Azure Security Alerts
Welcome to the Azure Security Monitoring knowledge base!
The CUIT Cybersecurity team has built this security monitoring process to detect security vulnerabilities or misconfigurations in the Azure Cloud. Each alert has a criticality assigned to show how to prioritize the issue detected. A description and remediation are also provided in each alert to guide you, as the subscription owner, on how to solve the issue at hand. Additionally, each alert has references to the Azure Support Site, CIS Benchmark or MITRE ATT&CK framework, which were the team's sources for building the monitoring alerts.
Below is a search bar that lets you type in the alert name and find additional information about the event. On the left, under Azure Security Monitoring, a drop-down gives you access to the comprehensive list of detections we use in our monitoring.
Azure Security Best Practices
We have compiled the following list as best practices to provide a security foundation to Azure Subscription owners. These controls are designed to limit exposure and reduce the attack surface of your cloud resources.
Run Antivirus or Anti-Malware on virtual machines
If you are looking for antivirus or anti-malware, CUIT provides Malwarebytes to the university.
IT staff around the university can request a site to manage their endpoints.
Limit public resources
Buckets and databases should be restricted from being directly accessible from the outside world.
This prevents information from being exposed that was not intended to be.
Limit which region resources are provisioned
Since Columbia University operates out of the United States, from a legal perspective it is in the University's best interest to host data within the same region.
Deploying workloads to regions outside of the US will require an exception; you can find that process to the left of this page.
Leverage University login systems and Multi Factor authentication
The Identity and Access Management system provides a platform to enable UNI-based authentication on applications.
No Public IPs on Virtual Machines
Security best practice is to limit which network ports on virtual machines are reachable from the Internet.
For applications that need to be publicly accessible, a load balancer should be used to provide that connectivity. This also gives you additional features such as workload distribution and high availability.
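As an added illustration (not code from the CUIT knowledge base), the check below audits a constructed, simplified resource inventory against the best practices above: public storage access, resources outside US regions, public IPs on virtual machines, and RDP/SSH open to the Internet. The inventory layout, the region list and the sample resources are assumptions made for this example, not the Azure Resource Manager schema; the Critical/High severities come from the alert lists on this page, and items the page states only as best practice are labelled "Policy".

```python
# Added example, not part of the CUIT knowledge base. The inventory shape is an
# assumption for illustration, not the Azure Resource Manager schema.
US_REGIONS = {"eastus", "eastus2", "centralus", "northcentralus", "southcentralus",
              "westcentralus", "westus", "westus2", "westus3"}  # partial list of US regions
INTERNET_SOURCES = {"*", "0.0.0.0/0", "Internet"}  # NSG source values meaning "anywhere"
MGMT_PORTS = {3389: ("Critical", "RDP"), 22: ("High", "SSH")}  # severities from the alert lists

def port_matches(port, spec):
    """True if an NSG destination port spec ("*", "22", "20-30") covers `port`."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit(inventory):
    """Return (severity, resource, message) tuples, one per best-practice violation."""
    findings = []
    for sa in inventory["storage_accounts"]:
        if sa["allow_blob_public_access"]:
            findings.append(("Critical", sa["name"], "storage account allows public access"))
    for res in inventory["storage_accounts"] + inventory["virtual_machines"]:
        if res["region"] not in US_REGIONS:
            findings.append(("Policy", res["name"], f"hosted outside the US ({res['region']}); needs an exception"))
    for vm in inventory["virtual_machines"]:
        if vm["public_ip"]:
            findings.append(("Policy", vm["name"], f"public IP {vm['public_ip']} attached; front it with a load balancer"))
    for rule in inventory["nsg_rules"]:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow" or rule["source"] not in INTERNET_SOURCES:
            continue  # only inbound allow rules whose source is the whole Internet matter here
        for port, (severity, proto) in MGMT_PORTS.items():
            if any(port_matches(port, spec) for spec in rule["dest_ports"]):
                findings.append((severity, rule["nsg"], f"{proto} ({port}) reachable from the Internet"))
    return findings

# Constructed sample inventory (not real resources; addresses are documentation ranges).
SAMPLE = {
    "storage_accounts": [
        {"name": "stpublicdocs", "region": "eastus", "allow_blob_public_access": True},
        {"name": "stresearch", "region": "eastus2", "allow_blob_public_access": False}],
    "virtual_machines": [
        {"name": "vm-web01", "region": "eastus", "public_ip": "203.0.113.10"},
        {"name": "vm-app01", "region": "westeurope", "public_ip": None}],
    "nsg_rules": [
        {"nsg": "nsg-web", "direction": "Inbound", "access": "Allow", "source": "*", "dest_ports": ["3389"]},
        {"nsg": "nsg-app", "direction": "Inbound", "access": "Allow", "source": "10.0.0.0/8", "dest_ports": ["22"]},
        {"nsg": "nsg-bastion", "direction": "Inbound", "access": "Allow", "source": "Internet", "dest_ports": ["20-30"]}],
}

if __name__ == "__main__":
    for severity, resource, message in audit(SAMPLE):
        print(f"[{severity}] {resource}: {message}")
```

Running it against the sample reports the public storage account, the VM in westeurope, the VM with a public IP, RDP open on nsg-web and SSH open on nsg-bastion, while the private storage account and the internal-only SSH rule produce no finding.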
Critical Alerts for Azure
- CORS should not allow every resource to access your Web Application/Function/API App
- Storage Account Public Access Should Be Disallowed
- RDP Access from the Internet Should be Blocked
High Alerts for Azure
- Managed Identity Should be Used in Your Web App/Function App
- SSH Access to the Internet should be blocked
- System updates should be installed on your machines
- Virtual Machines should be Migrated to new Azure Resource Manager
- Windows Web Servers Should be Configured to Use Secure Communication Protocols
- Storage Accounts Should Restrict Network Access Using Virtual Network Rules
- Key Vaults Should Have Soft Delete Enabled
- Firewall Should be Enabled on Key Vault
- Secure Transfer to Storage Accounts Should be Enabled
- FTPS Should be Required in your Web/Function/API App
- Access to Storage Accounts with Firewall and Virtual Network Configurations Should be Restricted
- Private Endpoint Should be Configured for Key Vault
- Diagnostic Logs in XYZ Should be Enabled
- Windows Defender Exploit Guard Should be Enabled on Your Machines
- Virtual Networks Should be Protected by Azure Firewall
- TLS should be Updated to the Latest Version for Your App
- Web/Function Application Should Only be Accessible Over HTTPS
- MFA Should be Enabled on Accounts with Owner/Read/Write Permissions on your Subscription
- Azure Defender for XYZ Should be Enabled
- Email Notification to Subscription Owner for High Severity Alerts Should be Enabled
- Subscriptions Should Have a Contact Email Address for Security Issues
- Vulnerabilities in Security Configuration on your Machines Should be Remediated
- Install endpoint protection solution on machines/virtual machines
- Endpoint Protection Health Failures/Issues Should be Resolved on your Machines
- There should be more than one owner assigned to your subscription
- Adaptive Application Controls for Defining Safe Applications Should be Enabled on your Machines
- Allowlist Rules in your Adaptive Application Control Policy Should be Updated
- Authentication to Linux Machines Should Require SSH Keys
- Automation Account Variables Should be Encrypted
- File Integrity Monitoring Should be Enabled on Servers
- Log Analytics Agent Should be Installed on XYZ
- Management Ports of Virtual Machines Should be Protected with Just-In-Time Network Access Control
- Pod Security Policies Should be Defined on Kubernetes Services (Deprecated)
- Service Fabric Clusters should Have the ClusterProtectionLevel Property Set to EncryptAndSign
- Service Fabric Clusters Should Only Use Azure Active Directory for Client Authentication
- System Updates on Virtual Machine Scale Sets Should be Installed
- Java Should Be Updated to the Latest Version for Your App
- Web Application Should Only be Accessible Over HTTPS
- Azure Policy Add-on for Kubernetes Should be Installed and Enabled on Your Clusters
- Container Images Should be Deployed from Trusted Registries Only
- Container Registries Should Not Allow Unrestricted Network Access
- Container Registries Should Use Private Link
- Kubernetes Clusters Should Be Accessible Only Over HTTPS
- Kubernetes API Server Should Be Configured With Restricted Access
- Least Privileged Linux Capabilities Should Be Enforced for Containers
- Overriding or Disabling of Containers AppArmor Profile Should Be Restricted
- Privileged Containers Should be Avoided
- Role-Based Access Control Should Be Used on Kubernetes Services
- Running Containers as Root User Should be Avoided
- Services Should Listen on Allowed Ports Only
- Usage of Host Networking and Ports Should be Restricted
- Usage of Pod Hostpath Volume Mounts Should Be Restricted to a Known List to Restrict Node Access From Compromised Containers
- Vulnerabilities in Azure Container Registry Images Should Be Remediated (Powered by Qualys)
- An Azure Active Directory Administrator Should Be Provisioned for SQL Servers
- Azure Arc Enabled Kubernetes Clusters Should Have Azure Defender’s Extension Installed
- Email Notification for High Severity Alerts Should Be Enabled
- Enforce SSL Connection Should Be Enabled for MySQL Database Servers
- Enforce SSL Connection Should be Enabled for PostgreSQL Database Servers
- Kubernetes Clusters Should Disable Automounting API Credentials
- Kubernetes Clusters Should Not Grant CAPSYSADMIN Security Capabilities
- Only Secure Connections to Your Redis Cache Should Be Enabled
- SQL Databases Should Have Vulnerability Findings Resolved
- SQL Servers on Machines Should Have Vulnerability Findings Resolved
- Vulnerability Assessment Should Be Enabled on Your SQL Managed Instances
- Vulnerability Assessment Should Be Enabled on Your SQL Servers
- Deprecated Accounts Should Be Removed From Your Subscription
- Deprecated Accounts With Owner Permissions Should Be Removed From Your Subscription
- External Accounts With XYZ Permissions Should Be Removed From Your Subscription
- Key Vault Keys Should Have an Expiration Date
- Key Vault Secrets Should Have an Expiration Date
- Identical Authentication Credentials
- IoT Devices - Auditd Process Stopped Sending Events
- IoT Devices - Open Ports on Device
- IoT Devices - Operating System Baseline Validation Failure
- IoT Devices - Permissive Firewall Policy in One of the Chains Was Found
- IoT Devices - Permissive Firewall Rule in the Input Chain Was Found
- IoT Devices - Permissive Firewall Rule in the Output Chain Was Found
- IoT Devices - TLS Cipher Suite Upgrade Needed
- IP Filter Rule Large IP Range
- Adaptive Network Hardening Recommendations Should Be Applied on Internet Facing Virtual Machines
- All Network Ports Should Be Restricted on Network Security Groups Associated to Your Virtual Machine
- Azure DDoS Protection Standard Should Be Enabled
- Internet-Facing Virtual Machines Should Be Protected With Network Security Groups
- Management Ports Should Be Closed on Your Virtual Machines
- Subnets Should Be Associated With a Network Security Group
- Access to App Services Should Be Restricted
- The Rules for Web Applications on IaaS NSGs Should be Hardened
- Pod Security Policies Should Be Defined to Reduce the Attack Vector by Removing Unnecessary Application Privileges
- Monitoring Agent Should Be Installed on Your Machines
Medium Alerts for Azure
- Authentication should be enabled on your web app
- Guest configuration extension should be installed on your machines
- Authentication should be enabled on your function app
- Key vaults should have purge protection enabled
- Diagnostic Logs should be Enabled in App Service
- Storage account should use Private Link Connection
- Storage accounts should allow access from trusted Microsoft services
- Function apps should have Client Certificates (Incoming client certificates) enabled
- PHP Should be Updated to the Latest Version for Your App
- Network Traffic Data Collection Agent Should be Installed on Windows/Linux Virtual Machines
- Python Should be Updated to the Latest Version for Your App
- Storage Accounts Should Use Customer-Managed Key (CMK) for Encryption
- Web Apps Should Request an SSL Certificate for All Incoming Requests
- A Maximum of 3 Owners Should be Designated for your Subscription
- An Activity Log Alert Should Exist for XYZ
- Azure Subscriptions Should Have a Log Profile for Activity Log
- Azure Monitor Should Collect Activity Logs from All Regions
- Activity log should be retained for at least one year
- Auto Provisioning of the Log Analytics Agent Should be Enabled on Your Subscription
- Disk encryption should be applied on virtual machines
- A Vulnerability Assessment Solution Should be Enabled on your Virtual Machines
- Log Analytics Agent Health Issues Should be Resolved on your Machines
- Virtual Machines Guest Attestation Status Should be Healthy
- Virtual Machines Should Encrypt Temp Disks, Caches, and Data Flows Between Compute and Storage Resources
- Virtual Machines' Guest Configuration Extension Should be Deployed with System-Assigned Managed Identity
- API App Should Only be Accessible Over HTTPS
- Ensure API App Has Client Certificates Incoming Client Certificates Set to On
- Container CPU and Memory Limits Should be Enforced
- Container With Privilege Escalation Should Be Avoided
- Containers Sharing Sensitive Host Namespaces Should Be Avoided
- Containers Should Listen on Allowed Ports Only
- Immutable (Read-Only) Root Filesystem Should Be Enforced for Containers
- All Advanced Threat Protection Types Should Be Enabled in SQL Managed Instance Advanced Data Security Settings
- All Advanced Threat Protection Types Should Be Enabled in SQL Server Advanced Data Security Settings
- API Management Services Should Use a Virtual Network
- App Configuration Should Use Private Link
- Azure Cache for Redis Should Reside Within a Virtual Network
- Azure Cosmos Db Accounts Should Have Firewall Rules
- Azure Event Grid Domains/Topics Should Use Private Link
- Azure Machine Learning Workspaces Should Use Private Link
- Azure SignalR Service Should Use Private Link
- Azure Spring Cloud Should Use Network Injection
- Cognitive Services Accounts Should Enable Data Encryption
- Cognitive Services Accounts Should Restrict Network Access
- Cognitive Services Accounts Should Use Customer Owned Storage or Enable Data Encryption
- Private Endpoint Connections on Azure SQL Database Should Be Enabled
- Private Endpoint Should Be Enabled for MariaDB Servers
- Private Endpoint Should Be Enabled for MySQL Servers
- Private Endpoint Should Be Enabled for PostgreSQL Servers
- Public Network Access on Azure SQL Database Should Be Disabled
- Public Network Access Should Be Disabled for Cognitive Services Accounts
- Public Network Access Should Be Disabled for MySQL Servers
- Public Network Access Should Be Disabled for MariaDB Servers
- Public Network Access Should Be Disabled for PostgreSQL Servers
- Storage Account Should Use a Private Link Connection
- VM Image Builder Templates Should Use Private Link
- Service Principals Should Be Used to Protect Your Subscriptions Instead of Management Certificates
- Validity Period of Certificates Stored in Azure Key Vault Should Not Exceed 12 Months
- Default IP Filter Policy Should Be Deny
- IP Forwarding on Your Virtual Machine Should Be Disabled
- Your Machines Should Be Restarted to Apply System Updates
Low Alerts for Azure
- Unattached disks should be encrypted
- Remote Debugging should be Disabled for Apps
- Azure Backup Should be Enabled for Virtual Machines
- Ensure That 'HTTP Version' is the Latest, if Used to Run the Web App
- Diagnostic Logs in Event Hub Should be Enabled
- Storage Accounts Should be Migrated to New Azure Resource Manager Resources
- Only Approved VM Extensions Should be Installed
- Secure Boot Should be Enabled on Supported Windows Virtual Machines
- Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'
- Custom subscription owner roles should not exist
- Remove/Approve Untrusted Boot Components
- Guest Attestation Extension Should be Installed on XYZ
- Linux Virtual Machines Should Enforce Kernel Module Signature Validation
- Linux Virtual Machines Should Use Secure Boot
- Machines Should be Restarted to Apply security Configuration Updates
- vTPM Should be Enabled on Supported Virtual Machines
- Container Registries Should be Encrypted with a Customer-Managed Key (CMK)
- [Enable if Required] Azure Cosmos Db Accounts Should Use Customer-Managed Keys to Encrypt Data at Rest
- [Enable if Required] Azure Machine Learning Workspaces Should Be Encrypted With a Customer-Managed Key (CMK)
- [Enable if Required] Cognitive Services Accounts Should Enable Data Encryption With a Customer-Managed Key (CMK)
- [Enable if Required] MySQL Servers Should Use Customer-Managed Keys to Encrypt Data at Rest
- [Enable if Required] PostgreSQL Servers Should Use Customer-Managed Keys to Encrypt Data at Rest
- [Enable if Required] SQL Managed Instances Should use Customer-Managed Keys to Encrypt Data at Rest
- [Enable if required] SQL Servers Should Use Customer-Managed Keys to Encrypt Data at Rest
- [Enable if Required] Storage Accounts Should Use Customer-Managed Key (CMK) for Encryption
- Audit Retention for SQL Servers Should Be Set to at Least 90 Days
- Auditing on SQL Server Should Be Enabled
- Diagnostic Logs in Azure Data Lake Store Should Be Enabled
- Diagnostic Logs in Data Lake Analytics Should Be Enabled
- Geo-Redundant Backup Should Be Enabled for Azure Database for MariaDB
- Copy of Geo-Redundant Backup Should Be Enabled for Azure Database for MySQL
- Copy of Geo-Redundant Backup Should Be Enabled for Azure Database for PostgreSQL
- Kubernetes Clusters Should Not Use the Default Namespace
- Network Watcher Should Be Enabled
- Sensitive Data in Your SQL Databases Should Be Classified
- Transparent Data Encryption on SQL Databases Should Be Enabled
- Web Application Firewall (WAF) Should Be Enabled for Application Gateway
- Web Application Firewall (WAF) Should Be Enabled for Azure Front Door Service
- Diagnostic Logs in Key Vault Should Be Enabled
- Diagnostic Logs in IoT Hub Should Be Enabled
- IoT Devices - Agent Sending Underutilized Messages
- Non-Internet-Facing Virtual Machines Should Be Protected With Network Security Groups
- Install Azure Security Center for IoT Security Module to Get More Visibility Into Your IoT Devices