A few times this week I’ve had two discussions.
- How is my Azure Security Center (ASC) licenced and configured?
- And how many workspaces do I have, and what retention policy is set.
You can look in the portal, however to do this at scale, lets use Azure Resource graph:
I suggest you use Azure Resource Graph (ARG) for this (some of which my recent Workbook does as well, but for a quick check you can load ARG in the Azure Portal. these are some basic query examples, but they could be the basis of more complex queries.
1. Azure Security Center: free vs. Standard licence
| where type == “microsoft.security/pricings”
| extend tier = trim(‘ ‘,tostring(properties.pricingTier))
| summarize resource = make_set(name), tier = make_set(tier) by subscriptionId, tenantId
2. Workspace details
| where type == “microsoft.operationalinsights/workspaces”
| extend sku = tostring(properties.sku.name), retention = tostring(properties.retentionInDays), created = tostring(properties.createdDate), modified = tostring(properties.modifiedDate)
| summarize by subscriptionId, name, sku, retention, created, modified, location
| order by sku asc
Example output from Query #2: This shows that most of my workspaces are set for 30day retention but one is 90days (in this case that’s the one that supports my Azure Sentinel., so that is correctly set as 90days is part of the free retention for Azure Sentinel).
Query 3: Much like Query2 but shows if its free or Standard per Subscription ID and Resource Name
// Just show Workspaces that have Azure Sentinel enabled
| where type == “microsoft.operationsmanagement/solutions”
| where name contains “SecurityInsights”
| project WorkspaceName=name, S_CreatedDate=properties.creationTime, S_ModifiedDate=properties.lastModifiedTime , day = datetime_diff(‘day’,now(),todatetime(properties.creationTime))