Continuously Export Secure Score for Over-Time Tracking and Reporting (Preview)
Published Feb 16 2021 03:49 AM

Using continuous export of secure score (preview), you can stream secure score changes in real time to an Event Hub or a Log Analytics workspace. This enables you to track secure score over time with dynamic reports, export secure score data to Microsoft Sentinel or other third-party SIEM solutions, and integrate this data type with any internal processes you already use to monitor secure score in your organization.


Implementation

To enable continuous export for secure score, follow the steps below:

  1. In the Azure Portal go to ‘Microsoft Defender for Cloud’.
  2. Click on Pricing & settings.
  3. Select the desired subscription.
  4. Click on Continuous export.
  5. Enable export of secure score. In the drop-down menu you can choose whether to export both the overall score of the subscription and the score per control, or only one of them.
  6. Choose the Resource Group in which the automation resource will be created (continuous export is stored as a Microsoft.Security/automations resource, so the same configuration can also be deployed with an ARM template or the REST API).
  7. Fill in the details of your export destination (Event Hub or Log Analytics workspace).
  8. Click Save.

[image: continuous export settings page, with secure score export enabled]

Please note

1. Continuous export streams only updates to the score, not the baseline. From the moment you enable continuous export, every qualifying change to the score is exported, but the value the score had at that moment is not. If you need a complete time series, record the starting value yourself when you enable the export (for example with the Azure Resource Graph query referenced at the end of this post) and treat the exported rows as deltas on top of it.

2. A score update is not exported when:

  • The number of resources changed but the overall score did not.
  • The change in the control score is less than 0.01.
  • The score of a control whose maximum score is 0 is updated.


Data schemas

For export to Event Hub, the data schemas are in line with the Secure Scores and Secure Score Controls REST APIs. When exporting to a Log Analytics workspace, the overall secure score is written to the SecureScores table and the score per control to the SecureScoreControls table, with the following schemas:


SecureScores

[image: SecureScores table schema]

SecureScoreControls

[image: SecureScoreControls table schema]

Common queries for Log Analytics workspace

When consuming secure score data from a Log Analytics workspace, you might want to analyze it further, for example to track secure score over time or to find which recommendations and resources are lowering your score. Below are common queries for these scenarios. To use them:

  1. In Azure Portal, navigate to the Log Analytics workspace to which you enabled continuous export.
  2. Click on Logs.
  3. Copy and paste a query from the samples described below.
  4. Set the desired Time range.
  5. Click Run.

Sample queries

Track secure score over time by subscription:

SecureScores
// PercentageScore is a fraction (0-1); scale it to percentage points
| extend Percent=PercentageScore*100
// daily average per subscription; _SubscriptionId is a standard Log Analytics column
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId
| render timechart


Track secure score per control over time by subscription:

SecureScoreControls
// PercentageScore is a fraction (0-1); scale it to percentage points
| extend Percent=PercentageScore*100
// one series per control and subscription, averaged per day
| summarize avg(Percent) by bin(TimeGenerated,1d), ControlName, SubscriptionId=_SubscriptionId
| render timechart


Count unhealthy resources per control and recommendation for each subscription:

SecureScoreControls
| extend SubscriptionId=SecureScoresSubscriptionId
// keep only the latest export of each control per subscription, so recommendations
// that have since left the control are not counted
| summarize arg_max(TimeGenerated, *) by SubscriptionId, ControlName
// one row per recommendation listed under the control
| mv-expand RecommendationResourceIds
| extend id_ = tostring(parse_json(RecommendationResourceIds).id)
// the last path segment of the assessment id is the recommendation id
| extend RecommendationId = extract(@"(.+)/(.+)", 2, id_)
| join kind=inner (
    SecurityRecommendation
    // latest state per resource and recommendation, so resources remediated after an
    // earlier "Unhealthy" record are not counted
    | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationId
    // case-insensitive and without requiring a resource group, so subscription-scoped
    // resources are not dropped
    | extend SubscriptionId=extract(@"(?i)^/subscriptions/([^/]+)", 1, AssessedResourceId)
) on SubscriptionId, RecommendationId
| where RecommendationState == "Unhealthy"
| summarize UnhealthyResources=dcount(AssessedResourceId) by ControlName, RecommendationDisplayName, SubscriptionId


Get all unhealthy resources by control:

SecureScoreControls
| extend SubscriptionId=SecureScoresSubscriptionId
// latest export of each control per subscription
| summarize arg_max(TimeGenerated, *) by SubscriptionId, ControlName
| mv-expand RecommendationResourceIds
| extend id_ = tostring(parse_json(RecommendationResourceIds).id)
| extend RecommendationId = extract(@"(.+)/(.+)", 2, id_)
| join kind=inner (
    SecurityRecommendation
    // latest state per resource and recommendation
    | summarize arg_max(TimeGenerated, *) by AssessedResourceId, RecommendationId
    | extend SubscriptionId=extract(@"(?i)^/subscriptions/([^/]+)", 1, AssessedResourceId)
) on SubscriptionId, RecommendationId
| where RecommendationState == "Unhealthy"
| project-reorder SubscriptionId, ControlName, RecommendationDisplayName, AssessedResourceId
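
Detect drops in the overall score:

The queries above chart and count; a practitioner feeding this data into Microsoft Sentinel usually also wants to know when a score went down, and by how much. The query below is an added example and is not part of the original post. It relies on the property described under "Please note": continuous export emits only changes, so every SecureScores row is a change event, and comparing each row with the previous row of the same subscription gives the size of that change. It assumes the SecureScores table with the PercentageScore (0-1) and _SubscriptionId columns used in the sample queries; the lookback window and the minDropPoints threshold are placeholders to tune.

```kusto
// Added example, not from the original post: list every exported update that lowered a
// subscription's overall secure score by at least minDropPoints percentage points.
// Assumptions: SecureScores table as populated by continuous export (PercentageScore is a
// fraction 0-1, _SubscriptionId identifies the subscription); lookback and threshold are
// placeholder values.
let lookback = 30d;
let minDropPoints = 1.0;
SecureScores
| where TimeGenerated > ago(lookback)
| extend SubscriptionId = _SubscriptionId, Percent = round(PercentageScore * 100, 2)
| project TimeGenerated, SubscriptionId, Percent
// order by yields a serialized row set, which prev() requires
| order by SubscriptionId asc, TimeGenerated asc
| extend PrevSubscriptionId = prev(SubscriptionId),
         PrevTime = prev(TimeGenerated),
         PrevPercent = prev(Percent)
// the first row of each subscription has no predecessor within that subscription; drop it
| where PrevSubscriptionId == SubscriptionId
| extend DeltaPoints = Percent - PrevPercent
| where PrevPercent - Percent >= minDropPoints
| project TimeGenerated, SubscriptionId, PrevTime, PrevPercent, Percent, DeltaPoints
| order by TimeGenerated desc
```

Because the baseline is not exported, the first row a subscription produces after you enable the export has no predecessor and is never reported as a drop; compare it against the starting value you recorded at enablement if that matters. The latest known score per subscription is simply the arg_max of TimeGenerated over PercentageScore grouped by _SubscriptionId, with the caveat that a subscription with no rows in the window has not changed rather than disappeared. Replacing SecureScores with SecureScoreControls and adding ControlName to the order by and the equality check gives the same detection per control.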

 

Export to CSV file

You might want to export the results to a CSV file for offline analysis, for sharing with others, or for other needs. Follow the steps below:

  1. Click on Export.
  2. Choose the appropriate export type.

[image: Export menu in the Logs view]

To learn more about Continuous Export, make sure to watch Episode 5 of Microsoft Defender for Cloud in the Field, where we give more insight into this feature.

To learn more about Secure Score and how it is calculated, visit secure score documentation.

To learn more about querying Secure Score with Azure Resource Graph visit Querying your Secure Score Across Multiple Subscriptions in Microsoft Defender for Cloud.

 

Reviewers

Yuri Diogenes, Principal Program Manager (@Yuri Diogenes)

Sulaiman Abu Rashed, Software Engineer

Miri Kreitenberger, Senior Software Engineer Manager

Meital Taran- Gutman, Principal PM Manager (@Meital Taran- Gutman)

 

Last update: Nov 02 2021 04:56 PM