Azure Security Center
As you may or may not know, the Azure Security Center has been made freely available today.
As such, head over to your Azure subscription, access the Portal and then from the left navigation select the “Browse” button; then from the massive list select the “Security Center” option.
Once loaded in the portal it will take a few minutes as it checks your subscriptions and then renders out the issues, if any.
As you can see my current environment has lots of issues. Clicking into the “SQL” issue for example displays even further details.
If I go back and then click on the “Networking” issues, which weren’t completely red, it shows the following.
Most of these issues are because of “Access Control Lists” not being set on the endpoints. Going further into the orange endpoint now narrows down the issues even further.
If we then go back over to the main home page and click the “Virtual Machines” link it then displays and breaks down the issues even further for me.
Selecting one of the Virtual Machines and clicking into it then displays the actual reason for the error.
The main issues with these servers and the whole subscription is that data collection is not enabled. This can be done by clicking the recommendations chart which will then display the table of recommendations.
Now that I have the list I can select the “Enable data collection” option and set as needed.
In fact, clicking on any of the recommendations will open a pane that allows further configuration to be set. As data is collected, this will become more useful and allow you to set “Security Policies” using the screen above on a per-subscription basis. If you are not sure what can be done, then click the “Quick Start” link and you will be presented with more links and details.
The Security Alerts are really where it comes into its own. As the system scans and checks your environment it can pick up attacks and display them to you, waiting for action to be taken. As an example it could be something like this.
These Security Alerts are based on the following attack scenarios:
- Brute Force Detection over Network Data: These detections are based on machine learning models that learn from network traffic data.
- Brute Force Detection over Endpoint Data: These detections are based on Azure Security Center queries of machine logs; this enables differentiation between failed and a successful attempt.
- VMs Communicating with Malicious IPs: These detections are based on Azure Security Center discovering machines that are compromised with bots and communicating with their Command and Control (C&C) Servers (and vice versa).
Remedial action and further details can be gleaned from the event.
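To make the two endpoint-side scenarios above concrete, here is an added example (not code from the original post and not Security Center’s own detection logic, which uses machine-learning models and its own log queries) that runs a simplified version of each check over constructed sample data. The logon events, flow records, VM addresses and the “malicious IP” list are all made-up stand-ins; the threshold and window values are assumptions chosen for illustration.

```python
"""Simplified stand-ins for two Security Center alert types, run over constructed data.

1. Brute force over endpoint (logon) data: a run of failed logons from one source
   against one account inside a short window. A following success is reported
   separately, since that is the difference between an attempt and a compromise.
2. VM talking to a known-malicious IP, in either direction.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events: (timestamp, source_ip, account, outcome)
SAMPLE_LOGONS = [
    ("2016-01-15T10:00:01", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:02", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:03", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:04", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:05", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:06", "198.51.100.7", "administrator", "failed"),
    ("2016-01-15T10:00:10", "198.51.100.7", "administrator", "success"),  # guessed it
    ("2016-01-15T10:05:00", "198.51.100.8", "backup", "failed"),
    ("2016-01-15T10:05:01", "198.51.100.8", "backup", "failed"),
    ("2016-01-15T10:05:02", "198.51.100.8", "backup", "failed"),
    ("2016-01-15T10:05:03", "198.51.100.8", "backup", "failed"),
    ("2016-01-15T10:05:04", "198.51.100.8", "backup", "failed"),        # no success
    ("2016-01-15T10:07:00", "10.0.0.9", "alice", "failed"),             # a typo, then fine
    ("2016-01-15T10:07:30", "10.0.0.9", "alice", "success"),
    ("2016-01-15T09:00:00", "198.51.100.9", "svc", "failed"),           # slow, outside window
    ("2016-01-15T09:30:00", "198.51.100.9", "svc", "failed"),
    ("2016-01-15T10:00:00", "198.51.100.9", "svc", "failed"),
    ("2016-01-15T10:30:00", "198.51.100.9", "svc", "failed"),
    ("2016-01-15T11:00:00", "198.51.100.9", "svc", "failed"),
    ("2016-01-15T11:30:00", "198.51.100.9", "svc", "failed"),
]

FAILED_THRESHOLD = 5              # assumed: failures needed to call it brute force
WINDOW = timedelta(minutes=10)    # assumed: sliding window for counting failures


def detect_brute_force(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return alerts for (source_ip, account) pairs with >= threshold failures in a window.

    A success after such a run yields 'brute_force_success'; a run with no
    success yields 'brute_force_attempt'. Events need not be pre-sorted.
    """
    by_source = defaultdict(list)
    for ts, ip, account, outcome in events:
        by_source[(ip, account)].append((datetime.fromisoformat(ts), outcome))

    alerts = []
    for (ip, account), evs in by_source.items():
        evs.sort()
        failures = []  # timestamps of recent failures for this pair
        for ts, outcome in evs:
            failures = [f for f in failures if ts - f <= window]  # age out old ones
            if outcome == "failed":
                failures.append(ts)
            elif outcome == "success":
                if len(failures) >= threshold:
                    alerts.append({"type": "brute_force_success", "source_ip": ip,
                                   "account": account, "failed_attempts": len(failures)})
                failures = []  # a success ends the run either way
        if len(failures) >= threshold:
            alerts.append({"type": "brute_force_attempt", "source_ip": ip,
                           "account": account, "failed_attempts": len(failures)})
    return alerts


# Constructed stand-in for a threat-intelligence list of C&C / scanner addresses
MALICIOUS_IPS = {"203.0.113.50", "192.0.2.99"}
VM_IPS = {"10.0.0.4", "10.0.0.5"}  # constructed: our monitored VMs

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = [
    ("2016-01-15T10:12:00", "10.0.0.4", "203.0.113.50", 443),   # VM beaconing out
    ("2016-01-15T10:12:05", "192.0.2.99", "10.0.0.5", 3389),    # listed IP coming in
    ("2016-01-15T10:13:00", "10.0.0.4", "198.51.100.20", 80),   # ordinary traffic
]


def detect_malicious_ip_contact(flows, vm_ips=VM_IPS, bad_ips=MALICIOUS_IPS):
    """Flag any flow between a monitored VM and a listed address, in either direction."""
    alerts = []
    for ts, src, dst, port in flows:
        if src in vm_ips and dst in bad_ips:
            alerts.append({"type": "outbound_to_malicious_ip", "vm": src,
                           "remote": dst, "port": port, "time": ts})
        elif dst in vm_ips and src in bad_ips:
            alerts.append({"type": "inbound_from_malicious_ip", "vm": dst,
                           "remote": src, "port": port, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOGONS) + detect_malicious_ip_contact(SAMPLE_FLOWS):
        print(alert)
```

The point of the window is visible in the sample: the slow “svc” failures never accumulate, while the six rapid “administrator” failures followed by a success are the case a defender wants to see first, since it indicates the account is now in someone else’s hands rather than merely being hammered.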
This is a great tool that allows you and me to monitor our Azure environments much better and take control of security. More to come :)