Using continuous export of secure score (preview), you can stream secure score changes in real time to an Event Hub or a Log Analytics workspace. This enables you to track secure score over time with dynamic reports, export secure score data to Azure Sentinel or other third-party SIEM solutions, and integrate this data type with any internal processes you already use to monitor secure score in your organization.
Implementation
To enable continuous export for secure score, follow the steps below:
- In the Azure Portal go to ‘Security Center’.
- Click on Pricing & settings.
- Select the desired subscription.
- Click on Continuous export.
- Enable export of secure score. In the drop-down menu you can choose whether to export both the overall score of the subscription and the score per control, or only one of them.
- Choose the Resource Group in which the automation resource will be created.
- Fill in the details of your export destination (Event Hub/Log Analytics workspace).
- Click Save.
Please note
1. Continuous export exports only updates to the score, not the baseline. From the moment continuous export is enabled, every change to the score is exported.
2. An update to the score is not exported when:
- The number of resources changed but the overall score didn’t.
- The change in the control score is less than 0.01.
- The score of a control with max score of 0 is updated.
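The two notes above have a practical consequence: because only updates are streamed, a complete time series needs a baseline taken from the Secure Score Controls API, with the exported deltas applied on top. The following added example (not Microsoft's code) models the three suppression rules and rebuilds a per-control series the way the queries below chart it; the field names MaxScore, CurrentScore and ResourceCount and all sample data are constructed assumptions.

```python
# Added example, not Microsoft's code. PercentageScore, ControlName and TimeGenerated are
# the columns the article's queries use; MaxScore, CurrentScore and ResourceCount are
# constructed names (assumed to mirror the Secure Score Controls API); data is constructed.
SCORE_EPSILON = 0.01  # score changes smaller than this are not exported (rule 2)

def snapshot(time, control, current, maximum, resources):
    """One computed control score as Security Center would hold it at a point in time."""
    pct = current / maximum if maximum else 0.0
    return {"TimeGenerated": time, "ControlName": control, "CurrentScore": current,
            "MaxScore": maximum, "ResourceCount": resources, "PercentageScore": pct}

def is_exported(prev, new):
    """The article's rules: nothing is exported when only the resource count changed (1),
    when the control score moved by less than 0.01 (2), or when the max score is 0 (3)."""
    if new["MaxScore"] == 0:
        return False
    return abs(new["CurrentScore"] - prev["CurrentScore"]) >= SCORE_EPSILON

def simulate_export(snapshots):
    """Return the snapshots continuous export would emit, in time order. The first
    snapshot of each control is the baseline, which is never exported."""
    last, exported = {}, []
    for snap in sorted(snapshots, key=lambda s: s["TimeGenerated"]):
        name = snap["ControlName"]
        if name in last and is_exported(last[name], snap):
            exported.append(snap)
        last[name] = snap
    return exported

def replay(baseline, exported):
    """Rebuild {ControlName: [(TimeGenerated, Percent)]}, the series the article's second
    query charts, seeding from an API baseline because the export carries only updates."""
    series = {s["ControlName"]: [(s["TimeGenerated"], round(s["PercentageScore"] * 100, 4))]
              for s in baseline}
    for ev in exported:
        series.setdefault(ev["ControlName"], []).append(
            (ev["TimeGenerated"], round(ev["PercentageScore"] * 100, 4)))
    return series

# Constructed sample: an improving control, a resource-only change, a sub-0.01 change,
# and a control whose max score is 0.
SAMPLE = [
    snapshot("2020-09-01T00:00Z", "Enable MFA", 4.0, 10, 20),           # baseline
    snapshot("2020-09-02T00:00Z", "Enable MFA", 4.0, 10, 25),           # rule 1: not exported
    snapshot("2020-09-03T00:00Z", "Enable MFA", 6.0, 10, 25),           # exported
    snapshot("2020-09-04T00:00Z", "Enable MFA", 6.005, 10, 25),         # rule 2: not exported
    snapshot("2020-09-01T00:00Z", "Apply system updates", 0.0, 0, 3),   # baseline
    snapshot("2020-09-03T00:00Z", "Apply system updates", 0.0, 0, 9),   # rule 3: not exported
]
BASELINE = [s for s in SAMPLE if s["TimeGenerated"] == "2020-09-01T00:00Z"]
```

Running `replay(BASELINE, simulate_export(SAMPLE))` shows why the baseline matters: without it, "Apply system updates" would never appear in the series at all.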
Data schemas
For export to Event Hub, the data schemas are in line with the Secure Scores and Secure Score Controls APIs. When exporting to a Log Analytics workspace, the overall secure score is written to the SecureScores table and the secure score per control to the SecureScoreControls table, in the following schemas:
SecureScores
SecureScoreControls
Common queries for Log Analytics workspace
When consuming secure score data from a Log Analytics workspace, you might want to analyze it further, for example to track secure score over time or to find which recommendations and resources are lowering your score. Below are common queries for these scenarios. Follow the steps below to use them:
- In Azure Portal, navigate to the Log Analytics workspace to which you enabled continuous export.
- Click on Logs.
- Copy and paste a query from the samples described below.
- Set the desired Time range.
- Click Run.
Sample queries
Track secure score over time by subscription:
SecureScores
| extend Percent=PercentageScore*100
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId
| render timechart
Track secure score per control over time by subscription:
SecureScoreControls
| extend Percent=PercentageScore*100
| summarize avg(Percent) by bin(TimeGenerated,1d), ControlName, SubscriptionId=_SubscriptionId
| render timechart
Count unhealthy resources per control and recommendation for each subscription:
SecureScoreControls
| extend SubscriptionId=SecureScoresSubscriptionId
| mv-expand ControlRecommendations
| extend id_ = tostring(parse_json(ControlRecommendations).id)
| extend RecommendationId = extract(@"(.+)/(.+)", 2, id_)
| join kind=inner (SecurityRecommendation
| extend SubscriptionId=extract(@"/subscriptions/(.+)/resourceGroups", 1, AssessedResourceId)
) on SubscriptionId, RecommendationId
| where RecommendationState == "Unhealthy"
| summarize UnhealthyResources=dcount(AssessedResourceId) by ControlName, RecommendationDisplayName, SubscriptionId
Get all unhealthy resources by control:
SecureScoreControls
| extend SubscriptionId=SecureScoresSubscriptionId
| mv-expand ControlRecommendations
| extend id_ = tostring(parse_json(ControlRecommendations).id)
| extend RecommendationId = extract(@"(.+)/(.+)", 2, id_)
| join kind=inner (SecurityRecommendation
| extend SubscriptionId=extract(@"/subscriptions/(.+)/resourceGroups", 1, AssessedResourceId)
) on SubscriptionId, RecommendationId
| where RecommendationState == "Unhealthy"
Export to CSV file
You might want to export the results to a CSV file for offline analysis, for sharing with others, or for other needs. Follow the steps below to do that:
- Click on Export.
- Choose the appropriate export type.
To learn more about Continuous Export, make sure to watch Episode 5 of Azure Security Center in the Field where we give more insights on this feature.
To learn more about Secure Score and how it is calculated, visit secure score documentation.
To learn more about querying Secure Score with Azure Resource Graph visit Querying your Secure Score Across Multiple Subscriptions in Azure Security Center.
Reviewers
Yuri Diogenes, Principal Program Manager (@Yuri Diogenes)
Sulaiman Abu Rashed, Software Engineer
Miri Kreitenberger, Senior Software Engineer Manager
Meital Taran- Gutman, Principal PM Manager (@Meital Taran- Gutman)