Monitoring User Activities

With the maturity of cloud, usages of the Cloud Computing is rocketing as they are offering enrich services at affordable price. It's normal that an organization having multiple subscriptions and multiple users' managing it. Azure logs every user's activities that are performed against its resources including the action performed by pre-defined code using Runbook. What so ever the error collection domain the Microsoft gives, I prefer to group this into two. Logs auto-generated by System/Application or User Activates Log, which will trigger the previous logs.

In this blog, I will discuss how user activities can be traced down to the various events so that anomalies (defined by the organizational norms) can be detected.

User Login

User's identity could be cloud only, federated or hybrid. Depending on their identity model, Azure Active directory will handle the authentication or will forward to the identity handler. For example, if ADFS is in place, then it will redirect the request to the federated server. Once the user proves themselves who they are based on their claim, user's will get access to their system. As the session is established, RBAC will determine their ability to perform an action against resources. All these activities can be monitored. Navigate to the Azure AD blade from the portal, and then Sign In. You can customize the data you want to retrieve back based on the retention period you define. Based on its machine learning algorithm, Auditing these activities will give us more insight of user login activities and trace down anomalies. This equally applies to Office365 as well as Azure as it usages single source of authentication. You could find the user's who have not logged in for several months or needs removal so that you may free some license and save cost.

Risky Sign-Ins

Azure AD detects and logs the Risky Sign-Ins event which can be viewed/downloaded from Portal. All typical locations of Azure AD (Free and Basic, Premium 1, Premium 2) supports this features however for more detail report we must acquire the premium license. Its always good to have this enabled for all users or at least for all privileged user account. This process can be automated by applying policies on how to handle such event. It usages it's adaptive machine learning algorithm to detect such event based on the past user's sign-ins records. These events could be Users with leaked credentials, Sign-Ins from anonymous IP Addresses, Impossible travel to atypical locations, Sign-Ins from infected devices, Sing-Ins from IP Address with suspicious activity, Sign-Ins from unfamiliar locations.

Actions Performed Against Resources

Privilege user can create, modify and delete resources. We can audit those activities using the Azure Monitor service. Log analytics, Activities Log, Network Watcher is useful when analyzing that information and apply alert to similar activities if performed again. Information such as who initiated an event, which IP was used can be traced down. OMS organized and visualize such events including system health of devices being monitored. Lots of quantitate analysis can be performed on the data collected by log analytics. Such data can be transferred to third-party visualization tools. Security Poster Assessment has to be performed regularly based on the data collected.

Comments

Post a Comment

Popular posts from this blog

Deploy Palo Alto in Azure

Image
There are many ways to deploy Palo Alto Firewall in Azure. Out of those options today I will discuss how Palo Alto can be configured to protect your Azure workload. This setup is suitable for Proof of Concept only. Planning-Includes Minimum Requirement - Without HA Logical Diagram:  Create Virtual Network Name: PAN-VNet Address Space: 10.0.0.0/16 Subnet Name: Management Subnet Address Space: 10.0.1.0/24 Subnet Name: Untrust Subnet Address Space: 10.0.2.0/24 Subnet Name: Trust Subnet Address Space: 10.0.3.0/24 Resource Group: PA-VNet    Subnet Spin Web Server Virtual Machine  Name: SecureWebServices Image: Windows Server 2016 Resource Group: Services Network: PAN-VNet Subnet: Trust Role: Web Server (IIS) Installed Change NSG rules of Web Server to accept request on port 80, if you wish to test the web request. However, later on, this behaviour will be controlled through firewall. Spin Palo Alto Firewall Virtual Machine Name: vmseries300 Im
Read more

Demystifying System and User Define Routes of Azure

Image
As Virtual Network is created, Azure automatically create its own route tables for that Virtual Network, so that all the packets which enters the virtual network can traverse within its address prefix and leave the subnet for its destination. These are known as the Default Routes . We can’t modify these routes; however, we can add our custom routes on top of default routes for the traffic leaving the subnet. These custome route is known as User Define Routes . In this case, we are modifying the default behaviour of packets routing but still the internal and external routing of packet is done by virtual network to ensure that our packets are never hijacked.  In another word, we are adding routes and requesting virtual network to routes traffic in the way we want. So far its not possible to route the traffic independently bypassing the Azure Virtual Network routing mechanism and for security reason I do not think this will ever be possible. Common Use Case of UDR:  Every bus
Read more

Azure Web App Vnet Integration - Hub and Spoke Scenario

Image
Integrating Web Apps with virtual network allows us to access the resources which is located within our private network space, however web apps will be still be accessible from internet. App Service Environment could be possible solution if you wish to make your Web App completely private. In this blog I will be discussing the 3 possible use cases. Integrate Web Apps with VNet and verify connectivity between Web App and a VM which is deployed within the same VNet.  Web App Integration in Hub and Spoke  Establish connectivity between On-Prem network and Azure Web App Use Case 1 - Simple We need to have the following things to meet the goal with use case 1. 1. Virtual Network - Ansible-vnet - Address Space -10.0.0.0/16 2. Provision a Gateway Subnet - Address Space - 10.0.1.0/24 3. Virtual Network Gateway - WebApp-GW : SKU - VpnGw1 4. Create Point to Site in WebApp-GW - Address Space : 172.16.201.0/24 5. Since, SKU - VpnGw1 is used, IKEv2 VPN should be unchecked. (
Read more