Latest Discussions
How to Monitor New Management Group Creation and Deletion.
I am writing this post to monitor new Management group creation and Deletion using Azure Activity Logs and Trigger an Incident in Microsoft Sentinel. You can also use it to Monitor Subscription Creation as well using this Step. By default, the Diagnostic settings at the management group level are not enabled. They cannot be enabled using Azure Policy or from the Portal interface. Use the below article to enable the "Management Group Diagnostic Settings": Management Group Diagnostic Settings - Create Or Update - REST API (Azure Monitor) | Microsoft Learn. Below is the message body if you would like to forward the logs only to the Log Analytics workspace where Sentinel is enabled. Also make sure you enable the Diagnostic settings at the tenant root management group level to track all changes in your tenant.

{
  "properties": {
    "workspaceId": "<< replace with workspace resource ID>>",
    "logs": [
      { "category": "Administrative", "enabled": true },
      { "category": "Policy", "enabled": true }
    ]
  }
}

Once you have enabled the Diagnostic settings, you can use the below KQL queries to monitor new Management group creation and Deletion using Azure Activity Logs.

// KQL query to identify if a Management group is deleted
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/DELETE"
| where ActivityStatusValue == "Success"
// entity is "/providers/Microsoft.Management/managementGroups/<name>", so index 4 is the group name
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
    activityStatusValue_ = tostring(Properties_d.activityStatusValue),
    Managementgroup = mg[4],
    message_ = tostring(parse_json(Properties).message),
    caller_ = tostring(Properties_d.caller)

// KQL query to identify if a Management group is created
AzureActivity
| where OperationNameValue == "MICROSOFT.MANAGEMENT/MANAGEMENTGROUPS/WRITE"
| where ActivityStatusValue == "Success"
| extend mg = split(tostring(Properties_d.entity), "/")
| project TimeGenerated,
    activityStatusValue_ = tostring(Properties_d.activityStatusValue),
    Managementgroup = mg[4],
    message_ = tostring(parse_json(Properties).message),
    caller_ = tostring(Properties_d.caller)

This log can also be used to monitor new subscription creation as well, using the below query:

AzureActivity
| where OperationNameValue == "Microsoft.Management" and ActivityStatusValue == "Succeeded" and isnotempty(SubscriptionId)

If you need to trigger an incident in Sentinel, use the above query in your custom scheduled analytics rule and create an alert.
hemanthselva | Jan 14, 2025 | Microsoft | 32 Views | 1 like | 1 Comment

Azure AD Powershell module logs in sentinel
Hello Team, As a part of a clean-up activity, our SOC has been assigned a task to find the list of regular users who are using Azure AD PowerShell and what activities they're performing, as we want that to be limited to only Admin accounts to manage Azure resources. I was able to find sign-in activities for many users to "Azure Active Directory PowerShell" but I'm unable to find what activities they have performed using PowerShell. Looked under audit logs and a few other tables. Can someone tell me under which table or what KQL I can run to see operation logs associated with Azure AD PowerShell. Thanks in advance.
AmiShinu | Jan 14, 2025 | Copper Contributor | 13 Views | 1 like | 1 Comment

Hold user reported Emails to see if later they become malicious.
Hello Team, Our Security Operations Center has identified a phishing report from a user. We activated email notifications for users to receive updates from Microsoft about the investigation results. In this case, the user was initially informed that the email was safe, but soon after they received another similar email from the same malicious sender, which was quarantined by ZAP. After this, ZAP went back and quarantined the initial email too. Even though ZAP and Safe Links continuously re-evaluate emails post-delivery, it's concerning that initially the report came back as clean and later it was quarantined based on the investigation done on another email. I would like to know if there are additional measures we can take to detect emails that may turn malicious after delivery, aside from ZAP. Also, can we implement a mechanism to hold reported emails for 2-3 hours to see if they later become malicious, until we assess their safety, preventing users from receiving a false safe notification and later seeing ZAP quarantine them? Thanks in advance.
AmiShinu | Jan 11, 2025 | Copper Contributor | 20 Views | 0 likes | 1 Comment

Integrate Threat Intelligence with Sentinel that have no API
We receive threat intelligence from a 3rd party vendor through a CSV file to our shared mailbox. As they do not have any API, wondering if there is a way we can automate and have that feed populate in Sentinel rather than manually entering each IOC.
AmiShinu | Jan 11, 2025 | Copper Contributor | 13 Views | 0 likes | 1 Comment

Question about "anomalous token" alert
Hi Everyone, I am a security analyst working with Sentinel, and every now and again we get the alert "Anomalous token involving one user". "This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens." I need to understand more about this. I know that malicious actors can possibly spoof these tokens and abuse them. But I literally have no idea where else to go from here. There's very little support online with regards to further mitigations. So just wondering if anyone deals with these and what the protocol is at your business? And any controls we can implement to limit such alerts.
AmiShinu | Jan 10, 2025 | Copper Contributor | 31 Views | 0 likes | 1 Comment

Azure Monitor AMA Migration helper workbook question for subscriptions with AKS clusters
Hi, In an ongoing project, I've been looking into helping a customer update their agents from the Microsoft Monitoring Agent (MMA) to the new Azure Monitoring Agent (AMA), which consolidates installation of the previous Log Analytics agent, Telegraf agent, diagnostics extension in Azure Event Hubs, Storage etc., and then configure Data Collection Rules (DCRs) to collect data using the new agent. One of the first steps is of course to identify which resources are affected and need to be migrated. There are multiple tools to identify the resources, such as this PowerShell script as well as the built-in AMAMigration workbook in Azure Monitor, which is what I used as the initial option at the start of the AMA migration process. When running the workbook, it will list all VMs, VMSSs etc. in the subscription that do not have the AMA agent installed, e.g., through an Azure Policy or automatically by having configured a DCR, or that do have the old MMA installed, and thus need to be migrated. In Azure, Azure Kubernetes Services (AKS), as Kubernetes is a rather specific hosting service, almost like its own mini-ecosystem in regard to networking, storage, scaling etc., enables access and control of the underlying infrastructure composing the cluster created by the AKS and its master node, providing the potential fine-grain and granular control of these resources for IT administrators, power users etc. However, in most typical use cases the underlying AKS infrastructure resources should not be modified as it could break configured SLOs. When running the Azure Monitor built-in AMA migration workbook, it includes all resources by default that do not have the AMA installed already, no matter what type of resource it is, including potential underlying cluster infrastructure resources created by AKS in the "MC_" resource group(s), such as virtual machine scale sets handling the creation and scaling of nodes and node pools of an AKS cluster.
Perhaps the underlying AKS infrastructure resources could be excluded from the AMA migration results of the Azure Monitor workbook by default, or if underlying non-AMA migrated AKS infrastructure resources are found, perhaps accompanied with a text describing potential remediation steps for AMA agent migration for AKS cluster infrastructure resources. Has anyone encountered the same issue and if so how did you work around it? Would be great to hear some input and if there are already some readily available solutions/workarounds out there (if not, I've been thinking of perhaps making a proposed PR here with a filter and exclusion added to the default workbook, e.g. here: https://github.com/microsoft/AzureMonitorCommunity/tree/master/Azure%20Services/Azure%20Monitor/Agents/Migration%20Tools/Migration%20Helper%20Workbook). Thanks!
KristofferAxelssonACC | Jan 07, 2025 | Copper Contributor | 27 Views | 0 likes | 1 Comment

Behavior when Batch Send Failed
Hi All, I am looking to send messages in batches to both Log Analytics and Event Hub services. My solution requires that the sent batches be all-or-none, meaning either all messages are sent successfully, or all messages are dropped in case of failure. Could you please clarify how Log Analytics and Event Hub handle failures during batch sends?
Solved | btsui | Jan 01, 2025 | Copper Contributor | 40 Views | 0 likes | 1 Comment

Azure Monitor and Grafana
Hi All, Has anyone been able to set up Azure Monitor in Grafana to pull and display metric data? I have no issue connecting and finding log data (resources), but I cannot get any metric data to be discovered by the Grafana plugin. I can see and use the metric data in Azure, but not in Grafana. The account configured has read over the resources and will display log data fine. Any help and suggestions would be appreciated. Thanks.
DavinderD | Dec 29, 2024 | Copper Contributor | 153 Views | 0 likes | 1 Comment

Video plugin for Managed Grafana
The video plugin (Video plugin for Grafana | Grafana Labs) is currently unavailable on Azure Managed Grafana. This plugin would be incredibly useful for our dashboards and is very popular on Grafana with 3463106 downloads.
spartin20 | Dec 26, 2024 | Copper Contributor | 21 Views | 1 like | 1 Comment

Symantec software Disabling Recovery Mode during installations
Security team have often been receiving alerts that during the installation of Symantec Encryption Desktop, Windows is using bcdedit.exe to modify the boot configuration, where it's disabling the Windows default system recovery. It might be expected behavior to ensure no one can bypass the encryption at boot time and it could be a Defense Mechanism. As we're receiving lots of alerts on this, we want to get to the root cause and ensure this is expected behavior. That way we can have it documented and fine tune our detection. Does anyone know if it would interact with the system boot configuration, and of any mention of bcdedit tasks being used during installation?

Command Line: "cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /F
AmiShinu | Dec 19, 2024 | Copper Contributor | 23 Views | 0 likes | 2 Comments