Retirement of Security Center features (July 2019)

We've made several improvements to Azure Security Center over the last six months. With these improved capabilities, we're removing some redundant features and related APIs from Security Center on July 31, 2019.

Most of these retiring features can be replaced with new functionality in Azure Security Center or Azure Log Analytics. Other features can be implemented using Azure Sentinel (preview).

Security Center features to be retired include:

This article provides detailed information for each retired feature and the steps you can take to implement replacement features.

Events dashboard

Security Center uses Microsoft Monitoring Agent to collect various security-related configurations and events from your machines. It stores these events in your workspaces. The events dashboard lets you view this data and gives you an entry point to Log Analytics.

We're retiring the events dashboard that appears when you select a workspace:

Events dashboard

Events dashboard - the new experience

We encourage you to use the native capabilities of Azure Log Analytics to view notable events on your workspaces.

If you've created custom notable events in Security Center, they'll be accessible. In Log Analytics, go to Select workspace > Saved Searches. Your data won't be lost or modified. Native notable events are also available from the same screen in Log Analytics.

Workspace saved searches

Search menu entry

Azure Security Center currently uses Azure Monitor logs search to retrieve and analyze your security data. This screen serves as a window to the Log Analytics search page, and enables users to run search queries on their selected workspace. For more information, see Azure Security Center search. We're retiring this search window:

Search page

Search menu entry - the new experience

We encourage you to use the Azure Log Analytics native capabilities to perform search queries on your workspaces. Go to Azure Log Analytics and select Logs.

Log Analytics logs page

Classic Identity & Access (Preview)

The Classic Identity & Access experience in Security Center currently shows a dashboard of identity and access information in Log Analytics. To view this dashboard:

  1. Select View classic Identity & Access.

    Identity page

  2. View the Identity & Access dashboard.

    Identity page - workspace selection

  3. Select a workspace to open the Identity & Access dashboard in Log Analytics to view identity and access information on your workspace.

    Identity page - dashboard

We're retiring all three screens shown in the preceding steps. Your data will remain available in the Log Analytics security solution and won't be modified or removed.

Classic Identity & Access (Preview) - the new experience

The Log Analytics dashboard has shown insights on a single workspace. However, native Security Center capabilities provide visibility into all subscriptions and all workspaces associated with them. You can access an easy-to-use view that lets you focus on what’s important, with recommendations ranked according to their secure score.

All the features of the Identity & Access dashboard in Log Analytics can be reached by selecting Identity & access (Preview) within Security Center.

Identity page - classic experience retirement

Security events map

Security Center provides you with a security alerts map to help identify security threats. The Go to security events map button in that map opens a dashboard that allows you to view raw security events on the selected workspace.

We're removing the Go to security events map button and the per-workspace dashboard.

Security alerts map - button

When you select the Go to security events map button, you open the threat intelligence dashboard. We're retiring the threat intelligence dashboard.

Threat intelligence dashboard

When you choose a workspace to view its threat intelligence dashboard, you open the security alerts map (preview) screen in Log Analytics. We're retiring this screen.

Security alerts map in Log Analytics

Your existing data will remain available in the Log Analytics security solution and won't be modified or removed.

Security events map - the new experience

We encourage you to use the alerts map functionality built into Security Center: Security alerts map (Preview). This functionality provides an optimized experience and works across all subscriptions and associated workspaces. It gives you a high-level view across your environment and isn't focused on a single workspace.

Custom alert rules (Preview)

We're retiring the custom alerts experience on June 30, 2019 because its underlying infrastructure is retiring. Until then, you can edit existing custom alert rules, but you aren't able to add new ones. We recommend that you enable Azure Sentinel to automatically migrate your existing alerts and create new ones. Alternatively, you can create your alerts with Azure Monitor log alerts.

To keep your existing alerts and migrate them to Azure Sentinel:

  1. Open Azure Sentinel and select the workspace where your custom alerts are stored.
  2. Select Analytics from the menu to automatically migrate your alerts.

Custom alerts

If you're not interested in transitioning to Azure Sentinel, we encourage you to create your alerts with Azure Monitor log alerts. For instructions, see Create, view, and manage log alerts by using Azure Monitor and Log alerts in Azure Monitor.

For more information on custom alerts retirement, see Custom Alert Rules in Azure Security Center (Preview).

Security alerts investigation

The Investigation feature in Security Center helps you triage a potential security incident. The feature allows you to understand the scope of an incident and track down its root cause. We're removing this feature from Security Center because it's been replaced with an improved experience in Azure Sentinel.

Security incident

When you select the Investigate button from a Security incident screen, you open the Investigation Dashboard (Preview) in Log Analytics. We're retiring the Investigation Dashboard.

Your existing data will remain available in the Log Analytics security solution and won't be modified or removed.

Investigation dashboard in Log Analytics

Investigation - the new experience

We encourage you to transition to Azure Sentinel for a rich investigation experience. Azure Sentinel provides powerful search and query tools to hunt for security threats across your organization’s data sources.

Subset of security solutions

Security Center can enable integrated security solutions in Azure. We're retiring the following partner solutions from Security Center. These solutions are enabled in Azure Sentinel along with a number of additional data sources.

After retirement, you won't be able to add or modify any of the solution types mentioned in the preceding list, either from the UI or the API.

If you have existing connected solutions, we encourage you to move to Azure Sentinel.

Security centers solutions

Edit security configurations for security policies

Azure Security Center monitors security configurations by applying a set of over 150 recommended rules for hardening the OS. These rules pertain to firewalls, auditing, password policies, and more. If a machine is found to have a vulnerable configuration, Security Center generates a security recommendation. The Edit security configuration screen allows customers to customize the default OS security configuration in Security Center.

We're retiring this preview feature. If, after the retirement date, you'd like to reset your security configurations back to their default values, you can do so via API or PowerShell using the following instructions.

Edit security configurations

Edit security configurations - the new experience

We intend to enable Security Center to support the Guest configuration agent. Such an update will allow a much richer feature set, including support for more operating systems and integration of Azure in-guest policies for guest configurations. After these changes are enabled, you'll also have the ability to control configurations at scale and apply them to new resources automatically.

Security and audit dashboard for Log Analytics workspaces

The security and audit dashboard was originally used in the OMS portal. In Log Analytics, the dashboard provides a per-workspace overview of notable security events and threats, a threat intelligence map, and an identity-and-access assessment of security events saved in the workspace. We're removing the dashboard. As we already recommended in the dashboard UI, we advise that you transition to Azure Security Center.

Log Analytics security dashboard

Security and audit dashboard - the new experience

We advise you to switch to Azure Security Center. It provides the same security overview across multiple subscriptions and the workspaces associated with them, plus a richer feature set.

You can get the original Log Analytics queries that populate the security and audit dashboard in the GitHub repository for Security Center.
