How-to use Microsoft Defender for Cloud Ransomware alerts to preserve Azure Backup recovery points

Credits: This blog post has been co-authored by Chaya Aishwarya. Automation samples developed by Akhil Nampelly, Rajath Ranganath and Vasavi Pasula. Reviewers: Srinath Vasireddy, Anshul Ahuja, Neeraj Jain, Pratik Joshi, Kalyan Karri, Sivasubramanian Narayanan, Yuri Diogenes

 

Introduction 

Ransomware attacks deliberately encrypt or tamper data to force your organization to pay money to attackers. These attacks can target your data and your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems. You can leverage Azure native ransomware protection capabilities and implement the best practices to ensure your organization is optimally positioned to prevent, protect, and detect potential ransomware attacks on your Azure assets. 

 

One of the most important steps you can take to protect your data is to have a reliable backup infrastructure. But it's just as important to ensure that your data is backed up in a secure fashion, and that your backups are always protected. Azure Backup provides several security capabilities to help you protect your backup data – Soft Delete is enabled by default, even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss.  Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. You can configure Multi-user authorization (MUA) for Azure Backup as an additional layer of protection to critical operations on your Recovery Services vaults. Even if security best practices are not followed and notifications aren't configured for the Recovery Services vault, critical alert for destructive operation (such as stop protection with delete backup data) are still raised and an email is sent to subscription owners, admins, and co-admins (learn more).  

 

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud generates security alerts when threats are identified in your cloud, hybrid, or on-premises environment. It is available when you enable enhanced security features. Each alert provides details of affected resources along with the information you need to quickly investigate the problem and steps to take to remediate an attack. In the event of a malware or a ransomware attack on an Azure Virtual Machine, Microsoft Defender for Cloud detects suspicious activity and indicators associated with ransomware on an Azure VM and generates a Security Alert.

Here are the Defender for Cloud Alerts that trigger on a Ransomware detection: 

• Detected Petya ransomware indicators 
• Ransomware indicators detected 
• Behavior similar to Fairware ransomware detected 
• Behavior similar to ransomware detected 

Defender for Cloud provides threat intelligence reports containing information about detected threats. This helps incident response teams investigate and remediate threats. For more details: Microsoft Defender for Cloud threat intelligence report | Microsoft Learn

 

Solution details  

Assume Virtual Machine protected by both Defender and Azure Backup is breached. Defender detects the ransomware, raises an alert which includes details of the activity and suggested recommendations to remediate. As soon as a ransomware signal is detected from Defender, ensuring backups are preserved (i.e., paused from expiring) to minimize the data loss is top of our customers’ mind. This sample solution demonstrates integration of Azure Backup with Microsoft Defender for Cloud for detection and response to alerts to accelerate response. Sample illustrates following three uses cases: 1) ability to send email alerts to backup admin 2) SecOps admin triages and manually triggers logic app to secure backups and 3) Workflow to automatically respond to the alert by performing the Disable Backup Policy (Stop backup and retain data) operation. 

 

Step-by-Step instructions 

Prerequisites: 

• Enable Azure Backup for Virtual Machines 
• Enable Microsoft Defender for Servers Plan 2 for the Subscription 

Note: This sample solution is scoped to Azure Virtual Machines. The logic app can only be deployed at a subscription level, which means that all Azure VMs under the subscription can leverage the logic app for pausing expiry of recovery points in the event of a security alert.  

 

 

 

Step 1: Deploy the logic app 

Note: Owner access on the Subscription is needed to deploy the logic app.   

• Visit Github and click on ‘Deploy to Azure’ as shown below: 

 

2. Input the following values in the deployment page: 

 

Subscription: Select the Subscription whose Azure VMs the logic app should govern.  

Name: Input a suitable name for the logic app. 

Region: Choose the region with which the Subscription is associated.  

Email: Input the email address of the Backup admin for them to receive alerts when policy is suspended.   

Resource Group: Logic apps need to be associated with a Resource Group for deployment. Choose any Resource Group for the same.  

Managed Identity: Create and assign a Managed Identity (for guidance on creating a User-defined Managed Identity, visit here ) with the below minimum permissions for the service to perform the operation of ‘Stop backup and retain data’ on the backup item automatically in the event of a malware alert.  

• Virtual Machine Contributor on the subscription 
• Backup Operator on the subscription 
• Security Reader 

Note: To further tighten the security, we recommend you create a custom role and assign that to the Managed Identity instead of the above built-in roles. This will ensure that all the calls run with least privileges. For more details on custom role, visit Github article.  

 

Managed Identity Subscription: Input the name of a Subscription that the Managed Identity should reside in.  

Managed Identity Resource Group: Input the name of a Resource Group that the Managed Identity should reside in.  

 

Step 2: Authorize Office 365 for email alerts 

To authorize the API connection to Office 365: 

• Go to the Resource Group you have used to deploy the template resources. 

• Select the Office365 API connection (which is one of the resources you just deployed) and click on the error that appears at the API connection. 

• Press Edit API connection. 

• Press the Authorize button. 

• Make sure to authenticate against Azure AD. 

• Press Save. 

Step 3: Triggering the logic app 

The logic app deployed in step 1 can be triggered manually or automatically by leveraging workflow automation.  

 

Triggering manually: 

• Visit Microsoft Defender for Cloud and navigate to Security Alerts in the sidebar.    
• Click on the required alert to expand details.   
• Click on ‘Take action’ and choose ‘Trigger automated response’ and click on ‘Trigger logic app’.  
• Search the logic app deployed in step 1 by name and click ‘Trigger’.   

Note: The minimum RBAC permissions needed for triggering an action for the security alert are as follows: Logic app Operator, Security Admin role 

 

Triggering using workflow automation via Azure portal: 

Workflow automation will ensure that in the event of a security alert, your backups corresponding to the VM facing this issue will automatically reach ‘Stop backup and retain data’ state hence suspending policy and pause recovery point pruning. You can also use Azure Policy to deploy workflow automations. 

 

Note: Minimum roles of Logic app Operator and Security Admin are required to deploy the workflow automation.  

 

• Visit Defender for Cloud's sidebar, select Workflow automation.  
• Select Add workflow automation. The options pane for your new automation opens. 
• Input the following values: 
• Name and Description: Input a suitable name for the automation. 
• Subscription: Define the scope of the automation, this should be the same as the scope of the logic app.  
• Resource Group: Choose the RG in which the automation will reside.  
• Defender for Cloud Data Type: Security Alert 
• Alert name contains: ‘Malware’ or ‘ransomware’ 
• Alert severity: High 
• Logic app: Choose the logic app deployed in step 1 

Step 4: Email Alerts  

Upon disabling the backup policy on the backup item, the logic app also sends an email to the ID entered during deployment. The email ID should ideally be that of the Backup Admin. The alert can then be investigated, and the backups can be resumed once the issue is resolved or if it is a false alarm. 

 

Additional Resources:

• What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn
• Reference table for all security alerts in Microsoft Defender for Cloud | Microsoft Learn
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-concept
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-immutable-vault-how-to-manage
• https://techcommunity.microsoft.com/t5/azure-storage-blog/how-azure-backup-soft-delete-protects-from... 
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-enhanced-soft-delete-about 
• https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization-concept?tabs=recovery-servic...
• https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature-cloud#frequently-asked-...