Hi all,
The recommendations are one of the most important parts of Azure Security Center. These recommendations are divided into several categories:
- Subscription recommendations;
- Application Recommendations;
- Network Recommendations;
- SQL Service Recommendations;
- Virtual Machine Recommendations.
In part 2 of the Azure Security Center blog series I will cover the Subscription Recommendations.
Enable data collection for subscription
To get information about the resources in a subscription, you need to enable data collection for that subscription. You can do this by creating a custom Log Analytics workspace or by letting Azure Security Center create a workspace for you, with names in the following format:
Workspace: DefaultWorkspace-[subscription-ID]-[geo]
Resource Group: DefaultResourceGroup-[geo]
Default Log Analytics workspace.
- Enable data collection: Go to the Security policy blade > Data Collection > select “Use workspace(s) created by Security Center (default)”.
- Turn on automatic provisioning of agents.
Custom Log Analytics workspace. (Preferred)
- Create a new resource group in your region, named according to your company's naming convention.
- Create a new Log Analytics workspace in the previously created resource group, named according to your company's naming convention, with the same location and the pricing tier Per Node.
- Enable data collection: Go to the Security policy blade > Data Collection > Use another workspace > select the workspace that you have created and turn on automatic provisioning of agents.
- Answer yes to the question about the reconfiguration of the VMs.
Provide security contact details for subscription
To comply with this recommendation:
- Go to the Security policy blade and click on the subscription.
- Go to email notifications.
- Supply the security contact email address and the phone number.
- Optionally, you can turn the send me an email buttons at the bottom on or off.
When an email with an alert comes in, it will look like this:
Enable advanced security for subscription
- Go to the Security policy blade and click on the subscription. On the Pricing tier blade you can select the Standard tier instead of the Free tier.
- Go to the Security policy blade and click on the Log Analytics workspace. On the Pricing tier blade you can select the Standard tier instead of the Free tier.
- If they are connected to a user-created Log Analytics workspace, then you MUST enable the Standard tier on that workspace.
- If they are connected to an ASC-created workspace (default configuration), then you only need to upgrade at the subscription level.
The second option (upgrading at the subscription level) is highly recommended in any case, since it adds capabilities that do not exist at the workspace level alone (network threat detection, PaaS services coverage, etc.).
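To check an inventory against the tier rules above, here is an added example (not part of the original post and not Microsoft code) that classifies a workspace as Security Center default or custom by the naming format given earlier and lists where the Standard tier has to be selected. The function names and sample IDs are made up for illustration, and it assumes that a name match means Security Center created the workspace.

```python
import re

# ARM resource ID of a Log Analytics workspace (matched case-insensitively).
_WS_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourcegroups/(?P<rg>[^/]+)"
    r"/providers/microsoft\.operationalinsights/workspaces/(?P<ws>[^/]+)/?$",
    re.I)
# Default names from the post: DefaultWorkspace-[subscription-ID]-[geo]
# inside the resource group DefaultResourceGroup-[geo].
_DEFAULT_WS = re.compile(
    r"^DefaultWorkspace-(?P<sub>[0-9a-f-]{36})-(?P<geo>[a-z0-9]+)$", re.I)
_DEFAULT_RG = re.compile(r"^DefaultResourceGroup-(?P<geo>[a-z0-9]+)$", re.I)


def classify_workspace(workspace_id):
    """Return 'default' for a Security Center-style workspace, else 'custom'."""
    m = _WS_ID.match(workspace_id)
    if not m:
        raise ValueError("not a workspace resource ID: %r" % workspace_id)
    ws = _DEFAULT_WS.match(m.group("ws"))
    rg = _DEFAULT_RG.match(m.group("rg"))
    # Assumption: both names follow the default format, agree on [geo], and
    # the subscription ID in the workspace name is the owning subscription.
    if (ws and rg
            and ws.group("geo").lower() == rg.group("geo").lower()
            and ws.group("sub").lower() == m.group("sub").lower()):
        return "default"
    return "custom"


def standard_tier_targets(subscription_id, workspace_ids):
    """Scopes that need Standard tier: the subscription (recommended in any
    case) plus every user-created workspace (must be upgraded itself)."""
    targets = ["/subscriptions/" + subscription_id.lower()]
    for wid in workspace_ids:
        if classify_workspace(wid) == "custom" and wid.lower() not in targets:
            targets.append(wid.lower())
    return targets


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    sub = "11111111-2222-3333-4444-555555555555"
    base = "/subscriptions/" + sub + "/resourceGroups/"
    prov = "/providers/Microsoft.OperationalInsights/workspaces/"
    ids = [base + "DefaultResourceGroup-WEU" + prov + "DefaultWorkspace-" + sub + "-WEU",
           base + "rg-sec-weu" + prov + "law-sec-weu"]
    for target in standard_tier_targets(sub, ids):
        print("enable Standard tier on:", target)
```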