Although the capability to query the Secure Score using the API was already available and we already published some automations to leverage this capability, now you can also query your Secure Score using Azure Resource Graph (ARG). In addition, you will be able to calculate the score for the security controls and accurately calculate the aggregated score across multiple subscriptions. The following tables were added to allow you to query not only the secure score, but also the security controls:
Here is an example of how to query your current secure score (percentage):
SecurityResources
| where type == 'microsoft.security/securescores'
| extend current = properties.score.current, max = todouble(properties.score.max)
| project subscriptionId, current, max, percentage = ((current / max)*100)
This query will return an output that looks like this one:
This corresponds to what you see in the UI for your subscription. In this case, the Microsoft Defender for Cloud dashboard shows the following Secure Score:
The next example lists all security controls, the number of unhealthy resources, their current score and their max score:
SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max
| project SecureControl , unhealthy, currentscore, maxscore
The output should look like the example below:
Calculating the Secure Score
For a single subscription, the resource type we query is microsoft.security/securescores, which returns the maximum score (∑ maximum scores of each security control) and the current score (∑ current scores of each security control). To obtain the secure score of a single subscription, the following formula is used:
To obtain the aggregated secure score for multiple subscriptions you should use the formula below:
As you can see in the formula, the aggregated score for multiple subscriptions is not the average; it uses the weight field that is provided in the query (ARG or API). The weight takes into account the size of the subscription (# of resources) and hence allows you to calculate a weighted score, which is more accurate than a regular average between different subscriptions with different sizes. For more information, refer to the secure score documentation page.
To see what this looks like, let’s use the query below as an example:
securityresources
| where type == "microsoft.security/securescores"
| extend subscriptionScore = todouble(properties.score.current)/todouble(properties.score.max)
| extend subScoreXsubWeight = todouble(subscriptionScore)*todouble(properties.weight)
| summarize upperValue = sum(subScoreXsubWeight), underValue = sum(todouble(properties.weight))
| extend overallScore = round(100*((upperValue)/(underValue)))
| project overallScore
The subscriptionScore is obtained by dividing the subscription's current score by its maximum score. Then, the value subScoreXsubWeight holds the subscription secure score times the subscription weight. Finally, the overall score is the sum of subScoreXsubWeight divided by the sum of the subscriptions’ weights. The result is shown below:
One of the advantages of querying the secure score via ARG is that you can quickly use these queries to create custom dashboards with Azure Workbooks. If you are querying the secure score using the API, you can send a GET request as shown below:
In the JSON result you will see that the weight field, which is used to calculate the secure score, is also available, as shown in the sample below:
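The weighted aggregation described above, applied to an API-style JSON result, as an added example that is not code from the original post. The sample payload is constructed (subscription ids, scores and weights are made up), and skipping entries with a max score or weight of 0 is this example's own choice:

```python
import json

# Constructed sample shaped like a Secure Scores list result merged across
# three subscriptions; ids, scores and weights are made up for illustration.
SAMPLE = json.loads("""
{"value": [
  {"id": "/subscriptions/sub-a/providers/Microsoft.Security/secureScores/ascScore",
   "properties": {"score": {"max": 58, "current": 29.0}, "weight": 400}},
  {"id": "/subscriptions/sub-b/providers/Microsoft.Security/secureScores/ascScore",
   "properties": {"score": {"max": 40, "current": 36.0}, "weight": 20}},
  {"id": "/subscriptions/sub-c/providers/Microsoft.Security/secureScores/ascScore",
   "properties": {"score": {"max": 0, "current": 0.0}, "weight": 0}}
]}
""")


def subscription_ratios(payload):
    """Return (subscription_id, current/max, weight) for every scorable entry."""
    rows = []
    for item in payload["value"]:
        props = item["properties"]
        max_score = float(props["score"]["max"])
        weight = float(props.get("weight", 0))
        if max_score <= 0 or weight <= 0:
            # Assumption of this example: skip entries that would divide by
            # zero or contribute no weight to the aggregate.
            continue
        sub_id = item["id"].split("/")[2]
        rows.append((sub_id, float(props["score"]["current"]) / max_score, weight))
    return rows


def weighted_score(payload):
    """sum(score * weight) / sum(weight), as a rounded percentage."""
    rows = subscription_ratios(payload)
    total_weight = sum(w for _, _, w in rows)
    if total_weight == 0:
        return None
    return round(100 * sum(r * w for _, r, w in rows) / total_weight)


def plain_average(payload):
    """Unweighted mean of per-subscription percentages, for comparison only."""
    rows = subscription_ratios(payload)
    return round(100 * sum(r for _, r, _ in rows) / len(rows)) if rows else None


if __name__ == "__main__":
    print("weighted:", weighted_score(SAMPLE), "plain average:", plain_average(SAMPLE))
```

With this sample the large subscription (weight 400, score 50%) dominates the small one (weight 20, score 90%), so the weighted result sits far below the plain average.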
For more information about the Secure Score API, read the following articles:
Make sure to utilize this feature and provide your feedback in the comments below, or if you want to formally suggest improvements, provide your feedback at https://aka.ms/ascuservoice
Thanks to all Reviewers
Miri Landau, Senior PM – Microsoft Defender for Cloud Engineering Team
Meital Taran-Gutman, Principal PM – Microsoft Defender for Cloud Engineering Team
Fernanda Vela Huerta, PM – CxE Microsoft Defender for Cloud Team