@givenscj
Slides 15 and 16 of the WDS trainer presentation do not have alt-text. Please upload a corrected PPT.
Thanks, Dawnmarie

Error: An invalid value was provided for 'accessPolicies'

{ "id": "/subscriptions/6618f5bd-7a40-4584-8a49-653c870e835c/resourceGroups/azsecurity-dr/providers/Microsoft.Resources/deployments/Microsoft.Template/operations/712FE71A26BC9911", "operationId": "712FE71A26BC9911", "properties": { "provisioningOperation": "Create", "provisioningState": "Failed", "timestamp": "2019-05-22T00:45:10.9057516Z", "duration": "PT0.655914S", "trackingId": "9b0b8e89-e127-4a03-acee-9bedf62fd50d", "serviceRequestId": "570ed2c2-d888-49e0-ac75-46765e070273", "statusCode": "BadRequest", "statusMessage": { "error": { "code": "BadRequest", "message": "An invalid value was provided for 'accessPolicies'." } }, "targetResource": { "id": "/subscriptions/6618f5bd-7a40-4584-8a49-653c870e835c/resourceGroups/azsecurity-dr/providers/Microsoft.KeyVault/vaults/kvpbclh5l2bei34", "resourceType": "Microsoft.KeyVault/vaults", "resourceName": "kvpbclh5l2bei34" }, "response": { "content": { "error": { "code": "BadRequest", "message": "An invalid value was provided for 'accessPolicies'." } } } }}

Please update file names to be in the correct template style.

In exercise 2 task 3 after adding mask , it is not replacing number with xxxx

The extension for the virtual machine "web-1" which is used to install InstallIIS is not working it is failing. I have also tried manually to run that script but it was not working .

The august-2018-testfix branch is ready for review and QC.

In Exercise 5:- task:-5 step 7 in Jupiter notebook Getting started.ipynb while running following query getting the parsing error:

Query:

%kql search in ({selected_table.value}) {selected_columns.value[0]}: '*local service' | take 5"

Error Message :

query execution error:
{
    "error": {
        "code": "BadArgumentError",
        "innererror": {
            "code": "SyntaxError",
            "innererror": {
                "code": "SYN0002",
                "line": 1,
                "message": "Query could not be parsed at ')' on line [1,48]",
                "pos": 48,
                "token": ")"
            },
            "message": "A recognition error occurred in the query."
        },
        "message": "The request had some invalid properties"
    }
}

Please take a look to the screenshot

Please add this link to the WDS Student Guide: https://docs.microsoft.com/en-us/azure/virtual-network/ddos-protection-overview for DDoS.

Thank you!

Hi ,

While performing this particular task (link is mentioned below)

https://github.com/microsoft/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md#task-2-test-the-web-application-solution

We provided the correct value for the connection string and but we were facing issue while running the solution.

Could you please check this?

Also ,it would be really helpful if you could be more specific with the instructions for example, where to substitute the connection string in the web config file so that it could avoid confusion and also which value to be provided. It would be great if screenshots are provided.

Thanks
Bony

Since there is many UI/UX changes in azure portal, there are many confusions on how to perform some steps so can you please check on that.

https://github.com/microsoft/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md#task-3-test-network-security-group-rules-2

in this particular task it is mentioned -> Port scan for port 1433 (SQL) to db-1 is successful, and web-1 is unsuccessful from the paw-1 machine.

but this didnt work for me.

https://github.com/microsoft/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md#task-5-execute-jupyter-notebooks

in this particular task , it is specifying to search for Getting Started with Azure Sentinel Notebooks but it does show any rsults image for reference

https://github.com/microsoft/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md#task-2-review-and-create-azure-blueprints

here in mentioned task -> step 12 , it is specifying to select this particular option -> Audit unrestricted network access to storage accounts

but that option is no longer available.

Can you please check into this.

thanks & regards
Bony

Lines 306 - 309 show **/ & **
Are we missing an image? Extra code?

Exercise 2, Task 2, Step 5
Application doesn't work! See image below. Cleaning/re-building doesn't help.
Am fairly sure it's not a mistake I made since I have a classroom full of students experiencing the same issue.

Hi All,

This issue is regarding that there are some UI/UX changes in azure and due to which it could cause confusions for the users to perform this particular workshop.

So we have forked the repo and made the changes in our repo. we have kept it for reference below :-

https://github.com/sumitmalik51/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md

Is it possible to make the changes in Microsoft repo with new screenshots and also with all the steps updated according to the new UI/UX of azure ?

• Another issue while performing this particular task below : -

  https://github.com/microsoft/MCW-Security-baseline-on-Azure/blob/master/Hands-on%20lab/HOL%20step-by%20step%20-%20Security%20baseline%20on%20Azure.md#task-5-execute-jupyter-notebooks

  • Here we will select the particular option as mentioned in the below step and after that we will click on launch notebook.
    

  • When we click on launch notebook the below page will appear where we are asked to created the ML workspace, But in the guide it is not specified like so can you please update the steps accordingly in the repo so as to perform this task.
    

It would be great, if you can run through the whole lab and check from your end.

Thanks
Bony

This exercise covers two kinds of Key Vault usage - column encryption, and storing the connection string.

At the end of the exercise, I'd expect to see the app working. But it doesn't! Task 5 step 5 just says "Because you encrypted the column in the previous exercise, EntityFramework is not able to retrieve the value. You would need to...."

It's as if the lab is incomplete.

It would be MUCH better if the exercise was split in two, and fully implemented / validated at each step. E.g.

• Do the column encryption, get the app working, validate it
• Move the connection string to KeyVault, get the app working again, validate it.

Ex 2 Task 3
Nice to show data masking. But should also show how an app that needs the data can still get the unmasked data

Please review formatting in the Aug. test/fix - lines 525 - 559.
Comparing the Design section of the student guide with the design section of the trainer guide, 1) Questions asked in the student guide are not included in the trainer portion & 2) the answers are in a grey box...there's something off in the coding I think.
Thanks - Dawnmarie

There is no option fro adding the new firewall rule.
Exercise 2: Task 2 : step 2
in the packages.config there is an unwanted symbol "+" which is the reason for the error .

Please update ReadMe page with intro, target audience, and products & services.
Verify that WDS abstract is on the correct documents and HOL abstract is on the lab abstracts.

I updated the Before the lab document with the licensing information but it's missing requirements and a table of contents. I don't know code well enough to add, please use the template here to fix:

https://github.com/Microsoft/MCW-Template-Cloud-Workshop

Lab requires user to have access to

• Visual Studio 2019
• SQL Management Studio
• Power BI Desktop

That's simply not realistic. Some users are unwilling or unable to install these services. and some use MacOS.

The lab should instead provide a LabVM with all the necessary SW pre-installed.

Line 741 of the ARM template has a path to the Install_IIS.zip file that is the following: https://github.com/givenscj/mcw-azure-security/blob/master/Scripts/Install_IIS.zip?raw=true

Please update to: https://github.com/MCW-Azure-security-privacy-and-compliance/blob/master/Hands-on%20lab/Scripts/Install_IIS.zip?raw=true

This needs to be done after the testfix branch is merged to master.

ASC takes any where from 10 minutes to an hour+ to recommend JIT access on a VM.

The lab should be updated to highlight that yes ASC will eventually recommend it, but to go into each VM click -> Configure -> Emable JIT to speed up the process.

Ex 2 Task 1 Step 9
Need to explain how to open New Firewall Rule dialog, it's not obvious and doesn't open automaticaly.

Ex 3 Task 4
Refers to Client ID from Task 2. But Task 2 doesn't mention a Client ID. It only mentions an Application ID. Confusing.

Would love to see Azure Data Studio leveraged instead of SQL Server Management Studio. The advantage is that Azure Data Studio is lightweight and cross-platform, allowing more inclusion with this lab on MacOS, Linux and Windows.

https://docs.microsoft.com/sql/azure-data-studio/download

1.In Exercise 5 Task 1 : In Step 3 we are asked to select the Log Analytics resource but we don't have one. So we have to create a LogAnalytics Workspace 1st which is not mentioned in the lab guide.
2.Exercise 5 Task 2 : Was not able to complete since Set Alert Query given is wrong

3.Exercise 5 Task 4 : In step 7 we are asked to sign in to O365 account for receiving email Azure Security Center, but I don't receive any mails. Is an O365 account really required for this lab.
4.Exercise 5 Task 6 : In step 3 we are asked to open AzureDiagnostics which is not available in the list.

This lab guide needs to revalidate as many places the instruction was not clear because of Azure updates, some of the steps need to removed from the lab guide. Most of the screenshots need to update as the Azure UI is changing regularly.

After doing the same task, deleting resources and starting all over again, I can't get this to work. When I do the final point (run the project and navigate to the above page) It gives an error. I think the code or something is broken. It loads the http://localhost:24448

but does not load the http://localhost:24448/api/Users I am quite sure I followed the instructions to the letter, I started all over again at least 3 times.

In exercise 1 task 2 step 3 when we are enabling jit Manually i am able to see only 1 port

in exercise 4 task1 when we run the script it is failing and throwing error as the requested url does not exist on the server

@joelhulen @kylebunting
Solliance team -
This workshop is scheduled for an update in March. We will be combining this workshop with the Azure security and management workshop. Please update this issue with suggested content changes. Once done, we'll assign to our SME team for review and additional feedback.

Line spacing in WDS deck is horrible. Makes it very hard to read.

Hi,
While testing the workshop I am not able to add the packet capture in network watcher, I have tried reinstalling the extension multiple times. Getting this issue.

Couldn't get AzureSentinel part of lab to work at all. Needs accurate instructions, more screenshots, and needs to be fixed. Any timing sensitive issues (e.g. time for log data to appear) need to be called out.

Received this issue via email. Please review & advise:

The Security Baseline on Azure lab does not work with the Azure Passes anymore and needs a few minor changes in the Before HOL template: (link to arm template)

1. The schema should be HTTPS not HTTP

"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

2. The virtual machine types are not suitable and available for all subscriptions:

"virtualMachineSize": "Standard_D2_v2"
"vmSize": "Standard_DS1_v2"
"vmSize": "Standard_DS2_v2"
"vmSize": "Standard_DS1_v2"

I had to run the PowerShell command:

Get-AzComputeResourceSku | where {$_.Locations -icontains "eastus2"}

and find available types for my partners and change the template (I used Standard_E2_v3 as they are available for the subscriptions)

Wanted to let you know as many partners use the Azure Passes to run these labs 😊

Best regards,

1.Exercise 6 Task 4 : The UI Service Trust/Compliance Manager portal have changed a bit so please make the required changes, like creating a new group is asking more info as mentioned below.

Error in the jupyter notebook 's command
Below is the attached screenshot.

In the pre-lab work, the link for the deploy files is the Repo's root page. Link needs to be updated.

Open a browser window to the cloud workshop GitHub repository (https://github.com/Microsoft/MCW-Azure-Security-Privacy-and-Compliance)

Please review and fix at next scheduled test/fix.

1 microsoft.identitymodel.clients.activedirectory vulnerability found in …/InsuranceAPI/packages.config 4 days ago
Remediation
Upgrade microsoft.identitymodel.clients.activedirectory to version 5.2.0 or later. For example:

Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2019-1258
More information
moderate severity
Vulnerable versions: < 5.2.0
Patched version: 5.2.0
An elevation of privilege vulnerability exists in Azure Active Directory Authentication Library On-Behalf-Of flow, in the way the library caches tokens, aka 'Azure Active Directory Authentication Library Elevation of Privilege Vulnerability'.

The example analytics Kusto query doesn't ever seem to fire.

AzureDiagnostics | where Type != 'AzureMetric' and OperationName == 'NetworkSecurityGroupCounters' and type_s == 'block' and direction_s == 'In' and Resource == 'WEBTRAFFICONLY'

I don't think this query is doing what we want in the HOL. We need to check for any results where a rule counter is triggers higher than usual. The above query will always return the same number of results regardless of scanning activity.

Trainer Guide includes:

Alternately, an Azure Web App could be used to host the data collection web site, but not the corporate website (because Azure Web Apps does not offer any configuration that provides private, virtual network only endpoints, at least until App Service Environments leave preview). Cloud Services were ruled out so that Contoso could avoid changes to their development and deployment experience

That's very out of date! Please review rest of WDS materials similarly

Suggestion: add a note on the lab to ensure that the workspace name is unique and modify it on the template before provisioning:

{
"error": {
"code": "Conflict",
"message": "The workspace name 'azsecuritylogging' is not unique",
"target": "name"
}
}

On the template - \Hands-on lab\Scripts\template.json- line 38:

"resources": [
{
"type": "microsoft.operationalinsights/workspaces",
"name": "azsecuritylogging",
"apiVersion": "2015-11-01-preview",
"location": "eastus",
"scale": null,
"properties": {
"sku": {
"name": "standalone"
},
"retentionInDays": 31
},

I was recently testing the MCW-Security-baseline-on-Azure workshop. Everything was proceeding as expected until I got to Exercise 5: Azure Sentinel Logging and Reporting. I first ran into an issue with Task 1: Create a dashboard. During this Task; the instructions state "In the list of workbooks, select Azure Network Watcher, choose Save.". During this process; I noticed that the Azure Network Watcher workbook had a red circle with an x for the Required data types: AzureNetworkAnalytics_CL. I was able to "resolve" this issue by updating my Log Analytics configuration.

However, as I continued the workshop to Task 3: Investigate a custom alert incident I am now having another issues that I have not been able to resolve. Specifically, I cannot get any Incidents to appear as documented in Task 3: Investigate a custom alert incident. I am reviewing the Rule Query syntax provided in Task 2: Create an Analytics alert (since I assume this is the query that will generate the Incidents). I did notice that by using the "View query results" in the "Set Rule Login" setting that I received a "NO RESULTS FOUND" message. I was able to "correct" this by inserting the following argument into the query statement:" | where TimeGenerated > ago(48h)". This this added argument; I was able to get a single output result:
10.2.0.4 | UserRule_DenyAll | 10.2.0.4 | 31,014-- | -- | -- | --
but I still do not have any Incidents to view in the Sentinel Threat management | Incident view.

Can someone help understand how to resolve this issue? I plan to use this workshop for a training in mid-June, if possible.