Exporting Computers that are not Compliant with Security Baseline Recommendations in Azure Security Center

To enhance your security posture you must ensure that your computers are using the appropriate secure configuration, which may vary according to its role, for example: Web Servers will have a different security baseline compare to File Servers. In Security Center you can see the current security state of your computers by using the Security configurations mismatch (formerly known as Remediate OS vulnerabilities) in Compute’s recommendation, as shown below:

As you can see, these recommendations are based on CCE (Common Configuration Enumeration), and all rules that are tested are documented here. When you select one of those CCE rule, Security Center will open a blade to show the details about this particular rule, as shown below:

If you click the Search button on top of this blade, Security Center opens Log Analytics and automatically search for all computers that are not compliant with this security baseline rule. While this is very cool, the question that I received recently was: how can I export all this list to know which computers are not compliant with these listed rules? The answer is: you can use the following Log Analytics query to export all computers that are not compliant with these rules:

SecurityBaseline | where (BaselineType =~ "WindowsOS" or BaselineType =~ "Linux" or (isempty(BaselineType) and isnotempty(TimeGenerated))) and AnalyzeResult == "Failed" and CceId contains "CCE"

The result of this query will be a table with all computers, and within each line, you can expand and find many more info, including:

SourceSystem: OpsManager

TimeGenerated [UTC]: 2017-12-06T07:19:06.863Z

SubscriptionId: XXXX

ResourceGroup: ascdemorg

ResourceProvider: microsoft.compute

Resource: vm3

ResourceId: XXXX

ResourceType: virtualmachines

ComputerEnvironment: Azure

Computer: vm3

BaselineId: 6ba1ce80-e4e5-4b8a-bc88-257612e72185

BaselineType: WindowsOS

OSName: Windows Server 2012 R2 Datacenter

AssessmentId: XXXX

TimeAnalyzed [UTC]: 2017-12-06T07:18:58.672Z

CceId: CCE-37853-9

RuleSeverity: Informational

BaselineRuleType: Audit Policy

Description: Audit Policy: System: IPsec Driver

RuleSetting: 0cce9213-69ae-11d9-bed3-505054503030

ExpectedResult: Success and Failure

ActualResult: No Auditing

AnalyzeResult: Failed

BaselineRuleId: 107b8424-7ee8-4b6a-a859-b5256aa6596e

Type: SecurityBaseline

While there are lots of information in here, the fields Description, Vulnerability, Potential Impact, and Countermeasure are not available via this search. One way to correlate the CCID with these fields is by using the Security Compliance Manager (SCM), which although was retired this year still have the templates for Windows Server 2012. Here how you can find these fields from the CCID and export to an Excel file:

1. Select the template that you want from the list:

2. Export to Excel
3. Open the Excel file and click Customize Fields button.
4. Select CCE-ID 5.0 and click the >> button
5. Filter for the CCE that you want:

Stay safe!
@yuridiogenes