Enable data collection in Azure Security Center

Note

Beginning in early June 2017, Security Center will use the Microsoft Monitoring Agent to collect and store data. To learn more, see Azure Security Center Platform Migration. The information in this article represents Security Center functionality after transition to the Microsoft Monitoring Agent.

Security Center collects data from your virtual machines (VMs) to assess their security state, provide security recommendations, and alert you to threats. When you first access Security Center, you have the option to enable data collection for all VMs in your subscription. If data collection is not enabled, Security Center recommends that you turn on data collection in the security policy for that subscription.

When data collection is enabled, Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and on any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations. In addition, the operating system raises event log events. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, logged-in user, and tenant ID. The Microsoft Monitoring Agent reads event log entries and configurations and copies the data to your workspace for analysis. The Microsoft Monitoring Agent also copies crash dump files to your workspace.

If you are using the Free tier of Security Center, you can disable data collection from virtual machines by turning off data collection in the security policy. Disabling data collection limits security assessments for your VMs. To learn more, see Disabling data collection. VM disk snapshots and artifact collection are enabled even if data collection has been disabled. Data collection is required for subscriptions on the Standard tier of Security Center.

Note

Learn more about Security Center's Free and Standard pricing tiers.

Implement the recommendation

Note

This document introduces the service by using an example deployment. This document is not a step-by-step guide.

  1. In the Recommendations blade, select Enable data collection for subscriptions. This opens the Turn on data collection blade.
  2. On the Turn on data collection blade, select your subscription. The Security policy blade for that subscription opens.
  3. On the Security policy blade, select On under Data collection to automatically collect logs. Turning on data collection provisions the monitoring extension on all current and new supported VMs in the subscription.
  4. Select Save.
  5. Select OK.

Disabling data collection

If you are using the Free tier of Security Center, you can disable data collection from virtual machines at any time by turning off data collection in the security policy. Data collection is required for subscriptions on the Standard tier of Security Center.

  1. Return to the Security Center blade and select the Policy tile. This opens the Security policy-Define policy per subscription blade.
  2. On the Security policy-Define policy per subscription blade, select the subscription for which you wish to disable data collection.
  3. The Security policy blade for that subscription opens. Select Off under Data collection.
  4. Select Save in the top ribbon.

Next steps

This article showed you how to implement the Security Center recommendation "Enable data collection." To learn more about Security Center, see the following: