Apply Adaptive Network Hardening across multiple Subscriptions

Published Jul 31 2021 06:38 AM
Microsoft
Applying network security groups (NSGs) to filter traffic to and from resources improves your network security posture. However, there can still be cases in which the actual traffic flowing through the NSG is a subset of the NSG rules defined. Adaptive network hardening provides recommendations to further harden the NSG rules. It uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.
 
For example, let's say the existing NSG rule is to allow traffic from 100.xx.xx.10/24 on port 8081. Based on traffic analysis, adaptive network hardening might recommend narrowing the range to allow traffic from 100.xx.xx.10/29 and deny all other traffic to that port. Adaptive network hardening recommendations are only supported on the following specific ports (for both UDP and TCP): 13, 17, 19, 22, 23, 53, 69, 81, 111, 119, 123, 135, 137, 138, 139, 161, 162, 389, 445, 512, 514, 593, 636, 873, 1433, 1434, 1900, 2049, 2301, 2323, 2381, 3268, 3306, 3389, 4333, 5353, 5432, 5555, 5800, 5900, 5900, 5985, 5986, 6379, 6379, 7000, 7001, 7199, 8081, 8089, 8545, 9042, 9160, 9300, 11211, 16379, 26379, 27017, 37215
 
Prerequisites:
 - Az modules must be installed
 - The service principal created in Step 1 must have Contributor access to all subscriptions
 
Steps to follow:
Step 1: Create a service principal
After creating the service principal, retrieve the following values:
  1. Tenant Id
  2. Client Secret
  3. Client Id
Step 2: Create a PowerShell function that generates the authorization token and request headers
function Get-apiHeader{
[CmdletBinding()]
Param
(
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $TENANTID,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $ClientId,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $PasswordClient,
 [Parameter(Mandatory=$true)]
 [System.String]
 [ValidateNotNullOrEmpty()]
 $resource
)
# Request a token with the OAuth 2.0 client-credentials grant (service principal ID and secret)
$tokenresult=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://$resource/"; "client_id" = "$ClientId"; "client_secret" = "$PasswordClient" }
$token=$tokenresult.access_token
# Headers reused for every call to the resource (here, the Azure Resource Manager endpoint)
$Header=@{
  'Authorization'="Bearer $token"
  'Host'="$resource"
  'Content-Type'='application/json'
  }
return $Header
}

 

Step 3: Call the function created in the previous step to retrieve the authorization token
Note: Replace $TenantId, $ClientId and $ClientSecret with the values captured in Step 1
$AzureApiheaders = Get-apiHeader -TENANTID $TenantId -ClientId $ClientId -PasswordClient $ClientSecret -resource "management.azure.com"

 

Step 4: Extract a CSV file containing the list of all adaptive network hardening suggestions from Azure Resource Graph

Please refer: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/governance/resource-graph/first-que...

Azure Resource graph explorer: https://docs.microsoft.com/en-us/azure/governance/resource-graph/overview

Query:

securityresources
        | where type == "microsoft.security/assessments"
        | extend source = tostring(properties.resourceDetails.Source)
        | extend resourceId =
            trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
                                            source =~ "aws", properties.resourceDetails.AzureResourceId,
                                            source =~ "gcp", properties.resourceDetails.AzureResourceId,
                                            extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id)))))
        | extend status = trim(" ", tostring(properties.status.code))
        | extend cause = trim(" ", tostring(properties.status.cause))
        | extend assessmentKey = tostring(name)
        | where assessmentKey == "f9f0eed0-f143-47bf-b856-671ea2eeed62"
 
Click "Download as CSV" and save the file in the same folder as the adaptive network hardening script. Rename the file to "adaptivehardeningextract" (the script below reads adaptivehardeningextract.csv).
 
# Locate the CSV exported in Step 4; it must sit next to this script
Set-Location $PSScriptRoot
$RootFolder = Split-Path $MyInvocation.MyCommand.Path
$ParameterCSVPath =$RootFolder + "\adaptivehardeningextract.csv"
if(Test-Path -Path $ParameterCSVPath)
  {
  $TableData = Import-Csv $ParameterCSVPath
  }

foreach($Data in $TableData)
{
  $resourceid=$Data.resourceid
  # Fetch the current adaptive network hardening recommendation for this resource
  $resourceURL="https://management.azure.com$resourceid/providers/Microsoft.Security/adaptiveNetworkHardenings/default?api-version=2020-01-01"
  $resourcedetails=(Invoke-RestMethod  -Uri $resourceURL -Headers $AzureApiheaders -Method GET)
  # Wrap in @() so that a single rule or NSG is still serialized as a JSON array
  $rules = @($resourcedetails.properties.rules | Where-Object { $_ })
  $nsg = @($resourcedetails.properties.effectiveNetworkSecurityGroups.networksecuritygroups | Where-Object { $_ })
  if($rules.Count -gt 0)
  {
    # Build the enforce request body from the recommended rules and the NSGs they apply to
    $body = @{ rules = $rules; networkSecurityGroups = $nsg } | ConvertTo-Json -Depth 5
    # Enforce the recommended rules on those NSGs
    $enforceresourceURL = "https://management.azure.com$resourceid/providers/Microsoft.Security/adaptiveNetworkHardenings/default/enforce?api-version=2020-01-01"
    $Enforcedetails=(Invoke-RestMethod  -Uri $enforceresourceURL -Headers $AzureApiheaders -Method POST -Body $body)
  }
}
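
The script above enforces every recommendation it finds, so a review pass before the POST is useful. The following is an added example, not part of the original post: it flattens one adaptiveNetworkHardenings GET response into rows that can be exported and reviewed. The function name Get-HardeningReviewRow, the output column names and the sample response (resource IDs, rule names, addresses) are constructed for illustration.

```powershell
# Added example: turn one adaptiveNetworkHardenings GET response into review rows.
# Get-HardeningReviewRow and its column names are hypothetical, not part of any Az module.
function Get-HardeningReviewRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ResourceId,
        [Parameter(Mandatory = $true)]$Response
    )
    # NSGs that the enforce call would modify for this resource
    $nsgIds = @($Response.properties.effectiveNetworkSecurityGroups |
        ForEach-Object { $_.networkSecurityGroups } |
        Where-Object { $_ } | Sort-Object -Unique)

    foreach ($rule in @($Response.properties.rules)) {
        if ($null -eq $rule) { continue }
        $sources = @($rule.ipAddresses | Where-Object { $_ })
        [pscustomobject]@{
            ResourceId       = $ResourceId
            RuleName         = $rule.name
            Direction        = $rule.direction
            DestinationPort  = $rule.destinationPort
            Protocols        = (@($rule.protocols) -join ',')
            AllowedSources   = ($sources -join ',')
            # True when the rule lists no source address at all: review these first,
            # because no source would remain allowed on that port after enforcement
            NoAllowedSources = ($sources.Count -eq 0)
            TargetNsgs       = ($nsgIds -join ';')
        }
    }
}

# Constructed sample response (documentation address ranges, placeholder IDs)
$sampleId = '/subscriptions/<subscription-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1'
$sampleJson = @'
{
  "properties": {
    "rules": [
      { "name": "rule1", "direction": "Inbound", "destinationPort": 8081,
        "protocols": ["TCP"], "ipAddresses": ["192.0.2.8/29"] },
      { "name": "rule2", "direction": "Inbound", "destinationPort": 3389,
        "protocols": ["TCP"], "ipAddresses": [] }
    ],
    "effectiveNetworkSecurityGroups": [
      { "networkInterface": "<nic-resource-id>",
        "networkSecurityGroups": ["<nsg-resource-id>"] }
    ]
  }
}
'@

$rows = Get-HardeningReviewRow -ResourceId $sampleId -Response ($sampleJson | ConvertFrom-Json)
$rows | Format-Table RuleName, DestinationPort, Protocols, AllowedSources, NoAllowedSources -AutoSize

# Inside the loop above, the same call works on the live response:
#   Get-HardeningReviewRow -ResourceId $resourceid -Response $resourcedetails |
#       Export-Csv .\hardening-review.csv -NoTypeInformation -Append   # file name is hypothetical
```

Run the GET half of the loop first, review the exported rows, and send the enforce POST only for the resource IDs that were approved.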
 
Last update: Aug 02 2021 12:05 PM