This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
As announced at Ignite 2021, the Microsoft Defender for Resource Manager plan provides threat detection for malicious use of the Azure Resource Manager layer (Portal, REST API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation.
You can enable Microsoft Defender for Resource Manager on your subscription via Environment settings: select the subscription, switch the Resource Manager plan to ON (as shown below), and click Save to commit the change.
Now that you have this plan set to ON, you can use the steps below to validate this threat detection. First, make sure that:
- the script is executed by a cloud user with read permissions on the subscription;
- the Az PowerShell module is installed before running the script. It can be installed using: "Install-Module -Name Az".
After ensuring those two items are done, run the script below:
# Script to trigger the ARM_MicroBurst.AzDomainInfo alert
# Every call below is a read-only enumeration against the Azure Resource Manager layer;
# nothing is created, changed or deleted.
Import-Module Az
# Login to the Azure account and pick a random resource group in the current subscription
$accountContext = Connect-AzAccount
$subscriptionId = $accountContext.Context.Subscription.Id
$resourceGroup = Get-AzResourceGroup | Get-Random
$rg = $resourceGroup.ResourceGroupName
Write-Output "[*] Dumping information`nSubscription: $subscriptionId`nResource group: $rg."
Write-Output "[*] Scanning Storage Accounts..."
$storageAccountLists = Get-AzStorageAccount -ResourceGroupName $rg | select StorageAccountName,ResourceGroupName
Write-Output "[*] Scanning Azure Resource Groups..."
$resourceGroups = Get-AzResourceGroup
Write-Output "[*] Scanning Azure Resources..."
$resourceLists = Get-AzResource
Write-Output "[*] Scanning AzureSQL Resources..."
$azureSQLServers = Get-AzResource | where {$_.ResourceType -Like "Microsoft.Sql/servers"}
Write-Output "[*] Scanning Azure App Services..."
$appServs = Get-AzWebApp -ResourceGroupName $rg
# Second pass over App Services
Write-Output "[*] Scanning Azure App Services #2..."
$appServs = Get-AzWebApp -ResourceGroupName $rg
Write-Output "[*] Scanning Azure Disks..."
# Selected disk properties plus the expanded Encryption settings
$disks = (Get-AzDisk | select ResourceGroupName, ManagedBy, Zones, TimeCreated, OsType, HyperVGeneration, DiskSizeGB, DiskSizeBytes, UniqueId, EncryptionSettingsCollection, ProvisioningState, DiskIOPSReadWrite, DiskMBpsReadWrite, DiskIOPSReadOnly, DiskMBpsReadOnly, DiskState, MaxShares, Id, Name, Location -ExpandProperty Encryption)
Write-Output "[*] Scanning Azure Deployments and Parameters..."
$deployments = Get-AzResourceGroupDeployment -ResourceGroupName $rg
Write-Output "[*] Scanning Virtual Machines..."
$VMList = Get-AzVM
Write-Output "[*] Scanning Virtual Machine Scale Sets..."
$scaleSets = Get-AzVmss
Write-Output "[*] Scanning Network Interfaces..."
$NICList = Get-AzNetworkInterface
Write-Output "[*] Scanning Public IPs for each Network Interface..."
$pubIPs = Get-AzPublicIpAddress | select Name,IpAddress,PublicIpAllocationMethod,ResourceGroupName
Write-Output "[*] Scanning Network Security Groups..."
$NSGList = Get-AzNetworkSecurityGroup | select Name, ResourceGroupName, Location, SecurityRules, DefaultSecurityRules
Write-Output "[*] Scanning RBAC Users and Roles..."
$roleAssignment = Get-AzRoleAssignment
Write-Output "[*] Scanning Role Definitions..."
$roles = Get-AzRoleDefinition
Write-Output "[*] Scanning Automation Account Runbooks and Variables..."
$autoAccounts = Get-AzAutomationAccount
Write-Output "[*] Scanning Tenant Information..."
$tenantID = Get-AzTenant | select TenantId
Write-Output "[!] Done Running."
There may be a delay of up to 60 minutes between script completion and the alert appearing in the client environment (with an average of 45 minutes). An example of this alert is shown below:
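As an added example (not part of the original post), the following PowerShell confirms that the Resource Manager plan is actually on before you run the simulation, and then polls Defender for Cloud for the ARM_MicroBurst.AzDomainInfo alert instead of refreshing the portal during the delay window. It assumes the Az.Security module is installed, that the plan is named "Arm" in Get-AzSecurityPricing, and that alerts expose AlertType, AlertDisplayName, Severity, TimeGeneratedUtc and CompromisedEntity properties; those names are assumptions about the module, not taken from the post.

```powershell
# Added example: verify the plan state, then wait for the simulation alert.
# Assumes you are already signed in (Connect-AzAccount) to the same subscription.
# The pricing name "Arm" and the alert property names are assumed from Az.Security.
Import-Module Az.Accounts, Az.Security

function Test-ArmPlanEnabled {
    # Returns $true when Defender for Resource Manager is on the current subscription.
    $pricing = Get-AzSecurityPricing -Name "Arm"
    if ($pricing.PricingTier -ne "Standard") {
        Write-Warning "Defender for Resource Manager is '$($pricing.PricingTier)'. Enable it with: Set-AzSecurityPricing -Name Arm -PricingTier Standard"
        return $false
    }
    return $true
}

function Wait-ArmReconAlert {
    param(
        [string]$AlertType = "ARM_MicroBurst.AzDomainInfo",
        # Only consider alerts generated after the simulation started (assumed one hour ago here)
        [datetime]$Since = (Get-Date).ToUniversalTime().AddHours(-1),
        # The post states up to 60 minutes (average 45), so allow a little headroom
        [int]$TimeoutMinutes = 75,
        [int]$PollSeconds = 300
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $hits = Get-AzSecurityAlert | Where-Object {
            $_.AlertType -eq $AlertType -and $_.TimeGeneratedUtc -ge $Since
        }
        if ($hits) {
            return $hits | Select-Object AlertDisplayName, Severity, TimeGeneratedUtc, CompromisedEntity
        }
        Write-Output "[*] No '$AlertType' alert yet; polling again in $PollSeconds seconds..."
        Start-Sleep -Seconds $PollSeconds
    }
    Write-Warning "No '$AlertType' alert within $TimeoutMinutes minutes. Re-check the plan state and the account that ran the simulation."
    return $null
}

if (Test-ArmPlanEnabled) { Wait-ArmReconAlert }
```

If the plan was only switched on just before the simulation, allow the activation to settle before running the script; an alert that never arrives is more often a plan or account mismatch than a detection failure.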
Reviewers
Dick Lake, Senior Product Manager
Script by Yuval Barak, Security Researcher
Updated Feb 04, 2025
Version 6.0
Yuri Diogenes, Microsoft