Securing an Azure VM with Azure Security Center (using Log Analytics workspace)

Azure Security Center collects security data and events from a virtual machine to help you prevent, detect, and respond to threats. Azure Security Center is built upon Log Analytics and uses the data collected there.

In this blog you can see how to set up a VM that sends data to a Log Analytics workspace. After this setup you will see how Azure Security Center can be used to dive into all the security improvements for that VM.

Prerequisites

  • Access to an Azure portal and Azure CLI (https://shell.azure.com/)
  • Azure Security Center – Standard Pricing tier ($/€)
Azure Security Center

What will we build/create?

  • We will create a Resource Group (RG) with resources in it;
  • A Windows Server VM will be configured in that RG;
  • Events of the VM will be collected;
  • A Log analytics workspace will be created;
  • Security Center actions will secure the VM.

Some code, to prepare the environment

Open the Cloud Shell from the Azure Portal:

Azure Cloud Shell
Azure CLI

Create an Admin Password

AdminPassword=ThisIsMyPassword1

Create a Resource Group

az group create --name mwp-test-ak --location westeurope

Create a Resource Group

Create a network in Azure

az network vnet create --resource-group mwp-test-ak --name mwp-test-ak-Vnet --subnet-name mwp-test-ak-Subnet

Create a public IP address

az network public-ip create --resource-group mwp-test-ak --name mwp-test-ak-PublicIP

Create a network security group

az network nsg create --resource-group mwp-test-ak --name mwp-test-ak-NetworkSecurityGroup

Create a virtual network card and associate it with the public IP address and NSG (the vnet and subnet names must match the ones created above)

az network nic create \
--resource-group mwp-test-ak \
--name mwp-test-ak-Nic \
--vnet-name mwp-test-ak-Vnet \
--subnet mwp-test-ak-Subnet \
--network-security-group mwp-test-ak-NetworkSecurityGroup \
--public-ip-address mwp-test-ak-PublicIP

Create a Windows 2016 Datacenter Server

az vm create \
--resource-group mwp-test-ak \
--name mwp-test-ak-VM \
--location westeurope \
--nics mwp-test-ak-Nic \
--image win2016datacenter \
--admin-username azureuser \
--admin-password $AdminPassword

Open port 3389 to allow RDP traffic to the host (note that this opens the port to any source address)

az vm open-port --port 3389 --resource-group mwp-test-ak --name mwp-test-ak-VM
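The steps above are the same commands collected into one script, as an added example that is not code from the original post. It differs from the post in three ways a practitioner would want: every resource name is derived from a single prefix, so the vnet and subnet names referenced by the NIC step always match the ones created earlier; the admin password is generated instead of being typed into the shell (and shell history); and RDP is allowed only from an administrative source range instead of from the whole internet, which is what the open-port step does. The ADMIN_SRC range, the rule name AllowRdpFromAdmin and the DRY_RUN switch are assumptions for this example; all az flags used are existing Azure CLI parameters.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): provision the post's VM with
# consistent names, a generated admin password, and a source-restricted RDP rule.
set -euo pipefail

PREFIX="${PREFIX:-mwp-test-ak}"            # resource group and name prefix used in the post
LOCATION="${LOCATION:-westeurope}"
ADMIN_SRC="${ADMIN_SRC:-203.0.113.0/24}"   # assumption: your admin network (TEST-NET-3 placeholder)
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the az commands, 0 = execute them

# Derive a resource name from the prefix and a suffix, e.g. rname Nic -> mwp-test-ak-Nic.
rname() { printf '%s-%s' "$PREFIX" "$1"; }

# Generate an admin password that meets the Azure complexity rule (12+ chars,
# three of: upper, lower, digit, symbol). The random part supplies the entropy;
# the fixed suffix guarantees the character classes are present.
gen_password() {
  local random
  if command -v openssl >/dev/null 2>&1; then
    random="$(openssl rand -base64 24 | tr -d '/+=\n')"
  else
    random="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  fi
  printf '%saA1!' "$random"
}

ADMIN_PASSWORD="${ADMIN_PASSWORD:-$(gen_password)}"

# Print (with the password redacted) or execute a command, depending on DRY_RUN.
run() {
  local line="$*"
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "${line//"$ADMIN_PASSWORD"/<redacted>}"
  else
    "$@"
  fi
}

# RDP reachable only from ADMIN_SRC; this replaces the post's "az vm open-port" step.
nsg_rdp_rule() {
  run az network nsg rule create \
    --resource-group "$PREFIX" \
    --nsg-name "$(rname NetworkSecurityGroup)" \
    --name AllowRdpFromAdmin \
    --priority 1000 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$ADMIN_SRC" \
    --destination-port-ranges 3389
}

# The full sequence from the post: group, vnet, public IP, NSG, NSG rule, NIC, VM.
provision() {
  run az group create --name "$PREFIX" --location "$LOCATION"
  run az network vnet create --resource-group "$PREFIX" \
    --name "$(rname Vnet)" --subnet-name "$(rname Subnet)"
  run az network public-ip create --resource-group "$PREFIX" --name "$(rname PublicIP)"
  run az network nsg create --resource-group "$PREFIX" --name "$(rname NetworkSecurityGroup)"
  nsg_rdp_rule
  run az network nic create --resource-group "$PREFIX" --name "$(rname Nic)" \
    --vnet-name "$(rname Vnet)" --subnet "$(rname Subnet)" \
    --network-security-group "$(rname NetworkSecurityGroup)" \
    --public-ip-address "$(rname PublicIP)"
  run az vm create --resource-group "$PREFIX" --name "$(rname VM)" \
    --location "$LOCATION" --nics "$(rname Nic)" --image win2016datacenter \
    --admin-username azureuser --admin-password "$ADMIN_PASSWORD"
}

# Stand-alone use: DRY_RUN=1 (default) prints the plan, DRY_RUN=0 deploys it.
provision
```

Run it once with the default DRY_RUN=1 to review the plan (the password is shown as <redacted>), then with DRY_RUN=0 in Cloud Shell to deploy. The generated password only exists in the ADMIN_PASSWORD variable of that shell session; store it in a secret store rather than in a script.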

Log Analytics Workspace

Agent data from the VM will be sent to an Azure Log Analytics workspace, so we create a workspace first. To create a new file, start the vi editor in Azure Cloud Shell with “vi loganalytics.json”, paste the JSON code (see below) into this file, and save and close the file with “esc” and “:wq“.

{
  "$schema": "https://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "String",
      "metadata": {
        "description": "Specifies the name of the workspace."
      }
    },
    "location": {
      "type": "String",
      "allowedValues": [
        "westeurope",
        "northeurope"
      ],
      "defaultValue": "westeurope",
      "metadata": {
        "description": "Specifies the location in which to create the workspace."
      }
    },
    "sku": {
      "type": "String",
      "allowedValues": [
        "Standalone",
        "PerNode",
        "PerGB2018"
      ],
      "defaultValue": "PerGB2018",
      "metadata": {
        "description": "Specifies the service tier of the workspace: Standalone, PerNode, Per-GB"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "name": "[parameters('workspaceName')]",
      "apiVersion": "2015-11-01-preview",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "Name": "[parameters('sku')]"
        },
        "features": {
          "searchVersion": 1
        }
      }
    }
  ]
}

After this, execute the following command line to deploy the template:

az group deployment create --resource-group mwp-test-ak --name mwp-test-ak-loganalytics --template-file loganalytics.json

When prompted, provide a workspace name that is globally unique across all Azure subscriptions, e.g. something with a name, dashes and/or a version: mwp-test-ak-loganalytics

A Log Analytics workspace will be created in Azure.

Resource Group

If you take a look at all the resources in the resource group, it will look like this:

A VM, network and Log Analytics workspace in a Resource Group

Azure Security Center

Azure Security Center provides you the tools needed to harden your network, secure your services and make sure you’re on top of your security posture.

We need to set the Pricing and Data collection twice: once for the subscription and once for the Log Analytics workspace.

First set the Pricing tier for the subscription to Standard. Do not forget to click the Save button.

Subscription pricing tier

The Microsoft Monitoring Agent can be installed automatically, but here we install it “manually”, so no configuration in the Data collection tab is needed.

Data collection

Secondly, set the Security policy – Pricing tier to Standard for the Log Analytics workspace. This costs $15/node/month (in 2020). Go to Pricing & Settings again and select the Log Analytics workspace.

Click the workspace
Select the Security Policy – Standard Pricing Tier

In Data collection, select the Common set of Windows security events to be collected and stored.

Select Common in the Data collection tab

The Microsoft Monitoring Agent (VM extension) can be installed automatically, manually, or pushed from either Security Center or the Log Analytics workspace. After the agent is installed on the virtual machine, data is collected in Log Analytics and shows up in both Security Center and the Log Analytics workspace. In this case we push the agent from the Log Analytics workspace.

Go to the Log Analytics workspace and find the Virtual machines blade. Select the VM and click Connect.

Click Connect

Connecting the VM to Log Analytics takes a while (about 5 minutes).

After a while the VM is connected

Restart the VM to ensure that everything is set up correctly.

Restart the VM

What's next

Go to the recommendations list in Security Center – Compute & Apps to prevent, detect, and respond to threats.

Recommendations

Log on to the virtual machine with the username azureuser and the password ThisIsMyPassword1, and check that the server is fully functional.

In Apps & Features you can see that the Microsoft Monitoring Agent is installed on the server.

Microsoft Monitoring Agent on a VM
