In this lab you will get an overview of Secure Scores and learn how to do the following:
Log in to the Azure CLI
Query Secure Scores and definitions
Query alerts
Step 1 - Logging In
Run this command to log in to the Azure account:
az login -u $username -p $password
After you log in, you should get a block of JSON with details about your sign-in.
You can view the Azure account username with this command:
echo $username
Step 2 - Setup
Microsoft Defender for Cloud is a one-stop service for evaluating the health and security configuration of all your resources. It is natively embedded in every service you create, but presents the findings in a centralized and unified fashion. It also feeds recommendations to the Azure Advisor service, which is covered in a separate lab. Here we will explore the security center and its scoring metrics.
When you spin up resources on Azure, Microsoft automatically applies security initiatives, which are sets of security policies. A security policy is a rule dictating a security specification you want controlled. While many policies are provided, you also have the ability to create your own. The initiative applied to every resource by default is the Azure Security Benchmark, which contains common policies such as not exposing storage to outside networks.
Azure will regularly scan your resources and determine what is out of compliance and then provide a score across different categories. It will then provide recommendations on how to remedy these compliance issues.
First, we need a resource group. This lab uses a resource group whose name is saved in the variable $resource, which was created with this command:
az group create --name $resource --location eastus
The VM used in this lab is created in that resource group with this command:
az vm create --name 'MyVM' \
--image UbuntuLTS \
--location eastus \
--resource-group $resource \
--admin-username azureuser \
--public-ip-sku Basic
Step 3 - Security Score Definitions
To see all the definitions of what drives our Secure Score in Azure, you can run this command. I recommend outputting this as a table first:
az security secure-score-control-definitions list --output table
Notice that you will see different categories, from multifactor authentication (MFA) to encryption and port security. All of these categories drive your Secure Score in Azure; note also the MaxScore that each of these categories gets.
When you run the full JSON output of this command, note you get some more details, particularly the IDs of definitions:
az security secure-score-control-definitions list
Azure will not have a chance to run its security scans in this lab, so we are not going to get any results with these commands. Regardless, here is the command that would return the Secure Scores. It would detail the results and the current state:
az security secure-scores list
You could also list each of the controls individually with their current status:
az security secure-score-controls list
Step 4 - Viewing Alerts
To view current alerts, you would run the following command. This shows actions that need to be taken based on the security initiatives and definitions:
az security alert list
You could also provide a resource group to restrict scope to that resource group:
az security alert list --resource-group $resource
As you can see if you run these, you do not have any alerts, because we have not done much other than create a VM in this lab. Over time, Defender for Cloud will monitor for vulnerabilities, and if we took insecure actions, like opening up the VM's ports too liberally, they should show up here as alerts.
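The commands in Steps 3 and 4 return JSON, and in a real subscription the lists are long enough that you want to triage them rather than read them top to bottom. The script below is an added example for this lab, not part of the lab or of the Azure CLI itself: it ranks Secure Score controls by the points still available and lists only the active alerts, most severe first. The field names it reads (displayName, score.current, score.max, unhealthyResourceCount, severity, status, compromisedEntity, timeGeneratedUtc) are our understanding of the Azure CLI output and are an assumption to check against real output; the sample data embedded in the file is constructed so the script runs offline.

```python
"""Triage helpers for the JSON returned by the lab's Secure Score and alert commands.

Added example (not part of the lab). Typical use against real output:

    az security secure-score-controls list --output json > controls.json
    az security alert list --resource-group "$resource" --output json > alerts.json
    python triage.py controls.json alerts.json

Run with no arguments to use the constructed sample data below.
"""
import json
import sys
from pathlib import Path

# Constructed sample in the shape we assume `az security secure-score-controls list`
# returns: one entry per control with its earned/max points and resource counts.
SAMPLE_CONTROLS = [
    {"displayName": "Enable MFA",
     "score": {"current": 0.0, "max": 10, "percentage": 0.0},
     "healthyResourceCount": 0, "unhealthyResourceCount": 2, "weight": 2},
    {"displayName": "Secure management ports",
     "score": {"current": 4.0, "max": 8, "percentage": 0.5},
     "healthyResourceCount": 1, "unhealthyResourceCount": 1, "weight": 2},
    {"displayName": "Encrypt data in transit",
     "score": {"current": 4.0, "max": 4, "percentage": 1.0},
     "healthyResourceCount": 3, "unhealthyResourceCount": 0, "weight": 3},
]

# Constructed sample in the shape we assume `az security alert list` returns.
SAMPLE_ALERTS = [
    {"alertDisplayName": "Repeated failed SSH logins", "severity": "High",
     "status": "Active", "compromisedEntity": "MyVM",
     "timeGeneratedUtc": "2024-01-10T09:15:00Z"},
    {"alertDisplayName": "Unusual configuration change", "severity": "Low",
     "status": "Dismissed", "compromisedEntity": "MyVM",
     "timeGeneratedUtc": "2024-01-09T12:00:00Z"},
    {"alertDisplayName": "Management port open to the internet", "severity": "Medium",
     "status": "Active", "compromisedEntity": "MyVM",
     "timeGeneratedUtc": "2024-01-11T07:30:00Z"},
]

# Lower number = more severe; unknown severities sort last.
SEVERITY_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def points_available(controls):
    """Return (control name, points not yet earned, unhealthy resource count),
    largest gap first, skipping controls that already score full marks."""
    rows = []
    for control in controls:
        score = control.get("score", {})
        missing = float(score.get("max", 0)) - float(score.get("current", 0))
        if missing > 0:
            rows.append((control.get("displayName", "?"), missing,
                         int(control.get("unhealthyResourceCount", 0))))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def overall_percentage(controls):
    """Earned points divided by maximum points across all controls.
    A simple aggregate; the service's own figure comes from
    `az security secure-scores list`."""
    earned = sum(float(c.get("score", {}).get("current", 0)) for c in controls)
    maximum = sum(float(c.get("score", {}).get("max", 0)) for c in controls)
    return earned / maximum if maximum else 0.0


def active_alerts_by_severity(alerts, min_severity="Low"):
    """Keep alerts that are still Active and at least `min_severity`,
    ordered most severe first and, within a severity, newest first."""
    cutoff = SEVERITY_ORDER[min_severity]
    kept = [a for a in alerts
            if a.get("status") == "Active"
            and SEVERITY_ORDER.get(a.get("severity"), 99) <= cutoff]
    kept.sort(key=lambda a: a.get("timeGeneratedUtc", ""), reverse=True)  # newest first
    kept.sort(key=lambda a: SEVERITY_ORDER.get(a.get("severity"), 99))   # stable: severity wins
    return kept


def main(argv):
    controls = json.loads(Path(argv[1]).read_text()) if len(argv) > 1 else SAMPLE_CONTROLS
    alerts = json.loads(Path(argv[2]).read_text()) if len(argv) > 2 else SAMPLE_ALERTS
    print(f"Secure Score (earned/max): {overall_percentage(controls):.0%}")
    print("Controls with points still available:")
    for name, missing, unhealthy in points_available(controls):
        print(f"  {missing:5.1f} pts  {unhealthy:3d} unhealthy  {name}")
    print("Active alerts, most severe first:")
    for alert in active_alerts_by_severity(alerts):
        print(f"  [{alert['severity']:<6}] {alert['timeGeneratedUtc']}  "
              f"{alert['compromisedEntity']}: {alert['alertDisplayName']}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample data the script reports 36% earned, puts "Enable MFA" (10 points, 2 unhealthy resources) ahead of "Secure management ports", and drops the dismissed Low alert so only the High and Medium ones remain.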
This wraps up our tour of the security center and the commands to retrieve Secure Scores.