New blog post | Detection Engineering in Azure & Introducing AzDetectSuite

Over the past few years of performing Azure security research, I have seen many new attack primitives & techniques discovered that an adversary could abuse within Azure & Azure Active Directory (AAD). When explaining a technique to a client, the challenge wasn’t explaining how something could be abused, the challenge was explaining how to detect it. Last year, I released the Azure Threat Research Matrix (ATRM), which highlighted the potential techniques an adversary could abuse within Azure & AzureAD. The immediate thought would be to give clients an idea of what potential abuse scenarios exist when they decide to use a certain resource or feature. However, it heavily lacked defensive content. I’ve always been a firm believer in that red team exists only to help blue team, so I’m now releasing my newest project: AzDetectSuite.

AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by giving pre-built KQL queries for each technique within ATRM that are deployable Alerts to Azure Monitor. Now, in ATRM, most (85%+) techniques will have a KQL query and a button that will deploy the query to their Azure subscription.

Detection Engineering in Azure & Introducing AzDetectSuite - Microsoft Community Hub