Our next-gen architecture is built to help you make sense of your ever-growing data. Watch a 4-min demo video!

Quick Start Security for Azure VM

Azure VM
Azure VM icon

Out-of-the-Box Security For Azure VM Includes:

Alerts - 14

Stay on top of Azure VM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

An attempt has been made to delete a locked machine

This alerts detects when a user tries to delete a virtual machine that is locked for deletion. Locks are Azure feature to prevent deletion of machines by admins. Impact An attempt to delete a locked machine should be inspected and validated as legitimate as it could be an attacker trying to delete legitimate resources. Mitigation Validate that the deletion attempt was authorized and intended, revert and further investigate if not. If this alert is followed by a successful deletion alert, pay close attention to the performing user and quickly validate it as it might mean an attacker has managed to circumvent the locking of the machine. MITRE Tactic: TA0005 MITRE Technique: T1578

A Virtual Machine was deleted

This alerts detects when an Azure Virtual Machine was deleted. Impact An attacker can delete VM's to harm the company or users can inadvertently delete required VM's. Therefore each deletion operation should be verified. Mitigation Validate that the VM deletion was authorized and intended, revert and further investigate if not. Give special attention to any bulk delete operations. MITRE Tactic: TA0003 MITRE Technique: T1531

A Virtual Machine Backup Was Deleted

This alerts detects deletion of a Azure Virtual Machine backup. Impact An attacker can delete VM backups to harm the company or users can inadvertently delete required backups. Therefore each deletion operation should be verified. Mitigation Validate that the backup deletion was authorized and intended, revert and further investigate if not. Give special attention to any bulk delete operations. MITRE Tactic: TA0003 MITRE Technique: T1531

A Public IP Was Associated with a VM

This alerts detects association of a Public IP with a virtual machine. Note that access to this machine from the internet is still dependent on the network security group configuration that the machine belongs to. Impact An attacker can associate a public IP address to a machine to make it accessible from the internet for exfiltrate data to a C2 server. Mitigation Validate that the association of the IP was authorized and intended, revert and further investigate if not. MITRE Tactic: TA0003 MITRE Technique: T1098

A Virtual Machine Password Has Been Reset

This alerts detects the reset of a virtual machine password for Windows or Linux through Azure console. Impact An attacker can change the password of a virtual machine either to gain access or to block the access. Mitigation Validate that the change was authorized and intended, revert and further investigate if not. MITRE Tactic: TA0001 MITRE Technique: T1078

More than 10 disks were deleted in 20 minutes

This alerts detects deletion of more than 10 disks under 20 minutes. Impact An attacker can delete disks to harm the company or users can inadvertently delete required disks. Therefore each deletion operation should be verified. Bulk deletion operations are highly suspicious and can greatly harm the organization. Mitigation Validate that the Bulk disk deletion was authorized and intended, revert and further investigate if not. MITRE Tactic: TA0005 MITRE Technique: T1578"

A disk has been deleted

This alert detects deletion of a disk. This alert triggers either on a direct disk deletion or a VM-attached disk deletion, check the log for specific details. Impact An attacker can delete a disk to harm the organization or to cover his tracks. Mitigation Validate that the deletion operation was authorized and intended, revert and further investigate if not. MITRE Tactic: TA0005 MITRE Technique: T1578

More than 10 Virtual Machines were deleted in 20 minutes

This alerts detects deletion of more than 10 virtual machines under 20 minutes. Impact An attacker can delete VM's to harm the company or users can inadvertently deleted needed VM's. Therefore each deletion operation should be verified. Bulk deletion operations are highly suspicious and can greatly harm the organization. Mitigation Validate that the Bulk VM deletion was authorized and intended, revert and further investigate if not. MITRE Tactic: TA0005 MITRE Technique: T1578

No logs from Azure VM

This rule detects if there are no logs in the last 4 hours for Azure VM in the customer account. Note- This alert should configured with relevant app & subsystem. Impact Disabling logging is a tactic that adversaries might employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations. Mitigation Address logging concerns to ensure comprehensive monitoring within the Coralogix SIEM system. MITRE Tactic: TA0005 MITRE Technique:T1562

Virtual Machine Re-Image

The "Virtual Machine Re-Image" use case involves monitoring and recording activities related to the re-imaging of virtual machines within a cloud infrastructure, such as Microsoft Azure or Amazon Web Services (AWS). Re-imaging refers to the process of restoring a virtual machine to a known state or deploying a new image to the virtual machine, often used for troubleshooting, updates, or system recovery. Impact Operational Impact Re-imaging a virtual machine results in a temporary loss of service during the process. Applications running on the VM may experience downtime, affecting operational continuity. Data Loss If not properly backed up or if re-imaging involves data deletion, there is a risk of data loss during the re-image process. Configuration Changes Re-imaging may lead to changes in the virtual machine's configuration and settings, potentially impacting network configurations, installed software, and other system-specific settings. Mitigation Validate that the VM Re-imaging was authorized and intended, revert and further investigate if not. Give special attention to image configuration changes and proper data backup taken before disk size changes. MITRE Tactic: TA0005 MITRE Technique: T1531

A Virtual Machine Was Turned off

This alerts detects when an Azure Virtual Machine was turned off. Impact An attacker can shut VM's to harm the company or users work operation that inadvertently required VM's. Therefore each poweroff operation should be verified. Mitigation Validate that the VM thats turned off was authorized and intended, revert and further investigate if not. Give special attention to any bulk delete operations. MITRE Tactic: TA0003 MITRE Technique: T1531

Virtual Machine Scale Set Extension Configuration

This use case involves monitoring changes to the configuration of extensions in a Virtual Machine Scale Set (VMSS). Extensions in Azure VMSS are used to install and configure software on virtual machines, and unauthorized or unintended modifications to these configurations can have security and operational implications. Impact Unauthorized changes to VMSS extension configurations can lead to a variety of impacts, including: Security Risks Operational Disruptions Compliance Violations Mitigation To mitigate the risks associated with VMSS extension configuration modifications, consider implementing the following measures: Role-Based Access Control (RBAC) Monitoring and Alerts MITRE Tactic: T1070 MITRE Technique:T1562

Deallocation of Resources

- The Deallocation Audit Trail use case involves the creation and maintenance of an audit log to track and record deallocation activities within a system or application. Deallocation refers to the release or removal of resources, such as memory, licenses, or any other allocated assets, and it is crucial to maintain a comprehensive record of these actions for accountability, security, and compliance purposes. Impact - A user can deallocate licenses upto a assigned limit but Unauthorised deallocation or if System detected an anomalous deallocation pattern consistent then it is a major security threat on User , System & organisation. Mitigation - To mitigate the potential negative impacts associated with the deallocation audit trail, following startegies and best practices can be implemented such as - Optimize Logging Levels Regular Log Rotation and Purging Regulatory Compliance Alignment Anonymization and Redaction MITRE Tactic: T1070 MITRE Technique:T1562

Deletion Activity of Resources

Deletion activities may involve the removal of files, records, configurations, or any other data elements. It is crucial to maintain a comprehensive record of these delete operations for accountability, security, compliance, and data recovery purposes. Impact An adversary can delete files, records, configurations, or any other data elements to harm or evade detection. Bulk deletion operations (many consecutive group deletion alert) should be especially inspected. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531

Documentation

Learn more about Coralogix's out-of-the-box integration with Azure VM in our documentation.

Read More
Schedule Demo