Azure Sentinel PowerShell Module

“Azure Sentinel is a cloud-native SIEM that provides intelligent security analytics for your entire enterprise at cloud scale. Get limitless cloud speed and scale to help focus on what really matters. Easily collect data from all your cloud or on-premises assets, Office 365, Azure resources, and other clouds. Effectively detect threats with built-in machine learning from Microsoft’s security analytics experts. Automate threat response, using built-in orchestration and automation playbooks.” read more

Rules in Azure Sentinel create the basic logic on which Incidents get created. Currently the only way to add, change or delete rules is through the Azure portal. As we’re running a cloud Security Operations Center at Wortell with many customers connected, doing this manually is no option for us.

PowerShell Module

At the moment there is no documented API, ARM or PowerShell module to configure Azure Sentinel. After doing some research we were able to find the API’s that are currently being used by the Azure Portal and based on that we’ve written a PowerShell module to manage Azure Sentinel through PowerShell. Continue reading Azure Sentinel PowerShell Module

Infrastructure as Code – Deploy Azure VNet with dynamic subnets

A frequently asked question about rolling out Azure VNet with different subnets in a infrastructure as code environment is where and how to define the subnets in your Azure ARM template. In the most examples online the number of subnets is configured in the template and the name and addressPrefix is configured in the parameter file. The big disadvantage with this scenario is that when you deploy a VNet with for example two subnets and later you decide to add more subnets you have two choices both of which are uncomfortable for an Infrastructure as code release pipeline. Continue reading Infrastructure as Code – Deploy Azure VNet with dynamic subnets

Move Azure VM with Managed Disk to another Resource Group

At the moment of writing this blog it’s unfortunately not possible to move an Azure VM with Managed disk to another Resource Group or to another Description. However, Microsoft says on the Azure Portal that this will be possible in the near feature. For the time being, I have chosen to write a small PowerShell script that will do the move fully automated for you. At the moment the only way to move an Azure VM with Managed Disk to another resource group is redeploying the VM. To achieve this you need to perform the following steps (some from the portal and some from PowerShell) manually:

  1. Shutdown VM
  2. Collect the required information like Networking, VM size, Storage etc.
  3. Create a Snapshot
  4. Create or use an existing Azure Storage Account to copy the Snapshot to
  5. Remove the VM
  6. Create a new Azure VM in the new Resource Group with the collected information and Snapshot disk from the Azure Blob
  7. The Azure VM will start automatically, check if the VM functions as it should and remove the Snapshot and Azure Storage Account.

As you can see there are about 7 steps needed to move an Azure VM with a Managed Disk. The script that I have written will do all the steps automatically with only 3 variables that you need to define while running the script. Continue reading Move Azure VM with Managed Disk to another Resource Group

Install KMS Host License Pack for Office 2010 on Windows Server 2016

Currently when you try to install the KMS Host License Pack for Office 2010 on a Windows Server 2016 or Windows 10 you receive the following error message:

The cause of this problem relies in the VBS script that is being triggered at the end of the installation. In order to install the KMS Pack on newer operating systems than Windows server 2008R2 you need to perform the following steps:

  1.  Run KeyManagementServiceHost_en-us.exe until the error message appears. Don’t click OK.
  2. Go to the folder “C:\Program Files (x86)\MSECache\OfficeKMS” and copy the folder to somewhere like (C:\Temp\OfficeKMS)
  3. Click OK on the error message and press ENTER to close the program.
  4. Open the folder with the copy (C:\Temp\OfficeKMS) and edit the file kms_host.vbs:
    1. Search for the line 
      If (Ver(0) = "6" And Ver(1) >= "2") Or (Ver(0) >= "7") Then  
    2. And replace it with the line below, this line just says that Windows Server 2016 and Windows 10 (both having version number 10) are also supported:
      If (Ver(0) = "6" And Ver(1) >= "2") Or (Ver(0) >= "7") Or (Ver(0) = "10") Then
    3. Start Command prompt with administrative permissions, run the command below and follow the wizard.
      cd C:\Temp\OfficeKMS cscript.exe kms_host.vbs 
Greetings, Pouyan