[Feature Request] Use existing Get-SecureScoreData Log Analytics workspace for Secure Score reduction alerts (CLOSED)

famjunxiang commented on July 22, 2024
[Feature Request] Use existing Get-SecureScoreData Log Analytics workspace for Secure Score reduction alerts

from microsoft-defender-for-cloud.

Comments (26)

famjunxiang commented on July 22, 2024

Hi @TomJanetscheck, thanks for your response. I have deployed the Send-SecureScoreBriefing LogicApp, which connects to the existing workspace to get the result. Thanks.

safeenab786 commented on July 22, 2024

Hi @famjunxiang, Uploaded the ARM template that you can use with existing Log Analytics Workspace. Thank you.

TomJanetscheck commented on July 22, 2024

Hi @famjunxiang,

you can already use the existing workspace by manually changing the connections within the LogicApp. However, the LogicApp will create another Customer Log (dailyAscScore_CL) within that workspace. Today, we do not have a LogicApp that connects and uses data from the existing tables. Adding @safeenab786 as the code owner to see if she can provide another ARM Template which will connect to the existing workspace instead of creating a new one.

famjunxiang commented on July 22, 2024

Hi @TomJanetscheck, good day to you. May I know the ETA for this enhancement?
Thanks.

TomJanetscheck commented on July 22, 2024

Hi @famjunxiang,
adding @safeenab786 who is currently working on this enhancement to reply with an ETA.

TomJanetscheck commented on July 22, 2024

Closing this issue as a solution was provided with PR #175 .

famjunxiang commented on July 22, 2024

Hi @safeenab786, I hit an error at Append to string variable:
InvalidTemplate. Unable to process template language expressions in action 'Append_to_string_variable' inputs at line '1' and column '3354': 'The template language function 'substring' parameters are out of range: 'start index' and 'length' must be non-negative integers and their sum must be no larger than the length of the string. Please see https://aka.ms/logicexpressions#substring for usage details.'.

safeenab786 commented on July 22, 2024

@famjunxiang Hello, what is the secure score at the moment in the subscription that you're deploying this template on?

famjunxiang commented on July 22, 2024

@safeenab786 I have 23 subscriptions at the moment, and each subscription has a different score. I have also assigned the managed identity Reader role for the Send-SecureScoreReductionAlert at the root management group.

TomJanetscheck commented on July 22, 2024

Reopening due to errors during LogicApp run.

TomJanetscheck commented on July 22, 2024

@famjunxiang - I could reproduce the behavior you mentioned above in my environment with subscriptions that have a Secure Score of 0, which should not apply to productive environments. In that case, the substring function does not work correctly. In case you have subscriptions with a Secure Score of 0, could you please remove the role assignment from the management group and then re-create it on all subscriptions with a Secure Score > 0 for testing?

famjunxiang commented on July 22, 2024

Hi @TomJanetscheck, I tried running the query on the failed subscription and found that the subscription's Secure Score is 100, not 0.

famjunxiang commented on July 22, 2024

Hi @safeenab786, any feedback on the reported bug? Thanks.

safeenab786 commented on July 22, 2024

Hi @famjunxiang Please help me understand, the secure score in all the subscriptions you're trying this automation on is >single digit or >0%?
I'm using the substring here to minimize the characters that it shows in the output (email), and if it finds 0 as the secure score, it errors out at the Append to String. This is not a bug, and it is by design.

famjunxiang commented on July 22, 2024

Hi @safeenab786, we have subscriptions that are disabled, so the secure score is 0. And we have a subscription with a secure score of 100 (3 digits), and it hits the error as well.
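
One way both reported cases (a score of 0 and a score of 100) could trigger the quoted range error, sketched as an added example that is not part of the thread and not the template's code: a fixed-length `substring` fails whenever the score text is shorter than the requested length, and clamping the length avoids it. The 5-character width, the helper names and the sample subscriptions are assumptions; the template's actual expression is not shown on this page.

```python
# Added example: models the range rule quoted in the 'substring' error above.
# MAX_CHARS = 5 is an assumed display width, not the template's real value.

MAX_CHARS = 5


def substring(text: str, start: int, length: int) -> str:
    """Mimic the range rule stated in the Logic Apps error message."""
    if start < 0 or length < 0 or start + length > len(text):
        raise ValueError("substring parameters are out of range")
    return text[start:start + length]


def shorten_fixed(score_text: str) -> str:
    """Fixed-length truncation: fails when the score text is shorter."""
    return substring(score_text, 0, MAX_CHARS)


def shorten_clamped(score_text: str) -> str:
    """Clamp the length to the string, i.e. min(MAX_CHARS, length(text))."""
    return substring(score_text, 0, min(MAX_CHARS, len(score_text)))


def run_report(scores: dict, shorten) -> tuple:
    """Build one alert line per subscription and collect failures separately,
    so a single edge-case score does not abort the whole alerting run."""
    lines, failed = [], []
    for sub, score in scores.items():
        try:
            lines.append(f"{sub}: {shorten(str(score))}")
        except ValueError:
            failed.append(sub)
    return lines, failed


# Constructed sample data: subscription names and scores are made up.
SAMPLE = {"sub-disabled": 0, "sub-perfect": 100, "sub-typical": 56.256789}

if __name__ == "__main__":
    for fn in (shorten_fixed, shorten_clamped):
        lines, failed = run_report(SAMPLE, fn)
        print(fn.__name__, "->", lines, "failed:", failed)
```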

safeenab786 commented on July 22, 2024

Hi @famjunxiang Kindly run the script against those subscriptions that have a score to display. Please don't combine the subscriptions with 0 score and the ones with a score. Let me know how it goes.

famjunxiang commented on July 22, 2024

Hi @safeenab786, I have assigned the Reader role for the logic app at the root management group, so it will run the script against all subscriptions. This is to ensure new subscriptions are covered as well. Thanks.

famjunxiang commented on July 22, 2024

Hi @safeenab786 , any feedback from your end? Thanks

safeenab786 commented on July 22, 2024

Hi @famjunxiang Thanks for the confirmation. I'm working on it, I hope to get back to you soon.

famjunxiang commented on July 22, 2024

Hi @safeenab786 , thanks for your feedback.

famjunxiang commented on July 22, 2024

Hi @safeenab786, may I know whether the newly merged change is the fix? Thanks.

safeenab786 commented on July 22, 2024

Hi @famjunxiang Yes it is. Request you to try it out and let us know your feedback. Thank you.

famjunxiang commented on July 22, 2024

Hi @safeenab786 , best to remove everything and redeploy? or ?

safeenab786 commented on July 22, 2024

Hi @famjunxiang I've made modifications in the code, yes please redeploy with the new template.

famjunxiang commented on July 22, 2024

Hi @safeenab786 Good day to you.
It currently hits an error for the subscription that is already disabled, under Logic App > HTTP:

{
  "Error": {
    "Code": "ResourceNotFound",
    "Message": "Secure score 'ascScore' does not exist in scope 'XXX-XXXX-XXXX-XXXX'"
  }
}

TomJanetscheck commented on July 22, 2024

This issue is closed and therefore no longer monitored. Please create a new issue using our Bug report template.