Microsoft Azure Security Center, First Edition

Book Description

Discover high-value Azure security insights, tips, and operational optimizations

This book presents comprehensive Azure Security Center techniques for safeguarding cloud and hybrid environments. Leading Microsoft security and cloud experts Yuri Diogenes and Dr. Thomas Shinder show how to apply Azure Security Center's full spectrum of features and capabilities to address protection, detection, and response in key operational scenarios. You'll learn how to secure any Azure workload and optimize virtually all facets of modern security, from policies and identity to incident response and risk management. Whatever your role in Azure security, you'll learn how to save hours, days, or even weeks by solving problems in the most efficient, reliable ways possible.

Two of Microsoft's leading cloud security experts show how to:

• Assess the impact of cloud and hybrid environments on security, compliance, operations, data protection, and risk management

• Master a new security paradigm for a world without traditional perimeters

• Gain visibility and control to secure compute, network, storage, and application workloads

• Incorporate Azure Security Center into your security operations center

• Integrate Azure Security Center with Azure AD Identity Protection and third-party solutions

• Adapt Azure Security Center's built-in policies and definitions for your organization

• Perform security assessments and implement Azure Security Center recommendations

• Use incident response features to detect, investigate, and address threats

• Create high-fidelity fusion alerts to focus attention on your most urgent security issues

• Implement application whitelisting and just-in-time VM access

• Monitor user behavior and access, and investigate compromised or misused credentials

• Customize and perform operating system security baseline assessments

• Leverage integrated threat intelligence to identify known bad actors

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Contents
  5. Acknowledgments
  6. About the authors
  7. Foreword
  8. Introduction
  9. Chapter 1 The threat landscape
    1. Understanding cybercrime
    2. Understanding the cyber kill chain
    3. Common threats
    4. Building a security posture
    5. Adopting an assume-breach mentality
    6. Cloud threats and security
      1. Compliance
      2. Risk management
      3. Identity and access management
      4. Operational security
      5. Endpoint protection
      6. Data protection
    7. Azure Security
      1. Host protection
      2. Network protection
      3. Storage protection
  10. Chapter 2 Introduction to Azure Security Center
    1. Understanding Security Center
      1. Security Center architecture
      2. Security Center dashboard
    2. Considerations before adoption
      1. Role-based access control
      2. Security policy
      3. Storage
      4. Recommendations
    3. Incorporating Security Center into your security operations
    4. Onboarding resources
    5. Initial assessment
  11. Chapter 3 Policy management
    1. Legacy Azure Security Center security policy
    2. Next-generation Azure Security Center security policy
      1. The Data Collection blade
      2. The Policy Management blade
      3. The Email Notifications blade
      4. The Pricing Tier blade
    3. Azure Policy
      1. Policy definitions and assignments
      2. Initiative definitions and assignments
      3. Exploring Azure Policy
      4. Customizing your Security Center security policies
    4. Azure Security Center RBAC and permissions
  12. Chapter 4 Mitigating security issues
    1. Compute recommendations
      1. Setting up endpoint protection
      2. Remediate Security Configurations
    2. Networking recommendations
      1. NSGs on subnets not enabled
      2. Restrict access through internet-facing endpoint
    3. Storage and data
      1. Server auditing and threat detection not enabled
      2. Storage encryption not enabled
    4. Applications
      1. Web application firewall not installed
  13. Chapter 5 Using Security Center for incident response
    1. Understanding security alerts
    2. Detection scenarios
      1. Detecting spam activity
      2. Crash-dump analysis
    3. Accessing security alerts
      1. Security incidents
      2. Custom alerts
    4. Investigating a security issue
    5. Responding to a security alert
      1. Creating a playbook
      2. Building the workflow
      3. Executing a playbook
      4. Auditing playbook execution
  14. Chapter 6 Advanced cloud defense
    1. Threat prevention versus threat detection
    2. Methods of threat detection
      1. Atomic detection
      2. Threat-intelligence feeds and integrated security solutions
      3. Behavioral analysis
      4. Anomaly detection
    3. The cyber kill chain and fusion alerts
    4. Application whitelisting: adaptive application controls
    5. Just-in-time VM access
  15. Chapter 7 Security incident and event management (SIEM) integration with Splunk
    1. Integrating SIEM solutions
    2. Splunk integration with Azure Security Center
      1. Confirming accessible logs in Azure Monitor
      2. Configuring the subscription for the Splunk SIEM pipe
      3. Creating and configuring a resource group for the Splunk SIEM pipe
      4. Setting up an Azure AD application to provide an access control identity
      5. Creating an Azure key vault
      6. Copying the app password into Key Vault
      7. Making an event hub
      8. Creating a shared access key for event hub access control
      9. Placing the event hub shared access key in Azure Key Vault
      10. Hooking up the event hub to Azure Monitor
      11. Spinning up the virtual machine that hosts the Splunk enterprise VM
      12. Installing and configuring the Azure Monitor add-on for Splunk
  16. Chapter 8 Monitoring identity and access
    1. Monitoring identity-related activities
      1. Identity posture
      2. Failed logons
      3. Logons over time
    2. Integrating Security Center with Azure Active Directory Identity Protection
    3. Customizing your search
  17. Chapter 9 Using threat intelligence to identify security issues
    1. What is threat intelligence and why use it?
    2. Using threat intelligence reports in Security Center
    3. Using the Threat Intelligence dashboard in Security Center
    4. Hunting security issues in Security Center
    5. Virtual Analyst
  18. Appendix A Using multiple workspaces in Security Center
    1. Creating a new workspace
    2. Moving computers and VMs to a new workspace
  19. Appendix B Customizing your operating system security baseline assessment
    1. General considerations
    2. Customizing operating system configuration
      1. Downloading the JSON file
      2. Editing the JSON file
      3. Uploading the new rule
  20. Index
  21. Code Snippets