Automate NOBELIUM Scan using Azure Sentinel and Logic App

Hello fellow security enthusiasts!

Ok, so NOBELIUM has been identified by Microsoft Security as a 'real' threat (link: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/). The question is: what to do? How do I scan, monitor and protect my on-premises and cloud infrastructure against yet another malicious threat?

Answer: Azure Log Analytics and Sentinel, with a little help from automated Azure Logic Apps. :) Just like with the 'SolarWinds' breach, we, as IT security staff and architects, can protect the environments we monitor by automating scans and monitoring the alerts or incidents we find.

The attached walkthrough lets you not only script the scan but also automate the response if (hopefully not) anything is found. The Azure Logic App also sends an email and identifies the different venues 'NOBELIUM' seems to like to attach itself to, such as:

Cloud spaces - Azure, AWS, Rackspace, Google, etc.

Azure Active Directory

Azure Services

AWS

Azure AD Sync performance and settings

Office 365

and of course any on-premises connections you have to the cloud (for example IPsec tunnels, ExpressRoute circuits, SQL sync, file shares, etc.). Using the scheduled scan below, within Azure Sentinel and Log Analytics, you can monitor and protect your environments. The great thing about Azure Sentinel is that it uses Azure AI to identify 'potential' issues before they become a bigger problem.
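To make the "scheduled scan" concrete, here is an added example of the kind of KQL query a Sentinel scheduled analytics rule can run across several of the venues listed above (Azure AD sign-ins, Office 365 activity and AWS CloudTrail). It is not the query from the attached walkthrough. The indicator values in the datatable are constructed placeholders from the RFC 5737 documentation range, the watchlist alias is an assumption, and the three tables and columns used are the standard Sentinel connector schemas for those sources.

```kql
// Added example, not the walkthrough's own query.
// Constructed placeholder indicators (documentation IP range); in production
// replace this datatable with a watchlist, e.g. _GetWatchlist('Nobelium_IoC')
// (alias assumed), populated from Microsoft's published indicators.
let iocs = datatable(IndicatorIP:string, Note:string)
[
    "192.0.2.10",    "placeholder indicator 1",
    "198.51.100.25", "placeholder indicator 2"
];
let lookback = 1d;
// Normalise each source to the same shape so one join covers all venues.
let aad = SigninLogs
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, Source = "AzureAD",
              Account = UserPrincipalName, SourceIP = IPAddress,
              Activity = AppDisplayName;
let o365 = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, Source = "Office365",
              Account = UserId, SourceIP = ClientIP,
              Activity = Operation;
let aws = AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, Source = "AWS",
              Account = UserIdentityUserName, SourceIP = SourceIpAddress,
              Activity = EventName;
union aad, o365, aws
// Match the source address of each event against the indicator list.
| join kind=inner iocs on $left.SourceIP == $right.IndicatorIP
// One row per account/source pair keeps the playbook email readable and
// gives the Logic App entity-friendly columns to work with.
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Activities = make_set(Activity, 20)
          by Source, Account, SourceIP, Note
| order by LastSeen desc
```

When wiring this into a scheduled rule, set the rule frequency to match the `lookback` window so no events fall between runs, and map `Account` and `SourceIP` as entities so the Logic App playbook that emails the result can include them. Note that `OfficeActivity.ClientIP` sometimes carries a port suffix; if your tenant's data does, strip it before the join or the match will silently miss.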

The attached document walks you through the basics of deploying this solution. Should you have any questions, please feel free to reach out.

Happy Hunting! :)

Link to walkthrough: https://1drv.ms/b/s!Ak8Zkfv6kiLFhe84ed4xCPwD0k39fQ?e=rEYNif

More articles from Dr. David Joseph DeLorge