Enabling Diagnostics Logging for Azure Antimalware

imageHello Azure security community!

Yuri Diogenes (CSI Enterprise Mobility and Azure Security team) here. Recently we had a great discussion online about how to enable diagnostics logs for Antimalware in Azure. This is an important discussion because when you enable Antimalware through the Azure Portal, this action will not enable the diagnostics logs for Antimalware automatically. However, if you use Azure Antimalware PowerShell (Set-AzureServiceAntimalwareExtension) to enable Antimalware then you can leverage an option to enable diagnostics logs.

Below you have an example of how to enable diagnostics logging for Antimalware via PowerShell:

======================================

PS C:\> Add-AzureAccount

PS C:\> Select-AzureSubscription -SubscriptionName "<your subscription name>"

PS C:\> $StorageContext = New-AzureStorageContext -StorageAccountName "<your storage account name>" -StorageAccountKey (Get-AzureStorageKey -StorageAccountName "<your storage account name>").Primary

PS C:\> Set-AzureServiceAntimalwareExtension -ServiceName "<your azure cloud service name>" -Monitoring ON -StorageContext $StorageContext

======================================

Once you finish typing these commands, you should see an output similar to the one below:

clip_image002

If you go to the Worker Role, you can see the PaaSDiagnostics plug in:

clip_image004

Note:
You may not see events immediately as all events are not configured for collection. If you want to validate, you can try to copy an eicar.txt file (which is known for testing Antimalware) and see if the events 1116, 1117 are trigged and logged in WADWindowsEventLogsTable (shown below).

clip_image006

Note:
For more information see Microsoft Antimalware for Azure Cloud Services and Virtual Machines

Kudos to Rakesh Narayan and ASM Team for their contribution testing this solution.