Azure – You can now get a notification when your Secure Score decreases

Following the release of a Power BI dashboard for tracking the evolution of your Azure Secure Score (see https://t.co/U1I15FSuBP), you can now also get an email notification when your Secure Score decreases.

The playbook is available for deployment in the Azure Security Center GitHub repository: https://github.com/Azure/Azure-Security-Center/tree/master/Secure%20Score/Secure%20Score%20Reduction%20Alerts

Open the above URL and use the Deploy to Azure button.

Then you may be asked to authenticate against your Azure tenant.

Once authenticated, fill in the deployment details as follows:

  • Select the subscription where the playbook will be deployed
  • Select the resource group
  • The region will be set automatically based on the above selection
  • Provide the Log Analytics name, resource group and subscription ID
  • Update, if needed, how often the Secure Score is reviewed and the percentage reduction threshold (meaning the Secure Score has reduced by x%)
  • Provide the notification email address

Now you can complete the deployment.

A Logic App called Send-SecureScoreReductionAlert and two API connections called office365 and azuremonitorlogs have now been deployed.

You then need to grant the Reader permission on each subscription you want monitored for Secure Score reduction, using the subscription's Access Control blade.

Then select the Reader role, choose to assign it to a Logic App, and select Send-SecureScoreReductionAlert.

Then go back to the resource group where the playbook has been deployed to edit the office365 API connection.

Open Edit API connection and click the blue ribbon to authorize the connection; an authentication prompt may appear asking you to sign in.

If the authorization has been successful, you should then see a blue notification at the top; you can now save the modification.

Repeat the same steps for the other API connection, azuremonitorlogs.

You can check that the above operations have been successful by opening the Send-SecureScoreReductionAlert Logic App in the Logic app designer blade and looking at the Run query and list results action inside the For Each loop; you should see the Connected to azuremonitorlogs information.

Then you can force an initial run using the Run Trigger.

Then, if the reduction threshold is reached, you will get an email notification.
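
When several subscriptions are monitored, the Reader assignment from the Access Control step can be scripted and checked for least privilege. The Az PowerShell script below is an added example, not code from the playbook repository; it assumes the Logic App uses a system-assigned managed identity that appears as a service principal named after the Logic App, and the subscription IDs are placeholders.

```powershell
# Added example. Run after Connect-AzAccount with rights to assign roles.
# Assumption: the Logic App's system-assigned managed identity is visible as a
# service principal whose display name equals the Logic App name.
$logicAppName = 'Send-SecureScoreReductionAlert'

# Placeholder IDs: replace with the subscriptions to monitor.
$subscriptionIds = @(
    '00000000-0000-0000-0000-000000000001',
    '00000000-0000-0000-0000-000000000002'
)

# Refuse to continue if the name is missing or ambiguous (e.g. an app
# registration sharing the same display name).
$identity = @(Get-AzADServicePrincipal -DisplayName $logicAppName)
if ($identity.Count -ne 1) {
    throw "Expected one service principal named '$logicAppName', found $($identity.Count)."
}
$objectId = $identity[0].Id

foreach ($subId in $subscriptionIds) {
    Set-AzContext -Subscription $subId | Out-Null
    $scope = "/subscriptions/$subId"

    # Keep only assignments made directly at subscription scope.
    $direct = @(Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
        Where-Object { $_.Scope -eq $scope })

    if ($direct.RoleDefinitionName -notcontains 'Reader') {
        New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName 'Reader' -Scope $scope |
            Out-Null
        Write-Output "Granted Reader on $scope"
    } else {
        Write-Output "Reader already assigned on $scope"
    }

    # The playbook only needs Reader; report anything broader for review.
    $direct | Where-Object { $_.RoleDefinitionName -ne 'Reader' } | ForEach-Object {
        Write-Warning "Unexpected role '$($_.RoleDefinitionName)' for $logicAppName on $scope"
    }
}
```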
