Azure Security Center

Azure Security Center – Exhibits from the field

I recently wrote about the top 3 benefits of Azure Security Center; one of those benefits was advanced alerting, so I decided to gather some exhibits of such events into this short blog post.

Exhibits

Exhibit 1. VM Firewall Disabled

I was recently fiddling with one of my VMs in the honeypot environment, and suddenly the Security channel in Teams alerted me about "Manipulation of host firewall detected".

  • In this case the culprit was me, but this is exactly the kind of alert you want to get. I was fiddling around with UFW, which you would not necessarily use when you have NSGs enabled on Azure subnets, so for me this is an uncommon pattern.

  "extendedProperties": {
    "compromised Host": "TESTINGGW",
    "user Name": "azureuser",
    "account Session Id": "0x5e2",
    "suspicious Process": "/usr/bin/sudo",
    "suspicious Command Line": "sudo ufw disable",
    "suspicious Process Id": "0x3543",
    "resourceType": "Virtual Machine",
    "killChainIntent": "DefenseEvasion, Exfiltration"
  },
  "isIncident": false,
  "remediationSteps": "Review with azureuser to confirm that this was legitimate activity that you expect to see on TESTINGGW. If not, escalate the alert to the information security team.",
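As an added example (not code from the post or from Azure Security Center), a small Python triage helper that parses an alert fragment shaped like the one above, folds the extendedProperties keys as the post renders them into one form, and applies the alert's own remediation guidance: confirm with the named user when they are an expected admin on that host, otherwise escalate. The top-level "alertDisplayName" field and the expected_admins mapping are assumptions.

```python
import json

# Constructed sample alert in the shape of Exhibit 1. The extendedProperties
# keys are spelled exactly as the post shows them; "alertDisplayName" is an
# assumed wrapper field, not quoted from the post.
SAMPLE_ALERT = json.loads('''{
  "alertDisplayName": "Manipulation of host firewall detected",
  "extendedProperties": {
    "compromised Host": "TESTINGGW",
    "user Name": "azureuser",
    "account Session Id": "0x5e2",
    "suspicious Process": "/usr/bin/sudo",
    "suspicious Command Line": "sudo ufw disable",
    "suspicious Process Id": "0x3543",
    "resourceType": "Virtual Machine",
    "killChainIntent": "DefenseEvasion, Exfiltration"
  },
  "isIncident": false
}''')

def _norm(key):
    """Fold 'compromised Host' / 'compromisedHost' / 'Compromised Host' to one form."""
    return key.replace(" ", "").lower()

def parse_alert(alert):
    """Pull the triage-relevant fields out of an alert into a flat dict."""
    props = {_norm(k): v for k, v in alert.get("extendedProperties", {}).items()}
    tactics = [t.strip() for t in props.get("killchainintent", "").split(",") if t.strip()]
    return {
        "host": props.get("compromisedhost"),
        "user": props.get("username"),
        "session": props.get("accountsessionid"),
        "command": props.get("suspiciouscommandline", ""),
        "tactics": tactics,
        "is_incident": bool(alert.get("isIncident", False)),
    }

def triage(alert, expected_admins):
    """Apply the alert's remediation guidance. expected_admins (assumed input)
    maps host -> set of accounts that are allowed to change its host firewall."""
    a = parse_alert(alert)
    firewall_change = "ufw disable" in a["command"] or "DefenseEvasion" in a["tactics"]
    if not firewall_change:
        return "ignore"
    if a["user"] in expected_admins.get(a["host"], set()):
        return "review-with-user"   # legitimate admin: confirm, as the alert suggests
    return "escalate"               # unexpected account: hand to the security team
```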

Exhibit 2. Manipulation of host firewall detected

In total three alerts were produced: two immediately, and then later a correlated event.

[Screenshots: the "sudo ufw disable" alert; the triage option; the export to JSON option; some export examples]

References

alerting

Teams integration
