Using Security Center for incident response

  • 8/23/2018

In this sample chapter from Microsoft Azure Security Center, learn how to use Security Center to detect threats against your environment, and how to investigate security issues as part of your incident-response process.

In the previous chapter, you learned how to address security recommendations using Azure Security Center, which is part of the overall enhancement of your security posture. However, protection is just one of the pillars of your security posture. You also need to enhance your detection and response.

On the detection front, Security Center constantly monitors your assets. When it identifies suspicious activity, it raises an alert. It also works to reduce false positives, which matters a great deal for your security operations team.

In this chapter, you will learn how to use Security Center to detect threats against your environment, and how to investigate security issues as part of your incident-response process.

Understanding security alerts

The information gathered by Security Center in conjunction with network data and feeds from connected partners is used to detect threats and suspicious activities. Security Center analyzes this information by correlating the data from these sources to identify threats. Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.

Security Center uses advanced security analytics and machine-learning technologies to evaluate events across the entire cloud fabric. The security analytics include data from multiple sources, including Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds. Security Center also applies known patterns to discover malicious behavior, which is called behavioral analysis.

Security Center also uses statistical profiling to build a historical baseline of normal activity, which is called anomaly detection. It triggers alerts when it detects deviations from that established baseline that match a potential attack vector.

Regardless of which capability Security Center uses to identify a threat, the result is surfaced in the dashboard as a security alert. A security alert contains valuable information about what triggered the alert, the resources targeted, the source of the attack, and suggestions for remediating the threat.

Security alerts are divided into four categories:

  • Virtual Machine Behavioral Analysis (VMBA): This type of alert uses behavioral analytics to identify compromised resources based on an analysis of the virtual machine (VM) event logs, such as process creation events and login events.

  • Network analysis: This type of alert collects security information from your Azure Internet Protocol Flow Information Export (IPFIX) traffic and analyzes it to identify threats. An example of an alert that belongs to this category is the Suspicious Incoming RDP Network Activity from Multiple Sources alert.

  • Resource analysis: This analyzes your Platform as a Service (PaaS) services, such as Azure SQL, and triggers alerts based on this analysis. An example of an alert that belongs to this category is the Potential SQL Injection alert.

  • Contextual information: This provides extra context to reach a verdict about the nature of the threat and how to mitigate it.
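To make the anomaly-detection idea concrete, here is an added example (written for this chapter summary, not Security Center's own code or algorithm) that builds a statistical baseline from constructed IPFIX-style flow records and flags the pattern behind the "Suspicious Incoming RDP Network Activity from Multiple Sources" alert: a day on which far more distinct remote sources reach TCP/3389 on a host than the historical baseline predicts. The record shape, host name, IP addresses, and thresholds are all assumptions chosen for the illustration.

```python
"""Toy anomaly detector over constructed flow records (not Security Center output).

Baseline: number of distinct source IPs reaching RDP (TCP/3389) on a host per day.
Alert:    a day whose count exceeds mean + k * std-dev of prior days, with an
          absolute floor so a near-zero baseline variance cannot cause noise alerts.
"""
from collections import defaultdict
from statistics import mean, pstdev

RDP_PORT = 3389

# Constructed flow records in an IPFIX-like shape: (day, dst_host, src_ip, dst_port).
SAMPLE_FLOWS = [
    # Days 1-5: a quiet baseline, two or three admin sources per day.
    *[(d, "vm-web01", src, RDP_PORT) for d in range(1, 6) for src in ("10.0.0.5", "10.0.0.6")],
    (3, "vm-web01", "10.0.0.7", RDP_PORT),
    # Traffic on other ports must not count toward the RDP baseline.
    (2, "vm-web01", "198.51.100.9", 443),
    # Day 6: many distinct sources hitting RDP, the pattern the alert describes.
    *[(6, "vm-web01", f"203.0.113.{i}", RDP_PORT) for i in range(1, 41)],
]


def distinct_rdp_sources_per_day(flows, host):
    """Return {day: number of distinct source IPs that reached RDP on `host`}."""
    per_day = defaultdict(set)
    for day, dst_host, src_ip, dst_port in flows:
        if dst_host == host and dst_port == RDP_PORT:
            per_day[day].add(src_ip)
    return {day: len(srcs) for day, srcs in per_day.items()}


def baseline(counts, up_to_day):
    """Mean and population std-dev of the daily counts strictly before `up_to_day`."""
    history = [c for d, c in counts.items() if d < up_to_day]
    if len(history) < 3:
        raise ValueError("not enough history to build a baseline")
    return mean(history), pstdev(history)


def is_anomalous(counts, day, k=3.0, min_sources=10):
    """Return (flagged, observed, threshold) for `day` against its baseline."""
    mu, sigma = baseline(counts, day)
    observed = counts.get(day, 0)
    threshold = max(mu + k * sigma, min_sources)  # floor guards against sigma ~ 0
    return observed > threshold, observed, threshold


def evaluate(flows, host, day):
    """Produce a small alert-style record for one host and day."""
    counts = distinct_rdp_sources_per_day(flows, host)
    flagged, observed, threshold = is_anomalous(counts, day)
    return {"host": host, "day": day, "observed": observed,
            "threshold": round(threshold, 2), "alert": flagged}


if __name__ == "__main__":
    for day in (5, 6):
        print(evaluate(SAMPLE_FLOWS, "vm-web01", day))
```

Day 5 stays within the baseline (two sources, threshold 10), while day 6 with forty distinct sources is flagged. The absolute floor is the detail worth noting: with a baseline that barely varies, a pure mean-plus-k-sigma rule would alert on a single extra administrator logging in, so a minimum count keeps the detector focused on genuinely broad scanning behaviour.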