This challenge-based Azure Defender for Cloud CoHack is intended to teach how to enhance the security of your Azure workloads using Defender for Cloud. During the mini-Open Hack you will be working with Defender for Cloud features such as Secure Score, security recommendations, regulatory compliance, workload protections and alerts.
- Build attendees' technical skills on Defender for Cloud
- Understand what Defender for Cloud can do to enhance security and compliance in your environment
Attendees will get access to an Azure Subscription where a prebuilt deployment is ready. This includes a VM, a Log Analytics Workspace, some networking resources and a preconfigured Defender for Cloud setup.
- open Azure Cloud Shell
- upload all files from the setup folder to Cloud Shell or git clone this repository
- switch to PowerShell mode
- run New-CoHackDfC.ps1
- navigate to the Azure Portal
- open Defender for Cloud
- click General/Security alerts
- on the top navigation bar select "sample alerts" and click "create sample alerts"
Note: the setup script will configure Defender for Servers auto-provisioning to connect your servers to the Log Analytics workspace created for this exercise. If you do not want this, skip the section "enable autoprovisioning" in the setup script and configure the test VMs to log to the correct workspace manually.
- Quickstart: Enable enhanced security features
- Security posture for Microsoft Defender for Cloud
- Tutorial: Improve your regulatory compliance
- Secure your management ports with just-in-time access
- Manage and respond to security alerts in Microsoft Defender for Cloud
- Azure Credentials: The credentials will be handed out during the hack opening session.
- Resource Group: a resource group has been created where you will have a contributor role assigned to you. (Please do not install new resources, only change configuration)
- Log Analytics Workspace: This has already been pre-created to save some time
- Azure virtual machine: This Azure virtual machine is already onboarded to Defender for Cloud. It's probably not configured perfectly from a security perspective. You do not need to sign in to this VM.
- Defender for Cloud service: Defender for Cloud is enabled on your subscription and your VM has been automatically onboarded to send data. You have limited permissions in Defender for Cloud, so you can see the security recommendations for the entire subscription and all resources, but you can only remediate resources in your resource group.
- Verify Defender for Server plan is enabled
- Verify autoprovisioning is enabled and find where the events are going
- Review security recommendations for your subscription. Which recommendation increases Secure Score the most?
- Find security recommendations for your sample VM (hint: you can look at the VM directly) and apply a fix for one (e.g., "Machines should be configured to periodically check for missing system updates")
- Find another recommendation for your sample VM and create an exemption. The exemption should expire after a week.
- Check regulatory compliance and download a report
- Find and download the "Azure 2021 - HITRUST Certification Letter"
- Enable Just-in-Time access for the sample VM
- Ensure port 3389 is only accessible for 2 hours per request, and only from IP range 10.0.0.0/16
- Somebody tried to mine Bitcoins in our environment. On which machine did that happen? What was the command line used for that?
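The plan check and the Just-in-Time challenge above can also be done from Cloud Shell in PowerShell mode with the Az.Security module. This is an added example, not part of the CoHack repository or its setup script; the subscription ID, resource group, VM name and location are placeholders you replace with the values handed out during the hack, and the property names read back from the policy are those the Az.Security output objects use.

```powershell
# Added example (not from the CoHack repo): verify the Defender for Servers plan
# and apply a JIT policy matching the challenge: port 3389, at most 2 hours per
# request, requests allowed only from 10.0.0.0/16.
# Placeholders - replace with the values for your environment.
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"
$ResourceGroupName = "rg-cohack-dfc"
$VmName            = "vm-cohack"
$Location          = "westeurope"

# Challenge: confirm the Defender for Servers plan (pricing name "VirtualMachines")
# is on the Standard tier; "Free" means workload protections are off.
$plan = Get-AzSecurityPricing -Name "VirtualMachines"
if ($plan.PricingTier -ne "Standard") {
    Write-Warning "Defender for Servers is not enabled (tier: $($plan.PricingTier))"
}

# Challenge: JIT policy. maxRequestAccessDuration is an ISO 8601 duration, so
# "PT2H" is two hours. allowedSourceAddressPrefix limits who may request access;
# the NSG rule that JIT opens is scoped to the requester's source within it.
$vmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

$jitVm = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @("10.0.0.0/16")
            maxRequestAccessDuration   = "PT2H"
        }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroupName -VirtualMachine @($jitVm)

# Read the policy back and confirm the 3389 rule is the one we asked for.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroupName `
    -Location $Location -Name "default"
$rule = $policy.VirtualMachines | Where-Object { $_.Id -eq $vmId } |
        ForEach-Object { $_.Ports } | Where-Object { $_.Number -eq 3389 }
"Port {0}/{1}: max {2}, allowed from {3}" -f $rule.Number, $rule.Protocol,
    $rule.MaxRequestAccessDuration, ($rule.AllowedSourceAddressPrefix -join ",")
```

The script requires Contributor rights on the resource group for the JIT policy and Security Reader on the subscription for the pricing query, which matches the permissions described in the environment section.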
