Splunk Lantern

Azure security policy review

You might want to review the security state of your Azure resources when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Security recommendations are actions for you to take to secure your resources. Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remediate those vulnerabilities. You want a list of the affected resources, a short description of each issue, and the remediation steps to implement the recommendation.

NOTE: To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype="azure:securityCenter:task"
|rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" 
|search resource="*" 
|stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource 
|search "properties.securityTaskParameters.policyName"=* 
|rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" 
|sort + Severity, "Alert Category" 
|fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype="azure:securityCenter:task"

Search only Azure Security Center task data.

|rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" 

Extract the last segment of the resourceId path (the resource name) and capture it into a new field called "resource".

|search resource="*" 

Filter the results to only include events where the resource field is set to any string. 

|stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource 

Return the most recent event time for each unique combination of severity, resource type, policy name, category, and resource, and name that value _time.

|search "properties.securityTaskParameters.policyName"=* 

Filter the results to only include events where policyName is set to any value. 

|rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" 

Rename the fields as shown for better readability.

|sort + Severity, "Alert Category" 

Sort the results in ascending order by the Severity field and then by Alert Category.

|fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy

Show only the fields listed.
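The following Python is an added example, not part of this Lantern article or of Splunk's code. It reproduces the search's logic outside Splunk over a handful of constructed azure:securityCenter:task events so you can check what the rex extraction captures, how the stats deduplication keeps only the latest occurrence of each finding, and how the lexicographic sort orders severities. The event shape (dotted field names, epoch _time) and all resource names and subscription IDs are assumptions made for the example.

```python
import re

# Prefix of the dotted field names Splunk produces for the nested JSON.
P = "properties.securityTaskParameters."


def event(t, resource_id, severity, resource_type, category, policy=None):
    """Build one constructed event in the flattened shape the search expects."""
    e = {"_time": t, P + "resourceId": resource_id, P + "severity": severity,
         P + "resourceType": resource_type, P + "category": category}
    if policy is not None:          # some events carry no policyName at all
        e[P + "policyName"] = policy
    return e


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/lab/providers"
DISK = "Disk encryption should be applied on virtual machines"
VULN = "Enable a vulnerability assessment solution on virtual machines"

# Constructed sample data; values are made up for this example.
SAMPLE_EVENTS = [
    event(1603584485, SUB + "/Microsoft.Compute/virtualMachines/Ry-Win10", "High", "VirtualMachine", "Compute", DISK),
    event(1603500000, SUB + "/Microsoft.Compute/virtualMachines/Ry-Win10", "High", "VirtualMachine", "Compute", DISK),  # older duplicate
    event(1603583890, SUB + "/Microsoft.Compute/virtualMachines/Ryan", "High", "VirtualMachine", "Compute", DISK),
    event(1603578565, SUB + "/Microsoft.Compute/virtualMachines/Ry-Win10", "High", "VirtualMachine", "Compute", VULN),
    event(1603580000, "orphan", "High", "VirtualMachine", "Compute", DISK),                     # no path: rex captures nothing
    event(1603581000, SUB + "/Microsoft.Storage/storageAccounts/lablogs", "Medium", "StorageAccount", "Storage"),  # no policyName
    event(1603582000, SUB + "/Microsoft.Storage/storageAccounts/lablogs", "Low", "StorageAccount", "Storage",
          "Secure transfer to storage accounts should be enabled"),
]

# Splunk unescapes "\\/" to "\/" before compiling the rex, so the effective
# regex is /\S+/(?<resource>\S+). The greedy \S+ backtracks to the last "/"
# and the named group captures the final path segment.
RESOURCE_RE = re.compile(r"/\S+/(?P<resource>\S+)")

GROUP_KEYS = (P + "severity", P + "resourceType", P + "policyName", P + "category", "resource")
RENAMES = {P + "severity": "Severity", P + "resourceType": "Resource Type",
           P + "policyName": "Policy", P + "category": "Alert Category",
           "resource": "Affected Resource"}


def extract_resource(resource_id):
    """Equivalent of the rex command; returns None when the pattern does not match."""
    m = RESOURCE_RE.search(resource_id)
    return m.group("resource") if m else None


def review_search(events):
    """Emulate the full search: rex, search, stats latest, search, rename, sort, fields."""
    latest = {}
    for e in events:
        resource = extract_resource(e.get(P + "resourceId", ""))
        if resource is None:                    # |search resource="*"
            continue
        key = tuple(dict(e, resource=resource).get(k) for k in GROUP_KEYS)
        if None in key:                         # stats drops events missing a split-by field
            continue
        if key not in latest or e["_time"] > latest[key]:   # stats latest(_time) ... by
            latest[key] = e["_time"]
    rows = []
    for key, t in latest.items():
        fields = dict(zip(GROUP_KEYS, key))
        if fields[P + "policyName"] is None:    # |search policyName=* (safety net after stats)
            continue
        rows.append({"_time": t, **{RENAMES[k]: v for k, v in fields.items()}})
    # |sort + Severity, "Alert Category": plain string order, so "High" < "Low" < "Medium"
    rows.sort(key=lambda r: (r["Severity"], r["Alert Category"]))
    return rows                                 # |fields: only the renamed columns remain


if __name__ == "__main__":
    for row in review_search(SAMPLE_EVENTS):
        print(row)
```

Two things the emulation makes visible: the older duplicate of the Ry-Win10 disk-encryption finding disappears because stats keeps only the latest _time per group, and the ascending sort on Severity is alphabetical, so a "Medium" row would land after "Low". If you want true priority order, map the severity strings to numbers before sorting.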

Result

Sample results for this search are shown in the table below. This output constitutes a set of security policy recommendations that the IT department can implement. The sample is small but provides sufficient information to be actionable. We know the severity, the resource affected, and the recommended action. Some of these actions could be candidates for automation with an orchestrator such as Splunk SOAR.

| _time | Severity | Alert Category | Affected Resource | Resource Type | Policy |
|---|---|---|---|---|---|
| 2020-10-25T00:08:05.000+0000 | High | Compute | Ry-Win10 | VirtualMachine | Disk encryption should be applied on virtual machines |
| 2020-10-24T23:58:10.000+0000 | High | Compute | Ryan | VirtualMachine | Disk encryption should be applied on virtual machines |
| 2020-10-24T23:53:47.000+0000 | High | Compute | SPLUNKHF01 | VirtualMachine | Disk encryption should be applied on virtual machines |
| 2020-10-24T23:20:10.000+0000 | High | Compute | test | VirtualMachine | Disk encryption should be applied on virtual machines |
| 2020-10-24T22:29:25.000+0000 | High | Compute | Ry-Win10 | VirtualMachine | Enable a vulnerability assessment solution on virtual machines |
