How to add Azure Adaptive Application Controls
- Open the Azure Portal.
- Open the Security Center dashboard.
- In the left pane, select Adaptive application controls, located under Advanced cloud defense.
- The Adaptive application controls page appears.
Configure a new application control policy
1. Click the Recommended tab for a list of groups of VMs with application control recommendations:
The list includes:
- NAME: the name of the subscription and group
- VMs: the number of virtual machines in the group
- STATE: the state of the recommendations
- SEVERITY: the severity level of the recommendations
2. Click on a group to open the Create application control rules option.
3. Under Select VMs, review the list of recommended VMs and uncheck any that you do not want an application whitelisting policy applied to. Next, you see two lists:
- Recommended applications: applications that run frequently on the VMs within this group and are recommended to be allowed to run.
- More applications: applications that either run less frequently on the VMs within this group or are flagged as Exploitable (see below); these are recommended for review rather than automatic approval.
4. Review the applications in each list and uncheck any you do not want to allow. Each list includes:
- NAME: the certificate (publisher) information or the full path of an application
- FILE TYPES: the application file type. This can be EXE, Script, MSI, or any combination of these types.
- EXPLOITABLE: a warning icon marks an application that an attacker could use to bypass an application whitelisting solution, typically a trusted, signed binary that can load and execute arbitrary code or scripts. Allowing such an application by publisher or path effectively allows whatever it is made to load, so review these applications before approving them.
- USERS: the users that are recommended to be allowed to run an application
5. Once you finish your selections, select Create.
After you select Create, Azure Security Center automatically creates the appropriate rules on top of the built-in application whitelisting solution available on Windows servers (AppLocker).
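As an added example (not from the page and not Security Center's own tooling), the following PowerShell, run as an administrator on one of the VMs in the group once Security Center reports the policy as created, confirms that the Application Identity service is running and lists the effective AppLocker rules by collection, enforcement mode, rule type and user, so you can compare them with what the portal shows. The cmdlets, service name and policy XML elements are AppLocker's own; the pattern used to flag "broad" path rules is this example's own choice.

```powershell
# Added example (not from the page or from Azure Security Center): run on a VM in the
# group after Security Center reports the policy as created, to confirm that the
# AppLocker rules actually landed and that the service that evaluates them is running.

# AppLocker rules are only evaluated while the Application Identity service (AppIDSvc)
# is running; a policy on a VM where it is stopped enforces (and audits) nothing.
$appId = Get-Service -Name AppIDSvc
if ($appId.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($appId.Status): AppLocker rules are not being evaluated on this VM."
}

# Translate a SID into an account name for readability; fall back to the raw SID.
function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

# The effective policy is the merge of the local policy and any Group Policy-delivered rules.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml

$rows = foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    # Type is Exe, Msi, Script, Dll or Appx; EnforcementMode is AuditOnly, Enabled or
    # NotConfigured, which is where the portal's Audit/Enforce setting ends up on the VM.
    foreach ($rule in $collection.ChildNodes) {
        # The element name is FilePublisherRule, FilePathRule or FileHashRule, matching the
        # three rule collection types shown in the portal. GetAttribute is used for Name
        # because XmlElement has its own .Name property.
        $ruleName = $rule.GetAttribute('Name')
        switch ($rule.LocalName) {
            'FilePublisherRule' {
                $c = $rule.Conditions.FilePublisherCondition
                $detail = "publisher='{0}' product='{1}' binary='{2}'" -f $c.PublisherName, $c.ProductName, $c.BinaryName
            }
            'FilePathRule' {
                $path = $rule.Conditions.FilePathCondition.Path
                $detail = "path='{0}'" -f $path
                # A broad Allow path rule makes the rest of the policy moot: anything an attacker
                # can write under that path runs. The pattern below is this example's choice.
                if ($rule.Action -eq 'Allow' -and $path -match '^(\*|%OSDRIVE%\\\*)$') {
                    Write-Warning ("Rule '{0}' allows everything under '{1}'" -f $ruleName, $path)
                }
            }
            'FileHashRule' {
                $hashes = @($rule.Conditions.FileHashCondition.FileHash)
                $detail = "{0} hash(es): {1}" -f $hashes.Count, (($hashes | ForEach-Object { $_.SourceFileName }) -join ', ')
            }
            default { $detail = '' }
        }
        [pscustomobject]@{
            Collection = $collection.Type
            Mode       = $collection.EnforcementMode
            RuleType   = $rule.LocalName
            Action     = $rule.Action
            User       = Resolve-Sid $rule.UserOrGroupSid
            Name       = $ruleName
            Detail     = $detail
        }
    }
}

$rows | Sort-Object Collection, RuleType | Format-Table -AutoSize
```

If the table is empty or a collection shows EnforcementMode NotConfigured while the portal shows it as configured, the policy has not reached that VM yet (or the VM is not in the group you think it is); check the group membership before changing the mode to Enforce.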
Editing and monitoring a group configured with application control
1. To edit and monitor a group that already has an application whitelisting policy, return to the Adaptive application controls page and select CONFIGURED under Groups of VMs:
The list includes:
- Name: the name of the subscription and group
- VMs: the number of virtual machines in the group
- Mode: Audit mode will log attempts to run non-whitelisted applications; Enforce will not allow non-whitelisted applications to run
- Alerts: any current violations
2. Click on a group to make changes in the Edit application control policy page.
3. Under Protection mode, select one of the following:
- Audit: the application control solution does not enforce the rules and only audits the activity on the protected VMs. Use this first, to observe overall behavior before any application is blocked from running on the target VMs.
- Enforce: the application control solution enforces the rules and blocks applications that are not allowed to run.
4. Under Policy extension, add any application path that you want to allow. After you add these paths, Security Center updates the application whitelisting policy on the VMs within the selected group and creates the appropriate rules for these applications, in addition to the rules already in place. Note that a path rule allows anything that is placed under that path, so avoid paths that standard users can write to: an attacker who can drop a file there can run it regardless of the other rules.
5. Review the current violations listed in the Recent alerts section. Click a line to go to the Alerts page within Azure Security Center and view all the alerts that Security Center detected on the associated VMs. The section lists:
- Alerts: the violations that were logged.
- No. of VMs: the number of virtual machines with this alert type.
6. Under Publisher whitelisting rules, Path whitelisting rules, and Hash whitelisting rules you can see which application whitelisting rules are currently configured on the VMs within a group, grouped by rule collection type. For each rule you can see:
- Rule: the specific parameters AppLocker examines to determine whether an application is allowed to run (the signing publisher, the file path, or the file hash, depending on the rule type).
- File type: the file types covered by the rule. This can be any of EXE, Script, MSI, or any combination of those file types.
- Users: the name or number of users who are allowed to run an application covered by the rule.
7. Click on the three dots at the end of each line if you want to delete the specific rule or edit the allowed users.
8. After making changes to an Adaptive application controls policy, click Save.
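While a group is in Audit mode, the portal's Recent alerts section shows what Enforce would block, and on the VM itself the underlying record is AppLocker's own event log. The following PowerShell is an added example (not from the page and not Security Center's own tooling) that reads those events directly on a VM in the group and summarizes them per file, so you can decide which entries belong in Policy extension, which deserve a publisher rule instead of a path, and which are real violations, before switching the mode to Enforce. The log channel names and event IDs are AppLocker's own (8003/8006 are "would have been blocked" audit events, 8004/8007 are actual blocks); the seven-day window is an assumption of this example.

```powershell
# Added example (not from the page or from Azure Security Center): run as an administrator
# on a VM in the group to see what Enforce would have blocked while the group is in Audit mode.
$sources = @(
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL';    Ids = 8003, 8004 },
    @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Ids = 8006, 8007 }
)
$since = (Get-Date).AddDays(-7)   # assumption: one week of audit history is enough for this group

$findings = foreach ($s in $sources) {
    # Get-WinEvent errors when a filter matches nothing; treat that as "no violations" here.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $s.LogName; Id = $s.Ids; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # AppLocker puts the decision details in the event's UserData, not in the message text.
        $d = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        $outcome = if ($e.Id -in 8003, 8006) { 'WouldBlock' } else { 'Blocked' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Collection = $d.PolicyName      # EXE, DLL, MSI or SCRIPT
            Outcome    = $outcome
            File       = $d.FilePath        # uses AppLocker path variables such as %OSDRIVE%
            Publisher  = $d.Fqbn            # fully qualified binary name; absent or '-' for unsigned files
            User       = $d.TargetUser
        }
    }
}

# Summarize per file and outcome so the noisy entries stand out. An unsigned file can only be
# allowed by hash or path; a signed one is a candidate for a publisher rule, which survives updates.
$findings |
    Group-Object File, Outcome |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count    = $_.Count
            Outcome  = $first.Outcome
            File     = $first.File
            Signed   = [bool]($first.Publisher -and $first.Publisher -ne '-')
            Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
            LastSeen = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

An empty result after a representative period of normal use is the signal that the group is ready for Enforce; a long list of WouldBlock entries under user-writable paths usually means the policy needs publisher rules rather than more Policy extension paths.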
Not recommended list
Security Center only recommends application whitelisting policies for virtual machines running a stable set of applications. Recommendations are not created if applications on the associated VMs keep changing.
The list contains:
- NAME: the name of the subscription and group
- VMs: the number of virtual machines in the group
Azure Security Center also lets you define an application whitelisting policy on non-recommended groups of VMs. Follow the same steps described above to configure an application whitelisting policy on those groups. Because the set of applications on these VMs keeps changing, expect such a policy to need more maintenance and to generate more audit events; keep it in Audit mode until the violations it reports are understood.