To further protect its Azure customers, Microsoft announced a range of security enhancements for the platform - and for Azure Security Center in particular - at Ignite 2019.
First up is better threat protection for cloud resources through Azure Sentinel, Microsoft's cloud-native security information and event management (SIEM) service. The aim is to let threats be investigated, hunted and correlated with other signals more quickly.
Sentinel also gains built-in hunting queries for Linux and network events, the ability to launch Azure Notebooks directly from the SIEM, and new analytics and investigation tools that give better insight into suspicious URLs. Through new connectors from security partners and new Microsoft Graph Security API integrations, Sentinel can now ingest endpoint, network and identity data from third-party security vendors, and business customers can sync alerts between Sentinel, other Microsoft solutions, and third-party ticketing and security management products. All of these enhancements are available in preview.
Azure Security Center
At the conference, the Redmond giant also announced a number of enhancements to Security Center: workflow automation using Azure Logic Apps, continuous export integrations, better alert and recommendation reporting, onboarding of on-premises servers through Windows Admin Center, and the Azure Security Center Community, a central GitHub repository that is open to contributors.
First up is workflow automation through playbooks built on Azure Logic Apps. Customers can define policies that automatically trigger a playbook when Security Center produces a specific finding - an alert or a recommendation. This capability is now generally available.
With continuous export, enterprise customers can consume Security Center alerts and recommendations outside the Azure portal and its API. Alerts and recommendations can be exported to Azure Event Hubs, to a Log Analytics workspace - where custom dashboards can be built with Power BI - and more. Continuous export is now in public preview.
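As an added example that is not part of the original article or any Microsoft sample, the following ARM template wires up both of the capabilities just described through the `Microsoft.Security/automations` resource type that Security Center uses for workflow automation and for continuous export: one automation hands every High severity alert to a Logic Apps playbook, the other exports Medium and High alerts plus all recommendations to a Log Analytics workspace. The automation names, parameter names, target resource IDs and the `Severity` filter path are assumptions to be checked against the current API reference for your environment.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "logicAppResourceId": {
      "type": "string",
      "metadata": { "description": "Assumed: resource ID of an existing Logic App (the playbook)" }
    },
    "logicAppTriggerUri": {
      "type": "securestring",
      "metadata": { "description": "Assumed: the Logic App trigger callback URL; anyone holding it can invoke the playbook, so keep it secret" }
    },
    "workspaceResourceId": {
      "type": "string",
      "metadata": { "description": "Assumed: resource ID of the Log Analytics workspace that receives the export" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "HighSeverityAlertsToPlaybook",
      "location": "[resourceGroup().location]",
      "properties": {
        "isEnabled": true,
        "description": "Workflow automation: run the playbook for every High severity alert in this subscription",
        "scopes": [
          { "description": "Whole subscription", "scopePath": "[subscription().id]" }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              {
                "rules": [
                  { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "High", "operator": "Equals" }
                ]
              }
            ]
          }
        ],
        "actions": [
          {
            "actionType": "LogicApp",
            "logicAppResourceId": "[parameters('logicAppResourceId')]",
            "uri": "[parameters('logicAppTriggerUri')]"
          }
        ]
      }
    },
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "ExportAlertsAndRecommendations",
      "location": "[resourceGroup().location]",
      "properties": {
        "isEnabled": true,
        "description": "Continuous export: Medium and High alerts plus all recommendations to Log Analytics",
        "scopes": [
          { "description": "Whole subscription", "scopePath": "[subscription().id]" }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              { "rules": [ { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "Medium", "operator": "Equals" } ] },
              { "rules": [ { "propertyJPath": "Severity", "propertyType": "String", "expectedValue": "High", "operator": "Equals" } ] }
            ]
          },
          { "eventSource": "Assessments" }
        ],
        "actions": [
          { "actionType": "Workspace", "workspaceResourceId": "[parameters('workspaceResourceId')]" }
        ]
      }
    }
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file automations.json --parameters logicAppResourceId=... logicAppTriggerUri=... workspaceResourceId=...`. Rules inside one ruleSet are ANDed and separate ruleSets are ORed, which is why the Medium and High filters sit in two ruleSets rather than one; an `Assessments` source with no ruleSets exports every recommendation. In the workspace the exported data lands in the `SecurityAlert` and `SecurityRecommendation` tables, which is what a Power BI or Azure Monitor workbook dashboard would query. The trigger URI is passed as a `securestring` because it is effectively a bearer credential for the playbook.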
A preview of improved reporting for Security Center alerts and recommendations is also available, letting customers download an Excel/CSV report with detailed alert data and direct links to each alert or recommendation in the Azure portal.
Also announced in preview is a set of data security features for SQL Server databases running on Azure VMs. Security Center now supports vulnerability assessment and threat protection for these databases, continuously monitoring for suspicious activity and recommending actions to investigate or mitigate a detected threat.
The vulnerability assessment is powered by Qualys and is also coming - for now in public preview - to the Security Center Standard tier at no additional charge. It continuously scans the applications installed in virtual machines for vulnerabilities and surfaces the findings in the Security Center portal.
Vulnerability assessment in Security Center now also covers Azure Container Registry: images in registries within the subscription are scanned, and customers receive recommendations for addressing the specific vulnerabilities found.
Threat protection for Azure Kubernetes Service (AKS) is also available in public preview, including continuous discovery of managed AKS instances across subscriptions registered with Security Center, actionable recommendations for aligning with security best practices, and host- and cluster-level analytics.
If you run an on-premises Windows Server and manage it through Windows Admin Center, you can now onboard it to Security Center and view its security alerts and recommendations directly from the Admin Center experience.
Azure Firewall Manager (public preview)
Last but not least is Azure Firewall Manager, now in public preview, which provides central management for Azure Firewall, Microsoft's "cloud-native firewall-as-a-service". It lets enterprise customers govern and log traffic flows using a DevOps approach, supports application- and network-level filtering rules, and integrates with the Microsoft Threat Intelligence feed.
Firewall Manager can manage multiple Azure Firewall instances in a hub-and-spoke architecture, automating deployment and enforcing firewall policies across all of them at once, so that traffic governance and protection are consistent across the business.