Azure VM Antimalware Extension Management

Azure VM Antimalware Extension Management has always been a tricky subject. You can easily enable the Microsoft Antimalware Extension from the Azure Portal upon the Azure VM creation or by using the Extensions blade. But after that, the management of the extension is somehow tricky. There is no way to manage the Microsoft Antimalware exclusion list and auto-scan setting from the portal or from inside the VM. Even using PowerShell there is not a single command to manage the Microsoft Antimalware settings.

There is no need to point out that all VMs must have an Endpoint Protection Solution. Azure provides the ability to add an Endpoint Protection Solution to all Azure VMs. Microsoft Antimalware for Azure Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software, with configurable alerts when known malicious or unwanted software attempts to install itself or run on your system and it is absolutely free. For the 3rd party extensions you need to add your key.

For Windows Server VMs up to version 2012 R2, the extension will install the System Center Endpoint Protection client and apply the configuration policies. Windows Server 2016 and above have build-in the Windows Defender, so the extension will only apply the configuration.

Below we will walk through on how to deploy & manage the Microsoft Antimalware Extension Using the Azure Portal (Single VM), Using the Azure Security Center (Multiple VMs)and Using PowerShell for a Single VMand for Multiple VMs filtered by Resource Groups or Tags.

Deploy the Microsoft Antimalware Extension

Using the Azure Portal for single VM deployment

Using the Azure Security Center for multi VM deployment

Single VM

$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"

#view all versions for the West Europe location
Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type | fl Version
#view the latest major version
((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#add the latest major version in a variable called "amversion"
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')

$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@

Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

Login-AzAccount
#variables
$ResourceGroupName = "devrg"
$VMName = "devrgvm"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings
Set-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VMName-Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio -ResourceGroupName $ResourceGroupName -VMName $Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $Location -TypeHandlerVersion $amversio

Multi VM – All VMs in a Resource Group

#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

#Login-AzAccount
#variables
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, exclusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs in the Resource Group
Get-AzVM -ResourceGroupName $ResourceGroupName | ForEach-Object {
    Set-AzVMExtension -ResourceGroupName $_.ResourceGroupName -VMName $_.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $_.Location -TypeHandlerVersion $amversion
    }

Using Tags instead of Resource Group to filter the VMs

Login-AzAccount
#variables (filter by tags)
$tagName = "Service"
$tagValue = "dev"
$Location = "West Europe"
$PublisherName = "Microsoft.Azure.Security"
$Type = "IaaSAntimalware"
#Get the latest major version
$amversion = ((Get-AzVMExtensionImage -Location $Location -PublisherName $PublisherName -Type $Type).Version[-1][0..2] -join '')
#Antimalware extension settings, excusions and schedules
$amsettings = @'
{
    "AntimalwareEnabled": true,
    "RealtimeProtectionEnabled": true,
    "ScheduledScanSettings": {
        "isEnabled": true,
        "day": 7,
        "time": 120,
        "scanType": "Quick"
    },
    "Exclusions": {
        "Extensions": ".log;.ldf",   
        "Paths": "D:IISlogs;D:DatabaseLogs",
        "Processes": "mssence.svc"
    }
}
'@
#enable the Microsoft Antimalware Extension with the above settings to all VMs of a spesific Tag
$tagResList = Get-AzResource -TagName $tagName -TagValue $tagValue
foreach($tagRes in $tagResList) { 
    Set-AzVMExtension -ResourceGroupName $tagRes.ResourceGroupName -VMName $tagRes.Name -Name $Type -Publisher $PublisherName -ExtensionType $Type -SettingString $amsettings -Location $tagRes.Location -TypeHandlerVersion $amversion
    }

The post Azure VM Antimalware Extension Management appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft announced the Azure Backup for SQL Server in Azure Virtual Machines in General Availability! Azure Backup for SQL Server is an enterprise scale backup solutions that doesn’t need infrastructure deployment & management at all. With Azure Backup for SQL Server you can centrally manage and monitor SQL Server Standalone and Always On AG backups!

Some of the major features of Azure SQL Backup for SQL Server are 15 minute RPO, one click PIT restore, long term retention, encrypted database support, auto-protect new databases, centralized management and monitor and no infrastructure deployment and management!

Learn more at the announcement page: https://azure.microsoft.com/en-us/blog/azure-backup-for-sql-server-in-azure-virtual-machines-now-generally-available/

The post Backup SQL Server & AlwaysOn AG inside Azure VMs appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Get real insights about your Windows and Linux VMs & VMSSs performance and their dependencies with Azure Monitor. Integrate with Log Analytics for even more in depth analysis and retain the data over time. Health, Performance & Service Map of your VM in a dashboard.

Deploy to Single VM

For a single VM, go to the VMs blade, scroll down to the “Monitoring” section, select “Insights” and press “Try now”

The Azure Monitor Insights Onboarding wizard will open. If your VM is already onboard at a Log Analytics workspace just click Enable. Otherwize select a Log Analytics workspace or create one.

You will start seeing data form the VM in about 20-30 minutes.

Deploy to multiple VMs using Azure Policy

For deploying to multiple VMs, the easiest way is to use Azure Policy

Go to the Azure Policy, select Assignments and press “Assign initiative”

The first option is the Scope. Press the three dots “…” at the Scope field. You can choose a a Management Group, a Subscription or a Resource Group. So if you just select a Management Group (And don’t select subscription and resource group), this policy will apply to all Subscriptions under the Management Group and of course to all resources of the subscription. If you choose a Subscription (and don’t select a resource group then the policy will apply to all resources of the subscription. Finally if you choose a resource group then the policy will apply only to this resource group. Later we will see how to select specific VMs in the Subscription or Resource group.

After selecting the Scope you can add exclusions. There you can check the VMs you don’t want this policy to apply.

The next step is to select the Policy. At the BASICS section, press the three dots “…” near the “Initiative definition” and find the “Enable Azure Monitor for VMs”

Next step is to configure the Parameters. There select the Log Analytics workspace that the VM will onboard, or create a new one. Optionally you can provide a list of VMs instead of adding all of them

Finally press Apply. Back at the Azure Policy main menu you will see the new Definition Assignment.

View the Health / Performance / Service Map of the VMs

To view the Azure Monitor of the VMs, go to the VM that you have enabled Insights, select the Insights blade and you will be able to see the health status not only for the common CPU. Memory, Disk,

But also for the services that run inside the VM and the Azure Monitor discovered.

By clicking on any service you will have a list of all logs of this service

At the performance section you have the ability to select time range and have performance analytics for a requisted period of time

Finally at the MAp, you have a service map of the services and ports that are open and listening

Product Documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/insights/vminsights-overview

The post Azure Monitor for VMs – Health, Performance & Service Map appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft Azure becomes 9 years old. Azure released on February 1, 2010, as “Windows Azure” before being renamed “Microsoft Azure” on March 25, 2014

Some major dates of Azure until now:

• October 2008 (PDC LA) – Announced the Windows Azure Platform
• March 2009 – Announced SQL Azure Relational Database
• November 2009 – Updated Windows Azure CTP, Enabled full trust, PHP, Java, CDN CTP and more
• February 1, 2010 – Windows Azure Platform commercially available! Azure is GA!
• June 2010 – Windows Azure Update, .NET Framework 4, OS Versioning, CDN, SQL Azure Update
• October 2010 (PDC) – Platform enhancements, Windows Azure Connect, improved Dev / IT Pro Experience
• December 2011 – Traffic manager, SQL Azure reporting, HPC scheduler
• June 2012 – Websites, Virtual machines for Windows and Linux, Python SDK, new portal, locally redundant storage
• April 2014 – Windows Azure renamed to Microsoft Azure, ARM Portal introduced at Build 2014.
• July 2014 – Azure Machine Learning public preview
• November 2014 – Outage affecting major websites including MSN.com
• September 2015 – Azure Cloud Switch introduced as a cross-platform Linux distribution.
• December, 2015 – Azure ARM Portal (codename “Ibiza”) released.
• March, 2016 – Azure Service Fabric is Generally Available (GA)
• September 2017 – Microsoft Azure gets a new logo and a Manifesto
• July 16, 2018 – Azure Service Fabric Mesh public preview
• September 24, 2018 – Microsoft Azure IoT Central is Generally Available (GA)
• October 10, 2018 – Microsoft joins the Linux-oriented group Open Invention Network.

Currently Microsoft Azure is available at 54 Regions Worldwide!

Happy Birthday Azure!

Source: https://en.wikipedia.org/wiki/Microsoft_Azure & https://azure.microsoft.com/en-us/global-infrastructure/regions/

The post Happy 9th Birthday Azure! appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure Web Application Firewall (WAF) is a function of the Azure Application Gateway that detects and prevents exploits and attacks to a web application. Using a WAF we add an additional security layer in front of our application. To have a sneak peak at the most common web application attacks, take a look at the OWASP Top 10 Most Critical Web Application Security Risks .

At my previous posts we have seen how to Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. At this post I want to share some tips on how to configure the Azure Web Application Firewall.

The Azure Web Application Firewall, like all WAFs, needs a period of detection “the training period”, in order to gather logs about what is logged as blocked so to configure it accordingly before turning the WAF to Prevention mode. The Azure Web Application Firewall uses OWASP ModSecurity Core Rule Set (CRS). You can select version 2.2.9 or version 3.0 of the OWASP ModSecurity Core Rule Set. These rules include protection against attacks such as SQL injection, cross-site scripting attacks, and session hijacks.

The configuration of the Azure Web Application Firewall has two parts. One part is the OWASP rules custom configuration, where we can check / uncheck the OWASP rules that the WAF will use to analyse the requests:

and the second part is the Exclusions and the Request Size Limits:

Let’s see how we can find out what to exclude and what to customize. Once you setup the Azure Application Gateway and Publish your web application turn of the Firewall in Detection mode. Enable the Diagnostic Logs and send the logs to Log Analytics and start using the we application. I have covered all those steps at my previous posts, Protect your Web App using Azure Application Gateway Web Application Firewall and Use Log Analytics to Query the WAF Logs and email those logs to the Admins. To make it more fun you can actually attack your application using sample attacks, like SQL Injection samples from this link: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) and Cross-site Scripting (XSS) from this link: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) . Both links are from OWASP for testing.

After a while run the query to check the Azure Web Application Firewall logs:

You will get the below results:

At the Message part of the Log you will see the kind of attack that the WAF has detected.

At the ruleId_s you can find the OWASP rule ID. With this information you can search the Rule ID at the Advanced rule configuration and uncheck the specific rule. Of course every rule you uncheck you open a security hole. So I recommend to first check if you can alter your application to comply with the rule and only if this is not possible to drop the rule.

At the details_message_s column also you can find the matched pattern and configure the Exclusions

Finally you can configure the request size limits according to your application

Once you finalize your Azure Application Firewall configuration and you no longer have “Blocked” messages change it to “Prevention” mode to start protecting your web application.

Reference:
WAF Overview: https://docs.microsoft.com/en-us/azure/application-gateway/waf-overview
WAF Configuration: https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-waf-configuration
OWASP ModSecurity Core Rule Set (CRS): https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

The post Configure The Azure Web Application Firewall appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

At this post, we will create a Logic App that will query the Log Analytics workspace for the WAF logs of the last 24 hours and send the results in an email, using a free SendGrid account.

A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/

Use Log Analytics to Query the WAF Logs

The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours.

AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s

You can save the query by clicking the Save button and give it a name and a Category.

We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

Create a Logic App

From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create”

At the Logic App creation wizard add Name, subscription, resource group, location and press Create

Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger.

Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step”

search for “log analytics” and select the “Run query and visualize results”

I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post.

After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step”

search for “sendgrid” and select the “Send email (V2)”

Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result.

Press Save to save the Flow and Run to test it.

The result at my email:

The post Serverless Computing | Email Report Azure WAF Logs appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Azure offers free smtp relay using the SendGrid application. SendGrid is a cloud service that provides email delivery and marketing campaigns. The specific offer is for up to 25.000 emails per month. Also this offers provides full reporting and analytics and 24/7 support.

At this post we will see how to create a SendGrid free account that can be used for many purposes, like:

• Send emails through an application using the SendGrid API
• Send email campaigns, newsletters, etc using the SendGrid SMTP service

At the Azure Portal, portal.azure.com, search for sendgrid and click the “SendGrid Email Delivery”

The SendGrid account wizard will open. Fill the name and password, select subscription and resource group and choose the F1 free pricing tier. Also fill the contact information, accept the legal terms and press “Create”

Once the SendGrid Account is created, navigate to it and select Manage

The SendGrid portal will open. Navigate to the Settings / API Keys to Create an API Key.

Enter a name for the key. For permissions you only need send emails So select Restricted Access and add “Mail Send”. Press create & view to create the key.

You will only see the key once, upon creation. After that there is no way to see the key again, so copy and keep it safe.

SMTP Service

We are ready to send emails using any host that supports SMTP. The settings are:

• Server: smtp.sendgrid.net
• Username: apikey
• Password: “The API Key you created before”
• Ports: SSL 465, Unencrypted: 25 , TLS 586
• More about SendGrid SMTP: https://sendgrid.com/docs/API_Reference/SMTP_API/integrating_with_the_smtp_api.html

API Usage:

https://sendgrid.com/docs/for-developers/sending-email/api-getting-started/

The post azure free smtp relay using sendgrid appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Working as a Cloud Consultant, Administrator, Architect, many companies will provide you guest (Azure AD B2B) access to their subscription. After completing the Admins of the subscriptions, many times, forget to remove this accesses and as a result you still have access to resources with no reason and also the list of your available subscriptions grows making it difficult to choose the right subscription to work.

In this post we will walk through the steps of removing your account from those subscriptions. Since this is an identity matter, you need to login to the https://account.activedirectory.windowsazure.com portal and login with your account. I logged in with my account, pantelis@e-apostolidis.gr

There you will see a list of all the applications that you have access at the Tenant that your account resides. Press the user icon, at the top right corner.

Once you press the user icon, a drop down menu will appear and there you will see all the organizations that you have been provided access. Near the “ORGANIZATIONS” press the gear icon.

You will redirected to the organizations section of the portal. There, in order to leave an organization subscription you need to sign in. Actually by clicking sign in to leave organization you will be redirected to that tenant. The tricky part here is to choose the right organization, since many organizations does not change the “Default directory” name. A, easy way to do this it to hover your mouse to the “sign in to leave organization” link and you will see the tenant id at the bottom of the page.

Now, by navigating to the https://portal.azure.com and pressing the Subscription filter button, at the top par, near the notifications icon, you will have a list of all organizations tenant ids and names.

After ensuring the organization id that you want to leave, go back to the organization selection portal and press “sign in to leave organization”. There, at the browser’s address bar you will see again the organization tenant id. Check again just to be sure.

There you need again to press the user icon and the little gear icon

Finally you have the option to “Leave organization”

A final warning will appear, just to be sure, and by pressing “Leave” you instantly loose all access to that organization and it will not be listed at your subscription filter.

After a while you will also receive an email from Microsoft invitations that you have left that organization.

The post Leave an Azure Subscription – Directory appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

At the 15# Azurehads meetup we talked about how to integrate our data using Azure Data Factory and from the Azure Data Factory to call an Azure HDInsights cluster that will be created on-demand. After the process ends, the HDInsights cluster will be automatically deleted.

Also we saw how we can copy and transform data from almost any source to almost any location.

Download the presentation: http://bit.ly/AH15Presentation

Download the demo video: http://bit.ly/AH15Video

Download the project files: http://bit.ly/AH15Projectfiles

At the demo, we created a data factory. At the data factory we created a pipeline that reads a Python script from an Azure Storage account folder. THe Azure Data FActory creates an on-demand HDInsights Spark cluster and runs the python script. The python script reads a text and provides for output a text with the word count of the input text. Finally the cluster is automatically deleted.

The post Azureheads #15 | Integrate your data to the cloud meetup resources appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr

Today Microsoft Azure announced the Simplified restore experience for Azure virtual machines https://azure.microsoft.com/en-us/updates/simplified-restore-of-azure-vms/

Now we can restore an Azure VM directly with managed disks with a truly single-click operation.

In addition, we can restore only the unmanaged disks to a storage account and the process will create a template for us to create the VM  on a later time.

So, at the recovery services vault, select a VM to restore and you will see two main options.

Create New: to create a new Virtual Machine with managed disks or to restore the disks with the ARM Template

Replace existing: To restore the VM in-place, replacing the current VM.

At both options you will need to select a Staging storage account, in order to restore the VHD files. Those file will be auto-converted to managed disks by the process.

The post New Azure VM Restore Experience appeared first on Apostolidis IT Corner.

Source: e-apostolidis.gr