Apply Adaptive Network Hardening across multiple Subscriptions

Published Jul 31 2021 06:38 AM 2,572 Views
Microsoft
Applying network security groups (NSGs) to filter traffic to and from resources improves your network security posture. However, there can still be cases in which the actual traffic flowing through the NSG is only a subset of what the NSG rules allow. Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.
 
For example, let's say the existing NSG rule allows traffic from 100.xx.xx.10/24 on port 8081. Based on traffic analysis, adaptive network hardening might recommend narrowing the range to allow traffic from 100.xx.xx.10/29 and deny all other traffic to that port. Adaptive network hardening recommendations are only supported on the following specific ports (for both UDP and TCP): 13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5900, 5985, 5986, 6379, 6379, 7000, 7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215
 
Prerequisites:
 - Az modules must be installed
 - The service principal created in Step 1 must have Contributor access to all subscriptions
 
Steps to follow:
Step 1: Create a service principal
After creating the service principal, retrieve the following values.
  1. Tenant Id
  2. Client Secret
  3. Client Id
Step 2: Create a PowerShell function that will be used to generate the authorization token
function Get-apiHeader{
[CmdletBinding()]
Param
(
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $TENANTID,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $ClientId,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $PasswordClient,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $resource
)
# Request an access token for the service principal (OAuth 2.0 client credentials grant)
$tokenresult=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://$resource/"; "client_id" = "$ClientId"; "client_secret" = "$PasswordClient" }
$token=$tokenresult.access_token
$Header=@{
  'Authorization'="Bearer $token"
  'Host'="$resource"
  'Content-Type'='application/json'
  }
return $Header
}

 

Step 3: Call the function created in the previous step to retrieve the authorization token
Note: Replace $TenantId, $ClientId and $ClientSecret with the values captured in Step 1
$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"

 

Step 4: Extract a CSV file containing the list of all adaptive network hardening suggestions from Azure Resource Graph

Please refer: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/governance/resource-graph/first-que...

Azure Resource graph explorer: https://docs.microsoft.com/en-us/azure/governance/resource-graph/overview

Query:

securityresources
        | where type == "microsoft.security/assessments"
        | extend source = tostring(properties.resourceDetails.Source)
        | extend resourceId =
            trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
                                            source =~ "aws", properties.resourceDetails.AzureResourceId,
                                            source =~ "gcp", properties.resourceDetails.AzureResourceId,
                                            extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id)))))
        | extend status = trim(" ", tostring(properties.status.code))
        | extend cause = trim(" ", tostring(properties.status.cause))
        | extend assessmentKey = tostring(name)
        | where assessmentKey == "f9f0eed0-f143-47bf-b856-671ea2eeed62"
 
Click "Download as CSV" and store the file in the folder that contains the adaptive network hardening script. Rename the file to "adaptivehardeningextract".
 
Set-Location $PSScriptRoot
$RootFolder = Split-Path $MyInvocation.MyCommand.Path
$ParameterCSVPath = $RootFolder + "\adaptivehardeningextract.csv"
# Load the Resource Graph export if it is present
if(Test-Path -Path $ParameterCSVPath)
  {
  $TableData = Import-Csv $ParameterCSVPath
  }

foreach($Data in $TableData)
{
  $resourceid=$Data.resourceid
  # Read the adaptive network hardening recommendation for this resource
  $resourceURL="https://management.azure.com$resourceid/providers/Microsoft.Security/adaptiveNetworkHardenings/default?api-version=2020-01-01"
  $resourcedetails=(Invoke-RestMethod  -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
  # @() keeps both values as arrays, whether one or several items are returned
  $rules = @($resourcedetails.properties.rules | Where-Object { $_ })
  $nsg = @($resourcedetails.properties.effectiveNetworkSecurityGroups.networksecuritygroups | Where-Object { $_ })
  if($rules.Count -gt 0)
  {
    # Build the enforce request body as JSON instead of pasting JSON text into a here-string
    $body = @{ rules = $rules; networkSecurityGroups = $nsg } | ConvertTo-Json -Depth 5
    $enforceresourceURL = "https://management.azure.com$resourceid/providers/Microsoft.Security/adaptiveNetworkHardenings/default/enforce?api-version=2020-01-01"
    $Enforcedetails=(Invoke-RestMethod  -Uri $enforceresourceURL -Headers $AzureApiheaders -Method POST -Body $body)
  }
}
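
Because the loop above changes NSG rules on every resource in the CSV, it helps to see what each enforce request would contain before it is sent. The following is an added example, not part of the original post: a hypothetical helper, Get-HardeningPlan, that turns one GET response into a review table plus the enforce body. The sample response is constructed, and the rule property names (name, direction, destinationPort, protocols, ipAddresses) are assumed from the public adaptiveNetworkHardenings REST schema.

```powershell
# Added example (not from the original post). Get-HardeningPlan is a hypothetical helper.
# Ports on which the article says recommendations are supported.
$SupportedPorts = 13,17,19,22,23,53,69,81,111,119,123,135,137,138,139,161,162,389,445,512,
    514,593,636,873,1433,1434,1900,2049,2301,2323,2381,3268,3306,3389,4333,5353,5432,5555,
    5800,5900,5985,5986,6379,7000,7001,7199,8081,8089,8545,9042,9160,9300,11211,16379,
    26379,27017,37215

function Get-HardeningPlan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceId,
        [Parameter(Mandatory = $true)] $Hardening   # object returned by the GET call
    )
    # Normalise to arrays so one rule and many rules are handled the same way.
    $rules = @($Hardening.properties.rules | Where-Object { $_ })
    $nsgs  = @($Hardening.properties.effectiveNetworkSecurityGroups.networkSecurityGroups |
               Where-Object { $_ } | Select-Object -Unique)

    # One review row per recommended rule.
    $review = foreach ($r in $rules) {
        [pscustomobject]@{
            ResourceId    = $ResourceId
            Rule          = $r.name
            Direction     = $r.direction
            Port          = $r.destinationPort
            Protocols     = $r.protocols -join ','
            AllowedSource = if ($r.ipAddresses) { $r.ipAddresses -join ',' } else { '(empty)' }
            PortSupported = $SupportedPorts -contains $r.destinationPort
        }
    }

    [pscustomobject]@{
        Review     = @($review)
        # Nothing to enforce without at least one rule and one target NSG.
        CanEnforce = ($rules.Count -gt 0 -and $nsgs.Count -gt 0)
        Body       = (@{ rules = $rules; networkSecurityGroups = $nsgs } | ConvertTo-Json -Depth 5)
    }
}

# Constructed sample response (placeholder subscription, resource group and names).
$sample = @'
{ "properties": {
    "rules": [
      { "name": "rule1", "direction": "Inbound", "destinationPort": 3389,
        "protocols": ["TCP"], "ipAddresses": ["192.0.2.8/29"] },
      { "name": "rule2", "direction": "Inbound", "destinationPort": 22,
        "protocols": ["TCP"], "ipAddresses": [] }
    ],
    "effectiveNetworkSecurityGroups": [
      { "networkInterface": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/networkInterfaces/nic1",
        "networkSecurityGroups": [
          "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/networkSecurityGroups/nsg1" ] }
    ] } }
'@ | ConvertFrom-Json

$plan = Get-HardeningPlan -Hardening $sample `
    -ResourceId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo'

# Review table: can be exported with Export-Csv for change approval.
$plan.Review | Format-Table Rule, Direction, Port, Protocols, AllowedSource, PortSupported

# The JSON that would be sent as -Body to the enforce endpoint.
if ($plan.CanEnforce) { $plan.Body }
```

Inside the loop, pass `$resourcedetails` as `-Hardening` and send `$plan.Body` only for resources whose review rows have been accepted.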
 
3 Comments
Established Member

Nice post!
But in your Azure Resource Graph query you are using a hard-coded value for assessmentKey. Could you elaborate on that part - is this value fixed? Is this specific to your environment? How to find the value we have to put there? How did you come up with that value?

Visitor

@astaykov I refer to these Azure Resource Graph sample queries to find out the assessmentKey of your own Azure subscription.

https://docs.microsoft.com/en-us/azure/container-registry/resource-graph-samples?WT.mc_id=AZ-MVP-500...

 


 

Microsoft

Hi @astaykov, this is independent of tenant or environment. This can be easily checked under Azure Policy.

"type": "Microsoft.Security/assessments",
"name": "f9f0eed0-f143-47bf-b856-671ea2eeed62",
Last update: Aug 02 2021 12:05 PM