Moved files to new

 AzTS repo

ControlCoverage/Feature/Storage.md

@@ -0,0 +1,5 @@
+## Storage
+
+| ControlId | Dependent Azure API(s) and Properties | Control spec-let |
+|-----------|-------------------------------------|------------------|
+| <b>ControlId:</b><br>Azure_Storage_AuthN_Dont_Allow_Anonymous<br><b>DisplayName:</b><br>Ensure secure access to storage account containers.<br><b>Description: </b><br>The Access Type for containers must not be set to 'Anonymous'. | <b>ARM API to list Storage Account at subscription level: </b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Storage/storageAccounts?<br>api-version=2019-06-01 <br><b>Properties:</b><br>allowBlobPublicAccess, provisioningState, kind | <b>Passed: </b><br>Storage does not have any container with public access.<br><b>Failed: </b><br>Storage has at least one container with public access or provisioning state for storage is not 'Succeeded'.<br><b>Verify: </b><br>Not able to fetch container details for storage.<br><b>NotApplicable: </b><br>Storage is of type FileStorage.(Kind FileStorage does not support containers). |

ControlCoverage/Feature/SubscriptionCore.md

@@ -0,0 +1,8 @@
+## SubscriptionCore
+
+| ControlId | Dependent Azure API(s) and Properties | Control spec-let |
+|-----------|---------------------------------------|------------------|
+| <b>ControlId:</b><br>Azure_Subscription_Config_ASC_Enable_AutoProvisioning<br><b>DisplayName:</b><br>Turn on Microsoft Monitoring Agent (MMA) to enable Security Monitoring.<br><b>Description: </b><br>Auto Provisioning must be set to ON in Azure Security Center. | <b>ARM API to list auto provisioning settings at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Security/autoProvisioningSettings<br>/default?api-version=2017-08-01-preview<br><b>Property:</b><br>autoProvision | <b>Passed: </b><br>Auto Provisioning is enabled.<br><b>Failed: </b><br>Auto Provisioning is not enabled or if security center provider is not registered.<br><b>Verify: </b><br>Unable to verify Auto Provisioning detail. |
+| <b>ControlId:</b><br>Azure_Subscription_Config_ASC_Tier<br><b>DisplayName:</b><br>Enable all Azure Defender plans in Azure Security Center.<br><b>Description: </b><br>Standard tier must be enabled for Azure Security Center. | <b>ARM API to list Security Center pricing <br>configurations in the subscription:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Security/pricings?api-version=2018-06-01<br><b>Properties:</b><br>pricingTier, name | <b>Passed: </b><br>All required resource types are configured with ASC standard tier.<br><b>Failed: </b><br>Any of resource types is not configured with ASC standard tier or if security center provider is not registered. |
+| <b>ControlId:</b><br>Azure_Subscription_AuthZ_Dont_Use_NonAD_Identities<br><b>DisplayName:</b><br>Remove external accounts from Azure subscriptions<br><b>Description: </b><br>Do not grant permissions to external accounts (i.e., accounts outside the native directory for the subscription). | <b>PIM API to get role assignments:</b><br> /beta/privilegedAccess/azureResources<br>/resources/{uniquePIMIdentifier}/roleAssignments<br>?$expand=subject,roleDefinition<br>($expand=resource)&$filter=(memberType%20ne%20'{filterCondition}')<br><b>Property:</b><br>subject/principalName<br><br><b>ARM API to list classic role assignment at <br>subscription level:</b><br>subscriptions/{subscriptionId}/providers<br>/Microsoft.Authorization/classicAdministrators<br>?api-version=2015-06-01<br><b>Property:</b><br> emailAddress | <b>Passed: </b><br>No external account is found at subscription scope.<br><b>Failed: </b><br>External account is found at subscription scope.<br><b>Verify: </b><br>RBAC result not found (sufficient data is not available for evaluation). |
+| <b>ControlId:</b><br>Azure_Subscription_AuthZ_Remove_Deprecated_Accounts<br><b>DisplayName:</b><br>Remove deprecated accounts from your subscription(s).<br><b>Description: </b><br>Deprecated/stale accounts must not be present on the subscription. | <b>ARM API to list role assignment at scope:</b> <br>/{scope}/providers/Microsoft.Authorization/role<br>Assignments?api-version=2018-01-01-preview<br><b>Property:</b> principalId<br><br><b>PIM API to get role assignment:</b> /beta/privilegedAccess/azureResources<br>/resources/{uniquePIMIdentifier}/roleAssignments<br>?$expand=subject,roleDefinition<br>($expand=resource)&$filter=<br>(memberType%20ne%20'{filterCondition}')<br><b>Property:</b><br> subject/id<br><br><b>ARM API to list security assessments at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Security/assessments<br>?api-version=2020-01-01<br><b>Properties:</b><br>id, name, resourceDetails/Id, displayName, status/code, status, additionalData| <b>Passed: </b><br>No deprecated account is found at subscription scope (in both ASC and Reader scan).<br><b>Failed: </b><br>Deprecated account is found at subscription scope (in any one of ASC and Reader scan).<br><b>Verify: </b><br>ASC assessment status is not applicable or policy is missing. |

ControlCoverage/Feature/VirtualMachine.md

@@ -0,0 +1,10 @@
+## Virtual Machine
+
+| ControlId | Dependent Azure API(s) and Properties | Control spec-let |
+|-----------|---------------------------------------|------------------|
+| <b>ControlId:</b><br>Azure_VirtualMachine_SI_Enable_Vuln_Solution<br><b>DisplayName:</b><br>Install DSRE Qualys Cloud Agent on assets.<br><b>Description:</b><br>Vulnerability assessment solution should be installed on VM. | <b>ARM API to list Virtual Machine Extensions at <br>resource level:</b><br>/subscriptions/{subscriptionId}/resourceGroups/<br>{resourceGroupName}/providers/Microsoft.<br>Compute/virtualMachines/{vmName}<br>/extensions?api-version=2019-07-01<br><b>Properties:</b><br>publisher, type<br>| <b>Passed: </b><br>Required vulnerability assessment solution is present in VM.<br><b>Failed: </b><br>Required vulnerability assessment solution is not present in VM.<br><b>NotApplicable: </b><br>VM instance is part of AKS or ADB cluster.<br><b>Not Scanned: </b><br>VM OS type is null or empty. |
+| <b>ControlId:</b><br>Azure_VirtualMachine_SI_Enable_Monitoring_Agent<br><b>DisplayName:</b><br>All VMs must have Monitoring Agent enabled.<br><b>Description:</b><br>All VMs must have Monitoring Agent enabled. | <b>ARM API to list Virtual Machine Extensions at <br>resource level:</b><br>/subscriptions/{subscriptionId}/resourceGroups/<br>{resourceGroupName}/providers/Microsoft.<br>Compute/virtualMachines/{vmName}<br>/extensions?api-version=2019-07-01<br><b>Properties:</b><br>publisher, type| <b>Passed: </b><br>All required extensions are present in VM<br><b>Failed: </b><br>One or more required extensions are missing in VM.<br><b>NotApplicable: </b><br>VM is part of ADB cluster.<br><b>Not Scanned: </b><br>VM OS type is null or empty. |
+| <b>ControlId:</b><br>Azure_VirtualMachine_NetSec_Apply_ASC_Network_<br>Recommendations<br><b>DisplayName:</b><br>Apply Adaptive Network Hardening to your virtual machines.<br><b>Description:</b><br>Adaptive Network Hardening recommendations <br>should be applied on internet facing virtual machines. | <b>ARM API to list security assessments at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Security/assessments?<br>api-version=2020-01-01<br><b>Properties:</b><br>id, name, resourceDetails/Id, displayName, status/code, status, additionalData | <b>Passed: </b><br>ASC assessment found with Healthy status code.<br><b>Failed: </b><br>ASC assessment found with Unhealthy status code.|
+| <b>ControlId:</b><br>Azure_VirtualMachine_Config_Enable_NSG<br><b>DisplayName:</b><br>Secure internet-facing virtual machines.<br><b>Description:</b><br>NSG must be configured for Virtual Machine. | <b>ARM API to list Network Interfaces at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Network/networkInterfaces<br>?api-version=2019-04-01<br><b>Property:</b><br>publicIPAddress/id, networkSecurityGroup/id<br><br><b>ARM API to list Virtual Networks at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Network/virtualNetworks<br>?api-version=2019-11-01<br><b>Property:</b><br>networkSecurityGroup/id<br>| <b>Passed: </b><br>NSG is configured for the VM or VM does not have any public IP configured.<br><b>Failed: </b><br>No NSG found on the VM.<br><b>NotApplicable: </b><br>VM instance is part of ADB cluster.|
+| <b>ControlId:</b><br>Azure_VirtualMachine_NetSec_Dont_Open_Restricted_<br>Ports<br><b>DisplayName:</b><br>Secure internet-facing virtual machines.<br><b>Description:</b><br>Do not leave restricted ports open on Virtual Machines. | <b>ARM API to list Network Interfaces at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Network/networkInterfaces<br>?api-version=2019-04-01<br><b>Property:</b><br>networkSecurityGroup/id<br><br><b>ARM API to list Virtual Networks at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Network/virtualNetworks<br>?api-version=2019-11-01<br><b>Property:</b><br>networkSecurityGroup/id<br><br><b>ARM API to list Network Security Groups at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Network/networkSecurityGroups<br>?api-version=2019-04-01<br><b>Property:</b><br>destinationPortRange<br><br><b>ARM API to list JIT network access policies at <br>subscription level:</b><br>/subscriptions/{subscriptionId}/providers<br>/Microsoft.Security/jitNetworkAccessPolicies<br>?api-version=2020-01-01<br><b>Property:</b><br>virtualMachines/ports| <b>Passed: </b><br>NSG is configured and no inbound port is open or NSG is configured and no restricted ports are open<br><b>Failed: </b><br>No NSG is configured on VM or NSG is configured but restricted ports are open.<br><b>NotApplicable: </b><br>VM instance is part of ADB cluster.|
+

ControlCoverage/README.md

@@ -0,0 +1,18 @@
+## Security controls covered by Azure Tenant Security (AzTS)
+
+This page displays security controls that are automated via AzTS. Controls table listed under provide following details:
+- ControlId and Description
+- Dependent Azure API(s) and Properties
+- Control spec-let
+
+### Azure Services supported by AzTS
+
+Below resource types can be checked for validating the security controls:
+
+|Feature Name|Resource Type|
+|---|---|
+|[Subscription](Feature/SubscriptionCore.md)|
+|[Storage](Feature/Storage.md)|Microsoft.Storage/storageAccounts|
+|[VirtualMachine](Feature/VirtualMachine.md)|Microsoft.Compute/virtualMachines|
+
+

LAQueries.md

@@ -0,0 +1,140 @@
+
+
+Here is a summary of the data that is captured within each table
+
+| Log Type | Description |
+|----|----|
+| AzSK_SubInventory_CL | This table contains list of subscription scanned by the Tenant Security Solution |
+| AzSK_BaselineControlsInv_CL | This lists the controls supported by Tenant Security solution |
+| AzSK_ControlResults_CL	| This table contains control scan results for all the subscriptions scanned by the Tenant Security Solution|
+| AzSK_PerformanceMetrics_CL | This table contains performance metrics such as total time taken to scan each subscription, the time taken by individual components etc., |
+| AzSK_ProcessedSubscriptions_CL | This contains the events sent by the work item processor job to mark subscription scan progress |
+| AzSK_RBAC_CL	| This table contains RBAC role membership details including classic, permanent and PIM assignments |
+| AzSK_ResourceInvInfo_CL	| This table captures the list of resources in a subscription |
+| AzSK_RTExceptions_CL	| This table contains errors/exceptions generated during the Tenant Security scan | 
+| AzSK_SSAssessmentInv_CL	| This table contains Azure Security Centre assessment status |
+
+
+
+Log Analytics opens with a new query tab in the Query editor where you can run the following query as shown below:
+
+``` KQL
+
+AzSK_ControlResults_CL
+| where TimeGenerated > ago(2d) and JobId_d == toint(format_datetime(now(), 'yyyyMMdd'))
+| summarize arg_max(TimeGenerated,*) by ControlName_s, ResourceId = tolower(ResourceId)
+| project ControlName_s, ResourceName_s, VerificationResult_s, StatusReason_s
+
+```
+
+![Log Analytics Visualization: Query Logs](../Images/13_TSS_LAWS_Query_Logs.png)
+
+The query computes control scan result of the control scanned by the toolkit. There is a filter in the top right, which gives the easy option to select time ranges. This can be done via code as well.
+
+
+
+##### List of unhealthy Security Assessment recommendation in a subscription
+```KQL
+AzSK_SSAssessmentInv_CL
+| where TimeGenerated > ago(1d)
+| where JobId_d ==  toint(format_datetime(now(), 'yyyyMMdd'))
+| summarize arg_max(TimeGenerated, *) by AssessmentId_s
+| project SubscriptionId, RecommendationDisplayName_s, AzureResourceId_s, StatusCode_s, StatusMessage_s
+| where StatusCode_s =~ "Unhealthy"
+```
+
+
+##### List of Owner/Co-admin in a subscription
+
+```KQL
+// Get list of active subscriptions
+AzSK_SubInventory_CL
+| where TimeGenerated > ago(1d) and JobId_d ==  toint(format_datetime(now(), 'yyyyMMdd'))
+| where State_s != 'Disabled'
+| summarize arg_max(TimeGenerated, *) by SubscriptionId
+| distinct SubscriptionId, Name_s
+| join kind=leftouter (
+    // Get list of Owners in a subscription
+    AzSK_RBAC_CL
+    | where TimeGenerated > ago(2d) and JobId_d == toint(format_datetime(now(), 'yyyyMMdd')) 
+    | where RBACSource_s =~ "Subscription" 
+    | where RoleName_s in ("ServiceAdministrator", "CoAdministrator", "ServiceAdministrator;AccountAdministrator")
+    or RoleDefinitionId_s contains "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+    | summarize OwnerCount = count(),
+                PermanentOwnerCount = countif(IsPIMEligible_b == false),
+                ObjectIds = make_set(UserName_g) by SubscriptionId = NameId_g
+) on SubscriptionId
+| extend ObjectIds = iff(SubscriptionId1 == dynamic(null), "RBACNOTFOUND", ObjectIds)
+| project SubscriptionId, OwnerCount, PermanentOwnerCount, ObjectIds
+```
+
+
+##### View subscription scan status
+
+``` KQL
+// Filter list of active subscriptions
+AzSK_SubInventory_CL
+| where TimeGenerated > ago(1d)
+| where JobId_d ==  toint(format_datetime(now(), 'yyyyMMdd'))
+| where State_s != 'Disabled'
+| summarize arg_max(TimeGenerated, *) by SubscriptionId
+| project SubscriptionId
+| join kind= leftouter
+(
+   // List of subscriptions where processing has completed
+    AzSK_ProcessedSubscriptions_CL
+    | where TimeGenerated > ago(1d)
+    | where JobId_d ==  toint(format_datetime(now(), 'yyyyMMdd'))
+    | where EventType_s == 'Completed'
+    | summarize arg_max(TimeGenerated, *) by SubscriptionId
+)
+on SubscriptionId
+| extend Type = iff(SubscriptionId1 !=dynamic(null),"Completed", "NotCompleted")
+| summarize count() by Type
+```
+
+
+
+#### D. Tenant Security scan metrics
+
+##### REST API call metrics: Number of API calls made in last 1 day
+
+``` KQL
+AzSK_APIMetrics_CL
+| where TimeGenerated > ago(1d)
+| extend Key_s = iff(Key_s contains "https://", strcat("***#API#***", parse_url(Key_s).Host), Key_s) 
+| summarize APICount= sum(Value_d) by Key_s
+| order by APICount desc
+```
+
+##### Performance metrics: Get the average time buckets and subs count in each bucket
+
+```KQL
+let JobId = toint(format_datetime(now(), 'yyyyMMdd'));
+// Get count of control scanned for each subscription
+AzSK_ControlResults_CL
+| where TimeGenerated > ago(2d)
+| where JobId_d == JobId
+| summarize arg_max(TimeGenerated, *) by ResourceId,ControlName_s
+| summarize ControlsCount = count() by SubscriptionId
+| join kind= inner (
+    // Check performance metrics for total time taken by each subscription
+    AzSK_PerformanceMetrics_CL
+    | where TimeGenerated > ago(2d)
+    | where JobId_d == JobId
+    | summarize arg_max(TimeGenerated, *) by SubscriptionId
+    | where SubscriptionId != dynamic(null) 
+    | extend SubProcessingTime = iff(totimespan(TotalTimeTaken_s) > totimespan("00:02:00"),">2Min",iff(totimespan(TotalTimeTaken_s) > totimespan("00:01:00"),">1Min","<1Min"))
+) on SubscriptionId 
+| summarize SubscriptionCount = count(), avg(totimespan(TotalTimeTaken_s)) , avg(ControlsCount), max(ControlsCount), min(ControlsCount) by SubProcessingTime 
+```
+
+##### List of resources in a subscription
+
+``` KQL
+AzSK_ResourceInvInfo_CL
+| where TimeGenerated > ago(1d)
+| where JobId_d ==  toint(format_datetime(now(), 'yyyyMMdd'))
+| summarize arg_max(TimeGenerated, *) by ResourceId
+| project OrgTenantId_g, SubscriptionId, ResourceType, Location_s, ResourceId
+```