Stage 5 · Platform
SRE Patterns on Azure
Security Operations
Microsoft Defender for Cloud, Sentinel, and threat detection patterns.
Security Operations Overview
Security operations (SecOps) on Azure encompass monitoring for threats, investigating incidents, and responding to security events. Microsoft Defender for Cloud provides posture management and threat protection, while Sentinel acts as the SIEM/SOAR platform.
- Prevent — Harden configurations, apply policies, reduce attack surface
- Detect — Monitor for threats, anomalies, and policy violations
- Respond — Automate response to known threats, escalate unknown ones
- Recover — Restore compromised resources and learn from incidents
Microsoft Defender for Cloud
Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) platform. It provides security recommendations, threat detection, and compliance scoring across your Azure estate.
# Enable Defender for Servers
az security pricing create --name VirtualMachines --tier Standard
# Enable Defender for Containers
az security pricing create --name Containers --tier Standard
# Enable Defender for Key Vault
az security pricing create --name KeyVaults --tier Standard
# View security recommendations
az security recommendation list \
--query "[?status=='Unhealthy'].{title:displayName, resource:resourceMetadata.resourceId, severity:properties.severity}" \
--output table
# Get the secure score
az security secure-scores show \
--name "ascScore" \
query "{score:properties.score, maxScore:properties.maxScore}" --output jsonThe secure score ranges from 0 to 100. Higher is better. Defender provides specific recommendations with estimated impact on the score.
Defender for Cloud has a free tier that provides basic posture management and 50 free recommendations. Enable Standard tier only for workloads that require threat protection.
Microsoft Sentinel
Sentinel is Azure's cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response). It collects data from Azure, on-premises, and third-party sources, and provides advanced analytics and automated response.
# Create a Log Analytics workspace for Sentinel
az monitor log-analytics workspace create \
--resource-group rg-security \
--workspace-name law-sentinel \
--location eastus
# Enable Sentinel on the workspace
az security workspace-setting create \
--name default \
--target-workspace "/subscriptions/{sub-id}/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-sentinel"
# Install the Azure Activity connector
az monitor data-collection rule create \
--resource-group rg-security \
--name dcr-azure-activity \
--location eastus \
--destinations-log-analytics workspaceId="/subscriptions/{sub-id}/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-sentinel" \
--data-sources syslog \
--name activity-connector \
--facility-names audit \
--protocol tcp \
--port 514Sentinel uses the same Log Analytics workspace as other Azure Monitor data. This enables correlation between security events and operational telemetry.
Threat Detection Patterns
// Detect brute force attempts against Key Vault
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where OperationName == "Authentication"
| where ResultType != "Success"
| summarize FailedAttempts = count() by CallerIP, bin(TimeGenerated, 5m)
| where FailedAttempts > 10
| order by FailedAttempts desc
// Detect unusual VM creation patterns
AzureActivity
| where OperationName == "Create or Update Virtual Machine"
| where-TimeGenerated > ago(7d)
| summarize count() by Caller, Location
| where count_ > 5
| order by count_ desc
// Detect lateral movement via SSH
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.COMPUTE"
| where Category == "CommandExecutions"
| where Message contains "ssh"
| where Message !has "authorized_keys"
| project TimeGenerated, Resource, MessageSentinel includes built-in analytics rules for common attack patterns. Customize these rules for your environment and add custom queries for unique threat vectors.
Compliance and Regulatory
Azure provides compliance certifications for major frameworks (SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP). Defender for Cloud tracks compliance with Azure Policy and provides audit-ready reports.
# View compliance by regulatory standard
az security regulatory-compliance-standards list \
--query "[].{name:name, state:state}" --output table
# View compliance by standard
az security regulatory-compliance-controls list \
--standard-name "pci-dss-3.2.1" \
--query "[].{control:name, state:state}" --output tableCompliance standards in Defender for Cloud map Azure resources to specific regulatory requirements. Use them to generate audit evidence for compliance teams.
Security Incident Response
# Create a Sentinel automation rule
az sentinel automation-rule create \
--resource-group rg-security \
--workspace-name law-sentinel \
--name auto-isolate-compromised-vm \
--display-name "Auto-Isolate Compromised VM" \
--description "Isolate VMs with active security incidents" \
--incident-number 1 \
--actions '[{
"type": "RunPlaybook",
"playbookId": "/subscriptions/{sub-id}/resourceGroups/rg-security/providers/Microsoft.LogicApp/workflows/isolate-vm"
}]'Sentinel playbooks use Azure Logic Apps to automate response. Common automations include isolating compromised VMs, disabling users, and enriching alerts with threat intelligence.
Automated response actions can cause service disruption. Start with notification-only automation, then gradually add containment actions (isolate, disable) only after validating the detection logic.
Mark this lesson complete to store local progress and unlock a cleaner resume path the next time you visit.