• Configure a custom security policy
• Create a policy initiative
• Configure security settings and auditing by using Azure Policy

• Configure Microsoft Defender for Servers (not including Microsoft Defender for Endpoint)
• Evaluate vulnerability scans from Microsoft Defender for Servers
• Configure Microsoft Defender for SQL
• Use the Microsoft Threat Modeling Tool

• Create and customize alert rules by using Azure Monitor
• Configure diagnostic logging and log retention by using Azure Monitor
• Monitor security logs by using Azure Monitor
• Create and customize alert rules in Microsoft Sentinel
• Configure connectors in Microsoft Sentinel
• Evaluate alerts and incidents in Microsoft Sentinel

Azure Monitor is a service that delivers a comprehensive solution for collecting, analyzing, and acting on telemetry (metrics and logs) from your cloud and on-premises environments.

• https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview

• By default the Activity Log keeps logs for 90 days.

• Metrics are numeric values collected at regular intervals (e.g. CPU utilization, disk IOPS, network connections, etc.)
  • Metrics are produced automatically without any configuration done by the user
• Logs are textual data that are produced organically as things occur in the environment (e.g. user login event)
  • Logs are not collected until things are collected until configuration is done by administrators
• Most Azure resources have an option to enable Diagnostic Logs
• Azure Monitoring Agent (AMA) is an agent that runs on Windows or Linux OS that can collect logs and metrics.
• Some logs are automatically generated by resources by default, but for more details logging it maybe necessary to enabled diagnostics logs for a resource, or, in the case of VMs, install an agent on the OS.

• https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane

These logs differ from the activity log. The activity log provides insight into the operations, such as creating a VM or deleting a logic app, that Azure Resource Manager performed on resources in your subscription using. The activity log is a subscription-level log. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself, such as getting a secret from a key vault.

• activity logs represent events on the control/management plane
• diagnostic logs represent events on the data plane
• diagnostic logs may be referred to as resource logs; they represent operations that were performed within a resource

• Resource logs are automatically generated by supported Azure resources, but they aren't available to be viewed unless you create a diagnostic setting.

Microsoft Defender for Cloud is your central location for setting and monitoring your organizations security posture.

• Microsoft Defender for Cloud was previously known as Azure Security Center.

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multi-cloud (Amazon AWS and Google GCP) resources. Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises, continually assess, secure and defend.

• Defender continuously assesses the security posture of environments and their resources and produces a score (based on the Azure Security Benchmark) for it.
  • Security Posture assessment how well and environment is hardened against attacks.
  • There is also threat detection capability that uses real-time signals to detect threats.
• Defender works for Azure, other clouds and on-prem resources.
• JIT VM Access is a feature of Defender that only allows VM access after approval and for a short. fixed amount of time. This mitigates against brute-force types of attacks. (requires the Enhanced Security tier)
• The free tier does not include monitoring non-Azure resources; this requires the Enhance tier of the service.
• Example: Defender would not detect if there is a new version of an OS, but it would detect of there are critical security updates that are missing.
• Azure Policy provides most of the data Defender for Cloud uses
• A Log Analytics Workspace is used just for data coming from virtual machines

Microsoft Defender for Servers is one of the enhanced security features of Microsoft Defender for Cloud. Use it to add threat detection and advanced defenses to your Windows and Linux machines whether they're running in Azure, AWS, GCP, and on-premises environment.

• https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction
• Alerts and vulnerability data from Microsoft Defender for Endpoint is shown in Microsoft Defender for Cloud
• There are two tiers Plan 1 and Plan 2.
• Defender for Servers also has features for just-in-time VM access, file integrity monitoring, …
• For just-in-time VM access, JIT does not support VMs protected by Azure Firewalls controlled by Azure Firewall Manager. The Azure Firewall must be configured with Rules (Classic) and cannot use Firewall policies.

• https://docs.microsoft.com/en-us/learn/modules/azure-security-center/3-implement-azure-security-center

Ref: https://techcommunity.microsoft.com/t5/itops-talk-blog/what-s-the-difference-between-azure-security-center-azure/ba-p/2155188

• Azure Sentinel is a SIEM/SOAR solution that works off of data from a Log Analytics Workspace
• It ingests data from a variety of source types by using connectors
• There are built-in rules and support for custom rules using the Kusto query language