In the realm of cybersecurity, the ability to efficiently comprehend and utilize logs within Azure subscriptions for threat hunting is paramount. These investigations typically involve meticulous log analysis aimed at identifying the initial breach and the subsequent actions executed by the Threat Actor. This blog post delves into various strategies and methodologies designed to enhance our grasp of the scope and complexity of how threat actors' manoeuvre within Azure subscriptions, thereby fortifying our defenses against the ever-evolving landscape of cyberattacks.
To better understand the intricacies involved, let us consider a hypothetical attack scenario:
Figure 1: Diagram of hypothetical attack scenario
Breached Global Administrator Account: The attack commences with a "Pass the Cookie" assault on the global administrator's identity. This type of credential theft involves an adversary stealing a user's session cookie to gain unauthorized access to their account. With the compromised admin account, the adversary gains entry to the Azure subscription via the portal or Azure management API (application programming interfaces). For more information on “Pass the Cookie” attacks, check out Token tactics: How to prevent, detect, and respond to cloud token theft | Microsoft Security Blog
External user invite and privilege elevation: Leveraging the hijacked administrator account, the adversary proceeds to extend access to external users, elevating their privileges to authoritative roles such as a Subscription Owner or Contributor. This step aims to establish a persistent presence within the tenant, providing the adversary with a reliable re-entry point and sufficient permissions to fulfil their malicious objectives.
Action on objective: The adversary's commonly observed action on objectives may include:
For better forensic data analysis, it is important to know where Azure logs are and how to access them. By default, Azure saves control plane logs (also called Management Plane logs) in Azure Monitor which records operations like creating, deleting, or modifying a resource. But data plane logs which are specific to each resource, such as Blob Storage Access logs, are separate and need to be turned on for each resource through Azure Diagnostics Settings in the resource configuration. In this blog, we will focus on Azure Monitor Activity logs together with Microsoft Entra ID Audit Logs, however below you can see a data flow diagram for the default and potential locations of the different types of logs which may be useful during an Azure investigation.
Figure 2: Diagram of data flow for logs relating to Azure investigations
Pre-requisites to collect data for use in M365 Defender
To collect data, Defender for Cloud Apps requires the following connectors to be enabled:
Pre-requisites to collect data for use in Log Analytics
In this section, we will delve into some key activities you can look out for to quickly identify potential security incidents. Some of these activities include:
Microsoft Defender for Cloud Apps is an advanced security solution that fortifies cloud-based applications across Microsoft 365 and additional SaaS providers. It offers a suite of investigative features that are particularly beneficial in the context of the case study mentioned above, including:
Activity log: Keep track of all activities by external user accounts with administrative privileges by utilizing the Microsoft Defender portal "Cloud Apps" tab, then navigate to "Activity log." Apply a filter for "Microsoft Azure" and “External Users” and select the appropriate "Action type." These filters can also be used to create custom new policies.
Figure 3: Diagram showing a Defender for Cloud Apps filter for external users performing actions against Azure
Advanced Hunting: Another powerful tool at your disposal is Advanced Hunting, which can help you hunt for unusual activities within your Azure subscriptions. The Advanced Hunting portal will display results from historical data spanning 30 days.
By watching out for these activities using Advanced Hunting queries, you can proactively detect and respond to security threats in your Azure environment. Remember, staying ahead of potential incidents is key to maintaining a secure and resilient cloud infrastructure. Incorporate these strategies into your security operations to strengthen your defense against evolving cyber threats.
Example useful Advanced Hunting queries:
//Hunt for creation of new guest accounts
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "Add user."
| where RawEventData.ResultStatus == "Success"
| where RawEventData has "guest" and RawEventData.ObjectId has "#EXT#"
| mv-expand Property = RawEventData.ModifiedProperties
| where Property.Name == "AccountEnabled" and Property.NewValue has "true"
| project Timestamp, AccountObjectId, AccountDisplayName, newGuestAccount = RawEventData.ObjectId, UserAgent
Figure 4: Screenshot of output from query
//Hunt for Azure activities from guest users
let newGuestAccounts = (
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "Add user."
| where RawEventData.ResultStatus == "Success"
| where RawEventData has "guest" and RawEventData.ObjectId has "#EXT#"
| mv-expand Property = RawEventData.ModifiedProperties
| where Property.Name == "AccountEnabled" and Property.NewValue has "true"
| project newGuestAccountObjectId = tostring(RawEventData.Target[1].ID)
| distinct newGuestAccountObjectId);
CloudAppEvents
| where Timestamp > ago(7d)
| where isnotempty(toscalar(newGuestAccounts))
| where Application == "Microsoft Azure"
| where AccountObjectId in (newGuestAccounts)
//Hunt for Azure activities from high-risk users
let riskyAzureSignIns = (
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where ErrorCode == 0
| where Application == "Azure Portal"
| where RiskLevelAggregated == 100 or RiskLevelDuringSignIn == 100
| project AccountObjectId, RiskySignInTimestamp = Timestamp);
let AzureActivity = (
CloudAppEvents
| where Timestamp > ago(30d)
| where Application == "Microsoft Azure"
| project AccountObjectId, ActivityTime = Timestamp);
//join the tables
riskyAzureSignIns
| join AzureActivity on AccountObjectId
| where ActivityTime between (RiskySignInTimestamp .. (RiskySignInTimestamp + 12h))
Figure 5: Screenshot of output from high risk activities in Azure queries
Detecting suspicious activity with Activity policies: A crucial tool in cloud monitoring, Activity policies in Microsoft Defender for Cloud Apps allow you to track your organization's cloud activities effectively. Notifications are triggered based on policy results, and users can be suspended from cloud apps as needed. An Activity policy comprises the following components:
Figure 6: Example Activity policy
Microsoft Azure is Microsoft’s public cloud computing platform, providing a broad range of configurable security options and the ability to control them so that they can be customized to meet unique requirements. We will take a closer look at two of these security options using the above case study:
Azure Monitor Activity Log: The Azure Monitor Activity Log is a comprehensive log within Azure that offers visibility into actions taken at the subscription level. The entries in Activity Logs include control plane changes only. It records all modification operations (create, update, or delete) on cloud resources, a good example being when a virtual machine is started or stopped. The activity logs can be filtered at the subscription level or resource-level. Activity log events are retained in Azure for 90 days and then deleted but for more functionality, the diagnostic settings can be used to increase retention based on your needs. By default, the control plane logs are collected. To collect data from the data plane, diagnostics settings need to be enabled on each resource.
Figure 7: Snippet of Azure Monitor activity log
Continuously monitor for any unusual activities and verify their legitimacy. Additionally, keep an eye on the Metrics tab for any unexpected spikes in activity. A significant increase in outbound data transfer, measured in megabytes, could signal unauthorized data exfiltration. Similarly, a series of consecutive virtual machine creations warrants further investigation.
Azure Log Analytics: Azure Log Analytics stands out as another powerful tool in your arsenal. It's a service designed to monitor your resources and applications across both cloud and on-premises environments. This tool empowers you to perform crucial tasks such as searching, analyzing, and visualizing data using the powerful Kusto Query Language (KQL).
Setting up a log analytics workspace is the first step, acting as a virtual container to store logs efficiently. These logs can originate from diverse sources like Activity logs, ARM logs, and Microsoft Entra ID Audit Logs, boasting extended retention periods for your convenience.
Figure 8: Example showing Microsoft Entra ID logs being sent to a Log Analytics workspace
For investigating the previously described attack scenario using Azure Log Analytics, you'll want to direct both Microsoft Entra ID Audit logs and Azure Activity logs to Log Analytics. In the Advanced Hunting feature, these logs are consolidated in the CloudAppEvents table, while Log Analytics organizes this data into the AuditLogs and AzureActivity tables respectively.
Example useful Log Analytics queries:
//Hunt for Azure Role assignments to newly added guest user accounts
let newGuestAccounts = AuditLogs
| where OperationName == "Add user"
| mv-expand TargetResources = TargetResources
| mv-expand ModifiedProperties = TargetResources.modifiedProperties
| where ModifiedProperties.displayName == "UserType" and ModifiedProperties.newValue has "Guest"
| summarize by tostring(TargetResources.id);
AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| extend Properties=parse_json(Properties)
| extend requestbody = parse_json(tostring(parse_json(Properties).requestbody))
| extend PrincipalId= requestbody.Properties.PrincipalId
| extend RoleDefinitionId= requestbody.Properties.RoleDefinitionId
| extend Scope= requestbody.Properties.Scope
| extend Entity = tostring(Properties.entity)
| where PrincipalId in (newGuestAccounts)
| join kind=inner (
AzureActivity
| where OperationNameValue == "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE"
| where ActivityStatusValue != "Start" | extend Entity = tostring(parse_json(Properties).entity) ) on CorrelationId,Entity,OperationNameValue
| project TimeGenerated,OperationNameValue,PrincipalId,RoleDefinitionId,FinalStatus = ActivityStatusValue1, Caller, Properties
Figure 9: Screenshot of query hunting for suspicious Azure role assignments
//Hunt for Azure activity performed by newly added guest user account
let newGuestAccounts = AuditLogs
| where OperationName == "Add user"
| mv-expand TargetResources = TargetResources
| mv-expand ModifiedProperties = TargetResources.modifiedProperties
| where ModifiedProperties.displayName == "UserType" and ModifiedProperties.newValue has "Guest"
| summarize by tostring(TargetResources.id);
AzureActivity
| where Claims has_any (newGuestAccounts)
Setting up and customizing diagnostic settings is essential for resources that demand heightened data plane monitoring, such as Key Vaults, Storage accounts, and others. If diagnostic settings are not configured it can limit visibility into activities such as reconnaissance, credential access, data exfiltration, and other malicious behaviours. Diagnostic logs play a crucial role in identifying actions such as identifying the entity accessing a data store or a secret, logging failed API attempts towards web services or databases, and much more. Enabling Diagnostic settings incurs a cost. It is recommended to use Azure Policy to enforce Diagnostic settings configuration on critical resources to ensure you have the proper logging enabled. You can either utilize the built-in policy definitions that Azure Policy already has for Diagnostic settings, or you can build you own custom policy.
In conclusion, cloud investigation in Azure subscriptions is multi-faceted and a crucial aspect of maintaining a secure and resilient cloud environment. By understanding and utilizing logs effectively and ideally bringing them into a central location, organizations can enhance their threat hunting capabilities and proactively identify potential security threats and vulnerabilities. Azure provides robust logging and monitoring tools that can be leveraged to gain insights into system activities, detect anomalies, and respond promptly to security incidents. Integrating best practices for log management, analysis, and incident response is essential for organizations to stay ahead of evolving cyber threats and safeguard their sensitive data and assets in the cloud.