Get Azure Overall Secure Score from REST API

5 Min. Read

Azure Security Center has two main goals: the first one is to help you understand your current security situation, and the second one is to help you efficiently and effectively improve your security posture. The central aspect of Azure Security Center that enables you to achieve those goals is the Secure Score.

In this article, I will share with you how to get the overall secure score in Azure Security Center from the REST API.

Introduction

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two mains value proposition:

  1. Cloud Security Posture Management (CSPM) – Help you prevent misconfiguration to strengthen your security posture for all different types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS). CSPM in Security Center is available for free to all Azure users.
  2. Azure Defender / Cloud Workload Protection Platform (CWPP) – Protect against threats for servers whether they are running in Azure, on-premises, or different clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.

Last year, Microsoft Security Team announced that Azure Secure Score API is now available to customers, so you can bring even more innovation to use Azure Secure Score programmatically instead of relying only on the Secure Score UI dashboard. Kudos to the Azure Security Center team behind this great innovation!

At the time of this writing, you can get Azure Secure Score from the REST API by subscription, or by control definitions, or by security controls. All REST APIs for resources in Azure have to have a scope either Subscription, Management Group, or Tenant, however, Microsoft currently only supports subscription scope for Secure Score API.

What about if you want to get the overall secure score for all subscriptions via Rest API?

Get Azure Overall Secure Score from Azure Resource Graph REST API

At the time of this writing, this is not possible yet. However, as a workaround, we could leverage the Azure Resource Graph (ARG) REST API to get secure scores for all subscriptions. In this quick article, I will share with you how to get the overall secure score for Azure Security Center from the Azure Resource Graph (ARG) REST API and from the Azure Resource Graph Explorer.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center Free or Azure Defender enabled. Azure Secure Score is part of the free tier in Azure Security Center.

Azure Resource Graph overview

If you are new to Azure Resource Graph (ARG), ARG provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It’s a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. To learn more about Azure Resource Graph, please check the official documentation from Microsoft here.

Get the overall secure score from REST API

To access the secure score for all subscriptions with Azure Resource Graph (ARG) REST API, take the following steps:

Browse to the following URI: Resources – Resources (Azure Resource Graph REST API) | Microsoft Docs

Then click on >Try it as shown in the figure below:

Azure Resource Graph REST API

Then you need to Sign in and authenticate to your Tenant with your Azure account assuming you have the right permissions.

In the Body section of the REST API Try It, you need to enter the query below by adding the list of all your subscriptions Ids between quotes, i.e. “subscriptionId1”, “subscriptionId2”, “subscriptionId3” as shown in the ‘Code Block’ below.

{
  "subscriptions": [
    "subscriptionId1", "subscriptionId2", "subscriptionId3"
  ],
  "query": "securityresources| where type == 'microsoft.security/securescores'| extend subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2))| summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(tolong(iff(properties.weight == 0, 1, properties.weight))), resultsNum = count()| extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2))| extend columnForJoin = '0'"
}

Then click on Run> the green button, you should get a Response Code: 200 as shown in the figure below.

Azure Resource Graph REST API Response Code

Then browse to the Body section further down and see the results in JSON. Under the rows section, you will see the overall Secure Score of all subscriptions as a percentage (in this example it’s 30.23), the sum total of all subscriptions, the total number of subscriptions you have, and their weight.

Azure Resource Graph REST API Body

If you look at your overall Secure Score in the Azure Security Center dashboard, you will see the same secure score percentage number.

This of course just an example of trying Azure Resource Graph REST API from the Microsoft docs, you could use Postman or Curl to call Azure overall Secure Score REST API.

As a side note, you can use the Azure Resource Graph (ARG) REST API to get anything you want in Azure and not only Secure Score.

Get the overall secure score from ARG Explorer

You can also access the overall secure score for all subscriptions with the Azure Resource Graph Explorer without using REST API. Take the following steps:

From the Azure portal, search for Resource Graph Explorer as shown in the figure below:

Azure Resource Graph Explorer

Enter the Kusto query below. This query returns the overall Secure Score of all your subscriptions as a percentage (in this example it’s 27.89), the sum total of all subscriptions, the total number of subscriptions you have, and their weight.

securityresources
    | where type == "microsoft.security/securescores"
    | extend subscriptionTotal = iff(properties.score.max == 0, 0.00, round(tolong(properties.weight) * todouble(properties.score.current)/tolong(properties.score.max),2))
    | summarize sumSubs = sum(subscriptionTotal), sumWeight = sum(tolong(iff(properties.weight == 0, 1, properties.weight))), resultsNum = count()
    | extend secureScore = iff(tolong(resultsNum) == 0, 404.00, round(sumSubs/sumWeight*100,2))
    | extend columnForJoin = "0"

Overall Secure Score from Azure Resource Graph

If I look at my overall Secure Score in the Azure Security Center dashboard, I can see the same secure score of 28%.

Overall Secure Score from Azure Security Center Dashboard

That’s it there you have it!

I want to thanks the Azure Security Center team for guiding me in getting the needed results, much appreciated!

Summary

This article described different ways on how to get Azure Security Center Secure Score using the Azure REST APIs. Leveraging the Azure Secure Score API is a great way to get your Azure security posture in a programmatic way so you can automate and build custom dashboards using PowerBI for example, and then tailor it based on your organization’s needs. This could be very useful to share these dashboards with your security officer (CISO), top management, or your security team without giving them access to the Azure Portal.

I hope that the security team will also add management group support to secure score API, so it would be more efficient to query at the management group level to get the secure score instead of an individual subscription.

Additional resources I highly encourage you to check:

How are you going to use Azure Secure Score API in your environment? You are welcome to share your thoughts in the comment section below.

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Related Posts

Previous

Backup Best Practices in Action – The Backup Bible Complete Edition

AZ-140 Exam Study Guide: Configuring and Operating Windows Virtual Desktop on Microsoft Azure

Next

Let me know what you think, or ask a question...

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!

The content of this website is copyrighted from being plagiarized! You can copy from the 'Code Blocks' in Black.

Please send your feedback to the author using this form for any 'Code' you like.

Thank you for visiting!

ads