Forensic capture of Azure VMs

[MiklosEC]

As a CSIRC analyst I want my Axiom Magnet workstation to be able to acquire the right credentials so that I can carry out a forensic capture of Azure VMs in the EC Azure IaaS/PaaS tenant.

• Change it so that the story isn’t about acquiring the credentials but acquiring the forensic captures USING credentials it has access to that this ticket will required rolled out as part of the definition of done
• Change to any tenant not iaas/paas

Substories:

1. As a CSIRC analyst, working on my Axiom Magnet workstation, I can assume the right S2 role in any tenant and subscription, so that the right credentials are applied to my session.
2. Once the right credentials are applied, the CSIRC analyst, can access the target VM and capture the disk image.
3. Once the right credentials are applied, the CSIRC analyst can access the target VM and capture the memory image.
4. Once the right credentials are applied, the CSIRC analyst can access the target VM and create a full clone of the VM.
5. Once the forensic image has been captured, the CSIRC analyst can can send the captured image to the Forensic image bucket in the CSIRC tenant.

[augustincolle-digit]

Some requests for clarification on my side for the capture only:

• Should this action be performed by a user (manual procedure) or a function of any kind (logic app, azure function, ...)
• How should privileges access be granted ? Auto-approved request, approval from a team leader, auto-approved only if MFA has been provided ?
• Are there many tasks (besides capture) that must be performed on the target environment, which would require elevated privileges ?

I created a first proposal for the procedure, can you have a look and tell me if this fits: https://webgate.ec.europa.eu/fpfis/wikis/display/CVTF/CSIRC+incident+response