1. Welcome to the Azure Sentinel webinar
We will start 2-3 minutes after the scheduled time to accommodate those still connecting.
Questions? Feel free to type them in the instant message window at any time. Note that any questions you post will be public. You have the option to post questions anonymously. After the webinar, you can ask questions at https://aka.ms/AzureSentinelCommunity.
This webinar is being recorded. We'll post the recordings to our community forums at https://aka.ms/SecurityWebinars.
Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.
Join our Community: https://aka.ms/SecurityCommunity
19. AWS CloudTrail analytics rules and hunting queries mapped to MITRE ATT&CK tactics
Tactic columns on the slide: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Collection, Exfiltration
Rules shown (several appear under more than one tactic):
- Failed AzureAD logons but success logon to AWS Console
- New UserAgent observed in last 24 hours
- Changes to internet facing AWS RDS Database instances
- Changes to Amazon VPC settings
- Login to AWS Management Console without MFA
- MFA disabled for a user
- Tracking Privileged Account Rare Activity
- Suspicious Data Access to S3 Bucket from Unknown IP
- S3 Bucket outbound Data transfer anomaly
- Failed AWS Console logons but success logon to AzureAD
- Exploit and Pentest Framework User Agent
- Changes to AWS Elastic Load Balancer security groups
- Monitor AWS Credential abuse or hijacking
- Changes to AWS Security Group ingress and egress settings
- Changes made to AWS IAM policy
- Privileged role attached to Instance
- Suspicious credential token access of valid IAM Roles
- Known IRIDIUM IP
- Changes made to AWS CloudTrail logs
- (Preview) TI map IP entity to AWSCloudTrail
Legend: Low, Medium, High (severity); Hunting Query
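Two of the rules above, "Login to AWS Management Console without MFA" and the failed-console-logon checks, can be illustrated directly against CloudTrail records. The following is an added example written for this page, not code from the webinar or from the Azure Sentinel content; the records are constructed, but the field names follow the real CloudTrail ConsoleLogin event shape (userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin).

```python
import json

# Constructed sample records (not from the original deck). IP addresses are
# documentation ranges; user names are made up.
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root"},          # root has no userName field
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]

def records_from_json(text):
    """CloudTrail log files wrap events in a top-level "Records" array."""
    return json.loads(text).get("Records", [])

def login_without_mfa(records):
    """Successful console logins where MFA was not used (user or root)."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        if r.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        if r.get("additionalEventData", {}).get("MFAUsed") == "Yes":
            continue
        ident = r.get("userIdentity", {})
        hits.append((ident.get("userName", ident.get("type")), r.get("sourceIPAddress")))
    return hits

def failed_console_logins(records, threshold=1):
    """Source IPs with at least `threshold` failed console logins."""
    counts = {}
    for r in records:
        if r.get("eventName") == "ConsoleLogin" and \
           r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            ip = r.get("sourceIPAddress")
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

In a real deployment the same conditions would be expressed in KQL over the AWSCloudTrail table; this script just makes the matching logic explicit on offline data.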
24. Azure for AWS Professionals
What is AWS CloudTrail ?
MITRE ATT&CK Enterprise Matrix
OSSEM : Data dictionary for AWS Cloud Data sources
Guardduty Active Finding Types
Cloudgoat Scenario : iam_privesc_by_attachment
25. Thank You for Joining Us!
Recordings will be posted to our community forums at https://aka.ms/SecurityWebinars.
You can ask additional questions at https://aka.ms/AzureSentinelCommunity.
Please give us your feedback on this webinar at https://aka.ms/SecurityCommunityWebinarFeedback.
Join our Community: https://aka.ms/SecurityCommunity
For any questions or comments on our documentation (https://docs.microsoft.com), contact us directly at MSsecuritydocs@microsoft.com
Editor's Notes
Logic Apps is very simple, but for high volumes it can be expensive.
Azure Functions is much cheaper, but has a steeper learning curve, even when using PowerShell as the programming language.
Logstash is a popular choice but requires a VM to run on.