cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Azure Sentinel and Azure Arc
By
CliveWatson
Published Nov 11 2019 03:03 AM 7,799 Views
CliveWatson
Microsoft
‎Nov 11 2019 03:03 AM

Azure Sentinel and Azure Arc

‎Nov 11 2019 03:03 AM

Azure Arc was announced very recently https://azure.microsoft.com/en-gb/updates/azure-arc-for-servers-in-public-preview/ and https://azure.microsoft.com/en-gb/updates/azure-arc-for-servers-in-public-preview/

What is Azure Arc - this is the high-level summary:
Azure Arc extends Azure Resource Manager capabilities to Linux and Windows servers, as well as Kubernetes clusters on any infrastructure across on-premises, multi-cloud, and edge. With Azure Arc, customers can also run Azure data services anywhere, realizing the benefits of cloud innovation, including always up-to-date data capabilities, deployment in seconds (rather than hours), and dynamic scalability on any infrastructure. Azure Arc for servers is currently in public preview.

“Azure Arc for servers allows you to manage machines which are outside of Azure. When a non-Azure machine is connected to Azure, it becomes a Connected Machine and is treated as a resource in Azure. Each Connected Machine has a Resource ID, is managed as part of a Resource Group inside a subscription, and benefits from standard Azure constructs such as Azure Policy and tagging.”

 

This means you see servers in your Azure portal (thanks to Julius Davies for adding these two for me!).  These are two on-premises machines, in the Microsoft reading Campus (UK).

 

clipboard_image_1.png

 

You can see the same info in tools like Azure Resource Graph and the Sentinel Logs.  Azure Arc machines can be identified as they have a unique ResourceProvider value of   

“Microsoft.HybridCompute”.  This can help us detect these types of machines in the future. As this is a platform level feature we can use this in workbooks as I will show soon, but also in Incident or Hunting scenarios, you have access to the api or Logs (you do need the MMA for Logs).  Let me show you two ways of seeing these servers, outside of the Azure Arc portal:

 

Azure Resource Graph - example query:

 

 resources

|  where type == "microsoft.hybridcompute/machines"

 

clipboard_image_2.png

 

Azure Sentinel Logs - example query:

 

Heartbeat

| where ResourceProvider in ("Microsoft.Compute","Microsoft.HybridCompute")

| distinct Computer, ResourceProvider

| summarize count() by ResourceProvider, Computer

 

You might like to show this as a Pie Chart, and see how your usage of Arc grows over time?

 

clipboard_image_3.png

 

The workbook explained:

 

1. Download the workbook from here:  https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SecurityStatus.json

2. See here for import instructions: https://techcommunity.microsoft.com/t5/Azure-Sentinel/How-to-use-Azure-Sentinel-to-follow-a-Users-tr...

 

 

I have created some options for you to select;  Subscriptions, Workspaces, Time and a Computer.  This will also work with Azure Lighthouse so works for an MSSP or if you have multiple Azure Directories in your organisation.

 

clipboard_image_4.png

 

 

So let’s now choose a Computer:

 

We see this report.

 

clipboard_image_5.png

For this I’m using a Azure Resource Graph Query, looking at the “securityresources” information - see lines 1 & 2 below.  More resources can be found here: https://docs.microsoft.com/en-us/azure/governance/resource-graph/concepts/explore-resources

 

securityresources

| where type == "microsoft.security/securitystatuses"

| where name =~ '{Computer}'

| extend p=array_length(properties.resourceDetails) 

| mvexpand prop=properties.resourceDetails

| parse id with *"/providers/" res "/machines/" *

| extend type = iif (res == "microsoft.hybridcompute", "HybridCompute-Arc","AzureCompute") 

| project ComputerName = name, Resource= prop.name, Status = prop.value, type

 

This works by looking at securityresources, then getting the computer name from our drop down (line #3), I then get some of the property fields (you may need more/less). I also parse the ResourceID column to get the Resource Provider Name, if its “microsoft.hybridcompute” then I display that its Azure Arc in the type column, else it must be AzureCompute

 

If we swap the drop-down to a computer that is managed by Azure Arc we see

 

clipboard_image_6.png

 

Now, you will see the “type” column detects it, but there isn’t yet a lot of other information about this Azure Arc machine, hopefully this will improve in time.  However in my case, this machine is also in Azure Security Center so in my 1st  Chart of the workbook you see, its ASC Security Event status:

 

clipboard_image_7.png

Note: there are a 2nd and 3rd Chart area for CEF and Syslog (not shown, but you can open the workbook to see them).  I also check and provide a map if the computer chosen has any MaliciousIP data (see previous posts for that).

 

 

Azure Arc area:

 

I also created a dedicated area in the workbook for Azure Arc.  This is a display area where I show any Azure Arc machines (using ARG); using the basic query of:

 

 resources

|  where type == "microsoft.hybridcompute/machines"

 

 

 

clipboard_image_8.png

You can update this query a bit yourself (edit the workbook), maybe to this:

 

 resources

| where type == "microsoft.hybridcompute/machines"

| extend p=array_length(properties.provisioningState) 

| mvexpand prop=properties.provisioningState

| project id, ComputerName = name, Resource= prop.name, Status = properties.status, State=prop, location, resourceGroup, type

clipboard_image_9.png

 

 

 

7 Comments
Gary Bushey
Bronze Contributor
‎May 01 2020 06:39 AM
‎May 01 2020 06:39 AM

Just came across this while researching Azure Arc.   Would we be able to use Azure Arc to push the Microsoft Management Agents to all the servers?

0 Likes
Like
CliveWatson
Microsoft
‎May 01 2020 06:53 AM
‎May 01 2020 06:53 AM

It's sort of the other way, Arc uses the same Agent so it could already be on the machine for Arc to use https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview 

To deliver this experience with your hybrid machines hosted outside of Azure, the Azure Connected Machine agent needs to be installed on each machine that you plan on connecting to Azure. This agent does not deliver any other functionality, and it doesn't replace the Azure Log Analytics agent. The Log Analytics agent for Windows and Linux is required when you want to proactively monitor the OS and workloads running on the machine, manage it using Automation runbooks or solutions like Update Management, or use other Azure services like Azure Security Center.

 

https://docs.microsoft.com/en-us/azure/azure-arc/servers/overview#connected-machine-agent

0 Likes
Like
Gary Bushey
Bronze Contributor
‎May 01 2020 06:57 AM
‎May 01 2020 06:57 AM

Thanks for the answer.

 

If I am reading the second paragraph correctly it sounds like you would need BOTH the Azure Connected Machine agent AND the Log Analytics agent if you want to get all the information.  Hopefully those will be combined at some point to make life easier.

0 Likes
Like
CliveWatson
Microsoft
‎May 01 2020 07:02 AM
‎May 01 2020 07:02 AM

I am not aware of any plans like that, so wont comment.  However you only need the connected agent for Arc, but can also use the MMA "when you want to proactively monitor the OS and workloads running on the machine,"

0 Likes
Like
Gary Bushey
Bronze Contributor
‎May 01 2020 07:07 AM
‎May 01 2020 07:07 AM

OK.  Thanks again.

0 Likes
Like
Jian (Jane) Yan
Microsoft
‎May 14 2020 07:26 PM
‎May 14 2020 07:26 PM

The Azure Arc agent is going to release an update in the next week or so, which will support extension deployment through Azure Arc, which means user would be able to use Policy or ARM template to deploy MMA extensions to the Arc machines.

0 Likes
Like
LauraNicolas
Microsoft
‎Jun 27 2020 01:19 AM
‎Jun 27 2020 01:19 AM

Hi @Gary Bushey I just created a post explaining how you could use Azure Arc to push the MMA agent to all VMs/servers using Azure Policies and remediation tasks: https://techcommunity.microsoft.com/t5/azure-sentinel/automating-the-onboarding-on-premises-aws-and-... 

 

It uses the extension management feature that @Jian (Jane) Yan mentioned. You can also take a look at the automation we have for this scenario as part of the Azure Arc jumpstart repo: https://github.com/likamrat/azure_arc/blob/master/azure_arc_servers_jumpstart/docs/arc_policies_mma.... Hope it helps!

Version history
Last update:
‎Nov 02 2021 05:43 PM
Updated by: