azure / simuland Goto Github PK
View Code? Open in Web Editor NEWUnderstand adversary tradecraft and improve detection strategies
License: MIT License
Understand adversary tradecraft and improve detection strategies
License: MIT License
Hello, I am getting the below errors when deploying the lab.
Any insights or workaround on how I can go about the deployment in CLI.
"VM has reported a failure when processing extension 'SetUpADFS'. Error message: "Failed to download all specified files. Exiting. Error Message: invalid uri https://STORAGE ACCOUNT.blob.core.windows.net/pfx_blob/ADFS.PFX?[REDACTED]"
See below the JSON output from the deployment status.
{
"id": "/subscriptions/10f7ae7a-8e1f-4243-a7c8-a9cad049be4e/resourceGroups/azhybrid/providers/Microsoft.Resources/deployments/deployWinADFS/operations/84336BFFBEA14038",
"operationId": "84336BFFBEA14038",
"properties": {
"duration": "PT1M50.7129958S",
"provisioningOperation": "Create",
"provisioningState": "Failed",
"request": null,
"response": null,
"serviceRequestId": null,
"statusCode": "Conflict",
"statusMessage": {
"error": {
"additionalInfo": null,
"code": "VMExtensionProvisioningError",
"details": null,
"message": "VM has reported a failure when processing extension 'SetUpADFS'. Error message: "Failed to download all specified files. Exiting. Error Message: invalid uri https://STORAGE ACCOUNT.blob.core.windows.net/pfx_blob/ADFS.PFX?[REDACTED]\r\n"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot ",
"target": null
},
"status": "Failed"
"resourceGroup": "azhybrid"
},
{
"id": "/subscriptions/10f7ae7a-8e1f-4243-a7c8-a9cad049be4e/resourceGroups/azhybrid/providers/Microsoft.Resources/deployments/deployWinADFS/operations/FBD2AF13D8CFDC7A",
"operationId": "FBD2AF13D8CFDC7A",
"properties": {
"duration": "PT1M56.9860345S",
"provisioningOperation": "Create",
"provisioningState": "Failed",
"request": null,
"response": null,
"serviceRequestId": null,
"statusCode": "Conflict",
"statusMessage": {
"error": {
"additionalInfo": null,
"code": "VMExtensionProvisioningError",
"details": null,
"message": "VM has reported a failure when processing extension 'SetUpDC'. Error message: "Failed to download all specified files. Exiting. Error Message: invalid uri https://STORAGE ACCOUNT.blob.core.windows.net/pfx_blob/ADFS.PFX?[REDACTED]\r\n"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot ",
"target": null
},
"status": "Failed"
},
"targetResource": {
"id": "/subscriptions/10f7ae7a-8e1f-4243-a7c8-a9cad049be4e/resourceGroups/azhybrid/providers/Microsoft.Compute/virtualMachines/DC01/extensions/SetUpDC",
"resourceGroup": "azhybrid",
This Article Add Credentials to Application
as s broken link to Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Solorigate]
The command listed at the bottom of the "Elevate Account Access" section didn't work for me (I received an "argument --assignee-object-id: expected one argument" error). I think this is because the "az ad signed-in-user" command didn't return an "objectId", just an "Id". [I'm using azure CLI version 2.39.0]
I guess that replacing the following:
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query objectId) --assignee-principal-type User
with:
az role assignment create --scope '/' --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query Id) --assignee-principal-type User
is the correct fix, but it would be good for someone more familiar with the lab to confirm.
Hi,
I am getting a conflict error on the deployment script and work what the issue is, just wondering if theres something obvious I am missing:
I have uploaded the full error txt.
Should the CreateADForest Resource exist in both deployWinADFS and CreateADForest like this?
Dependency error
az : ERROR: {"code": "MultipleErrorsOccurred", "message": "Multiple error occurred: BadRequest,BadRequest. Please see details."}
At line:1 char:1
+ CategoryInfo : NotSpecified: (ERROR: {"code":... see details."}:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Inner Errors:
{"code": "InvalidContentLink", "message": "Unable to download deployment content from
'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonCreated/vimFileEventMicrosoftSysmonCreated.json'. The
tracking Id is '45248d57-7b06-44c0-8586-6782a58ae30b'. Please see https://aka.ms/arm-deploy-resources for usage details."}
Inner Errors:
{"code": "InvalidContentLink", "message": "Unable to download deployment content from
'https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSysmonDeleted/vimFileEventMicrosoftSysmonDeleted.json'. The
tracking Id is '45248d57-7b06-44c0-8586-6782a58ae30b'. Please see https://aka.ms/arm-deploy-resources for usage details."}
Your issue content here.
Howdy folks,
I'm trying to deploy in Azure this template and I'm getting this error message:
Any guidance would be welcomed.
Many thanks!
{"code": "MultipleErrorsOccurred", "message": "Multiple error occurred: BadRequest,BadRequest. Please see details."}
Inner Errors:
{"code": "InvalidTemplate", "target": "/subscriptions/fXXXXXXXXXXXX/resourceGroups/rsg-adfslab/providers/Microsoft.Resources/deployments/CreateADForest", "message": "Deployment template validation failed: 'The value for the template parameter 'domainNetbiosName' at line '14' and column '30' is not provided. Please see https://aka.ms/arm-create-parameter-file for usage details.'.", "additionalInfo": [{"type": "TemplateViolation", "info": {"lineNumber": 14, "linePosition": 30, "path": "parameters.domainNetbiosName"}}]}
Inner Errors:
{"code": "InvalidTemplate", "target": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/resourceGroups/rsg-adfslab/providers/Microsoft.Resources/deployments/JoinADFSServer", "message": "Deployment template validation failed: 'The value for the template parameter 'domainNetbiosName' at line '17' and column '30' is not provided. Please see https://aka.ms/arm-create-parameter-file for usage details.'.", "additionalInfo": [{"type": "TemplateViolation", "info": {"lineNumber": 17, "linePosition": 30, "path": "parameters.domainNetbiosName"}}]}
I've gotten this specific deployment to work at least once (was able to validate endpoints registered in MDE, and workstation and ADFS were domain joined, and validated ADFS was working by signing in from the workstation with the ADFS user account, and Sentinel was connected.) I was not seeing MDI agents deployed, so restarted. But I have gotten this error at least 3 separate times where the deployment fails on ADFS01/SetUpADFS and DC01/SetUpDC. Any thoughts on troubleshooting or what I need to change? it's erroring on vm extensions for both. I see resources created -- but ADFS service is not running.
{
"status": "Failed",
"error": {
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'SetUpADFS'. Error message: "Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found."\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
}
}
{
"status": "Failed",
"error": {
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'SetUpDC'. Error message: "Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (404) Not Found."\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
}
}
Hello, there seems to be an error for the link mentionned below in my picture.
I did go to the github repository and it seems like it has been changed 3 days ago.
The new links are : (Directory changed from ASimRegistery to ASimRegisteryEvent)
and
Is it possible to update the deployment json file to point to the correct link?
In grantDelegatedPermissionsToApplication.md, the last step before the detections is a POST for the permissions grant against the service principals. As I work through this, I get a 409 conflict which upon additional research seems to indicate that the permissions already exist. It isn't clear to me that because we have done the permissions for mail.read in an earlier step if that is why it is throwing this message or what or if this needs to be a patch instead. Can that be clarified a bit? BTW, this is fantastic work.
[Orginal document]
4. On the same elevated PowerShell session, run the following commands to install AADInternals if it is not installed yet:
Install-Module –Name AADInternals –RequiredVersion 0.4.8 -Force
Import-Module –Name AADInternals
I got errors when I run it but to get over the error by running the above scripts, I can use these instead
Install-Module -Name AADInternals -RequiredVersion 0.4.8
Import-Module AADInternals
When attempting to deploy simuland, and completing all the required fields, we keep on getting "Template Validation Error". This seems to be an error from the downstream Win10-AD-ADFS template. Our desired configuration is to use AzureBastion. We selected AzureBastionHost and left the "Allowed IP Addresses" blank. Can't seem to figure out how to fix this in our deployment. Thanks.
When trying to set up Azure AD Connect on the domain controller for this deployment: https://github.com/Azure/SimuLand/tree/main/2_deploy/aadHybridIdentityADFS, I got a message saying that TLS 1.2 needed to be enabled on the server.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
Hi!
Getting this error while trying to deploy the template, azureSentinel2Go succeeds and all else seems to build normally. Wondering if you had encountered it before and what I may be missing, google is not cooperating too much on this one!
AADConnector-7bolxxjg3amwg
microsoft.aadiam/diagnosticSettings
NotFound
Operation details
{
"status": "Failed",
"error": {
"code": "OperationNotFound",
"message": "Path: '/subscriptions/.../resourcegroups/azhybrid/providers/microsoft.aadiam/diagnosticSettings/AADConnector-7bolxxjg3amwg' is not supported"
}
}
Hello - on part two - deployment steps - I'm getting a conflict error on enabling data connectors. Any insights or how to fix this would be greatly appreciated. My connector for Office ATP and Microsoft Threat Protection states not support api version. This is in my commercial test tenant.
Conflict
{
"status": "Failed",
"error": {
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n "error": {\r\n "code": "BadRequest",\r\n "message": "Connector kind 'MicrosoftThreatProtection' is not supported in api-version: '2020-01-01'"\r\n }\r\n}"
},
{
"code": "BadRequest",
"message": "{\r\n "error": {\r\n "code": "BadRequest",\r\n "message": "Connector kind 'OfficeATP' is not supported in api-version: '2020-01-01'"\r\n }\r\n}"
},
{
"code": "Unauthorized",
"message": "{\r\n "error": {\r\n "code": "InvalidLicense",\r\n "message": "Missing consent"\r\n }\r\n}"
}
]
}
}
{
"status": "Failed",
"error": {
"code": "InvalidContentLink",
"message": "Unable to download deployment content from 'https://raw.githubusercontent.com/Azure/SimuLand/main/2_deploy/aadHybridIdentityADFS/linkedtemplates/IdentityWorkbookARM.json'. The tracking Id is '387c21cf-d5e9-49ab-b1a6-f8dbdb487447'. Please see https://aka.ms/arm-deploy for usage details."
}
}
Getting permissions problems when trying to deploy the AD FS
Keep getting the error ''You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'.''
Tried with both global administrator and root account. Tried to toggle to yes in the AD properties Access management for Azure resources .
Has anyone encounter that problem before?
The installation of ADFS and DC's VM extension is failing. I've been trying to debug where exactly this is failing. I'm getting a 403 Forbidden, Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (403) Forbidden.
Is there something that can be looked into further on the 403 Forbidden error?
Verbose error JSON:
{
"status": "Failed",
"error": {
"code": "VMExtensionProvisioningError",
"message": "VM has reported a failure when processing extension 'SetUpADFS'. Error message: \"Failed to download all specified files. Exiting. Error Message: The remote server returned an error: (403) Forbidden.\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/VMExtensionCSEWindowsTroubleshoot "
}
}
The VM extensions return OK / Success for the DC and ADFS.
In step 5 it stated to go to the "Office 365 security & compliance" when it should say "Microsoft 365 compliance center"
Please provide some guidance about the sequential order for the preparation steps. This will help to simplify the deployment by ensuring that dependencies are addressed.
Getting certificate thumbprint error in Install-ADFS
Scenario :
Been trying to deploy this environment for weeks! We are trying to deploy the environment in our current Azure environment that already has a domain and AD within.
We tried first to deploy using that domain name as the FQDM but we would not able to AD connect in the DC because the federation existed already.
We then tried to redeploy using a subdomain as our FQDN (ex: simuland.example.com ) changed the ps1 template for the AD to match : (as previously mentioned in another issue. )
$DomainName1,$DomainName2,$DomainName3 = ($using:domainFQDN).split('.')
$ParentPath = "DC=$DomainName1,DC=$DomainName2,DC=$DomainName3 "
Everything deploys correctly up to Install-ADFS and this certificate thumbprint error. I am wondering if we have a wildcard certificate for our domain name ( *.example.com ) if that is enough or do we need an extra wildcard certificate for the subdomain as well ( *.simuland.example.com ) to satisfy the requirements of the newly create federation which will be adfs.simuland.example.com ? Trying to be as clear as possible here.
Running a little short on solutions here and would really appreciate to get this environment going for our team!
Thanks in advance.
According to Microsoft docs, the new Windows Security Events connector lets you stream security events from any Windows server (physical or virtual, on-premises or in any cloud) connected to your Azure Sentinel workspace. There are now two versions of this connector:
We also need to use DCRs to handle the collection of events from other Windows event providers besides Microsoft-Windows-Security-Auditing
Greetings,
Running into an issue when attempting to run the powershell command to enable Audit Log Search in O365:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Error message is:
The command you tried to run isn't currently allowed in your organization. To run this command, you first need to run
the command: Enable-OrganizationCustomization.
+ CategoryInfo : NotSpecified: (AdminAuditLogConfig:String) [Set-AdminAuditLogConfig], InvalidOperatio...
ontextException
+ FullyQualifiedErrorId : [Server=CY4PR16MB1782,RequestId=eaf15b8e-3f95-4ddf-b33f-740a5ea2a87c,TimeStamp=8/15/2021
2:16:58 AM] [FailureCategory=Cmdlet-InvalidOperationInDehydratedContextException] 5B0EC96F,Microsoft.Exchange.Man
agement.SystemConfigurationTasks.SetAdminAuditLogConfig
+ PSComputerName : outlook.office365.com
Ran the suggested Enable-OrganizationCustomization command and it reported the command was not needed because customization already turned on.
Attempted to turn on Auditing in the O365 SCC GUI but receive an error there as well:
Sorry! We couldn't update your organization settings. Please try again.
I do see the following note in the Prereqs for this section:
You must be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online.
Looking in Exchange Admin Center, the single global admin account that I created when setting up the environment is in the TenantAdmins role group, and that group is assigned the Organization Management role. I did attempt to add the Admin account directly to see if that would have any impact but still the same issue for me.
Any guidance would be appreciated!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.