To achieve a high level of security in a public cloud environment, you need to protect the individual resources you deploy, but you also need to monitor the service that deploys and manages those resources. In the Microsoft public cloud, that deployment and management service is Azure Resource Manager, a crucial service connected to every Azure resource and therefore a potential and attractive target for attackers. Microsoft, aware of this, recently announced Azure Defender for Resource Manager. This article describes the features of this solution, which performs an advanced security analysis in order to detect potential threats and alert you to suspicious activity affecting Azure Resource Manager.
In Azure Defender there are protections designed specifically for individual Azure services, such as Azure SQL DB, Azure Storage and Azure VMs, and protections that span the components shared by many Azure resources. These include Azure Defender for Azure Network and Azure Defender for Key Vault; the availability of Azure Defender for Azure DNS and Azure Defender for Azure Resource Manager was also announced recently. These tools give you an additional level of protection and control in your Azure environment.
Azure Resource Manager provides the management layer that lets you create, update and delete resources in the Azure environment. It also provides specific features for the governance of the Azure environment, such as access control, locks and tags, that help protect and organize resources after they are deployed.
Azure Defender for Resource Manager automatically monitors the organization's Azure resource management operations, regardless of whether they are performed through the Azure portal, the Azure REST APIs, the command-line interface or other Azure programming clients.
To activate this type of protection, simply enable the specific Azure Defender plan in the Azure Security Center settings:
Azure Defender for Resource Manager provides protection against the following conditions:
- Resource management operations classified as suspicious, such as operations from suspicious IP addresses, disabling the antimalware component, and suspicious scripts executed through VM extensions.
- Use of exploitation toolkits such as MicroBurst or PowerZure.
- Lateral movement from the Azure management layer to the data plane of Azure resources.
A complete list of the alerts that Azure Defender for Resource Manager is able to generate can be found in this Microsoft document.
Security alerts generated by Azure Defender for Resource Manager are based on potential threats detected by monitoring Azure Resource Manager operations through the following sources:
- Azure Activity Log, the Azure platform log that provides information about subscription-level events.
- Azure Resource Manager internal logs, which are not accessible to customers but only to Microsoft personnel.
To obtain a better and more in-depth investigation experience, it is advisable to ingest the Azure Activity Log into Azure Sentinel, following the steps in this Microsoft document.
When an attack on the Azure Resource Manager layer is simulated with the PowerZure exploitation toolkit, Azure Defender for Resource Manager generates a high-severity alert, as shown in the following image:
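The bullet list above names the conditions Azure Defender for Resource Manager watches for, and the Azure Activity Log is the one of its two sources you can read yourself. The following script is an added example, not code from this article or from Microsoft (Azure Defender's own detection logic is not published): it applies rules of the same kind to Activity Log records once they have been exported, for instance to Azure Sentinel. It assumes the field names of the Azure Activity Log event schema (`operationName.value`, `caller`, `httpRequest.clientIpAddress`, `status.value`, `resourceId`); the expected admin IP range, the extension name fragments used to recognise the antimalware and custom-script extensions, the subscription id, callers and every sample record are constructed for the example.

```python
"""
Triage of Azure Activity Log records for the kinds of management-plane activity the
article lists (suspicious source IP, antimalware extension removed, script execution
through VM extensions, and management-plane operations that hand out data-plane
credentials). Added example; field names follow the Activity Log event schema and
every record, range, caller and resource id below is constructed.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import asdict, dataclass

# Assumption: management traffic is only expected from these ranges (TEST-NET-3 placeholder).
EXPECTED_ADMIN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Resource Manager operation names, lower-cased for comparison.
EXTENSION_WRITE = "microsoft.compute/virtualmachines/extensions/write"
EXTENSION_DELETE = "microsoft.compute/virtualmachines/extensions/delete"
RUN_COMMAND = "microsoft.compute/virtualmachines/runcommand/action"
# Management-plane operations whose result is a data-plane credential: the step from the
# management layer to the data plane that the article calls lateral movement.
DATA_PLANE_CREDENTIAL_OPS = {"microsoft.storage/storageaccounts/listkeys/action"}
# Assumption: fragments of the extension resource names for Microsoft Antimalware and Custom Script.
ANTIMALWARE_MARKER = "iaasantimalware"
SCRIPT_EXTENSION_MARKER = "customscript"


@dataclass(frozen=True)
class Finding:
    rule: str
    caller: str
    operation: str
    resource_id: str
    client_ip: str


def ip_is_expected(ip: str) -> bool:
    """True only for a parseable address inside one of the expected admin ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable or missing address is never trusted
    return any(addr in net for net in EXPECTED_ADMIN_RANGES)


def triage_event(event: dict) -> list[Finding]:
    """Apply the rules to one Activity Log record; failed operations are ignored."""
    if event.get("status", {}).get("value") != "Succeeded":
        return []
    op = event.get("operationName", {}).get("value", "").lower()
    resource_id = event.get("resourceId", "")
    client_ip = event.get("httpRequest", {}).get("clientIpAddress", "")
    caller = event.get("caller", "")
    findings: list[Finding] = []

    def add(rule: str) -> None:
        findings.append(Finding(rule, caller, op, resource_id, client_ip))

    if not ip_is_expected(client_ip):
        add("management operation from unexpected client IP")
    if op in (EXTENSION_WRITE, EXTENSION_DELETE) and ANTIMALWARE_MARKER in resource_id.lower():
        add("antimalware extension modified or removed")
    if op == RUN_COMMAND or (op == EXTENSION_WRITE and SCRIPT_EXTENSION_MARKER in resource_id.lower()):
        add("script execution through VM extension or run command")
    if op in DATA_PLANE_CREDENTIAL_OPS:
        add("data-plane credential obtained through the management plane")
    return findings


def triage(events: list[dict]) -> list[Finding]:
    """Run every record through the rules and flatten the findings."""
    return [f for e in events for f in triage_event(e)]


# Constructed records in Activity Log event-schema shape (placeholder subscription id).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"


def _event(op: str, resource_id: str, ip: str, status: str = "Succeeded",
           caller: str = "admin@example.com") -> dict:
    return {"operationName": {"value": op}, "resourceId": resource_id, "caller": caller,
            "httpRequest": {"clientIpAddress": ip}, "status": {"value": status},
            "category": {"value": "Administrative"}}


SAMPLE_EVENTS = [
    # 1. Routine agent install from an expected address: no finding.
    _event("Microsoft.Compute/virtualMachines/extensions/write",
           f"{SUB}/Microsoft.Compute/virtualMachines/vm01/extensions/MonitoringAgent", "203.0.113.10"),
    # 2. Run Command from outside the expected ranges: unexpected IP plus script execution.
    _event("Microsoft.Compute/virtualMachines/runCommand/action",
           f"{SUB}/Microsoft.Compute/virtualMachines/vm01", "198.51.100.7", caller="svc-deploy@example.com"),
    # 3. Antimalware extension removed from an expected address: one finding.
    _event("Microsoft.Compute/virtualMachines/extensions/delete",
           f"{SUB}/Microsoft.Compute/virtualMachines/vm01/extensions/IaaSAntimalware", "203.0.113.10"),
    # 4. Failed key listing: ignored, the rules only consider successful operations.
    _event("Microsoft.Storage/storageAccounts/listKeys/action",
           f"{SUB}/Microsoft.Storage/storageAccounts/stdemo", "198.51.100.7", status="Failed"),
    # 5. Successful key listing from the unexpected address: unexpected IP plus credential access.
    _event("Microsoft.Storage/storageAccounts/listKeys/action",
           f"{SUB}/Microsoft.Storage/storageAccounts/stdemo", "198.51.100.7"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(asdict(finding)))
```

The rules deliberately skip failed operations and treat an unparseable client address as untrusted; in a real pipeline the allow list would come from your organization's known egress ranges, and each finding would be correlated with the alert Azure Defender raised for the same operation rather than acted on alone.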
For such an alert you can also receive a notification by setting up an appropriate action group in Azure Monitor. Furthermore, if the integration between Azure Security Center and Azure Sentinel has been activated, the same alert also appears in Azure Sentinel, with the information needed to start the investigation process and respond promptly to a problem of this type.
Protecting resources effectively in the Azure environment also means adopting the appropriate tools to deal with potential attacks that exploit the deployment and management mechanisms of the resources themselves. With the new Azure Defender for Resource Manager, effective protection is available fully integrated into the Azure platform, without having to install specific software or enable additional agents.