@jikuja
Last active July 31, 2024 09:25
Monitoring infrastructure
# setup
$rg = "x"
$ws = "y"
$ws_res = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws

List MMA data sources (one call per kind; the cmdlet requires -Kind)

$kinds = "AzureAuditLog,AzureActivityLog,CustomLog,LinuxPerformanceObject,LinuxSyslog,WindowsEvent,WindowsPerformanceCounter,ApplicationInsights".Split(",") 
$kinds | ForEach-Object { Write-Host $_ ; Get-AzOperationalInsightsDataSource -ResourceGroupName $rg -WorkspaceName $ws -Kind $_ }

The AMA migration script creates DCRs for the following data source kinds (anything else on the workspace needs a hand-written DCR or a different collector):

  • WindowsPerformanceCounter => Stream: Microsoft-Perf
  • WindowsEvent => Stream: Microsoft-Event
  • LinuxPerformanceObject => Stream: Microsoft-Perf
  • LinuxSyslog => Stream: Microsoft-Syslog
  • CustomLog => TBD

The PowerShell module does not expose every endpoint, and the underlying REST call cannot list everything in one go either:

# Will fail: the dataSources list endpoint requires $filter=kind eq '<Kind>'; an unfiltered GET is rejected.
Invoke-AzRestMethod -Path ($ws_res.ResourceId + "/dataSources" + "?api-version=2020-08-01") -Method GET

REST API Spec lists all available data sources: https://learn.microsoft.com/en-us/rest/api/loganalytics/data-sources/list-by-workspace?view=rest-loganalytics-2023-09-01&tabs=HTTP#datasourcekind
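The following is an added example, not code from the gist: it enumerates the MMA data sources of the workspace through the REST endpoint with the mandatory $filter, follows nextLink paging, and maps each kind to the AMA DCR stream from the list above, so that kinds the migration script does not handle stand out. It assumes $ws_res from the setup block and an Az context that can read the workspace; Invoke-AzRestMethod -Uri (used for nextLink) needs Az.Accounts 2.x.

```powershell
# Added example: inventory MMA data sources per kind via REST and map them to DCR streams.
# Kind -> DCR stream as listed in the migration notes above; CustomLog has no target yet.
$kindToStream = @{
    WindowsPerformanceCounter = 'Microsoft-Perf'
    WindowsEvent              = 'Microsoft-Event'
    LinuxPerformanceObject    = 'Microsoft-Perf'
    LinuxSyslog               = 'Microsoft-Syslog'
    CustomLog                 = $null
}
# Kinds that exist on the MMA side but are not produced by the migration script at all.
$otherKinds = 'AzureAuditLog', 'AzureActivityLog', 'ApplicationInsights'

function Get-MmaDataSourceByKind {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceResourceId,
        [Parameter(Mandatory)] [string] $Kind
    )
    # '$filter' is part of the query string; single quotes keep PowerShell from expanding it.
    $path = $WorkspaceResourceId + '/dataSources?api-version=2020-08-01' +
            '&$filter=' + [uri]::EscapeDataString("kind eq '$Kind'")
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    while ($true) {
        if ($resp.StatusCode -ne 200) {
            throw "GET $Kind data sources failed: HTTP $($resp.StatusCode) $($resp.Content)"
        }
        $page = $resp.Content | ConvertFrom-Json
        foreach ($ds in $page.value) { $ds }
        if (-not $page.nextLink) { break }
        # nextLink is an absolute URL, so it is passed with -Uri rather than -Path.
        $resp = Invoke-AzRestMethod -Method GET -Uri $page.nextLink
    }
}

$summary = foreach ($kind in (@($kindToStream.Keys) + $otherKinds)) {
    $sources = @(Get-MmaDataSourceByKind -WorkspaceResourceId $ws_res.ResourceId -Kind $kind)
    $target  = if ($kindToStream.ContainsKey($kind)) { $kindToStream[$kind] } else { $null }
    [pscustomobject]@{
        Kind         = $kind
        Count        = $sources.Count
        Names        = ($sources.name -join ', ')
        TargetStream = $target
        Handled      = [bool]$target
    }
}
$summary | Sort-Object Handled, Kind | Format-Table Kind, Count, TargetStream, Handled -AutoSize
# Rows with Count > 0 and Handled = False are the ones the migration script will silently skip.
```

The filter value is URL-encoded with EscapeDataString; the quotes in kind eq 'WindowsEvent' are what the API expects, the encoding only protects the spaces and quotes in transit.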

List legacy solutions

Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $rg -WorkspaceName $ws

The migration tool handles the following solutions:

  • VMInsights
    • => Stream: Microsoft-InsightsMetrics
    • => Extension: DependencyAgent, Stream: Microsoft-ServiceMap

Migration workbook

Solution categorization

resources
| where type == "microsoft.operationsmanagement/solutions"
| extend workspace = tolower(properties.workspaceResourceId)
| parse workspace with * "/workspaces/" workspacename
| where workspace == tolower("{workspaceid}")
| parse name with Solution "(" *
| extend Solution = iff(isempty(Solution), name, Solution)
| where Solution !in ("azureActivity")
| extend workspacename = tolower(workspacename)
| extend Message = case(Solution in~ ('security', 'securityCenter', 'securityCenterFree', 'antimalware', 'sqlAdvancedThreatProtection',  'sqlVulnerabilityAssessment', 'sqlAssessment', 'sqlAssessmentPlus'), "Start migrating to Defender for Servers on AMA",
    Solution in~ ('windowsDefenderATP'), "Migrate to latest MDE solution for Windows 10+, For Windows 8 and lower, the legacy agent based support will be deprecated by August 2024",
    Solution in~ ('updates'), "Migration to Update Management Center (does not use legacy agents nor AMA)",
    Solution in~ ('azureAutomation'), "Migrate to Azure Automation Hybrid Worker Extensions (does not use legacy agents nor AMA)",
    Solution in~ ('changeTracking'), "Start migrating to Change Tracking on AMA",
    Solution in~ ('securityinsights', 'windowsFirewall', 'windowsEventForwarding'), "Migrate to Sentinel-AMA connectors",
    Solution in~ ('dnsAnalytics'), "Migrate to Sentinel-DNS-AMA connector",
    Solution in~ ('vminsights', 'servicemap'), "Migrate to VM Insights on AMA",
    Solution in~ ('containerInsights', 'containers'), "Already auto-migrated to AMA. Optional: Migrate to managed identity and DCRs",
    Solution in~ ('infrastructureInsights'), "This has been deprecated and no longer supported.",
    Solution in~ ('networkMonitoring'), "Migrate to Connection Monitor on AMA",
    Solution in~ ('adAssessment','adAssessmentPlus','adSecurityAssessment','sccmAssessmentPlus','windowsServerAssessment','exchangeAssessment','azureAssessment','exchangeOnlineAssessment','windowsClientAssessmentPlus','sharePointOnlineAssessment','spAssessment','sfBOnlineAssessment','sfBAssessment','SCOMAssessmentPlus','SQLAssessmentPlus', 'SQLAssessment/SQLAssessmentPlus','DesktopAssessmentPlus','WindowsClientAssessment'), "Migrate On-Demand Assessments now to AMA",
    Solution contains "Start-Stop-VM", "Migrate to the new Stop/Start VM V2 feature",
    Solution in~ ('behaviorAnalyticsInsights'), "Migrate to Identify advanced threats with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel | Microsoft Learn which does not use agents",
    Solution in~ ('AzureSQLAnalytics'), "Migrate to Monitor your SQL deployments with SQL Insights (preview) - Azure SQL Database | Microsoft Learn on AMA",
    Solution in~ ('agentHealthAssessment'), "Use the AMA Health workbook in the gallery instead",
    Solution in~ ('logicAppsManagement','Office365', 'LogicAppB2B'), "It will work the same on AMA",
    "If you plan to continue using this solution, please contact the solution owner using a support request")
| extend Link = case(Solution in~ ('security', 'securityCenter', 'securityCenterFree', 'antimalware', 'sqlAdvancedThreatProtection',  'sqlVulnerabilityAssessment', 'sqlAssessment', 'sqlAssessmentPlus'), "https://learn.microsoft.com/en-gb/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent",
    Solution in~ ('windowsDefenderATP'), "https://learn.microsoft.com/en-gb/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3?view=o365-worldwide#onboarding-methods",
    Solution in~ ('updates'), "https://learn.microsoft.com/en-gb/azure/update-center/",
    Solution in~ ('azureAutomation'), "https://learn.microsoft.com/en-gb/azure/automation/automation-hybrid-runbook-worker",
    Solution in~ ('changeTracking'), "https://learn.microsoft.com/en-us/azure/automation/change-tracking/overview-monitoring-agent",
    Solution in~ ('securityinsights', 'windowsFirewall', 'windowsEventForwarding'), "https://learn.microsoft.com/en-gb/azure/sentinel/data-connectors-reference#windows-security-events-via-ama",
    Solution in~ ('dnsAnalytics'), "https://learn.microsoft.com/en-gb/azure/sentinel/connect-dns-ama",
    Solution in~ ('vminsights', 'servicemap'), "https://learn.microsoft.com/en-gb/azure/azure-monitor/vm/vminsights-enable-overview",
    Solution in~ ('containerInsights', 'containers'), "https://learn.microsoft.com/en-gb/azure/azure-monitor/containers/container-insights-enable-existing-clusters?tabs=azure-cli#migrate-to-managed-identity-authentication",
    Solution in~ ('networkMonitoring'), "https://learn.microsoft.com/en-us/azure/network-watcher/azure-monitor-agent-with-connection-monitor",
    Solution contains "Start-Stop-VM", "https://learn.microsoft.com/en-us/azure/azure-functions/start-stop-vms/overview",
    Solution in~ ('adAssessment','adAssessmentPlus','adSecurityAssessment','sccmAssessmentPlus','windowsServerAssessment','exchangeAssessment','azureAssessment','exchangeOnlineAssessment','windowsClientAssessmentPlus','sharePointOnlineAssessment','spAssessment','sfBOnlineAssessment','sfBAssessment','SCOMAssessmentPlus','SQLAssessmentPlus', 'SQLAssessment/SQLAssessmentPlus','DesktopAssessmentPlus','WindowsClientAssessment'), "https://learn.microsoft.com/en-us/services-hub/unified/health/migration",
    Solution in~ ('behaviorAnalyticsInsights'), "https://learn.microsoft.com/en-us/azure/sentinel/identify-threats-with-entity-behavior-analytics",
    Solution in~ ('AzureSQLAnalytics'), "https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-insights-overview?view=azuresql",
    Solution in~ ('logicAppsManagement','Office365', 'LogicAppB2B'), "",
    "https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview")
| project workspace, workspacename, Solution, Message, Link
| order by ['Link'] asc
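Running the categorization outside the workbook is often more practical for a tenant-wide inventory. The block below is an added example, not part of the gist or of the workbook: it runs a trimmed version of the query above through Azure Resource Graph with paging, and goes beyond the single-workspace case by optionally covering every workspace in the tenant. It assumes the Az.ResourceGraph module (Search-AzGraph with -UseTenantScope and -SkipToken) and, for the single-workspace call, $ws_res from the setup block; the Message/Link table is left to the workbook.

```powershell
# Added example: run the solution-categorization query from PowerShell with paging.
Import-Module Az.ResourceGraph

function Get-LegacySolutionInventory {
    param(
        # Empty string = all workspaces the caller can see in the tenant.
        [string] $WorkspaceResourceId = ''
    )
    # Same parsing as the workbook: the solution resource name is "<Solution>(<workspace>)".
    $template = @'
resources
| where type == "microsoft.operationsmanagement/solutions"
| extend workspace = tolower(tostring(properties.workspaceResourceId))
| parse workspace with * "/workspaces/" workspacename
| where isempty("{workspaceid}") or workspace == tolower("{workspaceid}")
| parse name with Solution "(" *
| extend Solution = iff(isempty(Solution), name, Solution)
| where Solution !in ("azureActivity")
| project subscriptionId, workspacename, Solution, solutionId = id
'@
    $query = $template.Replace('{workspaceid}', $WorkspaceResourceId)

    # Search-AzGraph returns at most 1000 rows per call; follow SkipToken until exhausted.
    $rows = @()
    $skipToken = $null
    do {
        $params = @{ Query = $query; First = 1000; UseTenantScope = $true }
        if ($skipToken) { $params.SkipToken = $skipToken }
        $page = Search-AzGraph @params
        $rows += $page
        $skipToken = $page.SkipToken
    } while ($skipToken)
    $rows
}

# Single workspace, as in the workbook:
Get-LegacySolutionInventory -WorkspaceResourceId $ws_res.ResourceId |
    Format-Table workspacename, Solution -AutoSize

# Tenant-wide: which legacy solutions are deployed, and on how many workspaces.
Get-LegacySolutionInventory |
    Group-Object Solution |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Resource Graph only returns resources the caller has read access to, so a missing workspace in the tenant-wide output is as likely to be a permissions gap as a workspace without solutions.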

Common solutions

Virtual machine extensions

List all available extensions:

$location = "eastus"  # Specify the location
$publishers = Get-AzVMImagePublisher -Location $location
$extensions = @()
foreach ($publisher in $publishers) {
    $types = Get-AzVMExtensionImageType -Location $location -PublisherName $publisher.PublisherName
    foreach ($type in $types) {
        $extensions += Get-AzVMExtensionImage -Location $location -PublisherName $publisher.PublisherName -Type $type.Type
    }
}

# List extensions
$extensions | Format-Table PublisherName, Type, Version, Location # Full list
$extensions | Select-Object PublisherName, Type -Unique  | Format-Table # Condensed list
$extensions | Select-Object PublisherName, Type -Unique | Where-Object {$_.Type -match ".*MDE.*"}  | Format-Table

List related Defender for Cloud settings (for example the WDATP/MDE integration setting) in every subscription of the tenant

$subs = Get-AzSubscription -TenantId (Get-AzContext).Tenant
$subs | ForEach-Object { Set-AzContext -SubscriptionId $_.Id | Out-Null ; Get-AzSecuritySetting }

MDE

Links

Azure Security Agent extension

"New" MDE deployment:

Links

Related MDE onboarding script setting.

$subscriptionId = (Get-AzContext).Subscription.Id
Invoke-AzRestMethod -Method GET -path "/subscriptions/${subscriptionId}/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview"

Or get the information for all subscriptions in the tenant:

$subs = Get-AzSubscription -TenantId (Get-AzContext).Tenant
$subs | ForEach-Object {$subscriptionId = $_.Id ; Invoke-AzRestMethod -Method GET -path "/subscriptions/${subscriptionId}/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview"}

Note that this is a read-only resource that is created automatically when a supported Defender pricing tier is enabled. On a subscription without it the endpoint returns an error:

{
  "error": {
    "code": "NonSupportedPricingTier",
    "message": "This subscription does not have Defender for Cloud's enhanced security features enabled. Please upgrade to use this feature. Learn more in https://docs.microsoft.com/azure/security-center/enable-enhanced-security"
  }
}

Also note that when the requestor does not have read access at subscription level, the endpoint returns 200 OK with an empty payload rather than 403, so an empty result cannot be taken as "not onboarded" without checking the caller's permissions:

{
    "value": []
}
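The three outcomes just described (an onboarding resource, a pricing-tier error, and a silent empty list) are easy to conflate when looping over many subscriptions. The following is an added example, not code from the gist: it probes the endpoint in every subscription and classifies the result, using the Defender for Servers plan state from Get-AzSecurityPricing to separate "plan off" from "cannot read". It assumes Az.Accounts and Az.Security are loaded and that the caller can enumerate the subscriptions; nothing from the onboarding payload is decoded.

```powershell
# Added example: classify the mdeOnboardings response per subscription.
function Test-MdeOnboarding {
    param([Parameter(Mandatory)] [string] $SubscriptionId)

    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/mdeOnboardings?api-version=2021-10-01-preview"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    $body = $null
    if ($resp.Content) { $body = $resp.Content | ConvertFrom-Json }
    $resourceCount = ($body.value | Measure-Object).Count

    # Defender for Servers plan state, used to tell "not onboarded" from "cannot read".
    $plan = $null
    try {
        Set-AzContext -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null
        $plan = (Get-AzSecurityPricing -Name VirtualMachines -ErrorAction Stop).PricingTier
    } catch {
        $plan = "unknown ($($_.Exception.Message))"
    }

    $state = switch ($resp.StatusCode) {
        200 {
            if ($resourceCount -gt 0) { 'Onboarded' }
            elseif ($plan -eq 'Standard') { 'EmptyDespitePlan: check Microsoft.Security read permission' }
            else { 'Empty: plan not Standard, or caller lacks read access' }
        }
        default {
            if ($body.error.code -eq 'NonSupportedPricingTier') { 'PlanOff' }
            else { "HTTP $($resp.StatusCode): $($body.error.code)" }
        }
    }

    [pscustomobject]@{
        SubscriptionId = $SubscriptionId
        HttpStatus     = $resp.StatusCode
        ServersPlan    = $plan
        Resources      = $resourceCount
        State          = $state
    }
}

$subs = Get-AzSubscription -TenantId (Get-AzContext).Tenant.Id
$subs | ForEach-Object { Test-MdeOnboarding -SubscriptionId $_.Id } | Format-Table -AutoSize
```

A row with ServersPlan = Standard and State = EmptyDespitePlan is the case the note above warns about: the plan is on, but the identity running the script is not allowed to see the onboarding resource, so the script would otherwise report the subscription as not onboarded.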

Alternative onboarding script source
