Microsoft AMA Troubleshooter script

I recently had an issue with a new Linux syslog server that was using Arc and had the AMA service enabled by a data collection rule in Sentinel.

I could see the Sentinel DCR (data collection rule) had been pushed out but the AMA agent wasn’t forwarding logs back up to Sentinel.

I suspected traffic was getting blocked but I wasn’t sure how to validate it.

This script will extract the Sentinel Workspace ID and perform a network connection test that simulates the connection from AMA to the data collection point, or ODS (operational data store).

If the script fails, it means you need to talk to your firewall admin to open a connection to *.ods.opinsights.azure.com.

If you’re good at reading curl, you don’t need the script; just curl to
https://<workspaceid>.ods.opinsights.azure.com

The script also checks that the AMA service is running and that you’re not out of disk space – 2 other common issues.

Have fun!

#!/bin/bash

# AMA Agent Validation Script
# Checks common issues with Azure Monitor Agent on Linux

set -e

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

echo -e "${BLUE}=== Azure Monitor Agent Validation Script ===${NC}"
echo "Started at: $(date)"
echo

# Function to check endpoint connectivity
check_endpoint() {
    local url=$1
    local description=$2
    echo -n "Testing $description... "
    
    if curl -s --connect-timeout 10 --max-time 30 "$url" >/dev/null 2>&1; then
        echo -e "${GREEN}OK${NC}"
        return 0
    else
        echo -e "${RED}FAILED${NC}"
        return 1
    fi
}

# Function to check SSL handshake specifically
check_ssl_handshake() {
    local host=$1
    local description=$2
    echo -n "Testing SSL handshake for $description... "
    
    if timeout 10 openssl s_client -connect "$host:443" -servername "$host" </dev/null >/dev/null 2>&1; then
        echo -e "${GREEN}OK${NC}"
        return 0
    else
        echo -e "${RED}FAILED${NC}"
        return 1
    fi
}

# 1. Check AMA service status
echo -e "${BLUE}1. AMA Service Status${NC}"
if systemctl is-active --quiet azuremonitoragent; then
    echo -e "Service status: ${GREEN}RUNNING${NC}"
    echo "Service uptime: $(systemctl show azuremonitoragent --property=ActiveEnterTimestamp --value)"
else
    echo -e "Service status: ${RED}NOT RUNNING${NC}"
    echo "Try: systemctl status azuremonitoragent"
fi
echo

# 2. Check disk space
echo -e "${BLUE}2. Disk Space Check${NC}"
AMA_PATH="/var/opt/microsoft/azuremonitoragent"
if [ -d "$AMA_PATH" ]; then
    # -P keeps each filesystem on a single line so the awk column is stable even for long device names
    DISK_USAGE=$(df -P "$AMA_PATH" | awk 'NR==2 {print $5}' | sed 's/%//')
    if [ "$DISK_USAGE" -gt 90 ]; then
        echo -e "Disk usage: ${RED}${DISK_USAGE}% (CRITICAL)${NC}"
        echo "Free space needed in $(df -h "$AMA_PATH" | awk 'NR==2 {print $1}')"
        du -sh "$AMA_PATH/events"/* 2>/dev/null | sort -hr | head -5
    elif [ "$DISK_USAGE" -gt 80 ]; then
        echo -e "Disk usage: ${YELLOW}${DISK_USAGE}% (WARNING)${NC}"
    else
        echo -e "Disk usage: ${GREEN}${DISK_USAGE}% (OK)${NC}"
    fi
else
    echo -e "${RED}AMA directory not found${NC}"
fi
echo

# 3. Extract endpoints from config
echo -e "${BLUE}3. Extracting Configured Endpoints${NC}"
CONFIG_DIR="/etc/opt/microsoft/azuremonitoragent/config-cache"
WORKSPACE_ID=""
ENDPOINTS=()

if [ -d "$CONFIG_DIR" ]; then
    # Extract workspace ID and endpoints
    WORKSPACE_ID=$(grep -r "ods.opinsights.azure.com" "$CONFIG_DIR" 2>/dev/null | head -1 | grep -o '[a-f0-9-]\{36\}\.ods\.opinsights\.azure\.com' | cut -d'.' -f1 || echo "")
    
    if [ -n "$WORKSPACE_ID" ]; then
        echo "Workspace ID: $WORKSPACE_ID"
        ENDPOINTS+=("https://${WORKSPACE_ID}.ods.opinsights.azure.com")
    fi
    
    # Add standard endpoints
    ENDPOINTS+=(
        "https://global.handler.control.monitor.azure.com"
        "https://centralus.monitoring.azure.com"
        "https://management.azure.com"
        "https://login.microsoftonline.com"
        "https://ods.opinsights.azure.com"
    )
else
    echo -e "${RED}Config directory not found${NC}"
    # Use default endpoints
    ENDPOINTS=(
        "https://global.handler.control.monitor.azure.com"
        "https://centralus.monitoring.azure.com"
        "https://management.azure.com"
        "https://login.microsoftonline.com"
        "https://ods.opinsights.azure.com"
    )
fi
echo

# 4. Test endpoint connectivity
echo -e "${BLUE}4. Network Connectivity Tests${NC}"
failed_endpoints=0

for endpoint in "${ENDPOINTS[@]}"; do
    if ! check_endpoint "$endpoint" "$endpoint"; then
        # Not ((var++)): a post-increment from 0 returns non-zero, which aborts the script under set -e
        failed_endpoints=$((failed_endpoints + 1))
    fi
done
echo

# 5. Test SSL handshakes for critical endpoints
echo -e "${BLUE}5. SSL Handshake Tests${NC}"
ssl_failed=0

if [ -n "$WORKSPACE_ID" ]; then
    if ! check_ssl_handshake "${WORKSPACE_ID}.ods.opinsights.azure.com" "Workspace ODS"; then
        ssl_failed=$((ssl_failed + 1))  # plain arithmetic assignment is safe under set -e
    fi
fi

if ! check_ssl_handshake "global.handler.control.monitor.azure.com" "Control Plane"; then
    ssl_failed=$((ssl_failed + 1))
fi
echo

# 6. Check for recent AMA errors
echo -e "${BLUE}6. Recent AMA Errors (last 1 hour)${NC}"
if command -v journalctl >/dev/null; then
    # grep -c prints the count (even 0) and exits 1 on no match; '|| true' keeps set -e quiet without
    # appending a second "0" the way '|| echo 0' would, which breaks the integer comparison below
    error_count=$(journalctl -u azuremonitoragent --since "1 hour ago" 2>/dev/null | grep -ic "error\|failed\|ssl handshake" || true)
    error_count=${error_count:-0}
    if [ "$error_count" -gt 0 ]; then
        echo -e "Recent errors: ${RED}$error_count${NC}"
        echo "Recent SSL handshake failures:"
        journalctl -u azuremonitoragent --since "1 hour ago" | grep -i "ssl handshake" | tail -3
        echo "Recent disk space errors:"
        journalctl -u azuremonitoragent --since "1 hour ago" | grep -i "no space left" | tail -3
    else
        echo -e "Recent errors: ${GREEN}0${NC}"
    fi
else
    echo "journalctl not available"
fi
echo

# 7. Check listening ports
echo -e "${BLUE}7. AMA Listening Ports${NC}"
if ss -tlnp | grep -q ":28330"; then
    echo -e "Port 28330 (syslog): ${GREEN}LISTENING${NC}"
else
    echo -e "Port 28330 (syslog): ${RED}NOT LISTENING${NC}"
fi
echo

# 8. System time check (critical for SSL)
echo -e "${BLUE}8. System Time Check${NC}"
current_time=$(date +%s)
# Reference time from a public API; if the lookup fails the result is empty, so fall back to the
# local clock rather than feeding an empty string into the arithmetic (which would abort the script)
ntp_time=$(curl -s --max-time 10 "http://worldtimeapi.org/api/timezone/UTC" 2>/dev/null | grep -o '"unixtime":[0-9]*' | cut -d':' -f2 || true)
ntp_time=${ntp_time:-$current_time}
time_diff=$((current_time - ntp_time))
time_diff=${time_diff#-}  # absolute value

if [ "$time_diff" -gt 300 ]; then
    echo -e "Time sync: ${RED}OUT OF SYNC (${time_diff}s difference)${NC}"
    echo "Current: $(date)"
    echo "Consider: ntpdate or chrony sync"
else
    echo -e "Time sync: ${GREEN}OK${NC}"
fi
echo

# Summary
echo -e "${BLUE}=== SUMMARY ===${NC}"
if [ "$failed_endpoints" -eq 0 ] && [ "$ssl_failed" -eq 0 ]; then
    echo -e "Overall status: ${GREEN}HEALTHY${NC}"
    echo "All endpoints accessible and SSL working correctly"
elif [ "$ssl_failed" -gt 0 ]; then
    echo -e "Overall status: ${RED}SSL ISSUES${NC}"
    echo "SSL handshake failures detected - check firewall/proxy settings"
    echo "Contact network team to whitelist Azure Monitor endpoints"
elif [ "$failed_endpoints" -gt 0 ]; then
    echo -e "Overall status: ${YELLOW}CONNECTIVITY ISSUES${NC}"
    echo "Some endpoints unreachable - check network connectivity"
else
    echo -e "Overall status: ${YELLOW}CHECK REQUIRED${NC}"
fi

echo
echo "Log locations:"
echo "  - AMA logs: journalctl -u azuremonitoragent"
echo "  - Config: /etc/opt/microsoft/azuremonitoragent/config-cache/"
echo "  - Events: /var/opt/microsoft/azuremonitoragent/events/"
echo
echo "Common fixes:"
echo "  - Disk space: Clean /var/opt/microsoft/azuremonitoragent/events/"
echo "  - SSL issues: Whitelist *.ods.opinsights.azure.com in firewall"
echo "  - Service: systemctl restart azuremonitoragent"

Adventures In Cybersecurity – New Front Page

I used openai to help me build a new front page for my cyber defense tutorials.

If anyone needs help learning any topics in cyber defense just ask!

https://spiderlabs.github.io/zpminternational/

https://www.linkedin.com/in/davidbroggytrustwave/

https://simple-security.ca/

https://mvp.microsoft.com/en-us/PublicProfile/5004963?fullName=David%20%20Broggy

#mvp #mvpbuzz

Adventures in Cybersecurity: The Defender Series. Now Live!

I’ve started a new series of posts on cyber defense architecture, implementation and workflows.

It will also include getting-started labs on over 30 cyber defense topics!

Check it out here and find out about the backstory of ZPM International and their adversary APT42a!

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/welcome-to-adventures-in-cybersecurity-the-defender-series/

Adventures in Cybersecurity: The Defender Series. Parts 1 to 14

I’m a bit behind on my updates, so if you haven’t seen, Trustwave has posted the first 5 of the posts from my ‘Defender Series’.

Cloud Architecture Frameworks and Benchmarks

Cost Management Tips for Cyber Admins

Cybersecurity Documentation Essentials

Evaluating Your Security Posture: Security Assessment Basics

Zero Trust Essentials

CSPM, CIEM, CWPP Oh My!

The Secret Cipher: Modern Data Loss Prevention Solutions

The Invisible Battleground: Essentials of EASM

EDR – The Multi-Tool of Security Defenses

Protecting Zion: InfoSec Encryption Concepts and Tips

Guardians of the Gateway: Identity and Access Management Best Practices

How to Create the Asset Inventory You Probably Don’t Have

Important Security Defenses to Help Your CISO Sleep at Night

Cyber Exterminators: Monitoring the Shop Floor with OT Security

Enjoy!

Microsoft SC-100 Security Architect Expert Certification Study Reference

If you’re studying for the SC-100 or you just want a decent reference to many of Microsoft’s security topics please feel free to try my reference sheet attached below.

Note that almost all of the (233) web links in this sheet reference the Microsoft Learn site (https://learn.microsoft.com) so you don’t have to worry about them being malicious :).

Enjoy!

Security Research and Defenses Gap Analysis with ChatGPT in seconds

  1. Get a ChatGPT Plus account.
  2. Enable the WebPilot plugin from the Plugin Store:
  3. Research Red Team tools that hackers and pentesters commonly use and compare those tools to the defender tools available from Microsoft:
  4. Do the same for a list of Blue Team tools and compare them to those available from Microsoft:
  5. Use the above two tables (and whatever else you can dream up) to identify gaps in your security defenses and to educate yourself on Microsoft tools that may be of value.

Linux AMA syslog agents: How to identify DCRs that are causing duplicate data collection

If you’re using the Microsoft AMA agent, you’re likely familiar with Data Collection Rules.

This tip is specifically for AMA agents installed on Linux servers for the purpose of collecting syslog data.

It’s pretty easy to create 2 or more DCRs that overlap in their logic and result in collecting duplicate data. A common example is to get duplicate syslog data showing up in both the Syslog and CommonSecurityLog tables.

It can be difficult to read through all of your DCRs to find the duplicate configuration.

One approach to fixing this issue is to log in to the server where the AMA agent is installed and look at the JSON files under:

/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/

Each JSON file represents a single Data Collection Rule. Here’s an example. Pay attention to the value following “agentConfigurations/dcr-<some alphanumeric>”.

You’ll need that value to trace back to the DCR configuration in the Azure portal.

Now go to the Azure Portal and open the Resource Graph Explorer:

Run this query to get a list of your DCRs and their associated “dcr-xxx” values:

resources
| where type == 'microsoft.insights/datacollectionrules'
| extend immutableId = properties.immutableId
| project name, immutableId

Once you’ve identified the offending DCR you can simply delete it, and after a few minutes the .json file will disappear from your AMA’s /configchunks/ directory.

Restarting the AMA agent might speed up the removal of the JSON file:

systemctl restart azuremonitoragent

or:

cd /var/lib/waagent/Microsoft.Azure.Monitor.AzureMonitorLinuxAgent-<agent version>
./shim.sh -disable
./shim.sh -enable

ls /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/*.json
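As an added example (not part of the original post, and not Microsoft's tooling), here is a Python script that automates the first step above: it walks the configchunks directory, pulls the dcr-<hex> id out of each chunk's "agentConfigurations/dcr-..." string, and reports any syslog facility that more than one DCR collects, together with the stream (Syslog vs CommonSecurityLog) each one feeds. The chunk layout it parses (a DCR-style dataSources.syslog list with facilityNames and streams) is an assumption, as are the sample ids and the build_sample_dir() helper, which writes constructed chunks so the script can be tried offline. Python is used because the check needs a JSON parser; the ids it prints are the ones to look up with the Resource Graph query above.

```python
"""Report Data Collection Rules that collect the same syslog facility more than once.

Added example, not the blog post's own tooling. Reads the per-DCR JSON chunks under the
config-cache directory the post names, extracts the dcr-<hex> id from the
"agentConfigurations/dcr-..." string the post points at, and lists facilities claimed by
more than one DCR. The chunk layout assumed here (dataSources -> syslog -> facilityNames /
streams) is an assumption; adapt extract_syslog_sources() if your chunks differ.
"""
import json
import os
import re
import tempfile
from collections import defaultdict

CONFIGCHUNKS = "/etc/opt/microsoft/azuremonitoragent/config-cache/configchunks/"
DCR_ID_RE = re.compile(r"agentConfigurations/(dcr-[0-9a-f]+)")


def extract_dcr_id(text):
    """Return the dcr-<hex> immutable id embedded in a chunk's raw text, or None."""
    m = DCR_ID_RE.search(text)
    return m.group(1) if m else None


def extract_syslog_sources(doc):
    """Yield (facility, stream) pairs from a parsed chunk.

    Assumed layout: doc["dataSources"]["syslog"] is a list of entries, each carrying
    "facilityNames" (list) and "streams" (list). Missing keys simply yield nothing.
    """
    for src in (doc.get("dataSources") or {}).get("syslog") or []:
        for facility in src.get("facilityNames") or []:
            for stream in src.get("streams") or []:
                yield facility.lower(), stream


def find_duplicate_facilities(chunk_dir):
    """Map each syslog facility to the sorted (dcr_id, stream) pairs that collect it,
    keeping only facilities claimed by two or more distinct DCRs."""
    claims = defaultdict(set)
    for name in sorted(os.listdir(chunk_dir)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(chunk_dir, name), encoding="utf-8") as fh:
            text = fh.read()
        dcr_id = extract_dcr_id(text) or name  # fall back to the file name if no id is found
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            continue  # unreadable chunk: skip it rather than abort the whole sweep
        for facility, stream in extract_syslog_sources(doc):
            claims[facility].add((dcr_id, stream))
    return {f: sorted(c) for f, c in claims.items() if len({d for d, _ in c}) > 1}


def build_sample_dir():
    """Write three constructed chunks (sample ids, not real DCRs): two collect 'auth',
    one into Microsoft-Syslog and one into Microsoft-CommonSecurityLog, which is exactly
    the duplicate the post describes; the third collects only 'local0'."""
    d = tempfile.mkdtemp()
    chunks = {
        "c1.json": {"id": "agentConfigurations/dcr-0a1b2c3d4e5f60718293a4b5c6d7e8f9",
                    "dataSources": {"syslog": [{"facilityNames": ["auth", "cron"],
                                                "streams": ["Microsoft-Syslog"]}]}},
        "c2.json": {"id": "agentConfigurations/dcr-ffffffffffffffffffffffffffffffff",
                    "dataSources": {"syslog": [{"facilityNames": ["auth"],
                                                "streams": ["Microsoft-CommonSecurityLog"]}]}},
        "c3.json": {"id": "agentConfigurations/dcr-00000000000000000000000000000001",
                    "dataSources": {"syslog": [{"facilityNames": ["local0"],
                                                "streams": ["Microsoft-Syslog"]}]}},
    }
    for name, doc in chunks.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            json.dump(doc, fh)
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else CONFIGCHUNKS
    for facility, claimants in find_duplicate_facilities(target).items():
        print(f"{facility}: collected by " + ", ".join(f"{d} -> {s}" for d, s in claimants))
```

Run it with no argument on the syslog server to scan the real configchunks directory, or pass the path returned by build_sample_dir() to see the constructed "auth" overlap reported. Each reported dcr-<hex> id maps to the immutableId column of the Resource Graph query, which gives you the DCR name to review or delete.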

Getting Started With Defender for IoT/OT

Pressure is increasing on manufacturers to monitor their shop floors in order to avoid major disruptions in supply chains. A recent example of such a risk is CVE-2023-3595. This vulnerability has a CVSS score of 9.8 (i.e., very bad).

It involves the use of CIP (Common Industrial Protocol). As such, you wouldn’t expect there to be your typical IOCs like IP addresses and hashes that you could add to your SIEM to detect this vulnerability. You would need to sniff your factory network, looking for malicious use of the CIP protocol. This is where OT security tools like Defender for OT come in. (Since we’re just talking about OT here I’m going to drop the IoT…)

Here’s a quick walkthrough to getting started with Defender for OT:

Getting Started with Defender for OT

  • Login to the Azure portal and search for Defender for OT and select ‘Set up OT/ICS Security’
  • Download the sensor and install the ISO in a hypervisor like Hyper-V or VMWare. (when setting up your VM, make sure to use at least 2 network interfaces – 1 for management and 1 for sniffing)
  • Connect the ‘sniffing’ network interface from your VM to a SPAN port on your network. If you’re just playing around with the sensor you can just have it sniff your home network or whatever is safe for you to monitor.
  • After the sensor installation you will be provided 3 unique credentials to login to the sensor’s web interface, so don’t lose those credentials.
  • Get a license – there’s a 60-day trial license here in the M365 admin center:
    https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/getting-started
  • Go back to the Azure portal and register your sensor. Once the sensor is registered it will give you a zip file which is the license key for that sensor.

How to Test Your Sensor:

  • Download some sample pcap files like from here: https://github.com/EmreEkin/ICS-Pcaps
  • Login to your sensor (https://<ip address of sensor>) with the username ‘cyberx’ and the password that was given to you during the sensor installation.
  • Go to System Settings > Play Pcap, and upload one of your sample pcap files.
  • After selecting ‘play all’, your sensor will begin analyzing your pcap traffic.
  • If nothing interesting is seen in the alerts tab you may need to create a custom alert to trigger some alerts. Some experience with network traffic analysis and Wireshark can be very useful.

Next Steps: Connect Defender for OT to Sentinel

  • Back in the Azure portal, go to the Content Hub and install the Defender for OT solution bundle.
  • Now go to Connectors and enable the Defender for IoT connector
  • Finally go to Analytics, search the templates for all of the OT rules and enable whatever you like.

References:
https://learn.microsoft.com/en-us/azure/defender-for-iot/organizations/ot-deploy/install-software-ot-sensor

https://www.netresec.com/?page=PcapFiles