Incident Response and Forensics for EC2: Preparation
Regarding Task 7 in this Lab (Incident Response and Forensics for EC2: Preparation) ---- Create forensics AMI 1/4 I CANNOT find the required AMI "the ubuntu 22.04 ami with ID ami-01dd271720c1ba44f" in the AWS console as shown in the image below: Could you take a look and help me out? Thanks🙂
S3: Demonstrate Your Skills
I have completed all 10 questions except question 6. 6. Access control Create an access point (AP) called metrolio-dev-ap attached to the metrolio-data-467e6352 bucket. This should allow developers working in the dev vpc vpc-08333ea4fc7562479 using the role arn:aws:iam::447645673093:role/metrolio-developer to list and get all objects in the bucket. Ensure you follow best practices of blocking public access. NOTE: AWS often faces internal errors – we believe these to be race conditions – when applying policies to new access points. You may need to re-apply the policy to the AP. I have re-applied the Access Point policy several times but still is not detected. I’m not sure if it is my Access Point policy or the AWS Immersivelabs that is at fault. Any help would be greatly appreciated. This is my Access Point Policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::447645673093:role/metrolio-developer" }, "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap/object/*", "arn:aws:s3:eu-west-1:447645673093:accesspoint/metrolio-dev-ap" ], "Condition": { "StringEquals": { "aws:SourceVpc": "vpc-08333ea4fc7562479" } } } ] } I tried to replicate similar permissions on bucket policy only to be denied by restrictive permission. NOTE: Account ID, Bucket names and few other identifiers do not match between screenshot 1-2 and screenshot 3. The screenshot 3 is from different attempt.
Configuring Secure Web Hosting with AWS CloudFront
Hello, Q4 on this lab (Browse to the CloudFront console and click on Create a CloudFront distribution) don't complete even following all the instructions. When the deploy completes, the standard logging appears off: When I click on edit, it shows an IAM error: Anything that I can do from here to complete this task? Regards,Logging and Monitoring in AWS: Demonstrate Your Skills
Hello, In Q3 Creating EventBridge I followed the instructions as exposed, but it didn't Detect the completion. Here's how I structured the Rule: Are there any error on the way I structured the rule (don't think so) or can it be an error on the lab itself (missing content)? Thanks in advance. Regards,Microsoft Sentinel: Threat Hunting Tools You Could Be Missing Out On
As a SOC analyst, incident responder, or cloud security engineer using Microsoft Sentinel as your SIEM, you’ll be familiar with its standard features, such as incidents, analytics rules, and threat intelligence. However, you might not be so familiar with workbooks, which enable data visualisation and dynamic reporting, or notebooks, which empower you to document threat hunts and build replayable incident response playbooks. Let’s look at how these Microsoft Sentinel features can improve your incident response and threat hunting. Eyes on: monitoring metrics with workbooks One key advantage of workbooks is their ability to dynamically visualise data from a range of sources across your Microsoft environment and beyond. This provides obvious security advantages via monitoring of metrics such as request rates, egress traffic, CPU utilisation, and management plane actions. If your workbook dashboard shows an unexpected spike in requests to a sensitive resource, it could be a sign that something isn’t quite right. Visualising these metrics in near-real-time graphs helps spot early signs of compromise and speeds up detection. The other, often overlooked advantage of metrics in workbooks comes from a management perspective. Microsoft Azure offers many template workbooks for common data reporting needs, including the Cybersecurity Maturity Model Certification and Azure Security Benchmark workbooks. Up-to-date reporting on performance against these core security benchmarks is critical for security engineers to identify insecure points in your Microsoft estate. For CISOs and SOC managers, the capability to track improvements in KPI metrics like Mean Time to Triage or Mean Time to Repair can prove invaluable in monitoring SOC performance and evidencing the positive effects of realistic training. This can be achieved using the Security Operations Efficiency Workbook offered as a template workbook. To learn more about monitoring metrics with workbooks, check out the newly released Azure Workbooks: Monitoring Metrics lab. Diving deep: security analysis with workbooks From a security perspective, workbooks can be a powerful tool if you get creative. The ability to query logs and metric data across a wide range of sources means you can combine information to enhance threat intelligence and identify unusual behavior in investigations through visual comparison of standard baseline activities. Workbooks can build complex queries into logs from a range of sources, including sign-in logs, Windows Event logs, networking logs, and resource activity logs. By cleverly designing log queries within your workbooks, you can visually detect anomalous activity and chart this in workbook reports that can be shared across a SOC team. Graphically representing data in workbooks can have numerous advantages. By visualising resource relationships, you can easily identify shadow IT or resources deployed by threat actors for persistence, such as a lone resource in a location your business doesn’t use. For another example, you can diagram external collaborations in Microsoft Teams or email connections in Microsoft Outlook to identify anomalous behaviour and hunt for potential risks. By visualising data dynamically in workbooks, you can boost security analysis and threat hunting across every stage of the Cyber Kill Chain. Our Microsoft Sentinel: Security Analysis with Workbooks lab covers this further. Improved response: incident investigations with notebooks Microsoft Sentinel integrates Jupyter notebooks into the Microsoft Azure portal, enabling you to run and document code during SIEM investigations in Microsoft Sentinel. If you’re in a SOC team, notebooks provide some seriously useful advantages: Readable code for other analysts: By tracking your steps in a notebook using markdown, you can explain your queries, capture outputs, and make your work easy for another analyst to understand. Standardise your analysis and response: Once you've made a notebook for a specific security event, you can reuse it whenever a similar incident occurs. This gives you a step-by-step guide to analyse and respond to the new incident. Share incident response knowledge: Notebooks are also very easy to share with other people. If you want to train a more junior team member in how to analyse and respond to that specific security event, you can share the notebook with them. This reduces reliance on individuals, helps to prevent silos, and teaches other members of your team. Improve your response: The next time a specific security event occurs, you may realise that other data sources or queries can be helpful to investigate. It's very easy to add to and develop your notebook. This means you can improve your response over time as you iterate on the work you've already done. For hands-on experience getting to grips with notebooks, check out the Microsoft Sentinel: Introduction to Notebooks lab. Tracking threat actors: hunting with notebooks It’s not just the inherent advantages of Jupyter notebooks that this feature brings to the table. By enabling sophisticated automation and log querying, notebooks in Microsoft Sentinel can offer detailed investigation guides, empowering your threat hunting and incident response teams. By connecting natively to Microsoft Sentinel workspaces, notebooks can query Log Analytics log tables to investigate recent activity, sign-in logs, requests, and more. By collating this information into a centralised location, your investigation can seamlessly track a threat actor’s movements through your estate. Then, by storing these queries in a notebook, you can reuse them repeatedly, which can rapidly reduce investigation times for commonly occurring incidents. The example below shows a saved query that displays any write operations against a virtual machine with a provided name. It’s reusable, repeatable, and reliable. By standardising incident investigations and creating reusable, documented queries for threat hunting, you can reduce time wasted by rewriting the same playbooks repeatedly, greatly improving your SOC team's efficiency. The new Microsoft Sentinel: Threat Hunting with Notebooks lab gives hands-on experience tracking a realistic threat actor who has compromised a Microsoft Azure account. Beyond workbooks and notebooks: Empowering your SOC team Workbooks and notebooks are handy tools in Microsoft Sentinel, but they form only a small part of the arsenal. The newly released Microsoft Sentinel: Threat Hunting with Notebooks and Workbooks collection is ideal for SOC analysts, incident responders, forensics specialists, and cloud/security engineers who use Microsoft Sentinel as their SIEM and want to expand their knowledge. By adding this collection to our existing Microsoft Sentinel content, we cover the core areas of the Microsoft Sentinel (SC-200) certification while offering more advanced content for experienced SIEM users. Gain a competitive edge by building hands-on experience in realistic scenarios so you can use Microsoft Sentinel to its fullest potential. Share your thoughts Why not give this content a try and let me know how you got on? Remember, if you need help with a lab or want to collaborate with other community members, share your question on the Help forum!Decoding Coding: Picking a Language
These days, more and more jobs can benefit from being able to write simple scripts and programs, especially in cybersecurity. For example, pulling data from an API, scraping web pages, or processing large data files to extract information – the list of uses is virtually endless! Tempting as it is to dive right in, there are several things worth thinking about before you begin. This article will discuss one of the most important choices – selecting a language. What to consider when choosing a language A basic understanding of programming languages can make your life easier, increasing your adaptability and finesse in different environments. But with tons of languages like Python, Java, JavaScript, Go, Rust, and more, which one should you choose? Here are the crucial factors to consider: What's available Can you install whatever language you like to run your code, or are there limitations? If you have an enterprise-managed computer, you might not be able to install new software or languages, and you may need to use the default options. For Windows, this is PowerShell. Bash Script is the equivalent for Mac and Linux devices, and Python is often available too. Your personal experience and interest This one might sound obvious, but it does matter. We learn better and faster when we're invested in the subject. Look at your previous experiences. Have you worked with any programming languages before? Did you enjoy them? For example, if you had a good experience working with Python, let that guide your decision! That said, don't shy away from learning something new if there's a good reason or you’re curious to do so. What's trending in your organization Does your organization or team predominantly use a specific language? Not only would learning that one help you communicate better with your colleagues, but it could also give you an edge while working with systems developed in that language. Plus, there’ll be plenty of people to talk to if you get stuck! The language's capabilities and nature Like people, different languages have different strengths. Some are fantastic for web development (like JavaScript), while others are better suited for system-level programming (like C). Python is often an excellent choice. It's considered easy to learn, incredibly flexible, and powerful due to the huge catalog of packages available. While it isn't as fast as many other languages, for most purposes, it's usually more than fast enough. Java is a very widely used object-oriented programming language and can be extremely fast. The learning curve is steeper than Python, but there are loads of learning resources available. JavaScript (not to be confused with Java!) isn’t as useful for quick standalone scripts or applications, but it's the dominant language for websites and browsers, so understanding it is practically a superpower for testing and manipulating websites and applications. C and C++ allow low-level access to memory and offer a lot of flexibility – incredibly helpful when evaluating systems with these languages at their core. Available tools and training Great tools can make tough jobs easier. Certain programming languages have robust toolsets that can help automate your tasks. For instance, Python has a wide array of libraries and frameworks that make handling big projects a cinch while saving you time and effort – why reinvent the wheel when you can just import it? Take a look at what training is available for the language you’re interested in. Older and more popular languages are likely to have more to choose from, but there’s loads out there and a lot of it is free! Also, consider what tools you might already have access to within your organization. Community and support If a programming language has a large active community, it means help is readily available when you get stuck. Languages like Python, JavaScript, and Java have strong communities and plenty of online resources available. Scope for growth If you're planning to learn a language, why not pick one that's in demand? Check job boards, look at industry trends, and see if learning a particular language can give your professional growth a boost! Summary Remember, no language is “the best". The best is the one that suits your needs and circumstances. You might even find mastering multiple programming languages useful over time. Just like speaking multiple languages, the more you know, the better you can communicate in different environments! Once you understand some of the basic programming concepts, like variables and loops, it’s easier to learn a second or third language. Learning a programming language may initially seem like climbing a steep mountain. But once you get the hang of it, you'll realize that the view from the top was well worth the hike! Want to take the next step? Here are some lab collections that may help you learn a bit more about PowerShell and Python: PowerShell Basics Offensive PowerShell Introduction to Python Scripting Share your thoughts If you’re new to coding, tell us what language you’re trying out! Why did you pick it, and would you make the same choice again? Are there any specific challenges you found or any relevant experiences you’d like to share?
