Azure Security Center – Secure Score Trending with #AzureAutomation and #AzureMonitor Logs

One of the questions we often receive from customers is how they can easily show the trend of the Azure Security Center Secure Score.

As the Secure Score information is accessible through the REST API, it is possible to extract this information on a regular basis and store it in a custom log in Azure Monitor Logs.

For this purpose, we have created a sample script that can be used in an Azure Automation runbook. This script can cycle through each of your subscriptions, connect to the REST API to extract the current score and possible score for each subscription, and then use the Azure Monitor Logs HTTP Data Collector API to write the Secure Score data to the custom log.

To implement this script, you will need to do the following:

We would recommend running this script at least once a day, but not more than every four hours to ensure you do not overcollect data, especially as your secure score would probably not update that frequently.

Once the script is implemented and has run successfully once, you should be able to retrieve this data using a Kusto query. In the script, we have named the table in Azure Monitor Logs SecureScore_CL, so the example queries below will use this table name. If you have chosen to change the name of the table, you will need to adjust the queries to use the name you've configured.

Current score for all subscriptions

SecureScore_CL
| summarize arg_max(TimeGenerated, *) by ResourceId
| extend CurrentScore = round(todouble(CurrentScore_s))
| extend MaxScore = round(todouble(MaxScore_s))
| extend sScore = round((CurrentScore/MaxScore)*100)
| extend ScoreMessage = strcat("~",CurrentScore, " of ", MaxScore)
| project Subscription_s, CurrentScore, ScoreMessage, sScore, TimeGenerated

Secure Score trend over time

SecureScore_CL
| summarize avg(todouble(CurrentScore_s)) by bin(TimeGenerated, 4h), Subscription_s
| render timechart

You can also use these queries to visualise this information in a workbook, e.g.

[Image: Secure Score workbook visualisation]

The query in this visualisation leverages the Sparklines capability in Workbooks to show the trend over time.
