I spend most of my time working with organizations that are considering, migrating to, or have already migrated to Azure or Microsoft 365. Most of their conversations are about the cool new features that become available and how end users will be empowered by them. On the flip side, I also have many conversations after companies have moved to Office 365, and those usually revolve around how to stop access, control sharing, or apply security best practices within the service.
One critical but not so sexy area is logging and alerting. Honestly, few organizations open their first conversation about moving to the cloud with "what logging can we get, and I want lots of alerts." It is a boring subject whether you run on-premises, cloud, or hybrid services, and no IT or security team enjoys trawling through log files or receiving millions of alerts about user activity. It is, however, a critical factor in a successful deployment and migration to the cloud.
Will we still be looking at logs in the cloud?
Yes, you will. Activity across the Microsoft 365 cloud platform is logged and captured. Running within the service itself is Microsoft's telemetry platform, which captures all kinds of information from different signals. On top of that, each application logs everything from errors and user activity to security events. All of this data is normalized and then made available in various forms: log tools, web interfaces in the admin portals, REST APIs, and Microsoft Graph endpoints.
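As an added example (not code from the original post), here is one way to pull that logged activity out of the service: querying the Microsoft 365 unified audit log from PowerShell for SharePoint and OneDrive sharing events, flattening the JSON payload, and putting guest (external) shares at the top of the list. It assumes the ExchangeOnlineManagement module and an account with the View-Only Audit Logs or Audit Logs role; the 7-day window, the operations list and the CSV path are illustrative choices. Keep in mind that the unified audit log only retains events for a limited period (typically 90 days, depending on licence), so export what you need to keep.

```powershell
# Added example, not code from the original post: pull SharePoint and OneDrive
# sharing events from the Microsoft 365 unified audit log and summarise who
# shared what with whom. Needs the ExchangeOnlineManagement module and an
# account holding the View-Only Audit Logs (or Audit Logs) role.
# Assumptions: the 7-day window and the list of operations are illustrative.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = @('SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated')

# Page through the result set: each call returns at most 5000 records, and the
# same SessionId keeps returning the next page until nothing is left.
$sessionId = 'sharing-review-' + [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointSharingOperation -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page)

# AuditData is a JSON string; flatten the fields a reviewer cares about.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = [datetime]$d.CreationTime
        User       = $d.UserId
        Operation  = $d.Operation
        SharedWith = $d.TargetUserOrGroupName   # recipient of the share
        TargetType = $d.TargetUserOrGroupType   # Member, Guest, SecurityGroup, ...
        Object     = $d.ObjectId
        ClientIP   = $d.ClientIP
    }
}

# External (guest) shares are the ones to review first.
$events | Where-Object { $_.TargetType -eq 'Guest' } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Quick overview: how many of each operation, per recipient type.
$events | Group-Object Operation, TargetType |
    Select-Object Count, Name | Sort-Object Count -Descending

# Keep a copy: the unified audit log has a limited retention window.
$events | Export-Csv -Path '.\sharing-events.csv' -NoTypeInformation
```

The same pattern (RecordType plus Operations filter, ReturnLargeSet paging, ConvertFrom-Json on AuditData) works for any other workload in the unified audit log, such as Exchange mailbox access or Azure AD sign-ins; only the field names inside AuditData change.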
Security alerting and the Azure Security Center?
Alerts are the notifications that Azure Security Center generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information you need to investigate the problem quickly. To detect real threats and reduce false positives, Security Center collects, analyzes, and integrates log data from all Azure resources, the network, and connected solutions such as firewalls and endpoint protection, correlating information from multiple sources to identify threats. If you run on-premises or hybrid infrastructure, Security Center can monitor those resources as well.
Security incidents in the Azure Security Center
A security incident is a collection of related alerts, rather than each alert listed individually. Azure Security Center uses fusion, its correlation engine, to combine different alerts and low-fidelity signals into security incidents. Through incidents, Security Center gives you a single view of an attack campaign and all of its related alerts.
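As an added example (not code from the original post) covering both the alerts and the incidents sections above, here is a PowerShell snippet that pulls the active Security Center alerts for a subscription and groups them by the entity they concern, with the worst severity and the time span per entity. This is a rough local view of what incident correlation does for you, not Security Center's fusion logic itself. It assumes the Az.Accounts and Az.Security modules; '<subscription-id>' is a placeholder, and the property names used (State, CompromisedEntity, ReportedSeverity, ReportedTimeUtc, AlertDisplayName) follow the Az.Security alert model of this period, so newer module versions may rename some of them (for example Status and Severity).

```powershell
# Added example, not code from the original post: list active Security Center
# alerts for a subscription and group them by the entity they concern, a rough
# local view of how incidents roll related alerts together. Needs Az.Accounts
# and Az.Security. Assumptions: '<subscription-id>' is a placeholder, and the
# property names (State, CompromisedEntity, ReportedSeverity, ReportedTimeUtc,
# AlertDisplayName) follow the Az.Security alert model of this period; newer
# module versions rename some of them (e.g. Status, Severity).
Connect-AzAccount | Out-Null
Set-AzContext -Subscription '<subscription-id>' | Out-Null

$alerts = Get-AzSecurityAlert | Where-Object { $_.State -eq 'Active' }
$rank   = @{ High = 3; Medium = 2; Low = 1; Informational = 0 }

$alerts | Group-Object CompromisedEntity | ForEach-Object {
    # Oldest first, so [0] and [-1] give the span of activity on this entity
    $group = @($_.Group | Sort-Object ReportedTimeUtc)
    $worst = $group | Sort-Object { $rank[$_.ReportedSeverity] } -Descending | Select-Object -First 1
    [pscustomobject]@{
        Entity      = $_.Name
        AlertCount  = $group.Count
        TopSeverity = $worst.ReportedSeverity
        FirstSeen   = $group[0].ReportedTimeUtc
        LastSeen    = $group[-1].ReportedTimeUtc
        Alerts      = ($group.AlertDisplayName | Select-Object -Unique) -join '; '
    }
} | Sort-Object { $rank[$_.TopSeverity] }, AlertCount -Descending | Format-Table -AutoSize
```

An entity with several distinct low- or medium-severity alerts in a short window is exactly the kind of pattern fusion turns into an incident; in this output it shows up as a high AlertCount with a tight FirstSeen/LastSeen span.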
How can I use the Azure Security Center?
Azure Security Center is enabled with your Microsoft Azure subscription and accessed from the Azure portal. It is available in two tiers. The Free tier provides visibility into the security state of your Azure resources, a basic security policy, security recommendations, and integration with security products and services from partners. The Standard tier adds advanced threat detection, including threat intelligence, behavioral analysis, anomaly detection, security incidents, and threat attribution reports; it is enabled and billed per resource type.
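As an added example (not code from the original post), the tier and notification settings above can be checked and changed from PowerShell. The snippet below shows which resource types are still on the Free tier, moves them to Standard, and then registers a security contact so that alerts are actually e-mailed to someone. It assumes the Az.Accounts and Az.Security modules; the contact e-mail and phone number are placeholders, and because Standard is billed per resource you should check the cost before running the upgrade loop in a large subscription.

```powershell
# Added example, not code from the original post: see which resource types are
# still on the Free tier, move them to Standard, and make sure alerts reach a
# human. Needs Az.Accounts and Az.Security. Assumptions: the contact e-mail and
# phone number are placeholders; Standard is billed per resource, so check the
# cost before running the upgrade loop in a large subscription.
Connect-AzAccount | Out-Null

# Current tier per resource type (VirtualMachines, SqlServers, AppServices, StorageAccounts, ...)
Get-AzSecurityPricing | Select-Object Name, PricingTier | Format-Table -AutoSize

# Upgrade everything still on Free to Standard.
Get-AzSecurityPricing | Where-Object { $_.PricingTier -eq 'Free' } | ForEach-Object {
    Set-AzSecurityPricing -Name $_.Name -PricingTier 'Standard' | Out-Null
    "Upgraded $($_.Name) to Standard"
}

# Threat detection is only useful if someone is told about it: register a
# security contact and turn on e-mail notifications for alerts, including to
# subscription owners.
Set-AzSecurityContact -Name 'default1' -Email 'secops@example.com' -Phone '+1-555-0100' `
    -AlertAdmin -NotifyOnAlert | Out-Null

# Verify both settings: the second command should return nothing.
Get-AzSecurityContact | Select-Object Name, Email, AlertNotifications, AlertsToAdmins
Get-AzSecurityPricing | Where-Object { $_.PricingTier -ne 'Standard' }
```

Without the Standard tier the threat detection, incidents and attribution described above are simply not produced, and without a security contact they are produced but nobody is told; both settings are worth auditing on every subscription, not just the one you happen to be looking at.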
Want to know how to use the Azure Security Center? We can help, just reach out.