SecASC - M05 - CSPM API Integration

Conditions and Terms of Use

Microsoft Confidential

Copyright and Trademarks


© 2021 Microsoft Corporation. All rights reserved.

http://www.microsoft.com/en-us/legal/intellectualproperty/Permissions/default.aspx
Agenda

• Workflow Automation
• Logic Apps
• Security Center GitHub Community
• REST APIs for Security Center
• Automating with PowerShell
• Microsoft Security Code Analysis
Azure Security Center

Leveraging three pillars:

• Cloud Security Posture Management: strengthen multi-cloud security posture
• Secure Score
• Policies and compliance
• Improved automation

• Cloud Workload Protection Platform: protect your hybrid cloud workloads with Azure Defender
• Vulnerability assessment
• Advanced detection and response
• For servers
• For databases and storage
• For cloud native workloads
• For Azure service layers
• For IoT devices

• Azure Arc

Streamline security management
Azure Security Center API Integration

• Security Center supports integrated workflows that can be used to automate and orchestrate tasks that are critical
for DevSecOps and other teams in your organization

• API integration belongs to the Cloud Security Posture Management pillar: strengthen multi-cloud security posture
through Secure Score, policies and compliance, and improved automation
Workflow Automation
What is workflow automation?
• The Workflow automation feature in Security Center can be used to trigger Logic Apps on security Alerts and
Recommendations

• Automating a response helps you respond quickly to alerts, or to apply specific remediation steps which would
otherwise have to be performed manually

• You can define when and if a Logic App should run automatically, which will further reduce the overhead of
manual interaction

• To work with Azure Logic Apps workflows, you must have the following Logic Apps roles/permissions:

• Logic App Operator permissions are required for Logic App read/trigger access - this role can't create or
edit Logic Apps, only run existing ones
• Logic App Contributor permissions are required for Logic App creation and modification

• If you want to use Logic App Connectors to other applications, you may need additional credentials to sign into
the respective services (for example, Outlook/Teams/Slack/ServiceNow instances)
Workflow Automation
Getting started with Workflow automation
Add workflow automation
• Select the Workflow automation blade in
Security Center
• To create a new workflow, select Add
workflow automation
• Give the workflow a name
• You can choose the data type for the trigger
condition
• Threat Detection alerts
• Security Center recommendations
• If you don’t have an existing Logic app, you
must create a new one
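The same workflow automation, defined as code rather than clicked through the blade, as an added example that is not part of the original deck: it creates (or replaces) a Microsoft.Security/automations resource that runs a Logic App for every alert whose Severity is High, using Invoke-AzRestMethod from Az.Accounts. The subscription ID, resource group, region, Logic App name and the trigger name are placeholders; the trigger name assumes the Security Center connector trigger that the built-in templates create, and the request body follows the 2019-01-01-preview automations API.

```powershell
#Requires -Modules Az.Accounts, Az.LogicApp
# Added example, not from the original deck: create (or replace) a Security
# Center workflow automation with the Microsoft.Security/automations REST API.
# It fires the named Logic App for every alert whose Severity is High.
# Placeholders: subscription ID, resource group, region, Logic App name and
# the Logic App trigger name (assumed to be the Security Center connector
# trigger created by the built-in templates).
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup  = 'rg-security-automation',
    [string]$Location       = 'westeurope',
    [string]$LogicAppName   = 'la-asc-alert-handler',
    [string]$TriggerName    = 'When_an_Azure_Security_Center_Alert_is_created_or_triggered',
    [string]$AutomationName = 'high-severity-alerts-to-logicapp'
)

# The automation needs both the Logic App resource ID and its trigger callback
# URL; the URL carries a SAS signature, so treat it (and this script's output)
# as a secret.
$logicAppId  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Logic/workflows/$LogicAppName"
$callbackUri = (Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $ResourceGroup -Name $LogicAppName -TriggerName $TriggerName).Value

$automation = @{
    location   = $Location
    properties = @{
        description = 'Run the alert-handling Logic App for every High severity alert'
        isEnabled   = $true
        # scopes: which subscriptions / resource groups the automation watches
        scopes      = @(@{ description = 'Whole subscription'; scopePath = "/subscriptions/$SubscriptionId" })
        # sources: event type plus filter rules. Rules inside one ruleSet are
        # ANDed, separate ruleSets are ORed.
        sources     = @(@{
            eventSource = 'Alerts'
            ruleSets    = @(@{ rules = @(@{
                propertyJPath = 'Severity'; propertyType = 'String'; expectedValue = 'High'; operator = 'Equals'
            }) })
        })
        actions     = @(@{ actionType = 'LogicApp'; logicAppResourceId = $logicAppId; uri = $callbackUri })
    }
}

$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/automations/$AutomationName?api-version=2019-01-01-preview"
$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload ($automation | ConvertTo-Json -Depth 10)
if ($resp.StatusCode -notin 200, 201) {
    throw "PUT $AutomationName failed: HTTP $($resp.StatusCode) $($resp.Content)"
}
($resp.Content | ConvertFrom-Json).properties | Select-Object isEnabled, description
```

Writing the automation resource needs Security Admin (or Owner/Contributor) on the scope in addition to the Logic App Operator permission listed above. Keeping the automation in source control also makes the filter rules reviewable: a rule that matches on `Severity` only will fire for every High alert type, so add further rules (for example on `AlertType`) if the Logic App performs a remediation that should not run for all of them.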
Workflow Automation
Creating a Logic App

• In the Logic Apps Designer you can create a custom Logic App from scratch, or use the built-in templates

• Especially when designing your own custom Logic App, planning and testing is needed to make sure your Logic App
works properly

• Using the built-in templates, you will need to add the specific criteria specified in the template

• There are also many built-in Action options that can be configured in the Logic App, such as a remediation action
step

Creating the Logic App in the portal:
• Select a Subscription and Resource Group for the Logic App
• Provide a name for the Logic App
• Select the region
• Turn on Log Analytics: when you turn on Log Analytics you can push the Logic App runtime events to Log Analytics
to help monitor your workflows
• Select "visit Logic Apps page"
• Once the Logic App is created you can choose a template
• Now you can add triggers and additional automation steps to your Logic App
Workflow Automation
Manually Trigger a Logic App
• When you receive an Alert in Security Center you can manually Trigger a Logic App

• While investigating security alerts you will have the option to take additional action

• You will be able to manually select a Logic App you want to Trigger
Security Center GitHub Community
GitHub
• Azure Security Center’s community is on GitHub

• GitHub is home to more than 36 million people who create and share code, manage projects, and build
software together

Why?
• Using the Azure Security Center repository on GitHub lets you explore new code samples:
programmatic remediation tools for security recommendations; PowerShell scripts; Logic App
templates; and more

Community Collaboration
• Sharing with the open source community allows easy collaboration with partners and customers
Security Center GitHub Community
Find the Community GitHub area
Security Center GitHub Community
Azure-Security-Center repository
The Azure-Security-Center repository contains:

• Security Recommendations in public preview

• Programmatic remediation tools for security


recommendations

• PowerShell scripts for programmatic management

• Azure Policy custom definitions for at-scale


management via Azure Policy

• Logic App templates that work with Security Center's


Logic App connectors (to automate response to
Security alerts and recommendations)
Security Center GitHub Community

Be a part of the community


• Create a GitHub account

• Download content

• File Issues

• Share ideas and practices


Security Center Tech Community

Be a part of the community


• The importance of technology experts sharing their knowledge and collaborating plays a valuable role and
benefits the entire community
• From the Community blade you will also find links to the Community forum, Community Blog and UserVoice
REST APIs for Security Center
REST Operation Groups
Security Center enables you to take advantage of unified security management and advanced threat protection
across hybrid cloud workloads with its REST APIs

Operation Group Description


Alerts Alerts on security events that happened on the subscription
Adaptive Application Controls Configuration of application control rules on groups of VMs/servers
Auto Provisioning Settings Details of specific settings
Compliances Details of specific Compliances
Discovered Security Solutions Details of specific discovered Security Solution
External Security Solutions External Security Solutions for the subscription and location
Jit Network Access Policies Policies for protecting resources using Just-in-Time access control
Locations Details of specific locations
Operations All available operations
Pricings Security pricing configuration in the resource group
Security Contacts Security contact configurations for the subscription
Tasks Recommended tasks that will help improve the security of the subscription proactively
Workspace Settings Settings about where we should store your security data and logs

* See complete list of REST Operation Groups https://docs.microsoft.com/en-us/rest/api/securitycenter/


REST APIs for Security Center
Enhancing your custom recommendations with detailed information
• The built-in recommendations supplied with Azure Security Center include details such as severity levels and
remediation instructions

• If you want to add this type of information to your custom recommendations so that it appears in the Azure
portal (or wherever you access your recommendations), you'll need to use the REST API.

The two types of information you can add are:


• RemediationDescription – String
• Severity – Enum [Low, Medium, High]

• The metadata should be added to the policy definition for a policy that is part of the custom initiative. It
should be in the ‘securityCenter’ property of the definition's metadata, as shown in JSON:

"metadata": {
  "securityCenter": {
    "RemediationDescription": "Custom description goes here",
    "Severity": "High"
  }
}
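How the metadata fits into a complete custom policy definition and initiative, as an added example that is not from the original deck: it registers one custom policy definition carrying the securityCenter metadata and wraps it in a custom initiative with the Az.Resources cmdlets. The policy rule (audit storage accounts that allow public blob access) and all names are illustrative; only the `metadata.securityCenter` block is what Security Center reads for the recommendation's severity and remediation text.

```powershell
#Requires -Modules Az.Resources
# Added example, not from the original deck: register a custom policy
# definition whose metadata carries the Security Center remediation text and
# severity, then wrap it in a custom initiative (policy set definition).
# The rule itself (audit storage accounts that allow public blob access) and
# the names are illustrative placeholders.

$policyRule = @{
    if   = @{
        allOf = @(
            @{ field = 'type'; equals = 'Microsoft.Storage/storageAccounts' }
            @{ field = 'Microsoft.Storage/storageAccounts/allowBlobPublicAccess'; notEquals = $false }
        )
    }
    then = @{ effect = 'audit' }
} | ConvertTo-Json -Depth 10

# This is the block Security Center reads: Severity must be Low, Medium or High.
$metadata = @{
    securityCenter = @{
        RemediationDescription = 'Set allowBlobPublicAccess to false on the storage account, or deny public access with Azure Policy.'
        Severity               = 'High'
    }
} | ConvertTo-Json -Depth 5

$definition = New-AzPolicyDefinition -Name 'audit-storage-public-blob-access' `
    -DisplayName 'Storage accounts should not allow public blob access (custom)' `
    -Policy $policyRule -Metadata $metadata -Mode 'Indexed'

# A custom initiative is what Security Center consumes; reference the definition by ID.
# ConvertTo-Json -InputObject keeps a one-element array serialised as an array.
$setMembers = ConvertTo-Json -InputObject @(@{ policyDefinitionId = $definition.PolicyDefinitionId }) -Depth 5
New-AzPolicySetDefinition -Name 'custom-asc-initiative' `
    -DisplayName 'Custom Security Center initiative' -PolicyDefinition $setMembers
```

After this, assign the initiative to the subscription and add it under the Security Center security policy as a custom initiative; the recommendation then appears with the High severity and the remediation text from the metadata instead of the generic placeholder.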
REST APIs for Security Center
REST API Examples
Alerts - Get Subscription Level Alert
Get security alert on a subscription from security data
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}?api-version=2019-01-01

JIT Network Access Policies - Create Or Update
Create a policy for protecting resources using Just-in-Time access control
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}?api-version=2015-06-01-preview

Regulatory Compliance Controls - Get
Get selected regulatory compliance control details and state
GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/regulatoryComplianceStandards/PCI-DSS-3.2/regulatoryComplianceControls/1.1?api-version=2019-01-01-preview
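The alert and JIT calls above driven from PowerShell, as an added example that is not part of the original deck: Invoke-AzRestMethod (Az.Accounts) signs Azure Resource Manager requests with the current session token, so only the path needs to be supplied. It first resolves {ascLocation} from the Locations operation group instead of hard-coding it, lists alerts and fetches the newest active High alert by name, then writes a JIT policy for one VM. Subscription, resource group, VM and region values are placeholders; alert property names follow the 2019-01-01 alerts API, and for the JIT policy the location segment is taken to be the region of the VMs the policy covers, which is how the portal creates its `default` policy per resource group and region.

```powershell
#Requires -Modules Az.Accounts
# Added example, not from the original deck: the alert and JIT REST operations
# above called through Invoke-AzRestMethod. Placeholders: subscription ID,
# resource group, VM name and VM region. Alert property names are those of the
# 2019-01-01 alerts API.
$sub      = '00000000-0000-0000-0000-000000000000'
$rg       = 'rg-jit-demo'
$vmName   = 'vm-bastion-01'
$vmRegion = 'westeurope'

# 1. {ascLocation}: the region where Security Center keeps this subscription's
#    data. Read it from the Locations operation group rather than guessing.
$loc = (Invoke-AzRestMethod -Method GET -Path "/subscriptions/$sub/providers/Microsoft.Security/locations?api-version=2015-06-01-preview").Content | ConvertFrom-Json
$ascLocation = $loc.value[0].name

# 2. Alerts: list at subscription scope, keep the newest active High alert,
#    then fetch that single alert through the location-scoped path shown above.
$alerts = (Invoke-AzRestMethod -Method GET -Path "/subscriptions/$sub/providers/Microsoft.Security/alerts?api-version=2019-01-01").Content | ConvertFrom-Json
$latest = $alerts.value |
    Where-Object { $_.properties.state -eq 'Active' -and $_.properties.reportedSeverity -eq 'High' } |
    Sort-Object { [datetime]$_.properties.reportedTimeUtc } -Descending | Select-Object -First 1
if ($latest) {
    $one = (Invoke-AzRestMethod -Method GET -Path "/subscriptions/$sub/providers/Microsoft.Security/locations/$ascLocation/alerts/$($latest.name)?api-version=2019-01-01").Content | ConvertFrom-Json
    '{0}  {1}  {2}' -f $one.properties.reportedTimeUtc, $one.properties.alertDisplayName, $one.properties.compromisedEntity
    $one.properties.remediationSteps
} else {
    'No active High severity alerts.'
}

# 3. JIT policy for one VM. PUT replaces the whole policy, so list every VM and
#    port the policy must keep, not only the one being added.
$policy = @{
    kind       = 'Basic'
    properties = @{
        virtualMachines = @(@{
            id    = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"
            ports = @(@{
                number                     = 22
                protocol                   = 'TCP'
                allowedSourceAddressPrefix = '203.0.113.0/24'   # never '*' outside a lab
                maxRequestAccessDuration   = 'PT3H'             # ISO 8601 duration, longest window per request
            })
        })
    }
}
$jitPath = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$vmRegion/jitNetworkAccessPolicies/default?api-version=2015-06-01-preview"
$r = Invoke-AzRestMethod -Method PUT -Path $jitPath -Payload ($policy | ConvertTo-Json -Depth 10)
if ($r.StatusCode -notin 200, 201) { throw "JIT policy PUT failed: HTTP $($r.StatusCode) $($r.Content)" }
'JIT policy written; access is then requested per VM (Start-AzJitNetworkAccessPolicy or the initiate REST action).'
```

The JIT body is the same one Set-AzJitNetworkAccessPolicy builds from New-AzJitNetworkAccessPolicyVirtualMachine and New-AzJitNetworkAccessPolicyPort; the REST form is useful when the policy is generated from an inventory or deployed from a pipeline that has no Az.Security module installed.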
REST APIs for Security Center
REST API Examples
Secure Score - build your own reporting mechanism of your secure scores over time

• Use Secure Scores API to get the score for a specific subscription

• Secure Score Controls API can be used to list the security controls and the current score of your subscriptions

• Get started by using the GitHub examples Azure/Azure-Security-Center/Secure Score/

Secure Scores – Get
Get secure score for a specific Security Center initiative within your current scope. For the ASC Default initiative,
use 'ascScore'
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores/{secureScoreName}?api-version=2020-01-01-preview

Secure Scores – List
List secure scores for all your Security Center initiatives within your current scope (no {secureScoreName} in the path).
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores?api-version=2020-01-01-preview

Secure Score Controls – List By Secure Score
List the security controls of a specific initiative with their current score and resource counts.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/secureScores/{secureScoreName}/secureScoreControls?api-version=2020-01-01-preview
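A reporting mechanism of the kind described above, as an added example that is not part of the original deck or of the GitHub samples: it snapshots the overall `ascScore` and every security control for a list of subscriptions and appends the rows to a CSV, so the score can be trended across runs, which the portal does not keep for you. Subscription IDs and the CSV path are placeholders; the response property names (`score.current`, `score.max`, `score.percentage`, `unhealthyResourceCount`) are those of the 2020-01-01-preview API.

```powershell
#Requires -Modules Az.Accounts
# Added example, not from the original deck: snapshot Secure Score (overall
# 'ascScore' plus each security control) for several subscriptions and append
# it to a CSV for trending. Uses the 2020-01-01-preview secureScores and
# secureScoreControls operations via Invoke-AzRestMethod.
# Placeholders: subscription IDs and CSV path.
$subscriptions = @('00000000-0000-0000-0000-000000000000', '11111111-1111-1111-1111-111111111111')
$csvPath = '.\secure-score-history.csv'
$api     = 'api-version=2020-01-01-preview'
$stamp   = (Get-Date).ToUniversalTime().ToString('o')

$rows = foreach ($sub in $subscriptions) {
    $base = "/subscriptions/$sub/providers/Microsoft.Security/secureScores/ascScore"

    # Overall score for the ASC Default initiative. percentage is a 0..1 fraction.
    $r = Invoke-AzRestMethod -Method GET -Path "${base}?${api}"
    if ($r.StatusCode -ne 200) { throw "Secure score for $sub failed: HTTP $($r.StatusCode)" }
    $score = ($r.Content | ConvertFrom-Json).properties.score
    [pscustomobject]@{ TimestampUtc = $stamp; SubscriptionId = $sub; Control = '(overall)'
                       Current = $score.current; Max = $score.max
                       Percent = [math]::Round(100 * $score.percentage, 1); Unhealthy = $null }

    # Per-control breakdown. (On very large subscriptions the list can page via
    # nextLink; that is not followed here.)
    $r = Invoke-AzRestMethod -Method GET -Path "${base}/secureScoreControls?${api}"
    if ($r.StatusCode -ne 200) { throw "Controls for $sub failed: HTTP $($r.StatusCode)" }
    foreach ($c in ($r.Content | ConvertFrom-Json).value) {
        [pscustomobject]@{ TimestampUtc = $stamp; SubscriptionId = $sub; Control = $c.properties.displayName
                           Current = $c.properties.score.current; Max = $c.properties.score.max
                           Percent = [math]::Round(100 * $c.properties.score.percentage, 1)
                           Unhealthy = $c.properties.unhealthyResourceCount }
    }
}

$rows | Export-Csv -Path $csvPath -Append -NoTypeInformation

# Where the points are: controls with the largest gap between max and current score
$rows | Where-Object Control -ne '(overall)' |
    Sort-Object { $_.Max - $_.Current } -Descending |
    Select-Object -First 5 SubscriptionId, Control, Current, Max, Unhealthy | Format-Table -AutoSize

# Trend: compare this run's overall score with the previous run, per subscription
Import-Csv $csvPath | Where-Object Control -eq '(overall)' |
    Group-Object SubscriptionId | ForEach-Object {
        $hist = @($_.Group | Sort-Object TimestampUtc)
        if ($hist.Count -ge 2) {
            '{0}: {1}% -> {2}%' -f $_.Name, $hist[-2].Percent, $hist[-1].Percent
        }
    }
```

Run it on a schedule (an Automation account or a pipeline job with a managed identity that has Security Reader) and the CSV becomes the history; the gap column (Max minus Current) is the practical prioritisation signal, since controls are weighted differently and a low percentage on a low-weight control is worth fewer points than a moderate gap on a heavy one.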
Automate with PowerShell
Automate in Security Center using PowerShell
Az.Security gives you the ability to configure and control security features in Security Center
Disable-AzSecurityAdvancedThreatProtection Disables the advanced threat protection policy for a storage account
Enable-AzSecurityAdvancedThreatProtection Enables the advanced threat protection policy for a storage account
Get-AzDiscoveredSecuritySolution Gets security solutions that were discovered by Azure Security Center
Get-AzExternalSecuritySolution Get external security solution
Get-AzJitNetworkAccessPolicy Gets the JIT network access policies
Get-AzSecurityAdvancedThreatProtection Gets the advanced threat protection policy for a storage account
Get-AzSecurityAlert Gets security alerts that were detected by Azure Security Center
Get-AzSecurityAutoProvisioningSetting Gets the security automatic provisioning settings
Get-AzSecurityCompliance Get the security compliance of a subscription over time
Get-AzSecurityContact Gets security contacts that were configured on this subscription
Get-AzSecurityLocation Gets the location where Azure Security Center will automatically save data for the specific subscription
Get-AzSecurityPricing Gets the pricing tier data for Azure Security Center for a scope
Get-AzSecurityTask Gets the security tasks that Azure Security Center recommends you do in order to strengthen your security posture
Get-AzSecurityWorkspaceSetting Gets the configured security workspace settings on a subscription
Remove-AzJitNetworkAccessPolicy Deletes a JIT network access policy
Remove-AzSecurityContact Deletes a security contact
Remove-AzSecurityWorkspaceSetting Deletes the security workspace setting for this subscription
Set-AzJitNetworkAccessPolicy Updates JIT network access policy
Set-AzSecurityAlert Updates a security alert state
Set-AzSecurityAutoProvisioningSetting Updates automatic provisioning setting
Automating with PowerShell
Az.Security Examples
Get-AzSecurityAlert gets security alerts that were detected by Azure Security Center
Automating with PowerShell
Az.Security Examples
Security Center scans your resources to detect potential security issues.
The Get-AzSecurityTask cmdlet lets you discover the security tasks (recommendations) that Security Center
recommends you configure

This will get all the security recommendations that were discovered for resources inside a Resource Group:
Get-AzSecurityTask -ResourceGroupName "MyRG"
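Going one step beyond the single cmdlet call above, as an added example that is not from the original deck: summarise all active recommendations in the current subscription by recommendation type and by resource group, and list the resources that appear under several recommendations, which is usually the place to start remediation. It assumes the PSSecurityTask properties RecommendationType, ResourceId and State exposed by Az.Security; the CSV path is a placeholder.

```powershell
#Requires -Modules Az.Security
# Added example, not from the original deck: summarise the active Security
# Center recommendations (tasks) in the current subscription. Assumes the
# PSSecurityTask properties RecommendationType, ResourceId and State from
# Az.Security; the CSV path is a placeholder.
$tasks = Get-AzSecurityTask | Where-Object { $_.State -eq 'Active' }

# The resource group is parsed from the ARM resource ID; subscription-level
# tasks carry no resource group and are reported as '(subscription)'.
$rows = foreach ($t in $tasks) {
    $rg = if ($t.ResourceId -match '/resourceGroups/([^/]+)/') { $Matches[1] } else { '(subscription)' }
    [pscustomobject]@{
        RecommendationType = $t.RecommendationType
        ResourceGroup      = $rg
        ResourceId         = $t.ResourceId
    }
}

'== Open recommendations by type =='
$rows | Group-Object RecommendationType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

'== Open recommendations per resource group =='
$rows | Group-Object ResourceGroup | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

'== Resources with three or more open recommendations =='
$rows | Group-Object ResourceId | Where-Object Count -ge 3 | Sort-Object Count -Descending |
    ForEach-Object { '{0,3}  {1}' -f $_.Count, $_.Name }

# Keep the raw rows so the per-type counts can be compared with the next run
$rows | Export-Csv -Path '.\asc-tasks.csv' -NoTypeInformation
```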
Assessments Metadata APIs for Security Center
Assessments Metadata is a new API that can be used to get metadata information about an assessment type: its display
name, description, severity, remediation text and where it comes from.

Example: In the response from SecurityAssessmentMetadataList you can use assessmentType to determine whether the
assessment comes from a built-in Azure Policy definition (BuiltIn), a custom policy definition (CustomPolicy), a
customer-managed assessment pushed through the API (CustomerManaged), or a verified partner solution (VerifiedPartner).

Assessments Metadata Operations:

• Create In Subscription - Create metadata information on an assessment type in a specific subscription.
• Delete In Subscription - Delete metadata information on an assessment type in a specific subscription; this will
cause the deletion of all the assessments of that type in that subscription.
• Get - Get metadata information on an assessment type.
• Get In Subscription - Get metadata information on an assessment type in a specific subscription.
• List - Get metadata information on all assessment types.
• List By Subscription - Get metadata information on all assessment types in a specific subscription.
Assessments APIs for Security Center
Assessments is a new API that returns the result of an assessment on a resource: which resource was assessed and its
status (Healthy, Unhealthy or NotApplicable). The assessment's name is the same name as its Assessment Metadata
entry, which is how the two are joined.

Example: In the response from SecurityAssessment you can use ResourceDetails to determine whether it is an
AzureResource or an OnPremises resource.

Assessments Operations:

• Create Or Update - Create a security assessment on your resource. An assessment metadata that describes this
assessment must be predefined with the same name before inserting the assessment result.
• Delete - Delete a security assessment on your resource. An assessment metadata that describes this assessment must
be predefined with the same name before inserting the assessment result.
• Get - Get a security assessment on your scanned resource.
• List - Get security assessments on all your scanned resources inside a scope.
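The join between the two APIs described above, as an added example that is not part of the original deck: it indexes the Assessments Metadata list by name, matches each Assessment to its metadata, and reports unhealthy resources by assessment type and severity, including on-premises resources. Without -Live it runs offline against constructed sample records shaped like the API responses (the GUIDs and resource IDs are made up); with -Live it reads both lists from the REST API at api-version 2020-01-01 and follows nextLink paging.

```powershell
#Requires -Modules Az.Accounts
# Added example, not from the original deck: join Assessments Metadata (what a
# check is: type, severity) with Assessments (state per resource) and report
# unhealthy resources by assessment type and severity. Without -Live it uses
# the constructed sample records below (GUIDs and IDs are made up); with -Live
# it reads both lists from the REST API at api-version 2020-01-01.
param([switch]$Live, [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000')

function Get-AscList([string]$Path) {
    # List operations page their results; follow nextLink until exhausted.
    $items = @()
    while ($Path) {
        $r = Invoke-AzRestMethod -Method GET -Path $Path
        if ($r.StatusCode -ne 200) { throw "GET $Path failed: HTTP $($r.StatusCode)" }
        $j = $r.Content | ConvertFrom-Json
        $items += $j.value
        $Path = if ($j.nextLink) { ([uri]$j.nextLink).PathAndQuery } else { $null }
    }
    return $items
}

# Constructed sample data shaped like the API responses: two assessment types, three results
$sampleMetadata = @(
    @{ name = '11111111-1111-1111-1111-111111111111'
       properties = @{ displayName = 'Management ports should be closed on your virtual machines'; assessmentType = 'BuiltIn'; severity = 'High' } }
    @{ name = '22222222-2222-2222-2222-222222222222'
       properties = @{ displayName = 'Custom: resources must carry an owner tag'; assessmentType = 'CustomPolicy'; severity = 'Low' } }
)
$sampleAssessments = @(
    @{ name = '11111111-1111-1111-1111-111111111111'
       properties = @{ status = @{ code = 'Unhealthy' }; resourceDetails = @{ source = 'Azure'; id = '/subscriptions/x/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm-web-01' } } }
    @{ name = '11111111-1111-1111-1111-111111111111'
       properties = @{ status = @{ code = 'Healthy' }; resourceDetails = @{ source = 'Azure'; id = '/subscriptions/x/resourceGroups/rg-a/providers/Microsoft.Compute/virtualMachines/vm-db-01' } } }
    @{ name = '22222222-2222-2222-2222-222222222222'
       properties = @{ status = @{ code = 'Unhealthy' }; resourceDetails = @{ source = 'OnPremise'; id = 'srv-legacy-07' } } }
)

if ($Live) {
    $metadata    = Get-AscList "/subscriptions/$SubscriptionId/providers/Microsoft.Security/assessmentMetadata?api-version=2020-01-01"
    $assessments = Get-AscList "/subscriptions/$SubscriptionId/providers/Microsoft.Security/assessments?api-version=2020-01-01"
} else {
    $metadata    = $sampleMetadata
    $assessments = $sampleAssessments
}

# Index metadata by name; an assessment's name is the metadata name (a GUID).
$byName = @{}
foreach ($m in $metadata) { $byName[$m.name] = $m.properties }

$report = foreach ($a in $assessments) {
    $m = $byName[$a.name]
    [pscustomobject]@{
        Assessment     = if ($m) { $m.displayName } else { "(no metadata for $($a.name))" }
        AssessmentType = if ($m) { $m.assessmentType } else { 'Unknown' }
        Severity       = if ($m) { $m.severity } else { 'Unknown' }
        Status         = $a.properties.status.code
        ResourceSource = $a.properties.resourceDetails.source
        ResourceId     = $a.properties.resourceDetails.id
    }
}

$unhealthy = $report | Where-Object Status -eq 'Unhealthy'
'== Unhealthy resources by assessment type and severity =='
$unhealthy | Group-Object AssessmentType, Severity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
'== Unhealthy resources =='
$unhealthy | Sort-Object Severity, Assessment |
    Format-Table Severity, AssessmentType, Assessment, ResourceSource, ResourceId -AutoSize
```

On the sample data the report shows one BuiltIn/High finding (vm-web-01) and one CustomPolicy/Low finding on the on-premises machine; the Healthy result for vm-db-01 is filtered out. The same join is the basis for any dashboard that needs severity or remediation text next to a resource, because the Assessments response on its own carries neither.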
Microsoft Security Code Analysis
Good security practices for Azure DevOps
• Azure DevOps (formerly VSTS, Visual Studio Team Services) teams that are developing code for deployments can now
have their code run through the Microsoft Security Code Analysis Extension to help identify security risks, using
Microsoft-managed and open-source tools

• An easy-to install extension hides the complexity of running and maintaining security scanning tools within your
own pipelines

• The Microsoft Security Code Analysis tool set consist of many tools available in the Extension:
• Anti-Malware Scanner
• BinSkim
• Credential Scanner
• Microsoft Security Risk Detection
• Roslyn Analyzers
• TSLint

• More information: https://docs.microsoft.com/en-us/azure/security/develop/security-code-analysis-overview


Questions?