What is Azure Sentinel?
Azure Sentinel is a security information event management (SIEM) and security orchestration automation response (SOAR) solution.
Sentinel is a cloud-native solution.
How it works
Sentinel sits on top of Log Analytics.
Features and benefits
What it provides, features and benefits:
Use Cases
Architecture
Security, monitoring, and compliance
Availability and costs
Differences to other products
What is Azure Security Center?
Azure Security Center is an infrastructure security hygiene tool. It has a lot of recommendations around security hygiene.
Features and Benefits
Azure Security Center Standard has threat protection built-in for the resources that it monitors.
What is Azure Defender?
Azure Defender is an infrastructure security threat alert solution.
What is Azure Kubernetes Service (AKS)?
Azure Kubernetes Service is a fully managed container orchestration service based on the open-source Kubernetes system, available on the Microsoft Azure public cloud.
az account list
Set context to the desired subscription
az account set -s "{subscription}"
az account show
Set default resource group for all Azure CLI commands
az configure --defaults group={resource-group-name}
Get AKS credentials
az aks get-credentials --name {aks-cluster-name}
Download and install kubectl
az aks install-cli
Get the deployments
kubectl get deployments
Delete deployments
kubectl delete deployment {deployment_name}
Samples
Sample to expose an endpoint
kubectl expose deployment {app_name} --type=LoadBalancer --port=80 --target-port=80
Azure Sentinel can only be enabled for a single Log Analytics Workspace. Therefore it is recommended to centralize all security logs to a dedicated central workspace. Use Azure Lighthouse if you have multiple workspaces.
To create Azure Sentinel, an active subscription and a Log Analytics workspace need to be available.
The permissions required
Resource
Get the client ID of the cluster's service principal and list the expiry dates of its credentials:
SP_ID=$(az aks show --resource-group aksrg --name pdtaks \
  --query servicePrincipalProfile.clientId -o tsv)
az ad sp credential list --id $SP_ID --query "[].endDate" -o tsv
From: AKS ErrImagePull and ImagePullBackOff on AKS after a year
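An added example (not from the original notes) that takes the JSON form of the `az ad sp credential list` output above and flags credentials that are expired or about to expire, which is the condition behind the ErrImagePull / ImagePullBackOff failures mentioned. The credential list and key IDs are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az ad sp credential list --id $SP_ID`
# (default JSON output); the keyIds and dates are not real.
SAMPLE_CREDENTIALS = json.dumps([
    {"keyId": "11111111-1111-1111-1111-111111111111",
     "displayName": "rbac", "endDate": "2024-01-15T10:00:00+00:00"},
    {"keyId": "22222222-2222-2222-2222-222222222222",
     "displayName": "rotated", "endDate": "2025-06-01T00:00:00Z"},
])


def check_sp_credentials(credentials_json, now, warn_days=30):
    """Return (keyId, status, days_left) per credential.

    status is 'expired', 'expiring' (ends within warn_days) or 'ok'.
    A service principal whose last secret has expired can no longer pull
    images from ACR, which surfaces on AKS as ErrImagePull.
    """
    results = []
    for cred in json.loads(credentials_json):
        # az emits either '+00:00' or 'Z'; fromisoformat needs the former
        end = datetime.fromisoformat(cred["endDate"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((cred["keyId"], status, days_left))
    return results


def needs_rotation(credentials_json, now, warn_days=30):
    """True when no credential remains valid beyond the warning window."""
    checks = check_sp_credentials(credentials_json, now, warn_days)
    return not any(status == "ok" for _, status, _ in checks)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key_id, status, days in check_sp_credentials(SAMPLE_CREDENTIALS, now):
        print(f"{key_id}: {status} ({days} days left)")
    print("rotation needed:", needs_rotation(SAMPLE_CREDENTIALS, now))
```

Feeding the real command output in place of SAMPLE_CREDENTIALS (e.g. via `subprocess.run(..., capture_output=True)`) turns this into a scheduled pre-expiry check.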
Azure Resource Graph is a service in Azure that is designed to extend Azure Resource Management by providing efficient and performant resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.
These queries provide the following features:
By default, the kubectl command for Kubernetes uses parameters from the current context to communicate with the cluster.
Display the current context:
$ kubectl config current-context
List all contexts in a kubeconfig file:
$ kubectl config get-contexts
Switch context:
$ kubectl config use-context <context_name>
A Pod is a group of one or more containers with shared storage, network, and lifecycle and is the basic deployable unit in Kubernetes.
How to get detailed information about Pods using the kubectl command.
List Pods in the default Namespace for the current context:
$ kubectl get pods
$ kubectl get pods -o wide
List all Pods from all Namespaces:
$ kubectl get pods --all-namespaces
Get Pods from a particular Namespace:
$ kubectl get pods --namespace <namespace-name>
Get detailed information about a Pod
$ kubectl describe pods <pod-name>
In general, I see two approaches
What do/would I consider
Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data. Easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Empower data consumers to find valuable, trustworthy data.
Establish the foundation for effective data usage and governance with Purview Data Map.
Azure Sentinel is a next-generation Security Information and Event Management (SIEM) and Security Operation Automation Response (SOAR) solution provided by Microsoft.
Types
Azure Sentinel
A cloud-based SIEM and SOAR solution that depends on various security solutions to provide threat detection, investigation, hunting, and automated response capabilities.
Azure Security Center
A Cloud Security Posture Management and Cloud Workload Platform Protection solution.
Complements Azure Sentinel
Types of Analytic Rules
K9s provides a terminal UI to interact with your Kubernetes clusters. This project aims to make it easier to navigate, observe, and manage your applications in the wild. K9s continually watches Kubernetes for changes and offers subsequent commands to interact with your observed resources.
K9s - Manage Your Kubernetes Clusters In Style (k9scli.io)
Managing and Investigating Incidents
An incident
Azure Logic Apps is a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows.
A security playbook is a collection of procedures that can be run from Azure Sentinel in response to an alert. Playbooks provide the ability to build flows that can automate investigations and respond to security alerts that happen in the environment.
Azure Monitor Private Link Scope (AMPLS) connects private endpoints (and the VNets contained in) to one or more Azure Monitor resources - Log Analytics workspaces and Application Insights components.
Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform. Azure Arc enables you to:
Today, Azure Arc allows you to manage the following resource types hosted outside of Azure:
For further information visit Azure Arc overview.
Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. The Key Vault service supports two types of containers: vaults and managed hardware security module (HSM) pools. Vaults support storing software and HSM-backed keys, secrets, and certificates. Managed HSM pools only support HSM-backed keys. See Azure Key Vault REST API overview for complete details.
Application Insights can monitor Azure cloud service apps for availability, performance, failures, and usage by combining data from Application Insights SDKs with Azure Diagnostics data from your cloud services. With the feedback you get about the performance and effectiveness of your app in the wild, you can make informed choices about the direction of the design in each development lifecycle.
Application Insights, a feature of Azure Monitor, is an extensible Application Performance Management (APM) service for developers and DevOps professionals. Use it to monitor your live applications. It will automatically detect performance anomalies and includes powerful analytics tools to help you diagnose issues and understand what users actually do with your app. It's designed to help you continuously improve performance and usability. It works for apps on various platforms, including .NET, Node.js, Java, and Python hosted on-premises, hybrid, or any public cloud. It integrates with your DevOps process and has connection points to a variety of development tools. It can monitor and analyze telemetry from mobile apps by integrating with Visual Studio App Center.
Log Analytics is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs. You may write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze them. Or you may write a more advanced query to perform statistical analysis and visualize the results in a chart to identify a particular trend. Whether you work with the results of your queries interactively or use them with other Azure Monitor features such as log query alerts or workbooks, Log Analytics is the tool that you're going to use to write and test them.
For further details, visit Overview of Log Analytics in Azure Monitor.
Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.
App Service not only adds the power of Microsoft Azure to your application, such as security, load balancing, autoscaling, and automated management. You can also take advantage of its DevOps capabilities, such as continuous deployment from Azure DevOps, GitHub, Docker Hub, and other sources, package management, staging environments, custom domain, and TLS/SSL certificates.
With App Service, you pay for the Azure compute resources you use. The compute resources you use are determined by the App Service plan that you run your apps on. For more information, see Azure App Service plans overview.
For further information visit App Service overview
The message size limit for Service Bus is 1 MB (premium tier).
Octant is an open-source developer-centric web interface for Kubernetes that lets you inspect a Kubernetes cluster and its applications.
Website: Octant
In this overview video I cover the basics of containers, Kubernetes, the Azure Kubernetes Service (AKS) and how all the pieces fit together!
Private Azure Kubernetes Service Cluster
In a private cluster, the control plane or API server has internal IP addresses that are defined in the RFC1918 - Address Allocation for Private Internet document. Using a private cluster lets you ensure network traffic between your API server and your node pools remains on the private network only.
Create a private Azure Kubernetes Service cluster - Azure Kubernetes Service | Microsoft Docs
Provide the requirements of your AKS deployment to generate the assets to create a fully operational environment, incorporating best-practices guidance.
The Azure CLI's default authentication method for logins uses a web browser and access token to sign in.
az login
If the CLI can open your default browser, it will do so and load an Azure sign-in page. Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal. Sign in with your account credentials in the browser.
If no web browser is available or the web browser fails to open, use device code flow with az login --use-device-code.
You can select a tenant to sign in under with the --tenant argument. The value of this argument can either be an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.
az login --tenant {tenant}
Additional details can be found at Sign in with Azure CLI — Login and Authentication | Microsoft Docs
az login --service-principal --username {SPN_CLIENT_ID} --password {SPN_CLIENT_SECRET} --tenant {SPN_TENANT_ID}
PuTTY is a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator. It is written and maintained primarily by Simon Tatham.
Commands
az extension add --name connectedk8s
az extension add --name k8s-configuration
az extension update --name connectedk8s
az extension update --name k8s-configuration
Connect to cluster
az connectedk8s connect --name {kubernetes-name} --resource-group {resource-group-name}
Data duplication across your data landscape is a common challenge. You can now share data with your consumers (internal or external) from Azure Storage without physically copying it over. To ease your data management efforts, you can govern the whole process from Purview.
Further reading at Share data near real-time with Microsoft Purview in-place data sharing for Azure Storage
The cost of a typical application hack in today's modern world is high, and traditional WAFs don’t always work. This webinar details how you can better secure your Kubernetes apps with NGINX.
Watch it On Demand: Secure Your Kubernetes Apps from Attacks with NGINX - NGINX
KEDA (or, Kubernetes Event-Driven Autoscaling) is a Kubernetes-based event-driven auto-scaler for Pods. With KEDA, we can scale out our application easily and then scale back to 0 which is not possible when it comes to the default HPA (Horizontal Pod Autoscaler) of Kubernetes.
Read more at Scale your Apps using KEDA in Kubernetes
Announcing Public Preview of Confidential VM on AKS.
Azure confidential VMs (DCav5/ECav5) are VM-based hardware Trusted Execution Environments (TEEs) that leverage SEV-SNP security features to deny the hypervisor and other host management code access to VM memory and state, providing defense-in-depth protection against operator access.
Source: Confidential VM node pool support on AKS with AMD SEV-SNP VM in preview (microsoft.com)
This video (GERMAN) demonstrates how to expose Azure Service Bus as a REST service by using Azure API Management.
Source: Exposing ServiceBus via Azure API Management | Microsoft Docs
Video: https://docs.microsoft.com/video/media/1de8e6a2-c0ae-4565-902a-be1534538bff/apimsb_mid.mp4
Azure Services map with workload type
See details at Azure Solution Architect Map.pdf · GitHub
How to stay up-to-date with Microsoft Azure
Microsoft Azure is huge and changes fast! At this point in time, there are more than 200 services in Azure, with many, many features. The rate at which services evolve is amazing. New services come out all the time, and services are constantly being improved with new features. Microsoft is able to do this because most services are owned by separate teams that develop functionality.
This high rate of change is great because it keeps providing new ways to solve problems. However, it is very hard to stay up-to-date. It is very hard to keep track of new services and what their purpose is in the world of Azure.
So the question is how to stay up-to-date? Here are some important information sources:
- Azure Friday | Microsoft Docs
- Azure This Week - A Cloud Guru
- Azure updates | Microsoft Azure
- Announcements | Azure Blog and Updates | Microsoft Azure
- Azure Blog and Updates | Microsoft Azure
- Azure App Service Team Blog
And also, the Azure Developer's Cheat Sheet at GitHub - milanm/azure-cheat-sheet: Azure Cheat Sheet
Message Bus Queues and Topics provide
With Queues, you can have multiple senders, but only one message consumer receives and processes each message.
Using queues to intermediate between message producers and consumers provides an inherent loose coupling between the components.
With Queues, there are two different modes available to process messages.
Receive & Delete
This mode is suitable where the system can tolerate not processing messages in case of failure. In this mode, once the consumer service reads the message, it will be deleted from the Queue irrespective of the status of the message process.
Peek
This mode is suitable where the system cannot tolerate ignoring messages in case of failure. So here, messages are processed in two stages, as below.
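An added example (not part of the original notes, and not the Azure SDK) that models the two receive modes described above with a small in-memory queue, so the difference in failure behaviour can be exercised: in Receive & Delete a consumer crash loses the message, while the two-stage peek-lock flow (receive under lock, then complete or abandon) returns it to the queue for redelivery. The Queue class, lock tokens and handler are constructed for the illustration.

```python
import uuid
from collections import deque


class ReceiveMode:
    RECEIVE_AND_DELETE = "ReceiveAndDelete"
    PEEK_LOCK = "PeekLock"


class Queue:
    """Constructed in-memory model of a queue: a FIFO of (body, deliveries)
    plus a table of messages currently held under a peek-lock."""

    def __init__(self):
        self._messages = deque()
        self._locked = {}  # lock token -> (body, deliveries)

    def send(self, body):
        self._messages.append((body, 0))

    def receive(self, mode):
        """Stage 1: hand a message to the consumer. Receive & Delete removes it
        immediately; peek-lock hides it under a lock token until settled."""
        if not self._messages:
            return None
        body, deliveries = self._messages.popleft()
        if mode == ReceiveMode.RECEIVE_AND_DELETE:
            return body, None
        token = str(uuid.uuid4())
        self._locked[token] = (body, deliveries + 1)
        return body, token

    def complete(self, token):
        """Stage 2 on success: settle the message, which deletes it."""
        del self._locked[token]

    def abandon(self, token):
        """Stage 2 on failure (or lock expiry): put the message back at the
        head of the queue so it is redelivered."""
        self._messages.appendleft(self._locked.pop(token))

    def pending(self):
        return [body for body, _ in self._messages]


def failing_handler(body):
    raise RuntimeError("consumer crashed while handling " + body)


def consume(queue, mode, handler):
    """Process one message; a handler exception models a consumer failure."""
    received = queue.receive(mode)
    if received is None:
        return False
    body, token = received
    try:
        handler(body)
    except Exception:
        if token is not None:
            queue.abandon(token)  # peek-lock: message survives the failure
        return False  # Receive & Delete: message is already gone
    if token is not None:
        queue.complete(token)
    return True
```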
Senders send messages to a topic in the same way that they send messages to a queue, but it varies on a slight factor where 'Topics' can have multiple, independent 'Subscriptions'. Subscriptions are durable by default but can be configured to expire and then be automatically deleted.
We can define rules on a subscription. A subscription rule has a filter to define a condition for the message to be copied into the subscription and an optional action that can modify message metadata.
Azure offers a unique capability of mounting Blob Storage (or object storage) as a file system to a Kubernetes pod or application using BlobFuse or NFS 3.0 options. This allows you to use blob storage with a number of stateful Kubernetes applications including HPC, Analytics, image processing, and audio or video streaming. Not only that, if your application ingests data into Data Lake storage on Azure Blobs, you can now directly mount and use it with AKS. Previously, you had to manually install and manage the lifecycle of the open-source Azure Blob CSI driver including deployment, versioning, and upgrades.
You can now use the Azure Blob CSI driver as a managed addon in AKS with built in storage classes for NFS and BlobFuse, reducing the operational overhead and maximizing time to value.
Source: Generally available: Azure Blob CSI driver support in AKS
Enable higher throughput levels for Azure Service Bus premium via two new features in public preview today.
First, we are releasing scaling partitions, allowing the use of partitioning for the premium messaging tier. Service Bus partitions enable messaging entities to be partitioned across multiple message brokers. This means that the overall throughput of a partitioned entity is no longer limited by the performance of a single message broker. Additionally, a temporary outage of a message broker, for example during an upgrade, does not render a partitioned queue or topic unavailable, as messages will be retried on a different partition.
Second, we are making a change to our infrastructure, which will result in more consistent low latency. This is accomplished by switching our storage to a different implementation called local store. During public preview we will create partitioned namespaces using this new feature, but in the future all new namespaces will be created on local store.
Source: Public preview: Performance improving features for Azure Service Bus premium
Azure Key Vault is a cloud-based secrets store for holding app secrets, including configuration values like passwords and connection strings that must always remain secure. It keeps secrets in a single central location and provides secure access, permissions control, and access logging.
Use Azure Key Vault to store secrets like Passwords, Shared Access Signature (SAS) tokens, Application Programming Interface (API) keys, and Personal Access Tokens (PAT).
Microsoft Azure Service Bus is a fully managed enterprise message broker with message queues and publish-subscribe topics.
Service Bus is used to decouple applications and services from each other, which helps to balance workload.