Azure security and management

Hands-on lab Lab-guide

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.

© 2018 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed

at https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx ar
e trademarks of the Microsoft group of companies. All other trademarks are property of their
respective owners
Contents

 Azure security and management hands-on lab step-by-step

o Abstract and learning objectives
o Overview
o Solution architecture
o Requirements
o Exercise 1: Configure Azure automation
 Overview
 Task 1: Create automation account
 Task 2: Add an Azure Automation credential
 Task 3: Upload DSC configurations into automation account
 Summary
o Exercise 2: Build CloudShop environment
 Overview
 Task 1: Template deployment
 Task 2: Allow remote desktop to the WEBVM1 & WEBVM2 using NAT rules
 Task 3: Configure diagnostics accounts for the VMs
 Summary
o Exercise 3: Build and configure Azure Security Center and Azure Management
 Overview
 Task 1: Provision Log Analytics through Azure Monitor
 Task 2: Explore Security Center
 Task 3: Add Service Map
 Task 4: Configure Service Map
 Task 5: Configure Update Management
 Task 6: Configure Inventory Tracking and Change Management
 Summary
o Exercise 4: Instrument CloudShop using Azure Application Insights
 Overview
 Task 1: Install and Configure the Application Insights Status Monitor
 Task 2: Explore the Application Map, configure alerts, availability tests, and
performance tests
 Task 3: Simulate a failure of the CloudShop application
 Summary
o Exercise 5: Explore Azure Security and Operations Management, Application Insights,
and build a dashboard
 Overview
 Task 1: Work with Log Analytics queries
 Task 2: Preventive maintenance using Security Center
 Task 3: Set up an Activity Log alert
 Task 4: Installing & using the Azure mobile application
 Task 5: Application Insights
  Summary
o After the hands-on lab
 Overview

Azure security and management hands-on lab

step-by-step
Abstract and learning objectives
In this hands-on lab, you will first deploy a simple web application and database to Azure IaaS
VMs, using a Resource Manager Template and Azure Automation DSC. You will then configure a
range of infrastructure management capabilities on this deployment, including Update
Management, Security Center, Service Map, Change Tracking and Application Insights. You will use
Azure Monitor to configure application alerts and send, via both email and mobile application
notifications. You will also learn how to further investigate infrastructure status using Log Analytics
queries. In doing so, you will learn both how to deploy these solutions and be introduced to their
capabilities.

At the end of this hands-on lab, you will be better able to design, implement and use a wide range
of infrastructure management systems in Azure.

Note: The setup tasks should be completed in advance of the hands-on lab to save deployment
time.

Overview
Contoso Holdings is a multi-national holding company headquartered in Los Angeles, CA that
owns 48 manufacturing companies located in North America, Europe and Asia. These companies
sell their products primarily to either distributors or large retail organizations around the world.
Contoso, as the parent company, controls the IT systems for the companies that it owns and thus
runs their e-commerce-based applications. There are about 125 of these e-commerce applications
used primarily for business-to-business purchasing by corporate buyers. These apps provide the
bulk of Contoso's 15 billion dollars in revenue per year, so they are mission critical.

Recently Contoso has started to investigate what it would take to move from on-premises
datacenters to the cloud. Most of their applications are ASP.NET running on Windows VMs with
SQL Server in a traditional N-tier configuration. Their goal is to lift and shift these applications over
to the cloud while gaining more control over the applications and improving their security posture.

They are looking for you to build out a prototype system in Azure using a sample web application
they have provided to you called CloudShop.

They are looking for management tools that will allow them to have a full end-to-end view of both
the infrastructure and application performance. Their goal will be to effectively lift and shift all
applications over to the cloud. They do not have time or money to instrument the applications. Of
course, security is on the top of the chain, so they also need a security solution and updated
management system.

Per Roberto Milian, VP of Development and IT Operations, "Contoso's primary concern is how to
best: deploy, test, manage, monitor, patch, secure and troubleshoot these applications in Azure
IaaS."

Solution architecture

Requirements
 A corporate e-mail address (e.g., your @microsoft.com email).

 Microsoft Azure subscription must be pay-as-you-go or MSDN

o Trial subscriptions will not work.

 Local machine or an Azure LABVM virtual machine configured with:

o Visual Studio 2017 Community Edition or later

o Azure SDK 2.9.+ or Later for Visual Studio
o Azure PowerShell 4.0 or later

Exercise 1: Configure Azure automation

Duration: 15 minutes

Overview
In this exercise, you will create and configure an Azure Automation account in the Azure Portal
which will be used to configure the application servers using Azure DSC.

Task 1: Create automation account

1. Browse to the Azure Portal and authenticate at https://portal.azure.com/.

2. http://portal.azure.com

3. Click +Create a resource, and type Automation in the search box.

Choose Automation from the results.

4. Select Create on the Automation blade. This will display the Add Automation
Account blade.

5. On the Add Automation Account blade, specify the following information:

a. Name: Automation-Acct

b. Resource group: HOLRGAUTO (create a new resource group)

c. Location: East US 2 or West Europe

Note: Not all Azure Automation features are supported in all regions. We suggest using
East US 2 or West Europe, whichever is closer to you. Leave the run as account state as
default.
 6. Click Create.

Task 2: Add an Azure Automation credential

1. The CloudShopSQL DSC configuration requires a credential object to access the local
administrator account on the virtual machine. Within the newly created Azure Automation
DSC configuration select Credentials in the SHARED RESOURCESsection.

2. Select the Add a credential button.

3. Specify the following properties and click Create to continue:

a. Name: SQLLocalAdmin

b. User Name: demouser

c. Password & Confirm: demo@pass123

 Important: It is important to use the exact name for the credential, because one of the
scripts you upload in the next step reference the name directly.

Task 3: Upload DSC configurations into automation account

1. Select Resource groups > HOLRGAUTO > Automation-Acct and click State
Configurations (DSC) in Configuration Management. Select configuration and then
select Add.
2. Select the + Add a configuration button.

3. On the Import pane, upload both C:\HOL\CloudShopSQL.ps1 and C:\HOL\

CloudShopWeb.ps1 files. You'll need to select + Add a configuration a second time to
upload the second file.
4. After importing the .ps1 files, select the CloudShopSQL DSC Configuration. Then,
select Compile on the toolbar (click Yeson the overwrite prompt).

5. Repeat the same steps for CloudShopWeb.

6. Make sure to review the DSC configurations to ensure they have completed the compile
before moving on to the next step.
Summary
In this exercise, you configured an Automation account, and configured DSC configuration scripts
that will be leveraged by the virtual machine resources.

Exercise 2: Build CloudShop environment

Duration: 60 minutes

Overview
In this exercise, you will run a template deployment using an ARM template provided which will
deploy a Virtual Network, Azure Load balancer, two IIS Servers and a SQL Server. The Servers will
check into Azure Automation and run the DSC Configurations that you built in Exercise 1. This will
configure the boxes with the CloudShop Application. You will also configure Inbound NAT Rules to
allow RDP access to the Web Servers. Azure diagnostics will also be configured into a new storage
account for the VMs.

Task 1: Template deployment

1. In the portal, open your Azure Automation Account created earlier.

2. Under Account Settings, locate the and select Keys.

3. Open Notepad and copy both the Primary Access Key and the URL. These will be needed
inputs for the template deployment.

4. In the Azure Portal, select the +Create a resource button. In the Search box, type Template
Deployment.

5. Select Template Deployment and click Create on the following screen.

6. On the Custom deployment screen, select Build your own template in the editor.

7. Select Load File.

8. In the Choose File to Upload dialog, navigate to the C:\HOL folder, and locate
the OMSHacakthon-azuredeployappgw.json file.

9. The JSON file will now be in the text window and the Parameters, Variables,
and Resources should load in the Window. Select Save.

10. Once saved, the window will change to a screen which is asking for inputs. Use the
following information to complete the form:

Note: In your student files C:\HOL\parameters.txt there is a parameters file that you can use
to quickly copy and paste into the portal.
o Subscription: Use the current subscription

o Resource Group: HOLRG (create a new resource group)

o Location: Choose the closest Azure region to you.

o HOL Storage Type: Premium_LRS

o HOL VM Name: WEBVM1

o HOL VM Admin User Name: demouser

o HOL VM Admin Password: demo@pass123

o HOL VM Windows OS Version: 2016-Datacenter

o HOL Public IP DNS Name: hol-then-five-random-lowercase-characters

o Registration Key: Locate in the Automation Account Blade/Keys

o Registration URL: Locate in the Automation Account Blade/Keys

o Webnode Configuration Name: CloudShopWeb.WebServer

o Sqlnode Configuration Name: CloudShopSQL.SQLSERVER

o Reboot Node If Needed: true

o Allow Module Overwrite: true

o Configuration Mode: ApplyAndMonitor

o Configuration Mode Frequency Mins: 15

o Refresh Frequency: 30

o Action After Reboot: ContinueConfiguration

o HOL SQL VM Name: SQLVM

o HOL SQL VM Admin Name: demouser

o HOL SQL VM Admin Password: demo@pass123

o HOL Sql VMSKU: SQLDEV

o VM Size SQL: Standard_DS2_v2

o HOL VM2Name: WEBVM2

o HOL VM2 Admin Name: demouser

o HOL VM2 Admin Password: demo@pass123

 o HOL VM2 Windows OS Version: 2016-Datacenter

o Application Gateway Size: Leave default

o Capacity: Leave default

o Web AV Set Name: webAVSet

11. Once completed, choose the I agree to the terms and conditions stated above, and then
click Purchase.

12. This deployment should take about 25-30 minutes. The servers will take some time to check
in with Azure Automation and configure the CloudShop application.

Note: Wait for the Deployment to successfully complete before to moving on to the next
steps.

13. Now that the servers are built, and the deployment is complete, let's verify the servers are
up and running properly. In the Azure Portal, Open the AppGWVnet and create a VNet
Peering with hackathonVnet following the steps below:

a. In the AppGWVnet blade, in settings area select Peering.

b. At the top select +Add and complete the form.

i. Name: PeeringtoHackathon

ii. Virtual Network: hackathonVNet

iii. Configuration: Select Allow forwarded traffic and Allow gateway transit

14. In the Azure Portal, go to Resource Group HOLRG, select and click to open PublicIP1.
Select Configuration in the Settingsarea and put a DNS name level cloudshop-
XXXX (where X represents unique numbers to make sure it is unique).

15. Repeat the same steps to create a peering from hackathonVnet to AppGWVnet.

Task 2: Allow remote desktop to the WEBVM1 & WEBVM2 using NAT
rules
Now that the deployment and the application is up and running, the next step is to allow RDP to
the Web Servers. There are many ways you can achieve this, including provisioning a dedicated
jump box (or bastion host) in the same VNet where the web servers reside as well as simply
attaching a public IP to one of the web servers and using that as a jump box. It is also possible to
forward RDP traffic through Azure Load Balancer. For this task, you will be attaching a public IP to
one of the web servers. h that to Web Server 1

1. Click + Create a resource and type Public IP Address. Complete the blade with the
following information

o Name: Webserver1PublicIP
 o SKU: Basic

o IP Version: IPv4

o IP Address Assignment: Dynamic

o DNS Name label: Put unique DNS Prefix

o Resource Group: HOLRG

o Location: Same location as your web server.

2. Click Create to create the IP.

3. Once Created, open the Webserver1PublicIP blade and associate it with Web Server 1
Network Interface.

4. In the Azure portal, select WEBVM1, and the Connect Link should now be available.
Select Connect.
5. On the 'Connect to virtual machine' blade, ensure the RDP tab is selected and
choose Download RDP File.

6. Select Open when the RDP file downloads.

7. You will get a warning about the publisher of the RDP file being unknown. Select Don't ask
me again for connections to this computer and click Connect.

8. When prompted by Windows Security, enter your credentials:

 o User Name: demouser

o Password: demo@pass123

9. A warning will appear stating The identity of the remote computer cannot be verified.
Do you want to connect anyway?. Select the checkbox for the disclaimer Don't ask me
again for connection to this computer. and then select Yes.

Note: When connecting to machines during this lab for the first time, you may encounter
the same warnings. Follow these same steps to no longer receive those warnings as they do
not apply to our setup.
10. When logging on for the first time, you will see a prompt on the right asking about network
discovery. Select No.

11. Notice the Server Manager opens by default. On the left, select Local Server.

12. On the right side of the pane, select On by IE Enhanced Security Configuration.
13. Change to Off for Administrators and select OK.
14. In the lower left corner, select the Windows button to open the Start Screen.
Then, Internet Explorer to open it. On first use, you will be prompted about security
settings. Accept the defaults by selecting OK.
 15. Leave your RDP Session to WEBVM1 open and minimized. Then, repeat this same
procedure for WEBVM2.

Task 3: Configure diagnostics accounts for the VMs

In this task, you will configure the VMs to capture diagnostic data in an Azure Storage Account.
Later you will connect this account to Azure Security Center and Log Analytics.

1. In the Azure Portal, navigate to the HOLRG Resource Group and locate WEBVM1. Select
the name to open the blade.

2. On the WEBVM1, locate the Monitoring section, and select Diagnostic Settings
3. Select the Enable guest-level monitoring button. This will load more information to
choose from. Select the Storage Account Configure Required Settings, and then, choose the
Storage Account you just created.
 Note: If you receive an error at this stage. Navigate to All Services -> Subscriptions ->
Resource Providers -> and ensure the Microsoft.Insights resource provider is registered.

4. Select the Configure performance counters.

5. Next check the ASP.NET box and select Save.

6. This will submit a deployment for WEBVM1.

7. Complete the same steps for WEBVM2.

8. Next, using the same steps, configure SQLVM for diagnostics capture as well. Select the
following metrics for this SQL Server, and select Save.

a. SQL Metrics
 Note: You will need to wait for the portal to complete the updates to all VMs before
moving to the next exercise.

Summary
In this exercise, you ran a template deployment using an ARM template provided which created a
Virtual Network, Azure Load balancer, two IIS Servers and a SQL Server. The servers checked into
Azure Automation and ran the DSC Configurations that configured the boxes with the CloudShop
Application. You then configured a public IP to access the servers through a jump box and
successfully connected to them through RDP. Azure diagnostics was also configured with a new
storage account for the VMs.

Exercise 3: Build and configure Azure Security Center and

Azure Management
Duration: 30 minutes

Overview
The next step is to provision the Azure security and Azure management components of Azure
Automation, configure the VMs for the CloudShop application to be managed by the portal, and
configure the diagnostics storage account to load data into the Log Analytics platform.
Additionally, you will configure Update Management, Inventory Tracking and Change
Management as well as install and configure the Service Map solution pack.
Task 1: Provision Log Analytics through Azure Monitor
1. Open the Azure portal and navigate to All services, search for Log Analytics.

2. In the Log Analytics blade, select + Add.

3. Complete the OMS Workspace blade using the following information. Then, select OK:

a. OMS Workspace: Unique name

b. Subscription: Select the current subscription.

c. Resource Group: HOLRG

d. Location: Closest to your deployment

e. Pricing Tier: Select Per GB

4. The deployment will only take a few moments to complete. Upon completion, open Log
Analytics by clicking on the Log Analytics resource within the HOLRG resource group.

5. Open the newly created oms log analytics workspace and select Virtual Machines which is
found in the Workspace Data Sources section.

6. A list of the VMs in your subscription will be shown in the list. You may want to filter your
view to see the VMs for this HOL. You will add the WEB and SQL VMs.
 7. Select the SQLVM to load a blade to the right. Then, click on Connect to add it to this Log
Analytics Workspace.

8. Follow the same steps for the WEBVM1 & WEBVM2.

9. The portal should update to show that they are now a part of This workspace once they
have all been added.

Task 2: Explore Security Center

1. Open the Azure portal and navigate to the Security Center menu option (All Services >
Security Center).
2. This will present the Security Center - Overview screen. For this exercise, you want to
upgrade to the Standard tier which extends the capabilities of the Free tier to workloads
running anywhere, including on-premises. It provides unified security management and
threat protection across your hybrid cloud workloads. The Standard tier also adds advanced
threat detection capabilities, which uses built-in behavioral analytics and machine learning
to identify attacks and zero-day exploits, access and application controls to reduce
exposure to network attacks and malware, and more.

3. Select Start trial if present (your subscription may already be enabled for Standard).

4. Close the panel and navigate back to the Security Center Overview screen. Click
on Security policy under the Policy & Compliance section. Review the policy options that
can be automatically applied to your subscription.
 5. Click on Recommendations on the left navigation. Note the different options and
the SECURE SCORE IMPACT. This lets you know the impact of the changes on your overall
security score (the higher the better).

6. Click the option for Install monitoring agent on your Virtual machines. On the next
screen, click Install agents to turn on automatic provision of the monitoring agent.

7. On the next screen, accept the default workspace configuration and click Save to enable
monitoring. This will automatically install the agent on any new or existing virtual machines
in the subscription.

8. After a few minutes, refresh the portal and click on Compute & Apps. You will see
the Resolve monitoring agent health issues on your machines move to an orange state.
Click on the orange bar and you will see that this recommendation is being remediated.

9. Next, click on the Recommendations tab again and remediate the Install endpoint
protection solution on virtual machines recommendation by clicking on it and following
the directions to install Endpoint Protection on all of the virtual machines except LabVM.

Note: You can accept the default configuration options for Microsoft Endpoint protection.
You will explore Azure Security Center more later in this lab, including configuring alerts and
preventative maintenance.

Task 3: Add Service Map

In this section, you will add the Service Map solution to Log Analytics.

1. From the Azure portal, click the + Create a resource Link followed by Management
Tools and See all.
2. Note there are many solutions available, and more are added frequently. Browse the
solutions to gain familiarity with the options.
3. Locate the Service Map solution and select it. If you don't see it on the page, use
the Search Monitoring + Managementfield at the top of the screen to search for Service
Map. On the Details page, you can read about the solution. When ready, select Create.

4. Select the Log Analytics workspace you created and click Create.
Task 4: Configure Service Map
To configure the Service Map functionality, the Microsoft Dependency Agent needs to be installed
on each virtual machine. This can be installed as a VM extension. For this lab, we'll install the VM
extension for Service Map using the Azure CLI.

1. Open the Azure Cloud Shell by clicking on the 'Cloud Shell' icon.

Note: If this is your first time using the Azure Cloud Shell, you will be prompted to choose
between a Bash Shell and PowerShell. Choose Bash Shell. Also, you will be prompted to
create a storage account for use by the Cloud Shell.

2. The Cloud Shell will open at the bottom of the Azure portal browser window. (If a
PowerShell has been selected, change to the Bash Shell.) In the Bash Shell window, type the
following command:

3. az vm extension set --publisher Microsoft.Azure.Monitoring.DependencyAgent --version 9.1

--name DependencyAgentWindows --vm-name WEBVM1 --resource-group HOLRG
Note: This command will take a minute or two to run.
4. Repeat the above command two more times, replacing the --vm-name parameter
with WEBVM2 and then with SQLVM.
5. In the Azure Portal, navigate to the All Resources menu and locate the Service
Map resource you created earlier. Click on the resource name.

6. This will bring up the Service Map blade and you'll see that it is already populated with
some data. Since we installed the agent on the three Windows virtual machines, the Service
Map is showing these virtual machines now reporting data. Click on the Service Map tile.

7. When Service Map loads, click on WEBVM1 to see the data that has been analyzed for that
virtual machine.
Task 5: Configure Update Management
The Update Management functionality will be configured through your Virtual Machines.

1. In the Azure Portal, browse to WEBVM1.

2. Select Update management under OPERATIONS.

3. Select your Log Analytics workspace and Automation Account and select Enable.

Note: In some cases, your Log Analytics workspace may not be shown if it is located in a
different region or geography. In this case, use the option provided to create a new Log
Analytics workspace.

4. Wait for the deployment to complete. This can take up to 15 minutes.

Note: Do not navigate away from the Update Management blade until the deployment
message reads "The 'Update Management' solution is being deployed on this virtual machine.
This can take a few minutes. You can do other work while this is in progress.".
5. While the solution is deploying, navigate to WEBVM2 and repeat steps 2-4.

6. While the solution is deploying, navigate to SQLVM and repeat steps 2-4.

7. Verify that the solution has been deployed by navigating to WEBVM1 and clicking
on Update management under OPERATIONS.

8. The Portal shows the Update Management dashboard for the virtual machine. Here you can
see which updates are pending, and the overall update compliance status of the VM.

9. Click on Schedule update deployment. The portal shows the 'New update deployment'
blade, where you can choose which updates to deploy (based on classification), which to
exclude (based on KnowledgeBase ID), when to deploy, and the duration of the
maintenance window (updates not deployed within 20 minutes of the end of this time
window are omitted so the VM can reboot.).
10. Review the update settings, but do not configure an update deployment (to save time
during the lab). Close the New update deployment blade.
 11. Click on Manage multiple machines. This brings you to the Update Management view
within the Azure Automation portal experience. This gives you an overview of update
compliance across all of your VMs.

Note: It may take several minutes before data is shown in this view.

Task 6: Configure Inventory Tracking and Change Management

The Update Management functionality will be configured through Azure Automation.

1. In the Azure Portal, browse to WEBVM1.

2. Select Change tracking under OPERATIONS.

3. Verify the Log Analytics workspace and Automation Account and select Enable.
4. Wait for the deployment to complete. This can take a few minutes.

Note: Do not navigate away from the Update Management blade until the deployment
message reads "The 'Change Tracking and Inventory' solution is being deployed on this
virtual machine. This can take a few minutes. You can do other work while this is in progress.".

5. While the solution is deploying, navigate to WEBVM2 and repeat steps 2-4.

6. While the solution is deploying, navigate to SQLVM and repeat steps 2-4.

7. Verify that the solution has been deployed by navigating to WEBVM1 and clicking
on Change tracking under OPERATIONS.
Summary
In this exercise, you provisioned the portal, configured the VMs for the CloudShop application to
be managed by the Portal, and configured the diagnostics storage account to load data into the
Log Analytics platform. Additionally, solution packs were installed and configured to gather data
and provide dashboards for applications deployed in Azure IaaS. You also configured Service Map
and now understand how it surfaces data.

Exercise 4: Instrument CloudShop using Azure Application

Insights
Duration: 45 minutes

Overview
In this exercise, you will instrument the CloudShop using Application Insights at runtime. This will
be accomplished by installing the Applications Insights tool on the web services and configuring
an Application Insight workspace in Azure. Then, you will configure Application Insights to perform
web tests and alerts. The final task will be to connect the Application Insights workspace to send
data to the Portal.

Task 1: Install and Configure the Application Insights Status Monitor

To read more about this tool follow this link.

1. Open a Remote Desktop Connection to WEBVM1.

2. Open Internet Explorer and follow this link: http://bit.ly/2jxQ43z. Select Run on the
Question if you want to run the file: AppliationsInsightsMonitor.exe.

3. This will start the Web Platform Installer. Select Install followed by I Accept on the
following screen, and Continue.
4. Once the Monitor is installed, select the Sign In link under the Configuration.

5. You will sign-in to Azure as normal.

6. Under the Send telemetry to: Select Default website under New Application Insights
resource. Then, click Configure settings.

7. On the Configuration settings for Application Insights, complete the information as

follows, and select OK:

o Microsoft Azure Subscriptions: Use the same subscription

o Resource Groups: HOLInsights (It will create a new RG in Azure if you

type HOLInsights)

o Application Insights Resource: HOLCloudShop

o Location: Select the same region as your deployment.

8. This will build the Application Insights workspace for you in Azure.

9. Next, select Add Application Insights.

10. Click Restart IIS to complete the setup.

11. This will only take a few seconds. Now, the CloudShop application running on WEBVM1 is
instrumented and sending data to Azure Application Insights. The monitor
on WEBVM1 should now look like below:
12. Connect to a Remote Desktop Session for WEBVM2. To connect to WEBVM2, you can RDP
to its private IP from WEBVM1.

13. Open Internet Explorer and follow this link: http://bit.ly/2jxQ43z. Select Run on the
Question if you want to run the file: AppliationsInsightsMonitor.exe. You may need to
change the internet explorer security settings to allow download file in order to install.

14. This will start the Web Platform Installer. Click on Install followed by I Accept on the
following screen, and Continue.

15. Once the Monitor is installed, select the Sign In link under the Configuration.

16. You will sign-in to Azure as normal.

18. Under the Send telemetry to: Select Default website under Existing Application Insights
resource. Then, click Configure Settings.

19. On the Configuration settings for Application Insights, complete the information as
follows, and select OK:

a. Microsoft Azure Subscriptions: Use the same subscription

b. Resource Groups: HOLInsights

c. Application Insights Resource: HOLCloudShop

d. Location: Select the same region as your deployment.

 20. This will attach WEBVM2 to the Application Insights workspace you created a moment ago
in Azure. Next, select Add Application Insights.

21. Select Restart IIS to complete the setup.

Note: This will only take a few seconds. You can disconnect from WEBVM2 when done.

Task 2: Explore the Application Map, configure alerts, availability tests,

and performance tests
1. Open the Application Insights blade by clicking All services, followed by Application
Insights (use the search filter to help you find it).

2. Select HOLCloudShop, followed by Application map.

3. Take a few minutes to explore the Application map. Click on each node in the application
map and look at the data available.

4. Close the Application Map pane, then click on Alerts.

5. Select View Classic Alert (next to the bell icon) then select +Add Metric Alert
(Classic), complete the blade with the following information, and select OK:

o Name: CloudShopProcessorAlert

o Metric: Processor Time

o Condition: Greater than

o Threshold: 80

o Period: Over the last 5 minutes

o Notify via: Email owners, contributors and readers -- Check the Box
6. Select OK to save the alert. The portal will update with the new alert.

7. In your HOLRG, locate the PublicIP Address, take note of the DNS name which is on the
front of the load balancer Application Gateway for the CloudShop App running
on WEBVM1 & WEBVM2.

8. Next in the HOLCloudShop Application Insights workspace, under the Investigate section,
select Availability
9. Select +Add test, and complete the blade using the following information. Then,
select Create.

o Test name: CloudShopWebTest

o Test type: URL Ping Test

o URL: http://cloudshop-XX.southcentralus.cloudapp.azure.com

o Test locations: Choose locations from all over the world.

o All other accept defaults.

10. Select Create to create the availability test.

Note: If the CloudShop Application becomes unavailable to this WebTest, you will then
receive an email alert from Azure Application Insights.

11. Select Performance Testing in the Configure section.

12. Select +New.

13. Click on Configure Test Using and complete this using these inputs. Then, select Done.

o Test Type: Manual Test

o URL: http://cloudshop-XXX.southcentralus.cloudapp.azure.com

14. Complete the New Performance Test blade using the following information, and click Run
Test.

o Name: CloudShopLoadTest

o Generate Load from: Select a Region

o User Load: 2000

o Duration: 5
15. Select Run Test to start the performance test.

Note: An error may occur if you do not have an Azure DevOps Account configured. If so,
then you'll need to create one before setting up the Performance Test.

16. Once this is submitted it will show as Queued. Select the line and then details about the
performance test will be shown.

17. Select the Messages box to see the details of the test.
18. Now, head back to the Overview blade of the HOLCloudShop Application Insights and
select Live Metrics Stream.

19. Real-time application information can be seen regarding the CloudShop App running in
Azure on our IaaS VMs. Here, you can wait for the Performance Test to run, and show how
the Web Application performs.
20. If you go back to the Performance Testing blade, and click on CloudShopLoadTest, you
will see the metrics from the test run.

21. Close the Performance Test and click on the Performance under Investigate.
22. Explore the metrics from the CloudShop application.

23. The Load Test should also have caused the alert on high processor usage to be triggered.
An email should have been received.
 Note: The email may take several minutes to arrive. You can proceed with the lab and check
for the email later.

24. The alert will quickly resolve as the Load Test has completed causing the CPU condition to
quiet.
Task 3: Simulate a failure of the CloudShop application
1. Move to your HOLRG Resource group and stop both WEBVM1 and WEBVM2.

2. Navigate back to the HOLCloudShop Application Insights portal. Select Availability and
notice that the availability tests have start to fail once the web VMs are stopped.
3. Select CloudShopWebTest to open the test summary blade. Notice how the tests are
failing from all regions.
4. A few email alerts should come into your inbox.
5. Select the See the analysis of this issue link in the email which will load the Azure portal.

6. Move back to your HOLRG and restart the VMs.

7. Once the VMs are back online, the website will come back up. This will initiate responses to
the Web Test and sending data to the Applications Insights portal. An email will be sent
resolving the alert. After a period of time, the Smart Detection Alert will also resolve.
Summary
In this exercise, you instrumented the CloudShop using Application Insights at runtime. This was
accomplished by installing the Application Insights Monitor for the web services and configuring
an Application Insights workspace in Azure. Then, you configured Application Insights to perform
web tests and alerts.

Exercise 5: Explore Azure Security and Operations

Management, Application Insights, and build a dashboard
Duration: 45 minutes

Overview
In this exercise, you will explore the information and data being provided by Azure Security and
Operations Management and Application Insights to gain situational awareness of the application
and infrastructure. You will look at the security posture of the infrastructure, the applications
performance, and build a dashboard that can be used to manage it moving forward.

Task 1: Work with Log Analytics queries

In this section, we will perform an ad-hoc search in Log Analytics data to see where our servers are
not in compliance with security baselines. In the Log Search interface, we can perform ad-hoc
searches against the log data being ingested into the Log Analytics service. Because the data is
indexed, searching is very fast.

1. Open the Azure portal and navigate to Azure Monitor by clicking on All services,
searching for log analytics, and selecting Log Analytics.

2. Select Log from the left under General.

3. In the query editor, enter the following query: Update | where OSType!="Linux" and
Optional==false. Select Run. This will search the Update management logs and report
results. There are many other data sources we can query.

4. Update |
5. where OSType!="Linux" and Optional==false

Note: you may have less or more data, but keep in mind, the service has only been
collecting data since you began the lab.

6. Notice in the left, there are different types of data. Select Windows Defender followed
by Apply.

7. Notice the query dialog (where you entered a search before) has a search string in it
querying for the type Product==Windows Defender.
8. As you click on options in Log Search, queries are built automatically. Also, notice the
results are paired down to a smaller subset of data. Click on Table to view the data in a
column and row format.

9. This is a list of Windows virtual machines tracked in Update management that have pending
updates for Windows Defender. To further refine the list, scroll on the left down
to UPDATESTATE and select Needed (this option may not be shown if all updates are
already installed). Notice the query automatically updates as it is a single point to refine.

10. Further refinements can be made as needed. Select additional refiners to update the search.

11. Next, sort the findings, so the computers are sorted alphabetically. Click on the column
header Computer until the virtual machines are sorted correctly.

12. Now we will export the list. This may be helpful if we wanted to share the findings list out
amongst administrators, so several people can help remediate the findings. Click on Export.
13. Once the report is exported, you are prompted what to do with the file. Select Save. Once
completed, click on Open. Choose Notepad to open the file**.

12. Review the text file. Then, close it. You can also copy the file to your local PC and view it in
Excel.

13. Because this is a useful query, we can save it to be able to quickly run it again anytime we
wish. First, copy the search query to the clipboard.
14. Click the Saved Searches followed by + Add.

15. Complete the Add Saved Search Blade with this information:

o Display Name: Computers Needing Windows Defender Updates

o Category: My Queries

o Query: Paste the query from your clipboard.

o Function Alias: WindowsDefNeeded

16. Select OK.

17. Let's explore some more sample queries. These are taken from the repository
at: https://github.com/MicrosoftDocs/LogAnalyticsExamples/tree/master/log-analytics.

Replace the current query with the following:

let start_time=ago(23h);
let end_time=now();
Heartbeat
| summarize heartbeat_per_hour=count() by bin_at(TimeGenerated, 1h, start_time),
Computer
| extend available_per_hour=iff(heartbeat_per_hour>0, true, false)
| summarize total_available_hours=countif(available_per_hour==true) by Computer
| extend total_number_of_buckets=round((end_time-start_time)/1h)+1
| extend availability_rate=total_available_hours*100/total_number_of_buckets

18. Click Run.

19. Select Table output. Notice how this query calculates VM availability, based on heartbeat.
 For more information on how this query works,
see: https://github.com/MicrosoftDocs/LogAnalyticsExamples/blob/master/log-analytics/
server-availability-rate.md.

20. Replace the current query with the following:

21. // Find all processes that started in the last 3 days. ID 4688: A new process has been
created.
22. let RunProcesses =
23. SecurityEvent
24. | where TimeGenerated > ago(3d)
25. | where EventID == "4688";
26. // Find the 5 processes that were run the most
27. let Top5Processes =
28. RunProcesses
29. | summarize count() by Process
30. | top 5 by count_;
31. // Create a time chart of these 5 processes - hour by hour
32. RunProcesses
33. | where Process in (Top5Processes)
34. | summarize count() by bin (TimeGenerated, 1h), Process
35. | render timechart

36. Click Run.

Note: This query uses security events (only available when using the Standard tier of
Security Center) to identify how often each process was run in the past 3 days, and then
calculates the most commonly run processes. For more information,
see https://github.com/MicrosoftDocs/LogAnalyticsExamples/blob/master/log-analytics/
top-5-running-processes-in-the-last-3-days.md.

Task 2: Preventive maintenance using Security Center

In this section, we will use the Security Center Overview screen to review what preventative steps
we can take to protect our environment.
1. Within Security Center Overview page, there are five tiles in the middle of the screen
under Resource security hygiene.

2. Click on the Compute tile to drill into the security health of your compute resources.

3. Notice there are several recommendations at the bottom of the screen. Let's go ahead and
drill into these recommendations. Click on the Missing disk encryption item.

4. This brings up the Apply disk encryption blade. This gives a description of Azure disk
encryption, links to instructions, and a list of virtual machines affected.
5. Close the panel and navigate back to the Security Center Overview page. This time click
on the Networking tile to drill into the security health of your networking resources.

6. Review the items showing in the Networking Recommendations. We won't implement

these recommendations today, but if we wanted to, we could click on the item and
implement each recommendation from this panel.
7. Close the panel and navigate back to the Security Center Overview screen. This time, click
on the Data & storage tile.

8. Notice this tile is green which is an indication the resources are in a healthy state. Azure
Security Center will flag the tile as red if there are critical recommendations that need to be
addressed.
9. As a last step, navigate back to the Security Center Overview screen and click on
the Identity & access tile.

10. As you review the Applications Security Health, notice in this example there's a
recommendation to assign a second subscription owner.

11. Go ahead and close this panel and return to the Security Center Overview page.

12. Azure Security Center provides a quick way to see all the recommendations we just saw in a
single view. Click on the Recommendations tile under the Overview section.

13. This presents the same recommendations you saw by navigating to each resource type in
the previous steps. Clicking each of the recommendations will provide you with additional
steps you can take to remediate the issue.
Task 3: Set up an Activity Log alert
If one of the virtual machines in the resource group were to be stopped (deallocated), that's a
condition you would want to be notified of. In this section, we will set up an activity log alert to
detect this condition.

1. Open the Azure portal and navigate to Azure Monitor by clicking All services, searching
for "monitor", and selecting Monitor.

2. Select Alerts followed by New Alert Rule.

3. Under Define alert condition, click on + Select target.

4. In the 'Select a resource' blade, open the Filter by resource type drop-down and
select Virtual machines. The UI will show each virtual machine in your subscription,
grouped into resource groups. Click on the HOLRG resource group to select all the virtual
machines in that resource group as the target resources monitored by this alert rule. Verify
this selection in the 'Selection preview', then click Done.
5. Under Define alert condition, select + Add criteria.

6. In the 'Configure signal logic' blade, open the Monitor service drop-down and
select Activity Log - Administrative. In the search field, enter deallocate. Click
on Deallocate Virtual Machine (VirtualMachines).
7. If you have recently stopped the virtual machines, you will see a history of those events,
otherwise the chart will show 'No data to display'. Leave the settings at their default values
and click Done.
8. Under Define alert details, fill in as follows:

o Alert rule name: Alert on VM deallocate

o Description: Raise an alert any time any VM in the HOLRG resource group is
stop-deallocated.

o Save alert to resource group: HOLRG

o Enable rule upon creation: Yes

9. Under Define action group, select + New action group.

Note: Action groups define what action is taken when an alert is fired. They are defined
separately from the alert rule, so that the same action group can be re-used across multiple
alerts.

10. Fill in the first section of the Add action group blade as follows:

o Action group name: Mobile app push notifications action group

o Short name: Mobile Push

o Subscription: Choose your subscription.

o Resource group: HOLRG

11. In the table under Actions, under Action name enter Notify mobile app. Open the drop
down under Action Type and select Email/SMS/Push/Voice.
12. The Email/SMS/Push/Voice blade should open automatically (if it does not, click on Edit
details). Enable the checkbox for Azure app Push Notifications, and fill in your Azure user
ID, then select OK.

13. All alert settings are now complete. Select OK to close the 'Add action group' blade, then
click on Create alert rule to close the Create rule blade. You will see a notification once the
alert has been created.

Note: It may take up to 5 minutes after the alert rule is created for the alert to become
active.
Task 4: Installing & using the Azure mobile application
In this section, you will take your monitoring solution mobile by installing and configuring the
Azure mobile application.

1. Open the AppStore or Google Play on your mobile device. Locate the search box and
type Microsoft Azure, and press enter.

2. When you locate the Microsoft Azure application, install it to your device.

3. Once the application has been installed, you will need to allow the application to send you
notifications.

4. Next, touch the Sign in button.

5. Once the login page loads, enter your Azure Credentials.

 6. Once you are logged into the app, navigate to the Notifications menu to see there are
currently no notifications.

7. Putting the phone aside for a moment, in your desktop web browser, navigate to
the Virtual Machines list in the Azure portal.

8. Click on checkbox next to WEBVM1, then click Stop, followed by Yes at the confirmation
prompt. This will stop (deallocate) this virtual machine, which should trigger our alert and
notify you through the Azure mobile application.

9. In a few moments, you should receive an alert through the Azure mobile app that the virtual
machine was stopped (deallocated).

Task 5: Application Insights

Understanding what is happening within an application can be very challenging, but with the
Application Insights configured for CloudShop, there is great telemetry being fed to Azure which
can be viewed and acted upon. Here, you will investigate that data regarding how the CloudShop
is performing.

1. Open the Azure portal and navigate to Azure Monitor by clicking on All services,
searching for "monitor", and selecting Monitor.
2. Click on the Application Insights tile, then select HOLCloudShop.

3. From the Application Insights blade, click on Pin to Dashboard.

4. Under the INVESTIGATE section, click the Performance item.

5. The Performance feature of Application Insights allows us to get rich performance

monitoring and easy to consume dashboards.

6. This dashboard gives near real-time insight into the performance of your application. In the
screenshot below, you can see this application appears to have a performance issue with
the Home/Index page. It appears to be taking 20.5 seconds on average to load.

Note: Your numbers may not match. By clicking on the GET Home/Index, you will see the
other sections of the dashboard will filter to performance data focused on that page.

7. Feel free to experiment with this dashboard to understand the performance considerations
of your application.

8. Pin the 'Operation times' chart to My Dashboard by clicking on the pin in the top right of
the chart.
 9. At this point, navigate back to My Dashboard and click Edit Dashboard, and arrange the
many tiles you have added to give yourself an all up view of the environment you have
built. Feel free to open the various solutions, find interesting data and Pin it to the
Dashboard.

Summary
In this exercise, you explored the information and data being provided by Azure Security and
Operations Management and Application Insights to gain situational awareness of the application
and infrastructure. You looked at the Security Posture of the infrastructure, the performance of
applications, and you built a dashboard that can be used to manage it moving forward.

After the hands-on lab

Duration: 10 mins

Overview
In this exercise, attendees will de-provision any Azure resources that were created in support of
the lab. Delete the HOLRG, HOLInsights, and OPSLABRG resource groups. You should follow all
steps provided after attending the Hands-on lab.