I Have Azure Sentinel… Do I Need Azure Security Center?


Updated on February 26, 2021


Introduction

According to Gartner, Cloud Security Posture Management (CSPM) tools are fundamental to cloud security. Gartner states that “Cloud Security Providers (CSP) concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack”. CSPM typically involves leveraging API integrations with one or more cloud providers in order to automatically discover cloud assets and their associated risks.

Cloud Workload Protection Platforms (CWPPs) are software platforms designed for monitoring and protecting cloud workloads. While such “workload-centric” solutions are usually agent-based, the focus should be on the workload – not the agent. An ideal CWPP would offer agentless and agent-based approaches to protecting workloads of different types in the traditional datacenter, public-cloud and private-cloud environments – including workload-centric security protections for bare-metal servers, SQL servers, storage accounts, orchestrated containers, serverless “functions” and virtual machines (VMs).

Within this realm of SIEM, Security Center, Azure Defender, and Sentinel, customers often ask me the following question: we already have Azure Sentinel, do we need Azure Security Center as well?

In this quick article, I will answer this frequent question and explain why you need both Azure Sentinel and Security Center/Azure Defender to protect your cloud workloads end-to-end and to be proactive instead of reactive.

Azure Security Center

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Helps you prevent misconfigurations and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Azure Defender, formerly known as Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, as well as cloud-native PaaS workloads such as Web Apps, Kubernetes, and Key Vaults, SQL databases (PaaS/VM), and storage accounts.

Azure Security Center is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.

Azure Sentinel

Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

As I mentioned earlier, Security Center covers the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios, while Azure Sentinel covers the SIEM/SOAR scenarios that sit on top of other Microsoft security solutions. Azure Sentinel does all the data ingestion, not only from Security Center but also from third-party and other Microsoft products.

The following diagram illustrates where each product fits in the realm of Microsoft Security solutions.

[Diagram: where each product fits in the realm of Microsoft Security solutions. Image courtesy of Microsoft]

Data ingestion is done by Sentinel, and Sentinel is also the one that does the data correlation. Think of each of those products as a data source that feeds Sentinel; once Sentinel has the data, you can correlate it across all of those data sources.

Do I need Security Center?

The answer is yes of course!

Azure Sentinel and Azure Security Center are two completely different products covering two different scenarios.

The following diagram should give you enough information and show how Azure Sentinel and Security Center complement each other to strengthen your Security Operations Center (SOC) team.

[Diagram: how Azure Sentinel and Security Center complement each other. Image courtesy of Microsoft]

Cloud Security Posture Management (CSPM) and Azure Defender are two distinct capabilities, and Azure Security Center is the only Microsoft solution that delivers them. If you want CSPM and Azure Defender, then you need Azure Security Center. In turn, all the threat detection and advanced workload protection in Azure Security Center, which is part of Azure Defender's capability, can feed into Azure Sentinel.

The threat intelligence from Security Center is unique: the threat detection from SQL ATP, Azure Defender for Storage, Azure Defender for Key Vault, Azure Defender for Servers, and all of those detection and protection capabilities are NOT visible to Sentinel at all unless they are ingested via the Security Center connector. So, in that respect, Azure Security Center and Azure Sentinel are complementary.
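A practical way to confirm that the Security Center connector is actually feeding Sentinel is to look at which products are populating the alert table in the workspace. The following KQL query is an added example, not code from the original post or from Microsoft; it assumes the Azure Security Center connector has been enabled and that alerts land in the built-in SecurityAlert table with its standard columns (TimeGenerated, ProductName, ProviderName, AlertSeverity). The lookback window of 7 days is an arbitrary choice.

```kql
// Added example: inventory the alert providers feeding this Sentinel workspace.
// Assumes the Azure Security Center connector is enabled and that alerts arrive
// in the built-in SecurityAlert table (standard column names).
let lookback = 7d;   // constructed value; widen it on a quiet environment
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize AlertCount = count(),
            LastSeen   = max(TimeGenerated)
    by ProductName, ProviderName, AlertSeverity
| order by ProductName asc, AlertCount desc
```

If "Azure Security Center" never appears in the ProductName column even though Azure Defender plans are enabled on the subscription, Sentinel has no awareness of those detections and the connector (or the workspace it is pointed at) needs to be checked. The query is also a cheap way to see which Azure Defender detections are producing the most noise by severity before building analytics rules on top of them.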

Summary

Azure Sentinel and Azure Security Center are two completely different products covering two different scenarios. Connecting Azure Security Center to Azure Sentinel gives you more insight into your organization's network and systems: you can view dashboards, create custom alerts, run automated playbooks, and further investigate any suspicious activity.

To learn more about Azure Security Center, check the official documentation from Microsoft.

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions.

To learn more about Azure Sentinel, check the official documentation from Microsoft.

I hope this article gave you a clear picture of how Azure Security Center is essential for Azure Sentinel to protect your workloads across public and hybrid clouds.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


6 thoughts on “I Have Azure Sentinel… Do I Need Azure Security Center?”


  1. Hi Charbel, Thank you for this post. We migrated our enterprise to the Microsoft E5 plan this year and implemented Sentinel on our workstations by connecting them to the Log Analytics Workspace. Our issue is that Azure Security Center is now recognizing our 50 workstations as VMs or servers and wanting to deploy Azure Defender in addition to the Microsoft Defender ATP we already have deployed, which we feel would be duplicating services and costs. We have opened a case with Azure support about this and they seem stumped and are not sure how to make this alert go away. Was Sentinel implemented improperly, thus causing this alert?
    Thank You,
    David

  2. Hello David,
    Thanks for the comment.
    So if I understood your issue, you already have Microsoft 365 Defender for Endpoint agent installed on all those 50 workstations, right?
    Are those workstations servers or clients? Which OS is installed on them?
    When you pay $15 per server to protect your virtual machines (workstations) in Security Center, you also get the Defender for Endpoint license activated on these machines. So one agent and one license. You should not pay double.
    Here are more details about Azure Security Center and Microsoft Defender ATP integration.
    Can you share the alert that you are getting (screenshot)?
    Thanks!

  3. Hi Charbel,
    Yes, the workstations are Windows 10 Pro and Windows 10 Enterprise; all are physical machines. As I mentioned, we use Microsoft 365 E5 Licensing which includes Microsoft Defender ATP, thus not wanting to pay the additional $15 on the Azure side.

    Here is the screenshot of the Azure Security Center Recommendations showing those machines https://www.dropbox.com/s/tm5xfa74xdthcnz/image.png?dl=0

    Following your instructions for the integration, I do not have the workspace with the workstations enabled in Azure Defender yet, in fear of being charged the price per machine.

  4. Thanks David!

    What security feature do you want to leverage/use from Azure Security Center on those 35 (Windows 10 Pro and Windows 10 Enterprise) workstations? In short, do you want to use Security Center for those Workstations?
    Usually you Onboard Windows servers/Windows 10 to the Microsoft Defender for Endpoint (ATP) service, and not Windows 10 machines to Azure Security Center.

    If your concern is to have Log aggregation with Azure Sentinel only, then you can connect Microsoft Defender for Endpoint (ATP) directly to Azure Sentinel without Security Center. The new connector is called Microsoft 365 Defender which includes the entire Microsoft 365 Defender suite.

    If your concern is about this warning message that you shared in the screenshot above in Azure Security Center, and you don’t want to use Security Center, then you can exempt those 35 machines from the recommendations by following the steps described here, and then they won’t be shown anymore in the Recommendations section.
    Since we are exempting Azure Security Center and we don’t want to integrate those 35 machines, then make sure that under Security Center | Pricing & Settings | Subscription-Name | Threat Detection | uncheck (Allow Microsoft Defender for Endpoint to access my data).

    Let me know if this works for you.

    Hope this helps!
    -Charbel

  5. Thanks Charbel! Using the Microsoft 365 Defender Connector and removing the Log Analytics Workspace agent resolved the issue. I no longer have Azure Security Center nagging me to install its agent on my workstations. Thank you again for the assistance. I even had Microsoft stumped on how to resolve this.

  6. Thank you David for your feedback and confirmation!
    I am happy to hear that I was able to help you in resolving this issue :)
    All the best,
