Threat protection - (CWP) Microsoft Defender for Cloud

Azure Security Center (ASC) threat detection map. It maps the threat detection capabilities of ASC (now Microsoft Defender for Cloud) to publicly documented detections and stories, to further understanding of what ASC can detect.

1. Defender for SQL (PaaS\IaaS\On-Prem)

1.1. SQL Injection

1.2. Suspicious Logins

1.3. SQL Brute Force

1.4. High-privilege SQL commands

1.5. Unusual Export location

1.6. vulnerability assessment

1.6.1. permission configurations

1.6.2. feature configurations

1.6.3. database settings

2. Azure PaaS

2.1. Azure Storage

2.1.1. Malware Hash Reputation Analysis

2.1.2. Phishing campaigns, unusual access

2.1.3. NRT Malware Scanning

2.2. Azure Cosmos Database

2.2.1. Potential SQL injection

2.2.2. Anomalous database access patterns

2.2.3. Suspicious database activity

2.3. Azure KeyVault

2.4. Azure Resource Manager - Management APIs

2.5. Azure App Service

2.6. Azure Database for Open Source relational databases

2.6.1. PostgreSQL

2.6.2. MySQL

2.6.3. MariaDB

3. Defender for Containers

3.1. Architecture

3.2. Kubernetes (AKS, EKS, K8S via ARC) (cluster)

3.2.1. Gatekeeper - Policy Control

3.2.2. Runtime Vulnerability assessments (AKS)

3.2.3. creation of high privileged roles

3.2.4. abnormal service account operation and abnormal managed identity association

3.2.5. creation of sensitive mounts

3.2.6. Excessive role permissions assigned in Kubernetes cluster

3.2.7. Anomalous pod deployment

3.2.8. exposed K8s dashboards

3.3. Host level (node) Daemon set

3.3.1. web shell detection

3.3.2. Suspicious Logins

3.3.3. Privileged container creation

3.3.4. SSH Server hosted in container

3.3.5. suspicious access to API

3.3.6. Exposed Docker API \ Services

3.4. Azure Container Registry

3.4.1. Vulnerability management

4. Security Analytics

4.1. Integrated threat intelligence

4.1.1. Microsoft Threat Intelligence Center (MSTIC)

4.1.1.1. Outbound communication to a malicious IP address

4.1.2. Digital Crimes Unit

4.1.3. 3rd Party Lists

4.1.4. Cloud Service Provider sharing

4.1.5. Instruments

4.1.5.1. Sample Zoos

4.1.5.2. Original research

4.1.5.3. Dark markets

4.1.5.4. Threat feeds

4.1.5.5. Sinkholes & Honeypots

4.1.5.6. Detonation & sandboxes

4.1.5.7. Customer IR intelligence

4.2. Behavioral analytics

4.2.1. Suspicious process execution

4.2.2. Hidden malware and exploitation attempts

4.2.3. Lateral movement and internal reconnaissance

4.2.4. Malicious PowerShell Scripts

4.2.5. Outgoing attacks

4.3. Anomaly detection

4.3.1. Inbound RDP/SSH Brute force attacks

4.3.2. Bloom Filtering Multivariate

5. Defender for IoT

6. Defender for DevOps

6.1. Discover misconfigurations in Infrastructure as Code (IAC)

6.2. MSDO command line

6.2.1. Bandit

6.2.2. BinSkim

6.2.3. ESLint

6.2.4. TemplateAnalyzer

6.2.5. Terrascan

6.2.6. Trivy

6.2.7. Antimalware

7. Defender for APIs

7.1. Integrate with Azure API Management Service & Monitor API traffic to detect threats

7.1.1. Spike in API activity, including traffic, payloads, and unusually large requests

7.1.2. API parameter enumeration & manipulation

7.1.3. API Spray Requests

7.1.4. OWASP API Top 10 - Threat Detection

7.1.5. Scanning API data and tagging APIs that pass sensitive data

8. Windows

8.1. Crash dump analysis

8.1.1. Shell code discovered

8.1.2. Code injection discovered

8.1.3. Masquerading Windows Module Detected

8.2. Fileless attack

8.2.1. memory process contains attack toolkit

8.2.2. shell code

8.3. Microsoft Defender for Endpoint

8.3.1. PowerShell scripts

8.3.2. Fileless malware

8.3.3. Credential dumping

8.4. Event ID 4688 - A new process has been created

8.5. SQL Brute Force

8.6. Crypto mining attack

8.7. Integrated vulnerability assessment solution for Azure and hybrid machines

9. Linux

9.1. AuditD

9.2. crypto mining campaign

9.3. bash scripts

9.4. password spray

9.5. Microsoft Defender for Endpoint: Linux

9.5.1. EDR for Linux

9.5.2. Behavior monitoring and blocking

9.5.3. AntiVirus Solution

9.6. Fileless Attack

9.7. Integrated vulnerability assessment solution for Azure and hybrid machines

10. Kill chain intents

10.1. PreAttack

10.2. InitialAccess

10.3. Persistence

10.4. PrivilegeEscalation

10.5. DefensiveEvasion

10.6. CredentialAccess

10.7. Discovery

10.8. LateralMovement

10.9. Execution

10.10. Collection

10.11. Exfiltration

10.12. CommandAndControl

10.13. Impact

11. 474 Unique Detections

12. Test Drive Microsoft Defender for Cloud

12.1. Simulations

13. Last Updated: 1/9/2024

14. Provide Feedback ? - Sarahah - SwiftSolves

15. Defender for Servers P2

15.1. Adaptive Application Controls

15.2. File Integrity Monitoring

15.3. Azure Network Layer

15.4. VM Extension Detections

15.4.1. Sudden surge in extension usage by a suspicious account

15.4.2. Code or script execution containing parts indicating malicious intent

15.4.3. Combination of extensions indicating a recon attempt

15.4.4. Suspicious installation of disk encryption

15.5. DNS

15.5.1. Data exfiltration from your Azure resources using DNS tunneling

15.5.2. Malware communicating with C&C server

15.5.3. Communication with malicious domains, such as phishing and crypto mining domains

15.5.4. DNS attacks - communication with malicious DNS resolvers