Featuring Randy Franklin Smith from Ultimate Windows Security & Rapid7.
Check out the full on-demand training here: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=2558
3. Preview of Key Points
The more things change the more they stay the same
Logging in
Azure Resource Manager
Control plane
Application plane
Azure AD
Office 365
8 examples of cloud events you want to know about
4. Logs
With on-prem technology, there are many different kinds of log sources
Each with their own format
Cryptic fields
Duplicate and incomplete data
Unfortunately, it’s the same story in the cloud
8. 8 examples of cloud events you want to know about
Storage account accessed via stolen key
Privileged logon to Azure Resource Manager with bad password
Windows level intrusion of Virtual Machine
Azure SQL Database level intrusion
Backdoor account created in Azure AD
Traffic restriction loosened on Virtual Network
Subscription Administrator added
CEO’s mailbox accessed by another user
10. Privileged logon attempt to Azure Resource Manager with bad password
Date (UTC) | User | Application | Application ID | Resource ID | Resource | IP address | Location | Status | Sign-in error code | Failure reason
2019-06-13T20:16:07.1836708+00:00 | Randy Franklin Smith | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Windows Azure Service Management API | 23.253.78.215 | Dallas, Texas, US | Failure | 50126 | Invalid username or password or Invalid on-premise username or password.
2019-06-13T19:01:39.349708+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:21.5189135+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:07.5555883+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:00:53.8268405+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
Log: Azure AD Signins Format: csv or json
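The two conditions this slide illustrates (a privileged user failing a password against Azure Resource Manager, and a burst of lockouts from one source IP) can be picked out of the sign-in export with a few lines. This is an added example, not code from the webinar or from Rapid7; the CSV is constructed to match the slide's column headers, and the privileged-user list and lockout threshold are assumptions for the demo.

```python
"""Detection for the two Azure AD sign-in failures shown on slide 10.

Added example, not from the webinar or Rapid7. The CSV below is constructed
to match the columns of the Azure AD Signins export; the privileged-user
list and the lockout threshold are assumptions for the demo.
"""
import csv
import io
from collections import Counter

ARM_RESOURCE = "Windows Azure Service Management API"  # resource behind the Azure Portal
BAD_PASSWORD = "50126"  # Invalid username or password
LOCKED_OUT = "50053"    # Account is locked (too many bad attempts)

# Constructed sample using the slide's column headers and values.
SAMPLE_CSV = """\
Date (UTC),User,Application,Application ID,Resource ID,Resource,IP address,Location,Status,Sign-in error code,Failure reason
2019-06-13T20:16:07+00:00,Randy Franklin Smith,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,797f4846-ba00-4fd7-ba43-dac1f8f63013,Windows Azure Service Management API,23.253.78.215,"Dallas, Texas, US",Failure,50126,Invalid username or password
2019-06-13T19:01:39+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked
2019-06-13T19:01:21+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked
2019-06-13T19:01:07+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked
"""

def parse_signins(text):
    """Parse the export into a list of dicts keyed by the column headers."""
    return list(csv.DictReader(io.StringIO(text)))

def privileged_arm_failures(records, privileged_users):
    """Bad-password sign-ins to Azure Resource Manager by a privileged user."""
    return [r for r in records
            if r["Resource"] == ARM_RESOURCE
            and r["Status"] == "Failure"
            and r["Sign-in error code"] == BAD_PASSWORD
            and r["User"] in privileged_users]

def lockout_sources(records, threshold=3):
    """Source IPs that hit the lockout error at least `threshold` times (password guessing)."""
    counts = Counter(r["IP address"] for r in records
                     if r["Sign-in error code"] == LOCKED_OUT)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    recs = parse_signins(SAMPLE_CSV)
    for r in privileged_arm_failures(recs, {"Randy Franklin Smith"}):
        print("ALERT privileged ARM logon failed:", r["Date (UTC)"], r["IP address"], r["Location"])
    for ip, n in lockout_sources(recs).items():
        print(f"ALERT {n} lockouts from {ip}")
```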
11. Windows level intrusion of Virtual Machine
Log: WADWindowsEventLogsTable
Format: Table
Windows Security Log of the VM
Sent with all other tracked EVTX events to a Table on specified Storage Account
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/>
    <EventRecordID>1611</EventRecordID>
    <Correlation ActivityID='{4dd9e9e0-6126-0000-7297-983cb122d501}'/>
    <Execution ProcessID='680' ThreadID='2284'/>
    <Channel>Security</Channel>
    <Computer>wbr1</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserName'>bosshogg</Data>
    <Data Name='TargetDomainName'>wbr1</Data>
    <Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='SubjectUserName'>wbr1$</Data>
    <Data Name='SubjectDomainName'>WORKGROUP</Data>
    <Data Name='SubjectLogonId'>0x3e7</Data>
    <Data Name='CallerProcessId'>0x694</Data>
    <Data Name='CallerProcessName'>C:\WindowsAzure\Packages\WaAppAgent.exe</Data>
  </EventData>
</Event>