Incident Response in Azure
Azure provides integrated security tools for incident response:
Azure Incident Response Workflow:
# Isolate compromised VM: attach a quarantine NSG to its NIC (the NSG "Quarantine-NSG" is assumed
# to already exist with deny-all inbound/outbound rules; clearing the proximity placement group,
# as some snippets do, does not isolate anything)
$vm = Get-AzVM -ResourceGroupName "MyRG" -Name "CompromisedVM"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName "MyRG" -Name "Quarantine-NSG"
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface
# Create disk snapshot: a point-in-time copy of the OS/data disk for offline forensic analysis
$disk = Get-AzDisk -ResourceGroupName "MyRG" -DiskName "MyDisk"
$snapshotConfig = New-AzSnapshotConfig -SourceUri $disk.Id -Location $disk.Location -CreateOption Copy
$snapshot = New-AzSnapshot -ResourceGroupName "MyRG" `
    -SnapshotName "IRSnapshot" -Snapshot $snapshotConfig
# Query Activity Logs for delete operations in the last 7 days
Get-AzActivityLog -StartTime (Get-Date).AddDays(-7) `
    -EndTime (Get-Date) | Where-Object { $_.OperationName -like "*Delete*" }
Azure Sentinel KQL Queries:
// Detect suspicious login patterns: more than 5 failed sign-ins per user and source IP in 24h
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"   // ResultType is a string column; "0" is a successful sign-in
| summarize FailedLogins = count() by UserPrincipalName, IPAddress
| where FailedLogins > 5
// Find unusual resource deletions: successful delete operations, who issued them and from where
AzureActivity
| where OperationNameValue contains "delete"
| where ActivityStatusValue == "Success"
| project TimeGenerated, Caller, CallerIpAddress, Resource
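The failed-login query above only surfaces volume; during an investigation the more useful question is whether any of those bursts eventually succeeded. The following Sentinel query is an added example, not part of the original page: it reuses the same 24h window and 5-failure threshold and joins the failure bursts to later successful sign-ins from the same IP, which is the trace a password spray or credential-stuffing run leaves once a credential works.

```kql
// Added example: failure bursts per source IP, then successful sign-ins from
// that IP after the first failure. Thresholds mirror the query above.
let window = 24h;
let failures = SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType != "0"                      // any non-success result
    | summarize FailedLogins = count(),
                FirstFailure = min(TimeGenerated),
                TargetedUsers = dcount(UserPrincipalName) by IPAddress
    | where FailedLogins > 5;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"                          // successful sign-ins only
| join kind=inner failures on IPAddress            // same source IP as a burst
| where TimeGenerated > FirstFailure               // success came after the failures started
| project TimeGenerated, UserPrincipalName, IPAddress, FailedLogins, TargetedUsers,
          AppDisplayName, Location
| order by TimeGenerated desc
```

A high TargetedUsers count with few failures per account points at a spray rather than a single brute-forced user; triage the successful sign-in rows first, since those are the sessions that need revoking.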