Drew Robinson's Blog

Azure, Powershell and Security things

Accessing Azure Security Center API with Powershell Invoke-RestMethod

The following lets you read, monitor and change your Azure Security Center (ASC) settings from PowerShell; the same API also lets you review alerts and recommendations.

You will first need to provision a service principal (an Azure AD application with a key) that can access your Azure subscription through the Azure Service Management / Resource Manager API.

Decide how much API access you need: read (I just want to view ASC status or ASC policy) or contribute (I want to be able to change/update ASC policy). Grant the principal only the lower of the two roles that covers what you plan to do.

Save the following: application name, client ID, client secret (key). Note: the key cannot be retrieved later, so save it at the time of creation, and keep it in a secret store rather than in the script itself.

Plan how you will use the ASC API: https://msdn.microsoft.com/en-us/library/mt704039.aspx

The Microsoft.Security resource types exposed by the API are listed on that page (for example security statuses and policies, both used below).

For example, we are interested in Azure Security Status: https://msdn.microsoft.com/en-us/library/mt704041.aspx

We will use the following: https://<endpoint>/subscriptions/{subscriptionId}/providers/microsoft.Security/securityStatuses?api-version={api-version}

CODE:

$Tenant = "YourAzureADTenantname.onmicrosoft.com"
$ClientID = "YourClientID"
$ClientSecret = "YourClientSecret"   # load from a secret store in real use; never commit it
$Token = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
$SubscriptionID = "Your Azure Subscription ID"
$SubscriptionURI = "https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/securityStatuses" + '?api-version=2015-06-01-preview'
$params = @{
    ContentType = 'application/json'
    Headers = @{
        'authorization' = "Bearer $($Token.access_token)"
    }
    Method = 'get'
    URI = $SubscriptionURI
}

# Splat the hashtable under the same name it was created with ($params, not $param)
$Request = Invoke-RestMethod @params

Inspect the returned collection via $Request.value: one entry per resource, each with a properties object holding the ASC scanner data.

Select the first entry [0] and list its ASC properties with $Request.value[0].properties.

Outputting two ASC properties from entry 0:

$Request.value[0].properties.antimalwarescannerdata
$Request.value[0].properties.patchscannerdata

Setting ASC policy via the API.

Reference: https://msdn.microsoft.com/en-us/library/mt704062.aspx

First read the current default policy. CODE: (notice the URL now ends in policies/default)

$Tenant = "YourAzureADTenantname.onmicrosoft.com"
$ClientID = "YourClientID"
$ClientSecret = "YourClientSecret"
$Token = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
$SubscriptionID = "Your Azure Subscription ID"
$SubscriptionURI = "https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/policies/default" + '?api-version=2015-06-01-preview'

$params = @{
    ContentType = 'application/json'
    Headers = @{
        'authorization' = "Bearer $($Token.access_token)"
    }
    Method = 'get'
    URI = $SubscriptionURI
}

$Request = Invoke-RestMethod @params

Show the current settings via $Request.properties. In this subscription they were:

  • all recommendations
  • no email notification
  • free tier

To set ASC policy, we create the following JSON body for a PUT request (here turning on email notification and the standard pricing tier, and switching off the WAF and NGFW recommendations):

{
  "properties": {
    "logCollection": "On",
    "recommendations": {
      "patch": "On",
      "baseline": "On",
      "antimalware": "On",
      "acls": "On",
      "waf": "Off",
      "ngfw": "Off",
      "sqlAuditing": "On",
      "sqlTde": "On",
      "vulnerabilityAssessment": "On",
      "storageEncryption": "On"
    },
    "securityContactConfiguration": {
      "securityContactEmails": "anrobin@microsoft.com",
      "areNotificationsOn": "true"
    },
    "pricingConfiguration": {
      "selectedPricingTier": "standard"
    }
  }
}

CODE:

$Tenant = "YourAzureADTenantname.onmicrosoft.com"
$ClientID = "YourClientID"
$ClientSecret = "YourClientSecret"
$Token = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = $ClientID; "client_secret" = $ClientSecret}
$SubscriptionID = "Your Azure Subscription ID"
$SubscriptionURI = "https://management.azure.com/subscriptions/$SubscriptionID/providers/microsoft.Security/policies/default" + '?api-version=2015-06-01-preview'

# JSON body for the PUT. Use straight double quotes only; curly quotes (as pasted from a
# word processor) make the body invalid JSON and the request is rejected.
$ASCPolicy = '
{
  "properties": {
    "logCollection": "On",
    "recommendations": {
      "patch": "On",
      "baseline": "On",
      "antimalware": "On",
      "acls": "On",
      "waf": "Off",
      "ngfw": "Off",
      "sqlAuditing": "On",
      "sqlTde": "On",
      "vulnerabilityAssessment": "On",
      "storageEncryption": "On"
    },
    "securityContactConfiguration": {
      "securityContactEmails": "anrobin@microsoft.com",
      "areNotificationsOn": "true"
    },
    "pricingConfiguration": {
      "selectedPricingTier": "standard"
    }
  }
}'

$params = @{
    ContentType = 'application/json'
    Headers = @{
        'authorization' = "Bearer $($Token.access_token)"
    }
    Method = 'put'
    URI = $SubscriptionURI
    Body = $ASCPolicy
}

Invoke-RestMethod @params


Confirm the policy via a GET request: the same code as the earlier read of policies/default (notice the method is back to 'get' and the JSON body is removed).

Output: $Request.properties

The same output can be pretty-printed, for example with $Request.properties | ConvertTo-Json -Depth 5.
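Putting the steps above together (token acquisition, the securityStatuses read, and the read-modify-write of policies/default followed by the confirming GET) as one PowerShell script. This is an added example, not code from the original post. It assumes the same Azure AD v1 token endpoint and 2015-06-01-preview API the post uses, takes the tenant, client ID, client secret and subscription ID from environment variables (the AZURE_* names are my choice) so the secret is never embedded in the script, and assumes the scanner data objects carry a securityState field, which is not shown on this page.

```powershell
# Added example, not from the original post. Assumptions: Azure AD v1 token endpoint and the
# 2015-06-01-preview ASC API used in the post; credentials come from environment variables
# (names chosen here) so no secret is hard-coded; the 'securityState' field on the scanner
# data objects is assumed and is not shown on this page.

$Tenant         = $env:AZURE_TENANT            # e.g. contoso.onmicrosoft.com
$ClientId       = $env:AZURE_CLIENT_ID
$ClientSecret   = $env:AZURE_CLIENT_SECRET     # from a secret store or CI variable, never source control
$SubscriptionId = $env:AZURE_SUBSCRIPTION_ID
$ApiVersion     = '2015-06-01-preview'
$BaseUri        = "https://management.azure.com/subscriptions/$SubscriptionId/providers/Microsoft.Security"

function Get-AscToken {
    # Client-credentials grant, same endpoint and resource as the post.
    $body = @{
        grant_type    = 'client_credentials'
        resource      = 'https://management.core.windows.net/'
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token?api-version=1.0"
    # expires_on is a Unix timestamp; keep it so callers can refuse to use a stale token.
    [pscustomobject]@{
        AccessToken = $resp.access_token
        ExpiresOn   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$resp.expires_on)
    }
}

function Invoke-AscApi {
    param(
        [Parameter(Mandatory)] $Token,
        [Parameter(Mandatory)] [string] $Path,          # 'securityStatuses' or 'policies/default'
        [ValidateSet('Get', 'Put')] [string] $Method = 'Get',
        $Body                                            # hashtable/object, serialised to JSON
    )
    if ($Token.ExpiresOn -le [DateTimeOffset]::UtcNow.AddMinutes(1)) {
        throw "Access token expired at $($Token.ExpiresOn); call Get-AscToken again"
    }
    $params = @{
        Method      = $Method
        Uri         = "$BaseUri/$($Path)?api-version=$ApiVersion"
        Headers     = @{ Authorization = "Bearer $($Token.AccessToken)" }
        ContentType = 'application/json'
    }
    if ($Body) { $params.Body = $Body | ConvertTo-Json -Depth 10 }
    try {
        Invoke-RestMethod @params
    } catch {
        # ARM puts the reason (e.g. AuthorizationFailed, InvalidRequestContent) in the
        # response body; include it rather than only the HTTP status.
        throw "ASC API $Method $Path failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

function Get-AscUnhealthyResources {
    param([Parameter(Mandatory)] $Token)
    # securityStatuses returns one entry per resource; report those where either scanner the
    # post inspects is not Healthy.
    $statuses = Invoke-AscApi -Token $Token -Path 'securityStatuses'
    foreach ($s in $statuses.value) {
        $am = $s.properties.antimalwareScannerData
        $pt = $s.properties.patchScannerData
        if ($am.securityState -ne 'Healthy' -or $pt.securityState -ne 'Healthy') {
            [pscustomobject]@{ Resource = $s.name; Antimalware = $am.securityState; Patch = $pt.securityState }
        }
    }
}

function Set-AscRecommendations {
    param(
        [Parameter(Mandatory)] $Token,
        [Parameter(Mandatory)] [hashtable] $Recommendations,   # e.g. @{ waf = 'On'; ngfw = 'On' }
        [string] $ContactEmail
    )
    # Read-modify-write: start from the policy as it is now so untouched settings (log
    # collection, pricing tier) are not reset by a hand-written template.
    $current = Invoke-AscApi -Token $Token -Path 'policies/default'
    $desired = $current.properties
    # Assigning to a property the policy does not have raises an error rather than silently adding junk.
    foreach ($k in $Recommendations.Keys) { $desired.recommendations.$k = $Recommendations[$k] }
    if ($ContactEmail) {
        $desired.securityContactConfiguration.securityContactEmails = $ContactEmail
        $desired.securityContactConfiguration.areNotificationsOn    = 'true'
    }
    $null = Invoke-AscApi -Token $Token -Path 'policies/default' -Method Put -Body @{ properties = $desired }

    # Confirm with a fresh GET and fail loudly if the service ignored a value.
    $after = Invoke-AscApi -Token $Token -Path 'policies/default'
    foreach ($k in $Recommendations.Keys) {
        if ($after.properties.recommendations.$k -ne $Recommendations[$k]) {
            throw "Recommendation '$k' is $($after.properties.recommendations.$k), expected $($Recommendations[$k])"
        }
    }
    $after.properties
}

# Usage
$token = Get-AscToken
Get-AscUnhealthyResources -Token $token | Format-Table -AutoSize
Set-AscRecommendations -Token $token -Recommendations @{ waf = 'On'; ngfw = 'On' } | ConvertTo-Json -Depth 5
```

Because the PUT body is built from the policy just read back, settings the caller does not touch keep their current values instead of being overwritten by whatever a pasted template happens to contain, and the final GET is compared against the requested values so a setting the service ignored fails the script rather than going unnoticed.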