As part of an Azure Security Center deployment plan in your organization, you need to extract the current Azure Security Center configuration in your tenant so you can determine whether you want to enable the Standard tier for some resource types, as well as plan for the Log Analytics workspace.
This article provides some notes, as well as a script to run against multiple subscriptions in your tenant, to save you time.
TL;DR: You can skip this article and use the script from here: https://github.com/azsec/azure-audit/tree/master/AzureSecurityCenter
What would you need?
Before making any move, here is what you should collect from Azure Security Center initially:
- Subscription info: not only the subscription ID; you also need the subscription name, because your brain wouldn't work well with subscription IDs, would it?
- Pricing tier: as of this article, there are 8 resource types covered by Azure Security Center. You need to decide whether you want to take advantage of the Standard tier for a specific resource type (e.g. Kubernetes).
- Auto provisioning: this setting tells you whether the Microsoft Monitoring Agent is automatically installed on all virtual machines in your subscription.
- Data collection workspace: this tells you whether data collected by Azure Security Center is stored in the default workspace (Microsoft back-end) or in a user-defined workspace (one you create and manage).
- Contact and notification: the email address and phone number used for notifications, as well as the settings "Send email notification for high severity alerts" and "Also send email notification to subscription owners".
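The following script is an added example of collecting exactly these five items across every subscription the signed-in account can see; it is not the azsec/azure-audit script. It assumes the Az.Accounts and Az.Security modules are installed, that Connect-AzAccount has already run, and that the property names on the returned objects (PricingTier, AutoProvision, WorkspaceId, AlertNotifications, AlertsToAdmins) match those modules.

```powershell
# Added example (not the azsec/azure-audit script): inventory Azure Security Center
# settings across all visible subscriptions and write one row per subscription.
# Assumes Az.Accounts + Az.Security are installed and Connect-AzAccount has run.
# Property names used below are an assumption based on the Az.Security cmdlet output.
$report = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Pricing tier per covered resource type (Free or Standard)
    $pricing = Get-AzSecurityPricing |
        ForEach-Object { "$($_.Name)=$($_.PricingTier)" }

    # Whether the Microsoft Monitoring Agent is auto-installed on VMs ("On"/"Off")
    $autoProv = (Get-AzSecurityAutoProvisioningSetting -Name default).AutoProvision

    # User-defined data collection workspace; none means the default (Microsoft-managed) one
    $ws = Get-AzSecurityWorkspaceSetting -ErrorAction SilentlyContinue
    $workspace = if ($ws) { $ws.WorkspaceId } else { '(default workspace)' }

    # Security contact and notification flags; a subscription may have none configured
    $contact = Get-AzSecurityContact -ErrorAction SilentlyContinue | Select-Object -First 1

    [pscustomobject]@{
        SubscriptionName  = $sub.Name
        SubscriptionId    = $sub.Id
        AutoProvisioning  = $autoProv
        Workspace         = $workspace
        ContactEmail      = $contact.Email
        ContactPhone      = $contact.Phone
        HighSeverityEmail = $contact.AlertNotifications   # "Send email notification for high severity alerts"
        EmailOwners       = $contact.AlertsToAdmins        # "Also send email notification to subscription owners"
        PricingTiers      = $pricing -join '; '
    }
}

# Show subscriptions that still use the default workspace or have high-severity email off
$report |
    Where-Object { $_.Workspace -eq '(default workspace)' -or $_.HighSeverityEmail -ne 'On' } |
    Format-Table SubscriptionName, AutoProvisioning, Workspace, HighSeverityEmail -AutoSize

# Full inventory for the deployment plan, with subscription names rather than bare IDs
$report | Export-Csv -Path .\asc-audit.csv -NoTypeInformation
```

The CSV keeps the subscription name next to the ID, which is the join key Resource Graph Explorer cannot give you on its own.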
Resource Graph Explorer limitation
The reason I didn't bring Resource Graph Explorer into the audit is that it still has limitations:
- It doesn't support correlation with custom data (inline data or a Log Analytics custom log). Imagine you have a list of subscriptions with friendly names and would like to join it to produce an understandable report.
- It currently supports querying the pricing tier only ( | where type == "microsoft.security/pricings" ).
Below are some other references related to Azure Security Center that you may need to check out:
- Connect Azure Security Center to Azure Sentinel programmatically
- Working with Azure Security Center Alert from Azure Sentinel
- Simulate alerts to be caught by ASC
- Work with Azure Security Center alert in Log Analytics
- A bit about ASC Alert in Log Analytics workspace
- What is securitydata resource group in Microsoft Azure?