Azure Security Center–Data Collection and Storage

In order for Azure Security Center to get the information it needs to assess your current security state and provide expert security recommendations, it needs to collect data from your virtual machines (this includes virtual machines that run in both Azure IaaS and PaaS cloud service models).

In order to do this, you need to turn on data collection for your Azure subscription. If you have multiple Azure subscriptions, then you’ll need to turn it on for all of the subscriptions you want Azure Security Center to watch and protect.

When you turn on data collection, you allow the Azure Monitoring Agent (ASMAgentLauncher.exe) and the Azure Security Monitoring extension (ASMMonitoringAgent.exe) to start collecting that information.


The Azure Security Monitoring extension scans the security configuration of your virtual machines and also collects information from security logs. This data is sent to a storage account you configure when you first set up Azure Security Center. Another software component, called the Scan Manager (ASMSoftwareScanner.exe) will be installed and be used as a patch scanner.

We’ve had a lot of questions about what the effective footprint is for these security monitoring components. Use the following as a reasonable baseline:

  • RAM: on average, about 3 MB, with potential spikes of 10 MB every 12 hours
  • CPU: Insignificant processor utilization from both persistent process and scanners
  • DISK: Insignificant disk utilization

However, with that said, it’s important to be aware that each of the monitoring agents has a chain of processes that can exceed the baselines noted above. For example:

  • RAM: memory usage can go up to 30 MB per agent.
  • CPU: processor utilization can be up to 20% per agent (although in practice this is much less)
  • DISK: disk space usage can be up to 3 GB per agent.
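As an added example (not code from the original post), the following PowerShell, run locally on a Windows VM where data collection is enabled, lists the three monitoring processes named above and flags any whose working set is over the 10 MB spike baseline or the 30 MB per-agent ceiling. The process names and thresholds are the ones stated in this post; that the processes are visible under those names to the account running the script is an assumption, and child processes in each agent's chain are not summed.

```powershell
# Added example, not part of the original post. Compares the Azure Security Center
# monitoring components against the per-agent memory figures quoted above.
# Assumption: runs on the Windows VM itself with rights to read process information.
$agentNames       = 'ASMAgentLauncher', 'ASMMonitoringAgent', 'ASMSoftwareScanner'
$ramBaselineBytes = 10MB   # "potential spikes of 10 MB every 12 hours"
$ramCeilingBytes  = 30MB   # "memory usage can go up to 30 MB per agent"

$procs = Get-Process -Name $agentNames -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Warning 'No ASC monitoring processes found; is data collection enabled for this subscription?'
    return
}

foreach ($p in $procs) {
    $ws = $p.WorkingSet64

    # Classify against the figures from the post; the ceiling check wins if both apply.
    $status = 'ok'
    if ($ws -gt $ramBaselineBytes) { $status = 'above baseline' }
    if ($ws -gt $ramCeilingBytes)  { $status = 'ABOVE CEILING' }

    [pscustomobject]@{
        Process      = $p.ProcessName
        PID          = $p.Id
        WorkingSetMB = [math]::Round($ws / 1MB, 1)
        CpuSeconds   = [math]::Round($p.CPU, 1)   # total processor time consumed so far
        Status       = $status
    }
}
```

A row marked ABOVE CEILING on a VM that stays that way across several runs is worth raising with the troubleshooting guide referenced below, since it exceeds what the post says the agent chain should reach.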

The monitoring agent and extensions are installed automatically on all existing and any new supported virtual machines that are provisioned in Azure after you enable data collection.

Note:
If you have problems with any of these agents, make sure to check out the Azure Security Center Troubleshooting Guide.

It’s important to know that enabling Azure Security Center data collection isn’t a lifelong commitment. You can turn off data collection at any time. Use the same interface you saw in the figure above to disable data collection. You can also delete the monitoring agents by selecting the Delete Agents menu option, which becomes available when you turn off data collection.

What about storage?

The information Azure Security Center collects is kept in a storage account you own.

Remember that the storage account you use for data collection has to be in the same region as the virtual machines. When you enable data collection, you’ll be asked for a storage account to store the data. If you don’t choose a storage account, an account will be created for you.

If you are using a storage account shared among different Azure resources, make sure to read Azure Storage Scalability and Performance Targets. Your subscription also has storage account limits, so check out Azure subscription and service limits, quotas, and constraints to better understand these limits.

Note:
Remember that you are responsible for the cost of storing the data collected by Azure Security Center; you’ll be charged the regular Azure storage rates.


HTH,

Tom

Tom Shinder
Program Manager, Azure Security