I recently wrote about the top 3 benefits of Azure Security Center; one of those benefits was advanced alerting. I decided to gather some exhibits of such events into this short blog post.
Exhibits
Exhibit 1. VM Firewall Disabled
I was recently fiddling with one of my VMs in the honeypot environment, and suddenly the Security channel in Teams alerted me about "Manipulation of host firewall detected".
- In this case the culprit was me, but this is exactly the kind of alert you want to get. I was fiddling around with UFW, which you would not necessarily use when you have NSGs enabled on Azure subnets. So for me this is an uncommon pattern.

"extendedProperties": {
    "compromised Host": "TESTINGGW",
    "user Name": "azureuser",
    "account Session Id": "0x5e2",
    "suspicious Process": "/usr/bin/sudo",
    "suspicious Command Line": "sudo ufw disable",
    "suspicious Process Id": "0x3543",
    "resourceType": "Virtual Machine",
    "killChainIntent": "DefenseEvasion, Exfiltration"
},
"isIncident": false,
"remediationSteps": "Review with azureuser to confirm that this was legitimate activity that you expect to see on TESTINGGW. If not, escalate the alert to the information security team.",
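As an added example (not code from the original post or from Security Center), here is a small Python triage helper that takes an alert shaped like the fragment above, normalizes the space-separated extendedProperties keys, and flags the command line when it matches a host-firewall-disabling pattern. The sample alert is constructed from the exhibit, and the pattern list and the escalation rule are my own assumptions.

```python
import json
import re

# Constructed sample: the exhibit's fragment wrapped into a complete alert object.
SAMPLE_ALERT = json.dumps({
    "alertDisplayName": "Manipulation of host firewall detected",
    "extendedProperties": {
        "compromised Host": "TESTINGGW",
        "user Name": "azureuser",
        "suspicious Process": "/usr/bin/sudo",
        "suspicious Command Line": "sudo ufw disable",
        "resourceType": "Virtual Machine",
        "killChainIntent": "DefenseEvasion, Exfiltration",
    },
    "isIncident": False,
})

# Assumed patterns for commands that disable or flush a Linux host firewall.
FIREWALL_DISABLE_PATTERNS = [
    re.compile(r"\bufw\s+disable\b"),
    re.compile(r"\biptables\s+(-F|--flush)\b"),
    re.compile(r"\bsystemctl\s+(stop|disable)\s+(firewalld|ufw)\b"),
]


def normalize_keys(props):
    """Turn 'suspicious Command Line' into 'suspicious_command_line'."""
    return {k.strip().lower().replace(" ", "_"): v for k, v in props.items()}


def triage(alert_json):
    """Summarize an alert and decide whether it needs analyst follow-up."""
    alert = json.loads(alert_json)
    props = normalize_keys(alert.get("extendedProperties", {}))
    cmd = props.get("suspicious_command_line", "")
    intents = [i.strip() for i in props.get("killchainintent", "").split(",") if i.strip()]
    firewall_hit = any(p.search(cmd) for p in FIREWALL_DISABLE_PATTERNS)
    return {
        "host": props.get("compromised_host"),
        "user": props.get("user_name"),
        "command": cmd,
        "intents": intents,
        "firewall_disabled": firewall_hit,
        # Assumed rule: escalate when the firewall was touched or defense evasion is suspected.
        "escalate": firewall_hit or "DefenseEvasion" in intents,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```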
Exhibit 2. Manipulation of host firewall detected
In total three alerts were produced: two immediately, and then later a correlated event.

Azure Security Center – Exhibits from the field