Hugo Future Imperfect Slim

Shashi Shetty

Opinions Are My Own.

Azure Security - Part 2

Series of blog posts on Azure Policies and Security Center.

Shashi Shetty

6-Minute Read

Azure Security Center

Azure Security Center is a centralized security management system/dashboard that provides security related information of your Hybrid infrastructure. Azure security works in conjunction with you, the customer, which provides recommendations to you in making your environment secure. It’s the customer’s responsibility to work on these recommendations and make infrastructure secure. The security center’s remarkable feature is the recommendations tab; This view provides an overall security score and recommendations on how to increase the score. Recommendations are provided along with the number of potential security points.

Security Center Overview

Security Center Recommendation

Shared responsibility in the cloud

In an on-prem infrastructure, you own end-to-end security, i.e., data center access to individual applications/data access. In cloud infra, some of the responsibilities are transferred to cloud service provider.

Shared responsibility in the cloud

Azure security Center License

Azure security licensing comes in two tiers, free and Defender. The free version is active by default. You need to onboard a subscription to enable the Defender plan. Pricing is based on resource type and consummation.

Defender tier is enabled by following either of below options

  • Security -> Management -> Pricing & Settings ->Azure defender Plan

  • Security -> Management -> Coverage ->edit plan

Security Center License Tier

Defender License by resource

Log analytic workspace needs onboarding to defender tier along with subscriptions.

Workspace defender License

Note: when you enable the free trial for 30 days, Defender is auto charged based on consumption post 30 days


Once the defender plan is enabled, you need to install the agent to collect the data. Azure security center collects the data using Log Analytics agent on the VM, Log analytic workspace stores the data for further analysis.

You can enable the agent’s auto-provisioning using – Security Center-> Pricing& Settings -> Your subscription -> Auto Provisioning.

Log Analytics agent for Azure VMs – collects event logs and related security configurations

Microsoft Dependency agent - The Dependency agent collects discovered data about processes running on the machine and external process dependencies. Used for Service Map and VM insights

Policy Add-on for Kubernetes – Enables reporting of auditing and compliance details of Kubernetes cluster to Azure Policies.

You can enable or disable the auto agent installation for all three extensions or select only those relevant to you.

You can use your organization-specific software distribution tool to install the agents. To add a non-azure system, use the below option

- Security Center -> General -> inventory -> add non azure servers

- Security Center ->Security Solutions -> non azure servers add

Note: Charges will be based on per Node per month.

Cloud Security

Azure Security Centre cloud security has four components.

  1. Secure score – here, you can see the overall security score of your subscriptions
  2. Regulatory Compliance – Regulatory compliance is the inbuilt standard policies that are applied to Azure subscriptions. You can add additional Microsoft pre-defined regulatory compliance under security policies.
  3. Firewall manager - Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
  4. Azure Defender allows you to configure advanced protections options
  • VM vulnerability assessment

  • Just in time access

  • Adaptive application access

  • Container image scanning

  • Adaptive network hardening

  • SQL vulnerability assessment

  • File integrity monitoring

  • Network map

  • IoT security

VM vulnerability assessment – In the background, the Defender uses Qualys’s powered agent, which identifies the system’s threat. You don’t need any additional Qualys licenses to use this feature. You can even install your own vulnerability solution like Rapid 7. However, license needs to be taken care by customer. Post the agent installation;It would take a minimum of 30 mins to reflect the agent installation status in the security center. Vulnerabilities are assed once in 24 hours; even if you remediate, it takes 24 hours to clear from the dashboard.

Adaptive application access – Allows admins to white-list the applications to be run on a VM rather than blacklisting. App sense is used in the background to learn the applications and white list the applications

Container image scanning (Qualys) – Scans Azure container registry for security vulnerabilities and exposes detailed findings for each image.

Adaptive network hardening- Analyses the virtual machines' internet traffic communication patterns and determines if the existing rules in the NSGs associated are overly permissive, resulting in an increased potential attack surface. This typically occurs when this IP address doesn’t communicate regularly with this resource. Alternatively, the IP address has been flagged as malicious by Security Center’s threat intelligence sources.

SQL vulnerability assessment - Scans database for security vulnerabilities and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data.

File integrity monitoring - Log Analytics workspace is used to monitor the file integrity. You need to enable this feature on a log analytics work space explicitly. This feature monitors the changes to the registry, operating system files, and application software for any potential attack. The checksum comparison method is used to find the difference from the last scan to the files' current state. It can also write the changes to a storage account so that an admin can compare the old and new files. Storage cost needs to be considered before enabling the feature .

Network Map – Creates network map, showing the topology and workload.

Just in Time – Popularly known as JIT, this feature works on the back of an NSG. The pre-requisite to enable this feature is NSG. In a nutshell, the JIT adds a deny rule on top of existing NGS rules attached to a VM. Allow rule in NSG is created only when a user requests access. JIT configuration contains the ports, source IP address, and allowed duration. The minimum allowed time is 1 hour, and the default is 03 hours; post this interval the NSG allow rule is removed.

Access level required to request JIT access to a VM .

Azure JIT - Access level


The security center’s management section allows you to manage licenses, connect to third party solutions , configure agent auto installation, and automate workflows.

Pricing and settings allow you to

  • Change the license tier of your subscription
  • Enable / Disable auto-provisioning of extensions ( agents)
  • Configure Email notifications along with notification types
  • Integrate with other Microsoft security services like cloud security.
  • Automate the workflows based on the type of threat detected; also available directly under the security center’s management pane.
  • Continuous export of security center data – recommendations/scores/alerts / regulatory compliance to Event hub or Log analytic workspace
  • Connect to other clouds – AWS / GCP; also available directly under the security center’s management pane.

Security Policy allows you to add or modify security policies / regulatory compliances and custom initiatives. By default, standard ASC default policies are applied to your subscription.

Security Solutions allows you to view the connected security solutions (auto-discovered security solutions) and configure data sources. Data sources can be a non-azure machine, SIEM, and Azure App gateway with firewall enabled.

SIEM – Data is exported to Third party SIEM via – Security Center -> Azure monitor-> azure event hub ->azure functions ->SIEM


Email notifications of the security center have the following limitations; you can use workflow automation to get around the limitation.

· a maximum of one email per 6 hours (4 emails per day) for high-severity alerts

· a maximum of one email per 12 hours (2 emails per day) for medium-severity alerts

· a maximum of one email per 24 hours for low-severity alerts

Say Something


Nothing yet.

Recent Posts



Dependable and goal-oriented IT infrastructure engineer with 12 years of experience in designing and delivering infrastructure projects.