Posts

Showing posts from October, 2021

Azure Monitor - Log Analytics (part 3 of 4)

Enabling Azure Sentinel. After successfully creating a Log Analytics workspace to work with Azure Sentinel, you can perform the following tasks: If Azure Sentinel is not enabled for your tenant, sign in to the Azure portal, enter Azure Sentinel in the search box, and select the Azure Sentinel entry. Click the Add button for an extra workspace. Choose an appropriate workspace from the list provided, or click Create a new workspace to add a new workspace and then select it. Click the Add Azure Sentinel button at the bottom of the screen to continue. After creating a new workspace, the News & guide page of Azure Sentinel provides some easy steps to set up the workspace. Now you have successfully created your Azure Sentinel environment and are ready to use it. Exploring the Azure Sentinel Overview page. You will be automaticall

Azure Monitor - Log Analytics (part 2 of 4)

Exploring the Overview Page. You may have created your Log Analytics workspace by any means, but the further work is done only in the Azure portal: Open the portal and go to the Log Analytics Solution page. Locate your new Log Analytics workspace for Azure Sentinel and click on it, which takes you to the overview screen. The Essentials list at the top of the page lets you review the following: Resource group: where the workspace resides; by selecting [change] you can move it to another one. Status: it should show Active. Location: the Azure region where the workspace resides. Subscription name: the subscription this resource is associated with. Subscription ID: a unique GUID for the preceding subscription, useful when calling Microsoft for technical support. Workspace name: the name of the Log Analytics workspace. Works

Azure Monitor - Log Analytics (part 1 of 4)

Introduction to Azure Monitor Log Analytics. Azure Monitor can accumulate logs as well as metrics and then use them to produce insights, visualizations, and automated responses, while Log Analytics is the service that analyzes the collected logs. A Log Analytics workspace is created within an Azure subscription and is tied to a specific geographic location, which ties the data storage to that region. The region selection can be based on your required data storage location, and it also affects the costs related to both Log Analytics and Azure Sentinel. After creating the workspace, it can collect information from several different sources, such as: Azure resources in the same subscription; Azure resources in different subscriptions; data from other cloud services (such as Amazon Web Services and Google Cloud Platform); data from your private data cente

Getting Started with Azure Sentinel (part 4 of 4)

Scenario Mapping. It should be repeated regularly so that the tools and procedures stay in tune for better analysis and the right flow of data, along with well-defined responses to make sure appropriate actions are taken upon detection of actual threats. Step 1 - Define the new scenarios. Impact analysis: a summary of the complete analysis; you can provide a scoring system to make sure that the security controls are implemented on a priority basis according to the severity of the potential impact. Risk vs. likelihood: as some scenarios are at high risk of catastrophe, you can use risk calculations to justify the budget and controls required to mitigate the risk while prioritizing your resources to implement the controls. Cost & value estimate: you must know the cost and value of the resource to your org

Getting Started with Azure Sentinel (part 3 of 4)

Cloud Platform Integrations. Azure Sentinel can protect your cloud platform deployments, so instead of sending logs from the cloud provider to an on-premises SIEM solution, you can keep data off your local network to save bandwidth as well as storage costs. The following platforms can be integrated with Azure Sentinel: Integrating with AWS. As AWS offers API access to most of the features across the platform, it allows Azure Sentinel a rich integration. The following enabled resources should be integrated with Azure Sentinel: AWS CloudTrail logs provide insight into AWS user activities, like failed sign-in attempts, IP addresses, regions, user agents, identity types, as well as potentially malicious user activities with assumed roles. AWS CloudTrail logs also contain network-related resource activities, like the creation, update, and deletion of security groups, network Ac

Getting Started with Azure Sentinel (part 2 of 4)

Mapping the SOC Architecture. You should regularly review and implement the following components, testing their strengths and improving any weaknesses, to get the best result from a SOC platform. Log management & data sources: first of all, you have to gather and store appropriate log data from the wide range of services in your IT environment, while also considering the following: Variety: you must have data feeds from multiple sources to acquire visibility across the spectrum of hardware and software in your organization. Volume: a large volume costs you much more for analysis and storage, whereas a very low volume may lead you to miss important breach-related events. Velocity: after processing and analyzing data in real time, you should also store it in real time, which improves performance. Valu

Getting started with Azure Sentinel (part 1 of 4)

Current Cloud Security Landscape. Every security architecture requires a thorough understanding of the IT environment it will protect, and you should know all the security solutions that will be deployed to protect a particular IT environment. The major components of a modern IT environment are as follows: identity for authentication and authorization of access to systems; networks to gain access to internal resources and the internet; storage and compute in the data center for internal applications and sensitive information; end-user devices and the applications they use to interact with data. You can also include Industrial Control Systems (ICS) and the IoT for some environments. The threats and vulnerabilities of all these components must be studied thoroughly before any further use. Cloud security reference framework. The components of the cloud security reference framework are give

Disaster Recovery (part 4 of 4)

Disaster recovery failover procedure. The following cases are considered for failover to a DR site: The SAP HANA database is required to go back to the latest status of data. Here, failover can be performed with the help of a self-service script without contacting Microsoft, but for the failback you have to work with Microsoft. You will require the help of Microsoft to restore to a storage snapshot instead of the latest replicated snapshot. If you want to test multiple SAP HANA instances, you have to run the script several times and, when requested, enter the SAP HANA SID of the instance you want to test for failover. Note: this approach works when there is a requirement to fail over to the DR site to rescue some old deleted data and the DR volumes are required to be set to an earlier snapshot. Shut down the non-production instance of HANA on the disaster recovery uni

Disaster Recovery (part 3 of 4)

Set up disaster recovery for SQL Server. SQL Server can be deployed in a number of ways: Standalone SQL Server: the SQL Server instance as well as all the databases are hosted on a single machine. While host clustering is required for local high availability when virtualized, guest-level high availability isn't implemented. SQL Server Failover Clustering Instances (Always On FCI): two or more nodes running SQL Server instances with shared disks are configured in a Windows Failover Cluster, and if a node is down, the cluster can fail SQL Server over to another instance. This approach is specifically used to implement high availability at a primary site but cannot protect against failure or outage in the shared storage layer. SQL Always On Availability Groups: two or more nodes are set up in a shared-nothing cluster, with SQL Server database

Disaster Recovery (part 2 of 4)

Setup Disaster Recovery for a Multi-tier SAP NetWeaver app deployment (in Azure). The following steps help set up disaster recovery: replicate VMs; replicate a domain controller; replicate the database tier; perform a test failover; perform a failover. You have to follow the steps given below to achieve this: Create a Recovery Services Vault: you can create the vault in any region except the source region: Sign in to the Azure portal > Recovery Services. Click Create a resource > Management Tools > Backup and Site Recovery. In Name, specify a friendly name to identify the vault; if you have more than one subscription, select the appropriate one. Create a resource group or select an existing one. Specify the Azure region. Verify target resource settings: verify that your Azure subscription lets you create VMs in the target region, and contact

Disaster Recovery (part 1 of 4)

Azure Site Recovery. Replicate VMs: follow the guidance in Replicate a Virtual Machine to Azure to replicate Azure VMs to the Azure region serving as the disaster recovery site, available at https://docs.microsoft.com/en-us/azure/site-recovery/azure-to-azure-walkthrough-enable-replication. To protect Active Directory and DNS, refer to the Protect Active Directory and DNS document available at https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-active-directory. To protect the database tier running on SQL Server, refer to the Protect SQL Server document available at https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-active-directory. Configure Networking: if you are using a static IP address, you can specify the IP address that you want the VM to take as part of its Azure Site Recovery settings. Create a recovery plan I

Vertical & Horizontal Scaling

Scaling Azure VMs. Compute: the VM can be scaled up or down by changing the VM size, which may first require deallocating it. This only happens when the new size is not available on the hardware cluster currently hosting the VM, which in turn also requires deallocating all the VMs in the availability set to resize them. You may then also have to update the size of the other VMs in the availability set after resizing one VM. The resizing can be done from the Azure portal, via PowerShell, Azure CLI, Azure Resource Manager templates, or programmatically (including the REST API). Storage: as the size of the virtual machine controls the number of data disks you can attach, you can detach a data disk without stopping the Azure VM by using PowerShell or Azure CLI after confirming that the particular disk is not currently in use. You can also expand the attached Azure VM disks. Scaling SAP HANA on Azure (Large Instances). Compute: you can choose from many si

Networking Changes

Networking Changes for Azure VMs. The additional network requirements must be accounted for as part of Azure VMs or SAP HANA on Azure (Large Instances). Forced Tunneling: default routes can be advertised to route all traffic out through the cross-premises connection, which forces traffic to Azure PaaS services back to your on-premises environment; to return traffic to Azure via the Microsoft peering path or over the Internet, you have to configure your routers. Generally, such routing is not required, for performance reasons; however, you can leverage service endpoints to remediate this. Virtual Network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to Azure services over a direct connection, which also helps you secure your critical Azure service resources to only your virtual networks. Service endpoints are available for a number of PaaS services, and if they are enabled for a

Performing Backups & Restore (part 3 of 3)

SAP HANA File-Level Backups. When choosing the "file" type to specify a path in the file system where SAP HANA writes the backup files, you have to consider the number of data disks, which can be limited, while the other option, Azure blob storage, offers much more space with some cost benefit. A geo-replicated storage account can also be used to store the SAP HANA backups, providing a dedicated geo-replicated storage account for your dedicated VHDs for SAP HANA backups. Azure backup agent: it helps you back up not only complete VMs but also files and directories through the backup agent installed in the guest OS. You can also copy SAP HANA backup files to a Windows VM on Azure and then use the Azure backup agent from there, which adds some complexity and slows down the backup or restore process, hence this approach isn't recommended t