Azure Security Center & log Analytics Workspaces

Azure Security Center is a good thing to have as part of your Azure resources and it comes in two tiers: Free or Standard. By default it is enabled in your Azure subscription at the Free tier; changing that to Standard unlocks additional features and comes with some costs.

So you’ve upgraded Security Center to Standard, you have enabled data collection and you chose the option ‘Use workspace(s) created by Security Center (default)’. All is good: your machines are onboarded into Security Center and they are sending data to the workspace. So what actually happens when you do this?

A resource group is created called ‘DefaultResourceGroup-xxx’ (where xxx is a region). For example, in my subscription this was called ‘DefaultResourceGroup-WEU’.

Default Security Center Workspace Resource Group

A Log Analytics workspace is created in the above resource group and this is called ‘DefaultWorkspace-<subscription guid>-xxx’ (xxx is again the region).

Default Security Center Workspace

Within the Log Analytics workspace above, two solutions are added:

SecurityCenterFree

SecurityCenter

Security Center Solutions added to Log Analytics Workspace

Something that happens a lot is that the above is configured but then you realise that a custom Log Analytics workspace should be used instead. This could be to align to a naming convention you use, or because you use a centralised workspace for all data collection. Either way, you now need to change Security Center to use a different workspace. The change is simple enough to do and is documented here. From that article:

“Select the pricing tier for the desired workspace you intend to set the Microsoft Monitoring agent.
To use an existing workspace, set the pricing tier for the workspace. This will install a security Center solution on the workspace if one is not already present.

a. In the Security Center main menu, select Security policy.

b. Select the desired Workspace in which you intend to connect the agent by clicking Edit settings in the Settings column of the desired subscription in the list. “

What this is saying is that you need to set the tier of the Log Analytics workspace you are going to use for Security Center from within Security Center – doing so doesn’t affect the pricing of the workspace itself, but what it does do is add the SecurityCenter solution to the workspace.

Here’s what I’m about to do:

Create a new Log Analytics workspace called ‘laworkspacetest’.

Update the Data Collection settings of Security Center to use laworkspacetest – at this point there will not be any Security Center solutions in the Log Analytics workspace laworkspacetest.

Update the pricing tier of laworkspacetest from within Security Center by following the documentation linked to previously – this will add the Security Center solutions to the Log Analytics workspace laworkspacetest.

laworkspacetest Log Analytics workspace without any solutions

In the picture below I have updated the Security Center data collection settings to use the laworkspacetest Log Analytics workspace:

Changing security Center to use a custom log analytics workspace

I now see the Log Analytics workspace laworkspacetest under ‘Security Policy’ and I have an option to ‘Edit Settings’ for the workspace.

Log Analytics workspace under Security Policy

Clicking ‘Edit Settings’ allows me to choose the Free or Standard tier.

At this point I choose to switch to Standard and then click Save. What happens now is that the SecurityCenter solution is added to the custom Log Analytics workspace.

The above is fine and all works well, but if you were doing more than one or two workspaces in this manner, or you are deploying to a greenfield site, this is too much clicking for my liking.

You can add the SecurityCenter solution to the Log Analytics workspace by using PowerShell (the Security intelligence pack is the SecurityCenter solution):

Set-AzOperationalInsightsIntelligencePack -ResourceGroupName <your rg name> -WorkspaceName <workspace name> -IntelligencePackName "Security" -Enabled $true

If you are deploying with Terraform, use the resource azurerm_log_analytics_solution and add the following plan:

plan {
  publisher = "Microsoft"
  product   = "OMSGallery/Security"
}

If you deploy using ARM templates, you add a plan section under the resource type Microsoft.OperationsManagement/solutions as per
https://docs.microsoft.com/bs-cyrl-ba/azure/azure-monitor/platform/template-workspace-configuration
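Putting the three manual steps from earlier (create the workspace, point Security Center’s data collection at it, set the tier so the SecurityCenter solution is installed) into one script, as an added example that is not from the original post. It uses the Set-AzOperationalInsightsIntelligencePack call shown above plus Set-AzSecurityWorkspaceSetting from the Az.Security module, which the post does not mention; the resource group name ‘rg-monitoring’, the region ‘westeurope’ and the PerGB2018 SKU are assumptions you should replace, and it assumes you have already run Connect-AzAccount against the right subscription. The verification step at the end is there so a deployment pipeline fails visibly if the solution did not get enabled, rather than silently leaving the workspace without Security Center data.

```powershell
# Added example, not the original post's code. Assumes Az.OperationalInsights and
# Az.Security are installed and Connect-AzAccount has been run.
$ResourceGroup  = 'rg-monitoring'        # assumed resource group name
$WorkspaceName  = 'laworkspacetest'      # workspace name used in the post
$Location       = 'westeurope'           # assumed region
$SubscriptionId = (Get-AzContext).Subscription.Id

# Step 1: create the custom Log Analytics workspace if it does not exist yet.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
    -Name $WorkspaceName -ErrorAction SilentlyContinue
if (-not $workspace) {
    $workspace = New-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $WorkspaceName -Location $Location -Sku 'PerGB2018'   # assumed SKU
}

# Step 2: make Security Center send collected data to this workspace instead of the
# DefaultWorkspace-<subscription guid>-<region> one it created for itself.
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$SubscriptionId" `
    -WorkspaceId $workspace.ResourceId | Out-Null

# Step 3: enable the Security solution on the workspace. This is the scripted
# equivalent of Security policy > Edit settings > Standard in the portal.
Set-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -IntelligencePackName 'Security' -Enabled $true | Out-Null

# Step 4: verify. A workspace without the Security pack will never show the
# Security Center tables, so fail loudly here instead of discovering it later.
$enabled = Get-OperationalInsightsEnabledPacks -ResourceGroup $ResourceGroup -Workspace $WorkspaceName
if ($enabled -notcontains 'Security') {
    throw "Security solution was not enabled on workspace $WorkspaceName"
}
Write-Output "Enabled solutions on ${WorkspaceName}: $($enabled -join ', ')"

# Helper: names of the intelligence packs currently enabled on a workspace.
function Get-OperationalInsightsEnabledPacks {
    param([string]$ResourceGroup, [string]$Workspace)
    Get-AzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace |
        Where-Object { $_.Enabled } |
        Select-Object -ExpandProperty Name
}
```

Run the script once per workspace you want Security Center to use; re-running it is safe because each step is idempotent (the workspace lookup skips creation, and enabling an already-enabled pack is a no-op). Note that PowerShell resolves the helper function at call time, so define it before the call if you split the script into separate files.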
