Discover and read the best of Twitter Threads about #azuresentinel
Most recents (9)
THREAD: Yesterday I gave a talk at #ITechDays on #Security approach in a #Cloud with #Azure context.
Here is key points and promised links and references.
Here is key points and promised links and references.
DISCLAIMER: I'm MVP and RD but it isn't based on NDA info. My opinions only.
It might be wrong. You are warned.
Pic (cc) visualhunt.com/re7/e60879a6
It might be wrong. You are warned.
Pic (cc) visualhunt.com/re7/e60879a6
Added #STRONTIUM election-related credential harvesting campaign "detection" to #AzureSentinel: github.com/Azure/Azure-Se…
Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).
You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
As shipped, it's looking over the past 30 days. But if you have #AzureSentinel, I recommend pasting that same KQL in & searchings logs w/ expanded timeframe.
The # authAttempts can stay where it's at ... #STRONTIUM activity is approx 100 attempts per IP per account
The # authAttempts can stay where it's at ... #STRONTIUM activity is approx 100 attempts per IP per account
It has never been easier to get started with key Microsoft security tools. There are ninja trainings for:
- Azure Security Center
- Microsoft Defender ATP
- Azure Sentinel
#AzureSecurityCenter #MDATP #MicrosoftDefenderATP #AzureSentinel
- Azure Security Center
- Microsoft Defender ATP
- Azure Sentinel
#AzureSecurityCenter #MDATP #MicrosoftDefenderATP #AzureSentinel
Azure Security Center: techcommunity.microsoft.com/t5/azure-secur…
Microsoft Defender ATP: techcommunity.microsoft.com/t5/microsoft-d…
It's been awesome to witness so many teams collaborating to prevent/detect malicious OAuth apps and reduce the attack surface.
Excited for my small part in providing #AzureSentinel visibility into suspicious OAuth behavior & tooling. Blog soon!
🙏PwnAuth, O365-attack-toolkit, C3
Excited for my small part in providing #AzureSentinel visibility into suspicious OAuth behavior & tooling. Blog soon!
🙏PwnAuth, O365-attack-toolkit, C3
Context:
I figured if I tweeted, I'd be forced to actually finish that blog with @cglyer 😅
I figured if I tweeted, I'd be forced to actually finish that blog with @cglyer 😅
Taking lots of action against multiple forms of OAuth abuse: https://t.co/kpH8363ey0
🆕 Job Update: I'm joining @Microsoft!
On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF
My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅
Also:
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF
My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅
Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
• @MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
• @msftsecresponse w/ the awesome @n0x08
• @Lee_Holmes for everything Azure
¹if I say it here, it has to happen right?😉
• @MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
• @msftsecresponse w/ the awesome @n0x08
• @Lee_Holmes for everything Azure
¹if I say it here, it has to happen right?😉
For 2020, here are 20 reasons to look into #AzureSentinel
👇👇
👇👇
Detect AWS attacks:
Detonate phishing URLs in a VM:
Wait is over .. Read final part 2 which is focused on aws log data ingestion , #hunting and investigation of Capital one breach TTPs in #AzureSentinel techcommunity.microsoft.com/t5/Azure-Senti…
T1078: Privileged role attached to Instance.
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
T1078 : Suspicious credential token access of valid IAM Roles
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
I was invited by @ram_ssk to speak at the Microsoft Security Data Science Colloquium. 🙏 COOL EVENT
His summary 👉
His summary 👉
I talked on accelerating learning in infosec, importance of organizing knowledge w/ @MITREattack (and extending to cloud), executable know-how with @cyb3rops #Sigma, cloud native #AzureSentinel, #Jupyter notebooks for sharing repeatable analysis.
SLIDES: github.com/ramshans/2019-…
SLIDES: github.com/ramshans/2019-…
I ♥️that it has attendees from the community including @Google, @salesforce, @netflix, @Facebook, @splunk (@meansec, @daveherrald, @davidveuve), @NicolasPapernot
Shout out to @Cyb3rWard0g and @ianhellen in my presentation!
Shout out to @Cyb3rWard0g and @ianhellen in my presentation!
If you use O365, you need to learn about password spray. Want to see some campaigns against you? Try #AzureSentinel--you can connect your O365 data for free. Here are some common patterns.
👇👇👇
👇👇👇
Attacker uses a formulaic Microsoft Office User Agent string.
Attacker using IMAP interface. Look for CBAInPROD from invalid login sources.
🔗gcits.com/knowledge-base…
🔗gcits.com/knowledge-base…
