During Build 2020 Microsoft released some new features within Microsoft Defender for Cloud. Of those was a feature much desired by our customers, the ability to obtain the Security Score of subscriptions and details around the Security Controls and definitions using an API call. Cloud security posture management (CSPM) has been traditionally delivered as a point in time view of your organization security posture. Now with the ability to export the score and security control details, one of the exciting things we can do is build a historical baseline of the score in your organization.
By leveraging a Microsoft Logic App Get-SecureScoreData you can export the Security Score and control details as daily snapshots into Log Analytics Workspace. With the historical data being kept we can build dashboards, search through and do advanced triggering on multiple recommendations, and even build end of month forecasted scores using time series insights.
The focus here will be another way you can leverage the historical data and deliver with Logic Apps a Security Score weekly briefing to your compliance, audit, and security teams. Weekly briefings can be great and useful as your team and others in the organization start the week looking to drive Security Score, reducing risk and closing security gaps due to misconfiguration of cloud resources.
To deliver this example you can check out the Logic App sample here Send-SecureScoreBriefing
Let’s walkthrough what we can do with Logic Apps to store historical data of Secure Score and Security Control details.
Building the Logic App
To deliver a Weekly briefing you want to start with a trigger that runs weekly, or in a different frequency for your team's needs, as shown in the sample below:
There are some nice abilities as well like setting the trigger to a time zone your compliance and security teams operate in or on a specific minute of the hour so 9:45 AM.
Next, you need to create the visualization from the Log Analytics workspace. The Azure Monitor Connector has a great feature to do that – run query and visualize results as shown below:
You will get an easy to use input box where you can fill in the query to produce a desired visualization.
You need to go to the Log Analytics workspace where the Secure Score data is being ingested and test a few queries to make sure you have the desired result.
*Note you can choose the time range and chart type and will not have to put them in the final query.
Within Log Analytics, query the Custom Log DataTables using SecureScore_CL or SecureScoreControls_CL as shown in the example below:
You can see that the data coming in from the Secure Score API has a Current Score and Max Score per subscription. This is not the percentage we are used to seeing in the Microsoft Defender for Cloud dashboard, as shown in the example below:
Using Kusto Query Language (KQL) you can use some functions to round up and some math to produce the percentages in the Time Series Graph we want to produce.
SecureScore_CL
| extend ScorePrecent = round((round(properties_score_current_d, 0)*100)/properties_score_max_d, 0), Subscription = strcat(split(id_s, '/')[2])
| summarize by TimeGenerated, ScorePrecent, Subscription
You also want to clean up the column names and pulling just the Subscription ID from the long string, to accomplish that, use strcat and split.
Finally, you need to to summarize the result. Since this is a time series graph, you need to start with TimeGenerated first, then ScorePercentage, and finally group them by Subscription. The nice result is shown in the sample below:
You can see that this organization has been making great progress to improve their security posture, but on one subscription not so much it is a flat line. You need to work with the business unit, IT teams, and developers to improve that score next week.
Now that you have the query, you can place it in the Logic App and define the time range, since this is a weekly briefing you want to look back 7 days, as shown in the example below:
Make sure to also configure the chart type for Time Series, as shown below:
Since you will be embedding the image generated into an email, you need to initialize a variable as a string and define in HTML the attachment name
If you want a nice HTML Table as well after the trending graph to infer what Security Controls they want to target to drive the score further, select Html Table under Chart Type:
To send an email you will use the initialized variable plus the attachment to deliver the time series chart. For the HTML Table, because it is HTML, you can just reference it within the body of the email as the attachment content.
In addition, you want to add a nice hyperlink back to the Microsoft Defender for Cloud – Secure Score blade in the event our compliance team wants to dig into the details of the Security Controls further.
The screenshot below reflects the Security Score weekly briefing email sample:
We learned we can use the Secure Score API in some interesting ways. One such way is to build visualizations that show our daily progress for the week and areas we should tackle next by delivering an email that acts as a weekly briefing.
Special thanks to:
@YuriDiogenes for reviewing this port
@NicholasDiCola for creating the Get-SecureScoreData Logic App
What will you build with Secure Score API ?