Explain Cloud Workload Protections in Azure Defender (part 2 of 4)

To read part 1 please click here
To read part 3 please click here
To read part 4 please click here



Azure Defender for App Service

Azure App Service is a fully managed platform for building and hosting web apps and APIs without having to manage the underlying infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements.

Azure Defender for App Service uses the scale of the cloud to identify attacks targeting applications running on App Service. Attackers generally probe web applications to find and exploit weaknesses, so before being routed to their specific environments, requests to applications running in Azure pass through several gateways, where they are inspected and logged. That data is then used to identify exploits and attackers and to learn new attack patterns that are applied to later detections.

What does Azure Defender for App Service protect?

When Azure Defender for App Service is enabled, Security Center assesses the resources covered by your App Service plan and generates security recommendations based on its findings. Security Center protects the VM instance in which your App Service is running and its management interface, and it also monitors the requests and responses sent to and from the apps running in App Service.

The log data mentioned above gives the infrastructure the visibility to tell the whole story, from a new attack circulating in the wild to compromises of customer machines, without information being lost along the way. Therefore, even if Security Center is deployed after a web app has been exploited, it might still be able to detect the ongoing attack.

Protect your Azure App Service web apps and APIs

To protect your Azure App Service plan with Azure Defender for App Service, you should:
  • Ensure that you have a supported App Service plan that is associated with dedicated machines.
  • Enable Azure Defender on your subscription (you can optionally enable only the Azure Defender for App Service plan).

Security Center is natively integrated with App Service, which eliminates the need for deployment and onboarding, as the integration is transparent.

Azure Defender for Storage

Azure Defender for Storage is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your storage accounts. Security alerts are triggered when anomalies in activity occur; they are integrated with Azure Security Center and are also sent by email to subscription administrators, with details of the suspicious activity and recommendations on how to investigate and remediate the threat.

What are the benefits of Azure Defender for Storage?

Azure Defender for Storage provides:
  • Azure-native security: with one-click enablement, Defender for Storage protects data stored in Azure Blob, Azure Files, and Data Lakes, provides centralized security across all the data assets managed by Azure, and integrates with other Azure security services such as Azure Sentinel.

  • Rich detection suite: powered by Microsoft Threat Intelligence, the detections in Defender for Storage cover the top storage threats, such as anonymous access, compromised credentials, social engineering, privilege abuse, and malicious content.

  • Response at scale: Security Center's automation tools make it easier to prevent and respond to the identified threats.

What kind of alerts does Azure Defender for Storage provide?

Security alerts are triggered on:
  • Suspicious access patterns, such as a successful access from a Tor exit node or from an IP address considered suspicious by Microsoft Threat Intelligence.
  • Suspicious activity, such as anomalous data extraction or an unusual change of access permissions.
  • Upload of malicious content, such as potential malware files (based on hash reputation analysis) or hosted phishing content.

Alerts include the details of the incident that triggered them, and recommendations on how to investigate and remediate the threat.

What is hash reputation analysis for malware?

To determine whether an uploaded file is suspicious, Azure Defender for Storage uses hash reputation analysis backed by Microsoft Threat Intelligence. Whenever a file is suspected of containing malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. To set up automatic removal of files flagged by hash reputation analysis, deploy a workflow automation that triggers on alerts containing "Potential malware uploaded to a storage account".
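As an added example (not Microsoft's or this post's code), the following Python shows the two halves of what the paragraph describes: a hash reputation check of an uploaded blob against a blocklist, and the alert filter a workflow automation would apply so that only the "Potential malware uploaded to a storage account" alert leads to removal. The alert field names, the blocklist hash and the blob URLs are constructed for the demo and are not Defender's real schema.

```python
"""Hash reputation check and alert triage in the style of Defender for Storage.
Added example, not Microsoft's code: alert fields, blocklist and URLs are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Alert name quoted in the post; a workflow automation is keyed on it.
MALWARE_ALERT = "Potential malware uploaded to a storage account"

# Constructed blocklist standing in for the Microsoft Threat Intelligence hash feed.
BAD_HASHES = {hashlib.sha256(b"constructed-bad-sample").hexdigest()}


def hash_reputation(blob_bytes: bytes) -> Tuple[str, bool]:
    """Return (sha256 hex, known_bad) for the bytes of an uploaded blob."""
    digest = hashlib.sha256(blob_bytes).hexdigest()
    return digest, digest in BAD_HASHES


def scan_upload(blob_url: str, blob_bytes: bytes) -> Optional[Dict]:
    """Emit an alert dict (constructed schema) only when the hash is on the blocklist."""
    digest, known_bad = hash_reputation(blob_bytes)
    if not known_bad:
        return None
    return {"AlertDisplayName": MALWARE_ALERT, "Severity": "High",
            "ExtendedProperties": {"Blob URL": blob_url, "SHA256": digest}}


def should_quarantine(alert: Dict) -> bool:
    """Automation filter: act only on the malware alert, and only when it names a blob.
    Other alert types (e.g. suspicious access) are left for an analyst."""
    if alert.get("AlertDisplayName") != MALWARE_ALERT:
        return False
    return "Blob URL" in alert.get("ExtendedProperties", {})


def triage(alerts: List[Dict]) -> List[str]:
    """Return blob URLs the automation would delete (or send to the owner for approval)."""
    return [a["ExtendedProperties"]["Blob URL"] for a in alerts if should_quarantine(a)]


# Constructed uploads plus an unrelated access alert, to show the filter ignoring it.
UPLOADS = {
    "https://contoso.blob.core.windows.net/uploads/report.pdf": b"benign document",
    "https://contoso.blob.core.windows.net/uploads/invoice.exe": b"constructed-bad-sample",
}
OTHER_ALERT = {"AlertDisplayName": "Access from a Tor exit node to a storage account",
               "Severity": "Medium", "ExtendedProperties": {"Client IP": "203.0.113.7"}}


def demo() -> List[str]:
    alerts = [a for url, data in UPLOADS.items() if (a := scan_upload(url, data))]
    return triage(alerts + [OTHER_ALERT])


if __name__ == "__main__":
    print(demo())  # ['https://contoso.blob.core.windows.net/uploads/invoice.exe']
```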

