
Microsoft Defender for Cloud Security Alerts

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Mixed (depending on the alert severity)
Rule ID: SecurityCenter-041

Ensure that the security alerts generated by the Microsoft Defender for Cloud workload protection plans are examined and implemented in order to follow security best practices and meet regulatory compliance and standards. Microsoft Defender for Cloud is a security management service that helps you prevent, detect, and respond to threats with increased visibility and control over the security of your Azure cloud resources. The service periodically analyzes the security state of your cloud resources and when it identifies potential security vulnerabilities, it generates alert notifications. These security alerts are triggered when threats are identified in your Azure, hybrid, or multicloud environments.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.


When Microsoft Defender for Cloud identifies security incidents, it sends security alert notifications that guide you through the process of configuring the needed controls to protect and harden your Azure cloud environment.


Audit

To check for Microsoft Defender for Cloud security alerts within your Azure cloud account, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the main navigation panel, under General, choose Overview.

04 Choose the Azure subscription that you want to examine and ensure that the appropriate Defender plans are active.

05 Navigate back to the Microsoft Defender for Cloud blade and select Security alerts from the main navigation panel.

06 Select Active and In Progress from the Status filter and choose OK to list all the active security alerts generated for the selected Azure subscription.

07 Click on the name of the security alert that you want to examine.

08 Analyze the selected Microsoft Defender for Cloud security alert by verifying the following attributes:

  1. Name – the name of the selected security alert.
  2. Severity – the severity level of the selected alert.
  3. Status – the current status of the selected security alert.
  4. Activity time – the start time of the detected malicious activity.
  5. Alert description – an explicit description of the selected security alert.
  6. Affected resources – the identifier(s) of the impacted Azure cloud resource(s).

09 Choose Take action and follow the Microsoft Defender for Cloud recommendations on how to mitigate the threats detected for your resource(s) in order to assess the security incident and remediate the issue.

10 Repeat steps no. 7 – 9 for each security alert notification identified in the selected Azure subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each cloud subscription available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription IDs:

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-1234-abcd-1234-abcd1234abcd"
]

03 Run security alert list command (Windows/macOS/Linux) using the ID of the Azure subscription that you want to examine as the identifier parameter and custom output filters to list the identifier (name) of each security alert generated for the selected subscription:

az security alert list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --query '[*].name'

04 The command output should return the names (identifiers) of the requested security alerts:

[
	"1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"abc1234abcd1234abcd_12341234-abcd-1234-abcd-123412341234",
	"123abcd1234abcd1234_abcd1234-1234-abcd-1234-abcd1234abcd"
]

05 Run security alert show command (Windows/macOS/Linux) using the name of the Microsoft Defender for Cloud alert that you want to examine as the identifier parameter, to describe the details available for the selected security alert notification:

az security alert show \
  --location "westeurope" \
  --name "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd"

06 The command output should return the requested information (JSON format):

{
	"name": "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"alertDisplayName": "Suspected successful brute force attack",
	"description": "A successful login occurred after an apparent brute force attack on your resource",
	"severity": "High",
	"compromisedEntity": "cc-production-vm",
	"startTimeUtc": "2023-06-07T20:08:06.708743+00:00",
	"processingEndTimeUtc": "2023-06-07T20:09:24.708743+00:00",
	"productName": "Microsoft Defender for Cloud",
	"remediationSteps": [
	"Go to the firewall settings in order to lock down the firewall as tightly as possible."
	],

	...

	"resourceGroup": "cloud-shell-storage-westeurope",
	"endTimeUtc": "2023-06-07T20:08:06.708743+00:00",
	"status": "Active",
	"subTechniques": null,
	"supportingEvidence": null,
	"systemAlertId": "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd",
	"techniques": null,
	"timeGeneratedUtc": "2023-06-07T20:09:27.458301+00:00",
	"type": "Microsoft.Security/Locations/alerts",
	"vendorName": "Microsoft",
	"version": "2022-01-01.0"
}

07 Analyze the information returned at the previous step by checking the following attributes:

  1. "alertDisplayName" – the display name of the selected security alert.
  2. "severity" – the severity level of the selected alert.
  3. "status" – the current status of the selected security alert.
  4. "startTimeUtc" – the start time (UTC) of the detected malicious activity.
  5. "description" – an explicit description of the selected security alert.
  6. "compromisedEntity" – the identifier(s) of the impacted Azure cloud resource(s).
  7. "remediationSteps" – recommendations and instructions on how to mitigate the threats detected for your resource(s) in order to assess the security incident and remediate the issue.

08 Based on the information returned at the previous steps, follow the instructions outlined in the Remediation/Resolution section to implement the recommended security fix.

09 Repeat steps no. 5 – 8 for each security alert notification generated within the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription available in your Microsoft Azure cloud account.
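As an added example (not part of this Conformity page, and not Azure CLI code), the following Python script applies steps 03 to 07 to the JSON that `az security alert list --subscription <id> -o json` produces: it keeps only Active and InProgress alerts, projects the attributes listed in step 07, and orders them by severity so the highest-severity alert is handled first. The alert records are constructed sample data; only the field names come from the `az security alert show` output above.

```python
"""Triage the JSON emitted by `az security alert list --subscription <id> -o json`.

Added example, not Conformity's or Microsoft's code. The alerts below are
constructed; only the field names follow the `az security alert show` output
shown on this page.
"""
import json

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}
OPEN_STATUSES = {"Active", "InProgress"}  # what the portal's Status filter selects

# Constructed sample of what `az security alert list ... -o json` could return.
SAMPLE_ALERTS_JSON = json.dumps([
    {"name": "alert-a", "alertDisplayName": "Suspected successful brute force attack",
     "severity": "High", "status": "Active", "startTimeUtc": "2023-06-07T20:08:06+00:00",
     "description": "A successful login occurred after an apparent brute force attack",
     "compromisedEntity": "cc-production-vm",
     "remediationSteps": ["Go to the firewall settings in order to lock down the firewall."]},
    {"name": "alert-b", "alertDisplayName": "Unusual SSH user agent", "severity": "Low",
     "status": "Resolved", "startTimeUtc": "2023-06-01T10:00:00+00:00",
     "description": "constructed", "compromisedEntity": "cc-staging-vm", "remediationSteps": []},
    {"name": "alert-c", "alertDisplayName": "Traffic from a known malicious IP",
     "severity": "Medium", "status": "InProgress", "startTimeUtc": "2023-06-05T08:30:00+00:00",
     "description": "constructed", "compromisedEntity": "cc-production-vm", "remediationSteps": []},
])

# The attributes step 07 tells you to check, plus the alert name used by `az security alert update`.
FIELDS = ("name", "alertDisplayName", "severity", "status", "startTimeUtc",
          "description", "compromisedEntity", "remediationSteps")


def triage_alerts(alerts_json: str) -> list[dict]:
    """Keep open alerts, project the step 07 attributes, and order them
    High -> Low (oldest first within a severity) so the most urgent come first."""
    alerts = json.loads(alerts_json)
    open_alerts = [a for a in alerts if a.get("status") in OPEN_STATUSES]
    projected = [{f: a.get(f) for f in FIELDS} for a in open_alerts]
    return sorted(projected,
                  key=lambda a: (SEVERITY_RANK.get(a["severity"], 9), a["startTimeUtc"]))


if __name__ == "__main__":
    for a in triage_alerts(SAMPLE_ALERTS_JSON):
        print(f'{a["severity"]:<7} {a["status"]:<10} {a["compromisedEntity"]:<18} '
              f'{a["alertDisplayName"]}')
```

Replace `SAMPLE_ALERTS_JSON` with the contents of a file saved from the `az security alert list` command to run it against your own subscription.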

Remediation / Resolution

To assess the security incidents that triggered the Microsoft Defender for Cloud alerts in your Azure cloud account and remediate the security issues found, perform the following operations:

As an example, this section demonstrates how to remediate a security issue that triggered a security alert named "Suspected successful brute force attack" within Microsoft Defender for Cloud. The recommended security fix is to restrict inbound access on TCP port 22 (SSH) for the impacted resources, as virtual machine (VM) instances with TCP port 22 exposed to the Internet are vulnerable to malicious activities such as Man-in-the-Middle attacks (MITM) and brute-force attacks.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to All resources blade at https://portal.azure.com/#view/HubsExtension/BrowseAll to access all your Microsoft Azure cloud resources.

03 From the Subscription filter box, select the Azure account subscription that you want to access and choose Apply.

04 From the Type filter box, select Network security group, and choose Apply to list only the security groups available in the selected Azure subscription.

05 To allow SSH access on TCP port 22 to specific, authorized entities only such as IP addresses or IP ranges, you must update the inbound configuration of the network security group associated with the impacted VM instance. Click on the name of the network security group that you want to reconfigure.

06 In the resource navigation panel, under Settings, select Inbound security rules to access the list with the inbound rules defined for the selected security group.

07 On the Inbound security rules page, click on the name (link) of the non-compliant security group rule that you want to reconfigure.

08 On the selected security group rule configuration panel, perform the following actions:

  • Select IP Addresses from the Source dropdown list to allow inbound traffic on TCP port 22 from specified IP addresses only.
  • For Source IP addresses/CIDR ranges, provide the source IP address, IP addresses or IP address ranges that will be allowed to access the virtual machine(s) associated with the selected network security group (NSG). You can specify a single value or comma-separated list of multiple values. An example of multiple values is 10.0.1.15/32, 10.0.1.16/32.
  • Choose Save to apply the configuration changes.

09 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

10 In the main navigation panel, under General, choose Security alerts.

11 Select the security alert associated with the security issue mitigated at the previous steps, choose Change status and select Resolved.

12 Repeat steps no. 4 – 11 for each security alert that you want to resolve, available in the selected Azure subscription.

13 Repeat steps no. 3 – 12 for each subscription created within your Microsoft Azure cloud account.

Using Azure CLI

01 Run network nsg rule update command (Windows/macOS/Linux) using the name of the network security group rule that you want to reconfigure as the identifier parameter to restrict SSH access on TCP port 22 to specific, trusted entities by setting the --source-address-prefixes parameter to the IP address, IP addresses or IP address ranges that are allowed to access the virtual machines associated with the selected network security group. You can specify a single value (e.g. 10.0.1.16/32) or a space-separated list of multiple values (e.g. 10.0.1.15/32 10.0.1.16/32):

az network nsg rule update \
  --name SSH \
  --nsg-name cc-production-vm-nsg \
  --resource-group cloud-shell-storage-westeurope \
  --source-address-prefixes 10.0.1.16/32

02 The command output should return the configuration information available for the updated NSG rule:

{
	"access": "Allow",
	"description": null,
	"destinationAddressPrefix": "*",
	"destinationAddressPrefixes": [],
	"destinationApplicationSecurityGroups": null,
	"destinationPortRange": "22",
	"destinationPortRanges": [],
	"direction": "Inbound",

	...

	"name": "SSH",
	"priority": 300,
	"protocol": "TCP",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"sourceAddressPrefix": "10.0.1.16/32",
	"sourceAddressPrefixes": [],
	"sourceApplicationSecurityGroups": null,
	"sourcePortRange": "*",
	"sourcePortRanges": [],
	"type": "Microsoft.Network/networkSecurityGroups/securityRules"
}

03 Run security alert update command (Windows/macOS/Linux) using the name of the security alert associated with the security issue remediated at the previous steps as the identifier parameter, to update the security alert status to Resolved (the command does not produce an output):

az security alert update \
  --name "1234abcd1234abcd123_abcd1234-abcd-1234-abcd-abcd1234abcd" \
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --location "westeurope" \
  --status "resolve"

04 Repeat steps no. 1 – 3 for each security alert that you want to resolve, available in the current Azure subscription.

05 Repeat steps no. 1 – 4 for each subscription created within your Microsoft Azure cloud account.
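Before marking the alert Resolved, it is worth confirming that the NSG change actually closed the exposure. The following Python check is an added example (not Conformity's or Microsoft's code): it evaluates an inbound rule in the JSON shape returned by `az network nsg rule update` or `show` and reports whether it still allows TCP port 22 from any Internet-wide source. The "before" and "after" rules are constructed, with the "after" rule using the 10.0.1.16/32 source set in step 01.

```python
"""Check whether an NSG inbound rule still exposes SSH (TCP 22) to the Internet.

Added example, not Conformity's or Microsoft's code. The two rules below are
constructed; field names follow the `az network nsg rule update` output on this page.
"""

# Source values that mean "anyone": wildcard, the Internet service tag, any-CIDR.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def _port_covers(spec: str, port: int) -> bool:
    """True if a port spec such as "22", "20-25" or "*" includes `port`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _sources(rule: dict) -> list[str]:
    single = rule.get("sourceAddressPrefix")
    return ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])


def _dest_ports(rule: dict) -> list[str]:
    single = rule.get("destinationPortRange")
    return ([single] if single else []) + list(rule.get("destinationPortRanges") or [])


def ssh_open_to_internet(rule: dict, port: int = 22) -> bool:
    """The non-compliant state the remediation targets: an Inbound/Allow rule for
    TCP (or any protocol) whose destination ports include `port` and whose
    source is unrestricted."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if (rule.get("protocol") or "*").upper() not in ("TCP", "*"):
        return False
    if not any(_port_covers(p, port) for p in _dest_ports(rule)):
        return False
    return any(s.lower() in INTERNET_SOURCES for s in _sources(rule))


# Constructed "before" rule (open to the Internet) and "after" rule (restricted
# to 10.0.1.16/32, as the az network nsg rule update command above sets).
BEFORE_RULE = {"name": "SSH", "direction": "Inbound", "access": "Allow", "protocol": "TCP",
               "priority": 300, "destinationPortRange": "22", "destinationPortRanges": [],
               "sourceAddressPrefix": "*", "sourceAddressPrefixes": []}
AFTER_RULE = dict(BEFORE_RULE, sourceAddressPrefix="10.0.1.16/32")

if __name__ == "__main__":
    for label, rule in (("before", BEFORE_RULE), ("after", AFTER_RULE)):
        print(label, "exposed" if ssh_open_to_internet(rule) else "restricted")
```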


Publication date Feb 19, 2022