Azure Sentinel News
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
  • Home
    • Home – Layout 1
    • Home – Layout 2
    • Home – Layout 3
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence
No Result
View All Result
Azure Sentinel News
No Result
View All Result
Home Security Operations

Monitoring Windows Virtual Desktop environments (Fall 2019 release) with Azure Sentine

Azure Sentinel News Editor by Azure Sentinel News Editor
December 4, 2020
in Security Operations
0
Vectra AI and Microsoft partner on security integration
3.1kViews
417 Shares Share on Facebook Share on Twitter

Due to the COVID-19 health crisis, there has been an exponential increase in employees working from home and this has led to new challenges in the security monitoring space for SOC teams. We covered in two previous Tech Community articles how to monitor popular collaboration software – Teams and Zoom – using Azure Sentinel.

As part of this shift to remote work, some organizations have had to make rapid and sweeping changes to their endpoints. Windows Virtual Desktop (WVD) has enabled our customers to quickly provision Windows 10 virtual desktops to enable people who have traditionally not been remote workers to access a virtualized work desktop from home, and thus has enabled businesses to keep functioning. However, these new endpoints also need to be monitored to maintain an organization’s security posture and so in this blog, we will explore how you can use Azure Sentinel to monitor your WVD environment.

Overview of telemetry available in WVD

You can collect several types of telemetry signals from a WVD environment that can be ingested into Azure Sentinel for security monitoring:

  • Windows event logs.
  • Microsoft Defender Advanced Threat Protection (MDATP) alerts.
  • Logs from the WVD PaaS service itself (aka. WVD diagnostics).

Below is a summary of how WVD logs are ingested into Log Analytics.

WVD.PNG

WVD diagnostic logs being ingested to Sentinel via Log Analytics. Diagram by @Yoshiaki Oi.

Windows event logs

Windows event logs from the WVD environment are ingested into Azure Sentinel in the same manner as Windows event logs from other Windows machines outside of the WVD environment, so we won’t be covering this in detail in the blog post. In brief, you will need to install the Log Analytics agent (previously known as the OMS agent or the MMA agent) onto your Windows machine and configure the Windows event logs to be sent to the Log Analytics workspace. Click here for further information about how to install the Log Analytics agent; and for more information about how to configure Windows event logs to be forwarded to a Log Analytics workspace, click here.

MDATP alerts

Like Windows event logs, to configure MDATP for WVD you would follow the same onboarding procedure as you would with any other Windows endpoint. There is a detailed walkthrough on how to onboard endpoints to MDATP here. For further information about how to send MDATP alerts to Azure Sentinel using the product’s pre-wired connectors, click here.

WVD diagnostics

WVD diagnostics is a feature of the WVD PaaS service that logs information whenever someone assigned Windows Virtual Desktop role uses the service. Each log contains information about which Windows Virtual Desktop role was involved in the activity, any error messages that appear during the session, tenant information, and user information. The diagnostics feature creates activity logs for both user and administrative actions. For more information about WVD diagnostic logs for the Fall 2019 release of WVD, click here.

Ingesting WVD diagnostic logs into Azure Sentinel

Before you start

We need to configure WVD to send diagnostics to a Log Analytics workspace. If you have multiple Log Analytics workspaces in your environment, you will need decide which one you are going to send WVD diagnostic logs to.

NOTE: Different WVD tenants can be configured to send their diagnostics to different workspaces, so if you have multiple WVD tenants and Log Analytics workspaces within your environment – e.g. workspaces in different Azure regions for data sovereignty – this posture can be maintained.

Obtain your chosen Log Analytics workspace ID and the primary key; you will need this later in our setup. If you have never obtained your Log Analytics workspace ID and primary key before, details about how to get this workspace information can be found here.

Pushing WVD diagnostics to the Log Analytics workspace

If you’ve already created your WVD tenant, run the following PowerShell command to link the WVD tenant to your chosen Log Analytics workspace:

Set-RdsTenant -Name <TenantName> -AzureSubscriptionId <SubscriptionID> -LogAnalyticsWorkspaceId <String> -LogAnalyticsPrimaryKey <String>

f you’re creating a new WVD tenant, you can link it to your chosen Log Analytics workspace by running the following cmdlet to sign in to Windows Virtual Desktop with your TenantCreator user account:

Set-RdsTenant -Name <TenantName> -AzureSubscriptionId <SubscriptionID> -LogAnalyticsWorkspaceId <String> -LogAnalyticsPrimaryKey <String>

NOTE: As per the note above, you will need to complete one of the following operations for every WVD tenant individually to link it to a Log Analytics workspace.

Using WVD diagnostics in Azure Sentinel

WVD diagnostic logs are stored in tables called WVDActivityV1_CL, WVDErrorV1_CL and WVDCheckpointV1_CL.

Example queries of WVD diagnostic logs

This section will give you some examples of the kind of queries you could run for your WVD environment. These queries can be turned into either analytics rules or hunting queries (covered later in this blog post).

This first example shows connection activities initiated by users with supported remote desktop clients:

WVDActivityV1_CL 
| where Type_s == "Connection" 
| join kind=leftouter ( 
    WVDErrorV1_CL 
    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g   
| join  kind=leftouter (  
    WVDCheckpointV1_CL 
    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g  
|project-away ActivityId_g, ActivityId_g1 

This next example query shows management activities by admins on tenants:

WVDActivityV1_CL 
| where Type_s == "Management" 
| join kind=leftouter ( 
    WVDErrorV1_CL 
    | summarize Errors = makelist(pack('Time', Time_t, 'Code', ErrorCode_s , 'CodeSymbolic', ErrorCodeSymbolic_s, 'Message', ErrorMessage_s, 'ReportedBy', ReportedBy_s , 'Internal', ErrorInternal_s )) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g   
| join  kind=leftouter (  
    WVDCheckpointV1_CL 
    | summarize Checkpoints = makelist(pack('Time', Time_t, 'ReportedBy', ReportedBy_s, 'Name', Name_s, 'Parameters', Parameters_s) ) by ActivityId_g 
    ) on $left.Id_g  == $right.ActivityId_g  
|project-away ActivityId_g, ActivityId_g1

Querying Azure AD for the number of WVD sign ins per user:

SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName contains "Windows Virtual Desktop"  
| summarize count() by Identity
| sort by count_ desc  

Other useful queries in a WVD environment

This next set of queries lean towards the more operational side of WVD, but can be useful for exploring platform behavior and can be tuned to your specific environment. These queries could also be used to create Workbooks for monitoring your WVD environment.

Count of Host pools

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by Details_SessionHostName_s

Unique users

WVDActivityV1_CL 
| summarize Sessions=dcount(UserName_s)

Session error

“User Profile Disk setup failed for”

Host pool usage

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by Details_SessionHostName_s

Usage over time

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by UserName_s, Host=Details_SessionHostName_s

Usage by user

WVDActivityV1_CL 
| where ActivityType_s == "Connection"  and Status_d == '1' | distinct StartTime_t, EndTime_t, UserName_s, Details_SessionHostName_s, Details_SessionHostPoolName_s | extend Seconds = datetime_diff('second', EndTime_t, StartTime_t) | extend Hours = Seconds / 3600.00 | summarize sum(Hours) by UserName_s

CPU by VM

Perf 
| where ObjectName == "Processor" and InstanceName == "_Total" | summarize AvgCPU = avg(CounterValue) by Computer, bin(TimeGenerated, 1h)

Memory usage in the last 24 hours

“% Committed Bytes In Use”

WVD disk space

Perf | where ObjectName == "LogicalDisk" and CounterName == "% Free Space" | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 1h)

Example detections for WVD environments

Access attempts to Windows Virtual Desktop by an unauthorized user, bad password, incorrect MFA or from a user account that does not exist.

let timeRange=ago(7d);
  SigninLogs
  | where TimeGenerated >= timeRange
  | where AppDisplayName contains "Windows Virtual Desktop"
  | where ResultType in ( "50126" , "50020", "50034", "50074", "50076", "50131")
  | extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
  | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
  | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress), 
  makeset(OS), makeset(Browser), makeset(City), AttemptCount = count() 
  by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName
  | sort by AttemptCount

User trying to log on to multiple host pools (more than the defined threshold of pools a user is expected to be a part of) within a one hour period.

let timeRange=ago(1h);
let Threshold = 5;
let Userlogintomultihostpool =
WVDActivityV1_CL
| where TimeGenerated >= timeRange 
| where Type_s == "Connection" 
| summarize dcount(SessionHostPoolName_s)  by UserName_s 
| where dcount_SessionHostPoolName_s  > Threshold
| project UserName_s ;
WVDActivityV1_CL
| where TimeGenerated >= timeRange 
| where Type_s == "Connection" 
| where UserName_s in (Userlogintomultihostpool)
| project SessionHostPoolName_s, UserName_s , ClientIPAddress_s , ClientType_s , TenantId_s , TimeGenerated , Id_g , Type_s , SessionHostIPAddress_s , SessionHostName_s , Outcome_s
| sort by UserName_s asc

Azure Audit Logs provide a wealth of information on the operations on your Azure resources. This query will help you look at some relatively interesting operations related to Windows Virtual Desktop in your environment:

let timeRange=ago(7d);
let RareOperations = dynamic(["Consent to application" ,  "Add delegated permission grant"]);
AuditLogs 
| where TimeGenerated >= timeRange
      | extend ModProps = TargetResources.[0].modifiedProperties
      | extend IpAddress = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)), 
      tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), tostring(parse_json(tostring(InitiatedBy.app)).ipAddress))
      | extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), 
      tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName))
      | extend TargetResourceName = tolower(tostring(TargetResources.[0].displayName))
      | mvexpand ModProps
      | extend PropertyName = tostring(ModProps.displayName), newValue = replace("\"","",tostring(ModProps.newValue))
      | where OperationName in (RareOperations)
      | where TargetResourceName contains "windows virtual desktop"
      | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() 
  by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id

Reference:https://techcommunity.microsoft.com/t5/azure-sentinel/monitoring-windows-virtual-desktop-environments-fall-2019/ba-p/1356632

Azure Sentinel News Editor

Azure Sentinel News Editor

Related Posts

What’s new: Microsoft Teams connector in Public Preview
Security Operations

AMA for Azure Sentinel on the Microsoft Security Insights Podcast and Twitch Stream

January 25, 2021
What’s new: Microsoft Teams connector in Public Preview
Security Operations

How to Setup a Managed Identity for the Azure Sentinel Logic App Connector

January 21, 2021
Microsoft suspends 18 Azure accounts tied to China-based hackers
Security Operations

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

January 1, 2021
Next Post
Open Systems Augments its Cybersecurity Capabilities With Acquisition of Leading Microsoft Azure Sentinel Expert

Hunting Threats on Linux with Azure Sentinel

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Azure Sentinel Sigma & SOC Prime Integration (Part 3): Deploy to multiple workspaces and tenants

Microsoft improves Azure’s security to protect your business

Creating digital tripwires with custom threat intelligence feeds for Azure Sentinel

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Follow Us

  • 21.8M Fans
  • 81 Followers

Recommended

Microsoft announces security, identity, management, and compliance updates across Azure and Office

Updated Azure Sentinel Workbook: MITRE ATTACK Framework Reference

2 months ago
What’s new: Microsoft Teams connector in Public Preview

Changes in How Running Hunting Queries Works in Azure Sentinel

2 weeks ago
Enriching Windows Security Events with Parameterized Function

HPC on Microsoft Azure: A Practical Guide

3 months ago
What’s new: Microsoft Teams connector in Public Preview

AMA for Azure Sentinel on the Microsoft Security Insights Podcast and Twitch Stream

1 month ago

Instagram

    Please install/update and activate JNews Instagram plugin.

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

Topics

anomaly automation Azure Azure DevOps Azure Security Center Azure Sentinel Azure Sentinel API Azure Sentinel Connector BlueVoyant Call cybersecurity Detection file GitHub Hunting Huntingy IAC incident response Incident Triage infrastructure as code Investigation jupyter LAQueryLogs MDR Microsoft microsoft 365 mssp Multitenancy Notebooks Pester Playbooks PowerShell python Records Security Sentinel Sharing SIEM signin Supply Chain teams Threat hunting Watchlists Workbooks XDR
No Result
View All Result

Highlights

New Search Capability for Azure Sentinel Incidents

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

Changes in How Running Hunting Queries Works in Azure Sentinel

Azure Sentinel can now Analyze All Available Azure Active Directory Log Files

Replay Now Available – Microsoft Security Insights 036: Azure Sentinel with Rod Trent

Understanding the Little Blue Permissions Locks in Azure Sentinel Data Connectors

Trending

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021
IR

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

by Azure Sentinel News Editor
February 22, 2021
0

The Azure Sentinel product group continues to crank out new Data Connector after new Data Connector. There...

Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

New Items of Note on the Azure Sentinel GitHub Repo

February 18, 2021
Microsoft’s newest sustainable datacenter region coming to Arizona in 2021

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

February 17, 2021
What’s new: Microsoft Teams connector in Public Preview

New Search Capability for Azure Sentinel Incidents

February 16, 2021
With new release, CrowdStrike targets Google Cloud, Azure and container adopters

Follow-up: Microsoft Tech Talks Practical Sentinel : A Day in the Life of a Sentinel Analyst

February 16, 2021

We bring you the best, latest and perfect Azure Sentinel News, Magazine, Personal Blogs, etc. Visit our landing page to see all features & demos.
LEARN MORE »

Recent News

  • The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting February 22, 2021
  • New Items of Note on the Azure Sentinel GitHub Repo February 18, 2021
  • Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation February 17, 2021

Categories

  • AI & ML
  • Artificial Intelligence
  • Incident Response
  • IR
  • KQL
  • Security and Compliance
  • Security Ochestration & Automated Response
  • Security Operations
  • SIEM
  • SOAR
  • SOC
  • Threat Intelligence
  • Uncategorized

[mc4wp_form]

Copyright © 2020 - Azure Sentinel News

No Result
View All Result
  • Home
  • Security and Compliance
  • SOC
  • Threat Intelligence
  • Security Ochestration & Automated Response
  • SOAR
  • Security Operations
  • Artificial Intelligence

Copyright © 2020 Azure Sentinel News