What's new in Azure Security Center?

Security Center is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.

This page is updated frequently, so revisit it often.

To learn about planned changes that are coming soon to Security Center, see Important upcoming changes to Azure Security Center.

Tip

If you're looking for items older than six months, you'll find them in the Archive for What's new in Azure Security Center.

January 2021

Updates in January include:

Azure Security Benchmark is now the default policy initiative for Azure Security Center

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.

In recent months, Security Center's list of built-in security recommendations has grown significantly to expand our coverage of this benchmark.

From this release, the benchmark is the foundation for Security Center’s recommendations and fully integrated as the default policy initiative.

All Azure services have a security baseline page in their documentation. For example, this is Security Center's baseline. These baselines are built on Azure Security Benchmark.

If you're using Security Center's regulatory compliance dashboard, you'll see two instances of the benchmark during a transition period:

Azure Security Center's regulatory compliance dashboard showing the Azure Security Benchmark

Existing recommendations are unaffected, and as the benchmark grows, changes will automatically be reflected within Security Center.

To learn more, see the following pages:

Vulnerability assessment for on-premise and multi-cloud machines is released for General Availability (GA)

In October, we announced a preview for scanning Azure Arc enabled servers with Azure Defender for servers' integrated vulnerability assessment scanner (powered by Qualys).

It's now released for General Availability (GA).

When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the integrated vulnerability scanner on them - manually and at-scale.

With this update, you can use Azure Defender for servers to consolidate your vulnerability management program across all of your Azure and non-Azure assets.

Main capabilities:

  • Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines
  • Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)
  • Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)
  • Unified experience for Azure VMs and Azure Arc machines

Learn more about deploying the integrated vulnerability scanner to your hybrid machines.

Learn more about Azure Arc enabled servers.

Secure score for management groups is now available in preview

The secure score page now shows the aggregated secure scores for your management groups in addition to the subscription level. So now you can see the list of management groups in your organization and the score for each management group.

Viewing the secure scores for your management groups.

Learn more about secure score and security controls in Azure Security Center.

Secure score API is released for General Availability (GA)

You can now access your score via the secure score API. The API methods provide the flexibility to query the data and build your own reporting mechanism of your secure scores over time. For example, you can use the Secure Scores API to get the score for a specific subscription. In addition, you can use the Secure Score Controls API to list the security controls and the current score of your subscriptions.
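As an added example (not Microsoft's code and not part of the original page), the following script shows one "build your own reporting" use of the secure score API: it constructs the secureScores and secureScoreControls request URLs (Microsoft.Security provider, api-version 2020-01-01) and ranks security controls by the points still unrealized, tie-breaking on the fewest unhealthy resources so the cheapest wins surface first. The controls response is constructed in the API's shape so the ranking runs offline; the `token` parameter is assumed to be a bearer token for an identity with at least Security Reader on the subscription.

```python
"""Added example (not Microsoft's code): rank secure score controls by unrealized points.
Request URLs follow the Microsoft.Security secureScores / secureScoreControls REST API
(api-version 2020-01-01). SAMPLE_CONTROLS is a constructed response in that API's shape."""
import json
import urllib.request
from typing import Dict, List

API_VERSION = "2020-01-01"
ARM = "https://management.azure.com"


def secure_score_url(subscription_id: str) -> str:
    """Overall score for one subscription (the 'ascScore' secure score)."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/secureScores/ascScore?api-version={API_VERSION}")


def controls_url(subscription_id: str) -> str:
    """Per-control breakdown of that score."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/Microsoft.Security"
            f"/secureScores/ascScore/secureScoreControls?api-version={API_VERSION}")


def fetch(url: str, token: str) -> dict:
    """Live call; only used when running against a real subscription (token assumed valid)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def rank_controls(controls_response: dict) -> List[Dict]:
    """Sort controls by missing points (max - current), descending.
    Ties are broken by fewest unhealthy resources: the least remediation work per point."""
    rows = []
    for control in controls_response["value"]:
        props = control["properties"]
        current, maximum = props["score"]["current"], props["score"]["max"]
        rows.append({
            "control": props["displayName"],
            "current": current,
            "max": maximum,
            "missing": maximum - current,
            "unhealthy": props["unhealthyResourceCount"],
        })
    return sorted(rows, key=lambda r: (-r["missing"], r["unhealthy"]))


# Constructed response (three controls) in the shape of secureScoreControls.
SAMPLE_CONTROLS = {"value": [
    {"properties": {"displayName": "Enable MFA",
                    "score": {"current": 0, "max": 10}, "unhealthyResourceCount": 1}},
    {"properties": {"displayName": "Secure management ports",
                    "score": {"current": 4, "max": 8}, "unhealthyResourceCount": 12}},
    {"properties": {"displayName": "Remediate vulnerabilities",
                    "score": {"current": 2, "max": 6}, "unhealthyResourceCount": 3}},
]}

if __name__ == "__main__":
    # Offline: rank the constructed data. Live: rank_controls(fetch(controls_url(sub), token)).
    for row in rank_controls(SAMPLE_CONTROLS):
        print(f'{row["control"]:<28} {row["current"]}/{row["max"]}  missing={row["missing"]}  unhealthy={row["unhealthy"]}')
```

To track the score over time, run the overall query on a schedule and store `properties.score.current` and `properties.score.max` with a timestamp; a percentage alone hides changes to the maximum as new recommendations leave preview.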

For examples of external tools made possible with the secure score API, see the secure score area of our GitHub community.

Learn more about secure score and security controls in Azure Security Center.

Dangling DNS protections added to Azure Defender for App Service

Subdomain takeovers are a common, high-severity threat for organizations. A subdomain takeover can occur when you have a DNS record that points to a web site that has since been deprovisioned: your record still resolves the name, but the hostname it points at is free for anyone, including an attacker, to register. Such DNS records are known as "dangling DNS" entries. CNAME records are especially exposed, because their target is a hostname owned by the service provider rather than an IP address you control.

Subdomain takeovers enable threat actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.

Azure Defender for App Service now detects dangling DNS entries when an App Service website is decommissioned. At that moment the DNS entry points at a non-existent resource and your website is vulnerable to a subdomain takeover. These protections are available whether your domains are managed with Azure DNS or an external domain registrar, and they apply to both App Service on Windows and App Service on Linux.
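The check described above, as an added example that is not Security Center's code and not part of the original page: walk a zone's records, keep the CNAMEs whose target is an Azure default hostname that another tenant could claim, and flag any whose target no longer resolves. The zone records are constructed; the suffix list is an assumption and should be kept in step with the Azure services you actually use. The resolver is injectable so the detection logic runs offline here and against live DNS in production.

```python
"""Added example (not Security Center's code): flag dangling CNAME records, i.e. CNAMEs
that point at a takeover-prone Azure hostname which no longer resolves.
SAMPLE_ZONE is constructed; TAKEOVER_PRONE_SUFFIXES is an assumption of this example."""
import socket
from typing import Callable, Iterable, List, Tuple

# Default-domain suffixes where a deleted resource's hostname becomes claimable by
# anyone. App Service (*.azurewebsites.net) is the case this page discusses.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",      # App Service, Windows and Linux
    ".cloudapp.azure.com",     # public IP DNS labels
    ".trafficmanager.net",
    ".azureedge.net",
    ".blob.core.windows.net",
)

# Constructed zone export: (record name, record type, value)
SAMPLE_ZONE = [
    ("www.contoso.example",      "A",     "203.0.113.10"),
    ("shop.contoso.example",     "CNAME", "contoso-shop.azurewebsites.net"),
    ("old-blog.contoso.example", "CNAME", "contoso-blog-2018.azurewebsites.net."),
    ("cdn.contoso.example",      "CNAME", "contoso-cdn.azureedge.net"),
    ("mail.contoso.example",     "MX",    "10 mail.contoso.example"),
]


def resolves(hostname: str) -> bool:
    """Live check: a target that no longer resolves is the signal that the Azure
    resource behind it was deleted and its name is now free to register."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(zone: Iterable[Tuple[str, str, str]],
                         resolver: Callable[[str], bool] = resolves) -> List[Tuple[str, str]]:
    """Return (record name, target) for CNAMEs on takeover-prone suffixes whose target
    does not resolve. Trailing dots are normalised so zone-file exports work unchanged."""
    dangling = []
    for name, rtype, value in zone:
        if rtype != "CNAME":
            continue
        target = value.rstrip(".").lower()
        if not target.endswith(TAKEOVER_PRONE_SUFFIXES):
            continue
        if not resolver(target):
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    # Offline demo: pretend only these two targets still exist.
    live = {"contoso-shop.azurewebsites.net", "contoso-cdn.azureedge.net"}
    for name, target in find_dangling_cnames(SAMPLE_ZONE, resolver=lambda h: h in live):
        print(f"DANGLING: {name} -> {target}  (delete the record or re-create the target)")
```

A target that does resolve is not proof of safety: if an attacker has already registered the freed hostname, it resolves to their resource. Cross-check flagged and unflagged targets against your own inventory (Security Center's asset inventory, for Azure resources) rather than relying on resolution alone.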

Learn more:

Multi-cloud connectors are released for General Availability (GA)

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Azure Security Center protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Connecting your AWS or GCP accounts integrates their native security tools like AWS Security Hub and GCP Security Command Center into Azure Security Center.

This capability means that Security Center provides visibility and protection across all major cloud environments. Some of the benefits of this integration:

  • Automatic agent provisioning - Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances
  • Policy management
  • Vulnerability management
  • Embedded Endpoint Detection and Response (EDR)
  • Detection of security misconfigurations
  • A single view showing security recommendations from all cloud providers
  • Incorporate all of your resources into Security Center's secure score calculations
  • Regulatory compliance assessments of your AWS and GCP resources

From Security Center's menu, select Multi cloud connectors and you'll see the options for creating new connectors:

Add AWS account button on Security Center's multi cloud connectors page

Learn more in:

Exempt entire recommendations from your secure score for subscriptions and management groups

We're expanding the exemption capability to include entire recommendations, giving you further options to fine-tune the security recommendations that Security Center makes for your subscriptions, management groups, or resources.

Occasionally, a resource will be listed as unhealthy when you know the issue has been resolved by a third-party tool which Security Center hasn't detected. Or a recommendation will show in a scope where you feel it doesn't belong. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has simply decided to accept the risks related to the specific resource or recommendation.

With this preview feature, you can now create an exemption for a recommendation to:

  • Exempt a resource to ensure it isn't listed with the unhealthy resources in the future, and doesn't impact your secure score. The resource will be listed as not applicable and the reason will be shown as "exempted" with the specific justification you select.

  • Exempt a subscription or management group to ensure that the recommendation doesn't impact your secure score and won't be shown for the subscription or management group in the future. This relates to existing resources and any you create in the future. The recommendation will be marked with the specific justification you select for the scope that you selected.

Learn more in Exempting resources and recommendations from your secure score.

Users can now request tenant-wide visibility from their global administrator

If a user doesn't have permissions to see Security Center data, they'll now see a link to request permissions from their organization's global administrator. The request includes the role they'd like and the justification for why it's necessary.

Banner informing a user they can request tenant-wide permissions.

Learn more in Request tenant-wide permissions when yours are insufficient.

35 preview recommendations added to increase coverage of Azure Security Benchmark

Azure Security Benchmark is the default policy initiative in Azure Security Center.

To increase the coverage of this benchmark, the following 35 preview recommendations have been added to Security Center.

Tip

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.

Security control: Enable encryption at rest
  • Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest
  • Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)
  • Bring your own key data protection should be enabled for MySQL servers
  • Bring your own key data protection should be enabled for PostgreSQL servers
  • Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)
  • Container registries should be encrypted with a customer-managed key (CMK)
  • SQL managed instances should use customer-managed keys to encrypt data at rest
  • SQL servers should use customer-managed keys to encrypt data at rest
  • Storage accounts should use customer-managed key (CMK) for encryption

Security control: Implement security best practices
  • Subscriptions should have a contact email address for security issues
  • Auto provisioning of the Log Analytics agent should be enabled on your subscription
  • Email notification for high severity alerts should be enabled
  • Email notification to subscription owner for high severity alerts should be enabled
  • Key vaults should have purge protection enabled
  • Key vaults should have soft delete enabled

Security control: Manage access and permissions
  • Function apps should have 'Client Certificates (Incoming client certificates)' enabled

Security control: Protect applications against DDoS attacks
  • Web Application Firewall (WAF) should be enabled for Application Gateway
  • Web Application Firewall (WAF) should be enabled for Azure Front Door Service

Security control: Restrict unauthorized network access
  • Firewall should be enabled on Key Vault
  • Private endpoint should be configured for Key Vault
  • App Configuration should use private link
  • Azure Cache for Redis should reside within a virtual network
  • Azure Event Grid domains should use private link
  • Azure Event Grid topics should use private link
  • Azure Machine Learning workspaces should use private link
  • Azure SignalR Service should use private link
  • Azure Spring Cloud should use network injection
  • Container registries should not allow unrestricted network access
  • Container registries should use private link
  • Public network access should be disabled for MariaDB servers
  • Public network access should be disabled for MySQL servers
  • Public network access should be disabled for PostgreSQL servers
  • Storage account should use a private link connection
  • Storage accounts should restrict network access using virtual network rules
  • VM Image Builder templates should use private link

Related links:

CSV export of filtered list of recommendations

In November 2020, we added filters to the recommendations page (Recommendations list now includes filters). In December, we expanded those filters (Recommendations page has new filters for environment, severity, and available responses).

With this announcement, we're changing the behavior of the Download to CSV button so that the CSV export only includes the recommendations currently displayed in the filtered list.

For example, in the image below you can see that the list has been filtered to two recommendations. The CSV file that is generated includes the status details for every resource affected by those two recommendations.

Exporting filtered recommendations to a CSV file

Learn more in Security recommendations in Azure Security Center.

"Not applicable" resources now reported as "Compliant" in Azure Policy assessments

Previously, resources that were evaluated for a recommendation and found to be not applicable appeared in Azure Policy as "Non-compliant". No user actions could change their state to "Compliant". With this change, they're reported as "Compliant" for improved clarity.

The only impact will be seen in Azure Policy where the number of compliant resources will increase. There will be no impact to your secure score in Azure Security Center.

Export weekly snapshots of secure score and regulatory compliance data with continuous export (preview)

We've added a new preview feature to the continuous export tools for exporting weekly snapshots of secure score and regulatory compliance data.

When you define a continuous export, set the export frequency:

Choosing the frequency of your continuous export

  • Streaming – assessments will be sent in real-time when a resource’s health state is updated (if no updates occur, no data will be sent).
  • Snapshots – a snapshot of the current state of all regulatory compliance assessments will be sent every week (this is a preview feature for weekly snapshots of secure scores and regulatory compliance data).

Learn more about the full capabilities of this feature in Continuously export Security Center data.

December 2020

Updates in December include:

Azure Defender for SQL servers on machines is generally available

Azure Security Center offers two Azure Defender plans for SQL Servers:

  • Azure Defender for Azure SQL database servers - defends your Azure-native SQL Servers
  • Azure Defender for SQL servers on machines - extends the same protections to your SQL servers in hybrid, multicloud, and on-premises environments

With this announcement, Azure Defender for SQL now protects your databases and their data wherever they're located.

Azure Defender for SQL includes vulnerability assessment capabilities. The vulnerability assessment tool includes the following advanced features:

  • Baseline configuration (New!) to intelligently refine the results of vulnerability scans to those that might represent real security issues. After you've established your baseline security state, the vulnerability assessment tool only reports deviations from that baseline state. Results that match the baseline are considered as passing subsequent scans. This lets you and your analysts focus your attention where it matters.
  • Detailed benchmark information to help you understand the discovered findings, and why they relate to your resources.
  • Remediation scripts to help you mitigate identified risks.

Learn more about Azure Defender for SQL.

Azure Defender for SQL support for Azure Synapse Analytics dedicated SQL pool is generally available

Azure Synapse Analytics (formerly SQL DW) is an analytics service that combines enterprise data warehousing and big data analytics. Dedicated SQL pools are the enterprise data warehousing features of Azure Synapse. Learn more in What is Azure Synapse Analytics (formerly SQL DW)?.

Azure Defender for SQL protects your dedicated SQL pools with:

  • Advanced threat protection to detect threats and attacks
  • Vulnerability assessment capabilities to identify and remediate security misconfigurations

Azure Defender for SQL's support for Azure Synapse Analytics SQL pools is automatically added to the Azure SQL databases bundle in Azure Security Center. You'll find a new “Azure Defender for SQL” tab in your Synapse workspace page in the Azure portal.

Learn more about Azure Defender for SQL.

Global Administrators can now grant themselves tenant-level permissions

A user with the Azure Active Directory role of Global Administrator might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Azure Security Center.

To assign yourself tenant-level permissions, follow the instructions in Grant tenant-wide permissions to yourself.

Two new Azure Defender plans: Azure Defender for DNS and Azure Defender for Resource Manager (in preview)

We've added two new cloud-native breadth threat protection capabilities for your Azure environment.

These new protections greatly enhance your resiliency against attacks from threat actors, and significantly increase the number of Azure resources protected by Azure Defender.

New security alerts page in the Azure portal (preview)

Azure Security Center's security alerts page has been redesigned to provide:

  • Improved triage experience for alerts - the list includes customizable filters and grouping options, to reduce alert fatigue and make it easier to focus on the most relevant threats
  • More information in the alerts list - such as MITRE ATT&CK tactics
  • Button to create sample alerts - to evaluate Azure Defender capabilities and test your alerts configuration (for SIEM integration, email notifications, and workflow automations), you can create sample alerts from all Azure Defender plans
  • Alignment with Azure Sentinel's incident experience - for customers who use both products, switching between them is now a more straightforward experience and it's easy to learn one from the other
  • Better performance for large alerts lists
  • Keyboard navigation through the alert list
  • Alerts from Azure Resource Graph - you can query alerts in Azure Resource Graph, the Kusto-like API for all of your resources. This is also useful if you're building your own alerts dashboards. Learn more about Azure Resource Graph.

To access the new experience, use the 'try it now' link from the banner at the top of the security alerts page.

Banner with link to the new preview alerts experience

To create sample alerts from the new alerts experience, see Generate sample Azure Defender alerts.

Revitalized Security Center experience in Azure SQL Database & SQL Managed Instance

The Security Center experience within SQL provides access to the following Security Center and Azure Defender for SQL features:

  • Security recommendations – Security Center periodically analyzes the security state of all connected Azure resources to identify potential security misconfigurations. It then provides recommendations on how to remediate those vulnerabilities and improve organizations’ security posture.
  • Security alerts – a detection service that continuously monitors Azure SQL activities for threats such as SQL injection, brute-force attacks, and privilege abuse. This service triggers detailed and action-oriented security alerts in Security Center and provides options for continuing investigations with Azure Sentinel, Microsoft’s Azure-native SIEM solution.
  • Findings – a vulnerability assessment service that continuously monitors Azure SQL configurations and helps remediate vulnerabilities. Assessment scans provide an overview of Azure SQL security states together with detailed security findings.

Azure Security Center's security features for SQL are available from within Azure SQL

Asset inventory tools and filters updated

The inventory page in Azure Security Center has been refreshed with the following changes:

  • Guides and feedback added to the toolbar. This opens a pane with links to related information and tools.

  • Subscriptions filter added to the default filters available for your resources.

  • Open query link for opening the current filter options as an Azure Resource Graph query (formerly called "View in resource graph explorer").

  • Operator options for each filter. Now you can choose from additional logical operators other than '='. For example, you might want to find all resources with active recommendations whose titles include the string 'encrypt'.

    Controls for the operator option in asset inventory's filters

Learn more about inventory in Explore and manage your resources with asset inventory.

Recommendation about web apps requesting SSL certificates no longer part of secure score

The recommendation "Web apps should request an SSL certificate for all incoming requests" has been moved from the security control Manage access and permissions (worth a maximum of 4 pts) into Implement security best practices (which is worth no points).

Requiring a client certificate does make a web app more secure, but the setting is only meaningful once HTTPS is enforced. A client certificate is presented during the TLS handshake, so a request that arrives over plain HTTP carries none; for a public-facing web app that still accepts HTTP, the recommendation on its own achieves nothing. If your application requires client certificates, do not allow requests to it over HTTP (enable HTTPS Only). Learn more in Configure TLS mutual authentication for Azure App Service.
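As an added example (not from the page and not App Service's own code), the handler below shows why the HTTP/HTTPS point matters in application code. App Service forwards a required client certificate to the app as base64-encoded DER in the X-ARR-ClientCert header and the original scheme in X-Forwarded-Proto; the app must refuse plain HTTP before it even looks for a certificate, then pin the certificate it does receive. The certificate bytes are a constructed stand-in for a real DER certificate, and matching only the SHA-1 thumbprint against an allow-list is an assumption of this example (chain and expiry validation are left to App Service or a TLS library).

```python
"""Added example (not Azure App Service code): consume a forwarded client certificate.
App Service sets X-ARR-ClientCert (base64 DER) and X-Forwarded-Proto on the request it
proxies to the app. FAKE_DER is a constructed stand-in for real certificate bytes."""
import base64
import hashlib
from typing import Mapping, Set, Tuple


def thumbprint(der_cert: bytes) -> str:
    """Thumbprint as the Azure portal shows it: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def cert_header(der_cert: bytes) -> str:
    """What App Service puts in X-ARR-ClientCert: base64 of the DER certificate."""
    return base64.b64encode(der_cert).decode("ascii")


def authorize(headers: Mapping[str, str], allowed_thumbprints: Set[str]) -> Tuple[int, str]:
    """Return (HTTP status, reason). Order matters: refuse HTTP first, because no TLS
    handshake happened and so no certificate could have been presented; then require a
    certificate; then pin it to the allow-list (assumption: thumbprint pinning suffices)."""
    if headers.get("X-Forwarded-Proto", "").lower() != "https":
        return 403, "plain HTTP: no TLS handshake, so no client certificate was possible"
    raw = headers.get("X-ARR-ClientCert")
    if not raw:
        return 401, "HTTPS but no client certificate presented"
    try:
        der = base64.b64decode(raw, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return 400, "malformed X-ARR-ClientCert header"
    if thumbprint(der) not in allowed_thumbprints:
        return 403, "client certificate not on the allow-list"
    return 200, "ok"


# Constructed input: stands in for a DER-encoded client certificate.
FAKE_DER = b"constructed-stand-in-for-a-DER-encoded-client-certificate"
ALLOWED = {thumbprint(FAKE_DER)}

if __name__ == "__main__":
    over_http = {"X-Forwarded-Proto": "http", "X-ARR-ClientCert": cert_header(FAKE_DER)}
    over_https = {"X-Forwarded-Proto": "https", "X-ARR-ClientCert": cert_header(FAKE_DER)}
    print(authorize(over_http, ALLOWED))    # rejected: the cert header cannot be trusted over HTTP
    print(authorize(over_https, ALLOWED))   # (200, 'ok')
```

The first branch is the one the recommendation's move is about: with HTTPS Only off, the app can be reached over HTTP and the certificate requirement is simply never exercised.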

With this change, the recommendation is now a recommended best practice that does not impact your score.

Learn which recommendations are in each security control in Security controls and their recommendations.

Recommendations page has new filters for environment, severity, and available responses

Azure Security Center monitors all connected resources and generates security recommendations. Use these recommendations to strengthen your hybrid cloud posture and track compliance with the policies and standards relevant to your organization, industry, and country.

As Security Center continues to expand its coverage and features, the list of security recommendations is growing every month. For example, see 29 preview recommendations added to increase coverage of Azure Security Benchmark.

With the growing list, there's a need to be able to filter to the recommendations of greatest interest. In November, we added filters to the recommendations page (see Recommendations list now includes filters).

The filters added this month provide options to refine the recommendations list according to:

  • Environment - View recommendations for your AWS, GCP, or Azure resources (or any combination)

  • Severity - View recommendations according to the severity classification set by Security Center

  • Response actions - View recommendations according to the availability of Security Center response options: Quick fix, Deny, and Enforce

    Tip

    The response actions filter replaces the Quick fix available (Yes/No) filter.

    Learn more about each of these response options:

Recommendations grouped by security control

Continuous export gets new data types and improved deployifnotexist policies

Azure Security Center's continuous export tools enable you to export Security Center's recommendations and alerts for use with other monitoring tools in your environment.

Continuous export lets you fully customize what will be exported, and where it will go. For full details, see Continuously export Security Center data.

These tools have been enhanced and expanded in the following ways:

  • Continuous export's deployifnotexist policies enhanced. The policies now:

    • Check whether the configuration is enabled. If it isn't, the policy will show as non-compliant and a remediation task can create the missing export configuration. Learn more about the supplied Azure Policy templates in the "Deploy at scale with Azure Policy tab" in Set up a continuous export.

    • Support exporting security findings. When using the Azure Policy templates, you can configure your continuous export to include findings. This is relevant when exporting recommendations that have 'sub' recommendations, like findings from vulnerability assessment scanners or specific system updates for the 'parent' recommendation "System updates should be installed on your machines".

    • Support exporting secure score data.

  • Regulatory compliance assessment data added (in preview). You can now continuously export updates to regulatory compliance assessments, including for any custom initiatives, to a Log Analytics workspace or Event Hub. This feature is unavailable on national/sovereign clouds.

    The options for including regulatory compliant assessment information with your continuous export data.

November 2020

Updates in November include:

29 preview recommendations added to increase coverage of Azure Security Benchmark

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. Learn more about Azure Security Benchmark.

The following 29 preview recommendations have been added to Security Center to increase the coverage of this benchmark.

Preview recommendations don't render a resource unhealthy, and they aren't included in the calculations of your secure score. Remediate them wherever possible, so that when the preview period ends they'll contribute towards your score. Learn more about how to respond to these recommendations in Remediate recommendations in Azure Security Center.

Security control: Encrypt data in transit
  • Enforce SSL connection should be enabled for PostgreSQL database servers
  • Enforce SSL connection should be enabled for MySQL database servers
  • TLS should be updated to the latest version for your API app
  • TLS should be updated to the latest version for your function app
  • TLS should be updated to the latest version for your web app
  • FTPS should be required in your API app
  • FTPS should be required in your function app
  • FTPS should be required in your web app

Security control: Manage access and permissions
  • Web apps should request an SSL certificate for all incoming requests
  • Managed identity should be used in your API app
  • Managed identity should be used in your function app
  • Managed identity should be used in your web app

Security control: Restrict unauthorized network access
  • Private endpoint should be enabled for PostgreSQL servers
  • Private endpoint should be enabled for MariaDB servers
  • Private endpoint should be enabled for MySQL servers

Security control: Enable auditing and logging
  • Diagnostic logs in App Services should be enabled

Security control: Implement security best practices
  • Azure Backup should be enabled for virtual machines
  • Geo-redundant backup should be enabled for Azure Database for MariaDB
  • Geo-redundant backup should be enabled for Azure Database for MySQL
  • Geo-redundant backup should be enabled for Azure Database for PostgreSQL
  • PHP should be updated to the latest version for your API app
  • PHP should be updated to the latest version for your web app
  • Java should be updated to the latest version for your API app
  • Java should be updated to the latest version for your function app
  • Java should be updated to the latest version for your web app
  • Python should be updated to the latest version for your API app
  • Python should be updated to the latest version for your function app
  • Python should be updated to the latest version for your web app
  • Audit retention for SQL servers should be set to at least 90 days

Related links:

NIST SP 800-171 R2 added to Security Center's regulatory compliance dashboard

The NIST SP 800-171 R2 standard is now available as a built-in initiative for use with Azure Security Center's regulatory compliance dashboard. The mappings for the controls are described in Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative.

To apply the standard to your subscriptions and continuously monitor your compliance status, use the instructions in Customizing the set of standards in your regulatory compliance dashboard.

The NIST SP 800-171 R2 standard in Security Center's regulatory compliance dashboard

For more information about this compliance standard, see NIST SP 800-171 R2.

Recommendations list now includes filters

You can now filter the list of security recommendations according to a range of criteria. In the following example, the recommendations list has been filtered to show recommendations that:

  • are generally available (that is, not preview)
  • are for storage accounts
  • support quick fix remediation

Filters for the recommendations list

Auto provisioning experience improved and expanded

The auto provisioning feature helps reduce management overhead by installing the required extensions on new - and existing - Azure VMs so they can benefit from Security Center's protections.

As Azure Security Center grows, more extensions have been developed and Security Center can monitor a larger list of resource types. The auto provisioning tools have now been expanded to support additional extensions and resource types by leveraging the capabilities of Azure Policy.

You can now configure the auto provisioning of:

  • Log Analytics agent
  • (New) Azure Policy Add-on for Kubernetes
  • (New) Microsoft Dependency agent

Learn more in Auto provisioning agents and extensions from Azure Security Center.

Secure score is now available in continuous export (preview)

With continuous export of secure score, you can stream changes to your score in real time to Azure Event Hubs or a Log Analytics workspace. Use this capability to:

  • track your secure score over time with dynamic reports
  • export secure score data to Azure Sentinel (or any other SIEM)
  • integrate this data with any processes you might already be using to monitor secure score in your organization

Learn more about how to Continuously export Security Center data.

"System updates should be installed on your machines" recommendation now includes subrecommendations

The System updates should be installed on your machines recommendation has been enhanced. The new version includes subrecommendations for each missing update and brings the following improvements:

  • A redesigned experience in the Azure Security Center pages of the Azure portal. The recommendation details page for System updates should be installed on your machines includes the list of findings as shown below. When you select a single finding, the details pane opens with a link to the remediation information and a list of affected resources.

    Opening one of the subrecommendations in the portal experience for the updated recommendation

  • Enriched data for the recommendation from Azure Resource Graph (ARG). ARG is an Azure service that's designed to provide efficient resource exploration. You can use ARG to query at scale across a given set of subscriptions so that you can effectively govern your environment.

    For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data.

    Previously, if you queried this recommendation in ARG, the only available information was that the recommendation needs to be remediated on a machine. The following query of the enhanced version returns the missing system updates grouped by machine.

    securityresources
    | where type =~ "microsoft.security/assessments/subassessments"
    // keep only subassessments of the parent recommendation "System updates should be installed on your machines"
    | where extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) == "4ab6e3c5-74dd-8b35-9ab9-f61b30875b27"
    | where properties.status.code == "Unhealthy"
    // one row per missing update: the machine it applies to, the update's name and its severity
    | project machine = tostring(properties.resourceDetails.id), update = tostring(properties.displayName), severity = tostring(properties.status.severity)
    | summarize missingUpdates = make_set(update) by machine

Policy management page in the Azure portal now shows status of default policy assignments

You can now see whether or not your subscriptions have the default Security Center policy assigned, in Security Center's security policy page of the Azure portal.

The policy management page of Azure Security Center showing the default policy assignments

October 2020

Updates in October include:

Vulnerability assessment for on-premise and multi-cloud machines (preview)

Azure Defender for servers' integrated vulnerability assessment scanner (powered by Qualys) now scans Azure Arc enabled servers.

When you've enabled Azure Arc on your non-Azure machines, Security Center will offer to deploy the integrated vulnerability scanner on them - manually and at-scale.

With this update, you can unleash the power of Azure Defender for servers to consolidate your vulnerability management program across all of your Azure and non-Azure assets.

Main capabilities:

  • Monitoring the VA (vulnerability assessment) scanner provisioning state on Azure Arc machines
  • Provisioning the integrated VA agent to unprotected Windows and Linux Azure Arc machines (manually and at-scale)
  • Receiving and analyzing detected vulnerabilities from deployed agents (manually and at-scale)
  • Unified experience for Azure VMs and Azure Arc machines

Learn more about deploying the integrated vulnerability scanner to your hybrid machines.

Learn more about Azure Arc enabled servers.

Azure Firewall recommendation added (preview)

A new recommendation has been added to protect all your virtual networks with Azure Firewall.

The recommendation, Virtual networks should be protected by Azure Firewall, advises you to restrict access to your virtual networks and prevent potential threats by using Azure Firewall.

Learn more about Azure Firewall.

Authorized IP ranges should be defined on Kubernetes Services recommendation updated with quick fix

The recommendation Authorized IP ranges should be defined on Kubernetes Services now has a quick fix option.

For more information about this recommendation and all other Security Center recommendations, see Security recommendations - a reference guide.

The authorized IP ranges should be defined on Kubernetes Services recommendation with the quick fix option

Regulatory compliance dashboard now includes option to remove standards

Security Center's regulatory compliance dashboard provides insights into your compliance posture based on how you're meeting specific compliance controls and requirements.

The dashboard includes a default set of regulatory standards. If any of the supplied standards isn't relevant to your organization, you can now remove it from the UI for a subscription. Standards can be removed only at the subscription level, not at the management group scope.

Learn more in Removing a standard from your dashboard.

Microsoft.Security/securityStatuses table removed from Azure Resource Graph (ARG)

Azure Resource Graph is a service in Azure that is designed to provide efficient resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

For Azure Security Center, you can use ARG and the Kusto Query Language (KQL) to query a wide range of security posture data.

Within ARG, there are tables of data for you to use in your queries.

Azure Resource Graph Explorer and the available tables

Tip

The ARG documentation lists all the available tables in Azure Resource Graph table and resource type reference.

From this update, the Microsoft.Security/securityStatuses table has been removed. The securityStatuses API is still available.

The Microsoft.Security/Assessments table can be used as the replacement data source.

The major difference between Microsoft.Security/securityStatuses and Microsoft.Security/Assessments is that while the first shows an aggregation of assessments, the second holds a single record for each assessment.

For example, Microsoft.Security/securityStatuses would return a result with an array of two policyAssessments:

{
id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/securityStatuses/mico-rg-vnet",
name: "mico-rg-vnet",
type: "Microsoft.Security/securityStatuses",
properties:  {
    policyAssessments: [
        {assessmentKey: "e3deicce-f4dd-3b34-e496-8b5381bazd7e", category: "Networking", policyName: "Azure DDOS Protection Standard should be enabled",...},
        {assessmentKey: "sefac66a-1ec5-b063-a824-eb28671dc527", category: "Compute", policyName: "",...}
    ],
    securitystateByCategory: [{category: "Networking", securityState: "None" }, {category: "Compute",...}],
    name: "GenericResourceHealthProperties",
    type: "VirtualNetwork",
    securitystate: "High"
}

Whereas, Microsoft.Security/Assessments will hold a record for each such policy assessment as follows:

{
type: "Microsoft.Security/assessments",
id:  "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/e3delcce-f4dd-3b34-e496-8b5381ba2d70",
name: "e3deicce-f4dd-3b34-e496-8b5381ba2d70",
properties:  {
    resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet"...},
    displayName: "Azure DDOS Protection Standard should be enabled",
    status: {code: "NotApplicable", cause: "VnetHasNOAppGateways", description: "There are no Application Gateway resources attached to this Virtual Network"...}
}

{
type: "Microsoft.Security/assessments",
id:  "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/80fac66a-1ec5-be63-a824-eb28671dc527",
name: "8efac66a-1ec5-be63-a824-eb28671dc527",
properties: {
    resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet"...},
    displayName: "Audit diagnostic setting",
    status:  {code: "Unhealthy"}
}

Example of converting an existing ARG query using securityStatuses to now use the assessments table:

Query that references SecurityStatuses:

SecurityResources
| where type == 'microsoft.security/securitystatuses' and properties.type == 'virtualMachine'
| where name in ({vmnames})
| project name, resourceGroup, policyAssessments = properties.policyAssessments, resourceRegion = location, id, resourceDetails = properties.resourceDetails

Replacement query for the Assessments table:

securityresources
| where type == "microsoft.security/assessments" and id contains "virtualMachine"
| extend resourceName = extract(@"(?i)/([^/]*)/providers/Microsoft.Security/assessments", 1, id)
| extend source = tostring(properties.resourceDetails.Source)
| extend resourceId = trim(" ", tolower(tostring(case(source =~ "azure", properties.resourceDetails.Id,
source =~ "aws", properties.additionalData.AzureResourceId,
source =~ "gcp", properties.additionalData.AzureResourceId,
extract("^(.+)/providers/Microsoft.Security/assessments/.+$",1,id)))))
| extend resourceGroup = tolower(tostring(split(resourceId, "/")[4]))
| where resourceName in ({vmnames}) 
| project resourceName, resourceGroup, resourceRegion = location, id, resourceDetails = properties.additionalData
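The per-resource aggregation that securityStatuses used to provide, rebuilt client-side from Microsoft.Security/assessments records, as an added example that is not part of this page or of Security Center's own tooling. It applies the same resource-ID fallback chain (resourceDetails.Id for Azure, additionalData.AzureResourceId for AWS/GCP, otherwise parsed from the assessment ID) and the same split-on-"/" resource-group extraction as the replacement KQL query above; the sample records, their placeholder GUIDs, and the state ranking are constructed for the example.

```python
import re
from collections import defaultdict

# Same pattern the replacement KQL query uses: the assessed resource's ID is
# everything before "/providers/Microsoft.Security/assessments/<key>".
ASSESSMENT_ID_RE = re.compile(r"^(?P<resource>.+)/providers/Microsoft\.Security/assessments/(?P<key>[^/]+)$", re.IGNORECASE)

# Ranking used to roll many per-assessment status codes up to one per-resource
# state. The ordering is an assumption for this example, not Security Center's.
_RANK = {"Unhealthy": 2, "Healthy": 1, "NotApplicable": 0}

def resource_id_from_assessment(assessment: dict) -> str:
    """Mirror the KQL case() chain: Azure records carry the resource ID in resourceDetails.Id,
    AWS/GCP records in additionalData.AzureResourceId, anything else is parsed from the assessment ID."""
    props = assessment.get("properties", {})
    details = props.get("resourceDetails", {})
    source = str(details.get("Source", "")).lower()
    if source == "azure" and details.get("Id"):
        rid = details["Id"]
    elif source in ("aws", "gcp") and props.get("additionalData", {}).get("AzureResourceId"):
        rid = props["additionalData"]["AzureResourceId"]
    else:
        m = ASSESSMENT_ID_RE.match(assessment.get("id", ""))
        if not m:
            raise ValueError(f"unrecognised assessment id: {assessment.get('id')!r}")
        rid = m.group("resource")
    return rid.strip().lower()  # the query trims and lowercases too: ARG IDs vary in case

def resource_group_of(resource_id: str) -> str:
    # ARM IDs are /subscriptions/<sub>/resourceGroups/<rg>/providers/...; element 4
    # after splitting on "/" is the resource group, exactly as the KQL query does it.
    parts = resource_id.split("/")
    return parts[4].lower() if len(parts) > 4 else ""

def aggregate_by_resource(assessments: list) -> dict:
    """Rebuild a securityStatuses-style view: one entry per resource holding the
    list of its assessments and a single rolled-up state."""
    out = defaultdict(lambda: {"resourceGroup": "", "assessments": [], "state": "NotApplicable"})
    for a in assessments:
        rid = resource_id_from_assessment(a)
        props = a.get("properties", {})
        code = str(props.get("status", {}).get("code", "NotApplicable"))
        entry = out[rid]
        entry["resourceGroup"] = resource_group_of(rid)
        entry["assessments"].append({"name": a.get("name"), "displayName": props.get("displayName"), "status": code})
        if _RANK.get(code, 0) > _RANK.get(entry["state"], 0):
            entry["state"] = code
    return dict(out)

# Constructed sample records in the shape of the page's assessments examples; the
# subscription, resource and assessment GUIDs are placeholders, not real values.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_VNET = _SUB + "/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet"
_AWS_RID = _SUB + "/resourceGroups/aws-rg/providers/Microsoft.Security/aws/placeholder-instance"
SAMPLE_ASSESSMENTS = [
    {"id": _VNET + "/providers/Microsoft.Security/assessments/aaaaaaaa-0000-0000-0000-000000000001",
     "name": "aaaaaaaa-0000-0000-0000-000000000001",
     "properties": {"resourceDetails": {"Source": "Azure", "Id": _VNET},
                    "displayName": "Azure DDOS Protection Standard should be enabled",
                    "status": {"code": "NotApplicable", "cause": "VnetHasNOAppGateways"}}},
    {"id": _VNET.lower() + "/providers/Microsoft.Security/assessments/aaaaaaaa-0000-0000-0000-000000000002",
     "name": "aaaaaaaa-0000-0000-0000-000000000002",
     "properties": {"resourceDetails": {"Source": "Azure", "Id": _VNET.lower()},
                    "displayName": "Audit diagnostic setting",
                    "status": {"code": "Unhealthy"}}},
    {"id": _SUB + "/providers/Microsoft.Security/assessments/aaaaaaaa-0000-0000-0000-000000000003",
     "name": "aaaaaaaa-0000-0000-0000-000000000003",  # AWS-sourced: its resource ID lives in additionalData
     "properties": {"resourceDetails": {"Source": "AWS"},
                    "additionalData": {"AzureResourceId": _AWS_RID},
                    "displayName": "Constructed AWS recommendation",
                    "status": {"code": "Healthy"}}},
]

if __name__ == "__main__":
    for rid, entry in aggregate_by_resource(SAMPLE_ASSESSMENTS).items():
        print(entry["resourceGroup"], entry["state"], len(entry["assessments"]), rid)
```

The two vnet records differ only in ID casing and collapse into one entry, which is why the KQL query lowercases before grouping.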

Learn more at the following links:

September 2020

Updates in September include:

Security Center gets a new look!

We've released a refreshed UI for Security Center's portal pages. The new pages include a new overview page as well as dashboards for secure score, asset inventory, and Azure Defender.

The redesigned overview page now has a tile for accessing the secure score, asset inventory, and Azure Defender dashboards. It also has a tile linking to the regulatory compliance dashboard.

Learn more about the overview page.

Azure Defender released

Azure Defender is the cloud workload protection platform (CWPP) integrated within Security Center for advanced, intelligent protection of your Azure and hybrid workloads. It replaces Security Center's standard pricing tier option.

When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

Each of these plans is explained separately in the Security Center documentation.

With its dedicated dashboard, Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.

Learn more about Azure Defender

Azure Defender for Key Vault is generally available

Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.

Azure Defender for Key Vault provides Azure-native, advanced threat protection for Azure Key Vault, adding a further layer of security intelligence. By extension, it also protects many of the resources that depend on your Key Vault accounts.

The optional plan is now GA. This feature was in preview as "advanced threat protection for Azure Key Vault".

Also, the Key Vault pages in the Azure portal now include a dedicated Security page for Security Center recommendations and alerts.

Learn more in Azure Defender for Key Vault.

Azure Defender for Storage protection for Files and ADLS Gen2 is generally available

Azure Defender for Storage detects potentially harmful activity on your Azure Storage accounts. Your data can be protected whether it's stored as blob containers, file shares, or data lakes.

Support for Azure Files and Azure Data Lake Storage Gen2 is now generally available.

From 1 October 2020, we'll begin charging for protecting resources on these services.

Learn more in Azure Defender for Storage.

Asset inventory tools are now generally available

The asset inventory page of Azure Security Center provides a single page for viewing the security posture of the resources you've connected to Security Center.

Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remediate those vulnerabilities.

When any resource has outstanding recommendations, they'll appear in the inventory.

Learn more in Explore and manage your resources with asset inventory.

Disable a specific vulnerability finding for scans of container registries and virtual machines

Azure Defender includes vulnerability scanners to scan images in your Azure Container Registry and your virtual machines.

If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't impact your secure score or generate unwanted noise.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings.

This option is available from the recommendations details pages for:

  • Vulnerabilities in Azure Container Registry images should be remediated
  • Vulnerabilities in your virtual machines should be remediated

Learn more in Disable specific findings for your container images and Disable specific findings for your virtual machines.

Exempt a resource from a recommendation

Occasionally, a resource will be listed as unhealthy regarding a specific recommendation (and therefore lowers your secure score) even though you feel it shouldn't be. It might have been remediated by a process not tracked by Security Center. Or perhaps your organization has decided to accept the risk for that specific resource.

In such cases, you can create an exemption rule and ensure that resource isn't listed amongst the unhealthy resources in the future. These rules can include documented justifications as described below.

Learn more in Exempt a resource from recommendations and secure score.

AWS and GCP connectors in Security Center bring a multi-cloud experience

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Azure Security Center now protects workloads in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Onboarding your AWS and GCP accounts into Security Center integrates AWS Security Hub, GCP Security Command Center, and Azure Security Center.

Learn more in Connect your AWS accounts to Azure Security Center and Connect your GCP accounts to Azure Security Center.

Kubernetes workload protection recommendation bundle

To ensure that Kubernetes workloads are secure by default, Security Center is adding Kubernetes level hardening recommendations, including enforcement options with Kubernetes admission control.

When you've installed the Azure Policy add-on for Kubernetes on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure enforcement of the best practices and mandate them for future workloads.

For example, you can mandate that privileged containers shouldn't be created, and any future requests to do so will be blocked.

Learn more in Workload protection best-practices using Kubernetes admission control.

Vulnerability assessment findings are now available in continuous export

Use continuous export to stream your alerts and recommendations in real time to Azure Event Hubs, Log Analytics workspaces, or Azure Monitor. From there, you can integrate this data with SIEMs (such as Azure Sentinel), Power BI, Azure Data Explorer, and more.

Security Center's integrated vulnerability assessment tools return findings about your resources as actionable recommendations within a 'parent' recommendation such as "Vulnerabilities in your virtual machines should be remediated".

The security findings are now available for export through continuous export when you select recommendations and enable the include security findings option.

Include security findings toggle in continuous export configuration

Related pages:

Prevent security misconfigurations by enforcing recommendations when creating new resources

Security misconfigurations are a major cause of security incidents. Security Center now has the ability to help prevent misconfigurations of new resources with regard to specific recommendations.

This feature can help keep your workloads secure and stabilize your secure score.

Enforcing a secure configuration, based on a specific recommendation, is offered in two modes:

  • Using the Deny effect of Azure Policy, you can stop unhealthy resources from being created

  • Using the Enforce option, you can take advantage of Azure Policy's DeployIfNotExist effect and automatically remediate non-compliant resources upon creation

This is available for selected security recommendations and can be found at the top of the resource details page.

Learn more in Prevent misconfigurations with Enforce/Deny recommendations.

Network security group recommendations improved

The following security recommendations related to network security groups have been improved to reduce some instances of false positives.

  • All network ports should be restricted on NSG associated to your VM
  • Management ports should be closed on your virtual machines
  • Internet-facing virtual machines should be protected with Network Security Groups
  • Subnets should be associated with a Network Security Group

Deprecated preview AKS recommendation "Pod Security Policies should be defined on Kubernetes Services"

The preview recommendation "Pod Security Policies should be defined on Kubernetes Services" is being deprecated as described in the Azure Kubernetes Service documentation.

The pod security policy (preview) feature is set for deprecation and will no longer be available after October 15, 2020, in favor of Azure Policy for AKS.

After pod security policy (preview) is deprecated, you must disable the feature on any existing clusters using the deprecated feature to perform future cluster upgrades and stay within Azure support.

Email notifications from Azure Security Center improved

The following areas of the emails regarding security alerts have been improved:

  • Added the ability to send email notifications about alerts for all severity levels
  • Added the ability to notify users with different Azure roles on the subscription
  • We're proactively notifying subscription owners by default on high-severity alerts (which have a high probability of being genuine breaches)
  • We've removed the phone number field from the email notifications configuration page

Learn more in Set up email notifications for security alerts.

Secure score doesn't include preview recommendations

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so that you can tell, at a glance, your current security situation: the higher the score, the lower the identified risk level.

As new threats are discovered, new security advice is made available in Security Center through new recommendations. To avoid surprise changes to your secure score, and to provide a grace period in which you can explore new recommendations before they impact your scores, recommendations flagged as Preview are no longer included in the calculations of your secure score. They should still be remediated wherever possible, so that when the preview period ends they'll contribute towards your score.

Also, Preview recommendations don't render a resource "Unhealthy".

An example of a preview recommendation:

Recommendation with the preview flag

Learn more about secure score.

Recommendations now include a severity indicator and the freshness interval

The details page for recommendations now includes a freshness interval indicator (whenever relevant) and a clear display of the severity of the recommendation.

Recommendation page showing freshness and severity

August 2020

Updates in August include:

Asset inventory - powerful new view of the security posture of your assets

Security Center's asset inventory (currently in preview) provides a way to view the security posture of the resources you've connected to Security Center.

Security Center periodically analyzes the security state of your Azure resources to identify potential security vulnerabilities. It then provides you with recommendations on how to remediate those vulnerabilities. When any resource has outstanding recommendations, they'll appear in the inventory.

You can use the view and its filters to explore your security posture data and take further actions based on your findings.

Learn more about asset inventory.

Added support for Azure Active Directory security defaults (for multi-factor authentication)

Security Center has added full support for security defaults, Microsoft’s free identity security protections.

Security defaults provide preconfigured identity security settings to defend your organization from common identity-related attacks. Security defaults are already protecting more than 5 million tenants overall; 50,000 of those tenants are also protected by Security Center.

Security Center now provides a security recommendation whenever it identifies an Azure subscription without security defaults enabled. Until now, Security Center recommended enabling multi-factor authentication using conditional access, which is part of the Azure Active Directory (AD) premium license. For customers using Azure AD free, we now recommend enabling security defaults.

Our goal is to encourage more customers to secure their cloud environments with MFA, and mitigate one of the highest risks that is also the most impactful to your secure score.

Learn more about security defaults.

Service principals recommendation added

A new recommendation has been added to recommend that Security Center customers using management certificates to manage their subscriptions switch to service principals.

The recommendation, Service principals should be used to protect your subscriptions instead of Management Certificates advises you to use Service Principals or Azure Resource Manager to more securely manage your subscriptions.

Learn more about Application and service principal objects in Azure Active Directory.

Vulnerability assessment on VMs - recommendations and policies consolidated

Security Center inspects your VMs to detect whether they're running a vulnerability assessment solution. If no vulnerability assessment solution is found, Security Center provides a recommendation to simplify the deployment.

When vulnerabilities are found, Security Center provides a recommendation summarizing the findings for you to investigate and remediate as necessary.

To ensure a consistent experience for all users, regardless of the scanner type they're using, we've unified four recommendations into the following two:

Unified recommendation: A vulnerability assessment solution should be enabled on your virtual machines
Replaces the following two recommendations:
  • Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys) (now deprecated) (Included with standard tier)
  • Vulnerability assessment solution should be installed on your virtual machines (now deprecated) (Standard and free tiers)

Unified recommendation: Vulnerabilities in your virtual machines should be remediated
Replaces the following two recommendations:
  • Remediate vulnerabilities found on your virtual machines (powered by Qualys) (now deprecated)
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution (now deprecated)

Now you'll use the same recommendation to deploy Security Center's vulnerability assessment extension or a privately licensed solution ("BYOL") from a partner such as Qualys or Rapid7.

Also, when vulnerabilities are found and reported to Security Center, a single recommendation will alert you to the findings regardless of the vulnerability assessment solution that identified them.

Updating dependencies

If you have scripts, queries, or automations referring to the previous recommendations or policy keys/names, use the tables below to update the references:

Before August 2020

Recommendations (scope in parentheses):
  • Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)
    Key: 550e890b-e652-4d22-8274-60b3bdb24c63 (Built-in)
  • Remediate vulnerabilities found on your virtual machines (powered by Qualys)
    Key: 1195afff-c881-495e-9bc5-1486211ae03f (Built-in)
  • Vulnerability assessment solution should be installed on your virtual machines
    Key: 01b1ed4c-b733-4fee-b145-f23236e70cf3 (BYOL)
  • Vulnerabilities should be remediated by a Vulnerability Assessment solution
    Key: 71992a2a-d168-42e0-b10e-6b45fa2ecddb (BYOL)

Policies (scope in parentheses):
  • Vulnerability assessment should be enabled on virtual machines
    Policy ID: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 (Built-in)
  • Vulnerabilities should be remediated by a vulnerability assessment solution
    Policy ID: 760a85ff-6162-42b3-8d70-698e268f648c (BYOL)

From August 2020

Recommendations (scope in parentheses):
  • A vulnerability assessment solution should be enabled on your virtual machines
    Key: ffff0522-1e88-47fc-8382-2a80ba848f5d (Built-in + BYOL)
  • Vulnerabilities in your virtual machines should be remediated
    Key: 1195afff-c881-495e-9bc5-1486211ae03f (Built-in + BYOL)

Policies (scope in parentheses):
  • Vulnerability assessment should be enabled on virtual machines
    Policy ID: 501541f7-f7e7-4cd6-868c-4190fdad3ac9 (Built-in + BYOL)

New AKS security policies added to ASC_default initiative – for use by private preview customers only

To ensure that Kubernetes workloads are secure by default, Security Center is adding Kubernetes level policies and hardening recommendations, including enforcement options with Kubernetes admission control.

The early phase of this project includes a private preview and the addition of new (disabled by default) policies to the ASC_default initiative.

You can safely ignore these policies and there will be no impact on your environment. If you'd like to enable them, sign up for the preview at https://aka.ms/SecurityPrP and select from the following options:

  1. Single Preview – To join only this private preview. Explicitly mention “ASC Continuous Scan” as the preview you would like to join.
  2. Ongoing Program – To be added to this and future private previews. You'll need to complete a profile and privacy agreement.