Audit at scale. Workspaces and Azure Security Center
A few times this week the same two questions have come up:
- How is my Azure Security Center (ASC) licensed and configured?
- How many workspaces do I have, and what retention policy is set on each?
You can look in the portal, but to do this at scale I suggest you use Azure Resource Graph (ARG). My recent Workbook does some of this as well, but for a quick check you can load ARG in the Azure Portal. These are some basic query examples, but they could be the basis of more complex queries.
1. Azure Security Center: free vs. Standard licence
securityresources
// One pricing record per ASC plan; the tier tells you Free vs. Standard
| where type == "microsoft.security/pricings"
| extend tier = trim(' ', tostring(properties.pricingTier))
| summarize resource = make_set(name), tier = make_set(tier) by subscriptionId, tenantId
2. Workspace details
resources
// Log Analytics workspaces with their SKU and retention (in days)
| where type == "microsoft.operationalinsights/workspaces"
| extend sku = tostring(properties.sku.name), retention = tostring(properties.retentionInDays), created = tostring(properties.createdDate), modified = tostring(properties.modifiedDate)
| summarize by subscriptionId, name, sku, retention, created, modified, location
| order by sku asc
Example output from Query #2: this shows that most of my workspaces are set for 30-day retention, but one is 90 days (in this case that is the one that supports my Azure Sentinel, so it is correctly set, as 90 days is part of the free retention for Azure Sentinel).
3. Much like Query 2, but shows whether it is free or Standard per subscription ID and resource name
resources
// Just show Workspaces that have Azure Sentinel enabled
| where type == "microsoft.operationsmanagement/solutions"
| where name contains "SecurityInsights"
| project WorkspaceName = name, S_CreatedDate = properties.creationTime, S_ModifiedDate = properties.lastModifiedTime, day = datetime_diff('day', now(), todatetime(properties.creationTime))
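Combining Query 2 and Query 3 gives the check that the output above was done by eye: which Sentinel-backed workspaces keep less than the 90 days of retention that come free with Azure Sentinel. This is an added example, not a query from the original post; it assumes the SecurityInsights solution resource exposes the backing workspace in properties.workspaceResourceId.

```kql
// Added example: flag Azure Sentinel workspaces with retention below 90 days.
// Assumption: the SecurityInsights solution's properties.workspaceResourceId
// holds the resource ID of the Log Analytics workspace it is attached to.
resources
| where type == "microsoft.operationsmanagement/solutions"
| where name contains "SecurityInsights"
| extend workspaceId = tolower(tostring(properties.workspaceResourceId))
| project workspaceId, sentinelEnabledSince = todatetime(properties.creationTime)
| join kind=inner (
    resources
    | where type == "microsoft.operationalinsights/workspaces"
    | extend retention = toint(properties.retentionInDays)
    | project workspaceId = tolower(id), subscriptionId, name, location, retention
  ) on workspaceId
// true where the workspace is not using the 90 days Sentinel provides for free
| extend retentionBelowSentinelFree = retention < 90
| project subscriptionId, name, location, retention, retentionBelowSentinelFree, sentinelEnabledSince
| order by retentionBelowSentinelFree desc, retention asc
```

Run it in the Azure Portal ARG explorer or via Search-AzGraph; any row with retentionBelowSentinelFree == true is a Sentinel workspace worth reviewing.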