qualys-remediate-unhealthy-vms.ps1 not working #267
Comments
Hi @hassanbsee2071 - do you have unhealthy Azure Arc machines on the recommendation or just regular Azure VMs?
Hi,
We have only unhealthy azure arc vms.
Thanks for the feedback. The current version does not support Azure Arc connected machines. I modified the script to include such support and now testing it. Will upload a new version by the end of tomorrow.
Thanks for the update. Actually, I am from Telenor group and we have
deployed all our infra on AWS and are integrating with Azure Arc. I am writing
a script to enable the Log Analytics extension from the script. I think it is not
working properly. It would be great if you can check my script to see if
there is a problem with the script or with Azure. Theoretically and practically
the script should work fine, and it works fine sometimes, but I am unable to
identify the exact problem. Can you help me with this?
@hassanbsee2071 I created a different issue for that matter. Can you please paste your script there?
Yes, Sure,
Please find the script below mentioned... I have executed the script now
and one VM is successfully added. Comments are added in the script.
# Log Analytics workspace settings passed to the extension (placeholders)
$Setting = @{ "workspaceId" = " XXXXXXXXXXXXXXXXXXXXXXX " }
$protectedSetting = @{ "workspaceKey" = " XXXXXXXXXXXXXXXXXXXXXXX " }

# Unhealthy resources for the two assessments. The name test is parenthesised
# because "and" binds tighter than "or" in KQL.
$query = @"
securityresources
| where type == "microsoft.security/assessments" and (name == "27ac71b1-75c5-41c2-adc2-858f5db45b08" or name == "720a3e77-0b9a-4fa9-98b6-ddf0fd7e32c1")
| extend resourceId = properties.resourceDetails.Id
| extend resourceName = tostring(split(resourceId, "/")[8])
| extend resourceGroup = (split(resourceId, "/")[4])
| extend status = properties.status.code
| extend recommendatioName = properties.displayName
| where status == "Unhealthy"
| project subscriptionId, recommendatioName, resourceName, resourceGroup, status, resourceId, name
"@

$vms = Search-AzGraph -Query $query
write-host "`n"
echo "Following VMs have been identified for Loga Analytics Extension"
$vms.resourceName
write-host "`n"
write-host "`n"
foreach ($vm in $vms) {
    $vmName = ($vm.resourceName)
    $resgrp = ($vm.resourceGroup)
    # The first assessment ID is treated as Windows; anything else as Linux
    if ($vm.name -match '27ac71b1-75c5-41c2-adc2-858f5db45b08') {
        Write-Host "This is Windows Platform $vmName" -ForegroundColor Green
        Write-Host "Adding log Analytics Extention to VM $vmName. It will take eight minutes per vm:-)" -ForegroundColor Green
        New-AzConnectedMachineExtension -Name MMAExtension -ResourceGroupName $resgrp -MachineName $vmName `
            -Location "West Europe" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -TypeHandlerVersion "1.0" `
            -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "MicrosoftMonitoringAgent"
        write-host "`n"
        Get-AzConnectedMachineExtension -ResourceGroupName $resgrp -MachineName $vmName
    }
    else {
        Write-Host "This is Linux Platform $vmName" -ForegroundColor Green
        Write-Host "Adding log Analytics Extention to VM $vmName. It will take eight minutes per vm:-)" -ForegroundColor Green
        Write-Host "$resgrp" -ForegroundColor Green
        New-AzConnectedMachineExtension -Name MMAExtension -ResourceGroupName $resgrp -MachineName $vmName `
            -Location "West Europe" -Publisher "Microsoft.EnterpriseCloud.Monitoring" -TypeHandlerVersion "1.13" `
            -Settings $Setting -ProtectedSetting $protectedSetting -ExtensionType "OmsAgentforLinux"
        write-host "`n"
        Get-AzConnectedMachineExtension -ResourceGroupName $resgrp -MachineName $vmName
    }
}
Hi,
I think I have identified the issue. Once VMs are connected with the Azure Arc
agent, wait approximately one hour for the recommendations to refresh, and
similarly once they are disconnected we should wait for one hour to get
updated recommendations. Previously I tried immediately. It would be great
if you could take a look.
Sorry, I think I have posted on the wrong topic.
Just two questions. The Qualys script below works for Azure Arc also.
(1) When I execute the query it shows Azure Arc VMs. Did you mean it does not
remediate vulnerability assessment for Azure Arc VMs? VMs are just shown
in the query only? I just skipped the condition which checks whether the VM status is
running or not.
(2) Can we do that with policy?
#Requires -Modules Az.Accounts, Az.ResourceGraph
if (-not (Get-AzContext)) {
    Write-Host "Please authenticate to Azure using 'Connect-AzAccount'"
}
# Resources that are Unhealthy for the vulnerability assessment recommendation
$query = @"
securityresources
| where type == 'microsoft.security/assessments' and name == 'ffff0522-1e88-47fc-8382-2a80ba848f5d'
| extend status = properties.status.code, resourceid = properties.resourceDetails.Id
| where status == 'Unhealthy'
| project resourceid
"@
$vms = Search-AzGraph -Query $query
foreach ($vm in $vms) {
    $vmName = ($vm.resourceid -split '\/')[-1]
    Write-Host "Working on $vmName" -ForegroundColor Green
    # PUT the default server vulnerability assessment on the resource
    $res = Invoke-AzRestMethod -Path ('{0}/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-Version=2015-06-01-preview' -f $vm.resourceid) -Method PUT
    if ($res.StatusCode -notmatch '200|202') {
        Write-Host ($res.Content | ConvertFrom-Json).Error.message -ForegroundColor Red
    }
    else {
        Write-Host "Working on $vmName is Complete" -ForegroundColor Green
    }
}
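Hi @hassanbsee2071 - Please try the latest version
<https://github.com/Azure/Azure-Security-Center/tree/master/Remediation%20scripts/Enable%20the%20built-in%20vulnerability%20assessment%20solution%20on%20virtual%20machines%20(powered%20by%20Qualys)/PowerShell>
of the remediation script which now supports Azure Arc enabled servers. Let me know if it works for you. 🙏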
Hi,
Thank you very much. Tomorrow we will do mass deployment and surely use
this script and will let you know. Thank you once again.
Hi,
I have used the latest version for 25 Azure Arc VMs. The script works
perfectly. It is perfect. Amazing work.
Thank You.
Glad to hear! Thanks for the update @hassanbsee2071. I will go ahead and close this item.
I am running the qualys-remediate-unhealthy-vms.ps1 script but I am facing the issue below. It would be great if you can help us.
Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-failure-cause, System.String[]], [x-ms-request-id,
System.String[]]…}
Version : 1.1
StatusCode : 400
Method : GET
Content : {"error":{"code":"NoRegisteredProviderFound","message":"No registered resource provider found for location 'westeurope' and API
version '2019-12-01' for type 'machines'. The supported api-versions are '2019-03-18-preview, 2019-08-02-preview, 2019-12-12,
2020-03-11-preview, 2020-07-30-preview, 2020-08-02, 2020-08-15-preview'. The supported locations are 'westcentralus, westus2,
westeurope, southeastasia, eastus, australiaeast, southcentralus, eastus2, northeurope, uksouth'."}}
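An added example (not the repository's script and not code from anyone in this thread) of one way to avoid the `NoRegisteredProviderFound` error shown above: derive the resource type from each resource ID and send the state check with an api-version that type supports. The helper names and the version table are hypothetical; `2019-12-12` comes from the supported list in the error, `2019-12-01` is assumed to be the Microsoft.Compute version the failing request carried, and the Arc `properties.status` value `Connected` is assumed as the "running" equivalent.

```powershell
# Invoke-AzRestMethod is part of Az.Accounts; the GET calls need an authenticated context.
# Assumption: 2019-12-12 is taken from the supported list in the error above;
# 2019-12-01 is the version the failing request carried.
$ApiVersionByType = @{
    'microsoft.compute/virtualmachines' = '2019-12-01'
    'microsoft.hybridcompute/machines'  = '2019-12-12'
}

function Get-ResourceTypeFromId {   # hypothetical helper
    param([Parameter(Mandatory)][string]$ResourceId)
    # .../providers/<namespace>/<type>/<name>
    if ($ResourceId -match '/providers/(?<ns>[^/]+)/(?<type>[^/]+)/[^/]+$') {
        return ('{0}/{1}' -f $Matches.ns, $Matches.type).ToLowerInvariant()
    }
    throw "Cannot parse a resource type from '$ResourceId'"
}

function Test-MachineReachable {    # hypothetical helper
    param([Parameter(Mandatory)][string]$ResourceId)
    $type = Get-ResourceTypeFromId -ResourceId $ResourceId
    $api  = $ApiVersionByType[$type]
    if (-not $api) { throw "Unsupported resource type '$type'" }

    if ($type -eq 'microsoft.hybridcompute/machines') {
        # Arc-enabled servers expose agent connectivity in properties.status.
        $path = '{0}?api-version={1}' -f $ResourceId, $api
    }
    else {
        # Azure VMs expose the power state in the instance view.
        $path = '{0}/instanceView?api-version={1}' -f $ResourceId, $api
    }
    $res = Invoke-AzRestMethod -Method GET -Path $path
    if ($res.StatusCode -ne 200) {
        throw "GET $path returned $($res.StatusCode): $($res.Content)"
    }
    $body = $res.Content | ConvertFrom-Json
    if ($type -eq 'microsoft.hybridcompute/machines') {
        return $body.properties.status -eq 'Connected'
    }
    return @($body.statuses.code) -contains 'PowerState/running'
}

# Constructed sample IDs (placeholders, not from the thread); this part runs offline.
$sample = @(
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo'
    '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.HybridCompute/machines/arc-demo'
)
$sample | ForEach-Object { '{0} => {1}' -f ($_ -split '/')[-1], (Get-ResourceTypeFromId $_) }
```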