Azure Security Center v2

Unified security management and advanced threat protection across hybrid cloud workloads. For more information, see the Azure Security Center documentation.

Use Case

With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.

Authentication

For more details about the authentication used in this integration, see Microsoft Integrations - Authentication.

  • After authorizing the Demisto app you receive an ID, Token, and Key; enter them in the corresponding fields of the integration instance configuration. Consent alone only lets the application sign in: before it can read or change Security Center resources, the application must also be assigned a role in every subscription it should manage.
  • To assign a role to the application after consent was given:
    • Go to the Azure Portal.
    • Go to Subscriptions, select the subscription, and then Access control (IAM).
    • Click Add (Add role assignment).
    • Select a role that includes the following permissions. A custom role limited to exactly these actions is preferable to a broad built-in role such as Contributor: the wildcard entries below grant write access to Advanced Threat Protection and Just-in-Time network access settings, so scope the assignment to the subscriptions the integration actually needs.
      • Microsoft.Security/locations/read
      • Microsoft.Security/alerts/read
      • Microsoft.Security/locations/alerts/read
      • Microsoft.Storage/storageAccounts/read
      • Microsoft.Management/managementGroups/read
      • Microsoft.Security/advancedThreatProtectionSettings/*
      • Microsoft.Security/informationProtectionPolicies/read
      • Microsoft.Security/locations/jitNetworkAccessPolicies/*
      • Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action
    • Select the Azure Security Center application as the member of the assignment and save.
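The role-assignment steps above, scripted with the Azure CLI as an added example; this is not code from the integration or its documentation. The action list is exactly the one given above. The custom role name, the subscription ID and the application (client) ID of the registered app are placeholders you supply, and the script assumes a logged-in az CLI with rights to create role definitions and assignments in that subscription.

```shell
#!/bin/sh
# Added example: create a least-privilege custom role carrying exactly the actions
# listed above and assign it to the integration's application at subscription scope.
# ROLE_NAME, the subscription ID and the app ID are assumptions, not values from the page.
set -eu

ROLE_NAME="Demisto Azure Security Center"   # assumed name for the custom role

# Print a role definition in the JSON shape `az role definition create` accepts.
# The only non-read actions are the ATP and JIT writes the integration needs, and
# the role is assignable only inside the given subscription.
asc_role_definition() {
  subscription_id="$1"
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Minimum actions used by the Azure Security Center v2 integration",
  "Actions": [
    "Microsoft.Security/locations/read",
    "Microsoft.Security/alerts/read",
    "Microsoft.Security/locations/alerts/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Management/managementGroups/read",
    "Microsoft.Security/advancedThreatProtectionSettings/*",
    "Microsoft.Security/informationProtectionPolicies/read",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/*",
    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/${subscription_id}" ]
}
EOF
}

# Number of actions in the generated definition: a pre-flight check that the
# role really is limited to the nine actions before anything is sent to Azure.
asc_role_action_count() {
  asc_role_definition "$1" | grep -c '"Microsoft\.[A-Za-z]*/'
}

# The single scope the generated role can be assigned at.
asc_role_scope() {
  asc_role_definition "$1" | sed -n 's/.*"\(\/subscriptions\/[^"]*\)".*/\1/p'
}

# Create the role and assign it to the app. `--assignee` takes the application
# (client) ID shown in the app registration; the scope is the whole subscription,
# matching the Subscriptions > Access control (IAM) steps above.
assign_asc_role() {
  subscription_id="$1"
  app_id="$2"
  az role definition create --role-definition "$(asc_role_definition "$subscription_id")"
  az role assignment create \
    --assignee "$app_id" \
    --role "$ROLE_NAME" \
    --scope "/subscriptions/${subscription_id}"
}

# Usage: sh asc_role.sh <subscription-id> <app-id>
if [ "$#" -eq 2 ]; then
  assign_asc_role "$1" "$2"
fi
```

Run it once per subscription the integration should manage. If the custom role already exists in the tenant, `az role definition create` fails; use `az role definition update` with the same JSON instead, and then only the `az role assignment create` step is needed for additional subscriptions (the AssignableScopes list must include each of them).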

Configure Azure Security Center v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Azure Security Center v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Microsoft Azure Management URL
    • ID (received from the admin consent; see Authentication above)
    • Token (received from the admin consent; see Authentication above)
    • Key (received from the admin consent; see Authentication above)
    • Trust any certificate (not secure): skips TLS certificate validation of the Azure endpoint; leave it off unless you deliberately route the connection through an inspecting proxy.
    • Use system proxy settings
    • Default subscription ID to use: used by every command that accepts subscription_id when that argument is omitted.
  4. Click Test to validate the new instance.

Commands

Subscription ID

Some commands require a subscription ID parameter in order to run. You can find your organization's subscriptions list in the Microsoft Azure Portal > Subscriptions or by running the azure-list-subscriptions command.

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. azure-sc-list-alert
  2. azure-sc-update-atp
  3. azure-sc-get-atp
  4. azure-sc-update-aps
  5. azure-sc-get-aps
  6. azure-sc-list-aps
  7. azure-sc-list-jit
  8. azure-sc-list-storage
  9. azure-list-subscriptions
  10. azure-sc-list-location
  11. azure-sc-get-alert

1. azure-sc-list-alert

Lists alerts for the subscription according to the specified filters.

Requires Subscription ID

Base Command

azure-sc-list-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_group_name | The name of the resource group within the user's subscription. The name is case insensitive. | Optional |
| asc_location | The location where Azure Security Center stores the data of the subscription. Run the azure-sc-list-location command to get it. When asc_location is given, resource_group_name must be given as well. | Optional |
| filter | OData $filter expression | Optional |
| select | OData $select expression | Optional |
| expand | OData $expand expression | Optional |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.Alert.DisplayName | string | Alert display name |
| AzureSecurityCenter.Alert.CompromisedEntity | string | The entity on which the incident occurred |
| AzureSecurityCenter.Alert.DetectedTime | date | Time the vendor detected the incident (UTC) |
| AzureSecurityCenter.Alert.ReportedSeverity | string | Estimated severity of this alert |
| AzureSecurityCenter.Alert.State | string | Alert state (Active, Dismissed, etc.) |
| AzureSecurityCenter.Alert.ActionTaken | string | Action taken in response to the alert |
| AzureSecurityCenter.Alert.Description | string | Description of the incident |
| AzureSecurityCenter.Alert.ID | string | Alert ID |

Command Example

!azure-sc-list-alert

Context Example

{
  "AzureSecurityCenter.Alert": [
    {
      "ActionTaken": "Undefined",
      "CompromisedEntity": "alerts",
      "Description": "Azure security center has detected incoming traffic from IP addresses, which have been identified as IP addresses that should be blocked by the Adaptive Network Hardening control",
      "DetectedTime": "2019-10-27T00:00:00Z",
      "DisplayName": "Traffic from unrecommended IP addresses was detected",
      "ID": "2518301663999999999_d1521d81-f4c1-40ae-b224-01456637790c",
      "ReportedSeverity": "Information",
      "State": "Active"
    }
  ]
}

Human Readable Output

Azure Security Center - List Alerts

| DisplayName | CompromisedEntity | DetectedTime | ReportedSeverity | State | ActionTaken | Description | ID |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Traffic from unrecommended IP addresses was detected | alerts | 2019-10-27T00:00:00Z | Information | Active | Undefined | Azure security center has detected incoming traffic from IP addresses, which have been identified as IP addresses that should be blocked by the Adaptive Network Hardening control | 2518301663999999999_d1521d81-f4c1-40ae-b224-01456637790c |

2. azure-sc-update-atp

Updates the Advanced Threat Protection setting of a storage account.

Requires Subscription ID

Base Command

azure-sc-update-atp

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_group_name | Resource group name | Required |
| setting_name | Name of the Advanced Threat Protection setting; the default is 'current'. | Optional |
| storage_account | Name of the storage account in your Azure subscription | Required |
| is_enabled | Whether Advanced Threat Protection should be enabled for the storage account. | Required |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.AdvancedThreatProtection.ID | string | Resource ID |
| AzureSecurityCenter.AdvancedThreatProtection.Name | string | Resource name |
| AzureSecurityCenter.AdvancedThreatProtection.IsEnabled | string | Indicates whether Advanced Threat Protection is enabled |

Command Example

!azure-sc-update-atp resource_group_name=resource_group storage_account=st_acc1 is_enabled=true

3. azure-sc-get-atp

Returns the Advanced Threat Protection setting of a storage account.

Requires Subscription ID

Base Command

azure-sc-get-atp

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_group_name | Name of the resource group. | Required |
| setting_name | Name of the Advanced Threat Protection setting; the default is 'current'. | Optional |
| storage_account | Name of the storage account in your Azure subscription. | Required |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.AdvancedThreatProtection.ID | string | Resource ID |
| AzureSecurityCenter.AdvancedThreatProtection.Name | string | Resource name |
| AzureSecurityCenter.AdvancedThreatProtection.IsEnabled | string | Indicates whether Advanced Threat Protection is enabled |

Command Example

!azure-sc-get-atp resource_group_name=resource_group storage_account=st_acc1

4. azure-sc-update-aps

Updates a specific auto provisioning setting. Note that the response in the example below returns AutoProvision as null rather than echoing the new value; run azure-sc-get-aps afterwards to confirm the change took effect.

Requires Subscription ID

Base Command

azure-sc-update-aps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| setting_name | Name of the auto provisioning setting; the default setting's name is 'default'. | Required |
| auto_provision | The security agent provisioning action to take (On or Off). | Required |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.AutoProvisioningSetting.Name | string | Setting display name |
| AzureSecurityCenter.AutoProvisioningSetting.AutoProvision | string | The security agent provisioning action to take (On or Off) |
| AzureSecurityCenter.AutoProvisioningSetting.ID | string | Setting resource ID |

Command Example

!azure-sc-update-aps setting_name=default auto_provision=Off

Context Example

{
  "AzureSecurityCenter.AutoProvisioningSetting": [
    {
      "AutoProvision": null,
      "ID": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default",
      "Name": "default"
    }
  ]
}

Human Readable Output

Azure Security Center - Update Auto Provisioning Setting

| Name | ID |
| --- | --- |
| default | /subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default |

5. azure-sc-get-aps

Returns details of a specific auto provisioning setting.

Requires Subscription ID

Base Command

azure-sc-get-aps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| setting_name | Name of the auto provisioning setting | Required |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.AutoProvisioningSetting.Name | string | Setting display name |
| AzureSecurityCenter.AutoProvisioningSetting.AutoProvision | string | The security agent provisioning action to take (On or Off) |
| AzureSecurityCenter.AutoProvisioningSetting.ID | string | Setting resource ID |

Command Example

!azure-sc-get-aps setting_name=default

Context Example

{
  "AzureSecurityCenter.AutoProvisioningSetting": [
    {
      "AutoProvision": "Off",
      "ID": "/subscriptions/0xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default",
      "Name": "default"
    }
  ]
}

Human Readable Output

Azure Security Center - Get Auto Provisioning Setting

| Name | AutoProvision | ID |
| --- | --- | --- |
| default | Off | /subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default |

6. azure-sc-list-aps

Lists the auto provisioning settings in the subscription.

Requires Subscription ID

Base Command

azure-sc-list-aps

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.AutoProvisioningSetting.Name | string | Setting display name |
| AzureSecurityCenter.AutoProvisioningSetting.AutoProvision | string | The security agent provisioning action to take (On or Off) |
| AzureSecurityCenter.AutoProvisioningSetting.ID | string | Setting resource ID |

Command Example

!azure-sc-list-aps

Context Example

{
  "AzureSecurityCenter.AutoProvisioningSetting": [
    {
      "AutoProvision": "Off",
      "ID": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default",
      "Name": "default"
    }
  ]
}

Human Readable Output

Azure Security Center - List Auto Provisioning Settings

| Name | AutoProvision | ID |
| --- | --- | --- |
| default | Off | /subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/autoProvisioningSettings/default |

7. azure-sc-list-jit

Lists all policies that protect resources using Just-in-Time network access control.

Requires Subscription ID

Base Command

azure-sc-list-jit

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asc_location | The location where Azure Security Center stores the data of the subscription. Run the azure-sc-list-location command to get it. | Optional |
| resource_group_name | The name of the resource group within the user's subscription. The name is case insensitive. | Optional |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.JITPolicy.Name | string | Policy display name |
| AzureSecurityCenter.JITPolicy.Rules | string | CSV list of access rules for Microsoft.Compute/virtualMachines resources, in the format (VMName: allowPort1,...) |
| AzureSecurityCenter.JITPolicy.Location | string | Location where the resource is stored |
| AzureSecurityCenter.JITPolicy.Kind | string | Policy resource type |

Command Example

!azure-sc-list-jit

8. azure-sc-list-storage

Lists all the storage accounts available under the subscription.

Requires Subscription ID

Base Command

azure-sc-list-storage

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| subscription_id | Subscription ID to use. Can be retrieved from the azure-list-subscriptions command. If not specified, the default subscription ID is used. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.Storage.ID | string | Resource ID of the storage account |
| AzureSecurityCenter.Storage.Name | string | Name of the storage account |
| AzureSecurityCenter.Storage.ResourceGroupName | string | Name of the resource group the storage account belongs to |
| AzureSecurityCenter.Storage.Location | string | The geo-location where the resource resides |

Command Example

!azure-sc-list-storage

Context Example

{
  "AzureSecurityCenter.Storage": [
    {
      "ID": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/cloud-shell-storage-eastus/providers/Microsoft.Storage/storageAccounts/cs20f907ea4bc8bx4c11x9d7",
      "Location": "eastus",
      "Name": "cs20f907ea4bc8bx4c11x9d7",
      "ResourceGroupName": "cloud-shell-storage-eastus"
    }
  ]
}

Human Readable Output

Azure Security Center - List Storage Accounts

| Name | ResourceGroupName | Location |
| --- | --- | --- |
| cs20f907ea4bc8bx4c11x9d7 | cloud-shell-storage-eastus | eastus |
| useastrgdiag204 | us-east-rg | eastus |
| demistodevops | cloud-shell-storage-eastus | westeurope |

9. azure-list-subscriptions

Lists the subscriptions available to this application.

Base Command

azure-list-subscriptions

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Azure.Subscription.ID | String | Subscription ID |
| Azure.Subscription.Name | String | Subscription name |
| Azure.Subscription.State | String | Subscription state (for example, Enabled) |

Command Example

!azure-list-subscriptions

Context Example

{
  "Azure.Subscription": [
    {
      "ID": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx",
      "Name": "Pay-As-You-Go",
      "State": "Enabled"
    }
  ]
}

Human Readable Output

Azure Security Center - Subscriptions

| ID | Name | State |
| --- | --- | --- |
| /subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx | Pay-As-You-Go | Enabled |

10. azure-sc-list-location

Returns the location (home region) where Azure Security Center stores the data of the subscription. Each subscription has exactly one responsible location; pass its name as the asc_location argument of the alert and JIT commands.

Requires Subscription ID

Base Command

azure-sc-list-location

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.Location.HomeRegionName | string | Home region of the subscription's Security Center data |
| AzureSecurityCenter.Location.Name | string | Location name |
| AzureSecurityCenter.Location.ID | string | Location resource ID |

Command Example

!azure-sc-list-location

Context Example

{
  "AzureSecurityCenter.Location": [
    {
      "HomeRegionName": "centralus",
      "ID": "/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/locations/centralus",
      "Name": "centralus"
    }
  ]
}

Human Readable Output

Azure Security Center - List Locations

| HomeRegionName | Name | ID |
| --- | --- | --- |
| centralus | centralus | /subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/providers/Microsoft.Security/locations/centralus |

11. azure-sc-get-alert

Gets a single alert associated with a resource group or a subscription.

Requires Subscription ID

Base Command

azure-sc-get-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_group_name | The name of the resource group within the user's subscription. The name is case insensitive. | Optional |
| asc_location | The location where Azure Security Center stores the data of the subscription. Run the azure-sc-list-location command to get it. To get an alert scoped to a resource group, pass resource_group_name as well. | Required |
| alert_id | The alert ID. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureSecurityCenter.Alert.DisplayName | string | The display name of the alert. |
| AzureSecurityCenter.Alert.CompromisedEntity | string | The entity on which the incident occurred. |
| AzureSecurityCenter.Alert.DetectedTime | date | The time the vendor detected the incident. |
| AzureSecurityCenter.Alert.ReportedTime | date | The time the incident was reported to Microsoft.Security, in UTC. |
| AzureSecurityCenter.Alert.ReportedSeverity | string | The estimated severity of the alert. |
| AzureSecurityCenter.Alert.State | string | The alert state (Active, Dismissed, etc.). |
| AzureSecurityCenter.Alert.ConfidenceScore | string | Level of confidence for the alert. |
| AzureSecurityCenter.Alert.ActionTaken | string | The action that was taken in response to the alert (Active, Blocked, etc.). |
| AzureSecurityCenter.Alert.CanBeInvestigated | string | Whether this alert can be investigated using Azure Security Center. |
| AzureSecurityCenter.Alert.RemediationSteps | string | Recommended steps to remediate the incident. |
| AzureSecurityCenter.Alert.VendorName | string | Name of the vendor that discovered the incident. |
| AzureSecurityCenter.Alert.AssociatedResource | string | Azure resource ID of the associated resource. |
| AzureSecurityCenter.Alert.AlertName | string | Name of the alert type. |
| AzureSecurityCenter.Alert.InstanceID | string | Instance ID of the alert. |
| AzureSecurityCenter.Alert.ID | string | The alert ID. |
| AzureSecurityCenter.Alert.SubscriptionID | string | Azure subscription ID of the resource that had the security alert, or the subscription ID of the workspace that this resource reports to. |
| AzureSecurityCenter.Alert.Description | string | Description and explanation of the incident. |
| AzureSecurityCenter.Alert.ExtendedProperties | string | Set of properties that varies with the alert type. |
| AzureSecurityCenter.Alert.Entities | string | Objects that are related to the alert. |

Command Example

!azure-sc-get-alert asc_location="location" alert_id="alert_id"

Additional Information

For more information regarding roles, see the Microsoft documentation on Azure role-based access control.