Cloud Security Posture Management

Cloud Security Posture Management (CSPM) is essential to ensuring the security and compliance of cloud environments. In cloud computing, the potential for security misconfigurations is high because of mismanaged permissions, gaps in network configurations, and various other weaknesses.

Cloud Security Posture Management addresses these challenges by continuously monitoring and assessing cloud workloads to identify vulnerabilities and potential security risks. It also provides remediation steps to rectify the potential security risks identified in the cloud environment.

ThreatLockDown is a free, open source, enterprise-grade security monitoring platform that provides comprehensive protection for cloud, on-premises, containerized, and virtualized environments. Microsoft Azure is a comprehensive cloud computing platform that offers a wide range of services to help businesses build, deploy, and manage their applications and infrastructure.

This section demonstrates how to use ThreatLockDown to monitor Microsoft Azure security posture.

Integrating ThreatLockDown with Microsoft Azure

ThreatLockDown integrates with Azure using the Log Analytics Workspace. The Azure Log Analytics workspace is a unique environment for storing log data from Azure Monitor and other Azure services, such as Microsoft Defender for Cloud. ThreatLockDown provides a native integration module for Azure that retrieves logs from the Log Analytics Workspace.

Below is a summary of the actions performed on Azure to integrate with Wazuh.

  • Creating a service principal application: This involves registering an application with Microsoft Entra ID, which automatically creates a service principal for the application registration. The service principal is the application’s identity in the Microsoft Entra tenant, and its access to resources is restricted by the roles assigned to it.

  • Creating a Log Analytics workspace: The workspace is where logs and data are stored, and it has a unique workspace ID and resource ID. The ThreatLockDown Azure module is then configured to query the workspace for new data.

  • Enabling Microsoft Defender for Cloud: Configure Microsoft Defender for Cloud to scan all resources inside an Azure subscription. Microsoft Defender for Cloud is configured to send security log data and recommendations to the created Log Analytics workspace.

Microsoft Azure

Creating a service principal application

Create a Microsoft Entra ID application for ThreatLockDown authentication to the Log Analytics Workspace. Microsoft Entra ID is the identity directory service from Microsoft.

  1. In the Search bar of the Azure portal, type Microsoft Entra ID, then select the same service name. Select App registrations from the Default Directory on the sidebar menu.

  2. Select + New registration from the command bar to create a new service principal application.

  3. On the opened form, enter a unique name for the application and click Register. Note the Application (client) ID on the application overview page.

    Register an application
  4. On the opened application overview page:

    • Select Certificates & secrets from the sidebar menu.

    • Click on the Client secrets tab.

    • Click + New client secret. Enter a description for the secret, select the expiry period, and click Add.

    • Copy and save the client secret value.

    Note

    You can only view client secret values immediately after creation. Be sure to save the secret before leaving the page.

    Create secret
  5. On the application overview page, select API permissions. Select + Add a permission.

  6. On the Request API permissions page:

    • Click on the APIs my organization uses tab.

    • Search for Log Analytics and select Log Analytics API from the list.

    • Click on Application permissions.

    • Select the Read Log Analytics data permission.

    • Click Add permissions.

    • On the API permissions page, click on Grant admin consent for Default Directory.

    • Click Yes.

    Request API permissions

Create a Log Analytics workspace

Create a Log Analytics Workspace that enables ThreatLockDown to retrieve log data from Azure.

  1. In the search bar of the Azure portal, type Log Analytics workspaces, then select the same service name. Select + Create from the command bar to create a new workspace.

  2. On the opened dialog box, select Create new to create a resource group for the Log Analytics. Enter a unique name for the Resource group and click OK.

  3. In the Instance details section, enter a unique name for the Log Analytics workspace.

  4. Select the Review + Create tab. Once the workspace validation has passed, select Create. Wait for the new workspace to be provisioned; this may take a few minutes.

    Create Log analytics workspace
  5. In the search bar of the Azure portal, type Log Analytics workspaces, then select the new workspace. Copy the Workspace ID from the Essentials section. The Workspace ID will be used as part of the configuration in Wazuh.

    Log analytics workspace
  6. Click on the Access control (IAM) on the sidebar menu of the Log Analytics workspace page.

    • Click on + Add on the command bar and select Add role assignment.

    • On the Add role assignment page, search for Log Analytics Reader. Select it and click Next.

    • On the Members page, click on + Select members.

    • Search for your service principal application name on the Select members box and click Select.

    • Click Next then Review + assign.

    Add role assignment
  7. In the Search bar of the Azure portal, type Microsoft Entra ID, then select the same service name.

  8. Copy the Azure tenant Primary domain name from the Basic Information section. This will be used as part of the configuration in Wazuh.

    Copy primary domain

Enable Microsoft Defender for Cloud

Enable and configure Microsoft Defender for Cloud to report all security misconfigurations using its CSPM module.

  1. In the search bar of the Azure portal, type Microsoft Defender, then select Microsoft Defender for Cloud.

  2. Select Getting started on the sidebar menu. On the Getting started page, under the Upgrade tab, select your subscription, and then click the Upgrade button at the bottom of the page.

    Microsoft defender for Cloud upgrade
  3. In the left menu for Microsoft Defender for Cloud:

    • Navigate to the Management section, select Environment settings.

    • Expand Azure > Tenant Root Group to reveal your Azure subscription.

    • Select your Azure subscription.

    On the Settings page, verify that the Status of each entry is On; otherwise, click Enable all plans and Save.

    Enable all plans
  4. Click Continuous export on the sidebar menu and click on the Log Analytics workspace tab to configure Defender to continuously send logs to the Log Analytics workspace. Select the Security alerts and Regulatory compliance checkboxes.

    Continuous export setup
  5. Scroll down to the Export sections and select the resource group created for the Log Analytics workspace. Select your tenant Azure subscription and the target workspace. Click Save.

    Continuous export setup
  6. In the left menu for Microsoft Defender for Cloud:

    • Navigate to the Management section, select Environment settings.

    • Expand Azure > Tenant Root Group > your Azure subscription

    • Select the Log Analytics workspace created above.

    • Verify that the Status of each entry is On; otherwise, click Enable all plans and Save.

    Enable all plans

ThreatLockDown server

Configure the ThreatLockDown server to receive logs from Microsoft Azure by performing the following steps.

Note

Run the following commands as the root user.

  1. Create a credentials directory in the /var/ossec/wodles/ directory:

    # mkdir /var/ossec/wodles/credentials
    
  2. Create a /var/ossec/wodles/credentials/log_analytics_credentials file:

    # touch /var/ossec/wodles/credentials/log_analytics_credentials
    
  3. Update the /var/ossec/wodles/credentials/log_analytics_credentials file as shown below:

    application_id = <SERVICE_PRINCIPAL_APPLICATION_ID>
    application_key = <CLIENT_SECRET_VALUE>
    

    Replace:

    • <SERVICE_PRINCIPAL_APPLICATION_ID> with the Application (client) ID noted when registering the application.

    • <CLIENT_SECRET_VALUE> with the client secret value saved when creating the client secret.

  4. Append the following content to the /var/ossec/etc/ossec.conf configuration file. The configuration specifies how ThreatLockDown connects to Azure:

    <ossec_config>
      <wodle name="azure-logs">
        <disabled>no</disabled>
        <run_on_start>yes</run_on_start>
        <interval>5m</interval>
    
        <log_analytics>
            <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
            <tenantdomain><PRIMARY_DOMAIN></tenantdomain>
    
            <request>
                <tag>azurefindings</tag>
                <query>SecurityRecommendation</query>
                <workspace><LOG_ANALYTICS_WORKSPACE_ID></workspace>
                <time_offset>1d</time_offset>
            </request>
    
            <request>
                <tag>azurefindings</tag>
                <query>SecurityAlert</query>
                <workspace><LOG_ANALYTICS_WORKSPACE_ID></workspace>
                <time_offset>1d</time_offset>
            </request>
    
        </log_analytics>
      </wodle>
    </ossec_config>
    

    Note

    The interval value represents the time between each Azure-Logs module execution. You should set it to a time that is tolerable for your infrastructure.

    Replace:

    • <PRIMARY_DOMAIN> with the Azure tenant Primary domain name copied from Microsoft Entra ID.

    • <LOG_ANALYTICS_WORKSPACE_ID> with the Workspace ID copied from the Log Analytics workspace.

  5. Create a rule file azure_posture.xml in the /var/ossec/etc/rules/ directory and add the following custom rules to detect Azure posture findings:

    <group name="azure,">
    
      <rule id="100200" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityRecommendation</field>
        <description>Azure Security Posture: $(RecommendationName).</description>
      </rule>
    
      <rule id="100201" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityAlert</field>
        <field name="ResourceId">Microsoft.Compute</field>
        <description>Azure Security Posture: $(DisplayName).</description>
        <mitre>
          <id>T1651</id>
        </mitre>
      </rule>
    
      <rule id="100202" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityAlert</field>
        <field name="ResourceId">microsoft.keyvault</field>
        <description>Azure Security Posture: $(DisplayName).</description>
        <mitre>
          <id>T1098.004</id>
        </mitre>
      </rule>
    
      <rule id="100203" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityAlert</field>
        <field name="ResourceId">Microsoft.Web</field>
        <description>Azure Security Posture: $(DisplayName).</description>
        <mitre>
          <id>T1648</id>
        </mitre>
      </rule>
    
      <rule id="100204" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityAlert</field>
        <field name="ResourceId">Microsoft.ApiManagement</field>
        <description>Azure Security Posture: $(DisplayName).</description>
        <mitre>
          <id>T1059.009</id>
        </mitre>
      </rule>
    
      <rule id="100205" level="10">
        <if_sid>87801</if_sid>
        <field name="Type">SecurityAlert</field>
        <field name="ResourceId">Microsoft.ContainerService|cluster</field>
        <description>Azure Security Posture: $(DisplayName).</description>
        <mitre>
          <id>T1609</id>
        </mitre>
      </rule>
    
    </group>
    

    Where:

    • Rule ID 100200 is triggered when ThreatLockDown detects a new security posture recommendation in Azure.

    • Rule ID 100201 is triggered when ThreatLockDown detects an attack against Azure Virtual Machines.

    • Rule ID 100202 is triggered when ThreatLockDown detects an attack in Azure Key Vault.

    • Rule ID 100203 is triggered when ThreatLockDown detects an attack in Azure App Service.

    • Rule ID 100204 is triggered when ThreatLockDown detects an attack in Azure API Management.

    • Rule ID 100205 is triggered when ThreatLockDown detects an attack in Azure Containers and clusters.

  6. Restart the ThreatLockDown manager to apply the configuration:

    # systemctl restart wazuh-manager
    
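
To check what the custom rules from step 5 will match before restarting the manager, the following added example (not part of the original page or of the ThreatLockDown/Wazuh code base) emulates their field matching in Python against constructed Log Analytics records. It assumes Wazuh's unanchored, case-sensitive regex-style `<field>` match and the flat field names the rules use; the sample `ResourceId` and alert names are constructed.

```python
import re

# Simplified model of the custom rules in azure_posture.xml (constructed for this example):
# rule id, the decoded fields that must all match, and the description template.
ALERT_DESC = "Azure Security Posture: $(DisplayName)."
RULES = [
    (100200, {"Type": "SecurityRecommendation"}, "Azure Security Posture: $(RecommendationName)."),
    (100201, {"Type": "SecurityAlert", "ResourceId": "Microsoft.Compute"}, ALERT_DESC),
    (100202, {"Type": "SecurityAlert", "ResourceId": "microsoft.keyvault"}, ALERT_DESC),
    (100203, {"Type": "SecurityAlert", "ResourceId": "Microsoft.Web"}, ALERT_DESC),
    (100204, {"Type": "SecurityAlert", "ResourceId": "Microsoft.ApiManagement"}, ALERT_DESC),
    (100205, {"Type": "SecurityAlert", "ResourceId": "Microsoft.ContainerService|cluster"}, ALERT_DESC),
]
PLACEHOLDER = re.compile(r"\$\(([^)]+)\)")

def expand(template, event):
    """Fill $(field) placeholders from the decoded event (unknown fields are left as-is; assumption)."""
    return PLACEHOLDER.sub(lambda m: str(event.get(m.group(1), m.group(0))), template)

def evaluate(event):
    """Return (rule_id, description) for the first child rule that matches, or None when only
    the parent rule 87801 would fire. Wazuh's <field> match is an unanchored, case-sensitive
    regex-style search; re.search reproduces that for the literal-plus-'|' patterns used here."""
    for rule_id, fields, template in RULES:
        if all(re.search(pattern, str(event.get(name, ""))) for name, pattern in fields.items()):
            return rule_id, expand(template, event)
    return None

# Constructed sample records shaped like flattened Log Analytics rows (not real Azure data).
PREFIX = "/subscriptions/SUB/resourceGroups/rg1/providers/"

def alert(display_name, resource):
    return {"Type": "SecurityAlert", "DisplayName": display_name, "ResourceId": PREFIX + resource}

SAMPLES = {
    "recommendation": {"Type": "SecurityRecommendation", "ResourceId": PREFIX + "Microsoft.Storage/storageAccounts/st1",
                       "RecommendationName": "Storage accounts should restrict network access"},
    "vm_alert": alert("Suspicious process executed", "Microsoft.Compute/virtualMachines/vm1"),
    "keyvault_lower": alert("Unusual secret access", "microsoft.keyvault/vaults/kv1"),
    "keyvault_mixed": alert("Unusual secret access", "Microsoft.KeyVault/vaults/kv1"),  # case differs from rule 100202
    "aks_alert": alert("Privileged container detected", "Microsoft.ContainerService/managedClusters/aks1"),
    "storage_alert": alert("Anonymous blob access", "Microsoft.Storage/storageAccounts/st1"),  # no custom rule
}

if __name__ == "__main__":
    for name, event in SAMPLES.items():
        print(f"{name:15} -> {evaluate(event)}")
```

The `keyvault_mixed` record shows that a `ResourceId` whose provider casing differs from the rule pattern falls through to the generic parent rule only, so check the casing Defender actually emits in your workspace before relying on rule 100202.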

Cloud Security Posture Management simulation

Simulate sample security alerts in Microsoft Defender for Cloud. These alerts mimic real-life attacks in a cloud environment.

To create sample alerts, follow the steps below:

  1. In the Search bar of the Azure portal, type Microsoft Defender, then select Microsoft Defender for Cloud.

  2. Click on Security alerts on the sidebar menu. On the Security alerts window, select Sample alerts on the command bar. Select your Azure subscription and the desired Azure service in the Defender for Cloud plans dropdown, then click Create sample alerts.

    Note

    For this example, we restrict our alert simulation to App Services, Key Vaults, Virtual Machines, Containers, and API.

  3. Refresh the security alerts page to visualize the newly generated alerts.

    Defender for Cloud security alerts

Posture management results on the ThreatLockDown dashboard

Visualize the results by navigating to the Modules > Security events tab. Filter for the azure rule group.

Azure security alerts on the ThreatLockDown dashboard