Azure Security Center can collect security data and events from a virtual machine to help you prevent, detect, and respond to threats. Security Center is built on Log Analytics: the agent on the VM sends its data to a Log Analytics workspace, and Security Center works from that data.
In this blog post you will see how to set up a VM that sends its data to a Log Analytics workspace, and then how Azure Security Center uses that data to show the security improvements it recommends for that VM.
- Access to the Azure portal and the Azure CLI (Cloud Shell: https://shell.azure.com/)
- Azure Security Center on the Standard pricing tier (this tier is paid)
What will we build/create?
- We will create a Resource Group (RG) with resources in it;
- A Windows Server VM will be configured in that RG;
- Security events from the VM will be collected;
- A Log Analytics workspace will be created;
- Security Center recommendations will be used to harden the VM.
Some code to prepare the environment
Open Cloud Shell from the Azure portal:
Choose an admin password for the VM. It must meet the Windows complexity rules (12 to 123 characters, containing three of: lower case, upper case, digit, special character); if you do not pass it with --admin-password, az vm create prompts for it.
Create a Resource Group
az group create --name mwp-test-ak --location westeurope
Create a network in Azure
az network vnet create --resource-group mwp-test-ak --name mwp-test-ak-Vnet --subnet-name mwp-test-ak-Subnet
Create a public IP address
az network public-ip create --resource-group mwp-test-ak --name mwp-test-ak-PublicIP
Create a network security group
az network nsg create --resource-group mwp-test-ak --name mwp-test-ak-NetworkSecurityGroup
Create a virtual network card and associate it with the public IP address and the NSG
az network nic create \
--resource-group mwp-test-ak \
--name mwp-test-ak-Nic \
--vnet-name mwp-test-ak-Vnet \
--subnet mwp-test-ak-Subnet \
--network-security-group mwp-test-ak-NetworkSecurityGroup \
--public-ip-address mwp-test-ak-PublicIP
Create a Windows Server 2016 Datacenter VM (az vm create prompts for the admin password because it is not passed on the command line)
az vm create \
--resource-group mwp-test-ak \
--name mwp-test-ak-VM \
--location westeurope \
--nics mwp-test-ak-Nic \
--image win2016datacenter \
--admin-username azureuser
Open port 3389 to allow RDP traffic to the host. Note that this adds an NSG rule that allows TCP/3389 from any source, which Security Center will flag as a high-severity recommendation (it suggests just-in-time VM access); for anything beyond a throw-away lab, restrict the source to your own public IP instead.
az vm open-port --port 3389 --resource-group mwp-test-ak --name mwp-test-ak-VM
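As an added example (not code from the original post), here is the restricted alternative to the command above: az vm open-port creates an NSG rule whose source is * (any address), whereas the function below creates an allow rule for TCP/3389 from a single trusted prefix and refuses the wide-open values. It assumes the resource group and NSG names used in this post; the prefix 203.0.113.10/32 is a placeholder for your own public IP. The rule is only created in Azure when RDP_SOURCE is set, so the guard itself can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Opens TCP/3389 on the post's NSG
# from one trusted source prefix only, refusing the "anyone" values that
# "az vm open-port" would use. Names below are the post's; 203.0.113.10/32 is a
# placeholder for your own public IP.
set -eu

RG="mwp-test-ak"
NSG="mwp-test-ak-NetworkSecurityGroup"

# Return 0 when the source prefix is narrower than "everyone",
# 1 for the values that expose the port to the whole Internet.
rdp_source_is_restricted() {
  case "$1" in
    '*'|Internet|0.0.0.0/0|0.0.0.0|::/0) return 1 ;;
    '')                                  return 1 ;;
    *)                                   return 0 ;;
  esac
}

# Create the inbound allow rule for RDP from the given prefix. Priority 1000
# leaves room for lower-numbered (higher-precedence) rules later.
allow_rdp_from() {
  local src="$1"
  if ! rdp_source_is_restricted "$src"; then
    echo "refusing to open TCP/3389 to '$src'; pass a specific CIDR such as 203.0.113.10/32" >&2
    return 1
  fi
  az network nsg rule create \
    --resource-group "$RG" \
    --nsg-name "$NSG" \
    --name Allow-RDP-From-Admin \
    --priority 1000 \
    --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$src" \
    --destination-port-ranges 3389 \
    --output none
}

# Only talk to Azure when a source is supplied, e.g.:
#   RDP_SOURCE=203.0.113.10/32 bash rdp-rule.sh
if [ -n "${RDP_SOURCE:-}" ]; then
  allow_rdp_from "$RDP_SOURCE"
fi
```

Run it after the NIC has been attached to the NSG. If you already ran az vm open-port, delete the rule it created (named open-port-3389) so the permissive rule does not remain alongside the restricted one.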
Log Analytics Workspace
Agent data from the VM will be sent to the Log Analytics workspace, so we create the workspace first. In Azure Cloud Shell, create a new file with the vi editor ("vi loganalytics.json"), paste the JSON template (see below) into it, then save and close it with Esc and ":wq".
The template takes three parameters, described in its metadata as:
- “Specifies the name of the workspace.”
- “Specifies the location in which to create the workspace.”
- “Specifies the service tier of the workspace: Standalone, PerNode, Per-GB”
After this, execute this command line to deploy the template (on current Azure CLI versions the same command is spelled az deployment group create):
az group deployment create --resource-group mwp-test-ak --name mwp-test-ak-loganalytics --template-file loganalytics.json
When prompted, provide a workspace name that is globally unique across all Azure subscriptions, for example a name with dashes and/or a version such as mwp-test-ak-loganalytics.
A Log Analytics workspace will be created in Azure.
If you take a look at all the resources in the resource group, it would look like this:
Azure Security Center
Azure Security Center provides the tools needed to harden your network, secure your services and stay on top of your security posture.
We need to set the pricing tier and data collection twice: once for the subscription and once for the Log Analytics workspace.
First, set the pricing tier for the subscription to Standard. Do not forget to click the Save button.
The Microsoft Monitoring Agent can be installed automatically, but here we install it manually, so nothing needs to be configured in the Data collection tab at this point.
Second, set the Security policy pricing tier to Standard for the Log Analytics workspace as well; this costs about $15 per node per month (2020 pricing). Go to Pricing & settings again and select the Log Analytics workspace.
Under Data collection, set the Windows security events to collect and store to Common.
The Microsoft Monitoring Agent (delivered as a VM extension) can be installed automatically, manually, or pushed from either Security Center or the Log Analytics workspace. Once the agent is installed on the VM, data is collected in Log Analytics and shows up both in Security Center and in the workspace. In this case we push the agent from the Log Analytics workspace.
Go to the Log Analytics workspace and open the Virtual machines blade. Select the VM and click Connect.
Connecting the VM to Log Analytics takes a while (about 5 minutes).
Restart the VM to make sure everything is set up correctly.
Go to the recommendations list in Security Center (Compute & apps) to see what to do to prevent, detect, and respond to threats on this VM.
Log on to the VM with the username azureuser and the password you chose (this post uses ThisIsMyPassword1 as an example; do not reuse it) and check that the server is fully functional.
Under Apps & features you can see that the Microsoft Monitoring Agent is installed on the server.
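The post pushes the agent from the portal and checks Apps & features on the VM. As an added example (not from the original post), the script below does the same from the CLI, so it can be repeated for many VMs, and verifies the result from outside the VM: the extension's provisioning state and whether a heartbeat from the VM has reached the workspace. It assumes the resource group and VM names from the post, the workspace name you chose at deployment, Microsoft's extension publisher Microsoft.EnterpriseCloud.Monitoring with extension name MicrosoftMonitoringAgent, and an Azure CLI that has the az monitor log-analytics commands. Nothing is sent to Azure unless WORKSPACE_NAME is set.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install the Microsoft Monitoring
# Agent extension from the CLI and verify it. Names below are the post's.
set -eu

RG="mwp-test-ak"
VM="mwp-test-ak-VM"

# Extension settings. The workspace ID is public; the workspace key is a secret
# and belongs in protected settings, which Azure encrypts and never returns.
mma_public_settings() {
  printf '{"workspaceId":"%s"}' "$1"
}
mma_protected_settings() {
  printf '{"workspaceKey":"%s"}' "$1"
}

# Look up the workspace's customer ID (its workspaceId) and primary shared key.
workspace_id() {
  az monitor log-analytics workspace show \
    --resource-group "$RG" --workspace-name "$1" \
    --query customerId --output tsv
}
workspace_key() {
  az monitor log-analytics workspace get-shared-keys \
    --resource-group "$RG" --workspace-name "$1" \
    --query primarySharedKey --output tsv
}

# Push the agent to the VM; this is what the portal's Connect button does.
install_mma() {
  local ws="$1" id key
  id="$(workspace_id "$ws")"
  key="$(workspace_key "$ws")"
  az vm extension set \
    --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.EnterpriseCloud.Monitoring \
    --name MicrosoftMonitoringAgent \
    --settings "$(mma_public_settings "$id")" \
    --protected-settings "$(mma_protected_settings "$key")" \
    --output none
}

# Verify 1: the extension reached provisioningState "Succeeded".
mma_state() {
  az vm extension show --resource-group "$RG" --vm-name "$VM" \
    --name MicrosoftMonitoringAgent --query provisioningState --output tsv
}

# Verify 2: the VM's heartbeat has arrived in the workspace (a few minutes
# after install). An empty result means the agent is not reporting yet.
last_heartbeat() {
  az monitor log-analytics query \
    --workspace "$(workspace_id "$1")" \
    --analytics-query "Heartbeat | where Computer startswith '$VM' | summarize max(TimeGenerated)" \
    --output tsv
}

# Usage (only runs against Azure when a workspace name is given):
#   WORKSPACE_NAME=mwp-test-ak-loganalytics bash install-mma.sh
if [ -n "${WORKSPACE_NAME:-}" ]; then
  install_mma "$WORKSPACE_NAME"
  mma_state
  last_heartbeat "$WORKSPACE_NAME"
fi
```

A provisioning state of Succeeded only means the extension was installed; the heartbeat query is what tells you the agent actually authenticated to the workspace with the key, which is the check worth repeating after the restart the post recommends.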