Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Sentinel by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. SOC team are looking for a way of ingesting Secure Score logs, profiles & recommendations to Azure Sentinel.

Overview

Thanks to Matt_Lowe (Program Manager - Azure Sentinel) and BenjiSec  (Program Manager - Azure Sentinel) for the technical brainstorming, contribution, implementation and proof reading! 

Microsoft Secure score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. Azure Sentinel is a SaaS Security Information and Event Management solution providing visibility and management of the threats in an environment.  The following blog shows how you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.  

Requirements & Use Cases

SOC team want to pull and ingest Microsoft Secure Score data, recommendations, profiles, Azure Defender , Microsoft 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security data to Azure Sentinel for further investigation, compliance and hygiene security purpose to have a consolidated unified security posture view in addition to the following use cases:

\n
• Monitor, track and report on their organization configuration baseline and score in downstream reporting tools.
\n
• Integrate the data into compliance or cybersecurity insurance applications.
\n
• Integrate Secure Score data to drive a hybrid or multi-cloud framework for security analytics.
\n

Microsoft Secure Score

Microsoft Secure Score helps organizations:

\n
• Report on the current state of the organization's security posture.
\n
• Improve their security posture by providing discoverability, visibility, guidance, and control.
\n
• Compare with benchmarks and establish key performance indicators (KPIs).
\n

To help you find the information you need more quickly, Microsoft improvement actions are organized into groups:

\n
• Identity (Azure Active Directory accounts, roles, Microsoft Defender for Identity)
\n
• Device (Microsoft Defender for Endpoint)
\n
• Apps (email and cloud apps, including Office 365 & Microsoft Cloud App Security)
\n

In the Microsoft Secure Score overview page (under the Microsoft 365 Security Portal), view how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score:

You're given points for the following actions:

\n
• Configuring recommended security features
\n
• Doing security-related tasks
\n
• Addressing the improvement action with a third-party application or software, or an alternate mitigation
\n

The following are scores you can add to your view of your overall score to give you a fuller picture of your overall score:

\n
• Planned score: Show projected score when planned actions are completed
\n
• Current license score: Show score that can be achieved with your current Microsoft license
\n
• Achievable score: Show score that can be achieved with your Microsoft licenses and current risk acceptance
\n

Your score is updated in real time to reflect the information presented in the visualizations and improvement action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.

For more details, please visit Assess your security posture with Microsoft Secure Score & Microsoft Secure Score

Implementing Secure Score data into Azure Sentinel

The Security API in Microsoft Graph makes it easy to connect with Microsoft Secure Score in the Intelligent Security Graph. It allows you to more readily realize and enrich the value of these solutions.

Acquiring the Secure Score data from the API requires you to setup a few pre-requisites:

\n
• 1st, you should choose your consumption model. If you plan to have a non-user-interactive application to retrieve data from the API, you should opt for the Service-To-Service Authentication model, If your application will require an administrator to provide their logon credentials each time you pull data from the API, you should opt for the user OAuth model. Reference information about this model is located here. If you are a CSP application developer partner you can also find information here.
\n
• 2nd, you will need to register your application in Azure Active Directory in order to call the API. You need to grant the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permission scopes. 
\n

Below is the list of Secure Score exposed APIs:

Step(1): Register an App 

Create and register Azure AD App to handle the authentication and authorization to collect the Secure Score data from the Graph API and Microsoft Defender for Endpoint API. Here are the steps - navigate to the Azure Active Directory blade of your Azure portal and follow the steps below: 

\n
1. Click on ‘App Registrations’  
\n
2. Select ‘New Registration’  
\n
3. Give it a name and click Register.  
\n
4. Click ‘API Permissions’ blade.  
\n
5. Click ‘Add a Permission’.  
\n
6. Click ‘Microsoft Graph’.  
\n
7. Click ‘Application Permissions’.  
\n
8. Search for 'SecurityEvents', Check SecurityEvents.Read.All  and SecurityEvents.ReadWrite.All and 'Click ‘Add permissions’.  
\n
9. Click ‘grant admin consent’. 
\n
10. Click ‘Certificates and Secrets’.  
\n
11. Click ‘New Client Secret’  
\n
12. Enter a description, select ‘never’. Click ‘Add’.  
\n
13. Note- Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.  
\n
14. Copy the client Id from the application properties and store it.  
\n
15. Copy the tenant Id from the main Azure Active Directory blade and store it.  
\n
16. Now we need to add permissions connected to Microsoft Defender for Endpoint:\n
    \n
    1. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select Score.Read.All and click on Add permission 
    \n
    2. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select SecurityRecommendation.Read.All and click on Add permission 
    \n
    3. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select Vulnerability.Read.All and click on Add permission 
    \n
    \n
\n

Next, go to Azure portal (portal.azure.com) and get your Log Analytics Workspace ID & Key. Search for Log Analytics workspaces, and open workspace on which you have Sentinel connected to. Click on Agents management from left menu and copy Workspace ID and Primary key. 

Additionally, we need to make sure that our Microsoft Cloud Application Security data connector is on and that we are ingesting Shadow IT data (Cloud Discovery Logs). If MCAS data connector isn’t enabled, please follow this instructions - Connect Cloud App Security data to Azure Sentinel | Microsoft Docs. 

Step(2): Deploy Microsoft Security Posture Connector - Playbook 

The M365 Security Posture connector template will deploy an Azure Logic App that is configured to ingest data from the different M365 Defender products to highlight the statuses of entities within the environment. The connector calls upon HTTP API to gather this data from the different products, with the products being:

\n
• Microsoft Defender for Endpoint
\n
• Microsoft 365 Defender
\n

Azure Defender and Microsoft Cloud App Security data will be referenced in the related workbook via the built-in connectors and data ingestion channels.

The connector will be fetching logs such as:

\n
• MDE Secure Score
\n
• MDE Exposure Score
\n
• MDE Recommendations
\n
• MDE Vulnerabilities
\n
• M365 Secure Score
\n

The workbook will also be referencing data from Azure Security Center and Microsoft Cloud App Security such as:

\n
• ASC Secure Score
\n
• ASC Recommendations and Regulatory Compliance
\n
• MCAS ShadowIT
\n

Option (1):

\n
1. Click on the \"Deploy to Azure\" button (Showing below)
\n
2. Once in the Azure Portal, select the Subscription and Resource Group that Azure Sentinel is under.
\n
3. Enter the details that are required for the Playbook.
\n
4. Click \"Review and Create\".
\n
5. Click \"Create\".
\n
6. Within a minute or two, the template should deploy and the Playbook should appear within the Azure Sentinel environment.
\n

Option (2):

\n
1. Enter the template within the GitHub folder.
\n
2. In the top right corner, select Raw.
\n
3. Copy the raw text within the template.
\n
4. Go to the Azure Portal.
\n
5. Within the search bar at the top, type \"Deploy\" and select \"Deploy a custom template\".
\n
6. Select \"build my own template in the editor\".
\n
7. Within the template space, paste the text copied from GitHub.
\n
8. Select the Subscription and Resource Group that Azure Sentinel is under.
\n
9. Enter the details that are required for the Playbook.
\n
10. Click \"Review and Create\".
\n
11. Click \"Create\".
\n
12. Within a minute or two, the template should deploy and the Playbook should appear within the Azure Sentinel environment.
\n

Step(3): Deploy Microsoft Security Posture Workbook

Purpose of this Workbook is to show different Microsoft Secure Scores at one place with the information about possible vulnerabilities and recommendations how to improve secure score. We will be covering Azure Security Center, Microsoft 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security data. 

We need to ingest the data from Microsoft 365 Security about secure scores and exposure score, as well as the list of controls, vulnerabilities, and recommendations. 

Now we can create a new workbook and update the json (M365SecurityPosture.json - workbook json code uploaded to Azure Sentinel official github repo), go to Sentinel environment and click on Workbooks and click on +Add workbook. Click on Edit and choose Advanced editor , then Enter the name of you Workbook (ex. Microsoft Security Posture) and click on Save:

Notes & Consideration

\n
• You can customize the parsers at the connector's flow with the required and needed attributed / fields based on your schema / payload before the ingestion process, also you can create custom Azure Functions once the data being ingested to Azure Sentinel
\n
• Azure Function can be used to create the custom connector as well
\n
• Couple of points to be considered while using Logic Apps:\n
  \n
  • Cost (standard / enterprise connectors)
  \n
  • Considerations & Configurations
  \n
  • Non standard schema
  \n
  • Rewriting rules
  \n
  \n
\n

Get started today!

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Overview

Thanks to  (Program Manager - Azure Sentinel) and   (Program Manager - Azure Sentinel) for the technical brainstorming, contribution, implementation and proof reading! 

Microsoft Secure score is a security analytics solution that gives you visibility into your security portfolio and how to improve it. Azure Sentinel is a SaaS Security Information and Event Management solution providing visibility and management of the threats in an environment.  The following blog shows how you can leverage Azure Sentinel to gain visibility into Microsoft Secure Score alongside other security data.  

Requirements & Use Cases

SOC team want to pull and ingest Microsoft Secure Score data, recommendations, profiles, Azure Defender , Microsoft 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security data to Azure Sentinel for further investigation, compliance and hygiene security purpose to have a consolidated unified security posture view in addition to the following use cases:

\n
• Monitor, track and report on their organization configuration baseline and score in downstream reporting tools.
\n
• Integrate the data into compliance or cybersecurity insurance applications.
\n
• Integrate Secure Score data to drive a hybrid or multi-cloud framework for security analytics.
\n

Microsoft Secure Score

Microsoft Secure Score helps organizations:

\n
• Report on the current state of the organization's security posture.
\n
• Improve their security posture by providing discoverability, visibility, guidance, and control.
\n
• Compare with benchmarks and establish key performance indicators (KPIs).
\n

To help you find the information you need more quickly, Microsoft improvement actions are organized into groups:

\n
• Identity (Azure Active Directory accounts, roles, Microsoft Defender for Identity)
\n
• Device (Microsoft Defender for Endpoint)
\n
• Apps (email and cloud apps, including Office 365 & Microsoft Cloud App Security)
\n

In the Microsoft Secure Score overview page (under the Microsoft 365 Security Portal), view how points are split between these groups and what points are available. You can also get an all-up view of the total score, historical trend of your secure score with benchmark comparisons, and prioritized improvement actions that can be taken to improve your score:

You're given points for the following actions:

\n
• Configuring recommended security features
\n
• Doing security-related tasks
\n
• Addressing the improvement action with a third-party application or software, or an alternate mitigation
\n

The following are scores you can add to your view of your overall score to give you a fuller picture of your overall score:

\n
• Planned score: Show projected score when planned actions are completed
\n
• Current license score: Show score that can be achieved with your current Microsoft license
\n
• Achievable score: Show score that can be achieved with your Microsoft licenses and current risk acceptance
\n

Your score is updated in real time to reflect the information presented in the visualizations and improvement action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.

For more details, please visit Assess your security posture with Microsoft Secure Score & Microsoft Secure Score

Implementing Secure Score data into Azure Sentinel

The Security API in Microsoft Graph makes it easy to connect with Microsoft Secure Score in the Intelligent Security Graph. It allows you to more readily realize and enrich the value of these solutions.

Acquiring the Secure Score data from the API requires you to setup a few pre-requisites:

\n
• 1st, you should choose your consumption model. If you plan to have a non-user-interactive application to retrieve data from the API, you should opt for the Service-To-Service Authentication model, If your application will require an administrator to provide their logon credentials each time you pull data from the API, you should opt for the user OAuth model. Reference information about this model is located here. If you are a CSP application developer partner you can also find information here.
\n
• 2nd, you will need to register your application in Azure Active Directory in order to call the API. You need to grant the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permission scopes. 
\n

Below is the list of Secure Score exposed APIs:

Step(1): Register an App 

Create and register Azure AD App to handle the authentication and authorization to collect the Secure Score data from the Graph API and Microsoft Defender for Endpoint API. Here are the steps - navigate to the Azure Active Directory blade of your Azure portal and follow the steps below: 

\n
1. Click on ‘App Registrations’  
\n
2. Select ‘New Registration’  
\n
3. Give it a name and click Register.  
\n
4. Click ‘API Permissions’ blade.  
\n
5. Click ‘Add a Permission’.  
\n
6. Click ‘Microsoft Graph’.  
\n
7. Click ‘Application Permissions’.  
\n
8. Search for 'SecurityEvents', Check SecurityEvents.Read.All  and SecurityEvents.ReadWrite.All and 'Click ‘Add permissions’.  
\n
9. Click ‘grant admin consent’. 
\n
10. Click ‘Certificates and Secrets’.  
\n
11. Click ‘New Client Secret’  
\n
12. Enter a description, select ‘never’. Click ‘Add’.  
\n
13. Note- Click copy next to the new secret and store it somewhere temporarily. You cannot come back to get the secret once you leave the blade.  
\n
14. Copy the client Id from the application properties and store it.  
\n
15. Copy the tenant Id from the main Azure Active Directory blade and store it.  
\n
16. Now we need to add permissions connected to Microsoft Defender for Endpoint:\n
    \n
    1. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select Score.Read.All and click on Add permission 
    \n
    2. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select SecurityRecommendation.Read.All and click on Add permission 
    \n
    3. Click on +Add a permission and click on APIs my organization use. Search for WindowsDefenderATP and select it. Select Application permissions and then search and select Vulnerability.Read.All and click on Add permission 
    \n
    \n
\n

Next, go to Azure portal (portal.azure.com) and get your Log Analytics Workspace ID & Key. Search for Log Analytics workspaces, and open workspace on which you have Sentinel connected to. Click on Agents management from left menu and copy Workspace ID and Primary key. 

Additionally, we need to make sure that our Microsoft Cloud Application Security data connector is on and that we are ingesting Shadow IT data (Cloud Discovery Logs). If MCAS data connector isn’t enabled, please follow this instructions - Connect Cloud App Security data to Azure Sentinel | Microsoft Docs. 

Step(2): Deploy Microsoft Security Posture Connector - Playbook 

The M365 Security Posture connector template will deploy an Azure Logic App that is configured to ingest data from the different M365 Defender products to highlight the statuses of entities within the environment. The connector calls upon HTTP API to gather this data from the different products, with the products being:

\n
• Microsoft Defender for Endpoint
\n
• Microsoft 365 Defender
\n

Azure Defender and Microsoft Cloud App Security data will be referenced in the related workbook via the built-in connectors and data ingestion channels.

The connector will be fetching logs such as:

\n
• MDE Secure Score
\n
• MDE Exposure Score
\n
• MDE Recommendations
\n
• MDE Vulnerabilities
\n
• M365 Secure Score
\n

The workbook will also be referencing data from Azure Security Center and Microsoft Cloud App Security such as:

\n
• ASC Secure Score
\n
• ASC Recommendations and Regulatory Compliance
\n
• MCAS ShadowIT
\n

Option (1):

\n
1. Click on the \"Deploy to Azure\" button (Showing below)
\n
2. Once in the Azure Portal, select the Subscription and Resource Group that Azure Sentinel is under.
\n
3. Enter the details that are required for the Playbook.
\n
4. Click \"Review and Create\".
\n
5. Click \"Create\".
\n
6. Within a minute or two, the template should deploy and the Playbook should appear within the Azure Sentinel environment.
\n

Option (2):

\n
1. Enter the template within the GitHub folder.
\n
2. In the top right corner, select Raw.
\n
3. Copy the raw text within the template.
\n
4. Go to the Azure Portal.
\n
5. Within the search bar at the top, type \"Deploy\" and select \"Deploy a custom template\".
\n
6. Select \"build my own template in the editor\".
\n
7. Within the template space, paste the text copied from GitHub.
\n
8. Select the Subscription and Resource Group that Azure Sentinel is under.
\n
9. Enter the details that are required for the Playbook.
\n
10. Click \"Review and Create\".
\n
11. Click \"Create\".
\n
12. Within a minute or two, the template should deploy and the Playbook should appear within the Azure Sentinel environment.
\n

Step(3): Deploy Microsoft Security Posture Workbook

Purpose of this Workbook is to show different Microsoft Secure Scores at one place with the information about possible vulnerabilities and recommendations how to improve secure score. We will be covering Azure Security Center, Microsoft 365, Microsoft Defender for Endpoint, and Microsoft Cloud App Security data. 

We need to ingest the data from Microsoft 365 Security about secure scores and exposure score, as well as the list of controls, vulnerabilities, and recommendations. 

Now we can create a new workbook and update the json (M365SecurityPosture.json - workbook json code uploaded to Azure Sentinel official github repo), go to Sentinel environment and click on Workbooks and click on +Add workbook. Click on Edit and choose Advanced editor , then Enter the name of you Workbook (ex. Microsoft Security Posture) and click on Save:

Notes & Consideration

\n
• You can customize the parsers at the connector's flow with the required and needed attributed / fields based on your schema / payload before the ingestion process, also you can create custom Azure Functions once the data being ingested to Azure Sentinel
\n
• Azure Function can be used to create the custom connector as well
\n
• Couple of points to be considered while using Logic Apps:\n
  \n
  • Cost (standard / enterprise connectors)
  \n
  • Considerations & Configurations
  \n
  • Non standard schema
  \n
  • Rewriting rules
  \n
  \n
\n

Get started today!

We encourage you to try it now!

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.

Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Following the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft 365 security center, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. SOC team are looking for a way of ingesting Secure Score logs, profiles & recommendations to Azure Sentinel.

Please add some information about the minimum role required to implement this 

Hi wondering if you can help me? I have got the everything running perfectly in my own tenant (Great job by the way! love the workbook). I am looking to replicate this in a second tenant but I would like to use the same Service principal I have registered in my own tenant.

I have registered the app in the second tenant (with a Global administrator account) using this link https://login.microsoftonline.com/organizations/v2.0/adminconsent?client_id=<your client id>&scope=https://graph.microsoft.com/.default.

When I run the logic app I use the same client secret and the same application ID but the tenant ID of the second tenant. It comes back as 403 forbidden when attempting the first GET request to security/SecureScores endpoint. Is there anything I am missing I would need to do when using this method? In the enterprise applications section in the second tenant, all of the permissions are there:

Any help hugely appreciated, thanks!

LaurenChild , BinTN 
Issue in the playbooks is resolved. Once the new version is approved in GitHub, re-deploy the playbook and playbook and Workbook will work with no issues.
Fixed error in sending Secure Score by BenjiSec · Pull Request #4399 · Azure/Azure-Sentinel (github.com)

I am also seeing the same error as LaurenChild. I did not make the edit they suggested as it appears the workbook will not work anyway. 

Any updates? I would love to get this working. 

Hi LaurenChild 

Thanks for the feedback. We will be checking this solution during the week and will update this/next week with more info.

This doesn't seem to be working.  Looking at the Get-SecureScore-Information logic app I see it failing at the M365 Secure Score Parse JSON stage with ValidationFailed.

Digging in there are 4 messages of \"Invalid type. Expected Integer but got Number.\" all showing the number has a decimal point.

EDIT:  I changed the types to number instead of integer.  The Logic app now works, but the workbook doesn't, so I think it's more broken. BenjiSec 

richlilly - As I can recall, there is no option to assign Azure AD roles to Managed Identity, which we need to grab M365 and MDE data. Only Azure roles are supported. There is option to assign API permissions to the Managed Identity via PowerShell, but I found that option after creating and publishing the playbook. If I update the playbook, that will be one of the reasons. 

Hesham_Saad Any reason to not use a Managed Identity assigned to Security Reader instead of an app reg and Client ID/Secret?