Hi all,

The recommendations are one of the most important parts of Azure Security Center. These recommendations are divided into several categories:

  • Subscription recommendations;
  • Application Recommendations;
  • Network Recommendations;
  • SQL Service Recommendations;
  • Virtual Machine Recommendations.

In part 2 of the Azure Security Center blog series I will cover the Subscription Recommendations.

Enable data collection for subscription

To get information about the resources in a subscription, you need to enable data collection for that subscription. This can be done by creating a custom Log Analytics workspace, or by letting Azure Security Center create a workspace for you with a name in the following format:

Workspace: DefaultWorkspace-[subscription-ID]-[geo]
Resource Group: DefaultResourceGroup-[geo]

Default log analytics workspace.

  1. Enable data collection: Go to the blade security policy > Data Collection > Select “Use workspace(s) created by Security Center (default)”.
  2. Turn on automatic provisioning of agents.

Custom log analytics workspace. (Preferred)

  1. Create a new resource group in your region, named according to your company's naming convention.
  2. Create a new Log Analytics workspace in the previously created resource group, named according to your company's naming convention, with the same location and the pricing tier Per Node.
  3. Enable data collection: Go to the blade security policy > Data Collection > Use another workspace > select the workspace that you have created and turn on automatic provisioning of agents.
  4. Answer Yes to the question about the reconfiguration of the VMs.

Provide security contact details for subscription

To comply with this recommendation:

  1. Go to the blade Security Policy and click on the subscription.
  2. Go to email notifications.
  3. Supply the security contact email address and the phone number.
  4. Optionally, you can turn the "send me an email" buttons at the bottom on or off.

When an email with an alert comes in, it will look like this:

Enable advanced security for subscription

Because we have created a custom Log Analytics workspace, we can adjust the pricing tier setting in two places.

  1. Go to the security policy blade and click on the subscription; on the pricing tier blade you can select standard tier instead of free tier.
  2. Go to the security policy blade and click on the Log Analytics workspace; on the pricing tier blade you can select standard tier instead of free tier.

After consulting Microsoft about where to enable the standard tier, I got the following answer. It depends on where you manage your VMs:

  • If they are connected to a user created LA workspace, then you MUST enable Standard tier on that WS.
  • If they are connected to ASC created workspace (default configuration), then you only need to upgrade on the Subscription level.

The second option is highly recommended to do in any case (upgrading at subscription level) since that adds additional capabilities that do not exist only on the workspace level (network threat detection, PaaS services coverage, etc.).

So, in my understanding, it can do no harm to set the standard tier in both places.

If the adjustment of the pricing tier at workspace level fails without any obvious error, check the activity log on the workspace. Usually there is an error there. In my subscription there was the following error:

Error code MissingSubscriptionRegistration
Message: The subscription is not registered to use namespace ‘Microsoft.OperationsManagement’. See https://aka.ms/rps-not-found for how to register subscriptions

This can be resolved by going to Subscriptions in the Azure portal, selecting the subscription, going to Resource providers and searching for the Microsoft.OperationsManagement resource provider. It will appear as “Not registered”; you can register the provider by selecting the Register link. After registering this provider, the upgrade of the workspace can be done.
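
The same check can be run over an exported activity log instead of the portal. This is an added example, not code from the original post or from Microsoft; it assumes events shaped like the JSON that `az monitor activity-log list` returns, with the error carried in `properties.statusMessage`, and the sample events and resource IDs are constructed.

```python
import json
import re

# Provider namespace inside the error text; the quotes may be straight or curly.
_NAMESPACE = re.compile(r"""namespace\s+['"‘’]([A-Za-z][A-Za-z0-9.]*)['"‘’]""")


def _error_of(event):
    """Return (code, message) from properties.statusMessage (JSON text or dict)."""
    raw = (event.get("properties") or {}).get("statusMessage") or {}
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            return None, ""
    err = raw.get("error", raw) if isinstance(raw, dict) else {}
    if not isinstance(err, dict):
        return None, ""
    return err.get("code"), str(err.get("message") or "")


def missing_registrations(events):
    """Map each unregistered provider namespace to the resources that failed."""
    found = {}
    for event in events:
        if (event.get("status") or {}).get("value") != "Failed":
            continue
        code, message = _error_of(event)
        match = _NAMESPACE.search(message)
        if code == "MissingSubscriptionRegistration" and match:
            found.setdefault(match.group(1), []).append(event.get("resourceId"))
    return found


# Constructed sample: placeholder IDs, error text as quoted in the post.
WORKSPACE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                "rg-example/providers/Microsoft.OperationalInsights/workspaces/ws-example")
MESSAGE = ("The subscription is not registered to use namespace "
           "‘Microsoft.OperationsManagement’.")
SAMPLE_EVENTS = [
    {"status": {"value": "Succeeded"}, "resourceId": WORKSPACE_ID, "properties": {}},
    {"status": {"value": "Failed"}, "resourceId": WORKSPACE_ID, "properties": {
        "statusMessage": {"error": {"code": "AuthorizationFailed", "message": "x"}}}},
    {"status": {"value": "Failed"}, "resourceId": WORKSPACE_ID, "properties": {
        "statusMessage": json.dumps({"error": {
            "code": "MissingSubscriptionRegistration", "message": MESSAGE}})}},
]

if __name__ == "__main__":
    for namespace, resources in missing_registrations(SAMPLE_EVENTS).items():
        print(f"az provider register --namespace {namespace}  # then retry: {resources}")
```

The namespace is only accepted when it matches a letters, digits and dots pattern, so text from the log never reaches the printed command unchecked.
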
If the upgrade to the standard tier for the subscription went fine, you will see two solutions in the Log Analytics workspace.

That's it for part 2 of the Azure Security Center blog series. In the next part I will cover another set of recommendations.