Azure resource entity page - your way to investigate Azure resources

[Guest maayanmag]

Intro

 

Azure resources such as Azure Virtual Machines, Azure Storage Accounts, Azure Key Vault, Azure DNS, and more are essential parts of your network. Threat actors might attempt to obtain sensitive data from your storage account, gain access to your key vault and the secrets it contains, or infect your virtual machine with malware. The new Azure resource entity pages are designed to help your SOC investigate incidents that involve Azure resources in your environment, hunt for potential attacks, and assess risk.

 

 

 

What's in it for me

 

You can now gain a 360-degree view of your resource security with the new entity pages, which provide several layers of security information about your resources.

 

 

 

First, they provide some basic details about the resource: where it is located, when it was created, to which resource group it belongs, the Azure tags it contains, etc. Further, it surfaces information about access management: how many owners, contributors, and other roles are authorized to access the resource, and what networks are allowed access to it; what is the permission model of the key vault, is public access to blobs allowed in the storage account, and more.

 

 

 

The pages also include a few integrations that enrich the information about the resource:

 

• Aside from the Microsoft Defender for Cloud and Microsoft Defender for Endpoints alerts that are presented in the timeline, the integration components for MDC (for all resources) and MDE (for VMs only) give you a quick glance at the number of alerts, recommendations, and vulnerabilities (and their severity) in MDC/MDE, as well as the option to switch directly from MDC/MDE in one click.
  

• Microsoft Purview - for the relevant resources, you can determine whether the resource contains sensitive data, as well as its labels and classifications, based on Microsoft Purview.
  

 

 

 

 

You will also find two additional features on the entity page:

 

1. A timeline showing all alerts, anomalies, and activities related to the selected timeframe. These activities included activities like a sensitive operation made on a key vault, Storage account keys list, VM access extension execution, VM Run Command execution and more. You will soon be able to add your own activities.
   
2. The insights feature can provide you with a wealth of information about the entity through KQL queries. Among these insights are: what are the top IP addresses that accessed this Azure Resource, and their geolocation if available; what are the most common operations performed on this Azure Resource, and their classification; and who are the most active users on this Azure Resource. More relevant insights will be added in the future.
   

 

Scope of the feature

 

While most of the information described above applies to all resources, we provided more detailed information about virtual machines, key vaults, and storage accounts based on possible attack vectors. Later, we will expand to other resources as well.

 

 

 

What’s next?

 

We plan to add more relevant data to the pages, including advanced insights.

 

Continue reading...