tessl/pypi-azure-mgmt-security
Microsoft Azure Security Center Management Client Library for Python
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
application-api-security.mddocs/
Application and API Security
Application and API security management capabilities for Azure Security Center, providing adaptive application controls, API discovery and protection, application security configuration, and comprehensive application security posture management.
Capabilities
Adaptive Application Controls
Manage adaptive application controls that provide application allowlisting and security recommendations.
def list(
include_path_recommendations: Optional[bool] = None,
summary: Optional[bool] = None,
**kwargs: Any
) -> Iterator[AdaptiveApplicationControlGroup]:
"""
List adaptive application control groups.
Parameters:
- include_path_recommendations (bool, optional): Include path recommendations
- summary (bool, optional): Return summary information only
Returns:
Iterator[AdaptiveApplicationControlGroup]: Iterator of control group objects
"""
def get(
group_name: str,
**kwargs: Any
) -> AdaptiveApplicationControlGroup:
"""
Get details of a specific adaptive application control group.
Parameters:
- group_name (str): Name of the application control group
Returns:
AdaptiveApplicationControlGroup: Application control group details
"""
def put(
group_name: str,
body: AdaptiveApplicationControlGroup,
**kwargs: Any
) -> AdaptiveApplicationControlGroup:
"""
Create or update an adaptive application control group.
Parameters:
- group_name (str): Name of the application control group
- body (AdaptiveApplicationControlGroup): Control group data
Returns:
AdaptiveApplicationControlGroup: Created or updated control group
"""
def delete(
group_name: str,
**kwargs: Any
) -> None:
"""
Delete an adaptive application control group.
Parameters:
- group_name (str): Name of the application control group
Returns:
None
"""Application Management
Manage application security configurations and monitoring.
def get(
application_id: str,
**kwargs: Any
) -> Application:
"""
Get details of a specific application.
Parameters:
- application_id (str): ID of the application
Returns:
Application: Application details
"""
def create_or_update(
application_id: str,
application: Application,
**kwargs: Any
) -> Application:
"""
Create or update an application configuration.
Parameters:
- application_id (str): ID of the application
- application (Application): Application configuration data
Returns:
Application: Created or updated application
"""
def delete(
application_id: str,
**kwargs: Any
) -> None:
"""
Delete an application configuration.
Parameters:
- application_id (str): ID of the application
Returns:
None
"""Applications Management
Manage multiple applications and their security configurations.
def list(
**kwargs: Any
) -> Iterator[Application]:
"""
List applications in the subscription.
Returns:
Iterator[Application]: Iterator of Application objects
"""Security Connector Applications
Manage applications within security connectors for multi-cloud environments.
def get(
resource_group_name: str,
security_connector_name: str,
application_id: str,
**kwargs: Any
) -> Application:
"""
Get details of a security connector application.
Parameters:
- resource_group_name (str): Name of the resource group
- security_connector_name (str): Name of the security connector
- application_id (str): ID of the application
Returns:
Application: Application details
"""
def create_or_update(
resource_group_name: str,
security_connector_name: str,
application_id: str,
application: Application,
**kwargs: Any
) -> Application:
"""
Create or update a security connector application.
Parameters:
- resource_group_name (str): Name of the resource group
- security_connector_name (str): Name of the security connector
- application_id (str): ID of the application
- application (Application): Application configuration data
Returns:
Application: Created or updated application
"""
def delete(
resource_group_name: str,
security_connector_name: str,
application_id: str,
**kwargs: Any
) -> None:
"""
Delete a security connector application.
Parameters:
- resource_group_name (str): Name of the resource group
- security_connector_name (str): Name of the security connector
- application_id (str): ID of the application
Returns:
None
"""Security Connector Applications Collection
Manage collections of applications within security connectors.
def list(
resource_group_name: str,
security_connector_name: str,
**kwargs: Any
) -> Iterator[Application]:
"""
List applications in a security connector.
Parameters:
- resource_group_name (str): Name of the resource group
- security_connector_name (str): Name of the security connector
Returns:
Iterator[Application]: Iterator of Application objects
"""API Collections
Manage API collections for API security and discovery.
def list(
**kwargs: Any
) -> Iterator[ApiCollection]:
"""
List API collections in the subscription.
Returns:
Iterator[ApiCollection]: Iterator of ApiCollection objects
"""
def get(
resource_group_name: str,
service_name: str,
api_collection_id: str,
**kwargs: Any
) -> ApiCollection:
"""
Get details of a specific API collection.
Parameters:
- resource_group_name (str): Name of the resource group
- service_name (str): Name of the service
- api_collection_id (str): ID of the API collection
Returns:
ApiCollection: API collection details
"""
def list_by_resource_group(
resource_group_name: str,
service_name: str,
**kwargs: Any
) -> Iterator[ApiCollection]:
"""
List API collections in a resource group and service.
Parameters:
- resource_group_name (str): Name of the resource group
- service_name (str): Name of the service
Returns:
Iterator[ApiCollection]: Iterator of ApiCollection objects
"""API Collection Operations
Manage API collection onboarding and offboarding operations.
def onboard(
resource_group_name: str,
service_name: str,
api_collection_id: str,
**kwargs: Any
) -> None:
"""
Onboard an API collection for security monitoring.
Parameters:
- resource_group_name (str): Name of the resource group
- service_name (str): Name of the service
- api_collection_id (str): ID of the API collection
Returns:
None
"""
def offboard(
resource_group_name: str,
service_name: str,
api_collection_id: str,
**kwargs: Any
) -> None:
"""
Offboard an API collection from security monitoring.
Parameters:
- resource_group_name (str): Name of the resource group
- service_name (str): Name of the service
- api_collection_id (str): ID of the API collection
Returns:
None
"""Single API Collection Management
Manage individual API collections with detailed configuration.
def get_by_azure_api_management_service(
resource_group_name: str,
service_name: str,
api_collection_id: str,
**kwargs: Any
) -> ApiCollection:
"""
Get an API collection by Azure API Management service.
Parameters:
- resource_group_name (str): Name of the resource group
- service_name (str): Name of the API Management service
- api_collection_id (str): ID of the API collection
Returns:
ApiCollection: API collection details
"""Types
class AdaptiveApplicationControlGroup:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
enforcement_mode: Optional[str] # Audit, Enforce, None
protection_mode: Optional[ProtectionMode]
configuration_status: Optional[str] # Configured, NotConfigured, InProgress, Failed, NoStatus
recommendation_status: Optional[str] # Recommended, NotRecommended, NotAvailable, NoStatus
issues: Optional[List[AdaptiveApplicationControlIssueSummary]]
source_system: Optional[str] # Azure_AppLocker, Azure_AuditD, NonAzureAppLocker
vm_recommendations: Optional[List[VmRecommendation]]
path_recommendations: Optional[List[PathRecommendation]]
class Application:
id: Optional[str]
name: Optional[str]
type: Optional[str]
system_data: Optional[SystemData]
display_name: Optional[str]
description: Optional[str]
source_resource_type: Optional[str] # Assessments
condition_sets: Optional[List[ApplicationConditionSet]]
class ApiCollection:
id: Optional[str]
name: Optional[str]
type: Optional[str]
display_name: Optional[str]
discovered_via: Optional[str]
base_url: Optional[str]
number_of_api_endpoints: Optional[int]
number_of_api_endpoints_with_sensitive_data_exposed: Optional[int]
number_of_external_api_endpoints: Optional[int]
number_of_internal_api_endpoints: Optional[int]
number_of_inactive_api_endpoints: Optional[int]
number_of_unauthenticated_api_endpoints: Optional[int]
sensitivity_label: Optional[str]
class VmRecommendation:
configuration_status: Optional[str]
recommendation_action: Optional[str] # Recommended, Add, Remove
resource_id: Optional[str]
enforcement_support: Optional[str] # Supported, NotSupported, Unknown
class PathRecommendation:
path: Optional[str]
action: Optional[str] # Recommended, Add, Remove
type: Optional[str] # File, FileHash, PublisherSignature, ProductSignature, BinarySignature, VersionAndAboveSignature
publisher_info: Optional[PublisherInfo]
common: Optional[bool]
user_sids: Optional[List[str]]
usernames: Optional[List[str]]
file_type: Optional[str] # Exe, Dll, Msi, Script, Executable, Unknown
configuration_status: Optional[str]
class AdaptiveApplicationControlIssueSummary:
issue: Optional[str] # ViolationsAudited, ViolationsBlocked, MsiAndScriptViolationsAudited, MsiAndScriptViolationsBlocked, ExecutableViolationsAudited, RulesViolatedManually
number_of_vms: Optional[float]
class ApplicationConditionSet:
conditions: Optional[List[ApplicationCondition]]
class ApplicationCondition:
property: Optional[str]
value: Optional[str]
operator: Optional[str] # Equals, EqualsIgnoreCase, NotEquals, NotEqualsIgnoreCase, GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual, Contains, NotContains, StartsWith, NotStartsWith, EndsWith, NotEndsWith
class PublisherInfo:
publisher_name: Optional[str]
product_name: Optional[str]
binary_name: Optional[str]
version: Optional[str]
class ProtectionMode:
exe: Optional[str] # Audit, Enforce, None
msi: Optional[str] # Audit, Enforce, None
script: Optional[str] # Audit, Enforce, None
executable: Optional[str] # Audit, Enforce, NoneUsage Examples
Adaptive Application Controls Management
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
credential = DefaultAzureCredential()
client = SecurityCenter(credential, "subscription-id")
# List all adaptive application control groups
control_groups = client.adaptive_application_controls.list(
include_path_recommendations=True,
summary=False
)
for group in control_groups:
print(f"Control Group: {group.name}")
print(f"Enforcement Mode: {group.enforcement_mode}")
print(f"Configuration Status: {group.configuration_status}")
print(f"Protection Mode - EXE: {group.protection_mode.exe if group.protection_mode else 'N/A'}")
# Show VM recommendations
if group.vm_recommendations:
print(f"VM Recommendations: {len(group.vm_recommendations)}")
for vm_rec in group.vm_recommendations:
print(f" VM: {vm_rec.resource_id}")
print(f" Action: {vm_rec.recommendation_action}")
print(f" Status: {vm_rec.configuration_status}")
# Show path recommendations
if group.path_recommendations:
print(f"Path Recommendations: {len(group.path_recommendations)}")
for path_rec in group.path_recommendations[:5]: # Show first 5
print(f" Path: {path_rec.path}")
print(f" Action: {path_rec.action}")
print(f" Type: {path_rec.type}")
print(f" Common: {path_rec.common}")
# Show issues
if group.issues:
print(f"Issues: {len(group.issues)}")
for issue in group.issues:
print(f" Issue: {issue.issue}")
print(f" Affected VMs: {issue.number_of_vms}")
# Get specific control group
specific_group = client.adaptive_application_controls.get("group-name")
print(f"Specific Group: {specific_group.name}")
print(f"Location: {specific_group.location}")
print(f"Source System: {specific_group.source_system}")
# Update control group enforcement mode
updated_group = {
"enforcement_mode": "Enforce",
"protection_mode": {
"exe": "Enforce",
"msi": "Audit",
"script": "Audit",
"executable": "Enforce"
}
}
result = client.adaptive_application_controls.put(
"group-name",
updated_group
)
print(f"Updated enforcement mode to: {result.enforcement_mode}")Application Security Management
# List all applications
applications = client.applications.list()
for app in applications:
print(f"Application: {app.display_name}")
print(f"Description: {app.description}")
print(f"Source Resource Type: {app.source_resource_type}")
# Show condition sets
if app.condition_sets:
print(f"Condition Sets: {len(app.condition_sets)}")
for condition_set in app.condition_sets:
if condition_set.conditions:
for condition in condition_set.conditions:
print(f" Condition: {condition.property} {condition.operator} {condition.value}")
# Create a new application
new_application = {
"display_name": "Critical Web Application",
"description": "Web application handling sensitive customer data",
"source_resource_type": "Assessments",
"condition_sets": [{
"conditions": [{
"property": "$.AssessmentDisplayName",
"value": "Web application",
"operator": "Contains"
}, {
"property": "$.ResourceType",
"value": "Microsoft.Web/sites",
"operator": "Equals"
}]
}]
}
app = client.application.create_or_update(
"app-001",
new_application
)
print(f"Created application: {app.display_name}")
# Get specific application details
app_details = client.application.get("app-001")
print(f"Application Details: {app_details.display_name}")
print(f"System Data: {app_details.system_data}")Security Connector Application Management
# List applications in a security connector
connector_apps = client.security_connector_applications.list(
"security-rg",
"multi-cloud-connector"
)
for app in connector_apps:
print(f"Connector Application: {app.display_name}")
print(f"Description: {app.description}")
# Create application in security connector
connector_app = {
"display_name": "AWS Lambda Security Assessment",
"description": "Security assessment for AWS Lambda functions",
"source_resource_type": "Assessments",
"condition_sets": [{
"conditions": [{
"property": "$.CloudProvider",
"value": "AWS",
"operator": "Equals"
}, {
"property": "$.ResourceType",
"value": "AWS::Lambda::Function",
"operator": "Equals"
}]
}]
}
app = client.security_connector_application.create_or_update(
"security-rg",
"multi-cloud-connector",
"aws-lambda-app",
connector_app
)
print(f"Created connector application: {app.display_name}")
# Get connector application details
app_details = client.security_connector_application.get(
"security-rg",
"multi-cloud-connector",
"aws-lambda-app"
)
print(f"Connector App Details: {app_details.display_name}")API Security Management
# List all API collections
api_collections = client.api_collections.list()
for collection in api_collections:
print(f"API Collection: {collection.display_name}")
print(f"Base URL: {collection.base_url}")
print(f"Total Endpoints: {collection.number_of_api_endpoints}")
print(f"External Endpoints: {collection.number_of_external_api_endpoints}")
print(f"Internal Endpoints: {collection.number_of_internal_api_endpoints}")
print(f"Unauthenticated Endpoints: {collection.number_of_unauthenticated_api_endpoints}")
print(f"Endpoints with Sensitive Data: {collection.number_of_api_endpoints_with_sensitive_data_exposed}")
print(f"Inactive Endpoints: {collection.number_of_inactive_api_endpoints}")
print(f"Sensitivity Label: {collection.sensitivity_label}")
print(f"Discovered Via: {collection.discovered_via}")
# Get specific API collection
api_collection = client.api_collections.get(
"api-rg",
"api-management-service",
"collection-001"
)
print(f"API Collection: {api_collection.display_name}")
# List API collections by resource group
rg_collections = client.api_collections.list_by_resource_group(
"api-rg",
"api-management-service"
)
high_risk_collections = []
for collection in rg_collections:
# Identify high-risk collections
risk_score = 0
if collection.number_of_unauthenticated_api_endpoints and collection.number_of_unauthenticated_api_endpoints > 0:
risk_score += 3
if (collection.number_of_api_endpoints_with_sensitive_data_exposed and
collection.number_of_api_endpoints_with_sensitive_data_exposed > 0):
risk_score += 5
if collection.number_of_external_api_endpoints and collection.number_of_external_api_endpoints > 0:
risk_score += 1
if risk_score >= 4:
high_risk_collections.append((collection, risk_score))
print(f"\nHigh-Risk API Collections: {len(high_risk_collections)}")
for collection, score in high_risk_collections:
print(f" {collection.display_name} (Risk Score: {score})")
print(f" Base URL: {collection.base_url}")
print(f" Unauthenticated: {collection.number_of_unauthenticated_api_endpoints}")
print(f" Sensitive Data Exposed: {collection.number_of_api_endpoints_with_sensitive_data_exposed}")
# Onboard/Offboard API collections
client.api_collection_onboarding.onboard(
"api-rg",
"api-management-service",
"collection-001"
)
print("API collection onboarded for security monitoring")
# Later, if needed
# client.api_collection_offboarding.offboard(
# "api-rg",
# "api-management-service",
# "collection-001"
# )Application Security Dashboard
def create_application_security_dashboard():
"""Create a comprehensive application security dashboard."""
print("Application Security Dashboard")
print("=" * 50)
# Adaptive Application Controls
print("\n1. Adaptive Application Controls:")
control_groups = client.adaptive_application_controls.list(summary=True)
total_groups = 0
enforced_groups = 0
groups_with_issues = 0
for group in control_groups:
total_groups += 1
if group.enforcement_mode == "Enforce":
enforced_groups += 1
if group.issues and len(group.issues) > 0:
groups_with_issues += 1
print(f" Total Control Groups: {total_groups}")
print(f" Enforced Groups: {enforced_groups}")
print(f" Groups with Issues: {groups_with_issues}")
# Applications
print("\n2. Applications:")
applications = client.applications.list()
app_count = sum(1 for _ in applications)
print(f" Total Applications: {app_count}")
# API Collections
print("\n3. API Collections:")
api_collections = client.api_collections.list()
total_apis = 0
total_endpoints = 0
sensitive_endpoints = 0
unauthenticated_endpoints = 0
for collection in api_collections:
total_apis += 1
if collection.number_of_api_endpoints:
total_endpoints += collection.number_of_api_endpoints
if collection.number_of_api_endpoints_with_sensitive_data_exposed:
sensitive_endpoints += collection.number_of_api_endpoints_with_sensitive_data_exposed
if collection.number_of_unauthenticated_api_endpoints:
unauthenticated_endpoints += collection.number_of_unauthenticated_api_endpoints
print(f" Total API Collections: {total_apis}")
print(f" Total API Endpoints: {total_endpoints}")
print(f" Sensitive Data Endpoints: {sensitive_endpoints}")
print(f" Unauthenticated Endpoints: {unauthenticated_endpoints}")
# Security Recommendations
print("\n4. Security Recommendations:")
if total_endpoints > 0:
auth_coverage = ((total_endpoints - unauthenticated_endpoints) / total_endpoints) * 100
sensitive_ratio = (sensitive_endpoints / total_endpoints) * 100 if total_endpoints > 0 else 0
print(f" Authentication Coverage: {auth_coverage:.1f}%")
print(f" Sensitive Data Exposure: {sensitive_ratio:.1f}%")
if auth_coverage < 90:
print(" ⚠️ Low authentication coverage detected")
if sensitive_ratio > 10:
print(" ⚠️ High sensitive data exposure detected")
return {
"control_groups": total_groups,
"enforced_groups": enforced_groups,
"groups_with_issues": groups_with_issues,
"applications": app_count,
"api_collections": total_apis,
"total_endpoints": total_endpoints,
"sensitive_endpoints": sensitive_endpoints,
"unauthenticated_endpoints": unauthenticated_endpoints
}
# Generate the dashboard
dashboard_data = create_application_security_dashboard()Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-security