What is the securitydata resource group in Microsoft Azure?
If you happen to see a strange securitydata resource group in your Azure subscription, you will probably wonder what on earth it is. If the subscription is shared with every member of your cloud team, you may be angry at someone on that team. You may even suspect the subscription has been compromised, delete the resource group and change your password. Congratulations: that is exactly the kind of security awareness required today.
I’ve recently had to clean up my Azure subscription to prepare some of the demos for the upcoming Global Azure Bootcamp 2017 in Singapore. I realized that I had deleted the securitydata resource group in the past, but it was still there in my Azure subscription. I was pretty surprised and a little scared as to why it still existed. I opened Azure Resource Explorer to look up this resource group and saw that it had been created in the East US region. I have nobody from such a faraway region using my Azure subscription; the farthest is the UK, where a friend of mine lives. Inside the resource group there was a storage account which continuously generated many Blob containers. I spent a couple of hours looking at each container and table to check what type of data was stored. Finally I found something, shown below, that pointed me to the Azure Security Center service I’ve been working with.
I wondered whether this storage account held data collected by Azure Security Center through its monitoring module. After a few minutes on the Microsoft Azure website reading about data collection in Azure Security Center, I figured out that the securitydata resource group, together with a storage account, is created automatically whenever data collection is enabled and no existing storage account has been specified. The setting lives under Security policy in Azure Security Center. This also explains why the group came back after being deleted: as long as data collection is on and no storage account is chosen, Security Center simply creates it again, so deleting it by hand is not a fix. I’m pretty sure I never touched this configuration when enabling Azure Security Center for my subscription, which is why I spent my time looking into what was stored in the securitydata resource group. If you do not want data collection you can turn it off, but as usual this is not recommended.
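Before deleting an unexpected resource group like this, the check a practitioner actually wants is "which principal created it?", and the Azure Activity Log answers that. The script below is an added example, not code from the original post: it wraps the Azure CLI (`az monitor activity-log list` and `az storage account list`) and assumes the CLI is installed and logged in for the live path. The sample events are constructed, the GUID in them is made up, and the helper names (`classify_caller`, `creation_events`, `assess_creation`) are mine. The caller heuristic (a UPN means a user, a GUID means a service principal or managed identity) is my own rule of thumb, not an Azure API.

```python
"""Who created a resource group? Audit it via the Azure Activity Log.

Added example. Live path assumes the Azure CLI (`az`) is installed and
logged in; the offline helpers run on the constructed sample events.
"""
import json
import re
import subprocess

RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample of `az monitor activity-log list -o json` output,
# reduced to the fields this script reads (real records carry many more).
SAMPLE_EVENTS = [
    {
        "caller": "alice@contoso.example",  # constructed user principal
        "eventTimestamp": "2017-03-01T08:00:00.000000Z",
        "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
        "resourceGroupName": "securitydata",
        "status": {"value": "Succeeded"},
    },
    {
        "caller": "7f1c2a3b-9d4e-4f5a-8b6c-0d1e2f3a4b5c",  # constructed GUID
        "eventTimestamp": "2017-02-28T23:59:00.000000Z",
        "operationName": {"value": RG_WRITE},
        "resourceGroupName": "securitydata",
        "status": {"value": "Succeeded"},
    },
]


def classify_caller(caller):
    """Heuristic: users appear as a UPN, service principals and managed
    identities as a GUID, in the Activity Log `caller` field."""
    if not caller:
        return "unknown"
    if "@" in caller:
        return "user"
    if GUID_RE.match(caller):
        return "service_principal"
    return "unknown"


def creation_events(events, rg_name):
    """Succeeded resourceGroups/write events for rg_name, oldest first."""
    hits = [
        e for e in events
        if e.get("operationName", {}).get("value") == RG_WRITE
        and (e.get("resourceGroupName") or "").lower() == rg_name.lower()
        and e.get("status", {}).get("value") == "Succeeded"
    ]
    return sorted(hits, key=lambda e: e.get("eventTimestamp", ""))


def assess_creation(events, rg_name):
    """Return (caller_kind, caller, verdict) for who created rg_name."""
    hits = creation_events(events, rg_name)
    if not hits:
        # The Activity Log keeps 90 days; an older group has no record left.
        return ("none", None,
                "no creation event in the Activity Log window; "
                "check the Security Center data collection policy instead")
    caller = hits[0].get("caller")
    kind = classify_caller(caller)
    if kind == "user":
        verdict = "created by a user in your tenant; ask them before deleting"
    elif kind == "service_principal":
        verdict = ("created by a service principal, not a user; cross-check "
                   "the Security Center data collection setting before deleting")
    else:
        verdict = "caller could not be classified; investigate manually"
    return kind, caller, verdict


def az_json(*args):
    """Run an az command and parse its JSON output (live path only)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    import sys
    rg = sys.argv[1] if len(sys.argv) > 1 else "securitydata"
    # --offset 90d spans the full default Activity Log retention period.
    events = az_json("monitor", "activity-log", "list",
                     "--resource-group", rg, "--offset", "90d")
    kind, caller, verdict = assess_creation(events, rg)
    print(f"{rg}: created by {caller!r} ({kind}); {verdict}")
    for sa in az_json("storage", "account", "list", "--resource-group", rg):
        print(f"  storage account {sa['name']} in {sa['location']}")
```

Run it as `python audit_rg.py securitydata` against a logged-in CLI. Whatever the verdict, remember the point of the post: if data collection is enabled under Security policy and no storage account is specified, deleting the group only makes Security Center create it again, so the policy setting, not the resource group, is what to change.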
What should be mentioned here is that Microsoft ought to give this resource group a more meaningful name, for example azuresecuritycenter-data. Such a name would not make people feel unsafe when managing Azure. In a large environment, an unexplained resource group otherwise triggers an audit action plan to check through the entire Azure subscription, which takes time and effort.
Additional references that address the securitydata resource group: