Microsoft Azure Security Center policies runner

Microsoft.RomeDetection.EnableAscPolicies (Rule)

Enables all the policies required by the Azure Security Center detection engine.

Element properties:

Target: Microsoft.Windows.Computer
Category: Custom
Enabled: False
Alert Generate: False
Remotable: False

Member Modules:

ID Module Type TypeId RunAs 
Scheduler DataSource System.Scheduler Default
Microsoft.RomeDetection.EnableAscPoliciesScriptWriteAction WriteAction Microsoft.Windows.PowerShellWriteAction Default

Source Code:

<Rule ID="Microsoft.RomeDetection.EnableAscPolicies" Target="Windows!Microsoft.Windows.Computer" Enabled="false" ConfirmDelivery="false" Remotable="false" Priority="Normal" DiscardLevel="100">
<Category>Custom</Category>
<DataSources>
<DataSource ID="Scheduler" TypeID="System!System.Scheduler">
<Scheduler>
<SimpleReccuringSchedule>
<Interval Unit="Days">1</Interval>
</SimpleReccuringSchedule>
<ExcludeDates/>
</Scheduler>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Microsoft.RomeDetection.EnableAscPoliciesScriptWriteAction" TypeID="Windows!Microsoft.Windows.PowerShellWriteAction">
<ScriptName>EnableAscPolicies.ps1</ScriptName>
<ScriptBody><Script>#
# Implements the main logic for policy changes on ASC customers' machines.
# Policy changes:
# - Enable 4688 events (process creation)
# - Enable the command line arguments field in 4688 events (this field contains the process name and the supplied arguments)
#

# Registry locations touched by this script.
# Audit policy options key (ProcessCreationIncludeCmdLine_Enabled lives here). The
# variable keeps its original spelling because every function below refers to it by name.
$WINDWOS_AUDIT_REG_PATH = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\'
# Health Service (monitoring agent) parameters key; the "already applied" marker is stored here.
$OMS_AGENT_PARAMETERS_REG_PATH = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters'
# Name of the DWord marker value kept under $OMS_AGENT_PARAMETERS_REG_PATH.
$ASC_POLICIES_STATE_REG_KEY = 'Asc Policies State'
# Source name used for every event written through the MOM script API.
$LOG_SCRIPT_NAME = 'Asc Enable Policies'


# AscPolicies States: the two values the marker is expected to hold; anything else is
# reported as invalid by Enable-AscPolicies.
$ASC_POLICIES_SET = 1      # policies were applied by this script
$ASC_POLICIES_NOT_SET = 0  # nothing applied yet (also the default when the marker is missing)

# Create MOM API object: the Operations Manager script API. The Log* helpers below use
# its LogScriptEvent method to write script events (IDs 9601-9603) to the event log.
$momAPI = new-object -comObject MOM.ScriptAPI
Function LogInformation {
<#
.SYNOPSIS
Writes an informational script event (event ID 9601, level 0) through the MOM script API.
.PARAMETER Message
Text of the event. The source name is the shared $LOG_SCRIPT_NAME, as for LogWarning and LogError.
#>
param(
[Parameter(Position = 0, Mandatory = $true)]
[String]$Message
)

$infoEventId = 9601
$infoEventLevel = 0   # 0 = informational in the LogScriptEvent level scheme used by this script
$momAPI.LogScriptEvent($LOG_SCRIPT_NAME, $infoEventId, $infoEventLevel, $Message)
}

Function LogWarning {
<#
.SYNOPSIS
Writes a warning script event (event ID 9602, level 2) through the MOM script API.
.PARAMETER Message
Text of the event. Not called anywhere in this script at present; kept for parity with
LogInformation and LogError.
#>
param(
[Parameter(Position = 0, Mandatory = $true)]
[String]$Message
)

$warnEventId = 9602
$warnEventLevel = 2   # 2 = warning in the LogScriptEvent level scheme used by this script
$momAPI.LogScriptEvent($LOG_SCRIPT_NAME, $warnEventId, $warnEventLevel, $Message)
}

Function LogError {
<#
.SYNOPSIS
Writes an error script event (event ID 9603, level 1) through the MOM script API.
.PARAMETER Message
Text of the event. Enable-AscPolicies routes every caught exception here, so a 9603
event with source $LOG_SCRIPT_NAME is the signal that a run failed.
#>
param(
[Parameter(Position = 0, Mandatory = $true)]
[String]$Message
)

$errorEventId = 9603
$errorEventLevel = 1   # 1 = error in the LogScriptEvent level scheme used by this script
$momAPI.LogScriptEvent($LOG_SCRIPT_NAME, $errorEventId, $errorEventLevel, $Message)
}

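Function Test-RegistryKeyExists {
<#
.SYNOPSIS
Returns $true when the key at $Path exists and holds a value named $ValueName.
.PARAMETER Path
Provider path of the key (a Registry:: path in this script). Treated literally; no
wildcard expansion.
.PARAMETER ValueName
Name of the value to look for under the key.
.OUTPUTS
[bool]. A missing key, a missing value, or a value whose data is $null all give $false.
#>
param(
[Parameter(Mandatory = $true)]
[String]$Path,
[Parameter(Mandatory = $true)]
[String]$ValueName
)

# -LiteralPath on both calls. The original paired Test-Path $Path (wildcard semantics)
# with Get-Item -LiteralPath, so a path containing [ ] or * could pass the first check
# and then fail on the second.
if (-not (Test-Path -LiteralPath $Path)) {
return $false
}

$key = Get-Item -LiteralPath $Path
# $null on the left-hand side so a multi-valued result cannot turn -ne into a filter.
return ($null -ne $key.GetValue($ValueName))
}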

Function Test-IsAzureVM {
<#
.SYNOPSIS
Reports whether this machine looks like an Azure VM by comparing the SMBIOS asset tag
from Win32_SystemEnclosure with the well-known Azure tag.
.OUTPUTS
[bool]; $false whenever the WMI query throws. Not called anywhere in this script.
#>
$azureAssetTag = "7783-7084-3265-9085-8269-3286-77"
try {
$enclosure = Get-WmiObject -class Win32_SystemEnclosure
$result = ($enclosure.SMBIOSAssetTag -eq $azureAssetTag)
}
catch {
$result = $false
}
return $result
}

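Function Enable-ProcessCreationCommandLine {
<#
.SYNOPSIS
Turns on the "include command line in process creation events" audit option so that
4688 events carry the new process's command line.
.DESCRIPTION
Sets ProcessCreationIncludeCmdLine_Enabled=1 (DWord) under $WINDWOS_AUDIT_REG_PATH,
creating the value, and the Audit key itself, when they are missing. Nothing is changed
when the value is already 1. Progress is reported through LogInformation.
.NOTES
Needs write access to HKLM (the rule runs under the agent's account). The command line is
only recorded once 4688 auditing itself is on; see Enable-ProcessCreationEvents.
#>
$COMMAND_LINE_REG_KEY = "ProcessCreationIncludeCmdLine_Enabled"
$COMMAND_LINE_ENABLE_VALUE = 1

if (Test-RegistryKeyExists -Path $WINDWOS_AUDIT_REG_PATH -ValueName $COMMAND_LINE_REG_KEY) {
$commandLinePolicyValue = (Get-ItemProperty -LiteralPath $WINDWOS_AUDIT_REG_PATH -Name $COMMAND_LINE_REG_KEY).$COMMAND_LINE_REG_KEY
if ($commandLinePolicyValue -eq $COMMAND_LINE_ENABLE_VALUE) {
LogInformation "CommandLine policy is already enabled, do nothing"
return
}

# The value exists but is not 1 (disabled, or an unexpected type): overwrite it.
Set-ItemProperty -LiteralPath $WINDWOS_AUDIT_REG_PATH -Name $COMMAND_LINE_REG_KEY -Value $COMMAND_LINE_ENABLE_VALUE | Out-Null
LogInformation "Enabled CommandLine policy"
return
}

# The ...\Policies\System\Audit key is not present on every machine, and New-ItemProperty
# fails with "Cannot find path" when its parent key is missing, so create the key first.
# Without this the whole run failed and the "applied" marker was never written.
if (-not (Test-Path -LiteralPath $WINDWOS_AUDIT_REG_PATH)) {
New-Item -Path $WINDWOS_AUDIT_REG_PATH -Force | Out-Null
LogInformation "Created registry key $($WINDWOS_AUDIT_REG_PATH)"
}

New-ItemProperty -LiteralPath $WINDWOS_AUDIT_REG_PATH -Name $COMMAND_LINE_REG_KEY -Value $COMMAND_LINE_ENABLE_VALUE -Type DWord | Out-Null
LogInformation "Create a new registry value to enable CommandLine arguments in process creation events"
}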

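Function Enable-ProcessCreationEvents {
<#
.SYNOPSIS
Enables success auditing of the "Process Creation" subcategory (event 4688) with auditpol.
.DESCRIPTION
Reads the current setting with "auditpol /get /subcategory:... /r" (CSV output, one row
for the requested subcategory) and enables success auditing only when it is not already
on. Throws when auditpol is missing or returns a non-zero exit code, so the caller's catch
logs the failure and the "policies applied" marker is not written.
.NOTES
auditpol needs an elevated or SYSTEM context. The original implementation took line 4 of
the human-readable output and searched it for "Success", which depends on the output
layout; the CSV form's "Inclusion Setting" column is stable, though its text is still in
the display language. The subcategory GUID {0CCE922B-69AE-11D9-BED3-505054503030} can be
used in place of the localized name if language independence is needed.
#>
$PROCESS_CREATION_SUBCATEGORY = "process creation"
$PROCESS_CREATION_SUCCESS_ENABLE = "Success"

# Full path so an auditpol.exe found earlier on PATH cannot be picked up instead.
$auditpol = Join-Path $env:SystemRoot 'System32\auditpol.exe'
if (-not (Test-Path -LiteralPath $auditpol)) {
throw "auditpol.exe not found at '$($auditpol)'"
}

$csvOutput = & $auditpol /get /subcategory:$PROCESS_CREATION_SUBCATEGORY /r
if ($LASTEXITCODE -ne 0) {
throw "auditpol /get failed with exit code $($LASTEXITCODE); the script may not be running with sufficient privileges"
}

# /r prints a header row followed by one row per subcategory; with the /subcategory
# filter only one data row is expected, so take the first rather than matching the
# (localized) subcategory name.
$rows = @($csvOutput | Where-Object { $_ -ne '' } | ConvertFrom-Csv)
$current = $rows | Select-Object -First 1
if ($null -ne $current -and $current.'Inclusion Setting' -like "*$($PROCESS_CREATION_SUCCESS_ENABLE)*") {
LogInformation "Process Creation policy is already enabled, do nothing"
return
}

# Enable the process creation policy - enable 4688 events
LogInformation "Enable ProcessCreation Policy"
& $auditpol /set /subcategory:$PROCESS_CREATION_SUBCATEGORY /success:enable | Out-Null
if ($LASTEXITCODE -ne 0) {
throw "auditpol /set failed with exit code $($LASTEXITCODE)"
}
}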

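Function Get-AscPoliciesState {
<#
.SYNOPSIS
Returns the stored "Asc Policies State" marker, or $ASC_POLICIES_NOT_SET when it is absent.
.DESCRIPTION
The original returned $ASC_POLICIES_SET whenever the marker value existed, whatever its
data, so Enable-AscPolicies could never reach its "invalid value" branch and a marker of
0 was treated as "already applied". This reads the actual data instead. The marker only
records that this script ran to completion once; it does not prove the audit policy is
still in effect, so a later GPO or auditpol change is not re-detected by this rule.
.OUTPUTS
The marker's data (an [int] for a DWord) or $ASC_POLICIES_NOT_SET.
#>
if (-not (Test-RegistryKeyExists -Path $OMS_AGENT_PARAMETERS_REG_PATH -ValueName $ASC_POLICIES_STATE_REG_KEY)) {
# Marker missing: report the default so the policies get applied.
return $ASC_POLICIES_NOT_SET
}

# Return the stored data rather than only the fact that the value exists.
$properties = Get-ItemProperty -LiteralPath $OMS_AGENT_PARAMETERS_REG_PATH -Name $ASC_POLICIES_STATE_REG_KEY
return $properties.$ASC_POLICIES_STATE_REG_KEY
}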

Function Set-AscPoliciesState {
<#
.SYNOPSIS
Stores $State in the "Asc Policies State" DWord under the Health Service Parameters key.
.PARAMETER State
Marker to persist; Enable-AscPolicies passes $ASC_POLICIES_SET. Any [Int] is accepted.
.NOTES
Creates the value (and logs that it did) when it is missing; otherwise overwrites it
without logging.
#>
param(
[Parameter(Mandatory = $true)]
[Int]$State
)

$markerExists = Test-RegistryKeyExists -Path $OMS_AGENT_PARAMETERS_REG_PATH -ValueName $ASC_POLICIES_STATE_REG_KEY
if (-not $markerExists) {
# First run on this machine: create the marker value.
LogInformation "Create a new registry value: $($ASC_POLICIES_STATE_REG_KEY)=$($State)"
New-ItemProperty -Path $OMS_AGENT_PARAMETERS_REG_PATH -Name $ASC_POLICIES_STATE_REG_KEY -Type DWord -Value $State | Out-Null
return
}

# Marker already present: just update its data.
Set-ItemProperty -Path $OMS_AGENT_PARAMETERS_REG_PATH -Name $ASC_POLICIES_STATE_REG_KEY -Value $State | Out-Null
}

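Function Enable-AscPolicies {
<#
.SYNOPSIS
Entry point: applies the ASC audit policies once per machine, guarded by the registry marker.
.DESCRIPTION
When the marker is $ASC_POLICIES_NOT_SET, enables 4688 auditing and the command-line
field, then writes $ASC_POLICIES_SET. The marker is written last, so a failure in either
step leaves it unset and the next scheduled run of the rule retries. A marker of
$ASC_POLICIES_SET means do nothing; any other value is logged as invalid and nothing is
changed. Every exception is logged through LogError and swallowed, so the write action
itself never fails; watch for event ID 9603 instead.
#>
try {
LogInformation "Asc Enable Policies Start"

$ascPoliciesState = Get-AscPoliciesState
if ($ascPoliciesState -eq $ASC_POLICIES_NOT_SET) {
# Enable the Asc Policies and mark the computer with Asc Policies State=1
LogInformation "Set Asc Policies"
Enable-ProcessCreationEvents
Enable-ProcessCreationCommandLine
Set-AscPoliciesState -State $ASC_POLICIES_SET
}
elseif ($ascPoliciesState -eq $ASC_POLICIES_SET) {
LogInformation "Asc Policies has already been set - do nothing"
}
else {
LogInformation "Invalid value found in registry value: '$($OMS_AGENT_PARAMETERS_REG_PATH)\$($ASC_POLICIES_STATE_REG_KEY)' the value '$($ascPoliciesState)' is invalid"
}

LogInformation "Asc Enable Policies End"
}
catch {
# The position pins down which step failed; the message alone (e.g. an access-denied
# text) is ambiguous between the auditpol call and the two registry writes.
$errorMessage = "Script failed, exception: $($_.Exception.Message) at $($_.InvocationInfo.PositionMessage)"
LogError $errorMessage
}
}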

# Enable Asc policies on the machine. Enable-AscPolicies catches and logs every
# exception (event ID 9603 via LogError), so this call never fails the write action.
Enable-AscPolicies</Script></ScriptBody>
<TimeoutSeconds>300</TimeoutSeconds>
</WriteAction>
</WriteActions>
</Rule>