Thursday, December 10, 2015

security - Azure Data Out metric. View data source / destination

I have an app service that has been running for a while with steady usage. We noticed that late last night / early this morning there was a large spike in data out. Our website has an authenticated user area and we are concerned that there may have been a breach or something unauthorized happening on the site.




The site has consistently always had below 5MB/15 mins out. But the sudden spike was over 180MB then instantly back down again.



Azure metrics graph



Is there a way using Azure (Metrics or Security Center) to determine what caused the massive spike in Data Out? What data was sent, who it was sent to, etc.?
Is there anything we can enable to be able to view this data if it were to happen again? (e.g. Azure Sentinel)



Looking at other metrics, there was no obvious spike in 4XX or 5XX errors or number of requests, so we do not suspect a brute force or DoS attack.




Update:
It happened again last night. This time the spike was 600MB and in a 15 minute window the Average CPU time spiked to over one hour. Response time, number of requests and 4xx/5xx errors all remained steady.
