As the number of resources in your Azure environment grows, you need a way to understand and prioritize the security hygiene of that environment, and that is where Microsoft Defender for Cloud comes into the picture. Microsoft Defender for Cloud continuously assesses the Azure resources within a subscription to identify security issues and provides a list of security recommendations based on the Azure Security Benchmark. Recommendations are grouped into security controls, and each security control carries a score. Each control is a logical group of related security recommendations and reflects one of your vulnerable attack surfaces.
From a continuous improvement perspective, it is imperative that you keep track of your Secure Score progress. This blog post introduces an automation playbook that you can use to receive a weekly Secure Score progress report via email.
Requirements
This automation queries Log Analytics workspace data. Using the continuous export feature of Microsoft Defender for Cloud, make sure you are streaming Defender for Cloud data to the Log Analytics workspace, and make sure that export of the secure score is enabled. In the drop-down menu you can choose to export both the overall score of the subscription and the score per control; the playbook needs both. Follow the continuous export article referenced above to enable the option. Note that the report can only cover data that arrived after you enabled the export, so the first weekly email will show a short trend line.
After you deploy this automation, you will need to:
- Authorize the azuremonitorlogs API connection to connect to the workspace
- Authorize the Office 365 API connection to send emails
- Authorize the Logic App managed identity
How does it work
The automation playbook is a Logic App that runs weekly, queries your Log Analytics workspace and gathers the data to send you a weekly notification email. The email gives you details on your current Secure Score as well as a Secure Score progress report over time, displayed as a graph. If you notice a sharp change in the graph, you can continue to review the security controls that are currently open and need to be prioritized, along with the top five security controls that should be fixed as early as possible, all in one email. Having this kind of detailed visibility is important for security analysts keeping track of the environment's security hygiene. A sample email from the automation's run is shown below:
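The queries below are an added example of the kind of KQL the playbook has to run against the workspace, written here for illustration rather than taken from the playbook itself. They assume the continuous-export tables SecureScores and SecureScoreControls with the columns TimeGenerated, Id, DisplayName, CurrentScore, MaxScore, PercentageScore and UnhealthyResourceCount; check the column names in your own workspace before relying on them. The first query is also the quickest way to verify that the continuous export described under Requirements is actually delivering secure score rows.

```kusto
// Added example, not the playbook's own query. Table and column names are
// assumptions based on the Defender for Cloud continuous-export schema.

// 1. Requirements check: is secure score data arriving at all?
//    Zero rows or a stale LastSeen means the export is not enabled for scores.
SecureScores
| where TimeGenerated > ago(7d)
| summarize Rows = count(), LastSeen = max(TimeGenerated)

// 2. Current overall score: the latest row per exported score object (Id is
//    assumed to be the resource ID that distinguishes one subscription's score
//    from another's when several subscriptions export to the same workspace).
SecureScores
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by Id
| project Id, TimeGenerated, CurrentScore, MaxScore, PercentageScore

// 3. Progress over time: one point per week for the last quarter, which is
//    the series the email renders as a graph.
SecureScores
| where TimeGenerated > ago(90d)
| summarize WeeklyPercentage = avg(PercentageScore) by bin(TimeGenerated, 7d)
| order by TimeGenerated asc
| render timechart

// 4. Top five controls to fix: rank open controls by the points still on the
//    table (MaxScore - CurrentScore), keeping only the latest row per control.
SecureScoreControls
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by DisplayName
| extend PointsToGain = MaxScore - CurrentScore
| where PointsToGain > 0
| top 5 by PointsToGain desc
| project DisplayName, CurrentScore, MaxScore, PointsToGain, UnhealthyResourceCount
```

Ranking by PointsToGain rather than by PercentageScore alone surfaces the controls that move the overall score the most, which is what "top five most important" means in score terms; a control with many unhealthy resources but a small weight will rank lower than a single heavily weighted control such as MFA. Run each query on its own in the workspace before wiring it into the Logic App, because a column-name mismatch fails silently as an empty result rather than an error in the email.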
The sections that follow will go in details on each one of those steps.
How to deploy the automation playbook
You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Microsoft Defender for Cloud GitHub repository.
The ARM template points at your existing Log Analytics workspace and creates two API connections, an Office 365 connection and an Azure Monitor Logs connection. As template parameters, you will need to enter the Log Analytics workspace subscription ID, the Log Analytics workspace resource group name and the Log Analytics workspace name. During the deployment, it is highly recommended to create a new resource group that will contain all the resources required by the playbook, so that its permissions and lifecycle are kept separate from other workloads.
Once you have deployed the ARM template, you will have some manual steps to take before it works as expected.
Authorize azuremonitorlogs API Connection
This API connection is used to connect to your Log Analytics workspace. To authorize the API connection:
- Go to the Resource Group you have used to deploy the template resources.
- Select the azuremonitorlogs API connection and press 'Edit API connection'.
- Press the 'Authorize' button.
- Make sure to authenticate against Azure AD.
- Press save
Authorize Office 365 API Connection
This API connection is used to send weekly secure score progress report email. To authorize the API connection:
- Go to the Resource Group you have used to deploy the template resources.
- Select the Office365 API connection and press 'Edit API connection'.
- Press the 'Authorize' button.
- Make sure to authenticate against Azure AD.
- Press save.
Authorize the Logic App’s managed identity
The playbook uses a managed identity. You need to assign the Reader role on every subscription you want included in the report to that managed identity (explained in detail below). Reader is sufficient, since the playbook only queries data; do not grant it Contributor or Security Admin. Note that you can assign the role only if you are an Owner or User Access Administrator at that scope, and make sure all selected subscriptions are registered with Microsoft Defender for Cloud.
To grant the managed identity reader access, you need to:
- Make sure you have User Access Administrator or Owner permissions for this scope.
- Go to the subscription/management group page.
- Press 'Access Control (IAM)' on the navigation bar.
- Press '+Add' and 'Add role assignment'.
- Choose ‘Reader’ role.
- Assign access to Logic App.
- Choose the subscription where the logic app was deployed.
- Choose the Logic App you have just deployed.
- Press save.
GitHub Sample
This Logic App, as well as many other automation artifacts, can be found in our GitHub repository using the link below:
Microsoft Defender for Cloud GitHub Repo
Make sure to take advantage of this automation artifact and stay on top of your environment’s Security Posture.
Let us know your feedback using any of the channels listed in the Resources. Your feedback is highly appreciated.
Reviewer
Thanks to the amazing Yuri Diogenes, Principal Program Manager, for envisioning this automation idea and for his feedback on this automation and the article.