Azure / Microsoft-Defender-for-Cloud

Welcome to the Microsoft Defender for Cloud community repository
https://azure.microsoft.com/en-us/services/security-center/
MIT License

Registering Microsoft.Security on subscriptions does not start secure score retrieval #720

Closed Agazoth closed 8 months ago

Agazoth commented 1 year ago

I work for a CSP provider with 1000+ customers. We want to activate Microsoft Defender for Cloud on all subscriptions in order to monitor and enhance their secure score.

We use the API to activate the Microsoft.Security provider on all subscriptions. This activation works as expected and the provider gets registered.

BUT the Secure Score assessment does not start until someone logs on to the portal and clicks on the Microsoft Defender for Cloud blade

To Reproduce Steps to reproduce the behavior:

  1. Activate Microsoft.Security on a subscription in a tenant that has not opened the Microsoft Defender for Cloud blade before
  2. Wait up to 48 hours
  3. Try to retrieve SecureScores via the API
  4. This error occurs:
     {"Error":{"Code":"ResourceNotFound","Message":"Secure score 'ascScore' does not exist in scope 'SubscriptionGuid'"}}

Expected behavior: ascScore should have started within the 48 hours and delivered something like:

id         : /subscriptions/SubscriptionGuid/providers/Microsoft.Security/secureScores/ascScore
name       : ascScore
type       : Microsoft.Security/secureScores
properties : @{displayName=ASC score; score=; weight=0}

Additional context: I have tested on several tenants that logging on to the tenant and clicking the Microsoft Defender for Cloud blade is required before ascScore retrieval is triggered. I still have 1000+ tenants with several subscriptions each, where the Microsoft.Security provider has been registered for 30+ days, but ascScore has no secure scores generated.

I made an MS support case on the issue, and this is what they answered: [image]

According to that statement, logging on to the portal once a month is required to get continuous generation of Secure Score.

Is there any way to trigger the portal logon to Microsoft Defender for Cloud so we don't have to do this logon manually?

chshum commented 1 year ago

Hi,

This behavior is for free customers only. Paying customers will always have fresh data.

We've deployed a fix for this where all new registrations will have their activity status reset.

For existing free customers who are already registered, you can try setting the pricing tier to its existing state to reset the activity status, or querying the securityStatuses API.

For example:

PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/pricings/{pricingName}?api-version=2023-01-01

{ "properties": { "pricingTier": "Free" } }
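The workaround above, carried out across many subscriptions, as an added example that is not part of the thread or the repository: for each subscription it checks whether ascScore exists and, if not, re-applies every Defender pricing plan with its current tier (and subPlan, where one is set) so nothing is upgraded or downgraded. It assumes the Az.Accounts module is installed, Connect-AzAccount has already run with write access on the subscriptions, and api-version 2020-01-01 for the secureScores endpoint (the pricings version is the one quoted above).

```powershell
# Added example, not code from the thread or the Defender for Cloud repository.
# Assumes Az.Accounts is installed and Connect-AzAccount has already run.
param(
    [Parameter(Mandatory)] [string[]] $SubscriptionIds,
    [string] $PricingApiVersion = '2023-01-01',  # version used in chshum's PUT example
    [string] $ScoreApiVersion   = '2020-01-01'   # assumed GA version of the secureScores API
)

# Returns $true when ascScore already exists for the subscription,
# $false when the API answers with the ResourceNotFound error from the report.
function Test-AscScore {
    param([string] $SubscriptionId)
    $path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/secureScores/ascScore?api-version=$ScoreApiVersion"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    return $resp.StatusCode -eq 200
}

# Re-applies each pricing plan with the tier it already has, which is the
# "set the pricing tier to its existing state" reset described above.
function Reset-DefenderActivity {
    param([string] $SubscriptionId)
    $base = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/pricings"
    $list = (Invoke-AzRestMethod -Method GET -Path "${base}?api-version=$PricingApiVersion").Content |
            ConvertFrom-Json
    foreach ($plan in $list.value) {
        $props = @{ pricingTier = $plan.properties.pricingTier }
        # Keep the subPlan, otherwise a Standard plan could silently change sub-plan.
        if ($plan.properties.subPlan) { $props.subPlan = $plan.properties.subPlan }
        $body = @{ properties = $props } | ConvertTo-Json -Compress
        $resp = Invoke-AzRestMethod -Method PUT `
                    -Path "$base/$($plan.name)?api-version=$PricingApiVersion" `
                    -Payload $body
        Write-Verbose "$SubscriptionId $($plan.name) -> HTTP $($resp.StatusCode)"
    }
}

foreach ($sub in $SubscriptionIds) {
    if (Test-AscScore -SubscriptionId $sub) {
        Write-Output "$sub : ascScore present, nothing to do"
        continue
    }
    Write-Output "$sub : ascScore missing, re-applying current pricing tiers to reset activity"
    Reset-DefenderActivity -SubscriptionId $sub
}
```

Test-AscScore only checks that the score resource exists, not that it is fresh, so re-run the check after the 48-hour window mentioned in the report to confirm the reset took effect.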

Agazoth commented 1 year ago

@chshum Thanks for your reply. That is much appreciated!

Does "We've deployed a fix for this where all new registrations will have their activity status reset." mean that customers on the free tier will also get the basic secure scores if we "reset" their pricing tier as described?

jikuja commented 11 months ago

I have tested on several tenants that logging on to the tenant and clicking the Microsoft Defender for Cloud blade is required before ascScore retrieval is triggered.

I think there is a really simple but hard-to-notice explanation for this. Some action, e.g. opening the Defender UI, triggers background processes.

E.g. the Microsoft cloud security benchmark policy initiative is assigned automatically to the subscription when TBD is done in the portal.

Exact actions seen in the brand new subscription's activity log:

  1. Windows Azure Security Resource Provider registers Microsoft.GuestConfiguration
  2. Windows Azure Security Resource Provider registers Microsoft.PolicyInsights
  3. Windows Azure Security Resource Provider creates the policy initiative assignment:

"requestbody": "{\"id\":\"/subscriptions/x-x-x-x-x/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn\",\"name\":\"SecurityCenterBuiltIn\",\"type\":\"Microsoft.Authorization/policyAssignments\",\"sku\":{\"name\":\"A1\",\"tier\":\"Standard\"},\"properties\":{\"parameters\":\"******\",\"description\":\"This is the default set of policies monitored by Azure Security Center. It was automatically assigned as part of onboarding to Security Center. The default assignment contains only audit policies. For more information please visit https://aka.ms/ascpolicies\",\"displayName\":\"ASC Default (subscription: 731f3bda-584f-4578-a54e-addf20109a8e)\",\"scope\":\"/subscriptions/731f3bda-584f-4578-a54e-addf20109a8e\",\"policyDefinitionId\":\"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8\",\"metaData\":\"******\"}}"

Afaik Defender plans have a really minimal effect on secure score, if any.


Ps. Shame on MSFT for not documenting this properly. Assignment of the policy initiative is part of some landing zones: https://github.com/search?q=repo%3AAzure%2FALZ-Bicep%20%2F1f3afdf9-d0c9-4c3d-847f-89da613e70a8%2F&type=code

TomJanetscheck commented 8 months ago

Closing as a solution was provided