azure:az-500:security_operations_management

Differences

This shows you the differences between two versions of the page.

azure:az-500:security_operations_management [2022/06/24 14:07] – [Diagnostic Logs vs. Activity Logs] mmuze
azure:az-500:security_operations_management [2022/07/23 00:37] (current) – [Microsoft Defender for Cloud] mmuze
Line 19: Line 19:
   * Evaluate alerts and incidents in Microsoft Sentinel   * Evaluate alerts and incidents in Microsoft Sentinel
  
-====== Azure Monitor ====== +====== Azure Policy ====== 
-**Azure Monitor** is a service that delivers a comprehensive solution for collecting, analyzing, and acting on telemetry (metrics and logs) from your cloud and on-premises environments. + 
 + 
 +====== Azure Monitor/Logging ====== 
 +**Azure Monitor** is a service that delivers a comprehensive solution for collecting, analyzing, and acting on telemetry (metrics and logs) from your cloud and on-premises environments
 + 
 +  * [[https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview]] 
 + 
 +  * By default the Activity Log keeps logs for 90 days.
  
 {{:azure:az-500:azure-monitor-overview.png|?800}} {{:azure:az-500:azure-monitor-overview.png|?800}}
  
  
-  * **Metrics** are numeric values collected at regular intervals (e.g. CPU utilization)+  * **Metrics** are numeric values collected at regular intervals (e.g. CPU utilization, disk IOPS, network connections, etc.)
     * Metrics are produced automatically without any configuration done by the user     * Metrics are produced automatically without any configuration done by the user
   * **Logs** are textual data that are produced organically as things occur in the environment (e.g. user login event)   * **Logs** are textual data that are produced organically as things occur in the environment (e.g. user login event)
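Review bot: the new `====== Azure Policy ======` heading (first `+` line of this hunk) is added with no body, so the page now renders an empty section between the intro bullets and Azure Monitor/Logging; either fill it in or hold the heading back until there is content for it. Two smaller points in the same hunk: the rewritten Azure Monitor definition line dropped the trailing period the removed line had, and the `By default the Activity Log keeps logs for 90 days.` bullet is separated from the link bullet above it by a blank line, which splits one list into two.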
Line 31: Line 38:
   * Most Azure resources have an option to enable **Diagnostic Logs**   * Most Azure resources have an option to enable **Diagnostic Logs**
   * **Azure Monitoring Agent (AMA)** is an agent that runs on Windows or Linux OS that can collect logs and metrics.   * **Azure Monitoring Agent (AMA)** is an agent that runs on Windows or Linux OS that can collect logs and metrics.
 +  * Some logs are automatically generated by resources by default, but for more details logging it maybe necessary to enabled diagnostics logs for a resource, or, in the case of VMs, install an agent on the OS.
  
  
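Review bot: the added bullet has several typos that garble its meaning: `for more details logging it maybe necessary to enabled diagnostics logs` should read `for more detailed logging it may be necessary to enable diagnostic logs`, and the term should match the bolded **Diagnostic Logs** used two bullets earlier in the same list.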
Line 38: Line 46:
 > These logs differ from the activity log. The **activity log** provides insight into the operations, such as creating a VM or deleting a logic app, that Azure Resource Manager performed on resources in your subscription using. The activity log is a subscription-level log. Resource-level **diagnostic logs** provide insight into operations that were performed within that resource itself, such as getting a secret from a key vault. > These logs differ from the activity log. The **activity log** provides insight into the operations, such as creating a VM or deleting a logic app, that Azure Resource Manager performed on resources in your subscription using. The activity log is a subscription-level log. Resource-level **diagnostic logs** provide insight into operations that were performed within that resource itself, such as getting a secret from a key vault.
  
-  * activity logs represent events on the control plane+  * activity logs represent events on the control/management plane
   * diagnostic logs represent events on the data plane   * diagnostic logs represent events on the data plane
-  * //diagnostic logs// may be referred to as //resource logs//; they represent operations that were performed within a resource+  * //diagnostic logs// may be referred to as //[[https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs|resource logs]]//; they represent operations that were performed within a resource 
 + 
 + 
 +  * Resource logs are automatically generated by supported Azure resources, but they aren't available to be viewed unless you create a [[https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview#diagnostic-settings|diagnostic setting]].
 ====== Microsoft Defender for Cloud ====== ====== Microsoft Defender for Cloud ======
 > Microsoft Defender for Cloud is your central location for setting and monitoring your organizations security posture. > Microsoft Defender for Cloud is your central location for setting and monitoring your organizations security posture.
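Review bot: the new `Resource logs are automatically generated ...` bullet is preceded by two blank lines, so it renders as a separate list detached from the three control-plane/data-plane/resource-log bullets it belongs with; drop the blank lines so it stays in that list. While in this region, the quoted activity-log paragraph (unchanged context above) still ends `in your subscription using.`, where `using` has no object and reads as a copy-and-paste remnant; trimming it in the same edit would be worthwhile.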
Line 49: Line 60:
  
   * Defender continuously assesses the security posture of environments and their resources and produces a score (based on the **Azure Security Benchmark**) for it.   * Defender continuously assesses the security posture of environments and their resources and produces a score (based on the **Azure Security Benchmark**) for it.
 +      * **Security** Posture assessment how well and environment is hardened against attacks.
 +      * There is also **threat detection** capability that uses real-time signals to detect threats.
   * Defender works for Azure, other clouds and on-prem resources.   * Defender works for Azure, other clouds and on-prem resources.
   * JIT VM Access is a feature of Defender that only allows VM access after approval and for a short. fixed amount of time. This mitigates against brute-force types of attacks. (requires the Enhanced Security tier)   * JIT VM Access is a feature of Defender that only allows VM access after approval and for a short. fixed amount of time. This mitigates against brute-force types of attacks. (requires the Enhanced Security tier)
   * The free tier does not include monitoring non-Azure resources; this requires the Enhance tier of the service.   * The free tier does not include monitoring non-Azure resources; this requires the Enhance tier of the service.
   * **Example:** Defender would not detect if there is a new version of an OS, but it would detect of there are critical security updates that are missing.   * **Example:** Defender would not detect if there is a new version of an OS, but it would detect of there are critical security updates that are missing.
 +  * **Azure Policy** provides most of the data Defender for Cloud uses
 +  * A **Log Analytics Workspace** is used just for data coming from virtual machines
 +===== Defender for Servers =====
 +> Microsoft Defender for Servers is one of the enhanced security features of Microsoft Defender for Cloud. Use it to add threat detection and advanced defenses to your Windows and Linux machines whether they're running in Azure, AWS, GCP, and on-premises environment.
  
 +  * [[https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction]] 
 +  * Alerts and vulnerability data from Microsoft Defender for Endpoint is shown in Microsoft Defender for Cloud 
 +  * There are two tiers Plan 1 and Plan 2. 
 +  * Defender for Servers also has features for just-in-time VM access, file integrity monitoring, ... 
 +  * For just-in-time VM access, JIT does not support VMs protected by Azure Firewalls controlled by Azure Firewall Manager. The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.
 ====== Security Center ====== ====== Security Center ======
  
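Review bot: the new nested bullet `**Security** Posture assessment how well and environment is hardened against attacks.` is missing its verb and has `and` for `an`; suggest `**Security posture** assessment measures how well an environment is hardened against attacks.` so it parallels the `**threat detection**` bullet under it. Also in this hunk: the `===== Defender for Servers =====` heading follows the last bullet with no blank line, `There are two tiers Plan 1 and Plan 2.` needs a colon after `tiers`, and the `just-in-time VM access, file integrity monitoring, ...` bullet trails off; either list the remaining features or end the sentence after `file integrity monitoring`.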
  • Last modified: 2022/06/24 14:07
  • by mmuze