tessl/pypi-azure-mgmt-security
Microsoft Azure Security Center Management Client Library for Python
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
vulnerability-management.mddocs/
Vulnerability Management
Comprehensive vulnerability management capabilities for Azure Security Center, providing server vulnerability assessments, SQL vulnerability scanning, sub-assessment analysis, and software inventory management across your infrastructure.
Capabilities
Server Vulnerability Assessment
Manage vulnerability assessments for servers and virtual machines.
def create_or_update(
resource_id: str,
**kwargs: Any
) -> ServerVulnerabilityAssessment:
"""
Create or update server vulnerability assessment configuration.
Parameters:
- resource_id (str): Full resource ID of the server
Returns:
ServerVulnerabilityAssessment: Server vulnerability assessment configuration
"""
def get(
resource_id: str,
**kwargs: Any
) -> ServerVulnerabilityAssessment:
"""
Get server vulnerability assessment configuration.
Parameters:
- resource_id (str): Full resource ID of the server
Returns:
ServerVulnerabilityAssessment: Server vulnerability assessment details
"""
def delete(
resource_id: str,
**kwargs: Any
) -> None:
"""
Delete server vulnerability assessment configuration.
Parameters:
- resource_id (str): Full resource ID of the server
Returns:
None
"""
def list_by_extended_resource(
resource_id: str,
**kwargs: Any
) -> Iterator[ServerVulnerabilityAssessment]:
"""
List server vulnerability assessments for an extended resource.
Parameters:
- resource_id (str): Full resource ID of the extended resource
Returns:
Iterator[ServerVulnerabilityAssessment]: Iterator of assessment objects
"""Server Vulnerability Assessment Settings
Manage settings and configuration for server vulnerability assessments.
def list_by_subscription(
**kwargs: Any
) -> Iterator[ServerVulnerabilityAssessmentsSettings]:
"""
List server vulnerability assessment settings for the subscription.
Returns:
Iterator[ServerVulnerabilityAssessmentsSettings]: Iterator of settings objects
"""
def get(
setting_kind: str,
**kwargs: Any
) -> ServerVulnerabilityAssessmentsSettings:
"""
Get server vulnerability assessment settings.
Parameters:
- setting_kind (str): Kind of the setting (AzureServersSetting)
Returns:
ServerVulnerabilityAssessmentsSettings: Assessment settings details
"""
def create_or_update(
setting_kind: str,
body: ServerVulnerabilityAssessmentsSettings,
**kwargs: Any
) -> ServerVulnerabilityAssessmentsSettings:
"""
Create or update server vulnerability assessment settings.
Parameters:
- setting_kind (str): Kind of the setting (AzureServersSetting)
- body (ServerVulnerabilityAssessmentsSettings): Settings configuration
Returns:
ServerVulnerabilityAssessmentsSettings: Created or updated settings
"""
def delete(
setting_kind: str,
**kwargs: Any
) -> None:
"""
Delete server vulnerability assessment settings.
Parameters:
- setting_kind (str): Kind of the setting (AzureServersSetting)
Returns:
None
"""SQL Vulnerability Assessment Scans
Manage SQL database vulnerability assessment scans.
def list(
resource_id: str,
**kwargs: Any
) -> Iterator[SqlVulnerabilityAssessmentScan]:
"""
List SQL vulnerability assessment scans for a resource.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
Returns:
Iterator[SqlVulnerabilityAssessmentScan]: Iterator of scan objects
"""
def get(
resource_id: str,
scan_id: str,
**kwargs: Any
) -> SqlVulnerabilityAssessmentScan:
"""
Get details of a specific SQL vulnerability assessment scan.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- scan_id (str): ID of the scan
Returns:
SqlVulnerabilityAssessmentScan: Scan details
"""SQL Vulnerability Assessment Scan Results
Access and manage SQL vulnerability assessment scan results.
def list(
resource_id: str,
scan_id: str,
**kwargs: Any
) -> Iterator[SqlVulnerabilityAssessmentScanResult]:
"""
List SQL vulnerability assessment scan results.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- scan_id (str): ID of the scan
Returns:
Iterator[SqlVulnerabilityAssessmentScanResult]: Iterator of scan result objects
"""
def get(
resource_id: str,
scan_id: str,
rule_id: str,
**kwargs: Any
) -> SqlVulnerabilityAssessmentScanResult:
"""
Get details of a specific SQL vulnerability assessment scan result.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- scan_id (str): ID of the scan
- rule_id (str): ID of the rule
Returns:
SqlVulnerabilityAssessmentScanResult: Scan result details
"""SQL Vulnerability Assessment Baseline Rules
Manage baseline rules for SQL vulnerability assessments.
def list(
resource_id: str,
**kwargs: Any
) -> Iterator[SqlVulnerabilityAssessmentBaselineRule]:
"""
List SQL vulnerability assessment baseline rules.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
Returns:
Iterator[SqlVulnerabilityAssessmentBaselineRule]: Iterator of baseline rule objects
"""
def get(
resource_id: str,
rule_id: str,
**kwargs: Any
) -> SqlVulnerabilityAssessmentBaselineRule:
"""
Get details of a specific SQL vulnerability assessment baseline rule.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- rule_id (str): ID of the rule
Returns:
SqlVulnerabilityAssessmentBaselineRule: Baseline rule details
"""
def create_or_update(
resource_id: str,
rule_id: str,
body: SqlVulnerabilityAssessmentBaselineRule,
**kwargs: Any
) -> SqlVulnerabilityAssessmentBaselineRule:
"""
Create or update a SQL vulnerability assessment baseline rule.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- rule_id (str): ID of the rule
- body (SqlVulnerabilityAssessmentBaselineRule): Baseline rule data
Returns:
SqlVulnerabilityAssessmentBaselineRule: Created or updated baseline rule
"""
def delete(
resource_id: str,
rule_id: str,
**kwargs: Any
) -> None:
"""
Delete a SQL vulnerability assessment baseline rule.
Parameters:
- resource_id (str): Full resource ID of the SQL resource
- rule_id (str): ID of the rule
Returns:
None
"""Sub-Assessments
Manage detailed vulnerability findings through sub-assessments.
def list(
scope: str,
assessment_name: str,
**kwargs: Any
) -> Iterator[SubAssessment]:
"""
List sub-assessments for a specific assessment.
Parameters:
- scope (str): Resource scope (subscription, resource group, or resource)
- assessment_name (str): Name of the parent assessment
Returns:
Iterator[SubAssessment]: Iterator of SubAssessment objects
"""
def list_all(
scope: str,
**kwargs: Any
) -> Iterator[SubAssessment]:
"""
List all sub-assessments for a specific scope.
Parameters:
- scope (str): Resource scope (subscription, resource group, or resource)
Returns:
Iterator[SubAssessment]: Iterator of SubAssessment objects
"""
def get(
scope: str,
assessment_name: str,
sub_assessment_name: str,
**kwargs: Any
) -> SubAssessment:
"""
Get details of a specific sub-assessment.
Parameters:
- scope (str): Resource scope
- assessment_name (str): Name of the parent assessment
- sub_assessment_name (str): Name of the sub-assessment
Returns:
SubAssessment: Sub-assessment details
"""Software Inventories
Manage software inventory and installed software tracking.
def list_by_extended_resource(
resource_group_name: str,
resource_namespace: str,
resource_type: str,
resource_name: str,
**kwargs: Any
) -> Iterator[Software]:
"""
List software inventory for an extended resource.
Parameters:
- resource_group_name (str): Name of the resource group
- resource_namespace (str): Resource provider namespace
- resource_type (str): Resource type
- resource_name (str): Name of the resource
Returns:
Iterator[Software]: Iterator of Software objects
"""
def list_by_subscription(
**kwargs: Any
) -> Iterator[Software]:
"""
List software inventory for the subscription.
Returns:
Iterator[Software]: Iterator of Software objects
"""
def get(
resource_group_name: str,
resource_namespace: str,
resource_type: str,
resource_name: str,
software_name: str,
**kwargs: Any
) -> Software:
"""
Get details of specific software in inventory.
Parameters:
- resource_group_name (str): Name of the resource group
- resource_namespace (str): Resource provider namespace
- resource_type (str): Resource type
- resource_name (str): Name of the resource
- software_name (str): Name of the software
Returns:
Software: Software inventory details
"""Types
class ServerVulnerabilityAssessment:
id: Optional[str]
name: Optional[str]
type: Optional[str]
provisioning_state: Optional[str] # Succeeded, Failed, Canceled, Provisioning, Deleting
class ServerVulnerabilityAssessmentsSettings:
id: Optional[str]
name: Optional[str]
type: Optional[str]
kind: Optional[str] # AzureServersSetting
selected_provider: Optional[str] # Qualys, TVM
class SqlVulnerabilityAssessmentScan:
id: Optional[str]
name: Optional[str]
type: Optional[str]
scan_id: Optional[str]
trigger_type: Optional[str] # OnDemand, Recurring
state: Optional[str] # Passed, Failed, FailedToRun, InProgress
server: Optional[str]
database: Optional[str]
sql_version: Optional[str]
start_time: Optional[datetime]
end_time: Optional[datetime]
high_severity_failed_rules_count: Optional[int]
medium_severity_failed_rules_count: Optional[int]
low_severity_failed_rules_count: Optional[int]
total_passed_rules_count: Optional[int]
total_failed_rules_count: Optional[int]
total_rules_count: Optional[int]
class SqlVulnerabilityAssessmentScanResult:
id: Optional[str]
name: Optional[str]
type: Optional[str]
rule_id: Optional[str]
status: Optional[str] # NonFinding, Finding, InternalError
is_trimmed: Optional[bool]
query_results: Optional[List[List[str]]]
remediation: Optional[Remediation]
base_line_adjusted_result: Optional[BaselineAdjustedResult]
rule_metadata: Optional[VaRule]
class SqlVulnerabilityAssessmentBaselineRule:
id: Optional[str]
name: Optional[str]
type: Optional[str]
latest_scan: Optional[bool]
results: List[List[str]]
class SubAssessment:
id: Optional[str]
name: Optional[str]
type: Optional[str]
status: Optional[SubAssessmentStatus]
remediation: Optional[str]
impact: Optional[str]
category: Optional[str]
description: Optional[str]
time_generated: Optional[datetime]
resource_details: Optional[ResourceDetails]
additional_data: Optional[AdditionalData]
class Software:
id: Optional[str]
name: Optional[str]
type: Optional[str]
device_id: Optional[str]
os_platform: Optional[str]
vendor: Optional[str]
software_name: Optional[str]
version: Optional[str]
end_of_support_status: Optional[str] # None, noLongerSupported, versionNoLongerSupported, upcomingNoLongerSupported, upcomingVersionNoLongerSupported
end_of_support_date: Optional[str]
number_of_known_vulnerabilities: Optional[int]
first_seen_at: Optional[str]
class SubAssessmentStatus:
code: Optional[str] # Healthy, Unhealthy, NotApplicable
cause: Optional[str]
description: Optional[str]
severity: Optional[str] # Low, Medium, High
class Remediation:
description: Optional[str]
scripts: Optional[List[str]]
automated: Optional[bool]
portal_link: Optional[str]
class BaselineAdjustedResult:
status: Optional[str] # NonFinding, Finding, InternalError
class VaRule:
rule_id: Optional[str]
severity: Optional[str] # High, Medium, Low, Informational
category: Optional[str]
rule_type: Optional[str] # Binary, BaselineExpected, PositiveList, NegativeList
title: Optional[str]
description: Optional[str]
rationale: Optional[str]
query_check: Optional[QueryCheck]
benchmark_references: Optional[List[BenchmarkReference]]
class ResourceDetails:
source: Optional[str] # Azure, OnPremise, OnPremiseSql
id: Optional[str]
class AdditionalData:
assessedResourceType: Optional[str] # SqlServerVulnerability, ContainerRegistryVulnerability, ServerVulnerabilityAssessment
workspaceName: Optional[str]
serverName: Optional[str]
databaseName: Optional[str]
patchable: Optional[bool]
cve: Optional[List[CVE]]
vendorReferences: Optional[List[VendorReference]]
cvss: Optional[Dict[str, CVSS]]
class QueryCheck:
query: Optional[str]
expected_result: Optional[List[List[str]]]
column_names: Optional[List[str]]
class BenchmarkReference:
benchmark: Optional[str]
reference: Optional[str]
class CVE:
title: Optional[str]
link: Optional[str]
class VendorReference:
title: Optional[str]
link: Optional[str]
class CVSS:
base: Optional[float]Usage Examples
Server Vulnerability Assessment Management
from azure.identity import DefaultAzureCredential
from azure.mgmt.security import SecurityCenter
credential = DefaultAzureCredential()
client = SecurityCenter(credential, "subscription-id")
# Configure server vulnerability assessment for a VM
vm_resource_id = "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"
assessment = client.server_vulnerability_assessment.create_or_update(vm_resource_id)
print(f"Server vulnerability assessment configured: {assessment.name}")
print(f"Provisioning state: {assessment.provisioning_state}")
# List all server vulnerability assessments
assessments = client.server_vulnerability_assessment.list_by_extended_resource(
"/subscriptions/sub-id"
)
for assessment in assessments:
print(f"Assessment: {assessment.name}")
print(f"State: {assessment.provisioning_state}")
# Configure assessment settings at subscription level
settings = {
"kind": "AzureServersSetting",
"selected_provider": "Qualys"
}
assessment_settings = client.server_vulnerability_assessments_settings.create_or_update(
"AzureServersSetting",
settings
)
print(f"Assessment settings configured: {assessment_settings.selected_provider}")
# List all assessment settings
all_settings = client.server_vulnerability_assessments_settings.list_by_subscription()
for setting in all_settings:
print(f"Setting: {setting.kind}")
print(f"Provider: {setting.selected_provider}")SQL Vulnerability Assessment Management
# SQL database resource ID
sql_db_resource_id = "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Sql/servers/sqlserver/databases/db1"
# List SQL vulnerability assessment scans
sql_scans = client.sql_vulnerability_assessment_scans.list(sql_db_resource_id)
for scan in sql_scans:
print(f"SQL Scan: {scan.scan_id}")
print(f"State: {scan.state}")
print(f"Trigger: {scan.trigger_type}")
print(f"Database: {scan.database}")
print(f"SQL Version: {scan.sql_version}")
print(f"Start Time: {scan.start_time}")
print(f"End Time: {scan.end_time}")
print(f"High Severity Failures: {scan.high_severity_failed_rules_count}")
print(f"Medium Severity Failures: {scan.medium_severity_failed_rules_count}")
print(f"Low Severity Failures: {scan.low_severity_failed_rules_count}")
print(f"Total Passed: {scan.total_passed_rules_count}")
print(f"Total Failed: {scan.total_failed_rules_count}")
# Get scan results for failed scans
if scan.state == "Failed" or (scan.total_failed_rules_count and scan.total_failed_rules_count > 0):
scan_results = client.sql_vulnerability_assessment_scan_results.list(
sql_db_resource_id,
scan.scan_id
)
print(f"\n Scan Results for {scan.scan_id}:")
for result in scan_results:
if result.status == "Finding":
print(f" Rule: {result.rule_id}")
print(f" Status: {result.status}")
if result.rule_metadata:
print(f" Severity: {result.rule_metadata.severity}")
print(f" Title: {result.rule_metadata.title}")
print(f" Description: {result.rule_metadata.description}")
if result.remediation:
print(f" Remediation: {result.remediation.description}")
# Get specific scan details
specific_scan = client.sql_vulnerability_assessment_scans.get(
sql_db_resource_id,
"scan-001"
)
print(f"\nSpecific Scan Details: {specific_scan.scan_id}")
print(f"Server: {specific_scan.server}")
print(f"Total Rules: {specific_scan.total_rules_count}")
# Manage baseline rules
baseline_rules = client.sql_vulnerability_assessment_baseline_rules.list(sql_db_resource_id)
for rule in baseline_rules:
print(f"Baseline Rule: {rule.name}")
print(f"Latest Scan: {rule.latest_scan}")
print(f"Results Count: {len(rule.results or [])}")
# Create/update baseline rule
baseline_rule_data = {
"latest_scan": True,
"results": [
["value1", "value2"],
["value3", "value4"]
]
}
updated_rule = client.sql_vulnerability_assessment_baseline_rules.create_or_update(
sql_db_resource_id,
"rule-001",
baseline_rule_data
)
print(f"Updated baseline rule: {updated_rule.name}")Sub-Assessment Analysis
# List all sub-assessments for subscription
scope = "subscriptions/subscription-id"
sub_assessments = client.sub_assessments.list_all(scope)
vulnerability_findings = []
for sub_assessment in sub_assessments:
print(f"Sub-Assessment: {sub_assessment.name}")
print(f"Category: {sub_assessment.category}")
print(f"Description: {sub_assessment.description}")
print(f"Impact: {sub_assessment.impact}")
print(f"Time Generated: {sub_assessment.time_generated}")
if sub_assessment.status:
print(f"Status: {sub_assessment.status.code}")
print(f"Severity: {sub_assessment.status.severity}")
print(f"Status Description: {sub_assessment.status.description}")
# Collect high/medium severity findings
if sub_assessment.status.severity in ["High", "Medium"]:
vulnerability_findings.append({
"name": sub_assessment.name,
"severity": sub_assessment.status.severity,
"category": sub_assessment.category,
"description": sub_assessment.description,
"remediation": sub_assessment.remediation
})
if sub_assessment.additional_data:
print(f"Resource Type: {sub_assessment.additional_data.assessedResourceType}")
if hasattr(sub_assessment.additional_data, 'cve') and sub_assessment.additional_data.cve:
print(f"CVEs: {len(sub_assessment.additional_data.cve)}")
for cve in sub_assessment.additional_data.cve[:3]: # Show first 3 CVEs
print(f" - {cve.title}: {cve.link}")
print(f"\nHigh/Medium Severity Findings: {len(vulnerability_findings)}")
for finding in vulnerability_findings[:10]: # Show first 10
print(f" {finding['severity']}: {finding['category']} - {finding['name']}")
# Get specific sub-assessment
specific_sub_assessment = client.sub_assessments.get(
scope,
"parent-assessment-name",
"sub-assessment-name"
)
print(f"\nSpecific Sub-Assessment: {specific_sub_assessment.name}")
print(f"Resource Details: {specific_sub_assessment.resource_details}")Software Inventory Management
# List software inventory for subscription
software_inventory = client.software_inventories.list_by_subscription()
vulnerable_software = []
end_of_support_software = []
for software in software_inventory:
print(f"Software: {software.software_name}")
print(f"Vendor: {software.vendor}")
print(f"Version: {software.version}")
print(f"OS Platform: {software.os_platform}")
print(f"Device ID: {software.device_id}")
print(f"Known Vulnerabilities: {software.number_of_known_vulnerabilities}")
print(f"End of Support Status: {software.end_of_support_status}")
print(f"End of Support Date: {software.end_of_support_date}")
print(f"First Seen: {software.first_seen_at}")
# Identify vulnerable software
if (software.number_of_known_vulnerabilities and
software.number_of_known_vulnerabilities > 0):
vulnerable_software.append({
"name": software.software_name,
"vendor": software.vendor,
"version": software.version,
"vulnerabilities": software.number_of_known_vulnerabilities,
"device_id": software.device_id
})
# Identify end-of-support software
if software.end_of_support_status in ["noLongerSupported", "versionNoLongerSupported"]:
end_of_support_software.append({
"name": software.software_name,
"vendor": software.vendor,
"version": software.version,
"status": software.end_of_support_status,
"end_date": software.end_of_support_date,
"device_id": software.device_id
})
print(f"\nVulnerable Software Found: {len(vulnerable_software)}")
for software in vulnerable_software[:10]: # Show first 10
print(f" {software['name']} v{software['version']} - {software['vulnerabilities']} vulnerabilities")
print(f"\nEnd-of-Support Software Found: {len(end_of_support_software)}")
for software in end_of_support_software[:10]: # Show first 10
print(f" {software['name']} v{software['version']} - {software['status']}")
# Get software inventory for specific VM
vm_software = client.software_inventories.list_by_extended_resource(
"vm-rg",
"Microsoft.Compute",
"virtualMachines",
"vm1"
)
print(f"\nSoftware on VM1:")
for software in vm_software:
print(f" {software.software_name} v{software.version}")
if software.number_of_known_vulnerabilities and software.number_of_known_vulnerabilities > 0:
print(f" ⚠️ {software.number_of_known_vulnerabilities} known vulnerabilities")Vulnerability Management Dashboard
def create_vulnerability_management_dashboard():
"""Create a comprehensive vulnerability management dashboard."""
print("Vulnerability Management Dashboard")
print("=" * 50)
# Server Vulnerability Assessments
print("\n1. Server Vulnerability Assessments:")
try:
server_settings = client.server_vulnerability_assessments_settings.list_by_subscription()
settings_count = sum(1 for _ in server_settings)
print(f" Configured Settings: {settings_count}")
except Exception as e:
print(f" Settings: Unable to retrieve ({e})")
# SQL Vulnerability Assessments
print("\n2. SQL Vulnerability Assessments:")
# Note: Would need specific SQL resource IDs to get actual scan data
print(" Requires specific SQL resource IDs for detailed analysis")
# Sub-Assessments Summary
print("\n3. Vulnerability Findings (Sub-Assessments):")
scope = "subscriptions/subscription-id"
sub_assessments = client.sub_assessments.list_all(scope)
severity_counts = {"High": 0, "Medium": 0, "Low": 0}
category_counts = {}
total_findings = 0
for sub_assessment in sub_assessments:
total_findings += 1
if sub_assessment.status and sub_assessment.status.severity:
severity = sub_assessment.status.severity
if severity in severity_counts:
severity_counts[severity] += 1
if sub_assessment.category:
category_counts[sub_assessment.category] = category_counts.get(
sub_assessment.category, 0
) + 1
print(f" Total Findings: {total_findings}")
print(f" High Severity: {severity_counts['High']}")
print(f" Medium Severity: {severity_counts['Medium']}")
print(f" Low Severity: {severity_counts['Low']}")
print("\n Top Categories:")
sorted_categories = sorted(category_counts.items(), key=lambda x: x[1], reverse=True)
for category, count in sorted_categories[:5]:
print(f" {category}: {count}")
# Software Inventory
print("\n4. Software Inventory:")
software_inventory = client.software_inventories.list_by_subscription()
total_software = 0
vulnerable_count = 0
end_of_support_count = 0
total_vulnerabilities = 0
for software in software_inventory:
total_software += 1
if (software.number_of_known_vulnerabilities and
software.number_of_known_vulnerabilities > 0):
vulnerable_count += 1
total_vulnerabilities += software.number_of_known_vulnerabilities
if software.end_of_support_status in ["noLongerSupported", "versionNoLongerSupported"]:
end_of_support_count += 1
print(f" Total Software Packages: {total_software}")
print(f" Vulnerable Packages: {vulnerable_count}")
print(f" Total Known Vulnerabilities: {total_vulnerabilities}")
print(f" End-of-Support Packages: {end_of_support_count}")
# Risk Assessment
print("\n5. Risk Assessment:")
critical_risk = severity_counts["High"] + (vulnerable_count * 0.1)
if critical_risk > 10:
print(" 🔴 High Risk - Immediate attention required")
elif critical_risk > 5:
print(" 🟡 Medium Risk - Plan remediation activities")
else:
print(" 🟢 Low Risk - Continue monitoring")
return {
"total_findings": total_findings,
"high_severity": severity_counts["High"],
"medium_severity": severity_counts["Medium"],
"low_severity": severity_counts["Low"],
"total_software": total_software,
"vulnerable_software": vulnerable_count,
"total_vulnerabilities": total_vulnerabilities,
"end_of_support": end_of_support_count,
"risk_score": critical_risk
}
# Generate the dashboard
dashboard_data = create_vulnerability_management_dashboard()Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-security