What's new in Azure Security Center?

Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.

This page is updated frequently, so revisit it often.

To learn about planned changes that are coming soon to Security Center, see Important upcoming changes to Azure Security Center.

Tip

If you're looking for items older than six months, you'll find them in the Archive for What's new in Azure Security Center.

March 2021

Updates in March include:

Azure Firewall management integrated into Security Center

When you open Azure Security Center, the first page to appear is the overview page.

This interactive dashboard provides a unified view into the security posture of your hybrid cloud workloads. Additionally, it shows security alerts, coverage information, and more.

As part of helping you view your security status from a central experience, we have integrated the Azure Firewall Manager into this dashboard. You can now check Firewall coverage status across all networks and centrally manage Azure Firewall policies starting from Security Center.

Learn more about this dashboard in Azure Security Center's overview page.

Security Center's overview dashboard with a tile for Azure Firewall

SQL vulnerability assessment now includes the "Disable rule" experience (preview)

Security Center includes a built-in vulnerability scanner to help you discover, track, and remediate potential database vulnerabilities. The findings from your assessment scans provide an overview of your SQL machines' security state, and details of any security findings.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

Learn more in Disable specific findings.

Azure Monitor Workbooks integrated into Security Center and three templates provided

As part of Ignite Spring 2021, we announced an integrated Azure Monitor Workbooks experience in Security Center.

You can leverage the new integration to start using the out-of-the-box templates from Security Center’s gallery. By using workbook templates, you can access and build dynamic and visual reports to track your organization’s security posture. Additionally, you can create new workbooks based on Security Center data or any other supported data types and quickly deploy community workbooks from Security Center's GitHub community.

Three templates reports are provided:

  • Secure Score Over Time - Track your subscriptions' scores and changes to recommendations for your resources
  • System Updates - View missing system updates by resources, OS, severity, and more
  • Vulnerability Assessment Findings - View the findings of vulnerability scans of your Azure resources

Learn about using these reports or building your own Create rich, interactive reports of Security Center data.

Secure score over time report

Regulatory compliance dashboard now includes Azure Audit reports (preview)

From the regulatory compliance dashboard's toolbar you can now download Azure and Dynamics certification reports.

Regulatory compliance dashboard's toolbar

You can select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need.

Learn more about Managing the standards in your regulatory compliance dashboard.

Filtering the list of available Azure Audit reports

Updates to the policies for deploying workflow automation

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

We provide three Azure Policy 'DeployIfNotExist' policies that create and configure workflow automation procedures so that you can deploy your automations across your organization:

Goal Policy Policy ID
Workflow automation for security alerts Deploy Workflow Automation for Azure Security Center alerts f1525828-9a90-4fcf-be48-268cdd02361e
Workflow automation for security recommendations Deploy Workflow Automation for Azure Security Center recommendations 73d6ab6c-2475-4850-afd6-43795f3492ef
Workflow automation for regulatory compliance changes Deploy Workflow Automation for Azure Security Center regulatory compliance 509122b9-ddd9-47ba-a5f1-d0dac20be63c

There are two updates to the features of these policies:

  • When assigned, they will remain enabled by enforcement.
  • You can now customize these policies and update any of the parameters even after they have already been deployed. For example, if a user wants to add another assessment key, or edit an existing assessment key, they can do so.

Get started with workflow automation templates.

Learn more about how to Automate responses to Security Center triggers.

February 2021

Updates in February include:

New security alerts page in the Azure portal released for General Availability (GA)

Azure Security Center's security alerts page has been redesigned to provide:

  • Improved triage experience for alerts - helping to reduce alerts fatigue and focus on the most relevant threats easier, the list includes customizable filters and grouping options.
  • More information in the alerts list - such as MITRE ATT&ACK tactics.
  • Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts. configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans.
  • Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other.
  • Better performance for large alerts lists.
  • Keyboard navigation through the alert list.
  • Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.
  • Create sample alerts feature - To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.

Azure Security Center's security alerts list

Kubernetes workload protection recommendations released for General Availability (GA)

We're happy to announce the General Availability (GA) of the set of recommendations for Kubernetes workload protections.

To ensure that Kubernetes workloads are secure by default, Security Center has added Kubernetes level hardening recommendations, including enforcement options with Kubernetes admission control.

When the Azure Policy add-on for Kubernetes is installed on your Azure Kubernetes Service (AKS) cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices - displayed as 13 security recommendations - before being persisted to the cluster. You can then configure to enforce the best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.

Learn more in Workload protection best-practices using Kubernetes admission control.

Note

While the recommendations were in preview, they didn't render an AKS cluster resource unhealthy, and they weren't included in the calculations of your secure score. with this GA announcement these will be included in the score calculation. If you haven't remediated them already, this might result in a slight impact on your secure score. Remediate them wherever possible as described in Remediate recommendations in Azure Security Center.

Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 Virtual Desktop (WVD) (in preview)

Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. It provides risk-based vulnerability management and assessment as well as endpoint detection and response (EDR). For a full list of the benefits of using Defender for Endpoint together with Azure Security Center, see Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

When you enable Azure Defender for servers on a Windows server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for servers and you have Windows 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

Support has now been expanded to include Windows Server 2019 and Windows Virtual Desktop (WVD).

Note

If you're enabling Defender for Endpoint on a Windows Server 2019 machine, ensure it meets the prerequisites described in Enabling the Microsoft Defender for Endpoint integration.

When you're reviewing the details of a recommendation, it's often helpful to be able to see the underlying policy. For every recommendation supported by a policy, there's a new link from the recommendation details page:

Link to Azure Policy page for the specific policy supporting a recommendation

Use this link to view the policy definition and review the evaluation logic.

If you're reviewing the list of recommendations on our Security recommendations reference guide, you'll also see links to the policy definition pages:

Accessing the Azure Policy page for a specific policy directly from the Azure Security Center recommendations reference page

SQL data classification recommendation no longer affects your secure score

The recommendation Sensitive data in your SQL databases should be classified no longer affects your secure score. This is the only recommendation in the Apply data classification security control, so that control now has a secure score value of 0.

For a full list of all security controls in Security Center, together with their scores and a list of the recommendations in each, see Security controls and their recommendations.

Workflow automations can be triggered by changes to regulatory compliance assessments (in preview)

We've added a third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments.

Learn how to use the workflow automation tools in Automate responses to Security Center triggers.

Using changes to regulatory compliance assessments to trigger a workflow automation

Asset inventory page enhancements

Security Center's asset inventory page has been improved in the following ways:

  • Summaries at the top of the page now include Unregistered subscriptions, showing the number of subscriptions without Security Center enabled.

    Count of unregistered subscriptions in the summaries at the top of the asset inventory page

  • Filters have been expanded and enhanced to include:

    • Counts - Each filter presents the number of resources that meet the criteria of each category

      Counts in the filters in the asset inventory page of Azure Security Center

    • Contains exemptions filter (Optional) - narrow the results to resources that have/haven't got exemptions. This filter isn't shown by default, but is accessible from the Add filter button.

      Adding the filter 'contains exemption' in Azure Security Center's asset inventory page

Learn more about how to Explore and manage your resources with asset inventory.

January 2021

Updates in January include:

Azure Security Benchmark is now the default policy initiative for Azure Security Center

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.

In recent months, Security Center's list of built-in security recommendations has grown significantly to expand our coverage of this benchmark.

From this release, the benchmark is the foundation for Security Center’s recommendations and fully integrated as the default policy initiative.

All Azure services have a security baseline page in their documentation. For example, this is Security Center's baseline. These baselines are built on Azure Security Benchmark.

If you're using Security Center's regulatory compliance dashboard, you'll see two instances of the benchmark during a transition period:

Azure Security Center's regulatory compliance dashboard showing the Azure Security Benchmark

Existing recommendations are unaffected and as the benchmark grows, changes will automatically be reflected within Security Center.

To learn more, see the following pages:

Vulnerability assessment for on-premise and multi-cloud machines is released for General Availability (GA)

In October, we announced a preview for scanning Azure Arc enabled servers with Azure Defender for servers' integrated vulnerability assessment scanner (powered by Qualys).

It's now released for General Availability (GA).

When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the integrated vulnerability scanner on them - manually and at-scale.

With this update, you can unleash the power of Azure Defender for servers to consolidate your vulnerability management program across all of your Azure and non-Azure assets.

Main capabilities:

  • Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines
  • Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)
  • Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)
  • Unified experience for Azure VMs and Azure Arc machines

Learn more about deploying the integrated vulnerability scanner to your hybrid machines.

Learn more about Azure Arc enabled servers.

Secure score for management groups is now available in preview

The secure score page now shows the aggregated secure scores for your management groups in addition to the subscription level. So now you can see the list of management groups in your organization and the score for each management group.

Viewing the secure scores for your management groups.

Learn more about secure score and security controls in Azure Security Center.

Secure score API is released for General Availability (GA)

You can now access your score via the secure score API. The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example:

  • use the Secure Scores API to get the score for a specific subscription
  • use the Secure Score Controls API to list the security controls and the current score of your subscriptions

Learn about external tools made possible with the secure score API in the secure score area of our GitHub community.

Learn more about secure score and security controls in Azure Security Center.

Dangling DNS protections added to Azure Defender for App Service

Subdomain takeovers are a common, high-severity threat for organizations. A subdomain takeover can occur when you have a DNS record that points to a deprovisioned web site. Such DNS records are also known as "dangling DNS" entries. CNAME records are especially vulnerable to this threat.

Subdomain takeovers enable threat actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.

Azure Defender for App Service now detects dangling DNS entries when an App Service website is decommissioned. This is the moment at which the DNS entry is pointing at a non-existent resource, and your website is vulnerable to a subdomain takeover. These protections are available whether your domains are managed with Azure DNS or an external domain registrar and applies to both App Service on Windows and App Service on Linux.

Learn more:

Multi-cloud connectors are released for General Availability (GA)

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Connecting your AWS or GCP accounts integrates their native security tools like AWS Security Hub and GCP Security Command Center into Azure Security Center.

This capability means that Security Center provides visibility and protection across all major cloud environments. Some of the benefits of this integration:

  • Automatic agent provisioning - Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances
  • Policy management
  • Vulnerability management
  • Embedded Endpoint Detection and Response (EDR)
  • Detection of security misconfigurations
  • A single view showing security recommendations from all cloud providers
  • Incorporate all of your resources into Security Center's secure score calculations
  • Regulatory compliance assessments of your AWS and GCP resources

From Security Center's menu, select Multi cloud connectors and you'll see the options for creating new connectors:

Add AWS account button on Security Center's multi cloud connectors page

Learn more in:

Exempt entire recommendations from your secure score for subscriptions and management groups

We're expanding the exemption capability to include entire recommendations. Providing further options to fine-tune the security recommendations that Security Center makes for your subscriptions, management group, or resources.

Occasionally, a resource will be listed as unhealthy when you know the issue has been resolved by a third-party tool which Security Center hasn't detected. Or a recommendation will show in a scope where you feel it doesn't belong. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation.

With this preview feature, you can now create an exemption for a recommendation to:

  • Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.

  • Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.

Learn more in Exempting resources and recommendations from your secure score.

Users can now request tenant-wide visibility from their global administrator

If a user doesn't have permissions to see Security Center data, they'll now see a link to request permissions from their organization's global administrator. The request includes the role they'd like and the justification for why it's necessary.

Banner informing a user they can request tenant-wide permissions.

Learn more in Request tenant-wide permissions when yours are insufficient.

35 preview recommendations added to increase coverage of Azure Security Benchmark

Azure Security Benchmark is the default policy initiative in Azure Security Center.

To increase the coverage of this benchmark, the following 35 preview recommendations have been added to Security Center.

Tip

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.

Security control New recommendations
Enable encryption at rest - Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
- Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
- Bring your own key data protection should be enabled for MySQL servers
- Bring your own key data protection should be enabled for PostgreSQL servers
- Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
- Container registries should be encrypted with a customer-managed key (CMK)
- SQL managed instances should use customer-managed keys to encrypt data at rest
- SQL servers should use customer-managed keys to encrypt data at rest
- Storage accounts should use customer-managed key (CMK) for encryption
Implement security best practices - Subscriptions should have a contact email address for security issues
- Auto provisioning of the Log Analytics agent should be enabled on your subscription
- Email notification for high severity alerts should be enabled
- Email notification to subscription owner for high severity alerts should be enabled
- Key vaults should have purge protection enabled
- Key vaults should have soft delete enabled
Manage access and permissions - Function apps should have 'Client Certificates (Incoming client certificates)' enabled
Protect applications against DDoS attacks - Web Application Firewall (WAF) should be enabled for Application Gateway
- Web Application Firewall (WAF) should be enabled for Azure Front Door Service service
Restrict unauthorized network access - Firewall should be enabled on Key Vault
- Private endpoint should be configured for Key Vault
- App Configuration should use private link
- Azure Cache for Redis should reside within a virtual network
- Azure Event Grid domains should use private link
- Azure Event Grid topics should use private link
- Azure Machine Learning workspaces should use private link
- Azure SignalR Service should use private link
- Azure Spring Cloud should use network injection
- Container registries should not allow unrestricted network access
- Container registries should use private link
- Public network access should be disabled for MariaDB servers
- Public network access should be disabled for MySQL servers
- Public network access should be disabled for PostgreSQL servers
- Storage account should use a private link connection
- Storage accounts should restrict network access using virtual network rules
- VM Image Builder templates should use private link

Related links:

CSV export of filtered list of recommendations

In November 2020, we added filters to the recommendations page (Recommendations list now includes filters). In December, we expanded those filters (Recommendations page has new filters for environment, severity, and available responses).

With this announcement, we're changing the behavior of the Download to CSV button so that the CSV export only includes the recommendations currently displayed in the filtered list.

For example, in the image below you can see that the list has been filtered to two recommendations. The CSV file that is generated includes the status details for every resource affected by those two recommendations.

Exporting filtered recommendations to a CSV file

Learn more in Security recommendations in Azure Security Center.

"Not applicable" resources now reported as "Compliant" in Azure Policy assessments

Previously, resources that were evaluated for a recommendation and found to be not applicable appeared in Azure Policy as "Non-compliant". No user actions could change their state to "Compliant". With this change, they're reported as "Compliant" for improved clarity.

The only impact will be seen in Azure Policy where the number of compliant resources will increase. There will be no impact to your secure score in Azure Security Center.

Export weekly snapshots of secure score and regulatory compliance data with continuous export (preview)

We've added a new preview feature to the continuous export tools for exporting weekly snapshots of secure score and regulatory compliance data.

When you define a continuous export, set the export frequency:

Choosing the frequency of your continuous export

  • Streaming – assessments will be sent in real time when a resource’s health state is updated (if no updates occur, no data will be sent).
  • Snapshots – a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).

Learn more about the full capabilities of this feature in Continuously export Security Center data.

December 2020

Updates in December include:

Azure Defender for SQL servers on machines is generally available

Azure Security Center offers two Azure Defender plans for SQL Servers:

  • Azure Defender for Azure SQL database servers - defends your Azure-native SQL Servers
  • Azure Defender for SQL servers on machines - extends the same protections to your SQL servers in hybrid, multicloud, and on-premises environments

With this announcement, Azure Defender for SQL now protects your databases and their data wherever they're located.

Azure Defender for SQL includes vulnerability assessment capabilities. The vulnerability assessment tool includes the following advanced features:

  • Baseline configuration (New!) to intelligently refine the results of vulnerability scans to those that might represent real security issues. After you've established your baseline security state, the vulnerability assessment tool only reports deviations from that baseline state. Results that match the baseline are considered as passing subsequent scans. This lets you and your analysts focus your attention where it matters.
  • Detailed benchmark information to help you understand the discovered findings, and why they relate to your resources.
  • Remediation scripts to help you mitigate identified risks.

Learn more about Azure Defender for SQL.

Azure Defender for SQL support for Azure Synapse Analytics dedicated SQL pool is generally available

Azure Synapse Analytics (formerly SQL DW) is an analytics service that combines enterprise data warehousing and big data analytics. Dedicated SQL pools are the enterprise data warehousing features of Azure Synapse. Learn more in What is Azure Synapse Analytics (formerly SQL DW)?.

Azure Defender for SQL protects your dedicated SQL pools with:

  • Advanced threat protection to detect threats and attacks
  • Vulnerability assessment capabilities to identify and remediate security misconfigurations

Azure Defender for SQL's support for Azure Synapse Analytics SQL pools is automatically added to Azure SQL databases bundle in Azure Security Center. You'll find a new “Azure Defender for SQL” tab in your Synapse workspace page in the Azure portal.

Learn more about Azure Defender for SQL.

Global Administrators can now grant themselves tenant-level permissions

A user with the Azure Active Directory role of Global Administrator might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Azure Security Center.

To assign yourself tenant-level permissions, follow the instructions in Grant tenant-wide permissions to yourself.

Two new Azure Defender plans: Azure Defender for DNS and Azure Defender for Resource Manager (in preview)

We've added two new cloud-native breadth threat protection capabilities for your Azure environment.

These new protections greatly enhance your resiliency against attacks from threat actors, and significantly increase the number of Azure resources protected by Azure Defender.

New security alerts page in the Azure portal (preview)

Azure Security Center's security alerts page has been redesigned to provide:

  • Improved triage experience for alerts - helping to reduce alerts fatigue and focus on the most relevant threats easier, the list includes customizable filters and grouping options
  • More information in the alerts list - such as MITRE ATT&ACK tactics
  • Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans
  • Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other
  • Better performance for large alerts lists
  • Keyboard navigation through the alert list
  • Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.

To access the new experience, use the 'try it now' link from the banner at the top of the security alerts page.

Banner with link to the new preview alerts experience

To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.

Revitalized Security Center experience in Azure SQL Database & SQL Managed Instance

The Security Center experience within SQL provides access to the following Security Center and Azure Defender for SQL features:

  • Security recommendations – Security Center periodically analyzes the security state of all connected Azure resources to identify potential security misconfigurations. It then provides recommendations on how to remediate those vulnerabilities and improve organizations’ security posture.
  • Security alerts – a detection service that continuously monitors Azure SQL activities for threats such as SQL injection, brute-force attacks, and privilege abuse. This service triggers detailed and action-oriented security alerts in Security Center and provides options for continuing investigations with Azure Sentinel, Microsoft’s Azure-native SIEM solution.
  • Findings – a vulnerability assessment service that continuously monitors Azure SQL configurations and helps remediate vulnerabilities. Assessment scans provide an overview of Azure SQL security states together with detailed security findings.

Azure Security Center's security features for SQL are available from within Azure SQL

Asset inventory tools and filters updated

The inventory page in Azure Security Center has been refreshed with the following changes:

  • Guides and feedback added to the toolbar. This opens a pane with links to related information and tools.

  • Subscriptions filter added to the default filters available for your resources.

  • Open query link for opening the current filter options as an Azure Resource Graph query (formerly called "View in resource graph explorer").

  • Operator options for each filter. Now you can choose from more logical operators other than '='. For example, you might want to find all resources with active recommendations whose titles include the string 'encrypt'.

    Controls for the operator option in asset inventory's filters

Learn more about inventory in Explore and manage your resources with asset inventory.

Recommendation about web apps requesting SSL certificates no longer part of secure score

The recommendation "Web apps should request an SSL certificate for all incoming requests" has been moved from the security control Manage access and permissions (worth a maximum of 4 pts) into Implement security best practices (which is worth no points).

Ensuring a web app requests a certificate certainly makes it more secure. However, for public-facing web apps it's irrelevant. If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client certificates, you should not allow requests to your application over HTTP. Learn more in Configure TLS mutual authentication for Azure App Service.

With this change, the recommendation is now a recommended best practice that does not impact your score.

Learn which recommendations are in each security control in Security controls and their recommendations.

Recommendations page has new filters for environment, severity, and available responses

Azure Security Center monitors all connected resources and generates security recommendations. Use these recommendations to strengthen your hybrid cloud posture and track compliance with the policies and standards relevant to your organization, industry, and country.

As Security Center continues to expand its coverage and features, the list of security recommendations is growing every month. For example, see 29 preview recommendations added to increase coverage of Azure Security Benchmark.

With the growing list, there's a need to filter the recommendations to find the ones of greatest interest. In November, we added filters to the recommendations page (see Recommendations list now includes filters).

The filters added this month provide options to refine the recommendations list according to:

  • Environment - View recommendations for your AWS, GCP, or Azure resources (or any combination)

  • Severity - View recommendations according to the severity classification set by Security Center

  • Response actions - View recommendations according to the availability of Security Center response options: Quick fix, Deny, and Enforce

    Tip

    The response actions filter replaces the Quick fix available (Yes/No) filter.

    Learn more about each of these response options:

Recommendations grouped by security control

Continuous export gets new data types and improved deployifnotexist policies

Azure Security Center's continuous export tools enable you to export Security Center's recommendations and alerts for use with other monitoring tools in your environment.

Continuous export lets you fully customize what will be exported, and where it will go. For full details, see Continuously export Security Center data.

These tools have been enhanced and expanded in the following ways:

  • Continuous export's deployifnotexist policies enhanced. The policies now:

    • Check whether the configuration is enabled. If it isn't, the policy will show as non-compliant and create a compliant resource. Learn more about the supplied Azure Policy templates in the "Deploy at scale with Azure Policy tab" in Set up a continuous export.

    • Support exporting security findings. When using the Azure Policy templates, you can configure your continuous export to include findings. This is relevant when exporting recommendations that have 'sub' recommendations, like findings from vulnerability assessment scanners or specific system updates for the 'parent' recommendation "System updates should be installed on your machines".

    • Support exporting secure score data.

  • Regulatory compliance assessment data added (in preview). You can now continuously export updates to regulatory compliance assessments, including for any custom initiatives, to a Log Analytics workspace or Event Hub. This feature is unavailable on national/sovereign clouds.

    The options for including regulatory compliant assessment information with your continuous export data.

November 2020

Updates in November include:

29 preview recommendations added to increase coverage of Azure Security Benchmark

Azure Security Benchmark is the Microsoft-authored, Azure-specific, set of guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

The following 29 preview recommendations have been added to Security Center to increase the coverage of this benchmark.

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.

Security control New recommendations
Encrypt data in transit - Enforce SSL connection should be enabled for PostgreSQL database servers
- Enforce SSL connection should be enabled for MySQL database servers
- TLS should be updated to the latest version for your API app
- TLS should be updated to the latest version for your function app
- TLS should be updated to the latest version for your web app
- FTPS should be required in your API App
- FTPS should be required in your function App
- FTPS should be required in your web App
Manage access and permissions - Web apps should request an SSL certificate for all incoming requests
- Managed identity should be used in your API App
- Managed identity should be used in your function App
- Managed identity should be used in your web App
Restrict unauthorized network access - Private endpoint should be enabled for PostgreSQL servers
- Private endpoint should be enabled for MariaDB servers
- Private endpoint should be enabled for MySQL servers
Enable auditing and logging - Diagnostic logs in App Services should be enabled
Implement security best practices - Azure Backup should be enabled for virtual machines
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- PHP should be updated to the latest version for your API app
- PHP should be updated to the latest version for your web app
- Java should be updated to the latest version for your API app
- Java should be updated to the latest version for your function app
- Java should be updated to the latest version for your web app
- Python should be updated to the latest version for your API app
- Python should be updated to the latest version for your function app
- Python should be updated to the latest version for your web app
- Audit retention for SQL servers should be set to at least 90 days

Related links:

NIST SP 800 171 R2 added to Security Center's regulatory compliance dashboard

The NIST SP 800-171 R2 standard is now available as a built-in initiative for use with Azure Security Center's regulatory compliance dashboard. The mappings for the controls are described in Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative.

To apply the standard to your subscriptions and continuously monitor your compliance status, use the instructions in Customize the set of standards in your regulatory compliance dashboard.

The NIST SP 800 171 R2 standard in Security Center's regulatory compliance dashboard

For more information about this compliance standard, see NIST SP 800-171 R2.

Recommendations list now includes filters

You can now filter the list of security recommendations according to a range of criteria. In the following example, the recommendations list has been filtered to show recommendations that:

  • are generally available (that is, not preview)
  • are for storage accounts
  • support quick fix remediation

Filters for the recommendations list

Auto provisioning experience improved and expanded

The auto provisioning feature helps reduce management overhead by installing the required extensions on new - and existing - Azure VMs so they can benefit from Security Center's protections.

As Azure Security Center grows, more extensions have been developed and Security Center can monitor a larger list of resource types. The auto provisioning tools have now been expanded to support other extensions and resource types by leveraging the capabilities of Azure Policy.

You can now configure the auto provisioning of:

  • Log Analytics agent
  • (New) Azure Policy Add-on for Kubernetes
  • (New) Microsoft Dependency agent

Learn more in Auto provisioning agents and extensions from Azure Security Center.

Secure score is now available in continuous export (preview)

With continuous export of secure score, you can stream changes to your score in real time to Azure Event Hubs or a Log Analytics workspace. Use this capability to:

  • track your secure score over time with dynamic reports
  • export secure score data to Azure Sentinel (or any other SIEM)
  • integrate this data with any processes you might already be using to monitor secure score in your organization

Learn more about how to Continuously export Security Center data.

"System updates should be installed on your machines" recommendation now includes subrecommendations

The System updates should be installed on your machines recommendation has been enhanced. The new version includes subrecommendations for each missing update and brings the following improvements:

  • A redesigned experience in the Azure Security Center pages of the Azure portal. The recommendation details page for System updates should be installed on your machines includes the list of findings as shown below. When you select a single finding, the details pane opens with a link to the remediation information and a list of affected resources.

    Opening one of the subrecommendations in the portal experience for the updated recommendation

  • Enriched data for the recommendation from Azure Resource Graph (ARG). ARG is an Azure service that's designed to provide efficient resource exploration. You can use ARG to query at scale across a given set of subscriptions so that you can effectively govern your environment.

    For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data.

    Previously, if you queried this recommendation in ARG, the only available information was that the recommendation needs to be remediated on a machine. The following query of the enhanced version will return each missing system updates grouped by machine.

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    | where extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) == "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
    | where properties.status.code == "Unhealthy"
    

Policy management page in the Azure portal now shows status of default policy assignments

You can now see whether or not your subscriptions have the default Security Center policy assigned, in the Security Center's security policy page of the Azure portal.

The policy management page of Azure Security Center showing the default policy assignments

October 2020

Updates in October include:

Vulnerability assessment for on-premise and multi-cloud machines (preview)

Azure Defender for servers' integrated vulnerability assessment scanner (powered by Qualys) now scans Azure Arc enabled servers.

When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the integrated vulnerability scanner on them - manually and at-scale.

With this update, you can unleash the power of Azure Defender for servers to consolidate your vulnerability management program across all of your Azure and non-Azure assets.

Main capabilities:

  • Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines
  • Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)
  • Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)
  • Unified experience for Azure VMs and Azure Arc machines

Learn more about deploying the integrated vulnerability scanner to your hybrid machines.

Learn more about Azure Arc enabled servers.

Azure Firewall recommendation added (preview)

A new recommendation has been added to protect all your virtual networks with Azure Firewall.

The recommendation, Virtual networks should be protected by Azure Firewall advises you to restrict access to your virtual networks and prevent potential threats by using Azure Firewall.

Learn more about Azure Firewall.

Authorized IP ranges should be defined on Kubernetes Services recommendation updated with quick fix

The recommendation Authorized IP ranges should be defined on Kubernetes Services now has a quick fix option.

For more information about this recommendation and all other Security Center recommendations, see Security recommendations - a reference guide.

The authorized IP ranges should be defined on Kubernetes Services recommendation with the quick fix option

Regulatory compliance dashboard now includes option to remove standards

Security Center's regulatory compliance dashboard provides insights into your compliance posture based on how you're meeting specific compliance controls and requirements.

The dashboard includes a default set of regulatory standards. If any of the supplied standards isn't relevant to your organization, it's now a simple process to remove them from the UI for a subscription. Standards can be removed only at the subscription level; not the management group scope.

Learn more in Remove a standard from your dashboard.

Microsoft.Security/securityStatuses table removed from Azure Resource Graph (ARG)

Azure Resource Graph is a service in Azure that is designed to provide efficient resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data. For example:

Within ARG, there are tables of data for you to use in your queries.

Azure Resource Graph Explorer and the available tables

Tip

The ARG documentation lists all the available tables in Azure Resource Graph table and resource type reference.

From this update, the Microsoft.Security/securityStatuses table has been removed. The securityStatuses API is still available.

Data replacement can be used by Microsoft.Security/Assessments table.

The major difference between Microsoft.Security/securityStatuses and Microsoft.Security/Assessments is that while the first shows aggregation of assessments, the seconds holds a single record for each.

For example, Microsoft.Security/securityStatuses would return a result with an array of two policyAssessments:

{
id: "/subscriptions/449bcidd-3470-4804-ab56-2752595 felab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/securityStatuses/mico-rg-vnet",
name: "mico-rg-vnet",
type: "Microsoft.Security/securityStatuses",
properties:  {
    policyAssessments: [
        {assessmentKey: "e3deicce-f4dd-3b34-e496-8b5381bazd7e", category: "Networking", policyName: "Azure DDOS Protection Standard should be enabled",...},
        {assessmentKey: "sefac66a-1ec5-b063-a824-eb28671dc527", category: "Compute", policyName: "",...}
    ],
    securitystateByCategory: [{category: "Networking", securityState: "None" }, {category: "Compute",...],
    name: "GenericResourceHealthProperties",
    type: "VirtualNetwork",
    securitystate: "High"
}

Whereas, Microsoft.Security/Assessments will hold a record for each such policy assessment as follows:

{
type: "Microsoft.Security/assessments",
id:  "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft. Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/e3delcce-f4dd-3b34-e496-8b5381ba2d70",
name: "e3deicce-f4dd-3b34-e496-8b5381ba2d70",
properties:  {
    resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet"...},
    displayName: "Azure DDOS Protection Standard should be enabled",
    status: (code: "NotApplicable", cause: "VnetHasNOAppGateways", description: "There are no Application Gateway resources attached to this Virtual Network"...}
}

{
type: "Microsoft.Security/assessments",
id:  "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/80fac66a-1ec5-be63-a824-eb28671dc527",
name: "8efac66a-1ec5-be63-a824-eb28671dc527",
properties: {
    resourceDetails: (Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet"...),
    displayName: "Audit diagnostic setting",
    status:  {code: "Unhealthy"}
}

Example of converting an existing ARG query using securityStatuses to now use the assessments table:

Query that references SecurityStatuses:

SecurityResources 
| where type == 'microsoft.security/securitystatuses' and properties.type == 'virtualMachine'
| where name in ({vmnames}) 
| project name, resourceGroup, policyAssesments = properties.policyAssessments, resourceRegion = location, id, resourceDetails = properties.resourceDetails

Replacement query for the Assessments table:

securityresources
| where type == "microsoft.security/assessments" and id contains "virtualMachine"
| extend resourceName = extract(@"(?i)/([^/]*)/providers/Microsoft.Security/assessments", 1, id)
| extend source = tostring(properties.resourceDetails.Source)
| extend resourceId = trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
source =~ "aws", properties.additionalData.AzureResourceId,
source =~ "gcp", properties.additionalData.AzureResourceId,
extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id)))))
| extend resourceGroup = tolower(tostring(split(resourceId, "/")[4]))
| where resourceName in ({vmnames}) 
| project resourceName, resourceGroup, resourceRegion = location, id, resourceDetails = properties.additionalData

Learn more at the following links: