Azure Security Center (ASC) is Microsoft’s cloud workload protection platform and cloud security posture management service that provides organizations with security visibility and control of hybrid workloads. The Log Analytics Agent must be installed in Windows and Linux operating systems that you plan on collecting data from.
We will examine how data flows when using Azure Security Center (ASC), specially the agent collection, central collection of log data, and creation of recommendations and alerts.
ASC Monitored Resources
Azure Security Center has two modes: free tier and standard tier. The free tier provides security recommendations for compute, network, storage, identity, IoT and application resources in Azure. The standard tier provides threat detection for those workloads, and in addition to that, it enables you to monitor virtual machines hosted in other cloud providers and on-premises.
Only the data collected from virtual machines will be stored in a Log Analytics workspace. For your PaaS services such as SQL ATP, there is a “Continuous Export” feature that enables security alerts to be stored in a Log Analytics workspace. You can choose whether you want to use an existing workspace or leave ASC automatically create a default one. Keep in mind that you can gather data from virtual machines running in different subscriptions and store it into a single workspace. Azure Monitor Log Analytics workspace can be retained at no charge for up to first 31 days.
ASC Agent Data Flow: Log Analytics Agent
The Log Analytics Agent reads various security-related configurations and event logs from virtual machines via TCP 443. The data collected is going to be reflected in the Azure Security Center dashboard. This data will be transformed into recommendations such as missing updates, misconfigures OS security settings, endpoint protection enablement, health and into alerts of threat detections. Azure Security Center updates its recommendations within 24 hours; OS security configuration recommendations within 48 hours; and Endpoint Protection recommendations within 8 hours.
To have the Log Analytics Agent sending collected data into the Log Analytics workspace, your virtual machines will need Internet access. If you have a firewall implementation in your environment, make sure to set inbound and outbound allowance to the 5 agent resources mentioned in the firewall requirements table below, and that has a broader vision of not only the monitored VMs but also other services that are supported by Azure Security Center:
If you need to harden the Log Analytics Agent URLs in your firewall, you can use the list below:
ASC Log Data Flow
ASC periodically analyzes the state of monitored resources to identify potential security vulnerabilities. This information is transformed into recommendations that have a Secure Score impact. This assessment focuses on improving your security hygiene. When a recommendation is remediated, Azure Security Center will update your Secure Score.
Recommendations will have a short description, resources involved and remediation steps to follow. Some include a Quick Fix feature to act easily and promptly. All recommendations from Azure Security Center will be displayed in the ASC dashboard, but can also be reached through PowerShell, ASC REST API, Event Hub, third party change management or security operations systems, and even downloaded as a CSV file.
At Ignite 2019, ASC Team announced partnership with Check Point, Tenable and CyberArk that enable these partners to send recommendations to ASC using API. Assuming you have the right license for those products, you could leverage these capabilities to have visibility of security recommendations in ASC dashboard. Recommendations can also be triggered by the built-in (part of ASC Standard Tier) vulnerability assessment integration with Qualys.
ASC deploys a variety of alerts, triggered by advanced threat detections, for the monitored resources you set (Azure, on-premises, hybrid cloud environments). They will get assigned a severity to help you prioritize tasks to solve them. Alerts can be seen in ASC dashboard and Azure Monitor Activity Log, but also they can be configured to push information to ASC REST API, Intelligent Security Graph API, Event Hub, and a third party SIEM solution. When the options shown in the figure below are enabled in ASC settings, ASC will also share analytics with MDATP and MCAS:
For more information on the list of alerts that can be generated by Azure Security Center, read the Alerts Reference Guide.
Continue learning more
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.