%3CLINGO-SUB%20id%3D%22lingo-sub-2162217%22%20slang%3D%22en-US%22%3ERe%3A%20Weekly%20Secure%20Score%20Progress%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2162217%22%20slang%3D%22en-US%22%3E%3CP%3EI%20deployed%20the%20Logic%20App%20and%20it%20looks%20to%20be%20querying%20the%20SecureScores%20table%20in%20Log%20Analytics%20but%20this%20table%20does%20not%20exist.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20running%20the%20Logic%20App%20for%20%22%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FSecure%2520Score%2FGet-SecureScoreData%26quot%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FSecure%2520Score%2FGet-SecureScoreData%22%3C%2FA%3E%26nbsp%3Bwhich%20says%20that%20it%20pulls%20data%20from%20Security%20Center%20into%20Log%20Analytics%20but%20it%20seems%20to%20create%20different%20tables%20which%20does%20not%20work%20with%20this%20module.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2159354%22%20slang%3D%22en-US%22%3EWeekly%20Secure%20Score%20Progress%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2159354%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWith%20the%20increasing%20number%20of%20resources%20in%20your%20Azure%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eenvironment%2C%20you%20need%20a%20way%20to%20understand%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%20prioritize%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthe%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esecurity%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehy%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Egiene%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bof%20your%20environment%20and%20that%E2%80%99s%20where%20Azure%20Security%20Center%20comes%20into%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Epicture.%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-introduction%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Security%20Center%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bcontinuously%20assess%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ees%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EAzure%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eresources%3C%2FSPAN%3E%3CSPAN%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewithin%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esubscription%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eto%20identify%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esecurity%20issues%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eprovides%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Ba%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Blist%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eof%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Esecurity%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Erecommendations%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ewhich%20%3C%2FSPAN%3E%3CSPAN%3Eleverages%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity%2Fbenchmarks%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Security%20Benchmark.%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3ERecommendations%20are%20grouped%20in%20Security%20Controls%20and%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Esome%20security%20controls%20will%20have%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Escore%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Battach%20to%20it.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EEach%20control%20is%20a%20logical%20group%20of%20related%20security%20recommendations%20and%20reflects%20your%20vulnerable%20attack%20surfaces.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFrom%20the%20continuous%20improvement%20perspective%2C%20it%20is%20imperative%20that%20you%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ekeep%20track%20of%20your%20Secure%20Score%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eprogress.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EThis%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eblog%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bpost%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eintroduces%20an%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eautomation%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eplaybook%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethat%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Byou%20can%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Elev%3C%2FSPAN%3E%3CSPAN%3Eerage%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%20receive%20a%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWeekly%20Secure%20Score%20Progress%20report%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bvia%20email%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1973942033%22%20id%3D%22toc-hId-1973942033%22%20id%3D%22toc-hId-1973942033%22%3ERequirements%3C%2FH3%3E%0A%3CP%3EThis%20automation%20is%20querying%20Log%20Analytics%20Workspace%20data.%20Using%20Continuous%20export%20feature%20of%20Azure%20Security%20Center%2C%20make%20sure%20you%20are%20streaming%20Security%20Center%20data%20to%20the%20Log%20Analytics%20workspace.%20Also%20make%20sure%20you%20have%20enabled%20export%20of%20secure%20score.%20In%20the%20drop-down%20menu%20you%20can%20choose%20to%20export%20both%20the%20overall%20score%20of%20the%20subscription%20and%20the%20score%20per%20control.%20Please%20follow%20this%20article%20for%20enabling%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-security-center%2Fcontinuously-export-secure-score-for-over-time-tracking-and%2Fba-p%2F1922779%22%20target%3D%22_blank%22%3EContinuous%20export%20option%20%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAfter%20you%20deploy%20this%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eautomation%2C%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Byou%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ewill%20need%20to%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CSPAN%3EAuthorize%20the%20%3CEM%3Eazuremonitorlogs%3C%2FEM%3E%20API%20connection%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Bto%20connect%20to%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eworkspace%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%3EAuthoriz%3C%2FSPAN%3E%3CSPAN%3Ee%20the%20%3CEM%3EOffice%20365%3C%2FEM%3E%20API%20connection%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Esend%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eemails%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3EAuthorize%20the%20Logic%20App%20managed%20identity%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20id%3D%22toc-hId-166487570%22%20id%3D%22toc-hId-166487570%22%20id%3D%22toc-hId-166487570%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1640966893%22%20id%3D%22toc-hId--1640966893%22%20id%3D%22toc-hId--1640966893%22%3EHow%20does%20it%20work%3C%2FH3%3E%0A%3CP%3E%3CSPAN%3EThe%20automation%20playbook%20is%20a%20Logic%20App%20that%20runs%20weekly%2C%20queries%20your%20Log%20Analytics%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3EWorkspace%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3Band%20gathers%20data%20to%20send%20you%20weekly%20notification%20email%20that%20will%20update%20you%20details%20on%20your%20current%20Secure%20Score%20as%20well%20as%20Secure%20Score%20overtime%20progress%20report%20displayed%20in%20a%20beautiful%20graph%20format.%20In%20case%20you%20notice%20a%20spectacular%20change%20in%20the%20graph%2C%20you%20can%20continue%20to%20review%20the%20current%20security%20controls%20that%20are%20open%20and%20that%20needs%20to%20be%20prioritized%20along%20with%20the%20top%20five%20most%20important%20Security%20controls%20that%20needs%20to%20be%20fixed%20as%20early%20as%20possible%20%E2%80%93%20all%20in%20one%20email.%20Having%20this%20kind%20of%20detailed%20visibility%20is%20super%20important%20for%20Security%20analytics%20to%20keep%20track%20of%20the%20environment%E2%80%99s%20security%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Ehygiene.%20A%20sample%20email%20from%20the%20automation%E2%80%99s%20run%20is%20shown%20below%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Picture1.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F257040i3971AC4738180850%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22Picture1.png%22%20alt%3D%22Image%201%3A%20Example%20Email%20output%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EImage%201%3A%20Example%20Email%20output%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20sections%20that%20follow%20will%20go%20in%20details%20on%20each%20one%20of%20those%20steps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-846545940%22%20id%3D%22toc-hId-846545940%22%20id%3D%22toc-hId-846545940%22%3EHow%20to%20deploy%20the%20automation%20playbook%3C%2FH3%3E%0A%3CP%3EYou%20can%20find%20an%20ARM%20template%20that%20will%20deploy%20the%20Logic%20App%20Playbook%20and%20all%20necessary%20API%20connections%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FSecure%2520Score%2FSecureScoreOverTimeReport%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure%20Security%20Center%20GitHub%20repository%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3EThe%20ARM%20template%20uses%20your%20Log%20Analytics%20workspace%20and%20creates%20two%20API%20Connections%2C%20O365%20and%20an%20Azure%20Monitor%20Logs%20API%20connection.%20As%20part%20of%20the%20template%20parameters%2C%20you%20will%20need%20to%20enter%20your%20Log%20Analytics%20Workspace%20Subscription%20ID%2C%20Log%20Analytics%20Workspace%20Resource%20Group%20Name%20and%20Log%20Analytics%20Workspace%20Name.%20During%20the%20deployment%2C%20it%20is%20highly%20recommended%20to%20create%20a%20new%20resource%20group%2C%20which%20will%20contain%20all%20the%20required%20resources%20for%20the%20playbook.%3C%2FP%3E%0A%3CP%3EOnce%20you%20have%20deployed%20the%20ARM%20template%2C%20you%20will%20have%20some%20manual%20steps%20to%20take%20before%20it%20works%20as%20expected.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--960908523%22%20id%3D%22toc-hId--960908523%22%20id%3D%22toc-hId--960908523%22%3EAuthorize%20azuremonitorlogs%20API%20Connection%26nbsp%3B%3C%2FH3%3E%0A%3CP%3EThis%20API%20connection%20is%20used%20to%20connect%20to%20your%20Log%20Analytics%20workspace.%20To%20authorize%20the%20API%20connection%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EGo%20to%20the%20Resource%20Group%20you%20have%20used%20to%20deploy%20the%20template%20resources.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20azuremonitorlogs%20API%20connection%20and%20press%20'Edit%20API%20connection'.%3C%2FLI%3E%0A%3CLI%3EPress%20the%20'Authorize'%20button.%3C%2FLI%3E%0A%3CLI%3EMake%20sure%20to%20authenticate%20against%20Azure%20AD.%3C%2FLI%3E%0A%3CLI%3EPress%20save%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20id%3D%22toc-hId-1526604310%22%20id%3D%22toc-hId-1526604310%22%20id%3D%22toc-hId-1526604310%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--280850153%22%20id%3D%22toc-hId--280850153%22%20id%3D%22toc-hId--280850153%22%3EAuthorize%20Office%20365%20API%20Connection%26nbsp%3B%3C%2FH3%3E%0A%3CP%3EThis%20API%20connection%20is%20used%20to%20send%20weekly%20secure%20score%20progress%20report%20email.%20To%20authorize%20the%20API%20connection%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EGo%20to%20the%20Resource%20Group%20you%20have%20used%20to%20deploy%20the%20template%20resources.%3C%2FLI%3E%0A%3CLI%3ESelect%20the%20Office365%20API%20connection%20and%20press%20'Edit%20API%20connection'.%3C%2FLI%3E%0A%3CLI%3EPress%20the%20'Authorize'%20button.%3C%2FLI%3E%0A%3CLI%3EMake%20sure%20to%20authenticate%20against%20Azure%20AD.%3C%2FLI%3E%0A%3CLI%3EPress%20save.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20id%3D%22toc-hId--2088304616%22%20id%3D%22toc-hId--2088304616%22%20id%3D%22toc-hId--2088304616%22%3EAuthorize%20the%20Logic%20App%E2%80%99s%20managed%20identity%3C%2FH3%3E%0A%3CP%3EThe%20playbook%20uses%20a%20Managed%20Identity.%20You%20need%20to%20assign%20reader%20permissions%20to%20the%20subscriptions%20you%20want%20to%20export%20for%20the%20Manage%20Identity%20(explained%20in%20detail%20below).%20Notice%20you%20can%20assign%20permissions%20only%20as%20an%20owner%20and%20make%20sure%20all%20selected%20subscriptions%20registered%20to%20Azure%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20grant%20the%20managed%20identity%20reader%20access%2C%20you%20need%20to%3A%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3EMake%20sure%20you%20have%20User%20Access%20Administrator%20or%20Owner%20permissions%20for%20this%20scope.%3C%2FLI%3E%0A%3CLI%3EGo%20to%20the%20subscription%2Fmanagement%20group%20page.%3C%2FLI%3E%0A%3CLI%3EPress%20'Access%20Control%20(IAM)'%20on%20the%20navigation%20bar.%3C%2FLI%3E%0A%3CLI%3EPress%20'%2BAdd'%20and%20'Add%20role%20assignment'.%3C%2FLI%3E%0A%3CLI%3EChoose%20%E2%80%98Reader%E2%80%99%E2%80%AFrole.%3C%2FLI%3E%0A%3CLI%3EAssign%20access%20to%20Logic%20App.%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20subscription%20where%20the%20logic%20app%20was%20deployed.%3C%2FLI%3E%0A%3CLI%3EChoose%20the%20Logic%20App%20you%20have%20just%20deployed.%3C%2FLI%3E%0A%3CLI%3EPress%20save.%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20id%3D%22toc-hId-399208217%22%20id%3D%22toc-hId-399208217%22%20id%3D%22toc-hId-399208217%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22toc-hId--1408246246%22%20id%3D%22toc-hId--1408246246%22%20id%3D%22toc-hId--1408246246%22%3EGitHub%20Sample%3C%2FH3%3E%0A%3CP%20aria-level%3D%221%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EYou%20can%20leverage%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3EThis%20logic%20app%20as%20well%20as%20many%20other%20can%20be%20found%20here%3A%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3Bthis%20automation%20from%20our%20GitHub%20repository%20using%20the%20links%20below%3A%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Ftree%2Fmaster%2FSecure%2520Score%2FSecureScoreOverTimeReport%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDirect%20Link%20to%20GitHub%20sample%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAzure%20Security%20Center%20GitHub%20Repo%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EMake%20sure%20to%20take%20advantage%20of%20this%20automation%20artifact%20and%20stay%20on%20top%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eyour%20environment%E2%80%99s%20Security%20Posture%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ELet%20us%20know%20your%20feedback%20using%20any%20of%20the%20channels%20listed%20in%20the%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Security-Center%2Fwiki%23resources%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EResources%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%20Your%20feedback%20is%20highly%20appreciated.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-384103108%22%20id%3D%22toc-hId-384103108%22%20id%3D%22toc-hId-384103108%22%3EReviewer%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EThanks%20to%E2%80%AFthe%20amazing%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EYuri%20Diogenes%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%26nbsp%3B%3C%2FSPAN%3E%3CI%3E%3CSPAN%20data-contrast%3D%22none%22%3EPrincipal%20Program%20Manager%26nbsp%3B%3C%2FSPAN%3E%3C%2FI%3E%3CSPAN%20data-contrast%3D%22none%22%3Efor%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Eenvisioning%20this%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bwonderful%20automation%20idea%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Band%20for%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Ehis%20feedbacks%20on%20thi%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Es%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bautomation%20and%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bthe%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Barticle%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2159354%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecure%20Score%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2169665%22%20slang%3D%22en-US%22%3ERe%3A%20Weekly%20Secure%20Score%20Progress%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2169665%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F977196%22%20target%3D%22_blank%22%3E%40rayphoon%3C%2FA%3E%26nbsp%3BThanks%20for%20the%20great%20feedback%20and%20question.%20This%20automation%20does%20not%20use%20Get-securescore%20logicapp%20but%20uses%20Continuous%20export%20feature%20of%20Azure%20Security%20Center.%20I've%20edited%20the%20article%20to%20make%20that%20point%20clear%20under%20requirements%20section.%20Hope%20that%20helps.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E

With the increasing number of resources in your Azure environment, you need a way to understand and prioritize the security hygiene of your environment and that’s where Azure Security Center comes into picture. Azure Security Center continuously assesses Azure resourceswithin a subscription to identify security issues and provides a list of security recommendations which leverages Azure Security Benchmark. Recommendations are grouped in Security Controls and some security controls will have a score attach to it. Each control is a logical group of related security recommendations and reflects your vulnerable attack surfaces. 

From the continuous improvement perspective, it is imperative that you keep track of your Secure Score progress. This blog post, introduces an automation playbook that you can leverage to receive a Weekly Secure Score Progress report via email.  

 

Requirements

This automation is querying Log Analytics Workspace data. Using Continuous export feature of Azure Security Center, make sure you are streaming Security Center data to the Log Analytics workspace. Also make sure you have enabled export of secure score. In the drop-down menu you can choose to export both the overall score of the subscription and the score per control. Please follow this article for enabling Continuous export option

 

After you deploy this automation, you will need to: 

  • Authorize the azuremonitorlogs API connection to connect to the workspace 
  • Authorize the Office 365 API connection to send emails 
  • Authorize the Logic App managed identity

 

How does it work

The automation playbook is a Logic App that runs weekly, queries your Log Analytics Workspace and gathers data to send you weekly notification email that will update you details on your current Secure Score as well as Secure Score overtime progress report displayed in a beautiful graph format. In case you notice a spectacular change in the graph, you can continue to review the current security controls that are open and that needs to be prioritized along with the top five most important Security controls that needs to be fixed as early as possible – all in one email. Having this kind of detailed visibility is super important for Security analytics to keep track of the environment’s security hygiene. A sample email from the automation’s run is shown below:  

Image 1: Example Email outputImage 1: Example Email output

The sections that follow will go in details on each one of those steps.

 

How to deploy the automation playbook

You can find an ARM template that will deploy the Logic App Playbook and all necessary API connections in the Azure Security Center GitHub repository.

The ARM template uses your Log Analytics workspace and creates two API Connections, O365 and an Azure Monitor Logs API connection. As part of the template parameters, you will need to enter your Log Analytics Workspace Subscription ID, Log Analytics Workspace Resource Group Name and Log Analytics Workspace Name. During the deployment, it is highly recommended to create a new resource group, which will contain all the required resources for the playbook.

Once you have deployed the ARM template, you will have some manual steps to take before it works as expected.

 

Authorize azuremonitorlogs API Connection 

This API connection is used to connect to your Log Analytics workspace. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the azuremonitorlogs API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save

 

Authorize Office 365 API Connection 

This API connection is used to send weekly secure score progress report email. To authorize the API connection:

  1. Go to the Resource Group you have used to deploy the template resources.
  2. Select the Office365 API connection and press 'Edit API connection'.
  3. Press the 'Authorize' button.
  4. Make sure to authenticate against Azure AD.
  5. Press save.

Authorize the Logic App’s managed identity

The playbook uses a Managed Identity. You need to assign reader permissions to the subscriptions you want to export for the Manage Identity (explained in detail below). Notice you can assign permissions only as an owner and make sure all selected subscriptions registered to Azure Security Center.

 

To grant the managed identity reader access, you need to:

  1. Make sure you have User Access Administrator or Owner permissions for this scope.
  2. Go to the subscription/management group page.
  3. Press 'Access Control (IAM)' on the navigation bar.
  4. Press '+Add' and 'Add role assignment'.
  5. Choose ‘Reader’ role.
  6. Assign access to Logic App.
  7. Choose the subscription where the logic app was deployed.
  8. Choose the Logic App you have just deployed.
  9. Press save.

 

GitHub Sample

You can leverage This logic app as well as many other can be found here: this automation from our GitHub repository using the links below: 

 

Direct Link to GitHub sample 

Azure Security Center GitHub Repo 

 

Make sure to take advantage of this automation artifact and stay on top of your environment’s Security Posture 

Let us know your feedback using any of the channels listed in the Resources. Your feedback is highly appreciated.  

 

Reviewer

Thanks to the amazing Yuri DiogenesPrincipal Program Manager for envisioning this wonderful automation idea and for his feedbacks on this automation and the article. 

2 Comments
Occasional Visitor

I deployed the Logic App and it looks to be querying the SecureScores table in Log Analytics but this table does not exist.

 

I tried running the Logic App for "https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score/Get-SecureScoreData" which says that it pulls data from Security Center into Log Analytics but it seems to create different tables which does not work with this module.

 

@rayphoon Thanks for the great feedback and question. This automation does not use Get-securescore logicapp but uses Continuous export feature of Azure Security Center. I've edited the article to make that point clear under requirements section. Hope that helps.