This FAQ answers questions about Azure Security Center, a service that helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Microsoft Azure resources.
What is Azure Security Center?
Azure Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.
How do I get Azure Security Center?
How does billing work for Azure Security Center?
Security Center is offered in two tiers: Free and Standard.
The Free tier enables you to set security policies and receive security alerts, incidents, and recommendations that guide you through the process of configuring needed controls. With the Free tier, you can also monitor the security state of your Azure resources and partner solutions integrated with your Azure subscription.
The Standard tier provides the Free tier features plus advanced detections: threat intelligence, behavioral analysis, crash analysis, and anomaly detection. The Standard tier is offered free for the first 60 days. Should you choose to continue to use the service beyond 60 days, we will automatically start to charge for the service. To upgrade, select Pricing Tier in the security policy. To learn more, see Security Center pricing.
Security Center assesses the configuration of your resources to identify security issues and vulnerabilities. In Security Center, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or resource group that a resource belongs to.
See Permissions in Azure Security Center to learn more about roles and allowed actions in Security Center.
Security Center collects data from your virtual machines to assess their security state, provide security recommendations, and alert you to threats. When you first access Security Center, data collection is enabled on all virtual machines in your subscription. Data collection is recommended but you can opt-out by disabling data collection in the Security Center policy.
How do I disable data collection?
You can disable Data collection for a subscription in the Security policy at any time. (Sign in to the Azure portal, select Browse, select Security Center, and select Policy.) When you select a subscription, a new blade opens and provides you the option to turn off Data collection. Azure Monitoring Agents are automatically removed from the subscription's existing virtual machines when you turn off data collection.
Security policies can be set at the Azure subscription level and resource group level but you must select a subscription to turn off data collection.
How do I enable data collection?
You can enable data collection for your Azure subscription in the Security policy. To enable data collection, sign in to the Azure portal, select Browse, select Security Center, and select Policy. Set Data collection to On and configure the storage accounts where you want data to be collected to (see question “Where is my data stored?”). When Data collection is enabled, it automatically collects security configuration and event information from all supported virtual machines in the subscription.
Security policies can be set at the Azure subscription level and resource group level but configuration of data collection occurs at the subscription level only.
What happens when data collection is enabled?
Data collection is enabled via the Azure Monitoring Agent and the Azure Security Monitoring extension. The Azure Security Monitoring extension scans for various security relevant configurations and sends it into Event Tracing for Windows (ETW) traces. In addition, the operating system creates event log entries. The Azure Monitoring Agent reads event log entries and ETW traces and copies them to your storage account for analysis. This is the storage account you configured in the security policy. For more information about the storage account, see question “Where is my data stored?”
Does the Monitoring Agent or Security Monitoring extension impact the performance of my server(s)?
The agent and extension consumes a nominal amount of system resources and should have little impact on the performance. For more information on performance impact and the agent and extension, see the planning and operations guide.
Where is my data stored?
For each region in which you have virtual machines running, you choose the storage account where data collected from those virtual machines is stored. This makes it easy for you to keep data in the same geographic area for privacy and data sovereignty purposes. You choose the storage account for a subscription in the Security policy. (Sign in to the Azure portal, select Browse, select Security Center, and select Policy.) When you select a subscription, a new blade opens. To select a region, select Choose storage accounts. If you do not choose a storage account for each region, a storage account is created for you and placed in the securitydata resource group.
Security policies can be set at the Azure subscription level and resource group level but selecting a region for your storage account occurs at the subscription level only.
Using Azure Security Center
What is a security policy?
A security policy defines the set of controls that are recommended for resources within the specified subscription or resource group. In Azure Security Center, you define policies for your Azure subscriptions and resource groups according to your company's security requirements and the type of applications or sensitivity of the data in each subscription.
For example, resources used for development or test may have different security requirements than those used for production applications. Likewise, applications with regulated data like PII (Personally Identifiable Information) may require a higher level of security. The security policies enabled in Azure Security Center drive security recommendations and monitoring. To learn more about security policies, see Security health monitoring in Azure Security Center.
If there is a conflict between subscription level policy and resource group level policy, the resource group level policy takes precedence.
Who can modify a security policy?
Security policies are configured for each subscription or resource group. To modify a security policy at the subscription level or resource group level, you must be an Owner or Contributor of that subscription.
To learn how to configure a security policy, see Setting security policies in Azure Security Center.
What is a security recommendation?
Azure Security Center analyzes the security state of your Azure resources. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the needed control. Examples are:
- Provisioning of antimalware to help identify and remove malicious software
- Configuring Network Security Groups and rules to control traffic to virtual machines
- Provisioning of a web application firewall to help defend against attacks targeting your web applications
- Deploying missing system updates
- Addressing OS configurations that do not match the recommended baselines
Only recommendations that are enabled in Security Policies are shown here.
How can I see the current security state of my Azure resources?
A Resources health tile on the Security Center blade shows the overall security posture of your environment broken down by virtual machines, web applications, and other resources. Each resource has an indicator showing if any potential security vulnerabilities have been identified. Clicking the Resources health tile displays your resources and identifies where attention is required or issues may exist.
What triggers a security alert?
Azure Security Center automatically collects, analyzes, and fuses log data from your Azure resources, the network, and partner solutions like antimalware and firewalls. When threats are detected, a security alert is created. Examples include detection of:
- Compromised virtual machines communicating with known malicious IP addresses
- Advanced malware detected using Windows error reporting
- Brute force attacks against virtual machines
- Security alerts from integrated partner security solutions such as Anti-Malware or Web Application Firewalls
What's the difference between threats detected and alerted on by Microsoft Security Response Center versus Azure Security Center?
The Microsoft Security Response Center (MSRC) performs select security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third parties. When MSRC becomes aware that customer data has been accessed by an unlawful or unauthorized party or that the customer’s use of Azure does not comply with the terms for Acceptable Use, a security incident manager notifies the customer. Notification typically occurs by sending an email to the security contacts specified in Azure Security Center or the Azure subscription owner if a security contact is not specified.
Security Center is an Azure service that continuously monitors the customer’s Azure environment and applies analytics to automatically detect a wide range of potentially malicious activity. These detections are surfaced as security alerts in the Security Center dashboard.
Which Azure resources are monitored by Azure Security Center?
Azure Security Center monitors the following Azure resources:
- Virtual machines (VMs) (including Cloud Services)
- Azure Virtual Networks
- Azure SQL service
- Partner solutions integrated with your Azure subscription such as a web application firewall on VMs and on App Service Environment
What types of virtual machines are supported?
Security health monitoring and recommendations are available for virtual machines (VMs) created using both the classic and Resource Manager deployment models.
Supported Windows VMs:
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Supported Linux VMs:
- Ubuntu versions 12.04, 14.04, 16.04, 16.10
- Debian versions 7, 8
- CentOS versions 6.*, 7.*
- Red Hat Enterprise Linux (RHEL) versions 6.*, 7.*
- SUSE Linux Enterprise Server (SLES) versions 11 SP4+, 12.*
- Oracle Linux versions 6.*, 7.*
VMs running in a cloud service are also supported. Only cloud services web and worker roles running in production slots are monitored. To learn more about cloud service, see Cloud Services overview.
Why doesn't Azure Security Center recognize the antimalware solution running on my Azure VM?
Azure Security Center only has visibility into antimalware installed through Azure extensions. For example, Security Center is not able to detect antimalware that was pre-installed on an image you provided or if you installed antimalware on your virtual machines using your own processes (such as configuration management systems).
Why do I get the message "Missing Scan Data" for my VM?
It can take some time (less than an hour) for scan data to populate after Data Collection is enabled in Azure Security Center. Scans do not populate for VMs in a stopped state.
Why do I get the message "VM Agent is Missing?"
The VM Agent must be installed on VMs to enable Data Collection. The VM Agent is installed by default for VMs that are deployed from the Azure Marketplace. For information on how to install the VM Agent on other VMs, see the blog post VM Agent and Extensions.