tessl/pypi-azure-mgmt-security
Microsoft Azure Security Center Management Client Library for Python
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
compliance-governance.mddocs/
Compliance and Governance
Comprehensive compliance and governance management for Azure Security Center, enabling regulatory compliance tracking, governance rule management, and compliance reporting across multiple industry standards and frameworks.
Capabilities
Regulatory Compliance Standards
Manage and track compliance with regulatory standards such as PCI DSS, SOC TSP, Azure CIS, and other industry frameworks.
def list(
filter: Optional[str] = None,
**kwargs: Any
) -> Iterator[RegulatoryComplianceStandard]:
"""
List supported regulatory compliance standards.
Parameters:
- filter (str, optional): OData filter for results
Returns:
Iterator[RegulatoryComplianceStandard]: Iterator of compliance standards
"""
def get(
regulatory_compliance_standard_name: str,
**kwargs: Any
) -> RegulatoryComplianceStandard:
"""
Get details of a specific regulatory compliance standard.
Parameters:
- regulatory_compliance_standard_name (str): Name of the compliance standard
Returns:
RegulatoryComplianceStandard: Compliance standard details
"""Regulatory Compliance Controls
Manage compliance controls within regulatory standards.
def list(
regulatory_compliance_standard_name: str,
filter: Optional[str] = None,
**kwargs: Any
) -> Iterator[RegulatoryComplianceControl]:
"""
List regulatory compliance controls for a specific standard.
Parameters:
- regulatory_compliance_standard_name (str): Name of the compliance standard
- filter (str, optional): OData filter for results
Returns:
Iterator[RegulatoryComplianceControl]: Iterator of compliance controls
"""
def get(
regulatory_compliance_standard_name: str,
regulatory_compliance_control_name: str,
**kwargs: Any
) -> RegulatoryComplianceControl:
"""
Get details of a specific regulatory compliance control.
Parameters:
- regulatory_compliance_standard_name (str): Name of the compliance standard
- regulatory_compliance_control_name (str): Name of the compliance control
Returns:
RegulatoryComplianceControl: Compliance control details
"""Regulatory Compliance Assessments
Manage compliance assessments that evaluate adherence to regulatory requirements.
def list(
regulatory_compliance_standard_name: str,
regulatory_compliance_control_name: str,
filter: Optional[str] = None,
**kwargs: Any
) -> Iterator[RegulatoryComplianceAssessment]:
"""
List regulatory compliance assessments for a specific control.
Parameters:
- regulatory_compliance_standard_name (str): Name of the compliance standard
- regulatory_compliance_control_name (str): Name of the compliance control
- filter (str, optional): OData filter for results
Returns:
Iterator[RegulatoryComplianceAssessment]: Iterator of compliance assessments
"""
def get(
regulatory_compliance_standard_name: str,
regulatory_compliance_control_name: str,
regulatory_compliance_assessment_name: str,
**kwargs: Any
) -> RegulatoryComplianceAssessment:
"""
Get details of a specific regulatory compliance assessment.
Parameters:
- regulatory_compliance_standard_name (str): Name of the compliance standard
- regulatory_compliance_control_name (str): Name of the compliance control
- regulatory_compliance_assessment_name (str): Name of the compliance assessment
Returns:
RegulatoryComplianceAssessment: Compliance assessment details
"""Compliance Results
Access historical compliance results and compliance posture data.
def list(
scope: str,
**kwargs: Any
) -> Iterator[ComplianceResult]:
"""
List compliance results for a specific scope.
Parameters:
- scope (str): Resource scope (subscription, resource group, or resource)
Returns:
Iterator[ComplianceResult]: Iterator of ComplianceResult objects
"""
def get(
scope: str,
compliance_result_name: str,
**kwargs: Any
) -> ComplianceResult:
"""
Get details of a specific compliance result.
Parameters:
- scope (str): Resource scope
- compliance_result_name (str): Name of the compliance result
Returns:
ComplianceResult: Compliance result details
"""Compliances
Manage overall compliance posture and compliance summaries.
def list(
scope: str,
**kwargs: Any
) -> Iterator[Compliance]:
"""
List compliances for a specific scope.
Parameters:
- scope (str): Resource scope (subscription, resource group, or resource)
Returns:
Iterator[Compliance]: Iterator of Compliance objects
"""
def get(
scope: str,
compliance_name: str,
**kwargs: Any
) -> Compliance:
"""
Get details of a specific compliance.
Parameters:
- scope (str): Resource scope
- compliance_name (str): Name of the compliance
Returns:
Compliance: Compliance details
"""Governance Rules
Manage governance rules that define security governance policies and requirements.
def list(
scope: str,
**kwargs: Any
) -> Iterator[GovernanceRule]:
"""
List governance rules for a specific scope.
Parameters:
- scope (str): Resource scope (management group or subscription)
Returns:
Iterator[GovernanceRule]: Iterator of GovernanceRule objects
"""
def get(
scope: str,
rule_id: str,
**kwargs: Any
) -> GovernanceRule:
"""
Get details of a specific governance rule.
Parameters:
- scope (str): Resource scope
- rule_id (str): ID of the governance rule
Returns:
GovernanceRule: Governance rule details
"""
def create_or_update(
scope: str,
rule_id: str,
governance_rule: GovernanceRule,
**kwargs: Any
) -> GovernanceRule:
"""
Create or update a governance rule.
Parameters:
- scope (str): Resource scope
- rule_id (str): ID of the governance rule
- governance_rule (GovernanceRule): Governance rule data
Returns:
GovernanceRule: Created or updated governance rule
"""
def delete(
scope: str,
rule_id: str,
**kwargs: Any
) -> None:
"""
Delete a governance rule.
Parameters:
- scope (str): Resource scope
- rule_id (str): ID of the governance rule
Returns:
None
"""
def operation_results(
scope: str,
rule_id: str,
operation_id: str,
**kwargs: Any
) -> OperationResult:
"""
Get the result of a governance rule operation.
Parameters:
- scope (str): Resource scope
- rule_id (str): ID of the governance rule
- operation_id (str): ID of the operation
Returns:
OperationResult: Operation result details
"""Governance Assignments
Manage governance assignments that apply governance rules to specific resources or scopes.
def list(
scope: str,
assessment_name: str,
**kwargs: Any
) -> Iterator[GovernanceAssignment]:
"""
List governance assignments for a specific scope and assessment.
Parameters:
- scope (str): Resource scope
- assessment_name (str): Name of the assessment
Returns:
Iterator[GovernanceAssignment]: Iterator of GovernanceAssignment objects
"""
def get(
scope: str,
assessment_name: str,
assignment_key: str,
**kwargs: Any
) -> GovernanceAssignment:
"""
Get details of a specific governance assignment.
Parameters:
- scope (str): Resource scope
- assessment_name (str): Name of the assessment
- assignment_key (str): Key of the governance assignment
Returns:
GovernanceAssignment: Governance assignment details
"""
def create_or_update(
scope: str,
assessment_name: str,
assignment_key: str,
governance_assignment: GovernanceAssignment,
**kwargs: Any
) -> GovernanceAssignment:
"""
Create or update a governance assignment.
Parameters:
- scope (str): Resource scope
- assessment_name (str): Name of the assessment
- assignment_key (str): Key of the governance assignment
- governance_assignment (GovernanceAssignment): Assignment data
Returns:
GovernanceAssignment: Created or updated assignment
"""
def delete(
scope: str,
assessment_name: str,
assignment_key: str,
**kwargs: Any
) -> None:
"""
Delete a governance assignment.
Parameters:
- scope (str): Resource scope
- assessment_name (str): Name of the assessment
- assignment_key (str): Key of the governance assignment
Returns:
None
"""Custom Assessment Automations
Manage custom assessment automations for governance and compliance evaluation.
def list_by_subscription(
**kwargs: Any
) -> Iterator[CustomAssessmentAutomation]:
"""
List custom assessment automations in the subscription.
Returns:
Iterator[CustomAssessmentAutomation]: Iterator of automation objects
"""
def list_by_resource_group(
resource_group_name: str,
**kwargs: Any
) -> Iterator[CustomAssessmentAutomation]:
"""
List custom assessment automations in a resource group.
Parameters:
- resource_group_name (str): Name of the resource group
Returns:
Iterator[CustomAssessmentAutomation]: Iterator of automation objects
"""
def get(
resource_group_name: str,
custom_assessment_automation_name: str,
**kwargs: Any
) -> CustomAssessmentAutomation:
"""
Get details of a custom assessment automation.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_assessment_automation_name (str): Name of the automation
Returns:
CustomAssessmentAutomation: Automation details
"""
def create(
resource_group_name: str,
custom_assessment_automation_name: str,
custom_assessment_automation_body: CustomAssessmentAutomationRequest,
**kwargs: Any
) -> CustomAssessmentAutomation:
"""
Create a custom assessment automation.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_assessment_automation_name (str): Name of the automation
- custom_assessment_automation_body (CustomAssessmentAutomationRequest): Automation data
Returns:
CustomAssessmentAutomation: Created automation
"""
def delete(
resource_group_name: str,
custom_assessment_automation_name: str,
**kwargs: Any
) -> None:
"""
Delete a custom assessment automation.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_assessment_automation_name (str): Name of the automation
Returns:
None
"""Custom Entity Store Assignments
Manage custom entity store assignments for governance data management.
def list_by_subscription(
**kwargs: Any
) -> Iterator[CustomEntityStoreAssignment]:
"""
List custom entity store assignments in the subscription.
Returns:
Iterator[CustomEntityStoreAssignment]: Iterator of assignment objects
"""
def list_by_resource_group(
resource_group_name: str,
**kwargs: Any
) -> Iterator[CustomEntityStoreAssignment]:
"""
List custom entity store assignments in a resource group.
Parameters:
- resource_group_name (str): Name of the resource group
Returns:
Iterator[CustomEntityStoreAssignment]: Iterator of assignment objects
"""
def get(
resource_group_name: str,
custom_entity_store_assignment_name: str,
**kwargs: Any
) -> CustomEntityStoreAssignment:
"""
Get details of a custom entity store assignment.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_entity_store_assignment_name (str): Name of the assignment
Returns:
CustomEntityStoreAssignment: Assignment details
"""
def create(
resource_group_name: str,
custom_entity_store_assignment_name: str,
custom_entity_store_assignment_request_body: CustomEntityStoreAssignmentRequest,
**kwargs: Any
) -> CustomEntityStoreAssignment:
"""
Create a custom entity store assignment.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_entity_store_assignment_name (str): Name of the assignment
- custom_entity_store_assignment_request_body (CustomEntityStoreAssignmentRequest): Assignment data
Returns:
CustomEntityStoreAssignment: Created assignment
"""
def delete(
resource_group_name: str,
custom_entity_store_assignment_name: str,
**kwargs: Any
) -> None:
"""
Delete a custom entity store assignment.
Parameters:
- resource_group_name (str): Name of the resource group
- custom_entity_store_assignment_name (str): Name of the assignment
Returns:
None
"""Types
class RegulatoryComplianceStandard:
id: Optional[str]
name: Optional[str]
type: Optional[str]
state: Optional[str] # Passed, Failed, Skipped, Unsupported
passed_controls: Optional[int]
failed_controls: Optional[int]
skipped_controls: Optional[int]
unsupported_controls: Optional[int]
class RegulatoryComplianceControl:
id: Optional[str]
name: Optional[str]
type: Optional[str]
description: Optional[str]
state: Optional[str] # Passed, Failed, Skipped, Unsupported
passed_assessments: Optional[int]
failed_assessments: Optional[int]
skipped_assessments: Optional[int]
unsupported_assessments: Optional[int]
class RegulatoryComplianceAssessment:
id: Optional[str]
name: Optional[str]
type: Optional[str]
description: Optional[str]
assessment_type: Optional[str]
assessment_details_link: Optional[str]
state: Optional[str] # Passed, Failed, Skipped, Unsupported
passed_resources: Optional[int]
failed_resources: Optional[int]
skipped_resources: Optional[int]
unsupported_resources: Optional[int]
class ComplianceResult:
id: Optional[str]
name: Optional[str]
type: Optional[str]
resource_status: Optional[str] # Healthy, NotApplicable, OffByPolicy, Unhealthy
policy_definition_id: Optional[str]
policy_definition_name: Optional[str]
policy_definition_action: Optional[str]
policy_assignment_id: Optional[str]
policy_assignment_name: Optional[str]
policy_assignment_owner: Optional[str]
policy_assignment_parameters: Optional[Dict[str, Any]]
policy_assignment_scope: Optional[str]
policy_definition_reference_id: Optional[str]
compliance_state: Optional[str]
policy_evaluation_details: Optional[PolicyEvaluationDetails]
policy_definition_group_names: Optional[List[str]]
components_compliance_results: Optional[List[ComplianceResult]]
policy_definition_version: Optional[str]
policy_assignment_version: Optional[str]
class Compliance:
id: Optional[str]
name: Optional[str]
type: Optional[str]
assessment_timestamp_utc_date: Optional[datetime]
resource_count: Optional[int]
assessment_result: Optional[List[ComplianceSegment]]
class GovernanceRule:
id: Optional[str]
name: Optional[str]
type: Optional[str]
tenant_id: Optional[str]
display_name: Optional[str]
description: Optional[str]
remediation_timeframe: Optional[str]
is_graceful: Optional[bool]
rule_priority: Optional[int]
is_disabled: Optional[bool]
rule_type: Optional[str] # Integrated, ServiceNow
source_resource_type: Optional[str]
excluded_scopes: Optional[List[str]]
condition_sets: Optional[List[GovernanceRuleConditionSet]]
include_member_scopes: Optional[bool]
owner_source: Optional[GovernanceRuleOwnerSource]
governance_email_notification: Optional[GovernanceRuleEmailNotification]
metadata: Optional[GovernanceRuleMetadata]
class GovernanceAssignment:
id: Optional[str]
name: Optional[str]
type: Optional[str]
owner: Optional[str]
remediation_due_date: Optional[datetime]
remediation_eta: Optional[RemediationEta]
is_grace_period: Optional[bool]
governance_email_notification: Optional[GovernanceEmailNotification]
additional_data: Optional[Dict[str, str]]
class CustomAssessmentAutomation:
id: Optional[str]
name: Optional[str]
type: Optional[str]
system_data: Optional[SystemData]
compressed_query: Optional[str]
supported_cloud: Optional[str] # AWS, GCP
severity: Optional[str] # High, Medium, Low
display_name: Optional[str]
description: Optional[str]
remediation_description: Optional[str]
assessment_key: Optional[str]
class CustomEntityStoreAssignment:
id: Optional[str]
name: Optional[str]
type: Optional[str]
system_data: Optional[SystemData]
principal: Optional[str]
entity_type: Optional[str]
class ComplianceSegment:
segment_type: Optional[str]
percentage: Optional[float]
class PolicyEvaluationDetails:
evaluated_expressions: Optional[List[ExpressionEvaluationDetails]]
class GovernanceRuleConditionSet:
conditions: Optional[List[GovernanceRuleCondition]]
class GovernanceRuleOwnerSource:
type: Optional[str] # Manually, ByTag
value: Optional[str]
class GovernanceRuleEmailNotification:
disable_manager_email_notification: Optional[bool]
disable_owner_email_notification: Optional[bool]
class RemediationEta:
eta: Optional[datetime]
justification: Optional[str]Usage Examples
Regulatory Compliance Monitoring
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
credential = DefaultAzureCredential()
client = SecurityCenter(credential, "subscription-id")
# Get all supported compliance standards
standards = client.regulatory_compliance_standards.list()
for standard in standards:
print(f"Standard: {standard.name}")
print(f"State: {standard.state}")
print(f"Passed: {standard.passed_controls}/{standard.passed_controls + standard.failed_controls}")
# Get failing controls for this standard
controls = client.regulatory_compliance_controls.list(
standard.name,
filter="properties/state eq 'Failed'"
)
for control in controls:
print(f" Failed Control: {control.description}")
print(f" Failed Assessments: {control.failed_assessments}")
# Get specific assessment details
assessments = client.regulatory_compliance_assessments.list(
standard.name,
control.name,
filter="properties/state eq 'Failed'"
)
for assessment in assessments:
print(f" Assessment: {assessment.description}")
print(f" Failed Resources: {assessment.failed_resources}")Governance Rule Management
# Create a governance rule for high severity findings
governance_rule = {
"display_name": "Critical Security Findings",
"description": "Automatic assignment for critical security findings",
"remediation_timeframe": "7.00:00:00", # 7 days
"is_graceful": True,
"rule_priority": 100,
"is_disabled": False,
"rule_type": "Integrated",
"source_resource_type": "Assessments",
"condition_sets": [{
"conditions": [{
"property": "$.AssessmentDisplayName",
"value": "Critical",
"operator": "Contains"
}]
}],
"owner_source": {
"type": "ByTag",
"value": "SecurityOwner"
},
"governance_email_notification": {
"disable_manager_email_notification": False,
"disable_owner_email_notification": False
}
}
scope = "subscriptions/subscription-id"
rule = client.governance_rules.create_or_update(
scope,
"critical-findings-rule",
governance_rule
)
print(f"Created rule: {rule.display_name}")
# List all governance assignments
assignments = client.governance_assignments.list(
scope,
"assessment-name"
)
for assignment in assignments:
print(f"Assignment: {assignment.owner}")
print(f"Due Date: {assignment.remediation_due_date}")
print(f"Grace Period: {assignment.is_grace_period}")Custom Assessment Automation
# Create custom assessment for governance
automation_request = {
"compressed_query": "base64-encoded-kql-query",
"supported_cloud": "AWS",
"severity": "High",
"display_name": "Custom AWS Security Assessment",
"description": "Custom assessment for AWS resource security",
"remediation_description": "Follow remediation steps to secure resources"
}
automation = client.custom_assessment_automations.create(
"security-rg",
"aws-security-assessment",
automation_request
)
print(f"Created automation: {automation.display_name}")
# List all automations
automations = client.custom_assessment_automations.list_by_subscription()
for auto in automations:
print(f"Automation: {auto.display_name}")
print(f"Cloud: {auto.supported_cloud}")
print(f"Severity: {auto.severity}")Compliance Results Analysis
# Get compliance results for subscription
scope = "subscriptions/subscription-id"
results = client.compliance_results.list(scope)
compliant_resources = 0
non_compliant_resources = 0
for result in results:
if result.resource_status == "Healthy":
compliant_resources += 1
else:
non_compliant_resources += 1
print(f"Resource: {result.name}")
print(f"Policy: {result.policy_definition_name}")
print(f"Status: {result.resource_status}")
print(f"Compliance State: {result.compliance_state}")
compliance_percentage = (
compliant_resources / (compliant_resources + non_compliant_resources) * 100
)
print(f"Overall Compliance: {compliance_percentage:.1f}%")Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-security