Using Security Center for incident response

  • 8/23/2018
Contents

Accessing security alerts

The number of security alerts you see in the Security Center dashboard may vary depending on the amount of resources that you are monitoring with Security Center and the business itself. Some organizations receive more attacks than others, and as a result have more security alerts.

If you don’t have any security alerts in your environment, simulate one by following the procedures in the following article: https://aka.ms/ASCAlertValidation. Once you have an alert, follow these steps to access it:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Detection, click Security Alerts. The Security Alerts dashboard appears. (See Figure 5-3.)

    FIGURE 5-3

    FIGURE 5-3 The Security Alerts dashboard.

  4. The Security Alerts dashboard lists current alerts, organized by severity (with high-severity alerts listed first), and a bar graph showing the distribution of high-, medium-, and low-severity alerts. Click an alert type to open a new blade showing resources that have been flagged with the alert. (See Figure 5-4.)

    FIGURE 5-4

    FIGURE 5-4 A list of attacked resources.

    The list contains the following information about each attacked resource:

    • The name of the attacked resource

    • The number of times the resource was attacked

    • The time at which the attack was detected

    • The environment in which that the resource resides

    • The state of the alert

    • The severity of the alert

  5. Click an attacked resource to see details about the attack, including the following. (See Figure 5-5. Note that the subscription ID has been intentionally obscured in this figure.)

    • A clear description of the attack

    • Attack-specific information, such as the source IP and the software used by the attacker

    • A list of steps to remediate the issue

  6. Return to the main Security Center dashboard.

TIP

You can use the Azure Activity Log to query security alerts originated by Azure Security Center. For more information, see https://aka.ms/ASCActivityLog. You can also use the Alert API to obtain these alerts; see https://aka.ms/ASCAlertAPI for details.

FIGURE 5-5

FIGURE 5-5 Details of a security alert.

Security incidents

Some attacks may happen in a completely isolated way. Others will be coordinated—that is, part of the same attack campaign. Security Center can identify correlations among these types of attacks and create a security incident that contains two or more related security alerts. To see how this works, follow these steps:

  1. In the left pane of the Security Center window, under Detection, click Security Alerts. If Security Center has identified a security incident in your environment, it will create an alert marked by a different icon. (See the first two alerts in Figure 5-6.)

    FIGURE 5-6

    FIGURE 5-6 Security incidents appear in the Security Alert dashboard with a different icon.

  2. Click a security incident. A new blade opens with more details about the incident. In the blade shown in Figure 5-7, the incident contains two alerts and two notable events. These notable events are contextual information that can help you during an investigation. (Note that the subscription ID and attacked resources have been intentionally hidden in the figure.)

    FIGURE 5-7

    FIGURE 5-7 Details about a security incident.

    NOTE

    The advantage of using the Security Incident blade is that it tells you which alerts are related. This can help you to track down the perpetrator and identify com-promised systems.

  3. Click an alert to see details about the alert. The details will be similar to those shown in Figure 5-5.

  4. Click a notable event. This opens a page containing contextual data about the event. (See Figure 5-8.) This page shows the suspicious process name and the command line that was executed, and emphasizes other information that is relevant to your investigation.

    FIGURE 5-8

    FIGURE 5-8 Contextual information with more details about an event.

  5. Return to the main Security Center dashboard.

Custom alerts

Each environment may have its own unique processes that can be identified as suspicious. For example, your organization might consider it suspicious to run a particular executable file, but Security Center might not. To address this type of scenario, Security Center enables you to create your own custom alerts. Follow these steps to create a new custom alert:

  1. In the left pane of the Security Center window, under Detection, click Custom Alert Rules. The Custom Alert Rules blade appears. (See Figure 5-9.)

    FIGURE 5-9

    FIGURE 5-9 Creating a custom alert.

  2. Click the New Custom Alert Rule button. The Create a Custom Alert Rule blade appears. (See Figure 5-10.)

    FIGURE 5-10

    FIGURE 5-10 The Create Custom Alert Rule blade.

  3. In the Name field, type the name for this rule.

  4. In the Description field, type a brief description of the rule’s intent.

  5. In the Severity drop-down list, select the severity level—High, Medium, or Low. Choose a level that reflects the priority of this alert for your security operations team.

  6. In the Sources section, open the Subscription drop-down list and select the subscription that will be used by this custom rule.

  7. Open the Workspace drop-down list and choose the workspace against which this rule should be running.

  8. In the Search Query box in the Criteria section, search for the event you want to monitor. For example, if you want to monitor all security events whose identifier is 4688 and whose command line contains the word diskpart, type the following query and click the Execute Your Search Query Now link:

    SecurityEvent | where EventID==4688 and CommandLine contains "diskpart"

    TIP

    The query language used for this search is the Log Analytics language. For more information about this language, and for more examples, see https://aka.ms/laquerylan.

  9. In the Period drop-down list, select the time interval that should be used for this query. (By default, it will test over the last hour.)

  10. In the Evaluation section, open the Evaluation Frequency drop-down list and specify how frequently this custom rule should be executed.

  11. The Generate Alert Based On section contains two settings that are directly correlated: Number of Results and Threshold. Open the Number of Results drop-down list and choose Greater Than. Then, in the Threshold box, type 2. The alert will be triggered if the result for the query is greater than 2.

  12. Select the Enable Suppress Alerts option if you want to set a time to wait before Security Center sends another alert for this rule.

  13. Click OK to create the new rule. It will appear in the Custom Alert Rules section of the Custom Alert blade. (See Figure 5-11.)

    FIGURE 5-11

    FIGURE 5-11 The new custom rule.

  14. Now that you’ve created the new rule, alerts pertaining to this rule will appear with other alerts in the Security Alerts dashboard. (See Figure 5-12.)

    FIGURE 5-12

    FIGURE 5-12 A new security alert based on the custom rule that was created.

Save to your account

This chapter is from the book