Sponsored by
Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen
© 2019 Monterey Technology Group Inc.
Thanks to
• Made possible by
Preview of Key Points
• The more things change the more they stay the same
• Logging in
  • Azure Resource Manager
    • Control plane
    • Application plane
  • Azure AD
  • Office 365
• 8 examples of cloud events you want to know about
Logs
• With on-prem technology, there are many different kinds of log sources
  • Each with their own format
  • Cryptic fields
  • Duplicate and incomplete data
• Unfortunately, it’s the same story in the cloud
Azure Logging
[Diagram; labels recovered from the slide: Resource Manager, Control Plane, Activity Log; Application Plane: Virtual Machine (EVTX, IIS, etc.), Storage Account (Storage Analytics), SQL DB (SQL Audit), Virtual Network (Flow Logs), Azure AD (Audit Log, Sign-ins); Diagnostic Logs]
Office 365 Logging
[Diagram; labels recovered from the slide: Azure AD (Audit Log, Sign-ins), Exchange, Sway, Yammer, Teams, etc., SharePoint / OneDrive, all feeding the Unified Audit Log ("Kind of")]
https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Each log source
• Enable logging
• Which events
• Destination
• Interpret
8 examples of cloud events you want to know about
• Storage account accessed via stolen key
• Privileged logon to Azure Resource Manager with bad password
• Windows level intrusion of Virtual Machine
• Azure SQL Database level intrusion
• Backdoor account created in Azure AD
• Traffic restriction loosened on Virtual Network
• Subscription Administrator added
• CEO’s mailbox accessed by another user
Storage account accessed via stolen key
Log: Storage Analytics
Format: semicolon/lf
• Shared key access to storage accounts
• Security very brittle

2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;23.253.78.215:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:40.3070744Z;GetBlobProperties;Success;200;3;3;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs/blob/2019/06/13/2000/000004.log";"/uwsstorage1/$logs/blob/2019/06/13/2000/000004.log";1275b599-a01e-0098-1a2f-226adb000000;0;160.238.136.130:64918;2018-03-28;558;0;607;0;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0d1d3bd0-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:27.8928186Z;ListBlobs;Success;200;128;28;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs?restype=container&comp=list&maxresults=1000&delimiter=%2F&prefix=blob%2F2019%2F06%2F13%2F2000%2F";"/uwsstorage1/$logs";34afa9cd-f01e-00ed-592f-22ed60000000;0;160.238.136.130:64917;2018-03-28;610;0;152;3428;0;;;;;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"05904010-8e23-11e9-b618-bf2a9352902c";;;;;;;;
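A parser for the semicolon-delimited Storage Analytics format above, with the check the slide implies: the second record is the same GetBlob, authorized with the same key, but from an address the owner never uses. This is an added example, not code from the slides; the allow-list of known addresses is a constructed assumption, as is the rule that an "authenticated" request with empty Azure AD identity fields was signed with the account key.

```python
import csv
import io

# Field names of the Storage Analytics log format, version 2.0 (38 fields; the
# last eight carry the Azure AD identity when a request used OAuth, not a key).
STORAGE_ANALYTICS_FIELDS = [
    "version", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
    "authentication_type", "requester_account_name", "owner_account_name",
    "service_type", "request_url", "requested_object_key", "request_id",
    "operation_count", "requester_ip", "request_version", "request_header_size",
    "request_packet_size", "response_header_size", "response_packet_size",
    "request_content_length", "request_md5", "server_md5", "etag",
    "last_modified_time", "conditions_used", "user_agent", "referrer",
    "client_request_id", "user_object_id", "tenant_id", "application_id",
    "resource_id", "issuer", "user_principal_name", "reserved",
    "authorization_detail",
]

# Sample records copied from the slide: the same GetBlob from the owner's
# address and from an unfamiliar one, plus the ListBlobs that preceded it.
SAMPLE_LOG = "\n".join([
    '2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;'
    'uwsstorage1;uwsstorage1;blob;'
    '"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";'
    '"/uwsstorage1/$appss/blob/app1/importantfile.dat";'
    '1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;'
    '557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;'
    '"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 '
    '(NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;'
    '"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;',
    '2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;'
    'uwsstorage1;uwsstorage1;blob;'
    '"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";'
    '"/uwsstorage1/$appss/blob/app1/importantfile.dat";'
    '1275b2ef-a01e-0098-3c2f-226adb000000;0;23.253.78.215:64918;2018-03-28;'
    '557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;'
    '"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 '
    '(NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;'
    '"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;',
    '2.0;2019-06-13T21:34:27.8928186Z;ListBlobs;Success;200;128;28;authenticated;'
    'uwsstorage1;uwsstorage1;blob;'
    '"https://uwsstorage1.blob.core.windows.net:443/$logs?restype=container&comp=list&'
    'maxresults=1000&delimiter=%2F&prefix=blob%2F2019%2F06%2F13%2F2000%2F";'
    '"/uwsstorage1/$logs";34afa9cd-f01e-00ed-592f-22ed60000000;0;160.238.136.130:64917;'
    '2018-03-28;610;0;152;3428;0;;;;;;'
    '"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 '
    '(NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;'
    '"05904010-8e23-11e9-b618-bf2a9352902c";;;;;;;;',
])

# Constructed allow-list: the address the account owner normally works from.
KNOWN_ADDRESSES = {"160.238.136.130"}


def parse_storage_analytics(text):
    """Parse Storage Analytics v2.0 log lines into dicts keyed by field name."""
    records = []
    # Fields are ';'-separated; URLs, ETags and user agents are double-quoted
    # because they may contain ';' themselves (the user agent above does).
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row:
            continue
        if len(row) != len(STORAGE_ANALYTICS_FIELDS):
            raise ValueError(f"expected {len(STORAGE_ANALYTICS_FIELDS)} fields, got {len(row)}")
        records.append(dict(zip(STORAGE_ANALYTICS_FIELDS, row)))
    return records


def used_account_key(record):
    """Assumption: 'authenticated' with empty Azure AD identity fields means the
    request was signed with the shared key; an OAuth token would fill those in."""
    return (record["authentication_type"] == "authenticated"
            and not record["user_object_id"]
            and not record["user_principal_name"])


def requester_address(record):
    """Drop the ephemeral client port from 'ip:port' (IPv4, as logged here)."""
    return record["requester_ip"].rsplit(":", 1)[0]


def find_unexpected_key_use(records, known_addresses):
    """Flag shared-key requests from addresses outside the known set: a copied
    key is identical on the wire, so the source address is the only signal."""
    alerts = []
    for record in records:
        if not used_account_key(record):
            continue
        address = requester_address(record)
        if address in known_addresses:
            continue
        alerts.append({
            "time": record["request_start_time"],
            "operation": record["operation_type"],
            "object_key": record["requested_object_key"],
            "requester_ip": address,
            "user_agent": record["user_agent"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_key_use(parse_storage_analytics(SAMPLE_LOG), KNOWN_ADDRESSES):
        print(f"{alert['time']} {alert['operation']} {alert['object_key']} from {alert['requester_ip']}")
```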
Privileged logon attempt to Azure Resource Manager with bad password
Log: Azure AD Sign-ins
Format: csv or json

| Date (UTC) | User | Application | Application ID | Resource ID | Resource | IP address | Location | Status | Sign-in error code | Failure reason |
|---|---|---|---|---|---|---|---|---|---|---|
| 2019-06-13T20:16:07.1836708+00:00 | Randy Franklin Smith | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Windows Azure Service Management API | 23.253.78.215 | Dallas, Texas, US | Failure | 50126 | Invalid username or password or Invalid on-premise username or password. |
| 2019-06-13T19:01:39.349708+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password. |
| 2019-06-13T19:01:21.5189135+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password. |
| 2019-06-13T19:01:07.5555883+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password. |
| 2019-06-13T19:00:53.8268405+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password. |
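The sign-in rows above, run through a small analysis of failed sign-ins for privileged accounts: it counts lockouts (error 50053) and bad passwords (50126) per user and flags failures arriving from more than one country in a short window, which is what the slide shows (Shanghai lockouts, then a Dallas attempt from the same address that used the storage key on the previous slide). Added example, not from the slides; the CSV is constructed from the table, and the privileged-user set and the two-hour window are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CSV export of the five rows in the slide's table.
SIGNIN_CSV = """\
Date (UTC),User,Application,Application ID,Resource ID,Resource,IP address,Location,Status,Sign-in error code,Failure reason
2019-06-13T20:16:07.1836708+00:00,Randy Franklin Smith,Azure Portal,c44b4083-3bb0-49c1-b47d-974e53cbdf3c,797f4846-ba00-4fd7-ba43-dac1f8f63013,Windows Azure Service Management API,23.253.78.215,"Dallas, Texas, US",Failure,50126,Invalid username or password or Invalid on-premise username or password.
2019-06-13T19:01:39.349708+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:21.5189135+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:01:07.5555883+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked because user tried to sign in too many times with an incorrect user ID or password.
2019-06-13T19:00:53.8268405+00:00,Randy Franklin Smith,Office 365,bfc44fc5-2fe3-4d02-98ec-1e5967475f68,,,117.69.25.22,"Meilongzhen, Shanghai Shi, CN",Failure,50053,Account is locked because user tried to sign in too many times with an incorrect user ID or password.
"""

# Azure AD sign-in error codes shown on the slide.
BAD_PASSWORD = "50126"
ACCOUNT_LOCKED = "50053"

# Assumption: the accounts whose failed sign-ins deserve a closer look.
PRIVILEGED_USERS = {"Randy Franklin Smith"}


def parse_signin_time(value):
    # Azure AD writes seven fractional digits; strptime accepts at most six,
    # so drop the fraction (second precision is enough here).
    return datetime.strptime(re.sub(r"\.\d+", "", value), "%Y-%m-%dT%H:%M:%S%z")


def country_of(location):
    # Location is "City, Region, CC"; the country code is the last element.
    return location.rsplit(",", 1)[-1].strip()


def load_signins(text):
    return list(csv.DictReader(io.StringIO(text)))


def summarize_failures(rows, privileged_users, window=timedelta(hours=2)):
    """Per privileged user: counts by error code, source addresses and countries,
    and a flag when failures came from more than one country inside `window`."""
    by_user = defaultdict(list)
    for row in rows:
        if row["Status"] == "Failure" and row["User"] in privileged_users:
            by_user[row["User"]].append(row)
    findings = []
    for user, failures in by_user.items():
        times = sorted(parse_signin_time(r["Date (UTC)"]) for r in failures)
        codes = [r["Sign-in error code"] for r in failures]
        countries = sorted({country_of(r["Location"]) for r in failures})
        span = times[-1] - times[0]
        findings.append({
            "user": user,
            "failures": len(failures),
            "lockouts": codes.count(ACCOUNT_LOCKED),
            "bad_passwords": codes.count(BAD_PASSWORD),
            "source_ips": sorted({r["IP address"] for r in failures}),
            "countries": countries,
            "span_minutes": int(span.total_seconds() // 60),
            "multi_country_burst": len(countries) > 1 and span <= window,
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_failures(load_signins(SIGNIN_CSV), PRIVILEGED_USERS):
        print(finding)
```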
Windows level intrusion of Virtual Machine
Log: WADWindowsEventLogsTable
Format: Table
• Windows Security Log of the VM
• Sent with all other tracked EVTX events to a Table on specified Storage Account

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/>
    <EventRecordID>1611</EventRecordID>
    <Correlation ActivityID='{4dd9e9e0-6126-0000-7297-983cb122d501}'/>
    <Execution ProcessID='680' ThreadID='2284'/>
    <Channel>Security</Channel>
    <Computer>wbr1</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserName'>bosshogg</Data>
    <Data Name='TargetDomainName'>wbr1</Data>
    <Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='SubjectUserName'>wbr1$</Data>
    <Data Name='SubjectDomainName'>WORKGROUP</Data>
    <Data Name='SubjectLogonId'>0x3e7</Data>
    <Data Name='CallerProcessId'>0x694</Data>
    <Data Name='CallerProcessName'>C:\WindowsAzure\Packages\WaAppAgent.exe</Data>
  </EventData>
</Event>
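The event XML as it lands in the table is one blob per row, so the first step of any detection is pulling the System and EventData fields out of it. This added example (not the slides' code) parses the event above and, for 4798 (local group membership enumerated), separates the Azure guest agent, which enumerates group membership as part of normal operation, from any other caller; the agent path used as the baseline is an assumption, and the RID 500 check marks the built-in Administrator account whatever it has been renamed to.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The slide's event 4798, as stored in WADWindowsEventLogsTable.
SAMPLE_EVENT_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4798</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/>
    <EventRecordID>1611</EventRecordID>
    <Correlation ActivityID='{4dd9e9e0-6126-0000-7297-983cb122d501}'/>
    <Execution ProcessID='680' ThreadID='2284'/>
    <Channel>Security</Channel>
    <Computer>wbr1</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='TargetUserName'>bosshogg</Data>
    <Data Name='TargetDomainName'>wbr1</Data>
    <Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data>
    <Data Name='SubjectUserSid'>S-1-5-18</Data>
    <Data Name='SubjectUserName'>wbr1$</Data>
    <Data Name='SubjectDomainName'>WORKGROUP</Data>
    <Data Name='SubjectLogonId'>0x3e7</Data>
    <Data Name='CallerProcessId'>0x694</Data>
    <Data Name='CallerProcessName'>C:\WindowsAzure\Packages\WaAppAgent.exe</Data>
  </EventData>
</Event>"""

# Assumption (not from the slide): the Azure guest agent enumerates local group
# membership routinely, so 4798 from it is baseline; any other caller is worth review.
EXPECTED_ENUMERATORS = {r"c:\windowsazure\packages\waappagent.exe"}


def parse_security_event(xml_text):
    """Flatten a Windows event record into System fields plus an EventData dict."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    event = {
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "time_created": system.find("e:TimeCreated", EVENT_NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=EVENT_NS)),
        "data": {},
    }
    # EventData is a list of <Data Name='...'> elements; key them by Name.
    for item in root.iterfind("e:EventData/e:Data", EVENT_NS):
        event["data"][item.get("Name")] = item.text or ""
    return event


def classify_group_enumeration(event, expected_callers=EXPECTED_ENUMERATORS):
    """For event 4798, say who enumerated whose group membership and whether
    the calling process is on the baseline. Returns None for other events."""
    if event["event_id"] != 4798:
        return None
    data = event["data"]
    caller = data.get("CallerProcessName", "")
    target_sid = data.get("TargetSid", "")
    return {
        "computer": event["computer"],
        "time": event["time_created"],
        "target_user": data.get("TargetUserName"),
        "target_is_builtin_admin": target_sid.endswith("-500"),  # RID 500 survives renaming
        "subject": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "caller_process": caller,
        "expected": caller.lower() in expected_callers,
    }


if __name__ == "__main__":
    print(classify_group_enumeration(parse_security_event(SAMPLE_EVENT_XML)))
```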
Azure SQL Database level intrusion
Log: sqldbauditlogs
Format: XEL
Backdoor account created in Azure AD
Log: Azure AD Audit
Format: JSON

{
  "id": "Directory_J6R02_71893829",
  "category": "UserManagement",
  "correlationId": "d97266c3-13f5-4850-8838-63da5f000694",
  "result": "success",
  "resultReason": "",
  "activityDisplayName": "Add user",
  "activityDateTime": "2019-06-14T15:05:00.4527804+00:00",
  "loggedByService": "Core Directory",
  "initiatedBy": {
    "user": {
      "id": "ecb59d40-fa6a-4a50-a6d4-254cb06a3405",
      "displayName": null,
      "userPrincipalName": "rsmith@montereytechgroup.com",
      "ipAddress": "<null>"
    }
  },
  "targetResources": [
    {
      "id": "df2173b6-3d47-4984-b1b9-263c314e2257",
      "displayName": null,
      "type": "User",
      "userPrincipalName": "azuresync@montereytechgroup.com",
      "groupType": null,
      "modifiedProperties": [
        {
          "displayName": "AccountEnabled",
          "oldValue": "[]",
          "newValue": "[true]"
        },
Traffic restriction loosened on Virtual Network
Log: Azure RM Activity Log
Format: json

{
  "authorization": {
    "action": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "caller": "rsmith@montereytechgroup.com",
    "channels": "Operation",
    "ipaddr": "160.238.136.130",
    "name": "Randy Franklin Smith",
    "localizedValue": "Create or Update Security Rule",
    "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP",
    "submissionTimestamp": "2019-06-14T15:09:25.0686119Z",
    "responseBody": "{"name":"RDP","id":"/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP","etag":"W/"2d306427-dc80-498e-b410-964a7490e134"","type":"Microsoft.Network/networkSecurityGroups/securityRules","properties":{"provisioningState":"Updating","protocol":"TCP","sourcePortRange":"*","destinationPortRange":"1-5000","sourceAddressPrefix":"*","destinationAddressPrefix":"*","access":"Allow","priority":300,"direction":"Inbound","sourcePortRanges":[],"destinationPortRanges":[],"sourceAddressPrefixes":[],"destinationAddressPrefixes":[]}}"
  },
  "relatedEvents": []
}
Subscription Administrator added
Log: Azure RM Activity Log
Format: json

  "level": "Informational",
  "operationId": "02511296-cc4b-4c18-999b-c2e66de36877",
  "operationName": {
    "value": "Microsoft.Authorization/classicAdministrators/write",
    "localizedValue": "Set administrator"
  },
  "resourceGroupName": "",
  "resourceProviderName": {
    "value": "Microsoft.Authorization",
    "localizedValue": "Microsoft.Authorization"
  },
  "resourceType": {
    "value": "Microsoft.Authorization/classicAdministrators",
    "localizedValue": "Microsoft.Authorization/classicAdministrators"
  },
  "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
  "status": {
    "value": "Succeeded",
    "localizedValue": "Succeeded"
  },
  "subStatus": {
    "value": "",
    "localizedValue": ""
  },
  "submissionTimestamp": "2019-06-14T15:36:36.2613059Z",
  "subscriptionId": "e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
  "properties": {
    "adminEmail": "azuresync@montereytechgroup.com",
    "adminType": "CoAdmin"
  },
  "relatedEvents": []
}
CEO’s mailbox accessed by another user
Log: Exchange Mailbox Audit Log
Format: XML
• https://office365itpros.com/2019/01/06/exchange-online-message-access-audit/
• https://techcommunity.microsoft.com/t5/Office-365/Microsoft-Halts-Deployment-of-MailItemsAccessed-Audit-Records/td-p/394520

Access Exchange mailbox folder
Occurred: 1/16/2013 10:57:54 AM
Operation: FolderBind
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
Owner: n/a
Owner UPN: Jack.Striker@sp2010.com
Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
Folder
ID: LgAAAADhmB/WGtj9QJHQYGoruww9AQB73FvAgkdWRYw1hL/iqQFMAAAAJaFGAAAB
Folder: Sent Items
Performed By
User name: Administrator
User SID: S-1-5-21-2141518605-3280587107-2299868870-500
Logon type: Owner
Client
Info: Client=OWA
IP address: fe80::c005:56c7:e881:f29eAdministrator
Process name: n/a
Version: n/a
Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:54.2036325-05:00]; LogonType= [Delegate]
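The audit record above in the report's own key: value layout, parsed section by section and checked for the condition the slide names: someone other than the mailbox owner binding to a watched mailbox. The record is contradictory on its face (Logon type: Owner, yet LogonType= [Delegate] in the additional information), so the check compares SIDs instead of trusting either label. Added example, not from the slides; the watched-mailbox set is an assumption and the sample text is constructed from the record, with the IP address line given without the stray token that follows it on the slide.

```python
import re

# Constructed from the slide's mailbox audit record.
SAMPLE_REPORT = """\
Access Exchange mailbox folder
Occurred: 1/16/2013 10:57:54 AM
Operation: FolderBind
Result: Succeeded
Originating server: SP2010-EX1 (14.02.0328.009)
Mailbox
GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
Owner: n/a
Owner UPN: Jack.Striker@sp2010.com
Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
Folder
ID: LgAAAADhmB/WGtj9QJHQYGoruww9AQB73FvAgkdWRYw1hL/iqQFMAAAAJaFGAAAB
Folder: Sent Items
Performed By
User name: Administrator
User SID: S-1-5-21-2141518605-3280587107-2299868870-500
Logon type: Owner
Client
Info: Client=OWA
IP address: fe80::c005:56c7:e881:f29e
Process name: n/a
Version: n/a
Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:54.2036325-05:00]; LogonType= [Delegate]
"""

# Assumption: mailboxes whose non-owner access should always be surfaced.
WATCHED_MAILBOXES = {"jack.striker@sp2010.com"}


def parse_mailbox_audit_report(text):
    """Turn the report into {section: {key: value}}. The first line is the event
    title; a line without ':' opens a section; everything else is 'key: value'."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    report = {"_title": lines[0], "Event": {}}
    section = "Event"
    for line in lines[1:]:
        if ":" not in line:
            section = line.strip()
            report.setdefault(section, {})
            continue
        # Split on the first ':' only; IPv6 values contain many more.
        key, value = line.split(":", 1)
        report[section][key.strip()] = value.strip()
    return report


def parse_additional_info(value):
    """'Owner= [Jack Striker]; LogonType= [Delegate]' -> {'Owner': ..., 'LogonType': ...}"""
    return dict(re.findall(r"(\w+)= \[([^\]]*)\]", value))


def detect_non_owner_access(report, watched_mailboxes):
    """Flag access to a watched mailbox by any account other than its owner."""
    mailbox = report["Mailbox"]
    actor = report["Performed By"]
    owner_upn = mailbox["Owner UPN"].lower()
    if owner_upn not in watched_mailboxes:
        return None
    # The SID comparison is authoritative; the logon-type labels disagree in this record.
    if actor["User SID"] == mailbox["Owner SID"]:
        return None
    additional = next((sec["Additional information"] for sec in report.values()
                       if isinstance(sec, dict) and "Additional information" in sec), "")
    extra = parse_additional_info(additional)
    return {
        "mailbox": owner_upn,
        "accessed_by": actor["User name"],
        "actor_sid": actor["User SID"],
        "logon_type": extra.get("LogonType", actor.get("Logon type")),
        "operation": report["Event"]["Operation"],
        "folder": report["Folder"]["Folder"],
        "client": report["Client"]["Info"],
        "client_ip": report["Client"]["IP address"],
        "when": report["Event"]["Occurred"],
    }


if __name__ == "__main__":
    print(detect_non_owner_access(parse_mailbox_audit_report(SAMPLE_REPORT), WATCHED_MAILBOXES))
```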
Bottom line
• Azure Logging vs O365
  • One log in O365
    • Apparently at the expense of timely delivery
    • Not complete
  • Azure: many logs and formats
    • much more timely delivery
• Features in the cloud change faster than you can implement them
• Need to bring together on-prem and cloud-based logs so that you can see what’s happening at every level and component, regardless of where it’s deployed
• Next up: how Rapid7’s cloud SIEM, InsightIDR, automatically applies security analytics to data across your modern network—on-premises, remote workers, SaaS, and IaaS
Monitor Azure and more with InsightIDR
Alex Teng with Felipe Legorreta
06/18/2019
Integrate using Azure Event Hubs
The Many Faces of Event Hub
Event Hub Stream Flow
On-Prem Sources
Security Center Alerts
User Behavior Analysis (UBA) Alerts

More Related Content

Similar to Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen

The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019 The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
Sandesh Rao
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET Journal
 
Office 365 Saturday - Office 365 Security Best Practices
Office 365 Saturday - Office 365 Security Best PracticesOffice 365 Saturday - Office 365 Security Best Practices
Office 365 Saturday - Office 365 Security Best Practices
Benoit HAMET
 
SPFest DC Build It and They Will Come Share-Point 2013 User Adoption
SPFest DC   Build It and They Will Come Share-Point 2013 User AdoptionSPFest DC   Build It and They Will Come Share-Point 2013 User Adoption
SPFest DC Build It and They Will Come Share-Point 2013 User Adoption
Stacy Deere
 
Azure Machine Learning and Data Journeys
Azure Machine Learning and Data JourneysAzure Machine Learning and Data Journeys
Azure Machine Learning and Data Journeys
Luca Mauri
 
Spsnl18 exploring identity management options in office 365
Spsnl18   exploring identity management options in office 365Spsnl18   exploring identity management options in office 365
Spsnl18 exploring identity management options in office 365
Paul Hunt
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...
serge luca
 
Rencore Webinar: Myth-busting GDPR in Office 365 & Azure
Rencore Webinar: Myth-busting GDPR in Office 365 & AzureRencore Webinar: Myth-busting GDPR in Office 365 & Azure
Rencore Webinar: Myth-busting GDPR in Office 365 & Azure
Rencore
 
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
Sébastien Paulet
 
IDERA Live | Mitigating Data Risks from Cloud to Ground
IDERA Live | Mitigating Data Risks from Cloud to GroundIDERA Live | Mitigating Data Risks from Cloud to Ground
IDERA Live | Mitigating Data Risks from Cloud to Ground
IDERA Software
 
Big Data & Data Lakes Building Blocks
Big Data & Data Lakes Building BlocksBig Data & Data Lakes Building Blocks
Big Data & Data Lakes Building Blocks
Amazon Web Services
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
DevOps.com
 
Power Saturday 2019 - D4 - Doctor Fow best practices
Power Saturday 2019 - D4 - Doctor Fow best practicesPower Saturday 2019 - D4 - Doctor Fow best practices
Power Saturday 2019 - D4 - Doctor Fow best practices
PowerSaturdayParis
 
Microsoft flow best practices with Doctor Flow. PowerSaturday 2019, Paris
Microsoft flow best practices with Doctor Flow. PowerSaturday  2019, ParisMicrosoft flow best practices with Doctor Flow. PowerSaturday  2019, Paris
Microsoft flow best practices with Doctor Flow. PowerSaturday 2019, Paris
serge luca
 
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
Amazon Web Services
 
John Rhodes - DevOps Automated Testing
John Rhodes - DevOps Automated TestingJohn Rhodes - DevOps Automated Testing
John Rhodes - DevOps Automated Testing
John Zozzaro
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Stefan Streichsbier
 
SPS Oslo 2018 - Office 365 User Onboarding
SPS Oslo 2018 - Office 365 User OnboardingSPS Oslo 2018 - Office 365 User Onboarding
SPS Oslo 2018 - Office 365 User Onboarding
Jimmy Hang
 
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint - Manojk
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint  - Manojk2018-09-03 aOS Aachen - Leveraging Azure for SharePoint  - Manojk
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint - Manojk
aOS Community
 
Azure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protectionsAzure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protections
Andres Canello
 

Similar to Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen (20)

The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019 The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
The Machine Learning behind the Autonomous Database- EMEA Tour Oct 2019
 
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy GoalsIRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
IRJET- Exchanging Secure Data in Cloud with Confidentiality and Privacy Goals
 
Office 365 Saturday - Office 365 Security Best Practices
Office 365 Saturday - Office 365 Security Best PracticesOffice 365 Saturday - Office 365 Security Best Practices
Office 365 Saturday - Office 365 Security Best Practices
 
SPFest DC Build It and They Will Come Share-Point 2013 User Adoption
SPFest DC   Build It and They Will Come Share-Point 2013 User AdoptionSPFest DC   Build It and They Will Come Share-Point 2013 User Adoption
SPFest DC Build It and They Will Come Share-Point 2013 User Adoption
 
Azure Machine Learning and Data Journeys
Azure Machine Learning and Data JourneysAzure Machine Learning and Data Journeys
Azure Machine Learning and Data Journeys
 
Spsnl18 exploring identity management options in office 365
Spsnl18   exploring identity management options in office 365Spsnl18   exploring identity management options in office 365
Spsnl18 exploring identity management options in office 365
 
Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...Design mission-critical enterprise applications with Power Automate and Docto...
Design mission-critical enterprise applications with Power Automate and Docto...
 
Rencore Webinar: Myth-busting GDPR in Office 365 & Azure
Rencore Webinar: Myth-busting GDPR in Office 365 & AzureRencore Webinar: Myth-busting GDPR in Office 365 & Azure
Rencore Webinar: Myth-busting GDPR in Office 365 & Azure
 
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
aOS Kuala Lumpur 2019 Manage sensitive and personal data in O365
 
IDERA Live | Mitigating Data Risks from Cloud to Ground
IDERA Live | Mitigating Data Risks from Cloud to GroundIDERA Live | Mitigating Data Risks from Cloud to Ground
IDERA Live | Mitigating Data Risks from Cloud to Ground
 
Big Data & Data Lakes Building Blocks
Big Data & Data Lakes Building BlocksBig Data & Data Lakes Building Blocks
Big Data & Data Lakes Building Blocks
 
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
How to Govern Identities and Access in Cloud Infrastructure: AppsFlyer Case S...
 
Power Saturday 2019 - D4 - Doctor Fow best practices
Power Saturday 2019 - D4 - Doctor Fow best practicesPower Saturday 2019 - D4 - Doctor Fow best practices
Power Saturday 2019 - D4 - Doctor Fow best practices
 
Microsoft flow best practices with Doctor Flow. PowerSaturday 2019, Paris
Microsoft flow best practices with Doctor Flow. PowerSaturday  2019, ParisMicrosoft flow best practices with Doctor Flow. PowerSaturday  2019, Paris
Microsoft flow best practices with Doctor Flow. PowerSaturday 2019, Paris
 
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
Using Amazon S3 and Amazon Glacier for Backup or Archive Storage (STG339) - A...
 
John Rhodes - DevOps Automated Testing
John Rhodes - DevOps Automated TestingJohn Rhodes - DevOps Automated Testing
John Rhodes - DevOps Automated Testing
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
 
SPS Oslo 2018 - Office 365 User Onboarding
SPS Oslo 2018 - Office 365 User OnboardingSPS Oslo 2018 - Office 365 User Onboarding
SPS Oslo 2018 - Office 365 User Onboarding
 
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint - Manojk
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint  - Manojk2018-09-03 aOS Aachen - Leveraging Azure for SharePoint  - Manojk
2018-09-03 aOS Aachen - Leveraging Azure for SharePoint - Manojk
 
Azure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protectionsAzure AD - Password attacks - logging and protections
Azure AD - Password attacks - logging and protections
 

Recently uploaded

Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
Octavian Nadolu
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
VALiNTRY360
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Neo4j
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
Grant Fritchey
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
Łukasz Chruściel
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
Peter Muessig
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
TheSMSPoint
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
SOCRadar
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
Remote DBA Services
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
timtebeek1
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
Green Software Development
 
Requirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional SafetyRequirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional Safety
Ayan Halder
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
Rakesh Kumar R
 
SQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure MalaysiaSQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure Malaysia
GohKiangHock
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
Rakesh Kumar R
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
lorraineandreiamcidl
 
Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
Odoo ERP Vs. Traditional ERP Systems – A Comparative AnalysisOdoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
Envertis Software Solutions
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Łukasz Chruściel
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
rodomar2
 

Recently uploaded (20)

Artificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension FunctionsArtificia Intellicence and XPath Extension Functions
Artificia Intellicence and XPath Extension Functions
 
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdfTop Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
Top Benefits of Using Salesforce Healthcare CRM for Patient Management.pdf
 
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris
 
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissancesAtelier - Innover avec l’IA Générative et les graphes de connaissances
Atelier - Innover avec l’IA Générative et les graphes de connaissances
 
Using Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query PerformanceUsing Query Store in Azure PostgreSQL to Understand Query Performance
Using Query Store in Azure PostgreSQL to Understand Query Performance
 
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf2024 eCommerceDays Toulouse - Sylius 2.0.pdf
2024 eCommerceDays Toulouse - Sylius 2.0.pdf
 
UI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design SystemUI5con 2024 - Bring Your Own Design System
UI5con 2024 - Bring Your Own Design System
 
Transform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR SolutionsTransform Your Communication with Cloud-Based IVR Solutions
Transform Your Communication with Cloud-Based IVR Solutions
 
socradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdfsocradar-q1-2024-aviation-industry-report.pdf
socradar-q1-2024-aviation-industry-report.pdf
 
Oracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptxOracle Database 19c New Features for DBAs and Developers.pptx
Oracle Database 19c New Features for DBAs and Developers.pptx
 
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdfAutomated software refactoring with OpenRewrite and Generative AI.pptx.pdf
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
 
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, FactsALGIT - Assembly Line for Green IT - Numbers, Data, Facts
ALGIT - Assembly Line for Green IT - Numbers, Data, Facts
 
Requirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional SafetyRequirement Traceability in Xen Functional Safety
Requirement Traceability in Xen Functional Safety
 
Fundamentals of Programming and Language Processors
Fundamentals of Programming and Language ProcessorsFundamentals of Programming and Language Processors
Fundamentals of Programming and Language Processors
 
SQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure MalaysiaSQL Accounting Software Brochure Malaysia
SQL Accounting Software Brochure Malaysia
 
How to write a program in any programming language
How to write a program in any programming languageHow to write a program in any programming language
How to write a program in any programming language
 
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOMLORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
LORRAINE ANDREI_LEQUIGAN_HOW TO USE ZOOM
 
Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
Odoo ERP Vs. Traditional ERP Systems – A Comparative AnalysisOdoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
Odoo ERP Vs. Traditional ERP Systems – A Comparative Analysis
 
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Need for Speed: Removing speed bumps from your Symfony projects ⚡️
Need for Speed: Removing speed bumps from your Symfony projects ⚡️
 
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CDKuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
KuberTENes Birthday Bash Guadalajara - Introducción a Argo CD
 

Azure & O365 Audit Logging: 8 Events Across the Stack That You Want to Know When They Happen

  • 1. Sponsored by Azure &O365Audit Logging: 8 EventsAcross theStackThatYouWant to KnowWhenThey Happen © 2019 Monterey Technology Group Inc.
  • 2. Thanks to  Made possible by
  • 3. Preview of Key Points  The more things change the more they stay the same  Logging in  Azure Resource Manager  Control plane  Application plane  Azure AD  Office 365  8 examples of cloud events you want to know about
  • 4. Logs  With on-prem technology, there are many different kinds of log sources  Each with their own format  Cryptic fields  Duplicate and incomplete data  Unfortunately, it’s the same story in the cloud
  • 6. Office 365 Logging (diagram): Azure AD Audit Log and Sign-ins, Exchange, SharePoint / OneDrive, and Sway, Yammer, Teams, etc. all feed the Unified Audit Log (kind of). Schema: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
  • 7. Each log source  Enable logging  Which events  Destination  Interpret
  • 8. 8 examples of cloud events you want to know about  Storage account accessed via stolen key  Privileged logon to Azure Resource Manager with bad password  Windows level intrusion of Virtual Machine  Azure SQL Database level intrusion  Backdoor account created in Azure AD  Traffic restriction loosened on Virtual Network  Subscription Administrator added  CEO’s mailbox accessed by another user
  • 9. Storage account accessed via stolen key. Log: Storage Analytics. Format: semicolon/lf
     Shared key access to storage accounts
     Security very brittle
    2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
    2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;23.253.78.215:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
    2.0;2019-06-13T21:34:40.3070744Z;GetBlobProperties;Success;200;3;3;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs/blob/2019/06/13/2000/000004.log";"/uwsstorage1/$logs/blob/2019/06/13/2000/000004.log";1275b599-a01e-0098-1a2f-226adb000000;0;160.238.136.130:64918;2018-03-28;558;0;607;0;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0d1d3bd0-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
    2.0;2019-06-13T21:34:27.8928186Z;ListBlobs;Success;200;128;28;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs?restype=container&amp;comp=list&amp;maxresults=1000&amp;delimiter=%2F&amp;prefix=blob%2F2019%2F06%2F13%2F2000%2F";"/uwsstorage1/$logs";34afa9cd-f01e-00ed-592f-22ed60000000;0;160.238.136.130:64917;2018-03-28;610;0;152;3428;0;;;;;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"05904010-8e23-11e9-b618-bf2a9352902c";;;;;;;;
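The records above are only useful for a "stolen key" detection if you can parse them reliably and pivot on the one attribute a shared-key request still carries, the source address. The following is an added example (not code from the presentation) that parses Storage Analytics 2.0 records with Python's csv module, which matters because the quoted user-agent field contains its own semicolons, and flags shared-key requests from addresses outside a constructed allow-list. Field names follow the documented Storage Analytics log format; KNOWN_IPS is an assumed allow-list, and SAMPLE_LOG is the slide's four records with the line-wrapping removed.

```python
"""
Parse Azure Storage Analytics log records (semicolon-separated, format 2.0)
and flag shared-key ("authenticated") requests from addresses outside the set
that legitimately holds the key. Added example, not the presentation's code.
Field names follow the documented Storage Analytics log format; KNOWN_IPS and
SAMPLE_LOG (the slide's records, unwrapped) are constructed for this demo.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Storage Analytics log format 1.0 fields, in order.
FIELDS_V1 = [
    "version", "request_start_time", "operation_type", "request_status",
    "http_status_code", "end_to_end_latency_ms", "server_latency_ms",
    "authentication_type", "requester_account_name", "owner_account_name",
    "service_type", "request_url", "requested_object_key", "request_id",
    "operation_count", "requester_ip", "request_version", "request_header_size",
    "request_packet_size", "response_header_size", "response_packet_size",
    "request_content_length", "request_md5", "server_md5", "etag",
    "last_modified_time", "conditions_used", "user_agent", "referrer",
    "client_request_id",
]
# Format 2.0 appends identity fields; they stay empty for shared-key access.
FIELDS_V2_EXTRA = [
    "user_object_id", "tenant_id", "application_id", "audience", "issuer",
    "user_principal_name", "reserved", "authorization_detail",
]


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split log lines into dicts keyed by field name. csv with ';' as the
    delimiter is used because quoted fields (user_agent) contain semicolons."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not row or not row[0]:
            continue  # blank line
        names = FIELDS_V1 + (FIELDS_V2_EXTRA if row[0] == "2.0" else [])
        rec = dict(zip(names, row))
        # requester_ip is logged as "address:port"; keep only the address (IPv4)
        rec["requester_ip"] = rec["requester_ip"].rsplit(":", 1)[0]
        records.append(rec)
    return records


def is_shared_key(r: Dict[str, str]) -> bool:
    """Assumption from the documented schema: 'authenticated' with empty
    identity fields means a shared-key request rather than an OAuth one."""
    return (r["authentication_type"] == "authenticated"
            and not r.get("user_object_id") and not r.get("user_principal_name"))


@dataclass
class Finding:
    time: str
    operation: str
    ip: str
    object_key: str
    reason: str


def find_unknown_shared_key_access(records: Iterable[Dict[str, str]],
                                   known_ips: Set[str]) -> List[Finding]:
    """A shared key carries no user identity, so the source address is the
    only pivot left: anything outside the known set is a leaked-key candidate."""
    return [
        Finding(r["request_start_time"], r["operation_type"], r["requester_ip"],
                r["requested_object_key"], "shared-key request from unlisted address")
        for r in records
        if is_shared_key(r) and r["requester_ip"] not in known_ips
    ]


KNOWN_IPS = {"160.238.136.130"}  # constructed allow-list for the demo

# Constructed sample: the slide's four records with line-wrapping removed.
SAMPLE_LOG = '''
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;160.238.136.130:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:39.4374607Z;GetBlob;Success;200;25;25;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/apps/blob/app1/importantfile.dat";"/uwsstorage1/$appss/blob/app1/importantfile.dat";1275b2ef-a01e-0098-3c2f-226adb000000;0;23.253.78.215:64918;2018-03-28;557;0;559;1698;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0c98c990-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:40.3070744Z;GetBlobProperties;Success;200;3;3;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs/blob/2019/06/13/2000/000004.log";"/uwsstorage1/$logs/blob/2019/06/13/2000/000004.log";1275b599-a01e-0098-1a2f-226adb000000;0;160.238.136.130:64918;2018-03-28;558;0;607;0;0;;;"&quot;0x8D6F03FD5C0F68F&quot;";Thursday, 13-Jun-19 20:43:47 GMT;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"0d1d3bd0-8e23-11e9-8293-ffe0703d9b5a";;;;;;;;
2.0;2019-06-13T21:34:27.8928186Z;ListBlobs;Success;200;128;28;authenticated;uwsstorage1;uwsstorage1;blob;"https://uwsstorage1.blob.core.windows.net:443/$logs?restype=container&amp;comp=list&amp;maxresults=1000&amp;delimiter=%2F&amp;prefix=blob%2F2019%2F06%2F13%2F2000%2F";"/uwsstorage1/$logs";34afa9cd-f01e-00ed-592f-22ed60000000;0;160.238.136.130:64917;2018-03-28;610;0;152;3428;0;;;;;;"Microsoft Azure Storage Explorer, 1.8.1, win32, Azure-Storage/2.10.3 (NODE-VERSION v8.9.3; Windows_NT 10.0.17763)";;"05904010-8e23-11e9-b618-bf2a9352902c";;;;;;;;
'''

if __name__ == "__main__":
    for f in find_unknown_shared_key_access(parse_records(SAMPLE_LOG), KNOWN_IPS):
        print(f"{f.time} {f.operation} {f.object_key} from {f.ip}: {f.reason}")
```

Run as-is it reports the one GetBlob of importantfile.dat that came from 23.253.78.215. The allow-list approach is deliberately crude: a better baseline is the set of addresses and user agents seen over the previous weeks, but the parsing and the shared-key test stay the same.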
  • 10. Privileged logon attempt to Azure Resource Manager with bad password. Log: Azure AD Sign-ins. Format: csv or json
    Date (UTC) | User | Application | Application ID | Resource ID | Resource | IP address | Location | Status | Sign-in error code | Failure reason
    2019-06-13T20:16:07.1836708+00:00 | Randy Franklin Smith | Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Windows Azure Service Management API | 23.253.78.215 | Dallas, Texas, US | Failure | 50126 | Invalid username or password or Invalid on-premise username or password.
    2019-06-13T19:01:39.349708+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
    2019-06-13T19:01:21.5189135+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
    2019-06-13T19:01:07.5555883+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
    2019-06-13T19:00:53.8268405+00:00 | Randy Franklin Smith | Office 365 | bfc44fc5-2fe3-4d02-98ec-1e5967475f68 | | | 117.69.25.22 | Meilongzhen, Shanghai Shi, CN | Failure | 50053 | Account is locked because user tried to sign in too many times with an incorrect user ID or password.
  • 11. Windows level intrusion of Virtual Machine. Log: WADWindowsEventLogsTable. Format: Table
     Windows Security Log of the VM
     Sent with all other tracked EVTX events to a Table on specified Storage Account
    <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4798</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2019-06-14T14:05:06.366777400Z'/><EventRecordID>1611</EventRecordID><Correlation ActivityID='{4dd9e9e0-6126-0000-7297-983cb122d501}'/><Execution ProcessID='680' ThreadID='2284'/><Channel>Security</Channel><Computer>wbr1</Computer><Security/></System>
    <EventData><Data Name='TargetUserName'>bosshogg</Data><Data Name='TargetDomainName'>wbr1</Data><Data Name='TargetSid'>S-1-5-21-3803767376-4286365568-2514934844-500</Data><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>wbr1$</Data><Data Name='SubjectDomainName'>WORKGROUP</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='CallerProcessId'>0x694</Data><Data Name='CallerProcessName'>C:\WindowsAzure\Packages\WaAppAgent.exe</Data></EventData>
    </Event>
  • 13. Backdoor account created in Azure AD. Log: Azure AD Audit. Format: JSON
    {
      "id": "Directory_J6R02_71893829",
      "category": "UserManagement",
      "correlationId": "d97266c3-13f5-4850-8838-63da5f000694",
      "result": "success",
      "resultReason": "",
      "activityDisplayName": "Add user",
      "activityDateTime": "2019-06-14T15:05:00.4527804+00:00",
      "loggedByService": "Core Directory",
      "initiatedBy": {
        "user": {
          "id": "ecb59d40-fa6a-4a50-a6d4-254cb06a3405",
          "displayName": null,
          "userPrincipalName": "rsmith@montereytechgroup.com",
          "ipAddress": "<null>"
        }
      },
      "targetResources": [
        {
          "id": "df2173b6-3d47-4984-b1b9-263c314e2257",
          "displayName": null,
          "type": "User",
          "userPrincipalName": "azuresync@montereytechgroup.com",
          "groupType": null,
          "modifiedProperties": [
            {
              "displayName": "AccountEnabled",
              "oldValue": "[]",
              "newValue": "[true]"
            },
  • 14. Traffic restriction loosened on Virtual Network. Log: Azure RM Activity Log. Format: json
    {
      "authorization": {
        "action": "Microsoft.Network/networkSecurityGroups/securityRules/write",
        "caller": "rsmith@montereytechgroup.com",
        "channels": "Operation",
        "ipaddr": "160.238.136.130",
        "name": "Randy Franklin Smith",
        "localizedValue": "Create or Update Security Rule",
        "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP",
        "submissionTimestamp": "2019-06-14T15:09:25.0686119Z",
        "responseBody": "{\"name\":\"RDP\",\"id\":\"/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg/securityRules/RDP\",\"etag\":\"W/\\\"2d306427-dc80-498e-b410-964a7490e134\\\"\",\"type\":\"Microsoft.Network/networkSecurityGroups/securityRules\",\"properties\":{\"provisioningState\":\"Updating\",\"protocol\":\"TCP\",\"sourcePortRange\":\"*\",\"destinationPortRange\":\"1-5000\",\"sourceAddressPrefix\":\"*\",\"destinationAddressPrefix\":\"*\",\"access\":\"Allow\",\"priority\":300,\"direction\":\"Inbound\",\"sourcePortRanges\":[],\"destinationPortRanges\":[],\"sourceAddressPrefixes\":[],\"destinationAddressPrefixes\":[]}}"
      },
      "relatedEvents": []
    }
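The interesting content of that record is buried in responseBody, which the Activity Log stores as a JSON string inside the JSON event. The following is an added example (not the presentation's own code) that reviews a securityRules/write event: it parses responseBody, then reports inbound Allow rules whose source is any address, whose destination port range is wide, or which expose a management port. make_event() constructs a record mirroring the slide's (same action, caller, rule name and values); the threshold MAX_PORT_SPAN, the MGMT_PORTS set and the placement of responseBody under "properties" (the slide shows it inline) are assumptions.

```python
"""
Review an Azure Resource Manager Activity Log record for an NSG security-rule
write that loosens inbound filtering, as in the slide's event. Added example,
not the presentation's own code. make_event() constructs a record that mirrors
the slide (same action, caller, rule name and values); MAX_PORT_SPAN,
MGMT_PORTS and the assumption that responseBody sits under "properties" are ours.
"""
import json
from typing import Dict, List, Optional, Tuple

MAX_PORT_SPAN = 100                  # assumed: wider ranges deserve review
MGMT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
RULE_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"
NSG_ID = ("/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7/resourceGroups/AzureAuditWbr"
          "/providers/Microsoft.Network/networkSecurityGroups/wbr1-nsg")


def make_event(source_prefix: str, dest_ports: str) -> Dict:
    """Constructed Activity Log record shaped like the slide's; only the two
    rule values that decide the verdict are parameters."""
    rule = {
        "name": "RDP", "id": NSG_ID + "/securityRules/RDP",
        "type": "Microsoft.Network/networkSecurityGroups/securityRules",
        "properties": {
            "provisioningState": "Updating", "protocol": "TCP",
            "sourcePortRange": "*", "destinationPortRange": dest_ports,
            "sourceAddressPrefix": source_prefix, "destinationAddressPrefix": "*",
            "access": "Allow", "priority": 300, "direction": "Inbound",
            "sourcePortRanges": [], "destinationPortRanges": [],
            "sourceAddressPrefixes": [], "destinationAddressPrefixes": [],
        },
    }
    return {
        "authorization": {"action": RULE_WRITE, "scope": rule["id"]},
        "caller": "rsmith@montereytechgroup.com",
        "resourceId": rule["id"],
        "submissionTimestamp": "2019-06-14T15:09:25.0686119Z",
        "properties": {"responseBody": json.dumps(rule)},  # body is a string, not nested JSON
    }


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'*' -> every port, '443' -> (443, 443), '1-5000' -> (1, 5000)."""
    if spec == "*":
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def review_rule(rule: Dict) -> List[str]:
    """Reasons an inbound Allow rule widens exposure; [] for anything else."""
    p = rule["properties"]
    if p.get("direction") != "Inbound" or p.get("access") != "Allow":
        return []
    reasons = []
    # ARM populates either the singular field or the plural list; check both.
    sources = [s for s in [p.get("sourceAddressPrefix")] + p.get("sourceAddressPrefixes", []) if s]
    if any(s in ANY_SOURCE for s in sources):
        reasons.append("source allows any address")
    specs = [s for s in [p.get("destinationPortRange")] + p.get("destinationPortRanges", []) if s]
    for lo, hi in map(parse_port_range, specs):
        if hi - lo + 1 > MAX_PORT_SPAN:
            reasons.append(f"destination ports {lo}-{hi} span {hi - lo + 1} ports")
        exposed = sorted(m for m in MGMT_PORTS if lo <= m <= hi)
        if exposed:
            reasons.append(f"management port(s) {exposed} reachable")
    return reasons


def review_activity_event(event: Dict) -> Optional[Dict]:
    """Return {caller, rule, reasons} for a risky securityRules/write, else None."""
    if event.get("authorization", {}).get("action") != RULE_WRITE:
        return None
    body = event.get("properties", {}).get("responseBody") or event.get("responseBody")
    if not body:
        return None  # a failed write carries no response body to inspect
    rule = json.loads(body)
    reasons = review_rule(rule)
    if not reasons:
        return None
    return {"caller": event.get("caller"), "rule": rule.get("name"), "reasons": reasons}


if __name__ == "__main__":
    print(review_activity_event(make_event("*", "1-5000")))
```

For the slide's rule (source `*`, ports 1-5000) the review returns three reasons: any source, a 5000-port span, and ports 22 and 3389 inside the range. The same function returns None for a rule limited to one address block and port 443, so it can sit directly on an Activity Log feed without a separate filter.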
  • 15. Subscription Administrator added. Log: Azure RM Activity Log. Format: json
      "level": "Informational",
      "operationId": "02511296-cc4b-4c18-999b-c2e66de36877",
      "operationName": {
        "value": "Microsoft.Authorization/classicAdministrators/write",
        "localizedValue": "Set administrator"
      },
      "resourceGroupName": "",
      "resourceProviderName": {
        "value": "Microsoft.Authorization",
        "localizedValue": "Microsoft.Authorization"
      },
      "resourceType": {
        "value": "Microsoft.Authorization/classicAdministrators",
        "localizedValue": "Microsoft.Authorization/classicAdministrators"
      },
      "resourceId": "/subscriptions/e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
      "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
      },
      "subStatus": {
        "value": "",
        "localizedValue": ""
      },
      "submissionTimestamp": "2019-06-14T15:36:36.2613059Z",
      "subscriptionId": "e6fe8876-8d67-40b8-89e9-4d7688fa8dd7",
      "properties": {
        "adminEmail": "azuresync@montereytechgroup.com",
        "adminType": "CoAdmin"
      },
      "relatedEvents": []
    }
  • 16. CEO’s mailbox accessed by another user. Log: Exchange Mailbox Audit Log. Format: XML
     https://office365itpros.com/2019/01/06/exchange-online-message-access-audit/
     https://techcommunity.microsoft.com/t5/Office-365/Microsoft-Halts-Deployment-of-MailItemsAccessed-Audit-Records/td-p/394520
    Access Exchange mailbox folder
    Occurred: 1/16/2013 10:57:54 AM
    Operation: FolderBind
    Result: Succeeded
    Originating server: SP2010-EX1 (14.02.0328.009)
    Mailbox GUID: d74d840c-4dff-4d73-bd8c-5b7a6ce254fd
    Owner: n/a
    Owner UPN: Jack.Striker@sp2010.com
    Owner SID: S-1-5-21-2141518605-3280587107-2299868870-1113
    Folder ID: LgAAAADhmB/WGtj9QJHQYGoruww9AQB73FvAgkdWRYw1hL/iqQFMAAAAJaFGAAAB
    Folder: Sent Items
    Performed By
    User name: Administrator
    User SID: S-1-5-21-2141518605-3280587107-2299868870-500
    Logon type: Owner
    Client Info: Client=OWA
    IP address: fe80::c005:56c7:e881:f29e
    Process name: n/a
    Version: n/a
    Additional information: Owner= [Jack Striker]; LastAccessed= [2013-01-16T10:57:54.2036325-05:00]; LogonType= [Delegate]
  • 17. Bottom line
     Azure Logging vs O365
       One log in O365
         Apparently at the expense of timely delivery
         Not complete
       Azure: many logs and formats
         much more timely delivery
     Features in the cloud change faster than you can implement them
     Need to bring together on-prem and cloud-based logs so that you can see what’s happening at every level and component, regardless where it’s deployed
     Next up: how Rapid7’s cloud SIEM, InsightIDR, automatically applies security analytics to data across your modern network—on-premises, remote workers, SaaS, and IaaS
    © 2019 Monterey Technology Group Inc.
  • 18. Monitor Azure and more with InsightIDR Alex Teng with Felipe Legorreta 06/18/2019 Integrate using Azure Event Hubs
  • 19. The Many Faces of Event Hub
  • 20. The Many Faces of Event Hub
  • 21. Event Hub Stream Flow On-Prem Sources