Enable Adaptive Application Safelisting Monitoring

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-013

Ensure that the monitoring of adaptive application controls is enabled within your Microsoft Azure cloud account so that Azure Security Center can determine whether the Adaptive Application Control feature is enabled for eligible virtual machines (VMs). Adaptive Application Control is an automated application safelisting solution provided by Azure Security Center that helps you deal with malicious and/or unauthorized software by allowing only specific applications to run on your Azure and non-Azure VMs (both Windows and Linux).

This rule resolution is part of the Cloud Conformity Security & Compliance tool for Azure

Security

When the "Monitor Adaptive Application Controls" feature is enabled within your Microsoft Azure account, Azure Security Center scans your eligible virtual machines for adaptive application controls, which lets you control which applications can run on those VMs and helps you harden them against malware.


Audit

To determine if adaptive application safelisting monitoring is enabled within Azure Security Center, perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, in the Compute and Apps category, check the status of the Adaptive Application Controls should be enabled on virtual machines configuration setting. If the setting is set to Disabled, adaptive application safelisting monitoring is not enabled for the Microsoft Azure virtual machines (VMs) provisioned in the current subscription.

06 Repeat steps no. 4 and 5 for each Microsoft Azure subscription available in your account.

Using Azure CLI and PowerShell

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to get the "Monitor Adaptive Application Controls" feature status for the current Azure account subscription:

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01' | jq 'select(.name=="SecurityCenterBuiltIn")' | jq '.properties.parameters.adaptiveApplicationControlsMonitoringEffect.value'

02 The command output should return the adaptive application safelisting monitoring configuration status:

"Disabled"

If the command output returns "Disabled", as shown in the example above, the monitoring of the adaptive application controls is not enabled for the Microsoft Azure virtual machines (Windows and Linux) available in the selected subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your account.

Remediation / Resolution

To enable the "Monitor Adaptive Application Controls" feature for your Microsoft Azure virtual machines (VMs), perform the following actions:

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the navigation panel, choose Security policy to access Policy Management portal.

04 On the Policy Management page, click on the name of the subscription that you want to examine to access the selected subscription configuration settings.

05 On the Security Policy page, click on the ASC Default (subscription: <azure-subscription-id>) policy assignment to edit the policy configuration.

06 On the selected policy assignment page, in the PARAMETERS section, select AuditIfNotExists from the Monitor application whitelisting dropdown list to enable the monitoring of application safelisting in Azure Security Center for the selected Microsoft Azure subscription.

07 Click Save to apply the changes. If successful, the following message should be displayed: "Updating policy assignment succeeded". Once the configuration changes are saved, the "Monitor Adaptive Application Controls" feature becomes active for the selected Azure subscription.

08 If required, repeat steps no. 4 – 7 for the other Microsoft Azure cloud subscriptions available.

Using Azure CLI and PowerShell

01 Define the request body for the policy assignment update, with the adaptiveApplicationControlsMonitoringEffect configuration parameter set to AuditIfNotExists. Save the following content to a JSON file named enable-adaptive-application-safelisting-monitoring.json and replace the placeholder details, i.e. <azure-subscription-id> and <policy-definition-id>, with your own Azure account details:

{
   "properties":{
      "displayName":"ASC Default (subscription: <azure-subscription-id>)",
      "policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
      "scope":"/subscriptions/<azure-subscription-id>",
      "parameters":{
         "adaptiveApplicationControlsMonitoringEffect":{
            "value":"AuditIfNotExists"
         }
      }
   },
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

02 Run the account get-access-token command (Windows/macOS/Linux) together with the configuration parameters defined in the JSON document at the previous step to enable the monitoring of application safelisting in Azure Security Center for the selected Microsoft Azure subscription:

az account get-access-token \
	--query "{subscription:subscription,accessToken:accessToken}" \
	--out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn?api-version=2018-05-01 -d@"enable-adaptive-application-safelisting-monitoring.json"'

03 If successful, the command output should return the updated Azure Security Center policy, e.g.:

{
   "sku":{
  	"name":"A0",
  	"tier":"Free"
   },
   "properties":{
  	"displayName":"ASC Default (subscription: abcdabcd-1234-1234-1234-abcdabcdabcd)",
  	"parameters":{
     	"adaptiveApplicationControlsMonitoringEffect":{
        	"value":"AuditIfNotExists"
     	}
  	},

  	...

   },
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
   "type":"Microsoft.Authorization/policyAssignments",
   "name":"SecurityCenterBuiltIn",
   "location":"eastus"
}

04 If required, repeat steps no. 1 – 3 for the other Microsoft Azure cloud subscriptions available.
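The audit check (read adaptiveApplicationControlsMonitoringEffect from the SecurityCenterBuiltIn assignment) and the remediation body (the JSON sent with PUT) from the CLI steps above, as an added Python example that is not part of the original page. It works on an assignment document already fetched with the token and curl steps, so those are unchanged; SAMPLE_ASSIGNMENT is a constructed response with placeholder ids, and anotherMonitoringEffect is a made-up parameter name.

```python
import copy
import json

ASSIGNMENT_NAME = "SecurityCenterBuiltIn"
PARAM = "adaptiveApplicationControlsMonitoringEffect"
COMPLIANT_EFFECT = "AuditIfNotExists"

# Constructed sample of a GET .../policyAssignments/SecurityCenterBuiltIn response,
# shaped like the page's JSON. Ids are placeholders; "anotherMonitoringEffect" is a
# made-up name standing in for the other parameters a real ASC Default assignment has.
SAMPLE_ASSIGNMENT = json.loads("""{
  "properties": {
    "displayName": "ASC Default (subscription: <azure-subscription-id>)",
    "policyDefinitionId": "/providers/Microsoft.Authorization/policySetDefinitions/<policy-definition-id>",
    "scope": "/subscriptions/<azure-subscription-id>",
    "parameters": {
      "adaptiveApplicationControlsMonitoringEffect": {"value": "Disabled"},
      "anotherMonitoringEffect": {"value": "AuditIfNotExists"}
    }
  },
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn",
  "type": "Microsoft.Authorization/policyAssignments",
  "name": "SecurityCenterBuiltIn",
  "location": "eastus"
}""")

def monitoring_effect(assignment):
    """Same extraction as the audit step's jq filter: check the assignment name,
    then read properties.parameters.<PARAM>.value ("NotSet" if the parameter is absent)."""
    if assignment.get("name") != ASSIGNMENT_NAME:
        raise ValueError("not the %s assignment" % ASSIGNMENT_NAME)
    params = assignment.get("properties", {}).get("parameters", {})
    return params.get(PARAM, {}).get("value", "NotSet")

def is_compliant(assignment):
    return monitoring_effect(assignment) == COMPLIANT_EFFECT

def remediation_body(assignment):
    """PUT body for the remediation step. ARM PUT replaces the whole assignment and
    parameters missing from the body fall back to the initiative defaults, so start
    from the current assignment and change only this one parameter."""
    body = copy.deepcopy(assignment)
    params = body.setdefault("properties", {}).setdefault("parameters", {})
    params[PARAM] = {"value": COMPLIANT_EFFECT}
    return body

def noncompliant_subscriptions(assignments):
    """Audit step 3 across subscriptions: {subscription_id: assignment} -> ids to fix."""
    return sorted(s for s, a in assignments.items() if not is_compliant(a))
```

Feed each subscription's GET response into noncompliant_subscriptions, then send remediation_body(assignment) as the -d payload of the PUT for every id it returns.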

Publication date May 31, 2019
