Why Are There 4 Different Azure VM Security Extensions?
Use extensions to customize Azure VM security.
Azure uses extensions to let users add features to their VMs. Extensions normally give a VM some new functionality, and a noticeable share of that added functionality exists for security reasons.
In this blog, we discuss what the 4 main Azure VM security extensions do. We also go over the use cases in which Azure security administrators should deploy these extensions on their VMs.
Azure Defender Extensions
These extensions connect Windows and Linux VMs to Azure Defender, which is the EDR solution built into Azure Security Center. Azure security admins would enable this extension when they believe the information stored on their VMs is valuable enough to justify the cost of the EDR solution.
Azure Security Center adds supporting features for this extension, such as auto-provisioning, which deploys the extension to every VM in the environment automatically. There are also options to customize how much data the extension collects, depending on how in-depth the monitoring needs to be.
Azure Sentinel Extensions
These extensions connect Windows and Linux VMs to Azure Sentinel directly so that the SIEM can collect logs from the device itself rather than only the logs forwarded by the EDR solutions. Azure security admins would enable this extension when they run detections that depend on device logs, as many of the shared queries in the official Azure Sentinel GitHub repository do.
These VM extensions can be added in the Azure Sentinel data connector UI, and the amount of data collected can be edited in the same menu. The Syslog connector for Linux devices has a more involved setup process but provides more data collection customization options.
Azure Monitor Extension
This extension connects Windows and Linux VMs to Azure Monitor so that performance data can be collected. This data is useful for security because analysts can query it during advanced threat hunting to learn more about the device's performance and activity around the time of an incident.
Microsoft Defender for Endpoint Extension
This extension connects compatible VMs to Microsoft Defender for Endpoint (MDE), the EDR component of Microsoft 365 Defender. The connection is useful for attaching VMs to a different EDR service when Azure Defender does not provide adequate coverage, or when the automated investigation and response (AIR) features of MDE are needed instead of the logic app responses available for Azure Defender.
Azure security admins do not need to restrict themselves to only one of these extensions; they can all be used in parallel. Even the Azure Defender and MDE extensions can be used together as two separate EDR solutions, but they have a significant number of overlapping detections, so duplicate alerts are likely to appear.
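As an added example (not code from the original post or from CyberMSI), the script below takes per-VM extension records shaped like the JSON that `az vm extension list` returns and reports which of the four roles each VM carries, flagging VMs with no EDR extension and VMs running both the Azure Defender and MDE agents, the duplicate-alert case described above. The extension type names and JSON field names are assumptions taken from the Azure extension catalog and CLI output shape, the workspace IDs are placeholders you replace with your own, and it assumes that the Azure Defender and Azure Sentinel connections both ride on the Log Analytics agent and differ only by the workspace they report to.

```python
"""Audit which of the four security extensions each Azure VM carries,
given per-VM records shaped like `az vm extension list` JSON output."""

# Extension type names (assumed from the Azure extension catalog; confirm in
# your tenant). Azure Defender and Azure Sentinel both connect through the
# Log Analytics agent, so those two are told apart by workspaceId in settings.
LOG_ANALYTICS = {"MicrosoftMonitoringAgent", "OmsAgentForLinux"}
MDE = {"MDE.Windows", "MDE.Linux"}
AZURE_MONITOR = {"AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent"}


def classify(ext, defender_ws, sentinel_ws):
    """Map one extension record to Defender, Sentinel, Monitor, MDE or None."""
    ext_type = ext.get("typePropertiesType") or ext.get("virtualMachineExtensionType", "")
    if ext_type in MDE:
        return "MDE"
    if ext_type in AZURE_MONITOR:
        return "Monitor"
    if ext_type in LOG_ANALYTICS:
        workspace = (ext.get("settings") or {}).get("workspaceId", "")
        if workspace in defender_ws:
            return "Defender"
        if workspace in sentinel_ws:
            return "Sentinel"
        return "LogAnalytics(unknown workspace)"
    return None


def audit(vms, defender_ws, sentinel_ws):
    """Return {vm: {"roles": [...], "findings": [...]}}; flag EDR gaps and overlaps."""
    report = {}
    for vm_name, extensions in vms.items():
        roles = {classify(e, defender_ws, sentinel_ws) for e in extensions} - {None}
        findings = []
        if not roles & {"Defender", "MDE"}:
            findings.append("no EDR extension installed")
        if {"Defender", "MDE"} <= roles:
            findings.append("two EDR agents: expect duplicate alerts")
        report[vm_name] = {"roles": sorted(roles), "findings": findings}
    return report


# Constructed sample data, not output from a real subscription.
SAMPLE_VMS = {
    "web01": [{"typePropertiesType": "MicrosoftMonitoringAgent",
               "settings": {"workspaceId": "ws-defender-placeholder"}},
              {"typePropertiesType": "MDE.Windows", "settings": None}],
    "db01": [{"typePropertiesType": "OmsAgentForLinux",
              "settings": {"workspaceId": "ws-sentinel-placeholder"}},
             {"typePropertiesType": "AzureMonitorLinuxAgent", "settings": {}}],
    "batch01": [],
}
REPORT = audit(SAMPLE_VMS, {"ws-defender-placeholder"}, {"ws-sentinel-placeholder"})
```

Feed it the real output by collecting `az vm extension list --resource-group <rg> --vm-name <vm> --output json` for each VM in your subscription and passing your actual Defender and Sentinel workspace IDs.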
We will continue to share best practices and lessons learned in future posts on Azure VM security in customer environments. More extensions that are useful for security will likely appear in the future and CyberMSI is constantly monitoring for updates so that we can improve the quality of our cloud security services.
In closing, consider these three questions when using Azure VM extensions for security in your organization:
- Do we have a decision matrix for determining how to secure and monitor the VMs we deploy in the cloud?
- How can we improve our VM security by implementing one or more of these security extensions?
- Can we use the data gathered by these extensions to provide useful insights for our cybersecurity analytics, using tools like workbooks and notebooks?