Duration: 10 minutes

Synopsis: In this exercise, attendees will use Microsoft Defender for Cloud to analyze the cloud workloads using advanced analytics and threat intelligence to setup some alerts to let you know about potentially malicious activities in your cloud resources.

Task 1 – Investigate a security alert

When you've decided which alert to investigate first:

1. Lets go to the Microsoft Defender for Cloud in the Azure portal 
2. Click on Security Alerts.

3. Select the desired alert.

4. From the alert overview page, select the resource to investigate first.

5. Begin your investigation from the left pane, which shows the high-level information about the security alert.

   

   This pane shows:

   • Alert severity, status, and activity time
   • Description that explains the precise activity that was detected
   • Affected resources
   • Kill chain intent of the activity on the MITRE ATT&CK matrix

6. For more detailed information that can help you investigate the suspicious activity, examine the Alert details tab.

7. When you've reviewed the information on this page, you may have enough to proceed with a response. If you need further details:

   • Contact the resource owner to verify whether the detected activity is a false positive.
   • Investigate the raw logs generated by the attacked resource

Task 2 – Respond to a security alert

After you've investigated a security alert and understood its scope, you can respond to the alert from within Microsoft Defender for Cloud:

1. Open the Take action tab to see the recommended responses.

   

2. Review the Mitigate the threat section for the manual investigation steps necessary to mitigate the issue.

3. To harden your resources and prevent future attacks of this kind, remediate the security recommendations in the Prevent future attacks section.

4. To trigger a logic app with automated response steps, use the Trigger automated response section.

5. If the detected activity isn’t malicious, you can suppress future alerts of this kind using the Suppress similar alerts section.

6. When you've completed the investigation into the alert and responded in the appropriate way, change the status to Dismissed.

   

   This removes the alert from the main alerts list. You can use the filter from the alerts list page to view all alerts with Dismissed status.

7. We encourage you to provide feedback about the alert to Microsoft:

   1. Marking the alert as Useful or Not useful.

   2. Select a reason and add a comment.

      

Duration: 15 minutes

Synopsis: In this exercise, attendees will secure a Privileged Access Workstation (PAW) workstation using the Azure Security Center Just-in-Time Access feature.

Task 1 Setup virtual machine with JIT

1. In a browser, navigate to your Azure portal (https://portal.azure.com).

2. Select Security Center, then under ADVANCED CLOUD DEFENSE select Just in time VM access.

   

   Note: Your subscription may not be set up with the Standard tier; if that is the case then do the following:

   • In the Security Center blade, select Pricing & settings.
   • Select your subscription.
   • Select Pricing Tier.
   • Select Standard.
   • Select Save.
   • Navigate back to Security Center, select Just in time VM access.

3. Select the Configured tab, and verify the lab VMs (db-1, paw-1 and web-1) are displayed. If not, select the Recommended tab, and then check the checkbox to select the lab VMs (db-1, paw-1 and web-1), and then select the Enable JIT on 3 VMs link.

   

   Note: It could take up to 10 minutes for new VMs to show up if you upgraded to standard tier security. Also note that it is possible new VMs display in the No recommendation tab until a backend process moves them to the Recommended tab. In you find the VMs do not show up after 10 minutes, you can manually enable JIT by choosing the Configuration tab in the VMs configuration blade and then Enable JIT Access.

   

4. In the configuration window that opens, review the settings, then select Save.

   

5. After a few minutes, you should see the states changed to Resolved. If this does not occur due to UI changes, then browse back to the Configured tab.

   

Task 2: Perform a JIT request

1. Select the Configured tab. You should now see all the machines listed.

2. Select the paw-1 virtual machine, and then select Request access.

   

3. For each of the ports, select the On toggle button, notice how the default IP settings is My IP.

   

4. At the bottom of the dialog, select Open ports. After a few moments, you should now see the APPROVED requests have been incremented and the Last Access is set to Active now..

   

   Note If you did not wait for your VMs and virtual networks to be fully provisioned via the ARM template, you may get an error.

5. Select the ellipses, then select Activity Log, you will be able to see a history of who requests access to the virtual machines.

   

   Note: These entries will persist after you have deleted the VMs. You will need to manually remove them after VM deletion.

6. In the Azure Portal main menu, select All Services, then type Network, then select Network security groups.

   

7. In the filter textbox, type paw-1-nsg, then select the paw-1-nsg network security group.

8. Select Inbound security rules. You should now see inbound security rules set up by JIT Access.

   

Duration: 45 minutes

Synopsis: In this exercise, attendees will utilize Azure SQL features to data mask database data and utilize Azure Key Vault to encrypt sensitive columns for users and applications that query the database.

Task 1: Setup the database

1. Switch to your Azure portal, select All Services then search for SQL Servers. Select SQL Servers.

   

2. Select the Azure SQL database server you created using the Azure Manager template (Ex: AzureSecurity-INIT).

3. Select SQL databases under the Settings section, then select the SampleDB database.

   

4. In the summary section, select the Show database connection strings.

   

5. Take note of the connection string for later in this lab, specifically the Server parameter:

   

6. In the Lab VM, open SQL Server Management Studio.

7. Enter the database server name from above.

8. Enter the username and password used from the Azure Template deployment (wsadmin – p@ssword1rocks).

   Note: If you changed the username and password in the ARM template deployment, use those values instead.

   

9. Depending on how you connected to the Azure SQL environment (inside or outside your vnet), you may be prompted to add a firewall rule. If this occurs, perform the following actions:

   • Select Connect, in the New Firewall Rule dialog, select Sign In.

   • Sign in with your resource group owner credentials.

   • In the dialog, select OK, notice how your incoming public IP address will be added for connection.

   

10. Right-click Databases, and select Import Data-tier Application.

    

    

11. In the Introduction dialog, select Next.

12. Select Browse, navigate to the extracted /Hands-on- lab/Database directory, and select the Insurance.bacpac file.

    

13. Select Open.

14. On the Import Settings dialog, select Next.

15. On the Database Settings dialog, select Next.

    Note: If you get an error, close and re-open SQL Management Studio try the import again. If that does not work, you may need to download the latest SQL Management Studio from here. In some instances, the latest version may not work, version 17.3 is known to deploy the package properly. You should also be aware that bacpac files exported from some SQL Server instances cannot be deployed to Azure SQL Servers. We have also included a .bak file of the Insurance database that you can use to restore from.

16. Select Finish and the database will deploy to Azure. It may take a few minutes.

17. Once completed, select Close.

    

18. In SQL Management Studio, select File->Open->File.

    

19. Browse to the extracted GitHub folder, select the \Hands-on lab\Database\00_CreateLogin.sql file.

20. Ensure that the master database is selected.

21. Run the script to create a login called agent.

22. Browse to the extracted folder, select the \Hands-on lab\Database\01_CreateUser.sql file.

23. Ensure that the Insurance database is selected.

24. Run the script to create a non-admin user called agent.

Task 2: Test the web application solution 

1. In the extracted directory, double-click the \Hands-on lab\WebApp\InsuranceAPI\InsuranceAPI.sln solution file, and Visual Studio will open.

   Note: If prompted, login using your Azure / MSDN account.

2. In the Solution Explorer, navigate to and double-click the Web.config file to open it.

   

3. Update the web.config (line 77) to point to the Insurance database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.

   

4. Press F5 to run the InsuranceAPI solution.

   Note: If you get an CSC error, right-click the project, select Clean. Next, right-click the project and select Rebuild.

5. Test the API for a response by browsing to http://localhost:24448/api/Users. Your port number may be different from 24448. You should see several records returned to the browser. Copy a UserId value for the next instruction.

   

6. In the browser window that opens, browse to http://localhost:24448/api/Users/e91019da-26c8-b201-1385-0011f6c365e9 you should see a json response that shows an unmasked SSN column.

   Note: Depending on your browser, you may need to download to view the json response.

   

Task 3: Utilize data masking

1. Switch to the Azure Portal.

2. Select SQL databases.

3. Select the Insurance database.

4. Under Security, select Dynamic Data Masking, then select +Add Mask.

   

5. Select the User table.

6. Select the SSN column.

7. Select Add.

   

8. Select Save, then select OK.

9. Switch back to your InsuranceAPI solution, press F5 to refresh the page. You should see the SSN column is now masked with xxxx.

   

10. Close Visual Studio.

1. Switch to SQL Management Studio.

2. Select File->Open->File, then open the 02_PermissionSetup.sql file.

3. Switch to the Insurance database, and execute the SQL statement.

4. In the Object Explorer, expand the Insurance node.

5. Expand the Tables node.

6. Expand the User table node.

7. Expand the Columns node.

8. Right-click the SSN column, and select Encrypt Column.

   

   Notice that the State of the column is such that you cannot add encryption (data masking):

   

9. Select Cancel.

10. Switch back to the Azure Portal, and select the User_SSN data masking.

11. Select Delete.

    

12. Select Save.

13. Switch back to SQL Management Studio.

14. Right-click the SSN column, and select Encrypt Column.

15. Check the checkbox next to the SSN column.

16. For the Encryption Type, and select Deterministic.

    

    Deterministic encryption always generates the same encrypted value for any given plain text value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, it may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there's a small set of possible encrypted values, such as True/False, or North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character columns.

    Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.

17. Select Next.

18. For the encryption select Azure Key Vault in the dialog.

    

19. Select Sign In.

20. Sign in with your Azure Portal credentials.

21. Select your Azure Key Vault.

22. Select Next.

23. On the Run Settings, select Next.

24. Select Finish, and the configured will start.

    Note: You may receive a “Wrap Key” error. If so, ensure that your account has been assigned the wrapKey permission in the Azure Key Vault.

    

    • Select Key vault.

    • Select your key vault.

    • Select Access policies.

    • Select Add New.

    • For the principal, select your account.

    • Select Key permissions, and choose Select all.

      

    • Select Secret permissions, and choose Select all.

    • Select Certificate permissions, and choose Select all.

    • Select OK.

    • Select Save.

    • Retry the operation.

    Note: If you are still getting errors (such as Access Denied), ensure that you have selected the correct subscription and Key Vault.

    

25. Select Close.

26. Right-click the User table, and choose Select top 1000 rows.

    

    You will notice the SSN column is encrypted based on the new Azure Key Vault key.

    

27. Switch to the Azure Portal.

28. Select Key Vaults.

29. Select your Azure Key Vault, and then select Keys. You should see the key created from the SQL Management Studio displayed:

    

Duration: 30 minutes

Synopsis: In this exercise, attendees will learn how to migrate web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Create an Azure Key Vault secret

1. Switch to your Azure Portal.

2. Select Key Vaults, then select your Azure Key Vault.

   

3. Select Secrets, then select +Generate/Import.

   

4. For the Upload Options, select Manual.

5. For the Name, enter InsuranceAPI.

6. For the Value, copy the connection string information from the InsuranceAPI solution Web.config file in Exercise 2.

7. Select Create.

8. Select Secrets.

9. Select InsuranceAPI.

10. Select the current version.

    

11. Copy and record the secret identifier URL for later use:

    

Task 2: Create an Azure Active Directory application

1. In the Azure Portal, select Azure Active Directory, then select App Registrations.

   

2. Select +New application registration.

3. For the user-facing display name, type AzureKeyVaultTest.

4. For the supported accounts, select Accounts in this organization directory only…

5. For the Redirect URL, type http://localhost:12345.

   

6. Select Register.

7. Copy and record the Application ID for later use.

   

8. In the left menu pane, under the Manage heading, select Certificates and secrets link.

9. Under Client secrets, select New client secret.

   

10. For the description, enter InsuranceAPI.

11. For the Expires, select In 1 year.

12. Select Add.

13. Copy and record the key value for later use.

Task 3: Assign Azure Active Directory application permissions

1. Switch back to Azure Portal and select your Azure Key Vault.

2. Under the Settings heading, select Access Policies.

3. Select + Add Access Policy.

   

4. Choose Select principal field value. In the right-hand pane, type AzureKeyVaultTest. Select the item.

5. Choose the Select button at the bottom.

6. Select the Secret permissions drop-down, check the Get and List permissions.

   

   Your selection summary should look like this.

   

7. Select Add button.

8. Select Save button at the top.

Task 4: Install or verify NuGet Package

1. Close the previous Visual Studio solution, then from the extracted GitHub directory, open the \Hands-on lab\WebApp\InsuranceAPI_KeyVault\InsuranceAPI.sln solution.

   Note: Be sure you re-open the correct solution.

   

2. Switch to Visual Studio.

3. In the menu, select View->Other Windows->Package Manager Console.

4. In the new window that opens, run the following commands:

   Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform

   Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202

   Install-Package Microsoft.Azure.KeyVault

   Note: These already exist in the project but are provided as a reference. If you receive a codedom version error when you debug, run this command.

   Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r

5. From Solution Explorer, double-click the Web.config file to open it.

   Notice the appSettings section has some token values:

   

6. Replace the ApplicationId (ClientId) and ClientSecret with the values from Task 2.

   

7. Replace the SecretUri with the Azure Key Vault secret key Uri from Task 1.

8. Save the Web.config file in Visual Studio.

   Note: You can take this lab a step further and publish the Web App to an Azure App Service and enable System-assigned Managed Identities. This will allow you to completely remove any authentication from your configurations and utilize Key Vault references.

Task 5: Test the solution 

1. Open the Web.config, and comment out or delete the connectionString from the file at line 78.

2. Open the Global.asax.cs file, and place a break point at line 28.

   Note: This code makes a call to get an accessToken as the application you set up above, then make a call to the Azure Key Vault using that accessToken.

3. Press F5 to run the solution.

   You should see that you execute a call to Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database).

   

4. Press F5 to continue the program.

5. Navigate to http://localhost:portno/api/Users, you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value(s) using default settings. In order to do seamless decryption, you would need to:

   • Run the \Hands-on lab\Database\02_PermissionSetup.sql script if you have not already done so.

   • Add the AzureKeyVaultProvider for Entity Framework reference to the project.

   • Register the provider code in order for .NET to handle the encrypted column.

   • Add an access policy to the Azure Key Vault that gives key permissions (decrypt, sign, get, unwrapkey, verify) to the Azure AD application.

   • Add the Column Encryption Setting=Enabled to the connection string.

   • Detailed steps can be found in this blog post

   • A third solution (\Hands-on lab\WebApp\InsuranceAPI_KeyVault_Encrypted\InsuranceAPI.sln) was added to the GitHub repo that has the necessary references and code added.

     • Simply update the web.config file with your client id and secret after adding the required Key Vault permissions above.

     • Update the Key Vault connection string to have the Column Encryption Setting=Enabled.

     • Review the code added to the global.asax.cs file.

     • Run the project and navigate to the above page.

Duration: 45 minutes

Synopsis: In this exercise, attendees will utilize Network Security Groups to ensure that virtual machines are segregated from other Azure hosted services and then explore the usage of the Network Packet Capture feature of Azure to actively monitor traffic between networks.

Task 1: Test network security group rules #1

1. In the Azure Portal, select Virtual Machines.

2. Select paw-1, then select Connect.

3. In the dialog, select Download RDP file Anyway. Open the downloaded RDP file and connect to the Virtual Machine.

   Note: Default username is wsadmin with p@ssword1rocks as password and you may need to request JIT Access if you have taken a break between exercises.

4. In the PAW-1 virtual machine, open Windows PowerShell ISE as administrator.

   • Select the Windows icon.

   • Right-click Windows PowerShell ISE, choose More, then select Run as Administrator.

5. Copy and run the following command:

   Set-ExecutionPolicy -ExecutionPolicy Unrestricted

   

6. In the dialog, select Yes.

7. Select File->Open, browse to the extracted GitHub directory and open the \Hands-on lab\Scripts\PortScanner.ps1.

   Note: You would have downloaded the GitHub repo and extracted this in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.

8. Review the script. Notice that it does the following:

   • Installs NotePad++

   • Adds hosts entries for DNS

   Note: When using multiple virtual networks, you must setup a DNS server in the Azure tenant.

   • Executes port scans

9. Press F5 to run the script. You should see the following (the Azure ARM Template created a default rule to block all traffic):

   • Port scan for port 3389 (RDP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine.

   • The information above for port 3389 (RDP) is visible after running the script and pressing F5.

   

   • Port scan for port 1433 (SQL) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine. DB-1 is running SQL Server but traffic is blocked at NSG and via the Windows Firewall.

   

   • Port scan for port 80 (HTTP) to DB-1 and WEB-1 is unsuccessful from the PAW-1 machine, if traffic was allowed, it would always fail to DB-1 because it is not running IIS or any other web server.

   

Note: The ARM template deploys a Deny All rule. If you were to simply create a Network Security Group from the UI, you would not experience this behavior.

Task 2: Configure network secuirty groups

1. Switch to the Azure Portal.

2. Configure the database server to only allow SQL Connections from the web server:

   • Select Network Security Groups.

   • Select DbTrafficOnly.

   • Select Inbound Security Rules.

   • Select +Add.

   • For the Source, select IP Addresses.

   • For the Source IP address, enter 10.2.0.4.

   • For the Destination, keep Any.

   • For the Destination port range, enter 1433.

   • For the Priority, enter 100.

   • For the Name, enter Port_1433.

   • Select Add.

3. Configure the web server to allow all HTTP and HTTPS connections:

   • Select Network Security Groups.

   • Select WebTrafficOnly.

   • Select Inbound Security Rules.

   • Select +Add.

   • For the Source, keep Any.

   • For the Destination, keep Any.

   • For the Destination port ranges, enter 80,443.

   • For the Priority, enter 100.

   • Change the Name to Port_80_443.

   • Select Add.

   Note: In some rare cases it may take up to 15 minutes for your Network Security Group to change its status from Updating. You won't be able to add any other rules until it completes.

4. Configure both the database and web server to only allow RDP connections from the PAW machine:

   • Select Network Security Groups. For both the DbTrafficOnly and WebTrafficOnly, do the following:

     • Select Inbound Security Rules.

     • Select +Add.

     • For the Source, select IP Addresses.

     • For the Source IP address, enter 10.0.0.4.

     • For the Destination port range, enter 3389.

     • For the Priority, enter 101.

     • For the Name, enter Port_3389.

     • Select Add.

5. Configure all Network Security Groups to have Diagnostic logs enabled.

   • Select Network security groups. For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:

     • In the content menu, select Diagnostic logs, and then select Add diagnostic setting.

     

     • For the name, enter the NSG name and then add Logging to the end.

     • Check the Send to Log Analytics checkbox, in the Log Analytics box, select Configure.

     • Select the azseclog… workspace.

     • Select both LOG checkboxes.

     • Select Save.

     

     • Repeat for all remaining Network Security Groups.

Task 3: Test network security group rules #2

1. Switch back to the PAW-1 virtual machine.

2. Press F5 to run the PortScan script. You should see the following:

   • Port scan for port 3389 (RDP) to DB-1 and WEB-1 is successful from the PAW-1 machine.

   

   • Port scan for port 1433 (SQL) to DB-1 is successful, and WEB-1 is unsuccessful from the PAW-1 machine.

   Note: You may need to disable the windows firewall on the DB-1 server to achieve this result.

   

   • If IIS has been setup on WEB-1, the port scan for port 80 (HTTP) to DB-1 is unsuccessful and WEB-1 is successful from the PAW-1 machine

   

Task 4: Install network watcher VM extension

1. Switch to the Azure Portal.

2. Select Virtual Machines.

3. Select db-1.

4. In the blade menu, select Extensions, then select +Add.

   

5. Browse to the Network Watcher Agent for Windows, and select it.

6. Select Create.

   

7. In the next Install extension dialog window (note that it could be blank) select OK. You should see a toast notification about the script extension being installed into the Virtual Machine.

   

Task 5: Setup network packet capture

1. In the main Azure Portal menu, search All services for Network Watcher.

2. In the context menu, select Network Watcher.

   

3. Expand the subscription regions item you are running your labs in.

4. For the East US region (or whatever region you deployed your VMs too), select the ellipsis, then select Enable Network Watcher.

   

5. In the new context menu, select Packet capture.

6. Select +Add.

   

7. Select your subscription.

8. Select your resource group.

9. For the target virtual machine, ensure that db-1 is selected.

10. For the capture name, enter databasetraffic.

11. Notice the ability to save the capture file to the local machine or an Azure storage account. Ensure that the resource group storage account is selected. If you check your resource group, the storage account is prefixed with “diagstor”.

    

12. For the values, enter the following:

    • Maximum bytes per packet: 0.
    • Maximum bytes per session: 1073741824.
    • Time limit: 600.

13. Select OK.

Task 6: Execute a port scan

1. Switch your Remote Desktop connection to the PAW-1 virtual machine.

2. Uncomment the last line of the script, and press F5.

   

   Note: You should see the basic ports scanned, and then a port scan from 80 to 443. This will generate many security center logs for the Network Security Group which will be used in the Custom Alert in the next exercise.

Duration: 20 minutes

Synopsis: In this exercise, you will setup Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.

Task 1: Create a dashboard

1. Open the Azure Portal.

2. Select All services, then type Sentinel, select Azure Sentinel.

   

3. In the blade, select +Add, select the Log Analytics resource for your resource group, then choose Add Azure Sentinel.

   

4. In the blade, under Threat Management, select Workbooks.

5. In the list of workbooks, select Azure Network Watcher, choose Save.

6. Select the region and choose OK.

7. In the list of workbooks, select Azure AD Audit logs, select Save.

8. Select the region and select OK.

   

9. Select View saved workbook, take a moment to review your new workbook.

   Note: You may not have data in the log analytics workspace. Wait for 10-15 minutes.

Task 2: Create an Analytics alert 

1. Navigate back to the Azure Sentinel workspace, in the Configuration blade section, select Analytics then select +Create then Scheduled query rule.

   

2. On the General tab, enter PortScans for the name.

3. For the description, enter A custom rule to detect port scans, select Next: Set rule logic.

4. In the Rule query text box, type:

   AzureDiagnostics
   | where ruleName_s == 'UserRule_DenyAll' and Type != 'AzureMetric' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY' and OperationName == 'NetworkSecurityGroupCounters'
   | summarize AggregatedValue = sum(matchedConnections_d) by ruleName_s, primaryIPv4Address_s
   | where AggregatedValue > 0

   

   Note: If you were quick going through the labs, then you may not have log data in the Log Analytics workspace just yet that corresponds to “AzureMetric”. You may need to wait 15-30 minutes before a query will execute.

   Note: Since the introduction of Azure Security Center and Sentinel, the backend logging has changed a few times as well as the way the calculations are done in the rule query (timespan in query vs outside query, etc.). The ultimate goal of this query is to find when a series of failed connection attempts have been made against a network security group and a specific deny rule. If for some reason the UI/backend has been modified since the last published lab, modify the query to accomplish this goal.

5. Under Map entities, for the IP, select the primaryIPv4Address_s column.

6. Under Query scheduling, for the Run query every setting, type 5 minutes.

   Note: This is a lab and you want to see the results as quickly as possible. In a production environment, you may want to choose a different time threshold.

7. For the Lookup data from the last, type 1 hours.

8. Under Alert threshold, for the Generate alert when number of query results, enter 1.

   Note: We want to hit the threshold quickly for lab purposes. This query and value may not be appropriate for production and is only for learning purposes.

   Review the current data to determine what would trigger the alert. Notice the red threshold line intersects the blue event data line.

   

9. Select Next: Automated response, notice you have no playbooks to select yet.

10. Select Next: Review.

11. Select Create.

    Note: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from paw-1

    

Task 3: Investigate a custom alert incident

1. In the main menu, select Azure Sentinel.

2. Select Incidents.

3. Select the new PortScans incident.

   

   Note: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to cause log events or you can lower the threshold for the custom alert.

4. In the dialog, choose Investigate.

   

5. In future versions, you will get to see insights about the alerts and the resources related to what caused it to fire:

   

Task 4: Create an run a playbook

1. In the Azure Sentinel blade, select Playbooks.

2. In the new window, select + Add Playbook.

   

3. The Create logic app blade will display:

   • For the name, enter Email.

   • Select your existing resource group.

   • Toggle the Log Analytics to On and then select your azuresecurity Log Analytics workspace.

   

4. Select Create, after a few moments, the Logic Apps Designer will load. If the designer does not load, wait a few minutes and refresh the Playbook list. Select the Email playbook.

   

5. Select the Get a notification email when Security Center detects a threat template.

   

6. Select Use this template.

   

7. For the Office 365 Outlook connection, select the + link, enter your Azure/O365 credentials.

   

   Note: This would need to be a valid Office 365 account, if you do not have a valid Office 365 account, then utilize a basic email template for Outlook.com.

8. For the Security Center Alert connection, select the + link.

9. Select Continue.

   

10. For the email address, enter your email.

11. Select Save. You now have an email alert action based on LogicApps for your custom security alert to use.

    

12. Lastly, after you have created the new Playbook, ensure that the status is Enabled. If not, then select Enable in the menu.

Task 5: Execute Jupyter Notebooks

1. In the Azure Sentinel blade, select Notebooks.

2. In the blade top menu navigation, select Clone Notebooks.

3. If not already logged in, select your Azure credentials, the GitHub repo will start to clone into your workspace.

   

   You will see the GitHub progress meter.

   

4. Navigate to My Projects and select the Run on Free Compute.

5. Search for the Get Started.ipynb notebook. You may have to page through the results to find the Get Started.ipynb notebook. Select it. In this example, it was located on the second page.

   

6. In the menu, select Kernel->Change kernel, then select Python 3.6.

   

7. Choose the Run button until you execute the entire Notebook, note that some steps will required your input.

   When the cell has an asterisk, it is still processing. Wait for a number to appear.

   

   This cell has completed processing. You should see a number.

   

   Note: You can find the open source GitHub notebooks at https://github.com/Azure/Azure-Sentinel.

   At this point, you may have to enter the code.

   

   Your final cell processing should provide an output.

   

Task 6: Creating Reports with Power BI

1. Navigate back to your Azure Sentinel browser window. Select Logs.

   Note: You may see a Welcome to Log Analytics splash page in the blade. Select Get Started.

   

2. In the Schema tab under Active, expand the LogManagement node, notice the various options available.

3. In the schema window, select AzureDiagnostics, then choose the eye icon.

4. In the top right, select Export, then select the Export to Power BI (M Query) link.

   

   

5. Select Open, a text document with the Power Query M Language will be displayed.

6. Follow the instructions in the document to execute the query in Power BI.

   

7. Close Power BI.

Duration: 30 minutes

Synopsis: In this exercise, attendees will learn how to migrate web application to utilize Azure Key Vault rather than storing valuable credentials (such as connection strings) in application configuration files.

Task 1: Review a basic Azure Policy

1. Open the Azure Portal. Select All Services, then type Policy. Select Policy in the list of items.

   

2. In the blade menu, select Compliance, and review your Overall resource compliance percentage.

   

3. For the scope, ensure the proper subscription is selected, then select ASC Default (subscription:.

4. In the Initiative compliance blade, review your compliance metrics.

5. Scroll to the results area and select the Non-compliant resources tab.

   

6. In the filter search box, type PAW-1 and select it when displayed.

   Note: You may not see resources display right away. If this is the case, then scroll through some other non-compliant resources.

7. With the Policies tab selected, review the policies that the resource is non-complying against.

   Note: New policies are being created and your number may be different from the image below.

   

8. Choose one of the policies. Review the Definition JSON of the policy definition, notice how it is based on ARM Template format and is looking for specific properties to be set of the non-compliant resources.

   

   Note: You can use these out of box templates to build your own policies and apply them as blueprints.

Task 2: Review and create Azure Blueprints 

1. In the Policy blade, under Authoring, select Definitions. These are a list of all defined policies which can be selected for assignment to your subscription resources.

   

2. In the Policy blade, under Related Services, select Blueprints.

3. In the Blueprints blade, select Blueprint definitions.

4. Select +Create blueprint.

   

5. Review some of the sample blueprints, then select Start with blank blueprint.

   

6. For the name, type gdprblueprint.

7. For the location, select the ellipses, then select your subscription in the drop down.

8. Choose Select.

   

9. Select Next: Artifacts.

10. Select + Add artifact.

11. For the Artifact Type, select Policy Assignment, review all the policies available to you (at the time of this writing you would see 37 definitions and 311 policies).

12. In the search box, type unrestricted, browse for the Audit unrestricted network access to storage accounts.

    

13. Select Add.

14. Select Save Draft. It may take a few minutes. The blade will automatically change when the save operation finishes.

15. For the new blueprint, select the ellipses, then select Publish Blueprint.

    

16. Select Publish.

17. For the version type 1.0.0.

18. For the new blueprint, select the ellipses, then select Assign Blueprint.

    

19. Review the page, then choose Assign. This policy will now be audited across all your storage accounts in the specific subscription.

Task 3: Secure Score

1. In the Azure Portal, select All Services, then type Security, select Security Center.

2. In the Security Center blade, under POLICY & COMPLIANCE, select Secure score.

3. Review your overall secure score values and then notice the category values.

   

4. On the bottom half of the window, select your subscription, you will be presented with the items that have failed resource validation sorted by the score value that is assigned to that particular recommendation item.

5. Select the An Azure Active Directory administrator should be provisioned for SQL Servers, on the recommendation blade, you will be presented with information about how to remediate the recommendation to gain the impact value to your score.

   

Task 4: Use Compliance Manager for Azure 

Note: You may need to additional permissions to run this portion of the lab. Contact your Global Administrator.

1. In a browser, go to the Service Trust/Compliance Manager portal (https://servicetrust.microsoft.com).

2. In the top corner, select Sign in, you will be redirected to the Azure AD login page.

   

3. If prompted, select or sign in with your Azure AD\Office 365 credentials.

4. In the menu, select Compliance Manager->Compliance Manager Classic.

   

5. Select on the +Add Assessment link.

6. Select Create a new Group, for the name type AzureSecurity, select Next, set the Would you like to copy the data from an existing group toggle to No, select Next.

7. For the product dropdown, select Azure.

8. For the certification dropdown, select GDPR.

   

9. Select Add to Dashboard. You will now see a new assessment for Azure and GDPR in progress:

   

10. Select Azure GDPR.

11. Review the various controls that you can implement:

    

12. On the top menu, choose Trust Documents, then select Audit Reports.

13. Notice the various tabs that you can select from, select FedRAMP Reports.

14. These are all the FedRAMP reports sorted by date that have been performed and publicly posted for Azure customer review. Select the item displayed and briefly review the document.