Thursday, April 18, 2024

Mashford's Musings

My thoughts and experiences from working within the Microsoft Cloud.

Azure 

Programmatically onboard and manage your subscriptions in Azure Security Center

Anthony Mashford 0 Comments

This post was co-authored by Tiander Turpijn, Senior Program Manager.

Securing your Azure workloads has become easier with the release of Azure Security Center (ASC) official PowerShell Module!

Many organizations are looking to automate more tasks, as manual work is prone to human error and creates a potential for duplicative work. The need for automation is especially prevalent when it comes to large scale deployments that involve dozens of subscriptions with hundreds and thousands of resources – all of which must be secured from the beginning.

To streamline the security aspects of the DevOps lifecycle, ASC has recently released its official PowerShell module. This enables organizations to programmatically automate onboarding and management of their Azure resources in ASC and adding the necessary security controls.

This blog will focus on using PowerShell to onboard ASC. Future blog posts will demonstrate how you can use PowerShell to automate the management of your resources in ASC.

In this example, we will enable Security Center on a subscription with ID: d07c0080-170c-4c24-861d-9c817742786c and apply the recommended settings that provide a high level of protection, by implementing the standard tier of Security Center, which provides advanced threat protection and detection capabilities:

  1. Set the ASC to standard. Learn more about what ASC has to offer in its two tiers: Free and Standard.
  2. Set the Log Analytics workspace to which the Microsoft Monitoring Agent will send data it collects on the VMs associated with the subscription (in our case, an existing user defined workspace, as myWorkspace). To learn more, read data collection in ASC.
  3. Activate Security Center’s automatic agent provisioning which deploys to Microsoft Monitoring Agent.
  4. Set the organization’s CISO as the security contact for ASC alerts and notable events.
  5. Assign Security Center’s default security policies.

Pre-requisites: these steps should be performed prior to running the Security Center cmdlets, to ensure your environment has all pre-requisites and dependencies installed:

  1. Run powershell as admin
  2. Install-Module -Name PowerShellGet -Force
  3. Set-ExecutionPolicy -ExecutionPolicy AllSigned
  4. Import-Module PowerShellGet
  5. Install-Module -Name AzureRM.profile -RequiredVersion 5.5.0
  6. Restart powershell
  7. Install-Module -Name AzureRM.Security -AllowPrerelease –Force

a. Register your subscriptions to the Security Center Resource Provider

Set-AzureRmContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c”
Register-AzureRmResourceProvider -ProviderNamespace ‘Microsoft.Security’

b. Set the coverage level (pricing tier) of the subscriptions (This is optional. If it’s not defined, the pricing tier will be free.)

​​Set-AzureRmContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c”
Set-AzureRmSecurityPricing -Name "default" -PricingTier "Standard"

c. Configure the workspace to which the agents will report to (This is optional. If it’s not defined, the default workspace will be used.)

Pre-requisite: Create a Log Analytics workspace to which the subscription’s VMs will report to. You can define multiple subscriptions to report to the same workspace.

Set-AzureRmSecurityWorkspaceSetting -Name "default" -Scope "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c" -WorkspaceId "/subscriptions/d07c0080-170c-4c24-861d-9c817742786c/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace"

d. Define automatic provisioning of the Microsoft Monitoring Agent on your Azure VMs (This is optional. If not automatic, the agent can be manually installed.)

Set-AzureRmContext -Subscription "d07c0080-170c-4c24-861d-9c817742786c”
Set-AzureRmSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

e. Define security contact details (optional).

It is highly recommended you define the security contact details for the subscriptions you onboard, as these contacts will be used as the recipients of alerts and notifications generated by Security Center.

Set-AzureRmSecurityContact -Name "default1" -Email "CISO@my-org.com" -Phone "2142754038" -AlertsAdmin -NotifyOnAlert

f. Assign the default Security Center policy initiative

Register-AzureRmResourceProvider -ProviderNamespace 'Microsoft.PolicyInsights'
$Policy = Get-AzureRmPolicySetDefinition -Name ' [Preview]: Enable Monitoring in Azure Security Center'

New-AzureRmPolicyAssignment -Name 'ASC Default <d07c0080-170c-4c24-861d-9c817742786c>' -DisplayName 'Security Center Default <subscription ID>' -PolicySetDefinition $Policy -Scope ‘/subscriptions/d07c0080-170c-4c24-861d-9c817742786c’

You can now use the official PowerShell cmdlets with automation scripts to programmatically iterate on multiple subscriptions/resources, reducing the overhead caused by manually performing these actions, as well as reduce the potential risk of human error resulting from manual actions. For more information, refer to the ASC sample script.

To learn more about how you can use PowerShell to automate onboarding to Security Center, visit our documentation.

Source: Azure Blog Feed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.