Recently, I was playing with the Investigation feature in Azure Security Center, which allows you to visualize the scope of a security event, triage, and track down the root cause of potential security incidents. It reminded me a lot of Microsoft Advanced Threat Analytics (ATA) we recommend for customers in their own datacenter. A companion feature are security playbooks, which are collections of procedures that can be executed from Security Center once a certain playbook is triggered from selected alert. In effect, Microsoft is offering intelligent detection of potential security events with capability to automate incident response.

IMPORTANT NOTES

  • Additional Reading. Notice the many hyperlinks in this article, which lead to additional reading on topics directly related to these features and duplicating this scenario in your own lab.
  • Cost. Bear in mind that the feature only comes with the Standard tier of Security Center, which enables Advanced threat detection capabilities, which includes advanced analytics that leverage the Microsoft Intelligent Security Graph…the source of intelligence through analysis of signals via machine learning. The security playbooks leverage Azure Logic Apps, which carries a separate charge.

Exploring on your own

I started by attempting some lateral movement with Mimikatz on a Windows server running the Microsoft Monitoring Agent, which is what collects the data consumed by Security Center.

This spawned a security alert in the Security Center portal.

You could also easily trigger similar events with AppLocker bypass.

image

When you drill into the Security alerts tile in the Detection section of the dashboard above, you can see a list of events.

image

And clicking on an event in the list, you can see the details of the event, including the description, severity, resource type and details of the action. Notice the Investigate button at the bottom of the event details window.

SNAGHTML177c4e6

Clicking on the Investigate button launches the Investigation Dashboard. The investigation consists of a graph , which is always focused on a specific entity, and presents the entities that are related to it. An entity could be a security alert, user, computer or incident. In this case, the “specific entity” is the suspicious process…Mimikatz.exe.

image

If we select the Suspicious process executed entity, you’ll see guidance on how to proceed with investigation. Most of the steps I found in various scenarios were fairly rudimentary.

image

If you click on the Playbooks tab at the right of the window, you’ll find the Run Playbooks based on this alert.

image

I did not find m(any) existing sample runbooks, but there is a tutorial with an example for creating your own Security Playbook in response to a suspicious process execution. As with the example, since more than 90% of malicious activities are observed once and never again, you may find your playbooks are driving expedited notification to the appropriate channels in your org.

If you have not yet spent time with the advanced features of Security Center present only in the Standard tier, it is worth a look. The story grows more compelling every month.