To help customers prevent, detect, and respond to threats, Azure Security Center collects and processes data about your Azure virtual machines, including configuration information, metadata, and event logs. When you first access Security Center, data collection is enabled on all virtual machines in your subscription. Data collection is recommended, but you can opt out by turning it off in the Security Center policy (see Disabling data collection). If data collection is off for a subscription, Security Center has no VM-level telemetry to base its recommendations and alerts on, so it raises the recommendation to turn data collection back on in the security policy for that subscription. This article shows how to implement that recommendation.
This document introduces the service by using an example deployment. This is not a step-by-step guide.
Implement the recommendation
- Select the Recommendations tile on the Security Center blade. This opens the Recommendations blade.
- On the Recommendations blade, select Enable data collection for subscriptions. This opens the Turn on data collection blade.
- On the Turn on data collection blade, select your subscription. The Security policy blade for that subscription opens.
- On the Security policy blade, select On under Data collection to automatically collect logs. Turning on data collection provisions the monitoring extension on all current and new supported VMs in the subscription.
- Select Choose a storage account per region. For each region in which you have virtual machines running, you choose the storage account where data collected from those virtual machines is stored. If you do not choose a storage account for each region, a storage account is created for you and placed in the securitydata resource group. In this example, we choose newstoracct. You can change the storage account later by returning to the security policy for your subscription and choosing a different storage account.
- Select OK.
We recommend that you turn on data collection and choose a storage account at the subscription level first. Security policies can be set at the Azure subscription level and resource group level but configuration of data collection and storage account occurs at the subscription level only.
After data collection is enabled
Data collection is enabled via the Azure Monitoring Agent and the Azure Security Monitoring extension. The Azure Security Monitoring extension scans for various security-relevant configurations and writes its findings to Event Tracing for Windows (ETW) traces. In addition, the operating system creates event log entries. The Azure Monitoring Agent reads the event log entries and ETW traces and copies them to your storage account for analysis. The Monitoring Agent also copies crash dump files to your storage account. This is the storage account you configured in the security policy.
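One check a practitioner wants after turning data collection on is whether every supported VM actually received the monitoring extension and whether each region's storage account was a deliberate choice rather than one created for you in the securitydata resource group. The following is an added example, not code from this article or from Security Center; it runs offline over a constructed inventory, and the extension publisher/type strings (`Microsoft.Azure.Security` / `Monitoring`), the VM names, the regions and the storage account names are assumptions for illustration.

```python
"""Offline verification of a Security Center data-collection rollout.

Added example; it is not code from the original article or from Security
Center itself. It consumes a VM inventory in the shape a script would build
from the ARM virtual machine and extension resources (name, location, and
each extension's publisher, type and provisioningState) and reports which VMs
still lack the monitoring extension and which regions have VMs but no storage
account chosen in the policy. The publisher/type strings and the inventory
below are constructed for illustration, not values taken from the article.
"""

# Assumed identifiers for the extension that data collection provisions.
# Constructed: read them off one VM that Security Center has already
# onboarded (e.g. from its extension list in the portal) and adjust.
MONITORING_PUBLISHER = "Microsoft.Azure.Security"
MONITORING_TYPE = "Monitoring"

# Constructed sample inventory: four VMs in three regions.
SAMPLE_VMS = [
    {"name": "web-01", "location": "eastus", "extensions": [
        {"publisher": "Microsoft.Azure.Security", "type": "Monitoring",
         "provisioningState": "Succeeded"}]},
    {"name": "web-02", "location": "eastus", "extensions": [
        {"publisher": "Microsoft.Compute", "type": "CustomScriptExtension",
         "provisioningState": "Succeeded"}]},
    {"name": "db-01", "location": "westeurope", "extensions": [
        {"publisher": "Microsoft.Azure.Security", "type": "Monitoring",
         "provisioningState": "Failed"}]},
    {"name": "app-01", "location": "northeurope", "extensions": [
        {"publisher": "Microsoft.Azure.Security", "type": "Monitoring",
         "provisioningState": "Succeeded"}]},
]

# Constructed sample of the per-region storage account choice from the policy;
# an empty value means no account was chosen for that region.
SAMPLE_STORAGE = {"eastus": "newstoracct", "westeurope": "newstoracctweu",
                  "northeurope": ""}


def monitoring_state(vm):
    """Return the provisioning state of the monitoring extension on a VM,
    or None when the extension is not installed at all."""
    for ext in vm.get("extensions", []):
        if (ext.get("publisher", "").lower() == MONITORING_PUBLISHER.lower()
                and ext.get("type", "").lower() == MONITORING_TYPE.lower()):
            return ext.get("provisioningState")
    return None


def vms_missing_monitoring(vms):
    """Map each VM that is not successfully onboarded to the reason:
    'absent' when the extension is missing, else its provisioning state."""
    problems = {}
    for vm in vms:
        state = monitoring_state(vm)
        if state != "Succeeded":
            problems[vm["name"]] = "absent" if state is None else state
    return problems


def regions_without_storage(vms, storage_by_region):
    """Regions that host VMs but have no storage account chosen in the policy.
    Security Center creates an account in the securitydata resource group for
    these; list them so the choice is deliberate rather than defaulted."""
    regions = {vm["location"].lower() for vm in vms}
    configured = {r.lower() for r, acct in storage_by_region.items() if acct}
    return sorted(regions - configured)


def rollout_report(vms, storage_by_region):
    """Combine both checks into one summary dict."""
    return {
        "vms_not_onboarded": vms_missing_monitoring(vms),
        "regions_defaulting_storage": regions_without_storage(vms, storage_by_region),
    }


if __name__ == "__main__":
    for key, value in rollout_report(SAMPLE_VMS, SAMPLE_STORAGE).items():
        print(f"{key}: {value}")
```

Feed it your own inventory (each VM's extensions flattened to publisher, type and provisioningState) and treat every VM in the report as one to re-check before relying on Security Center alerts for it: a VM whose extension sits in a Failed state sends no ETW traces or event logs to the storage account, so it is silent rather than covered.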
Disabling data collection
You can disable data collection at any time, which automatically removes any Monitoring Agents previously installed by Security Center. Security policies can be set at the Azure subscription level and resource group level, but data collection is a subscription-level setting, so you must select a subscription to turn it off.
- Return to the Security Center blade and select the Policy tile. This opens the Security policy-Define policy per subscription or resource group blade.
- On the Security policy-Define policy per subscription or resource group blade, select the subscription for which you wish to disable data collection.
- The Security policy blade for that subscription opens. Select Off under Data collection.
- Select Save in the top ribbon.
This article showed you how to implement the Security Center recommendation "Enable data collection". To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations in Azure Security Center -- Learn how recommendations help you protect your Azure resources.
- Security health monitoring in Azure Security Center -- Learn how to monitor the health of your Azure resources.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Monitoring partner solutions with Azure Security Center -- Learn how to monitor the health status of your partner solutions.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.
- Azure Security blog -- Get the latest Azure security news and information.