Category Archives: Azure Security

How to improve security postures by adopting Azure Security Center

Optimal adoption of cloud solutions, useful for accelerating the digital transformation of businesses, must include a process capable of ensuring and maintaining a high degree of security of its IT resources, regardless of the deployment models implemented. Have a single infrastructure security management system, that strengthens your environment's security postures and provides enhanced threat protection for workloads, wherever they reside, becomes an indispensable element. The Azure Security Center solution achieves these goals and can address key security challenges. This article describes the features of the solution that allow you to improve and control the security aspects of the IT environment.

The challenges of cloud security

Among the main challenges that must be faced in the security field by adopting cloud solutions we find:

  • Always rapidly changing workloads. This aspect is certainly a double-edged sword of the cloud in that on the one hand, end users have the ability to get more out of solutions, on the other hand, it becomes complex to ensure that the constantly evolving services live up to their standards and that they follow all the best security practices.
  • Increasingly sophisticated attacks. No matter where your workloads are running, security attacks adopt sophisticated and advanced techniques that require you to implement reliable procedures to counter their effectiveness.
  • Resources and skills in the security field are not always up to par to address security alerts and ensure that environments are protected. Security is an evolving front and staying up to date is a constant and difficult challenge to achieve.

Azure Security Center can effectively respond to the challenges listed above by enabling you to prevent, detect and address security threats affecting Azure resources and workloads in hybrid and multicloud environments. Everything runs at the speed of the cloud, as the solution is fully natively integrated into the Azure platform and is able to ensure simple and automatic provisioning.

The security pillars covered by Azure Security Center

Azure Security Center features (ASC) are able to sustain two great pillars of cloud security:

  • Cloud Security Posture Management (CSPM): ASC is available for free for all Azure subscriptions. Enabling takes place when you visit the ASC dashboard for the first time in the Azure portal or by enabling it programmatically via API. In this mode (Azure Defender OFF) features related to the CSPM area are offered, including:
    • A continuous assessment that reports recommendations related to the security of the Azure environment. ASC continually discovers new resources that are deployed and assesses whether they are configured based on security best practices. If not,, resources are flagged and you get a priority list of recommendations for what you should fix to get them protected. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks. This benchmark is based on the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), with a focus on cloud-centric security.
    • Assigning a global score to your environment, that allows you to assess the risk profile and take action to take remediation actions.
  • Cloud workload protection (CWP): Azure Defender is the CWP platform integrated in ASC that offers advanced and intelligent protection of resources and workloads residing in Azure and in hybrid and multicloud environments. Enabling Azure Defender offers a range of additional security features as described in the following paragraphs.

Figure 1 – Pillars of Azure Security Center

What types of resources can be protected with Azure Defender?

Enabling Azure Defender extends the functionality of the free mode, also to workloads running in private clouds, at other public clouds and hybrid environments, providing comprehensive management and unified security.

Figure 2 – Azure Security Center security scopes

Among the main features of Azure Defender we find:

  • Microsoft Defender for Endpoint. ASC integrates with Microsoft Defender for Endpoint to provide comprehensive functionality of Endpoint Detection and Response(EDR). With this integration, you can take advantage of the following features:
    • Automated Onboarding: Once the integration is activated, the Microsoft Defender for Endpoint sensor is automatically enabled for the servers monitored by the Security Center, except for Linux and Windows Server systems 2019, for which it is necessary to make specific configurations. Server systems monitored by ASC will also be present in the Microsoft Defender for Endpoint console.
    • Microsoft Defender for Endpoint alerts will also be displayed in the ASC console, in order to keep all reports in a single centralized console.
  • Vulnerability Assessment for Virtual Machines and Container Registries. Vulnerability scanning included in ASC is done through the solutionQualys, This is recognized as a leader to identify in real time any vulnerabilities present on the systems. No additional license is required to take advantage of this feature.
  • Hybrid cloud and multicloud protection. Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. Furthermore, thanks to the multicloud support of Azure Defender for SQL, it is possible to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable for SQL Server activated in an on-premises environment, on virtual machines in Azure and also in multicloud deployments, contemplating Amazon Web Services (AWS) e Google Cloud Platform (GCP).
  • Access and application controls (AAC). It is a solution that can control which applications run on systems, this allows you to do the following:
    • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions.
    • Respect corporate compliance, allowing the execution of only licensed software.
    • Avoid using unwanted or obsolete software in your infrastructure.
    • Control access to sensitive data that takes place using specific applications.

All this is made possible thanks to machine learning policies, adapt to your workloads, which are used to create authorization and denial lists.

  • Threat protection alerts. Thanks to the integrated behavioral analysis features, the Microsoft Intelligent Security Graph and machine learning can identify advanced attacks and zero-day exploits. When Azure Defender detects a threat anywhere in your environment, generates a security alert. These alerts describe the details of the affected resources, the suggested correction steps and in some cases the possibility is provided to activate Logic Apps in response. All security alerts can be exported to Azure Sentinel, in third-party SIEM or other SOAR tools (Security Orchestration, Automation and Response) or IT Service Management.
  • Network map. To continuously monitor the security status of the network, ASC provides a map that allows you to view the topology of the workloads and evaluate if each node is configured correctly. By checking how the nodes are connected, you can more easily block unwanted connections which could potentially make it easier for an attacker to attack your network.

Azure Defender dashboard in ASC allows you to have visibility and undertake specific controls on CWP features for your environment:

Figure 3 – Azure Defender Dashboard

Azure Defender is free for the first 30 days, at the end of which if you choose to continue using the service, charges will be charged as reported in this document.


Azure Security Center helps you strengthen the security posture of your IT infrastructure. Thanks to the features offered, it is possible to implement best practices globally and obtain an overview in the security field. The solution combines the knowledge gained by Microsoft in the management of its services with new and powerful technologies suitable for dealing with and managing the issue of security in a conscious and effective way..

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) e Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.


The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.

Azure Security: how to secure the Azure Deployment and Resource Management service

To achieve a high level of security in your public cloud environment, you need to provide protection for the individual resources that are activated, however it is also appropriate to monitor the service that allows the distribution and management of the resources themselves. In the Microsoft public cloud, the deployment and management service is defined as Azure Resource Manager, a crucial service connected to all Azure resources, therefore a potential and ambitious target for attackers. Microsoft, aware of this aspect, recently announced Azure Defender for Resource Manager. This article describes the features of this solution that allows you to carry out an advanced security analysis, in order to detect potential threats and be alerted to suspicious activity affecting Azure Resource Manager.

In Azure Defender, there are protections designed specifically for individual Azure services, such as for Azure SQL DB, Azure Storage, Azure VMs, and protections that transversally affect all those components that can be used by the various Azure resources. These include Azure Defender for Azure Network, Key Vault and the availability of Azure Defender for Azure DNS and Azure Resource Manager was also announced recently. These tools allow you to obtain an additional level of protection and control in your Azure environment.

Figure 1 – Azure Defender Threat Protection for Azure Workloads

Azure Resource Manager provides the management layer that allows you to create, update and delete resources in the Azure environment. It also provides specific features for the governance of the Azure environment, such as access control, locks and tags, that help protect and organize resources after they are distributed.

Azure Defender for Resource Manager automatically monitors the organization's Azure resource management operations, regardless of whether these are done through the Azure portal, Azure REST APIs, the command line interface or with other Azure programming clients.

Figure 2 – Protection of Azure Defender for Resource Manager

To activate this type of protection, simply enable the specific Azure Defender plan in the Azure Security Center settings:

Figure 3 - Activation of Azure Defender for Resource Manager

Azure Defender for Resource Manager can enable protection when the following conditions occur:

  • Resource management operations classified as suspicious, such as operations from dubious IP addresses, disabling the antimalware component and ambiguous scripts running through the VM extensions.
  • Use of exploitation toolkits such as Microburst or PowerZure.
  • Lateral shift from the Azure management layer to the Azure resources data plane.

A complete list of alerts that Azure Defender for Resource Manager is able to generate, is located in this Microsoft's document.

Security alerts generated by Azure Defender for Resource Manager are based on potential threats that are detected by monitoring Azure Resource Manager operations using the following sources:

  • Azure Activity Log, the Azure platform log providing information about subscription-level events.
  • Azure Resource Manager Internal Logs, not accessible by customers, but only by Microsoft personnel.

In order to obtain a better and more in-depth investigation experience, it is advisable to merge the Azure Activity Logs into Azure Sentinel, following the steps in this Microsoft's document.

Simulating an attack on the Azure Resource Manager layer using the PowerZure exploitation toolkits, Azure Defender for Resource Manager generates an alert with high severity, as shown in the following image:

Figure 4 – Alert generated by Azure Defender for Resource Manager

For such an alert you can also receive a notification by appropriately setting up an action group in Azure Monitor. Furthermore, if the integration between Azure Security Center and Azure Sentinel has been activated, the same alert would also be present in Azure Sentinel, with the relevant information necessary to start the investigation process and provide a prompt response to a problem of this type.


Protecting resources effectively in the Azure environment also means adopting the appropriate tools to deal with potential attacks that can exploit the distribution and management mechanisms of the resources themselves. Thanks to the new tool Azure Defender for Resource Manager it is possible to take advantage of effective protection in a fully integrated way in the Azure platform, without having to install specific software or enable additional agents.

Azure Networking: how to monitor and analyze Azure Firewall logs

In network architectures in Azure where Azure Firewall is present, the firewall-as-a-service solution (FWaaS) which allows to secure the resources present in the Virtual Networks and to govern the related network flows, it becomes strategic to adopt tools to effectively monitor the relevant logs. This article explores how to best interpret logs and how you can do in-depth analysis of Azure Firewall, a component that often plays a fundamental role in network architectures in Azure.

An important aspect to check is that the diagnostic settings are correctly configured in Azure Firewall, to flow log data and metrics to an Azure Monitor Log Analytics workspace.

Figure 1 – Azure Firewall diagnostic settings

To get an overview of the diagnostic logs and metrics available for Azure Firewall, you can consult the specific Microsoft documentation.

One of the most effective ways to view and analyze Azure Firewall logs is to use Workbooks, that allow you to combine text, Log Analytics query, Azure metrics and parameters, thus conseasing interactive and easily searchable reports.

For Azure Firewall there is a specific workbook provided by Microsoft that allows you to obtain detailed information on events, know the applications and network rules activated and view the statistics on firewall activity by URL, ports and addresses.

The import of this workbook can be done via ARM template or Gallery template, following the instructions in this article.

Figure 2 – Azure Firewall Workbook Import

After completing the import process, you can consult the overview an overview of the different events and types of logs present (application, Networks, threat intel, DNS proxy), with the possibility of applying specific filters related to workspaces, time slot and firewalls.

Figure 3 – Azure Firewall Workbook overview

There is a specific section in the workbook for Application rule where are shown sources by IP address, the use of application rules, and FQDNs denied and allowed. Furthermore, you can apply search filters on application rule data.

Figure 4 – Azure Firewall Workbook – Application rule log statistics

Furthermore, in the section Network Rule you can view the information based on the actions of the rules (allow/deny), target ports and DNAT actions.

Figure 5 – Azure Firewall Workbook – Network rule log statistics

If Azure Firewall has been set to work also as DNS Proxy it is possible to view in the tab “Azure Firewall – DNS Proxy” of the Workbook also information regarding the traffic and DNS requests managed.

If it is necessary to carry out further information to obtain more information on the communications of specific resources, you can use the section Investigation going to act on the filters available.

Figure 6 – Azure Firewall Workbook – Investigation

To view and analyze activity logs, you can connect Azure Firewall logs to Azure Sentinel, the service that expands the capabilities of traditional SIEM products (Security Information and Event Management), using the potential of the cloud and artificial intelligence. In this way, through specific workbooks available in Azure Sentinel, you can expand your analytics capabilities and create specific alerts to quickly identify and manage security threats that affect this infrastructure component. To connect Azure Firewall logs to Azure Sentinel you can follow the procedure in this Microsoft's document.


Azure Firewall is a widely used service and is often the centerpiece of your network architecture in Azure, where all network communications transit and are controlled. It therefore becomes important to date yourself with a tool to analyze the metrics and information collected, able to provide valid support in the resolution of any problems and incidents. Thanks to the adoption of these Workbooks you can easily consult the data collected by Azure Firewall, using visually appealing reports, with advanced features that allow you to enrich the analysis experience directly from the Azure portal.

Microsoft Defender ATP: the protection of Linux systems

Many companies have infrastructures consisting of heterogeneous server operating systems and the difficulty of having to adopt and manage different security platforms to ensure protection of the entire machine fleet is known.. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), the security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats, also for Linux systems. This article describes how to protect Linux machines with this solution and provides an overview of how Microsoft Defender Security Center enables you to monitor and manage the security of the entire spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

Microsoft has steadily evolved its endpoint security platform in recent years Microsoft Defender Advanced Threat Protection (ATP), to the point of being recognized as a leader, also getting the highest positioning in the execution capacity, in the last Gartner quadrant of "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

The ability to protect Linux systems also makes it an even more complete solution, able to offer:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • An integration into alert monitoring within the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is the 3.10.0-327 and the feature that must be enabled is fanotify. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to scan files and, if necessary, block access to threats. The use of this feature must be totally dedicated to Microsoft Defender ATP, as the joint use of this feature by other security solutions, can lead to unpredictable results, including blocking the operating system.

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, you must allow proper network communication to specific URLs. In this spreadsheet Microsoft lists the associated services and URLs that the protected system must be able to connect to. For more details on this, see this Microsoft-specific document.

Microsoft Defender ATP uses the following proxy systems:

  • Transparent Proxy
  • Manual configuration of the static proxy

However, are not supported PAC files, WPAD and authenticated proxies. Please also note that SSL inspection mechanisms are not supported for security reasons.

Deployment methods

Microsoft Defender ATP activation on Linux systems can be done manually or through third-party management tools, including Ansible and Puppet, Microsoft documents in detail the steps to follow. Both tools have the following steps::

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Creating the manifest (Puppet) or the YAML file (Ansible).
  • Deployment that involves the enrollment of the agent and its configurations.

At the end of the installation process, you can fully manage the Microsoft Defender ATP component directly through bash.

Figure 3 – Running the mdadp command from a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

In the face of malware detections, alerts are reported within the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates to improve performance, security and provide new features for Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect the system, therefore, you must update the product before that date. For the procedure to update the solution, you can consult this document of Microsoft.

When you upgrade your Linux operating system to a new major release, you must first uninstall Microsoft Defender ATP for Linux, install the update and then reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments that have multiple systems, Microsoft Defender ATP for Linux can be easily managed through configuration profiles. The configuration profile is nothing more than a file with an extension ".json" composed of different voices, identified by a key (denoted the name of the preference) followed by a value. Values can be simple, as a numeric value, or complex, as a nested list of preferences.

These profiles can be distributed by the management tool available to you, going to manage it centrally. Distributed preferences will take precedence over locally set preferences on the system so that you can better govern the different settings. For more details on the structure of this profile and the methodologies to be used for its distribution, see this article of Microsoft.


Although there are those who say that Linux machines do not need security solutions, I personally believe that linux systems should also be properly protected as with any other operating system. Microsoft Defender ATP for Linux is constantly expanding and exciting new features are expected in the coming months to enrich the solution with new and advanced protection features. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to also include these systems in a unified protection strategy. The Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client machine fleet.

Azure Security Center: Azure Storage protection

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting hybrid architectures, it also provides enhanced protection for storage resources in Azure. The solution detects unusual and potentially harmful attempts to access or use Azure Storage. This article describes how to effectively protect storage in Azure with this solution, looking at the news recently announced in this area.

Azure Security Center (ASC) is possible to activate it in two different tiers:

  • Free tier. In this tier ASC is totally free and performs a continuous assessment, providing recommendations relating to the security of the Azure environment.
  • Standard tier. Compared to tier free adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and through the creation of whitelist is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the standard level adds the ability to perform in an integrated manner a Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Advanced Threat Protection (ATP) for Azure Storage, it is one of several features in Azure Security Center Standard.

Figure 1 – Comparison of the features of the different tiers of ASC

Enabling the Security Center Standard tier is strongly recommended to improve security postures in your Azure environment.

The Advanced Threat Protection feature (ATP) for Azure Storage was announced last year, allowing you to detect common threats such as malware, access from suspicious sources (including TOR nodes), data exfiltration activities and more, but all limited to blob containers. Support for Azure Files and Azure Data Lake Storage Gen2 has also been included recently. This also helps customers protect data stored in file shares and data stores designed for the analysis of corporate big data.

Enabling this feature from the Azure portal is very simple and can be done at the Security Center-protected subscription level or selectively on individual storage accounts.

To enable this protection on all storage accounts in your subscription, you must go to the "Pricing & Settings” of Security Center and activate the protection of Storage Accounts.

Figure 2 – ATP activation for Azure Storage at the subscription level

If you prefer to enable it only on certain storage accounts, you need to activate it in the respective settings of Advanced security.

Figure 3 – ATP activation on the single storage account

When anomaly occurs on a storage account, security alerts are sent by email to Azure subscription administrators, with details of detected suspicious activity and related recommendations on how to investigate and resolve threats.

Details included in the event notification include::

  • The nature of the anomaly
  • The name of the storage account
  • The time of the event
  • The type of storage
  • Potential causes
  • The recommended steps to investigate what has been found
  • The actions to be taken to remedy what happened

Figure 4 – Example of a security alert sent in the face of a detection of a threat

In this example, the EICAR test file was used to validate that the solution was working correctly.. This is a file developed by the’European Institute for Computer Anti-Virus Research (EICAR) which is used to securely validate security solutions.

Security alerts can be viewed and managed directly from Azure Security Center, where details and actions to investigate current threats and address future threats are displayed..

Figure 5 – Example of a security alert in the ASC Security alerts tile

To get the full list of possible alerts generated by unusual and potentially malicious attempts to log in or use storage accounts, you can access the Threat protection for data services in Azure Security Center.

This protection is very useful even if you have architecture that uses the service Azure File Sync (AFS), which allows you to centralize the network folders of your infrastructure in Azure Files.


Business companies are increasingly moving their data to the cloud, looking for distributed architecture, high performance and cost optimization. All features offered by the public cloud require you to strengthen cybersecurity, particularly given the increasing complexity and sophistication of cyberattacks. By adopting Advanced Threat Protection (ATP) for Azure Storage, you can increase the level of storage security used in your Azure environment easily and effectively.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use this feature and delves into its features.

Azure Security Center (ASC) carries out a continuous assessment of the environment and is able to provide the recommendations concerning the security of the environment. As described in this article you can customize the solution to meet your own security requirements and the recommendations that are generated. In the standard tier, these recommendations may not be limited to the Azure environment alone, but it will also be possible to contemplate hybrid environments and on-premises resources.

Standard Security Center also generates alert when potential security threats are detected on resources in your environment. ASC sets priorities, lists the alerts, provides the information you need to quickly investigate issues and provides recommendations on how to resolve attacks.

Azure Event Hubs is a streaming platform for big data and a service for the ingestion of events. Can receive and process millions of events per second. The data sent to a Event Hub can be transformed and stored using any real-time analytics provider or batch or storage adapters.

The new feature that was introduced in the Azure Security Center is called Continuos Export, supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
  • Export in a CSV file, for individual data exports (one shot).

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, you select the subscription for which you want to configure data export, and in the settings sidebar you select Continuos Export:

Figure 1 – Continuous export in ASC's subscription settings

In this case you chose to configure the export to a Log Analytics workspace. You can select which recommendations to export and their severity level. Also for security alerts you can choose for which level to export. Export creates an object, therefore, you should specify which resource group to place it in.. Finally, you will need to select the Log Analytics target workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for integration with Azure Monitor provides the ability to automatically create Alert rule already pre-configured.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules do not constitute the Action Group, therefore it is advisable to modify them to do a trigger to suit your needs.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, having gone into the recommendations and the ASC alerts in a workspace, you can configure in the Azure Monitor Alert rule customized based on Log Analytics query.

The security alerts and the ASC recommendations are stored in tables SecurityAlert and SecurityRecommendations of the workspace. The name of the Log Analytics solution that contains these tables is relative to the ASC tier, which can then be Security and Audit (standard tier) or SecurityCenterFree (tier free).

Figure 4 – Tables in Log Analytics

The configuration of Continuos Export towards Event Hubs is similar and it is the best methodology to incorporate the recommendations and the Azure Security Center alerts with third-party SIEM solutions. Following, shows the connectors for the main third-party SIEM solutions:

In Azure Sentinel is instead available Data connector , it is native to contemplate the Azure Security Center alerts.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.


With this new feature introduced in Azure Security Center, you can consolidate all the alerts and recommendations generated by the solution to other tools, opening up new possible integration scenarios even with third-party solutions. All this is made possible through an easily configurable mechanism, allowing you to be notified immediately and quickly take action. These aspects are crucial when dealing with security information.

Azure Security Center: how to customize the solution to meet your security requirements

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect resources in the Azure environment and workloads in hybrid environments. By assigning a global score to your environment, you can assess your risk profile and act to take remediation action in order to improve the security posture. The solution is based on general recommendations, but in some cases it is appropriate to customize it to better contemplate your security policies. This article describes how you can introduce this level of customization in order to increase the value provided by Azure Security Center.

Using custom security policies

The default recommendations in the solution are derived from general industry best practices and specific regulatory standards.

Figure 1 – Standard score and recommendations in Azure Security Center

Recently was introduced the ability to add your own Initiatives custom, to receive recommendations if security policies specifically set for your environment are not met. The custom initiatives that are created are fully integrated into the solution and will be covered in Secure Score and in compliance dashboards.

To create a initiative you can follow the steps below:

Figure 2 – Starting the process of creating a custom initiative

Within the Initiatives you can include Azure Policies built into your solution or your own custom policies.

In the example below, theinitiative includes the following two policies:

  • A custom that prevents peering against a Hub network that is in a given resource group.
  • A bult-in that verifies that Network Security Groups are applied to all subnets.

Figure 3 – Creating a custom initiative

Following, you need to proceed with the assignment of theinitiative custom:

Figure 4 – Starting the assignment process


Figure 5 – Assigning the custom initiative


Figure 6 – Displaying the assigned custom initiative

The display of the recommendations in Security Center is not immediate, but currently it takes about 1 hour and you can see it in the following section:

Figure 7 - Custom initiative in the Regulatory Compliance section


Disable default security policy

Under certain circumstances it may be desirable to disable certain controls present by default in the Azure Security Center solution, as they are not appropriate for your environment and you do not want to unnecessarily generate the events. To do this, you can take the following steps::

Figure 8 - Access to the Security Center default policy


Figure 9 – Selecting the default Security Center policy assignment


Figure 10 – Disabling a specific policy that is present by default



Azure Security Center natively provides a series of controls to constantly check for conditions that are considered anomalous and can have a direct impact on the security of your environment. The ability to introduce a level of customization into your solution, makes it more flexible and allows you to verify and apply security compliance policies on a large scale that are specific to your environment. To improve security postures it is essential to evaluate the adoption of this solution and applying a good level of customization it greatly increases its value.

Azure Security: Best Practices to improve Security Posture

The tendency to have more frequently solutions in the cloud and hybrid architectures requires you to adopt high security standards for your environment. But how do you get effective cloud security for Azure and what best practices you should follow? This article summarizes the key practices that you should use in Azure to ensure a high level of security and improve security postures.

MFA activation and restrictions for administrative access

For users with administrative rights, authentication should be enabled using administrative Multi-factor Authentication (MFA). In this regard it is very interesting to evaluate passwordless authentication mechanisms that require that the password be replaced with something that you own more something that you are or that you know.

Microsoft currently offers three distinct passwordless authentication scenarios:

Azure Active Directory provides the ability to enable MFA mechanisms, including passwordless authentication. MFA mechanisms based on text messages are easier to bypass, so it's good to target different Multi-factor authentication mechanisms or passwordless.

Minimize the number of people and their time, for administrative access to Azure resources, it is a practice to be adopted because it reduces the possibility of an attacker obtaining administrative access or an authorized user inadvertently affecting a specific resource. To enable authorized users to perform administrative actions, you can offer just-in-time privileged access (JIT) Azure and Azure AD resources. To do this, the Azure Active Directory service is adopted (Azure AD) Privileged Identity Management (PIM) which allows you to manage, controlling and monitoring access to company resources is a good practice to take.

Another key aspect to consider is the use of secure and isolated workstations for sensitive roles. In this official Microsoft document you can get to obtain more details about it.

Segmentation and adoption of the Zero Trust model

The security model, definedZero trust and in contrast with the conventional models based on perimeter security, involves adopting an approach to micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, it is good to adopt a clear and simple segmentation strategy, allowing stakeholders with a clear understanding, to facilitate and monitor effective management. It will also be useful to assign the necessary permissions and appropriate network controls.

In this regard, we report a reference design regarding the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical Hub-Spoke network model, where theHub is a virtual network in Azure that serves as a point of connectivity to the on-premises network andSpoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

Figure 2 – Reference Enterprise Design – Azure Network Security

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment to better protect and segregate network flows is now mandatory.

The choice may involve the adoption of:

  • Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by Web App Firewall (WAF) of the Application Gateway, an application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic. The Web Application Firewall Module (WAF) for web publications achieves an application protection, based on OWASP Core Rule sets rules. The WAF protects applications from vulnerabilities and common attacks , such as X-Site Scripting and SQL Injection attacks. These solutions are suitable for most of the scenarios and offer intrinsic high availability and scalability functionality as well as a simple configuration and centralized management.
  • Solutions provided by third-party vendors that are available in the Azure Marketplace. The Network Virtual Appliances (NVAs) are numerous, and can provide advanced features and provide continuity in the user experience compared to solutions already active in the on-premises environment. Typically the configuration of these solutions is more complex and the cost tends to be higher than Microsoft solutions.

Choosing a DDoS Mitigation Solution for critical applications

Very important is the protection of all critical applications from distributed denial-of-service cyberattacks (DDoS – Distributed Denial of Service). These attacks are aimed at deliberately to exhaust the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way.

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

The protectionBasic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS ProtectionStandard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. To improve the security posture of your Azure environment is essential to assess the adoption of this solution, it is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is totally free and it will do a continuously assessment, providing recommendations relating to the security of the Azure environment.
  • Standard tier. Compared to tier free adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and through the creation of whitelist is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the standard level adds the ability to perform in an integrated manner a Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a score to your environment, useful for monitoring the risk profile and for try to constantly improve the security postures, applying remediation actions. Good rule is to verify on a regular basis (least monthly) the security score provided by Azure Security Center and program initiatives aimed at improving specific areas. Furthermore, it is recommended to carefully check the alert that Security Center Standard generates when it detects potential security threats on its resources. Security Center sets priorities, lists the alerts, provides the information needed to quickly examine the problems and provides advice on how to resolve any attacks.

Introduce security in development and release stages

The adoption of DevOps models to deploy Azure applications and services enable, as well as providing maximum agility, to obtain benefits in terms of security. In DevOps models can be engaged in development and management stages the teams dedicated to quality control and security throughout the application lifecycle. Using Infrastructure-as-Code processes(IaC) it is possible to define and monitor the compliance on a large scale.

Do not use legacy technologies

In Azure environment it is not recommended the adoption of classical Network Intrusion Detection System (NIDS) and Network Intrusion Prevention Systems (NIPS) since the platform is able to filter out malformed packets natively. The solutions NIDS / NIPS are generally based on outdated signature-based approaches that can be easily removed during attempted attacks and generally produce a high false positive rate.


Achieve a high level of security in Azure environments is a major challenge that needs to be won and it requires constant monitoring, review and updating of security postures. This article have been reported those that are considered the main best practices of security offered by a direct field experience, which it is always good to enrich them by taking further precautions.

Azure Security: how to do a Vulnerability Assessment using azure Security Center

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting Azure resources and workloads in hybrid environments, recently enhanced with the ability to integrate a Vulnerability Assessment for Virtual Machines in Azure. This article explains how you can complete a vulnerability assessment process by using the Azure Security Center, examining the characteristics of the solution.

Vulnerability scanning included in Azure Security Center (ASC) is done through the solution Qualys, which is recognized as a leading tool for real-time identification of potential vulnerabilities in the systems. In order to use this feature you must adhere to the standard tier of Security Center, and in this case you will need to not incur additional licensing fees. The Standard tier also adds advanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats.

If you wish to keep the tier free of ASC you can still make the deployment of solutions to perform a vulnerability assessment, which Qualys and Rapid7, but it is necessary to provide the management of the licensing costs, the distribution and configuration. For more details about the cost of Azure Security Center and for a comparison between the Free and the Standard tier, see the Microsoft's official documentation.

The most immediate and rapid method to scan for vulnerabilities in Azure is using the integrated solution Qualys in the Standard Tier of Azure Security Center. To enable it, simply go to the ASC Recommendations and select “Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)“, come mostrato dall’immagine seguente:

Figure 1 - Recommendation of Azure Security Center to enable vulnerability assessment solution

Selecting this option Azure virtual machines are divided into the following categories:

  • Healthy resources: systems where the extension has been deployed to complete a vulnerability scan.
  • Unhealthy resources: machines where you can enable the extension to scan for vulnerabilities.
  • Not applicable resources: systems where the extension is not present and that it is not possible to enable it because they belong to the ASC tier free or because the operating system is among those not supported. Among the supported operating systems are: RHEL 6.7/7.6, Ubuntu 14.04/18.04, Centos 6.10/7/7.6, Oracle Linux 6.8/7.6, SUSE 12/15, and Debian 7/8.

Figure 2 - Enabling the solution

Selecting the machines of interest and pressing the button Remediate will be onboarded to the built-in Vulnerability Assessment solution. As a result, the specific extension will be installed on the systems and the first scan will be automatically started at the end of the installation.. The extesion is based on the Azure Virtual Machine agent and therefore runs in the Local Host context on Windows systems, and Root on Linux ones.

The names of the extension that will be present on the enabled systems are listed, for which the provider will always be Qualys:

  • Linux Machines: “LinuxAgent.AzureSecurityCenter”
  • Windows Machines: “WindowsAgent.AzureSecurityCenter”

As for extension updates, the same rules apply to other extensions, so the fewest versions of Qualys' scanner will be automatically deployed following an in-depth testing phase.. In some cases, you may need manual actions to complete the upgrade.

After the scan is complete, any vulnerabilities detected on the systems will be reported in the Recommendations by ASC.

Figure 3 – ASC notification reporting the presence of recommendations for intercepted vulnerabilities

Selecting the recommendation provides details of all vulnerabilities detected, severity and its status:

Figure 4 – List of detected security vulnerabilities

By selecting the single vulnerability you can see the details, potential impacts, remediation actions and affected systems.

Figure 5 – Information reported for each individual vulnerability detected


To strengthen the security posture of your environment you definitely should consider adopting Azure Security Center in the standard tier, that among the various functionality it allows to check that they are applied in a strict manner all safety criteria and allows to constantly monitor the compliance criteria. The inclusion in the solution of a vulnerability assessment tool, provided by Qualys, industry leader, adds further value to the solution, also be able to draw on the knowledge gained by this vendor in the discovery of vulnerabilities.