SecASC - M02 - Azure Security Center Setup and Configuration
Microsoft Confidential
Agenda
• Architecture
• Prerequisites
• Azure Lighthouse
• Log Analytics Workspace
• Log Analytics Pricing
• Azure Security Center Overview
• Onboarding Azure Security Center
• Azure Arc
• Enable Azure Defender
• Data Collection
• Onboard Azure Stack to Azure Security Center
• Onboard Windows Admin Center to Azure Security Center
• Connect your AWS and GCP accounts to Azure Security Center
• Azure Defender Pricing
Security Center Architecture (diagram)
Inputs collected by Security Center: Windows Events, Syslog, CEF, configurations, NetFlow, SQL DB and Storage logs, IP geotagging, …
Outputs delivered by Security Center:
• Security Dashboards – deliver rapid insights into security state across all workloads
• Threat detections and prescriptive, actionable security recommendations
• Curated, prioritized security alerts
• Investigation tools and log search
• Export to Excel and Power BI
Subscription permissions
• In the Azure portal, select the subscription, open Access Control (IAM) and search for your name
• Verify that you are assigned the Contributor role at the subscription level
• Subscription Reader is sufficient to view alerts
• Subscription Owner or Contributor is required to dismiss alerts
• Only subscription Owners/Contributors and Security Admins can edit a security policy
• Only subscription and resource group Owners and Contributors can apply security recommendations for a resource
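The following script is an added example, not part of the course deck: it reads the signed-in account's role assignments at subscription scope with Az PowerShell and maps them onto the Security Center actions listed above. It assumes the Az.Accounts and Az.Resources modules and an existing Connect-AzAccount session for a user account (Get-AzRoleAssignment -SignInName does not resolve service principals).

```powershell
# Added example (not from the course deck). Assumes Az.Accounts + Az.Resources
# and a Connect-AzAccount session for a user account.
$ctx   = Get-AzContext
$scope = "/subscriptions/$($ctx.Subscription.Id)"

# Assignments that apply at subscription scope (inherited management-group
# assignments are returned as well, so they count towards the checks below).
$assignments = Get-AzRoleAssignment -SignInName $ctx.Account.Id -Scope $scope
$roles = @($assignments.RoleDefinitionName | Sort-Object -Unique)
"Roles for $($ctx.Account.Id) at ${scope}: $($roles -join ', ')"

# Security Center actions as stated on the slide:
#   view alerts           - Reader or any higher role
#   dismiss alerts        - Owner / Contributor
#   edit security policy  - Owner / Contributor / Security Admin
#   apply recommendations - Owner / Contributor (subscription or resource group)
$isOwnerOrContributor = ($roles -contains 'Owner') -or ($roles -contains 'Contributor')
$isSecurityAdmin      = $roles -contains 'Security Admin'

[pscustomobject]@{
    ViewAlerts           = $roles.Count -gt 0
    DismissAlerts        = $isOwnerOrContributor
    EditSecurityPolicy   = $isOwnerOrContributor -or $isSecurityAdmin
    ApplyRecommendations = $isOwnerOrContributor
} | Format-List
```

Note that an assignment scoped to a single resource group does not appear here; it only grants the resource group level actions the slide mentions (applying recommendations for resources in that group), so check the resource group scope separately when a user reports they can see but not remediate a recommendation.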
Azure Lighthouse
• Manage resources securely within your own tenant, without having to switch users when accessing other tenants
• Azure Lighthouse can enhance your cross-tenant management experience in the scenarios listed under “Azure Lighthouse scenarios”
Log Analytics Workspace
• A workspace is an Azure resource that serves as a container for data. You or other members of your organization might use multiple workspaces to manage different sets of data collected from all or portions of your IT infrastructure
• Data collected by the Log Analytics agent streams into either an existing Log Analytics workspace associated with your Azure subscription or a new workspace, depending on the geographic location of the VM
• By default, Azure Security Center creates a separate workspace in each subscription where it is enabled
• If you have multiple subscriptions or need to follow a different policy, you can override this behavior and deploy centralized workspaces per region
Log Analytics Workspace
Requirements
• You can use an existing Log Analytics workspace, create a new one, or let Security Center create
one for you
• Important: if you plan to use Azure Sentinel in the future, be aware that it cannot use the DefaultWorkspace-ba398710… workspace that Azure Security Center creates
Log Analytics Workspace
Best practices for an optimal Log Analytics workspace design
1. Use as few Log Analytics workspaces as possible; consolidate as much as you can into a “central” workspace
2. Minimize bandwidth costs by creating “regional” workspaces, so that the sending Azure resource is in the same Azure region as your workspace
3. Explore Log Analytics RBAC options such as resource-centric and table level access controls before creating a workspace based on your RBAC requirements
4. Consider table level retention when you need different retention settings for different types of data
5. Use ARM templates to deploy your Virtual Machines, including the deployment and configuration of the Log Analytics VM extension. Ensure alignment with Azure Policy assignments to avoid conflicts
6. Use Azure Policy to enforce installation and configuration of the Log Analytics VM extension. Ensure alignment with your DevOps team if using ARM templates
7. Avoid multi-homing, as it can have undesired outcomes and costs. Strive to resolve by applying proper RBAC
Azure Lighthouse scenarios
• Resource management
• Cost management and optimization
• Operations management
• Security
• Governance and regulatory compliance
• Automation
• Workload optimization
Log Analytics Pricing
For Azure Monitor Log Analytics, you pay for data ingestion and data retention.
Data Ingestion
There are two ways to pay for ingesting data into the Azure Monitor Log Analytics service:
• Capacity Reservations – a fixed price per day for a selected daily capacity, at a discount compared with Pay-As-You-Go. If the amount of data ingested into your workspace exceeds the selected daily capacity reservation, the additional data is charged at Pay-As-You-Go rates.
• Pay-As-You-Go – you are billed per gigabyte (GB) of data ingested into the Log Analytics workspace.
Data Retention
Every GB of data ingested into your Azure Monitor Log Analytics workspace can be retained at no charge for the first 31 days. Data retained beyond the first 31 days is charged per the data retention prices.
*For Azure Sentinel enabled workspaces the data is retained for free for 90 days
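The billing rules above (reservation plus Pay-As-You-Go overage, a free retention window of 31 days or 90 days with Azure Sentinel) are easier to reason about as a small estimator. The function below is an added example and is not part of the deck; the rates are mandatory parameters because the deck does not state any prices, and the values in the sample call are made up for illustration, not Microsoft's price list. The retention term uses a steady-state simplification: the data older than the free window is the daily ingestion multiplied by the number of paid retention days.

```powershell
# Added example (not from the course deck). Rates must be supplied from the
# current price list; nothing here is a published price.
function Get-LogAnalyticsMonthlyEstimate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [double] $DailyIngestGB,       # average GB ingested per day
        [int]    $ReservationGBPerDay = 0,                     # 0 = Pay-As-You-Go only
        [int]    $RetentionDays = 31,                          # workspace retention setting
        [switch] $SentinelEnabled,                             # 90 free retention days instead of 31
        [Parameter(Mandatory)] [double] $PayAsYouGoPerGB,      # price per GB ingested
        [double] $ReservationPerDay = 0,                       # fixed daily price of the reservation
        [Parameter(Mandatory)] [double] $RetentionPerGBMonth,  # price per GB per month beyond the free window
        [int]    $DaysInMonth = 30
    )

    # Ingestion: the reservation covers the first ReservationGBPerDay each day;
    # anything above that is billed at the Pay-As-You-Go rate (slide rule).
    if ($ReservationGBPerDay -gt 0) {
        $overageGB = [Math]::Max(0.0, $DailyIngestGB - $ReservationGBPerDay)
        $ingestion = ($ReservationPerDay + $overageGB * $PayAsYouGoPerGB) * $DaysInMonth
    }
    else {
        $ingestion = $DailyIngestGB * $PayAsYouGoPerGB * $DaysInMonth
    }

    # Retention: only data older than the free window (31 days, 90 with Sentinel)
    # is charged. Steady-state simplification: DailyIngestGB * paid days of data.
    $freeDays  = if ($SentinelEnabled) { 90 } else { 31 }
    $paidDays  = [Math]::Max(0, $RetentionDays - $freeDays)
    $retention = $DailyIngestGB * $paidDays * $RetentionPerGBMonth

    [pscustomobject]@{
        FreeRetentionDays = $freeDays
        PaidRetentionDays = $paidDays
        IngestionUSD      = [Math]::Round($ingestion, 2)
        RetentionUSD      = [Math]::Round($retention, 2)
        TotalUSD          = [Math]::Round($ingestion + $retention, 2)
    }
}

# Illustrative call with made-up rates: 120 GB/day against a 100 GB/day
# reservation, 180-day retention, Sentinel not enabled.
# Ingestion: (200 + 20 GB overage * 2.5) * 30 = 7500; retention: 120 * 149 * 0.1 = 1788
Get-LogAnalyticsMonthlyEstimate -DailyIngestGB 120 -ReservationGBPerDay 100 -ReservationPerDay 200 `
    -PayAsYouGoPerGB 2.5 -RetentionDays 180 -RetentionPerGBMonth 0.1
```

Running the same call with -SentinelEnabled drops PaidRetentionDays from 149 to 90, which is the effect of the footnote on this slide; comparing ReservationGBPerDay 0 against a reservation for your real daily volume shows whether the reservation pays off.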
Log Analytics Pricing Tier (portal screenshot)
Log Analytics Agent (Manual Deployment)
Onboarding Log Analytics Agents
Note: The Azure Log Analytics agent was previously referred to as the Microsoft Monitoring Agent (MMA) or OMS Linux agent
The agent may be installed by using one of the following methods. Most installations use a combination of these methods.
• Automatically, via Auto Provisioning in Azure Security Center (ASC). This enables the automatic installation of the Azure Log Analytics agent on all the VMs in your subscription. If enabled, any new or existing VM without an installed agent will be provisioned.
• Manual installation – setup is run manually on the computer using the setup wizard, from the command line, or deployed using any existing software distribution tool
• Azure Automation Desired State Configuration (DSC) – using DSC in Azure Automation with a script for Windows computers already deployed in your environment
• PowerShell script
• Azure Resource Manager template for VMs running Windows on-premises in Azure Stack
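The following script is an added example, not part of the deck, that ties together the workspace slides (regional workspace, overriding the DefaultWorkspace-… that Security Center would otherwise create) and the agent onboarding methods above (PowerShell deployment of the extension, then auto provisioning for future VMs). It assumes the Az.OperationalInsights, Az.Compute and Az.Security modules, a Connect-AzAccount session with Contributor on the subscription, and that the resource group already exists; the resource group, region and workspace names are placeholders.

```powershell
# Added example (not from the course deck). Assumes Az.OperationalInsights,
# Az.Compute, Az.Security and a Connect-AzAccount session with Contributor.
$rg     = 'rg-loganalytics'        # placeholder resource group (must exist)
$region = 'westeurope'             # one regional workspace per Azure region (best practice 2)
$wsName = "law-central-$region"    # placeholder workspace name
$subId  = (Get-AzContext).Subscription.Id

# 1. Regional workspace with explicit retention (best practice 4); reuse if present
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $wsName `
            -Location $region -Sku PerGB2018 -RetentionInDays 90
}

# 2. Point Security Center at this workspace so it does not create DefaultWorkspace-...
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$subId" -WorkspaceId $ws.ResourceId

# 3. Workspace ID + primary key are what the agent extension (and Azure Stack's
#    Configuration Management extension) need; the key goes in protected settings only
$keys      = Get-OperationalInsightsSharedKeySafe -Rg $rg -Name $wsName
$public    = @{ workspaceId  = $ws.CustomerId.ToString() }
$protected = @{ workspaceKey = $keys.PrimarySharedKey }

# 4. Install the agent extension on every existing VM in the region that lacks it.
#    Skipping VMs that already have it avoids re-pointing an agent (best practice 7).
foreach ($vm in Get-AzVM | Where-Object { $_.Location -eq $region }) {
    $isWindows = $vm.StorageProfile.OsDisk.OsType -eq 'Windows'
    $extType   = if ($isWindows) { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }
    $version   = if ($isWindows) { '1.0' } else { '1.13' }
    $present   = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
                 Where-Object { $_.ExtensionType -eq $extType }
    if ($present) { "$($vm.Name): agent extension already present"; continue }
    Set-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -Location $vm.Location `
        -Name $extType -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -ExtensionType $extType `
        -TypeHandlerVersion $version -Settings $public -ProtectedSettings $protected | Out-Null
    "$($vm.Name): $extType installed"
}

# 5. Let Security Center auto-provision the agent on VMs created from now on
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision

# Helper (hypothetical name): thin wrapper so the key lookup is in one place
function Get-OperationalInsightsSharedKeySafe {
    param([string]$Rg, [string]$Name)
    Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $Rg -Name $Name
}
```

Because PowerShell resolves functions at call time, the helper must be defined before the script reaches step 3 when run as a file; move the function to the top or dot-source it first. Setting auto provisioning to Off later does not remove agents this script installed, which is the behaviour the Data Collection slide describes.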
Azure Security Center Overview
Azure Security Center
The overview provides a unified view into the security posture of your hybrid cloud workloads, from security alerts, coverage information and more.
• Secure score
• Compliance
• Azure Defender
• Inventory
• Insights
• Subscriptions
• What’s new
• High-level numbers
Onboarding Azure Security Center
Azure Security Center Getting Started
• The Getting started page provides a single-click option to upgrade a subscription, a workspace, or both
What is Azure Arc?
• Azure Arc simplifies governance and management by delivering a consistent multi-cloud and on-premises management platform
• Azure Arc enables you to manage your entire environment, with a single pane of glass, by projecting your existing resources into Azure Resource Manager
• You can now manage virtual machines, Kubernetes clusters, and databases as if they are running in Azure
• Regardless of where they live, you can use familiar Azure services and management capabilities
• Azure Arc enables you to continue using traditional ITOps, while introducing DevOps practices to support new cloud native patterns in your environment
You can add non-Azure computers in the following ways:
• Using Azure Arc
• From Security Center's pages in the Azure portal: Getting started, Inventory
• From the Log Analytics workspace, under the Agents management page
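Projecting a non-Azure Windows server into Azure Resource Manager, as described above, comes down to installing the Connected Machine agent and running azcmagent connect on that server. The script below is an added example and is not part of the deck or Microsoft's generated onboarding script; it assumes local administrator rights, outbound HTTPS from the server, and that the aka.ms short link still points at the agent MSI. Subscription, tenant, resource group and location values are placeholders.

```powershell
# Added example (not from the course deck). Run on the non-Azure Windows server
# with local administrator rights. All IDs and names are placeholders.
$subscriptionId = '<subscription-id>'
$tenantId       = '<tenant-id>'
$resourceGroup  = 'rg-arc-servers'
$location       = 'westeurope'
$agentDir       = Join-Path $env:ProgramFiles 'AzureConnectedMachineAgent'

# 1. Download and silently install the Connected Machine agent, keeping a log
$msi = Join-Path $env:TEMP 'AzureConnectedMachineAgent.msi'
Invoke-WebRequest -Uri 'https://aka.ms/AzureConnectedMachineAgent' -OutFile $msi
$install = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/i `"$msi`" /qn /l*v `"$env:TEMP\arc-agent-install.log`"" -Wait -PassThru
if ($install.ExitCode -ne 0) { throw "Agent install failed, msiexec exit code $($install.ExitCode)" }

# 2. Connect the machine. Without credentials azcmagent prompts with a device
#    code; for bulk onboarding a service principal is passed instead
#    (--service-principal-id / --service-principal-secret).
& (Join-Path $agentDir 'azcmagent.exe') connect `
    --resource-group $resourceGroup `
    --tenant-id $tenantId `
    --location $location `
    --subscription-id $subscriptionId `
    --tags 'onboarded-by=asc-module-2'
if ($LASTEXITCODE -ne 0) { throw "azcmagent connect failed with exit code $LASTEXITCODE" }

# 3. Confirm the agent reports Connected; the server then shows up in
#    Security Center > Inventory and can receive the Log Analytics agent
& (Join-Path $agentDir 'azcmagent.exe') show
```

Once the machine is an Azure Arc resource, the Log Analytics extension is deployed to it the same way as to an Azure VM, so the auto provisioning setting from the agent onboarding slide covers Arc servers as well.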
Onboarding Azure Security Center
You can enable Azure Defender for free for the first 30 days!
Onboarding Azure Security Center
Azure Defender ON
• Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
Data Collection
• Selecting a Windows security event collection tier in Azure Security Center only affects the storage of security events in your Log Analytics workspace
Data Collection
• Setting auto provisioning to Off does not remove the Log Analytics agent from Azure VMs where the agent has already been provisioned
Onboarding Azure Security Center
Data Collection
• Why are the event sources grayed out?
Email Notifications
• Enter an email distribution list that is used by your security team and organization
• Separate the email addresses with commas
• There is no limit to the number of email addresses that you can enter
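The two onboarding steps above (turning Azure Defender on and setting the security contact) can be applied per subscription with the Az.Security module instead of the portal. The script below is an added example, not part of the deck; it assumes a Connect-AzAccount session with Owner or Contributor on the subscription, uses the plan names that Set-AzSecurityPricing accepts, and uses a placeholder contact address and phone number. The portal accepts a comma-separated list in the email field, as the slide says; the cmdlet is shown here with a single address.

```powershell
# Added example (not from the course deck). Assumes Az.Security and a
# Connect-AzAccount session with Owner/Contributor on the target subscription.
$plans = 'VirtualMachines', 'SqlServers', 'AppServices', 'StorageAccounts', 'KeyVaults'

# 1. Azure Defender on: 'Standard' tier per resource type ('Free' = ASC free mode)
foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# 2. Verify, and flag anything still on the free tier
$pricing = Get-AzSecurityPricing | Select-Object Name, PricingTier
$pricing
$stillFree = $pricing | Where-Object { $_.PricingTier -eq 'Free' }
if ($stillFree) { "Still on free tier: $($stillFree.Name -join ', ')" }

# 3. Security contact: alert e-mails go to this address and, with -AlertAdmin,
#    to subscription owners as well. Values are placeholders.
Set-AzSecurityContact -Name 'default1' `
    -Email 'secops@contoso.example' `
    -Phone '+1-555-0100' `
    -AlertAdmin -NotifyOnAlert | Out-Null
Get-AzSecurityContact | Select-Object Name, Email, AlertNotifications, AlertsToAdmins
```

Keep the 30-day free trial mentioned on the previous slide in mind when running step 1 across many subscriptions: the Standard tier starts billing once the trial ends, so pair the change with the pricing estimate for the workspace.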
Threat Detection
• Azure Security Center extends its Cloud Workload Protection Platform by integrating both
• Microsoft Cloud App Security (MCAS)
• Microsoft Defender for Endpoint
Onboarding Azure Stack
• Just update the Configuration Management extension on your Azure Stack with the workspace ID and Primary Key
• After you configure the agent extension on your Azure Stack VMs, it might take up to 1 hour for the VM to appear in the Security Center portal
Onboarding Windows Admin Center
Azure Defender feature comparison (table row, free mode / Azure Defender): Threat protection for Azure VMs and non-Azure servers (including Server EDR) ‐‐ / ✔