Integrate security solutions in Azure Security Center

This document helps you to manage security solutions already connected to Azure Security Center and add new ones.

Note

A subset of security solutions will be retired on July 31st, 2019. For more information and alternative services, see Retirement of Security Center features (July 2019).

Integrated Azure security solutions

Security Center makes it easy to enable integrated security solutions in Azure. Benefits include:

  • Simplified deployment: Security Center offers streamlined provisioning of integrated partner solutions. For solutions like antimalware and vulnerability assessment, Security Center can provision the needed agent on your virtual machines, and for firewall appliances, Security Center can take care of much of the network configuration required.
  • Integrated detections: Security events from partner solutions are automatically collected, aggregated, and displayed as part of Security Center alerts and incidents. These events also are fused with detections from other sources to provide advanced threat-detection capabilities.
  • Unified health monitoring and management: Customers can use integrated health events to monitor all partner solutions at a glance. Basic management is available, with easy access to advanced setup by using the partner solution.

Currently, integrated security solutions include:

Note

Security Center does not install the Microsoft Monitoring Agent on partner virtual appliances because most security vendors prohibit external agents running on their appliance.

How security solutions are integrated

Azure security solutions that are deployed from Security Center are automatically connected. You can also connect other security data sources, including:

  • Azure AD Identity Protection
  • Computers running on-premises or in other clouds
  • Security solutions that support the Common Event Format (CEF)
  • Microsoft Advanced Threat Analytics

Partner solutions integration

Manage integrated Azure security solutions and other data sources

  1. Sign in to the Azure portal.

  2. On the Microsoft Azure menu, select Security Center. Security Center - Overview opens.

  3. Under the Security Center menu, select Security solutions.

    Security Center Overview

Under Security solutions, you can view information about the health of integrated Azure security solutions and perform basic management tasks. You can also connect other types of security data sources, such as Azure Active Directory Identity Protection alerts and firewall logs in Common Event Format (CEF).

Connected solutions

The Connected solutions section includes security solutions that are currently connected to Security Center and information about the health status of each solution.

Connected solutions

The status of a partner solution can be:

  • Healthy (green) - there is no health issue.
  • Unhealthy (red) - there is a health issue that requires immediate attention.
  • Health issues (orange) - the solution has stopped reporting its health.
  • Not reported (gray) - the solution has not reported anything yet. A solution's status may be unreported if it has recently been connected and is still deploying, or if no health data is available.

Note

If health status data is not available, Security Center shows the date and time of the last event received to indicate whether the solution is reporting or not. If no health data is available and no alerts are received within the last 14 days, Security Center indicates that the solution is unhealthy or not reporting.

  1. Select VIEW for additional information and options, which include:

    • Solution console. Opens the management experience for this solution.
    • Link VM. Opens the Link Applications blade. Here you can connect resources to the partner solution.
    • Delete solution.
    • Configure.

    Partner solution detail

Discovered solutions

Security Center automatically discovers security solutions that are running in Azure but are not connected to Security Center, and displays them in the Discovered solutions section. This includes Azure solutions, such as Azure AD Identity Protection, as well as partner solutions.

Note

The Standard tier of Security Center is required at the subscription level for the discovered solutions feature. See Pricing to learn more about Security Center's pricing tiers.

Select CONNECT under a solution to integrate with Security Center and be notified on security alerts.

Discovered solutions

Security Center also discovers solutions deployed in the subscription that are able to forward Common Event Format (CEF) logs. Learn how to connect a security solution that uses CEF logs to Security Center.

Add data sources

The Add data sources section includes other available data sources that can be connected. For instructions on adding data from any of these sources, click ADD.

Data sources

Connect external solutions

In addition to collecting security data from your computers, you can integrate security data from a variety of other security solutions, including any that support Common Event Format (CEF). CEF is an industry standard format on top of Syslog messages, used by many security vendors to allow event integration among different platforms.

This quickstart shows you how to:

  • Connect a security solution to Security Center using CEF Logs
  • Validate the connection with the security solution

Prerequisites

To get started with Security Center, you must have a subscription to Microsoft Azure. If you do not have a subscription, you can sign up for a free account.

To step through this quickstart, you must be on Security Center’s Standard pricing tier. You can try Security Center Standard at no cost. The quickstart Onboard your Azure subscription to Security Center Standard walks you through how to upgrade to Standard. To learn more, see the pricing page.

You also need a Linux machine, with a Syslog service, that is already connected to your Security Center.

Connect solution using CEF

  1. Sign into the Azure portal.

  2. On the Microsoft Azure menu, select Security Center. Security Center - Overview opens.

    Select security center

  3. Under the Security Center main menu, select Security Solutions.

  4. In the Security Solutions page, under Add data sources (3), click Add under Common Event Format.

    Add data source

  5. In the Common Event Format Logs page, expand the second step, Configure Syslog forwarding to send the required logs to the agent on UDP port 25226, and follow the instructions below on your Linux computer:

    Configure syslog

  6. Expand the third step, Place the agent configuration file on the agent computer, and follow the instructions below on your Linux computer:

    Agent configuration

  7. Expand the fourth step, Restart the syslog daemon and the agent, and follow the instructions below on your Linux computer:

    Restart the syslog

Validate the connection

Before you proceed to the steps below, you will need to wait until syslog events start reaching Security Center. This can take some time, and it will vary according to the size of the environment.

  1. In the left pane of the Security Center dashboard, click Search.
  2. Select the workspace that the Syslog (Linux Machine) is connected to.
  3. Type CommonSecurityLog and click the Search button.

The following example shows the result of these steps: CommonSecurityLog
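The CEF payload that the agent receives on UDP port 25226 is a pipe-delimited header followed by key=value extensions, wrapped in a syslog envelope. The following is an added example, not code from the Security Center documentation: it parses such a line into the header fields and extensions that CommonSecurityLog exposes, handling the `\|` and `\=` escapes that CEF defines, and can send a constructed test event to the local agent port so you can confirm it appears in the CommonSecurityLog search. The vendor, host and addresses in SAMPLE_EVENT are made up.

```python
import re
import socket
# Added example, not code from the Security Center docs: parse a CEF-over-syslog line into the
# header fields and extensions that become CommonSecurityLog columns, and send a constructed
# test event to the agent port the quickstart configures (UDP 25226).
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")  # an unescaped 'key=' at a token boundary
SAMPLE_EVENT = ("<134>Jan 12 10:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection blocked|5|"
                "src=10.0.0.5 dst=10.0.0.9 spt=4444 dpt=22 msg=policy\\=deny reason=port 22 closed")  # constructed

def _split_header(body):
    """Split the 7 pipe-delimited header fields; an escaped '\\|' is data, not a delimiter."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped character: keep it literally
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) == 6 and cur:               # producer omitted the '|' after severity
        fields.append("".join(cur))
    if len(fields) != 7:
        raise ValueError("CEF header must contain 7 pipe-delimited fields")
    return fields, body[i:]

def _unescape(value):
    return re.sub(r"\\(.)", lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)), value)

def parse_extensions(ext):
    """'k=v k2=two words' -> dict; values keep spaces and '\\=' is a literal '='."""
    keys = list(_KEY_RE.finditer(ext))
    ends = [m.start() for m in keys[1:]] + [len(ext)]
    return {m.group(1): _unescape(ext[m.end():end]) for m, end in zip(keys, ends)}

def parse_cef_syslog(line):
    """Strip the syslog envelope (PRI, timestamp, host) and parse the CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("line carries no CEF payload")
    header, ext = _split_header(line[idx + 4:])
    rec = dict(zip(CEF_HEADER_FIELDS, header))
    rec["syslog_prefix"] = line[:idx].rstrip()
    rec["extensions"] = parse_extensions(ext)
    return rec

def send_test_event(target=("127.0.0.1", 25226), event=SAMPLE_EVENT):
    """Send the sample event to the agent's CEF port, then look for it in CommonSecurityLog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(event.encode("utf-8"), target)
```

Run `send_test_event()` on the Linux machine that hosts the agent, then repeat the CommonSecurityLog search above; the ExampleVendor event should appear once the forwarding path is working.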

Clean up resources

Other quickstarts and tutorials in this collection build upon this quickstart. If you plan to continue on to work with subsequent quickstarts and tutorials, continue running the Standard tier and keep automatic provisioning enabled. If you do not plan to continue or wish to return to the Free tier:

  1. Return to the Security Center main menu and select Security Policy.
  2. Select the subscription or policy that you want to return to Free. Security policy opens.
  3. Under POLICY COMPONENTS, select Pricing tier.
  4. Select Free to change subscription from Standard tier to Free tier.
  5. Select Save.

If you wish to disable automatic provisioning:

  1. Return to the Security Center main menu and select Security policy.
  2. Select the subscription for which you wish to disable automatic provisioning.
  3. Under Security policy – Data Collection, select Off under Onboarding to disable automatic provisioning.
  4. Select Save.

Note

Disabling automatic provisioning does not remove the Microsoft Monitoring Agent from Azure VMs where the agent has been provisioned. Disabling automatic provisioning limits security monitoring for your resources.

Exporting data to a SIEM

Processed events produced by Azure Security Center are published to the Azure Activity log, one of the log types available through Azure Monitor. Azure Monitor offers a consolidated pipeline for routing any of your monitoring data into a SIEM tool. This is done by streaming that data to an Event Hub where it can then be pulled into a partner tool.

This pipeline uses the single Azure Monitor pipeline for access to the monitoring data from your Azure environment, so you can easily set up SIEMs and monitoring tools to consume the data.

The next sections describe how you can configure data to be streamed to an event hub. The steps assume that you already have Azure Security Center configured in your Azure subscription.

High-level overview


What is the Azure security data exposed to SIEM?

In this version we expose the security alerts. In upcoming releases, we will enrich the data set with security recommendations.

How to setup the pipeline

Create an Event Hub

Before you begin, you need to create an Event Hubs namespace. This namespace and Event Hub are the destination for all your monitoring data.

Stream the Azure Activity Log to Event Hubs

See the article Stream the Azure Activity Log to Event Hubs.

Install a partner SIEM connector

Routing your monitoring data to an Event Hub with Azure Monitor enables you to easily integrate with partner SIEM and monitoring tools.

Refer to the following link to see the list of supported SIEMs.

Example for Querying data

Here are a couple of Splunk queries that you can use to pull alert data:

  • All Alerts: index=main Microsoft.Security/locations/alerts
  • Summarize count of operations by their name: index=main sourcetype="amal:security" | table operationName | stats count by operationName
  • Get Alerts info (Time, Name, State, ID, and Subscription): index=main Microsoft.Security/locations/alerts | table _time, properties.eventName, State, properties.operationId, am_subscriptionId

Next steps

In this article, you learned how to integrate partner solutions in Security Center. To learn more about Security Center, see the following articles: