Category: Azure

Deprecated VM alerts regarding suspicious activity related to a Kubernetes cluster

Hi!

The following table lists the alerts that were deprecated:

Alert name: Docker build operation detected on a Kubernetes node (VM_ImageBuildOnNode)
Description: Machine logs indicate a build operation of a container image on a Kubernetes node. While this behavior might be legitimate, attackers might build their malicious images locally to avoid detection.
Tactics: Defense Evasion
Severity: Low

Alert name: Suspicious request to Kubernetes API (VM_KubernetesAPI)
Description: Machine logs indicate that a suspicious request was made to the Kubernetes API. The request was sent from a Kubernetes node, possibly from one of the containers running in the node. Although this behavior can be intentional, it might indicate that the node is running a compromised container.
Tactics: Lateral Movement
Severity: Medium

Alert name: SSH server is running inside a container (VM_ContainerSSH)
Description: Machine logs indicate that an SSH server is running inside a Docker container. While this behavior can be intentional, it frequently indicates that a container is misconfigured or breached.
Tactics: Execution
Severity: Medium

These alerts notify a user about suspicious activity connected to a Kubernetes cluster. They are replaced by matching alerts that are part of the Microsoft Defender for Cloud container alerts (K8S.NODE_ImageBuildOnNode, K8S.NODE_KubernetesAPI and K8S.NODE_ContainerSSH), which provide improved fidelity and more comprehensive context to investigate and act on the alerts.
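To make the three behaviors in the table concrete, here is an added example (not Microsoft's detection logic, and not code from the blog) that runs toy versions of the three detections over constructed node process-execution events. The event shape (host, container ID or None, command line, optional destination host:port), the in-cluster API server hostnames and port 6443 are assumptions; the replacement alert IDs, tactics and severities are the ones listed above.

```python
"""Toy detections modelled on the three deprecated Kubernetes node alerts (constructed example)."""
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-execution record as a node agent might emit it (assumed shape)."""
    host: str
    container: Optional[str]      # container ID, or None when the process runs directly on the node
    cmdline: str
    dst: Optional[str] = None     # "host:port" of an outbound connection, if the agent recorded one


# Replacement alert IDs with tactic and severity, taken from the table on this page.
ALERTS = {
    "K8S.NODE_ImageBuildOnNode": ("Defense Evasion", "Low"),
    "K8S.NODE_KubernetesAPI": ("Lateral Movement", "Medium"),
    "K8S.NODE_ContainerSSH": ("Execution", "Medium"),
}

# Assumption: the API server is reached through the in-cluster service name or port 6443.
KUBE_API_HOSTS = {"kubernetes", "kubernetes.default", "kubernetes.default.svc"}
KUBE_API_PORT = "6443"


def is_docker_build(argv):
    """True for `docker build`, `docker image build` and `docker buildx build`."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "docker":
        return False
    sub = argv[1:3]
    return sub[:1] == ["build"] or (
        len(sub) == 2 and sub[0] in ("image", "buildx") and sub[1] == "build"
    )


def targets_kube_api(dst):
    """True when the destination looks like the cluster API server."""
    if not dst:
        return False
    host, _, port = dst.rpartition(":")
    return host in KUBE_API_HOSTS or port == KUBE_API_PORT


def detect(ev):
    """Return the alert IDs a single event would raise."""
    argv = shlex.split(ev.cmdline)
    exe = argv[0].rsplit("/", 1)[-1] if argv else ""
    hits = []
    # Image build executed directly on the node, outside any container
    if ev.container is None and is_docker_build(argv):
        hits.append("K8S.NODE_ImageBuildOnNode")
    # SSH daemon launched inside a container
    if ev.container is not None and exe == "sshd":
        hits.append("K8S.NODE_ContainerSSH")
    # Container workload talking to the API server (node-level tooling is not flagged here)
    if ev.container is not None and targets_kube_api(ev.dst):
        hits.append("K8S.NODE_KubernetesAPI")
    return hits


def run_detections(events):
    """Evaluate every event and return (host, container, alert, tactic, severity) tuples."""
    findings = []
    for ev in events:
        for alert in detect(ev):
            tactic, severity = ALERTS[alert]
            findings.append((ev.host, ev.container, alert, tactic, severity))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("aks-node-1", None, "docker build -t internal/app:dev ."),
    ProcEvent("aks-node-1", "3f2a9c", "/usr/sbin/sshd -D"),
    ProcEvent("aks-node-2", "b71e04", "curl -sk https://kubernetes.default.svc/api/v1/namespaces",
              dst="kubernetes.default.svc:443"),
    ProcEvent("aks-node-2", None, "kubectl get pods -A", dst="10.0.0.1:6443"),
    ProcEvent("aks-node-1", "3f2a9c", "curl https://example.com/", dst="example.com:443"),
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Only the first three sample events produce findings; the `kubectl` call from the node itself and the container's outbound HTTPS request to an unrelated host are left alone, which is the kind of context (node versus container, destination) the replacement K8S.NODE_* alerts are described as adding.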

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes

Maxime.

Azure Threat Research Matrix

Hi,

In this article, I will share with you the Azure Threat Research Matrix. The purpose of the Azure Threat Research Matrix (ATRM) is to conceptualize the known tactics, techniques, and procedures (TTPs) that adversaries may use against the Azure platform. Inspired by MITRE ATT&CK, ATRM is designed to give quick insight into a potential TTP that an adversary may be using in their attack campaign.

In comparison to MITRE ATT&CK, Azure does not have the same capabilities for some of the tactics, e.g. Initial Access. While some tactics in ATT&CK may pertain to Azure, the ATRM is meant to be specific within Azure AD and Azure Resources.

Source: https://microsoft.github.io/Azure-Threat-Research-Matrix

Maxime.