
Quick Start Security for Azure Bastion Host


Coralogix Extension For Azure Bastion Host Includes:

Alerts - 4

Stay on top of Azure Bastion Host key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Suspicious Activity Detected in Azure Bastion Access Logs

Azure Bastion itself doesn't directly generate specific security alerts. However, because Azure Bastion is critical to providing secure remote access to Azure VMs, it's crucial to understand the potential impact of security issues and have mitigation strategies in place. This alert fires when unusual login patterns or failed authentication attempts are detected in the access logs of Azure Bastion.

Impact

Unauthorized Access: Suspicious activity could indicate unauthorized individuals attempting to gain access to Azure VMs through Azure Bastion.

Data Breach Risk: Successful unauthorized access could lead to data breaches, data theft, or data manipulation on Azure VMs.

Service Disruption: In worst-case scenarios, successful attacks could lead to service disruption or compromise the integrity of VMs hosted in Azure.

Mitigation

Review Access Logs: Regularly review access logs of Azure Bastion to identify any unusual activity or patterns.

Implement Multi-Factor Authentication (MFA): Enforce MFA for all users accessing Azure Bastion to add an extra layer of security.

Network Security Group (NSG) Monitoring: Monitor and review NSG rules associated with the Azure Bastion subnet to ensure only necessary traffic is allowed.

MITRE Tactic: T1035
MITRE Technique: T1562

Serial Console Access Was Enabled

Enabling serial console access on an Azure Bastion Host allows users to establish direct console connections to virtual machines (VMs) running in Azure using the serial console feature. This feature provides a low-level access method for troubleshooting and performing maintenance tasks on VMs when traditional network access methods are unavailable or not functioning properly.

Impact

The serial console does not require an instance to have any networking capabilities. With the serial console, an attacker can enter commands to an instance as if a keyboard and monitor were directly attached to the instance's serial port.

Mitigation

Make sure serial console access is provided only to authenticated and authorized users.

MITRE Tactic: TA0004
MITRE Technique: T1078

An Existing Route Was Replaced in VPC

This rule detects replacing an existing route within a route table in a VPC. Replacing an existing route in a Virtual Private Cloud (VPC) configuration typically involves modifying the routing table to redirect traffic destined for a specific network range or destination to a different network gateway or endpoint. In the context of Azure, this might involve modifying route tables associated with subnets or virtual networks where Azure Bastion Host is deployed.

Impact

An adversary may replace an existing route in order to impact the flow of network traffic in their target's cloud environment.

Mitigation

Investigate and verify that the configuration change was expected.

MITRE Tactic: TA0005
MITRE Technique: T1562

Network Packet Capture Was Detected

A network packet capture refers to the interception and recording of network traffic passing through a network interface. In the context of Azure Bastion, if a packet capture is detected, it indicates that someone may be attempting to eavesdrop on network communication between the client machine and the Azure Bastion Host.

Impact

Traffic Mirroring is an Azure VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic.

Mitigation

Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Traffic Mirroring from unfamiliar users or hosts should be investigated.

MITRE Tactic: TA0010
MITRE Technique: T1020


Learn more about Coralogix's out-of-the-box integration with Azure Bastion Host in our documentation.
