Azure Cloud Security Monitoring
By Steven Lim


Change History:

  • Initial article - Detect new blob with allowBlobPublicAccess enabled
  • Detect new public IP address creation
  • Detect NSG creation or deletion
  • Detect Azure VM password reset (Lateral movement technique)
  • Detect Privilege Escalation on Azure Service Principal
  • Detect Azure API spray attacks
  • Detect Azure API Secrets Extraction
  • Detect Azure VM DNS Threat


MS Reference Blog (published 3rd April 2024):

Unleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/unleashing-the-power-of-microsoft-defender-for-cloud-unique/ba-p/4102392

I was reading the latest MS blog on MDC Robust Protection and looking at the list of Resource Manager alerts it covers. One scenario not included in the alerts for Azure Storage is the detection of a newly created blob with allowBlobPublicAccess enabled. A blob may be misconfigured by an incompetent cloud admin, or deliberately configured by an adversary staging cloud resources for external data exfiltration. To prevent unintentional data leaks through a misconfigured blob, SecOps can configure the Sentinel rule below to query Azure Resource Graph for blobs with allowBlobPublicAccess enabled, so the SecOps team can intervene and shut public access down before data leaks. I have included the KQL below as a detection rule and suggest running it every 3 hours to catch any misconfigured blob.

AzureActivity
// storage account writes logged by Azure Resource Manager (startswith is case-insensitive)
| where OperationNameValue startswith "MICROSOFT.STORAGE/STORAGEACCOUNTS/"
// requestbody is a JSON string nested inside the Properties JSON, so it is parsed twice
| extend allowBlobPublicAccess = tostring(parse_json(tostring(parse_json(tostring(Properties_d.requestbody)).properties)).allowBlobPublicAccess)
// keep only writes that set the property, and only those setting it to true
| where isnotempty(allowBlobPublicAccess)
| where allowBlobPublicAccess == "true"
| extend ResourceName = tostring(parse_json(Properties).resource)
| extend CallerUPN = tostring(parse_json(Properties).caller)
| project SubscriptionId, CallerIpAddress, CallerUPN, ResourceName, allowBlobPublicAccess
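The double parse_json in the rule above is the part that trips people up: in AzureActivity the requestbody field is a JSON string stored inside the Properties JSON string. The Python below is an added example (not from the article or Microsoft) that mirrors the rule's logic over constructed records so you can see which writes surface and which do not; the record values are made up.

```python
import json

# Constructed AzureActivity-style records (not real tenant data). As in the real
# table, Properties is a JSON string whose requestbody field is itself a JSON
# string, which is why the KQL rule above calls parse_json twice.
SAMPLE_ACTIVITY = [
    {   # enables public access: must alert
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
        "CallerIpAddress": "198.51.100.10",
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "Properties": json.dumps({
            "caller": "admin@example.com", "resource": "examplestorage01",
            "requestbody": json.dumps({"properties": {"allowBlobPublicAccess": True}})}),
    },
    {   # write that never touches the setting: must not alert
        "SubscriptionId": "00000000-0000-0000-0000-000000000000",
        "CallerIpAddress": "198.51.100.11",
        "OperationNameValue": "MICROSOFT.STORAGE/STORAGEACCOUNTS/WRITE",
        "Properties": json.dumps({
            "caller": "ops@example.com", "resource": "examplestorage02",
            "requestbody": json.dumps({"properties": {"minimumTlsVersion": "TLS1_2"}})}),
    },
]

def public_access_flag(properties_json):
    """Mirror the KQL extend: decode Properties, then the requestbody string inside
    it, and return allowBlobPublicAccess as lower-case text ("" if absent/unparsable)."""
    try:
        props = json.loads(properties_json)
        body = json.loads(props.get("requestbody") or "{}")
    except (TypeError, ValueError, AttributeError):
        return ""
    value = (body.get("properties") or {}).get("allowBlobPublicAccess")
    return "" if value is None else str(value).lower()

def find_public_blob_writes(records):
    """Rows the rule would surface, projected to the same columns as the KQL."""
    hits = []
    for rec in records:
        # KQL startswith is case-insensitive, so compare upper-cased here
        if not rec["OperationNameValue"].upper().startswith("MICROSOFT.STORAGE/STORAGEACCOUNTS/"):
            continue
        if public_access_flag(rec["Properties"]) != "true":
            continue
        props = json.loads(rec["Properties"])
        hits.append({"SubscriptionId": rec["SubscriptionId"], "CallerIpAddress": rec["CallerIpAddress"],
                     "CallerUPN": props.get("caller", ""), "ResourceName": props.get("resource", ""),
                     "allowBlobPublicAccess": "true"})
    return hits
```

A write that sets allowBlobPublicAccess to false, or that does not mention the property at all, yields an empty flag and is dropped, exactly as the isnotempty filter in the rule intends.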

Detect new public IP address creation

A public IP address opens your Azure tenant to the whole public internet. If this is not properly monitored and controlled, it may unintentionally create additional attack surface or a backdoor for your organization. SecOps should run the following Sentinel KQL analytic rule (hourly) to monitor for any new public IP address creation and take action to shut it down if deemed unauthorized.

AzureActivity
// public IP address create/update operations (startswith is case-insensitive)
| where OperationNameValue startswith "Microsoft.Network/publicIPAddresses/write"
| where ActivityStatusValue == "Succeeded"

Detect NSG creation or deletion

An NSG controls the network flow between networks. If an adversary gets hold of compromised credentials that can modify an NSG, or a cloud network admin misconfigures one, SecOps will be able to detect it, validate with the Cloud Admin, and mitigate potential lateral movement by shutting down the NSG. SecOps should run the following Sentinel KQL analytic rule (hourly) to monitor for any NSG rule creation or deletion.

AzureActivity
// =~ is a case-insensitive match on the security rule write/delete operations
| where OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/delete" or OperationNameValue =~ "Microsoft.Network/networkSecurityGroups/securityRules/write"
| where ActivityStatusValue == "Accept"
// _ResourceId is /subscriptions/{sub}/resourcegroups/{rg}/providers/microsoft.network/networksecuritygroups/{nsg}/securityrules/{rule}
| extend NsgName = split(_ResourceId, '/')[8], NsgRule = split(_ResourceId, '/')[10]
| project TimeGenerated, NsgName, NsgRule, ResourceGroup, Caller, CallerIpAddress, _ResourceId

Detect Azure VM password reset (Lateral movement technique)

Reference Palo Alto Blog:

Navigating the Cloud: Exploring Lateral Movement Techniques (paloaltonetworks.com)

Running the KQL below as a Defender XDR custom detection (hourly) will detect lateral movement that uses the VMAccess extension password-reset method.

ExposureGraphEdges
// edges linking a VM to a PasswordReset node created by the VMAccess extension
| where EdgeLabel contains "contains"
| where TargetNodeName contains "PasswordReset"
| join ExposureGraphNodes on $left.TargetNodeId == $right.NodeId
| project SourceNodeName, TargetNodeName, NodeProperties, EntityIds

Detect Privilege Escalation on Azure Service Principal

A custom Defender XDR privilege escalation detection rule for critical identities (as marked by Exposure Management) that add Entra service principal credentials. It is vital for SecOps to monitor the organization's critical identities for any potential privilege escalation through Entra service principals.

// identities that Exposure Management has marked with a criticality level (0-3)
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
// credential additions to service principals performed by one of those identities
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Add service principal credentials."
| where AccountId has_any (CriticalIdentities)

Detect Azure API spray attacks

Monitor the API Management gateway logs for API spray attacks, alerting when the number of failed requests from a single caller IP exceeds the threshold set.

let threshold = 5;
ApiManagementGatewayLogs
| where TimeGenerated > ago(1d)
// IsRequestSuccess is a bool column, so compare against the bool literal rather than a string
| where IsRequestSuccess == false
| summarize Count = count() by CallerIpAddress
| where Count > threshold
| sort by Count desc

Detect Azure API Secrets Extraction

Monitor CloudAuditEvents for Azure API Management secret extraction. Once someone has the API secrets, they basically have access to your API management system.

CloudAuditEvents
| where Timestamp > ago(30d)
// the API Management tenant listSecrets action
| where OperationName == "Microsoft.ApiManagement/service/tenant/listSecrets/action"
| extend SubscriptionID = tostring(RawEventData.subscriptionId)
| extend PrincipalOID = tostring(RawEventData.principalOid)
| extend ApplicationID = tostring(RawEventData.applicationId)
| extend HttpRequest = tostring(RawEventData.httpRequest)
| extend Properties = tostring(RawEventData.properties)
| project Timestamp, OperationName, PrincipalOID, SubscriptionID, ApplicationID, HttpRequest, Properties

Detect Azure VM DNS Threat

Are you aware that the Azure Log Analytics Agent installed on your virtual machine is gathering DNS lookup data and funneling it into your Sentinel DNSEvents table? By activating the Microsoft data connector for Microsoft Sentinel (Threat Intelligence - TAXII), which collects threat intelligence from a range of sources, you can monitor whether any of your Azure cloud virtual machines are querying DNS for domains that may be high risk.

KQL Hourly Analytic Rule:

DnsEvents
// only lookups that actually resolved
| where IPAddresses != ""
// match the queried name against TI domain indicators
| join ThreatIntelligenceIndicator on $left.Name == $right.DomainName
| where ConfidenceScore > 50
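The join above is an exact string match, so a DNS name logged with different casing or a trailing dot will not hit the indicator. The Python below is an added example (not from the article) that applies the same ConfidenceScore filter over constructed DnsEvents and ThreatIntelligenceIndicator rows, and goes a step further than the KQL by normalizing names and skipping indicators that are inactive or past ExpirationDateTime (both are standard columns of the Sentinel TI table); all sample values are made up.

```python
from datetime import datetime, timezone

# Constructed DnsEvents-style rows: Name is the queried domain, IPAddresses the
# answer (empty when nothing resolved, which the rule above filters out).
SAMPLE_DNS = [
    {"ClientIP": "10.0.0.4", "Name": "Evil-Example.test.", "IPAddresses": "203.0.113.5"},
    {"ClientIP": "10.0.0.5", "Name": "evil-example.test", "IPAddresses": ""},
    {"ClientIP": "10.0.0.6", "Name": "lowconf.example", "IPAddresses": "192.0.2.7"},
    {"ClientIP": "10.0.0.7", "Name": "expired-bad.test", "IPAddresses": "192.0.2.9"},
]
# Constructed ThreatIntelligenceIndicator-style rows (values are made up).
SAMPLE_TI = [
    {"DomainName": "evil-example.test", "ConfidenceScore": 80, "Active": True,
     "ExpirationDateTime": "2099-01-01T00:00:00Z"},
    {"DomainName": "lowconf.example", "ConfidenceScore": 20, "Active": True,
     "ExpirationDateTime": "2099-01-01T00:00:00Z"},
    {"DomainName": "expired-bad.test", "ConfidenceScore": 90, "Active": True,
     "ExpirationDateTime": "2020-01-01T00:00:00Z"},
]

def normalize_domain(name):
    """Case-fold and drop the trailing dot so 'Evil-Example.test.' joins 'evil-example.test'."""
    return name.strip().rstrip(".").lower()

def match_dns_to_ti(dns_rows, ti_rows, min_confidence=50, now=None):
    """Return (ClientIP, Name, ConfidenceScore) for resolved lookups of TI-listed domains."""
    now = now or datetime.now(timezone.utc)
    indicators = {}
    for ti in ti_rows:
        expires = datetime.fromisoformat(ti["ExpirationDateTime"].replace("Z", "+00:00"))
        # keep only live indicators above the confidence bar (ConfidenceScore > 50 in the rule)
        if ti["Active"] and expires > now and ti["ConfidenceScore"] > min_confidence:
            indicators[normalize_domain(ti["DomainName"])] = ti["ConfidenceScore"]
    hits = []
    for row in dns_rows:
        if row["IPAddresses"] == "":      # same filter as `where IPAddresses != ""`
            continue
        score = indicators.get(normalize_domain(row["Name"]))
        if score is not None:
            hits.append((row["ClientIP"], row["Name"], score))
    return hits
```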

As time progresses, I will update this article with more KQL detections for Azure security monitoring. Do check back on this article once in a while.

#MicrosoftSentinel #DefenderXDR #AzureResourceManager #AzureBlob #AzureNSG #AzureVM

John H.

Microsoft Azure Certified | 30+ Years in IT Infrastructure & Security | Senior Infrastructure Engineer | Specializing in Azure, Windows Server, and IAM Solutions

5 months

These are great - just added the 'allowBlobPublicAccess' monitor/alert and tested. Fired off as expected.

Sruthi Karumudi

QA Automation Engineer

6 months

Good Insights!
