Knocking on Clouds Door: Threat Hunting in Azure AD with Azula

Tools (716AB) November 3, 2021 10:10 am - 10:50 am Feedback     

Bookmark and Share

Mangatas Tondang

This talk will uncover the amazing detection capability available from Azure AD Reports and how any organization can utilize it in the most efficient ways to help detect malicious actors. On top of that, the talk will walk attendants through a tool that can be used to help threat hunters and analysts anywhere to work even faster and more efficiently. As an introduction, this presentation will go through some of the core changes in Azure AD (compared to traditional AD), followed by some threat assessments against those changes. We will also talk about what are some of the security measures that are provided by Microsoft to mitigate those threats. While the above topics are old and have been explored in the past years, this presentation aims to focus on the detection side of Azure AD.

Just like Windows AD, Microsoft also provided Azure users with logging capabilities, called “Azure AD Reports “. These reports are rich in information and can be used as data sources for Threat Hunting research, and detection development. This presentation will unravel the different types of logs and how you can utilize them to “elevate” your detection game against cloud threats. There will be some practical detection mechanisms shared with the attendees that can be applied to their organization right away. Lastly, the attendee will get a chance to see a new (in-house) tool: AZure (AD) Unified Lightweight Automated (AZULA). This tool has the automation capability of enriching and contextualizing data to help security analysts and threat hunters investigate Azure AD events faster and more efficiently. We hope that with these resources, attendees will be able to improve their Azure security posture.