With more and more organizations moving from traditional on-premises infrastructure to the cloud, it remains critical for organizations to have robust security monitoring, regardless of their cloud platform of choice.
Sumo Logic Threat Labs has expanded our log parsing, mapping and detection rules for Microsoft Azure. While our Cloud SIEM solution has broad coverage for AWS and GCP platforms, we wanted to close the gap for Azure coverage, which previously addressed:
- Identity and Access Management within Azure Active Directory
-
Monitoring user and group management
-
Suspicious Login Activity
-
Privilege Enumeration
-
Azure – Event Hub Deleted Signal Firing
Cloud SIEM heavily leverages the MITRE ATT&CK Framework to map our detection rules to MITRE tactics and techniques from the larger cybersecurity community. To broaden our support for Azure, we use the data source types provided in MITRE ATT&CK for cloud services to help ensure wider coverage. We drilled into the tactics and techniques those types of data sources can reveal. And finally, we identified the specific Azure platform activities and the logs produced by those platform services. A complete list of the data sources we focused on, the types of detections added, and how those can map to MITRE ATT&CK follows.
Dark clouds
Azure platform logging limitations
At present, there is an apparent gap in how Azure logs GET or LIST type operations within most platform resources. Apart from Azure Key Vault, Azure Storage Analytics, and in some cases, Azure Active Directory, we were unable to locate these types of events via audit, activity logs, or by enabling auditing policies for specific activities, like the creation of public storage containers.
While these types of events are inherently noisy, other cloud platforms log these events as they are instrumental in the detection of reconnaissance and discovery activities. Should these types of events become available, our coverage will also expand accordingly.
Making it rain (logs)
Azure platform logging is mostly accomplished via the Activity log for subscription level events and in Resource logs for individual services. Azure Storage Analytics logs are separate from the Resource and Activity logs and are configured independently.
Activity logs can be configured to be sent outside of the Azure portal, such as to an Event Hub, via the Azure Monitor, as well as other methods.
Further documentation can be found on Microsoft’s documentation portal for the Azure Activity log.
Resource logs require that a diagnostic setting be configured per service and forwarded to an Event Hub, typically, for external consumption. It’s recommended that diagnostic settings for each service be set at Audit or All to ensure a complete view of resource activities. It’s also recommended to use Key Vault audit logging if the Azure Key Vault service is being utilized.
Further documentation can be found on Microsoft’s Documentation Portal for Azure Diagnostic Settings.
Storage Analytics logs are similarly configured using diagnostic settings. It is recommended to enable Read, Write and Delete data logging. Version 1.0 and 2.0 of Storage Analytics logs are supported.
Further documentation can be found on Microsoft’s Documentation Portal for Azure Storage Analytics Logs
Both Activity and Resource logs are in JSON format and are parsed and mapped using the same parser and mapper in Cloud SIEM. Because Azure Storage Analytics is in CSV format, it uses an independent parser and mapper.
Newly formed cloud detections
We’ve added coverage for the MITRE ATT&CK Data Sources with Tactics & Techniques in Cloud SIEM. These detections monitor largely for sensitive operations undertaken within Microsoft’s Azure platform. For example, attempts to disable logging for an attacker to hide subsequent malicious activities and the creation of cloud infrastructure to carry out further attacks within and without the compromised environment.
Cloud Service (DS0025)
Impair Defenses (T1562)
-
Diagnostic Setting deletions
-
Diagnostic Setting modifications
-
Event Hub deletions
Data Destruction (T1485)
-
Key and Secret deletions
-
Key and Secret backups
-
Protected item deletion
OS Credential Dumping (T1003)
-
Excessive Key and Secret access
Modify Cloud Compute Infrastructure (T1578)
-
SQL database export
Cloud Storage (DS0010)
Data from Cloud Storage Object (T1530)
-
Anonymous storage blob access
-
Storage Blob Container creations
-
Storage Blob Container deletions
Instance (DS0030)
Modify Cloud Compute Infrastructure (T1578)
-
Virtual Machine and Bastion Host creations
-
Virtual Machine and Bastion Host deletions
-
Virtual Machine Start and Stops
Image (DS0007)
Build Image on Host (T1612)
-
Azure – Image Created/Modified
Data Destruction (T1485)
-
Azure – Image Deleted
Container (DS0032)
Deploy Container (T1610)
-
Container Instance created/modified
User Execution (T1204)
-
Container starts
Each of these new parsers, mappers and detections are available now out-of-the-box for Cloud SIEM customers. As with all Cloud SIEM content, we are always making additions and changes to our content to better serve our customers and respond to the always-evolving threat landscape.
If you’d like to learn more about how we monitor Microsoft Azure and other cloud platforms, see our support for multi-cloud monitoring. We also have a range of existing Microsoft Azure integrations to further streamline your work with Sumo Logic in a Microsoft Azure environment.
