Azure Policy Guest Configuration – Part 1 – Creating a Custom Policy

I’ve been working quite a bit with custom Azure Policy Guest Configuration lately, and after encountering a few early bumps I’ve become a big fan. Guest Configuration policies are quite flexible, which in essence gives you the ability to bring almost anything you can do in PowerShell and/or DSC into Azure Policy. Very cool!

The first two use cases I’ve worked on were as follows:

  1. Audit base OS hardening compliance for Windows VMs in Azure.
  2. Audit antimalware compliance for Windows VMs in Azure.

Creating the Guest Configuration Package

For part 1 of this post, let’s focus on use case #1. To accomplish this use case, you’ll use the Microsoft Security Configuration Baseline as the base DSC template by converting the GPO provided in the “BaselineManagement” module to PowerShell DSC. This step is described in detail in Microsoft’s “Convert Group Policy into DSC” quickstart documentation.


Azure Monitor Guest OS Metrics and Alerting Explained

The proper way to alert on guest OS metrics for Azure-hosted VMs in Azure Monitor is a topic that comes up repeatedly when our engineers and developers start to configure alerting for their applications. In most cases, Log Analytics is enabled for each subscription (DevOps model), in addition to the base metrics available at the resource level for each VM. There is also the option to enable guest OS diagnostics for extended performance metrics. Without some background on how these capabilities work under the hood, it can be quite confusing to figure out which tool generates which metrics, and which metrics to use when configuring alerts in Azure Monitor Alerts.

Let’s start with the basics:


Schedule an Azure Automation Runbook Using Minutes

I was working with a customer recently and we realized that, when using the “Schedule” functionality, the most granular recurrence interval available is 1 hour. In this particular case, we needed to check service status every 5 minutes and send the data to Log Analytics to alert and trigger a remediation runbook, so 1 hour would not suffice. I had recently spoken with a member of the product group about a custom Log Analytics solution and specifically remembered him saying that his runbook was running every 5 minutes... so I was off to investigate.


Monitor and Recover Stopped Automatic Services with Log Analytics

Update: This can now be accomplished using the Change Tracking and Inventory solution as well (see here).

I was working with a customer recently and one of the asks was to configure Log Analytics to monitor for stopped automatic services on servers throughout the environment. Since I first posted this blog, updates have been made to the Change Tracking and Inventory solution which allow for 1 minute collection intervals, and therefore using Log Analytics becomes an option for a simpler configuration to accomplish this task. The following query can be used for a simple service stopped alert:
