Greetings, welcome to the second demo for our course on Azure security and compliance. This demo will be pretty short, we're just going to review the "three lines of defense" for detecting drift in an Azure cloud environment. We'll be showing off the Azure Resource Manager portal, the activity log, and how to enable the track changes feature. So let's dive right in.

First of all, we'll start off in our portal, and we'll go to the Resource Groups section. Now, in our test account here we only have a few small groups, in two geographic regions here, US east one and two. To see our config, we'll just click on our group that's interesting to us. So for us let's try "TestGroup1." And right away we can get a lay of the land, we can see in the menu that there is an overview here which is where we start. We have a number of additional things like access control, and the activity log up here, which we'll come back to. As we mentioned in the lesson one of this section, one of the key things in the Resource Manager, in ARM is the concept of deployment templates.

So let's take a quick look at that. We can just click on "deployments" actually. Then select the one that we care about, it will take a second to load. Okay, so once those are loaded, we can see our deployments. And we can select any of the ones we care about. There's not a lot of deployments here 'cause we've just done a few basic VM's, but if we click on any one at random, we can see, for example, this one, creation of a server. And if we go into this server creation, cool thing is we can actually click on the template and we get this big JSON file that describes everything about the deployment, about the resource. So this is human readable and parseable, which is pretty cool. So it's very easy to manage this kind of thing in version control if you wanted to. They have an infrastructure's code paradigm. In the web portal, we get nice time stamps and status reports on every deployment, and we can check the parameters as well, and scripts. Really it's a great first source of truth for identifying drift. So we'll go back to our resource group.

And now, we're gonna take a look at the activity log. Now, the activity log we can also get from the Resource Group menu. The log will just give us information about Azure environment events detectable by the API. So this is an important thing to note. If you SSH to a server and edit a file or do some other more surgical operation, it won't necessarily be reflected here unless you have detailed change tracking enabled which we will talk about. But keep that in mind.

The activity log is for things recognizable by the Azure API. And it's still very easy as a high level source of truth to parse when it comes to resources. So we can see a few events here. One of the nice things is that we can change the timeframe, this is really only the last six hours. So we can change it to the last week, and we can see how much broader range of options here, of output, right? And we can also add additional filters here aside from time span. So, this is another really easy way to catch drift, by going through and parsing this log. Okay, so now the last thing we're gonna do is we're going to show off the track changes feature. And this is not difficult to do but there are a few prerequisites.

Now, first of all, one thing you need is you have to enable an Azure Automation account, which is not enabled by default. So, you just go to that item in your portal, and you'll have to enable it, you have to select it. And you can enable it even with a free tier account. If that is done, if you have an Azure Automation account, here you see there's two. Then, all you need is a Log Analytics work space. To define that, you can see the item here in Azure services or you can search for it. You can literally just type Azure log analytics, or just log analytics and it'll just pop up, if you can't find it. And then you need to define a workspace, and when you create new, you'll have to give it a name and a location. Now, the location is actually really important. One note here is that the regions do not have a one to one mapping, the Log Analytics workspace and your Automation account. So for example, if your Log Analytics account is in US region east one, US east one, you'll actually need an Azure Automation account in east two. So, that mapping is a little bit annoying, we'll give you a link to the documentation to see those mappings.

But anyway, as far as enabling it, you go into your Automation account, this is one basic account. This account does not have change tracking enabled, but to actually enable it, basically we just go in to our Automation account, and we click on the change tracking here, and we will pick the workspace we care about.

The Automation account has a lot of different features. I'm gonna actually go to an account that has it enabled. I could actually do a whole lesson on just Azure Automation account because honestly as a DevOps guy it's really a dream tool set, all of the stuff they have here. But this is a security-focused class so we'll focus in on that. Once you have change tracking here enabled, you'll see here that you have a few different options here.

So, we have options for files, for daemons, for events, registry, software window services. There's no changes in this account because it's a pretty empty account, but the cool thing is you can do diffs by clicking on individual things here. And I think from here it's fairly intuitive, but this is our final point for this demo. That about does it. Resource Manager, activity log, and change tracking. Three ways to preempt and stop drift in your environment. All pretty easy to see in the web, and easy to work with at the API level. So, hopefully this is helpful. Cheers.

Useful Links

https://azure.microsoft.com/da-dk/blog/tracking-configuration-changes-for-your-azure-vm/

https://azure.microsoft.com/en-us/updates/azure-stack-security-drift-detection/

https://www.auditwolf.com/blog/configuration-drift

Lectures

Course Introduction - Compliance & Security Scanning - Security Center Demo - Preventing Drift - Desired State Configuration (DSC) - Azure Desired State Configuration Demo - Azure Automation State Configuration - VM Agents & Extensions - VM Agents & Extensions Demo - Security & Compliance Pipelines - Azure Pipelines & Gates Demo - Course Summary