Azure Windows machines

Overview

Azure Virtual Machines service is developed and managed by Microsoft Corp.

Setup

This setup guide shows how to forward events produced by a Windows Virtual Machine hosted on the Azure platform to SEKOIA.IO.

These changes have to be made from the Azure web portal (https://portal.azure.com).

1. Event hubs

As a prerequisite you need an Event Hubs namespace (e.g. company-eventhub) and an existing resource group or a new one (e.g. company-resource-group). You also need your Subscription ID if you don't have a default one.

Navigate to: Home > Cost Management + Billing > Subscriptions. From there, copy the relevant Subscription ID that will be used in the command line (e.g. uuid).

Then use Azure PowerShell (within the Cloud Shell interface, for example): you will first create a global Event Hubs namespace, then a specific Event Hub (e.g. active-directory-event; the commands below use windows-event).

PS Azure:\> az eventhubs namespace create --name company-eventhub --resource-group company-resource-group --enable-kafka true --subscription uuid

PS Azure:\> az eventhubs eventhub create --resource-group company-resource-group --namespace-name company-eventhub --name windows-event --message-retention 3 --partition-count 4 --subscription uuid

Navigate to: Home > Event Hubs > company-eventhub - Shared access policies. From there, create a policy (e.g. RootManageSharedAccessKey) with the Manage, Send and Listen claims, and note the Primary Key, which will be used as the SharedAccessKey.

Navigate to: Home > Event Hubs > company-eventhub > windows-event - Shared access policies. From there, create a policy (e.g. sekoiaio-nifi) with the Listen claim only. Once created, click on the policy and save the Connection string-primary key, which will be sent to SEKOIA.IO.

Navigate to: Home > Event Hubs > company-eventhub > windows-event - Consumer groups. From there, create a consumer group (e.g. sekoiaio-nifi).

2. Windows Virtual Machine

You need to activate and configure the diagnostic extension Microsoft.Insights.VMDiagnosticsSettings. Navigate to: Home > Virtual machines > virtual machine name (e.g. company-windows) > Settings > Extensions. Install it and note the name of the newly created storage account (e.g. company-storage-account).

Navigate to: Home > Storage accounts > company-storage-account - Access keys. From there, note the key value, which is later used as the storageAccountKey.

You need to create two configuration files, public_settings.json and protected_settings.json. Once again, use Azure PowerShell with your favorite text editor:

PS Azure:\> vim public_settings.json

Adapt the public settings configuration file with the values of these variables: Url, SharedAccessKeyName, StorageAccount.

{
    "WadCfg": {
        "DiagnosticMonitorConfiguration": {
            "overallQuotaInMB": 4096,
            "sinks": "applicationInsights.errors",
            "DiagnosticInfrastructureLogs": {
                "scheduledTransferLogLevelFilter": "Error"
            },
            "WindowsEventLog": {
                "scheduledTransferPeriod": "PT1M",
                "DataSource": [
                    {
                      "name": "Application!*"
                    },
                    {
                      "name": "System!*"
                    },
                    {
                      "name": "Security!*"
                    }
                ],
                "sinks": "HotPath"
            },
            "Logs": {
                "scheduledTransferPeriod": "PT1M",
                "scheduledTransferLogLevelFilter": "Error",
                "sinks": "HotPath"
            }
        },
        "SinksConfig": {
            "Sink": [
                {
                    "name": "HotPath",
                    "type": "JsonBlob",
                    "EventHub": {
                        "Url": "https://company-eventhub.servicebus.windows.net/windows-event",
                        "SharedAccessKeyName": "RootManageSharedAccessKey"
                    }
                },
                {
                    "name": "applicationInsights",
                    "ApplicationInsights": "",
                    "Channels": {
                        "Channel": [
                            {
                                "logLevel": "Error",
                                "name": "errors"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "StorageAccount": "company-storage-account"
}

A more specific Windows event log can be added by specifying the event log channel name (e.g. for Sysmon: "name": "Microsoft-Windows-Sysmon/Operational!*").

Then edit the protected settings configuration file:

PS Azure:\> vim protected_settings.json

Adapt the protected settings configuration file with the values of these variables: storageAccountName, storageAccountKey, Url, SharedAccessKeyName, SharedAccessKey:

{
    "storageAccountName": "company-storage-account",
    "storageAccountKey": "base64-string",
    "storageAccountEndPoint": "https://core.windows.net",
    "EventHub": {
        "Url": "https://company-eventhub.servicebus.windows.net/windows-event",
        "SharedAccessKeyName": "RootManageSharedAccessKey",
        "SharedAccessKey": "base64-string"
    }
}

Finally, push the new diagnostic extension configuration (adapt the resource-group and vm-name parameters):

PS Azure:\> az vm extension set --publisher Microsoft.Azure.Diagnostics --name IaaSDiagnostics --version 1.5 --resource-group company-resource-group --vm-name company-windows --protected-settings protected_settings.json --settings public_settings.json --subscription uuid
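Before pushing the two files, a quick consistency check catches the mistakes that silently break forwarding or put a key in the wrong file. This added example (not SEKOIA.IO's or Microsoft's code) validates a public/protected settings pair with the structure shown above: secrets must appear only in the protected file, the storage account and Event Hub references must agree across both files, and every WindowsEventLog DataSource must use the channel!query form. The sample dictionaries are constructed and their key values are placeholders.

```python
import re
PUBLIC = {  # constructed sample mirroring public_settings.json above; names as in the page
    "WadCfg": {
        "DiagnosticMonitorConfiguration": {"WindowsEventLog": {
            "DataSource": [{"name": "Security!*"}, {"name": "Microsoft-Windows-Sysmon/Operational!*"}],
            "sinks": "HotPath"}},
        "SinksConfig": {"Sink": [{"name": "HotPath", "EventHub": {
            "Url": "https://company-eventhub.servicebus.windows.net/windows-event",
            "SharedAccessKeyName": "RootManageSharedAccessKey"}}]}},
    "StorageAccount": "company-storage-account",
}
PROTECTED = {  # constructed sample mirroring protected_settings.json; key values are placeholders
    "storageAccountName": "company-storage-account",
    "storageAccountKey": "PLACEHOLDER-STORAGE-KEY",
    "EventHub": {"Url": "https://company-eventhub.servicebus.windows.net/windows-event",
                 "SharedAccessKeyName": "RootManageSharedAccessKey", "SharedAccessKey": "PLACEHOLDER-SAS-KEY"},
}
SECRET_KEYS = {"SharedAccessKey", "storageAccountKey"}  # belong only in protected_settings.json
DATASOURCE_RE = re.compile(r"^[^!\s]+!\S.*$")  # "<channel>!<XPath query>", e.g. "Security!*"
def _keys(obj):
    """Yield every dictionary key anywhere in a nested JSON object."""
    if isinstance(obj, dict):
        yield from obj
    for v in (obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()):
        yield from _keys(v)

def check_settings(public, protected):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    leaked = SECRET_KEYS & set(_keys(public))
    if leaked:  # public extension settings are not treated as secrets by Azure
        findings.append(f"secret keys present in public settings: {sorted(leaked)}")
    if public.get("StorageAccount") != protected.get("storageAccountName"):
        findings.append("StorageAccount / storageAccountName mismatch")
    sinks = {s["name"]: s for s in public["WadCfg"]["SinksConfig"]["Sink"]}
    evt = public["WadCfg"]["DiagnosticMonitorConfiguration"]["WindowsEventLog"]
    for name in (n.strip() for n in evt["sinks"].split(",")):
        if name not in sinks:  # events routed to a sink that does not exist are dropped
            findings.append(f"WindowsEventLog references unknown sink {name!r}")
    for ds in evt["DataSource"]:
        if not DATASOURCE_RE.match(ds["name"]):
            findings.append(f"malformed DataSource name {ds['name']!r}")
    prot_hub = protected.get("EventHub", {})
    for name, sink in sinks.items():
        hub = sink.get("EventHub")
        if hub and (hub["Url"], hub["SharedAccessKeyName"]) != (prot_hub.get("Url"), prot_hub.get("SharedAccessKeyName")):
            findings.append(f"sink {name!r}: EventHub Url/SharedAccessKeyName differ from protected settings")
    if not prot_hub.get("SharedAccessKey"):
        findings.append("protected settings lack EventHub.SharedAccessKey")
    return findings
```

Load the two real files with json.load and pass them to check_settings; an empty result means they are ready for az vm extension set.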

3. Sysmon

The Sysmon tool from Microsoft can improve detection on Windows computers. You can download the tool from the Microsoft website. If you do not know how to use and configure it, please check the SwiftOnSecurity GitHub repository.

4. Enjoy your events

You can now send the Connection string-primary key mentioned above to SEKOIA.IO.

Once the configuration has been done on the SEKOIA.IO side, you can go to the events page to watch your incoming events.
