Please enable JavaScript.

Coggle requires JavaScript to display documents.

AZ-500 - Coggle Diagram

- - - - Manual and recurring scan
  - - - registered only on DB
      - Initial Admin user is local
    - - Require associate a existing AD user in SqlServer with the option Active directory Admin
      - Logged In as Admin, can create other external users of AD
        
        Use SQL Management studio with option Azure AD-Universal MFA
        
        Execute query: CREATE USER "demousrB@techsup1000gmail.onmicrosoft.com" FROM EXTERNAL PROVIDER
        
        Execute query: exec sp_addrolemember 'db_datareader','demousrB@techsup1000gmail.onmicrosoft.com'
  - - - Deterministic
        
        Less Secure
        
        Same encrypted value for all plain text
        
        Allows point lookups, equality joins, grouping, and indexing on encypted columns
      - Randomized
        
        More secure
        
        Prevents point lookups, equality joins, grouping, and indexing on encrypted columns
    - - Colum master Key
        
        to be stored in a external data store as a keyvault
      - Colum encryption key
        
        Generated from colum master key to encrypt the column
    - - Enable ecryption options in permission to the user in keyvault
      - Select table>rigth clic encryption
      - Select column and encryption type
      - Select keyvault and sign in with the user with permission on keyvault
  - - - Email
        
        Shows fist letter and domain
      - Credit card
        
        Shows only last 4 digits
      - Custom text
        
        Decide which characters expose
        
        Expose prefix
        
        Expose sufix
        
        Padding string
      - Random number
        
        Generate random number for the field
- - - - Full access
    - - Only Limited Reports
        
        Risky Users, Risky Sign-ins and Risk Detection
    - - Only Limited Reports
        
        Risky Users and Risky Sugins
  - - - Full access
    - - Full excep password for user
    - - View reports, not configure policies, alerts, or reset user passwords
  - - - Leaked credentials
    - - Sign-in from anonymous ip addres
      - Imposible travel from atypical locations
      - Sig-in from unfamiliar locations
    - - Sign-in from infected devices
  - - - If allow can require password change
  - - - Require MFA enforce for users
  - - - If allow can require mfa authentication
- - - - One for each operative system Linux and Windows
- - - - MFA authentication
      - Compliant device
        
        require MS Intune instaled
      - Hybryd Azure AD Join device
      - Approved client app
      - password change
      - app protection policy
- - - - selected users
      - assigned
      - manager
    - - Auto apply
      - If reviewers dont respond
        
        No change
        
        Remove access
        
        Approve access
        
        Take recomendation
  - - - Set PIM parameters to a role as maximum allowed eligible duration for example
  - - - 1.Discover resources
        
        Manage resource
        
        Allows PIM manage the resource creating a MS-PIM service principal with User acces Administrator role
      - 2.Select Suscription of the resource
      - Assign Role and members
      - For Azure resource roles in Privileged Identity Management, only a subscription administrator, a resource Owner, or a resource User Access administrator can manage assignments for other administrators
- - - - where you manage Key Vault itself and it is the interface used to create and delete vaults. You can also read key vault properties and manage access policies
    - - allows you to work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
      - policies
        
        Keyvault policy
        
        user require general reader role to read secrets
        
        RBAC
        
        Require special roles to work
        
        Keyvault secrets user
        
        read secret only
        
        Keyvault secrets reader
        
        Keyvault secrets officer
        
        create secrets
  - - - Purge permissions are required
- - - - multiple services (BLOB,FILE, TABLE, QUEUE)
    - - Only one service
      - Can be controled with an access policies
        
        Allows to create SAS based in policies
        
        Allows to revoke SAS when acces policy is removed or modify
    - - Actions Required
        
        Microsoft.Storage/storageAccounts/listKeys/action
        
        Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey
      - use Azure AD credentials to create a user delegation SAS for superior security
      - Setup
        
        first request a user delegation key
        
        use the key to sign SAS
      - Supported by
        
        Azure Blob storage
        
        Azure Data Lake Storage Gen2
      - Stored access policies are not supported for a user delegation SAS
    - - Set period of expiration time
      - Ips allowed
      - Protocol http or https used
    - - Used with SAS to gives you more control over the acces given by SAS
      - Set permissions and expiration time
      - Generate SAS Based on Acces Policies,
      - when you need to change or remove access just change permissions on the policy
  - - - permisions to manage storage account
        
        Storage Account Contributor
        
        Contributor
      - permision access storage data
        
        Storage Blob Data Owner
        
        Storage Blob Data Reader
        
        Storage Blob Delegator
        
        Storage Blob Data Contributor
  - - - Protect your data from overwrites and deletes
      - Container level
        
        Acces Policy
        
        Policy type
        
        Legal Hold
        
        legal hold stores immutable data until the legal hold is explicitly cleared
        
        When a legal hold is set, objects can be created and read, but not modified or deleted
        
        Time base retention
        
        set policies to store data for a specified interval.
        
        set, objects can be created and read, but not modified or deleted
        
        fter the retention period has expired, objects can be deleted but not overwritten
  - - - Open access to other MS services to conect
- - - - are used by apps that have a signed-in user present
      - For these apps, either the user or an administrator consents to the permissions that the app requests
      - the effective permissions of your app are the least-privileged intersection of the delegated permissions the app has been granted (by consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user.
    - - are used by apps that run without a signed-in user present
      - Only an administrator can consent to application permissions
      - for example, apps that run as background services or daemons.
      - the effective permissions of your app are the full level of privileges implied by the permission.
      - For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization
  - - - An app can receive a unique identifier for the user in the form of the sub claim. The permission also gives the app access to the UserInfo endpoint
    - - It gives the app access to the user's primary email address in the form of the email claim
    - - It gives the app access to a large amount of information about the user
    - - Access to resources on behalf of the user for an extended time. On the consent page, this scope appears as the Maintain access to data you have given it access to permission.
      - offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire.
- - - - Microsoft.StorageService
      - Microsoft.Keyvault
      - Microsoft.Sql
  - - - conect a specific resource and subresource
    - - Customer Service must have a Standard Load Balancer to conect
    - - Add a nic to the subnet in the vnet
    - - Microsoft manage DNS queries use private ip set
    - - to conect Microsft as a service
    - - to conect to a customer managed services
        
        require Azure Standard Load Balancer in destination
  - - - can be used with virtual network gateway in vnet to conect onpremise or edge from peer
  - - - traffic encrypted end to end with IPSEC
    - - Virtual Network Gateway
        
        VPN
        
        Express Route
      - Local Network Gateway
      - Connection
    - - Point to site
        
        User to Virtual Network Gateway
      - Site to site
        
        Onpremise to Virtual Network Gateway
      - Vnet to Vnet
    - - Polycy based
        
        almost deprecated
        
        limited to one device and site
      - Route Based
  - - - express route circuit
        
        Partner edge (Partner)
        
        Microsoft edge
      - Peerings
        
        Private peering
        
        to Azure services
        
        Microsoft peering
        
        to Microsoft 365 services
      - Express Route gateway
        
        Virtual network gateway in our vnet
- - - - VM
      - NIC of VM
      - Vnet of VM if there is pairing
      - Bastion
  - - - Configure or edit a JIT policy for a VM
        
        Microsoft.Security/locations/jitNetworkAccessPolicies/write
        
        Microsoft.Compute/virtualMachines/write
      - Request JIT access to a VM
        
        Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
        
        Microsoft.Security/locations/jitNetworkAccessPolicies/*/read
        
        Microsoft.Network/networkInterfaces/*/read
  - - - Distributed from Azure security center
      - Only works in Windows2008 R2 and later do not support Linux
      - is Free
      - features
        
        real time protection agains malware
        
        malware remediation
        
        automatic updates
        
        protect and reporting
        
        configure exclusion for files, processes and drives
        
        Auditing, record suspicious activities, remediation, health to events log
      - is a VM Extension
        
        name IaaSAntimalware
      - Scan time
        
        minutes afterd midnigth to run
    - - Support Windows and Linux
      - Paid
      - endpoint security solution that offers vulnerability management, endpoint protection, endpoint detection and response, mobile threat defense, and managed services in a single, unified platform.
  - - - Linux dm-Crypt + VFAT
      - Windows Bitllocker
    - - Advance configuration policy enabled
        
        Azure disk encryption for volume encryption
    - - for windows require at least 2 GB of ram
  - - - Azure Automation account
      - LogAnalytics Workspace
      - Hybryd automation account (for different enviroments (AWS, etc)
      - Log Analytics Workspace Solution (Azure monitoring solution)
    - - YUM
      - APT
      - Zypper
    - - Report status (pre-update)
      - Schedule update, review assestment, deploy statuses
      - Check for maintenance window and deployment
      - Start updates
        
        Pre-steps
        
        Updates
        
        Post-steps
    - - Add VMs different regions and suscriptions
    - - location
      - tag
      - name
- - - - Azure Password Hash Sync (PHS)
        
        Auth occur in cloud
        
        Sync Onpremise with Azure
        
        users, contacts and groups
        
        supports mfa only with azure ad mfa
        
        Only support AD Onpremise control polycies for disable accounts
        
        supports office 365 hybrid identity
      - Azure Password TroughSync (PTS)
        
        support OnPremises policies
        
        all policies enforced when the user logins
        
        supports mfa only with azure ad mfa
        
        Requires Outbound tunnel permanent from OnPremises agents to Azure
        
        requires
        
        Azure Custom domain added and verified
        
        via TXT or MX record
        
        outbound conectivity to azure ad
        
        PT Agent run on ad conect server. Could be installed in other servers for HA
        
        Sync Onpremise with Azure
        
        users, contacts and groups
        
        supports office 365 hybrid identity
        
        Detection of users with leaked credentials is not available
        
        Cannot be integrated with Azure Connect health
        
        allow enable SSO Single Sign On
        
        authentication ocurs in OnPremises
        
        Smart Lockout capability
        
        filter ips that try to buterforce passwords or atack
      - Federation AD FS
        
        authentication ocurs in OnPremises
        
        support smart card auth
        
        Allows display password expiry on windows 10
        
        support all on premises policies
        
        requires
        
        OnPremise ADFS
        
        Web Application proxy
        
        Do not support SSO
    - - Account
        
        Azure Global Administrator account from the Organization
        
        Express Setting require OnPrem Enterprise Administrator account
      - OnPremAD
        
        Enable OnPrem AD Recycle Bin
        
        OnPrem W2003 or later as Domain controller Writable or Member
        
        Domain name must be routable at internet
        
        Domain name or Altrnative UPN suffix must be equal to a custom domain registered in our Azure AD
      - OnPrem Server
        
        W2008R2 or later
        
        Powershell 3.0
        
        .NET Framework 4.5.1
        
        W2008R2 SP1 for password sync
        
        W2012 for Group managed service accounts
      - SQL Database
        
        Local SQL server 2012 expres for 100000 Objects
        
        Server with SQL server 2008R2SP2 or later
    - - Express
        
        PHS Paasword Hash Sync
        
        Sync All Atributes
        
        Enable AutoUpgrade+
        
        Start Sync
      - Custom
        
        Specify custom install location
        
        Use existing SQL
        
        Use existing service account (if not install will create one)
        
        Specify custom sync group (set of local server to manage this server)
      - User Sign-in method
        
        PHS
        
        PTS
        
        Federation with AD FS
        
        Federation with PingFederate
        
        Enable single sing on (SSO)
      - Conect directories
        
        to Azure AD using Azure Global Admintrator
        
        to OnPremises using Entreprise Administrator. It will create an account to sync.
      - UPN validation,
        
        is posible continue without matching all UPNs,
        
        UPNs dont match will not be added
      - Domain filtering
        
        Select OUs that will be sync
      - Users identiying
        
        Allow to have a unique identifier in cloud and onpremise
        
        Source Anchor can be define by Azure or we can use an user antribute . Default is mS-DS-ConsistencyGuid
      - Filtering
        
        Sync all users and devices
        
        Sync selected users
      - Optional features
        
        Password hash sync
        
        Password writeback
        
        to update passwords from Azure AD to OnPrem when the user changes it using password recovery methods
        
        Azure AD app and atribute filtering
        
        Dyrectory extension attribute sync
      - Sync manager
        
        Set the frecuency and time beetwen syncs
        
        All Syncs after the first are delta
      - Rules editor
        
        Always clone when you modify rules of sync
        
        Set scope accounts to sync
        
        Set order
        
        It could deletes what is not included in the rule
    - - require 2 serversin the enviroment
        
        Primary
        
        Staging
      - Sync OnPrem with Azure AD to build his Database
      - It will not export thos sync changes out
      - If the primary server fail, take out from staging and continue where priimary left
    - - Each account can be modified from its AD source
    - - show status of the sync, errors, etc
      - Allow manage conectors
      - Allow add other DC Controlers
    - - Requires MFA
      - Requires Devices registered
  - - - Owner
        
        full access
      - Contributor
        
        full access
        
        no roles asignment
      - Reader
        
        read all
        
        no changes
      - User Access Administrator
        
        manage user access to Azure resources
      - Compute
        
        Virtual Machine Contributor
        
        Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to
        
        Can create virtual machines
      - Storage
        
        Backup Contributor
        
        Lets you manage backup service, but can't create vaults and give access to others
      - Azure Kubernetes Service RBAC Cluster Admin
        
        Lets you manage all resources in the kubernetes cluster.
      - Virtual machine administrator login
        
        allows to view virtual machines in Azure portal and login as administrator.
        
        reset the built-in Administrator account password
      - Application Developer
        
        can create application registrations when the "Users can register applications" setting is set to No
        
        This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No
        
        Users assigned to this role are added as owners when creating new application registrations or enterprise applications.
- - - - Select the user of the AD
      - SET read, write or execute access
- - - - Free
        
        Basic health and secure recommendations
      - Standard
        
        resources Outside of azure
        
        Several monitor options
    - - Cloud App Security
      - Windows Defender Advance Thread Protection ATP
    - - Security policy
      - Recomendations
        
        Could be based in a international standard
    - - using logic apps to trigger based on a thread
      - Trigger conditions
        
        Threat detection alerts
        
        Security center recommendations
        
        Regulatory compliance standards
      - Actions
        
        executed a Logic App
    - - Advanced protection
        
        File integrity monitoring
        
        detects unusual and potentially harmful attempts to access or exploit storage accounts.
        
        available for
        
        Azure Files
        
        Azure Data Lake Storage Gen2
        
        Blob storage
        
        Types supported
        
        block blob
        
        Blob storage accounts
        
        general-purpose v2
        
        VM Vulnerability assesment
        
        Install Qualys Windows Agent on VM
        
        Install Microsoft Defender for Enpoint
        
        Just-in time VM access
        
        You can use Just-In-Time access to limit the access to the machines. This feature can actually lock down the Network Security Group. Then you need to specify request for access to RDP into the machines.
        
        Just-In-Time VM access requires ensure that there is a Network Security Group applied to either the network interface attached to the VM or to the subnet containing the virtual machine.
        
        JIT generates the rules in NSG and firewalls in front of the VM objetive
        
        Adaptive application control
        
        SQL Vulnerability assesment
        
        Network map
        
        Advanced Threat Protection
      - Services Supported
        
        Virtual Machines
        
        KeyVaults
        
        Appservices
        
        Storage
        
        SQL Servers Or Machines
        
        Kubernetes
        
        Container Registry
        
        DNS
        
        Resource Manager
        
        OpenSource relarional database
    - - Defender for Cloud collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.
  - - - SIEM: Security Inforamtion and Event Management
      - SOAR: Security Orchestration Automation and Respond
    - - detected with IA
      - respond with orchestration or automation
    - - AWS
      - Azure AD
      - AzureInformation Protection
      - Azure security Center
    - - Things you should hunt therads by monitoring
    - - Range of proper responses
    - - Visbility
      - Analytics
      - Huntings
      - Incidents
      - Automation
    - - Cant use the same Workspace for security center
      - Cant move that workspace to other location
    - - Needs role Azure sentinel responder
    - - type rules
        
        Fusion
        
        Logic hiden
        
        Only One Rule allowed
        
        Schedule
        
        ML Behavioral
        
        Logic hiden
        
        Only One Rule allowed
        
        Anomaly
        
        Logic hiden
        
        Microsoft Security
      - Create rule
        
        Can create from template o create your own schedule query rule
        
        Microsoft incident creation rule
        
        base on information that came from a azure service
    - - Livestream
        
        Live view of the Kquery used in Log Analytic WonKSpace
        
        Can create a rule from the live query used
      - Query
        
        Buil-in query rules
- - - - Buy certificate or Upload certificate pfx
      - Bind the certificate to the webapp
        
        CustomDomains>AddSSLBinding>Select certificate associated
- - - - Push and Pull images
    - - Pull images
    - - Sign images
      - Just Signer can sign images not even Owner have it
    - - Access Resource Manager
      - Pull images
    - - Delete images