
Microsoft Defender for Cloud


Welcome to the Microsoft Defender for Cloud (formerly known as Azure Security Center) community repository. This repository contains:

  • Security recommendations that are in private preview
  • Programmatic remediation tools for security recommendations
  • PowerShell scripts for programmatic management
  • Azure Policy custom definitions for at-scale management of Microsoft Defender for Cloud
  • Logic App templates that work with Defender for Cloud's Logic App connectors (to automate response to Security alerts and recommendations)
  • Logic App templates that help you run regular tasks or reports within the scope of Microsoft Defender for Cloud
  • Custom workbooks to visualize Defender for Cloud data

All of the above will help you work programmatically at scale with Microsoft Defender for Cloud and provide additional value for securing your environment, some of which has not yet been embedded into the product. You can submit any questions or requests here.

What's new?

Please find the latest and greatest automations on our What's New Page.

Support

All automations within this repository are provided as is, without SLA or official support. However, if you have an issue please fill out a bug report and reference the automation artifact, so the community can try to solve it.

Wiki

This project has its own Wiki which will provide you with further information about the Microsoft Defender for Cloud community, how to contribute, templates to use, and further resources.

Additional resources

Please visit the following additional resources to learn more about Microsoft Defender for Cloud and participate in discussions:

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

Anyone can contribute to this repo; you don't need to be a pro. Do you have an interesting Logic App, Policy, or other automation artifact? Then fork this repo, add your content to your fork and submit a pull request.

To make sure your contribution aligns with our Contribution Guideline, please make sure to review it before submitting.

Pull Request

  • After you push your changes, you will need to submit the Pull Request (PR).
  • After submission, check the Pull Request for comments.
  • Make changes as suggested and update your branch or explain why no change is needed. Resolve the comment when done.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.


microsoft-defender-for-cloud's Issues

Error in Example

Following the example in your README.md, I am stuck at the following line...

# Apply the mappings and persist to Azure Policy
Update-AzSecurityCenterSecureScoreControlMappings -PolicySetDefinition $policySetDef -ControlMappings $secureScoreMappings -PersistToAzurePolicy

Running this gives the below error:

Unable to find type [Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicySetDefinition].
+         [Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementat ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Azure...cySetDefinition:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Secure score 'ascScore' does not exist in scope 'XXX-XXXX-XXXX-XXXX'

Secure score 'ascScore' does not exist in scope 'XXX-XXXX-XXXX-XXXX' for Logic App - Send-SecureScoreReductionAlert
It currently hits an error at a subscription that is already disabled, under Logic App > HTTP.

{ "Error": { "Code": "ResourceNotFound", "Message": "Secure score 'ascScore' does not exist in scope 'bdba744a-aa0f-4c8a-a882-ff226efab87e'" } }

Overly privileged

Hi,

https://github.com/Azure/Azure-Security-Center/blob/master/Workflow%20automation/Export-ASCDataToEventHub/readme.md#export-asc-data-to-azure-eventhub mentions that users need to be Owners of a subscription in order to assign permissions.
While this is one way, it's overly privileged and encourages bad behaviour (users asking for this set of permissions) where it's not required.

User Access Administrator should be the role users need to ask for.
While it can be argued that once you have access to this particular role you can escalate your privileges from there, I raise the issue on principle: users need to start using the principle of least privilege.

New-ASCVASolution.ps1 script incompatible with PowerShell Az module version 5.x

The script Powershell scripts/Vulnerability Solution/New-ASCVASolution.ps1 is incompatible with the Azure PowerShell Az module version 5 and higher (or module Az.Accounts version 2.2.0 and higher).

A breaking change was introduced in the Az module v5.0.0 that doesn't allow the access token to be retrieved using the Get-AzCachedAccessToken() function. The Az module now has a built-in cmdlet for retrieving the access token: Get-AzAccessToken.

To Reproduce
Steps to reproduce the behavior:

  1. Update to the latest Az or Az.Accounts PowerShell module, using Update-Module -Name Az.
  2. Run the script.

Expected behavior
The script should create a new vulnerability assessment solution in Azure Security Center. Instead, the following error is shown: The Authorization header is missing

Pull Request
I have created PR #293 where I updated the script to make it compatible with the Az module v5 and higher, and Az.Accounts v2.2.0 and higher. Feedback on the PR is highly appreciated.
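The replacement pattern described in this issue, as an added example rather than the repository's own script: the removed Get-AzCachedAccessToken() lookup is replaced by Get-AzAccessToken (Az.Accounts 2.2.0 and later), and the resulting bearer token is used to read a subscription's secure score, treating the "Secure score 'ascScore' does not exist in scope" 404 that disabled subscriptions return as a reportable state instead of a failure. It assumes Connect-AzAccount has already run and the caller has Reader on the subscription; the subscription id is supplied by the caller.

```powershell
# Added example (not the repository's script): Get-AzAccessToken instead of the
# removed token-cache lookup, then a call to the Secure Scores REST API with it.
# Assumes an existing Az session (Connect-AzAccount) with Reader on the subscription.

function Get-ArmAuthHeader {
    [CmdletBinding()]
    param(
        # Audience of the token; Azure Resource Manager hosts the Microsoft.Security RP.
        [string]$ResourceUrl = 'https://management.azure.com/'
    )
    if (-not (Get-Command Get-AzAccessToken -ErrorAction SilentlyContinue)) {
        throw 'Get-AzAccessToken not found: run Update-Module -Name Az (needs Az.Accounts 2.2.0 or later).'
    }
    $tokenInfo = Get-AzAccessToken -ResourceUrl $ResourceUrl
    $token = $tokenInfo.Token
    # Recent Az.Accounts versions hand back a SecureString; older ones return plain text.
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

function Get-AscSecureScore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        # Secure Scores API version; 'ascScore' is the built-in score name.
        [string]$ApiVersion = '2020-01-01'
    )
    $uri = "https://management.azure.com/subscriptions/$SubscriptionId" +
           "/providers/Microsoft.Security/secureScores/ascScore?api-version=$ApiVersion"
    try {
        $r = Invoke-RestMethod -Method Get -Uri $uri -Headers (Get-ArmAuthHeader)
        return [pscustomobject]@{
            SubscriptionId = $SubscriptionId
            Current        = $r.properties.score.current
            Max            = $r.properties.score.max
            Percentage     = $r.properties.score.percentage
            Enabled        = $true
        }
    }
    catch {
        # A subscription with Defender for Cloud disabled answers 404 ResourceNotFound
        # ("Secure score 'ascScore' does not exist in scope ..."): report it, don't abort the run.
        $status = [int]$_.Exception.Response.StatusCode
        if ($status -eq 404) {
            return [pscustomobject]@{
                SubscriptionId = $SubscriptionId; Current = $null; Max = $null
                Percentage = $null; Enabled = $false
            }
        }
        throw
    }
}

# Usage: walk every subscription the session can see; disabled ones come back with Enabled = $false.
# Get-AzSubscription | ForEach-Object { Get-AscSecureScore -SubscriptionId $_.Id }
```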

[Feature request] Create v2 of the ASCQualysDashboard Workbook to include containers assessments

Is your feature request related to a problem? Please describe.
The current ASCQualysDashboard workbook does not include containers assessments from the Qualys VA scan performed on Azure Container Registry images.

Describe the solution you'd like
Currently working on a v2 to include containers assessments - ETA Sept.20

Additional context
Please feel free to suggest further enhancements to the ASCQualysDashboard workbook, I would be glad to incorporate your feedback.

Error in LogicApp at step Append to string variable

Hi @safeenab786, I hit an error at Append to string variable:
InvalidTemplate. Unable to process template language expressions in action 'Append_to_string_variable' inputs at line '1' and column '3354': 'The template language function 'substring' parameters are out of range: 'start index' and 'length' must be non-negative integers and their sum must be no larger than the length of the string. Please see https://aka.ms/logicexpressions#substring for usage details.'.

Originally posted by @famjunxiang in #169 (comment)

Azure Policy installs Qualys extension to the AKS Nodes

Hello,
I created the following Azure Policy for the automatic installation of the Qualys extension to the VMs but it also installs to the AKS nodes. Will it be a problem for the AKS cluster? How can I exclude the AKS nodes in this Policy?

https://github.com/Azure/Azure-Security-Center/tree/master/Remediation%20scripts/Enable%20the%20built-in%20vulnerability%20assessment%20solution%20on%20virtual%20machines%20(powered%20by%20Qualys)/Azure%20Policy

As far as I know, AKS nodes don't support Qualys Vulnerability Assessment extension installation in Security Center.

Script to deploy Log Analytics extension on Azure Arc connected machines

Thanks for the update. Actually I am from Telenor group and we have deployed all our infra on AWS and are integrating with Azure Arc. I am writing a script to enable the Log Analytics extension from the script. I think it is not working properly. It would be great if you can check my script to see if there is a problem with the script or with Azure. Theoretically and practically the script should work fine, and it works fine sometimes, but I am unable to identify the exact problem. Can you help me with this?

On Sun, Dec 13, 2020, 10:02 PM Lior Arviv [email protected] wrote:

Thanks for the feedback. The current version does not support Azure Arc connected machines. I modified the script to include such support and am now testing it. Will upload a new version by the end of tomorrow.



Originally posted by @hassanbsee2071 in #267 (comment)

Cannot find PBI App

I'm trying to install the Secure Score Over Time app in my Power BI service but I cannot find it. I've verified that the setting to install non-AppSource template apps is enabled and scoped to a group and that I'm a member of the group. However, when I search Apps for the app nothing turns up. The link in step 1 doesn't prompt to install an app, but just brings me to my Power BI home page.

Remediate security configurations rules should take account of server role

Some of the rules have expected values that work most of the time but don't work for specific server roles that need exceptions (e.g. when IIS or SQL Server is installed).

Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'
Potential impact: However, if you have installed the Web Server (IIS) Role with Web Services Role Service, you will need to allow the IIS application pool(s) to be granted this User Right Assignment.
EXPECTED VALUE | LOCAL SERVICE, NETWORK SERVICE

'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE, IIS APPPOOL\DefaultAppPool'
POTENTIAL IMPACT | On most computers, this is the default configuration and there will be no negative impact. However, if you have installed the Web Server (IIS) Role with Web Services Role Service, you will need to allow the IIS application pool(s) to be granted this User Right Assignment.
EXPECTED VALUE | Local Service, Network Service, IIS APPPOOL\DefaultAppPool

It would be much better if the rule automatically adjusted the expected value to account for the server role. For example, when IIS is installed the expected value should include all the accounts that IIS requires to be present (app pools, IWAM_ etc). Alternatively, have variants of the same rule for different server roles (e.g. the above rules could have with-IIS and without-IIS variants).

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token#potential-impact

While it might be possible to manually create exemption rules (once this is out of preview) to fix this it's much better if this just worked "out of the box" to reduce noise.

The logic app is unable to trigger

Hi,
I don't see any instructions in the readme file, so I went directly and deployed the template to my test environment. After deploying the whole thing the logic app was unable to run a trigger and when I tried to run it manually I got the below error.

InvalidTemplate. Unable to process template language expressions in action 'Create_or_update_a_template_deployment' inputs at line '1' and column '3033': 'The template language function 'split' expects its first parameter to be of type string. The provided value is of type 'Null'. Please see https://aka.ms/logicexpressions#split for usage details.'.

I am not sure if there is something that I have to do before deploying the template, could you please advise?

Alerts REST API Response Schema CHANGING for no reason

Hello,

While testing the Alerts - List by Resource Group REST API yesterday the JSON response changed between executions. This makes parsing the JSON impossible.

This results in Logic App failures because PARSE JSON action does not work:


Please advise on whether this was intentional or an anomaly.

Thank you

Example:

  • At 6/24/2020 5:40PM PDT, the JSON response from this request https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/alerts?api-version=2019-01-01 is shown below:
{
  "value": [
    {
      "properties": {
        "reportedTimeUtc": "2020-06-24T00:33:05.0257171Z",
        "detectedTimeUtc": "2020-06-23T23:40:37.472Z",
        "alertDisplayName": "Potential malware uploaded to a storage account",
        "alertName": "Storage.Blob_MalwareHashReputation",
        "vendorName": "Microsoft",
        "reportedSeverity": "Medium",
        "associatedResource": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
        "compromisedEntity": "REDACTED",
        "state": "Active",
        "isIncident": false,
        "correlationKey": "RYwSG8FW/l7l/PH4LvZ6RZ3ZeaYtW46exwOTW+4QEG8=",
        "description": "Someone has uploaded potential malware to your Azure Storage account 'REDACTED'.",
        "remediationSteps": "• Remove the malicious blob from your storage account.\r\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\r\n• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\r\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.",
        "actionTaken": "Undefined",
        "subscriptionId": "REDACTED",
        "instanceId": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
        "extendedProperties": {
          "alert Id": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
          "azure AD user": "N/A (Azure AD authentication was not used)",
          "user agent": "Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.10; Linux 5.3.0-59-generic) AZURECLI/2.7.0 (DEB)",
          "client IP address": "REDACTED",
          "client location": "Seattle, United States",
          "authentication type": "Shared access signature (SAS)",
          "investigation steps": "{\"displayValue\":\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
          "operations types": "PutBlob",
          "service type": "Azure Blobs",
          "container": "REDACTED",
          "blob": "eicar_test.txt",
          "malware description": "File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File",
          "detection source": "Team Cymru",
          "mD5 hash": "44D88612FEA8A8F36DE82E1278ABB02F",
          "threat report": "{\"displayValue\":\"View report\",\"kind\":\"Link\",\"value\":\"https:\\/\\/interflowwebportalext.trafficmanager.net\\/reports\\/DisplayReport?callerIdentity=11f6b1d5-4924-41e8-bc4d-011d503247d5&reportCreateDateTime=2020-06-24T00%3a33%3a03&reportName=MSTI-TS-EICAR-File.pdf&tenantId=797d4884-c830-4b7f-a13a-eeb3e6e25ae4&urlCreateDateTime=2020-06-24T00%3a33%3a03&token=REDACTED"}",
          "threat report summary": "The European Institute for Computer Antivirus Research (EICAR)  and the Computer Antivirus Research Organization (CARO)  jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.",
          "potential causes": "This alert indicates that a blob containing potential malware has been uploaded to your storage account.\r\nPotential causes:\r\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\r\n• A legitimate user has unintentionally uploaded a malicious blob.\r\n• A legitimate user is performing tests on the system (e.g. penetration testing).",
          "resourceType": "Storage",
          "killChainIntent": "LateralMovement"
        },
        "workspaceArmId": "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/microsoft.operationalinsights/workspaces/azbisqlalertlogworkspace",
        "confidenceReasons": [],
        "canBeInvestigated": true,
        "entities": [
          {
            "$id": "centralus_1",
            "address": "REDACTED",
            "location": {
              "countryName": "United States",
              "city": "Seattle"
            },
            "type": "ip"
          },
          {
            "$id": "centralus_2",
            "sourceAddress": {
              "$ref": "centralus_1"
            },
            "protocol": "Tcp",
            "type": "network-connection"
          },
          {
            "$id": "centralus_3",
            "resourceId": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
            "type": "azure-resource"
          }
        ]
      },
      "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/locations/centralus/alerts/2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
      "type": "Microsoft.Security/Locations/alerts",
      "name": "2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264"
    }
  ]
}
  • At 6/24/2020 5:58PM PDT (18 minutes later), the JSON response from the same request https://management.azure.com/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/alerts?api-version=2019-01-01 is shown below:
{
  "value": [
    {
      "properties": {
        "detectedTimeUtc": "2020-06-23T23:40:37.472Z",
        "vendorName": "Microsoft",
        "alertDisplayName": "Potential malware uploaded to a storage account",
        "alertName": "Storage.Blob_MalwareHashReputation",
        "description": "Someone has uploaded potential malware to your Azure Storage account 'stgvendorenscodev'.",
        "remediationSteps": "• Remove the malicious blob from your storage account.\r\n• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2075737.\r\n• Revoke all storage access tokens that may be compromised and ensure that your access tokens are only shared with authorized users.\r\n• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email.",
        "actionTaken": "Undefined",
        "reportedSeverity": "Medium",
        "compromisedEntity": "REDACTED",
        "associatedResource": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
        "subscriptionId": "REDACTED",
        "instanceId": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
        "extendedProperties": {
          "alert Id": "ada17f78-31e6-4e32-9cb8-ba6a55379264",
          "azure AD user": "N/A (Azure AD authentication was not used)",
          "user agent": "Azure-Storage/2.0.0-2.0.1 (Python CPython 3.6.10; Linux 5.3.0-59-generic) AZURECLI/2.7.0 (DEB)",
          "client IP address": "REDACTED",
          "client location": "Seattle, United States",
          "authentication type": "Shared access signature (SAS)",
          "investigation steps": "{\"displayValue\":\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
          "operations types": "PutBlob",
          "service type": "Azure Blobs",
          "container": "REDACTED",
          "blob": "eicar_test.txt",
          "malware description": "File was identified as malicious, MalwareFamily = Virus:DOS/EICAR_Test_File",
          "detection source": "Team Cymru",
          "mD5 hash": "44D88612FEA8A8F36DE82E1278ABB02F",
          "threat report": "{\"displayValue\":\"View report\",\"kind\":\"Link\",\"value\":\"https:\\/\\/interflowwebportalext.trafficmanager.net\\/reports\\/DisplayReport?callerIdentity=11f6b1d5-4924-41e8-bc4d-011d503247d5&reportCreateDateTime=2020-06-24T00%3a33%3a03&reportName=MSTI-TS-EICAR-File.pdf&tenantId=797d4884-c830-4b7f-a13a-eeb3e6e25ae4&urlCreateDateTime=2020-06-24T00%3a33%3a03&token=REDACTED"}",
          "threat report summary": "The European Institute for Computer Antivirus Research (EICAR)  and the Computer Antivirus Research Organization (CARO)  jointly developed a standard test file protocol called the “EICAR test file” which allows users to test their antivirus solution. The EICAR file is completely benign; however, when scanned, compliant antivirus solutions report the file in the same way as an actual malicious file. This does not mean that the computer is infected with malware, but rather it shows that the computer’s antivirus is functioning as expected.",
          "potential causes": "This alert indicates that a blob containing potential malware has been uploaded to your storage account.\r\nPotential causes:\r\n• An attacker has gained access to the storage account and has intentionally uploaded a malicious blob.\r\n• A legitimate user has unintentionally uploaded a malicious blob.\r\n• A legitimate user is performing tests on the system (e.g. penetration testing).",
          "resourceType": "Storage",
          "killChainIntent": "LateralMovement"
        },
        "state": "Active",
        "reportedTimeUtc": "2020-06-24T00:33:05.0257171Z",
        "workspaceArmId": "/subscriptions/REDACTED/resourcegroups/REDACTED/providers/microsoft.operationalinsights/workspaces/azbisqlalertlogworkspace",
        "confidenceReasons": [],
        "canBeInvestigated": true,
        "isIncident": false,
        "entities": [
          {
            "$id": "centralus_1",
            "address": "REDACTED",
            "location": {
              "countryName": "United States",
              "city": "Seattle"
            },
            "type": "ip"
          },
          {
            "$id": "centralus_2",
            "sourceAddress": {
              "$ref": "centralus_1"
            },
            "protocol": "Tcp",
            "type": "network-connection"
          },
          {
            "$id": "centralus_3",
            "resourceId": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Storage/storageAccounts/REDACTED",
            "type": "azure-resource"
          }
        ],
        "correlationKey": "RYwSG8FW/l7l/PH4LvZ6RZ3ZeaYtW46exwOTW+4QEG8="
      },
      "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Security/locations/centralus/alerts/2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
      "name": "2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
      "type": "Microsoft.Security/Locations/alerts"
    }
  ]
}

The schema has remained in this format since then.
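The two responses above differ only in the order of their properties. The following added example (not code from the repository or this issue) normalises an alert by property name, resolves the $id/$ref links between entities and decodes the JSON that is nested as a string inside extendedProperties, then checks that both orderings produce the same record. The sample input is a constructed, shortened copy of the alert above, with a documentation-range address (203.0.113.7) standing in for the redacted client IP.

```powershell
# Added example (not code from the repository). Reads Defender for Cloud alerts
# from the Alerts REST API response by property name, so the order in which the
# service lists properties does not matter.
# Constructed sample: a shortened copy of the alert shown in the issue.

$responseA = @'
{"value":[{"properties":{
  "reportedTimeUtc":"2020-06-24T00:33:05.0257171Z",
  "alertName":"Storage.Blob_MalwareHashReputation",
  "reportedSeverity":"Medium",
  "compromisedEntity":"REDACTED",
  "state":"Active",
  "extendedProperties":{
    "blob":"eicar_test.txt",
    "mD5 hash":"44D88612FEA8A8F36DE82E1278ABB02F",
    "investigation steps":"{\"displayValue\":\"View related storage activity\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
    "killChainIntent":"LateralMovement"},
  "entities":[
    {"$id":"centralus_1","address":"203.0.113.7","type":"ip"},
    {"$id":"centralus_2","sourceAddress":{"$ref":"centralus_1"},"protocol":"Tcp","type":"network-connection"}]},
  "name":"2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264"}]}
'@

# The same alert with its properties reordered, as in the second response of the issue.
$responseB = @'
{"value":[{"name":"2518093451625279999_ada17f78-31e6-4e32-9cb8-ba6a55379264",
  "properties":{
  "alertName":"Storage.Blob_MalwareHashReputation",
  "compromisedEntity":"REDACTED",
  "extendedProperties":{
    "killChainIntent":"LateralMovement",
    "investigation steps":"{\"displayValue\":\"View related storage activity\",\"kind\":\"Link\",\"value\":\"https:\\/\\/go.microsoft.com\\/fwlink\\/?linkid=2075734\"}",
    "mD5 hash":"44D88612FEA8A8F36DE82E1278ABB02F",
    "blob":"eicar_test.txt"},
  "entities":[
    {"$id":"centralus_2","sourceAddress":{"$ref":"centralus_1"},"protocol":"Tcp","type":"network-connection"},
    {"$id":"centralus_1","address":"203.0.113.7","type":"ip"}],
  "reportedSeverity":"Medium",
  "state":"Active",
  "reportedTimeUtc":"2020-06-24T00:33:05.0257171Z"}}]}
'@

function Resolve-AlertEntityRef {
    # Entities refer to each other through "$id" / "$ref"; follow one hop.
    param([object[]]$Entities, [string]$Id)
    return $Entities | Where-Object { $_.'$id' -eq $Id } | Select-Object -First 1
}

function ConvertFrom-AscAlert {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object]$Alert)   # one element of the "value" array
    $p   = $Alert.properties
    $ext = $p.extendedProperties

    # Source IP: the network-connection entity points at the ip entity by $ref.
    $sourceIp = $null
    $conn = $p.entities | Where-Object { $_.type -eq 'network-connection' } | Select-Object -First 1
    if ($conn -and $conn.sourceAddress.'$ref') {
        $sourceIp = (Resolve-AlertEntityRef -Entities $p.entities -Id $conn.sourceAddress.'$ref').address
    }

    # "investigation steps" is JSON serialised inside a JSON string: decode it a second time.
    $investigateAt = $null
    if ($ext.'investigation steps') {
        $investigateAt = ($ext.'investigation steps' | ConvertFrom-Json).value
    }

    # Ordered hashtable: the record's own property order is fixed by this code,
    # whatever order the service used.
    return [ordered]@{
        name          = $Alert.name
        alertName     = $p.alertName
        severity      = $p.reportedSeverity
        state         = $p.state
        reportedUtc   = $p.reportedTimeUtc
        entity        = $p.compromisedEntity
        blob          = $ext.blob
        md5           = $ext.'mD5 hash'
        intent        = $ext.killChainIntent
        sourceIp      = $sourceIp
        investigateAt = $investigateAt
    }
}

function Test-SameNormalizedAlerts {
    # True when two raw responses reduce to identical records.
    param([string]$JsonA, [string]$JsonB)
    $a = ($JsonA | ConvertFrom-Json).value | ForEach-Object { ConvertFrom-AscAlert $_ }
    $b = ($JsonB | ConvertFrom-Json).value | ForEach-Object { ConvertFrom-AscAlert $_ }
    return (($a | ConvertTo-Json -Depth 3) -eq ($b | ConvertTo-Json -Depth 3))
}

($responseA | ConvertFrom-Json).value | ForEach-Object { ConvertFrom-AscAlert $_ }
"Both orderings normalise identically: " + (Test-SameNormalizedAlerts -JsonA $responseA -JsonB $responseB)
```

A consumer that reads properties by name, including a Logic App Parse JSON action whose schema lists the property names, behaves the same way: only the set of properties matters, not their order.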

Create policy to update subnet with an NSG if one is not specified

Writing a policy that meets all the requirements in the Microsoft documentation, but I'm still getting errors. The policy will attach an NSG onto a subnet if one does not exist, using the deployIfNotExists effect. It works only if the addressPrefix is hard-coded to the existing subnet's addressPrefix. When I get a reference using the resource Id I get a circular dependency error. When I leave it out of the JSON, I get an error requiring it to not be null or empty, even though the documentation says it is optional to even have an addressPrefix. I'm hoping to get some guidance on going forward. Thanks.

Tried the following policy definition here:

https://github.com/Azure/Azure-Security-Center/blob/master/Remediation%20scripts/Enable%20Network%20Security%20Groups%20on%20subnets/DeployIfNotExists/NSG%20DeployIfNotExists.json

After trying this we are getting the following error:


We checked and it seems that this part was missing:

"mode": "All",
"parameters": {
  "nsgId": {
    "type": "String",
    "metadata": {
      "displayName": "NSG Id",
      "description": "Resource Id of the Network Security Group"
    }
  }
},
"policyRule": {

We added the parameter, with the ResourceId as the policy assignment parameter. I created the VNet in the same region as the default NSG and waited for the deployIfNotExists to run. I got the following error:


Any suggestions? thanks.

Confusing Instructions

Describe the bug
For step 4, connecting to the Log Analytics workspace, the screenshot shows logging in as Anonymous but the text says to use OAuth. Which is correct?

Improve Instructions

Is your feature request related to a problem? Please describe.
I don't understand how to get this workbook added to Azure Monitor. I have never added a workbook for use with ASC and I'm not quite sure what to do. The readme page seems to be missing some steps. Please add some more information to help people like me.

API- Preview version issue while running REST API $ Powershell code to deploy partner vulnerability solution (Qualys))

Describe the bug

Ran the PowerShell code below to call the REST API, defining the parameters subscription ID, Resource Group and vulnerability solution type:

.\New-ASCVASolution.ps1 -subscriptionId 'xxxxxxxxxxxxxxxxxxxxxxxx' -resourceGroupName 'xxxxxxxxxx' -vaSolutionName 'QualysVa001' -vaType 'Qualys' -autoUpdate 'false' -licenseCode '***********' -publicKey ''


Invoke-RestMethod : {"error":{"code":"InvalidResourceType","message":"The resource type could not be found in
the namespace 'Microsoft.Security' for api version '2015-06-01-preview'."}}


SecureScoreWorkbook contains invalid JSON

Describe the bug
SecureScoreWorkbook is unable to open due to invalid JSON.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the newly deployed SecureScoreWorkbook and view the Overview tab.
  2. Click on the 'Open Workbook" button
  3. See error "The workbook content failed to load."

Expected behavior
The workbook should open without errors.


qualys-remediate-unhealthy-vms.ps1 not working

I am running the qualys-remediate-unhealthy-vms.ps1 script but I am facing the issue below. It would be great if you can help us.

Headers : {[Cache-Control, System.String[]], [Pragma, System.String[]], [x-ms-failure-cause, System.String[]], [x-ms-request-id,
System.String[]]…}
Version : 1.1
StatusCode : 400
Method : GET
Content : {"error":{"code":"NoRegisteredProviderFound","message":"No registered resource provider found for location 'westeurope' and API
version '2019-12-01' for type 'machines'. The supported api-versions are '2019-03-18-preview, 2019-08-02-preview, 2019-12-12,
2020-03-11-preview, 2020-07-30-preview, 2020-08-02, 2020-08-15-preview'. The supported locations are 'westcentralus, westus2,
westeurope, southeastasia, eastus, australiaeast, southcentralus, eastus2, northeurope, uksouth'."}}

creating a correction

I have not understood the bug myself. Can someone enlighten me about the bug and its adverse effects?

Subscription Management

README.md suggests

  1. Logging into your tenant - suggested global admin to get full tenant/all subscription information

I think it would be better if this suggested some least-privileged RBAC role.

Programmatically enable Security Center with Rest API?

This documentation states that "The Free tier is enabled on all your Azure subscriptions once you visit the Azure Security Center dashboard in the Azure portal for the first time, or if enabled programmatically via API" but it does not go into detail on how to do so.

I've examined the Rest API documentation for security center but cannot find anything that relates to enabling it, only configuring one that is already enabled.

In the navigation pane to the left in the above documentation there's a sub page about automating on-boarding using Powershell in which this code is given:
Set-AzContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c"
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

Is this the correct way of enabling the free version of Security Center without visiting the associated blade in the Portal? And if so, I'm assuming the az cli or Azure Rest API supports the same and it's not PowerShell-specific functionality?

Exclude VMs or Resource Groups from ASC

Request to have an exclusion policy for ASC to prevent auto-provisioning of VMs or defined RGs. This would also be great to be defined based on specific tags (i.e. no-ASC, custom tag).

Running VMs with 3rd party custom software that I would like to be included from agents being installed.

Getting Multiple Subscriptions

A former co-worker created the Get-SecureScoreData Logic App for my company and scoped it to a single subscription. I now need to modify this Logic App to include other subscriptions (same tenant) and I'm not sure how to do it. The instructions mention that this can be done in the parameters, but when viewing the app in Logic App designer, the parameters appear to be empty so I'm not sure where to add other subscriptions. Hoping for a bit of direction on how I should be doing this.


Unable to create Workflow Automation: eventSourceVersionFrom error

When trying to create a Workflow Automation linked to an Azure Logic App, I receive the following error after clicking "Create".

Failure creating workflow automation

The json value of eventSourceVersionFrom failed validation with reason: EventSourceVersionFrom : value is not a correctly
formatter version! (sic), error tracking number: 6ca7195b-55b0-4d65-ad48-ac0b20b6cd5b

What is the cause of this and how do I get around it?

Thank you


Get-SecureScoreData Error

I have deployed Get-SecureScoreData since mid-July, with the managed identity assigned the Reader role at the root management group, which is the preferred method.
https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score/Get-SecureScoreData

It was running well, but recently (not sure what changed in the API on the Microsoft end) the Logic App has failed to run since 23 August 2020. It hits an error when getting the secure score from a disabled subscription.

{
"statusCode": 404,
"headers": {
"Pragma": "no-cache",
"x-ms-ratelimit-remaining-subscription-resource-requests": "749",
"x-ms-request-id": "XXXX",
"x-ms-correlation-request-id": "XXXX",
"x-ms-routing-request-id": "XXXX",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"Cache-Control": "no-cache",
"Date": "Thu, 27 Aug 2020 00:46:06 GMT",
"Content-Length": "136",
"Content-Type": "application/json",
"Expires": "-1"
},
"body": {
"Error": {
"Code": "ResourceNotFound",
"Message": "Secure score 'ascScore' does not exist in scope 'XXXX"
}
}
}
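The 404 above comes from a subscription that is no longer enabled. One way to make a collection loop robust to that, as an added Python example that is not part of the Get-SecureScoreData Logic App (the subscription list and the fetch function are constructed stand-ins for the ARM subscription list and the secure score HTTP action):

```python
"""Collect secure scores across subscriptions while tolerating the two
cases that break a single-subscription loop: subscriptions whose state is
not Enabled, and a ResourceNotFound (404) from the secure score call."""
import json

# Constructed sample in the shape of the ARM subscription list
# (GET /subscriptions); the ids are placeholders, not real subscriptions.
SUBSCRIPTIONS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "state": "Enabled"},
    {"subscriptionId": "22222222-2222-2222-2222-222222222222", "state": "Disabled"},
    {"subscriptionId": "33333333-3333-3333-3333-333333333333", "state": "Enabled"},
]


def fake_fetch_secure_score(subscription_id):
    """Constructed stand-in for the secure score HTTP action.

    Returns (status_code, body). The third subscription answers with the
    404 body quoted in the issue, the others with a plausible score."""
    if subscription_id.startswith("3"):
        return 404, {"Error": {"Code": "ResourceNotFound",
                               "Message": "Secure score 'ascScore' does not exist in scope ..."}}
    return 200, {"properties": {"score": {"current": 42, "max": 60}}}


def collect_secure_scores(subscriptions, fetch=fake_fetch_secure_score):
    """Return ({subscriptionId: score}, [(subscriptionId, reason), ...]).

    Subscriptions whose state is not Enabled are never queried; a 404 whose
    code is ResourceNotFound is recorded as skipped instead of failing the
    whole run. Any other non-200 answer is still raised, so real outages
    are not silently swallowed."""
    scores, skipped = {}, []
    for sub in subscriptions:
        sub_id = sub["subscriptionId"]
        state = sub.get("state", "Unknown")
        if state != "Enabled":
            skipped.append((sub_id, f"state={state}"))
            continue
        status, body = fetch(sub_id)
        if status == 404 and body.get("Error", {}).get("Code") == "ResourceNotFound":
            skipped.append((sub_id, "ResourceNotFound"))
            continue
        if status != 200:
            raise RuntimeError(f"{sub_id}: HTTP {status}: {json.dumps(body)}")
        scores[sub_id] = body["properties"]["score"]
    return scores, skipped


if __name__ == "__main__":
    found, missed = collect_secure_scores(SUBSCRIPTIONS)
    print(json.dumps({"scores": found, "skipped": missed}, indent=2))
```

The skipped list is worth writing to the run's output rather than dropping: a subscription that silently disappears from a secure score report is itself something an owner should notice.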

The deployed workbook fails to load with Json error.

The deployed workbook fails to load with below error.

The workbook content failed to load.

The saved version of this workbook may be invalid or corrupt. You may be able to manually fix the content below to recover this workbook.

The error was:
SyntaxError: Unexpected token v in JSON at position 3

Please correct the JSON and use 'Apply' to try again.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the resource group
  2. Click on the deployed workbook
  3. Then click on open workbook
  4. See error

Expected behavior
The workbook should show the secure score data

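To find which byte breaks a saved workbook's JSON before re-applying it, an added Python example (not part of the repository's workbook templates; the sample content is constructed, and the resource layout assumes a Microsoft.Insights/workbooks resource whose properties.serializedData holds the workbook JSON as a string):

```python
"""Pinpoint the parse failure in a workbook's serialized content and
check that the content is stored as a JSON-encoded string at all."""
import json


def locate_json_error(text, context=12):
    """Parse `text`; return None if it is valid JSON, otherwise a dict with
    the parser's message, offset, line/column and a window of text around
    the offending position (the browser's "position N" is the same offset)."""
    try:
        json.loads(text)
        return None
    except json.JSONDecodeError as exc:
        start = max(0, exc.pos - context)
        return {
            "message": exc.msg,
            "pos": exc.pos,
            "line": exc.lineno,
            "column": exc.colno,
            "snippet": text[start:exc.pos + context],
        }


def validate_workbook_resource(resource):
    """For a workbook ARM resource (assumed Microsoft.Insights/workbooks),
    properties.serializedData must be a string that itself parses as JSON;
    an object or template expression stored there loads as garbage."""
    data = resource.get("properties", {}).get("serializedData")
    if not isinstance(data, str):
        return {"message": "serializedData must be a JSON-encoded string",
                "pos": None, "line": None, "column": None, "snippet": repr(data)[:40]}
    return locate_json_error(data)


# Constructed samples: a minimal valid workbook body, and a string that is
# not JSON (one way non-JSON text can end up saved as workbook content).
VALID_CONTENT = json.dumps({"version": "Notebook/1.0", "items": []})
BROKEN_CONTENT = "[variables('workbookContent')]"

if __name__ == "__main__":
    print(validate_workbook_resource({"properties": {"serializedData": VALID_CONTENT}}))
    print(validate_workbook_resource({"properties": {"serializedData": BROKEN_CONTENT}}))
```

Run it against the exported resource JSON before redeploying; the snippet shows the characters around the offset the portal reports.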

Vulnerabilities in security configuration on your machines should be remediated : resource group exclusion do not apply

Describe the bug
VMs in an excluded resource group are reported in security configuration vulnerabilities.

To Reproduce

  • Set resource group exclusion on security policy
  • Create a VM with a security issue (like SMB v1 enabled for Samba) in the excluded resource group

Expected behavior
Do not report security issues for VM in excluded resource group.

Screenshots
All VMs below are a Databricks cluster in an excluded resource group.


Vulnerability Assessment extension installation skip turned off VMs

Hello,

I have used the following link for implementing automatic Vulnerability Assessment installation.
https://github.com/Azure/Azure-Security-Center/tree/master/Remediation%20scripts/Enable%20the%20built-in%20vulnerability%20assessment%20solution%20on%20virtual%20machines/Logic%20App
Could you add a "skip turned-off VMs" feature to the mentioned Logic App actions? The Logic App's status shows as Failed if it detects that a VM is turned off.

Azure Security Center - recommendation for Monitoring Agent

Hi,

I have a question more than an issue. I've got an AKS cluster with VMSS and oms_agent enabled. However, Security Center still recommends enabling MicrosoftMonitoringAgent on the VMSS itself. Is it a valid recommendation? Do these two agents not overlap? I do not want to log the same things twice.

Add affected package property for Container Vulnerability Assessment

Is your feature request related to a problem? Please describe.
I am looking to add the affected package as a property to the data returned from ARG.
For example:

{
    "description": "Debian has released security update for systemd to fix the vulnerabilities.<P>",
    "displayName": "Debian Security Update for systemd",
    "resourceDetails": {
        "source": "Azure",
        "id": "/repositories/myrepo/manyvuln/images/sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
    },
    "additionalData": {
        "assessedResourceType": "ContainerRegistryVulnerability",
        "vendorReferences": [
            {
                "title": "CVE-2018-1049",
                "link": "https://security-tracker.debian.org/tracker/CVE-2018-1049"
            },
            {
                "title": "CVE-2018-15686",
                "link": "https://security-tracker.debian.org/tracker/CVE-2018-15686"
            }
        ],
        "publishedTime": "2019-05-06T10:54:00.0000000Z",
        "patchable": true,
        "type": "Vulnerability",
        "cvss": {
            "2.0": {
                "base": 10
            },
            "3.0": {
                "base": 9.8
            }
        },
        "cve": [
            {
                "title": "CVE-2018-1049",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1049"
            },
            {
                "title": "CVE-2018-15686",
                "link": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15686"
            }
        ],
        "repositoryName": "myrepo/manyvuln",
        "registryHost": "myregistry.azurecr.io",
        "imageDigest": "sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
    },
    "status": {
        "severity": "High",
        "code": "Unhealthy"
    },
    "timeGenerated": "2020-10-17T07:35:03.4900000Z",
    "remediation": "Refer to <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">Debian 9 - CVE-2018-15686</A> and <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-1049\" TARGET=\"_blank\">Debian 9 - CVE-2018-1049</A> to address this issue and obtain further details.\n<P>Patch:<BR>\nFollowing are links for downloading patches to fix the vulnerabilities:\n<P> <A HREF=\"https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-15686: Debian</A><P> <A HREF=\"https://security-tracker.debian.org/tracker/https://security-tracker.debian.org/tracker/CVE-2018-15686\" TARGET=\"_blank\">CVE-2018-1049: Debian</A>",
    "category": "Debian",
    "id": "176875",
    "impact": "This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability."
}

The findings are on the systemd package; it is noted in the description field, however there is no field in the properties where this information is available.

Normally, the information includes the vulnerable package name and vulnerable package version.

Describe the solution you'd like
For this query

securityresources
| where type == "microsoft.security/assessments"
//| where properties.displayName contains "Vulnerabilities in Azure Container Registry images should be remediated"
| summarize by assessmentKey=name //the ID of the assessment
| join kind=inner (
    securityresources
    | where type == "microsoft.security/assessments/subassessments"
    | extend assessmentKey = extract(".*assessments/(.+?)/.*",1,  id)
) on assessmentKey
| project assessmentKey, subassessmentKey=name, id, parse_json(properties), resourceGroup, subscriptionId, tenantId
| where properties.additionalData.imageDigest == "sha256:4343f035d365cc3968f4276e712dbb42908de6f5538611668b03b7b69c142593"
| extend description = properties.description,
         displayName = properties.displayName,
         resourceId = properties.resourceDetails.id,
         resourceSource = properties.resourceDetails.source,
         category = properties.category,
         severity = properties.status.severity,
         code = properties.status.code,
         timeGenerated = properties.timeGenerated,
         remediation = properties.remediation,
         impact = properties.impact,
         vulnId = properties.id,
         additionalData = properties.additionalData,
         repositoryName = properties.additionalData.repositoryName,
         imageDigest = properties.additionalData.imageDigest

Describe alternatives you've considered
It appears that information is not available presently based on #64

Additional context
Here's an example: https://docs.aws.amazon.com/cli/latest/reference/ecr/describe-image-scan-findings.html
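Until the affected package is exposed as a property, it has to be recovered from the vendor's free text. The following added Python example (not the project's code and not an official parsing rule) applies that heuristic to a constructed excerpt of the sub-assessment above; the regular expressions are an assumption about how findings are titled, so a finding that does not match yields None rather than a guess:

```python
"""Post-process ARG container vulnerability sub-assessments into flat rows
that carry a best-effort affected-package name next to the CVE list."""
import re

# Constructed excerpt of the ARG sub-assessment quoted in this issue.
FINDING = {
    "displayName": "Debian Security Update for systemd",
    "description": "Debian has released security update for systemd to fix the vulnerabilities.<P>",
    "category": "Debian",
    "status": {"severity": "High", "code": "Unhealthy"},
    "additionalData": {
        "cve": [{"title": "CVE-2018-1049"}, {"title": "CVE-2018-15686"}],
        "repositoryName": "myrepo/manyvuln",
        "registryHost": "myregistry.azurecr.io",
        "patchable": True,
    },
}

# Heuristics over the vendor's naming. The first covers the
# "<Distro> Security Update for <pkg>" form seen in this issue; the second
# is an assumed alternative phrasing. Neither is a documented contract.
PACKAGE_PATTERNS = [
    re.compile(r"\bSecurity Update for ([A-Za-z0-9][A-Za-z0-9._+-]*)", re.IGNORECASE),
    re.compile(r"\bin ([A-Za-z0-9][A-Za-z0-9._+-]*) package\b", re.IGNORECASE),
]


def guess_affected_package(finding):
    """Return the package name found in displayName or description, or None."""
    for text in (finding.get("displayName", ""), finding.get("description", "")):
        for pattern in PACKAGE_PATTERNS:
            match = pattern.search(text)
            if match:
                return match.group(1)
    return None


def flatten_finding(finding):
    """One report row per sub-assessment: image, guessed package, CVEs, severity."""
    extra = finding.get("additionalData", {})
    return {
        "image": f"{extra.get('registryHost', '')}/{extra.get('repositoryName', '')}",
        "package": guess_affected_package(finding),
        "cves": sorted(cve["title"] for cve in extra.get("cve", [])),
        "severity": finding.get("status", {}).get("severity"),
        "patchable": extra.get("patchable"),
    }


if __name__ == "__main__":
    print(flatten_finding(FINDING))
```

Because the package is guessed from prose, rows with package None should be kept and reviewed, not filtered out; a missing name is a data gap, not a clean image.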

problem cloning repo on mac

By default Macs use a case-insensitive file system that tries to hide as a case-sensitive FS... but you can't have two files in the same directory with the same set of letters/etc (e.g. "Foo" and "foo"). When cloning this repo it shows two files that collide: Set-BlockVMMAnagementPorts.ps1 and Set-BlockVMManagementPorts.ps1 (...MMA... vs ...MMa...). They look like they could be the same file, just checked in twice with nearly identical names.

$ git clone https://github.com/Azure/Azure-Security-Center
cloning https://github.com/Azure/Azure-Security-Center to Azure-Security-Center

Cloning into 'Azure-Security-Center'...
remote: Enumerating objects: 214, done.
remote: Counting objects: 100% (214/214), done.
remote: Compressing objects: 100% (179/179), done.
remote: Total 4036 (delta 95), reused 94 (delta 27), pack-reused 3822
Receiving objects: 100% (4036/4036), 7.08 MiB | 3.59 MiB/s, done.
Resolving deltas: 100% (2201/2201), done.
warning: the following paths have collided (e.g. case-sensitive paths
on a case-insensitive filesystem) and only one from the same
colliding group is in the working tree:

  'Remediation scripts/Access to management ports on your Virtual Machines should be restricted/PowerShell/Set-BlockVMMAnagementPorts.ps1'
  'Remediation scripts/Access to management ports on your Virtual Machines should be restricted/PowerShell/Set-BlockVMManagementPorts.ps1'
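A check that finds such collisions from the index rather than the working tree, as an added Python example that is not part of the repository (the sample path list is constructed from the warning above; git_tracked_paths reads the real index through git ls-files, which still lists both names even when the checkout could only materialize one):

```python
"""Report groups of tracked paths that differ only by letter case."""
import subprocess
from collections import defaultdict

# Constructed sample: the two colliding paths from the clone warning plus
# one path that does not collide with anything.
SAMPLE_PATHS = [
    "Remediation scripts/Access to management ports on your Virtual Machines should be restricted/PowerShell/Set-BlockVMMAnagementPorts.ps1",
    "Remediation scripts/Access to management ports on your Virtual Machines should be restricted/PowerShell/Set-BlockVMManagementPorts.ps1",
    "README.md",
]


def find_case_collisions(paths):
    """Group paths by their case-folded form; return every group with more
    than one member, each group sorted, groups sorted, for stable output."""
    groups = defaultdict(list)
    for path in paths:
        groups[path.casefold()].append(path)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)


def git_tracked_paths(repo="."):
    """Paths tracked in the index of `repo`, NUL-separated so odd file
    names survive; works on a case-insensitive checkout because the index
    keeps both entries of a colliding pair."""
    out = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]


if __name__ == "__main__":
    for group in find_case_collisions(SAMPLE_PATHS):
        print("collision:", *group, sep="\n  ")
```

Running find_case_collisions(git_tracked_paths()) in CI on a case-sensitive runner catches a second copy before it is merged; on a Mac the same call still works because it never touches the working tree.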

[Feature request] Block IP addresses in NSG as response to a brute-force attack

Is your feature request related to a problem? Please describe.
Currently, ASC creates security alerts when a failed or successful brute-force attack is found, but there is no built-in automation available to react to this threat.

Describe the solution you'd like
A Logic App playbook that reacts to the "When an Azure Security Center Alert is created" trigger and creates a security rule in the NSG attached to the VM to deny inbound traffic from the IP address(es) attached to the alert (which appear in the 'entities' field of the alert).

Describe alternatives you've considered
Alternatives would be to manually react on the alert and block the IP address(es) in the NSG.

Additional context
-none-
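A sketch of the decision logic such a playbook needs before it touches an NSG, as an added Python example rather than code from this repository: it reads the alert's 'entities' (the shape, type "ip" with an address field, is an assumption, and the sample entities are constructed), drops duplicates, malformed values and non-routable or operator-allowlisted addresses so the automation cannot lock administrators out, and emits a single inbound Deny rule at the next free priority (NSG rules use priorities 100-4096):

```python
"""Turn the IP entities of an alert into one auditable NSG deny rule."""
import ipaddress

# Constructed alert entities; the field names are an assumption about the
# alert payload, not taken from product documentation.
ENTITIES = [
    {"$id": "1", "type": "ip", "address": "203.0.113.7"},
    {"$id": "2", "type": "ip", "address": "203.0.113.7"},   # repeated entity
    {"$id": "3", "type": "ip", "address": "10.0.0.5"},      # RFC 1918: never block
    {"$id": "4", "type": "ip", "address": "not-an-ip"},     # malformed: skipped
    {"$id": "5", "type": "host", "hostName": "vm01"},       # not an IP entity
]

# Ranges an inbound rule should never be generated for: blocking these
# either does nothing useful or cuts off your own management path.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def blockable_ips(entities, never_block=()):
    """Public, well-formed, de-duplicated addresses from the alert entities.
    `never_block` holds the operator's own ranges (bastion, VPN egress,
    monitoring probes) as CIDR strings; anything inside them is dropped."""
    protected = NON_ROUTABLE + [ipaddress.ip_network(n) for n in never_block]
    seen, result = set(), []
    for entity in entities:
        if entity.get("type") != "ip":
            continue
        try:
            addr = ipaddress.ip_address(entity.get("address", ""))
        except ValueError:
            continue  # malformed address: log it upstream, never guess
        if addr in seen or any(addr in net for net in protected):
            continue
        seen.add(addr)
        result.append(str(addr))
    return result


def next_free_priority(existing, start=100, stop=4096):
    """Lowest unused NSG rule priority in [start, stop]."""
    used = set(existing)
    for priority in range(start, stop + 1):
        if priority not in used:
            return priority
    raise ValueError("no free NSG priority left")


def build_deny_rule(ips, existing_priorities, alert_id="placeholder-alert-id"):
    """One inbound Deny rule listing every address in sourceAddressPrefixes,
    named after the alert so it can be reviewed and expired later.
    Returns None when there is nothing safe to block."""
    if not ips:
        return None
    return {
        "name": f"asc-block-{alert_id}",
        "properties": {
            "description": f"Auto-block from Security Center alert {alert_id}",
            "direction": "Inbound",
            "access": "Deny",
            "priority": next_free_priority(existing_priorities),
            "protocol": "*",
            "sourcePortRange": "*",
            "destinationPortRange": "*",
            "sourceAddressPrefixes": ips,
            "destinationAddressPrefix": "*",
        },
    }


if __name__ == "__main__":
    print(build_deny_rule(blockable_ips(ENTITIES), existing_priorities=[100, 101, 300]))
```

Two operational points the rule body does not enforce by itself: the existing priorities must be read from the live NSG at run time, and rules created this way should carry an expiry (the alert id in the name makes that cleanup query trivial) so the NSG does not accumulate stale entries.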

Location in REST api call is hard coded and threw an error when trying to execute

https://github.com/Azure/Azure-Security-Center/blob/5b2600f6069e89af964412f168dae3d610ebde49/Powershell%20scripts/Vulnerability%20Solution/New-ASCVASolution.ps1#L127

The security location is hard-coded on line 127. I ran into the error below. I updated the line to use $loc instead of centralus, which corrected the error message, and the security solution was successfully deployed.

/providers/Microsoft.Security/locations/centralus/securitySolutions/

{"error":{"code":"GeneralError","message":"Location in the request is invalid. Please make a call to cus.rp.solutions.security.azure.com/subscriptions/3c3d7189-0943-47c3-b053-11aaeaa605ea/providers/Microsoft.Security/locations in order to get the correct location, and then repeat the call with the location returned to you in the response, as the "locations" parameter in the URI"}}}

Repository description has a typo

Hi,

I think nobody has noticed so far but the repository description has a typo.

"Welocme to the Azure Security Center community repository"

Regards,
Ricardo Cabral

deployment failing on workspace asclab-la-y3wfs4anr2gxe

I keep getting this error:
{
"status": "Failed",
"error": {
"code": "Conflict",
"target": "name",
"message": "The workspace name 'asclab-la-y3wfs4anr2gxe' is not unique"
}
}
I have gone through my entire subscription and I can't find this resource, even after I deleted the RGs and started over.
Looking for guidance on how to get around this error.
Thanks

Allowed container images regex field, examples and syntax validation required.

Describe the bug
Allowed container images regex field, examples and syntax validation required.
The help for this field shows
"The RegEx rule used to match allowed container images in a Kubernetes cluster. For example, to allow any Azure Container Registry image by matching partial path: ^.+azurecr.io/.+$"
but it does not cover the right syntax for multiple items. What would be a good example for multiple items, and which separator should be used?

To Reproduce
Steps to reproduce the behavior:
  1. From the Azure portal, search for Security Center
  2. From the left column, click on Security policy
  3. Select the subscription
  4. Click on the View effective policy button
  5. From the top of the next page, select ASC default.... the policy with hyperlinked text.
  6. On the next screen, select Parameters.

Expected behavior
A clear and concise description of the syntax, a validation check for the syntax that explains the format expected to be entered in the field.

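Because the parameter is a single regular expression, several registries are expressed by alternation inside that one pattern rather than by a separator. The added Python example below (not the project's code; registry names are placeholders, and it assumes the policy engine evaluates ordinary regex alternation and escaping as Python's re does) builds such a pattern and contrasts it with the help text's example, which leaves the dot unescaped and lets any host ending in azurecr.io pass:

```python
"""Build a multi-registry allowed-images regex and compare it with the
loose example from the policy's help text."""
import re

# The help text's example, as quoted in this issue.
HELP_TEXT_PATTERN = r"^.+azurecr.io/.+$"

# Constructed placeholders for the registries an organisation trusts.
ALLOWED_REGISTRIES = ["myregistry.azurecr.io", "mcr.microsoft.com"]

# Constructed image references with the verdict a reviewer would expect.
IMAGES = {
    "myregistry.azurecr.io/app:1.2": True,
    "mcr.microsoft.com/dotnet/runtime:6.0": True,
    "docker.io/library/nginx:latest": False,
    "evil-azurecr.io/app:1.2": False,            # merely ends in azurecr.io
    "attacker.example/azurecrXio/app:1": False,  # unescaped '.' matches the X
}


def build_allowed_images_regex(registry_hosts):
    """One anchored regex admitting several registries: each host is
    escaped so '.' is literal, and the alternation must be followed by '/'
    and a repository path, so a lookalike host cannot slip in."""
    hosts = "|".join(re.escape(host) for host in registry_hosts)
    return rf"^({hosts})/.+$"


def is_allowed(image, pattern):
    """True when the image reference matches the allow pattern."""
    return re.match(pattern, image) is not None


def evaluate(pattern, images=IMAGES):
    """Map each image to the verdict `pattern` gives it."""
    return {image: is_allowed(image, pattern) for image in images}


if __name__ == "__main__":
    for label, pattern in (("help text", HELP_TEXT_PATTERN),
                           ("hardened", build_allowed_images_regex(ALLOWED_REGISTRIES))):
        print(label, pattern)
        for image, verdict in evaluate(pattern).items():
            print(f"  {'allow' if verdict else 'deny ':5} {image}")
```

The comparison shows why the syntax question matters: the help text's pattern admits two of the three images that should be denied, while the escaped, anchored alternation returns exactly the expected verdicts. Matching on registry host still says nothing about image content; combine it with digest pinning or signature checks where those are available.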
