Azure Security Center offers vulnerability assessment solutions for various resource types (e.g. Virtual Machines, SQL servers and databases and Container Registries). Vulnerability assessment solutions scan your resources periodically and help you monitor and remediate health issues on your resources. Security Center provides security recommendations that include all found vulnerabilities, along with remediation steps, and are updated with each scan when any new vulnerability is found. Each vulnerability is a security finding, and all security findings are available in the Security Center Portal under the related recommendation.
Using continuous export you can export these security findings in real-time (with every periodic scan of your resources) to Event Hub or Log Analytics workspace, for further analysis or integration with external workflows.
Implementation
To enable continuous export for security findings, follow the steps below:
- In the Azure Portal go to ‘Security Center’.
- Click on Pricing & settings.
- Select the desired subscription.
- Click on Continuous export.
- Enable export of security recommendations. Make sure that the recommendations you would like to export security findings for are selected in the recommendations drop down menu.
- Choose the Resource Group in which the automation resource will be created.
- Fill in the details of your export destination (Event Hub/Log Analytics workspace).
- Click on the Include security findings toggle to enable export of the security findings.
- Click Save.
Please note that to receive security findings on your resources, you should first install the vulnerability assessment solution on the relevant resources.
Data schemas
For export to Event Hub, the data schema is in line with the Sub Assessments API. When exporting the data to Log Analytics workspace the data will be exported to SecurityNestedRecommendation table, in the following schema:
Please note that the data is exported as one line per vulnerability per resource.
Common queries for Log Analytics workspace
When consuming security findings data through Log Analytics workspace, you might like to further analyze the data. Below are common queries for different vulnerability assessment solutions, follow the steps below to use them:
- In Azure Portal, navigate to the Log Analytics workspace to which you enabled continuous export.
- Click on Logs.
- Copy and paste a query from the samples described below.
- Set the desired Time range.
- Click Run.
Sample queries
Join security findings with security recommendations table:
SecurityNestedRecommendation
| extend RecommendationId=ParentRecommendationId, SubscriptionId=RecommendationSubscriptionId
| join kind=inner (
SecurityRecommendation
| extend SubscriptionId= extract(@"/subscriptions/(.+)/resourceGroup",1,AssessedResourceId))
on SubscriptionId, RecommendationId
Extract server name and database name for SQL recommendation Vulnerability Assessment findings on your SQL databases should be remediated:
SecurityNestedRecommendation
| where ParentRecommendationId == "82e20e14-edc5-4373-bfc4-f13121257c37" //Vulnerability Assessment findings on your SQL databases should be remediated
| extend ServerName = extract(@"/servers/(.+)/databases", 1, AssessedResourceId)
| extend DatabaseName = extract(@"(.+)/(.+)", 2, AssessedResourceId)
Extract computer name for VM recommendation Vulnerabilities in your virtual machines should be remediated:
SecurityNestedRecommendation
| where ParentRecommendationId == "1195afff-c881-495e-9bc5-1486211ae03f" //Vulnerabilities in your virtual machines should be remediated
| extend VMName = extract(@"(.+)/(.+)", 2, AssessedResourceId)
Extract registry resource Id, repository and image digest for Containers recommendation Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys):
SecurityNestedRecommendation
| where ParentRecommendationId == "dbd0cb49-b563-45e7-9724-889e799fa648"//Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
| extend RegistryResourceId = extract(@"/registries/(.+)/repositories", 1, AssessedResourceId)
| extend Repository = tostring(AdditionalData.RepositoryName)
| extend ImageDigest = tostring(AdditionalData.ImageDigest)
Container Registry image vulnerability assessment results per scan, for Containers recommendation Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys):
SecurityNestedRecommendation
| where ParentRecommendationId == "dbd0cb49-b563-45e7-9724-889e799fa648"//Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
| extend RegistryResourceId = extract(@"/registries/(.+)/repositories", 1, AssessedResourceId)
| extend Repository = tostring(AdditionalData.RepositoryName)
| extend ImageDigest = tostring(AdditionalData.ImageDigest)
| extend ScanStatus = RecommendationState
| extend ScanTime = TimeGenerated
| summarize scanFindingSeverityCount = count() by RecommendationSeverity, RegistryResourceId, Repository, ImageDigest, ScanStatus, ScanTime
| summarize severitySummary = make_bag(pack(RecommendationSeverity, scanFindingSeverityCount)) by RegistryResourceId, Repository, ImageDigest, ScanStatus, ScanTime
| order by RegistryResourceId, Repository, ImageDigest,ScanTime
Export to CSV file
You might like to export the results to CSV file for further analysis and tracking. Follow the steps below to do that:
- Click on Export.
- Choose the appropriate export type.
To learn more about Continuous Export, make sure to watch Episode 5 of Azure Security Center in the Field where we give more insights on this feature.
Reviewers
Yuri Diogenes, Principal Program Manager (@Yuri Diogenes)
Sulaiman Abu Rashed, Software Engineer
Miri Kreitenberger, Senior Software Engineer Manager
Meital Taran- Gutman, Principal PM Manager (@Meital Taran- Gutman)
Special Thanks to Maya Herskovic, Senior Program Manager