This is part two of three on adding additional security to the Azure SharePoint Reference Architecture. In this post, I am just going to cover the additional monitoring that you can add specifically to the NVAs. Part One is here.
Because a logic app workflow can be triggered by an event, we can monitor the NVAs' availability and, more importantly, watch for any change to the VM that could indicate a compromise of the NVA.
How it works
The way these work together is that resources such as a VM publish events to Azure Event Grid. The logic app we are going to build subscribes to events in Event Grid, for example a specific event ID in the event log indicating a change to a VM's config. When the resource (the VM) publishes that event to Event Grid, Event Grid pushes it to every subscriber of that event. We will configure
Use this as a basic, additional, method to monitor your NVAs and jumpbox.
We will set up an automated email to be dispatched based on an event in the VM's event log.
In this example, we will:
- Create a logic app that monitors events from Event Grid.
- Add a condition that specifically checks for virtual machine changes.
- Send an email when your virtual machine changes.
There are two prerequisites for this example to work.
- An email account from any email provider supported by Azure Logic Apps, for sending notifications.
- A virtual machine for testing.
(1) In the Azure portal add a new Logic App and deploy it to Azure.
(2) Fill out the required parameters for the logic app.
(3) Once the logic app has been deployed successfully, launch it from the console and then open the Logic Apps Designer.
(4) In the Templates section of the page, just below what you see in the previous image, choose the Blank Logic App.
With that, you are presented with connectors and triggers to start building your logic app.
- Connectors are what connect your logic app to a service, like O365.
- Triggers are what start the workflow when an event occurs, say when a new email arrives in your Inbox.
If you recall, we are using the new Azure service Event Grid, and this is where we tie that service back in.
(5) In the search field just enter Event Grid. Once the icon is displayed in the results select it as the connector. Then choose the “On a resource event” trigger.
(6) You are asked to sign in. Make sure you use a work email address and the account has rights to manage the test VM.
Now subscribe your logic app to publisher events.
(7) In the “When a resource event occurs” dialog, provide the following information.
- Enter the subscription ID your test VM is located in.
- For the “Resource type” dropdown list choose Microsoft.Resources.resourceGroups.
- In the “Resource Name” field enter the resource group that your test VM is in.
This is the same dialog completed with my details. Once you have completed this step, save your changes to your logic app using the save button in the designer console.
We have completed the first step, creating a logic app that monitors events.
(1) Moving on to the second step, click the menu bar in the action you just configured so it collapses in the designer.
(2) Then click on the New Step button and select Add a condition. This will add a new empty condition to your workflow.
(3) In the Condition box, choose Edit in advanced mode. Enter this expression:
If spellcheck didn’t fix the expression for you, the condition should look like this
You can build your own expressions based on the Event Grid event schema found here.
This expression will check the body of an event for a data object where the operationName property is ‘Microsoft.Compute/virtualMachines/write’.
(4) Click on the condition's ellipsis and choose Rename to give it a name.
(5) Change the edit mode to basic and the expression will be resolved automatically and populate the condition. If it resolves then save your logic app using the save button in the designer.
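The condition above can be reasoned about offline. The following is an added example, not code from the post or from Logic Apps: it applies the same test (data.operationName equals ‘Microsoft.Compute/virtualMachines/write’) to a few constructed Event Grid resource events, builds the same alert fields the designer offers as dynamic content, and generalizes the check to a set of watched operations so that, for instance, VM deletes can be alerted on as well. The subscription and resource IDs are placeholders.

```python
import json

# Operation the post's condition looks for. The equivalent Logic Apps expression is
# @equals(triggerBody()?['data']?['operationName'], 'Microsoft.Compute/virtualMachines/write')
VM_WRITE = "Microsoft.Compute/virtualMachines/write"


def is_vm_change(event, watched=(VM_WRITE,)):
    """True when the event's data object carries one of the watched operation names."""
    data = event.get("data")
    if not isinstance(data, dict):  # events without a data object never take the 'if true' branch
        return False
    return data.get("operationName") in watched


def alert_text(event):
    """Compose the email subject and body from the event fields used as dynamic content."""
    data = event["data"]
    subject = "VM changed: " + event.get("subject", "?")
    body = ("Operation: {}\nStatus: {}\nTime: {}\nResource: {}"
            .format(data.get("operationName"), data.get("status"),
                    event.get("eventTime"), data.get("resourceUri")))
    return subject, body


def matching_events(events, watched=(VM_WRITE,)):
    """Return the ids of the events that would trigger the email action."""
    return [e["id"] for e in events if is_vm_change(e, watched)]


# Constructed sample events in the Event Grid schema for Microsoft.Resources events; IDs are placeholders.
_VM = "/subscriptions/SUB-ID/resourceGroups/rg-nva/providers/Microsoft.Compute/virtualMachines/nva-1"
_SA = "/subscriptions/SUB-ID/resourceGroups/rg-nva/providers/Microsoft.Storage/storageAccounts/diag1"
SAMPLE_EVENTS = json.loads(json.dumps([
    {"id": "evt-1", "eventType": "Microsoft.Resources.ResourceWriteSuccess", "subject": _VM,
     "eventTime": "2018-01-01T12:00:00Z",
     "data": {"operationName": VM_WRITE, "status": "Succeeded", "resourceUri": _VM}},
    {"id": "evt-2", "eventType": "Microsoft.Resources.ResourceWriteSuccess", "subject": _SA,
     "eventTime": "2018-01-01T12:05:00Z",
     "data": {"operationName": "Microsoft.Storage/storageAccounts/write", "status": "Succeeded",
              "resourceUri": _SA}},
    {"id": "evt-3", "eventType": "Microsoft.Resources.ResourceDeleteSuccess", "subject": _VM,
     "eventTime": "2018-01-01T12:10:00Z",
     "data": {"operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded",
              "resourceUri": _VM}},
]))

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_vm_change(e):
            subject, body = alert_text(e)
            print(subject)
            print(body)
```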
The last step is to add an action that will generate an email alert.
(1) In the condition's “if true” box select the “Add an action” button.
This will bring up the action window allowing you to choose what connector you want to use for the action.
(2) Type “email” into the search and then select “Office 365 Outlook – Send an email” or your connector type.
(3) Enter your account information if it prompts you. This only happens if you haven’t configured the connector prior.
(4) Populate the fields below following the steps in order.
If you don’t see the flyout menu as shown above, click on the “Add dynamic content” link.
See the image below for a completed example.
Once you have these fields filled out you have completed the setup of the logic app to monitor your NVAs. Before you leave the designer, click the save button once more.
To test the logic app simply resize the test VM and within a few minutes, you should get an email.
You can also check the overview blade of your logic app for a list of actions that have been triggered.
In part three I walk through the steps to add the additional infrastructure to the reference architecture, making the entire solution automated and reusable in DevOps as IaC.