- Introduction
- Framework Controls reference – Malware detections NIST
- Azure Sentinel Example queries for Workbooks
Introduction
Azure Workbooks offer detailed, interactive data exploration tools in Azure. They allow for in-depth analysis with the ability to create complex queries, interactive reports, and detailed visualizations, combining data from multiple sources.
For more information on how to create your workbooks, click here.
In this case, we have created a workbook and added it to our Security Dashboards, covering malware events, SmartScreen events and other signals that may be handy.
Having this simple workbook dashboard gives quick access to the last day's detections and lets us effectively monitor for true and false positives.
The era of malware & phishing
In the era of malware and phishing, there is a need to always do more than the EDR or a simple antivirus can tell us.
Sources like The Hacker News suggest that 70% of security incidents start on an endpoint.
As technologies evolve, so must we: if there is a log that can be inspected, it must be inspected. Where there is a control or technology we can help implement, we must do so.
What can help our EDR / malware / antivirus solution?
- Cybersecurity Educational training
- Follow frameworks or standards (ISO 27001, NIST, CIS)
- ASR / Smart Screen rules or similar technology as mitigations
- Operating System updates ( regularly update )
- Control on local firewalls ( do not disable them ! )
- Control supply chain security and interaction with your endpoints
- Block applications not known to a system or not business required
- Constant update of known applications
- Vulnerability scans
- Strong policies on administrator rights in devices
- Zero trust and Assume breach methodologies on securing endpoints
- Harden operating systems with as many requirements accomplishable as possible
- Know where your endpoints can fail or can be weak and apply mitigations accordingly
- Follow Microsoft Secure Score or other benchmarks like CIS (link to the CIS webpage)
- Have a plan for when everything goes wrong ( Backup , incident response)
- Protect your Data ( Data protection policies )
- Bring your own device policies
According to the SonicWall 2024 Report:
- Small businesses are more likely to be attacked
- Malware attacks increased 11% year over year
- Encrypted threats jumped 111%
- Cryptojacking is up 659%
- Other attacks, such as phishing, are also up
Read the full report: SonicWall threat report
Recommendations for using these dashboards / workbooks effectively
- Defender EDR deployed on all devices
- Policies for EDR updates on Windows devices
- Defender logs enabled and integrated with Sentinel (integration with XDR) -> link
- SmartScreen: visit the SmartScreen site (link)
- PUA protection: visit the PUA configuration site (link)
- ASR rules (implementation & monitoring): visit this link
With a simple Azure Workbook we will monitor, in a single dashboard, SmartScreen events and the malware detections of our EDR (Defender); this can be combined with other signals such as ASR rules, malicious scripts or malware extensions.
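As an added example (not a query from the original post), the following KQL feeds one workbook grid with Defender AV detections, SmartScreen warnings and ASR rule events from the last day, so the three signals mentioned above land in a single tile. Column names follow the standard DeviceEvents schema; the ThreatName key inside AdditionalFields for AntivirusDetection events is an assumption.

```kusto
// Added example, not from the original post.
// One query, three event families, one grid for the workbook.
let lookback = 1d;
// Defender AV detections. ThreatName in AdditionalFields is assumed.
let av = DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "AntivirusDetection"
    | extend Category = "Malware detection",
             Trigger = FileName,
             Details = tostring(parse_json(AdditionalFields).ThreatName);
// SmartScreen: URL warnings carry the URL, app warnings carry the file.
let smartscreen = DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType has_any ("SmartScreenAppWarning", "SmartScreenUrlWarning")
    | extend Category = "SmartScreen",
             Trigger = iff(ActionType == "SmartScreenUrlWarning", RemoteUrl, FileName),
             Details = tostring(parse_json(AdditionalFields).Experience);
// ASR rule hits: the ActionType itself names the rule outcome (audit/block).
let asr = DeviceEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType startswith "Asr"
    | extend Category = "ASR rule",
             Trigger = FileName,
             Details = ActionType;
union av, smartscreen, asr
| project TimeGenerated, Category, DeviceName, ActionType, Trigger, Details,
          InitiatingProcessAccountName, InitiatingProcessCommandLine
| sort by TimeGenerated desc
```

For a chart tile in the same workbook, replace the final project and sort with `| summarize Detections = count() by Category, bin(TimeGenerated, 1h)`.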
Framework Controls reference – Malware detections NIST
NIST Cybersecurity Framework, DE.CM-4 Malicious code detection
- Endpoint Security Solutions
- Network monitoring
- Application control policies
- Web Browser security settings and tools
- User education and awareness
NIST SP 800-53: Malicious code protection (SI-3)
- Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
- Configure malicious code protection mechanisms to:
- Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Assignment (one or more): endpoint, network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and
- [Assignment (one or more): block malicious code, quarantine malicious code, take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection; and
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
ISO 27001 A.12.2.1 Controls against malware
Azure Sentinel Example queries for Workbooks
Workbook Dashboard – Malware Detections (Device)
DeviceEvents
| where ActionType == "AntivirusDetection"
| sort by TimeGenerated
Workbook Dashboards – SmartScreen events
DeviceEvents
| where TimeGenerated > ago(7d)
| where ActionType has_any('SmartScreenAppWarning',
'SmartScreenUrlWarning')
| extend SmartScreenTrigger = iff(ActionType == "SmartScreenUrlWarning",
RemoteUrl, FileName)
| extend ReasonForTrigger = parse_json(AdditionalFields).Experience
| project
TimeGenerated,
DeviceName,
ActionType,
SmartScreenTrigger,
ReasonForTrigger,
InitiatingProcessCommandLine
Workbook Dashboards – ASR Rules Monitoring
DeviceEvents
| where ActionType startswith "Asr"
Workbook Dashboards – Privilege escalation, CMD.exe monitoring
DeviceProcessEvents
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has_all ("add", "user")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine
Workbook Dashboards – Rogue user creation events monitoring
DeviceEvents
| where ActionType == 'UserAccountCreated'
| where isnotempty(AccountName)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, InitiatingProcessCommandLine

