Quick Start Security for Azure Audit
Coralogix Extension For Azure Audit Includes:
Alerts - 8
Stay on top of Azure Audit key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Managed Cluster Agent Pool Configuration Audit Trail
The Managed Cluster Agent Pool Configuration Audit Trail covers agent pools, a crucial component of container orchestrators such as Kubernetes; managing their configuration is vital for optimizing performance, ensuring scalability, and maintaining the security of containerized applications.
Impact: Implementing a Managed Cluster Agent Pool Configuration Audit Trail has various positive impacts on an organization's containerized environment, operations, and security.
Mitigation: Mitigating security threats on a Managed Cluster Agent Pool Configuration Audit Trail involves implementing measures to protect the audit trail data, prevent unauthorized access, and respond effectively to potential threats. Steps to mitigate security threats on the audit trail: encryption and secure storage, access control, and audit trail integrity checks.
MITRE Tactic: TA0005
MITRE Technique: T1497
Container Service Managed Cluster List Credential
The "Container Service Managed Cluster List Credential" use case establishes an audit log to track and record activities related to listing administrative credentials for a managed cluster within a container service, such as Azure Kubernetes Service (AKS) or a similar platform.
Impact: Implementing a Container Service Managed Cluster List Credential Audit has several implications for the security, compliance, and operational aspects of managing containerized environments.
Mitigation: Mitigating security threats on a Container Service Managed Cluster List Credential audit trail involves implementing measures to protect the audit trail data, prevent unauthorized access, and respond effectively to potential threats. Steps to mitigate security threats on the audit trail: encryption and secure storage, access control, and audit trail integrity checks.
MITRE Tactic: T1082
MITRE Technique: T1562
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
Impact: An adversary may perform configuration changes to affect users and disrupt the usual operations in their target's environment.
Mitigation: Verify whether the application identity and/or hostname should be making changes in your environment. Access to the application by unfamiliar users or hosts should be investigated.
MITRE Tactic: TA0005
MITRE Technique: T1087
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants either application permissions (app roles) or highly privileged delegated permissions.
Impact: If a permission is granted contrary to RBAC policy, it can lead to data misconfiguration.
Mitigation: Validate that the action was approved; investigate further and revert the changes if it was not.
MITRE Tactic: TA0005
MITRE Technique: T1562
Azure diagnostic setting deleted or disabled
Triggers on deletion of diagnostic settings, which can disrupt centralized logging and metrics in Azure.
Impact: Disruption of centralized logging and metrics in Azure.
Mitigation: Check the diagnostic setting and validate with the user to confirm the legitimacy of the removal.
MITRE Tactic: TA0005
MITRE Technique: T1562
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, etc.
Impact: If a permission is granted contrary to RBAC policy, it can lead to data misconfiguration.
Mitigation: Validate that the action was approved; investigate further and revert the changes if it was not.
MITRE Tactic: TA0005
MITRE Technique: T1562
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could indicate a malicious actor using those credentials.
Impact: Potential impacts include security and compliance risk, credentials in transit, and password exposure.
Mitigation: Validate that the action was approved; investigate further and revert the changes if it was not.
MITRE Tactic: TA0003
MITRE Technique: T1078
Users Added to Global or Device Admin Roles
Monitors and alerts when users are added to device admin roles.
Impact: An admin can perform many sensitive operations in the system; an adversary obtaining admin access is a worst-case scenario that should be avoided.
Mitigation: Validate that the action was approved; investigate further and revert the changes if it was not.
MITRE Tactic: TA0003
MITRE Technique: T1078
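To show what several of the alerts above amount to as detection logic, here is an added example (not Coralogix's extension code) that evaluates constructed Azure audit events against rules for the diagnostic-setting deletion, cluster admin credential listing, application credential addition, and admin role assignment alerts. The record shapes, the `operationName` and `activityDisplayName` values, and the role names are assumptions loosely modelled on Azure Activity Log and Entra ID audit log exports, not a Coralogix schema, and every sample event is constructed.

```python
"""Added example: minimal rule evaluation over constructed Azure audit events.
Field names, operation names, activity names and role names are assumptions
loosely modelled on Azure Activity Log / Entra ID audit log exports."""


def _actor(ev):
    """Best-effort actor extraction for the two assumed record shapes."""
    if ev.get("source") == "activity":
        return ev.get("caller", "<unknown>")
    return ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _succeeded(ev):
    # Failed attempts are skipped here; a production rule may track them separately.
    return str(ev.get("result", ev.get("status", ""))).lower() in ("success", "succeeded")


def _activity_op(ev, suffix):
    """Activity Log style record (assumed shape): match on the operationName suffix."""
    return ev.get("source") == "activity" and ev.get("operationName", "").lower().endswith(suffix.lower())


def _audit_activity(ev, name):
    """Entra ID audit log style record (assumed shape): match on activityDisplayName."""
    return ev.get("source") == "entra_audit" and ev.get("activityDisplayName") == name


ADMIN_ROLES = {"Global Administrator", "Cloud Device Administrator"}  # assumed role names


def _admin_role_added(ev):
    """True when a role-membership event targets one of the watched admin roles."""
    if not _audit_activity(ev, "Add member to role"):
        return False
    return any(t.get("type") == "Role" and t.get("displayName") in ADMIN_ROLES
               for t in ev.get("targetResources", []))


# (alert name, MITRE tactic, MITRE technique) as listed on this page, plus the predicate.
RULES = [
    ("Azure diagnostic setting deleted or disabled", "TA0005", "T1562",
     lambda ev: _activity_op(ev, "Microsoft.Insights/diagnosticSettings/delete")),
    ("Container Service Managed Cluster List Credential", "T1082", "T1562",
     lambda ev: _activity_op(ev, "/listClusterAdminCredential/action")),
    ("Added Credentials to Existing Application", "TA0003", "T1078",
     lambda ev: _audit_activity(ev, "Add service principal credentials")),
    ("Users Added to Global or Device Admin Roles", "TA0003", "T1078", _admin_role_added),
]


def detect(events):
    """Return one finding per (successful event, matching rule), in input order."""
    findings = []
    for ev in events:
        if not _succeeded(ev):
            continue
        for alert, tactic, technique, match in RULES:
            if match(ev):
                findings.append({"alert": alert, "actor": _actor(ev),
                                 "tactic": tactic, "technique": technique})
    return findings


# Constructed sample events; none of these come from a real tenant.
SAMPLE_EVENTS = [
    {"source": "activity", "operationName": "Microsoft.Insights/diagnosticSettings/delete",
     "caller": "ops-admin@example.com", "status": "Succeeded"},
    {"source": "activity",
     "operationName": "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action",
     "caller": "ci-runner@example.com", "status": "Succeeded"},
    {"source": "activity", "operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "reader@example.com", "status": "Succeeded"},  # benign read, matches no rule
    {"source": "entra_audit", "activityDisplayName": "Add service principal credentials",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "dev@example.com"}}},
    {"source": "entra_audit", "activityDisplayName": "Add service principal credentials",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "dev@example.com"}}},  # failed, skipped
    {"source": "entra_audit", "activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"type": "User", "displayName": "new.hire"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"source": "entra_audit", "activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"type": "User", "displayName": "new.hire"},
                         {"type": "Role", "displayName": "Helpdesk Administrator"}]},  # not a watched role
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['alert']}: actor={f['actor']} ({f['tactic']}/{f['technique']})")
```

Running the block prints four findings (diagnostic setting deletion, cluster admin credential listing, credential added to an application, and a Global Administrator assignment); the benign VM read, the failed credential addition and the Helpdesk Administrator assignment produce nothing. The actor field is what the mitigation text asks you to validate against: whether that identity was expected to make the change.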
Integration
Learn more about Coralogix's out-of-the-box integration with Azure Audit in our documentation.