{"id":107,"date":"2021-03-14T11:23:14","date_gmt":"2021-03-14T10:23:14","guid":{"rendered":"http:\/\/www.activeparc.fr\/?p=107"},"modified":"2021-03-14T12:23:34","modified_gmt":"2021-03-14T11:23:34","slug":"security-baseline-on-azure","status":"publish","type":"post","link":"https:\/\/www.activeparc.fr\/index.php\/2021\/03\/14\/security-baseline-on-azure\/","title":{"rendered":"Security Baseline on Azure"},"content":{"rendered":"\n<p>Security Baseline on Azure hands-on lab step-by-step<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"overview\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Overview<\/span><\/h2>\n\n\n\n<p>Contoso is a multinational corporation, headquartered in the United States that provides insurance solutions worldwide. Its products include accident and health insurance, life insurance, travel, home, and auto coverage. Contoso manages data collection services by sending mobile agents directly to the insured to gather information as part of the data collection process for claims from an insured individual. These mobile agents are based all over the world and are residents of the region in which they work. Mobile agents are managed remotely, and each regional corporate office has a support staff responsible for scheduling their time based on requests that arrive to the system.<\/p>\n\n\n\n<p>They are migrating many of their applications via Lift and Shift to Azure and would like to ensure that they can implement the same type of security controls and mechanisms they currently have. They would like to be able to demonstrate their ability to meet compliance guidelines required in the various countries\/regions they do business. 
They have already migrated a web application and database server to their Azure instance and would like to enable various logging and security best practices for administrator logins, SQL Databases, and virtual network design.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"solution-architecture\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Solution architecture<\/span><\/h2>\n\n\n\n<p>Contoso administrators recently learned about the Azure Security Center and have decided to implement many of its features to secure their cloud-based Azure infrastructure (IaaS) and applications (PaaS). Specifically, they want to ensure that any internet-exposed resources have been properly secured and any non-required internet access disabled. They also decided that implementing a \u201cjump machine\u201d for admins with Application Security was important, as they have had instances of admins installing non-approved software on their machines and then accessing cloud resources. Additionally, they want the ability to be alerted when TCP\/IP port scans are detected and to fire alerts based on those attacks.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image2.png\" alt=\"This diagram shows external access to Azure resources where Just In Time is utilized to lock down the Jump Machine. Azure Log Analytics with Azure Sentinel is then used to monitor the deny events on the network security groups.\" width=\"580\" height=\"326\"\/><\/figure>\n\n\n\n<p>The solution begins by creating a jump machine. This jump machine is used to access the virtual machines and other resources in the resource group. All other access is disabled via multiple&nbsp;<strong>virtual networks<\/strong>. 
More than one virtual network is required, as a single&nbsp;<strong>virtual network<\/strong>&nbsp;would make all resources reachable from one another under the default, currently non-customizable, security group rules. Resources are organized into these virtual networks.&nbsp;<strong>Azure Security Center<\/strong>&nbsp;is used to provide&nbsp;<strong>Just-In-Time<\/strong>&nbsp;access to the jump machine. This ensures that all access to the jump machine is audited and that only authorized IP addresses are allowed in, which prevents opportunistic attacks on the virtual machines from malicious internet actors. Additionally, applications are not allowed to be installed on the jump machine, so that malware never becomes an issue. Each virtual network and its corresponding&nbsp;<strong>network security groups<\/strong>&nbsp;have logging enabled to record deny events to&nbsp;<strong>Azure Logging<\/strong>. These events are then monitored by a&nbsp;<strong>custom alert rule<\/strong>&nbsp;in&nbsp;<strong>Azure Sentinel<\/strong>&nbsp;to fire&nbsp;<strong>custom alerts<\/strong>. 
Once the solution is in place, the&nbsp;<strong>Compliance Manager<\/strong>&nbsp;tool is used to verify that all GDPR-based technical and business controls are implemented and maintained for GDPR compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"requirements\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Requirements<\/span><\/h2>\n\n\n\n<ol type=\"1\"><li>Microsoft Azure subscription must be pay-as-you-go or MSDN.<ul><li>Trial subscriptions will not work.<\/li><\/ul><\/li><li>A machine with the following software installed:<ul><li>Visual Studio 2019<\/li><li>SQL Management Studio<\/li><li>Power BI Desktop<\/li><\/ul><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-1-implementing-just-in-time-jit-access\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Exercise 1: Implementing Just-in-Time (JIT) access<\/span><\/h2>\n\n\n\n<p>Duration: 15 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will secure a Privileged Access Workstation (PAW) using the Azure Security Center Just-in-Time Access feature.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-setup-virtual-machine-with-jit\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 1: Set up virtual machine with JIT<\/span><\/h3>\n\n\n\n<p>In a browser, navigate to your Azure portal (<a href=\"https:\/\/portal.azure.com\/\">https:\/\/portal.azure.com<\/a>).<\/p>\n\n\n\n<p>Select\u00a0<strong>Security Center<\/strong>, then under\u00a0<strong>ADVANCED CLOUD DEFENSE<\/strong>\u00a0select\u00a0<strong>Just in time VM access<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"Security Center is highlighted on the left side of the Azure portal, and Just in time VM access is highlighted to the right.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image9.png\"><\/p>\n\n\n\n<ol 
type=\"1\"><li><strong>Note<\/strong>: Your subscription may not be set up with the\u00a0<strong>Standard<\/strong>\u00a0tier; if that is the case then do the following:<ul><li>In the\u00a0<strong>Security Center<\/strong>\u00a0blade, select\u00a0<strong>Pricing &amp; settings<\/strong>.<\/li><li>Select your subscription.<\/li><li>Select\u00a0<strong>Pricing Tier<\/strong>.<\/li><li>Select\u00a0<strong>Standard<\/strong>.<\/li><li>Select\u00a0<strong>Save<\/strong>.<\/li><li>Navigate back to Security Center, select\u00a0<strong>Just in time VM access<\/strong>.<\/li><\/ul><\/li><li>Select the\u00a0<strong>Configured<\/strong>\u00a0tab, and verify the lab VMs (db-1, paw-1 and web-1) are displayed. If not, select the\u00a0<strong>Recommended<\/strong>\u00a0tab, and then check the checkbox to select the lab VMs (db-1, paw-1 and web-1), and then select the\u00a0<strong>Enable JIT on 3 VMs<\/strong>\u00a0link.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-18-16-08-30.png\" alt=\"In the Virtual machines list, the Recommended tab is selected and the db-1, paw-1 and web-1 virtual machines are selected for Just-in-time access.\"\/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: It could take up to 10 minutes for new VMs to show up if you upgraded to standard tier security. Also note that it is possible new VMs display in the\u00a0<strong>No recommendation<\/strong>\u00a0tab until a backend process moves them to the\u00a0<strong>Recommended<\/strong>\u00a0tab. 
If you find the VMs do not show up after 10 minutes, you can manually enable JIT by choosing the\u00a0<strong>Configuration<\/strong>\u00a0tab in the VM's configuration blade and then\u00a0<strong>Enable JIT Access<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"Configuration and Enable JIT Access is highlighted in the Azure portal.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image119.png\"><\/p>\n\n\n\n<p>In the configuration window that opens, review the settings, then select\u00a0<strong>Save<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"In the configuration window, port settings are listed, and Save is highlighted above them.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image10.png\"><\/p>\n\n\n\n<p>After a few minutes, you should see the virtual machines moved to the\u00a0<strong>Configured<\/strong>\u00a0tab.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"The virtual machines are now on the configured tab.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image11.png\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-perform-a-jit-request\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 2: Perform a JIT request<\/span><\/h3>\n\n\n\n<p>Select the\u00a0<strong>paw-1<\/strong>\u00a0virtual machine, and then select\u00a0<strong>Request access<\/strong>.<\/p>\n\n\n\n<p><img 
decoding=\"async\" alt=\"On the Virtual machines screen, the first listed virtual machine name is selected and highlighted (paw-1), as is the Request access button above it.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image12.png\"><\/p>\n\n\n\n<p>For each of the ports, select the\u00a0<strong>On<\/strong>\u00a0toggle button, and notice that the default IP setting is\u00a0<strong>My IP<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"On is selected under the Toggle column for all four of the ports listed under paw-1.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image13.png\"><\/p>\n\n\n\n<p>At the bottom of the dialog, select\u00a0<strong>Open ports<\/strong>. 
After a few moments, you should see that the\u00a0<strong>APPROVED<\/strong>\u00a0request count has been incremented and the\u00a0<strong>Last Access<\/strong>\u00a0is set to\u00a0<strong>Active now<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"On the Virtual machines screen, the paw-1 virtual machine displays 1 Request as approved, and the last access column shows Active now.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image14.png\"><\/p>\n\n\n\n<p><strong>Note<\/strong>: If you did not wait for your VMs and virtual networks to be fully provisioned via the ARM template, you may get an error.<\/p>\n\n\n\n<p>Select the ellipses, then select\u00a0<strong>Activity Log<\/strong>; you will see a history of who has requested access to the virtual machines.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"Activity Log is highlighted in the shortcut menu for the last user.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image15.png\"><\/p>\n\n\n\n<p><strong>Note<\/strong>: These entries will persist after you have deleted the VMs. 
You will need to manually remove them after VM deletion.<\/p>\n\n\n\n<p>In the Azure Portal main menu, select\u00a0<strong>All Services<\/strong>, then type\u00a0<strong>Network<\/strong>, then select\u00a0<strong>Network security groups<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"All services is highlighted in the left menu of the Azure portal, and the Network security groups is highlighted in the filtered list to the right.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image16.png\"><\/p>\n\n\n\n<p>In the filter textbox, type\u00a0<strong>paw-1-nsg<\/strong>, then select the\u00a0<strong>paw-1-nsg<\/strong>\u00a0network security group.<\/p>\n\n\n\n<p>Select\u00a0<strong>Inbound security rules<\/strong>. You should now see the inbound security rules set up by JIT Access.<\/p>\n\n\n\n<p><img decoding=\"async\" alt=\"The first four listed items are highlighted under Inbound security rules.\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image17.png\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-2-securing-the-web-application-and-database\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Exercise 2: Securing the Web Application and database<\/span><\/h2>\n\n\n\n<p>Duration: 45 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will use Azure SQL features to mask database data and use Azure Key Vault to encrypt sensitive columns for the users and applications that query the database.<\/p>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"task-1-setup-the-database\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 1: Set up the database<\/span><\/h3>\n\n\n\n<ol><li>Switch to your Azure portal, select\u00a0<strong>All Services<\/strong>, then search for\u00a0<strong>SQL Servers<\/strong>. Select\u00a0<strong>SQL Servers<\/strong>.<\/li><\/ol>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image18.png\" alt=\"All services is highlighted on the left side of the Azure portal, and SQL servers is highlighted to the right.\"><\/p>\n\n\n\n<p>2. Select the\u00a0<strong>Azure SQL<\/strong>\u00a0database server you created using the Azure Resource Manager (ARM) template (Ex: AzureSecurity-INIT).<\/p>\n\n\n\n<p>3. Select\u00a0<strong>SQL databases<\/strong>\u00a0under the Settings section, then select the\u00a0<strong>SampleDB<\/strong>\u00a0database.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image19.png\" alt=\"SQL databases is selected under Settings on the left, and at right, SampleDB is selected.\"><\/p>\n\n\n\n<p>4. In the summary section, select the\u00a0<strong>Show database connection strings<\/strong>\u00a0link.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image20.png\" alt=\"In the summary section beneath Connection strings the Show database connection strings link is highlighted.\"><\/p>\n\n\n\n<p>5. 
Take note of the connection string for later in this lab, specifically the\u00a0<strong>Server<\/strong>\u00a0parameter:<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image21.png\" alt=\"The Server parameter is listed under ADO.NET (SQL authentication) on the ADO.NET tab.\"><\/p>\n\n\n\n<p>6. In the Lab VM, open\u00a0<strong>SQL Server Management Studio<\/strong>.<\/p>\n\n\n\n<p>7. Enter the database server name from above.<\/p>\n\n\n\n<p>8. Enter the username and password used from the Azure Template deployment (<strong>wsadmin<\/strong>\u00a0&#8211;\u00a0<strong>p@ssword1rocks<\/strong>).<\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: If you changed the username and password in the ARM template deployment, use those values instead.<\/span><\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image22.png\" alt=\"The information above is entered in the Connect to Server dialog box, and Connect is highlighted at the bottom.\"><\/p>\n\n\n\n<p>9. Depending on how you connected to the Azure SQL environment (inside or outside your VNet), you may be prompted to add a firewall rule. 
If this occurs, perform the following actions:<\/p>\n\n\n\n<ul><li>Select\u00a0<strong>Connect<\/strong>; in the\u00a0<strong>New Firewall Rule<\/strong>\u00a0dialog, select\u00a0<strong>Sign In<\/strong>.<\/li><li>Sign in with your resource group owner credentials.<\/li><li>In the dialog, select\u00a0<strong>OK<\/strong>, and notice that your incoming public IP address is added so the connection can be made.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image23.png\" alt=\"The New Firewall Rule Dialog is displayed identifying your Internet IP Address.\"\/><\/figure>\n\n\n\n<p>10. Right-click\u00a0<strong>Databases<\/strong>, and select\u00a0<strong>Import Data-tier Application<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-18-16-33-49.png\" alt=\"The Object Explorer shows Import Data-tier Application menu item selected.\"><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image24.png\" alt=\"Introduction is highlighted on the left side of the Import Data-tier Application dialog box, and Next is highlighted at the bottom.\"><\/p>\n\n\n\n<p>11. In the Introduction dialog, select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p>12. 
Select\u00a0<strong>Browse<\/strong>, navigate to the extracted\u00a0<strong>\/Hands-on lab\/Database<\/strong>\u00a0directory, and select the\u00a0<strong>Insurance.bacpac<\/strong>\u00a0file.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image25.png\" alt=\"Insurance.bacpac is selected in the Browse dialog box.\"><\/p>\n\n\n\n<p>13. Select\u00a0<strong>Open<\/strong>.<\/p>\n\n\n\n<p>14. On the\u00a0<strong>Import Settings<\/strong>\u00a0dialog, select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p>15. On the\u00a0<strong>Database Settings<\/strong>\u00a0dialog, select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: If you get an error, close and re-open SQL Management Studio and try the import again. If that does not work, you may need to download the latest SQL Management Studio from\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/ssms\/download-sql-server-management-studio-ssms?view=sql-server-2017\">here<\/a>. In some instances the latest version may not work; version 17.3 is known to deploy the package properly. You should also be aware that bacpac files exported from some SQL Server instances cannot be deployed to Azure SQL Servers. We have also included a .bak file of the Insurance database that you can restore from instead.<\/span><\/p>\n\n\n\n<p>16. Select\u00a0<strong>Finish<\/strong>\u00a0and the database will deploy to Azure. It may take a few minutes.<\/p>\n\n\n\n<p>17. 
Once completed, select\u00a0<strong>Close<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image26.png\" alt=\"Results is highlighted on the left side of the Import Data-tier Application dialog box, and at right, many items are listed under Operation Complete. Next is highlighted at the bottom.\"><\/p>\n\n\n\n<p>18. In\u00a0<strong>SQL Management Studio<\/strong>, select\u00a0<strong>File->Open->File<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image27.png\" alt=\"In SQL Management Studio, Open is selected in the File menu, and File is selected in the shortcut menu.\"><\/p>\n\n\n\n<p>19. Browse to the extracted GitHub folder, select the\u00a0<strong>\\Hands-on lab\\Database\\00_CreateLogin.sql<\/strong>\u00a0file.<\/p>\n\n\n\n<p>20. Ensure that the\u00a0<strong>master<\/strong>\u00a0database is selected.<\/p>\n\n\n\n<p>21. Run the script to create a login called\u00a0<strong>agent<\/strong>.<\/p>\n\n\n\n<p>22. Browse to the extracted folder, select the\u00a0<strong>\\Hands-on lab\\Database\\01_CreateUser.sql<\/strong>\u00a0file.<\/p>\n\n\n\n<p>23. Ensure that the\u00a0<strong>Insurance<\/strong>\u00a0database is selected.<\/p>\n\n\n\n<p>24. 
Run the script to create a non-admin user called\u00a0<strong>agent<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-test-the-web-application-solution\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 2: Test the web application solution<\/span><\/h3>\n\n\n\n<ol><li>In the extracted directory, double-click the\u00a0<strong>\\Hands-on lab\\WebApp\\InsuranceAPI\\InsuranceAPI.sln<\/strong>\u00a0solution file, and Visual Studio will open.<\/li><\/ol>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: If prompted, log in using your Azure \/ MSDN account.<\/span><\/p>\n\n\n\n<p>2. In the\u00a0<strong>Solution Explorer<\/strong>, navigate to and double-click the\u00a0<strong>Web.config<\/strong>\u00a0file to open it.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image28.png\" alt=\"Web.config is highlighted under the InsuranceAPI project in Solution Explorer.\"><\/p>\n\n\n\n<p>3. Update the web.config (line 77) to point to the\u00a0<strong>Insurance<\/strong>\u00a0database created in Task 2. You should only need to update the server name to point to your Azure SQL Server.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image29.png\" alt=\"Line 72 of the Insurance database is highlighted.\"><\/p>\n\n\n\n<p>4. Press\u00a0<strong>F5<\/strong>\u00a0to run the\u00a0<strong>InsuranceAPI<\/strong>\u00a0solution.<\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: If you get a CSC error, right-click the project and select\u00a0<strong>Clean<\/strong>. 
Next, right-click the project and select\u00a0<strong>Rebuild<\/strong>.<\/span><\/p>\n\n\n\n<p>5. Test the API for a response by browsing to\u00a0<code>http:\/\/localhost:24448\/api\/Users<\/code>. Your port number may be different from\u00a0<em>24448<\/em>. You should see several records returned to the browser. Copy a\u00a0<code>UserId<\/code>\u00a0value for the next instruction.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-18-16-59-47.png\" alt=\"The sample JSON response is returned.\"><\/p>\n\n\n\n<p>6. In the browser window that opens, browse to\u00a0<code>http:\/\/localhost:24448\/api\/Users\/e91019da-26c8-b201-1385-0011f6c365e9<\/code>, substituting the\u00a0<code>UserId<\/code>\u00a0you copied. You should see a JSON response that shows an unmasked SSN column.<\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: Depending on your browser, you may need to download the file to view the JSON response.<\/span><\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image30.png\" alt=\"The json response is displayed in a browser window.\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-utilize-data-masking\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 3: Utilize data masking<\/span><\/h3>\n\n\n\n<ol><li>Switch to the Azure Portal.<\/li><\/ol>\n\n\n\n<p>2. Select\u00a0<strong>SQL databases<\/strong>.<\/p>\n\n\n\n<p>3. Select the\u00a0<strong>Insurance<\/strong>\u00a0database.<\/p>\n\n\n\n<p>4. 
Under\u00a0<strong>Security<\/strong>, select\u00a0<strong>Dynamic Data Masking<\/strong>, then select\u00a0<strong>+Add Mask<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image31.png\" alt=\"Dynamic Data Masking is highlighted on the left, and +Add mask is highlighted on the right.\"><\/p>\n\n\n\n<p>5. Select the\u00a0<strong>User<\/strong>\u00a0table.<\/p>\n\n\n\n<p>6. Select the\u00a0<strong>SSN<\/strong>\u00a0column.<\/p>\n\n\n\n<p>7. Select\u00a0<strong>Add<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image32.png\" alt=\"Add is highlighted at the top of the SSN column, and the User table and SSN column are highlighted below.\"\/><\/figure>\n\n\n\n<p>8. Select\u00a0<strong>Save<\/strong>, then select\u00a0<strong>OK<\/strong>.<\/p>\n\n\n\n<p>9. Switch back to your InsuranceAPI solution, press\u00a0<strong>F5<\/strong>\u00a0to refresh the page. You should see the SSN column is now masked with\u00a0<strong>xxxx<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image33.png\" alt=\"The masked SSN column is highlighted in the InsuranceAPI response.\"><\/p>\n\n\n\n<p>10. 
Close\u00a0<strong>Visual Studio<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-utilize-column-encryption-with-azure-key-vault\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 4: Utilize column encryption with Azure Key Vault<\/span><\/h3>\n\n\n\n<p>Switch to\u00a0<strong>SQL Management Studio<\/strong>.<\/p>\n\n\n\n<p>Select\u00a0<strong>File->Open->File<\/strong>, then open the\u00a0<strong>02_PermissionSetup.sql<\/strong>\u00a0file.<\/p>\n\n\n\n<p>Switch to the\u00a0<strong>Insurance<\/strong>\u00a0database, and execute the SQL statement.<\/p>\n\n\n\n<p>In the\u00a0<strong>Object Explorer<\/strong>, expand the\u00a0<strong>Insurance<\/strong>\u00a0node.<\/p>\n\n\n\n<p>Expand the\u00a0<strong>Tables<\/strong>\u00a0node.<\/p>\n\n\n\n<p>Expand the\u00a0<strong>User<\/strong>\u00a0table node.<\/p>\n\n\n\n<p>Expand the\u00a0<strong>Columns<\/strong>\u00a0node.<\/p>\n\n\n\n<p>Right-click the\u00a0<strong>SSN<\/strong>\u00a0column, and select\u00a0<strong>Encrypt Column<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image34.png\" alt=\"Tables and dbo.User are highlighted in the Insurance database tree. Below that, the SSN column is selected and highlighted, and Encrypt Column is highlighted.\"><\/p>\n\n\n\n<p>Notice that the State column shows the SSN column cannot be encrypted while it has a data mask applied:<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image35.png\" alt=\"A slashed circle appears in the State column.\"><\/p>\n\n\n\n<p>9. Select\u00a0<strong>Cancel<\/strong>.<\/p>\n\n\n\n<p>10. Switch back to the Azure Portal, and select the User_SSN data masking rule.<\/p>\n\n\n\n<p>11. 
Select\u00a0<strong>Delete<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image36.png\" alt=\"The Delete icon is highlighted under Edit Masking Rule in the Azure portal.\"\/><\/figure>\n\n\n\n<p>12. Select\u00a0<strong>Save<\/strong>.<\/p>\n\n\n\n<p>13. Switch back to\u00a0<strong>SQL Management Studio<\/strong>.<\/p>\n\n\n\n<p>14. Right-click the\u00a0<strong>SSN<\/strong>\u00a0column, and select\u00a0<strong>Encrypt Column<\/strong>.<\/p>\n\n\n\n<p>15. Check the checkbox next to the\u00a0<strong>SSN<\/strong>\u00a0column.<\/p>\n\n\n\n<p>16. For the\u00a0<strong>Encryption Type<\/strong>, select\u00a0<strong>Deterministic<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image37.png\" alt=\"The check box next to the SSN column is selected and highlighted, and Deterministic is highlighted under Encryption Type.\"><\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Deterministic<\/strong>\u00a0encryption always generates the same encrypted value for any given plaintext value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, it may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there\u2019s a small set of possible values, such as True\/False, or a North\/South\/East\/West region. 
Deterministic encryption must use a column collation with a binary2 sort order for character columns.<\/span><\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Randomized<\/strong>\u00a0encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.<\/span><\/p>\n\n\n\n<p>17. Select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p>18. For the key store provider, select\u00a0<strong>Azure Key Vault<\/strong>\u00a0in the dialog.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image38.png\" alt=\"Azure Key Vault is selected in the Select the key store provider section.\"><\/p>\n\n\n\n<p>19. Select\u00a0<strong>Sign In<\/strong>.<\/p>\n\n\n\n<p>20. Sign in with your Azure Portal credentials.<\/p>\n\n\n\n<p>21. Select your Azure Key Vault.<\/p>\n\n\n\n<p>22. Select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p>23. On the\u00a0<strong>Run Settings<\/strong>\u00a0page, select\u00a0<strong>Next<\/strong>.<\/p>\n\n\n\n<p>24. Select\u00a0<strong>Finish<\/strong>, and the configuration will start.<\/p>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: You may receive a \u201cWrap Key\u201d error. 
If so, ensure that your account has been assigned the\u00a0<strong>wrapKey<\/strong>\u00a0permission in the Azure Key Vault.<\/span><\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image39.png\" alt=\"Generate new column master key CMK_Auto1 in Azure Key Vault is highlighted with a green check mark at the top of the Task Summary list.\"><\/p>\n\n\n\n<ul><li>Select\u00a0<strong>Key vault<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Select your key vault.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Access policies<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Add New<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>For the principal, select your account.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Key permissions<\/strong>, and choose\u00a0<strong>Select all<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image40.png\" alt=\"Select all is selected and highlighted under Key permissions, and below that, Decrypt, Encrypt, Unwrap Key, Wrap Key, Verify, and Sign are selected and highlighted under Cryptographic Operations amid the other selected options.\"><\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Secret permissions<\/strong>, and choose\u00a0<strong>Select all<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Certificate permissions<\/strong>, and 
choose\u00a0<strong>Select all<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>OK<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Select\u00a0<strong>Save<\/strong>.<\/li><\/ul>\n\n\n\n<ul><li>Retry the operation. <\/li><\/ul>\n\n\n\n<p><span class=\"has-inline-color has-luminous-vivid-orange-color\"><strong>Note<\/strong>: If you are still getting errors (such as Access Denied), ensure that you have selected the correct subscription and Key Vault.<\/span><\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image41.png\" alt=\"Results is highlighted on the left side of the Always Encrypted dialog box, and at right, Performing encryption operations is selected under Summary: Task. Performing encryption operations has a green check mark and is listed as Passed under Details.\"><\/p>\n\n\n\n<p>25. Select\u00a0<strong>Close<\/strong>.<\/p>\n\n\n\n<p>26. Right-click the\u00a0<strong>User<\/strong>\u00a0table, and choose\u00a0<strong>Select top 1000 rows<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image42.png\" alt=\"The User table is selected, and Select Top 1000 Rows is selected in the shortcut menu.\"><\/p>\n\n\n\n<p>You will notice the SSN column is encrypted based on the new Azure Key Vault key.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image43.png\" alt=\"The value under UserId is selected on the Results tab.\"><\/p>\n\n\n\n<p>27. Switch to the Azure Portal.<\/p>\n\n\n\n<p>28. Select\u00a0<strong>Key Vaults<\/strong>.<\/p>\n\n\n\n<p>29. 
Select your Azure Key Vault, and then select\u00a0<strong>Keys<\/strong>. You should see the key created from SQL Management Studio displayed:<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image44.png\" alt=\"CloudSecurityVault is selected on the left, Keys is selected under Settings from the center menu, and CMKAuto1 is selected under the Unmanaged list on the right.\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-3-migrating-to-azure-key-vault\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Exercise 3: Migrating to Azure Key Vault<\/span><\/h2>\n\n\n\n<p>Duration: 30 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will learn how to migrate a web application to use Azure Key Vault rather than storing sensitive credentials (such as connection strings) in application configuration files.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-create-an-azure-key-vault-secret\"><span class=\"has-inline-color has-vivid-cyan-blue-color\">Task 1: Create an Azure Key Vault secret<\/span><\/h3>\n\n\n\n<p>Switch to your Azure Portal.<\/p>\n\n\n\n<p>Select\u00a0<strong>Key Vaults<\/strong>, then select your Azure Key Vault.<\/p>\n\n\n\n<p><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image45.png\" alt=\"Key vaults is highlighted on the left side of the Azure portal, and CloudSecurityVault is highlighted on the right.\"><\/p>\n\n\n\n<p>Select\u00a0<strong>Secrets<\/strong>, then select\u00a0<strong>+Generate\/Import<\/strong>.<\/p>\n\n\n\n<p><img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image45.1.png\" alt=\"Secrets is highlighted on the left side of the Azure portal, and Generate\/Import is highlighted on the right.\">Secrets is highlighted on the left side of the Azure portal, and Generate\/Import is highlighted on the right.<\/p>\n\n\n\n<p>For the\u00a0<strong>Upload Options<\/strong>, select\u00a0<strong>Manual<\/strong>.<\/p>\n\n\n\n<p>For the\u00a0<strong>Name<\/strong>, enter\u00a0<strong>InsuranceAPI<\/strong>.<\/p>\n\n\n\n<p>For the\u00a0<strong>Value,<\/strong>\u00a0copy the connection string information from the\u00a0<strong>InsuranceAPI<\/strong>\u00a0solution Web.config file in Exercise 2.<\/p>\n\n\n\n<p>Select\u00a0<strong>Create<\/strong>.<\/p>\n\n\n\n<p>Select\u00a0<strong>Secrets<\/strong>.<\/p>\n\n\n\n<p>Select\u00a0<strong>InsuranceAPI<\/strong>.<\/p>\n\n\n\n<p>Select the current version.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image46.png\" alt=\"The current version is selected with a status of Enabled under InsuranceAPI Versions.\">The current version is selected with a status of Enabled under InsuranceAPI Versions.<\/p>\n\n\n\n<p>Copy and record the secret identifier URL for later use:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image47.png\" alt=\"The Secret Identifier URL is highlighted under Properties.\">The Secret Identifier URL is highlighted under Properties.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-create-an-azure-active-directory-application\">Task 2: Create an Azure Active Directory 
application<\/h3>\n\n\n\n<ol type=\"1\"><li>In the Azure Portal, select&nbsp;<strong>Azure Active Directory<\/strong>, then select&nbsp;<strong>App registrations<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image48.png\" alt=\"Azure Active Directory is highlighted on the left side of the Azure portal, and App registrations is highlighted on the right.\"><\/li><li>Select&nbsp;<strong>+New application registration<\/strong>.<\/li><li>For the user-facing display name, type&nbsp;<strong>AzureKeyVaultTest<\/strong>.<\/li><li>For the supported accounts, select&nbsp;<strong>Accounts in this organization directory only\u2026<\/strong>.<\/li><li>For the Redirect URL, type&nbsp;<a href=\"http:\/\/localhost:12345\/\">http:\/\/localhost:12345<\/a>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image49.png\" alt=\"AzureKeyVaultTest is entered in the Name box, and http:\/\/localhost:12345 is entered in the Sign-on URL box under Create.\"><\/li><li>Select&nbsp;<strong>Register<\/strong>.<\/li><li>Copy and record the&nbsp;<strong>Application ID<\/strong>&nbsp;for later use.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image50.png\" alt=\"The Application ID and Object ID are highlighted under Essentials for the AzureKeyVaultTest application, and All 
settings is selected at the bottom.\"><\/li><li>In the left menu pane, under the&nbsp;<strong>Manage<\/strong>&nbsp;heading, select the&nbsp;<strong>Certificates and secrets<\/strong>&nbsp;link.<\/li><li>Under&nbsp;<strong>Client secrets<\/strong>, select&nbsp;<strong>New client secret<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-19-08-34-22.png\" alt=\"In the Certificates and secrets window, the New client secret button is selected.\"><\/li><li>For the description, enter&nbsp;<strong>InsuranceAPI<\/strong>.<\/li><li>For&nbsp;<strong>Expires<\/strong>, select&nbsp;<strong>In 1 year<\/strong>.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><li>Copy and record the client secret value for later use; the portal displays it only once, immediately after creation.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-assign-azure-active-directory-application-permissions\">Task 3: Assign Azure Active Directory application permissions<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch back to the Azure Portal and select your Azure Key Vault.<\/li><li>Under the&nbsp;<strong>Settings<\/strong>&nbsp;heading, select&nbsp;<strong>Access Policies<\/strong>.<\/li><li>Select&nbsp;<strong>+ Add Access Policy<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image51.png\" alt=\"In the Access policies screen, the + Add Access Policy button is selected.\"><\/li><li>Select the&nbsp;<strong>Select principal<\/strong>&nbsp;field. In the right-hand pane, type&nbsp;<strong>AzureKeyVaultTest<\/strong>. 
Select the item.<\/li><li>Choose the&nbsp;<strong>Select<\/strong>&nbsp;button at the bottom.<\/li><li>Select the&nbsp;<strong>Secret permissions<\/strong>&nbsp;drop-down, and check the&nbsp;<strong>Get<\/strong>&nbsp;and&nbsp;<strong>List<\/strong>&nbsp;permissions.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-19-08-40-27.png\" alt=\"In the secret permissions drop down options, the Get and List operations are selected.\"> Your selection summary should look like this.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image52.png\" alt=\"The AzureKeyVaultTest principal is selected and the secret permissions drop down list states there are two selected values.\"><\/li><li>Select the&nbsp;<strong>Add<\/strong>&nbsp;button.<\/li><li>Select the&nbsp;<strong>Save<\/strong>&nbsp;button at the top.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-install-or-verify-nuget-package\">Task 4: Install or verify NuGet Package<\/h3>\n\n\n\n<ol type=\"1\"><li>Close the previous Visual Studio solution, then from the extracted GitHub directory, open the&nbsp;<strong>\\Hands-on lab\\WebApp\\InsuranceAPI_KeyVault\\InsuranceAPI.sln<\/strong>&nbsp;solution. <strong>Note<\/strong>: Be sure you re-open the correct solution.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-19-13-13-07.png\" alt=\"The screenshot displays the folder structure for both Visual Studio solutions.\"><\/li><li>Switch to&nbsp;<strong>Visual Studio<\/strong>.<\/li><li>In the menu, select&nbsp;<strong>View-&gt;Other Windows-&gt;Package Manager Console<\/strong>.<\/li><li>In the new window that opens, run the following commands: <code>Install-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform<\/code> <code>Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory -Version 2.16.204221202<\/code> <code>Install-Package Microsoft.Azure.KeyVault<\/code> <strong>Note<\/strong>: These packages already exist in the project but are provided as a reference. If you receive a CodeDom version error when you debug, run this command: <code>Update-Package Microsoft.CodeDom.Providers.DotNetCompilerPlatform -r<\/code><\/li><li>From&nbsp;<strong>Solution Explorer<\/strong>, double-click the&nbsp;<strong>Web.config<\/strong>&nbsp;file to open it. Notice that the&nbsp;<strong>appSettings<\/strong>&nbsp;section has some token values:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image53.png\" alt=\"Some token values are highlighted in the appSettings section of the Web.config file.\"><\/li><li>Replace the&nbsp;<strong>ApplicationId<\/strong>&nbsp;(<strong>ClientId<\/strong>) and&nbsp;<strong>ClientSecret<\/strong>&nbsp;with the values from Task 2.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-19-13-03-01.png\" alt=\"The pane is displaying the Application Registration information. ApplicationId is circled.\"><\/li><li>Replace the&nbsp;<strong>SecretUri<\/strong>&nbsp;with the Azure Key Vault secret identifier URI from Task 1.<\/li><li>Save the Web.config file in Visual Studio. <strong>Note<\/strong>: You can take this lab a step further and publish the Web App to an Azure App Service and enable&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/app-service\/overview-managed-identity?tabs=dotnet\">System-assigned Managed Identities<\/a>. This allows you to remove any credentials from your configuration entirely and utilize&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/app-service\/app-service-key-vault-references\">Key Vault references<\/a>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-5-test-the-solution\">Task 5: Test the solution<\/h3>\n\n\n\n<ol type=\"1\"><li>Open the&nbsp;<strong>Web.config<\/strong>, and comment out or delete the&nbsp;<strong>connectionString<\/strong>&nbsp;from the file at line 78.<\/li><li>Open the&nbsp;<strong>Global.asax.cs<\/strong>&nbsp;file, and place a break point at line 28. <strong>Note<\/strong>: This code obtains an access token as the application you registered above, then calls Azure Key Vault using that access token.<\/li><li>Press&nbsp;<strong>F5<\/strong>&nbsp;to run the solution. You should see the application call Azure Key Vault and get back the secret (which in this case is the connection string to the Azure Database).<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image54.png\" alt=\"The connection string to the Azure Database is visible through the Visual Studio debugger.\"><\/li><li>Press&nbsp;<strong>F5<\/strong>&nbsp;to continue the program.<\/li><li>Navigate to&nbsp;<a 
href=\"http:\/\/localhost:portno\/api\/Users\">http:\/\/localhost:portno\/api\/Users<\/a>, you should get an error. Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value(s) using default settings. In order to do seamless decryption, you would need to:<ul><li>Run the&nbsp;<strong>\\Hands-on lab\\Database\\02_PermissionSetup.sql<\/strong>&nbsp;script if you have not already done so.<\/li><li>Add the&nbsp;<a href=\"https:\/\/blogs.msdn.microsoft.com\/sqlsecurity\/2015\/11\/10\/using-the-azure-key-vault-key-store-provider-for-always-encrypted\/\">AzureKeyVaultProvider for Entity Framework<\/a>&nbsp;reference to the project.<\/li><li>Register the provider code in order for .NET to handle the encrypted column.<\/li><li>Add an access policy to the Azure Key Vault that gives key permissions (<code>decrypt<\/code>,&nbsp;<code>sign<\/code>,&nbsp;<code>get<\/code>,&nbsp;<code>unwrapkey<\/code>,&nbsp;<code>verify<\/code>) to the Azure AD application.<\/li><li>Add the&nbsp;<code>Column Encryption Setting=Enabled<\/code>&nbsp;to the connection string.<\/li><li>Detailed steps can be found in this&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/archive\/blogs\/sqlsecurity\/using-the-azure-key-vault-key-store-provider-for-always-encrypted\">blog post<\/a><\/li><li>A third solution (<strong>\\Hands-on lab\\WebApp\\InsuranceAPI_KeyVault_Encrypted\\InsuranceAPI.sln<\/strong>) was added to the GitHub repo that has the necessary references and code added.<ul><li>Simply update the web.config file with your client id and secret after adding the required Key Vault permissions above.<\/li><li>Update the Key Vault connection string to have the&nbsp;<code>Column Encryption Setting=Enabled<\/code>.<\/li><li>Review the code added to the global.asax.cs file.<\/li><li>Run the project and navigate to the above page.<\/li><\/ul><\/li><\/ul><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-4-securing-the-network\">Exercise 4: 
Securing the network<\/h2>\n\n\n\n<p>Duration: 45 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will utilize Network Security Groups to ensure that virtual machines are segregated from other Azure hosted services, and then explore the Network Packet Capture feature of Azure to actively monitor traffic between networks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-test-network-security-group-rules-1\">Task 1: Test network security group rules #1<\/h3>\n\n\n\n<ol type=\"1\"><li>In the Azure Portal, select&nbsp;<strong>Virtual Machines<\/strong>.<\/li><li>Select&nbsp;<strong>paw-1<\/strong>, then select&nbsp;<strong>Connect<\/strong>.<\/li><li>In the dialog, select&nbsp;<strong>Download RDP file Anyway<\/strong>. Open the downloaded RDP file and connect to the Virtual Machine. <strong>Note<\/strong>: The default username is&nbsp;<strong>wsadmin<\/strong>&nbsp;with&nbsp;<strong>p@ssword1rocks<\/strong>&nbsp;as the password, and you may need to request JIT Access if you have taken a break between exercises.<\/li><li>In the&nbsp;<strong>paw-1<\/strong>&nbsp;virtual machine, open&nbsp;<strong>Windows PowerShell ISE<\/strong>&nbsp;as&nbsp;<strong>administrator<\/strong>.<ul><li>Select the&nbsp;<strong>Windows<\/strong>&nbsp;icon.<\/li><li>Right-click&nbsp;<strong>Windows PowerShell ISE<\/strong>, choose&nbsp;<strong>More<\/strong>, then select&nbsp;<strong>Run as Administrator<\/strong>.<\/li><\/ul><\/li><li>Copy and run the following command: <code>Set-ExecutionPolicy -ExecutionPolicy Unrestricted<\/code><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-12-39-24.png\" alt=\"The PowerShell ISE window displays the execution policy change command.\"><\/li><li>In the dialog, select&nbsp;<strong>Yes<\/strong>.<\/li><li>Select&nbsp;<strong>File-&gt;Open<\/strong>, browse to the extracted GitHub 
directory and open the&nbsp;<strong>\\Hands-on lab\\Scripts\\PortScanner.ps1<\/strong>&nbsp;script. <strong>Note<\/strong>: You would have downloaded the&nbsp;<a href=\"https:\/\/github.com\/Microsoft\/MCW-Azure-Security-Privacy-and-Compliance\">GitHub repo<\/a>&nbsp;and extracted it in the setup steps. If you did not perform those steps, perform them now. You can also choose to copy the file from your desktop to the VM.<\/li><li>Review the script. Notice that it does the following for the various exercises:<ul><li>Installs PuTTY<\/li><li>Installs Notepad++<\/li><li>Adds hosts entries for DNS<\/li><\/ul><strong>Note<\/strong>: When using multiple virtual networks, you must set up a DNS server in the Azure tenant.<ul><li>Executes port scans<\/li><li>Executes a brute-force SSH attack<\/li><\/ul><\/li><li>Press&nbsp;<strong>F5<\/strong>&nbsp;to run the script for exercise 4. You should see the following: <strong>Note<\/strong>: The ARM template deploys a Deny All rule. If you were to simply create a Network Security Group from the UI, you would not experience this behavior.<ul><li>Port scan for port 3389 (RDP) to&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>web-1<\/strong>&nbsp;is unsuccessful from the&nbsp;<strong>paw-1<\/strong>&nbsp;machine.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image55.png\" alt=\"The information above for port 3389 (RDP) is visible after running the script and pressing F5.\"><ul><li>Port scan for port 1433 (SQL) to&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>web-1<\/strong>&nbsp;is unsuccessful from 
the&nbsp;<strong>paw-1<\/strong>&nbsp;machine.&nbsp;<strong>db-1<\/strong>&nbsp;is running SQL Server, but traffic is blocked at the NSG and by the Windows Firewall by default; however, a script run by the ARM template opened port 1433 on the db-1 server.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image56.png\" alt=\"The information above for port 1433 (SQL) is visible after running the script and pressing F5.\"><ul><li>Port scan for port 80 (HTTP) to&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>web-1<\/strong>&nbsp;is unsuccessful from the&nbsp;<strong>paw-1<\/strong>&nbsp;machine. Even if traffic were allowed, it would always fail to&nbsp;<strong>db-1<\/strong>&nbsp;because it is not running IIS or any other web server.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image57.png\" alt=\"The information above for port 80 (HTTP) is visible after running the script and pressing F5.\"><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-configure-network-security-groups\">Task 2: Configure network security groups<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the&nbsp;<a href=\"https:\/\/portal.azure.com\/\">Azure Portal<\/a>.<\/li><li>Configure the database server to only allow SQL connections from the web server and the PAW machine:<ul><li>Select&nbsp;<strong>Network Security Groups<\/strong>.<\/li><li>Select&nbsp;<strong>DbTrafficOnly<\/strong>.<\/li><li>Select&nbsp;<strong>Inbound Security 
Rules<\/strong>.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<\/li><li>For the&nbsp;<strong>Source<\/strong>, select&nbsp;<strong>IP Addresses<\/strong>.<\/li><li>For the&nbsp;<strong>Source IP address<\/strong>, enter&nbsp;<strong>10.2.0.4<\/strong>.<\/li><li>For the&nbsp;<strong>Destination<\/strong>, keep&nbsp;<strong>Any<\/strong>.<\/li><li>For the&nbsp;<strong>Destination port range<\/strong>, enter&nbsp;<strong>1433<\/strong>.<\/li><li>For the&nbsp;<strong>Priority<\/strong>, enter&nbsp;<strong>100<\/strong>.<\/li><li>For the&nbsp;<strong>Name<\/strong>, enter&nbsp;<strong>Port_1433<\/strong>.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<\/li><li>For the&nbsp;<strong>Source<\/strong>, select&nbsp;<strong>IP Addresses<\/strong>.<\/li><li>For the&nbsp;<strong>Source IP address<\/strong>, enter&nbsp;<strong>10.0.0.4<\/strong>.<\/li><li>For the&nbsp;<strong>Destination<\/strong>, keep&nbsp;<strong>Any<\/strong>.<\/li><li>For the&nbsp;<strong>Destination port range<\/strong>, enter&nbsp;<strong>1433<\/strong>.<\/li><li>For the&nbsp;<strong>Priority<\/strong>, enter&nbsp;<strong>102<\/strong>.<\/li><li>For the&nbsp;<strong>Name<\/strong>, enter&nbsp;<strong>Port_1433_Paw<\/strong>.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><\/ul><\/li><li>Configure the web server to allow all HTTP and HTTPS connections:<ul><li>Select&nbsp;<strong>Network Security Groups<\/strong>.<\/li><li>Select&nbsp;<strong>WebTrafficOnly<\/strong>.<\/li><li>Select&nbsp;<strong>Inbound Security Rules<\/strong>.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<\/li><li>For the&nbsp;<strong>Source<\/strong>, keep&nbsp;<strong>Any<\/strong>.<\/li><li>For the&nbsp;<strong>Destination<\/strong>, keep&nbsp;<strong>Any<\/strong>.<\/li><li>For the&nbsp;<strong>Destination port ranges<\/strong>, enter&nbsp;<strong>80,443<\/strong>.<\/li><li>For the&nbsp;<strong>Priority<\/strong>, enter&nbsp;<strong>100<\/strong>.<\/li><li>Change 
the&nbsp;<strong>Name<\/strong>&nbsp;to&nbsp;<strong>Port_80_443<\/strong>.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><\/ul><strong>Note<\/strong>: In some rare cases it may take up to 15 minutes for your Network Security Group to change its status from&nbsp;<strong>Updating<\/strong>. You won\u2019t be able to add any other rules until it completes.<\/li><li>Configure both the database and web server to only allow RDP connections from the PAW machine:<ul><li>Select&nbsp;<strong>Network Security Groups<\/strong>. For both&nbsp;<strong>DbTrafficOnly<\/strong>&nbsp;and&nbsp;<strong>WebTrafficOnly<\/strong>, do the following:<ul><li>Select&nbsp;<strong>Inbound Security Rules<\/strong>.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<\/li><li>For the&nbsp;<strong>Source<\/strong>, select&nbsp;<strong>IP Addresses<\/strong>.<\/li><li>For the&nbsp;<strong>Source IP address<\/strong>, enter&nbsp;<strong>10.0.0.4<\/strong>.<\/li><li>For the&nbsp;<strong>Destination port range<\/strong>, enter&nbsp;<strong>3389<\/strong>.<\/li><li>For the&nbsp;<strong>Priority<\/strong>, enter&nbsp;<strong>101<\/strong>.<\/li><li>For the&nbsp;<strong>Name<\/strong>, enter&nbsp;<strong>Port_3389<\/strong>.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><\/ul><\/li><\/ul><\/li><li>Configure all Network Security Groups to have diagnostic logs enabled:<ul><li>Select&nbsp;<strong>Network security groups<\/strong>. For each NSG (DBTrafficOnly and WebTrafficOnly), do the following:<ul><li>In the left menu, select&nbsp;<strong>Diagnostic logs<\/strong>, and then select&nbsp;<strong>Add diagnostic setting<\/strong>.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2019-12-19-18-53-52.png\" alt=\"Diagnostics settings is selected under Monitoring on the left side, and Add diagnostics settings is selected on the right.\"><ul><li>For the name, enter the NSG name and then add&nbsp;<strong>Logging<\/strong>&nbsp;to the end.<\/li><li>Check the&nbsp;<strong>Send to Log Analytics<\/strong>&nbsp;checkbox, and in the&nbsp;<strong>Log Analytics<\/strong>&nbsp;box, select&nbsp;<strong>Configure<\/strong>.<\/li><li>Select the&nbsp;<strong>azseclog\u2026<\/strong>&nbsp;workspace.<\/li><li>Select both LOG checkboxes.<\/li><li>Select&nbsp;<strong>Save<\/strong>.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image60.png\" alt=\"Save is highlighted at the top, and two log items are selected below.\"><\/li><\/ul><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-test-network-security-group-rules-2\">Task 3: Test network security group rules #2<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch back to the&nbsp;<strong>paw-1<\/strong>&nbsp;virtual machine.<\/li><li>Press&nbsp;<strong>F5<\/strong>&nbsp;to run the&nbsp;<strong>PortScan<\/strong>&nbsp;script. 
You should see the following:<ul><li>Port scan for port 3389 (RDP) to&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>web-1<\/strong>&nbsp;is successful from the&nbsp;<strong>paw-1<\/strong>&nbsp;machine.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image61.png\" alt=\"The information above for port 3389 (RDP) is visible after running the script and pressing F5.\">The information above for port 3389 (RDP) is visible after running the script and pressing F5.<ul><li>Port scan for port 1433 (SQL) to&nbsp;<strong>db-1<\/strong>&nbsp;is successful, and to&nbsp;<strong>web-1<\/strong>&nbsp;is unsuccessful from the&nbsp;<strong>paw-1<\/strong>&nbsp;machine.<\/li><\/ul><strong>Note<\/strong>: If the ARM script failed, you may need to disable the Windows Firewall on the db-1 server to achieve this result.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image62.png\" alt=\"The information above for port 1433 (SQL) is visible after running the script and pressing F5.\">The information above for port 1433 (SQL) is visible after running the script and pressing F5.<ul><li><strong>Note<\/strong>: The ARM template installed IIS on web-1, so the port scan for port 80 (HTTP) to&nbsp;<strong>web-1<\/strong>&nbsp;is successful from the&nbsp;<strong>paw-1<\/strong>&nbsp;machine, but the scan to&nbsp;<strong>db-1<\/strong>&nbsp;is unsuccessful because db-1 is not running IIS.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image63.png\" alt=\"The information above for port 80 (HTTP) is visible after running the 
script and pressing F5.\">The information above for port 80 (HTTP) is visible after running the script and pressing F5.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-install-network-watcher-vm-extension\">Task 4: Install network watcher VM extension<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Azure Portal.<\/li><li>Select&nbsp;<strong>Virtual Machines<\/strong>.<\/li><li>Select&nbsp;<strong>db-1<\/strong>.<\/li><li>In the blade menu, select&nbsp;<strong>Extensions<\/strong>, then select&nbsp;<strong>+Add<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image64.png\" alt=\"Extensions is selected on the left under Settings, and + Add is highlighted at the top right.\">Extensions is selected on the left under Settings, and + Add is highlighted at the top right.<\/li><li>Browse to the&nbsp;<strong>Network Watcher Agent for Windows<\/strong>, and select it.<\/li><li>Select&nbsp;<strong>Create<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image65.png\" alt=\"Network Watcher Agent for Windows is highlighted on the left, and Create is highlighted on the right.\">Network Watcher Agent for Windows is highlighted on the left, and Create is highlighted on the right.<\/li><li>In the next&nbsp;<strong>Install extension<\/strong>&nbsp;dialog window (note that it could be blank) select&nbsp;<strong>OK.<\/strong>&nbsp;You should see a dialog toast notification about the script extension being installed into the Virtual Machine.<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image66.png\" alt=\"The toast notification states: \u201cDeployment in progress \u2026 Deployment to resource group \u2018azure-securitytest1\u2019 is in progress.\u201d\">The toast notification states: \u201cDeployment in progress \u2026 Deployment to resource group \u2018azure-securitytest1\u2019 is in progress.\u201d<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-5-setup-network-packet-capture\">Task 5: Setup network packet capture<\/h3>\n\n\n\n<ol type=\"1\"><li>In the main Azure Portal menu, search&nbsp;<strong>All services<\/strong>&nbsp;for&nbsp;<strong>Network Watcher<\/strong>.<\/li><li>In the context menu, select&nbsp;<strong>Network Watcher<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-12-06-30.png\" alt=\"Network watcher is selected from the filtered list of services.\">Network watcher is selected from the filtered list of services.<\/li><li>Expand the subscription regions item you are running your labs in.<\/li><li>For the&nbsp;<strong>East US<\/strong>&nbsp;region (or whatever region you deployed your VMs too), select the ellipsis, then select&nbsp;<strong>Enable network watcher<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image68.png\" alt=\"The East US row is highlighted under Region, and Enable network watcher is selected in the submenu.\">The East US row is highlighted under Region, and Enable network watcher is selected in the submenu.<\/li><li>In the new context menu, select&nbsp;<strong>Packet capture<\/strong>.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<img 
decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image69.png\" alt=\"Packet capture is selected and highlighted on the left under Network Diagnostic Tools, and + Add is highlighted at the top right.\">Packet capture is selected and highlighted on the left under Network Diagnostic Tools, and + Add is highlighted at the top right.<\/li><li>Select your subscription.<\/li><li>Select your resource group.<\/li><li>For the target virtual machine, ensure that&nbsp;<strong>db-1<\/strong>&nbsp;is selected.<\/li><li>For the capture name, enter&nbsp;<strong>databasetraffic<\/strong>.<\/li><li>Notice the ability to save the capture file to the local machine or an Azure storage account. Ensure that the resource group storage account is selected. If you check your resource group, the storage account is prefixed with&nbsp;<strong>\u201cdiagstor\u201d<\/strong>.<\/li><li>For the values, enter the following:<ul><li>Maximum bytes per packet: 0.<\/li><li>Maximum bytes per session: 1073741824.<\/li><li>Time limit: 600.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/packetcapture.png\" alt=\"In the Add packet capture window, databasetraffic is entered in the Packet capture name box, and the Storage account check box is checked.\">In the Add packet capture window, databasetraffic is entered in the Packet capture name box, and the Storage account check box is checked.<\/li><li>Select&nbsp;<strong>OK<\/strong>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-6-execute-a-port-scan\">Task 6: Execute a port scan<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch your Remote Desktop connection to the&nbsp;<strong>paw-1<\/strong>&nbsp;virtual machine.<\/li><li>Uncomment the following line of the script, and 
press&nbsp;<strong>F5<\/strong>.<code>#TestPortRange $computers 80 443;<\/code><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-12-49-13.png\" alt=\"The PowerShell ISE window displays uncommented PowerShell script port scan command.\">The PowerShell ISE window displays uncommented PowerShell script port scan command.<strong>Note<\/strong>: You should see the basic ports scanned, and then a port scan from 80 to 443. This will generate many security center logs for the Network Security Groups which will be used in the Custom Alert in the next set of exercises. Continue to the next exercise while the script executes.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-5-azure-security-center\">Exercise 5: Azure Security Center<\/h2>\n\n\n\n<p>Duration: 45 minutes<\/p>\n\n\n\n<p>Azure Security Center provides several advanced security and threat detection abilities that are not enabled by default. 
In this exercise we will explore and enable several of them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-linux-vm-and-microsoft-monitoring-agent-mma-install\">Task 1: Linux VM and Microsoft Monitoring Agent (MMA) install<\/h3>\n\n\n\n<ol type=\"1\"><li>In the Azure Portal, browse to your&nbsp;<strong>azsecurity-INIT<\/strong>&nbsp;resource group, then select the&nbsp;<em>azseclog\u2026<\/em>&nbsp;<strong>Log Analytics Workspace<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/LogAnalyticsWorkspace.png\" alt=\"The log analytics workspace is highlighted.\">The log analytics workspace is highlighted.<\/li><li>In the blade, select&nbsp;<strong>Agents management<\/strong>.<\/li><li>Record the&nbsp;<code>Workspace ID<\/code>&nbsp;and the&nbsp;<code>Primary key<\/code>&nbsp;values.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/LogAnalyticsWorkspace_Settings.png\" alt=\"Agents management blade link is highlighted along with the id and key for the workspace\">Agents management blade link is highlighted along with the id and key for the workspace<\/li><li>Switch to the Remote Desktop Connection to the&nbsp;<strong>paw-1<\/strong>.<\/li><li>Open the&nbsp;<strong>Putty<\/strong>&nbsp;tool and log in to the&nbsp;<strong>linux-1<\/strong>&nbsp;machine using the username and password.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/putty-linux-1.png\" alt=\"Putty window with linux-1 as the host.\">Putty window with linux-1 as the host.<\/li><li>Run the following commands, being sure to replace the workspace tokens with the values you recorded above (the agent is onboarded first, then its service is restarted for that workspace):<code>wget 
https:\/\/raw.githubusercontent.com\/Microsoft\/OMS-Agent-for-Linux\/master\/installer\/scripts\/onboard_agent.sh &amp;&amp; sh onboard_agent.sh -w &lt;YOUR_WORKSPACE_ID&gt; -s &lt;YOUR_WORKSPACE_KEY&gt; &amp;&amp; sudo \/opt\/microsoft\/omsagent\/bin\/service_control restart &lt;YOUR_WORKSPACE_ID&gt;<\/code><\/li><li>Switch back to the Azure Portal.<\/li><li>In the blade menu, select&nbsp;<strong>Advanced settings<\/strong>&nbsp;and then select&nbsp;<strong>Linux Servers<\/strong>; you should see&nbsp;<strong>1 LINUX COMPUTER CONNECTED<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/loganalytics-linux-computers.png\" alt=\"The list of connected Linux computers for the workspace.\">The list of connected Linux computers for the workspace.<strong>Note<\/strong>: In most cases, Azure will assign resources automatically to the log analytics workspace in your resource group.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-execute-brute-force-attack\">Task 2: Execute brute force attack<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Remote Desktop Connection to the&nbsp;<strong>paw-1<\/strong>.<\/li><li>In the PowerShell ISE, comment the lines for Exercise 4, then uncomment the lines for Exercise 5.<\/li><li>Run the script and notice that it executes several SSH login attempts against the&nbsp;<strong>linux-1<\/strong>&nbsp;machine using the plink tool from PuTTY.<\/li><li>After a few moments (up to 30 mins), you will see an alert from Security Center about a successful brute force attack.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/linux-brute-attack-warning.png\" alt=\"The email warning about the Brute Force Attack.\">The email warning about the Brute Force Attack.<\/li><\/ol>\n\n\n\n<h3 
class=\"wp-block-heading\" id=\"task-3-enable-change-tracking-and-update-management\">Task 3: Enable change tracking and update management<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch back to the Azure Portal.<\/li><li>In the search menu, type&nbsp;<strong>Virtual Machine<\/strong>, then select it.<\/li><li>Highlight the&nbsp;<strong>paw-1<\/strong>,&nbsp;<strong>web-1<\/strong>,&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>linux-1<\/strong>&nbsp;virtual machines that were deployed.<\/li><li>In the top menu, select&nbsp;<strong>Services<\/strong>, then select&nbsp;<strong>Change Tracking<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/virtual-machines-svcs-changetracking.png\" alt=\"The virtual machines are selected and the change tracking menu item is selected.\">The virtual machines are selected and the change tracking menu item is selected.<\/li><li>Select the&nbsp;<strong>CUSTOM<\/strong>&nbsp;radio button.<\/li><li>Select&nbsp;<strong>change<\/strong>, select the&nbsp;<strong>Log Analytics Workspace<\/strong>&nbsp;that was deployed with the lab ARM template.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/virtual-machines-svcs-changetracking-config.png\" alt=\"The change tracking blade is displayed with custom and change link highlighted.\">The change tracking blade is displayed with custom and change link highlighted.<\/li><li>Select the log analytics workspace for your resource group and then select the matching automation account, then select&nbsp;<strong>OK<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/virtual-machines-svcs-changetracking-config2.png\" alt=\"The custom 
configuration dialog is displayed with the log analytics workspace selected along with the matching automation account.\">The custom configuration dialog is displayed with the log analytics workspace selected along with the matching automation account.<\/li><li>Select all the virtual machines, then select&nbsp;<strong>Enable<\/strong>.<\/li><li>Navigate back to the&nbsp;<strong>Virtual Machines<\/strong>&nbsp;blade, again highlight the&nbsp;<strong>paw-1<\/strong>,&nbsp;<strong>web-1<\/strong>,&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>linux-1<\/strong>&nbsp;virtual machines that were deployed.<\/li><li>In the top menu, select&nbsp;<strong>Services<\/strong>, then select&nbsp;<strong>Inventory<\/strong>.<\/li><li>Select the&nbsp;<strong>CUSTOM<\/strong>&nbsp;radio button.<\/li><li>Select&nbsp;<strong>change<\/strong>, select the&nbsp;<strong>Log Analytics Workspace<\/strong>&nbsp;that was deployed with the lab ARM template.<\/li><li>Notice that all the VMs are already enabled for the workspace based on the last task.<\/li><li>Navigate back to the&nbsp;<strong>Virtual Machines<\/strong>&nbsp;blade, again highlight the&nbsp;<strong>paw-1<\/strong>,&nbsp;<strong>web-1<\/strong>,&nbsp;<strong>db-1<\/strong>&nbsp;and&nbsp;<strong>linux-1<\/strong>&nbsp;virtual machines that were deployed.<\/li><li>In the top menu, select&nbsp;<strong>Services<\/strong>, then select&nbsp;<strong>Update Management<\/strong>.<\/li><li>Select the&nbsp;<strong>CUSTOM<\/strong>&nbsp;radio button.<\/li><li>Select&nbsp;<strong>change<\/strong>, select the&nbsp;<strong>Log Analytics Workspace<\/strong>&nbsp;that was deployed with the lab ARM template.<\/li><li>Select all the virtual machines, then select&nbsp;<strong>Enable<\/strong>.<\/li><li>Browse to your resource group, then select your Log Analytics workspace.<\/li><li>Under the&nbsp;<strong>General<\/strong>&nbsp;section, select the&nbsp;<strong>Solutions<\/strong>&nbsp;blade, you should see 
the&nbsp;<strong>ChangeTracking<\/strong>&nbsp;and&nbsp;<strong>Updates<\/strong>&nbsp;solutions were added to your workspace. Select the&nbsp;<strong>ChangeTracking<\/strong>&nbsp;solution.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/loganalytics-solutions.png\" alt=\"The solutions configured for the workspace are displayed.\">The solutions configured for the workspace are displayed.<\/li><li>Under&nbsp;<strong>Workspace Data Sources<\/strong>&nbsp;section, select&nbsp;<strong>Solution Targeting (Preview)<\/strong>.<\/li><li>Remove any scopes that are displayed via the ellipses to the right of the items.<\/li><li>Repeat the steps to remove the solution targeting for the&nbsp;<strong>Updates<\/strong>&nbsp;solution.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-review-mma-configuration\">Task 4: Review MMA configuration<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Remote Desktop Connection to the&nbsp;<strong>paw-1<\/strong>.<\/li><li>Open&nbsp;<strong>Event Viewer<\/strong>.<\/li><li>Expand the&nbsp;<strong>Applications and Services Logs<\/strong>, then select&nbsp;<strong>Operations Manager<\/strong>.<\/li><li>Right-click&nbsp;<strong>Operations Manager<\/strong>, select&nbsp;<strong>Filter Current Logs<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/eventviewer-operations-mgr.png\" alt=\"The event viewer is displayed with the click path highlighted.\">The event viewer is displayed with the click path highlighted.<\/li><li>For the event id, type&nbsp;<strong>5001<\/strong>, select the latest entry, you should see similar names to all the solutions that are deployed in your Log Analytics workspace including the ones you just added:<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/eventviewer-operations-mgr-5000.png\" alt=\"The event viewer is displayed with the click path highlighted.\">The event viewer is displayed with the click path highlighted.<\/li><li>Open&nbsp;<strong>Windows Explorer<\/strong>, browse to&nbsp;<strong>C:FilesMonitoring AgentService StatePacks<\/strong>&nbsp;folder.<\/li><li>Notice the management packs that have been downloaded that correspond to the features you deployed from Azure Portal.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/loganalytics-mgmtpacks.png\" alt=\"The management packs for the solutions are displayed.\">The management packs for the solutions are displayed.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-5-adaptive-application-controls\">Task 5: Adaptive Application Controls<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Azure Portal.<\/li><li>Select&nbsp;<strong>Azure Security Center<\/strong>.<\/li><li>In the blade menu, scroll to the&nbsp;<strong>ADVANCED CLOUD DEFENSE<\/strong>&nbsp;section and select&nbsp;<strong>Adaptive application controls<\/strong>.<\/li><li>You will likely have several groups displayed, find the one that has your newly created lab VMs.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/securitycenter-grouping.png\" alt=\"Machine groupings is displayed.\">Machine groupings is displayed.<\/li><li>Expand the&nbsp;<strong>Publisher whitelisting rules<\/strong>&nbsp;section, you should see that Google Chrome and Notepad++ were picked up and have Microsoft Certificated tied to them.<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/securitycenter-whitelistingrules.png\" alt=\"The discovered applications are displayed.\">The discovered applications are displayed.<\/li><li>In the top menu, select&nbsp;<strong>Group settings<\/strong>.<\/li><li>Review the available settings.<\/li><\/ol>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><strong>Note<\/strong>: As of June 2020, the&nbsp;<strong>Enforce<\/strong>&nbsp;option is temporarily disabled.<\/p><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-6-file-integrity-monitoring\">Task 6: File Integrity Monitoring<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Azure Portal.<\/li><li>Select Azure Security Center.<\/li><li>In the blade menu, scroll to the&nbsp;<strong>ADVANCED CLOUD DEFENSE<\/strong>&nbsp;section and select&nbsp;<strong>File Integrity Monitoring<\/strong>.<\/li><li>For the log workspace tied to your lab environment virtual machines, if displayed, select&nbsp;<strong>Upgrade Plan<\/strong>, then select&nbsp;<strong>Try File Integrity Monitoring<\/strong>.<\/li><li>Select the workspace only, then select&nbsp;<strong>Upgrade<\/strong>.<\/li><li>Select the&nbsp;<strong>Continue without installing agents<\/strong>&nbsp;link.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-enable.png\" alt=\"The continue without installing agents link is highlighted.\">The continue without installing agents link is highlighted.<\/li><li>If displayed, select&nbsp;<strong>Enable<\/strong>, otherwise simply select the workspace.<\/li><li>In the menu, select&nbsp;<strong>Settings<\/strong>.<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-settings.png\" alt=\"The Settings link is highlighted.\">The Settings link is highlighted.<\/li><li>Select the&nbsp;<strong>Windows Files<\/strong>&nbsp;tab.<\/li><li>Select&nbsp;<strong>+Add<\/strong>.<\/li><li>For the item name, type&nbsp;<strong>HOSTS<\/strong>.<\/li><li>For the path, type&nbsp;<strong>c:\\*<\/strong>.<\/li><li>Select&nbsp;<strong>Save<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-addentry.png\" alt=\"The settings page is displayed with the links highlighted.\">The settings page is displayed with the links highlighted.<\/li><li>Select the&nbsp;<strong>File Content<\/strong>&nbsp;tab.<\/li><li>Select&nbsp;<strong>Link<\/strong>, then select the storage account tied to your lab.<strong>Note<\/strong>: It will take 30-60 minutes for Log Analytics and its management packs to execute on all your VMs. 
As you may not have that much time with this lab, screenshots are provided of the results you will eventually get.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-filecontent.png\" alt=\"The file content page is displayed with the links highlighted.\">The file content page is displayed with the links highlighted.<\/li><li>Switch to the Remote Desktop Connection to the&nbsp;<strong>paw-1<\/strong>.<\/li><li>Open the&nbsp;<strong>c:*<\/strong>&nbsp;file.<\/li><li>Add the following entry:<code>10.0.0.6 linux-1<\/code><\/li><li>Save the file.<\/li><li>After about 30-60 minutes, the Log Analytics workspace will start to pick up changes to your files, registry settings and Windows services:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-logchanges.png\" alt=\"The file changes are saved to the logs of the workspace.\">The file changes are saved to the logs of the workspace.<\/li><li>You will also start to see the file snapshots show up in the storage account:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/fileintegrity-snapshots.png\" alt=\"The file changes are displayed in the storage account.\">The file changes are displayed in the storage account.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-7-disk-encryption\">Task 7: Disk encryption<\/h3>\n\n\n\n<ol type=\"1\"><li>Switch to the Azure Portal.<\/li><li>Browse to your resource group.<\/li><li>Browse to your key vault.<\/li><li>In the blade menu under&nbsp;<strong>Settings<\/strong>, select&nbsp;<strong>Access Policies<\/strong>.<\/li><li>Select the&nbsp;<strong>Azure Disk Encryption for volume encryption<\/strong>&nbsp;checkbox.<img 
decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/keyvault-diskencrypt.png\" alt=\"The click path above is highlighted.\">The click path above is highlighted.<\/li><li>Select&nbsp;<strong>Save<\/strong>.<\/li><li>Browse to your resource group.<\/li><li>Select the&nbsp;<strong>linux-1<\/strong>&nbsp;virtual machine.<\/li><li>In the blade menu, select&nbsp;<strong>Disks<\/strong>.<\/li><li>In the top menu, select&nbsp;<strong>Encryption<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/diskencryption.png\" alt=\"The click path above is highlighted.\">The click path above is highlighted.<\/li><li>For&nbsp;<strong>Disks to encrypt<\/strong>, select&nbsp;<strong>OS Disk<\/strong>.<\/li><li>Select the&nbsp;<strong>Select a key vault and key for encryption<\/strong>&nbsp;link.<\/li><li>Select the lab key vault.<\/li><li>For the key, select&nbsp;<strong>Create new<\/strong>.<\/li><li>For the name, type&nbsp;<strong>vm-disk-key<\/strong>.<\/li><li>Select&nbsp;<strong>Create<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/diskencryption-selectkeyvault.png\" alt=\"Select the lab key vault.\">Select the lab key vault.<\/li><li>For the&nbsp;<strong>Version<\/strong>, select the new version.<\/li><li>Select&nbsp;<strong>Select<\/strong>.<\/li><li>Select&nbsp;<strong>Save<\/strong>, then select&nbsp;<strong>Yes<\/strong>&nbsp;when prompted.<\/li><\/ol>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><strong>Note<\/strong>: Disk encryption can take some time, move on to the next exercises.<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"exercise-6-azure-sentinel-logging-and-reporting\">Exercise 6: Azure Sentinel logging and reporting<\/h2>\n\n\n\n<p>Duration: 20 minutes<\/p>\n\n\n\n<p>In this exercise, you will setup Azure Sentinel to point to a logging workspace and then create custom alerts that execute Azure Runbooks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-create-a-dashboard\">Task 1: Create a dashboard<\/h3>\n\n\n\n<ol type=\"1\"><li>Open the Azure Portal.<\/li><li>Select&nbsp;<strong>All services<\/strong>, then type&nbsp;<strong>Sentinel<\/strong>, select&nbsp;<strong>Azure Sentinel<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image94.png\" alt=\"All Services is selected in the left menu, and a search for Sentinel is displayed along with its search results.\">All Services is selected in the left menu, and a search for Sentinel is displayed along with its search results.<\/li><li>In the blade, select&nbsp;<strong>+Add<\/strong>, select the&nbsp;<strong>Log Analytics<\/strong>&nbsp;resource for your resource group, then choose&nbsp;<strong>Add Azure Sentinel<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-12-54-25.png\" alt=\"The screenshot displays the Azure workspace found in the resource group.\">The screenshot displays the Azure workspace found in the resource group.<\/li><li>In the blade, under&nbsp;<strong>Threat Management<\/strong>, select&nbsp;<strong>Workbooks<\/strong>.<\/li><li>In the list of workbooks, select&nbsp;<strong>Azure AD Audit logs<\/strong>, select&nbsp;<strong>Save<\/strong>.<\/li><li>Select the region and select&nbsp;<strong>OK<\/strong>.<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image95.png\" alt=\"In the left menu beneath Threat Management the Workbooks item is selected and the Azure AD Audit Logs item is selected beneath the Templates tab on the right.\">In the left menu beneath Threat Management the Workbooks item is selected and the Azure AD Audit Logs item is selected beneath the Templates tab on the right.<\/li><li>In the list of workbooks, select&nbsp;<strong>Azure Network Watcher<\/strong>, choose&nbsp;<strong>Save<\/strong>.<\/li><li>Select the region and choose&nbsp;<strong>OK<\/strong>.<\/li><li>Select&nbsp;<strong>View saved workbook<\/strong>, take a moment to review your new workbook.<strong>Note<\/strong>: You may not have data in the log analytics workspace for the targeted workbook queries.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-create-an-analytics-alert\">Task 2: Create an Analytics alert<\/h3>\n\n\n\n<ol type=\"1\"><li>Navigate back to the&nbsp;<strong>Azure Sentinel<\/strong>&nbsp;workspace, in the&nbsp;<strong>Configuration<\/strong>&nbsp;blade section, select&nbsp;<strong>Analytics<\/strong>&nbsp;then select&nbsp;<strong>+Create<\/strong>&nbsp;then&nbsp;<strong>Scheduled query rule<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image96.png\" alt=\"In the left menu beneath Configuration the Analytics item is selected. To the right, the + Create button is expanded and the Scheduled query rule item is selected.\">In the left menu beneath Configuration the Analytics item is selected. 
To the right, the + Create button is expanded and the Scheduled query rule item is selected.<\/li><li>On the&nbsp;<strong>General<\/strong>&nbsp;tab, enter&nbsp;<strong>PortScans<\/strong>&nbsp;for the name.<\/li><li>For the description, enter&nbsp;<strong>A custom rule to detect port scans<\/strong>, select&nbsp;<strong>Next: Set rule logic<\/strong>.<\/li><li>In the&nbsp;<strong>Rule query<\/strong>&nbsp;text box, type:<code>AzureDiagnostics | where ruleName_s == 'UserRule_DenyAll' and Type != 'AzureMetric' and type_s == 'block' and direction_s == 'In' and OperationName == 'NetworkSecurityGroupCounters' | summarize AggregatedValue = sum(matchedConnections_d) by ruleName_s, primaryIPv4Address_s | where AggregatedValue &gt; 0<\/code><strong>Note<\/strong>: If you wanted to target a specific NSG, you can add&nbsp;<code>and Resource == 'WEBTRAFFICONLY'<\/code>&nbsp;to the query.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image97.png\" alt=\"In this screenshot, the alert simulation shows data after the query has been entered.\">In this screenshot, the alert simulation shows data after the query has been entered.<strong>Note<\/strong>: If you were quick going through the labs, then you may not have log data in the Log Analytics workspace just yet that corresponds to \u201cAzureMetric\u201d. You may need to wait 15-30 minutes before a query will execute.<strong>Note<\/strong>: Since the introduction of Azure Security Center and Sentinel, the backend logging has changed a few times as well as the way the calculations are done in the rule query (timespan in query vs outside query, etc.). The ultimate goal of this query is to find when a series of failed connection attempts have been made against a network security group and a specific deny rule. 
If for some reason the UI\/backend has been modified since the last published lab, modify the query to accomplish this goal.<\/li><li>Under&nbsp;<strong>Map entities<\/strong>, for the&nbsp;<strong>IP<\/strong>, select the&nbsp;<strong>primaryIPv4Address_s<\/strong>&nbsp;column, then select&nbsp;<strong>Add<\/strong>.<\/li><li>Under&nbsp;<strong>Query scheduling<\/strong>, for the&nbsp;<strong>Run query every<\/strong>&nbsp;setting, type&nbsp;<strong>5<\/strong>&nbsp;minutes. <strong>Note<\/strong>: This is a lab and you want to see the results as quickly as possible. In a production environment, you may want to choose a different time threshold.<\/li><li>For the&nbsp;<strong>Lookup data from the last<\/strong>, type&nbsp;<strong>2<\/strong>&nbsp;hours.<\/li><li>Under&nbsp;<strong>Alert threshold<\/strong>, for the&nbsp;<strong>Generate alert when number of query results<\/strong>, enter&nbsp;<strong>0<\/strong>. <strong>Note:<\/strong>&nbsp;We want to hit the threshold quickly for lab purposes. This query and value may not be appropriate for production and are only for learning purposes. Review the current data to determine what would trigger the alert. Notice that the red threshold line intersects the blue event data line.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-13-26-17.png\" alt=\"A chart is displayed showing the current log data and the alert threshold. The red and blue lines intersect in the chart.\">A chart is displayed showing the current log data and the alert threshold. 
The red and blue lines intersect in the chart.<\/li><li>Select&nbsp;<strong>Next: Incident settings<\/strong> and review the potential incident settings.<\/li><li>Select&nbsp;<strong>Next: Automated response<\/strong>; notice that you have no playbooks to select yet.<\/li><li>Select&nbsp;<strong>Next: Review<\/strong>.<\/li><li>Select&nbsp;<strong>Create<\/strong>. <strong>Note<\/strong>: It may take a few minutes for the alert to fire. You may need to run the PortScan script a few times from&nbsp;<strong>paw-1<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-13-03-56.png\" alt=\"In the Azure Sentinel Analytics screen beneath the Active Rules tab, the PortScans rule is highlighted in the table and its status shows it is Enabled.\">In the Azure Sentinel Analytics screen beneath the Active Rules tab, the PortScans rule is highlighted in the table and its status shows it is Enabled.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-investigate-a-custom-alert-incident\">Task 3: Investigate a custom alert incident<\/h3>\n\n\n\n<ol type=\"1\"><li>In the main menu, select&nbsp;<strong>Azure Sentinel<\/strong>.<\/li><li>Select&nbsp;<strong>Incidents<\/strong>.<\/li><li>Select the new&nbsp;<strong>PortScans<\/strong>&nbsp;incident.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-13-30-12.png\" alt=\"In the Azure Sentinel Incidents window, the most recent PortScans security alert is selected from the table.\">In the Azure Sentinel Incidents window, the most recent PortScans security alert is selected from the table. <strong>Note<\/strong>: It may take 15-20 minutes for the alert to fire. You can continue to execute the port scan script to cause log events, or you can lower the threshold for the custom alert.<\/li><li>In the dialog, choose&nbsp;<strong>Investigate<\/strong>. 
Note that it may take a few minutes for the button to be available.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image76.png\" alt=\"The incident dialog is displayed with the Investigate button selected.\">The incident dialog is displayed with the Investigate button selected.<\/li><li>In future versions, you will get to see insights about the alerts and the resources related to what caused it to fire:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image77.png\" alt=\"The Azure Security Insights screen is displayed detailing the lifetime of an alert instance.\">The Azure Security Insights screen is displayed detailing the lifetime of an alert instance.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-create-and-run-a-playbook\">Task 4: Create and run a playbook<\/h3>\n\n\n\n<ol type=\"1\"><li>In the&nbsp;<strong>Azure Sentinel<\/strong>&nbsp;blade, select&nbsp;<strong>Playbooks<\/strong>.<\/li><li>In the new window, select&nbsp;<strong>+ Add Playbook<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image79.png\" alt=\"The playbooks blade is displayed with the Playbooks item selected in the left hand menu and the + Add Playbook button selected.\">The playbooks blade is displayed with the Playbooks item selected in the left hand menu and the + Add Playbook button selected.<\/li><li>The&nbsp;<strong>Create logic app<\/strong>&nbsp;blade will display:<ul><li>For the name, enter&nbsp;<strong>Email<\/strong>.<\/li><li>Select your existing resource group.<\/li><li>Toggle 
the&nbsp;<strong>Log Analytics<\/strong>&nbsp;to&nbsp;<strong>On<\/strong>&nbsp;and then select your&nbsp;<strong>azuresecurity<\/strong>&nbsp;Log Analytics workspace.<\/li><\/ul><img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image80.png\" alt=\"The information above is entered in the Create logic app blade.\">The information above is entered in the Create logic app blade.<\/li><li>Select&nbsp;<strong>Review + Create<\/strong>&nbsp;then select&nbsp;<strong>Create<\/strong>. After a few moments, the&nbsp;<strong>Logic Apps Designer<\/strong>&nbsp;will load. If the designer does not load, wait a few minutes and refresh the Playbook list. Select the&nbsp;<strong>Email<\/strong>&nbsp;playbook.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-14-40-13.png\" alt=\"The playbooks list is displayed and the Email playbook is highlighted.\">The playbooks list is displayed and the Email playbook is highlighted.<\/li><li>Select the&nbsp;<strong>Get a notification email when Security Center detects a threat<\/strong>&nbsp;template.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-14-44-52.png\" alt=\"The Logic Apps Designer screen is displayed with a list of templates. The Get a notification email when Security Center detects a threat template is selected.\">The Logic Apps Designer screen is displayed with a list of templates. 
The Get a notification email when Security Center detects a threat template is selected.<\/li><li>Select&nbsp;<strong>Use this template<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image82.png\" alt=\"The Use this template button is selected under Send notification email with alert details from Azure Security Center.\">The Use this template button is selected under Send notification email with alert details from Azure Security Center.<\/li><li>For the&nbsp;<strong>Office 365 Outlook<\/strong>&nbsp;connection, select the&nbsp;<strong>+<\/strong>&nbsp;link and enter your Azure\/O365 credentials.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-14-48-03.png\" alt=\"The Sign in button is highlighted next to Office 365 Outlook under This logic app will connect to.\">The Sign in button is highlighted next to Office 365 Outlook under This logic app will connect to. <strong>Note<\/strong>: This must be a valid Office 365 account; if you do not have one, use a basic email template for Outlook.com instead.<\/li><li>For the&nbsp;<strong>Security Center Alert<\/strong>&nbsp;connection, select the&nbsp;<strong>+<\/strong>&nbsp;link.<\/li><li>Select&nbsp;<strong>Continue<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-14-51-29.png\" alt=\"The Logic app connection blade is displayed. Outlook and Azure Security Center validation are displayed.\">The Logic app connection blade is displayed. Outlook and Azure Security Center validation are displayed.<\/li><li>For the email address, enter your email.<\/li><li>Select&nbsp;<strong>Save<\/strong>. 
You now have an email alert action based on Logic Apps for your custom security alert to use.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-14-54-20.png\" alt=\"Save is highlighted in Logic Apps Designer, and information about the custom security alert appears below.\">Save is highlighted in Logic Apps Designer, and information about the custom security alert appears below.<\/li><li>Lastly, after you have created the new Playbook, ensure that its status is&nbsp;<strong>Enabled<\/strong>. If not, select&nbsp;<strong>Enable<\/strong>&nbsp;in the menu.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-5-execute-jupyter-notebooks\">Task 5: Execute Jupyter Notebooks<\/h3>\n\n\n\n<ol type=\"1\"><li>In the&nbsp;<strong>Azure Sentinel<\/strong>&nbsp;blade, select&nbsp;<strong>Notebooks<\/strong>.<\/li><li>Search for the&nbsp;<strong>Getting Started with Azure Sentinel Notebooks<\/strong>&nbsp;item.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/sentinel-getting-started-notebook.png\" alt=\"The notebook search results are displayed.\">The notebook search results are displayed.<\/li><li>In the right dialog, select&nbsp;<strong>Launch Notebook<\/strong>.<\/li><li>If not already logged in, select your Azure credentials; the GitHub repo will start cloning into your workspace, and you will see the GitHub progress meter.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-18-06-26.png\" alt=\"The GitHub progress meter is displayed.\">The GitHub progress meter is displayed.<\/li><li>The notebook should open in the Jupyter notebooks application. It will also start a container kernel for executing the notebook cells.<\/li><li>Follow the directions of the notebook while executing each cell. 
The notebook will require you to set up some supported API accounts to merge external security data such as known bad actors and other geographical information.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/jupyter-sentinel.png\" alt=\"The getting started Sentinel notebook is displayed.\">The getting started Sentinel notebook is displayed.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-6-creating-reports-with-power-bi\">Task 6: Creating reports with Power BI<\/h3>\n\n\n\n<ol type=\"1\"><li>Navigate back to your&nbsp;<strong>Azure Sentinel<\/strong>&nbsp;browser window. Select&nbsp;<strong>Logs<\/strong>. <strong>Note<\/strong>: You may see a&nbsp;<strong>Welcome to Log Analytics<\/strong>&nbsp;splash page in the blade. Select&nbsp;<strong>Get Started<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-19-14-49.png\" alt=\"The screenshot displays the Welcome to Log Analytics blade.\">The screenshot displays the Welcome to Log Analytics blade.<\/li><li>In the&nbsp;<strong>Schema<\/strong>&nbsp;tab under&nbsp;<strong>Active<\/strong>, expand the&nbsp;<strong>LogManagement<\/strong>&nbsp;node and notice the various options available.<\/li><li>In the schema window, select&nbsp;<strong>AzureDiagnostics<\/strong>, then choose the&nbsp;<strong>eye<\/strong>&nbsp;icon.<\/li><li>In the top right, select&nbsp;<strong>Export<\/strong>, then select the&nbsp;<strong>Export to Power BI (M Query)<\/strong>&nbsp;link.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image103.png\" alt=\"The Azure Sentinel Logs screen is displayed. 
The logs item is selected in the left menu. LogManagement and AzureDiagnostics are selected from the active schema list. The Azure Diagnostics item has an eye icon. A new query tab is shown with the Export item highlighted.\">The Azure Sentinel Logs screen is displayed. The logs item is selected in the left menu. LogManagement and AzureDiagnostics are selected from the active schema list. The Azure Diagnostics item has an eye icon. A new query tab is shown with the Export item highlighted.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/media\/2020-01-12-19-17-28.png\" alt=\"The Export item is expanded with the Export to PowerBI (M Query) item highlighted.\">The Export item is expanded with the Export to PowerBI (M Query) item highlighted.<\/li><li>Select&nbsp;<strong>Open<\/strong>; a text document containing the Power Query M language will be displayed.<\/li><li>Follow the instructions in the document to execute the query in Power BI.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image88.png\" alt=\"The instructions at the top of the PowerBIQuery.txt file are highlighted.\">The instructions at the top of the PowerBIQuery.txt file are highlighted.<\/li><li>Close&nbsp;<strong>Power BI<\/strong>.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"exercise-7-using-compliance-tools-azure-policy-secure-score-and-compliance-manager\">Exercise 7: Using Compliance Tools (Azure Policy, Secure Score and Compliance Manager)<\/h2>\n\n\n\n<p>Duration: 15 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will learn to navigate the Azure Policy and Secure Score features of Azure. 
You will also explore the Compliance Manager portal, which provides helpful tasks to consider when attempting to achieve specific compliance policies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-review-a-basic-azure-policy\">Task 1: Review a basic Azure Policy<\/h3>\n\n\n\n<ol type=\"1\"><li>Open the&nbsp;<a href=\"https:\/\/portal.azure.com\/\">Azure Portal<\/a>. Select&nbsp;<strong>All Services<\/strong>, then type&nbsp;<strong>policy<\/strong>. Select&nbsp;<strong>Policy<\/strong>&nbsp;in the list of items.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image104.png\" alt=\"All services are selected in the left menu. In the search box policy is entered. Policy is selected from the filtered list of services.\">All services are selected in the left menu. In the search box policy is entered. Policy is selected from the filtered list of services.<\/li><li>In the blade menu, select&nbsp;<strong>Compliance<\/strong>, and review your&nbsp;<strong>Overall resource compliance<\/strong>&nbsp;percentage.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image105.png\" alt=\"The Compliance item is selected from the left menu. The Policy compliance screen is displayed.\">The Compliance item is selected from the left menu. 
The Policy compliance screen is displayed.<\/li><li>For the scope, ensure the proper subscription is selected, then select&nbsp;<strong>ASC Default (subscription:<\/strong>.<\/li><li>In the&nbsp;<strong>Initiative compliance<\/strong>&nbsp;blade, review your compliance metrics.<\/li><li>Scroll to the results area and select the&nbsp;<strong>Non-compliant resources<\/strong>&nbsp;tab.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image106.png\" alt=\"The non-compliant resources tab is highlighted.\">The non-compliant resources tab is highlighted.<\/li><li>In the filter search box, type&nbsp;<strong>paw-1<\/strong>&nbsp;and select it when displayed. <strong>Note<\/strong>: You may not see resources displayed right away. If this is the case, scroll through some other non-compliant resources.<\/li><li>With the&nbsp;<strong>Policies<\/strong>&nbsp;tab selected, review the policies with which the resource is non-compliant. <strong>Note<\/strong>: New policies are being created, so your number may differ from the image below.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image107.png\" alt=\"The Resource compliance blade for paw-1 is displayed with the non-compliant items highlighted.\">The Resource compliance blade for paw-1 is displayed with the non-compliant items highlighted.<\/li><li>Choose one of the policies. 
Review the policy's Definition JSON; notice that it follows the ARM template format and checks that specific properties are set on the non-compliant resources.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image108.png\" alt=\"The policy definition is displayed in JSON format.\">The policy definition is displayed in JSON format. <strong>Note<\/strong>: You can use these out-of-the-box templates to build your own policies and apply them as blueprints.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-review-and-create-azure-blueprints\">Task 2: Review and create Azure Blueprints<\/h3>\n\n\n\n<ol type=\"1\"><li>In the Policy blade, under&nbsp;<strong>Authoring<\/strong>, select&nbsp;<strong>Definitions<\/strong>. This is a list of all defined policies, which can be selected for assignment to your subscription resources.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image109.png\" alt=\"A listing of policy definitions on the Policy Blade Definitions screen.\">A listing of policy definitions on the Policy Blade Definitions screen.<\/li><li>In the Policy blade, under&nbsp;<strong>Related Services<\/strong>, select&nbsp;<strong>Blueprints<\/strong>.<\/li><li>In the Blueprints blade, select&nbsp;<strong>Blueprint definitions<\/strong>.<\/li><li>Select&nbsp;<strong>+Create blueprint<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image110.png\" alt=\"The Blueprint definitions screen is displayed with the Blueprint definitions item selected from the left menu. 
The + Create blueprint menu item is selected.\">The Blueprint definitions screen is displayed with the Blueprint definitions item selected from the left menu. The + Create blueprint menu item is selected.<\/li><li>Review some of the sample blueprints, then select&nbsp;<strong>Start with blank blueprint<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image111.png\" alt=\"The Create blueprint screen is displayed with the Blank blueprint item selected from the list of available samples.\">The Create blueprint screen is displayed with the Blank blueprint item selected from the list of available samples.<\/li><li>For the name, type&nbsp;<strong>gdprblueprint<\/strong>.<\/li><li>For the location, select the ellipses, then select your subscription in the drop-down.<\/li><li>Choose&nbsp;<strong>Select<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image112.png\" alt=\"New blueprint dialog with name and location filled in.\">New blueprint dialog with name and location filled in.<\/li><li>Select&nbsp;<strong>Next: Artifacts<\/strong>.<\/li><li>Select&nbsp;<strong>+ Add artifact<\/strong>.<\/li><li>For the Artifact Type, select&nbsp;<strong>Policy assignment<\/strong> and review all the policies available to you (at the time of this writing you would see 37 definitions and 311 policies).<\/li><li>In the search box, type&nbsp;<strong>unrestricted<\/strong> and browse for&nbsp;<strong>Storage accounts should restrict network access<\/strong>.<img decoding=\"async\" 
src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image113.png\" alt=\"On the Create blueprint screen, on the Artifacts tab the + Add artifact link is selected beneath the Subscription. In the Add artifact blade, the artifact type of Policy assignment is selected. In the Search textbox, unrestricted is entered. Beneath the Search textbox, the Policy Definitions tab is selected and the Audit unrestricted network access to storage accounts is selected from the list of search results.\">On the Create blueprint screen, on the Artifacts tab the + Add artifact link is selected beneath the Subscription. In the Add artifact blade, the artifact type of Policy assignment is selected. In the Search textbox, unrestricted is entered. Beneath the Search textbox, the Policy Definitions tab is selected and the Audit unrestricted network access to storage accounts is selected from the list of search results. <strong>Note<\/strong>: If the above definition is not available, select one of your own choosing.<\/li><li>Select&nbsp;<strong>Add<\/strong>.<\/li><li>Select&nbsp;<strong>Save Draft<\/strong>. It may take a few minutes. 
The blade will automatically change when the save operation finishes.<\/li><li>For the new blueprint, select the ellipses, then select&nbsp;<strong>Publish blueprint<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image114.png\" alt=\"The ellipses menu is expanded for the gdprblueprint blueprint item with the Publish blueprint menu item highlighted.\">The ellipses menu is expanded for the gdprblueprint blueprint item with the Publish blueprint menu item highlighted.<\/li><li>Select&nbsp;<strong>Publish<\/strong>.<\/li><li>For the version, type&nbsp;<strong>1.0.0<\/strong>.<\/li><li>For the new blueprint, select the ellipses, then select&nbsp;<strong>Assign Blueprint<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image114.png\" alt=\"Screen shot showing the Assign blueprint dialog.\">Screen shot showing the Assign blueprint dialog.<\/li><li>Review the page, then choose&nbsp;<strong>Assign<\/strong>. 
This policy will now be audited across all your storage accounts in the specific subscription.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-secure-score\">Task 3: Secure Score<\/h3>\n\n\n\n<ol type=\"1\"><li>In the Azure Portal, select&nbsp;<strong>All Services<\/strong>, then type&nbsp;<strong>Security<\/strong>, then select&nbsp;<strong>Security Center<\/strong>.<\/li><li>In the Security Center blade, under&nbsp;<strong>POLICY &amp; COMPLIANCE<\/strong>, select&nbsp;<strong>Secure score<\/strong>.<\/li><li>Review your overall secure score values and then notice the category values.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image115.png\" alt=\"Screen shot showing Secure score blade and the score and categories highlighted.\">Screen shot showing Secure score blade and the score and categories highlighted.<\/li><li>On the bottom half of the window, select your subscription; you will be presented with the items that have failed resource validation, sorted by the score value assigned to each recommendation item.<\/li><li>Select&nbsp;<strong>An Azure Active Directory administrator should be provisioned for SQL Servers<\/strong>. On the recommendation blade, you will be presented with information about how to remediate the recommendation and gain its impact value for your score.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image116.png\" alt=\"Screen shot with the Provision an Azure AD Administrator for SQL Server highlighted.\">Screen shot with the Provision an Azure AD Administrator for SQL Server highlighted.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-4-use-compliance-manager-for-azure\">Task 4: Use 
Compliance Manager for Azure<\/h3>\n\n\n\n<blockquote class=\"wp-block-quote\"><p><strong>Note<\/strong>: You may need additional permissions to run this portion of the lab. Contact your Global Administrator.<\/p><\/blockquote>\n\n\n\n<ol type=\"1\"><li>In a browser, go to the Service Trust\/Compliance Manager portal (<a href=\"https:\/\/servicetrust.microsoft.com\/\">https:\/\/servicetrust.microsoft.com<\/a>).<\/li><li>In the top corner, select&nbsp;<strong>Sign in<\/strong>; you will be redirected to the Azure AD login page.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image89.png\" alt=\"Sign in is highlighted at the top of the Service Trust\/Compliance Manager portal.\">Sign in is highlighted at the top of the Service Trust\/Compliance Manager portal.<\/li><li>If prompted, select or sign in with your Azure AD\\Office 365 credentials.<\/li><li>In the menu, select&nbsp;<strong>Compliance Manager-&gt;Compliance Manager Classic<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image89.1.png\" alt=\"Compliance Manager Classic is highlighted in the menu navigation.\">Compliance Manager Classic is highlighted in the menu navigation.<\/li><li>Select the&nbsp;<strong>+Add Assessment<\/strong>&nbsp;link.<\/li><li>Select&nbsp;<strong>Create a new Group<\/strong>. For the name, type&nbsp;<strong>AzureSecurity<\/strong> and select&nbsp;<strong>Next<\/strong>. Set the&nbsp;<strong>Would you like to copy the data from an existing group<\/strong>&nbsp;toggle to&nbsp;<strong>No<\/strong>, then select&nbsp;<strong>Next<\/strong>.<\/li><li>For the product dropdown, select&nbsp;<strong>Azure<\/strong>.<\/li><li>For the certification dropdown, 
select&nbsp;<strong>GDPR<\/strong>.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image90.png\" alt=\"Add a Standard Assessment dialog with Azure and GDPR selected.\">Add a Standard Assessment dialog with Azure and GDPR selected.<\/li><li>Select&nbsp;<strong>Add to Dashboard.<\/strong>&nbsp;You will now see a new assessment for Azure and GDPR in progress:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image91.png\" alt=\"Azure GDPR assessment status that shows in progress.\">Azure GDPR assessment status that shows in progress.<\/li><li>Select&nbsp;<strong>Azure GDPR<\/strong>.<\/li><li>Review the various controls that you can implement:<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image91.1.png\" alt=\"Several categories of controls are listed on the page.\">Several categories of controls are listed on the page.<\/li><li>On the top menu, choose&nbsp;<strong>Trust Documents<\/strong>, then select&nbsp;<strong>Audit Reports<\/strong>.<\/li><li>Notice the various tabs that you can select from, then select&nbsp;<strong>FedRAMP Reports<\/strong>.<\/li><li>These are all the FedRAMP reports, sorted by date, that have been performed and publicly posted for Azure customer review. 
Select the item displayed and briefly review the document.<img decoding=\"async\" src=\"https:\/\/cloudworkshop.blob.core.windows.net\/azure-security-privacy-compliance\/Hands-on%20lab\/images\/Hands-onlabstep-bystep-Azuresecurityprivacyandcomplianceimages\/media\/image93.png\" alt=\"The FedRAMP Reports report type is highlighted on the Data Protection Standards and Regulatory Compliance Reports page, and Azure - FedRAMP Moderate System Security Plan v3.02 is highlighted at the bottom.\">The FedRAMP Reports report type is highlighted on the Data Protection Standards and Regulatory Compliance Reports page, and Azure &#8211; FedRAMP Moderate System Security Plan v3.02 is highlighted at the bottom.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"after-the-hands-on-lab\">After the hands-on lab<\/h2>\n\n\n\n<p>Duration: 10 minutes<\/p>\n\n\n\n<p>In this exercise, attendees will un-provision any Azure resources that were created in support of the lab.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-1-delete-resource-group\">Task 1: Delete resource group<\/h3>\n\n\n\n<ol type=\"1\"><li>Using the Azure portal, navigate to the Resource group you used throughout this hands-on lab by selecting&nbsp;<strong>Resource groups<\/strong>&nbsp;in the menu.<\/li><li>Search for the name of your resource group, and select it from the list.<\/li><li>Select&nbsp;<strong>Delete<\/strong>&nbsp;in the command bar, and confirm the deletion by re-typing the Resource group name and selecting&nbsp;<strong>Delete<\/strong>.<\/li><li>Don\u2019t forget to delete the Azure Key Vault application you created in Exercise 3, Task 3.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-2-remove-standard-tier-pricing\">Task 2: Remove Standard Tier Pricing<\/h3>\n\n\n\n<ol type=\"1\"><li>Be sure to set your Azure Security Center pricing back to&nbsp;<strong>Free<\/strong>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"task-3-delete-lab-environment-optional\">Task 3: Delete lab 
environment (optional)<\/h3>\n\n\n\n<ol type=\"1\"><li>If you are using a hosted platform, make sure you shut it down or delete it.<\/li><\/ol>\n\n\n\n<p>You should follow all steps provided&nbsp;<em>after<\/em>&nbsp;attending the Hands-on lab.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Baseline on Azure hands-on lab step-by-step Overview Contoso is a multinational corporation, headquartered in the United States that provides insurance solutions worldwide. Its products include accident and health insurance, life insurance, travel, home, and auto coverage. Contoso manages data collection services by sending mobile agents directly to the insured to gather information as part [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/posts\/107"}],"collection":[{"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/comments?post=107"}],"version-history":[{"count":18,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/posts\/107\/revisions"}],"predecessor-version":[{"id":127,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/posts\/107\/revisions\/127"}],"wp:attachment":[{"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/media?parent=107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json\/wp\/v2\/categories?post=107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.activeparc.fr\/index.php\/wp-json
\/wp\/v2\/tags?post=107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}