Explain Cloud Workload Protections in Azure Defender (part 4 of 4)



To read part 1 please click here
To read part 2 please click here
To read part 3 please click here


Azure Defender for Resource Manager

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that lets you create, update, and delete resources in your Azure account. Azure Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they are performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients, and runs advanced security analytics to detect threats and alert you about any suspicious activity.

What are the benefits of Azure Defender for Resource Manager?

Azure Defender for Resource Manager readily protects against issues including:
  • Suspicious resource management operations, such as operations from suspicious IP addresses, disabling antimalware, and suspicious scripts running in VM extensions.
  • Use of exploitation toolkits like Microburst or PowerZure.
  • Lateral movement from the Azure management layer to the Azure resources data plane.
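The three bullet points above describe classes of management-plane events rather than a procedure, so the following is an added example (not Microsoft's detection logic and not code from this blog) of how a defender could triage Azure Activity Log records for the same signals: a caller IP outside the expected administrator ranges, deletion of the antimalware extension, and script execution through Run Command or the Custom Script extension. The records, the subscription placeholder and the trusted CIDR ranges are all constructed for the example.

```python
"""Triage Azure Activity Log records for the resource-management events that
Azure Defender for Resource Manager alerts on. Added illustration; the records
and the trusted ranges are constructed for the example."""
import ipaddress

# Assumption: address ranges the organisation's administrators are expected to use.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample records in a trimmed-down Activity Log shape.
SAMPLE_RECORDS = [
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/delete",
     "callerIpAddress": "10.0.0.4", "caller": "ops@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/web01/extensions/IaaSAntimalware"},
    {"operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "callerIpAddress": "198.51.100.7", "caller": "ops@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/web01"},
    {"operationName": "Microsoft.Compute/virtualMachines/write",
     "callerIpAddress": "203.0.113.10", "caller": "dev@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/web02"},
    {"operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "callerIpAddress": "10.2.3.4", "caller": "dev@example.com",
     "resourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/web02/extensions/CustomScriptExtension"},
]


def classify(record):
    """Return the finding tags that apply to one record (empty list if none)."""
    findings = []
    op = record.get("operationName", "").lower()
    last_segment = record.get("resourceId", "").rsplit("/", 1)[-1].lower()
    caller_ip = record.get("callerIpAddress")
    # Management operations coming from outside the expected admin ranges.
    if caller_ip:
        addr = ipaddress.ip_address(caller_ip)
        if not any(addr in net for net in TRUSTED_NETS):
            findings.append("untrusted_source_ip")
    # Deleting the antimalware extension switches off endpoint protection on the VM.
    if op.endswith("/extensions/delete") and "antimalware" in last_segment:
        findings.append("antimalware_removed")
    # Run Command and the Custom Script extension execute scripts on the VM, so
    # each use is worth reviewing against change records.
    if op.endswith("/runcommand/action") or (
            op.endswith("/extensions/write") and "customscript" in last_segment):
        findings.append("script_execution_on_vm")
    return findings


def triage(records):
    """Keep only records with findings, as (operation, caller, caller IP, findings)."""
    hits = []
    for rec in records:
        findings = classify(rec)
        if findings:
            hits.append((rec["operationName"], rec["caller"],
                         rec["callerIpAddress"], findings))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit)
```

Run against the constructed records, the first (antimalware extension deleted), second (Run Command from an untrusted address) and fourth (Custom Script extension written) produce findings, while the plain VM write from a trusted range does not. In a real pipeline the records would come from an Activity Log export to a Log Analytics workspace or Event Hub.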

Azure Defender for DNS

Azure DNS is a hosting service for DNS domains that provides name resolution by using Microsoft Azure infrastructure. Azure Defender for DNS adds an extra layer of protection for your cloud resources by:
  • Continuously monitoring all the DNS queries from your Azure resources.
  • Running advanced security analytics to alert you about any suspicious activity.

What are the benefits of the Azure Defender for DNS?

Azure Defender for DNS protects against the following issues:
  • Data exfiltration from your Azure resources using DNS tunneling
  • Malware communicating with a C&C server
  • Communication with malicious domains used for phishing and crypto mining
  • DNS attacks - communication with malicious DNS resolvers
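To make the first bullet concrete, here is an added example (not Microsoft's analytics and not code from this blog) of the kind of heuristic a defender can run over a DNS query log to spot tunneling: names whose subdomain labels are unusually long or high-entropy, repeated under one registered domain. The query log, the `*.exfil-example.test` names, the thresholds and the naive registered-domain split are all constructed assumptions for the example.

```python
"""Heuristic DNS-tunneling detector over a DNS query log. Added illustration of
the kind of analytics Azure Defender for DNS applies; not Microsoft's code.
Thresholds and the sample queries are constructed for the example."""
import math
from collections import Counter, defaultdict

# Constructed sample log: (source VM, queried name). The *.exfil-example.test
# names carry encoded data in long subdomain labels; the rest are ordinary.
SAMPLE_QUERIES = [
    ("vm-web-01", "www.microsoft.com"),
    ("vm-web-01", "login.microsoftonline.com"),
    ("vm-web-02", "cdn.example.org"),
    ("vm-web-02", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi4dambq.exfil-example.test"),
    ("vm-web-02", "nbswy3dpeb3w64tmmqqgc3dtn5xgk3tdmvxgc3lfebyg653dpq.exfil-example.test"),
    ("vm-web-02", "orsxg5bamfzgq33ufqqgc3dtn5xgk3tdmvxgc2lomv2a3x2b.exfil-example.test"),
    ("vm-web-02", "www.microsoft.com"),
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than dictionary words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive last-two-labels split (assumption; production code should use
    the public suffix list so that names like example.co.uk group correctly)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_query(qname):
    """Reasons one name looks like a tunnel carrier; empty list for benign names."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(qname) > 60:                      # whole name unusually long
        reasons.append("long_name")
    if max((len(label) for label in labels), default=0) >= 40:
        reasons.append("long_label")         # single label near the 63-char limit
    if subdomain and shannon_entropy(subdomain) > 3.8:
        reasons.append("high_entropy")       # looks encoded rather than written
    return reasons


def find_tunneling(queries, min_flagged=3):
    """Group by registered domain and report domains with repeated carrier-like
    names; a single odd label alone is common (CDNs, DKIM records, and the like)."""
    per_domain = defaultdict(lambda: {"unique": set(), "flagged": 0, "sources": set()})
    for source, qname in queries:
        info = per_domain[registered_domain(qname)]
        info["unique"].add(qname)
        info["sources"].add(source)
        if score_query(qname):
            info["flagged"] += 1
    return {
        domain: {"unique_names": len(info["unique"]), "flagged": info["flagged"],
                 "sources": sorted(info["sources"])}
        for domain, info in per_domain.items()
        if info["flagged"] >= min_flagged
    }


if __name__ == "__main__":
    for domain, summary in find_tunneling(SAMPLE_QUERIES).items():
        print(domain, summary)
```

On the constructed log only `exfil-example.test` is reported, with three unique carrier names from `vm-web-02`; the Microsoft names pass because their subdomains are short dictionary words. Per-domain aggregation is what keeps the false-positive rate workable: the decision is made on a pattern of queries, not on one odd-looking name.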

Azure Defender for Kubernetes

Azure Kubernetes Service (AKS) is Microsoft's managed service for developing, deploying, and managing containerized applications. Enable Azure Defender for Kubernetes to detect threats against your Kubernetes clusters, and Azure Defender for servers for host-level threat detection on your Linux AKS nodes.

What are the benefits of Azure Defender for Kubernetes?

Security Center provides threat protection at different levels:

  • Host level (provided by Azure Defender for servers) - The Log Analytics agent that Security Center uses on other VMs is also used by Azure Defender to monitor your Linux AKS nodes for suspicious activity, such as web shell detection and connections to known suspicious IP addresses. The agent also monitors for container-specific analytics such as privileged container creation, suspicious access to API servers, and Secure Shell (SSH) servers running inside a Docker container.

  • If you don't install the agent on your hosts, you receive only a subset of the threat protection benefits and security alerts, but you still receive alerts based on network analysis and communication with malicious servers.

  • AKS cluster level (provided by Azure Defender for Kubernetes) - At the cluster level, threat protection is based on analyzing Kubernetes audit logs. This monitoring is agentless; to enable it, you have to enable Azure Defender. To generate alerts at this level, Security Center monitors your AKS-managed services using logs retrieved by AKS.
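Because the cluster-level protection is built on Kubernetes audit logs, the following added example (not Microsoft's detectors and not code from this blog) shows what a defender's review of those logs looks like: it reads API server audit events in JSON-lines form and flags the signals named above (privileged container creation, host-namespace sharing, `exec` into a running pod, and requests from `system:anonymous` that succeed). The audit events, names, IPs and audit IDs are constructed for the example.

```python
"""Review Kubernetes API server audit events for the cluster-level signals
Azure Defender for Kubernetes raises alerts on. Added illustration, not
Microsoft's detectors; the audit lines below are constructed."""
import json

# Constructed JSON-lines audit log in a trimmed-down audit.k8s.io/v1 Event shape.
SAMPLE_AUDIT_LINES = [json.dumps(event) for event in [
    {"auditID": "a1", "verb": "create", "user": {"username": "dev@example.com"},
     "sourceIPs": ["10.240.0.5"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "debug"},
     "responseStatus": {"code": 201},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "shell", "image": "busybox",
          "securityContext": {"privileged": True}}]}}},
    {"auditID": "a2", "verb": "get", "user": {"username": "system:anonymous"},
     "sourceIPs": ["198.51.100.20"],
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 403}},
    {"auditID": "a3", "verb": "create", "user": {"username": "jane@example.com"},
     "sourceIPs": ["10.240.0.9"],
     "objectRef": {"resource": "pods", "subresource": "exec",
                   "namespace": "prod", "name": "web-0"},
     "responseStatus": {"code": 101}},
    {"auditID": "a4", "verb": "list",
     "user": {"username": "system:serviceaccount:kube-system:metrics-server"},
     "sourceIPs": ["10.240.0.4"], "objectRef": {"resource": "pods"},
     "responseStatus": {"code": 200}},
    {"auditID": "a5", "verb": "get", "user": {"username": "system:anonymous"},
     "sourceIPs": ["198.51.100.20"],
     "objectRef": {"resource": "pods", "namespace": "default"},
     "responseStatus": {"code": 200}},
]]

HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")
SENSITIVE_HOST_PATHS = ("/", "/var/run/docker.sock")


def pod_findings(spec):
    """Findings for a pod spec that weakens isolation from the node."""
    findings = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        if container.get("securityContext", {}).get("privileged"):
            findings.append(f"privileged_container:{container.get('name')}")
    for field in HOST_NAMESPACE_FIELDS:
        if spec.get(field):
            findings.append(f"host_namespace:{field}")
    for volume in spec.get("volumes", []):
        path = volume.get("hostPath", {}).get("path")
        if path in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive_hostpath:{path}")
    return findings


def review_event(event):
    """Findings for a single audit event (empty list if nothing stands out)."""
    findings = []
    user = event.get("user", {}).get("username", "")
    code = event.get("responseStatus", {}).get("code", 0)
    ref = event.get("objectRef", {})
    # Anonymous requests that were denied are noise; ones that succeed are not.
    if user == "system:anonymous" and code < 400:
        findings.append("anonymous_request_succeeded")
    # Interactive exec into a running container.
    if ref.get("subresource") == "exec":
        findings.append(f"exec_into_pod:{ref.get('name')}")
    # Successful pod creation: inspect the requested spec.
    if event.get("verb") == "create" and ref.get("resource") == "pods" and code < 400:
        findings.extend(pod_findings(event.get("requestObject", {}).get("spec", {})))
    return findings


def review_audit_log(lines):
    """Parse JSON-lines audit output and return [(auditID, findings)] for hits."""
    results = []
    for line in lines:
        event = json.loads(line)
        findings = review_event(event)
        if findings:
            results.append((event.get("auditID"), findings))
    return results


if __name__ == "__main__":
    for audit_id, findings in review_audit_log(SAMPLE_AUDIT_LINES):
        print(audit_id, findings)
```

On the constructed log, `a1` (privileged container plus `hostPID`), `a3` (exec into `web-0`) and `a5` (anonymous request that succeeded) are reported; the denied anonymous request and the metrics-server listing are left alone. Note that `requestObject` is only present when the audit policy level is `RequestResponse` or `Request` for pod creation, so the policy has to capture it for the spec checks to work.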

Azure Defender for Container Registries

Azure Container Registry (ACR) is a managed, private Docker registry service that stores and manages your container images for Azure deployments in a central registry. To protect all the Azure Resource Manager-based registries in your subscription, enable Azure Defender for container registries at the subscription level. Security Center will scan the images that are pushed to the registry, imported into the registry, or pulled within the last 30 days. This feature is charged per image.

What are the benefits of Azure Defender for Container Registries?

Azure Defender for Container Registries includes a vulnerability scanner that scans images in your Azure Resource Manager-based Azure Container Registry registries and provides deeper visibility into your images' vulnerabilities. The integrated scanner is powered by Qualys, the industry-leading vulnerability scanning vendor.

When issues are found by Qualys or Security Center, you are notified in the Security Center dashboard, which provides actionable recommendations for every vulnerability, along with a severity classification and guidance on how to remediate the issue.

