At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were also renamed Microsoft Defender plans; for example, Azure Defender for Storage is now Microsoft Defender for Storage.
In this article, I will show you how to enable adaptive application controls in Azure Security Center so you can whitelist your applications for Windows and Linux machines and protect your systems.
Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:
1) Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
2) Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM) and storage accounts.
Azure Defender is an evolution of the threat-protection technologies in Azure Security Center, protecting Azure and hybrid environments. When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
- Azure Defender for Azure DNS
- Azure Defender for Resource Manager
Adaptive Application Controls (AAC) is one of the advanced protections included in Azure Security Center. It falls under the Cloud Workload Protection Platform (CWPP) for threat detection and response, and it is something you should consider for your Windows and Linux systems whether they run in Azure, on-premises, or in other cloud environments.
Many companies use Security Center but do not leverage this powerful cloud defense capability, which is not a good thing in the long run. Application control helps you deal with malicious and/or unauthorized software by allowing only specific applications to run on your virtual machines and servers.
Adaptive Application Controls overview
One of the biggest challenges of application whitelisting is maintaining the list. The traditional approach of using AppLocker in Windows is a good solution, but it still carries the overhead of keeping up with the applications and getting the initial baseline to work properly for your needs.
With adaptive application controls, Azure Security Center uses machine learning to learn how the apps behave on your server(s) and suggests a list of applications that should be whitelisted based on patterns, behaviors, and security analytics. That is very important because you want to make sure you don’t have the wrong or unwanted applications running on your servers, and you want to be notified if a known vulnerable application is present. This capability works for Windows VMs, as well as on-premises machines running Windows or Linux.
At the time of writing, Azure and non-Azure (Windows and Linux) machines are only supported in audit mode, as documented by Microsoft. In audit mode, adaptive application controls will not block the execution of an application; they will only notify you.
Non-Azure Virtual Machine (Windows and Linux)
To follow this article, you need to have the following:
1) Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
2) Azure Security Center – Azure Defender enabled. Adaptive application controls are part of Azure Defender in Azure Security Center. Please note that you can use Azure Defender free for 30 days.
3) Log Analytics Workspace – To create a new workspace, follow the instructions here: Create a Log Analytics workspace.
4) Windows or Linux machines running on Azure VMs or on-premises with the Microsoft Monitoring Agent (MMA) installed and connected to the Log Analytics workspace. Check the following article to learn more on how to onboard Windows machines to Security Center.
Planning for Adaptive Application Controls
There are very important points that you should take into consideration during the planning phase before you enable this feature.
Adaptive application controls do not support Windows machines on which an AppLocker policy is already enabled, either through group policy objects (GPO) or local security policy. As a security best practice, Azure Security Center will always try to create a publisher rule for the applications you select to allow. If an application has no publisher information, meaning it is not signed, a path rule is created for the full path of that application instead. Keep that in mind.
Enable Adaptive Application Controls
To enable and access adaptive application controls from the Azure Security Center dashboard, take the following steps:
1) Open Azure Portal and sign in with a user who has Security Admin privileges.
2) On the left navigation pane, click Security Center.
3) From Security Center’s sidebar, under the ADVANCED CLOUD DEFENSE, open the Adaptive application controls page.
4) The Adaptive application controls page appears. If you have already done the configuration, you will see groups that were created previously. If this is a brand-new configuration, the ‘Configured’ tab will be blank, because everything will be under the ‘Recommended’ tab.
5) Under the ‘Recommended’ tab you will see multiple groups; each group is an aggregation of servers with similar patterns of applications, behavior, and execution.
6) If you open one of those groups, you get more information about the ‘VMs/servers’ that belong to that group, the current state of each server, and the severity, which indicates that the adaptive application controls policy has not yet been applied.
7) The ‘Recommended applications’ section lists all applications that are frequently used and identified on those VMs; it is highly recommended that you whitelist those first.
8) You also have ‘More applications’, a list of applications that are less frequently used within this group. You can whitelist those as well if you want to. This is the initial configuration: review these options and then click the ‘Audit’ button. It is a very straightforward process.
9) When you click ‘Audit’, Security Center automatically creates the appropriate rules on top of the built-in application control mechanism, which takes a couple of minutes to complete. On Windows Server, the allow list is implemented using the AppLocker feature in the background. Once the rules are configured, the group appears under the ‘Configured’ tab, as shown in the figure below.
10) When you click on that group, you can make changes if you want to. Under the ‘Publisher whitelisting rules’ you can modify existing rules, or add a new rule and customize the publisher for EXE, MSI (in the case of Windows machines), SCRIPT or All file types. You can also see the existing ‘File Types’ that were selected.
11) You can see the ‘Path whitelisting rules’ and the ‘Hash whitelisting rules’ as well, if any have been created, and you can add new rules if needed. The rule type can be ‘Publisher’, ‘Path’, or ‘Hash’.
12) Under the ‘Configured VMs/servers’ section, you can see which servers are part of this group and will be affected by those settings.
13) Finally, if any alerts are correlated with this group, you can view them under the ‘Recent Alerts’ section, or go back to the main Security alerts dashboard and view them from there.
In this section, I want to show you what an application violation looks like in Azure Security Center.
Under Security Center | Security alerts dashboard, I have two security alerts that were triggered by adaptive application controls, as shown in the figure below.
If I click on one of these alerts, ‘Adaptive application control policy violation was audited’, I can see two servers with an app that violated the policy established by adaptive application controls.
When you click on the ‘Attacked Resource’, you will see an explanation of this particular alert, including which application was executed. In this example, the ‘CERTWAC.EXE’ application is not part of my whitelist, so this is a violation of the policy. The alert is triggered, and you can validate it here.
If you have already integrated Azure Security Center with Azure Monitor, you will also receive a notification based on the action group that you specified. As shown below, I am using email notification. You can find more details on how to integrate Azure Security Center with Azure Monitor here.
If you are in audit mode, this is a great opportunity to determine whether this really is a malicious application that should be blocked, or a false positive, in which case you may need to change the policy and add this application to the whitelist.
How it works…
Azure Security Center relies on a minimum of two weeks of data to create a baseline and populate the unique recommendations per group of virtual machines. Security Center’s proprietary clustering algorithm creates groups of machines with similar application activity in order to produce the optimal recommendation for application control. Those groups are created automatically by Security Center; each group contains multiple servers, and the application whitelist is suggested for, and applied to, the group.
Keep in mind that when the whitelist is in audit mode, Azure Security Center generates a security alert every time the policy is violated. Say your whitelist only allows two applications to run: if application number three is launched, it will run, because you are in audit mode, but a security alert will be generated.
I highly recommend enabling audit mode for all your VMs first and then enforcing as needed. In audit mode, applications will NOT be blocked.
Adaptive application controls updated
The adaptive application controls feature has received two significant updates in July 2020:
- A new recommendation identifies potentially legitimate behavior that hasn’t previously been allowed. The new recommendation, Allowlist rules in your adaptive application control policy should be updated, prompts you to add new rules to the existing policy to reduce the number of false positives in adaptive application controls violation alerts.
- Path rules now support wildcards (*). From this update, you can configure allowed path rules using wildcards. There are two supported scenarios:
  - Using a wildcard at the end of a path to allow all executables within this folder and its sub-folders.
  - Using a wildcard in the middle of a path to allow a known executable name with a changing folder name (e.g. personal user folders with a known executable, automatically generated folder names, etc.).
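To make the audit-mode behaviour described in the alerts and “How it works” sections, and the two wildcard path-rule scenarios above, concrete, here is an added Python example. It is not code from the original article or from Microsoft: it models a configured group’s allow list (publisher, path and hash rules), runs a few constructed process-start records through it in audit mode, produces an alert for each uncovered execution, and shows how one middle-wildcard path rule covers the same unsigned tool launched from several users’ profile folders. The matching semantics (a trailing `*` covering the folder and all sub-folders, a middle `*` standing for exactly one folder name), the alert record layout, and all host names, paths, hashes and the Contoso publisher string are assumptions and constructed sample data, not values from a real Security Center tenant.

```python
"""Audit-mode triage helper for adaptive application control allow lists.

Added example (not from the article or Microsoft). Rule semantics, alert layout
and all sample hosts/paths/hashes/publishers are assumed or constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ALERT_NAME = "Adaptive application control policy violation was audited"


@dataclass(frozen=True)
class Rule:
    kind: str   # "publisher", "path" or "hash"
    value: str


@dataclass(frozen=True)
class Execution:
    """One observed process start (constructed record, not a real ASC schema)."""
    host: str
    path: str
    publisher: Optional[str]   # None when the binary is unsigned
    sha256: str


def _normalize(path: str) -> str:
    # Windows paths are case-insensitive; accept forward slashes as well.
    return path.replace("/", "\\").lower()


def path_rule_regex(pattern: str) -> re.Pattern:
    """Compile an allow-list path pattern containing at most one '*'.

    Assumed semantics, derived from the two supported scenarios:
      - trailing '*'  -> any file in that folder or any of its sub-folders
      - '*' in middle -> exactly one folder name (e.g. a per-user profile)
      - no '*'        -> one exact file path
    """
    parts = _normalize(pattern).split("*")
    if len(parts) > 2:
        raise ValueError("only one wildcard per path rule is supported")
    if len(parts) == 1:
        body = re.escape(parts[0])
    elif parts[1] == "":
        body = re.escape(parts[0]) + r".+"
    else:
        body = re.escape(parts[0]) + r"[^\\]+" + re.escape(parts[1])
    return re.compile(r"\A" + body + r"\Z")


def rule_matches(rule: Rule, ev: Execution) -> bool:
    if rule.kind == "publisher":
        return ev.publisher is not None and ev.publisher.lower() == rule.value.lower()
    if rule.kind == "path":
        return path_rule_regex(rule.value).match(_normalize(ev.path)) is not None
    if rule.kind == "hash":
        return ev.sha256.lower() == rule.value.lower()
    raise ValueError(f"unknown rule kind: {rule.kind}")


def is_allowed(ev: Execution, rules: list[Rule]) -> bool:
    return any(rule_matches(r, ev) for r in rules)


def audit(events: list[Execution], rules: list[Rule]) -> list[dict]:
    """Audit mode: nothing is blocked, but every uncovered execution yields an alert."""
    return [
        {"alertName": ALERT_NAME, "host": ev.host, "path": ev.path}
        for ev in events
        if not is_allowed(ev, rules)
    ]


def suggest_rule(ev: Execution) -> Rule:
    """Publisher rule for a signed binary, full-path rule for an unsigned one."""
    if ev.publisher:
        return Rule("publisher", ev.publisher)
    return Rule("path", ev.path)


# Constructed sample data: a configured group with two rules and four executions.
SAMPLE_RULES = [
    Rule("publisher", "O=Contoso Ltd, L=Seattle, S=Washington, C=US"),
    Rule("path", r"C:\Tools\*"),
]
SAMPLE_EVENTS = [
    Execution("WEB-01", r"C:\Tools\bin\svc.exe", None, "aa" * 32),
    Execution("WEB-01", r"C:\Users\alice\AppData\Local\Agent\agent.exe", None, "bb" * 32),
    Execution("WEB-02", r"C:\Users\bob\AppData\Local\Agent\agent.exe", None, "bb" * 32),
    Execution("WEB-02", r"C:\Temp\CERTWAC.EXE", None, "cc" * 32),
]
# One middle-wildcard rule instead of one path rule per user profile folder.
WILDCARD_RULE = Rule("path", r"C:\Users\*\AppData\Local\Agent\agent.exe")


if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS, SAMPLE_RULES):
        print(f"{alert['host']}: {alert['alertName']} ({alert['path']})")
    remaining = audit(SAMPLE_EVENTS, SAMPLE_RULES + [WILDCARD_RULE])
    print("still alerting after wildcard rule:", [a["path"] for a in remaining])
```

Run as-is, the first pass raises three alerts (the two per-user agent launches and the unsigned binary in C:\Temp); adding the wildcard rule leaves only the C:\Temp execution, which is the one that still deserves investigation rather than a new rule.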
Adaptive application control is an intelligent, automated, end-to-end solution from Azure Security Center which helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux). In the background, Azure Security Center uses machine learning to analyze the applications running on your VMs and creates an allowed list from this intelligence. Security Center uses a proprietary clustering algorithm to create groups of VMs, making sure that similar VMs get the optimal recommended application control policy.
In this article, you learned how to enable adaptive application controls in Azure Security Center to whitelist applications running in Azure and non-Azure VMs. How are you going to use adaptive application controls in your environment? You are welcome to share your thoughts in the comment section below.
Additional resources I highly encourage you to check:
- Learn more about how to integrate Azure Security Center with Azure Monitor Alerts.
- Learn more about how to integrate Azure Security Center with Azure Sentinel cloud-native (SIEM).
- Learn how to enable file integrity monitoring for Windows and Linux Machines in Azure Security Center.
- To learn more about Azure Security Center, check the official documentation from Microsoft.
- To learn more about Adaptive application controls, check the official documentation from Microsoft.
- Learn how to export Azure Security Center Alerts and Recommendations.
- Workflow automation in Azure Security Center to automate your security response operations.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.