Cloud Security
KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need: a query that will combine the Recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated to those categories:

```kql
securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend category_name = tostring(properties.displayName) // category name
| extend Tenant_Id = tostring(tenantId)
| extend healthy = properties.healthyResourceCount
| extend unhealthy = properties.unhealthyResourceCount
| extend notApplicable = properties.notApplicableResourceCount
| extend score = properties.score
| extend scr = parse_json(score)
| project category_name, healthy, unhealthy, notApplicable, CurrentScore = scr.current, MaxScore = scr.max, Tenant_Id
| join (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessment_name = tostring(properties.displayName) // assessment name
    | extend Tenant_Id = tostring(tenantId)
    | extend resourceName = properties.resourceDetails.ResourceName
    | extend status = properties.status.code
    | extend metadata = properties.metadata
    | extend severity = metadata.severity
    | project assessment_name, resourceName, status, severity, Tenant_Id
) on Tenant_Id
| project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id
```

This is a work-in-progress script; I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script, I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type", but I'm not sure which. Please advise, Serge

Azure Secure Score Comparison for Similar Organizations
Is there a way to see a comparison of Azure Secure Score for similar organizations, like how Microsoft Secure Score in the Defender portal shows? For example, Microsoft Secure Score has the below options, and I am looking for something similar in Azure Secure Score/Defender for Cloud Secure Score.

New Blog | Enhancing Server and Container Risk Score Analysis in Power BI
By Giulio Astori

Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), providing a standardized numerical score that ranges from 0.0 to 10.0, translated into severity ratings like Low, Medium, High, or Critical. While Microsoft Defender for Cloud provides a robust risk level assessment for each resource, there is an opportunity to enhance this by integrating additional factors such as the exploitability of each CVE, the age since it was made public, and whether the CVE is a zero-day vulnerability. Additionally, resources themselves have contextual elements such as the number of attack paths, which can significantly impact their overall risk. The Power BI solution builds on Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and enhancing the prioritization of vulnerabilities requiring urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention.

Read the full post here: Enhancing Server and Container Risk Score Analysis in Power BI

New Blog | New E-book: Building a Comprehensive API Security Strategy
By Loren Goduti

APIs are everywhere – they are proliferating at a rapid pace, therefore making them a prime target for attackers. Thus, having a plan to secure and protect your APIs as part of your overall cybersecurity strategy is critical for protecting your business, as well as sensitive user data. We are excited to share our newest e-book: Building a Comprehensive API Security Strategy

Read the full post here: New E-book: Building a Comprehensive API Security Strategy

Azure Cloud Defender false positive
Cloud Defender threw up an alert on Trojan:Script/Phonzy.B!ml for a PaloAlto virtual firewall. There are no Defender agents (detection was agentless). I cannot find any other incidents or similar issues. The affected file is pps_parport.ko, which is a library file. Currently unable to get the file off the Palo to upload to VirusTotal or a similar website. No other security issues with Azure servers. Is there a way to find out if this is a false positive, or is this system a canary in a coalmine?

New Blog | Detect Container Drift with Microsoft Defender for Containers
By Vasavi Pasula

Introduction

In cloud-native Kubernetes environments, containers are often treated as immutable resources, meaning they shouldn’t change after deployment. Immutable containers minimize the attack surface because they do not allow modifications during runtime. This limits the potential for attackers to make unauthorized changes, install malware, or create backdoors within a running container. Container drift refers to unintended or unauthorized manual changes, updates, patches, or other modifications made to a container during its runtime. When containers drift, they may incorporate untested and unverified changes, such as software updates, configuration modifications, or new libraries. These changes can introduce new vulnerabilities that were not present in the original, vetted container image. Drift might introduce changes that grant elevated privileges to processes or users within the container, which can be exploited to gain broader access to the system or network. Changes caused by drift can alter or disable security monitoring tools within the container, making it harder to detect and respond to security incidents promptly. Microsoft Defender for Containers introduces the binary drift detection feature in public preview, to detect execution of files in a running container drifting from the original container image which was scanned, tested, and validated. It's available for the Azure (AKS) V1.29, Amazon (EKS), and Google (GKE) clouds.

Read the full post here: Detect Container Drift with Microsoft Defender for Containers

New Blog | Securing Multi-Cloud Gen AI workloads using Azure Native Solutions
By Abhi Singh

Note: This series is part of the “Security using Azure Native services” series and assumes that you are using, or planning to leverage, Defender for Cloud, Defender XDR Portal, and Azure Sentinel.

Introduction

AI-based technology introduces a new set of security risks that may not be comprehensively covered by existing risk management frameworks. Based on our experience, customers often only consider the risks related to the Gen AI models like OpenAI or Anthropic, thereby not taking a holistic approach that covers all aspects of the workload. This article will help you:
- Understand a typical multi-cloud Gen AI workload pattern
- Articulate the technical risks that exist in the AI workload
- Recommend security controls leveraging Azure Native services

Read the full post here: Securing Multi-Cloud Gen AI workloads using Azure Native Solutions

New Blog | Leveraging Azure Native Tooling to Hunt Kubernetes Security Issues
By singhabhi

Introduction

Container binary drift refers to the phenomenon where a running container deviates from its original image over time. This can happen due to various reasons, such as manual updates, automated processes, or security vulnerabilities. Essentially, the container starts to differ from the static snapshot it was created from, leading to potential inconsistencies and security risks. When thinking of container image drifts, it is important to understand the following:
- Security Risks: Image drift can introduce security risks, as the container may run software or processes that were not part of the original image. This can create a security blind spot, as traditional image scanning may not detect these changes.
- Detection: Detecting image drift involves monitoring the container for changes that deviate from the original image. This can be done using tools that compare the running container's state with its original image.
- Prevention: To prevent image drift, it is recommended to implement image immutability, regularly update base images, and use image scanning tools. Monitoring and alerting for image drift can also help in identifying and addressing any deviations.

Read the full post here: Leveraging Azure Native Tooling to Hunt Kubernetes Security Issues

New Blog | Using Defender XDR Portal to hunt for Kubernetes security issues
By singhabhi

As we saw in the previous article, the binary drift alert gives you information about where the activity happened, like the object namespace, image, cluster, etc. This might or might not be enough information for you to act. Say, if you want to identify “how” this drift came to be, for example, did a user log on to the container and download the said binary. To supplement the information provided by the alert, we can then use the Defender XDR portal (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal).

Harnessing the power of the Microsoft Ecosystem

If you are an E5 customer, your security teams most likely are very familiar with Advanced Hunting on the security.microsoft.com portal. Here we will extend that hunting capability to add context to your Kubernetes alerts. This is a huge time saver and cost advantage for you, as you don’t need to teach your Red Team or SOC analysts Level 400 Kubernetes concepts. To jump start your Kubernetes hunting, you can leverage the developer knowledge of your Platform teams to provide the most common Kubernetes actions like exec (access to a container) and debug (access to a node). The hunting team can then leverage these in the hunting queries in a data structure and format they already know, using KQL.

Read the full post here: Using Defender XDR Portal to hunt for Kubernetes security issues