SecASC - M02 - Azure Security Center Setup and Configuration


© 2021 Microsoft Corporation. All rights reserved.

Agenda
• Architecture
• Prerequisites
• Azure Lighthouse
• Log Analytics Workspace
• Log Analytics Pricing
• Azure Security Center Overview
• Onboarding Azure Security Center
• Azure Arc
• Enable Azure Defender
• Data Collection
• Onboard Azure Stack to Azure Security Center
• Onboard Windows Admin Center to Azure Security Center
• Connect your AWS and GCP accounts to Azure Security Center
• Azure Defender Pricing
Security Center Architecture

[Architecture diagram; only its labels are recoverable here]
Data sources: NetFlow, SQL DB and Storage Logs, Windows Events, Syslog, CEF, Configurations, IP Geotagging, …
Outputs: Security Dashboards (threat detections and prescriptive recommendations that deliver rapid insights into security state across all workloads); Actionable Security Recommendations; Curated, Prioritized Security Alerts; Investigation Tools and Log Search; Export to Excel and Power BI; REST APIs, Automation, Notifications
Security Center Onboarding Permissions
Permissions Required for Onboarding

Subscription
• In the Azure portal, select the subscription, Access Control (IAM) then search for your name
• Verify you are assigned the Contributor role at the subscription level

Log Analytics workspace


• In the Azure portal, select the Log Analytics workspace that will be used for Security Center, Access
Control (IAM) then search for your name
• Verify you are assigned the Log Analytics Contributor role
Security Center Roles and Permissions
| Action | Security Reader / Reader | Security Admin | Resource Group Owner / Resource Group Contributor | Subscription Contributor | Subscription Owner |
|---|---|---|---|---|---|
| Edit security policy | - | ✔ | - | - | ✔ |
| Add/assign initiatives (including regulatory compliance standards) | - | - | - | - | ✔ |
| Enable / disable Azure Defender (change subscription pricing tier) | - | ✔ | - | - | ✔ |
| Enable / disable auto-provisioning | - | ✔ | ✔ | - | ✔ |
| Apply security recommendations for a resource (and use Quick Fix!) | - | - | ✔ | ✔ | ✔ |
| Dismiss alerts | - | ✔ | - | ✔ | ✔ |
| View alerts and recommendations | ✔ | ✔ | ✔ | ✔ | ✔ |


Security Center Roles and Permissions
Security roles and access controls

Jeff (Workload Owner)
• Resource Group Owner/Contributor

David (IT Security)
• Subscription Owner/Contributor or Security Admin

Judy (Security Operations)
• Subscription Reader or Security Reader to view Alerts
• Subscription Owner/Contributor or Security Admin required to dismiss Alerts

Sam (Security Analyst)
• Subscription Reader to view Alerts
• Subscription Owner/Contributor required to dismiss Alerts

Only subscription Owners/Contributors and Security Admins can edit a security policy.
Only subscription and resource group Owners and Contributors can apply security recommendations for a resource.
Azure Lighthouse

What is Azure Lighthouse?


• Azure Lighthouse provides the ability for customers to manage resources across multiple tenants and helps
streamline customer engagement and manageability

• Manage resources securely within your own tenant, without having to switch users when accessing other tenants

• Azure Lighthouse can enhance your cross-tenant management experience in these scenarios:
  • Azure Arc
  • Azure Automation
  • Azure Backup
  • Azure Cost Management + Billing
  • Azure Kubernetes Service (AKS)
  • Azure Monitor
  • Azure Networking
  • Azure Policy
  • Azure Resource Graph
  • Azure Security Center
  • Azure Sentinel
  • Azure Service Health
  • Azure Site Recovery
  • Azure Virtual Machines
Azure Lighthouse
Azure Lighthouse supported features for Azure Security Center
• Once role assignments are defined and the subscription is onboarded to Azure delegated resource management, you will have the following capabilities in Azure Security Center:
Cross-tenant visibility
• Monitor compliance to security policies and ensure security coverage across all tenants’ resources
• Continuous regulatory compliance monitoring across multiple customers in a single view
• Monitor, triage, and prioritize actionable security recommendations with Secure Score calculation
Cross-tenant security posture management
• Manage security policies
• Take action on resources that are out of compliance with actionable security recommendations
• Collect and store security-related data
Cross-tenant threat detection and protection
• Detect threats across tenants’ resources
• Apply advanced threat protection controls such as just-in-time (JIT) VM access
• Harden network security group configuration with Adaptive Network Hardening
• Ensure servers are running only the applications and processes they should be with adaptive application controls
• Monitor changes to important files and registry entries with File Integrity Monitoring (FIM)
Log Analytics Workspace

Log Analytics workspace

• A workspace is an Azure resource that serves as a container for data. You or other members of your
organization might use multiple workspaces to manage different sets of data collected from all or
portions of your IT infrastructure

• Data collected from the Log Analytics agent will stream events into either an existing Log Analytics
workspace associated with your Azure subscription or a new workspace, depending on the
Geographic location of the VM

• By default, Azure Security Center will create a separate workspace in each subscription where it is
enabled.
• If you have multiple subscriptions or need to follow a different policy, you can override this
behavior and deploy centralized workspaces per region
Log Analytics Workspace

Why Multiple Workspaces?

Reasons to use multiple workspaces:


• Use of multiple Azure tenants
• Multi-region
• For compliance and sovereignty reasons
• To reduce networking costs

Reasons to avoid multiple workspaces:


• Separate billing
• Fine grained retention settings
• Fine grained access control
• Legacy architecture
Log Analytics Workspace

Log Analytics workspace

Requirements

• A Log Analytics workspace is required for Security Center

• You can use an existing Log Analytics workspace, create a new one, or let Security Center create
one for you

• Important: If you are planning to use Sentinel in the future be advised it cannot use the
DefaultWorkspace-ba398710… that is created by Azure Security Center
Log Analytics Workspace
Best practices for an optimal Log Analytics workspace design
1. Use as few Log Analytics workspaces as possible, consolidate as much as you can into a “central” workspace

2. Minimize bandwidth costs by creating “regional” workspaces, so that the sending Azure resource is in the same Azure region as
your workspace

3. Explore Log Analytics RBAC options like resource-centric and table level access controls before creating a workspace based on your
RBAC requirements

4. Consider table level retention when you need different retention settings for different types of data

5. Use ARM templates to deploy your Virtual Machines, including the deployment and configuration of the Log Analytics VM
extension. Ensure alignment with Azure Policy assignments to avoid conflicts

6. Use Azure Policy to enforce installation and configuration for the Log Analytics VM extension. Ensure alignment with your DevOps
team if using ARM templates

7. Avoid multi-homing, as it can have undesired outcomes and costs. Strive to resolve by applying proper RBAC

8. Be selective in installing Azure monitoring Solutions to control ingestion costs


Log Analytics Workspace

Create Log Analytics workspace


• In the Azure portal, click All services. In the list of resources, type Log Analytics. As you
begin typing, the list filters based on your input. Select Log Analytics workspaces.
Log Analytics Workspace

Create Log Analytics Workspace


• Verify the region to create the Log
Analytics workspace in is the right
geographical location
Log Analytics Workspace

Create Log Analytics Workspace


• Default pricing for Log Analytics is a Pay-As-You-Go model based on data volume ingested and, optionally, on longer data retention

• You can change from the Pay-As-You-Go model to the Capacity Reservations model

• Each Log Analytics workspace is charged as a separate service and contributes to the bill for your Azure subscription
Log Analytics Workspace

Create Log Analytics Workspace


• Use tags to organize your resources. For example, you can apply the name "Environment" and the value "Production" to all the resources in production

• Organizing cloud-based resources is a crucial task for IT unless you only have simple deployments. Use naming and tagging standards to organize your resources for these reasons:

• Resource management
• Cost management and optimization
• Operations management
• Security
• Governance and regulatory compliance
• Automation
• Workload optimization
Log Analytics Workspace

Create Log Analytics Workspace


• Once validation has passed, select Create
Log Analytics Pricing

Log Analytics
For Azure Monitor Log Analytics, you pay for data ingestion and data retention

Data Ingestion
There are two ways to pay for ingesting data into the Azure Monitor Log Analytics service:

• Capacity Reservations – fixed price per day with a discount; data ingested beyond the reserved capacity is charged at Pay-As-You-Go rates

• Pay-As-You-Go – per gigabyte (GB)


Log Analytics Pricing
Capacity Reservations
With Capacity Reservations you are billed a fixed, predictable fee based on your selected capacity reservation for ingesting data. Capacity Reservations provide a discount (up to 25%) on data ingestion compared to Pay-As-You-Go pricing, based on the selected capacity reservation. You have the flexibility to opt out of the capacity tier any time after the first 31 days of commitment.

| Capacity | Price | Discount over Pay-As-You-Go |
|---|---|---|
| 100 GB per day | $219.52 per day | 15% |
| 200 GB per day | $412.16 per day | 20% |
| 300 GB per day | $604.80 per day | 22% |
| 400 GB per day | $788.48 per day | 23% |
| 500 GB per day | $968.80 per day | 25% |
| More than 500 GB per day | $968.80 per day + $193.76 per day for each 100 GB increment after 500 GB in daily capacity | 25% |

If the amount of data ingested into your workspace exceeds the selected daily Capacity Reservation, the additional data is charged at Pay-As-You-Go rates.
Log Analytics Pricing
Pay-As-You-Go
With Pay-As-You-Go pricing, you are billed per gigabyte (GB) of data ingested into the Log Analytics workspace.

| Feature | Free units included | Price |
|---|---|---|
| Data Ingestion | 5 GB per billing account per month | $2.76 per GB |

Data Retention
Every GB of data ingested into your Azure Monitor Log Analytics workspace can be retained at no charge for up to the first 31 days. Data retained beyond the first 31 days is charged per the data retention prices.

| Feature | Free units included | Price |
|---|---|---|
| Data Retention | 31 days* | $0.12 per GB per month |

*For Azure Sentinel enabled workspaces the data is retained for free for 90 days
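The two ingestion models above can be compared with a small calculator. This is an added example, not part of the module, using only the list prices quoted on these slides; the function name and the 160 GB/day sample input are constructed for illustration.

```powershell
# Added example, not the module's code: daily ingestion cost of each pricing
# option for a given volume, using the list prices quoted on these slides.
function Get-LogAnalyticsIngestionCost {
    param(
        [Parameter(Mandatory)] [double] $DailyGB,   # observed or forecast GB/day
        [double] $PayAsYouGoRate = 2.76,            # $ per GB
        [hashtable] $TierPrice = @{ 100 = 219.52; 200 = 412.16; 300 = 604.80; 400 = 788.48; 500 = 968.80 },  # $ per day
        [double] $IncrementPrice = 193.76           # $ per day per 100 GB above 500
    )
    $options = @(
        [pscustomobject]@{ Option = 'Pay-As-You-Go'; DailyCost = [math]::Round($DailyGB * $PayAsYouGoRate, 2); OverageGB = $DailyGB }
    )

    # Fixed tiers up to 500 GB/day, then 100 GB increments up to the volume rounded up
    $levels = @($TierPrice.Keys | Sort-Object)
    $top = [int][math]::Max(500, [math]::Ceiling($DailyGB / 100) * 100)
    for ($lvl = 600; $lvl -le $top; $lvl += 100) { $levels += $lvl }

    foreach ($lvl in $levels) {
        $base = if ($lvl -le 500) { $TierPrice[[int]$lvl] }
                else { $TierPrice[500] + (($lvl - 500) / 100) * $IncrementPrice }
        # Data above the reserved capacity is billed at the Pay-As-You-Go rate
        $overageGB = [math]::Max(0, $DailyGB - $lvl)
        $options += [pscustomobject]@{
            Option    = "Reservation $lvl GB/day"
            DailyCost = [math]::Round($base + $overageGB * $PayAsYouGoRate, 2)
            OverageGB = $overageGB
        }
    }
    $options | Sort-Object DailyCost
}

# A workspace ingesting 160 GB/day: the 100 GB reservation plus 60 GB of overage
# is cheaper than both the 200 GB reservation and pure Pay-As-You-Go
Get-LogAnalyticsIngestionCost -DailyGB 160 | Format-Table -AutoSize
```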
Log Analytics Pricing Tier

Changing the Pricing Tier


• Pricing is per Log Analytics workspace

• Select the workspace you want to change and set the pricing model to either:
  • Capacity Reservations
  • Pay-As-You-Go
Log Analytics Workspace
Log Analytics Data Retention
• By default, Log Analytics stores data for 31 days; retention can be set to a maximum of 730 days
• You can adjust data retention based on your business needs
• Data retention can also be set for different data types in your workspace, for example the SecurityEvent table
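An added example (not from the module) of the workspace slides above done with Az PowerShell: create a tagged regional workspace, switch its pricing tier, raise retention, and set a table-level retention for SecurityEvent. Resource names, region and the Az.OperationalInsights 2.x parameter -SkuCapacity are assumptions; the table retention step uses the documented workspace Tables REST endpoint because there is no cmdlet for it.

```powershell
# Added example, not the module's code. Requires Az.Accounts and
# Az.OperationalInsights (2.x or later) after Connect-AzAccount.
$ResourceGroup = 'rg-security-weu'    # placeholder
$WorkspaceName = 'law-security-weu'   # placeholder: one "central" workspace per region
$Location      = 'westeurope'         # same region as the resources that send to it

# Tags serve the cost, operations, security and governance goals on the slides
$Tags = @{ Environment = 'Production'; Owner = 'SecOps'; CostCenter = 'CC-0000' }  # placeholders

# 1. Create the workspace on Pay-As-You-Go (PerGB2018) with the default 31-day retention
New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
    -Location $Location -Sku 'PerGB2018' -RetentionInDays 31 -Tag $Tags | Out-Null

# 2. Later, when daily ingestion justifies it, move to a Capacity Reservation.
#    Assumption: -SkuCapacity is the GB/day level (100, 200, ...) in Az.OperationalInsights 2.x
Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
    -Sku 'CapacityReservation' -SkuCapacity 100 | Out-Null

# 3. Workspace-wide retention (31..730 days); days beyond 31 are billed per GB per month
Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName `
    -RetentionInDays 90 | Out-Null

# 4. Table-level retention for SecurityEvent only. There is no cmdlet; this is the
#    workspace Tables REST endpoint called through Invoke-AzRestMethod.
$sub  = (Get-AzContext).Subscription.Id
$path = "/subscriptions/$sub/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights" +
        "/workspaces/$WorkspaceName/Tables/SecurityEvent?api-version=2017-04-26-preview"
$body = @{ properties = @{ retentionInDays = 365 } } | ConvertTo-Json -Depth 3
$resp = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
if ($resp.StatusCode -ne 200) { throw "Table retention update failed: $($resp.Content)" }

# 5. Read back what was applied
Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName |
    Select-Object Name, Location, Sku, RetentionInDays
```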
Log Analytics Workspace
Connecting Log Analytics agent to
your Log Analytics workspace
• You can disconnect a virtual machine from one Log Analytics workspace and connect it to a new one

• From within your destination Log Analytics workspace, simply Disconnect the VM from its current workspace and Connect it to the new workspace

• Once the virtual machine is disconnected you will have the option to Connect it to your new Log Analytics workspace

• When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace

• Security Center does not override existing connections to user workspaces
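The Disconnect/Connect sequence described above, as an added example that is not part of the module, for an agent that was installed manually (an extension-deployed agent keeps the single workspace its extension settings define). The workspace IDs and key are placeholders; AgentConfigManager.MgmtSvcCfg is the agent's own COM configuration interface.

```powershell
# Added example, not the module's code. Run elevated on the agent machine;
# the IDs and key are placeholders (the key comes from Agents management in the portal).
$OldWorkspaceId  = '00000000-0000-0000-0000-000000000000'   # placeholder: e.g. a DefaultWorkspace-...
$NewWorkspaceId  = '11111111-1111-1111-1111-111111111111'   # placeholder: your central workspace
$NewWorkspaceKey = '<primary-key-of-new-workspace>'         # placeholder, handle as a secret

# The agent's configuration interface (Microsoft Monitoring Agent / Log Analytics agent)
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

# What the agent reports to now; a wizard-installed agent may list several workspaces
$mma.GetCloudWorkspaces() |
    ForEach-Object { '{0}  status={1}' -f $_.workspaceId, $_.ConnectionStatusText }

# Disconnect: drop the old workspace if the agent is still bound to it
if ($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $OldWorkspaceId }) {
    $mma.RemoveCloudWorkspace($OldWorkspaceId)
}

# Connect: bind to the new workspace (ID + shared key) unless already present
if (-not ($mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $NewWorkspaceId })) {
    $mma.AddCloudWorkspace($NewWorkspaceId, $NewWorkspaceKey)
}

# Apply without restarting the service, then confirm the new binding
$mma.ReloadConfiguration()
$mma.GetCloudWorkspace($NewWorkspaceId) | Select-Object workspaceId, ConnectionStatusText
```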
Log Analytics Workspace

Manual Agent Install from Log Analytics workspace


• The Settings section of your Log Analytics workspace provides the option to download the agent

• The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises

• If the agents can't communicate directly with your Log Analytics workspace, you can install a Log Analytics Gateway
  • The agents can then send their telemetry via the Log Analytics Gateway
  • The Log Analytics Gateway will be the single source that communicates with your Log Analytics workspace
Onboarding Log Analytics Agents

[Diagram: Onboarding VMs and Computers; only its labels are recoverable here]
Log Analytics Agent (Auto Provisioning); Log Analytics Agent (Manual Deployment); Log Analytics Agent (Manual Deployment)
Onboarding Log Analytics Agents
Note: The Azure Log Analytics agent was previously referred to as the Microsoft Monitoring Agent
(MMA) or OMS Linux agent

The agent may be installed by using one of the following methods. Most installations use a combination
of these methods.
• Automatically, via Auto Provisioning in Azure Security Center (ASC). This enables the automatic
installation of the Azure Log Analytics agent on all the VMs in your subscription. If enabled, any new
or existing VM without an installed agent will be provisioned.

• Manual installation - setup is run manually on the computer using the setup wizard, from the
command line, or deployed using any existing software distribution tool

• Azure Automation Desired State Configuration (DSC). Using DSC in Azure Automation with a
script for Windows computers already deployed in your environment

• PowerShell script

• Azure Resource Manager template for VMs running Windows on-premises in Azure Stack
Azure Security Center Overview
Azure Security Center
The overview provides a unified
view into the security posture of
your hybrid cloud workloads
from security alerts, coverage
information and more.

• Secure score
• Compliance
• Azure Defender
• Inventory
• Insights
• Subscriptions
• What’s new
• High-level number
Onboarding Azure Security Center
Azure Security Center Getting Started
• The Getting started page provides a single-click option to upgrade a subscription, a workspace, or both

• Enabling auto provisioning is strongly recommended. This allows Azure Security Center to automatically install the Log Analytics agent on all supported machines and on any new ones that are created

• Use the Install Agents page to identify the subscriptions that do not have auto provisioning enabled
Onboarding Azure Security Center

Adding non-Azure machines
• Use the Getting started page in Security Center to add your non-Azure machines
• Use the Inventory page in Security Center to add your non-Azure machines
• Use Azure Arc to add your non-Azure machines

You can add non-Azure computers in the following ways:
• Using Azure Arc
• From Security Center's pages in the Azure portal:
  • Getting started
  • Inventory
• From the Log Analytics workspace, under the Agents management page

Azure Arc

What is Azure Arc?

• Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform

• Azure Arc enables you to manage your entire environment, with a single pane of glass, by projecting your existing resources into Azure Resource Manager

• You can now manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure

• Regardless of where they live, you can use familiar Azure services and management capabilities

• Azure Arc enables you to continue using traditional ITOps, while introducing DevOps practices to support new cloud native patterns in your environment
Onboarding Azure Security Center

Manual Agent Install

• When installing the Log Analytics agent manually, choose the Connect the agent to Azure Log Analytics option
Onboarding Azure Security Center

Manual Agent Install

• Enter your Workspace ID and Workspace Key

• Select your Azure Cloud

• If the computer needs to communicate through a proxy server to the Log Analytics service, select Advanced and provide the URL and port number of the proxy server.
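An added example (not part of the module) that passes the same values, Workspace ID, Workspace Key, Azure cloud and proxy, to the Windows agent installer unattended instead of through the wizard. The installer path, ID, key and proxy URL are placeholders.

```powershell
# Added example, not the module's code. Run elevated on the Windows server;
# installer path, workspace ID, key and proxy are placeholders.
$Installer    = 'C:\Temp\MMASetup-AMD64.exe'                  # downloaded from Agents management
$WorkspaceId  = '00000000-0000-0000-0000-000000000000'       # placeholder
$WorkspaceKey = '<primary-key-from-Agents-management-page>'  # placeholder, handle as a secret
$CloudType    = 0                                            # 0 = Azure commercial, 1 = Azure US Government
$ProxyUrl     = 'proxy.contoso.local:8080'                   # placeholder; set '' for direct connectivity

# MSI properties mirror the wizard pages: workspace ID/key, cloud, proxy (Advanced)
$msiProps = @(
    '/qn', 'NOAPM=1', 'ADD_OPINSIGHTS_WORKSPACE=1',
    "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=$CloudType",
    "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
    "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
    'AcceptEndUserLicenseAgreement=1'
)
if ($ProxyUrl) { $msiProps += "OPINSIGHTS_PROXY_URL=$ProxyUrl" }

# The self-extracting wrapper hands everything after /C: to setup.exe
$arguments = '/C:"setup.exe {0}"' -f ($msiProps -join ' ')
$proc = Start-Process -FilePath $Installer -ArgumentList $arguments -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Agent install failed, exit code $($proc.ExitCode)" }

# Confirm the agent is bound to the intended workspace
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspace($WorkspaceId) | Select-Object workspaceId, ConnectionStatusText
```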
Onboarding Azure Security Center

Turn On Azure Defender


Free option vs Azure Defender Enabled

Azure Defender OFF (Free)

• Security Center without Azure Defender is enabled for free on all your Azure subscriptions

• Free mode provides security policy, continuous security assessment, and actionable security recommendations to help you protect your Azure resources

You can enable Azure Defender for free for the first 30 days!
Onboarding Azure Security Center

Turn On Azure Defender


Free option vs Azure Defender Enabled

Azure Defender ON
• Enabling Azure Defender extends the capabilities
of the free mode to workloads running in private
and other public clouds, providing unified
security management and threat protection
across your hybrid cloud workloads.

Some of the major Azure Defender features:


• Hybrid security
• Threat protection alerts
• Vulnerability scanning for virtual machines and container registries
• Access and application controls
• Container security features
• Defender for container registries
AWS connector in Security Center brings a multi-cloud experience

Onboarding your AWS account into Security Center

Security Center integrates your Amazon Web Services (AWS) Security Hub with Azure Security Center, which provides visibility and protection across both cloud environments, including:

• Automatic agent provisioning (Security Center uses Azure Arc to deploy the Log Analytics agent to your AWS instances)
• Policy management
• Vulnerability management
• Embedded Endpoint Detection and Response (EDR)
• Detection of security misconfigurations
• A single view showing Security Center recommendations and AWS Security Hub findings
• Incorporation of your AWS resources into Security Center's secure score calculations
• Regulatory compliance assessments of your AWS resources
GCP connector in Security Center brings a multi-cloud experience

Onboarding your GCP account into Security Center

Security Center integrates your Google Cloud Platform (GCP) Security Command Center with Azure Security Center, which provides visibility and protection across both cloud environments, including:

• Detection of security misconfigurations
• A single view showing Security Center recommendations and GCP Security Command Center findings
• Incorporation of your GCP resources into Security Center's secure score calculations
• Integration of GCP Security Command Center recommendations based on the CIS standard into Security Center's regulatory compliance dashboard
Onboarding Azure Security Center

Turn On Azure Defender

• Azure Defender provides Extended Detection and Response (XDR) capabilities to protect multi-cloud and hybrid workloads, including virtual machines, databases, containers, IoT, and more

• Select the subscription you want to enable Azure Defender on
Onboarding Azure Security Center

Data Collection
• Selecting a Windows security event collection tier in Azure Security Center only affects the storage of security events in your Log Analytics workspace

• The Log Analytics agent will still collect and analyze the security events required for Azure Security Center's threat protection, regardless of which tier of security events you choose to store in your Log Analytics workspace

• Choosing to store security events in your workspace enables investigation, search, and auditing of those events in your workspace
Onboarding Azure Security Center

Data Collection
• Setting auto provisioning to Off doesn't remove the Log Analytics agent from Azure VMs where the agent
has already been provisioned
Onboarding Azure Security Center

Data Collection
• Why are the event sources grayed out?
  • The workspace you configured for Security Center needs to be upgraded

• How do you upgrade the workspace?
  • Go to Pricing & Settings, select the workspace and Enable Azure Defender

• Once the workspace is upgraded, select which Windows security events you want to collect
Onboarding Azure Security Center

What does Security Center collect?


The Log Analytics Agent reads various security-related configurations and events and copies the data to your
workspace.

Examples of data collected:

• Operating System type and version
• Operating System logs (Windows event logs, Security event logs)
• Missing updates
• Misconfigured OS security settings
• Endpoint protection status
• Health
• Threat Protection
• Running processes
• Machine name
• IP addresses
• Logged-in user
• Tenant ID
• Crash dump files
• ETW traces
Onboarding Azure Security Center

Log Analytics Agent Network Firewall Requirements


Security Center Workspace
What makes it Security Center?
• When you install Security Center on your Log Analytics workspace, the Security solution is deployed to that workspace

• Free tier – Security Center enables the 'SecurityCenterFree' solution on your workspace. You are not billed for the Free tier

• Azure Defender – Security Center enables the 'Security' solution on your workspace
Onboarding Azure Security Center

Email Notifications
• Enter an email distribution list that is used by your security team and organization
  • Separate the email addresses with commas
  • There is no limit to the number of email addresses that you can enter

• It's recommended to enable notifications for high severity alerts
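An added example (not from the module) scripting the onboarding steps from the preceding slides with Az.Security and Az.OperationalInsights: enable Azure Defender plans, turn on auto provisioning, point it at your own workspace, set the Windows security event tier, and register the alert e-mail contact. The subscription, workspace, e-mail and phone values are placeholders, and the dataSources REST call (resource name and api-version) is an assumption because there is no cmdlet for the event tier.

```powershell
# Added example, not the module's code. Requires Az.Accounts, Az.Security,
# Az.OperationalInsights and Connect-AzAccount with Subscription Owner rights.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-security-weu'                         # placeholder
$WorkspaceName  = 'law-security-weu'                        # placeholder
$WorkspaceId    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                  "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName"
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Turn On Azure Defender: 'Standard' is the Defender tier, 'Free' the free tier.
#    The 30-day free period starts when a plan is switched to Standard.
foreach ($plan in 'VirtualMachines', 'SqlServers', 'AppServices', 'StorageAccounts', 'KeyVaults') {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# 2. Auto provisioning: install the Log Analytics agent on existing and new VMs
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# 3. Send that data to your own workspace instead of a DefaultWorkspace-<id>
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$SubscriptionId" `
    -WorkspaceId $WorkspaceId | Out-Null

# 4. Windows security event tier stored in the workspace (None, Minimal, Common, All).
#    Assumption: data source name and api-version; the kind is the documented one.
$path = "$WorkspaceId/dataSources/SecurityEventCollectionConfiguration?api-version=2020-08-01"
$body = @{ kind = 'SecurityEventCollectionConfiguration'; properties = @{ tier = 'Common' } } |
        ConvertTo-Json -Depth 3
Invoke-AzRestMethod -Path $path -Method PUT -Payload $body | Out-Null

# 5. Email notifications: the security distribution list, alerts on
Set-AzSecurityContact -Name 'default1' -Email 'secops-dl@contoso.example' `
    -Phone '+1 555 0100' -AlertAdmin -NotifyOnAlert | Out-Null

# 6. Verify: plan tiers, and that the 'Security' solution (not only
#    'SecurityCenterFree') is now enabled on the workspace
Get-AzSecurityPricing | Select-Object Name, PricingTier
Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName |
    Where-Object { $_.Name -in @('Security', 'SecurityCenterFree') } |
    Select-Object Name, Enabled
```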
Onboarding Azure Security Center

Threat Detection
• Azure Security Center extends its Cloud Workload Protection Platform by integrating both
  • Microsoft Cloud App Security (MCAS)
  • Microsoft Defender for Endpoint

• Security Center detects unusual or potentially harmful operations in the Azure subscription environment; these detections are powered by MCAS

• Microsoft Defender for Endpoint brings Endpoint Detection and Response (EDR) capabilities to detect and respond to advanced attacks on server endpoints monitored by Azure Security Center
Onboarding Azure Security Center

Onboard your Azure Stack virtual machines to Security Center

• You don’t need to download the agent manually

• Just update the Configuration Management extension on your Azure Stack with the
workspace ID and Primary Key

• After you configure the agent extension on your Azure Stack VMs, it might take up to 1
hour for the VM to appear in the Security Center portal
Onboarding Windows Admin Center

Onboarding Windows Admin Center managed servers into Security Center


When a server is onboarded from Windows Admin Center to Azure Security Center, you can:
• View security alerts and recommendations inside the Security Center extension in Windows Admin Center
• Use Security Center from the Azure Portal (or via API) to view the security posture and retrieve additional
detailed information of your Windows Admin Center managed servers
Azure Security Center Pricing
Azure Defender Features List
| Feature | Azure Security Center Free tier | Azure Defender |
|---|---|---|
| Continuous assessment and security recommendations | ✔ | ✔ |
| Azure secure score | ✔ | ✔ |
| Just in time VM Access | - | ✔ |
| Adaptive application controls and network hardening | - | ✔ |
| Regulatory compliance dashboard and reports | - | ✔ |
| Threat protection for Azure VMs and non-Azure servers (including Server EDR) | - | ✔ |
| Threat protection for PaaS services | - | ✔ |
| Microsoft Defender for Endpoint (servers) | - | ✔ |

Azure Security Center Pricing
Pricing details
| Resource type | Price |
|---|---|
| Azure Defender for Servers | $0.02/Server/Hour |
| Azure Defender for App Service | $0.02/App Service/Hour |
| Azure Defender for SQL | $0.021/Server/Hour |
| Azure Defender for MySQL (Preview) | Free |
| Azure Defender for PostgreSQL (Preview) | Free |
| Azure Defender for Storage - Protect all storage accounts within a subscription | $0.02/10K transactions |
| Azure Defender for IoT - By device | $0.001/month |
| Azure Defender for IoT - By messages | $0.20/25K transactions |
| Azure Defender for Kubernetes | $0.00268/vCore/hour |
| Azure Defender for ACR | $0.29/image |
| Azure Defender for Key Vault | $0.02/10K transactions |

• Azure Defender is free for the first 30 days. When you enable Azure Defender, we automatically enroll and start protecting all your resources unless you explicitly decide to opt out

• For any resource that is protected by Azure Defender, you will be charged for that resource per the pricing model

• Any usage beyond 30 days will be automatically charged as per the pricing model

Pricing displayed is preview price. Price will change at GA. For details on ASC features by resource, please refer to the resource specific documentation
Azure Security Center currently protects Azure Blobs, Azure Files and Azure Data Lake Storage Gen2
This pricing applies only to IoT/OT devices managed via Azure IoT Hub, and does not apply to the new agentless monitoring capabilities from the CyberX acquisition, which will be entering public preview in October.
Hands On – Azure Security Center
Questions?
