Monitor Security Score using KQL/ Kusto using Log Analytics Workspace

Question

Monitor Security Score using KQL/ Kusto using Log Analytics Workspace

Rahul 296

Hello Team,

The security Score in my Azure Subscription fluctuates every time. I'm trying to configure an Azure Monitor Alert using Log Analytics Workspace. I enabled Continuous Export features from Microsoft Defender for the cloud under my subscription to export security score logs in Log Analytics Workspace.
SecurityScores and SecurityScoreControls both tables provide info for current Secure Score in Log Analytics Workspace

I'm trying to Jon both the Tables using the below KQL Query that shows me an error. SecureScores
//| where CurrentScore < 60
| extend Percent=PercentageScore100
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId
| where avg_Percent < 80
| join kind=leftouter (
SecureScoreControls
| extend Percent=PercentageScore100
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId
)
on $left.CurrentScore == $right.CurrentScore
//on $left.AssessedResourceId == $right.AssessedResourceId and $left.SecureScoresSubscriptionId== $right.SecureScoresSubscriptionId
Does anyone have any input on this?
Thanks In advance

Ryan Hill 30,326 Reputation points Microsoft Employee Moderator

2023-04-20T13:36:56.8766667+00:00

Hi @Rahul we noticed you recently provided feedback on the answer provided. We thank you for taking the time to share your feedback, we greatly value it and are here to help to make your experience better. Please let us know what we could've done to make your experience better, we look forward to your reply.
Rahul 296 Reputation points

2023-04-23T15:10:16.2966667+00:00

Thanks. @Ryan Hill Im trying to compare Secure Score today with yesterday on azure subscription. If its changed today from yesterday thrn should receive an alert. Whats thr format for KQL Query for the same?
Ryan Hill 30,326 Reputation points Microsoft Employee Moderator

2023-04-24T20:19:27.3533333+00:00

Are you asking what's the KQL for comparing Secure Score between today and yesterday?
Rahul Dhande 20 Reputation points

2023-04-27T15:50:36.97+00:00

Correct @Ryan Hill

Clive Watson 7,946 MVP Volunteer Moderator

You can use the prev() command

SecureScores
//| where TimeGenerated > ago(30d)
| extend Percent=PercentageScore
| summarize avg_=avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, AssessedResourceId
| serialize 
| extend previousScore = prev(avg_)

Rahul 296 Reputation points

2023-04-27T22:58:20.1266667+00:00

Thanks @Clive Watson

At the moment your query shows me blank under previous score column. Is it will show the yesterday score if it's changed?

Clive Watson 7,946 MVP Volunteer Moderator

Is this better (also I couldn't see the screenshot, but that maybe just my browser)?

User's image

SecureScores
| where TimeGenerated > ago(1d)
| extend Percent=PercentageScore
| summarize avg_=round(avg(Percent),2) by bin(TimeGenerated,1d)
| order by TimeGenerated desc
| extend previousScore = round(next(avg_,1),2)
| extend previousScore = iif(previousScore ==0,'',tostring(previousScore))
| extend change = round(avg_ - todouble(previousScore),2)

Rahul 296 Reputation points

2023-04-28T11:00:24.5633333+00:00

Thanks @Clive Watson What exactly the change column will return? For me, it shows me zero. is that mean the score has not changed from yesterday?
Clive Watson 10 Reputation points

2023-04-28T11:03:51.01+00:00

Correct, zero (0) means no change - if its another value then that's the difference between the average yesterday compared to today.
Rahul 296 Reputation points

2023-04-28T11:13:20.9133333+00:00

Perfect @Clive Watson Thanks for the Support. Appreciated.
Rahul 296 Reputation points

2023-04-28T11:36:48.2333333+00:00

@Clive Watson How exactly do I need to set up the Monitor Alert? I don't want o get an alert if the Change value is zero (0). Only when the value Changed

Below is correct?

Answer accepted by question author

0 additional answers

Your answer

Ryan Hill 30,326 Reputation points Microsoft Employee Moderator

2023-04-20T13:36:56.8766667+00:00

Hi @Rahul we noticed you recently provided feedback on the answer provided. We thank you for taking the time to share your feedback, we greatly value it and are here to help to make your experience better. Please let us know what we could've done to make your experience better, we look forward to your reply.
Rahul 296 Reputation points

2023-04-23T15:10:16.2966667+00:00

Thanks. @Ryan Hill Im trying to compare Secure Score today with yesterday on azure subscription. If its changed today from yesterday thrn should receive an alert. Whats thr format for KQL Query for the same?
Ryan Hill 30,326 Reputation points Microsoft Employee Moderator

2023-04-24T20:19:27.3533333+00:00

Are you asking what's the KQL for comparing Secure Score between today and yesterday?
Rahul Dhande 20 Reputation points

2023-04-27T15:50:36.97+00:00

Correct @Ryan Hill
Clive Watson 7,946 Reputation points MVP Volunteer Moderator

2023-04-27T18:14:22.96+00:00

You can use the prev() command

SecureScores //| where TimeGenerated > ago(30d) | extend Percent=PercentageScore | summarize avg_=avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, AssessedResourceId | serialize | extend previousScore = prev(avg_)
Rahul 296 Reputation points

2023-04-27T22:58:20.1266667+00:00

Thanks @Clive Watson

At the moment your query shows me blank under previous score column. Is it will show the yesterday score if it's changed?
Clive Watson 7,946 Reputation points MVP Volunteer Moderator

2023-04-28T09:44:11.94+00:00

Is this better (also I couldn't see the screenshot, but that maybe just my browser)?

SecureScores | where TimeGenerated > ago(1d) | extend Percent=PercentageScore | summarize avg_=round(avg(Percent),2) by bin(TimeGenerated,1d) | order by TimeGenerated desc | extend previousScore = round(next(avg_,1),2) | extend previousScore = iif(previousScore ==0,'',tostring(previousScore)) | extend change = round(avg_ - todouble(previousScore),2)
Rahul 296 Reputation points

2023-04-28T11:00:24.5633333+00:00

Thanks @Clive Watson What exactly the change column will return? For me, it shows me zero. is that mean the score has not changed from yesterday?
Clive Watson 10 Reputation points

2023-04-28T11:03:51.01+00:00

Correct, zero (0) means no change - if its another value then that's the difference between the average yesterday compared to today.
Rahul 296 Reputation points

2023-04-28T11:13:20.9133333+00:00

Perfect @Clive Watson Thanks for the Support. Appreciated.
Rahul 296 Reputation points

2023-04-28T11:36:48.2333333+00:00

@Clive Watson How exactly do I need to set up the Monitor Alert? I don't want o get an alert if the Change value is zero (0). Only when the value Changed

Below is correct?

Answer 1

Clive Watson 7,946 MVP Volunteer Moderator

This will fix the KQL error, use had a error in the extend() lines and also hadn't mapped Current Score in the summarize commands, so the join wasn't possible.

SecureScores
| extend Percent=PercentageScore
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, CurrentScore
| where avg_Percent < 80
| join kind=leftouter (
SecureScoreControls
| extend Percent=PercentageScore
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, CurrentScore
)
on $left.CurrentScore == $right.CurrentScore


// Question, wouldn't you be better to join on something other than the Score % unless you are 100% sure they are // for the same resource?   Maybe try this instead?


SecureScores
| extend Percent=PercentageScore
| summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, AssessedResourceId
| join 
(
    SecureScoreControls
    | where AssessedResourceId has "ascScore"
    | parse AssessedResourceId with AssessedResourceId '/secureScoreControl' *
    | extend Percent=PercentageScore
    | summarize avg(Percent) by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, CurrentScore, AssessedResourceId
) on AssessedResourceId

Rahul 296 Reputation points

2023-04-18T23:38:00.2766667+00:00

Thanks @Clive Watson instead of Current score, can we show Control Name? Want to Monitor due to which Control name Secure score fluctuate in my azure subscription
Ryan Hill 30,326 Reputation points Microsoft Employee Moderator

2023-04-20T13:33:38.0833333+00:00

To include ControlName, add it to summarize statement in the SecureScoreControls table: summarize avg(Percent), ControlName by bin(TimeGenerated,1d), SubscriptionId=_SubscriptionId, CurrentScore, AssessedResourceId
Rahul 296 Reputation points

2023-04-27T23:02:47.76+00:00

Thanks @Clive Watson At the moment, previous score column shows me blank. Does will show the yeateesya score if it's dosen't match with today?

Share via

Monitor Security Score using KQL/ Kusto using Log Analytics Workspace

0 additional answers

Your answer