
Pack up + Afterthoughts

Environment Clean-up

  • Delete Resource Groups
  • Delete any test users from AAD/Entra
  • Remove diagnostic settings from Entra (Monitoring > Diagnostic Settings > Edit Setting > Delete)
  • Deprovision Microsoft Defender for Cloud (Environment Settings > Edit plans > turn off all plans)
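The clean-up checklist above as an Azure CLI script, added here as an example and not taken from the original post. It assumes a logged-in `az` CLI with rights over the lab subscription and tenant; the resource group, diagnostic setting and user names are placeholders, and setting `AZ=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Lab teardown helper (added example; names below are placeholders).
# Assumes Azure CLI ('az') is installed and logged in. Set AZ=echo to dry-run.
set -eu
AZ="${AZ:-az}"

# 1. Delete the lab resource groups. This also removes Bastion, Firewall,
#    the VMs and the Log Analytics workspace that live inside them.
delete_resource_groups() {
  for rg in "$@"; do
    "$AZ" group delete --name "$rg" --yes --no-wait
  done
}

# 2. Delete the test users created in Entra ID (UPNs or object IDs).
delete_test_users() {
  for upn in "$@"; do
    "$AZ" ad user delete --id "$upn"
  done
}

# 3. Remove the tenant-level Entra diagnostic setting that streamed sign-in
#    and audit logs to the workspace. Entra settings sit under the
#    microsoft.aadiam provider, so 'az rest' is used rather than
#    'az monitor diagnostic-settings'.
delete_entra_diagnostic_setting() {
  "$AZ" rest --method delete \
    --url "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/$1?api-version=2017-04-01-preview"
}

# 4. Turn off every Defender for Cloud plan by setting its tier to Free.
#    Plan names come from 'az security pricing list' unless DEFENDER_PLANS
#    is set (handy for dry runs).
disable_defender_plans() {
  plans="${DEFENDER_PLANS:-$("$AZ" security pricing list --query "value[].name" -o tsv)}"
  for plan in $plans; do
    "$AZ" security pricing create --name "$plan" --tier Free
  done
}

# usage: run_cleanup <resource-group> <entra-diag-setting-name> <test-user>...
run_cleanup() {
  rg=$1; diag=$2; shift 2
  delete_resource_groups "$rg"
  delete_test_users "$@"
  delete_entra_diagnostic_setting "$diag"
  disable_defender_plans
}

if [ "$#" -gt 0 ]; then run_cleanup "$@"; fi
```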

Lessons Learned

Be mindful of the data retention period.

The first time I ran this lab, I was configuring, troubleshooting and trying things out. I didn't really document it that well during the process, and there was so much to it that I struggled to get a grasp on documenting after the fact. This run-through was specifically for documentation purposes. After running the first observation period, I ended up getting sick, then it was Christmas break, then the new year started, and the next thing you know a month had passed before I got back to the lab. The default retention period for the plan I selected when I configured the LAW (Log Analytics Workspace) is 30 days.

I was able to look back in Sentinel and still see the old incidents, but when I tried to get specifics by querying the LAW it did not return any results. Because of this, I ran this part of the lab again. Unfortunately (although expectedly), I did not get the same attack results, so the incidents I had planned to address had changed. I still wanted to show a range of attacks/responses, so I did still include some incidents from the initial (before Christmas) observation period for the sake of documentation.

Azure Bastion and Azure Firewall are priced per hour

More on the crossroads of habitually checking Cost Management and expensive lessons.

  • Once you deploy the Bastion instance it is perpetually in a running state. I was under the impression that once the VM was deallocated/stopped, so was the Bastion. This is not the case. To the best of my knowledge the only way to stop Bastion is to delete it. Luckily, I check Cost Management semi-neurotically, so I caught this before I had to sell any organs.
  • Key takeaway: don't forget to delete it when not in use to save on cost. Consider building a logic app for this in the future that would automatically deprovision and delete at a set time.
  • Azure Firewall is great, but it is a robust feature that may not be necessary (read: may be overkill for your environment); many resources also have a built-in firewall that you can use.

Azure on iOS has limitations

  • There is an Azure mobile app, but it has limitations. It can show you resources and you're able to stop and start VMs, but you are not able to view or change the configuration of resources.
  • Microsoft Remote Desktop works beautifully on iPad. Better than expected.