Compliance Reporting for Azure

Published Mar 27 2020 10:56 AM 6,467 Views
Microsoft

The aim of the workbook is to consolidate many data sources into one report. 

 

I’ve called the workbook Azure Security Reporting (but you can use whatever name makes sense to you, when you import it). 

 

There is a lot of great data surfaced by Azure Resource Graph (ARG) and Log Analytics, I have laid this out into four Tabs on the workbook. 

 

This download isn't from the main Sentinel Github for Workbooks as it covers many technologies. Please download the Workbook and read the import instructions (in the readme) on my Github

 

Data sources: 

  • SecurityAlert  The table in Log Analytics (used by ASC and Azure Sentinel) 
  • Securityresources - Azure Resource Graph
  • Advisorresources - Azure Resource Graph 

 

The four tabs explained, Alerts, Compliance, Qualys and Advisor 

NoteARG uses data from api calls, so there is no timefiltertherefore you may see more data in these reports than in the filtered views provided by ASC or Azure Advisor for example.  

 

Tab1: Alerts and Incidents 

Today this covers the Security Alerts you usually see in ASC and Sentinel (more on Incidents in a follow-up post).     

 

Annotation 2020-03-27 163850.jpg

 

Please note the [Product selection] filter drop-down (this is useful on this page to filter by the Security Products you haveand it’s also used again in the “Qualys issues by Hostname” report. 

If you are unsure select ALL

 

Annotation 2020-03-27 164100.jpg

 

Tab2: Compliance 

This tab relies on data from Azure Security Center from the Standard Tier, so you will need ASC Standard for this Tab to produce any data. 

https://docs.microsoft.com/en-us/azure/security-center/security-center-compliance-dashboard 

 

Annotation 2020-03-27 164414.jpg

Annotation 2020-03-27 164458.jpg

 

The above shows the compliance controls and assessments.  You can select a filter for the compliance (all the supported or custom ones) e.g. ISO27001 and the state e.g. Failed.   

This isn’t something you can do in the ASC portaland I added a free form search bar, so you can use that to find other details. 

You can also export this data to Excel (see the arrow in the bottom right corner of image 2). 

 

I have also re-created the recommendations view you see in ASC (as closely as possible, I have Networking in the list as an addition).  

 

Annotation 2020-03-27 164742.jpg

 

Tab3: Qualys  

This tab relies on data from Azure Security Center from the Standard Tier.

The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys's scanner is the leading tool for real-time identification of vulnerabilities in your Azure Virtual Machines. It's only available to users on the standard pricing tier. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center. 

Source: https://docs.microsoft.com/en-us/azure/security-center/built-in-vulnerability-assessment 

 

This part of the report starts of with a summary for Severity, Description and Category.  Again, I have provided a drop-down filter, on Severity - would Category be a useful filter as well?

 

Annotation 2020-03-27 164935.jpg

The final two reports check for Qualys recommendations that relate to a host (Computer), I then merge the prior two outputs to show “Computers that have Alert AND a Qualys recommendation” Thanks for the idea @Ofer!   

This correlates a Computer to a Security tool like Azure Security Center or Azure Sentinel (or any you have in your list), where we also have a Qualys recommendation. 

 

Annotation 2020-03-27 165140.jpg

 

Tab4: Advisor  

Azure Advisor is often overlooked dataespecially the cost saving recommendations!  Azure Advisor now offers (or includes) Security recommendations 
 
Quickly and easily optimize your Azure deployments. Azure Advisor analyzes your configurations and usage telemetry and offers personalized, actionable recommendations to help you optimize your Azure resources for high availability, security, operational excellence, performance, and cost. 

Source: https://azure.microsoft.com/en-us/services/advisor/ and https://docs.microsoft.com/en-us/azure/advisor/advisor-security-recommendations 

 

 

The first set of reports are the ones you see in Azure Advisor, but you can scroll down for the Security recommendations section.

 

Annotation 2020-03-27 165426.jpg

 

Summary: I hope you find this Workbook useful to detect Security information and to consolidate various sources in one place.   

Feedback is very welcome (and your ideas) and I have plans to add more capabilities in the future, especially more correlation between the various data sources  

 

Thanks to Alp Babayigit for the initial idea and use case for this Workbook.

 

Thanks Clive 

   

6 Comments
Version history
Last update:
‎Nov 02 2021 05:51 PM
Updated by: