SOLVED

Did I just stumble on a hidden gem?


Hi all,


A while back I asked a question on antimalware monitoring (https://techcommunity.microsoft.com/t5/azure-monitor/antimalware-monitoring/td-p/1416239), and @Noa Kuperberg pointed me to the Antimalware assessment. However, last week I noticed Azure Security Center has the same features as the Antimalware assessment, and it even shows that in the pricing and settings:

[screenshot: -Akos-_0-1601372194357.png, ASC pricing and settings]

I see that even the free ASC tier has the ProtectionStatus table in the Log Analytics workspace, so I am indeed able to see the status of the antimalware. Now here comes my confusion: I know that the Azure Security Center "Azure Defender On" paid tier has alerting capabilities on things like brute force attacks, but it seems the free tier has alerting on antimalware (from the IaaSAntimalware extension at least) baked in. I tested this with an EICAR test file, and sure enough I am getting alerts.

[screenshot: -Akos-_1-1601372997862.png, antimalware alert in ASC]

I tested this on several Azure subscriptions that have no Azure Defender subscription, nor a trial enabled. I see alerts not only in ASC, but they come to the Activity Log as well, so I can alert from there; they even show me the file path and the threat status, i.e. whether it was quarantined.


My question: Is this a happy accident, or is even the free tier supposed to have antimalware alerting from Azure Security Center? Or is that ability going away after a while, like a secret trialware?


P.S. I am well aware that ASC's capabilities extend beyond just antimalware, but this feature alone would be a serious bonus.

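The ProtectionStatus table mentioned above can be turned into a per-VM health check directly in the Log Analytics workspace. The two KQL queries below are an added example, not part of the original post; they assume the table carries the columns Computer, ProtectionStatus, ProtectionStatusRank, ThreatStatus, ThreatStatusRank, Threat and TypeofProtection, and that a rank value of 150 is the "healthy" value for both rank columns (an assumption to confirm against your own workspace).

```kusto
// Query 1: latest antimalware state for every VM that reported in the last day,
// keeping only machines whose protection or threat state is not healthy.
// Assumption: rank 150 == healthy for ProtectionStatusRank and ThreatStatusRank.
ProtectionStatus
| where TimeGenerated > ago(1d)
| summarize arg_max(TimeGenerated, *) by Computer        // one row per VM, newest record
| where ProtectionStatusRank != 150 or ThreatStatusRank != 150
| order by ThreatStatusRank desc, ProtectionStatusRank desc  // worst state first
| project TimeGenerated, Computer, ProtectionStatus, ThreatStatus, Threat, TypeofProtection

// Query 2: VMs that used to report but have gone silent. A missing record is
// not a healthy record, so this catches agents that stopped sending data.
let lookback = 7d;   // window in which a machine must have been seen at least once
let recent   = 1d;   // a machine silent for longer than this is flagged
ProtectionStatus
| where TimeGenerated > ago(lookback)
| summarize LastSeen = max(TimeGenerated) by Computer
| where LastSeen < ago(recent)
| project Computer, LastSeen, HoursSilent = datetime_diff('hour', now(), LastSeen)
| order by HoursSilent desc
```

Both queries can be saved as log alert rules on the workspace, which gives a scheduled check on antimalware health independent of the portal alerts the post describes.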

2 Replies
best response confirmed by -Akos- (Contributor)
Solution

Hi @-Akos-,

Endpoint Protection assessments (including SCEP/Microsoft Antimalware) for Azure resources are part of Azure Security Center without Azure Defender. More information about what features are included in ASC with and without Azure Defender can be found here: https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows


Best regards,

Tom Janetscheck

Senior Program Manager

CxE | Azure Security Center

Hi @Tom_Janetscheck,


Thank you for your answer! I have seen that article, but it doesn't say very clearly that you get that for free; still, it's great to know that this little gem is a keeper. And it alone will be a reason for me to get ASC in every new subscription we manage.