Querying your Secure Score Across Multiple Subscriptions in Microsoft Defender for Cloud
Published Oct 06 2020 06:21 AM
Microsoft

Although the capability to query the Secure Score through the API was already available, and we have already published some automations that leverage it, you can now also query your Secure Score using Azure Resource Graph (ARG). In addition, you can calculate the score for the security controls and accurately calculate the aggregated score across multiple subscriptions. The following tables were added to allow you to query not only the secure score, but also the security controls:

 

Fig1.JPG

Here is an example of how to query your current secure score (percentage):

SecurityResources
| where type == 'microsoft.security/securescores'
| extend current = properties.score.current, max = todouble(properties.score.max)
| project subscriptionId, current, max, percentage = ((current / max)*100)

This query will return an output that looks like this one:

Fig2.JPG

This corresponds to what you see in the UI for your subscription. In this case, the Microsoft Defender for Cloud dashboard shows the following Secure Score:

 

Fig3.JPG

The next example lists all security controls, the number of unhealthy resources, and their current and maximum scores:

SecurityResources
| where type == 'microsoft.security/securescores/securescorecontrols'
| extend SecureControl = properties.displayName, unhealthy = properties.unhealthyResourceCount, currentscore = properties.score.current, maxscore = properties.score.max
| project SecureControl, unhealthy, currentscore, maxscore

The output should look like the example below:

 

Fig4.JPG

 

Calculating the Secure Score

For a single subscription, the resource type we query is microsoft.security/securescores, which returns the maximum score (∑ maximum scores of each security control) and the current score (∑ current scores of each security control). To obtain the secure score of a single subscription, the following formula is used:

 

Fig5.JPG

To obtain the aggregated secure score for multiple subscriptions you should use the formula below:

 

Fig6.JPG

As the formula shows, the aggregated score for multiple subscriptions is not a simple average; it uses the weight field returned by the query (ARG or API). The weight takes into account the size of the subscription (number of resources) and therefore yields a weighted score that is more accurate than a regular average across subscriptions of different sizes. For more information, refer to the secure score documentation page.

 

To see what this looks like, let's use the query below as an example:

securityresources
| where type == "microsoft.security/securescores"
| extend subscriptionScore = todouble(properties.score.current)/todouble(properties.score.max)
| extend subScoreXsubWeight = todouble(subscriptionScore)*todouble(properties.weight)
| summarize upperValue = sum(subScoreXsubWeight), underValue = sum(todouble(properties.weight))
| extend overallScore = round(100*((upperValue)/(underValue)))
| project overallScore

The subscriptionScore is obtained by dividing the subscription's current score by its maximum score. The value subScoreXsubWeight then holds the subscription secure score multiplied by the subscription weight. Finally, the overall score is the sum of subScoreXsubWeight divided by the sum of the subscriptions' weights. The result is shown below:

 

Fig7.JPG
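
The same weighted calculation done client-side, as an added example that is not part of the original post: it takes rows shaped like the ARG output, compares the weighted score with a plain average, and reports how many points each subscription costs the aggregate. The function name, the sample rows and the `points_lost` field are assumptions made for illustration.

```python
# Added example: rows are constructed sample data shaped like the ARG output
# (subscriptionId, properties.score.current, properties.score.max, properties.weight).
SAMPLE_ROWS = [
    {"subscriptionId": "sub-small", "properties": {"score": {"current": 54.0, "max": 60}, "weight": 10}},
    {"subscriptionId": "sub-large", "properties": {"score": {"current": 24.0, "max": 60}, "weight": 190}},
    {"subscriptionId": "sub-empty", "properties": {"score": {"current": 0.0, "max": 0}, "weight": 0}},
]


def aggregate_secure_score(rows):
    """Weighted aggregate score, naive average, and per-subscription detail."""
    usable, skipped = [], []
    for row in rows:
        props = row["properties"]
        max_score = float(props["score"]["max"])
        weight = float(props.get("weight", 0))
        # Assumption: max == 0 or weight == 0 means nothing to score in that
        # subscription; skip it rather than divide by zero.
        if max_score <= 0 or weight <= 0:
            skipped.append(row["subscriptionId"])
            continue
        score = float(props["score"]["current"]) / max_score  # subscriptionScore
        usable.append((row["subscriptionId"], score, weight))
    if not usable:
        return {"weighted": None, "naive": None, "detail": [], "skipped": skipped}

    under = sum(w for _, _, w in usable)      # underValue: sum of weights
    upper = sum(s * w for _, s, w in usable)  # upperValue: sum of score * weight
    detail = [
        {"subscriptionId": sub, "percentage": 100 * s,
         # Points this subscription removes from the aggregate score.
         "points_lost": 100 * w * (1 - s) / under}
        for sub, s, w in usable
    ]
    detail.sort(key=lambda d: d["points_lost"], reverse=True)
    return {
        "weighted": 100 * upper / under,
        "naive": sum(100 * s for _, s, _ in usable) / len(usable),
        "detail": detail,
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = aggregate_secure_score(SAMPLE_ROWS)
    print(f"weighted={result['weighted']:.1f} naive={result['naive']:.1f}")
    for d in result["detail"]:
        print(d["subscriptionId"], round(d["points_lost"], 1))
```

With the constructed rows, the large low-scoring subscription dominates the weighted result, while the plain average hides it behind the small, well-configured one.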

 

One of the advantages of querying the secure score via ARG is that you can quickly use these queries to create custom dashboards with Azure Workbooks. If you are querying the secure score using the API, you can send a GET request as shown below:

 

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft....

 

In the JSON result you will see that the weight field, which is used to calculate the secure score, is also available, as shown in the sample below:

Fig8.JPG

For more information about the Secure Score API, read the following articles:

Make sure to utilize this feature and provide your feedback in the comments below, or if you want to formally suggest improvements, provide your feedback at https://aka.ms/ascuservoice

 

Thanks to all Reviewers

Miri Landau, Senior PM – Microsoft Defender for Cloud Engineering Team

Meital Taran-Gutman, Principal PM – Microsoft Defender for Cloud Engineering Team

Fernanda Vela Huerta, PM – CxE Microsoft Defender for Cloud Team

 

Last update: Oct 24 2021 02:24 AM