Learn about configuring where Azure Security Center data is stored and how long it is retained.
- [Instructor] Azure Security Center collects data from your Azure virtual machines and your non-Azure computers to monitor for security-related vulnerabilities and threats. This data is collected using the Microsoft Monitoring Agent, which reads various security-related configurations and event logs from the machine and copies that data to your Log Analytics workspace for analysis. From a technical perspective it's good to understand where the data is gathered that provides the security insight, so we can configure and troubleshoot data collection when necessary.
And, because we're generally paying for data storage by the gigabyte, it's helpful in a business sense to understand so we can optimize data collection and retention in our Log Analytics workspace, especially when we're dealing with Windows Security Event Logs or Azure Diagnostic Logs, which can be very verbose. Fortunately, with Log Analytics we can actually control both data collection and data retention. So, just a few examples of some of the data collected include operating system logs, machine name, IP address, the logged-in user, running processes, and the tenant ID.
Also, crash dumps are collected by the monitoring agent and forwarded to our workspace. When automatic provisioning is enabled, Security Center actually provisions the Microsoft Monitoring Agent on all our supported Azure VMs, and on any new VMs that are created. Automatic provisioning is strongly recommended. It's actually required for subscriptions on the Standard tier of Security Center. Now, disabling automatic provisioning limits your security monitoring for your resources.
However, VM disk snapshots, and some artifact collection like storage or network configurations, are still enabled even if automatic provisioning is disabled. You can disable automatic provisioning. Disabling automatic provisioning, though, doesn't remove the Microsoft Monitoring Agent where it's already been provisioned. Data collected by Security Center is stored in the Log Analytics workspace, and you can elect to have data collected from Azure VMs stored in workspaces created by Security Center, or in an existing workspace that you've created previously.
You can use your existing Log Analytics workspace, but the workspace must be associated with your selected Azure subscription where Security Center resides, and at a minimum you need read permission to access that workspace. And, if you don't have those read permissions, the Log Analytics workspace simply will not appear in the UI dropdown in the Azure portal. And, you can also control the volume of security event log events, while maintaining enough events for investigation and the audit trail, helping us with threat detection.
You can choose the right filtering policy for your subscriptions and your workspaces from four event levels to be collected by the agent. Those are: All Events, which is really for customers who want to make sure all events are collected, no matter what. And, this is actually the default. There's a setting known as Common. Now, this is a set of events that satisfies most customers and still accommodates a full audit trail. The Minimal option is a smaller set of events for customers who really just want the critical events and a lower event volume.
And, then of course the None setting means we're disabling event collection entirely from the Security and AppLocker logs. For customers who choose this, their security dashboards only have Windows Firewall logs and proactive assessments like anti-malware, baseline, and update. Now, to determine the events that belong in the Common and the Minimal event sets, Microsoft actually worked with customers and reviewed industry standards to learn about the unfiltered frequency of each event and their usage.
This really enables Microsoft to quantify unfiltered event frequency, which can give us insight into the potential quantity of data we're dealing with, at least from a low, medium, high data footprint perspective. So, to touch on the key points, the OMS agent, or Microsoft Monitoring Agent, collects key metrics for Security Center. Automatic provisioning ensures those VMs are all captured. And, you can control the volume of your security event data to those four levels.
Setting it to Common at minimum means we maintain the full audit trail, which our security team will appreciate. Ultimately, we want to tune data collection over time based on the data that delivers the insight we're interested in.
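As an added example (not the instructor's code and not from the course), the following Az PowerShell script carries out the configuration steps the instructor walks through: pointing Security Center at an existing Log Analytics workspace, enabling automatic provisioning of the Microsoft Monitoring Agent, and setting the workspace retention that drives storage cost. The subscription ID, resource group and workspace name are placeholder assumptions; the 90-day retention is an arbitrary choice for illustration.

```powershell
# Added example: configure Security Center data collection and Log Analytics
# retention with the Az.Security and Az.OperationalInsights modules.
# All values below are placeholder assumptions; replace them with your own.
$SubscriptionId  = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup   = "rg-security-monitoring"                 # placeholder
$WorkspaceName   = "law-security-monitoring"                # placeholder
$RetentionInDays = 90                                        # illustrative value

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. Resolve the existing workspace. The caller needs at least read access to
#    it; without that it would not even appear in the portal dropdown.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# 2. Tell Security Center to store collected data in that workspace instead of
#    one it would create itself. The scope is the subscription Security Center
#    is enabled on, which must be the subscription the workspace belongs to.
Set-AzSecurityWorkspaceSetting -Name "default" `
    -Scope "/subscriptions/$SubscriptionId" `
    -WorkspaceId $ws.ResourceId

# 3. Enable automatic provisioning of the Microsoft Monitoring Agent so that
#    existing supported VMs and any new VMs are covered.
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

# 4. Set data retention on the workspace; this is the lever on storage cost.
Set-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -RetentionInDays $RetentionInDays

# 5. Read the settings back to confirm the change took effect.
Get-AzSecurityWorkspaceSetting
Get-AzSecurityAutoProvisioningSetting
(Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName).RetentionInDays
```

The security event collection level (All, Common, Minimal, None) that the instructor describes is not set by this script; it is chosen separately per subscription or workspace. Before lowering that level, a useful check is to run a query such as `SecurityEvent | summarize count() by EventID` against the workspace to see which event IDs actually dominate your ingestion volume, so that the chosen tier still keeps the events your investigations rely on.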