Section 4: Microsoft Ecosystem Flashcards

1
Q

Which MITRE ATT&CK technique’s goal is to exfiltrate sensitive information from emails hosted in cloud platforms, such as Microsoft 365 or Google Workspace?

Email Forwarding Rule

Remote Email Collection

Local Email Collection

Remote Data Collection

A

MITRE ATT&CK technique T1114.002 (Remote Email Collection) has only one goal: to exfiltrate data from the victim’s environment to an attacker-controlled system residing outside the victim’s environment. Remote Email Collection is specifically targeting the mail infrastructure, while Local Email Collection focuses on client-side systems, such as stealing an Outlook .PST or .OST file. Book 4 Page 9

2
Q

Which component of the Microsoft Defender for Cloud identifies deviations from security best practices, benchmark guidance, and compliance regulations?

Microsoft Threat Intelligence

Cloud Workload Protection

Azure Log Analytics

Cloud Security Posture Management

A

Microsoft claims that Microsoft Defender for Cloud enhances your security using two different techniques: acting as a Cloud Security Posture Management (CSPM) solution and as a Cloud Workload Protection (CWP) platform. CSPMs, as the name implies, are tasked with identifying deviations from security best practices, benchmark guidance, and compliance regulations. Microsoft Defender for Cloud meets this mark by offering an automated and frequent analysis of several common policies. Book 4 Page 12

3
Q

In the AzureNetworkAnalytics_CL table in Azure Log Analytics workspaces, which field shows the internet-routable address of the connection recipient?

DestPublicIP_s

SrcPublicIP_s

SrcIP_s

DestIP_s

A

DestPublicIP_s/SrcPublicIP_s: Depending on whether the requestor (SrcPublicIP_s) or a responder (DestPublicIP_s) of a flow contains a public IP address, this column will show that internet-routable address.

Complete list of useful fields: Book 4 Page 124

4
Q

What is a key question to answer when determining what is known normal in Entra ID?

How many users are members of the Domain Administrators and Enterprise Administrators AD groups?

How many Entra ID Domain Controllers should be provisioned?

What is the naming convention and structure of Organizational Units?

Are guest users or external identities in use and are they approved?

A

Knowing what to expect in the Entra ID deployment you are tasked to protect is paramount. Some of the more important questions to answer related to Entra ID are as follows:

1. Are guest users or external identities in use and are they approved?
2. What users are currently in Entra ID?
3. Which groups are in use and who are members of these groups?
4. Which roles are assigned and to whom?

Book 4 Page 58

5
Q

What conclusion can be made about a guest Entra ID User account with the following User Principal Name?

janedoe79_protonmail.com#EXT#@sec541.onmicrosoft.com

The user account is a member of the sec541.onmicrosoft.com Azure account.

The user has extended attributes populated (based on the #EXT# tag).

The user is the Azure account owner.

A user from the sec541.onmicrosoft.com Azure account has invited them.

A

#EXT# identifies that this account is an external account. The user type for this user account is Guest, which means that someone invited the external user to the Azure environment. Book 4 Page 59

6
Q

Which Azure Log Analytics workspaces table would contain an audit trail of sign-ins performed by a client application or OS component on behalf of a user?

ApplicationLogs
AADNonInteractiveUserSignInLogs
AuditLogs
AADManagedIdentitySignInLogs

A

The AADNonInteractiveUserSignInLogs table would be most helpful to investigate a type of interaction where a user is leveraging some sort of client application or operating system component to interact with the Azure environment. Book 4 Page 75

7
Q

How long are the logs stored and viewable in the Entra ID service?

Twenty-four hours
Seven days
One month
Twelve months

A

Entra ID logs are only stored and viewable in the Entra ID service for one month. Book 4 Page 66

8
Q

A compliance analyst needs to review the Microsoft 365 Compliance Admin Center log data. How can the analyst programmatically retrieve the log data from outside the time that it would be available within the Compliance Admin Center?

Use the Office365ComplianceAnalyzer tool.
Use the Get-ComplianceLog PowerShell cmdlet.
Use the Search-UnifiedAuditLog PowerShell cmdlet.
A programmatic option is not available.

A

To programmatically access these data outside of the graphical user interface that is the Compliance Admin Center, a PowerShell cmdlet is available to retrieve and query the audit log called Search-UnifiedAuditLog. Book 4 Page 45

The Compliance Admin is used primarily for meeting the compliance needs of an organization. Normally, most data in Microsoft 365 related to user activity or detected threats are short lived. Thirty to ninety days is a pretty typical lifespan for these data. With auditing, you have the power to retain this trail of events for the following intervals: ninety days, six months, nine months, one year, or ten years.

9
Q

What important characteristic of Microsoft 365 admin centers must be understood when securing Microsoft 365 SaaS?

Simplified, built-in, out-of-the-box detection strategies can be implemented.
A wide range of attributes can be fully customized.
There is only one admin center per customer’s instance.
Capabilities within the admin centers are limited.

A

There are a large number of admin centers in Microsoft 365. They are used to manage multiple service components at once or individual components. Capabilities within these admin centers are limited, with little, if any, customization. Customizations, when available, are quite rigid. The options presented to the end users are not as fully featured as what is available in Microsoft Azure. In fact, some of the detection strategies require the end user to get creative in their approach by querying the Microsoft Graph service directly to gain more insight into the Microsoft 365 resources.

Book 4 Page 39

10
Q

Which detection feature of the Microsoft Exchange Admin Center can provide early warning of suspicious activity, such as slow transport rules, mail loops, or new forwarding rules?

Mail flow
Spam filtering
Mail health-check
Message traces

A

The following detections are available in the Exchange Admin Center, via user- and Microsoft-generated policies:

Mail flow – Can be used to discover mail loops, slow transport rules, and new forwarding rules. Security team can be notified via email of suspicious activity.
Spam filtering – Discover likely spam messages. Places message into quarantine. Can also be used to detect potential phishing from cousin domains.
Message traces – Query for email based on sender and receiver addresses. Book 4 Page 40

11
Q

An attacker would like to use the local agents on cloud virtual machines to execute script content; which of the following resource provider operations would they require?

Microsoft.Compute/VirtualMachines/RunCommand/Action
Microsoft.ClassicCompute/virtualMachines/start/action
Microsoft.ClassicCompute/virtualMachines/restart/action
Microsoft.Compute/virtualMachines/login/action

A

The Microsoft.Compute/VirtualMachines/RunCommand/Action resource provider operation is required to utilize the feature to run commands in the virtual machine using run commands. This operation grants the necessary permissions to execute commands on the VM via the installed agent. Attackers who obtain these permissions can exploit this feature to run malicious scripts or commands, gaining control over the VM without needing direct network access to it.

Book 4 Page 85

12
Q

What is the next step after a storage location has been chosen when configuring DLP policies using the Microsoft 365 Compliance Admin Center?

Identify data to be protected.
Create rule conditions and actions.
Name and describe the policy.
Enable, test, or disable the policy.

A

Data Loss Prevention (DLP) is a great feature to prevent and detect malicious use of organization data within the Microsoft 365 services. This needs to be set up by the end users and can be done by using DLP policies. To create these policies, there are a few steps that the Microsoft 365 Compliance admin center will walk through:

Step 1: Identify the types of data to be protected.
Step 2: Name and describe the policy so that viewers can make sense of the policy and why it would have triggered a violation.
Step 3: Choose which of the available storage locations the policy pertains to.
Step 4: Create specific rule conditions (when to trigger) and actions (what to do when triggered).
Step 5: Enable, test, or disable the policy. Book 4 Page 46

13
Q

An analyst is looking to identify if a new Azure account was added as a persistence mechanism. Which of the following logs should they search for the “add user” operation?

AuditLogs
Azure Resource logs
Sign-in logs
Application logs

A

To identify the user creation persistence technique, you will need to craft two queries: one to find evidence of a new user creation event and one for that user being assigned either a role or, in this case, to a group. Both queries will leverage the AuditLogs table in log analytics which has been fed event data from Entra ID. Book 4 Page 81

14
Q

How can an analyst identify a C2 channel that utilizes a valid protocol using the protocol’s common port in Azure?

Detection is impossible, since Azure does not allow for a full packet capture.
Detection is automatically provided with an appropriate subscription of Microsoft Threat Analytics.
Detection will require AI connector consuming NSG flow logs data.
Detection will require packet capture and payload inspection network monitoring tools.

A

Attackers may use common ports, protocols, and even the matching application for that port/protocol pair to perform C2 of victim systems.

Prevention and mitigation efforts are much trickier here as these ports, protocols, and applications are likely used in the victim environment, and filtering of this outbound traffic is extremely difficult without some help from some network-based security appliances. A full packet capture and payload inspection will be required to detect such a C2 channel. Book 4 Page 132

15
Q

Which of the following is a term used for domains that are similar to legitimate domains and are often used in phishing campaigns?

Twin domains
Command and control domains
Phish domains
Cousin domains

A

Oftentimes, targeted phishing attacks may try to lure an unsuspecting user to click on a link. This link may look very similar to a legitimate link, but could be controlled by the attacker or, at the very least, contain malicious content that the attacker would like to leverage against this victim. These look-alike domains are known as cousin domains.

Book 4 Page 42

16
Q

Once Microsoft 365 Defender is enabled, which component will allow an analyst to scan email for content of interest?

Explorer
Endpoints
Analytics
Auditing

A

Microsoft 365 Defender contains a massive amount of defensive capabilities but does not automatically come with all Microsoft 365 subscriptions. Once Microsoft 365 Defender is enabled, some of the capabilities offered are redundant; but many more capabilities are now rolled into this one service, saving analysts from clumsily moving from one admin center to another:

Explorer: A new feature that can scan email for content of interest
Attack simulation training: Sends benign phishing emails to internal users
Incidents and alerts: Roll-up of all identified suspicious activity
Hunting: Manually search for data or activity of interest; also allows for custom detection rules
Threat analytics: Microsoft-provided analytics to identify malice
Endpoints: Perform inventory, vulnerability management, and configuration management of users’ devices
Auditing: The compliance admin center

Book 4 Page 47

17
Q

Which of the following threat intelligence indicators can be created in Microsoft Sentinel?

Logon
File
Resource
Password

A

The supported indicators you can create in Microsoft Sentinel are:

  • file: A hash of a suspicious or malicious file used during an attack. This would be a great indicator to see whether systems or cloud resources other than the presumed infected system also contain this file.
  • domain-name: A known domain name used during attack campaigns. An example is a stage 2 malware download URL.
  • ipv4-addr: An IP version 4 address. This indicator can be used to find other communication to an attacker discovered during an investigation. Perhaps the attacker was communicating elsewhere in the Azure ecosystem.
  • ipv6-addr: This indicator is identical to ipv4-addr, but, of course, IP version 6.
  • url: A Uniform Resource Locator (URL). This could be a known malware download site, data exfiltration location, or other internet-based system adversaries use to communicate with victim systems.

Book 4 Page 28

18
Q

Which Analytics rule in Microsoft Sentinel runs once every minute and captures events ingested in the preceding minute?

Microsoft security rules
Scheduled rules
Near-real-time rules
Default rules

A

  • Scheduled rules to generate an alert and/or incident
  • Microsoft security rules pull in alerts from other Microsoft products to generate an incident.
  • Near-real-time (NRT) rules running once per minute

Book 4 Page 21

19
Q

What is the primary risk mitigation strategy for C2 channels that utilizes an uncommon port in Azure?

Reviewing flow data
Leveraging host-based intrusion detection suites
Inspecting the traffic content
Restricting internet-bound traffic to approved ports and protocols

A

Primary mitigation is to restrict the Azure NSG to only allow approved outbound ports and protocols to known hosts. This is necessary as Azure’s default NSG configuration allows unrestricted outbound traffic.

Book 4 Page 128

20
Q

What would an analyst be looking for when they execute the following Azure CLI command?

az storage container list --account-name $storageAcctName --query "[?[].properties.publicAccess=='blob|container']"

Azure blob storage containers that are not configured as private
Azure blob storage containers that are present in the given storage account
Azure blob storage containers that are responsible for the highest monetary cost
Azure blob storage containers that have public access disabled

A

The Azure CLI command in the question searches the $storageAcctName storage for containers with public access property set to Blobs or Containers. Blobs and Containers are publicly accessible. Therefore, the command is identifying blob storage containers not configured as private.

There are three options in Azure blob storage in the Azure Storage service to set the container’s public access level to. The first option, and the default in Azure, is Private, which means only Entra ID users with proper rights can access the container and its stored data. The second option, Blob, on the other hand, allows users, both inside and outside of Azure, the ability to access the blob data. Lastly, and exposing the most to the public, is Container. This option allows for not only reading the blob data, but also listing the container’s contents.

A way to efficiently identify publicly accessible Azure Storage containers and blobs is to leverage the tools provided by Azure: the Azure PowerShell Get-AzStorageContainer cmdlet and the Azure CLI tool’s az storage container list command. Book 4 Page 98

21
Q

What is an important consideration before Azure Detection Services, such as MS Defender for Cloud, can be leveraged?

The appropriate log data must be sent to the Azure Elastic Search workspaces.
All log data must be sent to the Azure Log Sail Service.
The appropriate log data must be sent to the Azure Log Analytics workspaces.
Azure Detection Services automatically consume the appropriate log data.

A

Azure provides built-in threat detection and alerting services such as Microsoft Defender for Cloud and Microsoft Sentinel. Both capabilities require adequate log data stored in an Azure Log Analytics workspace. Examples of such log data include:

  • Azure management activity
  • Azure services’ diagnostic logs
  • Virtual Machine logs

Book 4 Page 11

22
Q

Which Azure Log Analytics workspaces table would contain an audit trail of sign-ins performed by a client application or OS component on behalf of a user?

AADNonInteractiveUserSignInLogs
ApplicationLogs
AuditLogs
AADManagedIdentitySignInLogs

A

If the log data are exported to Azure Log Analytics workspaces, there will be several tables generated as the log data arrive. Some common tables that are generated include:

The AADNonInteractiveUserSignInLogs table would be most helpful to investigate a type of interaction where a user is leveraging some sort of client application or operating system component to interact with the Azure environment.

The AADManagedIdentitySignInLogs can be very useful if monitoring or investigating where Azure service components (like an Azure Virtual Machine) are leveraging either a user-assigned or system-assigned managed identity.

The AuditLogs table will capture activity log–like data related to the Entra ID service. If strange configurations, users, groups, or other resources are noticed in Entra ID, a record of this activity and context around the interaction can be viewed in this table.

The SignInLogs table can be very valuable if determining when, how, and from where users are signing into the Azure environment.

Book 4 Page 75

24
Q

What minimum access is required to use the serial console of a virtual machine in Azure Cloud?

Tenant global admin
Cloud account
None
Local account

A

If enabled for the VM, attackers could access the console of the VM. This requires a local account with credentials that the attacker knows or can guess.

Book 4 Page 87

25
Q

Which MITRE ATT&CK technique exploits a stolen item that can be leveraged to compromise a cloud instance by accessing the cloud Application Programming Interface (API)?

Credentials Acquisition
API Access Rights
MFA Bypass
Application Access Token

A

MITRE ATT&CK technique T1550.001 (Application Access Token) assumes that the attacker acquires some sort of token that, when sent along with an Application Programming Interface (API) request to the cloud provider, allows the action to take place, provided the account with which the token is associated has the proper rights.

Book 4 Page 5
27
Q

What Azure service offers automated suspicious activity identification using machine learning techniques?

Dynamic Identification of Suspicious Actions (DISA)
User and Entity Behavior Analytics (UEBA)
Unusual Activity Detection Analytics (UADA)
Account Analytics of User Behaviors (AAUB)

A

Not all threats can be identified using atomic indicators. For example, behaviors of users or cloud resources can be monitored to identify suspicious actions. This requires comparing each action against a normal action. User and entity behavior analytics (UEBA) technologies automate suspicious activity identification using machine learning techniques.

Book 4 Page 29
28
Q

Where are the Network Security Group (NSG) flow data located in Azure Storage?

In the PT1H table located within the Azure Log Analytics workspaces
In the NGSFlows table located within the Azure Log Analytics workspaces
In a PT1H.json file located within the directory structure of a custom-named insight-logs- Azure Storage container
In a PT1H.json file located within the directory structure of a custom-named insight-logs- Azure Storage container

A

Azure's Network Watcher service provides the option to capture Network Security Group (NSG) flow data. These data can be output to two different locations: an Azure Storage container and/or an Azure Log Analytics workspace. When the Azure Storage container is used, an Azure Storage container is created. The name of that container will automatically be created as soon as the NSG flow configuration is set. This storage container name is not customizable. The directory of this Azure Storage container contains a deeply nested sub-folder structure that begins with the folder resourceid= and has many subfolders until you arrive at the actual flow data. These subfolders include the SUBSCRIPTIONS, subscription ID of the Azure account, RESOURCEGROUPS, resource group name, which contains the NSG, PROVIDERS, MICROSOFT.NETWORK, NETWORKSECURITYGROUPS, the name of the NSG, a breakdown of the time of the flow record (year, month, day, hour, and minute), and the MAC address of the cloud resource creating the flow data. Finally, you will arrive at a JSON-formatted file named PT1H.json containing one or more flow records for the given time.

Book 4 Page 116
29
Q

When leveraging Microsoft Defender for Cloud, what step must be taken to identify known adversarial TTPs against Azure Virtual Machines, such as the SSH brute-force alert?

The Logons plan must be enabled.
The Containers plan must be enabled.
The Servers plan must be enabled.
The Storage plan must be enabled.

A

To take advantage of the Microsoft Defender for Cloud Security Alerts feature in Azure, the appropriate plan must be enabled. Different plans include different attackers' behaviors. One of the plans is the Servers plan, which allows Azure VMs to send their feed to the Defender for Cloud platform; one of the predefined rules is the SSH brute-force alert.

Book 4 Page 14
32
Q

What can be inferred when the Creation Time and the Last Modified time are different in an Azure blob storage container that is specifically used to keep historical log data?

The historical log entries are indexed by the Azure Cognitive Search service and the Last Modified time reflects the latest indexing activity.
A backup job has successfully completed and the Last Modified time reflects the latest backup timestamp.
A backup job has failed and the Last Modified time is used to identify which files failed to back up.
An attacker may be attempting to cover their tracks by modifying the historical log entries.

A

Azure generates metadata for blobs uploaded to the container. These data are retrievable using both the Azure Portal and the Azure CLI. When historical log data are stored in an Azure Storage container, these data, being log data, are not expected to have changed. That is unless, perhaps, a mistake has been made by an administrator. Even worse, what if a malicious user is trying to cover their tracks by manipulating the records? The metadata field of Creation Time would allow you to catch either one of these by indicating the changes. In fact, being log data, if the Creation Time and Last Modified entries were different, that would show an alteration to the data.

Book 4 Page 95
33
Q

What should be kept in mind when configuring Azure SQL Database Auditing?

Database-level auditing will override server-level auditing.
Server-level auditing results in specific database configuration to be audited.
Server-level auditing will override database-level auditing.
Database configurations have a dedicated log table called AzureSQLSecurityLogs.

A

By default, there is little insight into the happenings of the Azure SQL database other than some metric data. More insight can be gained by enabling auditing in either the Azure SQL server or Azure SQL database configuration, referred to as server-level and database-level auditing. Server-level auditing will override database-level auditing. Server-level logging is configured in the Azure SQL server configuration. When implemented, all databases, regardless of their individual auditing settings, will begin auditing all their interactions, the most important being the queries issued to the database. If server-level auditing is not possible, there is another option referred to as database-level auditing that allows you to audit the databases of your choosing. This is performed by configuring the auditing settings of each of the appropriate Azure SQL databases.

Book 4 Page 109
37
Which role assignments scope can be leveraged to apply permissions directly to a single Azure resource using Azure RBAC?

Entra ID

Resource

Resource Group

Classic Subscription Admin

## Footnote 9b49a401-73c7-4840-b3be-540cffb48559
Resource roles can be leveraged to apply permissions directly to a single Azure resource. With the classic subscription admin role, an administrator can directly apply permissions that affect all resources deployed within the Azure subscription. A resource group is where one or more Azure resources are placed during deployment; resource group roles, as you could likely guess, control access to all resources within that resource group.

## Footnote Book 4 Page 60
38
In the AzureNetworkAnalytics_CL table in Azure Log Analytics workspaces, which field shows the internet-routable address of the connection recipient?

SrcPublicIP_s

SrcIP_s

DestPublicIP_s

DestIP_s

## Footnote ec0df75b-270a-4e4c-8e73-9db049a6bd55
The data stored in the AzureNetworkAnalytics_CL table in Azure Log Analytics workspaces has many available fields. In certain respects, all columns can be valuable. But in the event of a breach or when performing analysis of a suspicious flow, the following will likely be the most valuable:

* DestPort_d: This column contains the recipient's listening TCP or UDP port.
* !!DestPublicIP_s/SrcPublicIP_s: Depending on whether the requestor (SrcPublicIP_s) or a responder (DestPublicIP_s) of a flow contains a public IP address, this column will show that internet-routable address.!!
* SrcIP_s/DestIP_s: This column contains the source IP address (SrcIP_s) or destination IP address (DestIP_s) of the Azure virtual machine (VM) involved in the flow — depending on which side of the communication the VM is part.
* InboundPackets_d/OutboundPackets_d: These columns show the number of packets in the specified direction of the flow.
* InboundBytes_d/OutboundBytes_d: These columns show the number of bytes in the specified direction of the flow.
* FlowDirection_s: If looking for an inbound flow (I) or outbound flow (O), this column proves useful.
* FlowStatus_s: This column displays whether the flow was allowed by the Azure NSG (A) or denied (D).
* L4Protocol_s: The transport layer protocol used in the flow is specified in this column. T specifies TCP; U stands for UDP.
* VM_s: This column includes both the resource group and VM name involved in the flow.

## Footnote Book 4 Page 124
39
When investigating the source of SQLmap attacks against an Azure SQL server that has a web application front-end, where can an analyst locate details on the source?

Azure SQL database log client_ip_s column cross-checked against the web server's access.log

Dips and valleys in the Data Transaction Units

Azure SQL database log x_forwarded_for column only, as it stores the attacker's IP

The User_Agent field in the AzureDiagnostics table

## Footnote 135bed84-4e4f-4531-8503-eedfa9165330
When SQLmap is being used, it is very likely to be noticed if you are paying attention to the log data. This is because the tool is quite noisy — meaning hundreds or thousands of requests are sent to the web server while it is being analyzed or exploited. Not only are the requests numerous, but they also tend to be quite large. Because of this, the web server will be sending very large database queries to the database, which are likely much larger than the legitimate requests it normally receives. Azure SQL database logs contain the client_ip_s column. This field holds the address of the web server making the request, not the attacker's. As such, a cross-check and correlation against the web server access logs is necessary.

## Footnote Book 4 Page 112