Azure / Microsoft-Defender-for-Cloud

Welcome to the Microsoft Defender for Cloud community repository
https://azure.microsoft.com/en-us/services/security-center/
MIT License

qualys-remediate-unhealthy-vms.ps1 not working #267

Closed hassanbsee2071 closed 3 years ago

hassanbsee2071 commented 3 years ago

I am running the qualys-remediate-unhealthy-vms.ps1 script but I am facing the issue below. It would be great if you can help us.

```text
Headers    : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-failure-cause, System.String[]], [x-ms-request-id, System.String[]]…}
Version    : 1.1
StatusCode : 400
Method     : GET
Content    : {"error":{"code":"NoRegisteredProviderFound","message":"No registered resource provider found for location 'westeurope' and API version '2019-12-01' for type 'machines'. The supported api-versions are '2019-03-18-preview, 2019-08-02-preview, 2019-12-12, 2020-03-11-preview, 2020-07-30-preview, 2020-08-02, 2020-08-15-preview'. The supported locations are 'westcentralus, westus2, westeurope, southeastasia, eastus, australiaeast, southcentralus, eastus2, northeurope, uksouth'."}}
```

liorarviv commented 3 years ago

Hi @hassanbsee2071 - do you have unhealthy Azure Arc machines on the recommendation or just regular Azure VMs?

hassanbsee2071 commented 3 years ago

Hi, we have only unhealthy Azure Arc VMs.


liorarviv commented 3 years ago

Thanks for the feedback. The current version does not support Azure Arc connected machines. I modified the script to include such support and now testing it. Will upload a new version by the end of tomorrow.

hassanbsee2071 commented 3 years ago

Thanks for the update. Actually I am from Telenor group and we have deployed all our infra on AWS and are integrating with Azure Arc. I am writing a script to enable the Log Analytics extension. I think it is not working properly. It would be great if you can check my script to see if there is a problem with the script or with Azure. Theoretically and practically the script should work fine, and it works fine some of the time, but I am unable to identify the exact problem. Can you help me with this?


liorarviv commented 3 years ago

@hassanbsee2071 I created a different issue for that matter. Can you please paste your script there?

hassanbsee2071 commented 3 years ago

Yes, Sure,

Please find the script below. I have executed the script now and one VM was successfully added. Comments are added in the script.

```powershell
# Log Analytics workspace the agent should report to (values redacted)
$Setting          = @{ "workspaceId"  = "XXXXXXXXXXXXXXXXXXXXXXX" }
$protectedSetting = @{ "workspaceKey" = "XXXXXXXXXXXXXXXXXXXXXXX" }

# Unhealthy "Log Analytics agent should be installed" assessments for Arc machines.
# The parentheses keep the 'or' from escaping the type filter (KQL binds 'and' tighter than 'or').
$query = @"
securityresources
| where type == "microsoft.security/assessments"
    and (name == "27ac71b1-75c5-41c2-adc2-858f5db45b08" or name == "720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1")
| extend resourceId = properties.resourceDetails.Id
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = tostring(split(resourceId, "/")[4])
| extend status = properties.status.code
| extend recommendationName = properties.displayName
| where status == "Unhealthy"
| project subscriptionId, recommendationName, resourceName, resourceGroup, status, resourceId, name
"@

$vms = Search-AzGraph -Query $query
Write-Host "`n"
Write-Host "Following VMs have been identified for Log Analytics Extension"
$vms.resourceName
Write-Host "`n"

foreach ($vm in $vms) {
    $vmName = $vm.resourceName
    $resgrp = $vm.resourceGroup
    # 27ac71b1-... is the Windows assessment, the other id is treated as Linux
    if ($vm.name -match '27ac71b1-75c5-41c2-adc2-858f5db45b08') {
        Write-Host "This is Windows Platform $vmName" -ForegroundColor Green
        Write-Host "Adding Log Analytics Extension to VM $vmName. It will take eight minutes per vm:-)" -ForegroundColor Green
        New-AzConnectedMachineExtension -Name MMAExtension -ResourceGroupName $resgrp -MachineName $vmName `
            -Location "West Europe" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -TypeHandlerVersion "1.0" `
            -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "MicrosoftMonitoringAgent"
        Write-Host "`n"
        Get-AzConnectedMachineExtension -ResourceGroupName $resgrp -MachineName $vmName
    }
    else {
        Write-Host "This is Linux Platform $vmName" -ForegroundColor Green
        Write-Host "Adding Log Analytics Extension to VM $vmName. It will take eight minutes per vm:-)" -ForegroundColor Green
        Write-Host "$resgrp" -ForegroundColor Green
        New-AzConnectedMachineExtension -Name MMAExtension -ResourceGroupName $resgrp -MachineName $vmName `
            -Location "West Europe" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -TypeHandlerVersion "1.13" `
            -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "OmsAgentforLinux"
        Write-Host "`n"
        Get-AzConnectedMachineExtension -ResourceGroupName $resgrp -MachineName $vmName
    }
}
```


hassanbsee2071 commented 3 years ago

Hi,

I think I have identified the issue. Once VMs are connected with the Azure Arc agent, wait approximately one hour for the recommendation to refresh, and similarly once they are disconnected we should wait for one hour to get updated recommendations. Previously I tried immediately. It would be great if you could take a look.


hassanbsee2071 commented 3 years ago

Sorry I think I have posted on the wrong topic.

Just two questions. The Qualys script below works for Azure Arc also. (1) When I execute the query it shows Azure Arc VMs. Did you mean it does not remediate vulnerability assessment for Azure Arc VMs, and the VMs are just shown in the query only? I just skipped the condition which checks whether the VM is running or not. And (2) can we do that with policy?

```powershell
#Requires -Modules Az.Accounts, Az.ResourceGraph

if (-not (Get-AzContext)) {
    Write-Host "Please authenticate to Azure using 'Connect-AzAccount'"
    return   # nothing below can succeed without an Azure context
}

# Unhealthy "vulnerability assessment solution should be enabled" assessments
$query = @"
securityresources
| where type == 'microsoft.security/assessments' and name == 'ffff0522-1e88-47fc-8382-2a80ba848f5d'
| extend status = properties.status.code, resourceid = properties.resourceDetails.Id
| where status == 'Unhealthy'
| project resourceid
"@

$vms = Search-AzGraph -Query $query
foreach ($vm in $vms) {
    $vmName = ($vm.resourceid -split '\/')[-1]
    Write-Host "Working on $vmName" -ForegroundColor Green

    # Enable the built-in assessment directly on the assessed resource id
    $res = Invoke-AzRestMethod -Path ('{0}/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview' -f $vm.resourceid) -Method PUT
    if ($res.StatusCode -notmatch '200|202') {
        Write-Host ($res.Content | ConvertFrom-Json).Error.message -ForegroundColor Red
    }
    else {
        Write-Host "Working on $vmName is Complete" -ForegroundColor Green
    }
}
```

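As an added example (not part of this thread or of the repository's script), a helper that picks the ARM API per resource type, which is what the NoRegisteredProviderFound error at the top of the issue comes down to, and restores the "is the machine running" check that was skipped above in a form that works for Arc machines as well. Assumed here: Arc machines expose `properties.status` with the value `Connected`, Compute VMs expose an `instanceView` whose statuses include `PowerState/running`; the api-versions 2019-12-01 and 2020-08-02 are taken from the error text.

```powershell
#Requires -Modules Az.Accounts
# Added example, not the repository's script. A Compute api-version (2019-12-01) is
# rejected for Microsoft.HybridCompute/machines, so the call must be chosen by type.
function Test-MachineReady {
    param([Parameter(Mandatory)][string]$ResourceId)

    # Parse namespace/type/name from the id instead of fixed split() indexes,
    # which differ between resource types.
    if ($ResourceId -match '/providers/(?<ns>[^/]+)/(?<type>[^/]+)/(?<name>[^/]+)$') {
        $kind = '{0}/{1}' -f $Matches.ns, $Matches.type
        $name = $Matches.name
    } else {
        throw "Unrecognised resource id: $ResourceId"
    }

    switch ($kind) {   # switch compares case-insensitively, matching ARM id casing
        'Microsoft.Compute/virtualMachines' {
            # Assumption: instanceView statuses carry a PowerState/* code
            $path = '{0}/instanceView?api-version=2019-12-01' -f $ResourceId
            $res  = Invoke-AzRestMethod -Method GET -Path $path
            if ($res.StatusCode -ne 200) { Write-Warning "$name : HTTP $($res.StatusCode)"; return $false }
            $statuses = ($res.Content | ConvertFrom-Json).statuses
            return [bool]($statuses | Where-Object { $_.code -eq 'PowerState/running' })
        }
        'Microsoft.HybridCompute/machines' {
            # Assumption: an Arc machine reports properties.status = Connected when its agent is up.
            # 2020-08-02 is one of the supported versions listed in the error above.
            $path = '{0}?api-version=2020-08-02' -f $ResourceId
            $res  = Invoke-AzRestMethod -Method GET -Path $path
            if ($res.StatusCode -ne 200) { Write-Warning "$name : HTTP $($res.StatusCode)"; return $false }
            return (($res.Content | ConvertFrom-Json).properties.status -eq 'Connected')
        }
        default {
            Write-Warning "$name ($kind) is neither a VM nor an Arc machine; skipping"
            return $false
        }
    }
}

# Same PUT as the repository script, but the provider error code is shown next to the
# message so a wrong api-version (NoRegisteredProviderFound) is distinguishable from a
# transient failure.
function Enable-VulnerabilityAssessment {
    param([Parameter(Mandatory)][string]$ResourceId)
    $path = '{0}/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview' -f $ResourceId
    $res  = Invoke-AzRestMethod -Method PUT -Path $path
    if ($res.StatusCode -notmatch '200|202') {
        $err = ($res.Content | ConvertFrom-Json).error
        Write-Host ('{0}: {1}' -f $err.code, $err.message) -ForegroundColor Red
        return $false
    }
    return $true
}
```

Call `Test-MachineReady` on each `resourceid` returned by the Resource Graph query above and `Enable-VulnerabilityAssessment` only when it returns `$true`.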

liorarviv commented 3 years ago

Hi @hassanbsee2071 - Please try the latest version of the remediation script (https://github.com/Azure/Azure-Security-Center/tree/master/Remediation%20scripts/Enable%20the%20built-in%20vulnerability%20assessment%20solution%20on%20virtual%20machines%20(powered%20by%20Qualys)/PowerShell), which now supports Azure Arc enabled servers. Let me know if it works for you. 🙏

hassanbsee2071 commented 3 years ago

Hi,

Thank you very much. Tomorrow we will do mass deployment and will surely use this script and let you know. Thank you once again.


hassanbsee2071 commented 3 years ago

Hi,

I have used the latest version for 25 Azure Arc VMs. The script works perfectly. It is perfect. Amazing work. Thank You.


liorarviv commented 3 years ago

Glad to hear! Thanks for the update @hassanbsee2071. I will go ahead and close this item.