Appendix A Using multiple workspaces in Security Center

In Chapter 2, you learned what a workspace is and how it works, and you explored some design considerations to determine how many workspaces you might need for your environment. In this appendix, you will learn how to create a new workspace and how to configure computers managed by Security Center to use this workspace as their main repository.

Creating a new workspace

As you learned in Chapter 2, there are many reasons to create more than one workspace. One scenario in which multiple workspaces are needed is when you need to isolate data—for example, if a company wants a separate workspace for each branch office. (See Figure A-1.)

Screenshot of a portion of the Log Analytics page showing the default workspace created by Security Center and others that were manually created.

FIGURE A-1 Using a separate workspace for each branch office.

Whatever the reason may be, if you determine during the design process that you need more than one workspace, you can use Log Analytics to create one. Follow these steps:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click More Services, and type Log Analytics.

  3. In the Log Analytics page, click the Add button.

  4. In the Workspace page, click Create New, and type a name for the new workspace in the Workspace box.

  5. Open the Subscription drop-down list and choose the subscription that will be used for this workspace.

  6. Under Resource Group, select the resource group you want to use, or create a new one.

  7. Under Location, select the geo-location for this workspace.

  8. If your workspace is on the free pricing tier, you can send only 500 MB of data per day. When you reach the daily limit, data collection stops until the next day. To switch to the paid tier, click the Pricing Tier option and choose Per Node. Then click OK.

  9. Click OK to create the workspace.

  10. Your new workspace should appear in the Log Analytics page under the default workspace created by Security Center. (See Figure A-2.) If you don’t see it, click Refresh to update the page.

    Screenshot of the Log Analytics page showing the default workspace created by Security Center and the new one that was created manually.

    FIGURE A-2 New workspace created.

Moving computers and VMs to a new workspace

All computers and virtual machines (VMs) with the Security Center agent installed store data in the default workspace. You can move some or all computers and VMs to a different workspace. (The same basic processes work for both Azure VMs and on-premises computers.)

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under General, click Security Policy and select your subscription.

  4. In the Security Policy – Data Collection page, select Use Another Workspace. Then select the desired workspace from the drop-down list. (See Figure A-3.)

    Screenshot of the Security Policy – Data Collection page, where you can change the default workspace.

    FIGURE A-3 Changing the default workspace.

  5. Click Save.

Security Center will configure all computers and VMs to report to this new workspace. This remapping might take some time. The amount of time it takes depends on how many computers and VMs you have in your environment.

If you need to move just a few computers and VMs from one workspace to another, the easiest way to do so is via Log Analytics.

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click More Services, and type Log Analytics.

  3. In the Log Analytics page, click the workspace containing the VMs you want to move.

  4. In the workspace’s page, under Workspace Data Source, click Virtual Machines to view a list of machines in that workspace, as shown in Figure A-4.

    Screenshot of the Virtual Machines page, showing which VMs are part of the new workspace and which are not.

    FIGURE A-4 Viewing the VMs that have (and have not) been moved to the new workspace.

  5. As shown in Figure A-4, you have one VM that belongs to another workspace (the default one), and another VM that is not connected to any workspace. You can connect this VM to this workspace by clicking on the VM, and then clicking Connect.

You can also use PowerShell to obtain the VM’s attributes, which include the extension (in this case MicrosoftMonitoringAgent) and the workspace ID, by using the Get-AzureRmVMExtension command. Listing A-1 shows a sample PowerShell script.

Listing A-1 PowerShell script to obtain a VM’s attributes.

PS C:\> Get-AzureRmVMExtension -ResourceGroupName "CONTOSOCST" -VMName "W2012Web" -Name "MicrosoftMonitoringAgent"
ResourceGroupName       : CONTOSOCST
VMName                  : W2012Web
Name                    : MicrosoftMonitoringAgent
Location                : centralus
Etag                    : null
Publisher               : Microsoft.EnterpriseCloud.Monitoring
ExtensionType           : MicrosoftMonitoringAgent
TypeHandlerVersion      : 1.0
Id                      : /subscriptions/XXXXXXXXXXX-b4a7ecb1a170/resourceGroups/CONTOSOCST/providers/Microsoft.Compute/virtualMachines/W2012Web/extensions/MicrosoftMonitoringAgent
PublicSettings          : {
                            "workspaceId": "XXXXXXXXXX-XXXXXXXXX",
                            "azureResourceId": "/subscriptions/XXXXXXXXXXXXXXX-b4a7ecb1a170/resourcegroups/contosocst/providers/microsoft.compute/virtualmachines/w2012web",
                            "stopOnMultipleConnections": true
                          }
ProtectedSettings       :
ProvisioningState       : Succeeded
Statuses                :
SubStatuses             :
AutoUpgradeMinorVersion : True
ForceUpdateTag          :

If you need to move just a couple of VMs from one workspace to another, the easiest way to do it is via Log Analytics, as shown previously in step 5. However, if you need to move many more VMs, you should use PowerShell. You can start with the following PowerShell sample script:

# Workspace ID and key of the workspace the VM should report to.
$ASCId = "<Replace with your Azure Security Center Workspace Id>"
$ASCKey = "<Replace with your Azure Security Center key>"
# Install or reconfigure the monitoring agent extension on one VM.
# The workspace ID is a public setting; the key is passed as a protected setting.
Set-AzureRmVMExtension -ResourceGroupName "myResourceGroup" `
  -ExtensionName "Microsoft.EnterpriseCloud.Monitoring" `
  -VMName "YourVM" `
  -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
  -ExtensionType "MicrosoftMonitoringAgent" `
  -TypeHandlerVersion 1.0 `
  -Settings @{"workspaceId" = $ASCId} `
  -ProtectedSettings @{"workspaceKey" = $ASCKey} `
  -Location "YourLocation"
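
To apply the same change to many VMs, the sample can be wrapped in a loop that first reads each VM's current workspaceId (as in Listing A-1) and only reconfigures VMs that are not already on the target workspace. The following is an added example, not part of the original text. It assumes Windows VMs in a single resource group, uses the extension name shown in Listing A-1, and fetches the workspace key at run time rather than storing it in the script; the resource names and the $DryRun switch are placeholders introduced for illustration.

```powershell
# Added example: placeholder names, adjust before use.
$WorkspaceRg   = "<resource group of the target workspace>"
$WorkspaceName = "<target workspace name>"
$VmRg          = "<resource group containing the VMs to move>"
$DryRun        = $true   # report only; set to $false to apply changes

# Look up the workspace ID and key at run time so the key is never saved in the script.
$ws  = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $WorkspaceRg -Name $WorkspaceName
$key = (Get-AzureRmOperationalInsightsWorkspaceSharedKeys -ResourceGroupName $WorkspaceRg `
          -Name $WorkspaceName).PrimarySharedKey
$targetId = $ws.CustomerId.ToString()

$report = foreach ($vm in Get-AzureRmVM -ResourceGroupName $VmRg) {
    $current = $null
    if ($vm.StorageProfile.OsDisk.OsType -ne "Windows") {
        $action = "SkippedNonWindows"   # MicrosoftMonitoringAgent is the Windows agent
    } else {
        # Read the agent's current public settings, as in Listing A-1.
        $ext = Get-AzureRmVMExtension -ResourceGroupName $VmRg -VMName $vm.Name `
                 -Name "MicrosoftMonitoringAgent" -ErrorAction SilentlyContinue
        if ($ext -and $ext.PublicSettings) {
            $current = ($ext.PublicSettings | ConvertFrom-Json).workspaceId
        }
        if ($current -eq $targetId) {
            $action = "AlreadyOnTarget"
        } elseif ($DryRun) {
            $action = "WouldMove"
        } else {
            try {
                Set-AzureRmVMExtension -ResourceGroupName $VmRg -VMName $vm.Name `
                  -Name "MicrosoftMonitoringAgent" `
                  -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
                  -ExtensionType "MicrosoftMonitoringAgent" `
                  -TypeHandlerVersion 1.0 `
                  -Settings @{"workspaceId" = $targetId} `
                  -ProtectedSettings @{"workspaceKey" = $key} `
                  -Location $vm.Location -ErrorAction Stop | Out-Null
                $action = "Moved"
            } catch {
                $action = "Failed: $($_.Exception.Message)"
            }
        }
    }
    # One row per VM: keeps a record of where each VM reported before the change.
    [pscustomobject]@{ VM = $vm.Name; PreviousWorkspaceId = $current; Action = $action }
}
$report | Format-Table -AutoSize
```

Run it once with $DryRun set to $true and review the WouldMove rows before applying; the PreviousWorkspaceId column is what you need to roll a VM back.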
