Azure Security Center

Do you have an idea or suggestion based on your experience with Azure Security Center? We would love to hear it! Please take a few minutes to submit your ideas or vote up an idea submitted by another customer. All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Security Center. Remember that this site is only for feature suggestions and ideas!

For further reading on Azure Security Center, see our documentation. For general discussion, use our discussion forum. For technical support, take advantage of these support options.

  1. Make it easier to enable Security Center standard tier on specific VMs.

    Currently, it seems that enabling SC Standard tier is either ALL VMs in a subscription, or none (or perform manual install). Surely it makes sense for Security Center to have a mechanism to install on specific VMs?

    Maybe using Tags, or some other way to group VMs (tags seem like the obvious way to do this).

    At the moment, I can't justify switching it on for hundreds of VMs, at $15 per month when we only need it on 10 - 20. Manual install is a workaround, but hardly agile.

    Come on, this is a basic core requirement isn't it?

    1 vote
    0 comments
  2. Disable out-of-the-box security standards

    ASC comes with out-of-the-box security standards such as PCI-DSS, ISO 27001, CIS, and SOC TSP. These standards cannot be removed/disabled. However, every organization is different. For example, non-payment industry organizations will most likely not follow PCI-DSS controls. This leads to a cluttering of the security center dashboard, and thus reduces usability. Admins should have the ability to disable these out-of-the-box standards.

    1 vote
    0 comments
  3. ASC custom recommendations should not include regulatory or non-custom recommendations

    Adding a policy initiative to ASC such as CIS 1.1.0 (new) results in a "custom recommendations" category being created that includes some policies from the CIS initiative.

    This is very confusing as (i) there is no explanation as to why the category/policies have appeared and (ii) they are not custom recommendations, i.e. to create a custom recommendation within ASC a specific procedure is required as outlined at https://docs.microsoft.com/en-gb/azure/security-center/custom-security-policies .

    Suggestion: Create a control category that reflects the origin of the policies e.g. "Custom recommendations - CIS 1.1.0 (new)".

    1 vote
    0 comments
  4. Provide API for proactive ATP scan

    ATP for storage accounts is a really useful service, but it often takes hours for a threat to be identified. It would be great if there was a function in the Blob API that could be called proactively to scan using ATP prior to upload.

    1 vote
    0 comments
  5. Provide mechanism to quarantine potential malware identified by ATP

    It's great that ATP for Storage Accounts can identify potential malware when it gets uploaded to a blob container, but it is lacking a mechanism to automatically deal with the threat. The only solution I have been able to come up with is to delete the blob using workflow automation and a logic app. It would be great if there was a way to automatically quarantine the blob, which I would expect is what nearly all your users would want to happen in this scenario.

    1 vote
    0 comments
  6. CIS level of each virtual machine

    ACS has the availability to see the level of compliance of CIS in each subscription of the platform. But I miss being able to know the level of CIS in each virtual machine that has Windows. For example, if I deploy a Windows Server 2016 with CIS level 2 in Azure, and I disable some items of the list, it would be better to have a solution that gives me that information, just like what happens with Secure Score in ACS.

    1 vote
    0 comments
  7. Provide last scan date

    When we analyse the vulnerabilities found by security center, it would be good to know when the scan has been executed, to have a proper control of the improvements we implement and check if it has the expected effect.

    1 vote
    0 comments
  8. Allow finer control of resources that Azure Security Center is enabled on

    Unfortunately, with Azure Security Center, the option is not available to enable it individually per VM. But for SQL servers / Storage accounts standard features i.e. ‘Advance Data Security’ and ‘Advance Threat Protection’, these can be enabled per resource. It would be useful to have finer control over which resources (specifically VMs) the Security Center is enabled for to avoid enabling it on machines (for example, in a log analytics workspace) that don't need the additional features that Security Center brings. I'm aware this is somewhat of a duplicate of https://feedback.azure.com/forums/347535-azure-security-center/suggestions/38576143-can-i-enable-azure-security-center-policy-to-a-si but since my suggestion has more context I feel…

    1 vote
    0 comments
  9. Database vulnerability items listed on security scan report is not correct

    Need to have update on security scan report for database vulnerability, though we have already taken action to overcome items listed on the security scan report but still there is no change in status on the latest report. Please let us know ETA when this reporting can be corrected. Please share public blog or article where we can get this information was posted.

    1 vote
    2 comments
  10. Rename Security Center Recommendation for JIT Access

    The current recommendation title says "Internet facing VM should be protected by JIT virtual network access control". This recommendation will show regardless if an NSG is preventing any access from the internet which makes the title inaccurate. Instead it should say something like "The VM has an open management port which should be protected by JIT virtual network access control", because it is essentially only checking if a management port is open.

    1 vote
    0 comments
  11. Honour what you say in every Land.

    Currently using a 30 Day Kostenlose Testversion in Germany.
    Security Policy is greyed out. No means to follow the below URL statement to upgrade to start a standard tier free trial without additional cost.

    https://docs.microsoft.com/en-us/azure/security-center/faq-billing
    The standard tier adds threat protection capabilities that includes security alerts, threat intelligence, behavioral analysis, anomaly detection, and threat attribution reports. You can start a standard tier free trial. To upgrade, select Pricing Tier in the security policy. To learn more, see the pricing page.

    1 vote
    0 comments
  12. No tool to download report for built-in vulnerability solution (powered by Qualys)

    No tool to download the report for built-in vulnerability solution (powered by Qualys)

    1 vote
    0 comments
  13. Move Just-in-Time and Adaptive Application controls to Advisor

    Just-in-Time access on VMs is listed as a high recommendation on Security Center. This is actually a choice and using JIT is an option, but is not mandatory for being secure. We have highly secured VNets where we have very restrictive access to VNet jump boxes. We feel very strongly that we don't want to enable JIT policies on our VMs and that doing so would allow a sideways door into our VNets that we don't want.

    JIT recommendations came up on Security Center as highs. We have appealed to external security advisors and we're all in agreement that we…

    2 votes
    0 comments
  14. Support tags for Advanced Threat Protection options

    The Advanced Threat Protection resource doesn't have tags even if you applied tags on the storage account.
    For those who control infrastructure as tags or billing with tags, it is not convenient.

    1 vote
    0 comments
  15. Make policies in ASC obey hierarchy

    Having a hierarchy structure seemingly in place for policies (Management Group -> Management group children/Subscriptions) but not allowing policy precedence according to such design is going to confuse and complicate policy management efforts for most people. Request that policy definitions/parameters mentioned further nested down in the hierarchy take precedence. Such as if I wanted to disable the "DDoS Protection should be enabled on your virtual networks" recommendation at a top-level Management Group, and then enable at a subscription nested within, the value at the subscription level would take precedence. Noticed this was not the case if policy was set…

    1 vote
    0 comments
  16. Allow write access to external users in the SOC TSP policy to create tickets

    We are a managed service provider, and as such we have an external account with read-only access to our client's infrastructure. However, we would get a SOC TSP violation if we try to write a MS support ticket. We would like for you to change the default policy to allow only this one write action.

    2 votes
    2 comments
  17. 1 vote
    0 comments
  18. Include Azure DevOps, Logic App and Dynamics 365 to Azure Security Center Monitoring and getting email alerts

    Include Azure DevOps, Logic App and Dynamics 365 to Azure Security Center Monitoring and getting email alerts

    2 votes
    0 comments
  19. Ability to Limit JIT to just "My IP"

    We have users who need to be able to self serve JIT access to VMs. However as an administrator I do not have the ability to configure a policy of allowed IP addresses as we do not know what IP addresses the users will be connecting from.

    Users are told to select the "My IP" option. However there is nothing stopping a user from selecting "All configured IPs" which opens the firewall to the entire internet.

    I would like a policy setting that stops users from creating a JIT rule for all IPs and instead limits their request to "My…

    5 votes
    1 comment
  20. Add CentOS 7.7 to built-in vulnerability assessment feature

    Please extend the support for built-in on CentOS 7.7

    1 vote
    0 comments