Intro to Azure Monitor – Application Insights for SCOM Admins

Back in 2017 I moved away from working with SCOM to a role focused on Application Insights and monitoring in Azure. I always used to hear Application Insights is only for developers, but the more I use it, the more I see ways in which it could be useful to a broader audience.

It’s not to say the core audience isn’t still the more dev centric, it is, but even if coding isn’t part of your day-to-day work I think it’s useful to know how all the available tools in your toolbox work. Application monitoring is something everyone who works on monitoring needs to care about, not just developers.

Towards that end, I started a side-project recently to help anyone get up to speed on Azure Monitor – Application Insights. It doesn’t assume any developer knowledge, every step is recorded so even if you have never written a line of code before it’s possible to follow along. Having some degree of dev/scripting background will certainly help, but it isn’t required. I walk through each step, and if you don’t come from a traditional coding background this might give you that extra nudge to dig in and learn more.

For the first video all you need is a free copy of Visual Studio 2017 Community edition, and an Azure subscription. If you don’t have a subscription you can sign-up for a free subscription here.

During the Visual Studio install select ASP.NET and web development.

Keep the default optional components:

Now you should be all set, and ready to follow along:

If you are interested in learning more check-out the official docs here. If you like the video and would like to see more for topics like monitoring JavaScript, Java, .NET Core, availability monitoring, distributed tracing, etc, leave a comment here.

I think I have enough time to make a new video every two weeks, but having a sense of how much interest there is will help in setting aside time.

How do I: Monitor Azure AD Connect Sync with SCOM?

Back in the Fall, I had a question regarding monitoring Azure AD Connect Sync with SCOM. The preferred solution is Azure AD Connect Health, and if you have SCOM you couple that with various on premises AD/ADFS Management Packs to monitor your hybrid environment end-to-end.

I love that our product teams who build cloud services are taking a proactive approach to monitoring and thinking about it as integral to the product development cycle. A part of me would like to see a Product Group Management Pack for Azure AD Connect Sync, but I also understand that in this new cloud first world that you have to focus your resources carefully, and sometimes that means developing solutions that can potentially benefit a broader pool of customers.

The biggest challenge that I have seen for some Hybrid Cloud customers is that the out-of-box built-in notification mechanism of these monitoring solutions is e-mail only. Many of the customers I work with have fairly advanced notification/ticketing systems, and while e-mail is one avenue of alerting, it isn’t the only one. For customers with SCOM, they have often put in the leg work of integrating SCOM with their existing notification systems. So certain alerts are e-mails, others are tickets, some might kick-off a page or text to wake-up an engineer at 2 AM.

With some cloud services I can understand the argument that the paging at 2 AM is going to happen on the vendor/provider side, so your engineers can continue to sleep peacefully. But with a hybrid solution like Azure AD Connect Sync, that isn’t really the case. You can absolutely have a problem that only your engineers can fix, and you may want to have the flexibility to leverage your existing notification systems.

You could certainly explore integrating directly between your ticketing/notification system and Azure AD Connect Health, and for some customers this will be the correct path. (No need to add an extra hop/point of failure if you don’t need to.) But for those who have already invested heavily in SCOM, it would be nice to have a management pack that could provide basic integration with minimal development effort.

I didn’t have time to tackle this problem during the Fall, but I have a week of vacation next week so I spent this past weekend putting together a quick proof of concept Management Pack.

The MP is still very much in beta form, and it falls under the usual AS-IS/test heavily/use at your own risk disclaimer that accompanies all community based MPs. I am actively seeking feedback and will come out with additional versions as time allows, so if you have suggestions please feel free to send them my way. If you DM @OpsConfig on Twitter, or leave a comment I will respond via e-mail.

The core functionality of the MP is simple. It makes an API call to your instance of Azure AD Connect Sync Health for alerts every 15 minutes . If there is a new warning alert it will generate a corresponding warning alert in SCOM. If there is a new critical alert it will generate a corresponding critical alert. If an alert closes in Azure AD Connect Health the MP will automatically detect the resolution and close out the Alert in SCOM. Nothing fancy, but it works and is pretty lightweight.

I also added in a custom class/monitor that looks for instances of the Microsoft Azure AD Sync Service:

AAD Connect Health will monitor this too, but it doesn’t monitor it as real-time as SCOM can. It takes over an hour for AAD Connect Health to generate an alert and I would rather know within 60 seconds if Sync is down rather than having to wait.

In addition the MP monitors the core services which feed Azure AAD Connect Sync Health:

Again if these services go down you will eventually be alerted by AAD Connect Sync Health, but why wait? Since these services are delayed start, I built a custom Unit Monitor Type that gives them a little more leeway so we check the service state every 30 seconds but unlike the default NT Service Unit Monitor Type we wait until we have 6 consecutive samples of service stopped detected before we alert. Since these monitors are tied to the class based on the presence of the Azure AD Sync service, they will also alert if you have a server with the sync service which doesn’t have the Azure AD Connect Health Sync Agent/services installed. (If this is an issue, you can always override the monitors, but without those services installed and running you are losing 95% of the functionality provided by this pack.)

To get started with the pack there are some prerequisites:

  • You need Azure AD Connect Health to be installed and configured. I won’t go into the details for that, but you can find everything you need to know via the awesome guide/videos which can be found here:

https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health

  • For Authentication I leverage the Active Directory Authentication Library (ADAL). The key components being these two .dlls:

$ADAuthLib= “C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\ManagedCache\Microsoft.IdentityModel.Clients.ActiveDirectory.dll”
$ADAuthLibForms=”C:\Program Files (x86)\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\ManagedCache\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll”

If you download and install the Azure Powershell Module this should give you everything you need:

https://aka.ms/webpi-azps

You will need to install this on each of the management servers, as I leverage the All Management Servers Resource Pool as the source of API calls to allow for high-availability. (If having the ability to have a dedicated AAD Connect Health Watcher is more desirable than the AMSRP just let me know and I can make another version of the MP which can support this.)

Your management servers will need to allow communication to the following urls through both windows/network firewalls:

https://management.azure.com/
https://login.windows.net/

  • You will need a user account with necessary access to Azure AD Connect Health Sync.
  • When logged into https://portal.azure.com navigate to Azure Active Directory in the left hand pane.

Then select Azure AD Connect

Select Azure AD Connect Health

Right now you can see that my environment is unhealthy as I have intentionally stopped the Azure Active Directory Connect Sync Monitoring to force an error condition:

If you click Users – Add – select a role and add a user that we will later add to a Run As Profile in SCOM:

As this is still early in the testing phase I have lazily done most my testing with an account  with Owner privs. I believe Monitoring Reader Service Role should be sufficient (Subsequent testing shows that this works — see comments for details), but I need to do some more testing to insure that will always hold true.

There is one more prereq click Azure Active Directory Connect (Sync)

Then click the service name that you want to monitor:

Take note of the url in your browser bar as you will need to copy the small portion highlighted in yellow for an overridable parameter in SCOM:

Once you have all the above prerequisites in place you can download and import the MP from here:

Azure AD Connect Sync Custom MP

Once imported you will need to add your Azure AD Connect account configured above to a custom Run As Profile.

I use an account configured with Basic Auth that I then distribute to my management servers.

Once this is in place we need to modify the core rule that drives the MP:

Right-click Azure AD Connect Rule – Overrides – Override the Rule – For all objects of class: All Management Servers Resource Pool

Override AADSync URL (the portion of the url highlighted in yellow that you copied before) – Add your AdTenant – Set the rule to enabled.

Then any time an alert gets generated in Azure AD Connect Sync Health:

A corresponding alert will be generated in SCOM:

Once the alert closes in AAD Connect Sync Health it will close out in SCOM within 15 minutes.

When I get back from vacation I will put together a post or a video walking through the underlying mechanics of exactly how the MP works, and then I will most likely post the Visual Studio project files on GitHub. But in the meantime you are welcome to download and test it out from TechNet Gallery. Now I am off to my vacation. Cheers!

How do I: Create An Advanced SQL Database Backup Monitor In Visual Studio?

My favorite part of my job is getting to work with customers and understand exactly how they use, and also need a product to work. Some of the time this just means listening closely, answering questions, and relaying information back to the product group. But often there are those tiny changes and use cases that fall outside the realm of things the product group is likely to address.

A change that might be hugely valuable for Customer A, won’t happen if it breaks backwards compatibility for Customers B-Z.

One of my customers has a SCOM environment for SQL that monitors over 20,000 databases. Due to their size there are often cases where the out-of-box monitoring provided by the SQL Product Groups management packs isn’t able to completely meet their needs. While the pack provides fantastic monitoring for SQL, there are times where they need a more granular view of the health of their environment.

An instance of this from the past year was monitoring SQL Database backups. The SQL Product Group’s pack gives you the ability to alert if a database hasn’t been backed up in a certain number of days. By default it is set to 7 days, but you can override that to any integer value of days.

For my customer this wasn’t really good enough. They wanted to be able to drill down and alert on hours since last backup. They also wanted multiple severities so if it had been 20 hours since a backup, an e-mail could go out, but at 30 hours we would generate a page. The 20 & 30 hours would be customizable at the individual database level, and they also wanted some added logic that would check database backups for databases that had a status of “ONLINE”. We have other monitors that look at DB Status in general so in this case if a database was OFFLINE they either knew about it from the other monitors and were fixing it, or it was intentional in which case they didn’t want a backup alert.

The basic logic behind the SQL PG’s MP is a simple T-SQL query wrapped in a fairly complex vbscript. The unwrapped T-SQL is below:

The T-SQL modifications we need to make are relatively simple swap DAY to HOUR, and add in a line to only return database backup info for databases with a status of ONLINE.

To get this into a working Management Pack is a little bit more complex and requires isolating and cloning the Product Groups Database Backup Monitor in Visual Studio, and then making a few changes to the XML for our custom iteration.  To prevent screenshot overload I did a quick step-by-step walkthrough of the process. For this video I opted to leave out three-state severity request, and will show how to add that functionality in a follow up video.

If you have any questions or need any help, just leave a comment.

Sidenote/Tangent: C Programming & Key Loggers

One of my side projects over the past few months has been to teach myself the C programming language. It has been going pretty well, but it’s easy to get bored with the typical practice problems.To combat this I gave myself a slightly more real-world practice problem. I decided to write a Key Logger in native C using only the Win32 API. There are a few good examples online of the mechanics of how to do this, but what I quickly found after getting a working prototype up and running was that Windows Defender is actually pretty good in some cases at detecting/tagging key loggers as Trojans. I tried different example code from online, and in each case Windows Defender instantly caught it upon execution.

So the next challenge was how to write a Key logger in native C with the Win32 API which Windows Defender could not detect.

After a few modifications I thought I had it figured out, but what I came to realize is that Defender is built such that it can tell if you are repeatedly trying to vet code past it and it will temporarily stop intercepting it so you can’t tell if your modifications are working.

It is actually a fairly interesting problem in that Defender has to be able to recognize certain patterns common to Key Loggers, but at the same time it has to be able ignore programs that function like Notepad/Word/Games which have a completely legitimate reason for listening and responding instantly to keystrokes. This balance is where the room for vulnerability lies. It would be easy to alert anytime a new program was listening for keystrokes via the Win32 API’s, but you would have so many non-actionable events it would be pointless. So it becomes a game of whack-a-mole where the patterns for detecting key loggers need to be  permissive enough not to piss off users trying to run non-malicious code, but restrictive enough to hopefully catch/deter a less than determined adversary.

I have no insider knowledge into how Defender works (nor would I share any if I did), but after figuring out how to force Defender to try to quarantine my program every time it ran, I could slowly comment out aspects of my Key Logger code until I zeroed in on the characteristics it was using to make its diagnosis. Once I had that, the problem was solved.

It took a few hours, but I now have a basic functional Key Logger that doesn’t need to run as administrator and is completely invisible to Windows Defender. I also learned more about C and the Win32 API in the past few hours than from three weeks worth of reading.  As much as possible I am going to try to add in programming assignments like this one that have a bit more real-world application as they are able to maintain my interest better than writing Celsius to Fahrenheit temperature converters and the other example problems that are universal to almost every learn programming language X book.

I had debated not publishing the code, but a routine Bing/Google search will reveal plenty of similar alternate examples, and with C source code for programs like mimikatz readily available this would fall into the tamer categories of code available for aspiring white hats who want to learn more about programming and security.

The code is provided without warranty of any kind and is for educational purposes only, and in this case I am only including screenshots without the details of the work to vet the code against an antivirus application. If you want to create a working copy you have to type it out yourself which is in the end the best way to learn.

To start off launch Visual Studio.  (For my example I am using Visual Studio 2013)

File New Project (Ctrl — Shift — N)

Select Visual C++ (Win32 Console Application) -Even though the code we are writing is almost entirely C the C++ compiler is backwards compatible with any of our C code.

Select Empty project

Right-Click Source File — Add — New Item (Ctrl-Shift-A)

Give you .cpp files a name click Add

The code itself is pretty simple. The ShowWindow() function controls the visibility of the command prompt window.

While loop continues indefinitely until the End Key is pressed or the Console Window/associated process is closed/stopped. For loop cycles between keys 8-255.

GetAsyncKeyState() function let’s us know if the key we are cycling through in the for loop is down. http://www.cplusplus.com/forum/general/141404/ (Nice explanation of why to use & 0x0001)

Use if statements to determine what keys get written directly to file. Shift letters A-Z by 32 making all letters lowercase via ASCII character set. http://www.asciitable.com/

To map other keys you need to use win32 API Virtual-Key Codes:

https://msdn.microsoft.com/en-us/library/windows/desktop/dd375731(v=vs.85).aspx

If you have any suggestions on good C Programming resources let me know. I have exhausted K&R and K.N.King’s C Programming a Modern approach and am currently working my way through Robert Sedgewick’s Algorithms in C, but I am always happy to get new reading suggestions.

The contents of this site are provided “AS IS” with no warranties, or rights conferred. Example code could harm your environment, and is not intended for production use. Content represents point in time snapshots of information and may no longer be accurate. (I work @ MSFT. Thoughts and opinions are my own.)