Blog Post

Microsoft Defender for Cloud Blog
4 MIN READ

Weekly Secure Score Progress Report

Safeena Begum Lepakshi's avatar
Feb 25, 2021

With the increasing number of resources in your Azure environment, you need a way to understand and prioritize the security hygiene of your environment and that’s where Microsoft Defender for Cloud comes into picture. Microsoft Defender for Cloud continuously assesses Azure resourceswithin a subscription to identify security issues and provides a list of security recommendations which leverages Azure Security Benchmark. Recommendations are grouped in Security Controls and some security controls will have a score attach to it. Each control is a logical group of related security recommendations and reflects your vulnerable attack surfaces. 

From the continuous improvement perspective, it is imperative that you keep track of your Secure Score progress. This blog post, introduces an automation playbook that you can leverage to receive a Weekly Secure Score Progress report via email.  

 

Requirements

This automation is querying Log Analytics Workspace data. Using Continuous export feature of Microsoft Defender for Cloud, make sure you are streaming Defender for Cloud data to the Log Analytics workspace. Also make sure you have enabled export of secure score. In the drop-down menu you can choose to export both the overall score of the subscription and the score per control. Please follow this article for enabling Continuous export option

 

After you deploy this automation, you will need to: 

  • Authorize the azuremonitorlogs API connection to connect to the workspace 
  • Authorize the Office 365 API connection to send emails 
  • Authorize the Logic App managed identity

 

How does it work

The automation playbook is a Logic App that runs weekly, queries your Log Analytics Workspace and gathers data to send you weekly notification email that will update you details on your current Secure Score as well as Secure Score overtime progress report displayed in a beautiful graph format. In case you notice a spectacular change in the graph, you can continue to review the current security controls that are open and that needs to be prioritized along with the top five most important Security controls that needs to be fixed as early as possible – all in one email. Having this kind of detailed visibility is super important for Security analytics to keep track of the environment’s security hygiene. A sample email from the automation’s run is shown below:  

Image 1: Example Email output

The sections that follow will go in details on each one of those steps.

 

How to deploy the automation playbook

You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Microsoft Defender for Cloud GitHub repository.

The ARM template uses your Log Analytics workspace and creates two API Connections, O365 and an Azure Monitor Logs API connection. As part of the template parameters, you will need to enter your Log Analytics Workspace Subscription ID, Log Analytics Workspace Resource Group Name and Log Analytics Workspace Name. During the deployment, it is highly recommended to create a new resource group, which will contain all the required resources for the playbook.

Once you have deployed the ARM template, you will have some manual steps to take before it works as expected.

 

Authorize azuremonitorlogs API Connection 

This API connection is used to connect to your Log Analytics workspace. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the azuremonitorlogs API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save

 

Authorize Office 365 API Connection 

This API connection is used to send weekly secure score progress report email. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the Office365 API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save.

Authorize the Logic App’s managed identity

The playbook uses a Managed Identity. You need to assign reader permissions to the subscriptions you want to export for the Manage Identity (explained in detail below). Notice you can assign permissions only as an owner and make sure all selected subscriptions registered to Microsoft Defender for Cloud.

 

To grant the managed identity reader access, you need to:

  1. Make sure you have User Access Administrator or Owner permissions for this scope.
  2. Go to the subscription/management group page.
  3. Press 'Access Control (IAM)' on the navigation bar.
  4. Press '+Add' and 'Add role assignment'.
  5. Choose ‘Reader’ role.
  6. Assign access to Logic App.
  7. Choose the subscription where the logic app was deployed.
  8. Choose the Logic App you have just deployed.
  9. Press save.

 

GitHub Sample

You can leverage This logic app as well as many other can be found here: this automation from our GitHub repository using the links below: 

 

Direct Link to GitHub sample 

Microsoft Defender for Cloud GitHub Repo 

 

Make sure to take advantage of this automation artifact and stay on top of your environment’s Security Posture 

Let us know your feedback using any of the channels listed in the Resources. Your feedback is highly appreciated.  

 

Reviewer

Thanks to the amazing Yuri DiogenesPrincipal Program Manager for envisioning this wonderful automation idea and for his feedbacks on this automation and the article. 

Updated Oct 31, 2021
Version 5.0
  • rayphoon Thanks for the great feedback and question. This automation does not use Get-securescore logicapp but uses Continuous export feature of Azure Security Center. I've edited the article to make that point clear under requirements section. Hope that helps. 

  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    Can this same concept be used for the Identity Secure Score in Azure AD?

  • Dean_Gross  Thanks for reaching out. Identity Secure Score is not part of Azure Security Center. Azure Security Center focuses on infrastructure and platform services, not on identities. In case you want to have this feature included in ASC, please make sure to post or upvote in the ASC Uservoice

  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    Thanks for the link to the UserVoice site but it’s my understanding that Microsoft is going to stop using that very soon so I think I will wait until the new system is available 

  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    Also, it appears that we have different definitions of cloud security posture management. When I see this term, I think of a comprehensive system that doesn’t exclude identity, which, as we all know, it the most important pillar. If asc is really going to become the cspm tool, it should not exclude identity 

  • MaziJT's avatar
    MaziJT
    Copper Contributor

    Thanks for this great article Safeena. I was able to deploy the logic app, however, when I try to authorize the office365 API connection I keep getting the error: 'Test connection failed. Error 'REST API is not yet supported for this mailbox. This error can occur for sandbox (test) accounts or for accounts that are on a dedicated (on-premise) mail server.' Any idea how I can fix this

  • akssingh_shs's avatar
    akssingh_shs
    Copper Contributor

    Regarding this option .. Could you please suggest if i enable continues export first time , in that case how & when data will be ingested inside Log analytics workspace  (LAW). I am clear about streaming ,my question more related to first time data ingestion and snapshot (which day of week) . Any option to configure Snapshots schedule ..

     Select the appropriate export frequency:

    • Streaming – assessments will be sent when a resource’s health state is updated (if no updates occur, no data will be sent).
    • Snapshots – a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).
  • Great Article Safeena! Thank you. 

     

    It seems to me that "top 5 PotentialScoreIncrease" can be changed to higher number (top 10) in KQL Querry. Or am I mistaking?