
This site is automatic translation of http://www.marcelosincic.com.br, original in portuguese

Azure Monitor SCOM Managed Instance–System Center Operations Manager on Azure

In April of this year, with the launch of the System Center 2022 suite, I wrote about whether the products are still important and what their counterparts are among the services and solutions on Azure: System Center 2022 Launch – Still Worth It? Will it be discontinued? | Marcelo Sincic [MVP] (wordpress.com)

One of these products was System Center Operations Manager (SCOM), which has always been a very important tool for monitoring on-premise environments.

As discussed in April, Azure Arc and Azure Monitor can be used for on-premise environments, but they depend on the internet link, require the corresponding alerts to be written in KQL, and consume credits with the massive ingestion of events from the logs.

For example, a rule built in SCOM that relates the log of one server to that of another, using a sequence of Event IDs to indicate a broken chain, or a map of related objects, is much more complicated to build in Azure Monitor, requiring knowledge of Jupyter Notebooks and KQL.
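The kind of cross-server rule described above, written in KQL for Azure Monitor as an added example (this is not code from the original post): it pairs a "start" event on one server with the "completion" event expected on a second server within a time window, and returns the chains that were never completed. The computer names, Event IDs and window are constructed placeholders, and the query assumes the standard Event table of a Log Analytics workspace.

```kusto
// Added example (not from the original post): detect a broken event chain
// between two servers. Replace the placeholder names, IDs and window with
// the values of the rule you are porting from SCOM.
let window  = 10m;          // placeholder: maximum gap allowed between the two events
let startId = 1001;         // placeholder: Event ID written by the first server
let doneId  = 1002;         // placeholder: Event ID expected from the second server
let starts = Event
    | where TimeGenerated > ago(1d)
    | where Computer == "APPSRV01" and EventID == startId       // placeholder first tier
    | project StartTime = TimeGenerated, StartComputer = Computer, StartEventID = EventID, Key = 1;
let dones = Event
    | where TimeGenerated > ago(1d)
    | where Computer == "DBSRV01" and EventID == doneId         // placeholder second tier
    | project DoneTime = TimeGenerated, DoneComputer = Computer, Key = 1;
// Every start that was followed by a completion inside the window.
// Key = 1 on both sides turns the join into a cross join, which is fine for
// the small, time-bounded sets an analytics rule works on.
let completed = starts
    | join kind=inner dones on Key
    | where DoneTime between (StartTime .. (StartTime + window))
    | project StartTime, StartComputer;
// The chains that never completed are the ones to alert on.
starts
| join kind=leftanti completed on StartTime, StartComputer
| project StartTime, StartComputer, StartEventID
| order by StartTime desc
```

When this runs as a scheduled analytics rule, set the lookup period a little longer than the rule frequency plus the window, otherwise a completion that arrives just after the query boundary is reported as a broken chain.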

What is Azure Monitor SCOM Managed Instance

In practice, Microsoft is not launching a new product or new feature, but turning a product that is still very important for several corporations into a PaaS offering.

The diagram below, available at About Azure Monitor SCOM Managed Instance (preview) | Microsoft Learn, makes it very clear that the roles are inverted: SCOM now runs in the cloud and monitors the on-premise environment.

Screenshot showing architecture.

Factors to be considered

With this new feature we have to ask whether it is worth migrating to the managed environment; these are the factors to consider initially:

Benefits
    • Not having to manage the add-on components, which were usually the most “problematic”, such as Reporting Services and SQL
    • Use the same Management Packs as on-premise
    • Ease of implementation and scalability, as the entire resource creation process is performed by Azure
    • Licensing is the same, leveraging the investment in CIS or System Center Suite licenses
    • Using SCOM to monitor VMs in Azure and other clouds, leveraging the knowledge already acquired on-premise, without the need to send data from the Azure VM to the on-premise environment
    • Simple integration with Power BI

Disadvantages
    • The cost of ingesting logs into Azure Monitor using Arc is higher than the cost of uploading logs via VPN
    • Infrastructure cost on Azure for VMs, Load Balancing and data traffic
    • Inverted internet link dependency: it is no longer SCOM that sends data to Azure Monitor, but the on-premise servers that send data to SCOM, generating cascading alerts when the link drops
    • Discovery for automatic agent installation is not supported (1)
    • It is not possible to have Management Servers in the on-premise environment (2)

    (1) Not yet available in the Preview

    (2) Not yet supported, but a Gateway Server can be used


Preventing Data Leakage with Microsoft Purview

During the Microsoft Ignite After Party I had the opportunity to present new Purview features that were released in GA.

Here we cover 4 different features that were launched, reached GA or were improved:


    Incident Maintenance in Microsoft Sentinel

    One feature that we tested in Private Preview and is now in GA is incident maintenance, which involves both deletion and creation.

    Create and delete incidents in Microsoft Sentinel – Microsoft Tech Community

    Incident Deletion

    It may seem at first that deleting an incident in a SOC environment is a non-standard task, since it could be used to hide or improve a support team statistic (KPI).

    Despite the apparent contradiction, this feature is important because an incident is not always closed or dealt with. A common example is the Adaptive Application Controls alert that fires repeatedly for applications such as Azure Arc itself or Automation.

    In cases where the incident is not effective, and not even a false positive because it has nothing to do with an actual security breach, deletion can be useful instead of ignoring the alert. After all, one day a really suspicious application will run on the server and, if you ignore the suspicious-applications rule, you won’t know.

    image

    As can be seen above, the feature is very visible and accessible.

    Note : Incidents generated by the integration with Microsoft 365 Defender cannot be deleted, as they are linked to it.

    Important : In the SecurityIncident table, the incident and who deleted it are recorded. There is no recycle bin to recover the incident, but the alerts and the incident itself remain recorded in the log tables, so you can audit deleted incidents to avoid improper manipulation.

    Screenshot 2022-09-13 095509
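    An audit query for the point made in the Important note, added here as an example (it is not code from the original post): it lists, from the SecurityIncident table, the incidents deleted in the last 30 days and who deleted them. It assumes the deletion is written as an incident record whose Status is "Deleted"; confirm the exact value used in your workspace before building a KPI review or an alert on it.

```kusto
// Added example (not from the original post): who deleted which incidents.
// Assumption: a deletion is stored as a SecurityIncident row with Status == "Deleted".
SecurityIncident
| where TimeGenerated > ago(30d)
| where Status == "Deleted"
| summarize arg_max(LastModifiedTime, *) by IncidentNumber    // keep the last record written for each incident
| project DeletedAt = LastModifiedTime, IncidentNumber, Title, Severity,
          DeletedBy = ModifiedBy, IncidentUrl
| order by DeletedAt desc
```

    Ending the query with `summarize count() by DeletedBy` instead of the project gives the per-analyst deletion count, which is the number to watch if you are worried about incidents being removed to improve a KPI.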

    Manual Incident Creation

    This feature has been awaited for a while and doesn’t need much explanation; after all, we used to use custom alerts to create custom incidents. This was extra work, since it was necessary to identify a situation that could generate an incident but was not mapped, for example a specific event that we generated manually and mapped to a KQL alert to create an incident for that specific case.

    But that didn’t always work. For example, say a user received a phishing message in their personal email and opened it on the company computer, and consequently it was not detected by MDE. In this case, we manually record the incident so that it is included in the SOC activities.

    Another very common case is programs that could not be installed, or activities that were blocked and required some type of mitigation, etc. In these cases the SOC had no way of recording these incidents, which normally come from the ticketing system.

    The process is very simple: use the incident creation button, fill in all the necessary fields and then work with it as you do with the other incidents.

    image

    Now your SOC service dashboard will give a much better view, without the need to add another tool.

    Detecting Suspicious Activities with IRM – Insider Risk Management

    Detecting suspicious activity works with the behavior of users. This behavior is not limited to DLP, but covers:

    • MPIP (Microsoft Purview Information Protection, formerly MIP) data protection rules
    • MDE (Microsoft Defender for Endpoint) rules
    • MDfC (Microsoft Defender for Cloud Apps, formerly CASB) rules
    • Office 365 and Windows activity logs

    Once this data is captured, I can create a baseline to detect:

    1. Unexpected behavior of a person relative to their own activity in the last 30 to 90 days
    2. Unexpected behavior of an entity compared with the company-wide baseline

    For this, triggers are created, which can be activities such as a DLP rule match, copying files to a flash drive, exfiltration via the web, etc.

    I presented all these features in the webcast with Thais Mafra. Watch it to better understand this feature (pt-br)!

    Delivering Sentinel Alerts in Teams

    A simple and very useful Sentinel feature in the integration with playbooks is delivering alerts as a chat message in Teams.

    The example below demonstrates how alerts are delivered to Teams with the details of the alert that was triggered.

    image

    Creating Logic Apps and Automation Rule

    When Sentinel connectors are installed, a Logic App is automatically created for automation, with no tasks configured except the first one, the incident trigger.

    This will be the playbook that all enabled alerts are configured to use as the default response.

    image

    When editing the playbook, add the For each object, the loop that allows multiple incidents to be handled and not just the first one. This matters in environments where one situation has created more than one incident; without the loop the playbook would not run for all of them.

    Note that the For each loop reads the incident data and sends it by email, with the properties below for title, recipient and body text.

    In the case below, I deleted the default object, which was email, and replaced it with the Post message in a chat or channel object, which allows the message to be sent both to a single user and to a Teams group or channel:

    image

    The next step is to create the trigger rule for the notification playbook in Sentinel.

    Note that the name reflects my choice, but you can use any other name; a descriptive one makes it easier to relate the alerts to the automation call.

    image

    Enabling Analytics Rules for Delivery in Teams

    Go to the Sentinel Analytics options, enable the rules you want to be alerted on and edit them.

    image

    In the rule options you can select the automated response we created in the previous step so that the playbook is executed.

    image

    By editing the rules you can create new automated responses without first creating them in Automation, as I did before, although I think this can generate multiple orphan objects later.

    But if you want to create a new response, click the Add new button, name the automation and indicate which playbook will be executed:

    image

    Okay, now you will receive incident details directly through the Teams channel or chat!

    Using Microsoft Sentinel Entity behavior

    The concept of entity behavior is very important in an investigation of suspected misuse of rights, or of actions that indicate a failure or intrusion.

    With Entity behavior we can take an IP, a hostname, an Azure resource name or a user account and check the history of what it has done over a period of time, identifying harmful behavior.

    Configuring the Entity Behavior

    In Sentinel, in the menu “Threat management –> Entity behavior”, you will see the option “Entity behavior settings”, where you configure what you want to include in the search. In my example I selected the different auditing sources I have enabled.

    image

    Note that you can also use UEBA (User and Entity Behavior Analytics), which we will not cover in this post, but which is a Sentinel feature for analyzing entity behavior autonomously.

    Running the search

    The next step is to choose the entity or object for which you will generate the data. I’ll use my test user as an example:

    Once you have selected what you are going to analyze, Sentinel shows the summary screen with the object data, a graph of actions, anomalies or potentially dangerous activities, and a table of analyses on the right side (Top Insights) such as groups and similar users, administrative actions performed such as account lockout, granted privileges, SAP actions, anomalies, UEBA, threat indicators and watchlists.

    In my example, note that in Top Insights a DLP rule was alerted as an activity that could indicate dangerous behavior.

    image

    Also, in the Overview frame you can see that a search operation detected by one of Sentinel’s analytics rules was performed. This rule detects active object listing operations, categorized in MITRE ATT&CK as Initial Access.

    image

    Now, using the Investigate button, you will see an interesting panel with a summary of the actions performed by the user being analyzed.

    Note that I have a breakdown by the objects that were accessed or the actions that generated a certain behavior.

    image

    Clicking on most of them will not show a summary already analyzed, as below, since they contain aggregated events and you will need to open Log Analytics, as in the screen below. In this case I opened one of the objects and asked for its details.

    Just as a side note, I used the UEBA query to detect actions where I had previously had a high number of file deletions.
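    The file-deletion side note above, and the two baselines described in the IRM section earlier on this page (a person against their own last 30 to 90 days, and an entity against the company-wide baseline), can be reproduced in a Sentinel workspace with the OfficeActivity table. The query below is an added example, not code from the original post or from Microsoft: it flags users whose SharePoint and OneDrive file deletions today are far above their own 30-day average or the company-wide average. The lookback, the minimum history and the 3-sigma threshold are constructed choices to tune for your tenant.

```kusto
// Added example (not from the original post): per-user and company-wide
// file-deletion baselines over OfficeActivity, flagging today's outliers.
let lookback        = 30d;
let minBaselineDays = 5;      // users with less history are not judged (assumed value)
let deleteOps = dynamic(["FileDeleted", "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin"]);
let today = startofday(now());
// Deletions per user per day. Days with no deletions produce no row, so the
// per-user average is over active days only, which keeps it conservative.
let daily = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload in ("SharePoint", "OneDrive")
    | where Operation in (deleteOps)
    | summarize Deletions = count() by UserId, Day = bin(TimeGenerated, 1d);
// Company-wide baseline: average deletions per user-day before today.
let companyAvg = toscalar(daily | where Day < today | summarize avg(Deletions));
// Per-user baseline built only from the days before today.
let userBaseline = daily
    | where Day < today
    | summarize AvgPerDay = avg(Deletions), StdPerDay = stdev(Deletions), DaysSeen = dcount(Day) by UserId
    | where DaysSeen >= minBaselineDays;
daily
| where Day == today
| join kind=inner userBaseline on UserId
| extend UserThreshold    = AvgPerDay + 3 * coalesce(StdPerDay, 0.0),   // stdev is null with a single sample
         CompanyThreshold = 3 * companyAvg
| extend Reason = case(Deletions > UserThreshold and Deletions > CompanyThreshold, "above own and company baseline",
                       Deletions > UserThreshold,    "above own baseline",
                       Deletions > CompanyThreshold, "above company baseline",
                       "")
| where isnotempty(Reason)
| project Day, UserId, Deletions, OwnAvg = round(AvgPerDay, 1), UserThreshold = round(UserThreshold, 1),
          CompanyThreshold = round(CompanyThreshold, 1), DaysSeen, Reason
| order by Deletions desc
```

    Run as a daily scheduled analytics rule, each row becomes an incident that the Entity behavior page then shows next to the user's other activity; the Reason column tells the analyst which of the two baselines was broken.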

    Conclusion

    When an attempt or suspicion of misuse of privileges or erratic behavior occurs, Entity behavior is the tool that gives you quick insights from the aggregation of all Sentinel features.

    It is certainly an excellent tool for day-to-day analysis and for detecting threats that may not have generated a more serious incident, or for finding the breaking point in a behavior.

    Security for IoT Beyond the Manufacturing Floor

    We always discuss with customers the importance of monitoring in manufacturing environments. For this I always demonstrate Microsoft Defender for IoT, showing the number of unknown devices in an environment and how they often communicate directly with the internet.

    But it’s not just shop floor and automation systems that can be a leakage problem in our environments. So we ask ourselves:

    Am I really safe even though I don’t have manufacturing and industrial automation?

    The answer is no!!!

    For example, a recent vulnerability in Mikrotik, and in the past in Cisco and other products, show that smart equipment connected to the network can be hacked and used for data leakage or cyber attacks.

    Alexa and Google Home are common even in homes, but in companies we have telephone exchanges, sophisticated video conferencing equipment, door openers, smart lights, air conditioning with Wi-Fi and energy sensors. And that is only citing the ones that many have at home!

    In addition, many of these devices come from companies whose security we are not sure about; for example, Sonoff uses eWeLink, Geonav uses HI, LG uses ThinQ, and each manufacturer has a different platform that integrates with Google Home and Alexa without any sophisticated security. Compromising just one of these would be enough to do remote reconnaissance and inventory.

    How to protect myself?

    Adopt solutions that track these devices. These solutions read the protocols common to smart equipment, which use broadcast to be configured, as is the case with Alexa, Google Home and Wi-Fi devices.

    In the case of Microsoft Defender for Endpoint, it detects BIOS changes and has a catalog of most industrial automation manufacturers (ABB, Siemens and others), allowing it to be updated whenever important changes appear.

    The screenshot below is a dashboard of a scan of my house, where I have air conditioning, Google Home, smart lamps and energy sensors:

    image

    image

    image

    image

    Microsoft Defender for IoT lets you simulate situations between different devices to analyze whether direct or indirect communications occur between them; these are shown in the previous screenshot as red dots. Below is an example of this analysis:

    image

    Another analysis performed by these solutions is the discovery of, and alerting on, new devices placed on the network. For example, if an employee shows up with a Wi-Fi device and connects it to the network, it will be detected instantly!

    In addition, it is also important to know the protocols and ports the devices use and their internet bandwidth consumption:

    image

    Finally, we can generate executive reports for detailed analysis and a security score for what was inventoried:

    image

    Integration with Sentinel

    Microsoft Sentinel already has a connector for Defender for IoT, but you can also integrate standalone systems such as SCADA directly, and it also lets you export logs to an external SIEM.

    Stream Microsoft Defender for IoT alerts to a 3rd party SIEM

    CONCLUSION

    Even home environments already have many automations, and in general they are software and providers that we do not fully trust.

    The behavior of this equipment can be harmful and go unnoticed by the entire security team, so don’t neglect it just because you don’t have a factory environment!

    Microsoft Sentinel–Automations do not run

    A very common mistake I see in Sentinel implementations at clients is automations that do not run.

    To understand the problem, compare it with Power Platform applications such as Power Apps, where the user needs to authorize the Office 365 account for the app to run. This is done on first run, and Power Apps or Power Automate saves the connection user.

    The same happens with Sentinel automations: they are not necessarily linked to an Automation Account, so it is necessary to authenticate all the connections!

    How do I know if I have unauthenticated automations?

    Open Sentinel and click Automations.

    img1

    Once it opens, click the “API Connections” option that appears at the top of the list on the right side.

    Filter for automations that have errors.

    img2

    For automations that have a connection error, open their properties and go to the “Edit API Connection” option, and voilà, there is the problem.

    img3

    Remember that the API connections can be of different kinds: Office 365 for sending email, a key for applications, SAS for storage, and other specific data that has been used in the automation and needs its credential.

    Now you can see that the same automations that had errors appear as “Connected”, indicating that they are now working.
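    Instead of filtering the list by hand in each workspace, the same check can be run across subscriptions with an Azure Resource Graph query. The query below is an added example (not from the original post): it lists the API connections whose status is not “Connected”, which are exactly the ones a playbook would fail on. It assumes the connection resource exposes its state under properties.statuses[0].status and any failure under properties.statuses[0].error.message, as the Microsoft.Web/connections resource type does; run it in Resource Graph Explorer.

```kusto
// Added example (not from the original post): API connections that need
// to be re-authenticated, across every subscription you can read.
resources
| where type =~ "microsoft.web/connections"
| extend connectionStatus = tostring(properties.statuses[0].status),          // "Connected" or "Error"
         connectionError  = tostring(properties.statuses[0].error.message),   // empty when healthy
         apiName          = tostring(properties.api.name)                     // e.g. office365, teams, azuresentinel
| where connectionStatus !~ "Connected"
| project name, resourceGroup, subscriptionId, apiName, connectionStatus, connectionError
| order by resourceGroup asc, name asc
```

    Scheduling this query (for example from a Logic App that posts the result to the SOC channel) turns the “automations silently not running” problem into something that is itself alerted on.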

    img4

    System Center 2022 Launch – Still Worth It? Will it be discontinued?

    The first time I received the MVP award was in the System Center category, which later changed to Cloud and Datacenter Management (CDM).

    With the exponential growth of public clouds, on-premises environments have also become integrated with resources available in public clouds and/or migrated to them.

    So I constantly get the question “Is System Center going to die?” and even claims that “System Center has been discontinued”.

    With the release of System Center 2022 on April 1st, we return to these questions: https://cloudblogs.microsoft.com/windowsserver/2022/04/01/system-center-2022-is-now-generally-available?WT.mc_id=AZ-MVP-4029139

    So let’s go through some questions, using a presentation I gave at MVPConf.

    What led to these conclusions?

    • Semi-annual updates were discontinued (1801, 1909, etc.); updates returned to the previous model of Update Rollups every 12 to 18 months and new versions every 3 or 4 years
    • Configuration Manager 2012 R2 was the last version that was part of the System Center suite; it became Endpoint Manager in the Intune family
    • Service Manager had a communication from the product team in 2018 stating that the product would not be discontinued
    • Operations Manager did not have an integration with Azure Monitor
    • Virtual Machine Manager did not support new Hyper-V features and had limited Azure support
    • Orchestrator had few integration packs for 3rd parties

    Configuration and Endpoint Data Protection Manager

    • Moved from the System Center family to the Endpoint Management family
    • Integration with Intune and new Azure features like Analytics (Log and Desktop)
    • Possibility of using roles directly on the web (CMG)
    • Licensing has been integrated into Microsoft 365, Enterprise Mobility Suite (EMS), Intune add-on and CoreCal Bridge licenses

    Conclusion : The product was not discontinued, nor did it become a new family to “detach” from System Center; it was repositioned under the Windows management team.

    Operations Manager

    • Management Packs have all been updated for new products (Windows Server 2019, Exchange, SharePoint, etc)
    • A Management Pack for Azure was made available that allows full monitoring and dashboards; it received integration with Log Analytics, which feeds data for use in Azure Monitor
    • Lower costs and better alert performance for on-premise servers when the environment is integrated with Azure Monitor
    • Project Aquila will allow you to use SCOM as a SaaS (source: ZDNET and Directions)

    Conclusion : It remains an important tool for on-premise environments. For cloud environments, Azure Monitor and others are recommended.

    Virtual Machine Manager

    • It is being updated with new Windows Server 2019 features, but the gap between new Windows features and their inclusion follows the Update Rollups, 12-18 months
    • It is still very important because of the resources in the Hyper-V Cluster and monitoring for those who use it.
    • Windows Admin Center comes with many of the features that VMM has, but the VMM wizards are superior.

    Conclusion : For large clusters VMM is indispensable, but for managing standalone Hyper-V servers the Admin Center is a good option.

    Data Protection Manager

    • It kept the main backup features, for on-premise Microsoft products only (SQL, Hyper-V, Exchange, etc.) and VMware. There is no plan to include third-party products
    • Does not support Azure services; each Azure service has its own backup tools. It accepts agents in Azure VMs, but the download (egress) cost must be taken into account
    • There is a free version, Microsoft Azure Recovery Services (MARS), which is a subset of DPM without tape support

    Conclusion : For on-premise Microsoft environments, or Azure VMs backed up to local disks or tapes, it is still important, but Azure environments use the native features of each service.

    Service Manager

    • Self-Service Portal Now in HTML 5
    • Supports integration with BMC, ServiceNow and others, but some connectors are paid (3rd-party software)
    • Stayed true to the ITIL v3 model
    • Workflow construction has been improved including a more user-friendly interface and more Orchestrator integration features

    Conclusion : It is a suite tool that has received few advances and keeps its dependence on Orchestrator, which makes administration more complex. But as part of the suite it is financially justifiable as a whole.

    Orchestrator

    • Integration Packs have all been updated for new products (Windows Server 2019, Exchange, SharePoint, etc.)
    • Not all 3rd-party Integration Packs have updates, and most are paid
    • Now supporting PowerShell v4, it lets you create new functionality in code, which removes the limitations of Integration Packs

    Conclusion : It remains an important tool for on-premise environments. For cloud environments, Azure Monitor and others are recommended.

    Alternatives to System Center

    With the advances in integrated tools such as hybrid management using Azure Arc and Azure Automation, you can extend capabilities equivalent to System Center to on-premises servers.

    image