One of the questions we often receive from customers is how they can easily show the trend of the Azure Security Center Secure Score.
As it is possible to access the Secure Score information using REST API, it is possible to extract this information on a regular basis and store it in a custom log in Azure Monitor Logs.
For this purpose, we have created a sample script that can be used in an Azure Automation runbook. The script cycles through each of your subscriptions, connects to the REST API to extract the current score and the maximum possible score for each subscription, and then uses the Azure Monitor Logs HTTP Data Collector API to write the Secure Score data to the custom log.
To implement this script, you will need to do the following:
- Create an Azure Automation account
- Create a Log Analytics workspace, or select one that you are already using
- Collect the Workspace ID and Key
- Grant the Azure Automation run-as account (a Service Principal in Azure Active Directory) access to each subscription you want to interrogate
- Create two variables in the Azure Automation account:
  - LAWorkspaceId – the workspace ID you collected
  - LAWorkspaceKey – the workspace key you collected
- Create a PowerShell runbook in Azure Automation, using the script linked above.
- Create a schedule in Azure Automation and link the schedule to the runbook.
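As an added example (not the post's linked script), the runbook skeleton below shows how the pieces fit together: authenticate with the run-as connection, read the two Automation variables, query the Secure Score REST API once per subscription, and post each result with the HTTP Data Collector API. It assumes the Az modules are imported into the Automation account, the Microsoft.Security/secureScores endpoint, and that each record is tagged with its subscription through the x-ms-AzureResourceId header so that the queries later on this page can group by ResourceId.

```powershell
# Added runbook skeleton; assumptions are listed in the lead-in above.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# LAWorkspaceKey is a write key for the workspace: store it as an encrypted Automation variable.
$workspaceId  = Get-AutomationVariable -Name 'LAWorkspaceId'
$workspaceKey = Get-AutomationVariable -Name 'LAWorkspaceKey'
$logType      = 'SecureScore'   # Azure Monitor appends _CL, giving the table SecureScore_CL

function Send-ToLogAnalytics([string]$Json, [string]$ResourceId) {
    # Data Collector API: HMAC-SHA256 over method, body length, content type, x-ms-date and path
    $body   = [Text.Encoding]::UTF8.GetBytes($Json)
    $date   = [DateTime]::UtcNow.ToString('r')
    $toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($workspaceKey)
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        'Authorization'        = 'SharedKey {0}:{1}' -f $workspaceId, $sig
        'Log-Type'             = $logType
        'x-ms-date'            = $date
        'x-ms-AzureResourceId' = $ResourceId   # lets the queries group records by ResourceId
    }
    $uri = "https://$($workspaceId).ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-WebRequest -Uri $uri -Method Post -ContentType 'application/json' `
        -Headers $headers -Body $body -UseBasicParsing | Out-Null
}

foreach ($sub in Get-AzSubscription) {
    # One GET per subscription; the run-as service principal needs read access on each one
    $path = "/subscriptions/$($sub.Id)/providers/Microsoft.Security/secureScores?api-version=2020-01-01"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) {
        Write-Warning "Secure Score query failed for $($sub.Name): HTTP $($resp.StatusCode)"
        continue
    }
    # Scores are sent as strings so the columns land as CurrentScore_s / MaxScore_s,
    # which is what the example queries on this page expect.
    $records = foreach ($item in ($resp.Content | ConvertFrom-Json).value) {
        [pscustomobject]@{
            Subscription   = $sub.Name
            SubscriptionId = $sub.Id
            CurrentScore   = [string]$item.properties.score.current
            MaxScore       = [string]$item.properties.score.max
        }
    }
    if ($records) {
        Send-ToLogAnalytics -Json (ConvertTo-Json -InputObject @($records)) -ResourceId "/subscriptions/$($sub.Id)"
    }
}
```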
We recommend running this script at least once a day, but no more often than every four hours, so that you do not over-collect data; your Secure Score is unlikely to change more frequently than that.
Once the runbook has completed successfully at least once, you should be able to retrieve this data using a Kusto query. In the script, we have named the table in Azure Monitor Logs SecureScore_CL, so the example queries below use this table name. If you have chosen to change the name of the table, you will need to adjust the queries with the name you’ve configured.
Current score for all subscriptions
SecureScore_CL
| summarize arg_max(TimeGenerated, *) by ResourceId
| extend CurrentScore = round(todouble(CurrentScore_s))
| extend MaxScore = round(todouble(MaxScore_s))
| extend sScore = round((CurrentScore/MaxScore)*100)
| extend ScoreMessage = strcat("~",CurrentScore, " of ", MaxScore)
| project Subscription_s, CurrentScore, ScoreMessage, sScore, TimeGenerated
Secure Score trend over time
SecureScore_CL
| summarize avg(todouble(CurrentScore_s)) by bin(TimeGenerated, 4h), Subscription_s
| render timechart
You can also use these queries to visualise this information in an Azure Monitor Workbook. The query in this visualisation uses the Sparklines capability in Workbooks to show the trend over time.