Enable data collection in Azure Security Center

To help customers prevent, detect, and respond to threats, Azure Security Center collects and processes data about your Azure virtual machines, including configuration information, metadata, and event logs. When you first access Security Center, data collection is enabled on all virtual machines in your subscription. Data collection is recommended, but you can opt out by turning off data collection in the Security Center policy (see Disabling data collection). If you turn off data collection, Security Center recommends that you turn on data collection in the security policy for that subscription.

Note

This document introduces the service by using an example deployment. This is not a step-by-step guide.

Implement the recommendation

  1. Select the Recommendations tile on the Security Center blade. This opens the Recommendations blade.
  2. On the Recommendations blade, select Enable data collection for subscriptions. This opens the Turn on data collection blade.
  3. On the Turn on data collection blade, select your subscription. The Security policy blade for that subscription opens.
  4. On the Security policy blade, select On under Data collection to automatically collect logs. Turning on data collection provisions the monitoring extension on all current and new supported VMs in the subscription.
  5. Select Save.
  6. Select Choose a storage account per region. For each region in which you have virtual machines running, you choose the storage account where data collected from those virtual machines is stored. If you do not choose a storage account for each region, a storage account is created for you and placed in the securitydata resource group. In this example, we choose newstoracct. You can change the storage account later by returning to the security policy for your subscription and choosing a different storage account.
  7. Select OK.

Note

We recommend that you turn on data collection and choose a storage account at the subscription level first. Security policies can be set at the Azure subscription level and resource group level but configuration of data collection and storage account occurs at the subscription level only.

After data collection is enabled

Data collection is enabled via the Azure Monitoring Agent and the Azure Security Monitoring extension. The Azure Security Monitoring extension scans for various security-relevant configurations and writes its findings to Event Tracing for Windows (ETW) traces. In addition, the operating system creates event log entries. The Azure Monitoring Agent reads the event log entries and ETW traces and copies them to your storage account for analysis. The Monitoring Agent also copies crash dump files to your storage account. This is the storage account you configured in the security policy.
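Once data collection is on, two things are worth verifying: that the monitoring extension actually landed on every VM, and that every region with VMs has a storage account chosen (otherwise Security Center creates one in the securitydata resource group). The following audit is an added example, not code from the Azure documentation; it runs over a constructed inventory shaped like `az vm list` output, and the extension publisher/type pair it looks for is an assumption to adjust to what your subscription reports.

```python
"""Audit Security Center data-collection coverage from a VM inventory (added example)."""
import json

# ASSUMPTION: publisher/type of the Security Center monitoring extension.
# Confirm with `az vm extension list` on a VM that is known to be covered.
SECURITY_MONITORING = ("Microsoft.Azure.Security", "Monitoring")

# Constructed sample inventory (not real resources), shaped like `az vm list`
# with the extensions each VM currently has provisioned.
INVENTORY = json.loads("""
[
  {"name": "web01", "location": "westus",
   "extensions": [{"publisher": "Microsoft.Azure.Security", "type": "Monitoring"}]},
  {"name": "web02", "location": "westus", "extensions": []},
  {"name": "db01",  "location": "northeurope",
   "extensions": [{"publisher": "Microsoft.Azure.Security", "type": "Monitoring"}]}
]
""")

# Storage accounts chosen per region in the security policy (constructed);
# newstoracct is the account chosen in the walkthrough above.
POLICY_STORAGE = {"westus": "newstoracct"}


def audit(inventory, policy_storage):
    """Return (VMs lacking the monitoring extension, regions with no chosen storage account)."""
    missing = []
    for vm in inventory:
        present = {(e["publisher"], e["type"]) for e in vm.get("extensions", [])}
        if SECURITY_MONITORING not in present:
            missing.append(vm["name"])
    regions = {vm["location"] for vm in inventory}
    # A region with VMs but no explicit choice falls back to an auto-created
    # account in the securitydata resource group; record or replace it deliberately.
    unassigned = sorted(regions - set(policy_storage))
    return missing, unassigned


if __name__ == "__main__":
    vms, regions = audit(INVENTORY, POLICY_STORAGE)
    for name in vms:
        print(f"{name}: monitoring extension not provisioned")
    for region in regions:
        print(f"{region}: no storage account chosen; default securitydata account will be used")
```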

Disabling data collection

You can disable data collection at any time, which automatically removes any Monitoring Agents previously installed by Security Center. You must select a subscription to turn off data collection.

Note

Security policies can be set at the Azure subscription level and resource group level but you must select a subscription to turn off data collection.

  1. Return to the Security Center blade and select the Policy tile. This opens the Security policy-Define policy per subscription or resource group blade.
  2. On the Security policy-Define policy per subscription or resource group blade, select the subscription for which you wish to disable data collection.
  3. The Security policy blade for that subscription opens. Select Off under Data collection.
  4. Select Save in the top ribbon.

Next steps

This article showed you how to implement the Security Center recommendation "Enable data collection." To learn more about Security Center, see the following: