az security task list recommendation results have Severity incorrectly reported as High.
az feedback auto-generates most of the information requested below, as of CLI version 2.0.62
Related command

```powershell
$findings = az security task list -g ${{ parameters.resourceGroupName }} --query "[?contains(securityTaskParameters.severity, 'High')]" | ConvertFrom-Json
```
Describe the bug Result set includes incorrect/inaccurate list of High Severity recommendations when compared to same result set as viewed in the Azure Portal.
To Reproduce Create a resource group with storage accounts and VMs. Apply policy Initiatives ASC Default, HIPAA HITRUST, ISO 27001:2013 to the resource group. Wait for Azure Defender to evaluate the resource group against the Initiatives.
Expected behavior When reviewing findings/recommendations in the Azure Portal, those severity levels are expected to match the same set of findings as reported from "az security task list", yet the az command will report items as "severity": "High" that at the same time are reported in the Portal with a Low Severity.
Environment summary Command is running from Azure DevOps pipeline. The environment summary is taken from the pipeline execution log.
```
C:\Windows\system32\cmd.exe /D /S /C ""C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\wbin\az.cmd" --version"
azure-cli                         2.36.0
core                              2.36.0
telemetry                          1.0.6
azure-devops                      0.25.0
dataprotection                     0.3.0
Dependencies:
msal                              1.17.0
azure-mgmt-resource               20.0.0
Python (Windows) 3.10.4 (tags/v3.10.4:9d38120, Mar 23 2022, 22:57:10) [MSC v.1929 32 bit (Intel)]
```
Additional context The pipeline log begins with "Starting: Azure Security Center Findings for Resource Group" (the task that runs the command above).
Issue Analytics
- Created a year ago
- Comments: 10 (4 by maintainers)
Top GitHub Comments
@RakeshMohanMSFT, the original az security command can be replaced with either the "az graph query" or the Search-AzGraph command. az security task list is looking at the severity from a static file (GenericRecommendationsConstant) instead of Azure Resource Graph, so it does not always correctly return the value for the Severity; the Resource Graph query below is an alternate solution.

```powershell
# Set target subscription and resource group.
$Subscription  = 'targetSubscription'
$resourceGroup = 'targetResourceGroup'
Select-AzSubscription -SubscriptionName $Subscription
$vsub = Get-AzSubscription -SubscriptionName $Subscription
az account set -s $Subscription

# Returns result as JSON. Sometimes incorrectly with Severity = High.
az security task list -g $resourceGroup

# Azure Resource Graph query statement, kept on a single line so it passes
# cleanly through az.cmd on Windows. Note that KQL '==' is case-sensitive;
# use '=~' if the resource group casing in resource IDs may differ.
$securityTaskList = @(
    "SecurityResources",
    "| where type == 'microsoft.security/assessments'",
    "| where subscriptionId == '$($vsub.SubscriptionId)'",
    "| where properties.status.code == 'Unhealthy'",
    "| where properties.metadata.severity == 'High'",
    "| extend resourceId = properties.resourceDetails.Id",
    "| extend resourceName = tostring(split(resourceId, '/')[8])",
    "| extend resourceGroup = tostring(split(resourceId, '/')[4])",
    "| where resourceGroup == '$resourceGroup'",
    "| extend status = properties.status.code",
    "| extend severity = properties.metadata.severity",
    "| extend recommendationName = properties.displayName",
    "| project subscriptionId, recommendationName, resourceName, resourceGroup, status, severity, resourceId"
) -join ' '

# Returns result as JSON.
az graph query -q $securityTaskList

# Returns result as a table.
Search-AzGraph -Query $securityTaskList
```
@RakeshMohanMSFT - The issue is unrelated to the number of rows returned by the command `az security task list`.
The issue is that the command will report some recommendations with the Severity reported as High while the exact same recommendation viewed in the Azure Portal is reported as Low or Medium. A support request was opened with Microsoft and a summary of the reply is provided below.
The workaround is to use the resource graph as shown below:

```powershell
Search-AzGraph -Query "securityresources"
```

However, the workaround provided per the support request does not exactly replicate the "az security task list" command because the AzGraph command lacks the ability to filter based on the resource group, and this is key, and quite important, to how we leverage the az command.
Finally, this is how we leverage "az security task list". As a final task in any CI/CD deployment in a non-production environment, we check all security recommendations for the affected resource group and, if any are found to be High, the deployment is not allowed to go to production. Instead, the developer who published the change is required to remediate the change and redeploy it to the non-production environment. If the recommendation cannot be remediated, or if the issue related to the recommendation is acceptable, we manually create a policy exception/exemption with an end date, and only the exemption will allow the deployment to proceed. However, the policy exception/exemption will expire after a time as a way of forcing us to re-evaluate that particular recommendation and determine whether the exemption is still valid.
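The following is an added example, not code from the issue, from either commenter, or from the Azure CLI project. It combines the two things the thread discusses: a Resource Graph query that takes severity from `properties.metadata.severity` and is scoped to one resource group (the scoping the second comment says the Search-AzGraph workaround lacks), and the CI/CD gate that fails a pipeline when any unhealthy High-severity recommendation remains. The function names, the constructed sample rows and the resource names in them are assumptions made for the example; it assumes the Az.Accounts and Az.ResourceGraph modules are installed and the pipeline agent is already logged in, and the gate logic itself runs offline against the sample rows.

```powershell
# Added example (not from the issue or the Azure CLI project): a pipeline gate that
# blocks promotion when Defender for Cloud reports an unhealthy High-severity
# assessment in the deployed resource group. Severity comes from Azure Resource
# Graph (properties.metadata.severity), not from "az security task list".
# Assumptions: Az.Accounts + Az.ResourceGraph installed; agent already logged in.

function Get-AssessmentQuery {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup
    )
    # Single-line KQL so it also passes safely through az.cmd if ever used with
    # "az graph query -q". The resource group is taken from the assessed resource
    # ID and compared case-insensitively (=~): the casing inside resource IDs does
    # not always match the casing of the pipeline parameter. Exempted assessments
    # are no longer reported as Unhealthy, so this filter honours the time-boxed
    # exemptions described in the thread.
    @(
        "securityresources",
        "| where type == 'microsoft.security/assessments'",
        "| where subscriptionId == '$SubscriptionId'",
        "| where properties.status.code == 'Unhealthy'",
        "| extend resourceId = tostring(properties.resourceDetails.Id)",
        "| extend rgFromId = tostring(split(resourceId, '/')[4])",
        "| where rgFromId =~ '$ResourceGroup'",
        "| extend resourceName = tostring(split(resourceId, '/')[8])",
        "| extend severity = tostring(properties.metadata.severity)",
        "| extend recommendationName = tostring(properties.displayName)",
        "| project subscriptionId, rgFromId, resourceName, recommendationName, severity, resourceId"
    ) -join ' '
}

function Get-UnhealthyAssessments {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroup
    )
    $query = Get-AssessmentQuery -SubscriptionId $SubscriptionId -ResourceGroup $ResourceGroup
    # Search-AzGraph returns at most 1000 rows per call; follow SkipToken so a large
    # resource group does not silently lose findings past the first page.
    $rows = @()
    $skipToken = $null
    do {
        $params = @{ Query = $query; Subscription = $SubscriptionId; First = 1000 }
        if ($skipToken) { $params.SkipToken = $skipToken }
        $page = Search-AzGraph @params
        $rows += @($page)
        $skipToken = $page.SkipToken
    } while ($skipToken)
    return $rows
}

function Test-DeploymentGate {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Assessments,
        [string[]] $BlockingSeverities = @('High')
    )
    # Pure decision logic, separated from the query so it can be exercised offline.
    $blocking = @($Assessments | Where-Object { $_.severity -in $BlockingSeverities })
    [pscustomobject]@{
        Passed   = ($blocking.Count -eq 0)
        Blocking = $blocking
    }
}

# Constructed sample rows (not real Defender for Cloud output) to run the gate offline.
# Replace with: Get-UnhealthyAssessments -SubscriptionId $sub -ResourceGroup $rg
$sample = @(
    [pscustomobject]@{ resourceName = 'stcorpdata01'; severity = 'Medium'
                       recommendationName = 'Storage accounts should restrict network access' }
    [pscustomobject]@{ resourceName = 'vm-web-01';    severity = 'High'
                       recommendationName = 'Management ports of virtual machines should be protected with just-in-time network access control' }
)

$gate = Test-DeploymentGate -Assessments $sample
if ($gate.Passed) {
    Write-Host "No blocking recommendations; deployment may proceed."
} else {
    $gate.Blocking | Format-Table resourceName, severity, recommendationName -AutoSize
    # Azure Pipelines logging commands: surface the findings and fail the task.
    Write-Host "##vso[task.logissue type=error]$($gate.Blocking.Count) High-severity recommendation(s) outstanding; deployment blocked."
    Write-Host "##vso[task.complete result=Failed;]"
}
```

With the sample rows the gate fails on `vm-web-01` and leaves the Medium finding alone; swapping `$sample` for the output of `Get-UnhealthyAssessments` turns it into the resource-group-scoped check the thread wanted, with the severity taken from the same source the Portal uses.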