Category Archives: Security & Compliance

Cloud Security Posture Management (CSPM) in Defender for Cloud: protect your assets with an advanced security solution

In the context of today's digital landscape, the adoption of cloud computing has opened up new opportunities for organizations, but at the same time new challenges have emerged in terms of security of cloud resources. The adoption of a Cloud Security Posture Management solution (CSPM) is critical to ensuring that cloud resources are configured securely and that security standards are properly implemented. Microsoft Azure offers Defender for Cloud, a complete solution that combines the power of a CSPM platform with advanced security features to help organizations protect their cloud resources effectively. This article dives into the CSPM features offered by Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The features of Microsoft Defender for Cloud are able to contemplate three major pillars of security for modern architectures that adopt cloud components:

  • DevOps Security Management (DevSecOps): Defender for Cloud helps you incorporate security best practices early in the software development process. In fact,, helps secure code management environments (GitHub and Azure DevOps), the development pipelines and allows to obtain information on the security posture of the development environment. Defender for Cloud currently includes Defender for DevOps.
  • Cloud Security Posture Management (CSPM): it is a set of practices, processes and tools aimed at identifying, monitor and mitigate security risks in cloud resources. CSPM offers broad visibility into the security posture of assets, enabling organizations to identify and correct non-compliant configurations, vulnerabilities and potential threats. This proactive approach reduces the risk of security breaches and helps maintain a secure cloud environment.
  • Cloud Workload Protection Platform (CWPP): Proactive security principles require implementing security practices that protect workloads from threats. Defender for Cloud includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the Azure subscriptions and in hybrid and multi-cloud environments.

Figure 1 – The security pillars covered by Microsoft Defender for Cloud

CSPM in Defender for Cloud

Defender for Cloud is the advanced security solution from Microsoft Azure that contemplates the CSPM scope to offer a wide range of security features and controls for cloud resources. With Defender for Cloud, organizations can get complete visibility into their assets, identify and resolve vulnerabilities and constantly monitor the security posture of resources. Some of the key features offered by Defender for Cloud include:

  • Configuration analysis: Defender for Cloud examines cloud resource configurations for non-compliant settings and provides recommendations to fix them. This ensures that resources are configured securely and that security standards are met.
  • Identification of vulnerabilities: the solution continuously scans cloud resources for known vulnerabilities. Recommendations and priorities are provided to address these vulnerabilities and reduce the risk of exploitation by potential threats.
  • Continuous monitoring: Defender for Cloud constantly monitors the security posture of cloud resources and provides real-time alerts in the event of insecure configurations or suspicious activity. This enables organizations to respond promptly to threats and maintain a secure cloud environment.
  • Automation and orchestration: Defender for Cloud automates much of the process of managing the security posture of cloud environments, allowing organizations to save valuable time and resources.

Defender for Cloud offers core CSPM capabilities for free. These features are automatically enabled on any subscription or account that has onboarded Defender for Cloud. If deemed necessary, it is possible to expand the set of features by activating the plan Defender CSPM.

Figure 2 – Comparison between CSPM plans

For a complete comparison you can refer to Microsoft's official documentation.

The optional Defender CSPM plan offers advanced security posture management capabilities, among the main ones we find:

  • Security Governance: security teams are responsible for improving the security posture of their organizations, but they may not have the resources or authority to actually implement the security recommendations. Assigning managers with expiration dates and defining governance rules create accountability and transparency, so you can lead the process of improving your organization's security.
  • Regulatory compliance: with this feature, Microsoft Defender for Cloud simplifies the process of meeting regulatory compliance requirements, providing a specific dashboard. Defender for Cloud continuously assesses the environment to analyze risk factors based on the controls and best practices of the standards applied to the subscriptions. The dashboard reflects your compliance status with these standards. The Microsoft cloud security benchmark (MCSB) instead it is automatically assigned to subscriptions and accounts when you sign in to Defender for Cloud (foundational CSPM). This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies them with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP) and for other Microsoft clouds.
  • Cloud Security Explorer: allows you to proactively identify security risks in your cloud environment by graphically querying the Cloud Security Graph, which is the context definition engine of Defender for Cloud. Requests from the security team can be prioritized, taking into account the context and the specific rules of the organization. With the Cloud Security Explorer it is possible to interrogate the security problems and the context of the environment, such as resource inventory, Internet exposure, the permissions and the “lateral movement” across resources and across multiple clouds (Azure and AWS).
  • Attack path analysis: analyzing attack paths helps address security issues, related to the specific environment, which represent immediate threats with the greatest potential for exploitation. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach the specific environment. Furthermore, highlights security recommendations that need to be addressed to mitigate them.
  • Agentless scanning for machines: Microsoft Defender for Cloud maximizes coverage of OS posture issues and goes beyond the coverage provided by specific agent-based assessments. Get instant visibility with agentless scanning for virtual machines, wide and unobstructed regarding potential posture problems. All without having to install agents, meet network connectivity requirements or impact machine performance. Agentless scanning for virtual machines provides vulnerability assessment and software inventory, both through Microsoft Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available in both Defender Cloud Security Posture Management (CSPM) both in Defender for Servers P2.


In the increasingly complex context of IT asset security, especially in the presence of hybrid and multi-cloud environments, the Cloud Security Posture Management (CSPM) has become an essential component of an organizations security strategy. Defender for Cloud in Microsoft Azure offers an advanced CSPM solution, which combines configuration analysis, identification of vulnerabilities, continuous monitoring and automation to ensure that IT assets are adequately protected. Investing in a CSPM solution like Defender for Cloud enables organizations to mitigate security risks and protect IT assets.

Azure management services and System Center: What's New in March 2020

In March there have been several news announced by Microsoft on the Azure management services and System Center. In this summary, that we report on a monthly basis, major announcements are listed, accompanied by the necessary references to be able to conduct further studies on.

Azure Monitor

Azure Security Center integration

In Azure Security Center (ASC) integration with Azure Monitor has been introduced. In fact, in ASC it has been made available the ability to export continues toward a Log Analytics workspace. With this feature, you can configure Azure Monitor alert rules against recommendations and alerts exported from the Security Center. As a result, you can enable action groups to achieve automation scenarios supported by Azure Monitor.

Service availability Azure Monitor for VMs

In Azure monitor, the service that monitors virtual machines has been released, calledAzure Monitor for VMs. This service analyzes the performance data and the status of virtual machines, makes the monitor of the installed processes and examines its dependencies.

The serviceAzure Monitor for VMsis divided into three different perspectives:

  • Health: the logical components present on board of the virtual machines are evaluated according to specific pre-configured criteria, generating alerts when certain conditions are met.
  • Performance: shows summary details of performance, from the guest operating system.
  • Map: generates a map with the interconnections between the various components that reside on different systems.

This solution can be used on Windows and Linux virtual machines, regardless of the environment in which they reside (Azure, on-premises or at other cloud providers).

New agent version for Windows and Linux systems

A new version of the Log Analytics agent has been released this month for Window systemss and for Linux systems. In both cases they are introduced several improvements and increased stability.

SHA-2 signing for the Log Analytics agent

The Log Analytics agent for Windows will start enforcing SHA-2 signings from 18 may 2020. This change requires action if you are running the agent on a legacy version of the operating system (Windows 7, Windows Server 2008 R2, or Windows Server 2008) . Customers who are in this condition should apply the latest updates and patches on these operating systems before 18 may 2020, otherwise their agents will stop sending data to Log Analytics workspaces. The following Azure services will be affected by this change: Azure Monitor, Azure Automation, Azure Update Management, Azure Change Tracking, Azure Security Center, Azure Sentinel, Windows Defender ATP.

Azure Site Recovery

New Update Rollup

For Azure Site Recovery was released theUpdate Rollup 45 that solves several issues and introduces some improvements. The details and the procedure to follow for the installation can be found in the specific KB.

Azure Backup

Azure Backup Report

Azure Backup has announced the release of the solution Azure Backup Report. It's a tool available in the Azure portal that provides reports to answer many questions about backup progress, including: “What backup items consume more storage space?”, “Which machines have consistently had abnormal backup behaviors?”, “What are the main causes of the backup job failure?”. Reports provide cross-sectional information across different types of workloads, Vaults, subscriptions, regions and tenants. This tool also provides support for Windows Server 2008, to facilitate the migration steps of the on-premises systems based on Windows Server 2008 to Azure, process by which you can continue to get security patches.

Azure Automation

Availability in new regions

Azure Automation is now available in preview in the regions ” US Gov Arizona”.

Evaluation of Azure and System Center

To test for free and evaluate the services provided by Azure you can access this page, while to try the various System Center components you must access theEvaluation Center and, after registering, you can start the trial period.

Data encryption in Azure

One of the areas related to the improvement of Security Posture of the corporate information system is certainly encryption, through the adoption of specific techniques, that makes the data readable only to those who have the solution to decrypt it. This article provides an overview of how encryption is used in Azure and provides references to further studies.

To protect your data in the cloud, you must first consider the possible states in which the data can be located and evaluate the related controls that can be implemented. Best practices for data security and encryption, particularly in Azure, concern the following states:

  • At rest: includes all information that statically resides on physical storage media, both magnetic and optical.
  • In transit: when data is transferred between components, locations or services, are defined in transit. For example,, transferring data across the network, service bus or during processes of input / output.

Encryption at Rest

Encryption at Rest is a highly recommended technique and is a priority requirement for many organizations to comply with data governance and compliance policies. Different industry-specific and government-specific regulations, require the presence of data protection and encryption measures. Encryption at Rest encrypts the data when it is persistent and is used, in addition to meeting compliance and regulatory requirements, also to have a high level of protection for data. The Azure platform natively involves the adoption of advanced physical security mechanisms, data access control and auditing. However, It is important to take overlapping security measures to deal with potential bankruptcies, and encryption at Rest is a great way to ensure confidentiality, compliance and data sovereignty.

Server-Side Data Encryption Models

Server-side data encryption models refer to encryption performed by Azure services. In this model, it is the Azure Resource Provider that performs encryption and decryption. There are several Encryption at Rest templates at Server Side available in Azure, each of which has different characteristics in key management, these can be applied to different Azure resources:

  • Server-Side Encryption using Service-Managed Keys. In this scenario, the encryption keys are managed by Microsoft and proves to be a good combination of control and convenience.
  • Server-side encryption using customer-managed keys in Azure Key Vault. In this mode, the encryption keys are controlled by the customer through Azure Key Vault, and includes support for using your keys (BYOK).
  • Server-side encryption that uses customer-managed keys on customer-controlled hardware. This methodology allows the customer to check the keys that reside on a repository controlled by the customer, outside of Microsoft's control. This feature is called Host Your Own Key (HYOK). However, configuration is articulated and most Azure services do not support this model at this time.

Figure 1 – Server-side encryption model

Client-side data encryption models

The client-side data encryption model refers to encryption performed outside Azure and is performed directly by the calling service or application. When you use this encryption model, the Resource Provider in Azure receives encrypted data without the ability to decrypt it or access the encryption keys. In this model, key management is performed by the calling service or application and is obscure for the Azure service.

Figure 2 – Client-side encryption model

Encryption at Rest for top Azure services

Azure Storage

Azure Storage provides on automatically encrypts the data when they are made persistent in the cloud environment. In fact,, all Azure Storage services (Blob storage, Queue storage, Table storage, and Azure Files) support server side encryption of data at rest and some of them also support encryption client-side of data and encryption keys managed by the customer.

  • Server-side: all default Azure storage services have enabled by default the server-side encryption using keys managed by the service. For Azure Blob storage and Azure Files is also supported using encryption keys managed by the customer in Azure Key Vault. The technology used is called Azure Storage Service Encryption, in automatically able to encrypt the data before being stored and decode them when they are accessed. This process is completely transparent to the user and involves the use of AES encryption 256 bit, one of the most powerful block ciphers currently available. Azure Storage encryption is similar to BitLocker encryption in a Windows environment. Azure Storage encryption is enabled by default for all new storage accounts and cannot be disabled. Storage accounts are encrypted regardless of performance level (standard or premium) or from the deployment model (Azure Resource Manager or classic). All redundancy options provided for storage accounts support encryption and all copies of a storage account are always encrypted. Encryption does not affect the performance of storage accounts and there is no additional cost.
  • Client-side: this encryption is currently supported by Azure Blobs, Tables, and Queues. When used the data is encrypted by the customer managing their keys and is uploaded as an encrypted blob.

Virtual Machines

All Managed Disks, Snapshots and virtual machine images in Azure are encrypted using Storage Service Encryption via keys managed by the service. When processing data on a virtual machine, data can be kept in the Windows paging file or in the Linux swap file, in a crash dump or an application log. Therefore, to obtain a solution of Encryption at Rest more complete on IaaS virtual machines and virtual disks, which ensures that data is never kept in an unencrypted form, you need to use Azure Disk Encryption . This feature helps you protect Windows virtual machines, using the technology Windows BitLocker, and Linux virtual machines through DM-Crypt. Relying on Azure Disk Encryption you get a full protection of the operating system disks and data volumes. The Encryption keys and the secrets are protected within their own Azure Key Vault. Encrypted virtual machine protection is supported by the Azure Backup service. For more information about Azure Disk Encryption you can see the Microsoft's official documentation.

Azure SQL Database

Azure SQL Database currently supports encryption at rest in the following ways:

  • Server-side: server-side encryption is guaranteed through a SQL feature named Transparent Data Encryption (TDE) and it can be activated either at the database server level. Starting in June 2017 this feature is on by default for all new database. TDE protects SQL data and log files, using AES encryption algorithms and Triple Data Encryption Standard (3DES). Database files are encrypted at the page level, they are encrypted before being written to disk and de-encrypted when read into memory.
  • Client-side: client-side encryption of data to SQL Azure Database is supported through the functionality Always Encrypted, that uses keys that are generated and stored on the client side. By adopting this technology it is possible to encrypt data within the client applications before storing in the Azure SQL database.

As with Azure Storage and Azure SQL Database, also for many other Azure services (Azure Cosmos DB, Azure Data Lake, etc.) the data encryption at rest occurs by default, but for other services it can be optionally activated.

Encryption in Transit in Azure

The protection of data in transit must be an essential element to be considered in your data protection strategy. It is generally recommended to protect the movement and exchange of data always using SSL protocols / TLS. Under certain circumstances, it may be appropriate to isolate the entire channel of communication between the on-premises environment and the cloud using a VPN. Microsoft uses the TLS protocol (Transport Layer Security) to protect data when traveling between cloud services and customers. In fact,, a TLS connection is negotiated between the Microsoft datacenter and client systems that connect to the Azure Services. The TLS protocol provides strong authentication, privacy and message integrity (allows detection of tampering, interception and message forgery).


The issue of protection through encryption of the data stored in Azure environment is seen as very important for those who decide to rely on the services in the cloud. Knowing that all Azure services provide encryption at rest options and that basic services encryption is enabled by default, is certainly very comforting. Some services also support the control of the encryption keys from the customer and the client side encryption to provide a greater level of control and flexibility. Microsoft is constantly improving its services to ensure greater control of the encryption at rest options and aims to enable encryption at rest as the default for all customer data.

Security in the cloud with Azure Sentinel solution

Microsoft recently announced a new cloud solution called Azure Sentinel. It is a service that aims to expand the capabilities and potential of the products SIEM (Security Information and Event Management) traditional, going to use the power of the cloud and artificial intelligence to be able to quickly identify and manage security threats affecting your infrastructure. This article lists the main features of the solution.

Azure Sentinel is a solution that allows real-time analysis of security events and information generated within their own hybrid infrastructure, from server, applications, devices and users. It is a cloud-based service, it follows that one can easily scale and have high-speed processing of information, without the need to implement and manage a dedicated infrastructure, to intercept potential security threats.

Azure Sentinel service can be activated directly from the Azure Portal:

Figure 1 - Creation of service Azure Sentinel

Operating principles of Azure Sentinel

Collect data within the infrastructure

Azure Sentinel leans to Azure Monitor that, using the proven and scalable repository of Log Analytics, is able to accommodate a high volume of data, which it is possible to process them effectively thanks to an engine that ensures high performance.

Figure 2 - Adding Azure Sentinel to an existing Log Analytics workspace

With Azure Sentinel you can aggregate different security data from many sources, using the appropriate connectors embedded in the solution. Azure Sentinel is able to connect, in addition to the different platform solutions, even the most widespread and popular network solutions of third-party vendors, including Palo Alto Networks, F5, Symantec, Fortinet and Check Point. Azure Sentinel also has a native integration with logs that meet the standard formats, as common event and syslog.

Figure 3 -Data Connectors

Using this solution, you also have the ability to easily import data from Microsoft Office 365 and combine them with other security data, in order to get a detailed analysis of your environment and have visibility into the entire sequence of an attack.

Figure 4 – Office 365 Connector

Azure Sentinel also integrates with’Microsoft Graph Security API, which allows you to import your own threat intelligence feeds and customize detection rules of potential security incidents and notification.

Analyze and quickly identify the threats by using artificial intelligence

Azure Sentinel uses scalable machine learning algorithms, able to correlate a high amount of security data, to present to the analyst only potential security incidents, all with a high level of reliability. Thanks to this mechanism Azure Sentinel differs from other SIEM solutions, adopting traditional correlation engines, drastically reducing noise and consequently the effort for the analysis required in detecting threats.

Figure 5 – Azure Sentinel Overview

After enabling the Data Collectors required, you will begin to receive data in the workspace of Log Analytics and setting up ofAlert Rules, it can generateCases to report potential security threats. For more details on how to detect threats with Azure Sentinel, see the Microsoft's official documentation.

Investigate suspicious security activities

The data processed by the solution can be found using the dashboards, customizable to suit your needs. Dashboards allow you to conduct investigations by reducing the time needed to understand the scope of an attack and its impact.

Figure 6 – Dashboards available in Azure Sentinel

Figure 7 – Azure Network Watcher dashboard

If security threats are detected, against the Alert Rules set, it is generated a Case, for which you can set the severity, the status and its assignment.

Figure 8 – Cases

Using the console, you can proceed with the investigation of the case:

Figure 9 – Case Investigation

In the same dashboard you can also perform actions. Proactive research activities of suspicious transactions are a fundamental aspect for security analysts, that with Azure Sentinel can be made through two specific features that allow you to automate the analysis: search query (hunting queries) and Azure Notebooks (based on notebook Jupyter), that are constantly updated.

Figure 10 – Hunting queries

Figure 11 -Example of an Azure Notebook

Automate common tasks and response to threats

Azure Sentinel provides the ability to automate and orchestrate the response to common problems, so you don't have to manually perform repetitive tasks. By means of predefined and customizable playbooks you can quickly respond to security threats.

Figure 12 – Alert playbooks

Figure 13 – Logic Apps Designer

Microsoft also announced that more defense and investigation tools will be integrated in the solution increased.


Azure Sentinel is a complete solution that provides native SIEM in the cloud and introduces significant benefits over traditional SIEM solutions, which require to sustain high costs for the maintenance of the infrastructure and for data processing. Azure Sentinel enables customers to simplify the tasks required to maintain high security in the infrastructure and to scale gradually to suit your needs, providing a wide integration with third party solutions.

Azure Security Center: introduction to the solution

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. This article lists the main characteristics and features, to address the use cases and to understand the potential of the instrument.

Key features and characteristics of Azure Security Center

  • It manages security policies centrally. It ensures compliance with the safety requirements to be imposed on business and regulatory. Everything is handled centrally through security policies that can be applied to different workloads.

Figure 1 – Policy & Compliance Overview

Figure 2 – Policy management

  • It makes Security Assessment. It monitors the situation continuously in terms of security of machines, networks, storage and applications, in order to identify potential security problems.
  • It provides recommendations that you can implement. Are given indications that are recommended to implement to fix the security vulnerabilities that affect your environment, before they can be exploited in potential cyber attacks.

Figure 3 – Recommendations list

  • It assigns priorities to warnings and possible security incidents. Through this prioritization you can focus first on the security threats that may impact more on the infrastructure.

Figure 4 – Assigning severity for each report

Figure 5 – Assigning severity for each potential security incident detected

  • It allows to configure your cloud environment in order to protect it effectively. It is made available a simple method, quickly and securely to allowjust-in-time access to system management ports and applications running on the VM, by applying adaptive controls.

Figure 6 – Enabling Just-in-time VM access

  • It provides a fully integrated security solution. Allows you to collect, investigate and analyze security data from different sources, including the ability to integrate with third-party solution.

Figure 7 – Integration with other security solutions


The Cost of the Solution

Security Center is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free and provides visibility into security of resources residing only in Azure. Among the features offered there are: basic security policy, security requirements and integration with third-party security products and services.
  • Standard tier. Compared to tier free adds enhanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats. The tier standard extends the visibility on the security of the resources that reside on-premises, and hybrid workloads. Through machine learning techniques and having the ability to create whitelist it allows to block malware and unwanted applications.

Figure 8 – Comparison of features between the available pricing tiers

For the Standard tier, you can try it for free for 60 days after that, if you want to continue using the solution, you have a monthly fee for single node. For more information on costs of the solution you can access to the official page of costs.

Figure 9 – Standard tier upgrade screen

To take advantage of all the Security Center features is necessary to apply the Standard Tier to the subscribtion or to the resource group that contains the virtual machines. Configuring the tier Standard does not automatically enable all features, but some of these require specific configurations, for example VM just in time, adaptive control of applications and network detection for resources in Azure.


Basic principles of operation

The collection of security data from systems, regardless of their location, is via the Microsoft Monitoring Agent, that it provides to its sending to a Log Analytics workspace. Security Center requires a workspace on which you enabled the following solution according to tier chosen:

  • Free tier: the Security Center enables the solution SecurityCenterFree.
  • Standard tier: the Security Center enables the solution Security. If in the workspace is already installed the solution Security & Auditit is used and nothing else is installed.

To save the data collected from the Security Center you can use a Log Analytics workspace created by default or select a specific one associated with the relative Azure subscription.

Figure 10 – Configuration of the workspace of Log Analytics where you collect the data


Azure Security Center is an appropriate, mature and structured solution to meet the security requirements for cloud, on-premises, or hybrid environments. Thanks to several features covered provides the knowledge that Microsoft has matured in the management of its services, combining it with powerful new technologies, as machine learning and big data, to treat and manage consciously and effectively the security.

Microsoft Azure: network monitoring solutions overview

Microsoft Azure provides several solutions that allow you to monitor network resources, not only for cloud environments, but even in the presence of hybrid architectures. That are cloud-based features, to check the health of your network and connectivity to your applications. Furthermore, they give detailed information about network performance. This article will be made an overview of the various solutions such as the main features, needed to orient the use of the network monitor tools most appropriate for your needs.

Network Performance Monitor (NPM) is a suite that includes the following solutions:

  • Performance Monitor
  • ExpressRoute Monitor
  • Service Endpoint Monitor

In addition to the tools included in the Network Performance Monitor (NPM) you can use Traffic Analytics and DNS Analytics.

Performance Monitor

The most commonly used approach is to have hybrid environments with heterogeneous networking, that allows you to connect your own on-premises infrastructure with the environment implemented in the public cloud. In some cases you may also have different cloud providers, that make the network infrastructure even more complicated . These scenarios require the use of flexible monitor tools that can work across on-premises, in cloud (IaaS), and in hybrid environments. Performance Monitor has all of these characteristics and thanks to the use of synthetic transactions, provides the ability to monitor, almost in real time, the network parameters to get performance information, like packet loss and latency. Furthermore, this solution allows to easily locate the source of a problem in a specific network segment or identifying a particular device. The solution requires the presence of the OMS agent and keeping track of the retransmission packets and the roundtrip time, is able to return a graph of easy and immediate interpretation.

Figure 1 - Hop-by-hop chart provided by Performance Monitor

Where to install the agents

The installation of the agent of Operations Management Suite (OMS) is necessary on at least one node connected to each subnet from which it intends to monitor the connectivity to other subnets. If you plan to monitor a specific network link you must install agents on both endpoints of the link. In cases where you do not know the exact network topology, one possible approach is to install agents on all servers that hold critical workloads and for which you need to monitor your network performance.

The Cost of the Solution

The cost of the feature Performance Monitor in NPM is calculated on the basis of the combination of these two elements:

  • Monitored Subnet link. To obtain the costs for monitoring of a single subnet link for one month, you can see Ping Mesh.
  • Data volume.

For more details please visit the Microsoft's official page.

ExpressRoute Monitor

Using ExpressRoute Monitor it is possible to monitor the end-to-end connectivity and verify the performance between on-premises environment and Azure, in the presence of ExpressRoute connectivity with Azure Private peering and Microsoft peering connections. The key features of this solution are:

  • Auto-detection of the circuit ExpressRoute associated with your subscription Azure.
  • Detection of network topology.
  • Capacity planning and bandwidth usage analysis.
  • Monitoring and alerting both the primary and the secondary path of the circuit ExpressRoute.
  • Monitoring connectivity towards the Azure services such as Office 365, Dynamics 365 using ExpressRoute as connectivity.
  • Detection of possible deterioration of connectivity with the various virtual network.

Figure 2 – Topology view of a VM on Azure (left) connected to a VM on-prem (right), via ExpressRoute

Figure 3 - Trend on the use of the bandwidth and latency on the ExpressRoute circuit

Where to install the agents

In order to use ExpressRoute Monitor you need to install an Operations Management Suite agent on a system that resides on Azure virtual network and at least one agent on a machine attested on the subnet on-premises, connected via private peering of ExpressRoute.

The Cost of the Solution

The cost of ExpressRoute Monitor solution is calculated based on the volume of data generated during the monitoring operations. For more details please visit the specific section in the cost page of NPM .

Service Endpoint Monitor

Using this solution, you have the ability to monitor and test the reachability of your services and your applications, almost in real time, simulating user access. You also have the ability to detect network side performance problems and identify the problematic network segment.

Here are reported the main features of the solution:

  • It does the monitor end-to-end of the network connections to your applications. The monitor can be done by any endpoint "TCP-capable" (HTTP, HTTPS, TCP, and ICMP), as websites, SaaS applications, PaaS applications, and SQL databases.
  • It correlates application availability with network performance, to precisely locate the degradation point on the network, starting from the user's request until the application.
  • It tests applications reachability from different geographical location .
  • It determines the network latencies and lost packets to reach the applications.
  • It detects hot spots on the network that can cause performance problems.
  • It does the monitor of the availability of applications Office 365, through specific built-in test for Microsoft Office 365, Dynamics 365, Skype for Business and other Microsoft services.

Figure 4 - Creating of a Service Connectivity Monitor test

Figure 5 – Diagram showing the topology of the network, generated by different nodes, for a Service Endpoint

Where to install the agents

To use Service Endpoint Monitor you must install the Operations Management Suite agent on each node where you want to monitor network connectivity to a specific service endpoint.

The Cost of the Solution

The cost for using Service Endpoint Monitor is based on these two items:

  • Number of connections, where the connection is understood as reachability test of a single endpoint, from a single agent, for the entire month. In this regard you can see Connection Monitoring in the cost page.
  • Volume of data generated by the monitor. The cost is obtained from cost page of Log Analytics, in the section Data Ingestion.

Traffic Analytics

Traffic Analytics is a totally cloud-based solution, allowing you to have an overall visibility on network activities that are undertaken in the cloud environment. In Azure to allow or deny network communication to the resources connected with Azure Virtual Networks (vNet) it uses the Network Security Group (NSG), containing a list of access rules. The NSGs are applied to network interfaces connected to the virtual machines, or directly to the subnet. The platform uses NSG flow logs to maintain the visibility of inbound and outbound network traffic from the Network Security Group. Traffic Analytics is based on the analysis of NSG flow logs and after an appropriate aggregation of data, inserting the necessary intelligence concerning security, topology and geographic map, can provide detailed information about the network traffic of your Azure cloud environment.

Using Traffic Analytics you can do the following:

  • View network activities cross Azure subscriptions and identify hotspots.
  • Intercept potential network security threats, in order to take the right remedial actions. This is made possible thanks to the information provided by the solution: which ports are open, what applications attempt to access to Internet and which virtual machines connect to unauthorized networks.
  • Understand network flows between different Azure regions and Internet, in order to optimize their deployment for network performance and capacity.
  • Identify incorrect network configurations that lead to having incorrect communication attempts.
  • Analysis of the VPN gateway capabilities or other services, to detect problems caused by over-provisioning and underutilization.

Figure 6 – Traffic Analytics overview

Figure 7 - Map of Active Azure Regions on the subscription

DNS Analytics

DNS Analytics solution is able to collect, analyze and correlate logs of DNS and provides administrators the following features:

  • Identifies clients that try to resolve domains considered malevolent.
  • Finds records that belong to obsolete resources.
  • It highlights domain names frequently questioned.
  • View the load of requests received by the DNS server.
  • It does the monitor of dynamic DNS registrations failed.

Figure 8 – Overview of DNS Analytics solution

Where to install the agents

The solution requires the presence of the OMS agent or the Operations Manager agent installed on each DNS server to be monitored.


With increasing complexity of network architectures in hybrid environments, consequently increases the need to be able to use tools able to contemplate different network topologies. Azure provides several cloud based tools and integrated into the fabric, such as those described in this article, that allow you to fully and effectively monitor the networking of these environments. Remember to test and evaluate free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

OMS and System Center: What's New in June 2018

In June have been announced, by Microsoft, a considerable number of news about Operations Management Suite (OMS) and System Center. Our community, through these articles released monthly, want to provide an overview of the main news of the month, in order to stay up to date on these arguments and have the necessary references for further information.

Operations Management Suite (OMS)

Log Analytics

Recently it was officially announced that the OMS portal will be deprecated, in favour of the Azure Portal. In this article are examined the aspects related to this change and what you should know to avoid being caught unprepared.

Figure 1 - Notifications in the OMS portal

Azure Backup

Azure Backup is enriched with an important new feature that allows you to natively protect SQL workload, running in IaaS virtual machines that reside in Azure. In this article are showed the benefits and the characteristics of this new feature.

Figure 2 – Protection of SQL Server on Azure VMs with Azure Backup

Released an updated version of the’Azure Backup agent (MARS), which can be obtained by accessing this link.

Using Azure Backup there is the possibility of generating the reports needed to be able to easily check the status of resource protection, details on the different backup jobs configured, the actual storage utilization and status of its alert. All this is made possible by using Power BI, allowing you to have a high degree of flexibility in the generation and customization of reports. In this video, recently published, there is show how to configure a Power BI workspace for sharing reports of Azure Backup within your organization. To analyze the steps required to configure the reporting of Azure Backup you can refer this article.

Figure 3 – Sharing PowerBI reports of Azure Backup

Azure Backup introduces the ability to protect workloads running on Azure Stack environment. The tenant who use the Azure Stack solution can then have a short term protection directly on the Azure Stack environment and can make use of Azure Recovery Service vault for long term retention and to perform offsite. For more details on this you can consult therelease announcement.

Figure 4 – Azure Stack Tenant backup with Microsoft Azure Backup Server

Azure Site Recovery

In Azure Site Recovery (ASR) was announced in "general availability (GA)" the ability to configure the Disaster Recovery (DR) of Azure Virtual Machines. Configuring the replication of virtual machines in different regions of Azure, you have the ability to make applications resilient to a fault affecting a specific Azure region. This feature is available in all the Azure regions where you can use ASR. Azure is the first public cloud to offer a native solution for Disaster Recovery for applications that run in IaaS.

During the preview, Microsoft has taken into account the different feedback from the customers and added to the solution, the following import capabilities:

We highlight these useful references regarding this solution:

Security and Audit

The solution Azure Network Security Group Analytics will be replaced by Traffic Analytics that was released in General availability (GA). This solution, fully cloud-based, allows you to have an overall visibility on network activities that are undertaken in the cloud environment. For more details about you can see "How to monitor network activities in Azure with Traffic Analytics"

System Center

System Center Data Protectrion Manager

In environments where System Center Data Protection Manager (SCDPM) is connected to Azure Backup service was introduced the ability to view all the items protected, details on the use of storage and information about the recovery points, direct from the Azure Portal, within the Recovery Service vault. This feature is supported for SCDPM 2012 R2, 2016 and for Azure Backup Server v1 and v2, as long as you have the latest version of Azure Backup Agent (MARS).

Figure 5 – Information from DPM outlined in Recovery Service vault

System Center Configuration Manager

It is usually released a technical preview per month in Configuration Manager, but this month, due to the considerable number of new features, they were released two.

The first is the version 1806 for the Technical Preview branch of System Center Configuration Manager. The main innovation introduced by this update is the addition of support for third-party software update catalogs. From the Configuration Manager console, you can easily subscribe to third-party software update catalogs, then publish updates via Software Update Point. These updates will be issued to the client by using the classic method of Configuration Manager to deploy software update.

Figure 6 – Access to third-party software update catalogs from the SCCM console

In addition to this new feature were released updates on:

  • Sync MDM policy from Microsoft Intune for a co-managed device
  • Office 365 workload transition in co-management
  • Configure Windows Defender SmartScreen settings for Microsoft Edge
  • Improvements to the Surface dashboard
  • Office Customization Tool integration with the Office 365 Installer
  • Content from cloud management gateway
  • Simplified client bootstrap command line
  • Software Center infrastructure improvements
  • Removed Network Access Account (NAA) requirement for OSD Boot Media
  • Removed Network Access Account (NAA) requirement for Task Sequences
  • Package Conversion Manager
  • Deploy updates without content
  • Currently logged on user information is shown in the console
  • Provision Windows app packages for all users on a device

The second is the version 1806.2 for the Technical Preview branch of System Center Configuration Manager, that mainly includes the following news related to the Phased deployment:

  • Ability to monitor the status natively, from the Deployments node.
  • Ability to create Phased deployment of applications and not just for task sequences.
  • Ability to carry out a gradual rollout during the deployment phase.

Also this preview contains updates regarding:

  • Management Insights for proactive maintenance
  • Mobile apps for co-managed devices
  • Support for new Windows app package formats
  • New boundary group options for optimized P2P behaviors
  • Third-party software updates support for custom catalogs
  • Compliance 9 – Overall health and compliance (Report)

Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Released an updated version of the Management Pack for OS Windows Server 2016 and 1709 Plus which includes several updates and issues resolutions. For further information you can consult this article.

Released the version 8.2 of the MP Author that includes several improvements. For a list of what's new in this version you can see theofficial announcement of the release.

Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

OMS and System Center: What's New in May 2018

Compared to what we were used to seeing in recent months, in the month of may, have been announced by Microsoft a few news about Operations Management Suite (OMS) and System Center. This article will summarize bringing the references needed to conduct further studies.

Operations Management Suite (OMS)

Log Analytics

Microsoft announced the retirement, starting from 8 June 2018, of the following solutions:

This means that, as of this date, you can no longer add this solutions in the Log Analytics workspaces. For those who are currently using it, is appropriate to consider that the solution will still work, but will be missing its support and will not be released new updates.

In this article are reported some important recommendations that should be followed when using the operators "Summarize" and "Join" in Log Analytics and Application Insights query. It is recommended to adjust the syntax of any existing query, using these operators, to comply with the specifications given in the article.

Security and Audit

It should be noted this interesting article where it is shown how you can detect and investigate unusual and potentially malicious activities using Azure Log Analytics and Security Center.

Azure Site Recovery

Microsoft has announced that the following versions of the REST API of Azure Site Recovery will be deprecated since 31 July 2018:

  • 2014-10-27
  • 2015-02-10
  • 2015-04-10
  • 2015-06-10
  • 2015-08-10

You will need to use at least version API 2016-08-10 to interface with Azure Site Recovery. This type of change has no impact on the portal of Azure Site Recovery and to the solution access via PowerShell.

System Center

System Center Orchestrator

The Integration Packs of Orchestrator, version 7.3 for System Center 2016, have been released.
The download can be done at this link and includes the following components:

  • System Center 2016 Integration Pack for System Center 2016 Configuration Manager.
  • System Center 2016 Integration Pack for System Center 2016 Data Protection Manager.
  • System Center 2016 Integration Pack for System Center 2016 Operations Manager.
  • System Center 2016 Integration Pack for System Center 2016 Service Manager.
  • System Center 2016 Integration Pack for System Center 2016 Virtual Machine Manager.

These Integration Packs allow you to develop automation, interfacing directly with the other components of System Center. The Integration Pack for System Center 2016 Operations Manager has been revised to require no more the presence of the Operations Manager console to function correctly.

System Center Operations Manager

Following, are updates released for Operations Manager Management Packs:

  • Active Directory Federation Services version
  • Active Directory Federation Services 2012 R2 version 7.1.10100.1

System Center Service Management Automation

Service Management Automation sees the release ofUpdate Rollup 5. Among the issues addressed are:

  • Runbooks that, using cmdlets of System Center 2016 Service Manager, fail with the error "MissingMethodException".
  • Runbooks that fail with the exception "unauthorized access".

Improvements have also been made in the debug logging.

To see the complete list of issues and the details on how to upgrade, you can access to the specific knowledge base.


Evaluation of OMS and System Center

Please remember that in order to test and evaluate for free Operations Management Suite (OMS) you can access this page and select the mode that is most appropriate for your needs.

To test the various components of System Center 2016 you can access theEvaluation Center and after the registration you can start the trial period.

OMS and System Center: What's New in September 2017

Even the month of September is full of news and different updates have affected Operations Management Suite (OMS) and System Center, also thanks to Ignite 2017, the annual Microsoft conference of this week in Orlando. This article contains a summary accompanied by useful references for further study.

Operations Management Suite (OMS)

  • OMS Customers are using the solution Security & Compliance are given the option to use the features found in ’Azure Security Center in order to have a unified management of security and protection of their systems, all without additional cost. This is particularly useful to be able to manage workloads across hybrid environments, regardless of where they reside, on Azure, on-premises, or on other public clouds. Within the Azure Security Center will be automatically handle the security of the systems that are already connected to the solution OMS Security & Compliance and you can add additional machines simply by installing the Microsoft Monitoring Agent. To see details of the features offered I invite you to consult the publication OMS customers can now use Azure Security Center to protect their hybrid cloud workloads. In this regard it is worth noting that to enable the features just in time VM access, dynamic application controls and network threat detection of Azure resources you must select pricing tier Security Center Standard for the Subscription or the Resource Group.

Figure 1 – List of features for the protection of hybrid environments

  • The Azure portal now includes two features related to Operations Management Suite (OMS): Workspace Settings and View Designer. From the Azure portal you can access the settings of the workspace OMS as shown in the following figure:

    Figure 2 – Settings of the Workspace who are accessible from the Azure Portal

Also, the View Designer, that allows you to create custom views, is now accessible directly from the Log Analytics section of Azure portal:

Figure 3 – View Designer available directly from the portal Azure

  • As already announced in a dedicated article the update of Log Analytics has introduced a new powerful query language. In this useful article highlighted the main changes introduced by the new language.
  • Another interesting new feature is the ability to run query not only on single workspace OMS, but in a transversal way across multiple workspace. To learn more about you can see Query across resources.
  • Article Monitoring SQL Azure Data Sync using OMS Log Analytics returns the configuration to be carried out in order to monitor the solution SQL Azure Data Sync using a custom solution OMS. Azure SQL Data Sync allows you to synchronize data in both directions or unidirectional between different Azure SQL database andor to SQL database on-premises. With this procedure you can detect error conditions or warning in the synchronization process so simple, thanks to OMS.
  • To help you to track the Big Data application involving different technologies was announced in preview the ability to monitor cluster HDInsight with Azure Log Analytics . In this video there are the details of how HDInsight customers can monitor and debug Hadoop, Spark, HBase, Kafka, Interactive Query and cluster Storm.


  • In OMS there is a new solution Virtual Machine Manager (VMM) Analytics for centralizing in Log Analytics the jobs of one or more Virtual Machine Manager to have an overall view of the health and performance of the virtualization infrastructure managed by System Center Virtual Machine Manager.

Figure 4 – Overview of VMM Analytics solution


  • Released a new version of the OMS agent for Linux systems that mainly has solved some bugs and introduced an updated version of some of the main components. For more details and to get the updated version please refer to the official GitHub page OMS Agent for Linux GA v 1.4.1-45

Figure 5 – Bug fixes and what's new for the OMS agent for Linux


System Center

System Center Configuration Manager

  • Released the Cumulative Update 6 for UNIX and Linux clients of Configuration Manager. It is a new version of the client that fixes several bugs and adds support for new Linux distributions. This release also removed support for Unix and Linux distributions even obsolete discontinued by vendor. Customers using the SCCM clients with these versions may continue to use the client updated to Cumulative Update 5. The release announcement and further details can be found in this article.
  • During Ignite 2017 was announced an interesting feature called co-management that interest the management of the device using either System Center Configuration Manager and Microsoft Intune. With Windows 10 Fall Creators Update there is the possibility to make the join of the device both to the Active Directory domain (AD) on-premises and to Azure AD in the cloud. This expands the possibilities for management of devices using the Configuration Manager client and the MDM agent of Intune. To deepen this topic, you can look in the video section of the Ignite site the sessions with the following reference codes: BRK3057, BRK3075, BRK3076 and BRK2079.

Figure 7 – Co-management devices with SCCM and Intune


System Center Updates Publisher

By accessing this page you can select the way you find most suitable to test and evaluate free Operations Management Suite (OMS).

OMS and System Center: What's New in August 2017

This article summarizes the main new features and includes upgrades, concerning Operations Management Suite (OMS) and System Center, that were announced during the month of August.

Operations Management Suite (OMS)

Log Analytics

  • For Log Analytics was published what may be called the most significant upgrade from the date of issue. Among the main changes introduced by this update there is a new powerful query language, the introduction of the new Advanced Analytics portal and greater integration with Power BI. For more details, I invite you to consult the specific article Log Analytics: a major update evolves the solution.

Figure 1 – Upgrade of Log Analytics


  • The agent who for Linux systems is constantly evolving and we released a new version that has fixed some bugs and improved error handling during onboarding of agent for easier troubleshooting: OMS Agent for Linux GA v 1.4.0-45

Figure 2 – Bug fixes and what's new for the OMS agent for Linux


  • The OMS solution Network Performance Monitor has been improved and enhanced with the following new features:
    • The diagnostic agent: the solution now provides the ability to monitor in a specific view the health status of various agents deployed on the network and in case of problems NPM reports useful diagnostic information for troubleshooting.
    • Hop-by-hop latency breakdown: the topology map of the network has been enriched with details of timings found between two specific points.
    • Availability on the Azure Portal: as well as continuing to be available from OMS can be added from the Marketplace Azure and used directly by the Azure Portal.
    • Presence in additional region of Azure: the solution is now also available for the region Azure West Central US.

For more details see the announcement Improvements to the who Network Performance Monitor.

  • The emerging technology is becoming more widespread and monitor containers Docker becomes an essential component. For this reason the OMS team announced the availability of the new solution Container Monitoring that allows you to:
    • Display in a unique location information for all hosts container.
    • Learn which containers are running, where I am and with which image.
    • See audit information concerning action taken on container.
    • View and search logs for troubleshooting without needing access to hosts Docker.
    • Locate the containers that are consuming an excessive amount of resources on the host.
    • Display performance information centrally about the container about CPU usage, of memory, storage and network.

Figure 3 – Synthesis pathway of solution Container Monitoring

Full details on the solution Container Monitoring you can consult them in the document Container Monitoring solution in Log Analytics.

  • Released in preview the new solution for the monitoring of Azure Logic Apps. The solution displays various information about the status of logic app and then drill down to see details useful for troubleshooting. All aspects of this solution you can consult them in Microsoft's official documentation.

Security and Audit

  • The baseline assessment of OMS Security is enhanced with functionality Web security baseline assessment that was announced in public preview and lets you scan the web server with Internet Information Services (IIS) to check for security vulnerabilities and provides useful recommendations regarding the correct environment setup. The document Baseline Assessment in Operations Management Suite Web Security and Audit Solution shows additional information about.

Figure 4 – Assessment dashboard of Web security baseline


System Center

System Center Configuration Manager

  • Last month it was released version 1706 for the Current Branch (CB) System Center Configuration Manager as described in the article OMS and System Center: What's New in July 2017. In date 8 August was released a package update to correct some errors that were encountered during the first deployment, but this package introduced problems therefore on 11 August has been replaced with a new version. For those who have updated SCCM to version 1706 between August 8 and August 11 you need to install an additional update as documented in Microsoft knowledge base article Update for System Center Configuration Manager version 1706, first wave. This update can be installed by accessing the node "Updates and Servicing" of the SCCM console. A further update will be released in the coming week to who made the SCCM update to version 1706 prior to August 8.
  • Released version 1708 for the branch Technical Preview of System Center Configuration Manager: Update 1708 for Configuration Manager Technical Preview Branch – Available Now!. I remind you that the releases in the Technical Preview Branch allows you to evaluate in preview new SCCM functionality and is recommended to apply these updates only in test environments.

System Center Operations Manager

Following the news about the SCOM Management Pack 2016:

  • Advanced Threat Analytics 1.7 Management Pack version
  • Service Map Management Pack in public preview: Thanks to this new MP you can integrate maps are created dynamically by the OMS Service solution Map with diagrams of the Distributed Application in Operations Manager to ensure that the latter are dynamically generated and maintained.

For more information I invite you to consult related documentation available online.

Figure 5 – Integration of the Service Map of who and the SCOM Distributed App

  • Available a hotfix to solve some problems related to the WMI monitor health.