defender + monitoring

Author: carlospolop

src/SUMMARY.md

@@ -417,12 +417,14 @@
     - [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md)
     - [Az - Container Instances, Apps & Jobs](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md)
     - [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md)
+    - [Az - Defender](pentesting-cloud/azure-security/az-services/az-defender.md)
     - [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
     - [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
     - [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
     - [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md)
     - [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
     - [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
+    - [Az - Monitoring](pentesting-cloud/azure-security/az-services/az-monitoring.md)
     - [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md)
     - [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md)
     - [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue.md)

src/pentesting-cloud/azure-security/az-services/az-defender.md

@@ -0,0 +1,39 @@
+# Az - Defender
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Microsoft Defender for Cloud
+
+Microsoft Defender for Cloud is a comprehensive security management solution that spans Azure, on-premises, and multi-cloud environments. It is categorized as a Cloud-Native Application Protection Platform (CNAPP), combining Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWPP) capabilities​. Its purpose is to help organizations find **misconfigurations and weak spots in cloud resources**, strengthen overall security posture, and protect workloads from evolving threats across Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), hybrid on-premises setups​ and more.
+
+In practical terms, Defender for Cloud **continuously assesses your resources against security best practices and standards**, provides a unified dashboard for visibility, and uses advanced threat detection to alert you of attacks. Key benefits include a **unified view of security across clouds**, actionable recommendations to prevent breaches, and integrated threat protection that can reduce the risk of security incidents​.
+By supporting AWS and GCP and other SaaS platforms natively and using Azure Arc for on-premises servers, it ensures you can **manage security in one place** for all environments​.
+
+### Key Features
+
+- **Recommendations**: This section presents a list of actionable security recommendations based on continuous assessments. Each recommendation explains identified misconfigurations or vulnerabilities and provides remediation steps, so you know exactly what to fix to improve your secure score.
+- **Attack Path Analysis**: Attack Path Analysis visually maps potential attack routes across your cloud resources. By showing how vulnerabilities connect and could be exploited, it helps you understand and break these paths to prevent breaches.
+- **Security Alerts**: The Security Alerts page notifies you of real-time threats and suspicious activities. Each alert includes details such as severity, affected resources, and recommended actions, ensuring you can respond quickly to emerging issues.
+  - Detection techniques are based on **threat intelligence, behavioral analytics and anomaly detection**.
+  - It’s possible to find all the possible alerts in https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference. Based on the name and description it’s possible to know **what is the alert looking for** (to bypass it).
+- **Inventory**: In the Inventory section, you find a comprehensive list of all monitored assets across your environments. It provides an at-a-glance view of each resource’s security status, helping you quickly spot unprotected or risky assets that need remediation.
+- **Cloud Security Explorer**: Cloud Security Explorer offers a query-based interface to search and analyze your cloud environment. It allows you to uncover hidden security risks and explore complex relationships between resources, enhancing your overall threat-hunting capabilities.
+- **Workbooks**: Workbooks are interactive reports that visualize your security data. Using pre-built or custom templates, they help you monitor trends, track compliance, and review changes in your secure score over time, making data-driven security decisions easier.
+- **Community**: The Community section connects you with peers, expert forums, and best practice guides. It’s a valuable resource for learning from others’ experiences, finding troubleshooting tips, and staying updated on the latest Defender for Cloud developments.
+- **Diagnose and Solve Problems**: This troubleshooting hub helps you quickly identify and resolve issues related to Defender for Cloud’s configuration or data collection. It provides guided diagnostics and solutions to ensure the platform operates effectively.
+- **Security Posture**: The Security Posture page aggregates your overall security status into a single secure score. It provides insights into which areas of your cloud are strong and where improvements are needed, serving as a quick health check of your environment.
+- **Regulatory Compliance**: This dashboard evaluates how well your resources adhere to industry standards and regulatory requirements. It shows compliance scores against benchmarks like PCI DSS or ISO 27001, helping you pinpoint gaps and track remediation for audits.
+- **Workload Protections**: Workload Protections focuses on securing specific resource types (like servers, databases, and containers). It indicates which Defender plans are active and provides tailored alerts and recommendations for each workload to enhance their protection. It’s able to find malicious behaviours in specific resources.
+  - This is also the option to **`Enable Microsoft Defender for X`** you can find in certain services.
+- **Data and AI Security (Preview)**: In this preview section, Defender for Cloud extends its protection to data stores and AI services. It highlights security gaps and monitors sensitive data, ensuring that both your data repositories and AI platforms are safeguarded against threats.
+- **Firewall Manager**: The Firewall Manager integrates with Azure Firewall to give you a centralized view of your network security policies. It simplifies managing and monitoring firewall deployments, ensuring consistent application of security rules across your virtual networks.
+- **DevOps Security**: DevOps Security integrates with your development pipelines and code repositories to embed security early in the software lifecycle. It helps identify vulnerabilities in code and configurations, ensuring that security is built into the development process.
+
+## Microsoft Defender EASM
+
+Microsoft Defender External Attack Surface Management (EASM) continuously **scans and maps your organization’s internet-facing assets**—including domains, subdomains, IP addresses, and web applications—to provide a comprehensive, real-time view of your external digital footprint. It leverages advanced crawling techniques, starting from known discovery seeds, to automatically uncover both managed and shadow IT assets that might otherwise remain hidden. EASM identifies **risky configurations** such as exposed administrative interfaces, publicly accessible storage buckets and services vulnerable to different CVEs, enabling your security team to address these issues before they are exploited.
+Moreover, the continuous monitoring can also show **changes in the exposed infrastructure** comparing different scan results so the admin can be aware of every change performed.
+By delivering real-time insights and detailed asset inventories, Defender EASM empowers organizations to **continuously monitor and track changes to their external exposure**. It uses risk-based analysis to prioritize findings based on severity and contextual factors, ensuring that remediation efforts are focused where they matter most. This proactive approach not only helps in uncovering hidden vulnerabilities but also supports the continuous improvement of your overall security posture by alerting you to any new exposures as they emerge.
+
+{{#include ../../../banners/hacktricks-training.md}}
+

src/pentesting-cloud/azure-security/az-services/az-monitoring.md

@@ -0,0 +1,109 @@
+# Az - Monitoring
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Entra ID - Logs
+
+There are 3 types of logs available in Entra ID:
+
+- **Sign-in Logs**: Sign-in logs document every authentication attempt, whether successful or failed. They offer details such as IP addresses, locations, device information and applied conditional access policies, which are essential for monitoring user activity and detecting suspicious login behavior or potential security threats.
+- **Audit Logs**: Audit logs provide a record of all changes made within your Entra ID environment. They capture updates to users, groups, roles, or policies for example. These logs are vital for compliance and security investigations, as they let you review who made what change and when.
+- **Provisioning Logs**: Provisioning logs provide information about users provisioned in your tenant through a third-party service (such as on-premises directories or SaaS applications). These logs help you understand how identity information is synchronized.
+
+> [!WARNING]
+> Note that these logs are only stored for **7 days** in the free version, **30 days** in P1/P2 version and 60 additional days in security signals for risky signin activity. However, not even a global admin would be able to **modify or delete them earlier**.
+
+## Entra ID - Log Systems
+
+- **Diagnostic Settings**: A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to. Normal usage charges for the destination will occur. Learn more about the different log categories and contents of those logs.
+    - **Destinations**:
+        - **Analytics Workspace**: Investigation through Azure Log Analytics and create alerts.
+        - **Storage account**: Static análysis and backup.
+        - **Event hub**: Stream data to external systems like third-party SIEMs.
+        - **Monitor partner solutions**: Special integrations between Azure Monitor and other non-Microsoft monitoring platforms.
+- **Workbooks**: Workbooks combine text, log queries, metrics, and parameters into rich interactive reports.
+- **Usage & Insights**: Useful to see the most common activities in Entra ID
+
+## Azure Monitor
+
+These are the main features of Azure Monitor:
+
+- **Activity Logs**: Azure Activity Logs capture subscription‑level events and management operations, giving you an overview of changes and actions taken on your resources.
+    - **Activily logs** cannot be modified or deleted.
+- **Change Analysis**: Change Analysis automatically detects and visualizes configuration and state changes across your Azure resources to help diagnose issues and track modifications over time.
+- **Alerts**: Alerts from Azure Monitor are automated notifications triggered when specified conditions or thresholds are met in your Azure environment.
+- **Workbooks**: Workbooks are interactive, customizable dashboards within Azure Monitor that enable you to combine and visualize data from various sources for comprehensive analysis.
+- **Investigator**: Investigator helps you drill down into log data and alerts to conduct deep-rooted analysis and identify the cause of incidents.
+- **Insights**: Insights provide analytics, performance metrics, and actionable recommendations (like those in Application Insights or VM Insights) to help you monitor and optimize the health and efficiency of your applications and infrastructure.
+
+### Log Analytics Workspaces
+
+Log Analytics workspaces are central repositories in Azure Monitor where you can **collect, analyze, and visualize log and performance data** from your Azure resources and on-premises environments. Here are the key points:
+
+- **Centralized Data Storage**: They serve as the central location to store diagnostic logs, performance metrics, and custom logs generated by your applications and services.
+- **Powerful Query Capabilities**: You can run queries using Kusto Query Language (KQL) to analyze the data, generate insights, and troubleshoot issues.
+- **Integration with Monitoring Tools**: Log Analytics workspaces integrate with various Azure services (such as Azure Monitor, Azure Sentinel, and Application Insights) allowing you to create dashboards, set up alerts, and gain a comprehensive view of your environment.
+
+In summary, a Log Analytics workspace is essential for advanced monitoring, troubleshooting, and security analysis in Azure.
+
+You can configure a resource to send data to an analytics workspace from the **diagnostic settings** of the resource.
+
+## Enumeration
+
+### Entra ID
+
+```bash
+# Get last 10 sign-ins
+az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=10'
+
+# Get last 10 audit logs
+az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=10'
+
+# Get last 10 provisioning logs
+az rest --method get --uri ‘https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=10’
+
+# Get EntraID Diagnostic Settings
+az rest --method get --uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
+
+# Get Entra ID Workbooks
+az rest \
+  --method POST \
+  --url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
+  --headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
+  --body '{
+    "subscriptions": ["9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
+    "query": "where type =~ \"microsoft.insights/workbooks\" \n| extend sourceId = tostring(properties.sourceId) \n| where sourceId =~ \"Azure Active Directory\" \n| extend DisplayName = tostring(properties.displayName) \n| extend WorkbookType = tostring(properties.category), LastUpdate = todatetime(properties.timeModified) \n| where WorkbookType == \"workbook\"\n| project DisplayName, name, resourceGroup, kind, location, id, type, subscriptionId, tags, WorkbookType, LastUpdate, identity, properties",
+    "options": {"resultFormat": "table"},
+    "name": "e4774363-5160-4c09-9d71-2da6c8e3b00a"
+  }' | jq '.data.rows'
+```
+
+### Azure Monitor
+
+```bash
+# Get last 10 activity logs
+az monitor activity-log list --max-events 10
+
+# Get Resource Diagnostic Settings
+az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.DocumentDb/databaseAccounts/<db-name>/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview"
+
+# Get Entra ID Workbooks
+az rest \
+  --method POST \
+  --url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
+  --headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
+  --body '{
+    "content": {},
+    "commandName": "AppInsightsExtension.GetWorkbooksListArg"
+  }'
+
+# List Log Analytic groups
+az monitor log-analytics workspace list --output table
+
+# List alerts
+az monitor metrics alert list --output table
+az monitor activity-log alert list --output table
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
+