Tessl Tile for pypi/azure-mgmt-security@7.0.0

or run

npx @tessl/cli init

Version

Tile

Overview

Evals

Files

docs

application-api-security.md cloud-security-posture.md compliance-governance.md configuration-settings.md devops-security.md index.md network-security.md security-assessment-monitoring.md vulnerability-management.md

application-api-security.mddocs/

0
# Application and API Security
1

2
Application and API security management capabilities for Azure Security Center, providing adaptive application controls, API discovery and protection, application security configuration, and comprehensive application security posture management.
3

4
## Capabilities
5

6
### Adaptive Application Controls
7

8
Manage adaptive application controls that provide application allowlisting and security recommendations.
9

10
```python { .api }
11
def list(
12
    include_path_recommendations: Optional[bool] = None,
13
    summary: Optional[bool] = None,
14
    **kwargs: Any
15
) -> Iterator[AdaptiveApplicationControlGroup]:
16
    """
17
    List adaptive application control groups.
18
    
19
    Parameters:
20
    - include_path_recommendations (bool, optional): Include path recommendations
21
    - summary (bool, optional): Return summary information only
22
    
23
    Returns:
24
    Iterator[AdaptiveApplicationControlGroup]: Iterator of control group objects
25
    """
26

27
def get(
28
    group_name: str,
29
    **kwargs: Any
30
) -> AdaptiveApplicationControlGroup:
31
    """
32
    Get details of a specific adaptive application control group.
33
    
34
    Parameters:
35
    - group_name (str): Name of the application control group
36
    
37
    Returns:
38
    AdaptiveApplicationControlGroup: Application control group details
39
    """
40

41
def put(
42
    group_name: str,
43
    body: AdaptiveApplicationControlGroup,
44
    **kwargs: Any
45
) -> AdaptiveApplicationControlGroup:
46
    """
47
    Create or update an adaptive application control group.
48
    
49
    Parameters:
50
    - group_name (str): Name of the application control group
51
    - body (AdaptiveApplicationControlGroup): Control group data
52
    
53
    Returns:
54
    AdaptiveApplicationControlGroup: Created or updated control group
55
    """
56

57
def delete(
58
    group_name: str,
59
    **kwargs: Any
60
) -> None:
61
    """
62
    Delete an adaptive application control group.
63
    
64
    Parameters:
65
    - group_name (str): Name of the application control group
66
    
67
    Returns:
68
    None
69
    """
70
```
71

72
### Application Management
73

74
Manage application security configurations and monitoring.
75

76
```python { .api }
77
def get(
78
    application_id: str,
79
    **kwargs: Any
80
) -> Application:
81
    """
82
    Get details of a specific application.
83
    
84
    Parameters:
85
    - application_id (str): ID of the application
86
    
87
    Returns:
88
    Application: Application details
89
    """
90

91
def create_or_update(
92
    application_id: str,
93
    application: Application,
94
    **kwargs: Any
95
) -> Application:
96
    """
97
    Create or update an application configuration.
98
    
99
    Parameters:
100
    - application_id (str): ID of the application
101
    - application (Application): Application configuration data
102
    
103
    Returns:
104
    Application: Created or updated application
105
    """
106

107
def delete(
108
    application_id: str,
109
    **kwargs: Any
110
) -> None:
111
    """
112
    Delete an application configuration.
113
    
114
    Parameters:
115
    - application_id (str): ID of the application
116
    
117
    Returns:
118
    None
119
    """
120
```
121

122
### Applications Management
123

124
Manage multiple applications and their security configurations.
125

126
```python { .api }
127
def list(
128
    **kwargs: Any
129
) -> Iterator[Application]:
130
    """
131
    List applications in the subscription.
132
    
133
    Returns:
134
    Iterator[Application]: Iterator of Application objects
135
    """
136
```
137

138
### Security Connector Applications
139

140
Manage applications within security connectors for multi-cloud environments.
141

142
```python { .api }
143
def get(
144
    resource_group_name: str,
145
    security_connector_name: str,
146
    application_id: str,
147
    **kwargs: Any
148
) -> Application:
149
    """
150
    Get details of a security connector application.
151
    
152
    Parameters:
153
    - resource_group_name (str): Name of the resource group
154
    - security_connector_name (str): Name of the security connector
155
    - application_id (str): ID of the application
156
    
157
    Returns:
158
    Application: Application details
159
    """
160

161
def create_or_update(
162
    resource_group_name: str,
163
    security_connector_name: str,
164
    application_id: str,
165
    application: Application,
166
    **kwargs: Any
167
) -> Application:
168
    """
169
    Create or update a security connector application.
170
    
171
    Parameters:
172
    - resource_group_name (str): Name of the resource group
173
    - security_connector_name (str): Name of the security connector
174
    - application_id (str): ID of the application
175
    - application (Application): Application configuration data
176
    
177
    Returns:
178
    Application: Created or updated application
179
    """
180

181
def delete(
182
    resource_group_name: str,
183
    security_connector_name: str,
184
    application_id: str,
185
    **kwargs: Any
186
) -> None:
187
    """
188
    Delete a security connector application.
189
    
190
    Parameters:
191
    - resource_group_name (str): Name of the resource group
192
    - security_connector_name (str): Name of the security connector
193
    - application_id (str): ID of the application
194
    
195
    Returns:
196
    None
197
    """
198
```
199

200
### Security Connector Applications Collection
201

202
Manage collections of applications within security connectors.
203

204
```python { .api }
205
def list(
206
    resource_group_name: str,
207
    security_connector_name: str,
208
    **kwargs: Any
209
) -> Iterator[Application]:
210
    """
211
    List applications in a security connector.
212
    
213
    Parameters:
214
    - resource_group_name (str): Name of the resource group
215
    - security_connector_name (str): Name of the security connector
216
    
217
    Returns:
218
    Iterator[Application]: Iterator of Application objects
219
    """
220
```
221

222
### API Collections
223

224
Manage API collections for API security and discovery.
225

226
```python { .api }
227
def list(
228
    **kwargs: Any
229
) -> Iterator[ApiCollection]:
230
    """
231
    List API collections in the subscription.
232
    
233
    Returns:
234
    Iterator[ApiCollection]: Iterator of ApiCollection objects
235
    """
236

237
def get(
238
    resource_group_name: str,
239
    service_name: str,
240
    api_collection_id: str,
241
    **kwargs: Any
242
) -> ApiCollection:
243
    """
244
    Get details of a specific API collection.
245
    
246
    Parameters:
247
    - resource_group_name (str): Name of the resource group
248
    - service_name (str): Name of the service
249
    - api_collection_id (str): ID of the API collection
250
    
251
    Returns:
252
    ApiCollection: API collection details
253
    """
254

255
def list_by_resource_group(
256
    resource_group_name: str,
257
    service_name: str,
258
    **kwargs: Any
259
) -> Iterator[ApiCollection]:
260
    """
261
    List API collections in a resource group and service.
262
    
263
    Parameters:
264
    - resource_group_name (str): Name of the resource group
265
    - service_name (str): Name of the service
266
    
267
    Returns:
268
    Iterator[ApiCollection]: Iterator of ApiCollection objects
269
    """
270
```
271

272
### API Collection Operations
273

274
Manage API collection onboarding and offboarding operations.
275

276
```python { .api }
277
def onboard(
278
    resource_group_name: str,
279
    service_name: str,
280
    api_collection_id: str,
281
    **kwargs: Any
282
) -> None:
283
    """
284
    Onboard an API collection for security monitoring.
285
    
286
    Parameters:
287
    - resource_group_name (str): Name of the resource group
288
    - service_name (str): Name of the service
289
    - api_collection_id (str): ID of the API collection
290
    
291
    Returns:
292
    None
293
    """
294

295
def offboard(
296
    resource_group_name: str,
297
    service_name: str,
298
    api_collection_id: str,
299
    **kwargs: Any
300
) -> None:
301
    """
302
    Offboard an API collection from security monitoring.
303
    
304
    Parameters:
305
    - resource_group_name (str): Name of the resource group
306
    - service_name (str): Name of the service
307
    - api_collection_id (str): ID of the API collection
308
    
309
    Returns:
310
    None
311
    """
312
```
313

314
### Single API Collection Management
315

316
Manage individual API collections with detailed configuration.
317

318
```python { .api }
319
def get_by_azure_api_management_service(
320
    resource_group_name: str,
321
    service_name: str,
322
    api_collection_id: str,
323
    **kwargs: Any
324
) -> ApiCollection:
325
    """
326
    Get an API collection by Azure API Management service.
327
    
328
    Parameters:
329
    - resource_group_name (str): Name of the resource group
330
    - service_name (str): Name of the API Management service
331
    - api_collection_id (str): ID of the API collection
332
    
333
    Returns:
334
    ApiCollection: API collection details
335
    """
336
```
337

338
## Types
339

340
```python { .api }
341
class AdaptiveApplicationControlGroup:
342
    id: Optional[str]
343
    name: Optional[str]
344
    type: Optional[str]
345
    location: Optional[str]
346
    enforcement_mode: Optional[str]            # Audit, Enforce, None
347
    protection_mode: Optional[ProtectionMode]
348
    configuration_status: Optional[str]        # Configured, NotConfigured, InProgress, Failed, NoStatus
349
    recommendation_status: Optional[str]       # Recommended, NotRecommended, NotAvailable, NoStatus
350
    issues: Optional[List[AdaptiveApplicationControlIssueSummary]]
351
    source_system: Optional[str]               # Azure_AppLocker, Azure_AuditD, NonAzureAppLocker
352
    vm_recommendations: Optional[List[VmRecommendation]]
353
    path_recommendations: Optional[List[PathRecommendation]]
354

355
class Application:
356
    id: Optional[str]
357
    name: Optional[str]
358
    type: Optional[str]
359
    system_data: Optional[SystemData]
360
    display_name: Optional[str]
361
    description: Optional[str]
362
    source_resource_type: Optional[str]        # Assessments
363
    condition_sets: Optional[List[ApplicationConditionSet]]
364

365
class ApiCollection:
366
    id: Optional[str]
367
    name: Optional[str]
368
    type: Optional[str]
369
    display_name: Optional[str]
370
    discovered_via: Optional[str]
371
    base_url: Optional[str]
372
    number_of_api_endpoints: Optional[int]
373
    number_of_api_endpoints_with_sensitive_data_exposed: Optional[int]
374
    number_of_external_api_endpoints: Optional[int]
375
    number_of_internal_api_endpoints: Optional[int]
376
    number_of_inactive_api_endpoints: Optional[int]
377
    number_of_unauthenticated_api_endpoints: Optional[int]
378
    sensitivity_label: Optional[str]
379

380
class VmRecommendation:
381
    configuration_status: Optional[str]
382
    recommendation_action: Optional[str]       # Recommended, Add, Remove
383
    resource_id: Optional[str]
384
    enforcement_support: Optional[str]         # Supported, NotSupported, Unknown
385

386
class PathRecommendation:
387
    path: Optional[str]
388
    action: Optional[str]                      # Recommended, Add, Remove
389
    type: Optional[str]                        # File, FileHash, PublisherSignature, ProductSignature, BinarySignature, VersionAndAboveSignature
390
    publisher_info: Optional[PublisherInfo]
391
    common: Optional[bool]
392
    user_sids: Optional[List[str]]
393
    usernames: Optional[List[str]]
394
    file_type: Optional[str]                   # Exe, Dll, Msi, Script, Executable, Unknown
395
    configuration_status: Optional[str]
396

397
class AdaptiveApplicationControlIssueSummary:
398
    issue: Optional[str]                       # ViolationsAudited, ViolationsBlocked, MsiAndScriptViolationsAudited, MsiAndScriptViolationsBlocked, ExecutableViolationsAudited, RulesViolatedManually
399
    number_of_vms: Optional[float]
400

401
class ApplicationConditionSet:
402
    conditions: Optional[List[ApplicationCondition]]
403

404
class ApplicationCondition:
405
    property: Optional[str]
406
    value: Optional[str]
407
    operator: Optional[str]                    # Equals, EqualsIgnoreCase, NotEquals, NotEqualsIgnoreCase, GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith
408

409
class PublisherInfo:
410
    publisher_name: Optional[str]
411
    product_name: Optional[str]
412
    binary_name: Optional[str]
413
    version: Optional[str]
414

415
class ProtectionMode:
416
    exe: Optional[str]                         # Audit, Enforce, None
417
    msi: Optional[str]                         # Audit, Enforce, None
418
    script: Optional[str]                      # Audit, Enforce, None
419
    executable: Optional[str]                  # Audit, Enforce, None
420
```
421

422
## Usage Examples
423

424
### Adaptive Application Controls Management
425

426
```python
427
from azure.identity import DefaultAzureCredential
428
from azure.mgmt.security import SecurityCenter
429

430
credential = DefaultAzureCredential()
431
client = SecurityCenter(credential, "subscription-id")
432

433
# List all adaptive application control groups
434
control_groups = client.adaptive_application_controls.list(
435
    include_path_recommendations=True,
436
    summary=False
437
)
438

439
for group in control_groups:
440
    print(f"Control Group: {group.name}")
441
    print(f"Enforcement Mode: {group.enforcement_mode}")
442
    print(f"Configuration Status: {group.configuration_status}")
443
    print(f"Protection Mode - EXE: {group.protection_mode.exe if group.protection_mode else 'N/A'}")
444
    
445
    # Show VM recommendations
446
    if group.vm_recommendations:
447
        print(f"VM Recommendations: {len(group.vm_recommendations)}")
448
        for vm_rec in group.vm_recommendations:
449
            print(f"  VM: {vm_rec.resource_id}")
450
            print(f"  Action: {vm_rec.recommendation_action}")
451
            print(f"  Status: {vm_rec.configuration_status}")
452
    
453
    # Show path recommendations
454
    if group.path_recommendations:
455
        print(f"Path Recommendations: {len(group.path_recommendations)}")
456
        for path_rec in group.path_recommendations[:5]:  # Show first 5
457
            print(f"  Path: {path_rec.path}")
458
            print(f"  Action: {path_rec.action}")
459
            print(f"  Type: {path_rec.type}")
460
            print(f"  Common: {path_rec.common}")
461
    
462
    # Show issues
463
    if group.issues:
464
        print(f"Issues: {len(group.issues)}")
465
        for issue in group.issues:
466
            print(f"  Issue: {issue.issue}")
467
            print(f"  Affected VMs: {issue.number_of_vms}")
468

469
# Get specific control group
470
specific_group = client.adaptive_application_controls.get("group-name")
471
print(f"Specific Group: {specific_group.name}")
472
print(f"Location: {specific_group.location}")
473
print(f"Source System: {specific_group.source_system}")
474

475
# Update control group enforcement mode
476
updated_group = {
477
    "enforcement_mode": "Enforce",
478
    "protection_mode": {
479
        "exe": "Enforce",
480
        "msi": "Audit", 
481
        "script": "Audit",
482
        "executable": "Enforce"
483
    }
484
}
485

486
result = client.adaptive_application_controls.put(
487
    "group-name",
488
    updated_group
489
)
490
print(f"Updated enforcement mode to: {result.enforcement_mode}")
491
```
492

493
### Application Security Management
494

495
```python
496
# List all applications
497
applications = client.applications.list()
498

499
for app in applications:
500
    print(f"Application: {app.display_name}")
501
    print(f"Description: {app.description}")
502
    print(f"Source Resource Type: {app.source_resource_type}")
503
    
504
    # Show condition sets
505
    if app.condition_sets:
506
        print(f"Condition Sets: {len(app.condition_sets)}")
507
        for condition_set in app.condition_sets:
508
            if condition_set.conditions:
509
                for condition in condition_set.conditions:
510
                    print(f"  Condition: {condition.property} {condition.operator} {condition.value}")
511

512
# Create a new application
513
new_application = {
514
    "display_name": "Critical Web Application",
515
    "description": "Web application handling sensitive customer data",
516
    "source_resource_type": "Assessments",
517
    "condition_sets": [{
518
        "conditions": [{
519
            "property": "$.AssessmentDisplayName",
520
            "value": "Web application",
521
            "operator": "Contains"
522
        }, {
523
            "property": "$.ResourceType", 
524
            "value": "Microsoft.Web/sites",
525
            "operator": "Equals"
526
        }]
527
    }]
528
}
529

530
app = client.application.create_or_update(
531
    "app-001",
532
    new_application
533
)
534
print(f"Created application: {app.display_name}")
535

536
# Get specific application details
537
app_details = client.application.get("app-001")
538
print(f"Application Details: {app_details.display_name}")
539
print(f"System Data: {app_details.system_data}")
540
```
541

542
### Security Connector Application Management
543

544
```python
545
# List applications in a security connector
546
connector_apps = client.security_connector_applications.list(
547
    "security-rg",
548
    "multi-cloud-connector"
549
)
550

551
for app in connector_apps:
552
    print(f"Connector Application: {app.display_name}")
553
    print(f"Description: {app.description}")
554

555
# Create application in security connector
556
connector_app = {
557
    "display_name": "AWS Lambda Security Assessment",
558
    "description": "Security assessment for AWS Lambda functions",
559
    "source_resource_type": "Assessments",
560
    "condition_sets": [{
561
        "conditions": [{
562
            "property": "$.CloudProvider",
563
            "value": "AWS",
564
            "operator": "Equals"
565
        }, {
566
            "property": "$.ResourceType",
567
            "value": "AWS::Lambda::Function", 
568
            "operator": "Equals"
569
        }]
570
    }]
571
}
572

573
app = client.security_connector_application.create_or_update(
574
    "security-rg",
575
    "multi-cloud-connector",
576
    "aws-lambda-app",
577
    connector_app
578
)
579
print(f"Created connector application: {app.display_name}")
580

581
# Get connector application details
582
app_details = client.security_connector_application.get(
583
    "security-rg",
584
    "multi-cloud-connector", 
585
    "aws-lambda-app"
586
)
587
print(f"Connector App Details: {app_details.display_name}")
588
```
589

590
### API Security Management
591

592
```python
593
# List all API collections
594
api_collections = client.api_collections.list()
595

596
for collection in api_collections:
597
    print(f"API Collection: {collection.display_name}")
598
    print(f"Base URL: {collection.base_url}")
599
    print(f"Total Endpoints: {collection.number_of_api_endpoints}")
600
    print(f"External Endpoints: {collection.number_of_external_api_endpoints}")
601
    print(f"Internal Endpoints: {collection.number_of_internal_api_endpoints}")
602
    print(f"Unauthenticated Endpoints: {collection.number_of_unauthenticated_api_endpoints}")
603
    print(f"Endpoints with Sensitive Data: {collection.number_of_api_endpoints_with_sensitive_data_exposed}")
604
    print(f"Inactive Endpoints: {collection.number_of_inactive_api_endpoints}")
605
    print(f"Sensitivity Label: {collection.sensitivity_label}")
606
    print(f"Discovered Via: {collection.discovered_via}")
607

608
# Get specific API collection
609
api_collection = client.api_collections.get(
610
    "api-rg",
611
    "api-management-service",
612
    "collection-001"
613
)
614
print(f"API Collection: {api_collection.display_name}")
615

616
# List API collections by resource group
617
rg_collections = client.api_collections.list_by_resource_group(
618
    "api-rg",
619
    "api-management-service"
620
)
621

622
high_risk_collections = []
623
for collection in rg_collections:
624
    # Identify high-risk collections
625
    risk_score = 0
626
    
627
    if collection.number_of_unauthenticated_api_endpoints and collection.number_of_unauthenticated_api_endpoints > 0:
628
        risk_score += 3
629
    
630
    if (collection.number_of_api_endpoints_with_sensitive_data_exposed and 
631
        collection.number_of_api_endpoints_with_sensitive_data_exposed > 0):
632
        risk_score += 5
633
    
634
    if collection.number_of_external_api_endpoints and collection.number_of_external_api_endpoints > 0:
635
        risk_score += 1
636
    
637
    if risk_score >= 4:
638
        high_risk_collections.append((collection, risk_score))
639

640
print(f"\nHigh-Risk API Collections: {len(high_risk_collections)}")
641
for collection, score in high_risk_collections:
642
    print(f"  {collection.display_name} (Risk Score: {score})")
643
    print(f"    Base URL: {collection.base_url}")
644
    print(f"    Unauthenticated: {collection.number_of_unauthenticated_api_endpoints}")
645
    print(f"    Sensitive Data Exposed: {collection.number_of_api_endpoints_with_sensitive_data_exposed}")
646

647
# Onboard/Offboard API collections
648
client.api_collection_onboarding.onboard(
649
    "api-rg",
650
    "api-management-service", 
651
    "collection-001"
652
)
653
print("API collection onboarded for security monitoring")
654

655
# Later, if needed
656
# client.api_collection_offboarding.offboard(
657
#     "api-rg",
658
#     "api-management-service",
659
#     "collection-001"
660
# )
661
```
662

663
### Application Security Dashboard
664

665
```python
666
def create_application_security_dashboard():
667
    """Create a comprehensive application security dashboard."""
668
    
669
    print("Application Security Dashboard")
670
    print("=" * 50)
671
    
672
    # Adaptive Application Controls
673
    print("\n1. Adaptive Application Controls:")
674
    control_groups = client.adaptive_application_controls.list(summary=True)
675
    
676
    total_groups = 0
677
    enforced_groups = 0
678
    groups_with_issues = 0
679
    
680
    for group in control_groups:
681
        total_groups += 1
682
        if group.enforcement_mode == "Enforce":
683
            enforced_groups += 1
684
        if group.issues and len(group.issues) > 0:
685
            groups_with_issues += 1
686
    
687
    print(f"   Total Control Groups: {total_groups}")
688
    print(f"   Enforced Groups: {enforced_groups}")
689
    print(f"   Groups with Issues: {groups_with_issues}")
690
    
691
    # Applications
692
    print("\n2. Applications:")
693
    applications = client.applications.list()
694
    app_count = sum(1 for _ in applications)
695
    print(f"   Total Applications: {app_count}")
696
    
697
    # API Collections
698
    print("\n3. API Collections:")
699
    api_collections = client.api_collections.list()
700
    
701
    total_apis = 0
702
    total_endpoints = 0
703
    sensitive_endpoints = 0
704
    unauthenticated_endpoints = 0
705
    
706
    for collection in api_collections:
707
        total_apis += 1
708
        if collection.number_of_api_endpoints:
709
            total_endpoints += collection.number_of_api_endpoints
710
        if collection.number_of_api_endpoints_with_sensitive_data_exposed:
711
            sensitive_endpoints += collection.number_of_api_endpoints_with_sensitive_data_exposed
712
        if collection.number_of_unauthenticated_api_endpoints:
713
            unauthenticated_endpoints += collection.number_of_unauthenticated_api_endpoints
714
    
715
    print(f"   Total API Collections: {total_apis}")
716
    print(f"   Total API Endpoints: {total_endpoints}")
717
    print(f"   Sensitive Data Endpoints: {sensitive_endpoints}")
718
    print(f"   Unauthenticated Endpoints: {unauthenticated_endpoints}")
719
    
720
    # Security Recommendations
721
    print("\n4. Security Recommendations:")
722
    if total_endpoints > 0:
723
        auth_coverage = ((total_endpoints - unauthenticated_endpoints) / total_endpoints) * 100
724
        sensitive_ratio = (sensitive_endpoints / total_endpoints) * 100 if total_endpoints > 0 else 0
725
        
726
        print(f"   Authentication Coverage: {auth_coverage:.1f}%")
727
        print(f"   Sensitive Data Exposure: {sensitive_ratio:.1f}%")
728
        
729
        if auth_coverage < 90:
730
            print("   ⚠️  Low authentication coverage detected")
731
        if sensitive_ratio > 10:
732
            print("   ⚠️  High sensitive data exposure detected")
733
    
734
    return {
735
        "control_groups": total_groups,
736
        "enforced_groups": enforced_groups,
737
        "groups_with_issues": groups_with_issues,
738
        "applications": app_count,
739
        "api_collections": total_apis,
740
        "total_endpoints": total_endpoints,
741
        "sensitive_endpoints": sensitive_endpoints,
742
        "unauthenticated_endpoints": unauthenticated_endpoints
743
    }
744

745
# Generate the dashboard
746
dashboard_data = create_application_security_dashboard()
747
```

Version

Tile

Files

application-api-security.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}docs/

application-api-security.mddocs/