Sponsored by
Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen
© 2019 Monterey Technology Group Inc.
Thanks to
- Made possible by
Preview of Key Points
- The more things change the more they stay the same
- Logging in
  - Azure Resource Manager
    - Control plane
    - Application plane
  - Azure AD
  - Office 365
- 8 examples of cloud events you want to know about
Logs
- With on-prem technology, there are many different kinds of log sources
  - Each with their own format
  - Cryptic fields
  - Duplicate and incomplete data
- Unfortunately, it’s the same story in the cloud
[Slide 5 diagram: Azure Logging. Azure Resource Manager writes the Activity Log (Control Plane). Application Plane sources and their logs: Virtual Machine (EVTX, IIS, etc.), Storage Account (Storage Analytics), SQL DB (SQL Audit), Diagnostic Logs, Virtual Network (Flow Logs). Azure AD: Audit Log and Sign-ins.]
[Slide 6 diagram: Office 365 Logging. Azure AD (Audit Log, Sign-ins), Exchange, SharePoint / OneDrive, and Sway, Yammer, Teams, etc. feed the Unified Audit Log ("Kind of"). Schema: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema]
Each log source
- Enable logging
- Which events
- Destination
- Interpret
8 examples of cloud events you want to know about
- Storage account accessed via stolen key
- Privileged logon to Azure Resource Manager with bad password
- Windows level intrusion of Virtual Machine
- Azure SQL Database level intrusion
- Backdoor account created in Azure AD
- Traffic restriction loosened on Virtual Network
- Subscription Administrator added
- CEO’s mailbox accessed by another user
Storage account accessed via stolen key
Log: Storage Analytics
Format: semicolon/lf
- Shared key access to storage accounts
- Security very brittle
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;557;0;559;1698;0;;;""0x8D6F03FD5C0F68F"";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;23.253.78.215:64918;2018-03-28;557;0;559;1698;0;;;""0x8D6F03FD5C0F68F"";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:40.3070744Z;GetBlobProperties;Success;200;3;3;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs/blob/2019/06/13/2000/000004.log";"/uwsstorage1/$logs/blob/2019/06/13/2000/000004.log";1275b599-a01e-0098-1a2f-226adb000000;0;160.238.136.130:64918;2018-03-28;558;0;607;0;0;;;""0x8D6F03FD5C0F68F"";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0d1d3bd0-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:27.8928186Z;ListBlobs;Success;200;128;28;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs?restype=container&comp=list&maxresults=1000&delimiter=%2F&prefix=blob%2F2019%2F06%2F13%2F2000%2F";"/uwsstorage1/$logs";34afa9cd-f01e-00ed-592f-22ed60000000;0;160.238.136.130:64917;2018-03-28;610;0;152;3428;0;;;;;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"05904010-8e23-11e9-b618-bf2a9352902c";;;;;;;;
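The stolen-key signal in these records is that the same shared-key ("authenticated") GetBlob for the same object arrives from a second source address (23.253.78.215 instead of 160.238.136.130). As an added example that is not part of the deck, the Python below parses the semicolon-delimited Storage Analytics format with the csv module (the field positions follow the published 1.0/2.0 layout, which the slide's records match), learns which addresses normally use the key for each account during a baseline window, and flags shared-key requests from any other address. The sample records are constructed from the slide's lines with shortened user-agent strings.

```python
import csv
import io
from collections import defaultdict

# Positions of the fields this check needs in the Storage Analytics log format
# (versions 1.0 and 2.0 share this prefix; 2.0 appends further fields).
REQUEST_START, OPERATION, STATUS, AUTH_TYPE = 1, 2, 3, 7
REQUESTER_ACCOUNT, OWNER_ACCOUNT, OBJECT_KEY, REQUESTER_IP, USER_AGENT = 8, 9, 12, 15, 27

# Constructed sample records modelled on the slide's GetBlob lines: two requests
# from the administrator's workstation (160.238.136.130), then the same blob
# fetched with the same shared key from an address never seen before
# (23.253.78.215), and finally an anonymous read of a public blob.
SAMPLE_LOG = """\
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/apps/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;557;0;559;1698;0;;;"0x8D6F03FD5C0F68F";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:40.3070744Z;GetBlobProperties;Success;200;3;3;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs/blob/2019/06/13/2000/000004.log";"/uwsstorage1/$logs/blob/2019/06/13/2000/000004.log";1275b599-a01e-0098-1a2f-226adb000000;0;160.238.136.130:64918;2018-03-28;558;0;607;0;0;;;"0x8D6F03FD5C0F68F";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32";;"0d1d3bd0-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:41:02.1000000Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/apps/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000001;0;23.253.78.215:64918;2018-03-28;557;0;559;1698;0;;;"0x8D6F03FD5C0F68F";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32";;"0c98c990-8e23-11e9-8293-ffe0703d9b5b";;;;;;;;
2.0;2019-06-13T21:42:10.0000000Z;GetBlob;AnonymousSuccess;200;12;12;anonymous;;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/public/logo.png";"/uwsstorage1/public/logo.png";1275b2ef-a01e-0098-3c2f-226adb000002;0;198.51.100.7:51000;2018-03-28;200;0;300;900;0;;;"0x8D6F03FD5C0F690";Thursday, 13-Jun-19 20:43:47 GMT;;"Mozilla/5.0";;"";;;;;;;;
"""


def parse_storage_log(text):
    """Parse semicolon-delimited Storage Analytics records into dicts."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row or not row[0].strip():
            continue
        records.append({
            "time": row[REQUEST_START],
            "operation": row[OPERATION],
            "status": row[STATUS],
            "auth": row[AUTH_TYPE],          # authenticated (shared key), sas or anonymous
            "requester": row[REQUESTER_ACCOUNT],
            "account": row[OWNER_ACCOUNT],
            "object": row[OBJECT_KEY],
            # The requester IP field carries a source port; keep only the address.
            "ip": row[REQUESTER_IP].rsplit(":", 1)[0],
            "user_agent": row[USER_AGENT],
        })
    return records


def baseline_ips(records, until):
    """Per storage account, the source addresses seen using the shared key up to
    the cut-off timestamp (ISO 8601 strings in UTC compare correctly as text)."""
    seen = defaultdict(set)
    for r in records:
        if r["auth"] == "authenticated" and r["time"] <= until:
            seen[r["account"]].add(r["ip"])
    return seen


def flag_new_shared_key_ips(records, baseline):
    """Shared-key requests from an address the account has not used before."""
    return [r for r in records
            if r["auth"] == "authenticated"
            and r["ip"] not in baseline.get(r["account"], set())]


if __name__ == "__main__":
    recs = parse_storage_log(SAMPLE_LOG)
    known = baseline_ips(recs, "2019-06-13T21:40:00Z")
    for hit in flag_new_shared_key_ips(recs, known):
        print(f'{hit["time"]} {hit["operation"]} {hit["object"]} from {hit["ip"]} via {hit["user_agent"]}')
```

The baseline is learned, not hard-coded, because a shared key is used by every client that holds it and the set of legitimate addresses differs per account; a hit from an address outside that set, for the same object and the same user agent, is the pattern the slide describes.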
Privileged logon attempt to Azure Resource Manager with bad password
Log: Azure AD Signins
Format: csv or json

Date (UTC) | User | Application | Application ID | Resource ID | Resource | IP address | Location | Status | Sign-in error code | Failure reason
2019-06-13T20:16:07.1836708+00:00 | Randy Franklin Smith | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Windows Azure Service Management API | 23.253.78.215 | Dallas, Texas, US | Failure | 50126 | Invalid username or password or Invalid on-premise username or password.
2019-06-13T19:01:39.349708+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:21.5189135+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:07.5555883+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:00:53.8268405+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
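Two things in this table matter more than the individual rows: the failed logon against the Azure Resource Manager control plane (resource "Windows Azure Service Management API", error 50126) and the lockouts (50053) arriving from a country the account holder is not in. As an added example, not code from the deck, the Python below classifies each sign-in record and rolls a burst of failures up into one per-user summary. The field names (status.errorCode, location.countryOrRegion, resourceDisplayName) are assumed to follow the Azure AD sign-in log JSON export; the records are constructed from the slide's table with names and addresses changed.

```python
# Sign-in error codes seen on the slide.
BAD_PASSWORD = 50126
LOCKED_OUT = 50053
# Resources whose failed logons matter most: the ARM control plane is what the
# Azure Portal signs in to (first row of the slide's table).
PRIVILEGED_RESOURCES = {"Windows Azure Service Management API"}
# Where this tenant's privileged users normally sign in from (assumption).
EXPECTED_COUNTRIES = {"US"}

# Constructed sample modelled on the slide's table: one bad password against the
# control plane, two lockouts from abroad, one ordinary success.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2019-06-13T20:16:07+00:00", "userPrincipalName": "rsmith@example.com",
     "appDisplayName": "Azure Portal", "resourceDisplayName": "Windows Azure Service Management API",
     "ipAddress": "203.0.113.10", "location": {"city": "Dallas", "countryOrRegion": "US"},
     "status": {"errorCode": BAD_PASSWORD, "failureReason": "Invalid username or password"}},
    {"createdDateTime": "2019-06-13T19:01:39+00:00", "userPrincipalName": "rsmith@example.com",
     "appDisplayName": "Office 365", "resourceDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.22", "location": {"city": "Shanghai", "countryOrRegion": "CN"},
     "status": {"errorCode": LOCKED_OUT, "failureReason": "Account is locked"}},
    {"createdDateTime": "2019-06-13T19:01:21+00:00", "userPrincipalName": "rsmith@example.com",
     "appDisplayName": "Office 365", "resourceDisplayName": "Office 365 Exchange Online",
     "ipAddress": "198.51.100.22", "location": {"city": "Shanghai", "countryOrRegion": "CN"},
     "status": {"errorCode": LOCKED_OUT, "failureReason": "Account is locked"}},
    {"createdDateTime": "2019-06-13T18:30:00+00:00", "userPrincipalName": "rsmith@example.com",
     "appDisplayName": "Azure Portal", "resourceDisplayName": "Windows Azure Service Management API",
     "ipAddress": "203.0.113.10", "location": {"city": "Dallas", "countryOrRegion": "US"},
     "status": {"errorCode": 0, "failureReason": ""}},
]


def failure_flags(signin):
    """Why one failed sign-in deserves attention (empty list for a success)."""
    code = signin["status"]["errorCode"]
    if code == 0:
        return []
    flags = []
    if signin["resourceDisplayName"] in PRIVILEGED_RESOURCES:
        flags.append("failed privileged logon")
    if code == LOCKED_OUT:
        flags.append("account locked out")
    if signin["location"]["countryOrRegion"] not in EXPECTED_COUNTRIES:
        flags.append("unexpected country")
    return flags


def summarize_by_user(signins):
    """One entry per user: failure count, distinct source IPs and countries, and
    the union of flags, so a burst produces one alert instead of one per row."""
    summary = {}
    for s in signins:
        if s["status"]["errorCode"] == 0:
            continue
        entry = summary.setdefault(s["userPrincipalName"],
                                   {"failures": 0, "ips": set(), "countries": set(), "flags": set()})
        entry["failures"] += 1
        entry["ips"].add(s["ipAddress"])
        entry["countries"].add(s["location"]["countryOrRegion"])
        entry["flags"].update(failure_flags(s))
    return summary


if __name__ == "__main__":
    for user, entry in summarize_by_user(SAMPLE_SIGNINS).items():
        print(user, entry["failures"], sorted(entry["countries"]), sorted(entry["flags"]))
```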
Windows level intrusion of Virtual Machine
Log: WADWindowsEventLogsTable
Format: Table
- Windows Security Log of the VM
- Sent with all other tracked EVTX events to a Table on specified Storage Account
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/><EventRecordID>1611</EventRecordID><Correlation ActivityID='{4dd9e9e0-6126-0000-7297-983cb122d501}'/><Execution ProcessID='680' ThreadID='2284'/><Channel>Security</Channel><Computer>wbr1</Computer><Security/></System><EventData><Data Name='TargetUserName'>bosshogg</Data><Data Name='TargetDomainName'>wbr1</Data><Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>wbr1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='CallerProcessId'>0x694</Data><Data Name='CallerProcessName'>C:WindowsAzurePackagesWaAppAgent.exe</Data></EventData></Event>
```
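The WAD table stores each Security Log record as the EVTX XML shown above, so the same parser works for every event the agent forwards. The record itself is a 4798 ("a user's local group membership was enumerated") for the RID-500 account, raised by the Azure guest agent, which is routine. As an added example that is not part of the deck, the Python below parses that XML with the standard library and keeps only 4798 events whose caller process is not the agent. The agent path is an assumption (the slide's copy lost its backslashes), and both sample events are constructed: the first mirrors the slide, the second has net1.exe performing the same enumeration under a service account.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Processes expected to enumerate local group membership on an Azure VM.
# Assumed path for the guest agent; adjust to what your VMs actually run.
EXPECTED_CALLERS = {r"C:\WindowsAzure\Packages\WaAppAgent.exe"}

# Constructed sample records in the form WADWindowsEventLogsTable stores.
EVENT_AGENT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/><Channel>Security</Channel><Computer>wbr1</Computer></System><EventData><Data Name='TargetUserName'>bosshogg</Data><Data Name='TargetDomainName'>wbr1</Data><Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data><Data Name='SubjectUserName'>wbr1$</Data><Data Name='CallerProcessId'>0x694</Data><Data Name='CallerProcessName'>C:\WindowsAzure\Packages\WaAppAgent.exe</Data></EventData></Event>"""
EVENT_NET1 = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><TimeCreated SystemTime='2019-06-14T14:12:41.000000000Z'/><Channel>Security</Channel><Computer>wbr1</Computer></System><EventData><Data Name='TargetUserName'>bosshogg</Data><Data Name='TargetDomainName'>wbr1</Data><Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data><Data Name='SubjectUserName'>svc_backup</Data><Data Name='CallerProcessId'>0x1a2c</Data><Data Name='CallerProcessName'>C:\Windows\System32\net1.exe</Data></EventData></Event>"""


def parse_security_event(xml_text):
    """Pull the System header fields and the named EventData values out of one
    EVTX XML record; the default namespace applies to every element."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": data,
    }


def is_unexpected_enumeration(event):
    """4798 from anything other than the platform agent: someone is looking at
    which accounts are local administrators."""
    if event["event_id"] != 4798:
        return False
    return event["data"].get("CallerProcessName") not in EXPECTED_CALLERS


def triage(xml_events):
    """Parse a batch of stored records and return the ones worth a look."""
    hits = []
    for xml_text in xml_events:
        ev = parse_security_event(xml_text)
        if is_unexpected_enumeration(ev):
            hits.append({"computer": ev["computer"], "time": ev["time"],
                         "subject": ev["data"].get("SubjectUserName"),
                         "target": ev["data"].get("TargetUserName"),
                         "caller": ev["data"].get("CallerProcessName")})
    return hits


if __name__ == "__main__":
    for hit in triage([EVENT_AGENT, EVENT_NET1]):
        print(hit)
```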
Azure SQL Database level intrusion
Log: sqldbauditlogs
Format: XEL
Backdoor account created in Azure AD
Log: Azure AD Audit
Format: JSON
{
  "id": "Directory_J6R02_71893829",
  "category": "UserManagement",
  "correlationId": "d97266c3-13f5-4850-8838-63da5f000694",
  "result": "success",
  "resultReason": "",
  "activityDisplayName": "Add user",
  "activityDateTime": "2019-06-14T15:05:00.4527804+00:00",
  "loggedByService": "Core Directory",
  "initiatedBy": {
    "user": {
      "id": "ecb59d40-fa6a-4a50-a6d4-254cb06a3405",
      "displayName": null,
      "userPrincipalName": "rsmith@montereytechgroup.com",
      "ipAddress": "<null>"
    }
  },
  "targetResources": [
    {
      "id": "df2173b6-3d47-4984-b1b9-263c314e2257",
      "displayName": null,
      "type": "User",
      "userPrincipalName": "azuresync@montereytechgroup.com",
      "groupType": null,
      "modifiedProperties": [
        {
          "displayName": "AccountEnabled",
          "oldValue": "[]",
          "newValue": "[true]"
        },
Traffic restriction loosened on Virtual Network
Log: Azure RM Activity Log
Format: json
{
  "authorization": {
    "action": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "caller": "rsmith@montereytechgroup.com",
    "channels": "Operation",
    "ipaddr": "160.238.136.130",
    "name": "Randy Franklin Smith",
    "localizedValue": "Create or Update Security Rule",
    "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP",
    "submissionTimestamp": "2019-06-14T15:09:25.0686119Z",
    "responseBody": "{"name":"RDP","id":"/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP","etag":"W/"2d306427-dc80-498e-b410-964a7490e134"","type":"Microsoft.Network/networkSecurityGroups/securityRules","properties":{"provisioningState":"Updating","protocol":"TCP","sourcePortRange":"*","destinationPortRange":"1-5000","sourceAddressPrefix":"*","destinationAddressPrefix":"*","access":"Allow","priority":300,"direction":"Inbound","sourcePortRanges":[],"destinationPortRanges":[],"sourceAddressPrefixes":[],"destinationAddressPrefixes":[]}}"
  },
  "relatedEvents": []
}
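What makes this rule write worth an alert is not the operation name but the rule that came back: inbound, Allow, source "*", destination ports 1-5000, which puts RDP (and anything else in that range) on the Internet. That detail only lives in the responseBody, which the Activity Log carries as a JSON string inside the event. As an added example that is not part of the deck, the Python below decodes that embedded document and reports which sensitive ports a successful rule write has opened to any source. The event shape (properties.responseBody as a string, status.value, caller) is an assumption modelled on the slide's record; the three events are constructed, with the subscription id replaced by a placeholder.

```python
import json

# Ports whose exposure to the whole Internet is almost never intended (SSH,
# RDP, SQL Server, WinRM); extend to taste.
SENSITIVE_PORTS = {22, 3389, 1433, 5985, 5986}
NSG_RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"


def _rule_event(name, source_prefix, dest_ports, access="Allow", direction="Inbound"):
    """Constructed Activity Log event for a security-rule write. The rule is
    embedded as a JSON string under properties.responseBody, as in the slide."""
    rule = {"name": name, "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "properties": {"protocol": "TCP", "sourcePortRange": "*",
                           "destinationPortRange": dest_ports,
                           "sourceAddressPrefix": source_prefix,
                           "destinationAddressPrefix": "*",
                           "access": access, "priority": 300, "direction": direction,
                           "sourceAddressPrefixes": [], "destinationPortRanges": []}}
    return {"operationName": {"value": NSG_RULE_WRITE},
            "caller": "rsmith@example.com",
            "status": {"value": "Succeeded"},
            "resourceId": "/subscriptions/<subscription-id>/resourceGroups/AzureAuditWbr/"
                          "providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/" + name,
            "submissionTimestamp": "2019-06-14T15:09:25.0686119Z",
            "properties": {"responseBody": json.dumps(rule)}}


SAMPLE_EVENTS = [
    _rule_event("RDP", "*", "1-5000"),               # the slide's change: any source, ports 1-5000
    _rule_event("Bastion", "10.0.0.0/8", "3389"),    # same port, internal sources only
    _rule_event("Block", "*", "*", access="Deny"),   # a deny rule cannot expose anything
]


def port_in_range(port, spec):
    """NSG port specs are '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def is_any_source(prefix):
    return prefix in ("*", "Internet", "0.0.0.0/0")


def exposed_ports(rule_props):
    """Sensitive ports this rule allows inbound from anywhere (empty if none)."""
    if rule_props.get("direction") != "Inbound" or rule_props.get("access") != "Allow":
        return []
    sources = [rule_props.get("sourceAddressPrefix")] + list(rule_props.get("sourceAddressPrefixes", []))
    if not any(is_any_source(s) for s in sources if s):
        return []
    ranges = [rule_props.get("destinationPortRange")] + list(rule_props.get("destinationPortRanges", []))
    ranges = [r for r in ranges if r]
    return sorted(p for p in SENSITIVE_PORTS if any(port_in_range(p, r) for r in ranges))


def check_nsg_write(event):
    """Return alert details for a successful rule write that exposes a sensitive
    port to any source, otherwise None."""
    if event["operationName"]["value"] != NSG_RULE_WRITE or event["status"]["value"] != "Succeeded":
        return None
    rule = json.loads(event["properties"]["responseBody"])
    ports = exposed_ports(rule["properties"])
    if not ports:
        return None
    return {"rule": rule["name"], "caller": event["caller"], "ports": ports,
            "resourceId": event["resourceId"], "time": event["submissionTimestamp"]}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(check_nsg_write(ev))
```

The check reads both the singular and plural prefix/port properties because a rule can use either form; a detector that only looks at destinationPortRange misses rules written with destinationPortRanges.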
Subscription Administrator added
Log: Azure RM Activity Log
Format: json
  "level": "Informational",
  "operationId": "02511296-cc4b-4c18-999b-c2e66de36877",
  "operationName": {
    "value": "Microsoft.Authorization/classicAdministrators/write",
    "localizedValue": "Set administrator"
  },
  "resourceGroupName": "",
  "resourceProviderName": {
    "value": "Microsoft.Authorization",
    "localizedValue": "Microsoft.Authorization"
  },
  "resourceType": {
    "value": "Microsoft.Authorization/classicAdministrators",
    "localizedValue": "Microsoft.Authorization/classicAdministrators"
  },
  "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "subStatus": {
    "value": "",
    "localizedValue": ""
  },
  "submissionTimestamp": "2019-06-14T15:36:36.2613059Z",
  "subscriptionId": "e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
  "properties": {
    "adminEmail": "azuresync@montereytechgroup.com",
    "adminType": "CoAdmin"
  },
  "relatedEvents": []
}
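Read together, the "Backdoor account created in Azure AD" slide and this one tell a single story: the account azuresync is created in the directory at 15:05 (Azure AD audit, "Add user") and becomes a subscription co-administrator at 15:36 (Activity Log, classicAdministrators/write). Either event alone is easy to dismiss; the pair, half an hour apart, is what a backdoor looks like. As an added example that serves both slides and is not part of the deck, the Python below joins the two logs on the UPN and reports accounts that were granted subscription administration within a window of their creation. Field names follow the two records shown on the slides; the events are constructed, with example.com addresses and a subscription id placeholder.

```python
import re
from datetime import datetime, timedelta

ADD_USER = "Add user"
CLASSIC_ADMIN_WRITE = "Microsoft.Authorization/classicAdministrators/write"


def parse_ts(value):
    """Azure AD audit stamps end in '+00:00', Activity Log stamps in 'Z', and
    both carry seven fractional digits; normalise so fromisoformat accepts them."""
    value = value.replace("Z", "+00:00")
    value = re.sub(r"(\.\d{6})\d+", r"\1", value)
    return datetime.fromisoformat(value)


# Constructed sample events modelled on the two slides.
AAD_AUDIT_EVENTS = [
    {"category": "UserManagement", "activityDisplayName": ADD_USER, "result": "success",
     "activityDateTime": "2019-06-14T15:05:00.4527804+00:00",
     "initiatedBy": {"user": {"userPrincipalName": "rsmith@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "azuresync@example.com"}]},
    {"category": "UserManagement", "activityDisplayName": ADD_USER, "result": "success",
     "activityDateTime": "2019-06-14T09:00:00.0000000+00:00",
     "initiatedBy": {"user": {"userPrincipalName": "hr@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "newhire@example.com"}]},
]
ACTIVITY_LOG_EVENTS = [
    {"operationName": {"value": CLASSIC_ADMIN_WRITE}, "status": {"value": "Succeeded"},
     "submissionTimestamp": "2019-06-14T15:36:36.2613059Z",
     "subscriptionId": "<subscription-id>",   # placeholder
     "properties": {"adminEmail": "AzureSync@example.com", "adminType": "CoAdmin"}},
    {"operationName": {"value": CLASSIC_ADMIN_WRITE}, "status": {"value": "Succeeded"},
     "submissionTimestamp": "2019-06-14T16:00:00.0000000Z",
     "subscriptionId": "<subscription-id>",   # placeholder
     "properties": {"adminEmail": "longtime.admin@example.com", "adminType": "CoAdmin"}},
]


def recent_user_creations(aad_events):
    """Map lower-cased UPN -> who created it and when, from successful Add user events."""
    created = {}
    for ev in aad_events:
        if ev["activityDisplayName"] != ADD_USER or ev["result"] != "success":
            continue
        for target in ev["targetResources"]:
            if target.get("type") == "User" and target.get("userPrincipalName"):
                created[target["userPrincipalName"].lower()] = {
                    "created_at": parse_ts(ev["activityDateTime"]),
                    "created_by": ev["initiatedBy"].get("user", {}).get("userPrincipalName"),
                }
    return created


def new_accounts_made_admin(aad_events, activity_events, window=timedelta(hours=24)):
    """Accounts granted classic subscription administration within `window` of
    being created. UPNs are compared case-insensitively: the two logs do not
    agree on casing."""
    created = recent_user_creations(aad_events)
    hits = []
    for ev in activity_events:
        if ev["operationName"]["value"] != CLASSIC_ADMIN_WRITE or ev["status"]["value"] != "Succeeded":
            continue
        upn = ev["properties"]["adminEmail"].lower()
        info = created.get(upn)
        if info is None:
            continue
        admin_at = parse_ts(ev["submissionTimestamp"])
        age = admin_at - info["created_at"]
        if timedelta(0) <= age <= window:
            hits.append({"account": upn, "created_by": info["created_by"],
                         "created_at": info["created_at"].isoformat(),
                         "admin_at": admin_at.isoformat(),
                         "minutes_after_creation": int(age.total_seconds() // 60),
                         "subscription": ev["subscriptionId"],
                         "admin_type": ev["properties"]["adminType"]})
    return hits


if __name__ == "__main__":
    for hit in new_accounts_made_admin(AAD_AUDIT_EVENTS, ACTIVITY_LOG_EVENTS):
        print(hit)
```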
CEO’s mailbox accessed by another user
Log: Exchange Mailbox Audit Log
Format: XML
- https://office365itpros.com/2019/01/06/exchange-online-message-access-audit/
- https://techcommunity.microsoft.com/t5/Office-365/Microsoft-Halts-Deployment-of-MailItemsAccessed-Audit-Records/td-p/394520
Access Exchange mailbox folder
Occurred: 1/16/2013 10:57:54 AM
Operation: FolderBind
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
  GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
  Owner: n/a
  Owner UPN: Jack.Striker@sp2010.com
  Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
Folder
  ID: LgAAAADhmB/WGtj9QJHQYGoruww9AQB73FvAgkdWRYw1hL/iqQFMAAAAJaFGAAAB
  Folder: Sent Items
Performed By
  User name: Administrator
  User SID: S-1-5-21-2141518605-3280587107-2299868870-500
  Logon type: Owner
Client
  Info: Client=OWA
  IP address: fe80::c005:56c7:e881:f29eAdministrator
  Process name: n/a
  Version: n/a
Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:54.2036325-05:00]; LogonType= [Delegate]
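The record above shows why mailbox audit data needs a parser rather than a keyword match: the summary line says "Logon type: Owner" while the Additional information field says "LogonType= [Delegate]", and it is the latter that tells you the Administrator account bound a folder in someone else's mailbox. As an added example that is not part of the deck, the Python below reads the rendered key/value form shown on the slide, unpacks the Additional information field, and reports non-owner access to a watch-list of mailboxes. The three records are constructed (example.com addresses), and the watch list is an assumption.

```python
import re

# Mailboxes whose non-owner access should always be reviewed (assumption).
WATCHED_MAILBOXES = {"ceo@example.com"}

# Constructed records in the rendered key/value form the slide shows.
DELEGATE_ACCESS = """\
Access Exchange mailbox folder
Occurred: 1/16/2013 10:57:54 AM
Operation: FolderBind
Result: Succeeded
Owner UPN: ceo@example.com
Folder: Sent Items
User name: assistant
Logon type: Owner
Client Info: Client=OWA
IP address: fe80::c005:56c7:e881:f29e
Additional information: Owner= [Jane CEO]; LastAccessed= [2013-01-16T10:57:54.2036325-05:00]; LogonType= [Delegate]
"""
OWNER_ACCESS = """\
Occurred: 1/16/2013 11:02:10 AM
Operation: FolderBind
Result: Succeeded
Owner UPN: ceo@example.com
Folder: Inbox
User name: ceo
Logon type: Owner
Client Info: Client=OWA
IP address: 203.0.113.9
Additional information: Owner= [Jane CEO]; LastAccessed= [2013-01-16T11:02:10.0000000-05:00]; LogonType= [Owner]
"""
OTHER_MAILBOX = """\
Occurred: 1/16/2013 11:05:00 AM
Operation: FolderBind
Result: Succeeded
Owner UPN: analyst@example.com
Folder: Inbox
User name: Administrator
Logon type: Admin
Client Info: Client=OWA
IP address: 203.0.113.9
Additional information: Owner= [Some Analyst]; LastAccessed= [2013-01-16T11:05:00.0000000-05:00]; LogonType= [Admin]
"""


def parse_mailbox_audit(text):
    """Split 'Key: Value' lines. Only the first colon separates key from value,
    so an IPv6 address survives intact; lines without a colon are headings."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip()] = value.strip()
    return record


def additional_info(record):
    """'Owner= [x]; LastAccessed= [y]; LogonType= [z]' -> {'Owner': 'x', ...}"""
    return dict(re.findall(r"(\w+)=\s*\[([^\]]*)\]", record.get("Additional information", "")))


def non_owner_access(record):
    """Details when someone other than the owner touched a watched mailbox,
    otherwise None. The LogonType inside Additional information wins over the
    summary 'Logon type' line, because the slide's record shows them disagreeing."""
    owner = record.get("Owner UPN", "").lower()
    if owner not in WATCHED_MAILBOXES:
        return None
    extra = additional_info(record)
    logon_type = extra.get("LogonType") or record.get("Logon type")
    if logon_type == "Owner":
        return None
    return {"mailbox": owner, "accessed_by": record.get("User name"), "logon_type": logon_type,
            "operation": record.get("Operation"), "folder": record.get("Folder"),
            "client": record.get("Client Info"), "ip": record.get("IP address"),
            "when": extra.get("LastAccessed") or record.get("Occurred")}


if __name__ == "__main__":
    for raw in (DELEGATE_ACCESS, OWNER_ACCESS, OTHER_MAILBOX):
        print(non_owner_access(parse_mailbox_audit(raw)))
```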
Bottom line
- Azure Logging vs O365
  - One log in O365
    - Apparently at the expense of timely delivery
    - Not complete
  - Azure: many logs and formats
    - much more timely delivery
- Features in the cloud change faster than you can implement them
- Need to bring together on-prem and cloud-based logs so that you can see what’s happening at every level and component, regardless where it’s deployed
- Next up: how Rapid7’s cloud SIEM, InsightIDR, automatically applies security analytics to data across your modern network—on-premises, remote workers, SaaS, and IaaS
Monitor Azure and more with InsightIDR
Alex Teng with Felipe Legorreta
06/18/2019
Integrate using Azure Event Hubs
The Many Faces of Event Hub
The Many Faces of Event Hub
Event Hub Stream Flow
On-Prem Sources
Security Center Alerts
User Behavior Analysis (UBA) Alerts
