This is cool stuff! At least I like it 🙂
With Microsoft's Secure DevOps Kit for Azure (the PowerShell module is called AzSK) you can scan the security-related configuration of your whole subscription (including most of the deployed components) in a short period of time. A totally different topic is how much time you need to analyze all the results you receive from a scanning operation.
Log Analytics integration via the REST API has been available for a while. With it, it's possible to send the scanning data to a Log Analytics workspace and build a dashboard that visualizes the scanned data, how cool is that?
Pre-Requirements
Ensure that you have PowerShell version 5.0 or higher
- Verify with the command $PSVersionTable
Install the AzSK module
- Install-Module AzSK -Scope CurrentUser
Azure subscription & Log Analytics Workspace
Configuration
To configure the AzSK monitoring solution you have different options depending on your needs; these are listed below:
- Development (referred to as “SDL”)
- Build/Deployment (“CICD”)
- Continuous Assurance (“CA”)
In my environment I configured the monitoring solution for the development (SDL) stage. This means that every time I run a scan against my subscription or its deployed components, the scanning data is sent to the Log Analytics workspace. An alternative would be continuous assurance, where scanning is fully automated and the results can be found in the Log Analytics workspace for deeper investigation.
For the SDL stage, the following command sets the Log Analytics workspace that will collect the events generated by the various AzSK scripts/SVTs etc. in a subscription (the workspace ID and shared key are taken from the workspace's "Agents management" settings; the values below are placeholders):
Set-AzSKOMSSettings -OMSWorkspaceID '<workspace-id>' -OMSSharedKey '<workspace-shared-key>'
Ready for testing. Run an AzSK scan and you should see that the results are sent directly to the Log Analytics workspace.
Deploy AzSk Monitoring Solution
To deploy the AzSK monitoring solution, run the following script (replace the subscription and workspace IDs with your own). The script below is adapted from the DevOps Kit instructions.
#Connect to Azure (Az module) and switch to the subscription that hosts the Log Analytics workspace
Connect-AzAccount -Subscription 'a4bc2f71-xxxx-xxxx-xxxx-720a4cacc525'
Get-AzOperationalInsightsWorkspace #get info about the Log Analytics workspace (we'll need the resource group and workspace ID below)
$omsSubId = 'a4bc2f71-xxxx-xxxx-xxxx-720a4cacc525' #subscription hosting the Log Analytics workspace
$omsWSId = '76943b6a-xxxx-xxxx-xxxx-f-xxxxxxx' #CustomerId of the workspace from the output above
$omsRGName = 'fetaoms' #resource group where the Log Analytics workspace is hosted
$azSkViewName = 'Feta-AzSk' #this identifies the tile for the AzSK view in the Log Analytics workspace, e.g. MyApp-View-1
#This command deploys the AzSK view into the Log Analytics workspace
Import-Module AzSK
Install-AzSKMonitoringSolution -OMSSubscriptionId $omsSubId `
    -OMSResourceGroup $omsRGName `
    -OMSWorkspaceId $omsWSId `
    -ViewName $azSkViewName

The result should look something like this:
The Dashboard
When everything is in place and the configuration finished without errors, scan your subscription and navigate to the Log Analytics workspace you configured in AzSK. There you will find a nice graphical visualization of the scanning data, which can also be analyzed further from the logs.
This is so cool!! I use this tool on a weekly basis, so I'm quite excited about the ability to get the scanning data into a Log Analytics workspace.
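The dashboard tiles are a good start, but the raw events are where the analysis time goes. As an added example (not from the original post or the AzSK project), the script below pulls the failed controls from the workspace with Invoke-AzOperationalInsightsQuery and ranks them by severity; it assumes the AzSK events land in a custom table named AzSK_CL with the columns ControlStatus_s, ControlSeverity_s, FeatureName_s, ControlId_s and ResourceName_s, which you should confirm against your own workspace schema.

```powershell
# Added example: summarise failed AzSK controls straight from Log Analytics.
# Assumptions (verify in your workspace): table AzSK_CL and the column names below.
Import-Module Az.Accounts
Import-Module Az.OperationalInsights

$omsWSId = '<log-analytics-workspace-id>'   # placeholder: same workspace used in Set-AzSKOMSSettings

# KQL: failed controls from the last 7 days, worst severity first, one row per control.
$kql = @'
AzSK_CL
| where TimeGenerated > ago(7d)
| where ControlStatus_s == "Failed"
| extend SeverityRank = case(ControlSeverity_s == "Critical", 0,
                             ControlSeverity_s == "High", 1,
                             ControlSeverity_s == "Medium", 2, 3)
| summarize Failures = count(), Resources = dcount(ResourceName_s)
    by SeverityRank, ControlSeverity_s, FeatureName_s, ControlId_s
| order by SeverityRank asc, Failures desc
'@

Connect-AzAccount | Out-Null
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $omsWSId -Query $kql

# $result.Results holds one PSObject per row returned by the query.
$rows = @($result.Results)
if ($rows.Count -eq 0) {
    Write-Warning 'No failed controls in the last 7 days; check that a scan has run and the workspace ID is correct.'
    return
}

# Triage Critical/High findings first; the rest go to the CSV for weekly tracking.
$urgent = $rows | Where-Object { $_.ControlSeverity_s -in @('Critical', 'High') }
$urgent | Format-Table ControlSeverity_s, FeatureName_s, ControlId_s, Failures, Resources -AutoSize

$rows | Export-Csv -Path ".\azsk-failed-controls-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Running this after each weekly scan and diffing the CSVs shows which controls are newly failing rather than re-reading the whole dashboard.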
Happy monitoring!