| LT-1 |
nan |
Enable threat detection capabilities |
Parent |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Enable threat detection capabilities across compute, storage, database, and identity services to identify known attack patterns, anomalous behaviors, and suspicious activities. Use behavioral analytics and threat intelligence to detect threats that traditional access controls cannot prevent. |
Adversaries exploit environments lacking native threat detection to conduct attacks that remain invisible to traditional security controls. |
Initial Access (TA0001): exploit public-facing application (T1190) leveraging undetected vulnerabilities in web applications or APIs to gain initial foothold. |
A global manufacturing organization enabled comprehensive threat detection across 300+ Azure resources spanning storage accounts, SQL databases, Cosmos DB instances, and IoT production systems to reduce mean time to detect (MTTD) sophisticated attacks. |
Must have |
SI-4(1), SI-4(2), SI-4(5), SI-4(12), SI-4(23), AU-6(1), AU-6(3) |
10.6.1, 10.6.2, 10.6.3, 10.8.1, 11.5.1 |
8.11, 13.1, 13.2 |
DE.CM-1, DE.CM-4, DE.CM-7 |
A.8.16, A.5.24 |
CC7.2, CC7.3 |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
Without behavioral analytics and threat intelligence-driven monitoring: Undetected malware & exploits:Malicious files uploaded to storage or exploitation attempts against databases proceed undetected because signature-based or network-layer defenses miss sophisticated payloads.Silent data exfiltration:Large-scale data extraction, unusual query patterns, or anomalous access volumes evade detection due to absent behavioral baselines and volume anomaly detection.Lateral movement blindness:Attackers pivot across resources (storage to compute to database) without triggering alerts because cross-service correlation and threat intelligence feeds are not integrated.SQL injection & application attacks:Database exploitation attempts via malicious queries or application-layer attacks proceed unmonitored without real-time query analysis and threat pattern matching.Prolonged dwell time:Attackers maintain persistent access for extended periods (days to months) because reconnaissance, staging, and execution phases generate no alerts—delaying incident response |
Execution (TA0002): command and scripting interpreter (T1059) executing malicious code within compute or serverless resources without triggering behavioral alerts. |
Challenge:Traditional security monitoring relied on isolated service-specific alerts without correlation across storage, databases, identity, and email systems. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
Persistence (TA0003): account manipulation (T1098) modifying service principals or creating backdoor identities undetected due to absent anomaly monitoring. |
Security team lacked unified visibility to detect multi-stage attacks spanning phishing campaigns, credential compromise, and data exfiltration. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
Defense Evasion (TA0005): impair defenses (T1562) disabling logging, monitoring agents, or security services to operate in blind spots. |
Mean time to detect sophisticated threats exceeded 30 days. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
Collection (TA0009): data from cloud storage (T1530) silently harvesting blob containers or object storage without volume or pattern-based detection. |
Solution approach: Comprehensive cloud threat detection:Enabled Microsoft Defender for Cloud services across 150+ storage accounts, 40 SQL Database instances, 12 Cosmos DB accounts, and PostgreSQL databases providing behavioral analytics and threat intelligence-driven detection for data plane operations.Unified XDR platform:Deployed Microsoft Defender XDR correlating threat detection across Microsoft 365 Defender (endpoints, email, collaboration), Microsoft Defender for Cloud (Azure infrastructure), and Microsoft Entra ID (identity) with automated cross-domain incident correlation.Custom analytics rules:Created Sentinel analytics rules detecting multi-stage attacks including storage access anomalies coinciding with SQL database schema enumeration, Cosmos DB bulk extraction patterns, and credential spray campaigns across services.Threat intelligence enrichment:Integrated Microsoft Defender Threat Intelligence to enrich alerts with threat actor attribution, known attack infrastructure, and vulnerability exploitation context. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
Exfiltration (TA0010): exfiltration over web service (T1567) streaming data through legitimate API endpoints at volumes or times that behavioral analytics would flag. |
Outcome:Defender XDR detected and contained a phishing-to-exfiltration attack chain shortly after deployment, with Threat Intelligence identifying infrastructure matching known APT targeting manufacturing intellectual property. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
Impact (TA0040): resource hijacking (T1496) deploying cryptominers or computational abuse undetected by resource consumption anomaly detection. |
Automated cross-domain incident correlation enabled security teams to rapidly investigate and respond to multi-stage attacks that previously remained undetected for extended periods. |
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for APIs should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-1 |
LT-1.1 |
Enable threat detection for cloud services |
Child |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Enable threat detection capabilities across compute, storage, database, and identity services to identify known attack patterns, anomalous behaviors, and suspicious activities. Use behavioral analytics and threat intelligence to detect threats that traditional access controls cannot prevent. |
nan |
nan |
Deploy native threat detection capabilities across all critical cloud services to identify malicious activities, anomalous behaviors, and known attack patterns through behavioral analytics and threat intelligence. This foundational layer provides the first line of defense against threats targeting compute, storage, database, and key management services. Implement the following steps to establish comprehensive threat detection coverage: Use cloud-native threat detection:Deploy the threat detection capabilities of your cloud security posture management platform for compute, storage, database, and identity services, providing behavioral analytics and threat intelligence-driven monitoring.Enable comprehensive service coverage:Activate threat detection for all critical Azure services usingMicrosoft Defender for Cloud, covering virtual machines, storage accounts, databases, containers, and Key Vault instances.Review detection capabilities:Familiarize security teams with available detection capabilities using theMicrosoft Defender for Cloud security alerts reference guideto understand alert types, severity levels, and response requirements.Address detection gaps:For services without native threat detection capability, collect data plane logs and route to Microsoft Sentinel for custom analytics rules and behavioral detection.Optimize alert quality:Configure alert filtering and analytics rules to reduce false positives and extract high-quality alerts from log data, tuning detection se |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for APIs should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-1 |
LT-1.2 |
Enable advanced threat detection and analytics |
Child |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Enable threat detection capabilities across compute, storage, database, and identity services to identify known attack patterns, anomalous behaviors, and suspicious activities. Use behavioral analytics and threat intelligence to detect threats that traditional access controls cannot prevent. |
nan |
nan |
Enhance basic threat detection by centralizing security telemetry, deploying unified extended detection and response (XDR) platforms, and enriching alerts with threat intelligence. This advanced layer enables correlation of threats across multiple domains, custom detection for organization-specific attack patterns, and context-rich alerts that accelerate investigation and response. Build this advanced detection capability through the following steps: Centralize security telemetry:Aggregate alerts and log data from cloud security platforms, endpoint protection, identity systems, and application services intoAzure MonitororMicrosoft Sentinelfor unified analysis and correlation.Deploy unified XDR platform:EnableMicrosoft Defender XDRto correlate threat detection across Microsoft 365 Defender (endpoints, email, collaboration), Microsoft Defender for Cloud (Azure infrastructure), and Microsoft Entra ID (identity) with cross-domain incident grouping and automated investigation workflows.Build custom detection rules:Createcustom analytics rulesmatching organization-specific threat patterns, attack indicators, and business logic violations that pre-built detections cannot address.Enrich with threat intelligence:IntegrateMicrosoft Defender Threat Intelligenceto enrich alerts with threat actor attribution, infrastructure reputation, vulnerability exploitation intelligence, and compromised indicator correlation.Leverage threat indicators:Implementthreat intelligence indicatorsin Microso |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for APIs should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-2 |
nan |
Enable threat detection for identity and access management |
Parent |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Monitor authentication and authorization events to detect compromised credentials, anomalous sign-in patterns, and account abuse. Identify behavioral anomalies including excessive authentication failures, impossible travel, deprecated account usage, and unauthorized privilege escalations. |
Identity-based attacks remain the primary initial access vector for cloud breaches, yet many organizations lack behavioral monitoring to detect credential abuse and anomalous access patterns. |
Initial Access (TA0001): valid accounts (T1078) leveraging compromised credentials to gain initial entry appearing as legitimate authentication. |
A financial services organization with 8,000 employees implemented comprehensive identity threat detection to combat credential-based attacks targeting cloud banking applications and customer data repositories. |
Must have |
AU-2(1), AU-6(1), AU-6(3), IA-4(4), SI-4(1), SI-4(12) |
8.2.8, 10.2.1, 10.2.2, 10.6.1 |
6.2, 8.5, 8.11 |
DE.CM-1, PR.AC-4, PR.IP-8 |
A.5.16, A.8.15, A.8.16 |
CC6.1, CC7.2, CC7.3 |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
Without identity-focused threat detection: Credential compromise blindness:Stolen, leaked, or brute-forced credentials are used for extended periods (weeks to months) without detection because sign-in anomalies and risk scoring are absent.Impossible travel undetected:Successful authentications from geographically distant locations within impossible timeframes indicate credential sharing or compromise, but proceed unmonitored without baseline analysis.Deprecated account exploitation:Orphaned accounts, former employees, or unused service principals provide persistence footholds that attackers leverage to avoid user behavior scrutiny.Privilege escalation silence:Attackers add themselves to administrative roles, create new privileged identities, or modify group memberships without triggering audit alerts or anomaly detection.Password spray success:Low-and-slow password guessing attacks avoid account lockout thresholds and evade detection absent aggregated authentication failure analytics across th |
Credential Access (TA0006): brute force (T1110) conducting password spray or credential stuffing attacks against user and service accounts. |
Challenge:Traditional authentication monitoring lacked behavioral analytics to detect credential-based attacks including impossible travel, password spray campaigns, and dormant account exploitation. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
Credential Access (TA0006): unsecured credentials (T1552) harvesting leaked credentials from public breach databases or dark web sources. |
Security team relied on manual log reviews discovering compromises only after fraud incidents or customer complaints. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
Persistence (TA0003): account manipulation (T1098) creating backdoor accounts, adding to privileged groups, or modifying authentication methods. |
Mean time to detect identity-based attacks exceeded 30 days. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
Privilege Escalation (TA0004): valid accounts (T1078.004) abusing cloud accounts to escalate permissions or assume higher-privileged roles. |
Solution approach: Identity risk detection and protection:Deployed Microsoft Entra ID Protection with risk-based Conditional Access policies blocking high-risk sign-ins, requiring MFA for medium-risk authentication attempts, and automatically forcing password resets for leaked credential detection.Advanced SIEM analytics:Created Sentinel analytics rules detecting impossible travel patterns, password spray attacks (50+ failures across 10+ accounts from single source), privilege escalation outside change windows, and dormant account reactivation.Hybrid environment monitoring:Deployed Defender for Identity on 12 on-premises domain controllers to monitor Active Directory signals and correlate with cloud authentication patterns for complete visibility.AI-powered investigation:Integrated Microsoft Security Copilot enabling natural language incident queries, automated threat context enrichment, guided remediation workflows, and cross-domain correlation between identity compromise and resource access. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
Defense Evasion (TA0005): use alternate authentication material (T1550) leveraging tokens, cookies, or session artifacts to bypass MFA requirements. |
Outcome:Identity Protection flagged compromised accounts shortly after deployment, Sentinel detected and contained credential stuffing attacks within minutes, and Security Copilot enabled security teams to rapidly investigate identity-based threats using natural language queries. |
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
Lateral Movement (TA0008): use alternate authentication material (T1550.001) passing tokens or session credentials to access additional cloud resources. |
The organization achieved substantially faster detection and response to identity-based attacks that previously remained undetected for extended periods. |
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-2 |
LT-2.1 |
Enable Microsoft Entra ID threat detection and monitoring |
Child |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Monitor authentication and authorization events to detect compromised credentials, anomalous sign-in patterns, and account abuse. Identify behavioral anomalies including excessive authentication failures, impossible travel, deprecated account usage, and unauthorized privilege escalations. |
nan |
nan |
Establish comprehensive visibility into identity and authentication activities by enabling audit logging and sign-in monitoring for all identity resources. This foundational telemetry enables detection of suspicious authentication patterns, unauthorized changes to identity configuration, and potential account compromise indicators. Configure the following monitoring capabilities: Enable comprehensive audit logging:ActivateMicrosoft Entra audit logsto provide complete traceability for all changes made to identity resources including user and group management, role assignments, application registrations, and policy modifications.Monitor authentication activities:Track sign-in reports to capture all authentication events for managed applications and user accounts, establishing baselines for normal access patterns and identifying anomalies.Detect risky sign-in patterns:Enable monitoring of risky sign-ins to flag authentication attempts from suspicious sources, impossible travel scenarios, unfamiliar locations, or leaked credential usage indicating potential account compromise.Identify compromised accounts:Monitor users flagged for risk to detect accounts showing multiple risk indicators requiring immediate investigation and remediation through automated or manual review workflows.Integrate with SIEM platforms:Route Microsoft Entra ID logs toAzure Monitor,Microsoft Sentinel, or third-party SIEM platforms for advanced correlation, long-term retention, and cross-domain threat detect |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-2 |
LT-2.2 |
Implement identity protection and risk-based controls |
Child |
Enable detection capabilities |
Azure Defender for App Service should be enabled |
Monitor authentication and authorization events to detect compromised credentials, anomalous sign-in patterns, and account abuse. Identify behavioral anomalies including excessive authentication failures, impossible travel, deprecated account usage, and unauthorized privilege escalations. |
nan |
nan |
Enhance identity monitoring with advanced risk detection, adaptive access controls, and AI-powered investigation capabilities. This advanced layer applies machine learning to detect sophisticated identity attacks, automates risk-based authentication enforcement, and extends protection to hybrid environments bridging cloud and on-premises infrastructure. Implement these advanced capabilities: Deploy identity risk detection:EnableMicrosoft Entra ID Protectionto detect and remediate identity risks including leaked credentials, sign-ins from anonymous IP addresses, malware-linked sources, and password spray attacks using machine learning and threat intelligence.Implement risk-based access controls:Configure Identity Protection policies to enforce adaptive authentication requirements through Microsoft Entra Conditional Access, requiring MFA for medium-risk sign-ins and blocking high-risk authentication attempts until remediation.Monitor cloud infrastructure identity threats:EnableMicrosoft Defender for Cloud workload protectionto detect suspicious identity activities including deprecated account usage, excessive failed authentication attempts, and anomalous service principal behaviors. Extend to hybrid environments:For organizations with on-premises Active Directory, deployMicrosoft Defender for Identityto monitor domain controllers, detect advanced threats, identify compromised identities, and investigate malicious insider actions spanning hybrid infrastructure. Accelerate invest |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Azure Defender for Azure SQL Database servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for Resource Manager should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL servers on machines should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected Azure SQL servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected MySQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for open-source relational databases should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Defender for servers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Kubernetes Service clusters should have Defender profile enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender CSPM should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Containers should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Microsoft Defender for Storage should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Windows Defender Exploit Guard should be enabled on your machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed |
|
|
|
|
|
|
|
|
|
|
|
| LT-3 |
nan |
Enable logging for security investigation |
Parent |
Enable comprehensive logging |
App Service apps should have resource logs enabled |
Enable audit logging across data plane operations, control plane activities, and identity events to support incident investigation, forensic analysis, and compliance validation. Comprehensive logging provides the evidence trail required to reconstruct security incidents and determine breach scope. |
Comprehensive audit logging across all cloud tiers provides the forensic foundation for incident investigation, breach reconstruction, and compliance validation. |
Defense Evasion (TA0005): impair defenses (T1562.008) disabling or modifying logging configurations to operate in monitoring blind spots. |
A healthcare SaaS provider enabled comprehensive three-tier logging (infrastructure/identity, platform/data services, application/workload) to meet HIPAA audit requirements and support security investigations for electronic health record (EHR) systems serving 200+ hospital customers. |
Must have |
AU-2(1), AU-3(1), AU-6(1), AU-6(3), AU-12(1), SI-4(2) |
10.2.1, 10.2.2, 10.3.1, 10.3.2, 10.3.3 |
8.2, 8.3, 8.5, 8.12 |
DE.AE-3, DE.CM-1, DE.CM-6, PR.PT-1 |
A.8.15, A.8.16, A.8.17 |
CC4.1, CC7.2, CC7.3 |
|
|
|
|
|
Auditing on SQL server should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Front Door should have Resource logs enabled |
|
Without systematic logging of resource, activity, and identity events: Forensic blind spots:Incident responders cannot determine what was accessed, modified, or deleted during a breach because resource-level data plane operations (key vault access, database queries, storage reads) are not logged.Management plane opacity:Infrastructure changes (role assignments, firewall rule modifications, resource deletions) proceed without audit trails, preventing attribution of malicious or negligent administrative actions.Impossible attribution:Security teams cannot identify which identity performed suspicious actions, from what IP address, at what time, or using which authentication method absent comprehensive Microsoft Entra ID logs.Lateral movement invisibility:Attackers pivot across resources (VM to storage to database) without leaving investigatable breadcrumbs because cross-service activity correlation lacks audit data.Compliance failure:Regulatory frameworks (PCI-DSS, HIPAA, SOC 2) mandate detailed audit trails for all data acce |
Defense Evasion (TA0005): indicator removal (T1070) deleting or manipulating logs to remove evidence of malicious activity. |
Challenge:Fragmented logging across isolated services prevented correlation of multi-stage attacks. |
|
|
|
|
|
|
|
|
|
|
|
|
Diagnostic logs in Azure AI services resources should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Data Lake Store should be enabled |
|
|
Discovery (TA0007): cloud infrastructure discovery (T1580) enumerating resources, permissions, and configurations to map the environment. |
Security team lacked complete audit trails for HIPAA compliance and could not reconstruct incident timelines spanning infrastructure changes, data access, and application abuse. |
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Databricks Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Kubernetes Service should be enabled |
|
|
Collection (TA0009): data from cloud storage (T1530) accessing sensitive data without data plane logging to track reads, downloads, or transfers. |
Mean time to investigate incidents exceeded 2 weeks due to manual log aggregation across 120+ services. |
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Machine Learning Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Stream Analytics should be enabled |
|
|
Exfiltration (TA0010): exfiltration over web service (T1567) extracting data through cloud APIs where transaction logging is disabled or incomplete. |
Solution approach: Infrastructure and identity logging:Configured centralized Activity Logs and Microsoft Entra ID logs (sign-ins, audit) at management group level covering 5 subscriptions, capturing 1.5M daily authentication events and 50K management operations with 2-year retention for compliance.Platform and data service logging:Enabled diagnostic logs for 120+ storage accounts, 12 SQL databases, 15 Key Vaults, Cosmos DB instances, and AKS clusters (kube-audit, Container Insights) capturing data plane operations, query performance, and container security events generating 2M+ daily audit events.Application and workload logging:Deployed Azure Monitor Agent to 150 VMs, enabled App Service diagnostics for 8 web applications, configured API Management logging for 3 healthcare integration APIs, and implemented Application Insights for distributed tracing with structured security context logging.Centralized correlation:Deployed Microsoft Sentinel analytics rules correlating events across all three tiers with tiered retention policies (2 years HIPAA-regulated, 1 year operational, 90 days performance) and Azure RBAC access controls. |
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Batch accounts should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Data Lake Analytics should be enabled |
|
|
|
Outcome:Cross-tier log correlation enabled rapid detection of sophisticated multi-stage attacks spanning role assignments, Key Vault access, and storage exfiltration. |
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Event Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in IoT Hub should be enabled |
|
|
|
The organization achieved complete HIPAA audit trail compliance and substantially reduced incident investigation time through centralized log analysis across infrastructure, platform, and application layers. |
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Logic Apps should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Search services should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Service Bus should be enabled |
|
|
|
|
|
|
|
|
|
|
|
| LT-3 |
LT-3.1 |
Enable infrastructure and identity logging |
Child |
Enable comprehensive logging |
App Service apps should have resource logs enabled |
Enable audit logging across data plane operations, control plane activities, and identity events to support incident investigation, forensic analysis, and compliance validation. Comprehensive logging provides the evidence trail required to reconstruct security incidents and determine breach scope. |
nan |
nan |
Establish the foundational audit trail by capturing all management plane operations and identity events across your cloud environment. This layer provides visibility into who is making changes to infrastructure, when those changes occur, and how identities are being used—essential for detecting unauthorized modifications, privilege abuse, and compliance violations. Enable these core logging capabilities: Enable activity logs for management plane operations:ActivateAzure Activity Logsfor all subscriptions to capture management plane operations including resource creation, modification, deletion (PUT, POST, DELETE operations), role assignments, policy changes, and administrative actions.Centralize activity log collection:Configure diagnostic settings at the management group or subscription level to route Activity Logs to centralized Log Analytics workspace for long-term retention, correlation analysis, and compliance reporting.Enforce consistent logging coverage:DeployAzure Policyto enforce diagnostic settings across all subscriptions ensuring consistent Activity Log collection and preventing configuration drift as new subscriptions are created.Capture authentication events:EnableMicrosoft Entra sign-in logsto capture all user and service principal authentication events including interactive sign-ins, non-interactive sign-ins, service principal sign-ins, and managed identity authentications.Track identity changes:EnableMicrosoft Entra audit logsto track all changes made to Micr |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Auditing on SQL server should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Front Door should have Resource logs enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Diagnostic logs in Azure AI services resources should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Data Lake Store should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Databricks Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Kubernetes Service should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Machine Learning Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Stream Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Batch accounts should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Data Lake Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Event Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in IoT Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Logic Apps should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Search services should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Service Bus should be enabled |
|
|
|
|
|
|
|
|
|
|
|
| LT-3 |
LT-3.2 |
Enable platform and data service logging |
Child |
Enable comprehensive logging |
App Service apps should have resource logs enabled |
Enable audit logging across data plane operations, control plane activities, and identity events to support incident investigation, forensic analysis, and compliance validation. Comprehensive logging provides the evidence trail required to reconstruct security incidents and determine breach scope. |
nan |
nan |
Extend audit coverage to data plane operations where sensitive business data resides and is accessed. Platform service logs capture the "what was accessed" and "by whom" details essential for investigating data breaches, insider threats, and compliance violations—covering storage, databases, secrets management, containers, and NoSQL platforms. Configure the following data plane logging: Enable resource-level data plane logs:ActivateAzure resource logsfor data plane operations performed within Azure services including read, write, and delete operations on data and configurations across all platform services.Log storage operations:EnableAzure Storage diagnostic logsto capture all blob, file, queue, and table storage operations including StorageRead, StorageWrite, StorageDelete events with caller identity, source IP, and operation latency for forensic investigations.Audit database activities:ConfigureAzure SQL Database auditingto log all database queries, schema changes, permission grants, authentication attempts, and administrative operations—route audit logs to Log Analytics workspace or storage account for compliance and security monitoring.Monitor secrets access:EnableAzure Key Vault diagnostic logsto capture all key, secret, and certificate access operations including retrieval, rotation, deletion, and permission changes with full audit context for sensitive asset tracking.Track NoSQL operations:ConfigureAzure Cosmos DB diagnostic logsto capture data plane operations, query |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Auditing on SQL server should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Front Door should have Resource logs enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Diagnostic logs in Azure AI services resources should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Data Lake Store should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Databricks Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Kubernetes Service should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Machine Learning Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Stream Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Batch accounts should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Data Lake Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Event Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in IoT Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Logic Apps should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Search services should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Service Bus should be enabled |
|
|
|
|
|
|
|
|
|
|
|
| LT-3 |
LT-3.3 |
Enable application and workload logging |
Child |
Enable comprehensive logging |
App Service apps should have resource logs enabled |
Enable audit logging across data plane operations, control plane activities, and identity events to support incident investigation, forensic analysis, and compliance validation. Comprehensive logging provides the evidence trail required to reconstruct security incidents and determine breach scope. |
nan |
nan |
Complete your audit coverage by capturing application-layer activities, custom workload operations, and business logic execution. Application logs provide the deepest visibility into how users interact with your systems, what business data they access, and which application-layer attacks are attempted—essential for detecting insider threats, application abuse, and sophisticated attacks that bypass infrastructure controls. Implement comprehensive application logging: Log web application activities:EnableAzure App Service diagnosticsto capture application logs, web server logs (IIS/HTTP.sys logs), detailed error messages, failed request tracing, and deployment logs for web applications and APIs.Monitor API gateway operations:ConfigureAzure API Management diagnosticsto log API requests, responses, authentication failures, rate limit violations, policy execution details, backend service errors, and subscription management events.Track serverless function execution:EnableAzure Functions monitoringwith Application Insights integration to capture function executions, dependencies, exceptions, performance metrics, and custom security events including authorization decisions and sensitive operation audits.Log business process workflows:For Azure Logic Apps, enable diagnostics to log workflow runs, trigger events, action results, and integration failures supporting business process security investigations.Deploy VM monitoring agents:DeployAzure Monitor Agentto Windows and Linux virtual |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
Auditing on SQL server should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Azure Front Door should have Resource logs enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Diagnostic logs in Azure AI services resources should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Data Lake Store should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Databricks Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Kubernetes Service should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Machine Learning Workspaces should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Azure Stream Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Batch accounts should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Data Lake Analytics should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Event Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in IoT Hub should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Key Vault should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Logic Apps should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Search services should be enabled |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Resource logs in Service Bus should be enabled |
|
|
|
|
|
|
|
|
|
|
|
| LT-4 |
nan |
Enable network logging for security investigation |
Parent |
Enable comprehensive logging |
Flow logs should be configured for every network security group |
Enable network traffic logging including flow logs, firewall decision logs, web application firewall events, and DNS queries to support incident investigation and threat detection. Network logs provide forensic evidence for lateral movement, command-and-control communications, data exfiltration, and policy violations. |
Network traffic logs provide critical forensic evidence for investigating lateral movement, data exfiltration, command-and-control communications, and application-layer attacks. |
Command & Control (TA0011): application layer protocol (T1071) using HTTP/HTTPS or other standard protocols to blend C2 traffic with legitimate communications. Command & Control (TA0011): DNS (T1071.004) leveraging DNS queries for C2 channels or data exfiltration tunnels. |
Challenge:A global e-commerce platform needed to detect lateral movement, data exfiltration, and application-layer attacks across multi-region infrastructure protecting payment processing and customer data systems. |
Must have |
AU-2(1), AU-3(1), AU-6(1), AU-12(1), SI-4(2), SI-4(4), SI-4(5), SI-4(12) |
10.2.1, 10.2.2, 10.3.1, 10.3.2, 11.4.1, 11.4.2 |
8.2, 8.5, 8.6, 8.11, 13.6 |
DE.AE-3, DE.CM-1, DE.CM-4, DE.CM-6, DE.CM-7 |
A.8.15, A.8.16 |
CC7.2 |
|
|
|
|
|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
|
Without comprehensive network logging: Lateral movement blindness:Attackers pivot across subnets, between VMs, or from compute to data services without leaving network flow evidence—preventing identification of east-west traffic anomalies.Exfiltration path opacity:Large-scale data transfers to external destinations, unusual egress patterns, or DNS tunneling proceed undetected absent flow logs and firewall traffic analysis.Application-layer attacks invisible:SQL injection attempts, web shell uploads, API abuse, or protocol manipulation bypass detection when WAF logs, application gateway logs, and Layer 7 inspection are disabled.C2 communications undetected:Command-and-control beaconing, callback patterns, or tunneled protocols evade detection without DNS query logs and network connection baselines.Policy violation invisibility:Traffic that violates network segmentation, accesses unauthorized ports/protocols, or bypasses firewall rules proceeds unmonitored, eroding zero-trust boundaries.Compliance gaps:Regula |
Lateral Movement (TA0008): remote services (T1021) moving between systems using RDP, SSH, or cloud management protocols. |
Solution approach:Enabled comprehensive network logging by deploying NSG flow logs with Traffic Analytics across 200+ network security groups, configured Azure Firewall and WAF diagnostic logs at centralized egress points and application gateways, implemented DNS analytics for C2 detection, and integrated all network logs with SIEM for correlation with identity and resource activity signals. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exfiltration (TA0010): exfiltration over C2 channel (T1041) streaming stolen data through established command-and-control connections. |
Outcome:Traffic Analytics identified policy violations (exposed management ports), WAF logs detected and blocked SQL injection campaigns, and DNS analytics flagged DGA patterns enabling rapid VM isolation. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exfiltration (TA0010): exfiltration over alternative protocol (T1048) using non-standard ports or protocols to evade egress monitoring. |
Network logging enabled detection of lateral movement patterns and data exfiltration attempts that would have remained invisible without comprehensive flow and firewall log analysis. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Defense Evasion (TA0005): protocol tunneling (T1572) encapsulating malicious traffic within legitimate protocols (DNS, HTTPS) to bypass inspection. |
|
|
|
|
|
|
|
|
| LT-4 |
LT-4.1 |
Enable network security logging and monitoring |
Child |
Enable comprehensive logging |
Flow logs should be configured for every network security group |
Enable network traffic logging including flow logs, firewall decision logs, web application firewall events, and DNS queries to support incident investigation and threat detection. Network logs provide forensic evidence for lateral movement, command-and-control communications, data exfiltration, and policy violations. |
nan |
nan |
Capture comprehensive network traffic telemetry to detect lateral movement, data exfiltration, command-and-control communications, and application-layer attacks. Network logs provide the evidence trail for how attackers move between systems, what external destinations they contact, and which attack techniques they employ—essential for investigating sophisticated multi-stage breaches. Enable the following network logging capabilities: Capture network flow logs:Enablenetwork security group (NSG) flow logsto capture information about IP traffic flowing through NSGs including source/destination IPs, ports, protocols, and allow/deny decisions for lateral movement detection.Monitor firewall activities:EnableAzure Firewall logs and metricsto monitor firewall activity, rules processing, threat intelligence hits, and DNS proxy logs for centralized egress monitoring and threat detection.Log application-layer attacks:Enable Web Application Firewall (WAF) logs to capture application-layer attack attempts including SQL injection, cross-site scripting, and OWASP Top 10 violations with request details and blocking decisions.Collect DNS query data:CollectDNS query logsto assist in correlating network data and detecting DNS-based attacks including tunneling, DGA domains, and command-and-control communications.Deploy comprehensive monitoring:UseAzure networking monitoring solutionsin Azure Monitor for comprehensive network visibility and centralized log correlation.Enable traffic analytics:Sen |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
[Preview]: Network traffic data collection agent should be installed on Linux virtual machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Network traffic data collection agent should be installed on Windows virtual machines |
|
|
|
|
|
|
|
|
|
|
|
| LT-5 |
nan |
Centralize security log management and analysis |
Parent |
Centralize and analyze |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption |
Centralize security logs from all cloud services, identity systems, and network infrastructure into a unified platform for correlation and analysis. Centralized aggregation enables detection of multi-stage attacks spanning multiple services that isolated log sources cannot reveal. |
Distributed logs stored across disparate services and regions prevent correlation of multi-stage attacks and delay incident detection. |
Defense Evasion (TA0005): impair defenses (T1562) exploiting log fragmentation to avoid correlation-based detection across service boundaries. |
Challenge:A multinational insurance company needed unified threat detection and investigation capabilities across 12 Azure subscriptions, 500+ resources, and 4 geographic regions processing policyholder personal information and claims data. |
Must have |
AU-2(1), AU-3(1), AU-6(1), AU-6(3), AU-6(5), AU-7(1), AU-12(1), SI-4(1), SI-4(2), SI-4(5), SI-4(12) |
10.4.1, 10.4.2, 10.4.3, 10.7.1, 10.7.2, 10.7.3 |
8.9, 8.11, 13.1, 13.3, 13.4, 17.1 |
nan |
A.8.15, A.8.16, A.5.25 |
CC7.2, CC7.3 |
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines |
|
Without centralized log aggregation and SIEM capabilities: Multi-stage attack invisibility:Sophisticated kill chains spanning identity (Microsoft Entra ID), network (NSG flows), and data (storage access) remain undetected because isolated log silos prevent cross-service correlation and timeline reconstruction.Alert fatigue and noise:Security teams drowning in uncorrelated alerts from dozens of individual services miss critical patterns—high-priority incidents buried in thousands of false positives lacking context and prioritization.Delayed detection:Manual log aggregation and analysis extends mean time to detect (MTTD) from minutes to days—attackers completing full attack cycles (reconnaissance → execution → exfiltration) before defenders correlate evidence.Incomplete threat hunting:Security analysts cannot perform proactive threat hunting queries spanning multiple services, time ranges, and attack indicators when logs remain scattered across service-specific interfaces.Compliance audit failures:Regulatory requirements mandate centralized security m |
Discovery (TA0007): cloud infrastructure discovery (T1580) systematically enumerating resources across multiple services—patterns visible only through centralized analysis. |
Solution approach:Deployed centralized Log Analytics workspace with management group-level diagnostic settings routing all Azure activity logs, identity telemetry, and critical resource logs (Storage, SQL, Key Vault, Firewall). Enabled Microsoft Sentinel SIEM with data connectors for Defender for Cloud, Entra ID Protection, Microsoft 365 Defender, and Defender Threat Intelligence. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Lateral Movement (TA0008): use alternate authentication material (T1550) pivoting across services using tokens or credentials—movement traceable only via cross-service log correlation. |
Configured analytics rules for insurance-specific threats (mass claims export, privileged access anomalies, multi-stage attacks), automated response playbooks for containment workflows, and integrated Security Copilot for natural language investigation capabilities. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Collection (TA0009): data staged (T1074.002) aggregating data from multiple sources before exfiltration—staging patterns detectable through multi-service anomaly analysis. |
Established compliance workbooks mapping HIPAA, PCI-DSS, and SOC 2 requirements to Sentinel telemetry. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exfiltration (TA0010): automated exfiltration (T1020) using distributed extraction across multiple services to avoid individual service volume thresholds—detectable only through aggregated analysis. |
Outcome:Sentinel detected credential stuffing campaigns via cross-subscription correlation and identified lateral movement across geographic regions within minutes. Security Copilot enabled tier-1 analysts to conduct sophisticated investigations using natural language queries without requiring advanced query language expertise. Centralized SIEM substantially reduced mean time to detect and investigate security incidents across the global infrastructure. |
|
|
|
|
|
|
|
| LT-5 |
LT-5.1 |
Implement centralized log aggregation |
Child |
Centralize and analyze |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption |
Centralize security logs from all cloud services, identity systems, and network infrastructure into a unified platform for correlation and analysis. Centralized aggregation enables detection of multi-stage attacks spanning multiple services that isolated log sources cannot reveal. |
nan |
nan |
Transform fragmented logs scattered across services into unified visibility by routing all security telemetry to a central platform. Log aggregation provides the foundation for cross-service correlation, enabling detection of attack patterns that span infrastructure boundaries—from initial compromise through lateral movement to data exfiltration. Establish centralized log collection: Aggregate logs centrally:IntegrateAzure activity logs into a centralized Log Analytics workspacealong with resource diagnostic logs from all services to enable cross-resource correlation and unified investigation workflows.Query aggregated logs:UseAzure Monitorwith KQL queries to perform analytics on aggregated logs from Azure services, endpoint devices, network resources, and other security systems for pattern detection and investigation.Configure alerting:Create alert rules using the logs aggregated from multiple sources to detect security threats and operational issues through correlation logic spanning multiple log sources.Establish data governance:Define data ownership, implement role-based access controls to logs, specify storage locations for compliance requirements, and set retention policies balancing investigation needs with cost and regulatory obligations. |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines |
|
|
|
|
|
|
|
|
|
|
|
| LT-5 |
LT-5.2 |
Deploy SIEM and SOAR capabilities |
Child |
Centralize and analyze |
Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption |
Centralize security logs from all cloud services, identity systems, and network infrastructure into a unified platform for correlation and analysis. Centralized aggregation enables detection of multi-stage attacks spanning multiple services that isolated log sources cannot reveal. |
nan |
nan |
Elevate log aggregation into proactive security operations by deploying security information and event management (SIEM) with automated response capabilities. SIEM transforms raw logs into actionable intelligence through correlation rules, threat analytics, and automated incident workflows—enabling security teams to detect and respond to threats at machine speed rather than manual investigation pace. Build your SIEM/SOAR platform: Deploy SIEM platform:Onboard Microsoft Sentinelto provide security information event management (SIEM) and security orchestration automated response (SOAR) capabilities for centralized security analysis and incident response.Connect data sources:Connect data sources to Microsoft Sentinel including Azure services, Microsoft 365, third-party security solutions, and on-premises systems to establish comprehensive security visibility.Configure analytics rules:Create detection rules in Sentinel to identify threats and automatically create incidents based on correlated security events spanning multiple log sources and time periods.Automate response actions:Implement automated response playbooks using Logic Apps to orchestrate incident response actions including containment, notification, and remediation workflows.Enable monitoring dashboards:Deploy Sentinel workbooks and dashboards for security monitoring, threat hunting, compliance reporting, and executive-level security posture visibility.Integrate AI-powered analysis:EnableMicrosoft Security Copilot int |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Linux Azure Arc machines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[Preview]: Log Analytics extension should be installed on your Windows Azure Arc machines |
|
|
|
|
|
|
|
|
|
|
|
| LT-6 |
nan |
Configure log storage retention |
Parent |
Centralize and analyze |
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
Configure log retention periods aligned with regulatory requirements, compliance mandates, and investigation timelines. Balance forensic evidence preservation requirements against storage costs through tiered retention strategies. |
Insufficient or inconsistent log retention policies destroy forensic evidence before investigations complete and create compliance gaps. |
Defense Evasion (TA0005): indicator removal (T1070) attackers leveraging short retention windows to ensure evidence expires naturally without requiring active log deletion. |
Challenge:A regulated financial services organization needed to meet multiple retention requirements (PCI-DSS: 1 year, SEC 17a-4: 7 years) while managing 80 TB of annual security log data cost-effectively. |
Should have |
AU-11(1), SI-12 |
10.5.1, 10.7.1, 10.7.2, 10.7.3 |
8.3, 8.10 |
PR.PT-1, DE.CM-1 |
A.8.15 |
CC7.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Without disciplined retention aligned with regulatory and operational requirements: Evidence expiration:Critical forensic data (authentication logs, access patterns, network flows) expires before security teams discover breaches—average dwell time of 200+ days means logs must persist long enough to investigate historical compromise.Compliance violations:Regulatory mandates (PCI-DSS 10.7: 1 year, GDPR: varies by jurisdiction, HIPAA: 6 years) require specific retention periods—inadequate retention creates audit findings, certification failures, and regulatory penalties.Incomplete incident reconstruction:Historical correlation of indicators across extended breach timelines becomes impossible when logs expire prematurely—preventing full kill chain analysis and root cause determination.Legal discovery gaps:Litigation, regulatory investigations, and internal audits require production of historical security logs—missing logs create legal exposure and inability to defend organizational practices.Pattern analysis blindness:Machine learning models and behav |
Persistence (TA0003): account manipulation (T1098) establishing long-term backdoor access with confidence that initial compromise evidence will age out before detection. |
Solution approach:Implemented tiered log retention strategy by configuring Log Analytics workspace with 1-year default retention and table-level overrides (identity logs: 2 years, network flows: 90 days), exporting all logs to Azure Storage accounts with lifecycle management policies (hot→cool at 90 days, cool→archive at 1 year), and configuring immutable storage (WORM) on compliance-critical accounts. Deployed Azure Policy enforcing diagnostic settings and retention configuration consistency, created Log Analytics query packs for automated compliance reporting, and established legal hold process for forensic data preservation during active incidents. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Outcome:Achieved complete audit trail compliance for PCI-DSS and SEC 17a-4 requirements while substantially reducing log storage costs through tiered storage strategy. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Successfully investigated historical security incidents using archived logs beyond previous retention capabilities, and streamlined quarterly compliance audits through automated evidence collection and retention verification queries. |
|
|
|
|
|
|
|
| LT-6 |
LT-6.1 |
Implement log retention strategy |
Child |
Centralize and analyze |
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher |
Configure log retention periods aligned with regulatory requirements, compliance mandates, and investigation timelines. Balance forensic evidence preservation requirements against storage costs through tiered retention strategies. |
nan |
nan |
Balance forensic preservation needs with storage costs by implementing tiered retention strategies aligned to regulatory mandates and investigation timelines. Different log types require different retention periods—hot storage for active investigations, warm storage for recent history, and cold archival for long-term compliance—optimizing both investigative capability and operational costs. Configure the following retention strategy: Route logs to appropriate storage:Create diagnostic settings to route Azure Activity Logs and other resource logs to appropriate storage locations based on retention requirements, compliance mandates, and investigation timelines balancing hot vs. cold storage costs.Configure short-to-medium term retention:UseAzure Monitor Log Analytics workspacefor log retention up to 1-2 years for active investigation, threat hunting, and operational analytics with KQL query capabilities.Implement long-term archival storage:Use Azure Storage, Data Explorer, or Data Lake forlong-term and archival storagebeyond 1-2 years to meet compliance requirements (PCI-DSS, SEC 17a-4, HIPAA) with significant cost reduction through cold/archive tiers.Forward logs externally:Use Azure Event Hubs to forward logs to external SIEM, data lake, or third-party security systems outside Azure when required for multi-cloud visibility or legacy integrations.Configure storage account retention:Configureretention policies for Azure Storage account logsbased on compliance requirements, impl |
nan |
nan |
nan |
nan |
nan |
nan |
nan |
| LT-7 |
nan |
Use approved time synchronization sources |
Parent |
Centralize and analyze |
No Azure Policy available |
Synchronize all systems to authoritative time sources to maintain accurate timestamps across security logs. Consistent time synchronization enables reliable log correlation, incident timeline reconstruction, and forensic analysis. |
Accurate and synchronized time across all systems is fundamental to log correlation, forensic analysis, and incident timeline reconstruction. |
Defense Evasion (TA0005): indicator removal (T1070) manipulating timestamps to hide malicious activity within legitimate time windows or make evidence appear outside investigation scope. |
Challenge:A global retail organization needed forensic timeline integrity across hybrid infrastructure (on-premises point-of-sale systems, Azure cloud POS backend, payment processing) spanning 2,500 stores for PCI-DSS compliance and fraud investigation. |
Should have |
AU-8(1), AU-8(2) |
10.6.1, 10.6.2, 10.6.3 |
8.4 |
DE.CM-1, PR.PT-1 |
A.8.15 |
CC7.2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Without consistent time synchronization: Forensic timeline corruption:Incident reconstruction becomes impossible when logs from different sources show conflicting timestamps—investigators cannot determine attack sequence or correlate events across systems (VM logs showing attack at 10:00 AM, firewall logs showing same event at 9:45 AM).SIEM correlation failure:Security analytics and correlation rules fail when time drift causes events to arrive out of order—missed detections as rule logic expects chronological event sequences.Authentication bypass opportunities:Time-based authentication mechanisms (Kerberos tickets, JWT tokens, OTP codes) become exploitable when clock skew enables replay attacks or extends token validity windows.Compliance audit failures:Regulatory frameworks (PCI-DSS 10.4, SOC 2, HIPAA) mandate accurate time synchronization for audit trail integrity—time drift creates audit findings and questions evidence reliability.False positive/negative alerts:Anomaly detection and behavioral analytics generate incorrect alerts when time |
|
Solution approach:Configured comprehensive time synchronization by verifying Azure PaaS services' automatic NTP sync, configuring Azure VMs (Windows/Linux) to use Azure host time sources, and implementing Azure Monitor alerts for time drift >5 seconds. Deployed Log Analytics queries detecting timestamp anomalies across correlated log sources and automated remediation runbooks forcing time resync on affected VMs. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Established quarterly time synchronization audits validating NTP configuration and timestamp consistency across application, identity, and network logs. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Outcome:Achieved compliance with PCI-DSS time synchronization requirements and successfully correlated fraud investigations across hybrid log sources with consistent timestamp accuracy enabling precise incident reconstruction. |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Automated time drift monitoring and remediation eliminated false positive security alerts caused by out-of-order events and ensured forensic timeline integrity across globally distributed infrastructure. |
|
|
|
|
|
|
|
| LT-7 |
LT-7.1 |
Configure secure time synchronization |
Child |
Centralize and analyze |
No Azure Policy available |
Synchronize all systems to authoritative time sources to maintain accurate timestamps across security logs. Consistent time synchronization enables reliable log correlation, incident timeline reconstruction, and forensic analysis. |
nan |
nan |
Ensure accurate and consistent timestamps across all systems to enable reliable log correlation and incident timeline reconstruction. Time synchronization is foundational to forensic integrity—even small clock drift can corrupt investigation timelines, cause SIEM correlation failures, and create compliance audit findings. Configure all systems to use trusted time sources and monitor for drift continuously. Implement these time synchronization practices: Configure Windows time sync:Use Microsoft default NTP servers fortime synchronization on Azure Windows compute resourcesleveraging Azure host time sources through virtualization integration services unless specific requirements dictate otherwise.Configure Linux time sync:Configuretime synchronization for Azure Linux compute resourcesusing chrony or ntpd with Azure-provided NTP sources or appropriate external NTP servers.Secure custom NTP servers:If deploying custom network time protocol (NTP) servers,secure the UDP service port 123and implement access controls restricting time service queries to authorized clients only.Validate timestamp formats:Verify that all logs generated by Azure resources include timestamps with time zone information (preferably UTC) by default to enable unambiguous timeline reconstruction across global deployments.Monitor time drift:Implement continuous monitoring of time drift across systems and configure alerts for significant synchronization issues (>5 seconds) that could impact log correlation, fore |
nan |
nan |
nan |
nan |
nan |
nan |
nan |