Category Archives: Security & Compliance

Microsoft Azure: network monitoring solutions overview

Microsoft Azure provides several solutions that allow you to monitor network resources, not only for cloud environments, but even in the presence of hybrid architectures. That are cloud-based features, to check the health of your network and connectivity to your applications. In addition, they give detailed information about network performance. This article will be made an overview of the various solutions such as the main features, needed to orient the use of the network monitor tools most appropriate for your needs.

Network Performance Monitor (NPM) is a suite that includes the following solutions:

  • Performance Monitor
  • ExpressRoute Monitor
  • Service Endpoint Monitor

In addition to the tools included in the Network Performance Monitor (NPM) you can use Traffic Analytics and DNS Analytics.

Performance Monitor

The most commonly used approach is to have hybrid environments with heterogeneous networking, that allows you to connect your own on-premises infrastructure with the environment implemented in the public cloud. In some cases you may also have different cloud providers, that make the network infrastructure even more complicated . These scenarios require the use of flexible monitor tools that can work across on-premises, in cloud (IaaS), and in hybrid environments. Performance Monitor has all of these characteristics and thanks to the use of synthetic transactions, provides the ability to monitor, almost in real time, the network parameters to get performance information, like packet loss and latency. In addition, this solution allows to easily locate the source of a problem in a specific network segment or identifying a particular device. The solution requires the presence of the OMS agent and keeping track of the retransmission packets and the roundtrip time, it is able to return a graph of easy and immediate interpretation.

Figure 1 - Hop-by-hop chart provided by Performance Monitor

Where to install the agents

The installation of the agent of Operations Management Suite (OMS) is necessary on at least one node connected to each subnet from which it intends to monitor the connectivity to other subnets. If you plan to monitor a specific network link you must install agents on both endpoints of the link. In cases where you do not know the exact network topology, one possible approach is to install agents on all servers that hold critical workloads and for which you need to monitor your network performance.

The Cost of the Solution

The cost of the feature Performance Monitor in NPM is calculated on the basis of the combination of these two elements:

  • Monitored Subnet link. To obtain the costs for monitoring of a single subnet link for one month, you can see Ping Mesh.
  • Data volume.

For more details please visit the Microsoft's official page.

ExpressRoute Monitor

Using ExpressRoute Monitor it is possible to monitor the end-to-end connectivity and verify the performance between on-premises environment and Azure, in the presence of ExpressRoute connectivity with Azure Private peering and Microsoft peering connections. The key features of this solution are:

  • Auto-detection of the circuit ExpressRoute associated with your subscription Azure.
  • Detection of network topology.
  • Capacity planning and bandwidth usage analysis.
  • Monitoring and alerting both the primary and the secondary path of the circuit ExpressRoute.
  • Monitoring connectivity towards the Azure services such as Office 365, Dynamics 365 using ExpressRoute as connectivity.
  • Detection of possible deterioration of connectivity with the various virtual network.

Figure 2 – Topology view of a VM on Azure (left) connected to a VM on-prem (right), via ExpressRoute

Figure 3 - Trend on the use of the bandwidth and latency on the ExpressRoute circuit

Where to install the agents

In order to use ExpressRoute Monitor you need to install an Operations Management Suite agent on a system that resides on Azure virtual network and at least one agent on a machine attested on the subnet on-premises, connected via private peering of ExpressRoute.

The Cost of the Solution

The cost of ExpressRoute Monitor solution is calculated based on the volume of data generated during the monitoring operations. For more details please visit the specific section in the cost page of NPM .

Service Endpoint Monitor

Using this solution, you have the ability to monitor and test the reachability of your services and your applications, almost in real time, simulating user access. You also have the ability to detect network side performance problems and identify the problematic network segment.

Here are reported the main features of the solution:

  • It does the monitor end-to-end of the network connections to your applications. The monitor can be done by any endpoint "TCP-capable" (HTTP, HTTPS, TCP, and ICMP), as websites, SaaS applications, PaaS applications, and SQL databases.
  • It correlates application availability with network performance, to precisely locate the degradation point on the network, starting from the user's request until the application.
  • It tests applications reachability from different geographical location .
  • It determines the network latencies and lost packets to reach the applications.
  • It detects hot spots on the network that can cause performance problems.
  • It does the monitor of the availability of applications Office 365, through specific built-in test for Microsoft Office 365, Dynamics 365, Skype for Business and other Microsoft services.

Figure 4 - Creating of a Service Connectivity Monitor test

Figure 5 – Diagram showing the topology of the network, generated by different nodes, for a Service Endpoint

Where to install the agents

To use Service Endpoint Monitor you must install the Operations Management Suite agent on each node where you want to monitor network connectivity to a specific service endpoint.

The Cost of the Solution

The cost for using Service Endpoint Monitor is based on these two items:

  • Number of connections, where the connection is understood as reachability test of a single endpoint, from a single agent, for the entire month. In this regard you can see Connection Monitoring in the cost page.
  • Volume of data generated by the monitor. The cost is obtained from cost page of Log Analytics, in the section Data Ingestion.

Traffic Analytics

Traffic Analytics is a totally cloud-based solution, allowing you to have an overall visibility on network activities that are undertaken in the cloud environment. In Azure to allow or deny network communication to the resources connected with Azure Virtual Networks (vNet) it uses the Network Security Group (NSG), containing a list of access rules. The NSGs are applied to network interfaces connected to the virtual machines, or directly to the subnet. The platform uses NSG flow logs to maintain the visibility of inbound and outbound network traffic from the Network Security Group. Traffic Analytics is based on the analysis of NSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment.

Using Traffic Analytics you can do the following:

  • View network activities cross Azure subscriptions and identify hotspots.
  • Intercept potential network security threats, in order to take the right remedial actions. This is made possible thanks to the information provided by the solution: which ports are open, what applications attempt to access to Internet and which virtual machines connect to unauthorized networks.
  • Understand network flows between different Azure regions and Internet, in order to optimize their deployment for network performance and capacity.
  • Identify incorrect network configurations that lead to having incorrect communication attempts.
  • Analysis of the VPN gateway capabilities or other services, to detect problems caused by over-provisioning and underutilization.

Figure 6 – Traffic Analytics overview

Figure 7 - Map of Active Azure Regions on the subscription

DNS Analytics

DNS Analytics solution is able to collect, analyze and correlate logs of DNS and provides administrators the following features:

  • Identifies clients that try to resolve domains considered malevolent.
  • Finds records that belong to obsolete resources.
  • It highlights domain names frequently questioned.
  • View the load of requests received by the DNS server.
  • It does the monitor of dynamic DNS registrations failed.

Figure 8 – Overview of DNS Analytics solution

Where to install the agents

The solution requires the presence of the OMS agent or the Operations Manager agent installed on each DNS server to be monitored.

Conclusions

With increasing complexity of network architectures in hybrid environments, consequently increases the need to be able to use tools able to contemplate different network topologies. Azure provides several cloud based tools and integrated into the fabric, such as those described in this article, that allow you to fully and effectively monitor the networking of these environments. Remember to test and evaluate free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

OMS and System Center: What's New in June 2018

In June have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community, through these articles released monthly, aims to provide a general overview of the main new features of the month, in order to stay up to date on these arguments and have the necessary references for further information.

Operations Management Suite (OMS)

Log Analytics

Recently it was officially announced that the OMS portal will be deprecated, in favour of the Azure Portal. In this article are examined the aspects related to this change and what you should know to avoid being caught unprepared.

Figure 1 - Notifications in the OMS portal

Azure Backup

Azure Backup is enriched with an important new feature that allows you to natively protect SQL workload, running in IaaS virtual machines that reside in Azure. In this article are showed the benefits and the characteristics of this new feature.

Figure 2 – Protection of SQL Server on Azure VMs with Azure Backup

Released an updated version of the’Azure Backup agent (MARS), which can be obtained by accessing this link.

Using Azure Backup there is the possibility of generating the reports needed to be able to easily check the status of resource protection, details on the different backup jobs configured, the actual storage utilization and status of its alert. All this is made possible by using Power BI, allowing you to have a high degree of flexibility in the generation and customization of reports. In this video, recently published, there is show how to configure a Power BI workspace for sharing reports of Azure Backup within your organization. To analyze the steps required to configure the reporting of Azure Backup you can refer this article.

Figure 3 – Sharing PowerBI reports of Azure Backup

Azure Backup introduces the ability to protect workloads running on Azure Stack environment. The tenant who use the Azure Stack solution can then have a short term protection directly on the Azure Stack environment and can make use of Azure Recovery Service vault for long term retention and to perform offsite. For more details on this you can consult therelease announcement.

Figure 4 – Azure Stack Tenant backup with Microsoft Azure Backup Server

Azure Site Recovery

In Azure Site Recovery (ASR) was announced in "general availability (GA)" the ability to configure the Disaster Recovery (DR) of Azure Virtual Machines. Configuring the replication of virtual machines in different regions of Azure, you have the ability to make applications resilient to a fault affecting a specific Azure region. This feature is available in all the Azure regions where you can use ASR. Azure is the first public cloud to offer a native solution for Disaster Recovery for applications that run in IaaS.

During the preview, Microsoft has taken into account the different feedback from the customers and added to the solution, the following import capabilities:

We highlight these useful references regarding this solution:

Security and Audit

The solution Azure Network Security Group Analytics will be replaced by Traffic Analytics that was released in General availability (GA). This solution, fully cloud-based, allows you to have an overall visibility on network activities that are undertaken in the cloud environment. For more details about you can see "How to monitor network activities in Azure with Traffic Analytics"

System Center

System Center Data Protectrion Manager

In environments where System Center Data Protection Manager (SCDPM) is connected to Azure Backup service was introduced the ability to view all the items protected, details on the use of storage and information about the recovery points, direct from the Azure Portal, within the Recovery Service vault. This feature is supported for SCDPM 2012 R2, 2016 and for Azure Backup Server v1 and v2, as long as you have the latest version of Azure Backup Agent (MARS).

Figure 5 – Information from DPM outlined in Recovery Service vault

System Center Configuration Manager

It is usually released a technical preview per month in Configuration Manager, but this month, due to the considerable number of new features, they were released two.

The first is the version 1806 for the Technical Preview branch of System Center Configuration Manager. The main innovation introduced by this update is the addition of support for third-party software update catalogs. From the Configuration Manager console, you can easily subscribe to third-party software update catalogs, then publish updates via Software Update Point. These updates will be issued to the client by using the classic method of Configuration Manager to deploy software update.

Figure 6 – Access to third-party software update catalogs from the SCCM console

In addition to this new feature were released updates on:

  • Sync MDM policy from Microsoft Intune for a co-managed device
  • Office 365 workload transition in co-management
  • Configure Windows Defender SmartScreen settings for Microsoft Edge
  • Improvements to the Surface dashboard
  • Office Customization Tool integration with the Office 365 Installer
  • Content from cloud management gateway
  • Simplified client bootstrap command line
  • Software Center infrastructure improvements
  • Removed Network Access Account (NAA) requirement for OSD Boot Media
  • Removed Network Access Account (NAA) requirement for Task Sequences
  • Package Conversion Manager
  • Deploy updates without content
  • Currently logged on user information is shown in the console
  • Provision Windows app packages for all users on a device

The second is the version 1806.2 for the Technical Preview branch of System Center Configuration Manager, that mainly includes the following news related to the Phased deployment:

  • Ability to monitor the status natively, from the Deployments node.
  • Ability to create Phased deployment of applications and not just for task sequences.
  • Ability to carry out a gradual rollout during the deployment phase.

Also this preview contains updates regarding:

  • Management Insights for proactive maintenance
  • Mobile apps for co-managed devices
  • Support for new Windows app package formats
  • New boundary group options for optimized P2P behaviors
  • Third-party software updates support for custom catalogs
  • Compliance 9 – Overall health and compliance (Report)

Please note that the releases in the Technical Preview Branch help you evaluate the new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Released an updated version of the Management Pack for OS Windows Server 2016 and 1709 Plus which includes several updates and issues resolutions. For further information you can consult this article.

Released the version 8.2 of the MP Author that includes several improvements. For a list of what's new in this version you can see theofficial announcement of the release.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

OMS and System Center: What's New in May 2018

Compared to what we were used to seeing in recent months, in the month of may, have been announced by Microsoft a few news about Operations Management Suite (OMS) and System Center. This article will summarize bringing the references needed to conduct further studies.

Operations Management Suite (OMS)

Log Analytics

Microsoft announced the retirement, starting from 8 June 2018, of the following solutions:

This means that, as of this date, you can no longer add this solutions in the Log Analytics workspaces. For those who are currently using it, is appropriate to consider that the solution will still work, but will be missing its support and will not be released new updates.

In this article are reported some important recommendations that should be followed when using the operators "Summarize" and "Join" in Log Analytics and Application Insights query. It is recommended to adjust the syntax of any existing query, using these operators, to comply with the specifications given in the article.

Security and Audit

It should be noted this interesting article where it is shown how you can detect and investigate unusual and potentially malicious activities using Azure Log Analytics and Security Center.

Azure Site Recovery

Microsoft has announced that the following versions of the REST API of Azure Site Recovery will be deprecated since 31 July 2018:

  • 2014-10-27
  • 2015-02-10
  • 2015-04-10
  • 2015-06-10
  • 2015-08-10

You will need to use at least version API 2016-08-10 to interface with Azure Site Recovery. This type of change has no impact on the portal of Azure Site Recovery and to the solution access via PowerShell.

System Center

System Center Orchestrator

The Integration Packs of Orchestrator, version 7.3 for System Center 2016, have been released.
The download can be done at this link and includes the following components:

  • System Center 2016 Integration Pack for System Center 2016 Configuration Manager.
  • System Center 2016 Integration Pack for System Center 2016 Data Protection Manager.
  • System Center 2016 Integration Pack for System Center 2016 Operations Manager.
  • System Center 2016 Integration Pack for System Center 2016 Service Manager.
  • System Center 2016 Integration Pack for System Center 2016 Virtual Machine Manager.

These Integration Packs allow you to develop automation, interfacing directly with the other components of System Center. The Integration Pack for System Center 2016 Operations Manager has been revised to require no more the presence of the Operations Manager console to function correctly.

System Center Operations Manager

Following, are updates released for Operations Manager Management Packs:

  • Active Directory Federation Services version 10.0.1.0
  • Active Directory Federation Services 2012 R2 version 7.1.10100.1

System Center Service Management Automation

Service Management Automation sees the release ofUpdate Rollup 5. Among the issues addressed are:

  • Runbooks that, using cmdlets of System Center 2016 Service Manager, fail with the error "MissingMethodException".
  • Runbooks that fail with the exception "unauthorized access".

Improvements have also been made in the debug logging.

To see the complete list of issues and the details on how to upgrade, you can access to the specific knowledge base.

 

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

OMS and System Center: What's New in September 2017

Even the month of September is full of news and different updates have affected Operations Management Suite (OMS) and System Center, also thanks to Ignite 2017, the annual Microsoft conference of this week in Orlando. This article contains a summary accompanied by useful references for further study.

Operations Management Suite (OMS)

  • OMS Customers are using the solution Security & Compliance are given the option to use the features found in ’Azure Security Center in order to have a unified management of security and protection of their systems, all without additional cost. This is particularly useful to be able to manage workloads across hybrid environments, regardless of where they reside, on Azure, on-premises, or on other public clouds. Within the Azure Security Center will be automatically handle the security of the systems that are already connected to the solution OMS Security & Compliance and you can add additional machines simply by installing the Microsoft Monitoring Agent. To see details of the features offered I invite you to consult the publication OMS customers can now use Azure Security Center to protect their hybrid cloud workloads. In this regard it is worth noting that to enable the features just in time VM access, dynamic application controls and network threat detection of Azure resources you must select pricing tier Security Center Standard for the Subscription or the Resource Group.

Figure 1 – List of features for the protection of hybrid environments

  • The Azure portal now includes two features related to Operations Management Suite (OMS): Workspace Settings and View Designer. From the Azure portal you can access the settings of the workspace OMS as shown in the following figure:

    Figure 2 – Settings of the Workspace who are accessible from the Azure Portal

Also, the View Designer, that allows you to create custom views, is now accessible directly from the Log Analytics section of Azure portal:

Figure 3 – View Designer available directly from the portal Azure

  • As already announced in a dedicated article the update of Log Analytics has introduced a new powerful query language. In this useful article highlighted the main changes introduced by the new language.
  • Another interesting new feature is the ability to run query not only on single workspace OMS, but in a transversal way across multiple workspace. To learn more about you can see Query across resources.
  • Article Monitoring SQL Azure Data Sync using OMS Log Analytics returns the configuration to be carried out in order to monitor the solution SQL Azure Data Sync using a custom solution OMS. Azure SQL Data Sync allows you to synchronize data in both directions or unidirectional between different Azure SQL database andor to SQL database on-premises. With this procedure you can detect error conditions or warning in the synchronization process so simple, thanks to OMS.
  • To help you to track the Big Data application involving different technologies was announced in preview the ability to monitor cluster HDInsight with Azure Log Analytics . In this video there are the details of how HDInsight customers can monitor and debug Hadoop, Spark, HBase, Kafka, Interactive Query and cluster Storm.

Solutions

  • In OMS there is a new solution Virtual Machine Manager (VMM) Analytics for centralizing in Log Analytics the jobs of one or more Virtual Machine Manager to have an overall view of the health and performance of the virtualization infrastructure managed by System Center Virtual Machine Manager.

Figure 4 – Overview of VMM Analytics solution

Agent

  • Released a new version of the OMS agent for Linux systems that mainly has solved some bugs and introduced an updated version of some of the main components. For more details and to get the updated version please refer to the official GitHub page OMS Agent for Linux GA v 1.4.1-45

Figure 5 – Bug fixes and what's new for the OMS agent for Linux

 

System Center

System Center Configuration Manager

  • Released the Cumulative Update 6 for UNIX and Linux clients of Configuration Manager. It is a new version of the client that fixes several bugs and adds support for new Linux distributions. This release also removed support for Unix and Linux distributions even obsolete discontinued by vendor. Customers using the SCCM clients with these versions may continue to use the client updated to Cumulative Update 5. The release announcement and further details can be found in this article.
  • During Ignite 2017 was announced an interesting feature called co-management that interest the management of the device using either System Center Configuration Manager and Microsoft Intune. With Windows 10 Fall Creators Update there is the possibility to make the join of the device both to the Active Directory domain (AD) on-premises and to Azure AD in the cloud. This expands the possibilities for management of devices using the Configuration Manager client and the MDM agent of Intune. To deepen this topic, you can look in the video section of the Ignite site the sessions with the following reference codes: BRK3057, BRK3075, BRK3076 and BRK2079.

Figure 7 – Co-management devices with SCCM and Intune

 

System Center Updates Publisher

By accessing this page you can select the way you find most suitable to test and evaluate free Operations Management Suite (OMS).

OMS and System Center: What's New in August 2017

This article summarizes the main new features and includes upgrades, concerning Operations Management Suite (OMS) and System Center, that were announced during the month of August.

Operations Management Suite (OMS)

Log Analytics

  • For Log Analytics was published what may be called the most significant upgrade from the date of issue. Among the main changes introduced by this update there is a new powerful query language, the introduction of the new Advanced Analytics portal and greater integration with Power BI. For more details, I invite you to consult the specific article Log Analytics: a major update evolves the solution.

Figure 1 – Upgrade of Log Analytics

Agent

  • The agent who for Linux systems is constantly evolving and we released a new version that has fixed some bugs and improved error handling during onboarding of agent for easier troubleshooting: OMS Agent for Linux GA v 1.4.0-45

Figure 2 – Bug fixes and what's new for the OMS agent for Linux

Solutions

  • The OMS solution Network Performance Monitor has been improved and enhanced with the following new features:
    • The diagnostic agent: the solution now provides the ability to monitor in a specific view the health status of various agents deployed on the network and in case of problems NPM reports useful diagnostic information for troubleshooting.
    • Hop-by-hop latency breakdown: the topology map of the network has been enriched with details of timings found between two specific points.
    • Availability on the Azure Portal: as well as continuing to be available from OMS can be added from the Marketplace Azure and used directly by the Azure Portal.
    • Presence in additional region of Azure: the solution is now also available for the region Azure West Central US.

For more details see the announcement Improvements to the who Network Performance Monitor.

  • The emerging technology is becoming more widespread and monitor containers Docker becomes an essential component. For this reason the OMS team announced the availability of the new solution Container Monitoring that allows you to:
    • Display in a unique location information for all hosts container.
    • Learn which containers are running, where I am and with which image.
    • See audit information concerning action taken on container.
    • View and search logs for troubleshooting without needing access to hosts Docker.
    • Locate the containers that are consuming an excessive amount of resources on the host.
    • Display performance information centrally about the container about CPU usage, of memory, storage and network.

Figure 3 – Synthesis pathway of solution Container Monitoring

Full details on the solution Container Monitoring you can consult them in the document Container Monitoring solution in Log Analytics.

  • Released in preview the new solution for the monitoring of Azure Logic Apps. The solution displays various information about the status of logic app and then drill down to see details useful for troubleshooting. All aspects of this solution you can consult them in Microsoft's official documentation.

Security and Audit

  • The baseline assessment of OMS Security is enhanced with functionality Web security baseline assessment that was announced in public preview and lets you scan the web server with Internet Information Services (IIS) to check for security vulnerabilities and provides useful recommendations regarding the correct environment setup. The document Baseline Assessment in Operations Management Suite Web Security and Audit Solution shows additional information about.

Figure 4 – Assessment dashboard of Web security baseline

 

System Center

System Center Configuration Manager

  • Last month it was released version 1706 for the Current Branch (CB) System Center Configuration Manager as described in the article OMS and System Center: What's New in July 2017. In date 8 August was released a package update to correct some errors that were encountered during the first deployment, but this package introduced problems therefore on 11 August has been replaced with a new version. For those who have updated SCCM to version 1706 between August 8 and August 11 you need to install an additional update as documented in Microsoft knowledge base article Update for System Center Configuration Manager version 1706, first wave. This update can be installed by accessing the node "Updates and Servicing" of the SCCM console. A further update will be released in the coming week to who made the SCCM update to version 1706 prior to August 8.
  • Released version 1708 for the branch Technical Preview of System Center Configuration Manager: Update 1708 for Configuration Manager Technical Preview Branch – Available Now!. I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

System Center Operations Manager

Following the news about the SCOM Management Pack 2016:

  • Advanced Threat Analytics 1.7 Management Pack version 1.7.1.1.
  • Service Map Management Pack in public preview: Thanks to this new MP you can integrate maps are created dynamically by the OMS Service solution Map with diagrams of the Distributed Application in Operations Manager to ensure that the latter are dynamically generated and maintained.

For more information I invite you to consult related documentation available online.

Figure 5 – Integration of the Service Map of who and the SCOM Distributed App

  • Available a hotfix to solve some problems related to the WMI monitor health.

How to connect third-party security solutions at OMS

Between the various features of Operations Management Suite (OMS) There is a possibility to collect events generated in standard form Common Event Format (CEF) and events generated by Cisco ASA devices. Many vendors of security solutions generate events and log files matching the syntax defined in the standard CEF for interoperability with other solutions. Configuring the sending of data in this format to who and adopting the solution OMS Security and Audit You can correlate the different information collected, leverage the powerful search engine of OMS to monitor your infrastructure, retrieve audit information, detect problems and use Threat Intelligence.

This article will be fleshed out the necessary steps to integrate the logs generated by Cisco Adaptive Security Appliance (ASA) within the who. Before you can configure this integration you must have a Linux machine with installed agent OMS (version 1.2.0-25 or later) and configure it to forward the logs are received by the who to the workspace. For installation and onboard Linux agent I refer you to the official Microsoft documentation: Steps to install the OMS Agent for Linux.

Figure 1 – Architecture for collecting logs from Cisco ASA in OMS

Cisco ASA apparatus must be configured to forward events to the Linux machine defined as collector. To do this you can use Cisco ASA device management tools such as Cisco Adaptive Security Device Manager:

Figure 2 – Syslog Server configuration example Cisco ASA

On the Linux machine must be running the syslog daemon will send events to UDP port 25226 local. The agent who is listening on this port for all incoming events.

For this configuration, you must create the file Security-config-omsagent. conf respecting the following specifications depending on the type of Syslog running on Linux machine. For example, a sample configuration to send all events with facility local4 the agent who is as follows:

  • If daemon rsyslog the file must be present in the directory /etc/d/rsyslog. with the following content:
#OMS_facility = local4

local4.* @ 127.0.0.1:25226
  • If daemon syslog-ng the file must be present in the directory /etc/syslog-ng/ with the following content:
#OMS_facility = local4  

filter f_local4_oms { facility(local4); };  

destination security_oms { TCP("127.0.0.1" port(25226)); };  

log { source(src); filter(f_local4_oms); destination(security_oms); };  

The next step is the creation of the configuration file Fluentd named security_events. conf that lets you collect and make parsing of events received by the agent who. The file you can download it from GitHub repository and must be copied into the directory /etc/opt/microsoft/omsagent/<workspace id>/conf/d/omsagent..

Figure 3 – Configuration file Fluentd the agent OMS

At this point, to make the changes, You must restart the syslog daemon and agent who through the following commands:

  • Restarting Syslog daemon:
sudo service rsyslog restart or sudo/etc/init.d/syslog-ng restart
  • Restart agent OMS:
sudo/opt/microsoft/omsagent/bin/service_control restart

Complete these steps the agent who should view the log to see if there are any errors using the command:

tail/var/opt/microsoft/omsagent/<workspace id>/logs/omsagent.log

After finishing the configuration from the who portal you can type in the query Log Search Type = CommonSecurityLog to analyze data collected from the Cisco ASA:

Figure 4 – Query to see Cisco ASA events collected at OMS

Log collection is enriched by Threat Intelligence present in solution Security & Compliance Thanks to an almost real-time correlation of data collected in the repository OMS with information from leading vendor of Threat Intelligence and with the data provided by the Microsoft security centers allows you to identify the nature and results of any attacks involving our systems, including the network equipment.

By accessing the solution Security And Audit from the OMS section appears Threat Intelligence:

Figure 5 – Information of Threat Intelligence

By selecting the tile Detected threat types You can see details about intrusion attempts that in the following case involving the Cisco ASA:

Figure 5 – Detected threat on Cisco ASA

In this article you entered the configuration details of Cisco ASA, but similar configurations you can make them for all solutions that support the generation of events in standard form Common Event Format (CEF). To configure the integration of Check Point Securtiy Gateway with who I refer you to the document Configuring your Check Point Security Gateways to send logs to Microsoft OMS.

Conclusions

Using Operations Management Suite there is a chance to consolidate and to correlate events from different products that provide security solutions allowing you to have a complete overview of your infrastructure and respond quickly and accurately to any incident of security.

OMS Log Analytics: the Update Management solution for Linux systems

Using the Operations Manager Update Management Solution Suite (OMS) you have the ability to centrally manage and control the update status of systems in heterogeneous environments both Windows and Linux machines and independently from their placement, on-premises rather than in the cloud. In this article, we explored aspects of solution regarding Linux systems.

The Update Management solution allows you to quickly assess the status of updates available on all servers with the OMS agent installed and is able to start the process of installing the missing updates. Linux systems are configured to use this solution require in addition to the presence of ’ agent who Powershell Desired State Configuration (DSC) for Linux andHybrid Runbook Automation Worker (installed automatically).

The solution currently supports the following Linux distributions:

  • CentOS 6 (x 86/x 64) and CentOS 7 (x 64).
  • Red Hat Enterprise 6 (x 86/x 64) and Red Hat Enterprise 7 (x 64).
  • SUSE Linux Enterprise Server 11 (x 86/x 64) and SUSE Linux Enterprise Server 12 (x 64).
  • Ubuntu 12.04 LTS and later (x 86/x 64).

In addition to work correctly you need the Linux system has access to an update repository. In this regard it is worth noting that at the moment there is a chance by who to select which updates to apply, but ’ all available updates are available from the update repository configured on the machine. To have more control over updates to apply you may evaluate the ’ using a custom update repository created and contains only the updates that you want to approve.

The following diagram shows the flow of operations being carried out by the solution to move towards compliance status and the workspace who to apply the missing updates:

Figure 1 – Flow of operations performed on Linux systems

  1. The agent who for Linux scans each 3 hours to detect missing updates and reports the outcome of the scan to the workspace who.

Figure 2 – OMS Dashboard Update Management solution

  1. The operator using the dashboard OMS can refer to update assessments and define the schedule for deployment of updates:

Figure 3 – Management of Update Deployment

Figure 4 – OMS Dashboard Update Management solution

In creating the Update Deployment is defined a name, the list of systems to be involved, that can be provided explicitly or by using a query of Log Analytics, and scheduling.

  1. The component Hybrid Runbook Worker running on Linux systems checks for maintenance Windows and the availability of any deployment to apply. In this regard it is good to specify that enabling the solution to Update Management every Linux system connected to the workspace who is automatically configured as Hybrid Runbook Worker to perform runbook created to deploy updates. Also every system managed by the solution is a Hybrid Runbook Worker Group within the Automation OMS Account following the naming convention Hostname_GUID:

Figure 5 – Hybrid Worker Groups

  1. If a machine has an Update Deployment (as a direct member or because it belongs to a specific group of computers) on it starts the package manager (Yum, Apt, Zypper) to install updates. Installing updates is driven by who through specific runbook Automation within Azure. These are not visible in Azure runbook Automation and require no configuration by the administrator.

Figure 6 – Azure Automation Account used by the solution of Update Management

  1. After Setup OMS agent for Linux and the basic status of Update Deployment and compliance to the workspace who.

Conclusions

Microsoft Operations Management Suite is a tool that lets you manage and monitor heterogeneous environments. Still today, unfortunately, you are faced to the debate on the real need to maintain regularly updated Linux systems, but considering some recent security incident caused by outdated systems, It is evident that it is good to have a solution that allows you to manage updates for Linux machines. The solution to Update Management of OMS is constantly evolving, but already today enables us to control and manage the distribution of updates also on Linux systems in a simple and efficient way.

For more details, I invite you to consult Microsoft's official documentation Solution for Update Management of OMS.

To further explore this and other features you can activate free OMS.

 

OMS Security: Antimalware solution Assessment presentation

Microsoft Operations Management Suite (OMS) offers an interesting solution named Antimalware Assessment with which you can monitor the status of anti-malware protection on the entire infrastructure and easily detect potential threats.

In order to use the Antimalware solution Assessment you must subscribe to l ’ offer "Security & Compliance "OMS. The installation of the solution can be made by following the procedure described at the beginning of the article OMS Security: Threat Intelligence or by going directly to theAzure Marketplace. After having activated the OMS is not required no further configuration and is ready to be used.

La solution thanks to an easy-to-navigate dashboard shows real-time antimalware protection systems without active and is able to show a status in OMS antimalware for the following products:

  • Windows Defender on Windows 8, Windows 8.1, Windows 10 and Windows Server 2016.
  • Windows Security Center (WSC) on Windows 8, Windows 8.1, Windows 10, Windows Server 2016.
  • System Center Endpoint Protection (version 4.5.216 or later).
  • Antimalware extension and Windows Malicious Software Removal Tool (MSRT) activated on the VMS in Azure.
  • Symantec Endpoint 12. x and 14 x.
  • Trend Micro Deep 9.6.

At the moment only detects installations of some solutions of third party vendors such as Symantec and Trend Micro, but probably this list is set to increase.

On monitored systems by who is made an assessment about security by checking the status of the antimalware product, performing analysis on a regular basis, and if you are using signatures from as little as seven days.

The portal home page who is the tile that reports a summary Assessment of the State of anti-malware infrastructure:

Figure 1 – Antimalware Assessment tile

By selecting this tile leads to Antimalware solution dashboard Assessment that categorizes the information collected and reported in 4 different tile:

  • Threat Status
  • Detected Threats
  • Protection Status
  • Type of Protection

Figure 2 – Antimalware Dashboard Assessment

The first two tile focus on observations of infections with the type of malware intercepted, infected systems and highlighting situations where the antimalware ’ was not able to clean your system from ’ infection.

Selecting the infected machine or the name of the malware is returned on the page Log Search where you can see the details of the threat detected:

Figure 3 – Details of the threat detected

Selecting the link View next to the name of threat you are directed to the Microsoft malicious software encyclopedia:

Figure 4 – Search all internal Microsoft ’ encyclopedia of malware

By selecting the name of the malware you can consult the card with all details about all ’ infection:

Figure 5 – Card with malware information

The remaining tile shows useful information on the State of infrastructure security:

  • Which machines are not protected and why (agent disabled, signature not updated or not scan made recently) so you can take corrective action.
  • The list of machines detected on antimalware solutions.

From these tile you can easily do a drill down to see the list of affected machines, such as the list of machines without a real time protection enabled:

Figure 6 – Machines with no real time protection

Conclusions

You can count on a tool that can quickly identify systems with antimalware protection not sufficient or compromised machines from malware is crucial to mitigate attempts at compromise of corporate data and avoid major incidents of security. Microsoft Operations Management Suite (OMS) In addition to these features it includes other important solutions in this area making it a great tool to ensure the security and compliance of your infrastructure. To further explore this and other features you can try the OMS for free.

OMS Security: Threat Intelligence

Among the various features offered by Operations Management Suite (OMS) There is the possibility to activate the solution called Security & Compliance that identifies, evaluate and mitigate potential risks of security on our systems. The solution you can turn it on easily with just a few steps:

  1. I log into the portal who and I select the tile "Solutions Gallery"

Figure 1 – Step 1: activating solution Security & Compliance

  1. Among the various solutions offered have the ability to add "Security & Compliance " that currently includes the solution "Antimalware Assessment"e"Security and Audit"

Figure 2 – Step 2: activating solution Security & Compliance

  1. Select the Workspace who and by pressing the button Create the solution is added and made available for use

Figure 3 – Step 3: activating solution Security & Compliance

As a result of the activation of the ’ solution who will connect to systems with the agent installed to perform a security assessment that may initially require up to several hours, then return the processed data in the portal. The solution is able to examine both Windows and Linux machines and helps protect l ’ infrastructure be it on-premises or in the cloud. In this article we'll delve into the functioning of the mechanism of Threat Intelligence.

Figure 4 – Architecture Threat Intelligence

Threat Intelligence plays a vital role in ’ solution scope of security of OMS thanks to a nearly real-time correlation of data collected in the repository OMS with information from leading vendor of Threat Intelligence and with the data provided by the Microsoft security centers. Let us not forget that Microsoft is constantly working to protect their services in the cloud and therefore has a unique visibility and widespread threats that can potentially affect our systems. Providing this functionality Microsoft enables its customers to benefit easily of his knowledge to protect resources, detect attacks and act the same with a quick response without having to resort to complex integration scenarios.

Threat Intelligence is able to provide the following information that enable teams of security to make the necessary actions and to understand the possible level of impairment of their systems:

  • Detect the nature of the attack
  • Determines the intent of the attack, useful to understand if it is a targeted attack at your organization to acquire specific information or if it is a random and massive attack
  • Identifies where the attack
  • Intercepts any compromised systems and reports the server performing traffic considered malevolent outwards
  • Reports which files have been possibly accessed

To access the information in the main portal dashboard Threat Intelligence who select the tile "Security and Audit":

Figure 5 – Tile Security and Audit

On the dashboard "Security and Audit" is the section Threat Intelligence then reset:

Figure 6 – Information of Threat Intelligence

In tile Server with outbound malicious traffic monitored server systems are reported that are generating malicious traffic from the Internet. If they are reported immediately should undertake in this tile systems of remedies.

In tile Detected threat types shows a summary of threat detected recently:

Figure 7 – Tile Detected threat types

By selecting the tile you can also obtain more details about:

Figure 8 – Details about the threat detected

Threat Intelligence also provides the map display of the attacks which enables you to quickly identify which part of the globe are made. Orange arrows indicate the presence of incoming malicious traffic, While Red arrows indicate malicious traffic outbound to certain location. By selecting a specific arrow you will get more details about the source of the attack:

Figure 9 – Threat Intelligence map

Conclusions

Detect potential attacks and respond quickly and effectively to security incidents that occur in your environment is crucial. Activating the solution "Security & Compliance"the Microsoft Operations Management Suite (OMS) You can use Threat Intelligence to enhance the effectiveness of its strategies in security and have a powerful tool that can minimize the amount of potential incidents of security. For those interested to further deepen this and other features of the who remember that you can try the OMS for free.