Document Details
Packet Capture Alert Triggered
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
powershell_heavy
missing_linux_example
windows_tools
windows_first
Summary
The documentation is heavily biased towards Windows and PowerShell. All code samples and automation steps use PowerShell exclusively, with no equivalent Bash, CLI, or Python examples for Linux users. The authentication and environment setup instructions assume a Windows-style file system and scripting environment. While there are brief mentions of a Linux VM extension, all practical guidance and tooling focus on Windows-first approaches, leaving Linux users without clear, actionable instructions.
Recommendations
- Provide equivalent examples using Azure CLI and/or Bash scripts for Linux environments, especially for authentication, environment variable setup, and packet capture initiation.
- Include Python or other cross-platform scripting options for Azure Functions, not just PowerShell.
- Show how to generate and store encrypted credentials on Linux (e.g., using OpenSSL or GPG) instead of only using Windows file paths and PowerShell encryption.
- Explicitly mention and demonstrate how to use the Linux Network Watcher extension, including any differences in setup or operation.
- Balance the order of presentation: introduce both Windows and Linux approaches side-by-side, or alternate which is presented first.
- Reference Linux-friendly tools for downloading and analyzing packet captures (e.g., azcopy, wget, tcpdump, tshark) alongside Windows tools.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2026-01-14 00:00 | #250 | in_progress |
Biased
|
| 2026-01-13 00:00 | #246 | completed |
Biased
|
| 2026-01-11 00:00 | #240 | completed |
Biased
|
| 2026-01-10 00:00 | #237 | completed |
Biased
|
| 2026-01-09 00:34 | #234 | completed |
Biased
|
| 2026-01-08 00:53 | #231 | completed |
Biased
|
| 2026-01-06 18:15 | #225 | cancelled |
 Clean
|
| 2025-08-17 00:01 | #83 | cancelled |
Clean
|
| 2025-07-13 21:37 | #48 | completed |
Clean
|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
| 2025-07-09 13:09 | #3 | cancelled |
Clean
|
| 2025-07-08 04:23 | #2 | cancelled |
Biased
|
Flagged Code Snippets
(Get-AzSubscription -SubscriptionName "<subscriptionName>").TenantId
# Input bindings are passed in via parameter block
param($Request, $TriggerMetadata)
$details = $Request.RawBody | ConvertFrom-Json
# Process alert request body
$requestBody = $Request.Body.data
# Storage account ID to save captures in
$storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
# Packet capture variables
$packetCaptureName = "PSAzureFunction"
$packetCaptureLimit = 100
$packetCaptureDuration = 30
# Credentials
# Set the credentials in the configurations
$tenant = $env:AzureTenant
$pw = $env:AzureCredPassword
$clientid = $env:AzureClientId
$password = ConvertTo-SecureString $pw -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($clientid, $password)
Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null
if ($requestBody.context.resourceType -eq "Microsoft.Compute/virtualMachines") {
# Get the VM firing this alert
$vm = Get-AzVM -ResourceGroupName $requestBody.context.resourceGroupName -Name $requestBody.context.resourceName
# Get the Network Watcher instance in the VM's region
$networkWatcher = Get-AzNetworkWatcher -Location $vm.Location
# Get existing packet captures
packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher
# Remove an existing packet capture created by the function (if it exists)
$packetCaptures | ForEach-Object { if ($_.Name -eq $packetCaptureName)
{
Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName
}
}
# Initiate packet capture on the VM that fired the alert
if ($packetCaptures.Count -lt $packetCaptureLimit) {
Write-Output "Initiating Packet Capture"
New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $requestBody.context.resourceId -PacketCaptureName $packetCaptureName -StorageAccountId $storageaccountid -TimeLimitInSeconds $packetCaptureDuration
}
}
#Variables $keypath = "C:\temp\PassEncryptKey.key" $AESKey = New-Object Byte[] 32 $Password = "<insert a password here>" #Keys [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey) Set-Content $keypath $AESKey #Get encrypted password $secPw = ConvertTo-SecureString -AsPlainText $Password -Force $AESKey = Get-content $KeyPath $Encryptedpassword = $secPw | ConvertFrom-SecureString -Key $AESKey $Encryptedpassword
$app = New-AzADApplication -DisplayName "ExampleAutomationAccount_MF" -HomePage "https://exampleapp.com" -IdentifierUris "https://exampleapp1.com/ExampleFunctionsAccount" -Password "<same password as defined earlier>"
New-AzADServicePrincipal -ApplicationId $app.ApplicationId
Start-Sleep 15]
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId
#Variables $keypath = "C:\temp\PassEncryptKey.key" $AESKey = New-Object Byte[] 32 $Password = "<insert a password here>" #Keys [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey) Set-Content $keypath $AESKey #Get encrypted password $secPw = ConvertTo-SecureString -AsPlainText $Password -Force $AESKey = Get-content $KeyPath $Encryptedpassword = $secPw | ConvertFrom-SecureString -Key $AESKey $Encryptedpassword
# Input bindings are passed in via parameter block
param($Request, $TriggerMetadata)
$essentials = $Request.body.data.essentials
$alertContext = $Request.body.data.alertContext
# Storage account ID to save captures in
$storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
# Packet capture variables
$packetCaptureName = "PSAzureFunction"
$packetCaptureLimit = 100
$packetCaptureDuration = 30
# Credentials
# Set the credentials in the configurations
$tenant = $env:AzureTenant
$pw = $env:AzureCredPassword
$clientid = $env:AzureClientId
$password = ConvertTo-SecureString $pw -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($clientid, $password)
Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null
if ($alertContext.condition.allOf.metricNamespace -eq "Microsoft.Compute/virtualMachines") {
# Get the VM firing this alert
$vm = Get-AzVM -ResourceId $essentials.alertTargetIDs[0]
# Get the Network Watcher instance in the VM's region
$networkWatcher = Get-AzNetworkWatcher -Location $vm.Location
# Get existing packet captures
$packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher
# Remove an existing packet capture created by the function (if it exists)
$packetCaptures | ForEach-Object { if ($_.Name -eq $packetCaptureName)
{
Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName
}
}
# Initiate packet capture on the VM that fired the alert
if ($packetCaptures.Count -lt $packetCaptureLimit) {
Write-Output "Initiating Packet Capture"
New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -TargetVirtualMachineId $vm.Id -PacketCaptureName $packetCaptureName -StorageAccountId $storageaccountid -TimeLimitInSeconds $packetCaptureDuration
}
}