanced Threat Protection for Servers

At RSA Security Conference this year we announced that Security Center now harnesses the power of WDATP to provide improved threat detection for Windows Servers (this integration is currently in preview). When this integration is enabled you will be able to see more details from the endpoint perspective. You will still start your investigation using Security…


Integrated Security Configuration for your Azure VM

Last week I wrote about the new Azure Security Center Network Map, today I want to talk about the new integrated security configuration experience for Azure VMs, which was also something that we announced at RSA Conference. With this new experience, you can see all recommendations for a particular VM, directly from the VM’s properties…


Going beyond the signature with behavior analytics in Azure Security Center

One of the benefits of using Azure Security Center as your cloud workload protection is the capability to quickly detect threats in your environment based on known patterns. This is not only about matching signatures but going beyond that by understanding the common techniques used by threat actors. By using behavioral analytics, Security Center analyzes…


Detecting Suspicious PowerShell Activity in Azure Security Center

Adversaries may use PowerShell scripts as a defense evasion technique, or to establish persistence. The use of PowerShell to attack systems is not new, it was successfully leveraged in many different attack campaigns in the past, and it is still a growing trend. For this reason is important to follow some core principals to protect…


Considerations Regarding Azure Security Center Adoption

One common question that I receive from customers is: how do I fit Azure Security Center in my overall Security Operations and Incident Response plan? The answer may vary according to your SOC model, the size of the organization, cloud workload, and maturity level. For this reason, is important to take in consideration some key…


Azure Advisor Integration with Azure Security Center

First of all, Azure Advisor is super cool, it’s basically one-stop-shop for recommendations regarding high availability, security, performance, and cost of your Azure environment. If you never visited this dashboard, make sure to check it out:  The other cool thing is that the security recommendations is fully integrated with Azure Security Center. When you click…


Detecting attempts to run untrusted code by using trusted executables in Azure Security Center

In February 2017, FireEye documented a sophisticated spear phishing campaign targeting individuals within the Mongolian government. In the initial part of this attack, they were bypassing AppLocker restrictions by using Regsrv32.exe, which enables the attacker to run untrusted code. This technique was used in many others attack campaigns.  By using virtual machine behavioral analysis, Security…


Creating Custom Notable Event in Azure Security Center

In Azure Security Center you can use the Events dashboard to see the security events (including Windows Firewall) collected over time: The visualization of security events over time can be very useful for you to observe some patterns, and to have a snapshot of the environment. You can also use this information when performing an…


Using Azure Activity Log to query security alerts originated by Azure Security Center

By now you know that you can use Azure Security Center dashboard to visualize Security Alerts, and you can also use Log Analytics to query Security Alerts. Recently we also added the capability to visualize Security Alerts originated by Security Center from Azure Activity Log. For the example below I’m going to search for security…


Using Search in Security Center to find Indicators of Compromise

Indicators of Compromise (IoC) are individually-known malicious events that indicate that a network, or a computer has already been breached. You can find a lot of IoC at OpenIOC (www.openioc.org), such as the Zeus IoC. In some circumstances, the IoCs will indicate the existence of a particular file in the system, or the execution of…