

AzDetectSuite is an open-source library designed to help Azure users detect and understand the tactics, techniques, and procedures (TTPs) used in cyber-attacks on Azure environments.

The Microsoft security team recently released AzDetectSuite, a collection of KQL queries and detection alerts against security threats on Azure and Azure AD. The open-source project provides basic detection capabilities at a low cost, targeting small environments within the Microsoft cloud platform.

Written to match the Azure Threat Research Matrix (ATRM), a knowledge base built to document known TTPs within Azure and Azure AD, the detections are grouped according to the tactics involved: reconnaissance, initial access, execution, privilege escalation, persistence, credential access, and exfiltration. Ryan Hausknecht, senior security researcher at Microsoft, explains:

"AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by giving pre-built KQL queries for each technique within ATRM that are deployable Alerts to Azure Monitor. In ATRM, most (85%+) techniques will have a KQL query and a button that will deploy the query to their Azure subscription."

For example, AzDetectSuite supports detections for attacks like Azure Key Vault dumping, account creation or manipulation, or password spraying.

The detections are written in the Kusto Query Language (KQL), a read-only query language designed to explore data and discover patterns, identify anomalies and outliers, and build statistical models.
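To make concrete what a KQL detection of the kind described above looks like, here is an added example of a password-spray detection. It is written for this article and is not one of AzDetectSuite's own queries. It assumes Azure AD sign-in logs are exported to the SigninLogs table in a Log Analytics workspace, uses the Azure AD sign-in result codes for bad-password, locked, missing-password and disabled-account failures, and the lookback and threshold values are assumptions to be tuned against the tenant's baseline:

```kql
// Added example (not an AzDetectSuite query). Flags source IPs that fail
// sign-ins against many distinct accounts, the characteristic shape of a
// password spray, and reports any account the same IP then signed into
// successfully during the window.
// Assumes: SigninLogs (Azure AD sign-in logs in Log Analytics).
let lookback = 1h;            // assumed window; match the alert rule's frequency
let min_distinct_users = 10;  // assumed threshold; a spray touches many accounts
// Azure AD result codes: 50126 bad username/password, 50053 account locked,
// 50056 invalid/missing password, 50057 user disabled
let failure_codes = dynamic(["50126", "50053", "50056", "50057"]);
let sprayers =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in (failure_codes)
    | summarize
        DistinctUsers = dcount(UserPrincipalName),
        FailedSignIns = count(),
        SampleUsers   = make_set(UserPrincipalName, 20),
        FirstFailure  = min(TimeGenerated),
        LastFailure   = max(TimeGenerated)
        by IPAddress
    | where DistinctUsers >= min_distinct_users;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"   // "0" is a successful sign-in
    | summarize
        CompromisedCandidates = make_set(UserPrincipalName, 20),
        FirstSuccess          = min(TimeGenerated)
        by IPAddress;
sprayers
| join kind=leftouter successes on IPAddress
| project IPAddress, DistinctUsers, FailedSignIns, FirstFailure, LastFailure,
          SampleUsers, CompromisedCandidates, FirstSuccess
| order by DistinctUsers desc
```

Deployed as a scheduled query (log alert) rule in Azure Monitor, the mechanism the article describes, any row returned becomes an alert, and a non-empty CompromisedCandidates column marks the accounts to reset first. The caveat a practitioner would want: grouping by IPAddress only catches a spray from a single source, so a distributed spray that rotates through many IPs stays under the per-IP threshold; a complementary rule that groups failures by user agent or by time bucket across all sources closes that gap.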
