Splunk Lantern

Azure security policy review

 

Security recommendations are actions you can take to secure your resources. Azure Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities, then provides recommendations on how to remediate them. You want a list of the affected resources, a short description of each issue, and the remediation steps needed to implement the recommendation.

Data required 

Microsoft Azure Security Center data

Procedure

  1. Configure the Microsoft Azure Add-on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:securityCenter:task"
|rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" 
|search resource="*" 
|stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource 
|search "properties.securityTaskParameters.policyName"=* 
|rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" 
|sort + Severity, "Alert Category" 
|fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="azure:securityCenter:task"

Search only Azure Security Center task data.

|rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" 

Extract the last segment of the resourceId path (the resource name, not the full Azure resource ID) and capture it into a new field called "resource". The \S+ before the final slash is greedy, so the capture group only ever receives the text after the last slash.

|search resource="*" 

Filter the results to only include events where the resource field was successfully extracted, dropping any task event without a usable resourceId.

|stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource 

Return the most recent event time for each unique combination of severity, resource type, policy name, category and resource. Security Center reports the same open task repeatedly, so this collapses the duplicates into one row per recommendation per resource.

|search "properties.securityTaskParameters.policyName"=* 

Filter the results to only include events where policyName is set to any value. 

|rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" 

Rename the fields as shown for better readability.

|sort + Severity, "Alert Category" 

Sort the results according to the Severity field and then Alert Category, with results in ascending order. Note that Severity is a string, so the ascending sort is alphabetical: High rows come first, but Low rows sort ahead of Medium rows. If you want true severity order, map the values to a numeric rank before sorting.

|fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy

Show only the fields listed.
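As an added example that is not part of the original page or of the Microsoft Azure Add-on for Splunk, the following Python script models the search above and its explanation over constructed task events, so the rex extraction, the stats deduplication and the two search filters can be checked offline. Every subscription ID, resource group, resource name and policy string in the sample events is made up. The script goes one step beyond the SPL by ranking severity High, Medium, Low explicitly, because `sort + Severity` on the string field orders the values alphabetically (High, Low, Medium); the `severity_order=False` switch reproduces the alphabetical behaviour of the original search.

```python
"""Offline model of the Azure Security Center task review search.

Constructed sample events stand in for sourcetype="azure:securityCenter:task"
data; every subscription ID, resource name and policy string below is made up.
"""
import re
from datetime import datetime

# Same pattern as the rex command: \S+ is greedy, so the capture group
# receives only the last path segment of the resourceId.
RESOURCE_RE = re.compile(r"/\S+/(?P<resource>\S+)")

# Splunk's `sort + Severity` is alphabetical (High, Low, Medium).
# Ranking the levels explicitly keeps Medium above Low.
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

TIME_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"

# Hypothetical subscription and resource group used in the constructed events.
_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000"
           "/resourceGroups/rg-lab/providers")


def _event(ts, severity, category, resource_type, resource_id, policy):
    """Build one constructed task event shaped like the add-on's JSON."""
    return {
        "_time": ts,
        "properties": {
            "securityTaskParameters": {
                "severity": severity,
                "category": category,
                "resourceType": resource_type,
                "resourceId": resource_id,
                "policyName": policy,
            }
        },
    }


# Constructed sample data (not real Security Center output).
SAMPLE_EVENTS = [
    _event("2020-10-24T22:29:25.000+0000", "High", "Compute", "VirtualMachine",
           _PREFIX + "/Microsoft.Compute/virtualMachines/Ry-Win10",
           "Enable a vulnerability assessment solution on virtual machines"),
    # Same recommendation reported twice for one VM: only the newest survives.
    _event("2020-10-24T23:20:10.000+0000", "High", "Compute", "VirtualMachine",
           _PREFIX + "/Microsoft.Compute/virtualMachines/Ry-Win10",
           "Disk encryption should be applied on virtual machines"),
    _event("2020-10-25T00:08:05.000+0000", "High", "Compute", "VirtualMachine",
           _PREFIX + "/Microsoft.Compute/virtualMachines/Ry-Win10",
           "Disk encryption should be applied on virtual machines"),
    _event("2020-10-24T23:53:47.000+0000", "Low", "Networking", "NetworkSecurityGroup",
           _PREFIX + "/Microsoft.Network/networkSecurityGroups/nsg-lab",
           "Network security group rules should be reviewed"),
    _event("2020-10-24T23:40:00.000+0000", "Medium", "Data", "StorageAccount",
           _PREFIX + "/Microsoft.Storage/storageAccounts/stlab01",
           "Secure transfer to storage accounts should be enabled"),
    # Dropped by `search policyName=*`: empty policy name.
    _event("2020-10-24T23:41:00.000+0000", "High", "Compute", "VirtualMachine",
           _PREFIX + "/Microsoft.Compute/virtualMachines/test", ""),
    # Dropped by `search resource=*`: no resourceId to extract from.
    _event("2020-10-24T23:42:00.000+0000", "High", "Compute", "VirtualMachine",
           None, "Disk encryption should be applied on virtual machines"),
]


def extract_resource(resource_id):
    """Mirror the rex command: return the last path segment, or None."""
    if not resource_id:
        return None
    match = RESOURCE_RE.search(resource_id)
    return match.group("resource") if match else None


def review_tasks(events, severity_order=True):
    """Reproduce the stats/rename/sort/fields pipeline over raw task events.

    severity_order=True ranks High > Medium > Low; False reproduces the
    alphabetical order that the SPL `sort + Severity` actually produces.
    """
    latest = {}
    for ev in events:
        p = ev["properties"]["securityTaskParameters"]
        resource = extract_resource(p.get("resourceId"))
        if resource is None or not p.get("policyName"):
            continue
        key = (p.get("severity", ""), p.get("category", ""), resource,
               p.get("resourceType", ""), p["policyName"])
        ts = datetime.strptime(ev["_time"], TIME_FMT)
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, ev["_time"])   # keep the raw string for output
    rows = [
        {"_time": raw, "Severity": k[0], "Alert Category": k[1],
         "Affected Resource": k[2], "Resource Type": k[3], "Policy": k[4]}
        for k, (ts, raw) in latest.items()
    ]
    if severity_order:
        rank = lambda r: SEVERITY_RANK.get(r["Severity"], len(SEVERITY_RANK))
    else:
        rank = lambda r: r["Severity"]
    # Policy is an extra tie-breaker so the output order is deterministic.
    rows.sort(key=lambda r: (rank(r), r["Alert Category"], r["Policy"]))
    return rows


if __name__ == "__main__":
    for row in review_tasks(SAMPLE_EVENTS):
        print(row["_time"], row["Severity"], row["Alert Category"],
              row["Affected Resource"], row["Resource Type"], row["Policy"])
```

Run the script directly to print the four surviving rows; the two duplicate disk-encryption events for Ry-Win10 collapse into one row carrying the later timestamp, and the events with an empty policy name or no resourceId never reach the output.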

Next steps

Sample results for this search are shown in the table below. This output constitutes a set of security policy recommendations that the IT department can implement. The sample is small but provides sufficient information to be actionable: we know the severity, the resource affected, and the recommended action. Some of these actions, such as enabling disk encryption on a virtual machine, could be candidates for automation with an orchestrator such as Splunk SOAR.

_time                         Severity  Alert Category  Affected Resource  Resource Type   Policy
2020-10-25T00:08:05.000+0000  High      Compute         Ry-Win10           VirtualMachine  Disk encryption should be applied on virtual machines
2020-10-24T23:58:10.000+0000  High      Compute         Ryan               VirtualMachine  Disk encryption should be applied on virtual machines
2020-10-24T23:53:47.000+0000  High      Compute         SPLUNKHF01         VirtualMachine  Disk encryption should be applied on virtual machines
2020-10-24T23:20:10.000+0000  High      Compute         test               VirtualMachine  Disk encryption should be applied on virtual machines
2020-10-24T22:29:25.000+0000  High      Compute         Ry-Win10           VirtualMachine  Enable a vulnerability assessment solution on virtual machines

You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.