This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ missing_linux_example
⚠️ windows_tools
⚠️ windows_first
Summary:
The documentation is heavily biased towards Windows and PowerShell. All code samples and automation steps use PowerShell exclusively, with no equivalent Bash, CLI, or Python examples for Linux users. The authentication and environment setup instructions assume a Windows-style file system and scripting environment. While there are brief mentions of a Linux VM extension, all practical guidance and tooling focus on Windows-first approaches, leaving Linux users without clear, actionable instructions.
Recommendations:
  • Provide equivalent examples using Azure CLI and/or Bash scripts for Linux environments, especially for authentication, environment variable setup, and packet capture initiation.
  • Include Python or other cross-platform scripting options for Azure Functions, not just PowerShell.
  • Show how to generate and store encrypted credentials on Linux (e.g., using OpenSSL or GPG) instead of only using Windows file paths and PowerShell encryption.
  • Explicitly mention and demonstrate how to use the Linux Network Watcher extension, including any differences in setup or operation.
  • Balance the order of presentation: introduce both Windows and Linux approaches side-by-side, or alternate which is presented first.
  • Reference Linux-friendly tools for downloading and analyzing packet captures (e.g., azcopy, wget, tcpdump, tshark) alongside Windows tools.

Scan History

Date              Scan ID  Status       Bias Status
2025-08-17 00:01  #83      in_progress  ✅ Clean
2025-07-13 21:37  #48      completed    ✅ Clean
2025-07-12 23:44  #41      in_progress  ❌ Biased
2025-07-09 13:09  #3       cancelled    ✅ Clean
2025-07-08 04:23  #2       cancelled    ❌ Biased

Flagged Code Snippets

(Get-AzSubscription -SubscriptionName "<subscriptionName>").TenantId

# Input bindings are passed in via parameter block
param($Request, $TriggerMetadata)
$details = $Request.RawBody | ConvertFrom-Json
# Process alert request body
$requestBody = $Request.Body.data
# Storage account ID to save captures in
$storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
# Packet capture variables
$packetCaptureName = "PSAzureFunction"
$packetCaptureLimit = 100
$packetCaptureDuration = 30
# Credentials
# Set the credentials in the configurations
$tenant = $env:AzureTenant
$pw = $env:AzureCredPassword
$clientid = $env:AzureClientId
$password = ConvertTo-SecureString $pw -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($clientid, $password)
Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null
if ($requestBody.context.resourceType -eq "Microsoft.Compute/virtualMachines") {
    # Get the VM firing this alert
    $vm = Get-AzVM -ResourceGroupName $requestBody.context.resourceGroupName -Name $requestBody.context.resourceName
    # Get the Network Watcher instance in the VM's region
    $networkWatcher = Get-AzNetworkWatcher -Location $vm.Location
    # Get existing packet captures
    $packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher
    # Remove an existing packet capture created by the function (if it exists)
    $packetCaptures | ForEach-Object {
        if ($_.Name -eq $packetCaptureName) {
            Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName
        }
    }
    # Initiate packet capture on the VM that fired the alert
    if ($packetCaptures.Count -lt $packetCaptureLimit) {
        Write-Output "Initiating Packet Capture"
        New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher `
            -TargetVirtualMachineId $requestBody.context.resourceId `
            -PacketCaptureName $packetCaptureName `
            -StorageAccountId $storageaccountid `
            -TimeLimitInSeconds $packetCaptureDuration
    }
}

#Variables
$keypath = "C:\temp\PassEncryptKey.key"
$AESKey = New-Object Byte[] 32
$Password = "<insert a password here>"
#Keys
[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($AESKey)
Set-Content $keypath $AESKey
#Get encrypted password
$secPw = ConvertTo-SecureString -AsPlainText $Password -Force
$AESKey = Get-content $KeyPath
$Encryptedpassword = $secPw | ConvertFrom-SecureString -Key $AESKey
$Encryptedpassword

$app = New-AzADApplication -DisplayName "ExampleAutomationAccount_MF" -HomePage "https://exampleapp.com" -IdentifierUris "https://exampleapp1.com/ExampleFunctionsAccount" -Password "<same password as defined earlier>"
New-AzADServicePrincipal -ApplicationId $app.ApplicationId
Start-Sleep 15
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $app.ApplicationId

# Input bindings are passed in via parameter block
param($Request, $TriggerMetadata)
$essentials = $Request.body.data.essentials
$alertContext = $Request.body.data.alertContext
# Storage account ID to save captures in
$storageaccountid = "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
# Packet capture variables
$packetCaptureName = "PSAzureFunction"
$packetCaptureLimit = 100
$packetCaptureDuration = 30
# Credentials
# Set the credentials in the configurations
$tenant = $env:AzureTenant
$pw = $env:AzureCredPassword
$clientid = $env:AzureClientId
$password = ConvertTo-SecureString $pw -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($clientid, $password)
Connect-AzAccount -ServicePrincipal -Tenant $tenant -Credential $credential #-WarningAction SilentlyContinue | out-null
if ($alertContext.condition.allOf.metricNamespace -eq "Microsoft.Compute/virtualMachines") {
    # Get the VM firing this alert
    $vm = Get-AzVM -ResourceId $essentials.alertTargetIDs[0]
    # Get the Network Watcher instance in the VM's region
    $networkWatcher = Get-AzNetworkWatcher -Location $vm.Location
    # Get existing packet captures
    $packetCaptures = Get-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher
    # Remove an existing packet capture created by the function (if it exists)
    $packetCaptures | ForEach-Object {
        if ($_.Name -eq $packetCaptureName) {
            Remove-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher -PacketCaptureName $packetCaptureName
        }
    }
    # Initiate packet capture on the VM that fired the alert
    if ($packetCaptures.Count -lt $packetCaptureLimit) {
        Write-Output "Initiating Packet Capture"
        New-AzNetworkWatcherPacketCapture -NetworkWatcher $networkWatcher `
            -TargetVirtualMachineId $vm.Id `
            -PacketCaptureName $packetCaptureName `
            -StorageAccountId $storageaccountid `
            -TimeLimitInSeconds $packetCaptureDuration
    }
}