0:00
So yeah, welcome everyone to this new session about immediate security with Azure Security Center
0:09
I'm Fernanda Bella. I'm presenting here with Tom. We work in the same team in Microsoft Azure Security Center
0:19
We're program managers in the product team. And yeah, welcome everyone. Here's a poll for everyone to access
0:30
Just please do it now. And let's start with it
0:51
Yeah, we basically would love to see where you are joining us from today
0:55
and we're going to have some more questions throughout this session. So yeah, it would be great to get some interaction here
1:04
and for you to also interact in that poll. I'm seeing some answers coming in already
1:25
Sure, if we can see them on the slide yet, but maybe it's not updating
1:31
So maybe we can just go ahead with the agenda. And then afterwards, if we're going to have other polls, you can still send your answers
1:40
And if you do not see them on screen, we can see them in the back end. So we can still refer to them then
1:51
Perfect. So the agenda for today is that we are going to have an overview of Security Center, which is a CSPM and also a CWPP
2:01
So this is a cloud security posture management platform and cloud workload protection platform
2:09
We're also going to take a look at REST APIs, continuous export and workflow automation
2:16
Workbooks, Logic Apps, and a few demonstrations of how these features work
2:22
in Azure Security Center, how you can use them. And yeah, so I'm going to
2:29
Should I skip this as well, Tom? Or should we wait for a few answers
2:40
So if it's not updating, then I think we can skip it
2:45
But I don't see answers in the backend yet, so maybe there will be answers coming in
2:54
But yeah, maybe just go ahead. Perfect. So yes, so Azure Security Center, what is it, right
3:04
We have heard so many times about putting here a high security posture in your environment
3:15
in the enterprise that you are working, because we know that there are so many vulnerabilities
3:21
going on. There are so many threat actors happening. And so what is Azure Security Center
3:29
So Azure Security Center is going to help you actually to strengthen your cloud security posture management
3:38
And this is by using some features as secure score that we can see here on the screen, policies and compliance to help you find and fix vulnerabilities
3:52
And so here, I just want to touch a very important key to success for the hybrid workloads, which is that whether they are in Azure, on-premises, or in any other type of cloud, you have to secure them fast
4:12
And this has to go before the attackers can get to those workloads and probably do damage
4:21
So here, Security Center is going to actually help you get secure faster with two primary functions, which are attack prevention and attack detection
4:36
So let's take a look at what attack prevention looks like, which is strengthen your security posture
4:45
So, for example, Security Center is going to continuously discover new resources that are being deployed across your workloads
4:58
And it is going to assess whether they are configured according to security best practices
5:06
And we are basing these in the Azure Security Benchmark, which is the Microsoft authored and Azure specific set of guidelines of security and compliance best practices
5:23
This is a very important framework that we use. And so Security Center is going to actually analyze the security state of your resources
5:35
to actually identify potential vulnerabilities, just as we just said before. And here you can use, for example, secure score as a KPI, which is a key performance indicator
5:50
But like, how does that work, right? What is that? Well, this percentage that we can see here on the screen is calculated based on your recommendations under these controls that we're showing here
6:09
And so what is a control, right? So a control is a set of security recommendations with instructions that help you implement remediations
6:19
So, for example, here we have the security control remediate vulnerabilities that has many recommendations that fit under this category
6:30
We have here the maximum score that we can achieve, our current score, the potential score increase if we start tackling all of those recommendations and actually repairing, right, the resources that are being assessed here
6:48
We can see also the unhealthy resources that are recommended to actually implement the recommendation, resource scale and a few actions, right
7:01
Sometimes we have quick fix buttons that actually do the entire logic
7:07
And so we only have to go there, just click quick fix this and solve it out just to have it already here solved
7:19
And so your secure score, and this is also very important, your secure score is only going to improve when you solve all of the recommendations within a control. So if I want to achieve the maximum score of a certain control, I will have to do
7:38
all of this in order to have this value in my Secure Score. So that is like the main key features
7:50
of secure score and recommendations. And as we just said, you can use security center secure score
7:58
as your security KPI. And ASC is going to continually, like we said
8:08
assess your resources for security issues. And all of the findings are going to be the recommendations
8:17
that will go into the secure score and is going to be represented as a score, right
8:24
So at the end, this can help you actually track your security efforts and projects
8:30
in your organization over time. Because when you start, for example, here in September
8:36
you start with a 57% and then you start remediating certain recommendations
8:43
that go along with the instructions that you have in your enterprise, in your environment
8:52
So you start seeing some progress, right? So maybe you're going to start increasing your secure score by October and November
8:59
And so whenever secure score goes up, you have two things that are going to start happening
9:07
Your security posture is going to be enhanced because, of course, we all want to have that 100% of secure score, right, where all of the security recommendations are remediated
9:20
Also, when you start seeing that enhancement, then the security recommendations will drop, right, because you are already taking action into those
9:29
Now let's face it, keeping your secure score at its highest level by following recommendations
9:41
may look a little bit scary whenever you have a complex environment and also when you have
9:48
a hybrid environment that is rapidly growing, right? And why is this, right? It is because
9:55
it introduces administration and compliance challenges. And how can you enforce and achieve compliance across your subscription
10:06
in an efficient and automated way, which is the main topic of this conversation
10:14
And, well, this is when governance comes very, very handy in these type of scenarios
10:20
And so it is very challenging to strike like an effective balance between speed and control within cloud adoption
10:31
and without governance, each time, for example, that you are going to start deploying new virtual machines
10:40
storage accounts, SQL servers, whatever type of resource that you are providing in the cloud
10:48
your secure score will drop, right? Because sometimes you're not implementing policies
10:57
that actually say, okay, whenever you're deploying this new server, have these ports disabled, only allow it to have this networking environment
11:10
and have all of these patches, right? So there are many built-in features in Azure that help you achieve governance
11:20
And you have Azure policies, blueprints, management groups, role-based access controls, and many, many others
11:30
Also, you can have some of the automations that also we're going to present
11:35
that can help you that each time that a new recommendation pops up
11:41
then you can trigger an automation so that this gets remediated and so you're not risking too much there
11:57
So up to now, we have seen how to reduce like the attack surface by addressing security recommendations and using Azure Security Center, which is part of an overall improvement of your security hygiene, right
12:14
However, and it is very important, protection is just one of the pillars of security posture
12:21
You also need to boost your threat detection and response. So here is where Azure Security Center also comes very handy because this is for servers, cloud native workloads, databases and storage
12:35
So let's take a deep dive here. And Azure Security Center is going to use advanced security analytics, of course, and machine learning technologies to evaluate some events and correlate alerts across your entire cloud infrastructure that may have servers, storage accounts
12:59
and other types of resources that you can enable here for protection with Azure Security Center
13:06
which is called Azure Defender for Servers, for Storage, for SQL, and all of those
13:14
And some of the capabilities that ASC provides as a cloud workload protection platform
13:21
is, for example, the detection and block of advanced malware and threats for servers
13:30
threat detection across IaaS and PaaS services, protection of data services. And, well, you have a lot of cool things going on here with security alerts
13:45
And for example, you're going to have this display that is going to show you the severity of each of your alerts, the alert title, the resource that is being affected
13:59
And also here you can see, like in the first plane, when they started and the MITRE ATT&CK tactic, right
14:09
And if it's in an active state or is just dismissed. You can also do like suppression rules to say, no, I think that this is some test that is going on in my environment
14:21
OK, so we're not going to take that into consideration. But this, for example, like the overall spectrum of the security alerts that you're going to have in security center
14:33
Now, once you go inside of one of these security alerts, you're going to have certain things that are very important
14:44
And each alert is very unique and they have different entities, right
14:51
But the thing is that alerts are going to include certain information that is going to describe, for example, what happened, when it happened, which process happened, and where it happened. So here, for example, we have that a failed SSH
15:10
brute force attack happened. We know that the status is active. We know the activity time
15:16
the severity. We have the description, resources affected. And also here we can see in what status
15:24
of the MITRE ATT&CK tactics it is. So here in this example, we have that it is a pre-attack
15:31
In the alert details, we can see the number of fail authentication attempts
15:36
We can see related entities, which is amazing because we can see these resources that are
15:45
actually connected. And yeah, we can see the host IPs and we can take action into this
15:55
Now, when we go into take action, we can actually do and trigger a logic app and do automations
16:02
So, for example, whenever these type of situations happen, we can create a logic app that is going to isolate, for example, the server so that the brute force attack is not going to affect the machine anymore
16:20
Right. So you can take a few automation processes to actually have a better ecosystem here based on the alerts that are going to be thrown at you at any time, because that is what happens
16:41
Right. So, yes. And I think, yeah
16:57
Okay. Now that you've learned about all the features and the data that Azure Security Center is generating
17:05
let's take a deeper look at how we're exposing all that data. Because it's not only enough to have
17:11
that type of information in Azure portal, a lot of customers really want to get hold of
17:17
that data and to work with own automations around that. One of the good things here is that we're exposing all of
17:23
the information into our REST APIs and we have quite a lot of REST API reference endpoints here
17:29
For example, in Azure Security Center, you can use the Secure Score API to retrieve information
17:35
of the Secure Score in your current subscription. You can get information about the assessments with
17:40
also about the security alerts that Fernanda just referenced. But also, it's not only about Security Center and
17:47
the REST APIs in here, you can also use Azure Resource Graph
17:50
in which we are exposing some information, as well as Log Analytics
17:54
in which you can also get information about your alerts, secure score assessment results and so on and so forth
18:00
Now, when we take a look at the RESTful APIs that we are using
18:06
then basically what I just said before is that we are providing a lot of API endpoints here
18:13
And you can find the REST API endpoints in our API reference
18:19
For example, we have that for the alerts, for assessments, for compliance results
18:23
but also for settings. We have a settings API that you can use
18:29
for example, to enable or disable the integration of Azure Defender for Servers with Microsoft Defender for Endpoint
18:35
The same is true for the Microsoft Security Graph, which is a consolidated API for security products
18:39
across the Microsoft ecosystem, which includes alerts that we are generating in Azure Defender that are then stored
18:46
in the Microsoft Security Graph API. And then there is the Azure Resource Graph
18:51
in which we are storing information about security resources, which includes assessment results
18:56
for unhealthy virtual machines, for example. So you have quite a lot of information
19:00
that you can retrieve from basically any type of backend service that we're providing here
19:07
And again, if we then take a deeper look at how the APIs work
19:13
then usually you have type of a managed identity, a service account
19:18
which is called an application that is registered in Azure Active Directory
19:22
That application or managed identity will get RBAC permissions assigned to its identity
19:28
So it is able to pull information, for example, from a subscription
19:34
So if that application will have the security reader access role, then it will be able to get all the information
19:41
about security or basically about Azure Security Center in a particular subscription
19:47
Then using an authentication token, you are able to send a request against the API endpoint
19:55
That can be a get request to retrieve information, but also a put request if you want to update something
20:00
Or, and you will see that later in the live demo, there is an API endpoint for the Azure
20:05
resource graph. So you can also send a KQL query against the Azure Resource Graph API and then retrieve information that is stored by Azure Security Center
20:15
And then at the end, you will get a response. You can use that information, for example, to integrate with third-party applications, such as a third-party SIEM solution
20:26
So you're able to retrieve the information directly from, as I said, the Security Graph API or from our own REST API endpoints
20:34
But you can also run scheduled automations or triggered automations. The button that you have seen before in Fernanda's demo is exactly the triggered automation
20:44
So you can manually trigger a logic app based on information that we are sending to the logic app
20:48
And then the logic app will get all the information of the alert, work with that information and do something
20:54
And I have prepared a logic app for that for a later demo as well. because that is not only using API endpoints
21:00
but also some other capabilities that we're going to cover within a few minutes
21:06
Now, that is Postman, which is a tool that I'm going to use now
21:12
for showing you how to easily retrieve information from our REST APIs
21:16
And also for that, there is an Azure REST API reference documentation that will explain in a small video
21:22
how to use Postman in order to retrieve information from any REST API endpoint that Azure is providing
21:29
With that being said, let's switch over to Postman and take a little demo
21:34
I've prepared a GET request against the Microsoft.Security Alerts API endpoint. And if we just send that GET request now
21:45
we will get some information here. And as you can see, let me just make that a little bit larger
21:53
Here we go. As you can see here, there is quite a lot of information that is part of one alert
22:00
In this case, that is a simulated alert that we have created in my subscription
22:05
But as you can see, there is information about the compromised identity
22:10
There is the alert display name and a description. So what is that alert actually
22:14
Then remediation steps and some extended properties. Now the thing with extended properties is that each and every alert might have or might not have extended properties in its information. However, everything that you will see for this particular alert here is exactly the same information as you are presented with in the Azure portal. So if you have an alert that is popping up in the alert dashboard, you will see the same information if you retrieve it from the
22:39
REST API endpoint. Also, there's an alert URL. If you click that, you're immediately redirected to
22:47
a deep link in the Azure portal directly to that particular alert. Now, we also have a secure score
22:54
API. And with the secure score API, you will get the information about the secure score in your
22:59
particular subscription. In this case, I have a secure score of 22.92%, which is not good
23:07
And no, that's not true. It is not percentage points. So it's about 23 points out of 56 points
23:14
that I can get. And that is a percentage value of 40.93%. So using that information, you can
23:22
pull the current secure score for each subscription or even for your management groups
23:28
and you can store that anywhere you want, do with that data whatever you want
23:33
So you are able to just export that information using the APIs. And then we have the assessments API
23:38
including the new values for the status evaluation dates that we call time indicators
23:45
So every assessment result is basically what you see as a recommendation in Azure Security Center
23:52
In this case, it is the recommendation that service principals should be used to protect your subscriptions instead of management certificates
23:59
The status of my subscription is healthy and the assessment status changed its date on the 6th of June for the last time
24:08
With that information, you can basically also build automations around first evaluation date and status change date
24:15
Because if you know that first evaluation date is the first time that that recommendation for a particular resource appeared
24:21
and the status change date is later, then you know, or it's the same
24:25
then you know how long the status has not changed. So for example, if that is an unhealthy resource
24:31
then you can go to your resource owners and you can basically also do that
24:35
within the scope of a DevOps project and tell the resource owners, hey, you have created a resource
24:39
which has been unhealthy for, let's say, four weeks. Please make sure to remediate that unhealthy resource now
24:45
in order to improve your security posture. Now, another capability that we also have is to use PowerShell and Azure CLI to retrieve basically the same information. There is a module which is called Az.Security. And the Az.Security module will contain all the Azure Security Center PowerShell cmdlets
25:11
So for example, you can run the command Get-AzSecurityAlert, where the alert type is like brute, and you will get all the information about brute force attack alerts in your particular subscription
25:22
In this case, let me just see that here. Let me pull that. In this case, you see that even today, there has been a brute force attack against my Linux victim, which in fact was a successful brute force attack
25:38
I'll come back to that a little bit later because that is an alert that I have generated today
25:43
by successfully brute forcing one of my servers. And I've done that to show you what you can do
25:49
to automatically react on that particular type of an alert. And with that being said, giving it back to you, Fernanda
25:59
Cool, thank you. So now let's talk a little bit about continuous export
26:07
And so Continuous Export is a feature that is going to allow you to export data types whenever they change
26:17
And these data types are like security alerts, security recommendations. Here you can also find security findings or sub-recommendations that are annotated in one recommendation
26:34
You can also pull the secure score and also regulatory compliance. Here is very important to know that you can also export frequency, right
26:46
You can have like a streaming, which is near real time when a resource health state is being updated
26:54
And also you can have snapshots. And a snapshot is a shot of the current state of the supported types that will be sent every week
27:08
Here in the configuration, you can actually set it to send to an Event Hub or to a Log Analytics workspace
27:20
and from there you can actually connect third-party tools to actually retrieve this information that is going to be hosted
27:30
in this Event Hub or in this Log Analytics workspace and actually work with that information, right
27:38
This is just another option. Instead of using, for example, APIs, you can actually store this information into event hub
27:47
or a Log Analytics workspace and have it from there. Now, let's talk a little bit about Workbooks
27:57
which is another feature that Azure Security Center has. And so I like to say it or introduce it
28:04
as a canvas for infinite possibilities. And this is because it is where you can actually have
28:10
data analysis or reporting, and you can have these rich and interactive visuals
28:16
that we're going to take a look. So some of the key aspects of Azure workbooks
28:23
is that they are interactive, they are portable, and you can have multiple data sources here
28:32
So how does it look like? So it is a dashboard that it is going to let you interact
28:38
and filter according to subscriptions, management groups, or a specific resource
28:49
You can use parameters to actually have these dynamic contexts instead of just having the users filtering things
28:58
You can have certain parameters that are going to be read into their configuration so that the workbook displays
29:07
different or specific information. Why we say they are portable? because you can actually save them, share them, and pin them in your Azure portal
29:21
We have a lot of workbooks going on in our GitHub community
29:26
So there you can actually also share your workbooks. You can also deploy them as templates
29:35
and the data sources that are going to be read are, for example, logs, metrics, health, Azure resource graph
29:45
which is also some of the things that Tom was explaining, Azure resource manager
29:52
and also you can have a custom end point. So you can actually read from that
29:58
Now, how does that look, right? So this is a workbook, just an idea. And here, what we are saying is that you can actually query data from multiple sources within Azure in a single dashboard, right
30:14
So this is kind of like what a dashboard would look like. Of course, these are canvas and they're going to look different from every user to any user
30:27
So this is just a representation of one of the default workbooks that we have created to help our customers with their vulnerability assessment findings
30:40
So how do you build a workbook, right? So it is just as when you were in your, I don't know, in your game designing classes back in university or I don't know, in some of these design classes, right
30:58
Where you have to actually define a problem that you are solving. So this could be like, I want to get a snapshot view of my resources' health and what alerts are active, right
31:09
You have to actually define these problems so that you can have the idea of what you're going to create and then identify the data sources, right
31:22
So some sources can be either in Azure Resource Graph or they can be from the Log Analytics workspace or they can be stored in Azure Monitor, right
31:36
For example, health and other monitoring capabilities that Azure is going to provide you
31:45
After this, you can start building it, right? You can have this empty workbook, just empty blank space that you can actually do infinite things with it
31:58
you can start adding text, metrics, or queries for many sources, add parameters, groups, links
32:07
and others. So how does this look like is that whenever you start creating, you have these
32:15
sections where you can start putting the code or the queries to retrieve information from
32:22
different resources that are hosted on Azure. So in this example, I just went into edit mode
32:30
and just started querying across a Log Analytics workspace. So here, actually, you can see
32:39
how this code goes and what the result is going to look like. So yeah, let's take a look a little
32:51
bit about how this is represented. And here I have this workbook that it is one of the ones that we
33:07
have as default. This is the vulnerability assessment finding that we were just showing
33:12
in our screen. And so I have here the overview machines, containers that are going to have
33:22
vulnerabilities as well as findings, and SQL servers, right. So for example, if I go into a machine
33:29
I can have certain information that I'm just querying here, which gives me a little bit
33:36
more input than the recommendations that are happening here in Security Center. I can also see
33:44
categories. And also, for example, in this case, I can actually export this data so that I can have
33:52
it as an Excel file. The cool thing about this is that I can always edit. So I can go into edit mode
34:02
and start just changing colors, changing the information that I'm displaying here, for example
34:09
more than the resource total, total incidents and their severities. I also want to retrieve
34:19
other types of information, right? So I will go into the edit mode into that specific
34:25
category and start editing and creating more information I just had an error here
34:38
but that is because I don't have permissions into that specific workbook
34:46
How this works is that I have here, for example, a way to actually query things
34:55
that isn't loading right now, but that always happens in live demos
35:02
But the thing is that, right? We're going to have this possibility
35:07
of having this edit edition thing going on here into our workbooks
35:21
That's amazing. Because, you know, you see that a lot of information that Azure Security Center actually provides can be exported to, in this case, for example, a Log Analytics workspace
35:32
Or you can directly pull the information from the Azure Resource Graph, and then you can build your own custom dashboards around that information that might be interesting for you in your environments
35:41
Now, let's bring that all together and talk a little bit about logic apps
35:46
And I know that some of you might be thinking something like, well, why use logic apps and not kind of another type of automation
35:54
Well, because logic apps are quite beneficial when it comes to protecting your environment
36:01
The nice thing here is that we are providing three different types of Azure Security Center triggers, which are directly built into logic apps
36:11
And with these three trigger types, one of which reacts on an alert, one of which reacts on the recommendations, which is basically the assessments result that I've been talking about before
36:21
And we have one for the regulatory compliance assessments. Now, all of these are fed with information that we are directly sending from Azure Security Center and that will contain basically the same information as the REST APIs or as what you have seen before in the portal and also what can be exported using continuous export
36:37
Now, logic apps, as I said, can automatically be triggered from inside Security Center. They can manually be triggered from inside Security Center. And each way you're choosing will always get the same type of information
36:52
In addition to that, there are a lot of native connectors from Microsoft to Microsoft and to other third-party services, including Jira, ServiceNow
37:05
And if there's not a connector that is built in, you can usually use the HTTP connector
37:11
And I will show you that in the environment that I've been using, because that is something that you can use also to pull and send data to REST APIs
37:22
And that actually is how it is done. So the cool thing here is that you can use the resource ID in this case, which is a variable
37:34
And within your logic app, you can basically pull information from anywhere, put that into a variable
37:40
and then send a get request against, in this case, the management.azure.com API, which is the Azure REST API endpoint
37:46
and using the resource ID in this case, we'll pull information for a particular resource type
37:53
In this case, that is a virtual machine that we're pulling information from
37:58
because we need that in order to process the whole evaluation at the end
38:05
And I will show you what I mean by that. Now, workflow automation is a capability
38:11
inside Azure Security Center and workflow automation can be referred to as an automation configuration
38:18
that you are storing in a resource group that will connect a logic app
38:23
that then can be automatically triggered. Let me rephrase that. So every time a security center alert is created
38:32
if you have a workflow automation on your subscription, then this workflow automation
38:36
will trigger the configured logic app, sending all the alert information to that logic app
38:41
and then the logic app will decide what to do with that information. And how that looks in a live environment, that is what I want to show you now
38:51
So I mentioned before that earlier today, I had a successful brute force attack against
38:57
my Linux victim virtual machine. So I've been using some command line tools to run a brute force attack against that machine. And eventually I've been successful, which led to an alert that has been generated
39:12
from Azure Security Center. And that alert will contain some information about the IP address that has been used
39:20
the Linux victim as a virtual machine in that subscription. And if we take a look at the full alert details
39:26
then there is some more information, including my IP address that I've been using from Germany
39:32
the host that has been attacked, the accounts that have been used to attack
39:37
in this case, Tom, Ben, and Tim, and also some further information
39:43
about the network connection. Then we have the information about take action
39:47
which is, first of all, how to mitigate the threat. Well, usually that is something like
39:51
you should inform your security operations center. In this case, you can also block the IP address
39:57
and do some other things. Then also in order to prevent future attacks
40:02
we are giving you information about open recommendation for this particular resource in order to close the loop
40:07
So again, we have that proactive approach of securing environments before actually you are creating a resource
40:15
or before someone is attacking the resource, which is part of secure score recommendations
40:21
and all that around. And then we have the reactive part, which is generating a security alert
40:28
and giving you visibility. Then again, referencing the alerts to open recommendations
40:33
so you can prevent future attacks. But what we can do is
40:36
we can trigger a logic app directly from that alert. And I will do that right now
40:42
because there is that block brute force attack logic app that I've created
40:47
and we will take a look at that. And let me just trigger it. That's all
40:51
So that is something that your administrators can directly do from that alert
40:55
Now, the thing to notice is you would have to create your own logic apps depending on the alert type, because we can give you information about how to do that, but we don't have a logic app for each and every type of alert because, you know, it's custom
41:09
It's something that could be fitting to your environment, but not to other customers' environments
41:14
But I just triggered that logic app, right? So let's go here
41:19
And what we see is two things. That is the logic app that has been triggered, and it has been triggered twice today. Once today at 12:11 p.m. and once at 3:11 p.m., which is exactly a minute ago
41:38
What does it mean? So this trigger here was an automated trigger based on workflow automation
41:45
So once I had attacked my virtual machine, Azure Security Center created that successful brute force attack alert
41:53
And the workflow automation has reacted to that alert and sent the alert details to my logic app
42:01
This is the trigger that I showed you before. And if you take a look at the information, the outputs that we have in here, then we have the information about the alert, which is "Successful SSH brute force attack" against Linux victim
42:14
coming from an IP address that we will find in the extended properties
42:22
Let me just check where it is. Well, we have it once here in the description
42:28
but also it should be part of the, no, it is part of the entities. Here we go
42:35
There is the IP address in Germany with some local information and some other extended properties and so on
42:44
So basically we're sending all the information from the alert to the logic app. That logic app will then do some magic
42:50
because what we're doing is first of all, we're finding out what virtual machine has been attacked
42:56
And now you can think back to that one slide. And let me just pull that one slide up again
43:03
Here we go. So there is this slide, a GET request against management.azure.com
43:11
with the resource ID, and that actually is exactly the "Get Azure VM" part of that logic app
43:17
And now you see that resource ID, in fact, was subscriptions, the subscription ID, resource groups, the resource group name
43:24
and the provider in this case is Microsoft.Compute/virtualMachines. And I'm pulling the information for this particular VM
43:30
That contains all the information that is part of that resource. Then, after some more magic, we're pulling the information about the network interface
43:42
Again, using a REST API endpoint. In this case, it's Microsoft.Network/networkInterfaces
43:49
Then we are pulling the NSG rules for this particular network card
43:53
And at the end, what I'm doing here is I send a PUT request to the network card
44:00
with a new rule that has, in this case, the priority 101
44:05
Why 101? Because 100 was already taken. Now, if we take a look at the manual trigger
44:11
that I just sent a few minutes ago, then you will see that there has been a new rule
44:18
created with a priority 102 because the logic app will count, or basically it will look for existing NSG rules
44:25
starting from 100 and will then create a new deny rule at the next possible step
44:30
So you can automatically react on that type of alert. Once there is a brute force attack
44:36
that logic app can be triggered and it will basically create a deny rule
44:40
for the attacked port. Now in this case, it's even for all ports
44:46
including the attacking IP address. So the IP address is blocked from accessing
44:51
the network card in the NSG directly. Now, if we take another look at the automation capabilities that we have now been covering, then we have PowerShell and Azure CLI
45:08
We have our APIs. We have logic apps. And now, what is the idea of all the automation
45:15
And when do I use what? Well, basically, PowerShell and Azure CLI are great tools if you want to have a one-time task
45:24
Right. I've been using PowerShell quite a lot for even deploying resources
45:28
but that is not like having an ARM template or a Terraform template
45:32
It's more like, you know, it's an imperative language instead of a declarative language, which is not good for DevOps and CI/CD
45:41
But still, you could use it for that. We are using it in Azure Security Center basically to pull data
45:47
to export data for, you know, one time. If you want to have a CSV export of a custom set of data, including secure scores and assessment results, then you can do it using Azure CLI and PowerShell
46:02
APIs are high-code interfaces that can be used inside your own applications and services
46:08
But you can also use the APIs directly in the Logic Apps. The nice thing with Logic Apps is you can, but you do not have to use code in it
46:16
So you can also use the editor that we are providing, or that the Logic Apps team is providing, to have like a graphical user interface to build your own workflows
46:29
And then again, reference to either existing connectors or to API endpoints using the HTTP connector
46:37
In Azure Security Center, we are running our own GitHub community. And in that GitHub community, we are providing quite a lot of information
46:46
about automations that you can use within the context of Security Center
46:50
Now, I've shown you that Logic app, and you can find that Logic app exactly here in the Azure
46:58
Security Center GitHub repo in the workflow automation folder. And there is some information about it. So
47:05
what will that Logic app actually do? At the end, it will send out an email. That is the email template
47:10
that is used. So you will also get the information directly from the alert. So again, we are taking
47:15
the alert information that Security Center is sending to the Logic app, and we'll use that
47:21
same data in your email template to send that email out to a stakeholder, to the resource owners
47:28
or to the security contact of your subscription. And with that being said,
47:35
I'm very happy that I had Fernanda with me today and yeah, it was a great presentation
47:42
thank you, Fernanda. Thank you, C# Corner team, and yeah, looking forward to
47:48
the other sessions that are coming now in the afternoon and yeah, if there are any questions
47:54
we're now happy to take some of them