Drew Robinson's Blog

Azure, Powershell and Security things

Accesing Azure Security Center API with Powershell Invoke-RestMethod

Accessing Azure Security Center API with Powershell Invoke-RestMethod

asc112-1

Listing missing patches on Azure VMs with Collection Results API

asc112-2-patches

Listing Alerts using the Alert API, such as RDP brute force attempts showing failed and successful logons:

rdp-bruteforce

 

The following will allow you monitor or set your Azure Security Center settings via Powershell/REST

Getting started:

You will first need to provision a service principal that can access your Azure subscription (Windows Azure Service Management API), so your REST call can auth into your subscription. 

asc112-auth

blogupdate1

2. Save the following: application name, client id, client secret (key), note: you can’t recall the key.. so important to save it at time of creation.

 

Via Azure Portal – Subscriptions, Subscription – IAM

blogupdate2

Set subscription access (you can change this at anytime):  

  • read (view ASC status, policy)
  • contribute (change/update ASC policy, ack alerts)

Plan on how you will use the ASC API: https://msdn.microsoft.com/en-us/library/mt704039.aspx

Azure Security resources listed in red:

blogupdate3

Example, we are interested in Azure Security Status:  https://msdn.microsoft.com/en-us/library/mt704041.aspx

We will use the following: https://<endpoint>/subscriptions/{subscriptionId}/providers/microsoft.Security/securityStatuses?api-version={api-version}

asc112-api-example-222

CODE:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
$Tenant="yourAzureADTenantName.onmicrosoft.com"
 $ClientID="YourClientIDfromAzureAzureADApp"
 $ClientSecret="YourClientSecretfromAzureADApp"
 $subscriptionid="AzureSubscriptionGUID"
 
 #Create Access Token
 $Token = Invoke-RestMethod -Uri https://login.microsoftonline.com/$tenant/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
 
 #ASC RESTAPI endpoint
 $SubscriptionURI="https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/securitystatuses" +'?api-version=2015-06-01-preview'
    $Headers = @{
    'authorization'="Bearer $($Token.access_token)"
    }

 #Request 
    $Request = Invoke-RestMethod -Method GET -Headers $Headers -ContentType "application/x-www-form-urlencoded" -Uri $SubscriptionURI 

Output for $request.value

blogupdate5

Selecting the first resource group [0] and listing ASC properties

 

Outputting two ASC properties from collection 0

 

$Request.value[0].properties.antimalwarescannerdata

$Request.value[0].properties.patchscannerdata

 

blogupdate7

Setting ASC policy via API.

Rerernce: https://msdn.microsoft.com/en-us/library/mt704062.aspx

blogupdate8

CODE: (Notice the URI has changed)

$Tenant="YourAzureADTenantname.onmicrosoft.com"
 $ClientID="YourClientID"
 $ClientSecret="YourClientSecret"
 $Token = Invoke-RestMethod -Uri https://login.microsoftonline.com/$tenant/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
 $subscriptionid="Your Azure Subscription ID"
 $SubscriptionURI="https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/policies/default" +'?api-version=2015-06-01-preview'

$params = @{
 ContentType = 'application/json'
 Headers = @{
 'authorization'="Bearer $($Token.access_token)"
 }
 Method = 'get'
 URI = $SubscriptionURI
 }

$Request = Invoke-RestMethod @params

 

Showing settings via $Request.properties

blogupdate9

  • all recommendations
  • no email notification
  • free tier

To set ASC policy, we create the following json for a PUT request

 "properties": {
 "logCollection": "On",
 "recommendations": {
 "patch": "On",
 "baseline": "On",
 "antimalware": "On",
 "acls": "On",
 "waf": "Off",
 "ngfw": "Off",
 "sqlAuditing": "On",
 "sqlTde": "On",
 "vulnerabilityAssessment": "On",
 "storageEncryption": "On"
 },
 "securityContactConfiguration": {
 "securityContactEmails": "drewwho@microsoft.com",
 "areNotificationsOn": "true"
 },
 "pricingConfiguration": {
 "selectedPricingTier":"standard"
 
 } 
 

blogupdate10

CODE:

$Tenant="YourAzureADTenantname.onmicrosoft.com"
 $ClientID="YourClientID"
 $ClientSecret="YourClientSecret"
 $Token = Invoke-RestMethod -Uri https://login.microsoftonline.com/$tenant/oauth2/token?api-version=1.0 -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
 $subscriptionid="subscriptionid"
 $SubscriptionURI="https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/policies/default" +'?api-version=2015-06-01-preview'

$ASCPolicy='
 {
 "properties": {
 "logCollection": "On",
 "recommendations": {
 "patch": "On",
 "baseline": "On",
 "antimalware": "On",
 "acls": "On",
 "waf": "Off",
 "ngfw": "Off",
 "sqlAuditing": "On",
 "sqlTde": "On",
 "vulnerabilityAssessment": "On",
 "storageEncryption": "On"
 },
 "securityContactConfiguration": {
 "securityContactEmails": "drewwho@microsoft.com",
 "areNotificationsOn": "true"
 },
 "pricingConfiguration": {
 "selectedPricingTier":"standard"

}
 }'

$params = @{
 ContentType = 'application/json'
 Headers = @{
 'authorization'="Bearer $($Token.access_token)"
 }
 Method = 'put'
 URI = $SubscriptionURI
 Body = $ASCPolicy
 }

Invoke-RestMethod @params


Confirming Policy via get request, CODE (notice method is now ‘get’  and json remove)

blogupdate11

Output:  $request.properties

blogupdate12

Nicely formatted output

blogpostupdate13