title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.devlang | ms.topic | ms.tgt_pltfrm | ms.workload | ms.date | ms.author |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Azure Security Center Platform Migration \| Microsoft Docs | This document explains some changes to the way Azure Security Center data is collected. | security-center | na | YuriDio | mbaldwin | | 80246b00-bdb8-4bbc-af54-06b7d12acf58 | security-center | na | hero-article | na | na | 07/24/2017 | yurid |

Beginning in early June 2017, Azure Security Center rolls out important changes to the way security data is collected and stored. These changes unlock new capabilities, like the ability to easily search security data, and better align with other Azure management and monitoring services.
Note
The platform migration should not impact your production resources, and no action is necessary from your side.
Previously, Security Center used the Azure Monitoring Agent to collect security data from your VMs. This includes information about security configurations, which are used to identify vulnerabilities, and security events, which are used to detect threats. This data was stored in your Storage account(s) in Azure.
Going forward, Security Center uses the Microsoft Monitoring Agent, the same agent used by the Operations Management Suite and Log Analytics service. Data collected by this agent is stored in either an existing Log Analytics workspace associated with your Azure subscription or in one or more new workspaces, taking into account the geolocation of the VM.
As part of the transition, the Microsoft Monitoring Agent (for Windows or Linux) is installed on all Azure VMs from which data is currently being collected. If the VM already has the Microsoft Monitoring Agent installed, Security Center leverages the currently installed agent.
For a period of time (typically a few days), both agents will run side by side to ensure a smooth transition without any loss of data. This will enable Microsoft to validate that the new data pipeline is operational before discontinuing use of the current pipeline. Once verified, the Azure Monitoring Agent will be removed from your VMs. No work is required on your part. An email will notify you when all customers have been migrated.
It is not recommended that you manually uninstall the Azure Monitoring Agent during the migration as gaps in security data could result. Please consult Microsoft Customer Service and Support if you need further assistance.
The Microsoft Monitoring Agent for Windows requires the use of TCP port 443. See the Azure Security Center Troubleshooting Guide for more information.
Note
Because the Microsoft Monitoring Agent may be used by other Azure management and monitoring services, the agent will not be uninstalled automatically when you turn off data collection in Security Center. However, you can manually uninstall the agent if needed.
As described previously, data collected from the Microsoft Monitoring Agent (on behalf of Security Center) is stored in either existing Log Analytics workspace(s) associated with your Azure subscription or new workspace(s), taking into account the geolocation of the VM.
In the Azure portal, you can browse to see a list of your Log Analytics workspaces, including any created by Security Center. A related resource group will be created for new workspaces. Both follow this naming convention:
- Workspace: DefaultWorkspace-[subscription-ID]-[geo]
- Resource Group: DefaultResourceGroup-[geo]
For workspaces created by Security Center, data is retained for 30 days. For existing workspaces, retention is based on the workspace pricing tier.
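The naming convention and retention rule above can be applied to a workspace inventory to see which workspaces follow the Security Center pattern and therefore keep data for only 30 days. This is an added example, not Microsoft's code; the function names, the sample inventory, the geo tokens and the assumption that the subscription ID is a standard GUID are all constructed for illustration.

```python
import re

# Convention from the page:
#   Workspace:      DefaultWorkspace-[subscription-ID]-[geo]
#   Resource group: DefaultResourceGroup-[geo]
# Assumptions: [subscription-ID] is a 36-character GUID (which itself contains
# hyphens) and [geo] is an opaque alphanumeric token.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
WORKSPACE_RE = re.compile(rf"^DefaultWorkspace-(?P<sub>{GUID})-(?P<geo>[A-Za-z0-9]+)$")
GROUP_RE = re.compile(r"^DefaultResourceGroup-(?P<geo>[A-Za-z0-9]+)$")
DEFAULT_RETENTION_DAYS = 30  # stated on the page for workspaces Security Center creates


def classify(name, resource_group, subscription_id):
    """Check one workspace against the convention; a name match is a heuristic only."""
    result = {"name": name, "matches_convention": False, "geo": None,
              "retention_days": None, "findings": []}
    ws = WORKSPACE_RE.match(name)
    if ws is None:
        result["findings"].append("existing workspace: retention follows pricing tier")
        return result
    result.update(matches_convention=True, geo=ws["geo"],
                  retention_days=DEFAULT_RETENTION_DAYS)
    if ws["sub"].lower() != subscription_id.lower():
        result["findings"].append("subscription ID in name differs from owning subscription")
    rg = GROUP_RE.match(resource_group)
    if rg is None or rg["geo"].lower() != ws["geo"].lower():
        result["findings"].append("resource group does not match DefaultResourceGroup-[geo]")
    return result


def audit(inventory):
    """Classify every (workspace name, resource group, subscription ID) row."""
    return [classify(*row) for row in inventory]


# Constructed sample inventory (placeholder subscription ID and geo tokens).
SUB = "11111111-2222-3333-4444-555555555555"
SAMPLE = [
    (f"DefaultWorkspace-{SUB}-EUS", "DefaultResourceGroup-EUS", SUB),
    (f"DefaultWorkspace-{SUB}-WEU", "prod-monitoring", SUB),
    ("contoso-ops-workspace", "prod-monitoring", SUB),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Workspaces reported with `retention_days` of 30 are the ones to review if investigations need security data older than that window.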
Note
Data previously collected by Security Center remains in your Storage account(s). After the migration is complete, you can delete these Storage accounts.
For existing customers that don’t have the OMS Security solution installed, Microsoft is installing it on their workspace, but targeting only Azure VMs. Do not uninstall this solution, as there is no automatic remediation if this is done from the OMS management console.
In conjunction with the platform migration, we are rolling out some additional minor updates:
- Additional OS versions will be supported. See the list here.
- The list of OS vulnerabilities will be expanded. See the list here.
- Pricing will be pro-rated hourly (previously it was daily), which will result in cost savings for some customers.
- Data Collection will be required and automatically enabled for customers on the Standard pricing tier.
- Azure Security Center will begin discovering antimalware solutions that were not deployed via Azure extensions. Discovery of Symantec Endpoint Protection and Defender for Windows 2016 will be available first.
- Prevention policies and notifications are only configurable at the Subscription level, but pricing can still be set at the Resource Group level.