Beginning in early June 2017, Security Center will use the Microsoft Monitoring Agent to collect and store data. To learn more, see Azure Security Center Platform Migration. The information in this article represents Security Center functionality after transition to the Microsoft Monitoring Agent.
Security Center collects data from your virtual machines (VMs) to assess their security state, provide security recommendations, and alert you to threats. When you first access Security Center, you have the option to enable data collection for all VMs in your subscription. If data collection is not enabled, Security Center recommends that you turn on data collection in the security policy for that subscription.
When data collection is enabled, Security Center provisions the Microsoft Monitoring Agent on all existing supported Azure virtual machines and any new ones that are created. The Microsoft Monitoring Agent scans for various security-related configurations. In addition, the operating system raises event log events. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, logged-in user, and tenant ID. The Microsoft Monitoring Agent reads event log entries and configurations and copies the data to your workspace for analysis. The Microsoft Monitoring Agent also copies crash dump files to your workspace.
If you are using the Free tier of Security Center, you can disable data collection from virtual machines by turning off data collection in the security policy. Disabling data collection limits security assessments for your VMs. To learn more, see Disabling data collection. VM disk snapshots and artifact collection are enabled even if data collection has been disabled. Data collection is required for subscriptions on the Standard tier of Security Center.
Learn more about Security Center's Free and Standard pricing tiers.
Implement the recommendation
This document introduces the service by using an example deployment. This document is not a step-by-step guide.
- In the Recommendations blade, select Enable data collection for subscriptions. This opens the Turn on data collection blade.
- On the Turn on data collection blade, select your subscription. The Security policy blade for that subscription opens.
- On the Security policy blade, select On under Data collection to automatically collect logs. Turning on data collection provisions the monitoring extension on all current and new supported VMs in the subscription.
- Select Save.
- Select OK.
Disabling data collection
If you are using the Free tier of Security Center, you can disable data collection from virtual machines at any time by turning off data collection in the security policy. Data collection is required for subscriptions on the Standard tier of Security Center.
- Return to the Security Center blade and select the Policy tile. This opens the Security policy - Define policy per subscription blade.
- On the Security policy - Define policy per subscription blade, select the subscription for which you want to disable data collection.
- The Security policy blade for that subscription opens. Select Off under Data collection.
- Select Save in the top ribbon.
This article showed you how to implement the Security Center recommendation "Enable data collection." To learn more about Security Center, see the following:
- Setting security policies in Azure Security Center -- Learn how to configure security policies for your Azure subscriptions and resource groups.
- Managing security recommendations in Azure Security Center -- Learn how recommendations help you protect your Azure resources.
- Security health monitoring in Azure Security Center -- Learn how to monitor the health of your Azure resources.
- Managing and responding to security alerts in Azure Security Center -- Learn how to manage and respond to security alerts.
- Monitoring partner solutions with Azure Security Center -- Learn how to monitor the health status of your partner solutions.
- Azure Security Center data security -- Learn how data is managed and safeguarded in Security Center.
- Azure Security Center FAQ -- Find frequently asked questions about using the service.
- Azure Security blog -- Get the latest Azure security news and information.