What's new in Azure Security Center?

Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.

This page is updated frequently, so revisit it often.

To learn about planned changes that are coming soon to Security Center, see Important upcoming changes to Azure Security Center.

Tip

If you're looking for items older than six months, you'll find them in the Archive for What's new in Azure Security Center.

July 2021


Enhancements to recommendation to enable Azure Disk Encryption (ADE)

Following user feedback, we've renamed the recommendation Disk encryption should be applied on virtual machines.

The new recommendation uses the same assessment ID and is called Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

The description has also been updated to better explain the purpose of this hardening recommendation:

Recommendation: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources
Description: By default, a virtual machine’s OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren’t encrypted, and data isn’t encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison. Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if: (1) you’re using the encryption-at-host feature, or (2) server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage.
Severity: High

Continuous export of secure score and regulatory compliance data released for General Availability (GA)

Continuous export provides the mechanism for exporting your security alerts and recommendations for tracking with other monitoring tools in your environment.

When you set up your continuous export, you configure what is exported, and where it will go. Learn more in the overview of continuous export.

We've enhanced and expanded this feature over time, adding secure score and regulatory compliance data as exportable data types.

With this update, these two options are released for General Availability (GA).

Workflow automations can be triggered by changes to regulatory compliance assessments (GA)

In February 2021, we added a preview third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments. Learn more in Workflow automations can be triggered by changes to regulatory compliance assessments.

With this update, this trigger option is released for General Availability (GA).

Learn how to use the workflow automation tools in Automate responses to Security Center triggers.

Using changes to regulatory compliance assessments to trigger a workflow automation.

Assessments API fields 'FirstEvaluationDate' and 'StatusChangeDate' now available in workspace schemas and logic apps

In May 2021, we updated the Assessment API with two new fields, FirstEvaluationDate and StatusChangeDate. For full details, see Assessments API expanded with two new fields.

Those fields were accessible through the REST API, Azure Resource Graph, continuous export, and in CSV exports.

With this change, we're making the information available in the Log Analytics workspace schema and from logic apps.

In March, we announced the integrated Azure Monitor Workbooks experience in Security Center (see Azure Monitor Workbooks integrated into Security Center and three templates provided).

The initial release included three templates to build dynamic and visual reports about your organization's security posture.

We've now added a workbook dedicated to tracking a subscription's compliance with the regulatory or industry standards applied to it.

Learn about using these reports or building your own in Create rich, interactive reports of Security Center data.

Azure Security Center's compliance over time workbook

June 2021


New alert for Azure Defender for Key Vault

To expand the threat protections provided by Azure Defender for Key Vault, we've added the following alert:

Alert: Access from a suspicious IP address to a key vault (KV_SuspiciousIPAccess)
Description: A key vault has been successfully accessed by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. This may indicate that your infrastructure has been compromised. We recommend further investigation. Learn more about Microsoft's threat intelligence capabilities.
MITRE tactic: Credential Access
Severity: Medium


Recommendations to encrypt with customer-managed keys (CMKs) disabled by default

Security Center includes multiple recommendations to encrypt data at rest with customer-managed keys, such as:

  • Container registries should be encrypted with a customer-managed key (CMK)
  • Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
  • Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)

Data in Azure is encrypted automatically using platform-managed keys, so customer-managed keys should only be used when required for compliance with a specific policy your organization is choosing to enforce.

With this change, the recommendations to use CMKs are now disabled by default. When relevant for your organization, you can enable them by changing the Effect parameter for the corresponding security policy to AuditIfNotExists or Enforce. Learn more in Enable a security policy.

This change is reflected in the names of the recommendations with a new prefix, [Enable if required], as shown in the following examples:

  • [Enable if required] Storage accounts should use customer-managed key to encrypt data at rest
  • [Enable if required] Container registries should be encrypted with a customer-managed key (CMK)
  • [Enable if required] Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest

Security Center's CMK recommendations will be disabled by default.

Prefix for Kubernetes alerts changed from "AKS_" to "K8S_"

Azure Defender for Kubernetes recently expanded to protect Kubernetes clusters hosted on-premises and in multi-cloud environments. Learn more in Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (in preview).

To reflect the fact that the security alerts provided by Azure Defender for Kubernetes are no longer restricted to clusters on Azure Kubernetes Service, we've changed the prefix for the alert types from "AKS_" to "K8S_". Where necessary, the names and descriptions were updated too. For example, this alert:

Alert: Kubernetes penetration testing tool detected (AKS_PenTestToolsKubeHunter)
Description: Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the AKS cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.

was changed to:

Alert: Kubernetes penetration testing tool detected (K8S_PenTestToolsKubeHunter)
Description: Kubernetes audit log analysis detected usage of Kubernetes penetration testing tool in the Kubernetes cluster. While this behavior can be legitimate, attackers might use such public tools for malicious purposes.

Any suppression rules that refer to alerts beginning with "AKS_" were automatically converted. If you've set up SIEM exports, or custom automation scripts that refer to Kubernetes alerts by alert type, you'll need to update them with the new alert types.

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.
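Suppression rules are converted automatically, but SIEM routing tables and custom automation scripts that match on the alert type string are not. The following helper, an added example rather than code from the Security Center documentation or from Microsoft, rewrites legacy "AKS_" names to "K8S_" in both exported alert records and free-text scripts, and reports which references are still stale. Apart from AKS_PenTestToolsKubeHunter / K8S_PenTestToolsKubeHunter, which the page itself quotes, every alert type name, routing target and script line below is a constructed placeholder.

```python
"""Update references to Azure Defender for Kubernetes alert types after the
prefix change from "AKS_" to "K8S_".

Added example; not code from the Azure Security Center documentation.
Apart from AKS_PenTestToolsKubeHunter / K8S_PenTestToolsKubeHunter, which the
page itself quotes, all alert type names, routing targets and script text
below are constructed placeholders.
"""
import re

LEGACY_PREFIX = "AKS_"
CURRENT_PREFIX = "K8S_"

# Matches a legacy alert type wherever it appears in free text, e.g. inside a
# custom automation script or a SIEM rule definition.
_LEGACY_REF = re.compile(r"\bAKS_(\w+)")


def migrate_alert_type(alert_type: str) -> str:
    """Return the current name for an alert type; non-Kubernetes types pass through."""
    if alert_type.startswith(LEGACY_PREFIX):
        return CURRENT_PREFIX + alert_type[len(LEGACY_PREFIX):]
    return alert_type


def normalize_alert(alert: dict) -> dict:
    """Copy an exported alert record with alertType rewritten to the current
    name, so that rules keyed on the new name match both old and new exports."""
    normalized = dict(alert)
    normalized["alertType"] = migrate_alert_type(str(alert.get("alertType", "")))
    return normalized


def find_stale_references(routing_rules: dict) -> list:
    """Alert types in a routing table (alert type -> handler) still using the legacy prefix."""
    return sorted(k for k in routing_rules if k.startswith(LEGACY_PREFIX))


def migrate_routing_rules(routing_rules: dict) -> dict:
    """Rewrite routing-table keys to current names. If a table already holds
    both the legacy and the current key, the entry under the current key wins."""
    migrated = {}
    for alert_type, handler in routing_rules.items():
        current = migrate_alert_type(alert_type)
        if current in migrated and alert_type.startswith(LEGACY_PREFIX):
            continue  # an explicit current-name entry was seen first; keep it
        migrated[current] = handler
    return migrated


def route_alert(alert: dict, routing_rules: dict):
    """Look up the handler for an alert, tolerating either spelling of the
    alert type in both the alert record and the rules."""
    rules = migrate_routing_rules(routing_rules)
    return rules.get(normalize_alert(alert)["alertType"])


def find_stale_in_text(script_text: str) -> list:
    """Legacy alert-type names referenced in a script or rule file, de-duplicated."""
    return sorted(set(m.group(0) for m in _LEGACY_REF.finditer(script_text)))


def rewrite_text(script_text: str) -> str:
    """Rewrite every legacy alert-type reference in free text to the current name."""
    return _LEGACY_REF.sub(lambda m: CURRENT_PREFIX + m.group(1), script_text)


# Constructed sample routing table, as a pre-rename automation script might hold.
SAMPLE_ROUTING_RULES = {
    "AKS_PenTestToolsKubeHunter": "kubernetes-triage",   # stale: the page's own example
    "K8S_PlaceholderAlert": "kubernetes-triage",         # placeholder, already migrated
    "ARM_OperationFromSuspiciousIP": "arm-triage",       # other plan, must stay untouched
}

# Constructed sample automation snippet that still references the legacy name.
SAMPLE_SCRIPT = 'if alert["alertType"] == "AKS_PenTestToolsKubeHunter": escalate(alert)'

if __name__ == "__main__":
    print("stale keys:", find_stale_references(SAMPLE_ROUTING_RULES))
    print("migrated:", migrate_routing_rules(SAMPLE_ROUTING_RULES))
    print("stale in script:", find_stale_in_text(SAMPLE_SCRIPT))
    print("rewritten:", rewrite_text(SAMPLE_SCRIPT))
```

Running the migration over exported alerts as well as over the rules (route_alert does both) means a backlog of alerts exported before the rename still lands on the right handler after the rules are updated.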

Deprecated two recommendations from "Apply system updates" security control

The following two recommendations were deprecated:

  • OS version should be updated for your cloud service roles - By default, Azure periodically updates your guest OS to the latest supported image within the OS family that you've specified in your service configuration (.cscfg), such as Windows Server 2016.
  • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version - This recommendation's evaluations aren't as wide-ranging as we'd like them to be. We plan to replace the recommendation with an enhanced version that's better aligned with your security needs.

May 2021


Azure Defender for DNS and Azure Defender for Resource Manager released for General Availability (GA)

These two cloud-native breadth threat protection plans are now GA.

These new protections greatly enhance your resiliency against attacks from threat actors, and significantly increase the number of Azure resources protected by Azure Defender.

To simplify the process of enabling these plans, use the recommendations:

  • Azure Defender for Resource Manager should be enabled
  • Azure Defender for DNS should be enabled

Note

Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.

Azure Defender for open-source relational databases released for General Availability (GA)

Azure Security Center expands its offer for SQL protection with a new bundle to cover your open-source relational databases:

  • Azure Defender for Azure SQL database servers - defends your Azure-native SQL Servers
  • Azure Defender for SQL servers on machines - extends the same protections to your SQL servers in hybrid, multi-cloud, and on-premises environments
  • Azure Defender for open-source relational databases - defends your Azure Databases for MySQL, PostgreSQL, and MariaDB single servers

Azure Defender for open-source relational databases constantly monitors your servers for security threats and detects anomalous database activities indicating potential threats to Azure Database for MySQL, PostgreSQL, and MariaDB. Some examples are:

  • Granular detection of brute force attacks - Azure Defender for open-source relational databases provides detailed information on attempted and successful brute force attacks. This lets you investigate and respond with a more complete understanding of the nature and status of the attack on your environment.
  • Behavioral alerts detection - Azure Defender for open-source relational databases alerts you to suspicious and unexpected behaviors on your servers, such as changes in the access pattern to your database.
  • Threat intelligence-based detection - Azure Defender leverages Microsoft’s threat intelligence and vast knowledge base to surface threat alerts so you can act against them.

Learn more in Introduction to Azure Defender for open-source relational databases.

New alerts for Azure Defender for Resource Manager

To expand the threat protections provided by Azure Defender for Resource Manager, we've added the following alerts:

Alert: Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview) (ARM_AnomalousRBACRoleAssignment)
Description: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments performed by the same assigner / performed for the same assignee / in your tenant due to the following anomalies: assignment time, assigner location, assigner, authentication method, assigned entities, client software used, assignment extent. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.
MITRE tactics: Lateral Movement, Defense Evasion
Severity: Medium

Alert: Privileged custom role created for your subscription in a suspicious way (Preview) (ARM_PrivilegedRoleDefinitionCreation)
Description: Azure Defender for Resource Manager detected a suspicious creation of a privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.
MITRE tactics: Lateral Movement, Defense Evasion
Severity: Low

Alert: Azure Resource Manager operation from suspicious IP address (Preview) (ARM_OperationFromSuspiciousIP)
Description: Azure Defender for Resource Manager detected an operation from an IP address that has been marked as suspicious in threat intelligence feeds.
MITRE tactics: Execution
Severity: Medium

Alert: Azure Resource Manager operation from suspicious proxy IP address (Preview) (ARM_OperationFromSuspiciousProxyIP)
Description: Azure Defender for Resource Manager detected a resource management operation from an IP address that is associated with proxy services, such as TOR. While this behavior can be legitimate, it's often seen in malicious activities, when threat actors try to hide their source IP.
MITRE tactics: Defense Evasion
Severity: Medium


CI/CD vulnerability scanning of container images with GitHub workflows and Azure Defender (preview)

Azure Defender for container registries now provides DevSecOps teams observability into GitHub Action workflows.

The new vulnerability scanning feature for container images, utilizing Trivy, helps your developers scan for common vulnerabilities in their container images before pushing images to container registries.

Container scan reports are summarized in Azure Security Center, providing security teams better insight and understanding about the source of vulnerable container images and the workflows and repositories from where they originate.

Learn more in Identify vulnerable container images in your CI/CD workflows.

More Resource Graph queries available for some recommendations

All of Security Center's recommendations have the option to view the information about the status of affected resources using Azure Resource Graph via the Open query button. For full details about this powerful feature, see Review recommendation data in Azure Resource Graph Explorer (ARG).

Security Center includes built-in vulnerability scanners to scan your VMs, SQL servers and their hosts, and container registries for security vulnerabilities. The findings are returned as recommendations with all the individual findings for each resource type gathered into a single view. The recommendations are:

  • Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)
  • Vulnerabilities in your virtual machines should be remediated
  • SQL databases should have vulnerability findings resolved
  • SQL servers on machines should have vulnerability findings resolved

With this change, you can use the Open query button to also open the query showing the security findings.

The open query button now offers options for a deeper query showing the security findings for vulnerability scanner related recommendations.

The Open query button offers additional options for some other recommendations too where relevant.


SQL data classification recommendation severity changed

The severity of the recommendation Sensitive data in your SQL databases should be classified has been changed from High to Low.

This is part of the ongoing changes to this recommendation announced in Enhancements to recommendation to classify sensitive data in SQL databases.

New recommendations to enable trusted launch capabilities (in preview)

Azure offers trusted launch as a seamless way to improve the security of generation 2 VMs. Trusted launch protects against advanced and persistent attack techniques. Trusted launch is composed of several, coordinated infrastructure technologies that can be enabled independently. Each technology provides another layer of defense against sophisticated threats. Learn more in Trusted launch for Azure virtual machines.

Important

Trusted launch requires the creation of new virtual machines. You can't enable trusted launch on existing virtual machines that were initially created without it.

Trusted launch is currently in public preview. The preview is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

Security Center's recommendation, vTPM should be enabled on supported virtual machines, ensures your Azure VMs are using a vTPM. This virtualized version of a hardware Trusted Platform Module enables attestation by measuring the entire boot chain of your VM (UEFI, OS, system, and drivers).

With the vTPM enabled, the Guest Attestation extension can remotely validate the secure boot. The following recommendations ensure this extension is deployed:

  • Secure Boot should be enabled on supported Windows virtual machines
  • Guest Attestation extension should be installed on supported Windows virtual machines
  • Guest Attestation extension should be installed on supported Windows virtual machine scale sets
  • Guest Attestation extension should be installed on supported Linux virtual machines
  • Guest Attestation extension should be installed on supported Linux virtual machine scale sets

Learn more in Trusted launch for Azure virtual machines.

New recommendations for hardening Kubernetes clusters (in preview)

The following recommendations allow you to further harden your Kubernetes clusters:

  • Kubernetes clusters should not use the default namespace - To protect against unauthorized access for ConfigMap, Pod, Secret, Service, and ServiceAccount resource types, prevent usage of the default namespace in Kubernetes clusters.
  • Kubernetes clusters should disable automounting API credentials - To prevent a potentially compromised Pod resource from running API commands against Kubernetes clusters, disable automounting API credentials.
  • Kubernetes clusters should not grant CAPSYSADMIN security capabilities

Learn how Security Center can protect your containerized environments in Container security in Security Center.
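The three recommendations above each map to a concrete manifest setting. The audit below is an added example (not code from Security Center or its Kubernetes policy) that checks manifests for all three: objects landing in the default namespace (explicitly or because no namespace is set), Pods and ServiceAccounts that do not set automountServiceAccountToken to false, and containers that add the SYS_ADMIN capability (Kubernetes' spelling of CAP_SYS_ADMIN; the CAP_ prefixed form is also caught). A weak pod and its hardened counterpart are constructed inline; the "payments" namespace, image and workload names are placeholders.

```python
"""Audit Kubernetes manifests for three hardening recommendations: use of the
default namespace, automounted API credentials, and the SYS_ADMIN capability.

Added example; not code from Azure Security Center or its Kubernetes policy.
The manifests are constructed; the "payments" namespace, image names and
workload names are placeholders. Checks are plain dict lookups so the example
runs without a YAML library.
"""

# Namespaced resource types the default-namespace recommendation names.
NAMESPACED_KINDS = {"ConfigMap", "Pod", "Secret", "Service", "ServiceAccount"}

# Kubernetes lists the capability as SYS_ADMIN; the CAP_ prefixed spelling is
# accepted too so a manifest cannot dodge the check by using it.
SYS_ADMIN_SPELLINGS = {"SYS_ADMIN", "CAP_SYS_ADMIN"}

DEFAULT_NAMESPACE = "default-namespace"
AUTOMOUNT = "automount-api-credentials"
CAP_SYS_ADMIN = "cap-sys-admin"


def _containers(pod_spec: dict) -> list:
    return list(pod_spec.get("initContainers", [])) + list(pod_spec.get("containers", []))


def _uses_default_namespace(manifest: dict) -> bool:
    if manifest.get("kind") not in NAMESPACED_KINDS:
        return False
    # A missing namespace also lands the object in "default" when applied.
    return manifest.get("metadata", {}).get("namespace", "default") == "default"


def _automounts_credentials(manifest: dict) -> bool:
    kind = manifest.get("kind")
    if kind == "Pod":
        flag = manifest.get("spec", {}).get("automountServiceAccountToken")
    elif kind == "ServiceAccount":
        flag = manifest.get("automountServiceAccountToken")
    else:
        return False
    # Unset means "mount", so only an explicit False passes.
    return flag is not False


def _grants_sys_admin(manifest: dict) -> bool:
    if manifest.get("kind") != "Pod":
        return False
    for container in _containers(manifest.get("spec", {})):
        added = container.get("securityContext", {}).get("capabilities", {}).get("add") or []
        if any(str(cap).upper() in SYS_ADMIN_SPELLINGS for cap in added):
            return True
    return False


def audit_manifest(manifest: dict) -> list:
    """Return the finding codes that apply to one manifest (empty list = passes)."""
    findings = []
    if _uses_default_namespace(manifest):
        findings.append(DEFAULT_NAMESPACE)
    if _automounts_credentials(manifest):
        findings.append(AUTOMOUNT)
    if _grants_sys_admin(manifest):
        findings.append(CAP_SYS_ADMIN)
    return findings


def audit_all(manifests: list) -> dict:
    """Map "namespace/Kind/name" to findings for every manifest that has at least one."""
    report = {}
    for manifest in manifests:
        findings = audit_manifest(manifest)
        if findings:
            meta = manifest.get("metadata", {})
            key = f'{meta.get("namespace", "default")}/{manifest.get("kind")}/{meta.get("name")}'
            report[key] = findings
    return report


# Constructed: a pod that triggers all three recommendations.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "worker"},                 # no namespace -> "default"
    "spec": {                                       # automountServiceAccountToken unset
        "containers": [{"name": "app", "image": "placeholder/app:1.0",
                        "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE", "SYS_ADMIN"]}}}],
    },
}

# Constructed: the same workload with each setting corrected.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "worker", "namespace": "payments"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "placeholder/app:1.0",
                        "securityContext": {"capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]}}}],
    },
}

# Constructed: a service account left in the default namespace with automount on.
WEAK_SERVICE_ACCOUNT = {"apiVersion": "v1", "kind": "ServiceAccount",
                        "metadata": {"name": "worker-sa", "namespace": "default"}}

if __name__ == "__main__":
    for key, findings in audit_all([WEAK_POD, HARDENED_POD, WEAK_SERVICE_ACCOUNT]).items():
        print(key, "->", ", ".join(findings))
```

The automount check deliberately treats an unset field as a failure: the Kubernetes default is to mount the token, so only an explicit false on the Pod (or on the ServiceAccount it uses) satisfies the recommendation.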

Assessments API expanded with two new fields

We've added the following two fields to the Assessments REST API:

  • FirstEvaluationDate – The time that the recommendation was created and first evaluated. Returned as UTC time in ISO 8601 format.
  • StatusChangeDate – The time that the status of the recommendation last changed. Returned as UTC time in ISO 8601 format.

The initial default value for these fields - for all recommendations - is 2021-03-14T00:00:00+0000000Z.

To access this information, you can use any of the methods in the table below.

REST API call: GET https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/assessments?api-version=2019-01-01-preview&$expand=statusEvaluationDates
Azure Resource Graph:
    securityresources
    | where type == "microsoft.security/assessments"
Continuous export: The two dedicated fields will be available in the Log Analytics workspace data
CSV export: The two fields are included in the CSV files

Learn more about the Assessments REST API.
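The two fields are most useful for measuring how long a recommendation has been unhealthy, which the raw API response does not state directly. The script below is an added example, not code from the Security Center documentation or from Microsoft: it builds the GET URL quoted above, parses the ISO 8601 timestamps (including the seven-digit fractional seconds the API can return), treats the documented initial default value as "no real date yet", and lists recommendations that have been Unhealthy for at least a given number of days. The JSON response is constructed to resemble the API's shape; placing the two dates under properties.status is an assumption, and the assessment ids, display names and resource path are placeholders.

```python
"""Use the FirstEvaluationDate and StatusChangeDate fields that the Assessments
REST API returns with $expand=statusEvaluationDates to find recommendations
that have stayed Unhealthy for a long time.

Added example; not code from the Azure Security Center documentation. The
response is constructed to resemble the API's JSON (placing the two dates under
properties.status is an assumption); ids, names and the resource path are placeholders.
"""
import json
import re
from datetime import datetime, timezone

API_VERSION = "2019-01-01-preview"
# Initial default the documentation gives for both fields on every recommendation.
DEFAULT_EVALUATION_DATE = "2021-03-14T00:00:00+0000000Z"
# Fixed "now" so the sample gives stable results; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2021, 7, 1, tzinfo=timezone.utc)
_UTC_ISO = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,7}))?(?:Z|\+00:00)$")


def build_request_url(subscription_id: str) -> str:
    """The GET URL from the documentation, including the expansion that adds both fields."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/assessments"
            f"?api-version={API_VERSION}&$expand=statusEvaluationDates")


def parse_utc(value):
    """Parse the API's ISO 8601 UTC timestamp (up to 7 fractional digits).
    The documented default placeholder yields None so it is never mistaken for a real date."""
    if value is None or value == DEFAULT_EVALUATION_DATE:
        return None
    match = _UTC_ISO.match(value)
    if not match:
        raise ValueError(f"unsupported timestamp: {value!r}")
    year, month, day, hour, minute, second, fraction = match.groups()
    microsecond = int((fraction or "0").ljust(6, "0")[:6])
    return datetime(int(year), int(month), int(day), int(hour), int(minute),
                    int(second), microsecond, tzinfo=timezone.utc)


def load_assessments(raw_json: str) -> list:
    """Flatten the API response into records with parsed dates."""
    records = []
    for item in json.loads(raw_json)["value"]:
        props = item["properties"]
        status = props.get("status", {})
        records.append({"name": item["name"],
                        "display_name": props.get("displayName", ""),
                        "status": status.get("code"),
                        "first_evaluated": parse_utc(status.get("firstEvaluationDate")),
                        "status_changed": parse_utc(status.get("statusChangeDate"))})
    return records


def unhealthy_for(record: dict, now: datetime):
    """How long a recommendation has been Unhealthy; None if it is not Unhealthy
    or its StatusChangeDate is still the default placeholder."""
    if record["status"] != "Unhealthy" or record["status_changed"] is None:
        return None
    return now - record["status_changed"]


def stale_unhealthy(records: list, now: datetime, min_days: int) -> list:
    """Display names of recommendations that have been Unhealthy for at least min_days."""
    stale = []
    for record in records:
        age = unhealthy_for(record, now)
        if age is not None and age.days >= min_days:
            stale.append(record["display_name"])
    return stale


def unknown_change_date(records: list) -> list:
    """Unhealthy recommendations whose StatusChangeDate is still the default placeholder."""
    return [r["display_name"] for r in records
            if r["status"] == "Unhealthy" and r["status_changed"] is None]


_RESOURCE = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/rg-placeholder/providers/Microsoft.Compute/virtualMachines/vm-placeholder"


def _assessment(suffix, display_name, code, first, changed):
    """Build one constructed assessment item in the (assumed) API shape."""
    return {"id": f"{_RESOURCE}/providers/Microsoft.Security/assessments/{suffix}",
            "name": suffix,
            "properties": {"displayName": display_name,
                           "status": {"code": code, "firstEvaluationDate": first,
                                      "statusChangeDate": changed}}}


# Constructed sample response: three assessments on one placeholder VM.
SAMPLE_RESPONSE = json.dumps({"value": [
    _assessment("00000000-0000-0000-0000-000000000001", "Placeholder recommendation A",
                "Unhealthy", "2021-05-01T08:00:00Z", "2021-05-20T08:00:00Z"),
    _assessment("00000000-0000-0000-0000-000000000002", "Placeholder recommendation B",
                "Healthy", "2021-05-01T08:00:00.1234567Z", "2021-06-15T12:30:00Z"),
    _assessment("00000000-0000-0000-0000-000000000003", "Placeholder recommendation C",
                "Unhealthy", DEFAULT_EVALUATION_DATE, DEFAULT_EVALUATION_DATE),
]})

if __name__ == "__main__":
    records = load_assessments(SAMPLE_RESPONSE)
    print("Unhealthy for 30+ days:", stale_unhealthy(records, SAMPLE_NOW, 30))
    print("No usable StatusChangeDate:", unknown_change_date(records))
```

Keeping the default placeholder separate from real dates matters: a recommendation whose StatusChangeDate is still the initial value would otherwise look as if it had been unhealthy since March 2021, which is not something the API has actually observed.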

Asset inventory gets a cloud environment filter

Security Center's asset inventory page offers a number of filters to quickly refine the list of resources displayed. Learn more in Explore and manage your resources with asset inventory.

A new filter offers the option to refine the list according to the cloud accounts you've connected with Security Center's multi-cloud features:

Inventory's environment filter


April 2021


Refreshed resource health page (in preview)

Security Center's resource health has been expanded, enhanced, and improved to provide a snapshot view of the overall health of a single resource.

You can review detailed information about the resource and all recommendations that apply to that resource. Also, if you're using Azure Defender, you can see outstanding security alerts for that specific resource too.

To open the resource health page for a resource, select any resource from the asset inventory page.

This preview page in Security Center's portal pages shows:

  1. Resource information - The resource group and subscription it's attached to, the geographic location, and more.
  2. Applied security feature - Whether Azure Defender is enabled for the resource.
  3. Counts of outstanding recommendations and alerts - The number of outstanding security recommendations and Azure Defender alerts.
  4. Actionable recommendations and alerts - Two tabs list the recommendations and alerts that apply to the resource.

Azure Security Center's resource health page showing the health information for a virtual machine

Learn more in Tutorial: Investigate the health of your resources.

Container registry images that have been recently pulled are now rescanned weekly (released for General Availability (GA))

Azure Defender for container registries includes a built-in vulnerability scanner. This scanner immediately scans any image you push to your registry and any image pulled within the last 30 days.

New vulnerabilities are discovered every day. With this update, container images that were pulled from your registries during the last 30 days will be rescanned every week. This ensures that newly discovered vulnerabilities are identified in your images.

Scanning is charged on a per-image basis, so there's no additional charge for these rescans.

Learn more about this scanner in Use Azure Defender for container registries to scan your images for vulnerabilities.

Use Azure Defender for Kubernetes to protect hybrid and multi-cloud Kubernetes deployments (in preview)

Azure Defender for Kubernetes is expanding its threat protection capabilities to defend your clusters wherever they're deployed. This has been enabled by integrating with Azure Arc enabled Kubernetes and its new extension capabilities.

When you've enabled Azure Arc on your non-Azure Kubernetes clusters, a new recommendation from Azure Security Center offers to deploy the Azure Defender extension to them with only a few clicks.

Use the recommendation (Azure Arc enabled Kubernetes clusters should have Azure Defender's extension installed) and the extension to protect Kubernetes clusters deployed in other cloud providers, although not on their managed Kubernetes services.

This integration between Azure Security Center, Azure Defender, and Azure Arc enabled Kubernetes brings:

  • Easy provisioning of the Azure Defender extension to unprotected Azure Arc enabled Kubernetes clusters (manually and at-scale)
  • Monitoring of the Azure Defender extension and its provisioning state from the Azure Arc Portal
  • Security recommendations from Security Center are reported in the new Security page of the Azure Arc Portal
  • Identified security threats from Azure Defender are reported in the new Security page of the Azure Arc Portal
  • Azure Arc enabled Kubernetes clusters are integrated into the Azure Security Center platform and experience

Learn more in Use Azure Defender for Kubernetes with your on-premises and multi-cloud Kubernetes clusters.

Azure Security Center's recommendation for deploying the Azure Defender extension for Azure Arc enabled Kubernetes clusters.

Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 Virtual Desktop (WVD) released for General Availability (GA)

Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. It provides risk-based vulnerability management and assessment as well as endpoint detection and response (EDR). For a full list of the benefits of using Defender for Endpoint together with Azure Security Center, see Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

When you enable Azure Defender for servers on a Windows server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for servers and you have Windows 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

Support has now been expanded to include Windows Server 2019 and Windows Virtual Desktop (WVD).

Note

If you're enabling Defender for Endpoint on a Windows Server 2019 machine, ensure it meets the prerequisites described in Enable the Microsoft Defender for Endpoint integration.

Recommendations to enable Azure Defender for DNS and Resource Manager (in preview)

Two new recommendations have been added to simplify the process of enabling Azure Defender for Resource Manager and Azure Defender for DNS:

  • Azure Defender for Resource Manager should be enabled - Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity.
  • Azure Defender for DNS should be enabled - Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer.

Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center.

Tip

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.

Three regulatory compliance standards added: Azure CIS 1.3.0, CMMC Level 3, and New Zealand ISM Restricted

We've added three standards for use with Azure Security Center. Using the regulatory compliance dashboard, you can now track your compliance with:

  • Azure CIS 1.3.0
  • CMMC Level 3
  • New Zealand ISM Restricted

You can assign these to your subscriptions as described in Customize the set of standards in your regulatory compliance dashboard.

Three standards added for use with Azure Security Center's regulatory compliance dashboard.


Azure's Guest Configuration extension reports to Security Center to help ensure your virtual machines' in-guest settings are hardened. The extension isn't required for Arc enabled servers because it's included in the Arc Connected Machine agent. The extension requires a system-managed identity on the machine.

We've added four new recommendations to Security Center to make the most of this extension.

  • Two recommendations prompt you to install the extension and its required system-managed identity:

    • Guest Configuration extension should be installed on your machines
    • Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
  • When the extension is installed and running, it'll begin auditing your machines and you'll be prompted to harden settings such as configuration of the operating system and environment settings. These two recommendations will prompt you to harden your Windows and Linux machines as described:

    • Windows Defender Exploit Guard should be enabled on your machines
    • Authentication to Linux machines should require SSH keys

Learn more in Understand Azure Policy's Guest Configuration.

CMK recommendations moved to best practices security control

Every organization's security program includes data encryption requirements. By default, Azure customers' data is encrypted at rest with service-managed keys. However, customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs let you encrypt your data with an Azure Key Vault key created and owned by you. This gives you full control and responsibility for the key lifecycle, including rotation and management.

Azure Security Center's security controls are logical groups of related security recommendations, and reflect your vulnerable attack surfaces. Each control has a maximum number of points you can add to your secure score if you remediate all of the recommendations listed in the control, for all of your resources. The Implement security best practices security control is worth zero points. So recommendations in this control don't affect your secure score.

The recommendations listed below are being moved to the Implement security best practices security control to better reflect their optional nature. This move ensures that these recommendations are in the most appropriate control to meet their objective.

  • Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
  • Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
  • Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
  • Container registries should be encrypted with a customer-managed key (CMK)
  • SQL managed instances should use customer-managed keys to encrypt data at rest
  • SQL servers should use customer-managed keys to encrypt data at rest
  • Storage accounts should use customer-managed key (CMK) for encryption

Learn which recommendations are in each security control in Security controls and their recommendations.

11 Azure Defender alerts deprecated

The eleven Azure Defender alerts listed below have been deprecated.

  • New alerts will replace these two alerts and provide better coverage:

    ARM_MicroBurstDomainInfo: PREVIEW - MicroBurst toolkit "Get-AzureDomainInfo" function run detected
    ARM_MicroBurstRunbook: PREVIEW - MicroBurst toolkit "Get-AzurePasswords" function run detected
  • These nine alerts relate to an Azure Active Directory Identity Protection connector (IPC) that has already been deprecated:

    UnfamiliarLocation: Unfamiliar sign-in properties
    AnonymousLogin: Anonymous IP address
    InfectedDeviceLogin: Malware linked IP address
    ImpossibleTravel: Atypical travel
    MaliciousIP: Malicious IP address
    LeakedCredentials: Leaked credentials
    PasswordSpray: Password Spray
    LeakedCredentials: Azure AD threat intelligence
    AADAI: Azure AD AI

    Tip

    These nine IPC alerts were never Security Center alerts. They’re part of the Azure Active Directory (AAD) Identity Protection connector (IPC) that was sending them to Security Center. For the last two years, the only customers who’ve been seeing those alerts are organizations that configured the export (from the connector to ASC) in 2019 or earlier. AAD IPC has continued to show them in its own alert systems, and they’ve continued to be available in Azure Sentinel. The only change is that they’re no longer appearing in Security Center.

Two recommendations from "Apply system updates" security control were deprecated

The following two recommendations were deprecated and the changes might result in a slight impact on your secure score:

  • Your machines should be restarted to apply system updates
  • Monitoring agent should be installed on your machines - This recommendation relates to on-premises machines only, and some of its logic will be transferred to another recommendation, Log Analytics agent health issues should be resolved on your machines

We recommend checking your continuous export and workflow automation configurations to see whether these recommendations are included in them. Also, any dashboards or other monitoring tools that might be using them should be updated accordingly.

Learn more about these recommendations in the security recommendations reference page.

Azure Defender for SQL on machine tile removed from Azure Defender dashboard

The Azure Defender dashboard's coverage area includes tiles for the relevant Azure Defender plans for your environment. Due to an issue with the reporting of the numbers of protected and unprotected resources, we've decided to temporarily remove the resource coverage status for Azure Defender for SQL on machines until the issue is resolved.

21 recommendations moved between security controls

The following recommendations were moved to different security controls. Security controls are logical groups of related security recommendations, and reflect your vulnerable attack surfaces. This move ensures that each of these recommendations is in the most appropriate control to meet its objective.

Learn which recommendations are in each security control in Security controls and their recommendations.

Moving from Remediate vulnerabilities (worth 6 points) to Remediate security configurations (worth 4 points). Depending on your environment, these recommendations will have a reduced impact on your score:

  • Vulnerability assessment should be enabled on your SQL servers
  • Vulnerability assessment should be enabled on your SQL managed instances
  • Vulnerabilities on your SQL databases should be remediated (new)
  • Vulnerabilities on your SQL databases in VMs should be remediated

Moving to Implement security best practices. When a recommendation moves to the Implement security best practices security control, which is worth no points, the recommendation no longer affects your secure score:

  • There should be more than one owner assigned to your subscription
  • Automation account variables should be encrypted
  • IoT Devices - Auditd process stopped sending events
  • IoT Devices - Operating system baseline validation failure
  • IoT Devices - TLS cipher suite upgrade needed
  • IoT Devices - Open Ports On Device
  • IoT Devices - Permissive firewall policy in one of the chains was found
  • IoT Devices - Permissive firewall rule in the input chain was found
  • IoT Devices - Permissive firewall rule in the output chain was found
  • Diagnostic logs in IoT Hub should be enabled
  • IoT Devices - Agent sending underutilized messages
  • IoT Devices - Default IP Filter Policy should be Deny
  • IoT Devices - IP Filter rule large IP range
  • IoT Devices - Agent message intervals and size should be adjusted
  • IoT Devices - Identical Authentication Credentials
  • IoT Devices - Audited process stopped sending events
  • IoT Devices - Operating system (OS) baseline configuration should be fixed

March 2021

Updates in March include:

Azure Firewall management integrated into Security Center

When you open Azure Security Center, the first page to appear is the overview page.

This interactive dashboard provides a unified view into the security posture of your hybrid cloud workloads. Additionally, it shows security alerts, coverage information, and more.

As part of helping you view your security status from a central experience, we have integrated the Azure Firewall Manager into this dashboard. You can now check Firewall coverage status across all networks and centrally manage Azure Firewall policies starting from Security Center.

Learn more about this dashboard in Azure Security Center's overview page.

Security Center's overview dashboard with a tile for Azure Firewall

SQL vulnerability assessment now includes the "Disable rule" experience (preview)

Security Center includes a built-in vulnerability scanner to help you discover, track, and remediate potential database vulnerabilities. The results from your assessment scans provide an overview of your SQL machines' security state, and details of any security findings.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

Learn more in Disable specific findings.

Azure Monitor Workbooks integrated into Security Center and three templates provided

As part of Ignite Spring 2021, we announced an integrated Azure Monitor Workbooks experience in Security Center.

You can leverage the new integration to start using the out-of-the-box templates from Security Center’s gallery. By using workbook templates, you can access and build dynamic and visual reports to track your organization’s security posture. Additionally, you can create new workbooks based on Security Center data or any other supported data types and quickly deploy community workbooks from Security Center's GitHub community.

Three template reports are provided:

  • Secure Score Over Time - Track your subscriptions' scores and changes to recommendations for your resources
  • System Updates - View missing system updates by resources, OS, severity, and more
  • Vulnerability Assessment Findings - View the findings of vulnerability scans of your Azure resources

Learn about using these reports or building your own in Create rich, interactive reports of Security Center data.

Secure score over time report.

Regulatory compliance dashboard now includes Azure Audit reports (preview)

From the regulatory compliance dashboard's toolbar you can now download Azure and Dynamics certification reports.

Regulatory compliance dashboard's toolbar

You can select the tab for the relevant report types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need.

Learn more about Managing the standards in your regulatory compliance dashboard.

Filtering the list of available Azure Audit reports.

Recommendation data can be viewed in Azure Resource Graph with "Explore in ARG"

The recommendation details pages now include the "Explore in ARG" toolbar button. Use this button to open an Azure Resource Graph query and explore, export, and share the recommendation's data.

Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.

Learn more about Azure Resource Graph (ARG).

Explore recommendation data in Azure Resource Graph.
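As an added example (not from the original page, and not the query that the Explore in ARG button itself generates), the following Azure Resource Graph query lists every unhealthy recommendation across the subscriptions you can read, grouped per recommendation and ranked so High-severity findings with the most affected resources come first. The table and property names (securityresources, microsoft.security/assessments, properties.displayName, properties.status.code, properties.metadata.severity, properties.resourceDetails.Id) follow the published assessment schema; the explicit severity ranking is a choice made for this example.

```kusto
// Added example: unhealthy recommendations across all subscriptions you can read,
// grouped per recommendation and ranked for triage.
securityresources
| where type == "microsoft.security/assessments"
| extend assessmentKey = name,                                  // stable GUID; survives display-name changes
         recommendation = tostring(properties.displayName),
         severity = tostring(properties.metadata.severity),     // High | Medium | Low
         status = tostring(properties.status.code),             // Healthy | Unhealthy | NotApplicable
         resourceId = tolower(tostring(properties.resourceDetails.Id))
| where status == "Unhealthy"
// Alphabetical order would put Low before Medium; rank explicitly (choice made for this example).
| extend severityRank = case(severity == "High", 0, severity == "Medium", 1, 2)
| summarize affectedResources = dcount(resourceId)
    by subscriptionId, assessmentKey, recommendation, severity, severityRank
| order by severityRank asc, affectedResources desc
| project subscriptionId, assessmentKey, recommendation, severity, affectedResources
```

Recommendation display names change over time (several renames are recorded on this page) while the assessment key in the name field does not, so anything you automate on top of this data should filter or join on assessmentKey rather than on the recommendation text.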

Updates to the policies for deploying workflow automation

Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

We provide three Azure Policy DeployIfNotExists policies that create and configure workflow automation procedures so that you can deploy your automations across your organization:

  • Workflow automation for security alerts: Deploy Workflow Automation for Azure Security Center alerts (policy ID f1525828-9a90-4fcf-be48-268cdd02361e)
  • Workflow automation for security recommendations: Deploy Workflow Automation for Azure Security Center recommendations (policy ID 73d6ab6c-2475-4850-afd6-43795f3492ef)
  • Workflow automation for regulatory compliance changes: Deploy Workflow Automation for Azure Security Center regulatory compliance (policy ID 509122b9-ddd9-47ba-a5f1-d0dac20be63c)

There are two updates to the features of these policies:

  • Once assigned, they remain enabled through policy enforcement.
  • You can now customize these policies and update any of the parameters even after they have already been deployed. For example, if a user wants to add another assessment key, or edit an existing assessment key, they can do so.

Get started with workflow automation templates.

Learn more about how to Automate responses to Security Center triggers.

Two legacy recommendations no longer write data directly to Azure activity log

Security Center passes the data for almost all security recommendations to Azure Advisor which, in turn, writes it to Azure activity log.

For two recommendations, the data was also written directly to Azure activity log. With this change, Security Center stops writing data for these legacy security recommendations directly to activity log. Instead, we export the data to Azure Advisor as we do for all the other recommendations.

The two legacy recommendations are:

  • Endpoint protection health issues should be resolved on your machines
  • Vulnerabilities in security configuration on your machines should be remediated

If you've been accessing information for these two recommendations in activity log's "Recommendation of type TaskDiscovery" category, this is no longer available.

Recommendations page enhancements

We've released an improved version of the recommendations list to present more information at a glance.

Now on the page you'll see:

  1. The maximum score and current score for each security control.
  2. Icons replacing tags such as Fix and Preview.
  3. A new column showing the Policy initiative related to each recommendation - visible when "Group by controls" is disabled.

Enhancements to Azure Security Center's recommendations page - March 2021

Enhancements to Azure Security Center's recommendations 'flat' list - March 2021

Learn more in Security recommendations in Azure Security Center.

February 2021

Updates in February include:

New security alerts page in the Azure portal released for General Availability (GA)

Azure Security Center's security alerts page has been redesigned to provide:

  • Improved triage experience for alerts - to reduce alert fatigue and make it easier to focus on the most relevant threats, the list includes customizable filters and grouping options.
  • More information in the alerts list - such as MITRE ATT&CK tactics.
  • Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans.
  • Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other.
  • Better performance for large alerts lists.
  • Keyboard navigation through the alert list.
  • Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.
  • Create sample alerts feature - To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.

Azure Security Center's security alerts list
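As an added example that isn't part of the original page, this Azure Resource Graph query pulls the active High- and Medium-severity alerts together with the MITRE ATT&CK tactics the new alerts page surfaces, which is the shape you'd feed a custom dashboard or a SIEM hand-off. The resource type microsoft.security/locations/alerts is the documented one; the PascalCase property names (AlertDisplayName, AlertType, Severity, Status, Intent, CompromisedEntity, StartTimeUtc) follow the Security Center alert schema as published to ARG, so confirm them against a live result in your tenant before relying on them.

```kusto
// Added example: active Azure Defender alerts for a dashboard or SIEM hand-off, newest first.
securityresources
| where type == "microsoft.security/locations/alerts"
| extend alertName = tostring(properties.AlertDisplayName),
         alertType = tostring(properties.AlertType),
         severity = tostring(properties.Severity),              // High | Medium | Low | Informational
         status = tostring(properties.Status),                  // Active | Dismissed | Resolved
         tactics = tostring(properties.Intent),                 // MITRE ATT&CK tactic(s) assigned to the alert
         compromisedEntity = tostring(properties.CompromisedEntity),
         startTime = todatetime(properties.StartTimeUtc)
| where status == "Active" and severity in ("High", "Medium")
| project subscriptionId, startTime, severity, alertName, alertType, tactics, compromisedEntity
| order by startTime desc
```

To reproduce the tactic breakdown shown in the alerts list, replace the final project and order by with a summarize count() by tactics; to bound the window, add a comparison on startTime against a datetime you pass in.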

Kubernetes workload protection recommendations released for General Availability (GA)

We're happy to announce the General Availability (GA) of the set of recommendations for Kubernetes workload protections.

To ensure that Kubernetes workloads are secure by default, Security Center has added Kubernetes level hardening recommendations, including enforcement options with Kubernetes admission control.

When the Azure Policy add-on for Kubernetes is installed on your Azure Kubernetes Service (AKS) cluster, every request to the Kubernetes API server is evaluated against the predefined set of best practices, displayed as 13 security recommendations, before being persisted to the cluster. You can then configure enforcement of these best practices to mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.

Learn more in Workload protection best-practices using Kubernetes admission control.

Note

While the recommendations were in preview, they didn't render an AKS cluster resource unhealthy and weren't included in your secure score calculations. With this GA announcement, they are included in the score calculation. If you haven't remediated them already, this might result in a slight impact on your secure score. Remediate them wherever possible as described in Remediate recommendations in Azure Security Center.

Microsoft Defender for Endpoint integration with Azure Defender now supports Windows Server 2019 and Windows 10 Virtual Desktop (WVD) (in preview)

Microsoft Defender for Endpoint is a holistic, cloud delivered endpoint security solution. It provides risk-based vulnerability management and assessment as well as endpoint detection and response (EDR). For a full list of the benefits of using Defender for Endpoint together with Azure Security Center, see Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

When you enable Azure Defender for servers on a Windows server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for servers and you have Windows Server 2019 machines in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

Support has now been expanded to include Windows Server 2019 and Windows Virtual Desktop (WVD).

Note

If you're enabling Defender for Endpoint on a Windows Server 2019 machine, ensure it meets the prerequisites described in Enable the Microsoft Defender for Endpoint integration.

Direct link to policy from recommendation details page

When you're reviewing the details of a recommendation, it's often helpful to be able to see the underlying policy. For every recommendation supported by a policy, there's a new link from the recommendation details page:

Link to Azure Policy page for the specific policy supporting a recommendation.

Use this link to view the policy definition and review the evaluation logic.

If you're reviewing the list of recommendations on our Security recommendations reference guide, you'll also see links to the policy definition pages:

Accessing the Azure Policy page for a specific policy directly from the Azure Security Center recommendations reference page.

SQL data classification recommendation no longer affects your secure score

The recommendation Sensitive data in your SQL databases should be classified no longer affects your secure score. This is the only recommendation in the Apply data classification security control, so that control now has a secure score value of 0.

For a full list of all security controls in Security Center, together with their scores and a list of the recommendations in each, see Security controls and their recommendations.

Workflow automations can be triggered by changes to regulatory compliance assessments (in preview)

We've added a third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments.

Learn how to use the workflow automation tools in Automate responses to Security Center triggers.

Using changes to regulatory compliance assessments to trigger a workflow automation.

Asset inventory page enhancements

Security Center's asset inventory page has been improved in the following ways:

  • Summaries at the top of the page now include Unregistered subscriptions, showing the number of subscriptions without Security Center enabled.

    Count of unregistered subscriptions in the summaries at the top of the asset inventory page.

  • Filters have been expanded and enhanced to include:

    • Counts - Each filter presents the number of resources that meet the criteria of each category

      Counts in the filters in the asset inventory page of Azure Security Center.

    • Contains exemptions filter (Optional) - narrow the results to resources that do or don't have exemptions. This filter isn't shown by default, but is accessible from the Add filter button.

      Adding the filter 'contains exemption' in Azure Security Center's asset inventory page

Learn more about how to Explore and manage your resources with asset inventory.