Azure Sentinel Guide

July 27, 2019 Leave a comment

Microsoft Azure Sentinel is a cloud-based SIEM solution with built-in AI and machine learning capabilities that lets you collect data from all your assets, whether on-premises or in the cloud, including applications, servers and network devices.

During public preview Azure Sentinel is almost free of charge, and data import from Office 365 or Azure Active Directory is free. Additional charges may apply for automation workflows or customization of machine learning models.

Walk-Through: How Azure Sentinel Achieves the SIEM Workflow

  1. Connect data providers to Azure Sentinel (data connectors):
    • Microsoft identity, activity and log sources: Azure Active Directory, Office 365, Syslog, DNS, Security Events and Azure Activity
    • Microsoft security components: Azure ATP, Azure Security Center, Azure Information Protection
    • Other cloud providers: AWS
    • Network and security vendors: Palo Alto, F5, Cisco ASA, Check Point, Fortinet, Barracuda and Symantec
  2. Threat hunting: hunt for threats using built-in or custom queries
  3. Use Analytics to create alert rules that trigger on the queries you define
  4. When an alert rule fires, Azure Sentinel opens a case
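The four steps above can be modelled end to end in a few dozen lines. The following Python is an added example, not Sentinel's own code or KQL: a constructed sample of Azure AD sign-in events stands in for the connected data, a hunting query is written as a function (failed sign-ins against many distinct accounts from one IP, the password-spray shape), an analytics rule wraps that query, and each match opens a case. The field names mirror the SigninLogs table, the IP addresses are documentation ranges, and the thresholds are assumptions.

```python
"""Toy model of the Azure Sentinel workflow: connect data, hunt with a
query, turn the query into an analytics rule, open a case when it fires.
Added example with constructed data; not Sentinel's own code or KQL."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# Constructed sample data. Field names follow the Sentinel SigninLogs table
# (TimeGenerated, UserPrincipalName, IPAddress, ResultType); ResultType "0"
# is a successful sign-in, any other code is a failure.
SIGNIN_LOGS = [
    {"TimeGenerated": "2019-07-27T10:00:05Z", "UserPrincipalName": "alice@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T10:00:09Z", "UserPrincipalName": "bob@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T10:00:14Z", "UserPrincipalName": "carol@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T10:00:20Z", "UserPrincipalName": "dave@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T10:00:31Z", "UserPrincipalName": "erin@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T10:01:00Z", "UserPrincipalName": "alice@contoso.com",
     "IPAddress": "198.51.100.7", "ResultType": "0"},
    {"TimeGenerated": "2019-07-27T10:02:00Z", "UserPrincipalName": "bob@contoso.com",
     "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2019-07-27T11:30:00Z", "UserPrincipalName": "frank@contoso.com",
     "IPAddress": "203.0.113.10", "ResultType": "50126"},
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_failed_signins_by_ip(logs, window=timedelta(minutes=10), min_distinct_users=5):
    """Hunting query: source IPs that failed to sign in as at least
    `min_distinct_users` different accounts inside any span of length
    `window`. Returns {ip: {"users": [...], "first": ts, "last": ts}}."""
    failures = defaultdict(list)
    for event in sorted(logs, key=lambda e: e["TimeGenerated"]):
        if event["ResultType"] != "0":
            failures[event["IPAddress"]].append(
                (parse_ts(event["TimeGenerated"]), event["UserPrincipalName"]))
    hits = {}
    for ip, events in failures.items():
        for i, (start, _) in enumerate(events):      # slide the window over each start
            in_window = [(t, u) for t, u in events[i:] if t - start <= window]
            users = sorted({u for _, u in in_window})
            if len(users) >= min_distinct_users:
                hits[ip] = {"users": users, "first": start, "last": in_window[-1][0]}
                break
    return hits


@dataclass
class Case:
    title: str
    severity: str
    entities: Dict[str, List[str]]
    status: str = "New"


@dataclass
class AnalyticsRule:
    """Scheduled analytics rule: runs a hunting query, opens one case per match."""
    name: str
    severity: str
    query: Callable[[List[dict]], Dict[str, dict]]

    def run(self, logs) -> List[Case]:
        return [Case(title=f"{self.name} from {ip}", severity=self.severity,
                     entities={"ip": [ip], "accounts": hit["users"]})
                for ip, hit in self.query(logs).items()]


SPRAY_RULE = AnalyticsRule("Possible password spray", "Medium", hunt_failed_signins_by_ip)


def open_cases(logs=SIGNIN_LOGS) -> List[Case]:
    """Steps 3 and 4 of the workflow: evaluate the rule over the connected data."""
    return SPRAY_RULE.run(logs)


if __name__ == "__main__":
    for case in open_cases():
        print(case.severity, case.title, case.entities)
```

On the constructed sample the rule opens a single case for 203.0.113.10 (five distinct accounts in 26 seconds); the later failure from the same IP at 11:30 falls outside the window and the single failure from 198.51.100.7 never reaches the threshold.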

Deploy Azure Sentinel 

As a prerequisite you need to create a Log Analytics workspace, or you can connect to an existing one.

  • Log in to the Azure portal, search for Azure Sentinel and click Create


  • Connect to an existing workspace, or create a new one if you don't have one


  • The next step is to collect the required data by adding data connectors


In this article I will add the below connectors:

  1. Office 365
  2. Azure Security Center
  3. Azure Activity
  4. Azure Active Directory
  5. Azure Active Directory Identity Protection

Each connector lists the prerequisites for integrating with Azure Sentinel; I added the five connectors listed above.


After that it took a few hours until the data populated and my dashboard started displaying it.


Categories: Azure

Azure Migrate v2: Server Assessment

July 17, 2019 Leave a comment

Microsoft announced the new release of the Azure Migrate v2 tool/service “General Availability”.

There are 5 steps in the whole migration journey

  • Discover – You first need to discover all the target systems before you can assess their eligibility to migrate to the cloud.
  • Assess – With your systems discovered and inventoried, you can now assess if the target systems are a good fit to migrate, what the optimal target system size in the cloud will be, and what the estimated costs will look like.
  • Migrate – After identifying which systems are eligible to migrate, and after performing a proper assessment to understand the costs (and potential cost savings), we can now finally perform the actual migration.
  • Manage – Now that the systems have been migrated to the cloud, we still need to manage them; including activities like monitoring, backups, disaster recovery, etc.
  • Optimize – Just because we’ve migrated to the cloud doesn’t mean we “set it and forget it”. We want to ensure we are accounting for high availability, ways to enhance security on our systems, adjusting for performance needs (or lack thereof), and of course reducing costs as much as possible.

Steps 1 and 2 are pre-migration, then you have the actual migration activities, and then finally the post-migration on-going management of the cloud environment.

What is new in Azure Migrate V2

The new tool gives you access to Microsoft and ISV tools and helps identify the right tool for your migration scenario, supporting large-scale datacenter migrations and cloud transformation projects.

Microsoft soon will add support for physical server discovery and assessment.

With the new Azure Migrate: Server Assessment offering, in addition to discovery and assessment of VMware servers, you now get:

  • Unified assessment, migration and progress tracking: a single centralized experience to track your migration journey across Microsoft and ISV tools.
  • Hyper-V assessments: Azure suitability analysis, right-sizing recommendations and cost estimates for migrating Hyper-V virtual machines to Azure. You can profile Hyper-V hosts with up to 10,000 VMs and bring all your VMware and Hyper-V inventory into the same Azure Migrate project.
  • Improved VMware assessment capabilities: greater assessment scale (up to 35,000 VMware VMs) that can cover your entire datacenter, a large improvement over the previous limit of 1,500 VMs.
  • Agentless migration of VMware VMs to Azure in preview. When you opt to use the new agentless migration method for VMware VMs, you can use the same appliance for discovery, assessment, and migration. Onboard once and execute the entire process seamlessly. You also get OS-agnostic support to help you migrate any client or server OS, including Windows or Linux, that is supported on the Azure platform.
  • Agentless migration of Hyper-V VMs to Azure and agent-based migration of physical servers and VMs running on Amazon Web Services or Google Cloud Platform to Azure.
  • No-impact migration testing that helps you plan your migration with confidence, and zero data loss when you move your applications to Azure.

Azure Migrate Cost

Azure Migrate: Server Migration is free to all Azure customers. You only pay for the compute and storage that you consume in your Azure subscription.


Discover Hyper-V VMs

Click Assess and migrate servers to get started with server assessment and migration, then click Add tools to select tools and create a migrate project.

In addition to native Azure tools, Azure Migrate integrates with a number of ISV offerings. You identify the tool you need and add it to an Azure Migrate project, then centrally track your migration journey from within the project across Azure and ISV tools. You can get started by obtaining a license or signing up for a free trial, in accordance with the ISV policy. Each tool has an option to connect to Azure Migrate; follow the tool's instructions and documentation to connect it.


Download the Azure Migrate appliance

1. In the Azure Migrate dashboard, in the context of the Azure Migrate: Server Assessment solution click on +Discover option.

2. In the Discover machines page, in the Are your machines virtualized? dropdown, specify Yes, with Hyper-V

3. Click Download to download the appliance.


Create the Azure Migrate appliance VM

Import the downloaded file to the Hyper-V host to create a VM from it.

1. Extract the downloaded .zip file to a folder on the Hyper-V host where you will be setting up the appliance. This folder will have three folders in it.

2. Open Hyper-V Manager. In Actions pane on the right, click Import Virtual Machine


Once you log in to the VM, a shortcut on the desktop named AzureMigrate opens automatically.


Register to Azure Migrate

Click Log in; a new tab opens.

1. Log in using your Azure credentials. After logging in successfully, close this tab and go back to the discovery app.

2. Select the subscription in which Azure Migrate project was created.

3. Select the Migrate project, next to the project, you can see the resource group in which the project is created (in parentheses).

4. Specify a name for the appliance. Note the appliance name is to be alphanumeric with a maximum length of 14 characters. Click Register.


Provide Hyper-V server details

In User name and Password, specify the host / cluster account details to be used to discover VMs. 

 Click Add. Enter the list of clusters or hosts you want to discover in the pop up. Click Validate.

After you are done with validation, click Save and start discovery.


What data is collected by the Azure Migrate appliance?

The Azure Migrate appliance collects metadata about the on-premises VMs that is used to assess them for migration to Azure. The complete list of metadata collected by the appliance:

Configuration data of the VM

  • VM display name

  • IP address

  • MAC address

  • Operating system

  • Number of cores, disks, NICs

  • Memory size, Disk sizes

Performance data of the VM

  • CPU usage

  • Memory usage

  • For each disk attached to the VM
    • Disk read throughput
    • Disk write throughput
    • Disk read operations per sec
    • Disk write operations per sec
  • For each network adapter attached to the VM:
    • Network in
    • Network out

Assess Hyper-V VMs

Once the VMs are discovered, we can create an assessment in the Azure portal. Assessments are created on a group of machines that you plan to migrate together.


There are two kinds of assessment we can create in Azure Migrate: performance-based and as on-premises. For example, if you have an on-premises VM with 4 cores (20% utilization) and 8 GB of memory (10% utilization), a performance-based assessment uses the utilization numbers to find the effective number of cores (0.8 cores) and effective memory (0.8 GB). It then applies a comfort factor (default 30%) to these numbers to ensure there is headroom for growth, and recommends a size in Azure that satisfies the result. An as-on-premises assessment ignores utilization and sizes for the allocated 4 cores and 8 GB.
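The sizing arithmetic above, carried through to a recommendation, as an added example in Python (not Azure Migrate's own code). The VM size list is a constructed subset with placeholder prices used only to rank candidates; the comfort factor of 1.3 is the 30% default the post describes, and the on-premises VM is the post's 4-core, 8 GB example.

```python
"""Added example of the two Azure Migrate assessment modes: performance-
based sizing (allocated * utilisation * comfort factor) versus as-on-
premises sizing (allocated resources unchanged). Sizes and prices below are
a constructed subset for illustration, not Azure's price sheet."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VmSize:
    name: str
    cores: int
    memory_gb: float
    hourly_usd: float        # placeholder price, assumption used only for ranking


# Constructed subset of Azure VM sizes (assumption: illustrative figures only).
AZURE_SIZES = [
    VmSize("Standard_B1s", 1, 1, 0.0104),
    VmSize("Standard_B1ms", 1, 2, 0.0207),
    VmSize("Standard_B2s", 2, 4, 0.0416),
    VmSize("Standard_B2ms", 2, 8, 0.0832),
    VmSize("Standard_D2s_v3", 2, 8, 0.096),
    VmSize("Standard_D4s_v3", 4, 16, 0.192),
]


@dataclass(frozen=True)
class OnPremVm:
    name: str
    cores: int
    memory_gb: float
    cpu_util: float          # peak utilisation over the collection period, 0..1
    mem_util: float


def required_resources(vm: OnPremVm, performance_based: bool = True, comfort_factor: float = 1.3):
    """Cores and memory the Azure size must provide.
    Performance-based: allocated * utilisation, scaled by the comfort factor
    (1.3 == the 30% headroom default). As on-premises: allocated as-is."""
    if performance_based:
        return (vm.cores * vm.cpu_util * comfort_factor,
                vm.memory_gb * vm.mem_util * comfort_factor)
    return float(vm.cores), float(vm.memory_gb)


def recommend_size(vm: OnPremVm, sizes=AZURE_SIZES, performance_based: bool = True,
                   comfort_factor: float = 1.3) -> Optional[VmSize]:
    """Cheapest size meeting both requirements, or None when nothing fits
    (the VM would show as not ready in the assessment)."""
    need_cores, need_mem = required_resources(vm, performance_based, comfort_factor)
    candidates = [s for s in sizes if s.cores >= need_cores and s.memory_gb >= need_mem]
    return min(candidates, key=lambda s: (s.hourly_usd, s.cores, s.memory_gb), default=None)


def monthly_cost(size: VmSize, hours: float = 730) -> float:
    return round(size.hourly_usd * hours, 2)


def assess(vms: List[OnPremVm], performance_based: bool = True, comfort_factor: float = 1.3) -> List[dict]:
    """One row per VM, in the shape an assessment report presents."""
    rows = []
    for vm in vms:
        size = recommend_size(vm, performance_based=performance_based, comfort_factor=comfort_factor)
        rows.append({"vm": vm.name, "ready": size is not None,
                     "size": size.name if size else None,
                     "monthly_usd": monthly_cost(size) if size else None})
    return rows


if __name__ == "__main__":
    sample = OnPremVm("app01", cores=4, memory_gb=8, cpu_util=0.20, mem_util=0.10)  # the post's example
    print("performance-based:", assess([sample]))
    print("as on-premises:   ", assess([sample], performance_based=False))
```

For the post's example VM the performance-based path needs 1.04 cores and 1.04 GB after the comfort factor, so a 1-core size no longer qualifies and the cheapest fit is the 2-core Standard_B2s; the as-on-premises path needs the full 4 cores and 8 GB and lands on Standard_D4s_v3. The comparison strict `>=` on fractional cores is deliberate: rounding 1.04 down to 1 would silently remove the headroom the comfort factor was meant to add.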


Dependency Visualization in Azure Migrate

Using dependency visualization we can view the network dependencies of VMs and identify related machines that need to be migrated together to Azure.

Azure Migrate uses Service Map and Log Analytics to provide this information, so we need to create a new workspace and install two agents (the Microsoft Monitoring Agent and the Dependency agent) on the on-premises VMs.


Categories: Uncategorized

Azure Bastion – Private RDP and SSH access to Azure VMs

June 25, 2019 Leave a comment

Microsoft announced the release of a new service called Azure Bastion. Azure Bastion is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL/TLS, without exposing public IPs on the VMs in your virtual network.

Key Features

  • RDP and SSH from the Azure portal
  • Remote session over SSL and firewall traversal for RDP/SSH
  • No public IP required on Azure Virtual Machines
  • Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.
  • Increased protection against port scanning
  • Hardening in one place to protect against zero-day exploits


How Does Azure Bastion Work?

  • You connect to the Azure portal over HTTPS using any browser, then select the virtual machine to connect to.
  • The Azure portal connects to the Azure Bastion service using its public IP on port 443.
  • You get a new session in your browser and can use the desktop of that VM, and of any other VMs inside your network, over RDP or SSH.

Think of Azure Bastion as a proxy: it accepts connections from the internet over SSL/TLS and connects back to your VMs using RDP and SSH.

Azure Bastion public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Pricing

Azure Bastion costs $0.095 per hour, and the first 5 GB of outbound data per month is free.

https://azure.microsoft.com/en-us/pricing/details/azure-bastion/

During public preview, pricing reflects a 50% discount.

Is it Secure?

Since Azure Bastion lets you RDP or SSH through the Azure portal, the session is secured with SSL/TLS encryption. It also removes the need for a jumpbox, so you no longer have to set up, configure or manage any public-facing VMs. It is probably more secure to use Bastion than the traditional jumpbox method, provided the NSGs on your VM subnets are locked down so that RDP/SSH is reachable only from the AzureBastionSubnet.

Let's see in action how to access your VMs using the Bastion service.

Step 1: Register for the Preview

First you need to register for the preview by running the following PowerShell commands:

  1. Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
  2. Register-AzResourceProvider -ProviderNamespace Microsoft.Network


Step 2: Create Azure Bastion resource

 

  • Go to http://aka.ms/BastionHost, which redirects you to the Azure portal with preview features enabled (not the regular Azure portal).


  • On the New page, in the Search the Marketplace field, type Bastion and press Enter to get to the search results.


  • On the Bastion (preview) page, click Create to open the Create a bastion page.
  • On the Create a bastion page, configure a new Bastion resource. Specify the configuration settings for your Bastion resource.

 


Now I will go to my vnet-production VNET and create a new subnet. Keep in mind that the name of this subnet MUST be AzureBastionSubnet. For the IP address range, I will choose 172.10.20.0/27.

You can see that the Azure Bastion host requires a public IP address, which is used for SSL/TLS connectivity from the internet only; this IP is not attached to your VMs in any way.
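The Key Features list above promises a "one-time configuration of NSGs to allow RDP/SSH from only Azure Bastion". What that rule set has to look like is easy to get wrong, because every NSG also carries default rules. The following Python is an added example, not Azure's code: it models inbound NSG evaluation (lowest priority number first, first match wins, platform defaults at 65000 and above) and compares a naive rule set against one that really restricts RDP/SSH to the AzureBastionSubnet created above. The VNet address space of 172.10.0.0/16 and the service-tag prefix lists are assumptions; only the 172.10.20.0/27 Bastion range comes from the post.

```python
"""Added example (not Azure's code): how an NSG on the VM subnet evaluates
inbound RDP/SSH once Bastion is deployed. Assumptions: VNet address space
172.10.0.0/16; service tags modelled as static prefix lists."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

BASTION_SUBNET = "172.10.20.0/27"          # the AzureBastionSubnet created above

# Service tags as static prefix lists (assumption; Azure resolves the real tags
# to published ranges). 168.63.129.16 is the Azure load balancer / health probe source.
SERVICE_TAGS = {
    "VirtualNetwork": [ipaddress.ip_network("172.10.0.0/16")],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
    "Internet": [ipaddress.ip_network("0.0.0.0/0")],
}


def source_matches(spec: str, src_ip: str) -> bool:
    """spec is '*', a service tag, or a CIDR."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(src_ip)
    prefixes = SERVICE_TAGS.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    return any(ip in prefix for prefix in prefixes)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str                 # "Allow" or "Deny"
    source: str                 # CIDR, service tag, or "*"
    dest_ports: Tuple           # port numbers, or ("*",)
    protocol: str = "Tcp"       # "Tcp", "Udp" or "*"

    def matches(self, src_ip: str, port: int, protocol: str) -> bool:
        return (self.protocol in ("*", protocol)
                and ("*" in self.dest_ports or port in self.dest_ports)
                and source_matches(self.source, src_ip))


def evaluate(rules: List[Rule], src_ip: str, port: int, protocol: str = "Tcp") -> Tuple[str, str]:
    """Azure NSG semantics: lowest priority number first, first match wins.
    Returns (access, rule name); with the defaults present a flow always matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, protocol):
            return rule.access, rule.name
    return "Deny", "implicit"


# Default inbound rules every NSG carries (priorities 65000-65500).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", ("*",), "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", ("*",), "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", ("*",), "*"),
]

ALLOW_BASTION = Rule("AllowBastionRdpSsh", 100, "Allow", BASTION_SUBNET, (3389, 22))


def naive_rules() -> List[Rule]:
    """Only the allow rule. Internet is stopped by DenyAllInBound, but
    AllowVnetInBound still lets any other VM in the VNet reach RDP/SSH."""
    return [ALLOW_BASTION] + DEFAULT_INBOUND


def bastion_only_rules() -> List[Rule]:
    """Allow from the Bastion subnet, then explicitly deny RDP/SSH from
    everything else before the default VNet allow at 65000 is reached."""
    return [ALLOW_BASTION, Rule("DenyOtherRdpSsh", 110, "Deny", "*", (3389, 22))] + DEFAULT_INBOUND


if __name__ == "__main__":
    for label, rules in (("naive", naive_rules()), ("bastion-only", bastion_only_rules())):
        for src in ("172.10.20.5", "172.10.30.9", "203.0.113.5"):
            print(f"{label:12} {src:14} RDP -> {evaluate(rules, src, 3389)}")
```

The point the model makes: with only the allow rule, a compromised VM in another subnet of the same VNet (172.10.30.9 here) still reaches port 3389 through the default AllowVnetInBound rule, so "only from Bastion" needs the explicit deny at a priority below 65000. Traffic on other ports from inside the VNet is unaffected by that deny.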


Step 3: Connect to a virtual machine

Now if I click Connect on any of the VMs, you can see a new option called Bastion.

Clipboard and Full screen support are enabled within your RDP Bastion Desktop session

Categories: Azure

Error when you try to RDP to a Windows VM in Azure

August 16, 2018 Leave a comment

When you try to make a Remote Desktop connection to an Azure VM, you get the error below:

Categories: Azure

Exchange and .NET Framework 4.7.2

May 25, 2018 Leave a comment

.NET Framework 4.7.2 is a recent release, but the new version is not mentioned in the Exchange supportability matrix at this moment.

| .NET Framework       | Exchange 2016 CU8 & CU9 | Exchange 2016 CU5 – CU7 | Exchange 2013 CU19 & CU20 | Exchange 2013 CU16 – CU18 | Exchange 2010 SP3 |
|----------------------|-------------------------|-------------------------|---------------------------|---------------------------|-------------------|
| .NET Framework 3.5   |                         |                         |                           |                           | X¹                |
| .NET Framework 3.5 SP1 |                       |                         |                           |                           | X                 |
| .NET Framework 4.0   |                         |                         |                           |                           | X¹˒²              |
| .NET Framework 4.5   |                         |                         |                           |                           | X¹˒²              |
| .NET Framework 4.6.2 | X                       | X                       | X                         | X                         |                   |
| .NET Framework 4.7.1 | X                       | X                       |                           |                           |                   |

As such, it is not a validated combination, and you will be in an unsupported configuration.

To block accidental installation of .NET Framework 4.7.2, configure the following registry value on your current Exchange servers:

HKLM\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework472= 1 (REG_DWORD)

https://support.microsoft.com/en-us/help/4024204/how-to-temporarily-block-installation-of-the-net-framework-4-7

 

Categories: .NET, Exchange 2016

Installing Exchange 2016 CU3 on Windows Server 2016

November 6, 2016 Leave a comment

Update 13-12-2016: KB 3206632 has been released by the Windows team to address the issue with Exchange 2016, and you can download it here.

Microsoft released Exchange Server 2016 Cumulative Update 3 with supported deployment on Windows Server 2016. However, some customers have reported crashes of the IIS worker process (W3WP.exe) that make Exchange 2016 unstable.

Microsoft confirmed there is an issue with Exchange Server 2016 CU3 on Windows Server 2016:

Important issues in Windows Server 2016

Microsoft Exchange

If you attempt to run Microsoft Exchange 2016 CU3 on Windows Server 2016, you will experience errors in the IIS host process W3WP.exe. There is no workaround at this time. You should postpone deployment of Exchange 2016 CU3 on Windows Server 2016 until a supported fix is available.

 

Hold off on any deployment of Exchange 2016 on Windows Server 2016 until further notice.

SCOM 2012 R2 Enterprise Management Monitoring Console crashes

October 30, 2016 Leave a comment

We have a problem with the Operations Manager 2012 R2 console: when we navigate to “Windows Computers” in the Monitoring view, the console crashes:

Faulting application name: Microsoft.EnterpriseManagement.Monitoring.Console.exe, version: 7.1.10226.1239, time stamp: 0x57bd213f

Faulting module name: ntdll.dll, version: 6.3.9600.18438, time stamp: 0x57ae642e

Exception code: 0xc0000374

Fault offset: 0x00000000000f1b70

Faulting process id: 0x15bc

Faulting application start time: 0x01d22573c3e46b2a

Faulting application path: C:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Console\Microsoft.EnterpriseManagement.Monitoring.Console.exe

Faulting module path: C:\Windows\SYSTEM32\ntdll.dll

Report Id: 8af2bdbd-9167-11e6-80c2-00155d0ad523

Faulting package full name:

Faulting package-relative application ID:

 


Solution: The issue happens after installing the October 2016 cumulative Windows updates (KB3194798/KB3192392/KB3185330/KB3185331) on Windows Server releases from 2008 R2 up to 2016 and Windows client releases from 7 up to 10.

Microsoft released a hotfix for this issue; you can install it from the following link:

https://support.microsoft.com/en-us/kb/3200006

 

 

 

Categories: SCOM 2012 R2