From 18844788895e8dc51010689b72517e49dbda05e5 Mon Sep 17 00:00:00 2001
From: Jurjen Ladenius
Date: Tue, 21 May 2024 15:07:48 +0200
Subject: [PATCH] - New subscriptions #100584 - Turned off Azure Defender for ignore storage accounts #100211
---
 Custom roles/Storage Data Contributor.json | 4 +-
 Custom roles/Storage Data Reader.json | 4 +-
 ...torage Account Azure Defender settings.ps1 | 134 ++++++++++++++++++
 3 files changed, 140 insertions(+), 2 deletions(-)
 create mode 100644 Powershell/Tools/Storage Account Azure Defender settings.ps1

diff --git a/Custom roles/Storage Data Contributor.json b/Custom roles/Storage Data Contributor.json
index aca74b2..5feeffa 100644
--- a/Custom roles/Storage Data Contributor.json
+++ b/Custom roles/Storage Data Contributor.json
@@ -76,6 +76,8 @@
 "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
 "/subscriptions/e33c30f7-06c7-4765-86a9-7a8979b6d1cc",
 "/subscriptions/2021c41e-3582-40a1-85e5-59588741e6d3",
- "/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d"
+ "/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d",
+ "/subscriptions/181146cf-2354-4167-a6db-94ad14329c4d",
+ "/subscriptions/38a6726a-7c4d-402c-8bc2-36677fc0c3b4"
 ]
 }
\ No newline at end of file
diff --git a/Custom roles/Storage Data Reader.json b/Custom roles/Storage Data Reader.json
index 7276174..d0c3b1b 100644
--- a/Custom roles/Storage Data Reader.json
+++ b/Custom roles/Storage Data Reader.json
@@ -58,6 +58,8 @@
 "/subscriptions/cea89b67-6bfd-47c6-b7fa-9b8006b664ea",
 "/subscriptions/2161debe-6042-4633-b10e-de77c06cabc6",
 "/subscriptions/2021c41e-3582-40a1-85e5-59588741e6d3",
- "/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d"
+ "/subscriptions/17a9bacf-5a67-44bf-a532-950a4b3bf25d",
+ "/subscriptions/181146cf-2354-4167-a6db-94ad14329c4d",
+ "/subscriptions/38a6726a-7c4d-402c-8bc2-36677fc0c3b4"
 ]
 }
diff --git a/Powershell/Tools/Storage Account Azure Defender settings.ps1 b/Powershell/Tools/Storage Account Azure Defender settings.ps1
new file mode 100644
index 0000000..e969406
--- /dev/null
+++ b/Powershell/Tools/Storage Account Azure Defender settings.ps1
@@ -0,0 +1,134 @@
+#Connect-AzAccount
+function GetAzureDefender {
+ param (
+ [string] $resourceId
+ )
+
+ #https://learn.microsoft.com/en-us/rest/api/defenderforcloud/defender-for-storage/create?view=rest-defenderforcloud-2022-12-01-preview&tabs=HTTP
+
+ $access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
+ $url = "https://management.azure.com/$resourceId/providers/Microsoft.Security/defenderForStorageSettings/current?api-version=2022-12-01-preview"
+
+ $head = @{ Authorization =" Bearer $access_token" }
+ $response = Invoke-RestMethod -Uri $url -Method Get -Headers $head -ContentType "application/json"
+ return ($response.properties.overrideSubscriptionLevelSettings -and !$response.properties.isEnabled)
+}
+
+function TurnOffAzureDefender {
+ param (
+ [string] $resourceId
+ )
+
+ $patchValue = '
+ {
+ "properties": {
+ "isEnabled": false,
+ "sensitiveDataDiscovery": {
+ "isEnabled": false
+ },
+ "malwareScanning": {
+ "onUpload": {
+ "isEnabled": false,
+ "capGBPerMonth": -1
+ }
+ },
+ "overrideSubscriptionLevelSettings": true
+ }
+ }
+ '
+
+ #https://learn.microsoft.com/en-us/rest/api/defenderforcloud/defender-for-storage/create?view=rest-defenderforcloud-2022-12-01-preview&tabs=HTTP
+
+ $access_token = (Get-AzAccessToken -TenantId "e9792fd7-4044-47e7-a40d-3fba46f1cd09").Token
+ $url = "https://management.azure.com/$resourceId/providers/Microsoft.Security/defenderForStorageSettings/current?api-version=2022-12-01-preview"
+
+ $head = @{ Authorization =" Bearer $access_token" }
+ Invoke-RestMethod -Uri $url -Method Put -Headers $head -Body $patchValue -ContentType "application/json" | Out-Null
+}
+
+class ResourceCheck {
+ [string] $ManagementGroupId = ""
+ [string] $ManagementGroupName = ""
+ [string] $SubscriptionId = ""
+ [string] $SubscriptionName = ""
+ [string] $ResourceId = ""
+ [string] $ResourceGroupName = ""
+ [string] $StorageAccountName = ""
+ [string] $Location = ""
+ [string] $Tag_Team = ""
+ [string] $Tag_Product = ""
+ [string] $Tag_Environment = ""
+ [string] $Tag_Data = ""
+ [string] $Tag_CreatedOnDate = ""
+ [string] $Tag_Deployment = ""
+ [string] $Tag_BackupPolicy = ""
+ [string] $PreviousOverrideSubscription = ""
+ [string] $Action = "None"
+}
+
+[string] $date = Get-Date -Format "yyyy-MM-dd HHmm"
+$fileName = ".\$date Processed Storage Accounts.csv"
+
+Write-Host "======================================================================================================================================================================"
+Write-Host "Updating Azure defender settings."
+Write-Host "======================================================================================================================================================================"
+
+$managementGroups = Get-AzManagementGroup
+
+foreach ($managementGroup in $managementGroups)
+{
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ Write-Host "Management group [$($managementGroup.Name)]"
+
+ $subscriptions = Get-AzManagementGroupSubscription -Group $managementGroup.Name | Where-Object State -eq "Active" | Where-Object DisplayName -NotLike "Visual Studio*"
+
+ foreach ($subscription in $subscriptions)
+ {
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+ $scope = $subscription.Id.Substring($subscription.Parent.Length, $subscription.Id.Length - $subscription.Parent.Length)
+ $subscriptionId = $scope.Replace("/subscriptions/", "")
+ Write-Host "Subscription [$($subscription.DisplayName) - $subscriptionId]"
+ Set-AzContext -SubscriptionId $subscriptionId | Out-Null
+ Write-Host "----------------------------------------------------------------------------------------------------------------------------------------------------------------------"
+
+ [ResourceCheck[]]$Result = @()
+
+ $allResources = Get-AzStorageAccount
+
+ foreach ($resource in $allResources) {
+
+ [ResourceCheck] $resourceCheck = [ResourceCheck]::new()
+ $resourceCheck.ManagementGroupId = $managementGroup.Id
+ $resourceCheck.ManagementGroupName = $managementGroup.DisplayName
+ $resourceCheck.SubscriptionId = $subscription.Id
+ $resourceCheck.SubscriptionName = $subscription.DisplayName
+ $resourceCheck.ResourceId = $resource.Id
+ $resourceCheck.Location = $resource.Location
+ $resourceCheck.StorageAccountName = $resource.StorageAccountName
+ $resourceCheck.ResourceGroupName = $resource.ResourceGroupName
+ $resourceCheck.Tag_Team = $resource.Tags.team
+ $resourceCheck.Tag_Product = $resource.Tags.product
+ $resourceCheck.Tag_Environment = $resource.Tags.environment
+ $resourceCheck.Tag_Data = $resource.Tags.data
+ $resourceCheck.Tag_CreatedOnDate = $resource.Tags.CreatedOnDate
+ $resourceCheck.Tag_Deployment = $resource.Tags.drp_deployment
+ $resourceCheck.Tag_BackupPolicy = $resource.Tags.drp_backup_policy
+
+ $resourceCheck.PreviousOverrideSubscription = GetAzureDefender -resourceId $resource.Id
+
+ # set overrideSubscriptionLevelSettings
+ if ($resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False") {
+ $resourceCheck.Action = "Turned off"
+
+ TurnOffAzureDefender -resourceId $resource.Id
+ }
+
+ $Result += $resourceCheck
+ }
+
+ $Result | Export-Csv -Path $fileName -Append -NoTypeInformation
+
+ }
+}
+Write-Host "======================================================================================================================================================================"
+Write-Host "Done."
\ No newline at end of file
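Review bot: The decision to disable Defender for Storage in `if ($resourceCheck.Tag_BackupPolicy.ToLower() -eq "ignore" -and $resourceCheck.PreviousOverrideSubscription -eq "False")` rests on a single mutable resource tag (`drp_backup_policy`), so anyone who can write tags on a storage account can switch off malware scanning and sensitive-data discovery for it without touching any Defender setting; the CSV row should at least record the tag value that triggered the change, and the run should honour `-WhatIf` before calling `TurnOffAzureDefender`. `GetAzureDefender` returns a boolean meaning "override set and Defender disabled", but it lands in the `[string] $PreviousOverrideSubscription` property and is compared as `-eq "False"`; declare it `[bool] $PreviousOverrideSubscription = $false`, compare with `-eq $false`, and add `# Returns $true when Defender for Storage is already explicitly disabled on this account` above the function so the name does not mislead. The tenant id passed to `Get-AzAccessToken` is repeated in both functions and belongs in one script-level variable. `Invoke-RestMethod` throws on a non-2xx response and nothing catches it, so a single failing account aborts the whole run before `Export-Csv` has written that subscription's rows; a per-account try/catch that records the failure in `Action` would keep the audit trail complete.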