Using Azure’s Change Tracking feature is crucial for security and troubleshooting purposes in any organization. It allows the administrator to see what has changed (services, software installations, registry keys, and files) on any given server and when; correlated with other information, it helps pinpoint the root cause of an issue or an attack.
Another benefit is the ability to trigger alerts when a specified action is taken. For example, if the hosts file on any server changes, an alert should be sent to the security team because of the suspicious activity. Microsoft Azure offers the Automation Account and Log Analytics, which combined can monitor, maintain, analyze, and inform when issues are found.
This Change Tracking feature can be used on VMs running in Azure or on-premises environments. It supports Windows Server 2008 and higher, and several Linux distributions.
Creating the Automation Account and enabling Change Tracking
The first step is to create the Automation Account and enable the Change Tracking feature. In this section we explore the steps to achieve that using the Azure Portal.
Logged on to the Azure Portal, click on Create a resource, type in Automation and select the Automation item, which is provided by Microsoft in the Developer Tools category.
In the new blade, a short summary about an Automation Account will be displayed. Click on Create to start the process.
The Automation Account requires a name, a resource group, a location, and a choice of whether the Azure Run As accounts will be created as part of the provisioning. When Azure Run As account is set to Yes, a Service Principal account is created and granted the Contributor role at the subscription level, which lets Runbooks use that Run As account to access the Azure Subscription’s resources and settings and thus perform more tasks.
Note: To check the Service Principal created for an existing Automation Account (during provisioning or later on), click on the Run As accounts item on the left side of the desired Automation Account resource. In the new blade, both Run As accounts (Azure Run As and Azure Classic Run As) will be listed.
To enable the Change Tracking feature, click on the Change Tracking item on the left side. Enabling Change Tracking also enables the Inventory feature. During the creation, we can select an existing Log Analytics workspace where the information gathered by the agents on the VMs will be stored, or create a brand new one. After making the decisions, click on Create to enable the feature.
Note: If you want to use a specific Log Analytics workspace, it is important to create it before enabling the Change Tracking feature.
The process of enabling the Change Tracking feature changes settings and creates links between the Automation Account and the Log Analytics workspace.
We can see a summary of the changes in the picture depicted below. On the left side, under the Linked workspaces item in the Automation Account, there is a reference to the Log Analytics workspace, and at the same time a new solution called ChangeTracking is listed in the Log Analytics workspace.
Another change is the creation of a brand-new item called ChangeTracking in the Log Analytics workspace; that is where the information gathered later on from the agents will be stored. We can check that location using Azure Log Analytics.
First view of the Change Tracking feature
When Change Tracking is enabled, the first page is a summary of all tracked types (Events, Daemons, Files, Registry, Software, and Windows Services) for the last 24 hours; that range can be easily adjusted.
At the bottom, we have a list of all changes on all machines that are part of this Automation Account, and another tab for the Events.
Going back to the graph, we can use the arrows located at the bottom to reduce the time window to narrow down the results.
Managing what is being tracked
Now that we have seen the first page, where the gathered information will start showing up, covered how to enable the feature, and seen the connections between the Automation Account and Log Analytics when using Change Tracking, the next logical step is to configure the settings and start tracking our resources with settings relevant to our Security and Operations requirements.
On the initial page, there are several types of tracking. The first one is Events, which are related to the events that happen at the Management plane of Microsoft Azure. To start tracking those, click on Manage Activity Log Connection and, on the new blade, click on Connect.
All other settings can be configured by clicking on Edit Settings. A new blade is displayed with a tab for each type of component that can be tracked. We will explore each one of them.
In the Windows Registry tab, the solution comes with some critical Registry keys pre-populated; all of them are disabled, however. They are registry key paths where malware and third-party code can be added. Make sure to enable the ones that are valid for your organization. We also have the option to add new registry key paths using the Add button.
In the Windows Files and Linux Files tabs, we can configure the files to be tracked. A great strategy for the security professional is to track the hosts file, so that a malicious user or app cannot change the file without a proper notification.
My favorite feature is the ability to see, through the Azure Portal, the changed contents of any file we are monitoring. There are two views of the file, before and after the change, along with visual aids to help the cloud security administrator see the differences between versions. In the File Content tab, click on Link and select a Storage Account to be linked.
When linking the storage account to be used, there is an option to upload the files being monitored to the Storage Account.
In the Windows Services tab, we can define the frequency to check the services on the servers that are being tracked. We can go as low as 10 seconds to a maximum of 30 minutes.
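As an added example (not from the article), the Log Analytics query that would sit behind the hosts-file alert mentioned earlier: it reads the ConfigurationChange table that the ChangeTracking solution populates and lists hosts-file changes and changes under the tracked registry key paths for the last 24 hours. Column names follow the ConfigurationChange schema; the Windows hosts path assumes a default system root.

```kusto
// Added example, not from the article. Change Tracking writes file, registry,
// software and service changes to the ConfigurationChange table in the
// linked Log Analytics workspace; this pulls out the two security-relevant
// categories discussed above. Hosts-file paths are assumptions for default
// Windows and Linux installs; adjust them if your system root differs.
let lookback = 24h;
ConfigurationChange
| where TimeGenerated > ago(lookback)
| where (ConfigChangeType == "Files"
         and (FileSystemPath =~ @"C:\Windows\System32\drivers\etc\hosts"
              or FileSystemPath == "/etc/hosts"))
     or ConfigChangeType == "Registry"
// One column for "what changed", whichever type the row is
| extend Target = iff(ConfigChangeType == "Files", FileSystemPath, RegistryKey)
| project TimeGenerated, Computer, ConfigChangeType, ChangeCategory, Target
| order by TimeGenerated desc
```

Saved as a log alert rule that fires when the result count is greater than zero, this query turns the tracked files and registry keys into the notification to the security team described above.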
Change Tracking checklist
If you are planning to use Change Tracking, the following key points will help you avoid most of the roadblocks you may encounter during the deployment of this fantastic feature:
- Provision your Storage Account that will be used for the File Content option before creating the Automation Account.
- Provision your Log Analytics/Workspace before the Automation Account deployment. That helps create a resource using your naming convention instead of a random name.
- Enable the Registry Keys (by default they are all disabled) based on your security requirements.
- Enable Activity Logs (Management Plane) in the Change Tracking feature.
- Create a list of files that are important to add to the Change Tracking.
- Plan and secure your Run As accounts.
In this article, we covered the steps to enable and configure the Change Tracking feature. In our next article, we will explore the features we enabled and see how to combine Change Tracking with other Azure solutions, such as Alerting and OMS.