This article is contributed. See the original author and article here.

Using continuous export of secure score (preview), you can stream secure score changes in real-time to an Event Hub or a Log Analytics workspace. This will enable you to track secure score over time with dynamic reports, export secure score data to Azure Sentinel or other 3rd party SIEM solutions, and integrate this data type with any internal processes you might already be using to monitor secure score in your organization.


 


Implementation


To enable continuous export for secure score, follow the steps below:



  1. In the Azure Portal go to ‘Security Center’.

  2. Click on Pricing & settings.

  3. Select the desired subscription.

  4. Click on Continuous export.

  5. Enable export of secure score. In the drop-down menu you can choose whether to export both the overall score of the subscription and the score per control, or only one of them.

  6. Choose the Resource Group in which the automation resource will be created.

  7. Fill in the details of your export destination (Event Hub/Log Analytics workspace).

  8. Click Save.


securescore2.png


 


Please note


1. Continuous export exports only updates to the score, and not the baseline. From the moment of enabling continuous export every change to the score will be exported.


2. Update to score is not exported when:



  • The number of resources changed but the overall score didn’t.

  • The change in the control score is less than 0.01.

  • The score of a control with max score of 0 is updated.


 


Data schemas


For export to Event Hub, the data schemas are in line with the Secure Scores and Secure Score Controls APIs. When exporting the data to Log Analytics workspace the overall secure score will be exported to SecureScores table, and secure score per control to SecureScoreControls table, in the following schemas:


 


SecureScores


OrSerokJeppa_1-1606121502525.png


 


SecureScoreControls


OrSerokJeppa_2-1606121502530.png


 


Common queries for Log Analytics workspace


When consuming secure score data from Log Analytics workspace, you might like to further analyze the data. For example, track secure score over time or find what recommendations and resources are lowering your score. Below are common queries for these scenarios, follow the steps below to use them:



  1. In Azure Portal, navigate to the Log Analytics workspace to which you enabled continuous export.

  2. Click on Logs.

  3. Copy and paste a query from the samples described below.

  4. Set the desired Time range.

  5. Click Run.


Sample queries


Track secure score over time by subscription:


SecureScores


| extend Percent=PercentageScore*100


| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId


| render timechart


 


Track secure score per control over time by subscription:


SecureScoreControls


| extend Percent=PercentageScore*100


| summarize avg(Percent) by bin(TimeGenerated,1d), ControlName, SubscriptionId=_SubscriptionId


| render timechart


 


Count unhealthy resources per control and recommendation for each subscription:


SecureScoreControls


| extend SubscriptionId=SecureScoresSubscriptionId


| mv-expand ControlRecommendations


| extend id_ = tostring(parse_json(ControlRecommendations).id)


| extend RecommendationId = extract(@”(.+)/(.+)”, 2, id_)


| join kind=inner (SecurityRecommendation


| extend SubscriptionId=(extract(@”/subscriptions/(.+)/resourceGroups”, 1, AssessedResourceId)


)) on SubscriptionId, RecommendationId


| where RecommendationState == “Unhealthy”


| summarize UnhealthyResources=dcount(AssessedResourceId) by ControlName, RecommendationDisplayName, SubscriptionId


 


Get all unhealthy resources by control:


SecureScoreControls


| extend SubscriptionId=SecureScoresSubscriptionId


| mv-expand ControlRecommendations


| extend id_ = tostring(parse_json(ControlRecommendations).id)


| extend RecommendationId = extract(@”(.+)/(.+)”, 2, id_)


| join kind=inner (SecurityRecommendation


| extend SubscriptionId=(extract(@”/subscriptions/(.+)/resourceGroups”, 1, AssessedResourceId)


)) on SubscriptionId, RecommendationId


| where RecommendationState == “Unhealthy”


 


Export to CSV file


You might like to export the results to a CSV file for further offline analysis, sharing with others or for other needs. Follow the steps below to do that:



  1. Click on Export.

  2. Choose the appropriate export type.


OrSerokJeppa_3-1606121502543.png


 


To learn more about Continuous Export, make sure to watch Episode 5 of Azure Security Center in the Field where we give more insights on this feature.


To learn more about Secure Score and how it is calculated, visit secure score documentation.


To learn more about querying Secure Score with Azure Resource Graph visit Querying your Secure Score Across Multiple Subscriptions in Azure Security Center.


 


Reviewers


Yuri Diogenes, Principal Program Manager (@Yuri Diogenes)


Sulaiman Abu Rashed, Software Engineer


Miri Kreitenberger, Senior Software Engineer Manager


Meital Taran- Gutman, Principal PM Manager (@Meital Taran- Gutman)


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.