Document Details

Packet Capture Alert Triggered
Home / Scan 41 / Packet Capture Alert Triggered
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation page demonstrates a strong Windows and PowerShell bias. All code examples for automation, authentication, and packet capture are provided exclusively in PowerShell, with no equivalent Bash, CLI, or Python examples for Linux users. The prerequisites and workflow focus on Azure PowerShell and Windows-centric tooling, and the authentication steps assume a Windows environment (e.g., file paths like C:\temp). Although there is a brief mention of a Linux VM extension, the actual automation and scripting guidance is entirely Windows/PowerShell-based, leaving Linux users without clear guidance.
Recommendations:
  • Provide equivalent examples using Azure CLI (az) and/or Bash scripts for Linux environments, especially for authentication and packet capture automation.
  • Include Python or REST API examples for cross-platform automation, as Azure Functions support multiple languages.
  • When referencing file paths or environment setup, include Linux-compatible paths and instructions (e.g., /tmp/PassEncryptKey.key).
  • Explicitly mention and link to documentation for Linux VM extensions and how to use them in automation scenarios.
  • Balance the order of presentation so that Linux and Windows approaches are given equal prominence, or present cross-platform solutions first.
  • Clarify which steps are platform-agnostic and which are OS-specific, and provide guidance for both.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ✅ Clean
2025-07-12 23:44 #41 in_progress ❌ Biased
2025-07-09 13:09 #3 cancelled ✅ Clean
2025-07-08 04:23 #2 cancelled ❌ Biased

Flagged Code Snippets

(Get-AzSubscription -SubscriptionName "<subscriptionName>").TenantId
# Input bindings are passed in via parameter block param($Request, $TriggerMetadata) $essentials = $Request.body.data.essentials $alertContext = $Request.body.data.alertContext # Storage account ID to save captures in $storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}" # Packet capture variables $packetCaptureName = "PSAzureFunction" $packetCaptureLimit = 100 $packetCaptureDuration = 30 # Credentials # Set the credentials in the configurations $tenant = $env:AzureTenant $pw = $env:AzureCredPassword $clientid = $env:AzureClientId $password = ConvertTo-SecureString $pw -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential ($clientid, $password) Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null if ($alertContext.condition.allOf.metricNamespace -eq "Microsoft.Compute/virtualMachines") { # Get the VM firing this alert $vm = Get-AzVM -ResourceId $essentials.alertTargetIDs[0] # Get the Network Watcher instance in the VM's region $networkWatcher = Get-AzNetworkWatcher -Location $vm.Location # Get existing packet captures $packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher # Remove an existing packet capture created by the function (if it exists) $packetCaptures | ForEach-Object { if ($_.Name -eq $packetCaptureName) { Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName } } # Initiate packet capture on the VM that fired the alert if ($packetCaptures.Count -lt $packetCaptureLimit) { Write-Output "Initiating Packet Capture" New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $vm.Id -PacketCaptureName $packetCaptureName -StorageAccountId $storageaccountid -TimeLimitInSeconds $packetCaptureDuration } }
# Input bindings are passed in via parameter block param($Request, $TriggerMetadata) $details = $Request.RawBody | ConvertFrom-Json # Process alert request body $requestBody = $Request.Body.data # Storage account ID to save captures in $storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}" # Packet capture variables $packetCaptureName = "PSAzureFunction" $packetCaptureLimit = 100 $packetCaptureDuration = 30 # Credentials # Set the credentials in the configurations $tenant = $env:AzureTenant $pw = $env:AzureCredPassword $clientid = $env:AzureClientId $password = ConvertTo-SecureString $pw -AsPlainText -Force $credential = New-Object System.Management.Automation.PSCredential ($clientid, $password) Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null if ($requestBody.context.resourceType -eq "Microsoft.Compute/virtualMachines") { # Get the VM firing this alert $vm = Get-AzVM -ResourceGroupName $requestBody.context.resourceGroupName -Name $requestBody.context.resourceName # Get the Network Watcher instance in the VM's region $networkWatcher = Get-AzNetworkWatcher -Location $vm.Location # Get existing packet captures packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher # Remove an existing packet capture created by the function (if it exists) $packetCaptures | ForEach-Object { if ($_.Name -eq $packetCaptureName) { Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName } } # Initiate packet capture on the VM that fired the alert if ($packetCaptures.Count -lt $packetCaptureLimit) { Write-Output "Initiating Packet Capture" New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $requestBody.context.resourceId -PacketCaptureName $packetCaptureName -StorageAccountId $storageaccountid -TimeLimitInSeconds $packetCaptureDuration } }
#Variables $keypath = "C:\temp\PassEncryptKey.key" $AESKey = New-Object Byte[] 32 $Password = "<insert a password here>" #Keys [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey) Set-Content $keypath $AESKey #Get encrypted password $secPw = ConvertTo-SecureString -AsPlainText $Password -Force $AESKey = Get-content $KeyPath $Encryptedpassword = $secPw | ConvertFrom-SecureString -Key $AESKey $Encryptedpassword
$app = New-AzADApplication -DisplayName "ExampleAutomationAccount_MF" -HomePage "https://exampleapp.com" -IdentifierUris "https://exampleapp1.com/ExampleFunctionsAccount" -Password "<same password as defined earlier>" New-AzADServicePrincipal -ApplicationId $app.ApplicationId Start-Sleep 15] New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
#Variables $keypath = "C:\temp\PassEncryptKey.key" $AESKey = New-Object Byte[] 32 $Password = "<insert a password here>" #Keys [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey) Set-Content $keypath $AESKey #Get encrypted password $secPw = ConvertTo-SecureString -AsPlainText $Password -Force $AESKey = Get-content $KeyPath $Encryptedpassword = $secPw | ConvertFrom-SecureString -Key $AESKey $Encryptedpassword