Azure CSPM - Multiple questions

Hello,

So I just enabled Azure CSPM (8.12.2) and I have some questions:

  • Is there a way to snooze / acknowledge / ignore findings? Some of the findings are not applicable to our organization and we would like to ignore them or acknowledge them.

  • Where is the compliance score stored? Or is it a calculated value? I would like to show this score on a custom dashboard we use for reporting to our management. How can I create a Lens metric visualisation which shows this score?

  • Is there a way to visualize the evolution of the compliance score? If we'd fix some things, I'd like to show to my management the evolution of our compliance score somehow.

  • Is it documented somewhere which Azure URLs need to be accessible so I can open only those in our perimeter firewall? For example, which URLs in this list do I need to open? Allow the Azure portal URLs on your firewall or proxy server - Azure portal | Microsoft Learn

Thanks.

Willem

3 Likes

@willemdh Thank you for your questions and exploring latest Azure CSPM coverage in our Product. Please find responses below:

  • Is there a way to snooze / acknowledge / ignore findings? Some of the findings are not applicable to our organization and we would like to ignore them or acknowledge them.

It was one of the top asks from customers and we have prioritised and worked on delivering this capability in version 8.13, which will be released later this month. We plan to release the "enable/disable" functionality for benchmark rules. It will be possible to disable/mute specific rules so they are not producing any findings and don't participate in the score calculation. Look out for 8.13 release updates.

  • Where is the compliance score stored? Or is it a calculated value? I would like to show this score on a custom dashboard we use for reporting to our management. How can I create a Lens metric visualisation which shows this score?

The percentage score is a calculated value, but all the base numbers for the score are stored in the index logs-cloud_security_posture.scores-default and it should be possible to use it in Lens. You need to create a Data View with this index first so it shows up in Lens, but then you should be able to build any custom visualisation based on this data.

  • Is there a way to visualize the evolution of the compliance score? If we'd fix some things, I'd like to show to my management the evolution of our compliance score somehow.

Should be possible with a custom visualisation. The score data is stored in the logs-cloud_security_posture.scores-default index every 5 minutes, so it is possible to show a trendline of the score.

  • Is it documented somewhere which Azure URLs need to be accessible so I can open only those in our perimeter firewall? For example, which URLs in this list do I need to open?

We recommend enabling all endpoints listed in Microsoft's documentation.

Let me know if you have any follow-up questions on these or related topics.

3 Likes

Thank you very much for all the info. I'll look into the scores indices and will look for the compliance score.

@smriti0321 Are you sure I should be able to recreate the percentage score? I gave it a try, but the low / medium / high / critical scores always seem 0...

The index also only has very limited fields:

So not sure what's going on here and where else I should look.

Hi @willemdh, on the screenshot I see that you are looking at documents with policy_template: vuln_mgmt. The index logs-cloud_security_posture.scores-default contains scores from all our integrations: CSPM, KSPM, and CNVM. Here is how you can distinguish them:
CSPM: policy_template: cspm
KSPM: policy_template: kspm
CNVM: policy_template: vuln_mgmt
As you mentioned that you installed CSPM Azure, look for documents with policy_template: cspm. Mind that they have a different structure than the vuln_mgmt ones, so you won't have critical, high, etc. attributes on them, but there should be other attributes you can use for your use case, e.g. failed_findings and passed_findings.

1 Like

Hi @maxcold ,

I can assure you I have no data with:

policy_template: cspm

in logs-cloud_security_posture.scores-*

Willem

Do you see any data in Security > Dashboards > Cloud Security Posture? The URL should be /app/security/cloud_security_posture/dashboard/cspm. Do you see any findings in Security > Findings > Misconfigurations?
The stats for the indices you see in Stack Management > Index Management > Indices when you search for logs-cloud_security_posture in the search bar would also be helpful.

Yes, the CSPM found misconfigurations.


health status index                                                              uuid                   pri rep docs.count docs.deleted creation.date.string     store.size pri.store.size
green  open   .ds-logs-cloud_security_posture.findings-default-2024.03.15-000001 ex-rujcBRr-6biMof8YEsQ   1   1      19077            0 2024-03-15T15:23:21.955Z     65.2mb         32.6mb
green  open   .ds-logs-cloud_security_posture.findings-default-2024.04.14-000002 0dwgNQDkRVedn5UkvcOcMA   1   1       5841            0 2024-04-14T15:24:23.705Z     21.1mb         10.5mb
green  open   logs-cloud_security_posture.findings_latest-default                TBa-oWEXTZarG8pTkLCb4w   1   1        531            0 2024-03-14T15:23:09.353Z      1.9mb         1007kb
green  open   logs-cloud_security_posture.scores-default                         VEGDQvXWTFm9zfHvuqMPNg   1   1      10164            0 2024-03-14T15:23:09.682Z      1.2mb        648.9kb
green  open   logs-cloud_security_posture.vulnerabilities_latest-default         BtbkSROYT5WkziDp2u7pMA   1   1          0            0 2024-03-14T15:23:10.012Z       498b           249b

Thanks for providing more information! I'm assuming you also have data in the Compliance Score, trendline, and the split between failed and passed findings. This data is based on the policy_template: cspm documents in logs-cloud_security_posture.scores-default, unless I'm missing something obvious.
You can try doing the following request in the Dev Tools of Kibana (search for Dev Tools in the global Kibana search):

POST /logs-cloud_security_posture.scores-default/_search
{
  "size": 1,
  "query": {
    "term": {
      "policy_template": {
        "value": "cspm"
      }
    }
  }
}

And see if it returns one document.

Yes we are seeing the compliance score and failed and passed findings.

The query doesn't give any results:


This is interesting, I'm out of obvious ideas. It seems it requires a more thorough investigation; I'll get back to you after I do some digging myself into why it can happen that you don't see documents in the logs-cloud_security_posture.scores-default index while the CSPM dashboard works fine.
In the meantime, you can also check if you have any special setup around access control (in Users and Roles), look in more detail into the documents of logs-cloud_security_posture.scores-default (what policy_template values you have there on the documents), and see whether you can spot something off with this index in Index Management.

1 Like
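The check suggested above (which policy_template values the scores index actually holds) can be scripted instead of eyeballed. The following is an added example, not code from the thread or from Elastic: it builds a terms aggregation on policy_template for the logs-cloud_security_posture.scores-default index, parses the bucket counts, and reports which of the three integrations' templates have no score documents at all, which is the symptom described in this thread. The index and field names come from the thread; the Elasticsearch URL, the basic-auth credentials, the assumption that policy_template is mapped as a keyword field (as the exact-match term query above implies), and the sample response are constructed for illustration.

```python
# Added example (not from the thread): count score documents per policy_template.
import base64
import json
import urllib.request

SCORES_INDEX = "logs-cloud_security_posture.scores-default"   # from the thread
EXPECTED_TEMPLATES = ("cspm", "kspm", "vuln_mgmt")            # from the thread


def template_count_query() -> dict:
    """Body for POST /<index>/_search: no hits, one bucket per policy_template.
    Assumes policy_template is a keyword field (terms aggs need exact values)."""
    return {
        "size": 0,
        "aggs": {
            "by_template": {"terms": {"field": "policy_template", "size": 10}}
        },
    }


def parse_template_counts(response: dict) -> dict:
    """Reduce the aggregation response to {policy_template: doc_count}."""
    buckets = (
        response.get("aggregations", {}).get("by_template", {}).get("buckets", [])
    )
    return {b["key"]: b["doc_count"] for b in buckets}


def missing_templates(counts: dict, expected=EXPECTED_TEMPLATES) -> list:
    """Templates with zero score documents. If the CSPM dashboard shows findings
    but 'cspm' appears here, no history/trendline can be built from this index."""
    return [t for t in expected if counts.get(t, 0) == 0]


def run_against_cluster(es_url: str, user: str, password: str, timeout=10) -> dict:
    """Send the query to Elasticsearch over HTTP with basic auth.
    es_url/user/password are placeholders supplied by the caller."""
    body = json.dumps(template_count_query()).encode()
    req = urllib.request.Request(
        f"{es_url}/{SCORES_INDEX}/_search", data=body, method="POST"
    )
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed response shaped like what Elasticsearch returns for the query
# above when the index holds only vuln_mgmt score documents.
SAMPLE_RESPONSE = {
    "hits": {"total": {"value": 10164, "relation": "eq"}, "hits": []},
    "aggregations": {
        "by_template": {"buckets": [{"key": "vuln_mgmt", "doc_count": 10164}]}
    },
}

if __name__ == "__main__":
    # Offline demonstration on the constructed response; swap in
    # run_against_cluster("https://es.example:9200", "user", "pass") for a live check.
    counts = parse_template_counts(SAMPLE_RESPONSE)
    print("score documents per policy_template:", counts)
    print("templates with no score history:", missing_templates(counts))
```

Running this against a cluster with the symptom from this thread prints `['cspm', 'kspm']` for the missing templates even though the findings indices are populated; after the integration fix mentioned later in the thread, a `cspm` bucket should appear and grow by one document every 5 minutes.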

@willemdh one more thing I want to check: do you see the trendlines in the CSP dashboard? Or do you see a "No data to display" message instead of trendlines? Here is how the trendline chart should look:

1 Like

Hey @maxcold

Indeed I see "No data to display"


I can see all data in this cluster, so it shouldn't be a privilege issue.

The indices in Index Management:

I only see policy_template "vuln_mgmt" in the scores index.

Willem

@willemdh thanks for your patience and for providing all this information! You seem to have hit a bug which we fixed in 8.13. We are working on a fix for 8.12; it should be a part of an integration version update, not the stack update, when implemented. We will keep you posted on the progress. The bug leads to no CSPM data being stored in the scores index, therefore you only see the current posture, but not the history and trendline.

Hi @willemdh

As mentioned by @maxcold, we worked on backporting the fix for Kibana 8.12, a fix was patched today, and the only step to apply the fix is to upgrade the Security Posture Management integration to v1.7.5.

You can refer to this documentation about how to upgrade an integration in case it was not set for automatic upgrades.

Once the Security Posture Management integration is upgraded to version 1.7.5, the dashboard should be fixed the next time the Elastic Agent sends the Azure findings data.

Once again, thank you for providing all the information and exploring Azure CSPM coverage in Elastic.

Let us know if you have any other questions.

Hi @maxcold @Paulo_Henrique

So weird, I didn't update CSPM Integration, but now it is on 1.7.5 and we have a trendline now. So is this the only integration which is automatically updated?

Anyway, thanks for the fix.

Just an FYI, we have another CSPM-related issue where superusers can see the findings in all Spaces, but our cloud engineers can only see it in the default Space (to which they do not have all access). This is not very logical. See support case 01585364 and enhancement request 21439.

Willem

1 Like

So for future reference, this is what I needed to visualise the score in a Lens Metric formula:

last_value(passed_findings, kql='"passed_findings": *') / last_value(total_findings, kql='"total_findings": *')
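To make the score calculation concrete outside Lens, here is an added example (not code from the thread or from Elastic) that recomputes the posture score from documents shaped like those in logs-cloud_security_posture.scores-default. It covers two points raised in the thread: the index mixes cspm, kspm and vuln_mgmt documents that must be separated by policy_template before dividing, and the score is the ratio passed_findings / total_findings of the latest document, exactly as the Lens formula above expresses it. The field names policy_template, passed_findings, failed_findings, total_findings and the severity counters come from the thread; the @timestamp field and all document values are constructed for illustration. A missing template returns None rather than 0, so "no score history" (the bug in this thread) is not mistaken for a 0% posture.

```python
# Added example (not from the thread): posture score and trend from score documents.
from datetime import datetime
from typing import Optional

# Constructed sample documents. cspm/kspm carry passed/failed/total counts;
# vuln_mgmt carries severity counters instead, so it has no posture ratio.
SAMPLE_SCORES = [
    {"@timestamp": "2024-04-15T08:00:00Z", "policy_template": "vuln_mgmt",
     "critical": 0, "high": 0, "medium": 0, "low": 0},
    {"@timestamp": "2024-04-15T08:00:00Z", "policy_template": "cspm",
     "passed_findings": 300, "failed_findings": 231, "total_findings": 531},
    {"@timestamp": "2024-04-15T08:05:00Z", "policy_template": "cspm",
     "passed_findings": 310, "failed_findings": 221, "total_findings": 531},
    {"@timestamp": "2024-04-15T08:05:00Z", "policy_template": "kspm",
     "passed_findings": 40, "failed_findings": 10, "total_findings": 50},
]


def _ts(doc: dict) -> datetime:
    # @timestamp is assumed to be ISO 8601 with a trailing Z (UTC).
    return datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))


def latest_score_doc(docs, policy_template: str) -> Optional[dict]:
    """Newest score document for one policy_template, or None if there are none.
    None is deliberately distinct from a document with a 0% score."""
    matching = [d for d in docs if d.get("policy_template") == policy_template]
    if not matching:
        return None
    return max(matching, key=_ts)


def posture_score(doc: Optional[dict]) -> Optional[float]:
    """passed_findings / total_findings, the same ratio as the Lens formula
    last_value(passed_findings) / last_value(total_findings).
    Returns None when there is no document or nothing to divide by."""
    if doc is None:
        return None
    total = doc.get("total_findings", 0)
    if not total:
        return None
    return doc.get("passed_findings", 0) / total


def score_trend(docs, policy_template: str) -> list:
    """(timestamp, score) series for a trendline, oldest first."""
    matching = sorted(
        (d for d in docs if d.get("policy_template") == policy_template), key=_ts
    )
    return [(d["@timestamp"], posture_score(d)) for d in matching]


if __name__ == "__main__":
    for tpl in ("cspm", "kspm", "vuln_mgmt"):
        score = posture_score(latest_score_doc(SAMPLE_SCORES, tpl))
        print(tpl, "no posture score" if score is None else f"{score:.1%}")
    print("cspm trend:", score_trend(SAMPLE_SCORES, "cspm"))
```

With the sample data this prints 58.4% for cspm (310 of 531 passed), 80.0% for kspm and "no posture score" for vuln_mgmt; the cspm trend shows the improvement from 300/531 to 310/531 between the two five-minute samples. When building the same thing in Lens, filtering the Data View to policy_template: cspm before applying the formula avoids mixing in the other templates' documents.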