Category: Azure Security Center

Add Custom Policy to Azure Security Center Recommendation

Hi!

In this article, I will show you how to add a custom policy to the Azure Security Center Recommendations.

These recommendations are based on industry best practices, which are incorporated into the generic, default security policy supplied to all customers. They can also come from Security Center’s knowledge of industry and regulatory standards.

With this feature, you can add your own custom initiatives. You’ll then receive recommendations if your environment doesn’t follow the policies you create.

In the Azure Security Center Portal, please select « Regulatory compliance » under « Cloud Security ».

Select « Manage compliance policies »

Select « Add a custom initiative »

Select « Create New »

Please define:

  • Initiative location
  • Demo (Name of your custom initiative, for example XYZ Security Controls)
  • Category > Create new > Demo (Your category name could be storage, network, …)
  • Version 1

Select « Add policy definition(s) »

Select your policies, in this example: « Storage accounts should have infrastructure encryption »

Select « Create Control »

Define a new control, in this example Storage, with the Domain Storage security

Now that the custom initiative is created, please click on « add ».

Please wait 1 hour before the custom initiative appears in the Azure Security Center Recommendation section.

After 1 hour, we can see our custom initiative in the Azure Security Center Recommendation section:

It’s also possible to use Azure Resource Graph to see the assessments produced by these custom policies:

// Every assessment row carries the assessed resource ID and a status code
// (Healthy, Unhealthy or NotApplicable).
securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = tostring(properties.resourceDetails.Id)
// In a full ARM ID, segment 4 is the resource group and segment 8 the resource name.
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = tostring(split(resourceId, "/")[4])
| extend status = tostring(properties.status.code)
| extend recommendationName = tostring(properties.displayName)
| project subscriptionId,
          recommendationName,
          resourceName,
          resourceGroup,
          status,
          resourceId
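As an added example that is not part of the original post, the same query run through the Azure CLI and summarised per recommendation, so the Unhealthy resources of a custom-initiative control can be listed in one go. It assumes an authenticated `az` with the resource-graph extension installed; the sample rows and the subscription ID are constructed.

```python
import json
import subprocess

# Same query as the post, with tostring() casts and the column name typo fixed.
ASSESSMENT_QUERY = """
securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = tostring(properties.resourceDetails.Id)
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = tostring(split(resourceId, "/")[4])
| extend status = tostring(properties.status.code)
| extend recommendationName = tostring(properties.displayName)
| project subscriptionId, recommendationName, resourceName, resourceGroup, status, resourceId
"""

def parse_resource_id(resource_id):
    # Mirror the KQL split(): segment [4] is the resource group, [8] the resource name.
    # Subscription-scoped assessments have shorter IDs, so return "" (as KQL does
    # for an out-of-range index) instead of raising IndexError.
    parts = resource_id.split("/")
    return {"resourceGroup": parts[4] if len(parts) > 4 else "",
            "resourceName": parts[8] if len(parts) > 8 else ""}

def summarize(rows):
    # Per recommendation: count each status code and keep the Unhealthy resource
    # IDs, which is what you review once the custom initiative shows up.
    summary = {}
    for row in rows:
        entry = summary.setdefault(row["recommendationName"], {"counts": {}, "unhealthy": []})
        entry["counts"][row["status"]] = entry["counts"].get(row["status"], 0) + 1
        if row["status"] == "Unhealthy":
            entry["unhealthy"].append(row["resourceId"])
    return summary

def run_query():
    # Assumes 'az login' was done and the resource-graph extension is installed.
    result = subprocess.run(["az", "graph", "query", "-q", ASSESSMENT_QUERY,
                             "--first", "1000", "-o", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)["data"]

# Constructed sample rows in the shape the query projects (not real data).
SUB = "00000000-0000-0000-0000-000000000000"
def _row(name, status):
    rid = f"/subscriptions/{SUB}/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/{name}"
    return {"subscriptionId": SUB, "recommendationName": "Storage accounts should have infrastructure encryption",
            "resourceName": name, "resourceGroup": "rg-demo", "status": status, "resourceId": rid}
SAMPLE_ROWS = [_row("stdemo1", "Unhealthy"), _row("stdemo2", "Healthy")]
```

Call `summarize(run_query())` against a real subscription; `summarize(SAMPLE_ROWS)` shows the output shape offline.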

Maxime.

Azure Defender – Alert Generation

Hello,

In this article, I will show you how to generate security alerts for Azure Defender directly from the Azure portal.

Generating alerts can be useful if you want to run « Firedrills », for example.

To do this, go to the Azure Security Center service, then click on « Security Alerts » and finally on « Create sample alerts ».

The following alerts can be generated:

  • App Service / Suspicious WordPress theme invocation detected
  • App Service / Phishing content hosted on Azure Webapps
  • App Service / Attempt to run high privilege command detected
  • AKS / Exposed Kubernetes dashboard detected
  • AKS / Container with a sensitive volume detected
  • AKV / Access from a TOR exit node to a Key Vault
  • AKV / High volume of operations in a Key Vault
  • AKV / Suspicious secret listing and query in a Key Vault
  • SQL / Unusual export location
  • SQL / Attempted logon by a potentially harmful application
  • SQL / Logon from an unusual location
  • SQL / Potential SQL injection
  • Storage / Unusual amount of data extracted from a storage account
  • Storage / Unusual change of access permissions in a storage account
  • Windows / Detected Petya ransomware indicators
  • Windows / Executable found running from a suspicious location

Maxime.