Azure security policy review
Security recommendations are actions for you to take to secure your resources. Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remediate those vulnerabilities. You want a list of the affected resource, a short description of the issue, and the remediation steps to implement the recommendation.
Data required
Microsoft: Azure Security Center data
Procedure
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:securityCenter:task" |rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" |search resource="*" |stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource |search "properties.securityTaskParameters.policyName"=* |rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" |sort + Severity, "Alert Category" |fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
|
sourcetype="azure:securityCenter:task" |
Search only Azure Security Center task data. |
|
|rex field=properties.securityTaskParameters.resourceId "\\/\\S+\\/(?<resource>\\S+)" |
Extract the resource ID from the end of the path and captures it into a new field called "resource". |
|
|search resource="*" |
Filter the results to only include events where the resource field is set to any string. |
|
|stats latest(_time) AS _time by properties.securityTaskParameters.severity, properties.securityTaskParameters.resourceType, properties.securityTaskParameters.policyName, properties.securityTaskParameters.category, resource |
Locate the latest instance of the indicated fields and rename them for better readability. |
|
|search "properties.securityTaskParameters.policyName"=* |
Filter the results to only include events where policyName is set to any value. |
|
|rename "properties.securityTaskParameters.severity" AS Severity, "properties.securityTaskParameters.resourceType" AS "Resource Type", "properties.securityTaskParameters.policyName" AS Policy, "properties.securityTaskParameters.category" AS "Alert Category", resource AS "Affected Resource" |
Rename the fields as shown for better readability. |
|
|sort + Severity, "Alert Category" |
Sort the results according to the Severity field and then Alert Category with results in ascending order. |
|
|fields + _time, Severity, "Alert Category", "Affected Resource", "Resource Type", Policy |
Show only the fields listed. |
Next steps
Sample results for this search are shown in the table below. This output constitutes a set of security policy recommendations that the IT department can implement. The sample is small but provides sufficient information to be actionable. We know the severity, the resource affected, and the recommended action. Some of these actions could be candidates for automation with an orchestrator such as Splunk SOAR .
| _time | Severity | Alert Category | Affected Resource | Resource Type | Policy |
|---|---|---|---|---|---|
|
2020-10-25T00:08:05.000+0000 |
High |
Compute |
Ry-Win10 |
VirtualMachine |
Disk encryption should be applied on virtual machines |
|
2020-10-24T23:58:10.000+0000 |
High |
Compute |
Ryan |
VirtualMachine |
Disk encryption should be applied on virtual machines |
|
2020-10-24T23:53:47.000+0000 |
High |
Compute |
SPLUNKHF01 |
VirtualMachine |
Disk encryption should be applied on virtual machines |
|
2020-10-24T23:20:10.000+0000 |
High |
Compute |
test |
VirtualMachine |
Disk encryption should be applied on virtual machines |
|
2020-10-24T22:29:25.000+0000 |
High |
Compute |
Ry-Win10 |
VirtualMachine |
Enable a vulnerability assessment solution on virtual machines |
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.