Blog

How to Remediate a Brute Force Attack on Azure VMs Brute force attacks have become a common method used by attackers to gain unauthorized access to servers, applications, and databases. With cloud computing becoming an important part of IT infrastructure, securing cloud-hosted resources such as Azure Virtual Machines (VMs) is more critical than ever. Once you’ve analyzed the attack and confirmed the incident as a true positive, it’s time to take action. Your remediation action will be based on your organization’s needs and the functionality of the target machine (e.g., a public-facing web server). Here are some responses and remediation steps: In this post, I will discuss how to secure your Azure VM against brute-force attacks, focusing on three key steps: 1. Securing the Connection Using Network Security Groups (NSGs) Network Security Groups (NSGs) act as a firewall for your Azure VM, controlling both inbound and outbound traffic. By configuring appropriate rules, you can effectively limit who can access your VM, drastically reducing the risk of brute-force attacks. This lab is a continuation of our previous lab. Click here to learn how to analyze a brute force attack in Microsoft Sentinel. In the previous post, I analyzed brute force attacks in Microsoft Sentinel. The target machine was a honeypot I created in Azure. I intentionally made this machine vulnerable to brute force attacks by exposing the VM to the internet and allowing any port, protocol, source, and destination to be opened. In this lab, I am going to secure the honeypot against brute force attacks. How to Secure a Virtual Machine Hosted in Azure To remediate the brute force attack analyzed in the previous post, the VM must be secured. There are different ways you can secure your machine against brute force attacks, as listed above, depending on your situation, but for this example, the remediation is simple for this Azure virtual machine. You can block the attacker’s IP address or addresses, but this solution is temporary (maybe to end the session and delay the attacker’s activity) because most attackers now use some form of proxy (VPN or anonymous web browser such as Tor) to keep their online activities private. This means that they can easily mask or change their IP address using a VPN. You can create a Network Security Gateway (NSG), enable RDP, and whitelist your IP address or addresses. How to Whitelist an IP Address in Azure Using Network Security Group (NSG) Start by logging into the Azure Portal. Search for Virtual Machine in the search bar and click on it. You should see your virtual machine listed, as shown in the screenshot below. Click on your VM. The virtual machine property opens up. Click on Network Settings on the left menu to set up specific rules that allow access only from trusted IP addresses or IP ranges. For example, if you know you or your team will only access the VM from specific locations, restrict access by IP. You will find your existing NSG rule, as shown in the screenshot below. Delete the existing rule and create a new rule with priority 100 so you can give it a meaningful name. Click on + Create port rule to create a Network Security Group (NSG) rule. Select the Inbound port rule. Under Source, select IP Addresses. You can specify an IP address, IP range, or a subnet. For this example, I will specify my IP address as the source IP address and 3389 as the destination port. Click the Save button to save the rule. The new rule was successfully created, as shown in the screenshot below. How to Block Malicious IP Address in Azure Using Network Security Group (NSG) You can block the attacker’s IP address or addresses. If, after a thorough analysis of the incidents, the source IP is confirmed to be malicious, the next step is to block it. An attacker successfully logged into the honeypot as an anonymous user. Blocking the malicious source IP address helped stop or delay the attacker. In the Microsoft Sentinel dashboard, run the Kusto Query Language (KQL) query below to get the list of security events summarized by IP address. This query tracks failed login attempts (EventID 4625) and counts how many times they occurred from each IP address in the SecurityEvent log. By analyzing the data, you can identify potential brute force attacks or other suspicious behavior based on where the failed login attempts originated from. The result will give you a list of IP addresses along with the number of failed logins from each address. You can modify the query to fit your specific needs, such as filtering by time or adding more conditions. Your result should look similar to the screenshot below. To learn more about each IP address, you can click on the right arrowhead next to the IP address to expand it. Once you have the IP addresses, identify the malicious IP addresses to block using the Network Security Group NSG and follow these steps: In your Azure virtual machine property, click on Network Settings on the left menu. Click on + Create port rule to create a Network Security Group (NSG) rule. Select the Inbound port rule. Select IP Addresses under Source, then list the IP address or addresses to block, separated by a comma. Select Any under Destination, select RDP under Service, select Deny under Action, specify the Priority, name your rule, and click on the Add button to add the rule. The Deny rule was successfully created, as shown in the screenshot below. Turn on Microsoft Defender Next, log in to your Azure Virtual Machine and turn Microsoft Defender on if it’s currently off. I turned Microsoft Defender off in the previous lab to make the honeypot vulnerable. So, I will turn it back on as shown below. Enable Multifactor Authentication on Azure VM By enforcing MFA through Microsoft Entra ID, you can ensure that anyone trying to access your Azure VM will need to go through an additional

Analyze a Malware Incident in CrowdStrike Falcon Malware incidents can be one of the most devastating events for organizations, leading to data breaches, system downtime, and potential financial losses. That’s why having the right tools to identify, investigate, and respond to malware attacks is crucial. CrowdStrike Falcon, a leading cybersecurity platform, is designed to help businesses detect, prevent, and respond to advanced cyber threats, including malware attacks. In this guide, I will walk you through how to analyze a malware incident using CrowdStrike Falcon, ensuring you can quickly identify the threat and take effective action. What is CrowdStrike Falcon? CrowdStrike Falcon is a cloud-native endpoint protection platform that offers real-time protection and advanced threat intelligence. It provides multiple layers of security, including malware detection, behavioral analysis, and incident response capabilities. With Falcon, you can monitor endpoints, detect suspicious activities, and respond to potential threats with actionable insights. Why Analyze Malware Incidents in CrowdStrike Falcon? Analyzing malware incidents effectively is essential for several reasons: Step-by-Step Guide to Analyzing a Malware Incident in CrowdStrike Falcon To begin analyzing a malware incident, log in to the CrowdStrike Falcon Console. This central hub gives you access to all security data and tools to investigate and manage incidents. Click on the hamburger button on the top left. Click on Endpoint security, then click on Activity Dashboard, under the Monitor section. On the dashboard, you will see Current CrowdScore, New detections, SHA-based detections, Prevented malware by host, Total OverWatch-analyzed events, OverWatch endpoint hunting leads, OverWatch endpoint detections triggered, CrowdScore over time, Most recent detections, and Detections by tactics. Click on New detections, as shown below. This page provides detection, categorized by severity level and detail such as Severity, Detect time, Name, Attributes, Assigned to, Resolution, and Status. Click on the Sort by Time drop-down arrow to sort based on your needs. Click on the Group by drop-down arrow to group the incident based on your needs. Configure table columns. Notice there are incidents with different dates. Let’s investigate the incident that occurred on Feb 23, 2025, with High severity. Click on the ellipsis located on the right side of the incident you are working on and select Edit Status to assign the incident and update the status. As shown below. Change the status to In progress and assign it to yourself. Click on Update status, as shown below. Click on the Status tab, uncheck New, and select In Progress to see the incident you just updated. Click Apply. You should see the assigned incident listed with in-progress status, as shown below. Click on the incident. Look through the Process table. We will learn more about it later. Investigate Click on Investigate on the top right and select an option based on your needs. These investigation options are essential for effective incident response, allowing security teams to analyze hosts, events, and potential threats in depth. Learn about their uses below: Click on See full detection. There are five tabs at the top of this page: Details, Process Table, Process Tree, Process Graph, and Events Timeline. Let’s learn about them. 1. Details The Details tab provides detailed information about the incident. These could include Adversaries, Full details, Hash, Quarantined files, Host, and User. The suspicious file has been quarantined by CrowdStrike Falcon, as shown in the screenshot below. Triggering indicator Associated IOC (File write) Click on the Details tab and scroll down to File details. Under the Triggering indicator Associated IOC (File write) section, we can see the Command line, File path, and File hash. What is an Indicator of Compromise (IOC)? An Indicator of Compromise (IOC) is a piece of forensic data or a specific event that points to potential malicious activity or a security breach. When a File Write IOC is triggered, it indicates that CrowdStrike Falcon or a similar security platform has detected suspicious file creation, modification, or movement in a location that could be indicative of malicious activity. These IOCs are important for threat hunting, forensic investigations, and incident response. Explanation of the Associated Indicator of Compromise IOC Command line “C:\Windows\Explorer.EXE” /NoUACCheck File path: \Device\HarddiskVolume3\Users\Administrator\Downloads\mimikatz_trunk (1)\Win32\mimikatz.exe File Hash: (SHA256 on file write) 94795fd89366e01bd6ce6471ff27c3782e2e16377a848426cf0b2e6baee9449b Go to Virustotal.com, paste the hash into the search bar, and press enter to check the integrity of the file. 2. Process Table The Process Table shows information about processes, including their executable filenames, parent processes, and other relevant details. The table provides a detailed view of all processes, which is crucial for detecting suspicious activity, such as abnormal or unauthorized processes running on the system. Click on the Process Table tab to learn more about the incident. 3. Process Tree The Process Tree is a hierarchical visualization of how processes are related to each other. It shows the parent-child relationship between processes. Each process is spawned by another, forming a tree structure. This visualization helps security analysts trace the origin of suspicious processes and understand how an attack or malware might be spreading or executing. Click on the Process Tree tab. Here, you can see all the entities involved in the incident. For this example, five entities are involved, as shown below. Click on each entity to learn more. 4. Process Graph The Process Graph is a visual representation of processes and their interactions over time. It is similar to the process tree. The process graph is useful for detecting complex attack behaviors, such as multi-stage attacks, by visualizing the sequence and relationships of processes. 5. Events Timeline The Events Timeline is a chronological view of system events, which helps analysts understand the sequence of actions that occurred on the endpoint. This feature helps in investigating an incident by providing a clear, time-based view of actions that took place on the system. It’s essential for understanding the progression of an attack and determining the attack’s start and end points. Containment Now that we have analyzed the incident and found the activity to be malicious, the next step is to isolate (contain) the compromised endpoint from the network. Isolating a compromised endpoint means disconnecting it from the rest of the network to stop the spread of an

Investigate a Malware Incident in Microsoft Sentinel Using NIST SP 800-61 Malware incidents can have serious consequences for your organization’s security and data integrity. Detecting, investigating, and responding to malware effectively is critical to mitigating damage and preventing future attacks. Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) platform, can help automate much of the detection and investigation process. By aligning with NIST SP 800-61, which provides guidelines for handling security incidents, organizations can ensure they are following best practices throughout the investigation. In this post, I will guide you through the step-by-step process of investigating a malware incident in Microsoft Sentinel, from detection to recovery. I will also discuss how to handle false positives during the investigation process. Understanding NIST SP 800-61 NIST SP 800-61 is the National Institute of Standards and Technology’s guide for handling computer security incidents. It provides an organized approach to incident management and is divided into four main phases: These steps help structure an investigation process, ensuring a consistent, thorough approach. By following the steps, you can investigate and respond to a malware incident methodically, reducing the impact on your organization and improving your incident response capabilities over time. Prerequisites for Using Microsoft Sentinel Before diving into the investigation process, ensure the following prerequisites are in place: Step-by-Step Malware Incident Investigation in Microsoft Sentinel 1. Detection and Analysis NIST SP 800-61 Reference: Detection and Analysis phase, where you identify suspicious activity and confirm whether it is indeed a malware incident. The first step in investigating a malware incident is detection and identification. This is where Microsoft Sentinel excels, helping you quickly identify potential malware infections through pre-configured alerts or custom detection rules. Check the Microsoft Sentinel Dashboard for Incidents and for alerts indicating malware-related activities, such as: For this example, Microsoft Defender for Endpoint is integrated with Microsoft Sentinel. So, I will be working on the incidents detected by the Defender for Endpoint. In your Sentinel Workspace, click on Incidents under Threat management on the left navigation pane. Here, we have 3 incidents. Two High-severity incidents and one Medium-severity incident, as shown in the screenshot below. Create Incident (Preview): This option allows you to create a new incident and begin the investigation process, which can be very useful during threat hunting. Column Tab: The column tab organizes and displays different pieces of information or filters, making it easier to manage and view incident data in a structured way. You can filter based on information that is important to you. Date and Time range: The date and time range allows you to filter incidents based on a specific period. You can select one of the times available or click on custom range to select a start and end date and time to narrow down the information to the relevant timeframe for your investigation or analysis. Actions: This section displays the available actions you can take, such as changing the incident Severity, assigning the Owner, and updating the incident Status. You can assign the incident to an analyst or to yourself. Click on the incident and click on the Actions tab. Here, you can change the incident Severity, assign an Owner, and update the incident Status. Select your name under Owner to assign the incident to yourself, then select Active under Status to change the status to active. Click on Apply to apply the changes. Click on View full detail on the lower right side to learn more about the incident. The Timeline tab gives basic information about the incident. Click on the Similar Incidents tab to see incidents from the past that are similar to the one you are working on. Click on the Entities (preview) tab to gather information about the entities involved. Some information about the incident is provided on the right side. Click on the link provided to read about the identified malware. Scroll down and read the Remediation steps. Click on Investigate on the bottom left to learn more about the incident. Visually investigate your incidents with the Investigation Graph Investigation Graph helps you see how entities and activities are connected in a clear, visual format. You can track relationships between different elements to better understand the incident. The Entities widget displays all the entities identified in the incident, such as affected users, devices, IP addresses, potentially malicious files, or more. Here, you will get information about the incident. Including the endpoint and the affected end user, how the malware got in, the type of malware, and more. Click on each entity for more information. Click on Entities. Here, you can see the infected device name, IP address, file name, file hashes, and the URL. The name of the file detected as malicious is mimikatz-master (5).zip. Mimikatz is a popular open-source tool used for post-exploitation tasks in cybersecurity. It allows attackers (or penetration testers) to extract sensitive information from Windows systems, such as: While it’s often used for malicious purposes, it’s also a useful tool for security professionals to test and strengthen system defenses against such attacks. Click on the Entities tab to copy the file hash. Investigate the file hash associated with the incident. Copy the file hash and remove the (SHA1) at the end. Then go to virustotal.com, click on SEARCH, paste the hash in, and press enter. See the screenshot below. Read through the DETECTION section and click on DETAILS, RELATIONSHIP, BEHAVIOUR, and COMMUNITY. Next, In the comment session, leave a detailed comment about the result of your analysis. Click on the incident under the Timeline tab. On the right side, scroll down and click on the Alert link as shown below. This will take you to the Microsoft Defender portal. Clicking on the Alert link takes you to Microsoft Defender on the Alert story page, where you can get even more information about the incident and take some action. The process tree in Microsoft Defender helps security teams trace the origin of a potential threat. It provides insight into the entire lifecycle of processes to aid in incident investigation and response. This tool is handy for investigating malware or other

Steps to Create a Honeypot in Azure and Integrate with Microsoft Sentinel As cyber threats continue to evolve, organizations are seeking advanced ways to detect and mitigate attacks before they escalate. One effective and proactive security measure is the deployment of a honeypot. A honeypot is a decoy system designed to attract attackers and capture valuable threat intelligence. In this post, I will guide you through creating a honeypot in Microsoft Azure and utilizing Microsoft Sentinel to monitor and analyze attacker activity. What is a Honeypot and Why Use It? A honeypot is a security resource designed to deceive cybercriminals by mimicking real, vulnerable systems. When attackers attempt to exploit these decoy systems, security teams can capture detailed logs of the intrusions, helping to identify attack techniques and better prepare defenses. In Azure, creating a honeypot provides a low-cost, scalable environment for monitoring malicious activity without risking your critical infrastructure. By pairing your honeypot with Microsoft Sentinel, Azure’s cloud-native SIEM (Security Information and Event Management) solution, you can gain powerful insights into your environment, detect patterns of attacker behavior, and respond to threats faster. Why Integrate Azure Honeypots with Microsoft Sentinel? In this section, I will walk you through setting up a honeypot in Azure and configuring Microsoft Sentinel to monitor attacker activity. Set Up an Azure Virtual Machine (VM) for the Honeypot The first step in creating a honeypot is to deploy an Azure Virtual Machine (VM) that will simulate a vulnerable system. Log in to the Azure Portal with your admin credentials. In Azure, type virtual machine into the search box and click on Virtual Machine in the list. Click on + Create and select Azure virtual machine. Select your Azure subscription, and select or create a new Resource group. Give your virtual machine a Name, select a Region, and select the desired Operating System (either Linux or Windows) for your honeypot. For example, you can choose Ubuntu if you’re creating a Linux-based honeypot. I am going to select the Windows Server image for this example. Choose a VM Size that is appropriate for your requirements. For a simple honeypot, a smaller VM size should suffice. Create a username and password to log in to your VM. Select Allow selected ports for Public inbound ports, and choose RDP 3389 for Select inbound ports to enable RDP on port 3389. Click on the Networking tab, select Advanced, and click on Create new to create a new Network Security Group (NSG). Delete the 1000: default-allow-rdp rule and click on +Add an inbound rule, as shown below. This is a honeypot VM, so we need to make it vulnerable to unauthorized access by exposing the VM to the internet. Allowing any port, protocol, source, and destination, as listed below. Click Add to add the rule. The Network Security Group rule was successfully created. Click on OK. Click on Review + create. Review and make sure it meets your requirements. Click on the Create button to create the Virtual Machine. The VM was deployed successfully and is running. To log in to the VM, click on Connect and select Connect. Click on Download RDP file Click on Connect, enter your password, and log in. Once you log in to your VM, turn Windows Defender Firewall off to make the machine vulnerable, as shown below. Configure Microsoft Sentinel Once your honeypot is running, the next step is to set up Microsoft Sentinel to monitor and analyze the activities. In the Azure portal, search for Microsoft Sentinel in the search bar and select it from the list. Click on + Create. Click on + Create a new workspace to create a new Log Analytics workspace that will store and analyze the log data. Select your subscription, select your Honeypot Resource group, name your workspace, and select the region where your HoneypotVM is located. Click on Review + Create. Review and click on the Create button. The workspace was deployed successfully. In the Microsoft Sentinel dashboard, click on + Create. You should see the newly deployed workspace available. Select the workspace you want to add and click on the Add button. The workspace was added successfully, as shown below. Connect Azure Virtual Machines to Sentinel In Microsoft Sentinel, click Content hub on the left menu under Content management, as shown in the screenshot below. Search for and select Windows Security Events via AMA. Click on the Install button to install it. In Microsoft Sentinel, Click Data connectors on the left menu under Configuration, as shown in the screenshot below. Click on Windows Security Events via AMA. Click on Open connector page. Click on + Create data collection rule. On the Basic tab, name your data connection rule. Select your Subscription and select your Resource group. Click on Next: Resources > Select your Honeypot resource group, as shown below, and click on Next: Collect > Select based on what events you would like to collect. For this example, I will select All Security Events. Click Next: Review + create > Review your data collection rule and click on the Create button. Run Queries and Schedule Alert Rules in Microsoft Sentinel Microsoft Sentinel uses Kusto Query Language (KQL) to write query filters and retrieve event logs from a variety of sources, including security logs, system logs, and other telemetry data. KQL is a powerful query language designed for fast and efficient querying of large datasets, which is essential for analyzing and detecting security threats in Microsoft Sentinel. With KQL, you can: Next, we are going to run some queries and then schedule them to run every 10 minutes to generate alerts and create incidents if specific conditions are met. Copy the query below and paste it into Sentinel to create a new query. Explanation Event ID 4625 corresponds to a failed login attempt in Windows security logs. So, this query retrieves all failed login attempts from the security event logs within the time range specified at the top. The query works as expected, so it’s time to schedule it.

Analyze a Brute Force Attack in Microsoft Sentinel A brute force attack is one of the most common methods that attackers use to gain unauthorized access to systems. It involves trying multiple combinations of usernames and passwords until the correct one is found. Detecting and responding to such attacks promptly is crucial to protecting your organization’s sensitive data. Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) tool, provides robust capabilities to detect, investigate, and respond to security threats like brute force attacks. In this blog post, I will walk you through how to effectively investigate and analyze a brute force attack in Microsoft Sentinel. Understanding Brute Force Attacks Before diving into the steps to investigate a brute force attack, it’s important to understand what it entails. A brute force attack involves systematically trying all possible password combinations or username/password pairs until the correct one is discovered. These attacks can target various services, including Remote Desktop Protocol (RDP), VPNs, and other web applications. Detecting Brute Force Attacks in Microsoft Sentinel The first step in successfully investigating a brute force attack is to detect it. Sentinel uses advanced machine learning, analytics, and custom detection rules to identify potential brute-force attempts. Some common indicators of a brute force attack include: You can set up custom rules or leverage built-in analytics to detect these suspicious activities. In Sentinel, leveraging KQL (Kusto Query Language) queries for log data is a great way to identify brute force patterns. Click here to learn from the previous lab. Investigating the Attack When a brute force attack is detected, it’s time to investigate. Follow these steps to carry out a detailed analysis: Review the Alert: Begin by reviewing the triggered alert. You should find information like: Use KQL Queries: Utilize Kusto Query Language (KQL) queries in Sentinel to examine logs and find further details. Below is an example KQL query to analyze failed login attempts: This query identifies and counts the number of failed login attempts (EventID 4625) for each unique IP address in the SecurityEvent log. It helps in detecting potential brute force attacks or suspicious activities by tracking where failed logins are coming from. The result will provide a list of IP addresses with the corresponding count of failed login attempts. You can adjust the query based on your specific use case. Explanation 1. SecurityEvent 2. | where EventID == 4625 3. | summarize Count = count() by IpAddress I left the honeypot created in the previous lab running for about 20 hours. And I got 27 Incidents created by Microsoft Sentinel. In this lab, I will walk you through step by step how to analyze brute force attack incidents in Microsoft Sentinel. Click here to learn how to create a honeypot and create a Sentinel alert rule. First, it is important to address incidents based on their priorities. I am curious and can’t wait to see what is going on, especially the high-severity incident. You can assign the incident to an analyst by clicking on the Actions tab at the top or clicking on unassigned by the right and then selecting the user you like to assign it to. For this example, I will assign the ticket to myself, as shown below. Click on the high-severity incident to learn about it. You can click on View full details. Notice that there are 2 events in this incident. You can scroll down to leave a comment in the comment section. Click on the 2 Events as shown below. Click on the Right Arrowhead next to one of the 2 events to expand. A successful login was made by an anonymous user on 3/3/2025 at 1:59:42.017 PM, with IP address 34.77.25.224 and Event ID 4624, as shown in the screenshot below. Investigate the Source IP Address Investigate the source IP address using threat intelligence data or external services like IP reputation databases (e.g., AbuseIPDB, VirusTotal, APIVoid) to check if the IP is associated with known malicious activity. Let’s check the reputation of the source IP address. Type in the Google search IP address reputation checker or click here. The attacker’s country is Belgium (BE), and the city is Brussels, though the hacker was using some form of VPN. The IP address has 8 detection counts. The IP address was blocked by Engine, BitNinja, CRDF, ELLIO IP Feed, HoneyDB, IPSpamList IPsum, and S5hbl. Click on More Details to learn more. VirusTotal’s report also shows that the source IP address is malicious. Next, let’s analyze one of the incidents with medium severity. On the Microsoft Sentinel dashboard, click on Incident on the right menu. Click on the Medium severity incident to select it. Click on the Actions tab to assign the incident to an analyst. For this example, I will assign the incident to myself, as shown below. Click on the 2 Events to view the events. Notice there are 2 events in this incident. Click on the right arrow by the left to expand the event for details. Here, we can see that the attacker tried to log In as an administrator on 03/03/2025 at 12:14:59.717 PM local time with IP address 210.176.44.217. FailureReason is %%2313, which means an unknown username or bad password. Event ID 4625, Activity 4625 An account with failed log-on. This is a security event, and the targeted username was administrator. The attack was from Taiwan, and there were 13 detection counts. The attacker wasn’t using a VPN, and the Internet Service Provider ISP is Telstra Global. The IP address has been blocked by Engine, BitNinja, BlockedServersRBL, CI Army List, CRDF, ELLIO IP, Feed,IPSpamList,ISX.fr DNSBL, NUBI Bad IPs, Nginx Bad Bot Blocker, Peter-s NUUG IP BL, PlonkatronixBL, S5hbl, and USTC IP BL, as shown below. In a production environment, it’s important to examine other logs, such as firewall logs, Microsoft Entra ID logs, or VPN logs, for any signs of suspicious behavior. Look for patterns like: By following the steps outlined in this blog post, you’ll be equipped to effectively analyze and gather valuable

A Comprehensive Guide to Securing Your Azure VM Using Azure Bastion In today’s digital age, securing your cloud infrastructure is paramount. When running virtual machines (VMs) on Azure, it is essential to ensure that they are protected from unauthorized access and cyber threats. One powerful tool for enhancing Azure security is Azure Bastion. In this blog post, we’ll explore how Azure Bastion can help you secure your Azure VMs, allowing a seamless and secure connection to your resources without exposing them to the public internet. What is Azure Bastion? Azure Bastion is a fully managed platform-as-a-service (PaaS) that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) connectivity to your Azure VMs. Unlike traditional methods, where you expose your VMs directly to the public internet via an IP address, Azure Bastion ensures that no inbound public IP addresses are required to access your virtual machines. This eliminates the attack surface for your VMs, enhancing the overall security of your cloud environment. Why Use Azure Bastion? How to Secure Azure VM Using Azure Bastion Let’s walk through the steps to set up Azure Bastion and secure your Azure VMs. Create a Virtual Network (VNet) Before using Azure Bastion, you need a virtual network where your Azure VMs reside. If you don’t already have a VNet, follow these steps to create one: Log in to the Azure portal with your admin credentials. In the search bar, type Virtual Network and select it from the list. Click on the VNet to which you want to associate the Azure Baston. Click on the + Subnet tab at the top to create a new subnet. For Subnet purposes, select Azure Bastion. Azure Bastion requires a subnet called AzureBastionSubnet with at least a /26 address space. The default meets the requirements. Click on the Create button. The subnet was created successfully, as shown in the screenshot below. Notice that the subnet is named AzureBastionSubnet by default. Set Up Azure Bastion Once you have your virtual network in place, you can create an Azure Bastion resource: In the Azure search bar, type in marketplace and select it from the list. In the Azure Marketplace, search for Bastion. On the Bastion by Microsoft, click on Create, then select Bastion. Choose the Subscription and Resource Group where you want to deploy Bastion. Select the Region where your VNet is located. Select the tier based on your organization’s needs. Click here to learn more about Azure Bastion SKUs. Under Virtual Network, choose the VNet where your VMs are deployed and select the subnet created earlier. Click on the Review + create button. Review and click on the Create button. The Bastion was successfully deployed. Click on Go to resource. Configure Azure Bastion to Connect to Your VM Once Azure Bastion is deployed, you can connect to your VMs using the following steps: Navigate to the Virtual Machines section in the Azure portal. Select the VM you want to connect to. Click on Connect, and under the Connect button, select Bastion. Azure Bastion will establish a secure RDP or SSH session, and you can interact with your VM without any additional configuration. Enter your VM username and password or SSH key (depending on your authentication method). Click Connect to initiate the connection. When you click on Connect, it opens in a new window. Make sure to allow popups. I was able to successfully log in via Bastion, as shown below. Best Practices for Securing Azure VMs with Azure Bastion Conclusion Securing your Azure virtual machines is crucial to prevent cyberattacks and unauthorized access. Azure Bastion offers a secure, seamless, and easy-to-use solution to protect your VMs by eliminating the need for public IPs and exposing your resources to the internet. By following the steps in this guide, you can significantly enhance the security of your Azure environment, streamline your access management, and ensure that your cloud infrastructure remains safe.

How to Onboard a Device into Microsoft Defender for Endpoint When securing your organization’s network, it is essential to ensure that all devices are protected by advanced endpoint security solutions like Microsoft Defender for Endpoint. This comprehensive security tool helps protect against diverse cyber threats, including malware, ransomware, phishing, and more. In this guide, I will walk you through the process of onboarding a new device into Microsoft Defender for Endpoint, ensuring seamless integration and robust protection. Prerequisites Before you begin the onboarding process, there are a few requirements you need to fulfill: Network Connectivity: The device must have internet access to communicate with the Defender for Endpoint service. Microsoft Defender for Endpoint Subscription: Ensure your organization has an active subscription to Microsoft Defender for Endpoint. Admin Permissions: You need to have administrative rights in the Microsoft 365 Defender portal. Supported OS Versions: Microsoft Defender for Endpoint supports a wide range of operating systems, including Windows 10, Windows 11, macOS, Linux, and mobile devices. Make sure your devices meet the system requirements. Sign in to Microsoft Defender Sign in to the Microsoft Defender portal with your global administrator or security administrator account. Once logged in, In the left-hand side navigation pane, click on System > Settings > Endpoints. Download the Onboarding Package Click on Device management > Onboarding. Based on your organization’s needs, choose an operating system to onboard to Microsoft Defender. Choose the Connectivity type and Deployment method. For this example, I will choose Windows 10 and 11, Streamlined, and Local Script (for up to 10 devices). Click on the Download onboarding package button to download it. Click on Device management > Onboarding. Based on your organization’s needs, choose an operating system to onboard to Microsoft Defender. Choose the Connectivity type and Deployment method. For this example, I will choose Windows 10 and 11, Streamlined, and Local Script (for up to 10 devices). Click on the Download onboarding package button to download it. Extract the file, then right-click and click on Run as Administrator. Press Y for yes to confirm and continue. Press any key to proceed. Next, confirm if the installation was successful. To do this, open a Command Prompt window on the newly onboarded device. At the prompt, copy the command below and run it. The Command Prompt window will close automatically when done. This verifies that the device is properly onboarded and reported to the service. Now login to Microsoft Defender to verify that the device was added successfully. On the left-hand side blade, click on Assets > Devices. You should see your device listed, as shown in the screenshot below. Conclusion Onboarding a new device into Microsoft Defender for Endpoint is an essential step in ensuring your organization’s cybersecurity posture is strong and up-to-date. By following this guide, you can quickly onboard new devices into the system, apply necessary configurations, and continuously monitor them for threats.