 Welcome to Ops 101, Securing Your Hybrid Environment. Today, we're going to be talking about all things Azure Security Center. Joining with me today is Sarah Yang. She's our senior PM for all things security here at Microsoft. Sarah, welcome. Hi, thanks for having me. Today, we're going to be discussing specifically around Azure Security Center, and what it can be used for in regards to securing your hybrid implementation of on-premises in Cloud architecture. There's been a lot of name changes that have occurred. Can we first start with that because that's one number one question that we've been getting thus far in terms of what's going on with all the name changes. Yeah. We've had a lot of name changes in the last couple of months. I do think they're actually really good name changes because they are standardizing all the different name changes that we have, and all the different naming conventions we have. But specifically around Security Center, we now have Azure Security Center or ASC as we did before. ASC is our free tier of CSPM, which is Cloud Security Posture Management Software. Within Security Center, we have Azure Defender, and Azure Defender is our Cloud Workload Protection product. That's the paid for element of the suite of products, and that protects against different threats. I actually have, and here's something I prepared earlier. It's going a little bit outside, but I think it's a really good diagram you can see here. We have a lot of XDR offering, it's called Microsoft Defender, and that splits into two halves. We have Microsoft 365 Defender, which we're not talking about in this session, but as you can see, Endpoints Identities, Apps, et cetera, and Azure Defender on the right-hand side there, that's talking. This is our threat protection on the Azure and server endpoint side, so for SQL, for your network, IoT, App Services, Containers, Server VMs, and all of those different products together constitute Microsoft Defender. 
Now, I know there's a heck of a lot of different names, and we do change them, so hopefully this diagram helps. I think this is a pretty good one to help explain things, but yeah, we got a lot of things out there. The other thing that's really good to look at, if you're still understanding where everything fits, all the different Microsoft products, is looking at the Cybersecurity Reference Architecture. It's a very, very busy diagram, but it does show where all of the different Microsoft products sit, so that's worth checking out too.
We're going to come back to Azure Defender later on. I definitely want to touch on the IoT piece, which we're seeing as the new architecturally hybrid solution, because your IoT devices are on-premises, or in the real world pushing data up to the Cloud. But I also want to cover the SQL piece as well, because there are a lot of organizations that have that requirement of the SQL servers being on-premises, and we'd love to see and have that talk about how Azure Defender defends those as well. Now what we're going to do is we're going to go through what Azure Security Center can do for your hybrid implementation or your hybrid architecture for on-premises and in Cloud. Take it away, Sarah.
Okay. This is Azure Security Center. I'll talk about Azure Security Center first, and then I'll move on to talk about Azure Defender, which is part of Security Center. Azure Security Center or ASC, it's been around for a while. It is a really, really nice tool included within Azure, so you should go look at it. One of the great things about it is that, despite the name calling it Azure Security Center, it can be used for machines and virtual machines that are on-premise or in other Clouds, and we manage them through Azure Arc. I'll come back and talk about that a bit later. As I said, Security Center is a Posture Management tool. We've re-jigged this screen in the last few months.
Depending on when was the last time you looked at Security Center, it might look a bit different, but I think the improvements we've made are really good. The first thing we'll have a look at is Secure Score. Now, Secure Score is something that we do use quite regularly in Microsoft. You might have seen Secure Score in Microsoft 365. We do use it in other places, but when we look at Secure Score here, we're looking at Secure Score for your Azure infrastructure and any other Cloud or on-premise infrastructure. If I have a look here, I'm just going to pick one of the subscriptions we've got. We can have a look and see how well we're scoring on a per-subscription. You'll notice that you can be quite granular with this, so you can just use ASC and look at a single subscription, or you can have it roll up and look at multiple subscriptions. In some organizations, we see that particularly if you're going towards that Agile DevOps model, the operational teams are actually taking responsibility for their individual subscriptions. That's why you might want to make the access limited to a certain subscription, and that can be done using our role-based access control, or RBAC, or it might be you've still got a central team doing all of it, but we can cater to it either way. You can see here on the subscription, I've just dived into a little bit. The Secure Score on here is 77 percent. I've got 41 out of 54 points. We can see that I've got about a third of my resources are considered unhealthy, about two-thirds are considered unhealthy. Now, what posture management is about is trying to get rid of the gotchas, the basic things that you should do, because one of the great things about Cloud and one of the terrible things about Cloud at the same time, is that you can just spin up resources left, right, and center, and you can spin them up quickly and easily.
It means that from a security perspective, someone could be just spinning up random machines everywhere, and they may not have the right controls on them, they may not have the right images, and Security Center can help with that. We know actually, it's worth pointing out here, we know that a good proportion of security breaches are not initiated or propagated through someone in a hoodie, sorry, tapping on a keyboard, doing some very, very complicated zero-day. Often attackers are using known bugs, things that need patching, or even just misconfigurations. This is where Security Center can help, because the posture management and Secure Score can help you see where your machines are not configured to security best practice, and it can help you remediate them. Obviously, that overall reduces the risk of those misconfigurations being manipulated by an attacker to do something bad. If we have a look, I'll just, now we've recently-ish, we arranged some of these, how we categorize these. I think it's much more obvious now. You can see here, on top of the list, we have remediate vulnerabilities. When we talk about vulnerabilities, this can be patching, it can be from our vulnerability assessment. ASC, Azure Security Center, does have Qualys as a gray box solution. Qualys is a vulnerability scanner, so that can look for any known vulnerabilities on your machines. But you can see here, we've got Azure Defender for SQL should be enabled, vulnerabilities in the Azure Container Registry images should be remediated, vulnerabilities in your virtual machine should be remediated. I'm going to click on this one, just so you can have a little bit more detail. If you click on one of these, it will, to start with, tell you all the findings. You can see here, six of the 14 virtual machines in this subscription, they don't have the Windows security update for November 2020. Yeah, don't judge our demo environment.
Well, it's done like that so that you can show it, right?
It is supposed to be like this. Look, we basically, there's quite a lot of Windows security updates missing on here. You can see that we tell you how many resources are affected by this. There's also an Internet Explorer update there too, and we've also given it a severity as well. If I click on that particular finding, it will actually give me some more information. So it will tell me the impact. Now, this one's fairly, kind of fairly obvious, which is if there's known vulnerabilities in your machine, that gives the attacker the possibility to exploit it. It will also give you here the CVEs and the CVSS base score. Now, if you're not familiar with what they are, the CVE is the Common Vulnerabilities and Exposures List. This is a centrally controlled list, which I'll actually show you. It's done by MITRE. And every time vulnerabilities are found, security vulnerabilities, they are logged in the CVE directory. So you can see here generally a CVE ID will be CVE-2020, the year it was discovered, and then what number it is for that year. So you can find these for not just, it's not just OSs and Windows. It can be for code. It can be for other programs. But that's where research and some manufacturers will log their CVEs. And the CVSS base score tells you how severe the potential impact could be. So you can go up to 10. I believe 10 is the highest off the top of my head. And it goes down from there. So you might have a minor security vulnerability that ultimately the impact might not be too bad. But if you can get up to a 9.8 and a 10 there, that's actually quite bad. So that gives you an idea of, and as you can see, we in Microsoft have categorized this as high severity. So that suggests you should fix this as soon as you can. So as you can see here, there's lots of CVEs that this particular security update is addressing.
And then it will tell you the affected resources here. So we've got some virtual machines. Just here, I wanted to highlight these two servers in the middle. The two at the top and the two at the bottom are virtual machines that are from Azure. They're actually Azure resources. These two in the middle, you can tell by the change in logo. They are actually on-premise servers that have been onboarded through Arc. So this is something that you can get for your virtual machines within Azure, but also for any virtual machines that you onboard to Azure Arc. Security Center can also monitor them because of course, you know, we talk about all the time, there's no point. Most people are running hybrid environments nowadays. There's no point just monitoring the cloud or just monitoring your on-prem. You need to get this view across everything. So that's something to remember. Do remember that you can onboard on-prem machines and get this sort of information as well. We also give you some remediation. I mean, essentially here the remediation is, please install the security update, but that might vary depending on what you see.
I was going to ask in terms of what it actually reports out, is there any difference in terms of the reporting from a virtual machine that's based in Azure, or a virtual machine based in Hyper-V? Would there be a designation on the report out list that you just shared in terms of which was which, if it was on-premises or in cloud, or does it just see them all as virtual machines, and then report on them just the same?
So it does, on this side of things, the reporting is the same. If you did need to see your, if you did for reporting purposes, perhaps need to see on-prem and in Azure differently, or you needed to know what sort of the delta was between the two.
The way that you onboarded those machines into Azure Arc would make that easier because when you onboard a machine into Azure Arc, you'll put it in a resource group. So you'd probably have like an on-premise resource group and maybe put that in a separate subscription. And then what you'd be able to do is see that as a separate subscription, but have it all roll up. There's a couple of ways you could deal with that. But essentially the reporting is the same, but you may, you know, some people may need to, some organizations might need to see them separate.
Some organizations, there's regulations that require them to report out their on-premises implementation that is required. This is the security that's being monitored. This is what the report out is in terms of their implementation so they can prove that it's to the spec that's required for the ISO standard certificate that's required by the organization to upkeep.
Definitely. So, I mean, I'm not going to go through all of these because we'd be here for hours, but you can see if I'll scroll down a little bit. Now, you'll only see recommendations that are relevant to the resources that ASC can see. So, you wouldn't see a recommendation in here if you've got no resources that it's relevant to. And this is always being updated. So, you can see here, we've got some Azure, we've actually got here a specific on-prem recommendation. Log Analytics agent should be installed on your Linux-based Azure Arc machines. So, the Log Analytics agent is used for various different things. It's also used for Sentinel, but the Log Analytics agent does need to be installed on any virtual machines that ASC is monitoring. It does use that agent to help it report on things. So, but here, ASC is smart though. It will actually tell you, it does know if there are virtual machines in your subscription that don't have it installed.
And as we can see here with this remediation, it actually tells you, please install it because I can't see anything. So, we do make this really, really as straightforward as possible. And particularly, as I said, if you're moving to that DevOps thing where perhaps developers who weren't necessarily responsible for operational security in the past, if they're just learning how to do this, it's nice and easy to do. And where you can see there's a blue box here that says Quick Fix. That's where we've got automated remediation to fix that problem. So, yeah, we love that. So, that means we've got an ARM template or a logic app that would actually be able to fix it. Now, you'll see here, because we practice what we preach in Microsoft that we have the principle of least privilege. I actually do not have sufficient permissions on this demo to select this Arc machine. But if I did, what you would see, you can see here, I would select the machines and down here we've got some, well, they're grayed out for me on this one. You would be able to hit Remediate or trigger logic app and that would actually fix, it would do the automated remediation. We also provide you the ability to look at the ARM template and the actual logic of the remediation before you do it. Of course, because if we're looking at production environments, I'm very aware because I come from an operational background that you can't just necessarily start installing things willy-nilly on operational things. So, in fact, this is a good demonstration of how, as well, you can limit the permissions that people have to ASC. It might be you just want them to be able to look, but not fix, which is what I have here in this particular environment. So, you don't need to be scared that people are just going to use this automated remediation to start making changes in prod without it being controlled and going through your change control process.
Role-based access control has been huge in terms of the least amount of enablement provided to administrators and users whoever is governing over your organization and have to be granted access and the whole trouble-ticketing capability that can be implemented and permissions granted through that trouble-ticketing. It's such a huge benefit for security forensics. Should something happen or there's a theft of data occurring, the fact that you have this capability of lockdown and granting permissions and then tracking that whole history in terms of the footprints and how that all occurred, huge advantage for people and organizations to keep track of what's going on.
And you've probably heard it before. It's cheesy, but it's true. Identity is our new perimeter of hybrid environments when you've got things on-premise and you've got things on the cloud. The only way that you can now build a perimeter, we can't just box everything in a traditional on-prem data center with lots of firewalls anymore. We can't just use the network because of hybrid architectures. So the only way that we can have a perimeter now is to have really strong centralized identity controls. It's the way forward and it's a journey for everyone. And I'm not saying before anyone like jumps at me on Discord or anything. I'm not saying network controls aren't important. I am previously a network engineer in a previous life, but they can't be the only thing we can rely on anymore in hybrid architecture. It just doesn't work. So, yeah, identity and RBAC is really, really important. There's another half a day run I could go on that we definitely don't have time for. We'll have to do that in the future. Yeah. Yeah, that's a big one. And you can see, as I said, I'm not going to go through all of these, but you can see we've got things like looking at network. As I said, network is important. Applying system updates, of course. Enable auditing and logging. Implement security best practices.
Now, here's a good one that I do like to see is done, which is MFA. You can see here that MFA is all enabled on our subscription. This demo subscription is not all bad. And we got our encrypted data in transit, secure management ports. And if you're wondering, these best practices come from a variety of places, but they are largely based on internal Microsoft best practice, the CIS, which is Center for Internet Security, Azure benchmark, and general best practices in industry. So, yeah, this is a really good place to start. If you're still, if you're just starting to move to the cloud and I had once had a customer and I love this description, it's always stuck in my mind. They said that their cloud implementation was a bit of a wild west, that people had just spun things up all over the place. And the security didn't really have good visibility of what anything was, whether it was good, whether it was bad. This is a really good place to start. And because it's scored, it's something that you can actually look to improve over time. And you can track that. And you can track it and monitor it. And you can see how your secure score improves, which is great, because if you're still maybe building a cloud security policy, because the reality is not all businesses will build a cloud security policy before they start moving to cloud. And this is a way to start you off and saying, these are best industry best practices and we are adhering to them. Or this is where we're not. Let's look how we can fix that, etc. So I think this is a really good place to start.
So a couple of things I want to reemphasize. MFA or multi-factor authentication, really important. It's no longer an excuse. You don't have to buy a token. You can enable that functionality directly on your smartphone using the app. Or there's a callback feature, what have you. Something you can activate in Azure Active Directory for that type of implementation.
So something that you should take into consideration when you're deploying your security strategy across your hybrid infrastructure. The other piece I wanted to make sure that everybody is aware of is your security posture and your governance posture should be planned hand in hand. The cloud shouldn't be the Wild Wild West when you're migrating data up into the cloud and taking advantage of your hybrid infrastructure implementation. Governance is that key that can provide you that guidance in terms of what the organization has said is okay to deploy to spin up in terms of services in your organization. It's something that can be agreed upon by the organization as a whole and doesn't have to be governed by one entity. Think of it as cloud adoption with training wheels or with guardrails so that you don't fall off the bed and you ensure that your organization stays in its secure posture that's required for the implementation of cloud. Yeah, definitely. Yeah, you've got to as you said, your governance and your security standards do need to go hand in hand. 
It's tricky, and you've got to translate. Often businesses will have had something, or organizations will have had something, they were using on-prem, and it's not necessarily a straight sort of copy-paste, but it's an important thing to do so you can actually judge where you're at. But I think ASC is a really good place to start if you're still going through that journey and working it out within your organization. And of course, the great thing is it also will look at your on-premise as well, because a lot of these best practices that you can see, they are good, solid common sense, and the vast majority of them also apply to on-premise machines as well. So you can use this actually to get a look at the onboarded machines through Azure Arc. You can actually see what your on-premise security baseline is as well, which might be an interesting experience for some customers, depending on how your on-premise, how well it's been looked after in the past.
That's the important piece. You want to have that uniformity of your virtual machines across on-premises and cloud, and so rules that need to be abided by in cloud, most likely they have to be done on-premise as well. So it's something where, if you're getting now that standardized "this is what we should be at and why we're not there", it being reported out in ASC is a huge advantage for organizations to get up to spec in terms of the updates and security patches that are required.
Yeah, exactly. And you know, we have this discussion all the time in security, but it's so true: an attacker doesn't care if your server is in your cloud or on-premise. They're going to go for the low-hanging fruit, the easiest thing for them to get into. It may not be where they need to be initially, but if that gets them a foothold in your organization, in your environment, then they can start to look to move laterally and move through your environment. So if you just concentrate, say, on patching all your new things in the cloud, and you just sort of let your on-prem just do its thing and neglect it, an attacker might decide, you know, may just go for the easiest, lowest common denominator, whatever's easy. I mean, attackers don't care where it is. They're just going to go for the easiest thing, and even if that particular resource that they compromise doesn't have anything of value, that could be their point to start to pivot throughout the rest of your environment. So, you know, it is important. Security has to be looked at holistically, so you can't just look at, say, "hey, we're going cloud first, let's kind of just focus on cloud", because, you know, at the end of the day that wouldn't necessarily protect you. Maybe it'll protect your cloud environment, but yeah, so we've got to always think about this in a holistic way.
In terms of your implementation of Azure Security Center monitoring your on-premises implementation, you made mention numerous times of Azure Arc. Is that a requirement for your onboarding of on-premises?
Not necessarily. There are two ways you can onboard on-premise servers into Azure Security Center. Our recommended way is using Azure Arc, and the way that we onboard to Azure Arc is, well, the same way you do any Azure Arc onboarding. No matter what you choose to use Azure Arc for, it is exactly the same. In fact, well, here's one I made earlier. Essentially, if you've already got an on-prem machine you want to add, you simply add it as a server, and essentially you have to click through here, fill in where you want to onboard it within your Azure subscription. You can put tags on it. Obviously this isn't going to work because this is me messing around. And then it will create for you a custom script that's tailored for that machine, and you download and run the script, and then it will onboard to Azure Arc. And so, of course, Azure Arc has many other uses as well. It's not just for ASC, but that's our recommended way of doing it. And the other way that you can do it, that was the only way to do it until Azure Arc came along, which is to manually add agents here within Security Center. This is probably more fiddly. The agent that you have to install is the Log Analytics agent, but it is a little bit fiddlier to do it like that. We definitely recommend Azure Arc, but yeah, this is the other way you can do it. The cool thing is it doesn't matter which one you install; from an ASC perspective at least, the functionality is the same. But we would recommend you go with Azure Arc, which is a way of connecting outside Azure into Azure for many different services, so there's a lot of other good reasons to use that. So there are your two options.
So now, for more information around Azure Arc, we'll provide a link below in regards to where you can find out more information about Azure Arc and its implementation. But it's great to know that there is choice in terms of your deployment or your monitoring of your on-premises implementation in the hybrid infrastructure through Azure Security Center. One of the
big things for me, as you mentioned, is the manual process that's required outside of Azure Arc, whereas in Azure Arc it's all automated. Is it safe to assume that it also allows you to do multiple implementations of server that's on-premises through Azure Arc really quickly, as opposed to doing it the other way, where you're going one by one by one installing clients?
Yeah, actually, to be fair, when we say manually, it is possible, if you're using SCCM and other systems on-premise that push mass updates and programs, you can use those systems to push the Log Analytics agent. So it's probably not entirely fair to say it's literally one by one by one, but Azure Arc is the easier way of doing it. It's more straightforward. It's something that's designed for doing those things and onboarding. There's one other thing I wanted to show from Security Center which is really valuable, and we touched on this just before. You talked about regulations and regulatory compliance. That is something that most organizations, no matter what the vertical and where you are in the world, most organizations are beholden to regulatory compliance in some way, shape or form, and we actually have a module as part of Security Center to help with that. So you can see here we've got ISO 27001, PCI DSS, which is for processing credit card payments, we have NIST, which is made by the federal government, and I'm not going to read them all out. Here we've got the Azure CIS, the Center for Internet Security Benchmark, which I did refer to earlier in the recommendations. And the regulatory compliance module here, it will actually score your infrastructure that it can see against these regulatory standards. So if we have a look at ISO here, ISO 27001 is a very, very common information security standard, if you haven't heard of it, and you can see here, if we drill down, we can see all the different rules within the standard, and then we can see where
we've got a little red cross, that's where we're not compliant. Where it's grey, that means that's not an automated control at the moment, or it might be something that you have to look at outside of Azure, because these standards, if you're not familiar with these standards, they are holistic for an organization, so they're not just necessarily technical standards. So you can see here, for example, human resources security. That's something that's part of the ISO 27001 standard, but it's not something that ASC can look at because that is a company policy. If you see here, it's talking about security around prior to employment, during employment, and termination. So for example, a prior to employment check would be doing a background check, maybe a criminal records check. Now ASC, of course, can't... We have a lot of intelligence in ASC. ASC isn't able to go and read your organization's policies to know whether you can do that, so you will see some things greyed out because we can't check them. We'll be focusing on the technical infrastructure controls. So if we have a look at one of these, as you can see, we're not doing particularly well in this subscription. You can see here segregation of duties, we're not adhering to that, and as you can see, when we drill down, it actually links it back to the best practice recommendations and secure score that we were looking at before. So essentially it's saying this is the part of the standard we're failing on, but this is how you fix it. So if I click here, it will actually take me to that recommendation that we were looking at previously. So again, there's still going to be work to do for you, but what it means is that it very, very clearly shows you links to how you can improve your posture and how it will help you adhere to regulatory compliance, which I think is really, really cool. And as someone who comes from, I did work in financial services, and before that I worked for a big four organization that did these sort of assessments on behalf of other
organizations, I can tell you, as someone who's been on both sides of the fence for regulatory assessments, doing any of it in an automated fashion is really, really helpful, because these sort of assessments against standards can be very, very time consuming. So this is definitely very, very valuable.
So Sarah, one of the questions I know is going to come up is, what is the difference then between Azure Security Center and Azure Sentinel?
Yeah, that's a really good question, and we get asked it a lot. So Azure Security Center is, you can see here, and I think this is one of the best diagrams we have to explain this, Azure Security Center is what you use to proactively prevent, to be proactively stopping security issues happening. So this is when you can identify maybe where you've got a misconfiguration, or something that's not configured to best practice, or you need to do patching, and then you can remediate that, implement protections, and this is all before anything's happened. Then for Sentinel, Sentinel is your SIEM, where it will actually detect security incidents if they happen. Then that's where you can respond and recover. So that's kind of in the incident. That's where Security Center and Sentinel sit. It's a really good question though, and we get asked it a lot. I still think people are still getting their heads around it, but Security Center is just one pillar of the things that need to be fed into a SIEM like Azure Sentinel. So Security Center, or Azure Defender, the Azure Defender part of Azure Security Center, will generate threat protection alerts, and alongside alerts coming from your identity, your endpoint, other clouds and network, you would send that into your SIEM, so the SIEM has visibility of everything in your environment, and then it will create incidents as appropriate. And that's the way that you get proper visibility of what's going on, particularly in complex hybrid environments.
So early on in the presentation you talked about Azure
Defender threat protection and its capabilities for your hybrid implementation of on-premises and in cloud. Let's get a little deeper into that. So what does it actually mean and what can you actually do with it?
So Azure Defender is a cloud workload protection or CWP product. So what that means is it will actually look at the behavior and the heuristics and what's going on in different products within Azure, for them on-prem as well, and if it sees something that looks like it could be anomalous, or looks like a pattern of behavior that we've seen in our Microsoft threat intelligence land, it will create an alert. So you can see here on the Azure Defender page, it shows us to start with what is covered by Azure Defender, what isn't covered, and you can see Azure Defender does go across a range of different things. We have servers, Kubernetes, container registries, SQL. I'm not going to read them all out. And then we can see the security alerts here, so it actually tells us what security alerts have been raised. So this is last two weeks or so here. If I click on that, we can actually have a look at the security alerts. Again, this is a demo environment, so we do have quite a lot of alerts so we can show people what goes on, but again, these alerts are going to depend on what is seen in your environment and what things you have running. But you can see here we've got DDoS attack for public IP. That's actually something that will have come from the Azure DDoS service, which is a network product that we have, but it will report into ASC. For example, here we've got an exposed Kubernetes dashboard that's been detected. For those of you who aren't too familiar with Kubernetes, having an exposed Kubernetes dashboard is not good. It is something that can be potentially vulnerable and should be remediated. If we go back to the security alerts, here are some, we've actually got quite a few here. We've got potential SQL brute force. Now SQL, of course, is something that a lot of people
are running in some way, shape or form, and SQL injection is one of the OWASP Top 10 web vulnerabilities. So SQL brute force, of course, is not good. You can see that someone is attempting to brute force the creds to your SQL server, because of course you will log into a SQL server with different creds. You can see here it's mapped to the MITRE ATT&CK tactics, and it will give you the principal name, the application, the IP address where we think it's come from. Of course, this is a demo, so it's not so interesting. And then, in Take action, it will tell you what you need to do. It's also possible to trigger an automated response here as well to actually fix it, so fix it quickly without a person being involved.

Of course, there are quite a lot of security alerts. What you see is going to depend on what's running, but we do have coverage for a lot of different things. You can see here we have some more SQL injection, which of course can be quite a nasty attack if you've got vulnerable SQL things running. We've got phishing content hosted on Azure web app. Of course, that's not something you want to see. It's not great. If someone's using phishing content on your web app, that suggests your web app has been compromised. It's also not good from a reputational perspective. We can see currency mining, so that's bitcoin mining. And then, focusing maybe more on the server infrastructure, you can see here we've got failed SSH brute force attack. That's when someone just keeps trying to SSH into a machine with credentials, just keeps trying and trying and trying. We can see suspicious authentication.

As you can see, I'm not going to read them all out, but there are many different things here, and we're adding to them all the time. Of course, it's very contextual as to what you will see here, but if you see an alert in here, based on Microsoft threat intelligence and all the different threat intelligence that we collect, and our security engineers and our threat
intelligence folks, this is something that you may want to look at.

So Sarah, we covered a lot today in regards to Azure Security Center. If somebody wants to continue on their journey in terms of upskilling on the service, what are the best resources available for them?

We've actually got, in the last few months, we released the ASC Ninja training. That's training that goes through ASC from top to bottom. We use it, there's a lot of videos and tutorials and labs, so I think that's a great place to start. We also have an ASC GitHub repo where there are example Logic Apps for remediating things, so that's definitely worth checking out. One of my colleagues, the very wonderful Yuri, who's on my sister team, runs a regular YouTube series called Azure Security Center, and it's fairly bite-sized and it goes through different aspects of ASC. He always interviews someone, so that's worth checking out. And you can always go to the Azure Security Tech Community and look at the ASC pages, where we do write new blogs and you can ask questions.

We also, as we do for Sentinel and our other security products, run webinars. We post all the webinars if they're not at a good time for you. For me over here in New Zealand, the webinars are at 3am, so I don't really get up for them unless I'm running them. I have had to run a webinar at 3am, because we do them live, but then the recordings are posted to YouTube so you can watch them retrospectively. We have them for Sentinel, for ASC, for MCAS, all the other security products, so definitely go check that out too, and that's probably a good place to start with ASC. We also have some MS Learn modules as well, which we're going to look to. I think that's everything that's a good foundation to look at ASC.

One possible add would be the Azure Security Center hub on docs as well, that you probably wanted to highlight in regards to your full repository of your vanilla versions of implementation, and then looking at Tech Community for that
real-world now guidance in terms of implementing Azure Security Center. Sarah, awesome to be with you here to talk about Azure Security Center. If people want to get a hold of you, what's the best way to get a hold of you on social?

That would be my Twitter handle. It's at underscore Sarah Y.O, or Sarah Y.O, so feel free to tweet at me. My DMs are open, for better or worse, so feel free to reach out to me. Alternatively, you can also post questions on the Tech Community website, and that's picked up by myself, my teammates and other engineering folks as well. If you have questions, we're always trying to help out where we can.

And if you want to get a hold of me for some reason, you can find me on Twitter at wireless life, or regularly producing content at itopstalk.com. Sarah, thank you very much.

No problem, thanks for having me.

See y'all.

Bye.