Monitor Adaptive Application Safelisting

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-013

Ensure that the monitoring of the adaptive application controls is enabled within your Microsoft Azure cloud account so that Microsoft Defender for Cloud can determine whether the Adaptive Application Controls feature is enabled for your eligible virtual machines (VMs). Adaptive Application Controls is an automated application allow-listing (safelisting) solution provided by Microsoft Defender for Cloud that helps you deal with malicious and/or unauthorized software by allowing only specific applications to run on your Azure and non-Azure VMs (both Windows and Linux).

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When the monitoring of the adaptive application controls is enabled within your Microsoft Azure account, Microsoft Defender for Cloud evaluates your eligible virtual machines (VMs) for adaptive application controls, a feature that lets you control which applications can run on those VMs and helps you harden them against malware. Microsoft Defender for Cloud uses machine learning to analyze the applications running on each eligible virtual machine and suggests a list of known-safe applications.


Audit

To determine if the monitoring of the adaptive application controls for virtual machines is enabled within the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab, uncheck Only show parameters that need input or review, and search for the following parameter: Adaptive application controls for defining safe applications should be enabled on your machines. If the Adaptive application controls for defining safe applications should be enabled on your machines parameter is set to Disabled, the adaptive application controls for Azure virtual machines are not enabled within the selected subscription.

08 Repeat steps no. 4 – 7 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Run the az account get-access-token command (Windows/macOS/Linux) piped into a curl GET request against the SecurityCenterBuiltIn policy assignment REST endpoint, and use jq to extract the adaptiveApplicationControlsMonitoringEffect configuration parameter value, in order to determine if the adaptive application controls for virtual machines are enabled within the current Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn") | .properties.parameters.adaptiveApplicationControlsMonitoringEffect.value'

02 The command output should return the requested configuration parameter value:

"Disabled"

If the command output returns "Disabled", as shown in the output example above, the adaptive application controls for Azure virtual machines are not enabled within the current subscription. If the output is null, the assignment does not override this parameter and the default effect defined in the initiative applies; check the initiative definition (or the Parameters tab in the Azure console) to see which effect that is.

03 Repeat step no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To turn on adaptive application controls for virtual machines using the Microsoft Defender for Cloud security policy, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Policy settings, choose Security policy.

06 In the Default initiative section, click on the name of the default initiative enabled for the selected subscription (i.e. ASC Default (subscription: <subscription-id>)).

07 Choose the Parameters tab and uncheck the Only show parameters that need input or review checkbox to list all the initiative parameters.

08 Select AuditIfNotExists from the Adaptive application controls for defining safe applications should be enabled on your machines parameter dropdown list to enable the adaptive application controls for the virtual machines provisioned within the selected Azure subscription.

09 Select Review + save to review the configuration changes, then choose Save to apply the changes. If the operation is successful, the following confirmation message should be displayed: "Updating policy assignment succeeded".

10 Repeat steps no. 4 – 9 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the request body for the PUT request that updates the ASC Default policy assignment (named SecurityCenterBuiltIn), with the adaptiveApplicationControlsMonitoringEffect parameter set to AuditIfNotExists to turn on the adaptive application controls monitoring. Save the configuration document to a JSON file named enable-adaptive-application-controls.json and replace the highlighted details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure subscription details. Because a PUT request replaces the whole policy assignment, any other initiative parameter you have already set on the assignment must also appear in the parameters object, otherwise it reverts to the initiative default; retrieve the current assignment with the GET request from the Audit section and copy its existing parameters into this document before saving:

{
  "properties":{
     "displayName":"ASC Default (subscription: <azure-subscription-id>)",
     "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
     "scope":"/subscriptions/<azure-subscription-id>",
     "parameters":{
        "adaptiveApplicationControlsMonitoringEffect":{
           "value":"AuditIfNotExists"
        }
     }
  },
  "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type":"Microsoft.Authorization/policyAssignments",
  "name":"SecurityCenterBuiltIn",
  "location":"eastus"
}

02 Run the az account get-access-token command (Windows/macOS/Linux) piped into a curl PUT request that sends the configuration document defined at the previous step (i.e. the enable-adaptive-application-controls.json file) to the policy assignment REST endpoint, to enable adaptive application controls for the virtual machines provisioned within the selected Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -s -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-adaptive-application-controls.json"'

03 The command output should return the updated policy assignment, including the modified configuration parameter:

{
  "sku": {
    "name": "A0",
    "tier": "Free"
  },
  "properties": {
    "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
    "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
    "parameters": {
      "adaptiveApplicationControlsMonitoringEffect": {
        "value": "AuditIfNotExists"
      }
    },
    "metadata": {
      "createdBy": "abcdabcd-1234-1234-1234-abcdabcdabcd",
      "createdOn": "2019-05-17T15:38:40.3473931Z",
      "updatedBy": "1234abcd-1234-1234-1234-abcd1234abcd",
      "updatedOn": "2022-02-01T21:22:40.7422203Z"
    }
  },
  "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.
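The audit loop (Audit, Azure CLI steps 1 to 3) and the remediation PUT (steps 1 to 3 above), as one added Python script that is not part of this page or of Conformity's tooling. It drives the same policy assignment REST endpoint as the curl commands, using the az CLI only for the access token and the subscription list. SAMPLE_ASSIGNMENT is a constructed document (its GUIDs copied from the page's example output) so the parsing and body-building logic runs offline; the systemUpdatesMonitoringEffect entry in it is included only to show that remediation_body() preserves parameters the page's JSON would drop, and the "inherits-default" status, the --fix flag and the function names are this script's own conventions.

```python
"""Audit/remediate adaptiveApplicationControlsMonitoringEffect on the ASC Default
policy assignment. Added example for this page, not Conformity's tooling; it uses
the same REST endpoint as the page's curl commands. SAMPLE_ASSIGNMENT is constructed."""
import json
import subprocess
import urllib.error
import urllib.request

ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
PARAM = "adaptiveApplicationControlsMonitoringEffect"
API_VERSION = "2018-05-01"
ENABLED_EFFECT = "AuditIfNotExists"

# Constructed GET response for a subscription with the parameter Disabled,
# plus a second (illustrative) parameter for remediation_body() to preserve.
SAMPLE_ASSIGNMENT = {
    "properties": {
        "displayName": "ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/1234abcd-1234-1234-1234-abcd1234abcd",
        "scope": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd",
        "parameters": {
            PARAM: {"value": "Disabled"},
            "systemUpdatesMonitoringEffect": {"value": "AuditIfNotExists"},
        },
    },
    "id": "/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
    "type": "Microsoft.Authorization/policyAssignments",
    "name": ASSIGNMENT_NAME,
    "location": "eastus",
}

def classify_effect(assignment):
    """Return "enabled", "disabled" or "inherits-default". The page's jq query
    prints null when the assignment does not override the parameter; that is not
    Disabled: the initiative's default effect applies and must be checked there."""
    params = assignment.get("properties", {}).get("parameters") or {}
    value = (params.get(PARAM) or {}).get("value")
    if value is None:
        return "inherits-default"
    return "enabled" if value == ENABLED_EFFECT else "disabled"

def remediation_body(assignment):
    """PUT body that enables the parameter and keeps every other parameter.
    PUT replaces the whole assignment, so a body carrying only this parameter
    (as the page's JSON does) resets the others to their initiative defaults."""
    props = assignment["properties"]
    params = dict(props.get("parameters") or {})  # copy; input stays untouched
    params[PARAM] = {"value": ENABLED_EFFECT}
    body = {"properties": {"displayName": props["displayName"],
                           "policyDefinitionId": props["policyDefinitionId"],
                           "scope": props["scope"],
                           "parameters": params},
            "id": assignment["id"], "type": assignment["type"],
            "name": assignment["name"]}
    for key in ("location", "identity"):  # keep a managed identity if attached
        if key in assignment:
            body[key] = assignment[key]
    return body

def assignment_url(subscription_id):
    return ("https://management.azure.com/subscriptions/%s/providers/"
            "Microsoft.Authorization/policyAssignments/%s?api-version=%s"
            % (subscription_id, ASSIGNMENT_NAME, API_VERSION))

def az_json(*args):
    """Run an az CLI command and parse its JSON output (requires az login)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

def call_api(url, token, method="GET", body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def main(fix=False):
    """Report the status of every subscription visible to the current token and,
    with fix=True, PUT the merged body wherever the effect is not enabled."""
    token = az_json("account", "get-access-token")["accessToken"]
    for sub in az_json("account", "list", "--query", "[].id"):
        try:
            assignment = call_api(assignment_url(sub), token)
        except urllib.error.HTTPError as err:
            if err.code == 404:  # default initiative not assigned at all
                print(sub, "no-assignment")
                continue
            raise
        status = classify_effect(assignment)
        print(sub, status)
        if fix and status != "enabled":
            call_api(assignment_url(sub), token, "PUT", remediation_body(assignment))

if __name__ == "__main__":
    import sys
    main(fix="--fix" in sys.argv)
```

Run it without arguments for a read-only report and with --fix to apply the merged PUT. The access token returned by az account get-access-token is issued for the tenant of the current subscription, so subscriptions that az account list shows from other tenants will fail with an authorization error and need a separate az login.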

Publication date May 31, 2019