Category: Azure Security Center

New alerts for Microsoft Defender for Kubernetes

Hi!

To expand the threat protections provided by Microsoft Defender for Kubernetes, we’ve added two preview alerts.

| Alert (alert type) | Description | MITRE tactic | Severity |
| --- | --- | --- | --- |
| Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment) | Kubernetes audit log analysis detected a pod deployment that is anomalous compared with previous pod deployment activity. The activity is considered anomalous based on how the different features of the deployment operation relate to one another. The monitored features include the container image registry used, the account performing the deployment, the day of the week, how often this account performs pod deployments, the user agent used in the operation, whether pod deployments occur frequently in this namespace, and other features. The top contributing reasons for classifying the activity as anomalous are listed under the alert's extended properties. | Execution | Medium |
| Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly) | Analysis of the Kubernetes audit logs detected an excessive permissions role assignment to your cluster. Based on previous role assignments, the listed permissions are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure, the volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender. | Privilege Escalation | Low |

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.

Maxime.

Azure Security Center and Azure Defender become Microsoft Defender for Cloud

Hi!

During Microsoft Ignite 2021, Microsoft announced a new rebranding of Azure Security Center and Azure Defender unified as Microsoft Defender for Cloud.

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments.

Maxime.

Advanced Threat Protection for Azure Cosmos DB

Hi!

In this article, I will show you how you can enable Advanced Threat Protection for Azure Cosmos DB. This will help you to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Two types of alerts can be detected:

  • Access from unusual locations: This alert is triggered when there is a change in the access pattern to an Azure Cosmos account, where someone has connected to the Azure Cosmos DB endpoint from an unusual geographical location. In some cases, the alert detects a legitimate action, meaning a new application or developer’s maintenance operation. In other cases, the alert detects a malicious action from a former employee, external attacker, etc.

  • Unusual data extraction: This alert is triggered when a client is extracting an unusual amount of data from an Azure Cosmos DB account. This can be the symptom of some data exfiltration performed to transfer all the data stored in the account to an external data store.

It can currently trigger the following alerts:

| Alert | Description | MITRE tactics | Severity |
| --- | --- | --- | --- |
| PREVIEW – Access from an unusual location to a Cosmos DB account | Indicates that there was a change in the access pattern to an Azure Cosmos DB account. Someone has accessed this account from an unfamiliar IP address, compared to recent activity. Either an attacker has accessed the account, or a legitimate user has accessed it from a new and unusual geographical location. An example of the latter is remote maintenance from a new application or developer. | Exploitation | Medium |
| PREVIEW – Unusual amount of data extracted from a Cosmos DB account | Indicates that there was a change in the data extraction pattern from an Azure Cosmos DB account. Someone has extracted an unusual amount of data compared to recent activity. An attacker might have extracted a large amount of data from an Azure Cosmos DB database (for example, data exfiltration or leakage, or an unauthorized transfer of data). Or, a legitimate user or application might have extracted an unusual amount of data from a container (for example, for maintenance backup activity). | Exfiltration | Medium |

To enable Advanced Threat Protection for Azure Cosmos DB:

In the Azure portal, select your Azure Cosmos DB account > Settings > Advanced security (preview) > set Advanced Threat Protection (Preview) to On > Save.
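The same setting as code, so it can be enforced from a deployment pipeline rather than toggled by hand: an added Bicep example, not from the original post. It assumes the `Microsoft.Security/advancedThreatProtectionSettings` extension resource (the one the portal toggle writes) applied to an existing account; the parameter name `cosmosAccountName` is a placeholder.

```bicep
// Enables Advanced Threat Protection on an existing Azure Cosmos DB account.
// Added example: the account name is a placeholder parameter, not a value from the post.
@description('Name of the existing Azure Cosmos DB account in this resource group')
param cosmosAccountName string

// Reference the account that already exists (deploy at the account's resource group scope).
resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' existing = {
  name: cosmosAccountName
}

// The ATP setting is an extension resource named "current" under the Microsoft.Security
// provider, scoped to the Cosmos DB account; isEnabled: true is what the portal "On" sets.
resource cosmosAtp 'Microsoft.Security/advancedThreatProtectionSettings@2019-01-01' = {
  name: 'current'
  scope: cosmosAccount
  properties: {
    isEnabled: true
  }
}

// Expose the resulting state so a pipeline step can verify it after deployment.
output atpEnabled bool = cosmosAtp.properties.isEnabled
```

Deploy it with `az deployment group create --resource-group <rg> --template-file cosmos-atp.bicep --parameters cosmosAccountName=<account>`; the `atpEnabled` output should read `true`.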

Maxime.