How to acquire security information in Azure Defender using REST API?

wisdom_MTT 1 Reputation point
2020-11-12T09:18:03.557+00:00

I'm using REST API to acquire security information of resources in Security Center -> Azure Defender.

I learned that Azure Defender can be installed on both Azure and third-party resources.
Can I use a single API to acquire:

  1. Alert Count by severity
  2. Resource Coverage
  3. Alert Details (if possible)
  4. Coverage Count Details (description, counted by installed or uncovered, if possible)

Or should I use multiple APIs to form the complex alerts through the APIs below:

  1. /providers/Microsoft.Security/alerts
  2. /providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/iotAlerts
    In this way, it seems that I can't find out the resource coverage, as only resources with alerts are contained in the response.
    Actually I'm not using IoT features, so it's unnecessary for me to request the IoT API.
    Coverage is shown on the portal in Security Center -> Azure Defender.

I'm not sure which API to use. I mainly referred to the docs under Security Center.
https://video2.skills-academy.com/en-us/rest/api/securitycenter/alerts/list
https://video2.skills-academy.com/en-us/rest/api/securitycenter/iotalerts/list


2 answers

  1. wisdom_MTT 1 Reputation point
    2020-11-13T05:59:49.097+00:00

    I previously needed this information:

    1. Alert Count by severity
    2. Resource Coverage
    3. Alert Details (if possible)
    4. Coverage Count Details (description, counted by installed or uncovered, if possible)

    1 & 3 come from the Alerts REST API, but I can't find 2 & 4 in the related information.

    So I tried to analyze the request on Azure Portal, and I figured out that the resource coverage comes from the Pricings.

    39564-image.png

    It seems that missing bundle means counting all the free pricing tier, and the resource coverage means the proportion of Standard tier in all pricing tiers.
    I'm not sure whether I'm correctly calculating the resource coverage. If so, should I use the Pricings REST API in Security Center to calculate the Resource Coverage?


  2. wisdom_MTT 1 Reputation point
    2020-11-16T01:13:31.44+00:00

    Yes, I referred to the Azure Defender plan in the screenshot.
    In my case, it looks like this in the screenshot below:
    39859-image.png

    I'm using the plan on a specific subscription and I have enabled the plan (not in the 30-day free trial).
    I can see the plan has already been monitoring my 36 VMs, and will monitor other resources if I add them in the future.

    39917-image.png
    In the Security Center dashboard, I'd like to know the resource coverage percentage and the plans I haven't enabled yet, as screenshot 2 shows.

    39839-image.png
    The Pricings REST API correctly shows my setting.

    According to the request:
    | where type == "microsoft.security/pricings"
    | where properties.pricingTier =~ "free"
    | summarize numOfMissingBundleCoverage = make_list(data)
    ...
    | summarize resourceCoverage = countif(pricing =~ "standard") * 1.0 / countif(pricing !~ "") * 100
    | summarize resourceCoverage = make_list(data)
    | project numOfMissingBundleCoverage, resourceCoverage

    It seems that:

    1. The percentage = Standard Tier plans / All plans * 100
    2. Plans to be enabled = Free Tier plans

    So in my case:

    1. Percentage = 3 / 3 * 100 = 100
    2. Plans to be enabled = 0
      I'm not sure if I calculated this correctly.

    [Extra ask]
    Can I acquire the count of VMs in the specific defender plan through API? In my case, it's 36.
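An added example (not code from this thread or from Microsoft) showing how the dashboard numbers asked about above can be derived from the two REST responses: alert count by severity from the Alerts API, and the coverage percentage plus "missing bundle" list from the Pricings API using the same rule as the quoted portal query. The endpoint URLs and api-version values are assumptions, and the sample payloads are constructed, not captured from Azure.

```python
"""Derive Security Center dashboard numbers from REST responses.
Alert count by severity comes from the Alerts API; plan coverage and
missing (Free-tier) bundles come from the Pricings API."""
import json
import urllib.request
from collections import Counter

# Assumed endpoints/api-versions; check the Security Center REST reference before use.
ALERTS_URL = ("https://management.azure.com/subscriptions/{sub}"
              "/providers/Microsoft.Security/alerts?api-version=2019-01-01")
PRICINGS_URL = ("https://management.azure.com/subscriptions/{sub}"
                "/providers/Microsoft.Security/pricings?api-version=2018-06-01")


def get_json(url: str, bearer_token: str) -> dict:
    """GET an ARM endpoint with an Azure AD bearer token (needs network; not used offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def alert_count_by_severity(alerts_response: dict) -> dict:
    """Item 1: number of alerts per properties.severity (High/Medium/Low/Informational)."""
    return dict(Counter(a["properties"]["severity"] for a in alerts_response.get("value", [])))


def plan_coverage(pricings_response: dict) -> tuple:
    """Items 2 & 4, mirroring the portal query quoted in the post:
    coverage % = Standard-tier plans / all plans * 100; missing bundles = Free-tier plans."""
    tiers = {p["name"]: p["properties"]["pricingTier"] for p in pricings_response.get("value", [])}
    standard = sum(1 for t in tiers.values() if t.lower() == "standard")
    missing = sorted(name for name, t in tiers.items() if t.lower() == "free")
    pct = standard * 100.0 / len(tiers) if tiers else 0.0
    return round(pct, 1), missing


# Constructed samples shaped like the two API responses (not real data).
SAMPLE_ALERTS = {"value": [
    {"name": "a1", "properties": {"severity": "High", "alertDisplayName": "Suspicious process"}},
    {"name": "a2", "properties": {"severity": "Medium", "alertDisplayName": "Failed logons"}},
    {"name": "a3", "properties": {"severity": "High", "alertDisplayName": "Malware detected"}},
]}
SAMPLE_PRICINGS = {"value": [
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard"}},
    {"name": "SqlServers", "properties": {"pricingTier": "Standard"}},
    {"name": "AppServices", "properties": {"pricingTier": "Standard"}},
    {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
]}

if __name__ == "__main__":
    print(alert_count_by_severity(SAMPLE_ALERTS))  # {'High': 2, 'Medium': 1}
    print(plan_coverage(SAMPLE_PRICINGS))          # (75.0, ['StorageAccounts'])
```

With a real subscription, replace the samples with `get_json(PRICINGS_URL.format(sub=...), token)` and the same for alerts; the VM count per plan in the extra ask is not exposed by these two endpoints.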