Introduction to Azure Security Center

Learn about Azure Security Center, its key capabilities, and how it works.

Note

Beginning in early June 2017, Security Center will use the Microsoft Monitoring Agent to collect and store data. See Azure Security Center Platform Migration to learn more. The information in this article represents Security Center functionality after transition to the Microsoft Monitoring Agent.

What is Azure Security Center?

Security Center helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Key capabilities

Security Center delivers easy-to-use and effective threat prevention, detection, and response capabilities that are built in to Azure. Key capabilities are:

Stage | Capability
--- | ---
Prevent | Monitors the security state of your Azure resources
Prevent | Defines policies for your Azure subscriptions based on your company’s security requirements, the types of applications that you use, and the sensitivity of your data
Prevent | Uses policy-driven security recommendations to guide service owners through the process of implementing needed controls
Prevent | Rapidly deploys security services and appliances from Microsoft and partners
Detect | Automatically collects and analyzes security data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls
Detect | Uses global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds
Detect | Applies advanced analytics, including machine learning and behavioral analysis
Respond | Provides prioritized security incidents/alerts
Respond | Offers insights into the source of the attack and impacted resources
Respond | Suggests ways to stop the current attack and help prevent future attacks

Introductory walkthrough

Note

This document introduces the service by using an example deployment. This document is not a step-by-step guide.

You access Security Center from the Azure portal. Sign in to the portal. Under the main portal menu, scroll to the Security Center option or select the Security Center tile that you previously pinned to the portal dashboard.

Figure: Security tile in Azure portal

From Security Center, you can set security policies, monitor security configurations, and view security alerts.

Security policies

You can define policies for your Azure subscriptions according to your company's security requirements. You can also tailor them to the types of applications you're using or to the sensitivity of the data in each subscription. For example, resources used for development or testing may have different security requirements than those used for production applications. Likewise, applications with regulated data like PII may require a higher level of security.

Note

To modify a security policy, you must be a Security Administrator or the subscription's Owner or Contributor. To learn more about roles and allowed actions in Security Center, see Permissions in Azure Security Center.

On the Security Center blade, select the Policy tile for a list of your subscriptions and resource groups.

Figure: Security Center blade

On the Security policy blade, select a subscription to view the policy details.

The Data collection setting turns on data collection for a security policy. Enabling it provides:

  • Daily scanning of all supported virtual machines (VMs) for security monitoring and recommendations.
  • Collection of security events for analysis and threat detection.

Note

Data collection is configured at the subscription level.

Select Prevention policy to open the Prevention policy blade. The "Show recommendations for" setting lets you choose the security controls that you want to monitor and the recommendations that you want to see, based on the security needs of the resources within the subscription.

Security recommendations

Security Center analyzes the security state of your Azure resources to identify potential security vulnerabilities. A list of recommendations guides you through the process of configuring needed controls. Examples include:

  • Provisioning antimalware to help identify and remove malicious software
  • Configuring network security groups and rules to control traffic to VMs
  • Provisioning of web application firewalls to help defend against attacks that target your web applications
  • Deploying missing system updates
  • Addressing OS configurations that do not match the recommended baselines

Click the Recommendations tile for a list of recommendations. Click each recommendation to view additional information or to take action to resolve the issue.

Figure: Security recommendations in Azure Security Center

Security state of Azure resources

The Prevention section of the dashboard shows the overall security posture of the environment by resource type, including VMs, web applications, and other resources.

Select a resource type under Prevention to view more information, including a list of any potential security vulnerabilities that have been identified. (Compute is selected in the example below.)

Figure: Resources health tile

Security alerts

Security Center automatically collects, analyzes, and integrates log data from your Azure resources, the network, and partner solutions like antimalware programs and firewalls. When threats are detected, a security alert is created. Examples include detection of:

  • Compromised VMs communicating with known malicious IP addresses
  • Advanced malware detected by using Windows error reporting
  • Brute force attacks against VMs
  • Security alerts from integrated antimalware programs and firewalls

Clicking the Security alerts tile displays a list of prioritized alerts.

Figure: Security alerts

Selecting an alert shows more information about the attack and suggestions for how to remediate it.

Figure: Security alert details

Partner solutions

The Partner solutions tile lets you monitor at a glance the security state of your partner solutions integrated with your Azure subscription. Security Center displays alerts coming from the solutions.

Select the Partner solutions tile. A blade opens displaying a list of all connected partner solutions.

Figure: Partner solutions

Get started

To get started with Security Center, you need a subscription to Microsoft Azure. Security Center is enabled with your Azure subscription. If you do not have a subscription, you can sign up for a free trial.

You access Security Center from the Azure portal. See the portal documentation to learn more.

Getting started with Azure Security Center quickly guides you through the security-monitoring and policy-management components of Security Center.

Next steps

In this document, you were introduced to Security Center, its key capabilities, and how to get started. To learn more, see the following resources: