tessl/pypi-azure-mgmt-security
Microsoft Azure Security Center Management Client Library for Python
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
network-security.mddocs/
Network Security
Network security management capabilities for Azure Security Center, providing adaptive network hardening, just-in-time VM access policies, network topology analysis, and connection monitoring to secure network infrastructure.
Capabilities
Adaptive Network Hardenings
Manage adaptive network hardening recommendations and enforce network security best practices.
def list(
**kwargs: Any
) -> Iterator[AdaptiveNetworkHardening]:
"""
List adaptive network hardenings for the subscription.
Returns:
Iterator[AdaptiveNetworkHardening]: Iterator of adaptive network hardening objects
"""
def list_by_extended_resource(
resource_group_name: str,
resource_namespace: str,
resource_type: str,
resource_name: str,
**kwargs: Any
) -> Iterator[AdaptiveNetworkHardening]:
"""
List adaptive network hardenings for an extended resource.
Parameters:
- resource_group_name (str): Name of the resource group
- resource_namespace (str): Resource provider namespace
- resource_type (str): Resource type
- resource_name (str): Name of the resource
Returns:
Iterator[AdaptiveNetworkHardening]: Iterator of adaptive network hardening objects
"""
def get(
resource_group_name: str,
resource_namespace: str,
resource_type: str,
resource_name: str,
adaptive_network_hardening_resource_name: str,
**kwargs: Any
) -> AdaptiveNetworkHardening:
"""
Get details of a specific adaptive network hardening.
Parameters:
- resource_group_name (str): Name of the resource group
- resource_namespace (str): Resource provider namespace
- resource_type (str): Resource type
- resource_name (str): Name of the resource
- adaptive_network_hardening_resource_name (str): Name of the hardening resource
Returns:
AdaptiveNetworkHardening: Adaptive network hardening details
"""
def enforce(
resource_group_name: str,
resource_namespace: str,
resource_type: str,
resource_name: str,
adaptive_network_hardening_resource_name: str,
body: AdaptiveNetworkHardeningEnforceRequest,
**kwargs: Any
) -> AdaptiveNetworkHardening:
"""
Enforce adaptive network hardening recommendations.
Parameters:
- resource_group_name (str): Name of the resource group
- resource_namespace (str): Resource provider namespace
- resource_type (str): Resource type
- resource_name (str): Name of the resource
- adaptive_network_hardening_resource_name (str): Name of the hardening resource
- body (AdaptiveNetworkHardeningEnforceRequest): Enforcement request data
Returns:
AdaptiveNetworkHardening: Updated adaptive network hardening
"""Allowed Connections
Monitor and analyze allowed network connections between resources.
def list(
**kwargs: Any
) -> Iterator[AllowedConnectionsResource]:
"""
List allowed connections for the subscription.
Returns:
Iterator[AllowedConnectionsResource]: Iterator of allowed connection objects
"""
def list_by_home_region(
asc_location: str,
**kwargs: Any
) -> Iterator[AllowedConnectionsResource]:
"""
List allowed connections in the subscription's home region.
Parameters:
- asc_location (str): Azure Security Center location
Returns:
Iterator[AllowedConnectionsResource]: Iterator of allowed connection objects
"""
def get(
resource_group_name: str,
asc_location: str,
connection_type: str,
**kwargs: Any
) -> AllowedConnectionsResource:
"""
Get details of specific allowed connections.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- connection_type (str): Type of connection (Internal, External)
Returns:
AllowedConnectionsResource: Allowed connection details
"""Just-in-Time Network Access Policies
Manage just-in-time (JIT) VM access policies for secure, time-limited VM access.
def list(
**kwargs: Any
) -> Iterator[JitNetworkAccessPolicy]:
"""
List JIT network access policies for the subscription.
Returns:
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
"""
def list_by_region(
asc_location: str,
**kwargs: Any
) -> Iterator[JitNetworkAccessPolicy]:
"""
List JIT network access policies in a specific region.
Parameters:
- asc_location (str): Azure Security Center location
Returns:
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
"""
def list_by_resource_group(
resource_group_name: str,
**kwargs: Any
) -> Iterator[JitNetworkAccessPolicy]:
"""
List JIT network access policies in a resource group.
Parameters:
- resource_group_name (str): Name of the resource group
Returns:
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
"""
def list_by_resource_group_and_region(
resource_group_name: str,
asc_location: str,
**kwargs: Any
) -> Iterator[JitNetworkAccessPolicy]:
"""
List JIT network access policies in a resource group and region.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
Returns:
Iterator[JitNetworkAccessPolicy]: Iterator of JIT policy objects
"""
def get(
resource_group_name: str,
asc_location: str,
jit_network_access_policy_name: str,
**kwargs: Any
) -> JitNetworkAccessPolicy:
"""
Get details of a specific JIT network access policy.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- jit_network_access_policy_name (str): Name of the JIT policy
Returns:
JitNetworkAccessPolicy: JIT policy details
"""
def create_or_update(
resource_group_name: str,
asc_location: str,
jit_network_access_policy_name: str,
body: JitNetworkAccessPolicy,
**kwargs: Any
) -> JitNetworkAccessPolicy:
"""
Create or update a JIT network access policy.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- jit_network_access_policy_name (str): Name of the JIT policy
- body (JitNetworkAccessPolicy): JIT policy data
Returns:
JitNetworkAccessPolicy: Created or updated JIT policy
"""
def delete(
resource_group_name: str,
asc_location: str,
jit_network_access_policy_name: str,
**kwargs: Any
) -> None:
"""
Delete a JIT network access policy.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- jit_network_access_policy_name (str): Name of the JIT policy
Returns:
None
"""
def initiate(
resource_group_name: str,
asc_location: str,
jit_network_access_policy_name: str,
body: JitNetworkAccessPolicyInitiateRequest,
**kwargs: Any
) -> JitNetworkAccessRequest:
"""
Initiate a JIT network access request.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- jit_network_access_policy_name (str): Name of the JIT policy
- body (JitNetworkAccessPolicyInitiateRequest): Access request data
Returns:
JitNetworkAccessRequest: Initiated access request
"""Network Topology
Analyze and visualize network topology and security posture.
def list(
**kwargs: Any
) -> Iterator[TopologyResource]:
"""
List network topology resources for the subscription.
Returns:
Iterator[TopologyResource]: Iterator of topology resource objects
"""
def list_by_home_region(
asc_location: str,
**kwargs: Any
) -> Iterator[TopologyResource]:
"""
List network topology resources in the subscription's home region.
Parameters:
- asc_location (str): Azure Security Center location
Returns:
Iterator[TopologyResource]: Iterator of topology resource objects
"""
def get(
resource_group_name: str,
asc_location: str,
topology_resource_name: str,
**kwargs: Any
) -> TopologyResource:
"""
Get details of a specific topology resource.
Parameters:
- resource_group_name (str): Name of the resource group
- asc_location (str): Azure Security Center location
- topology_resource_name (str): Name of the topology resource
Returns:
TopologyResource: Topology resource details
"""Types
class AdaptiveNetworkHardening:
id: Optional[str]
name: Optional[str]
type: Optional[str]
rules: Optional[List[Rule]]
rules_calculation_time: Optional[datetime]
effective_network_security_groups: Optional[List[EffectiveNetworkSecurityGroups]]
class AdaptiveNetworkHardeningEnforceRequest:
rules: List[Rule]
network_security_groups: List[str]
class AllowedConnectionsResource:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
connectable_resources: Optional[List[ConnectableResource]]
class JitNetworkAccessPolicy:
id: Optional[str]
name: Optional[str]
type: Optional[str]
kind: Optional[str]
location: Optional[str]
virtual_machines: List[JitNetworkAccessPolicyVirtualMachine]
requests: Optional[List[JitNetworkAccessRequest]]
provisioning_state: Optional[str]
class JitNetworkAccessPolicyVirtualMachine:
id: str
ports: List[JitNetworkAccessPortRule]
public_ip_address: Optional[str]
class JitNetworkAccessPortRule:
number: int
protocol: str # TCP, UDP, Any
allowed_source_address_prefix: Optional[str]
allowed_source_address_prefixes: Optional[List[str]]
max_request_access_duration: str # ISO 8601 duration format
class JitNetworkAccessRequest:
virtual_machines: List[JitNetworkAccessRequestVirtualMachine]
start_time_utc: datetime
requestor: str
justification: Optional[str]
class JitNetworkAccessRequestVirtualMachine:
id: str
ports: List[JitNetworkAccessRequestPort]
class JitNetworkAccessRequestPort:
number: int
allowed_source_address_prefix: Optional[str]
allowed_source_address_prefixes: Optional[List[str]]
end_time_utc: datetime
status: str # Revoked, Initiated
status_reason: str # Expired, UserRequested, NewerRequestInitiated
class JitNetworkAccessPolicyInitiateRequest:
virtual_machines: List[JitNetworkAccessPolicyInitiateVirtualMachine]
justification: Optional[str]
class JitNetworkAccessPolicyInitiateVirtualMachine:
id: str
ports: List[JitNetworkAccessPolicyInitiatePort]
class JitNetworkAccessPolicyInitiatePort:
number: int
allowed_source_address_prefix: Optional[str]
allowed_source_address_prefixes: Optional[List[str]]
end_time_utc: datetime
class TopologyResource:
id: Optional[str]
name: Optional[str]
type: Optional[str]
location: Optional[str]
calculated_date_time: Optional[datetime]
topology_resources: Optional[List[TopologySingleResource]]
class TopologySingleResource:
resource_id: Optional[str]
severity: Optional[str]
recommendationsExist: Optional[bool]
network_zones: Optional[str]
topology_score: Optional[int]
location: Optional[str]
parents: Optional[List[TopologySingleResourceParent]]
children: Optional[List[TopologySingleResourceChild]]
class Rule:
name: Optional[str]
direction: Optional[str] # Inbound, Outbound
destination_port: Optional[int]
protocols: Optional[List[str]]
source_address_prefix: Optional[str]
source_address_prefixes: Optional[List[str]]
destination_address_prefix: Optional[str]
destination_address_prefixes: Optional[List[str]]
class EffectiveNetworkSecurityGroups:
network_security_groups: Optional[List[str]]
network_interface: Optional[str]
class ConnectableResource:
id: Optional[str]
inbound_connected_resources: Optional[List[ConnectedResource]]
outbound_connected_resources: Optional[List[ConnectedResource]]
class ConnectedResource:
connected_resource_id: Optional[str]
tcp_ports: Optional[str]
udp_ports: Optional[str]
class TopologySingleResourceParent:
resource_id: Optional[str]
class TopologySingleResourceChild:
resource_id: Optional[str]Usage Examples
Just-in-Time VM Access Management
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
from datetime import datetime, timedelta
credential = DefaultAzureCredential()
client = SecurityCenter(credential, "subscription-id")
# Create a JIT policy for a VM
jit_policy = {
"virtual_machines": [{
"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
"ports": [
{
"number": 22,
"protocol": "TCP",
"allowed_source_address_prefix": "10.0.0.0/8",
"max_request_access_duration": "PT3H" # 3 hours
},
{
"number": 3389,
"protocol": "TCP",
"allowed_source_address_prefixes": ["192.168.1.0/24", "172.16.0.0/16"],
"max_request_access_duration": "PT2H" # 2 hours
}
]
}]
}
# Create the JIT policy
policy = client.jit_network_access_policies.create_or_update(
"my-rg",
"eastus",
"vm1-jit-policy",
jit_policy
)
print(f"Created JIT policy: {policy.name}")
# Request JIT access
access_request = {
"virtual_machines": [{
"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1",
"ports": [{
"number": 22,
"allowed_source_address_prefix": "203.0.113.0/32", # Specific IP
"end_time_utc": datetime.utcnow() + timedelta(hours=2)
}]
}],
"justification": "Emergency maintenance access required"
}
request = client.jit_network_access_policies.initiate(
"my-rg",
"eastus",
"vm1-jit-policy",
access_request
)
print(f"JIT access requested for: {request.requestor}")
# List all JIT policies
policies = client.jit_network_access_policies.list()
for policy in policies:
print(f"Policy: {policy.name}")
print(f"VMs: {len(policy.virtual_machines)}")
for vm in policy.virtual_machines:
print(f" VM: {vm.id}")
print(f" Ports: {[p.number for p in vm.ports]}")
# Show active requests
if policy.requests:
for req in policy.requests:
print(f" Active Request: {req.requestor}")
print(f" Start: {req.start_time_utc}")
print(f" Justification: {req.justification}")Adaptive Network Hardening
# List adaptive network hardenings
hardenings = client.adaptive_network_hardenings.list()
for hardening in hardenings:
print(f"Hardening: {hardening.name}")
print(f"Calculation Time: {hardening.rules_calculation_time}")
print(f"Rules Count: {len(hardening.rules or [])}")
# Show recommended rules
if hardening.rules:
print(" Recommended Rules:")
for rule in hardening.rules:
print(f" {rule.direction} - Port {rule.destination_port}")
print(f" Protocol: {rule.protocols}")
print(f" Source: {rule.source_address_prefix}")
# Get specific hardening for a VM
vm_hardening = client.adaptive_network_hardenings.get(
"my-rg",
"Microsoft.Compute",
"virtualMachines",
"my-vm",
"default"
)
print(f"VM Hardening Rules: {len(vm_hardening.rules or [])}")
# Enforce hardening recommendations
if vm_hardening.rules:
enforce_request = {
"rules": vm_hardening.rules[:5], # Enforce first 5 rules
"network_security_groups": [
"/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Network/networkSecurityGroups/nsg1"
]
}
result = client.adaptive_network_hardenings.enforce(
"my-rg",
"Microsoft.Compute",
"virtualMachines",
"my-vm",
"default",
enforce_request
)
print(f"Enforced {len(result.rules)} hardening rules")Network Topology Analysis
# Get network topology
topology_resources = client.topology.list()
for resource in topology_resources:
print(f"Topology Resource: {resource.name}")
print(f"Location: {resource.location}")
print(f"Calculated: {resource.calculated_date_time}")
if resource.topology_resources:
print(f"Network Resources: {len(resource.topology_resources)}")
for topo_resource in resource.topology_resources:
print(f" Resource: {topo_resource.resource_id}")
print(f" Severity: {topo_resource.severity}")
print(f" Score: {topo_resource.topology_score}")
print(f" Has Recommendations: {topo_resource.recommendationsExist}")
# Show network relationships
if topo_resource.parents:
print(f" Parents: {len(topo_resource.parents)}")
for parent in topo_resource.parents:
print(f" - {parent.resource_id}")
if topo_resource.children:
print(f" Children: {len(topo_resource.children)}")
for child in topo_resource.children:
print(f" - {child.resource_id}")
# Get topology for specific region
region_topology = client.topology.list_by_home_region("eastus")
for resource in region_topology:
print(f"Regional Topology: {resource.name}")Allowed Connections Monitoring
# List allowed connections
connections = client.allowed_connections.list()
for connection in connections:
print(f"Connection Resource: {connection.name}")
print(f"Location: {connection.location}")
if connection.connectable_resources:
print(f"Connectable Resources: {len(connection.connectable_resources)}")
for connectable in connection.connectable_resources:
print(f" Resource: {connectable.id}")
# Show inbound connections
if connectable.inbound_connected_resources:
print(f" Inbound Connections: {len(connectable.inbound_connected_resources)}")
for inbound in connectable.inbound_connected_resources:
print(f" From: {inbound.connected_resource_id}")
if inbound.tcp_ports:
print(f" TCP Ports: {inbound.tcp_ports}")
if inbound.udp_ports:
print(f" UDP Ports: {inbound.udp_ports}")
# Show outbound connections
if connectable.outbound_connected_resources:
print(f" Outbound Connections: {len(connectable.outbound_connected_resources)}")
for outbound in connectable.outbound_connected_resources:
print(f" To: {outbound.connected_resource_id}")
if outbound.tcp_ports:
print(f" TCP Ports: {outbound.tcp_ports}")
if outbound.udp_ports:
print(f" UDP Ports: {outbound.udp_ports}")
# Get connections for specific resource group
rg_connections = client.allowed_connections.get(
"my-rg",
"eastus",
"Internal"
)
print(f"Resource Group Internal Connections: {len(rg_connections.connectable_resources or [])}")Network Security Monitoring Dashboard
def create_network_security_dashboard():
"""Create a comprehensive network security status dashboard."""
print("Network Security Dashboard")
print("=" * 50)
# JIT Policy Status
print("\n1. Just-in-Time Access Policies:")
jit_policies = client.jit_network_access_policies.list()
total_policies = 0
active_requests = 0
for policy in jit_policies:
total_policies += 1
if policy.requests:
active_requests += len([r for r in policy.requests
if r.start_time_utc and
any(p.status == "Initiated" for vm in r.virtual_machines for p in vm.ports)])
print(f" Total Policies: {total_policies}")
print(f" Active Requests: {active_requests}")
# Network Hardening Status
print("\n2. Adaptive Network Hardening:")
hardenings = client.adaptive_network_hardenings.list()
hardening_count = sum(1 for _ in hardenings)
print(f" Hardening Resources: {hardening_count}")
# Topology Analysis
print("\n3. Network Topology:")
topology = client.topology.list()
resources_with_recommendations = 0
total_topology_resources = 0
for topo in topology:
if topo.topology_resources:
for resource in topo.topology_resources:
total_topology_resources += 1
if resource.recommendationsExist:
resources_with_recommendations += 1
print(f" Total Resources: {total_topology_resources}")
print(f" Resources with Recommendations: {resources_with_recommendations}")
# Connection Analysis
print("\n4. Network Connections:")
connections = client.allowed_connections.list()
total_connections = 0
for conn in connections:
if conn.connectable_resources:
total_connections += len(conn.connectable_resources)
print(f" Connectable Resources: {total_connections}")
return {
"jit_policies": total_policies,
"active_jit_requests": active_requests,
"hardening_resources": hardening_count,
"topology_resources": total_topology_resources,
"resources_with_recommendations": resources_with_recommendations,
"connectable_resources": total_connections
}
# Generate the dashboard
dashboard_data = create_network_security_dashboard()Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-security