What's new in Azure Security Center?
Azure Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about:
- New features
- Bug fixes
- Deprecated functionality
This page is updated regularly, so revisit it often. If you're looking for items older than six months, you'll find them in the Archive for What's new in Azure Security Center.
Updates in June include:
- Secure score API (preview)
- Advanced data security for SQL machines (Azure, other clouds, and on-prem) (preview)
- Two new recommendations to deploy the Log Analytics agent to Azure Arc machines (preview)
- New policies to create continuous export and workflow automation configurations at scale
- New recommendation for using NSGs to protect non-internet-facing virtual machines
- New policies for enabling threat protection and advanced data security
Secure score API (preview)
You can now access your score via the secure score API (currently in preview). The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the Secure Scores API to get the score for a specific subscription. In addition, you can use the Secure Score Controls API to list the security controls and the current score of your subscriptions.
For examples of external tools made possible with the secure score API, see the secure score area of our GitHub community.
Learn more about secure score and security controls in Azure Security Center.
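The paragraph above describes two endpoints (the Secure Scores API for a subscription's score and the Secure Score Controls API for the controls behind it) and suggests building your own reporting over time. The following is an added example in Python, not Microsoft's code or a sample from this page: it builds the request URLs, reduces the responses to the numbers a report needs, ranks controls by the points still available, and computes the score trend across snapshots. The resource paths and the api-version 2020-01-01 are assumptions taken from the public Microsoft.Security/secureScores REST reference (check the current reference before relying on them), and the JSON payloads are constructed samples shaped like that API's responses so the example runs offline.

```python
"""Secure score reporting over time: an added example, not Microsoft's code.

Assumptions (not taken from this page): the resource paths and the
api-version 2020-01-01 follow the public Microsoft.Security/secureScores
REST reference, and the payloads below are constructed samples shaped like
that API's responses so the example runs offline.
"""
from __future__ import annotations

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # assumption: secureScores API version current at time of writing


def secure_score_url(subscription_id: str) -> str:
    """Secure Scores API: the score for one subscription."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/secureScores?api-version={API_VERSION}")


def secure_score_controls_url(subscription_id: str, score_name: str = "ascScore") -> str:
    """Secure Score Controls API: the controls that make up that score."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security/"
            f"secureScores/{score_name}/secureScoreControls?api-version={API_VERSION}")


def parse_score(payload: dict) -> dict:
    """Reduce a secureScores response to current points, maximum points and percentage."""
    score = payload["value"][0]["properties"]["score"]
    pct = score["current"] / score["max"] if score["max"] else 0.0
    return {"current": score["current"], "max": score["max"], "percentage": round(pct, 4)}


def rank_controls(payload: dict) -> list:
    """Controls ordered by the points still available in each (max minus current),
    largest first: remediating the top entry moves the score the most."""
    rows = []
    for control in payload["value"]:
        props = control["properties"]
        rows.append((props["displayName"], props["score"]["max"] - props["score"]["current"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def score_trend(snapshots: list) -> list:
    """Given (ISO date, secureScores payload) pairs collected over time, return the
    percentage per date and the change from the previous snapshot, so a drop
    can be traced to the day it happened."""
    out, previous = [], None
    for day, payload in sorted(snapshots, key=lambda s: s[0]):
        pct = parse_score(payload)["percentage"]
        out.append({"date": day, "percentage": pct,
                    "delta": None if previous is None else round(pct - previous, 4)})
        previous = pct
    return out


# Constructed sample responses (not captured from a real tenant).
SCORE_MAY = {"value": [{"name": "ascScore", "type": "Microsoft.Security/secureScores",
                        "properties": {"displayName": "ASC score",
                                       "score": {"max": 60, "current": 30.0, "percentage": 0.5}}}]}
SCORE_JUNE = {"value": [{"name": "ascScore", "type": "Microsoft.Security/secureScores",
                         "properties": {"displayName": "ASC score",
                                        "score": {"max": 60, "current": 36.0, "percentage": 0.6}}}]}
CONTROLS_JUNE = {"value": [
    {"properties": {"displayName": "Enable MFA", "score": {"max": 10, "current": 0}}},
    {"properties": {"displayName": "Secure management ports", "score": {"max": 8, "current": 6}}},
    {"properties": {"displayName": "Apply system updates", "score": {"max": 6, "current": 6}}},
]}

if __name__ == "__main__":
    print(secure_score_url("00000000-0000-0000-0000-000000000000"))
    for row in score_trend([("2020-06-01", SCORE_JUNE), ("2020-05-01", SCORE_MAY)]):
        print(row)
    for name, gap in rank_controls(CONTROLS_JUNE):
        print(f"{name}: {gap} points available")
```

In a real report the two `*_url` functions would be called with a bearer token for the subscription's Azure AD tenant; the parsing functions are deliberately separated from the HTTP call so the same logic can be exercised on stored snapshots, which is what a trend over time needs anyway.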
Advanced data security for SQL machines (Azure, other clouds, and on-prem) (preview)
Azure Security Center's advanced data security for SQL machines now protects SQL Servers hosted in Azure, on other cloud environments, and even on-premises machines. This extends the protections for your Azure-native SQL Servers to fully support hybrid environments.
Advanced data security provides vulnerability assessment and advanced threat protection for your SQL machines wherever they're located.
Setup involves two steps:
- Deploying the Log Analytics agent to your SQL Server's host machine to provide the connection to your Azure account.
- Enabling the optional bundle in Security Center's pricing and settings page.
Learn more about advanced data security for SQL machines.
Two new recommendations to deploy the Log Analytics agent to Azure Arc machines (preview)
Two new recommendations have been added to help deploy the Log Analytics Agent to your Azure Arc machines and ensure they're protected by Azure Security Center:
- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
These new recommendations will appear in the same four security controls as the existing (related) recommendation, Monitoring agent should be installed on your machines: remediate security configurations, apply adaptive application control, apply system updates, and enable endpoint protection.
The recommendations also include the Quick fix capability to help speed up the deployment process.
Learn more about these two new recommendations in the Compute and app recommendations table.
Learn more about how Azure Security Center uses the agent in What is the Log Analytics agent?.
Learn more about extensions for Azure Arc machines.
New policies to create continuous export and workflow automation configurations at scale
Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.
The policies can be found in Azure Policy:

| Goal | Policy | Policy ID |
|---|---|---|
| Continuous export to Event Hub | Deploy export to Event Hub for Azure Security Center alerts and recommendations | cdfcce10-4578-4ecd-9703-530938e4abcb |
| Continuous export to Log Analytics workspace | Deploy export to Log Analytics workspace for Azure Security Center alerts and recommendations | ffb6f416-7bd2-4488-8828-56585fef2be9 |
| Workflow automation for security alerts | Deploy Workflow Automation for Azure Security Center alerts | f1525828-9a90-4fcf-be48-268cdd02361e |
| Workflow automation for security recommendations | Deploy Workflow Automation for Azure Security Center recommendations | 73d6ab6c-2475-4850-afd6-43795f3492ef |
Get started with workflow automation templates.
Learn more about using the two export policies in Continuously Export Azure Security Center Alerts and Recommendations via Policy.
New recommendation for using NSGs to protect non-internet-facing virtual machines
The "implement security best practices" security control now includes the following new recommendation:
- Non-internet-facing virtual machines should be protected with network security groups
An existing recommendation, Internet-facing virtual machines should be protected with network security groups, didn't distinguish between internet-facing and non-internet-facing VMs. For both, a high-severity recommendation was generated if a VM wasn't assigned to a network security group. This new recommendation separates out the non-internet-facing machines to reduce false positives and avoid unnecessary high-severity alerts.
Learn more in the Network recommendations table.
New policies for enabling threat protection and advanced data security
The new policies below were added to the ASC Default initiative and are designed to assist with enabling threat protection or advanced data security for the relevant resource types.
The policies can be found in Azure Policy:

| Policy | Policy ID |
|---|---|
| Advanced data security should be enabled on Azure SQL Database servers | 7fe3b40f-802b-4cdd-8bd4-fd799c948cc2 |
| Advanced data security should be enabled on SQL servers on machines | 6581d072-105e-4418-827f-bd446d56421b |
| Advanced threat protection should be enabled on Storage accounts | 308fbb08-4ab8-4e67-9b29-592e93fb94fa |
| Advanced threat protection should be enabled on Azure Key Vault vaults | 0e6763cc-5078-4e64-889d-ff4d9a839047 |
| Advanced threat protection should be enabled on App Service plans | 2913021d-f2fd-4f3d-b958-22354e2bdbcb |
| Advanced threat protection should be enabled on Azure Container Registry registries | c25d9a16-bc35-4e15-a7e5-9db606bf9ed4 |
| Advanced threat protection should be enabled on Azure Kubernetes Service clusters | 523b5cd1-3e23-492f-a539-13118b6d1e3a |
| Advanced threat protection should be enabled on Virtual Machines | 4da35fc9-c9e7-4960-aec9-797fe7d9051d |
Learn more about Threat protection in Azure Security Center.
Updates in May include:
- Alert suppression rules (preview)
- Virtual machine vulnerability assessment is now generally available
- Changes to just-in-time (JIT) virtual machine (VM) access
- Custom recommendations have been moved to a separate security control
- Toggle added to view recommendations in controls or as a flat list
- Expanded security control "Implement security best practices"
- Custom policies with custom metadata are now generally available
- Crash dump analysis capabilities migrating to fileless attack detection
Alert suppression rules (preview)
This new feature (currently in preview) helps reduce alert fatigue. Use rules to automatically hide alerts that are known to be innocuous or related to normal activities in your organization. This lets you focus on the most relevant threats.
Alerts that match your enabled suppression rules will still be generated, but their state will be set to dismissed. You can see the state in the Azure portal or however you access your Security Center security alerts.
Suppression rules define the criteria for which alerts should be automatically dismissed. Typically, you'd use a suppression rule to:
- suppress alerts that you've identified as false positives
- suppress alerts that are being triggered too often to be useful
Learn more about suppressing alerts from Azure Security Center's threat protection.
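The two sections above define the behaviour: a suppression rule states criteria, a matching alert is still generated but its state becomes dismissed, and a rule can expire. The following is an added example in Python, not Security Center's code, showing that matching applied to a batch of alerts. It assumes a rule carries an alertType, an optional suppressionAlertsScope.allOf list of {field, in} conditions on alert entity fields, an expirationDateUtc and a state (loosely following the shape of the Security Center suppression-rule resource; the exact field names are an assumption), and the alert types, host names and rules are constructed samples.

```python
"""Suppression rules applied to a batch of alerts: an added example, not
Security Center's code. Assumptions: a rule carries an alertType, an optional
suppressionAlertsScope.allOf list of {field, in} conditions on alert entity
fields, an expirationDateUtc and a state, loosely following the shape of the
Security Center suppression-rule resource; the alert types, host names and
rules are constructed samples."""
from __future__ import annotations
from datetime import datetime, timezone


def _lookup(obj: dict, dotted: str):
    """Resolve a dotted path such as 'entities.host.hostName' inside an alert."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def rule_matches(rule: dict, alert: dict, now: datetime) -> bool:
    """True when an enabled, unexpired rule covers this alert: the alert type must
    be equal and every allOf condition must hold (an absent field never matches)."""
    if rule.get("state", "Enabled") != "Enabled":
        return False
    expiry = rule.get("expirationDateUtc")
    if expiry is not None and now >= expiry:
        return False
    if rule["alertType"] != alert["alertType"]:
        return False
    for cond in rule.get("suppressionAlertsScope", {}).get("allOf", []):
        if _lookup(alert, cond["field"]) not in cond["in"]:
            return False
    return True


def apply_suppression(alerts: list, rules: list, now: datetime) -> list:
    """Return every alert (nothing is dropped); those covered by a rule are marked
    Dismissed and record which rule dismissed them, the rest stay Active."""
    result = []
    for alert in alerts:
        annotated = dict(alert, state="Active", suppressedBy=None)
        for rule in rules:
            if rule_matches(rule, annotated, now):
                annotated["state"] = "Dismissed"
                annotated["suppressedBy"] = rule["name"]
                break
        result.append(annotated)
    return result


def dismissed_count(result: list) -> int:
    """How many alerts a rule set hides: worth reviewing when it climbs unexpectedly."""
    return sum(1 for a in result if a["state"] == "Dismissed")


# Constructed rules and alerts (sample values, not from a real tenant).
RULES = [
    {"name": "patch-runner-scheduled-tasks", "state": "Enabled",
     "alertType": "Sample_ScheduledTaskCreated",
     "expirationDateUtc": datetime(2020, 12, 31, tzinfo=timezone.utc),
     "suppressionAlertsScope": {"allOf": [
         {"field": "entities.host.hostName", "in": ["patch-runner-01", "patch-runner-02"]}]}},
    {"name": "old-scanner-rule", "state": "Enabled",
     "alertType": "Sample_PortScanObserved",
     "expirationDateUtc": datetime(2020, 3, 1, tzinfo=timezone.utc)},  # already expired
]
ALERTS = [
    {"id": "a1", "alertType": "Sample_ScheduledTaskCreated", "entities": {"host": {"hostName": "patch-runner-01"}}},
    {"id": "a2", "alertType": "Sample_ScheduledTaskCreated", "entities": {"host": {"hostName": "web-03"}}},
    {"id": "a3", "alertType": "Sample_PortScanObserved", "entities": {"host": {"hostName": "patch-runner-01"}}},
    {"id": "a4", "alertType": "Sample_PortScanObserved", "entities": {}},
]
NOW = datetime(2020, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for alert in apply_suppression(ALERTS, RULES, NOW):
        print(alert["id"], alert["alertType"], alert["state"], alert["suppressedBy"])
```

Two design points carry over to real rules: scope the rule as narrowly as the false positive allows (here, by host name rather than by alert type alone, so the same alert type on any other host stays active), and give every rule an expiry so a suppression written for a temporary situation does not keep hiding alerts after the situation has changed.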
Virtual machine vulnerability assessment is now generally available
Security Center's standard tier now includes an integrated vulnerability assessment for virtual machines for no additional fee. This extension is powered by Qualys but reports its findings directly back to Security Center. You don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center.
The new solution can continuously scan your virtual machines to find vulnerabilities and present the findings in Security Center.
To deploy the solution, use the new security recommendation:
"Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)"
Changes to just-in-time (JIT) virtual machine (VM) access
Security Center includes an optional feature to protect the management ports of your VMs. This provides a defense against the most common form of brute force attacks.
This update brings the following changes to this feature:
- The recommendation that advises you to enable JIT on a VM has been renamed. Formerly "Just-in-time network access control should be applied on virtual machines", it's now "Management ports of virtual machines should be protected with just-in-time network access control".
- The recommendation is now triggered only if there are open management ports.
Learn more about the JIT access feature.
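The following is an added example in Python, not Security Center's evaluation logic, that makes two of the rule changes on this page concrete: the split between internet-facing and non-internet-facing VMs without a network security group (the June network recommendation above) and the JIT recommendation now firing only when a management port is actually open. Its classification rules are simplifying assumptions not taken from this page: a VM counts as internet-facing when a NIC has a public IP; a management port counts as open when the first inbound rule (by priority) that matches both the port and an Internet source is an Allow, and no matching rule means the default deny applies; service tags and CIDR containment are ignored. The recommendation names are quoted from this page; the management port set, the VMs and the NSG rules are constructed.

```python
"""Which NSG / just-in-time recommendation applies to a VM: an added example,
not Security Center's evaluation logic. Simplifying assumptions, not from this
page: a VM is internet-facing when a NIC has a public IP; a management port is
open when the first inbound rule (by priority) that matches both the port and an
Internet source is Allow, with no matching rule meaning the default deny applies;
service tags and CIDR containment are ignored. The VMs and rules are constructed."""
from __future__ import annotations
from dataclasses import dataclass

NSG_INTERNET = "Internet-facing virtual machines should be protected with network security groups"
NSG_INTERNAL = "Non-internet-facing virtual machines should be protected with network security groups"
JIT = "Management ports of virtual machines should be protected with just-in-time network access control"

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}    # assumption: SSH, RDP, WinRM
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


@dataclass
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first
    access: str        # "Allow" or "Deny"
    direction: str     # "Inbound" or "Outbound"
    source: str        # address prefix or tag
    dest_ports: str    # "22", "*", "5985-5986", "22,3389"


@dataclass
class Vm:
    name: str
    has_public_ip: bool
    nsg_rules: list | None   # None means no NSG attached to the NIC or subnet


def _port_matches(port: int, spec: str) -> bool:
    """Does a destination-port specification ('*', '22', '80,443', '5985-5986') cover port?"""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            if low <= port <= high:
                return True
        elif int(part) == port:
            return True
    return False


def open_management_ports(rules: list) -> set:
    """Management ports reachable from the Internet under the simplified NSG model."""
    open_ports = set()
    for port in sorted(MANAGEMENT_PORTS):
        candidates = [r for r in rules
                      if r.direction == "Inbound" and r.source in INTERNET_SOURCES
                      and _port_matches(port, r.dest_ports)]
        if candidates and min(candidates, key=lambda r: r.priority).access == "Allow":
            open_ports.add(port)
    return open_ports


def recommendations(vm: Vm) -> list:
    """Recommendation names this VM would receive. A VM with no NSG gets the
    internet-facing or the non-internet-facing NSG recommendation (the split this
    update introduces); a VM with an NSG gets the JIT recommendation only when a
    management port is actually open, as the renamed recommendation now requires."""
    if vm.nsg_rules is None:
        return [NSG_INTERNET if vm.has_public_ip else NSG_INTERNAL]
    return [JIT] if open_management_ports(vm.nsg_rules) else []


# Constructed sample fleet.
FLEET = [
    Vm("web-01", True, None),
    Vm("db-01", False, None),
    Vm("jump-01", True, [NsgRule("allow-rdp", 100, "Allow", "Inbound", "*", "3389")]),
    Vm("app-01", False, [NsgRule("allow-ssh-corp", 100, "Allow", "Inbound", "10.0.0.0/8", "22")]),
    Vm("hardened-01", True, [NsgRule("deny-ssh-internet", 100, "Deny", "Inbound", "Internet", "22"),
                             NsgRule("allow-ssh-any", 200, "Allow", "Inbound", "*", "22"),
                             NsgRule("allow-https", 300, "Allow", "Inbound", "*", "443")]),
]

if __name__ == "__main__":
    for vm in FLEET:
        print(vm.name, recommendations(vm) or ["(no network recommendation)"])
```

The hardened-01 case shows why the priority ordering matters: an Allow on port 22 from any source exists, but the lower-numbered Deny from the Internet wins, so the port is not open and the JIT recommendation does not fire. The app-01 case shows the other half of the change: SSH allowed only from a private range is not an open management port either.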
Custom recommendations have been moved to a separate security control
One of the security controls introduced with the enhanced secure score was "Implement security best practices". Any custom recommendations created for your subscriptions were automatically placed in that control.
To make it easier to find your custom recommendations, we've moved them into a dedicated security control, "Custom recommendations". This control has no impact on your secure score.
Learn more about security controls in Enhanced secure score (preview) in Azure Security Center.
Toggle added to view recommendations in controls or as a flat list
Security controls are logical groups of related security recommendations. They reflect your vulnerable attack surfaces. A control is a set of security recommendations, with instructions that help you implement those recommendations.
To immediately see how well your organization is securing each individual attack surface, review the scores for each security control.
By default, your recommendations are shown in the security controls. From this update you can also display them as a list. To view them as a simple list sorted by the health status of the affected resources, use the new toggle 'Group by controls'. The toggle is above the list in the portal.
The security controls - and this toggle - are part of the new secure score experience. Remember to send us your feedback from within the portal.
Learn more about security controls in Enhanced secure score (preview) in Azure Security Center.
Expanded security control "Implement security best practices"
One of the security controls introduced with the enhanced secure score is "Implement security best practices". When a recommendation is in this control, it doesn't impact the secure score.
With this update, three recommendations have moved out of the controls in which they were originally placed, and into this best practices control. We've taken this step because we've determined that the risk of these three recommendations is lower than was initially thought.
In addition, two new recommendations have been introduced and added to this control.
The three recommendations that moved are:
- MFA should be enabled on accounts with read permissions on your subscription (originally in the "Enable MFA" control)
- External accounts with read permissions should be removed from your subscription (originally in the "Manage access and permissions" control)
- A maximum of 3 owners should be designated for your subscription (originally in the "Manage access and permissions" control)
The two new recommendations added to the control are:
- Guest configuration extension should be installed on Windows virtual machines (Preview) - Using Azure Policy Guest Configuration provides visibility inside virtual machines to server and application settings (Windows only).
- Windows Defender Exploit Guard should be enabled on your machines (Preview) - Windows Defender Exploit Guard leverages the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only).
Learn more about Windows Defender Exploit Guard in Create and deploy an Exploit Guard policy.
Learn more about security controls in Enhanced secure score (preview).
Custom policies with custom metadata are now generally available
Custom policies are now part of the Security Center recommendations experience, secure score, and the regulatory compliance standards dashboard. This feature is now generally available and allows you to extend your organization's security assessment coverage in Security Center.
Create a custom initiative in Azure policy, add policies to it and onboard it to Azure Security Center, and visualize it as recommendations.
We've now also added the option to edit the custom recommendation metadata. Metadata options include severity, remediation steps, threats information, and more.
Learn more about enhancing your custom recommendations with detailed information.
Crash dump analysis capabilities migrating to fileless attack detection
We are integrating the Windows crash dump analysis (CDA) detection capabilities into fileless attack detection. Fileless attack detection analytics brings improved versions of the following security alerts for Windows machines: Code injection discovered, Masquerading Windows Module Detected, Shellcode discovered, and Suspicious code segment detected.
Some of the benefits of this transition:
- Proactive and timely malware detection - The CDA approach involved waiting for a crash to occur and then running analysis to find malicious artifacts. Using fileless attack detection brings proactive identification of in-memory threats while they are running.
- Enriched alerts - The security alerts from fileless attack detection include enrichments that aren't available from CDA, such as the active network connections information.
- Alert aggregation - When CDA detected multiple attack patterns within a single crash dump, it triggered multiple security alerts. Fileless attack detection combines all of the identified attack patterns from the same process into a single alert, removing the need to correlate multiple alerts.
- Reduced requirements on your Log Analytics workspace - Crash dumps containing potentially sensitive data will no longer be uploaded to your Log Analytics workspace.
Updates in April include:
- Dynamic compliance packages are now generally available
- Identity recommendations now included in Azure Security Center free tier
Dynamic compliance packages are now generally available
The Azure Security Center regulatory compliance dashboard now includes dynamic compliance packages (now generally available) to track additional industry and regulatory standards.
Dynamic compliance packages can be added to your subscription or management group from the Security Center security policy page. When you've onboarded a standard or benchmark, the standard appears in your regulatory compliance dashboard with all associated compliance data mapped as assessments. A summary report for any of the standards that have been onboarded will be available to download.
Now, you can add standards such as:
- NIST SP 800-53 R4
- SWIFT CSP CSCF-v2020
- UK Official and UK NHS
- Canada Federal PBMM
- Azure CIS 1.1.0 (new) (which is a more complete representation of Azure CIS 1.1.0)
In addition, we've recently added the Azure Security Benchmark, the Microsoft-authored Azure-specific guidelines for security and compliance best practices based on common compliance frameworks. Additional standards will be supported in the dashboard as they become available.
Learn more about customizing the set of standards in your regulatory compliance dashboard.
Identity recommendations now included in Azure Security Center free tier
Security recommendations for identity and access on the Azure Security Center free tier are now generally available. This is part of the effort to make the cloud security posture management (CSPM) features free. Until now, these recommendations were only available on the standard pricing tier.
Examples of identity and access recommendations include:
- "Multifactor authentication should be enabled on accounts with owner permissions on your subscription."
- "A maximum of three owners should be designated for your subscription."
- "Deprecated accounts should be removed from your subscription."
If you have subscriptions on the free pricing tier, their secure scores will be impacted by this change because they were never assessed for their identity and access security.
Learn more about identity and access recommendations.
Learn more about monitoring identity and access.
Updates in March include:
- Workflow automation is now generally available
- Integration of Azure Security Center with Windows Admin Center
- Protection for Azure Kubernetes Service
- Improved just-in-time experience
- Two security recommendations for web applications deprecated
Workflow automation is now generally available
The workflow automation feature of Azure Security Center is now generally available. Use it to automatically trigger Logic Apps on security alerts and recommendations. In addition, manual triggers are available for alerts and all recommendations that have the quick fix option available.
Every security program includes multiple workflows for incident response. These processes might include notifying relevant stakeholders, launching a change management process, and applying specific remediation steps. Security experts recommend that you automate as many steps of those procedures as you can. Automation reduces overhead and can improve your security by ensuring the process steps are done quickly, consistently, and according to your predefined requirements.
For more information about the automatic and manual Security Center capabilities for running your workflows, see workflow automation.
Learn more about creating Logic Apps.
Integration of Azure Security Center with Windows Admin Center
It’s now possible to move your on-premises Windows servers from the Windows Admin Center directly to the Azure Security Center. Security Center then becomes your single pane of glass to view security information for all your Windows Admin Center resources, including on-premises servers, virtual machines, and additional PaaS workloads.
After moving a server from Windows Admin Center to Azure Security Center, you’ll be able to:
- View security alerts and recommendations in the Security Center extension of the Windows Admin Center.
- View the security posture and retrieve additional detailed information of your Windows Admin Center managed servers in the Security Center within the Azure portal (or via an API).
Learn more about how to integrate Azure Security Center with Windows Admin Center.
Protection for Azure Kubernetes Service
Azure Security Center is expanding its container security features to protect Azure Kubernetes Service (AKS).
The popular, open-source platform Kubernetes has been adopted so widely that it’s now an industry standard for container orchestration. Despite this widespread implementation, there’s still a lack of understanding regarding how to secure a Kubernetes environment. Defending the attack surfaces of a containerized application requires expertise to ensure the infrastructure is configured securely and constantly monitored for potential threats.
The Security Center defense includes:
- Discovery and visibility - Continuous discovery of managed AKS instances within the subscriptions registered to Security Center.
- Security recommendations - Actionable recommendations to help you comply with security best-practices for AKS. These recommendations are included in your secure score to ensure they’re viewed as a part of your organization’s security posture. An example of an AKS-related recommendation you might see is "Role-based access control should be used to restrict access to a Kubernetes service cluster".
- Threat protection - Through continuous analysis of your AKS deployment, Security Center alerts you to threats and malicious activity detected at the host and AKS cluster level.
Learn more about Azure Kubernetes Services' integration with Security Center.
Learn more about the container security features in Security Center.
Improved just-in-time experience
The features, operation, and UI for Azure Security Center’s just-in-time tools that secure your management ports have been enhanced as follows:
- Justification field - When requesting access to a virtual machine (VM) through the just-in-time page of the Azure portal, a new optional field is available to enter a justification for the request. Information entered into this field can be tracked in the activity log.
- Automatic cleanup of redundant just-in-time (JIT) rules - Whenever you update a JIT policy, a cleanup tool automatically runs to check the validity of your entire ruleset. The tool looks for mismatches between rules in your policy and rules in the NSG. If the cleanup tool finds a mismatch, it determines the cause and, when it's safe to do so, removes built-in rules that aren't needed anymore. The cleaner never deletes rules that you've created.
Learn more about the JIT access feature.
Two security recommendations for web applications deprecated
Two security recommendations related to web applications are being deprecated:
- The rules for web applications on IaaS NSGs should be hardened. (Related policy: The NSGs rules for web applications on IaaS should be hardened)
- Access to App Services should be restricted. (Related policy: Access to App Services should be restricted [preview])
These recommendations will no longer appear in the Security Center list of recommendations. The related policies will no longer be included in the initiative named "Security Center Default".
Learn more about security recommendations.
Fileless attack detection for Linux (preview)
As attackers increasingly employ stealthier methods to avoid detection, Azure Security Center is extending fileless attack detection to Linux, in addition to Windows. Fileless attacks exploit software vulnerabilities, inject malicious payloads into benign system processes, and hide in memory. These techniques:
- minimize or eliminate traces of malware on disk
- greatly reduce the chances of detection by disk-based malware scanning solutions
To counter this threat, Azure Security Center released fileless attack detection for Windows in October 2018, and has now extended fileless attack detection on Linux as well.
Enhanced secure score (preview)
An enhanced version of the secure score feature of Azure Security Center is now available in preview. In this version, multiple recommendations are grouped into Security Controls that better reflect your vulnerable attack surfaces (for example, restrict access to management ports).
Familiarize yourself with the secure score changes during the preview phase and determine other remediations that will help you to further secure your environment.
Learn more about Enhanced secure score (preview) in Azure Security Center.