Become a Microsoft Defender for Cloud Ninja
[Last update: 02/26/2025] This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you to go from absolutely no knowledge in Microsoft Defender for Cloud, to design and implement different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender for Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we are adding new updates to this article, and you can track it by checking the red date besides the topic. If you already study all the modules and you are ready for the knowledge check, follow the procedures below: To obtain the Defender for Cloud Ninja Certificate 1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023) 1. Take this knowledge check here, where you will find only questions related to Defender for Servers. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Modules To become an Microsoft Defender for Cloud Ninja, you will need to complete each module. The content of each module will vary, refer to the legend to understand the type of content before clicking in the topic’s hyperlink. The table below summarizes the content of each module: Module Description 0 - CNAPP In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution. 1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow. 2 – Planning Microsoft Defender for Cloud In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment. From supported platforms to best practices implementation. 3 – Enhance your Cloud Security Posture In this module you will learn how to leverage Cloud Security Posture management capabilities, such as Secure Score and Attack Path to continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations. 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which includes vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks. 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and give you insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards. 6 – Cloud Workload Protection Platform Capabilities in Azure Defender In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which includes JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts. 7 – Streaming Alerts and Recommendations to a SIEM Solution In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk. 8 – Integrations and APIs In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud. 9 - DevOps Security In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product. 10 - Defender for APIs In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability. 11 - AI Posture Management and Workload Protection In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps. Module 0 - Cloud Native Application Protection Platform (CNAPP) Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach Microsoft CNAPP Solution Planning and Operationalizing Microsoft CNAPP Understanding Cloud Native Application Protection Platforms (CNAPP) Cloud Native Applications Protection Platform (CNAPP) Microsoft CNAPP eBook Understanding CNAPP Module 1 - Introducing Microsoft Defender for Cloud What is Microsoft Defender for Cloud? A New Approach to Get Your Cloud Risks Under Control Getting Started with Microsoft Defender for Cloud Implementing a CNAPP Strategy to Embed Security From Code to Cloud Boost multicloud security with a comprehensive code to cloud strategy A new name for multi-cloud security: Microsoft Defender for Cloud Common questions about Defender for Cloud MDC Cost Calculator (02/2025) Module 2 – Planning Microsoft Defender for Cloud Features for IaaS workloads Features for PaaS workloads Built-in RBAC Roles in Microsoft Defender for Cloud Enterprise Onboarding Guide Assigning Permissions in Microsoft Defender for Cloud Design Considerations for Log Analytics Workspace Microsoft Defender for Cloud Monitoring Agent Deployment Options Onboarding on-premises machines using Windows Admin Center Understanding Security Policies in Microsoft Defender for Cloud Creating Custom Policies Centralized Policy Management in Microsoft Defender for Cloud using Management Groups Planning Data Collection for IaaS VMs Considerations for Multi-Tenant Scenario How to Effectively Perform an Microsoft Defender for Cloud PoC Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage Microsoft Defender for Cloud PoC Series – Microsoft Defender for DNS Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service Microsoft Defender for Cloud PoC Series - Microsoft Defender for Container Registries Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series Grant tenant-wide permissions to yourself Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud Simplifying Onboarding to Microsoft Defender for Cloud with Terraform Module 3 – Enhance your Cloud Security Posture Azure Secure Score vs. Microsoft Secure Score How to calculate your secure score How Secure Score affects your governance Enhance your Secure Score in Microsoft Defender for Cloud Security recommendations Resource exemption Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud How to keep track of Resource Exemptions in Microsoft Defender for Cloud Deliver a Security Score weekly briefing Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders Secure Score Reduction Alert Weekly Secure Score Progress Report Average Time taken to remediate resources Improved experience for managing the default Azure security policies Security Policy Enhancements in Defender for Cloud Create custom recommendations and security standards Secure Score Overtime Workbook Automation Artifacts for Secure Score Recommendations Remediation Scripts Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud CSPM in Defender for Cloud Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications Predict future security incidents! Cloud Security Posture Management with Microsoft Defender Software inventory filters added to asset inventory Drive your organization to security actions using Governance experience Managing Asset Inventory in Microsoft Defender for Cloud Vulnerability Assessment Deployment Options Vulnerability Assessment Workbook Template Vulnerability Assessment for Containers Exporting Azure Container Registry Vulnerability Assessment in Microsoft Defender for Cloud Improvements in Continuous Export feature Implementing Workflow Automation Workflow Automation Artifacts Creating Custom Dashboard for Microsoft Defender for Cloud Using Microsoft Defender for Cloud API for Workflow Automation What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud Connect AWS Account with Microsoft Defender for Cloud Video Demo - Connecting AWS accounts Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform How to better manage cost of API calls that Defender for Cloud makes to AWS Connect GCP Account with Microsoft Defender for Cloud Protecting Containers in GCP with Defender for Containers Video Demo - Connecting GCP Accounts Microsoft Defender for Cloud PoC Series - Multicloud with GCP All You Need to Know About Microsoft Defender for Cloud Multicloud Protection Custom recommendations for AWS and GCP 31 new and enhanced multicloud regulatory standards coverage (02/2025) Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided How to Generate a Microsoft Defender for Cloud exemption and disable policy report Cloud security posture and contextualization across cloud boundaries from a single dashboard Best Practices to Manage and Mitigate Security Recommendations Defender CSPM Defender CSPM Plan Options Cloud Security Explorer Identify and remediate attack paths Agentless scanning for machines Cloud security explorer and Attack path analysis Governance Rules at Scale Governance Improvements Data Security Aware Posture Management A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis Understanding data aware security posture capability Agentless Container Posture Agentless Container Posture Management Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud Demystifying Defender CSPM Discover and Protect Sensitive Data with Defender for Cloud Defender for cloud's Agentless secret scanning for virtual machines is now generally available! Defender CSPM Support for GCP Data Security Dashboard Agentless Container Posture Management in Multicloud Agentless malware scanning for servers Recommendation Prioritization Unified insights from Microsoft Entra Permissions Management Defender CSPM Internet Exposure Analysis Future-Proofing Cloud Security with Defender CSPM ServiceNow's integration now includes Configuration Compliance module 🚀 Suggested Labs: Improving your Secure Posture Connecting a GCP project Connecting an AWS project Defender CSPM Agentless container posture through Defender CSPM Contextual Security capabilities for AWS using Defender CSPM Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud Regulatory compliance dashboard Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud Adding new regulatory compliance standards Regulatory Compliance workbook Regulatory compliance dashboard now includes Azure Audit reports Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS! Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure 🚀 Suggested Lab: Regulatory Compliance Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Clouds Understanding Just-in-Time VM Access Implementing JIT VM Access File Integrity Monitoring in Microsoft Defender Define known-safe applications using Adaptive Application Control Understanding Threat Protection in Microsoft Defender Microsoft Defender for Servers Demystifying Defender for Servers Onboarding directly (without Azure Arc) to Defender for Servers Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM Vulnerability Management in Defender for Cloud File Integrity Monitoring using Microsoft Defender for Endpoint Microsoft Defender for Network Layer Microsoft Defender for Containers Basics of Defender for Containers Secure your Containers from Build to Runtime AWS ECR Coverage in Defender for Containers Upgrade to Microsoft Defender Vulnerability Management End to end container security with unified SOC experience Binary drift detection episode Binary drift detection Cloud Detection Response experience Exploring the Latest Container Security Updates from Microsoft Ignite 2024 Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud (02/2025) Onboarding Docker Hub and JFrog Artifactory (02/2025) Improvements in Container’s Posture Management New AKS Security Dashboard in Defender for Cloud (02/2025) Microsoft Defender for Storage Protect your storage resources against blob-hunting Malware Scanning in Defender for Storage Microsoft Defender for SQL Microsoft Defender for SQL and the Vulnerability Assessment (VA) New Defender for SQL VA Microsoft Defender for SQL Anywhere Validating Alerts on Microsoft Defender for SQL on machines New autoprovisioning process for SQL Server on machines plan Defender for Open-Source Relational Databases Multicloud Microsoft Defender for KeyVault Microsoft Defender for AppService How Microsoft Defender for App Service works Microsoft Defender for Resource Manager Understanding Security Incident Security Alert Correlation Alert Reference Guide 'Copy alert JSON' button added to security alert details pane Alert Suppression Simulating Alerts in Microsoft Defender for Cloud Alert validation Simulating alerts for Windows Simulating alerts for Linux Simulating alerts for Containers Simulating alerts for Storage Simulating alerts for Microsoft Key Vault Simulating alerts for Microsoft Defender for Resource Manager Integration with Microsoft Defender for Endpoint Auto-provisioning of Microsoft Defender for Endpoint unified solution Resolve security threats with Microsoft Defender for Cloud Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud Investigating Microsoft Defender for Cloud alerts using Azure Sentinel Service Layer Protection - Microsoft Defender for Resource Manager and DNS Azure Arc and Azure Microsoft for Kubernetes Filter security alerts by IP address Alerts by resource group Defender for Servers Security Alerts Improvements 🚀 Suggested Labs: Workload Protections Agentless container vulnerability assessment scanning Microsoft Defender for Cloud database protection Protecting On-Prem Servers in Defender for Cloud Defender for Storage Module 7 – Streaming Alerts and Recommendations to a SIEM Solution Continuous Export capability in Microsoft Defender for Cloud Deploying Continuous Export using Azure Policy Connecting Microsoft Sentinel with Microsoft Defender for Cloud Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud Accessing Microsoft Defender for Cloud Alerts in Splunk using Graph Security API Integration Microsoft Sentinel bi-directional alert synchronization 🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM Module 8 – Integrations and APIs Integration with Tenable Integrate security solutions in Microsoft Defender for Cloud Defender for Cloud integration with Defender EASM Defender for Cloud integration with Defender TI REST APIs for Microsoft Defender for Cloud Obtaining Secure Score via REST API Using Graph Security API to Query Alerts in Microsoft Defender for Cloud Automate(d) Security with Microsoft Defender for Cloud and Logic Apps Automating Cloud Security Posture and Cloud Workload Protection Responses Module 9 – DevOps Security Overview of Microsoft Defender for Cloud DevOps Security DevOps Security Interactive Guide Configure the Microsoft Security DevOps Azure DevOps extension Configure the Microsoft Security DevOps GitHub action Automate SecOps to Developer Communication with Defender for DevOps Compliance for Exposed Secrets Discovered by DevOps Security Automate DevOps Security Recommendation Remediation DevOps Security Workbook Remediating Security Issues in Code with Pull Request Annotations Code to Cloud Security using Microsoft Defender for DevOps GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud Securing your GitLab Environment with Microsoft Defender for Cloud Bridging the Gap Between Code and Cloud with Defender for Cloud Integrate Defender for Cloud CLI with CI/CD pipelines (02/2025) Code Reachability Analysis (02/2025) 🚀 Suggested Labs: Onboarding Azure DevOps to Defender for Cloud Onboarding GitHub to Defender for Cloud Module 10 – Defender for APIs What is Microsoft Defender for APIs? Onboard Defender for APIs Validating Microsoft Defender for APIs Alerts . API Security with Defender for APIs Microsoft Defender for API Security Dashboard Exempt functionality now available for Defender for APIs recommendations Create sample alerts for Defender for APIs detections Defender for APIs reach GA Increasing API Security Testing Visibility Boost Security with API Security Posture Management (02/2025) 🚀 Suggested Lab: Defender for APIs Module 11 – AI Posture Management and Workload Protection Secure your AI applications from code to runtime with Microsoft Defender for Cloud AI security posture management AI threat protection Secure your AI applications from code to runtime Data and AI security dashboard (02/2025) Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud (02/2025) 🚀 Suggested Lab: Security for AI workloads Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Other Resources Microsoft Defender for Cloud Labs Become an Microsoft Sentinel Ninja Become an MDE Ninja Cross-product lab (Defend the Flag) Release notes (updated every month) Important upcoming changes Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!! Reviewer: Tom Janetscheck, Senior PM
Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud
Automate SecOps to Developer Communication with DevOps Security in Defender for Cloud Logic Apps are a workflow automation feature of Microsoft Defender for Cloud (MDC) in which you can create and run automated workflows that integrate your apps, data, services, and systems. Customer feedback has been loud and clear—Security Teams need more efficient and effective ways to communicate directly with Development Teams about discovered security findings. This blog walks through creating a Logic App that Security Teams can use to automate communication of discovered security issues to Development Teams. The Logic App creates a Work Item in Azure DevOps (ADO) containing repository location, description, and remediation information from DevOps security in Defender for Cloud Recommendations that Developers can use to remediate the discovered security issue. Security Operators will find this Logic App particularly useful because they do not need to be familiar with Azure DevOps or even to login to Azure DevOps to create a Work Item for their Developers. Instead, SecOps can trigger a Logic App on an affected repository and create a Work Item for a Development Team to triage and remediate. Objectives: Create a Logic App to create an Azure DevOps work item from an MDC Recommendation Test the Logic App Prerequisite: Connector provisioned in MDC to your Source Code Management System (such as Azure DevOps or GitHub) Create a Logic App to Create an ADO Work Item Login to Azure and search for or click Logic Apps Click + Add Choose a Subscription and Resource group Enter a name for your Logic App Under Plan, choose Consumption Click Review + create Click Create Go to the Logic App you created and click Logic app designer in the left menu Click Blank Logic App In the search box, type Recommendation Choose When a Microsoft Defender for Cloud Recommendation is created or triggered Click + New step Type variable in the search box Choose Initialize variable For Name, type org_name For Type, choose String Click + New step Type variable in the search box Choose Initialize variable For Name, type project_name For Type, choose String Click + New step Type variable in the search box Choose Initialize variable For Name, type repo_name For Type, choose String Click + New step Type variable in the search box Choose Set variable For Name, choose org_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),10)) and click OK Click + New step Type variable in the search box Choose Set variable For Name, choose project_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),12)) and click OK Click + New step Type variable in the search box Choose Set variable For Name, choose repo_name from the dropdown menu For Value, click in the empty box In the Add dynamic content flyout, click Expression and type the following: first(skip(split(triggerBody()?['properties']?['resourceDetails']?['id'],'/'),14)) and click OK Click + New step Type azure devops in the search box Click Create a work item Click Sign in Click Accept to allow the App request for the Logic App to write to Azure DevOps For Organization Name, click in the box, click Enter custom value In the Add dynamic content flyout, click org_name For Project name, click Enter custom value In the Add dynamic content flyout, click project_name For Work Item Type, type task For Title, click in the box, type the title of the work item you want to create for your Developers, such as: A security issue needs to be remediated from the following repo: In the Add dynamic content flyout, click repo_name For Description, type Description: In the Add dynamic content flyout, click Properties Metadata Description, then hit enter twice Type Remediation steps: then hit enter In the Add dynamic content flyout, click Properties Metadata Remediation Description Your Logic App should now look like the following: Your no code Logic App is now complete and needs to be tested. Test the Logic App Navigate to Microsoft Defender for Cloud Click Recommendations Expand Remediate vulnerabilities, click Code repositories should have secret scanning findings resolved Expand Affected resources, tick an Azure DevOps repository Click Trigger logic app In the Selected subscription dropdown, choose the Subscription that contains the Logic App Tick the box next to the Logic app Click Trigger Now let’s verify that your work item has been created Login to Azure DevOps and navigate to the Project with the repository you tested Click Boards, then click Work items to see the work item that you created Your work item should look similar to the following work item: Conclusion To review, we’ve walked through creating a Logic App that creates a Work Item in Azure DevOps to communicate with Developers so they can remediate security findings discovered by Microsoft Defender for Cloud. This Logic App can be executed on any Azure DevOps repository. It injects the location, description, and remediation steps in the Work Item description body so that Developers can quickly find and fix the security issue. This helps Security Operators automate communication with Developers by creating a Work Item that the Development Team can then prioritize in their Sprint Planning sessions. Additional Resources To learn more about DevOps security in Defender for Cloud, read this documentation Download (free) a special Appendix about DevOps security in Defender for Cloud from the latest Microsoft Defender for Cloud book published by Microsoft Press To learn how to onboard your Azure DevOps Source Code Management System to Defender for Cloud, read this documentation for Azure DevOps
Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blogpost is to clarify how Microsoft Defender for Cloud will align with this plan and what is the impact on customers.How to Effectively Perform a Microsoft Defender for Cloud PoC
[Post updated on 06/27/2024] Introduction Organizations are starting to realize that they need to closely monitor their cloud security posture and protect cloud workloads against threats. At the same time, they need to do this without creating silos across different solutions. Cloud Native Application Protection Platform (CNAPP) bring the capabilities from Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWP), in addition to many other platforms in a single place. To learn more about Defender for Cloud as your CNAPP solution, we recommend you use the resources below: Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach Microsoft CNAPP Solution Planning and Operationalizing Microsoft CNAPP Understanding Cloud Native Application Protection Platforms (CNAPP) Cloud Native Applications Protection Platform (CNAPP) Microsoft CNAPP eBook Understanding CNAPP To effectively determine the benefits of adopting Microsoft Defender for Cloud, you should perform a Proof of Concept (PoC). Even before enabling enable Microsoft Defender for Cloud in your subscription and start validating your scenarios, you should go through a planning process to determine a series of tasks that must be accomplished in this PoC. Planning Each Phase Use following schedule to perform their Microsoft Defender for Cloud PoC. Keep in mind that this is an example, and each organization may adequate this according to their needs. The sections that follow will explain each phase in more details. Planning During the planning phase you will organize a meeting with key stakeholders of this PoC. At minimum, you should have representatives from IT (mainly the ones that are responsible for your Cloud workloads), Security Operations, and Security Governance. The intent of this phase is to determine the answers for the following items: Scope of the PoC: what are you going to validate on this PoC? What scenarios do you want to test? Requirements: based on the scope, you can start determining the requirements for this PoC. This includes at least the following items: Determine if the type of deployment: single cloud (Azure) or multi-cloud. For AWS considerations, read this article. For GCP considerations, read this article. Determine which users should have administrative and read access to the subscriptions that Microsoft Defender for Cloud will be enabled. Use this article as a reference to review the roles (RBAC) available for Microsoft Defender for Cloud. Determine if you need policy centralized management for Microsoft Defender for Cloud, and use the best practices from this article. If you are going to use multiple subscriptions, define the workspace model (centralized or distributed). In Microsoft Defender for Cloud, this is defined using the Data Collection tier, visit this article for more information about the options available. In the same Data Collection option, define if you are going to use Auto Provision or not. By using auto provision, the MMA agent will be automatically installed in the VMs that are under the selected subscription (preferred option). If you are going to use multiple subscriptions, consider using Management Group to manage Security Policy across all subscriptions. For more information about this, read this article. If you are going to use multiple subscriptions and want to automate the onboarding process, use the PowerShell examples described in this article. If you need to prioritize security recommendations based on risk factors, and disrupt potential attack before it happens, consider enabling Defender CSPM. If you need to create governance rules to assign to workload owners and establish SLA to remediate recommendations, consider enabling Defender CSPM and use the governance feature. Define which resources will be monitored during the PoC to define which Microsoft Defender for Cloud plans you need to enable: Note: you can enable any of the Microsoft Defender for Cloud plans for 30 days free trial. Determine which PaaS workloads will be tested. Use this article to determine which PaaS workloads are supported by Microsoft Defender for Cloud. Define which VMs will be available through the Internet (via RDP or SSH) to test functionalities such as JIT VM Access, Network Map and Network Hardening. Determine the Operating System for the VMs that will be deployed for this PoC. Use this article to obtain the list of supported operating systems. These VMs can be in Azure, or on-premises. Take in considerations different scenarios for recommendations, such as: Validate scenarios where you need to exempt resources from recommendations. Use this article to learn how to create exemptions. Validate scenarios where you need to disable a recommendation that is not applicable to your scenario. Read this article for more information on how to perform this task. Validate scenarios where you need to automate a response for a recommendation. You can use the Workflow Automation feature to accomplish that. Measure success: this is something very important to establish before starting your PoC, because this will help you to set the right expectation and based on that expectation, measure if your PoC was a success or not. At the end of this phase you have the first checkpoint (A). On this checkpoint you should document the following items: Scope of the PoC, the requirements, timeline and the decision of how you will measure success. Next steps of the PoC If there are requirements that needs to be in place before the implementation, these requirements must be listed and planned for implementation The timeline for implementation of those requirements needs to be established Preparation This phase will focus on the implementation of the requirements. When going through those requirements, make sure to document everything that needs to be changed in the environment. One classic example is when the members of the Team that are implementing Microsoft Defender for Cloud don’t have the right level of permission in all subscriptions. This can cause delays if the team that is implementing Microsoft Defender for Cloud is not the same team that manages Azure Identity. For this reason, it becomes critical to involve the right stakeholders since the planning phase. At the end of this phase, you have the second checkpoint (B). On this checkpoint you should document the following items: Changes that were performed in the environment to adequate with the PoC requirements. Define when the implementation phase will start This is critical because once you enable Microsoft Defender for Cloud, you have 30 days free trial, and you should ensure that you utilize those days to validate all scenarios. You can also use the cost estimation workbook to estimate how much each plan will cost based on the resources you have in the subscription. Define who the workload owners are. Many times, the team that manage Microsoft Defender for Cloud do not have privileges to remediate recommendations in different workloads. For example, recommendations to remediate vulnerabilities in SQL Database might be something that the team that manages Microsoft Defender for Cloud can't do it, therefore it is imperative to involve the workload owners. Implementation and validation Now you can enable the Defender for Cloud enhanced security features, and once you do that the next step is the implementation of the scenarios that you established during the planning phase. Here are the most common scenarios that are covered during a PoC: Scenario 1: Security Posture Management If you decide to try the Foundational CSPM (free tier) you can immediately start testing the following scenarios: Ensure that you are driving your secure score up by addressing the recommendations raised by Microsoft Defender for Cloud. Use this article for more information about Secure Score. To drive your secure score up, you need to review security recommendations for the different workloads and follow the remediation steps to address them. Use the Workflow Automation feature to create automations for recommendations. You can test to send recommendation to workload owners using instructions from this article. If you want to validate advanced cloud security posture management feature, you will need to enable Defender CSPM. If that's the case, use this DCSPM POC article. Scenario 2: Reducing the Attack Surface Enable JIT VM access for Internet facing VMs and test the functionality. Use this article as a reference to perform the configuration/validation and watch this video to understand how JIT helps to reduce the attack surface. Use Adaptive Application Control to review the list of apps that should be allowed. Use this article as a reference to understand and implement this feature. Scenario 3: Threat Detection & Response Enable File Integrity Monitoring in your workspace to track changes to files and registry keys. Use this article as a reference to configure this feature. You can use the following guides to simulate attacks against the VMs and see how Microsoft Defender for Server will trigger Security Alerts: For Windows For Linux If you are validating threat detection for PaaS workloads such as Containers, Azure Key Vault, Storage and SQL, visit this page and select the scenario that you want to validate. Try to suppress alerts that are considered false positive for your environment using the Alert Suppression feature. Validate the integration of Microsoft Defender for Cloud with Microsoft Defender for Endpoint (MDE) using the instructions from this article. Configure SIEM integration (optional): if you need to validate SIEM integration, visit this site for more information about supported SIEM platforms. Create workflow automation using Playbooks to run once you receive an alert. You can use the examples below as a reference: Automate Microsoft Defender for Cloud actions with Playbooks and ServiceNow Microsoft Defender for Cloud & automatic creation of an incident in ServiceNow At the end of this phase, you have the third checkpoint (C). On this checkpoint you should document the following items: Each scenario that was tested and its results The learnings from each scenario. These learning can be used to determine if you foresee any roadblock that can delay the Microsoft Defender for Cloud adoption in the production environment and how to overcome those If you need a deeper plan to perform a PoC for each Microsoft Defender for Cloud Plan, please access them from here: Microsoft Defender for Kubernetes Microsoft Defender for Resource Manager Microsoft Defender for Storage Microsoft Defender for Key Vault Microsoft Defender for DNS Microsoft Defender for App Service Microsoft Defender for Container Registries Microsoft Defender for SQL Microsoft Defender for Servers Microsoft Defender CSPM Conclusion This is the final phase of the PoC, and it is strategically done 5 days before you reach the 30 days trial, and the reason for that is because you want to have a spare time to make your final decision if you want to keep using Microsoft Defender for Cloud or not, and if not you can disable Microsoft Defender for Cloud. This is the time to re-engage the stakeholders, present the results, and the benefits of adopting Microsoft Defender for Cloud in production. At the end of this phase, you have the last checkpoint (D). On this checkpoint you should document the following items: Final PoC report Final decision regarding Microsoft Defender for Cloud adoption Summary of the next steps, which needs to include the final considerations of Microsoft Defender for Cloud adoption in production and across all subscriptions Additional Resources Microsoft Defender for Cloud Documentation http://aka.ms/ascdocs Videos https://aka.ms/MDFCInTheField Training Roadmap https://aka.ms/MDFCNinja Microsoft Defender for Cloud Lab http://aka.ms/MDFCLabs
How Defender for Cloud displays machines affected by Log4j vulnerabilities
Microsoft Defender for Cloud's inventory filters can easily and quickly help you find all machines with a specific piece of software, or that are vulnerable to a specific CVE. In this case, we show how to find machines running Log4j or with the security finding CVE-2021-44228.Microsoft Defender for Cloud Cost Estimation Dashboard
This blog was updated on April 16 th , 2023 to reflect the latest version of the Cost Estimation workbook. Microsoft Defender for Cloud provides advanced threat detection capabilities across your cloud workloads. This includes comprehensive coverage plans for compute, PaaS and data resources in your environment. Before enabling Defender for Cloud across subscriptions, customers are often interested in having a cost estimation to make sure the cost aligns with the team’s budget. We previously released the Microsoft Defender for Storage Price Estimation Workbook, which was widely and positively received by customers. Based on customer feedback, we have extended this offering by creating one comprehensive workbook that covers most Microsoft Defender for Cloud plans. This includes Defender for Containers, App Service, Servers, Storage, Cloud Security Posture Management and Databases. The Cost Estimation workbook is out-of-the box and can be found in the Defender for Cloud portal. After reading this blog and using the workbook, be sure to leave your feedback to be considered for future enhancements. Please remember these numbers are only estimated based on retail prices and do not provide actual billing data. For reference on how these prices are calculated, visit the Pricing—Microsoft Defender | Microsoft Azure. Overview The cost estimation workbook provides a consolidated price estimation for Microsoft Defender for Cloud plans based on the resource telemetry in your organization’s environment. The workbook allows you to select which subscriptions you would like to estimate the price for as well as the Defender Plans. In a single pane of glass, organizations can see the estimated cost per plan on each subscription as well as the grand total for all the selected subscriptions and plans. To see which plans are currently being used on the subscription, consider using the coverage workbook. Defender Cloud Security Posture Management (CSPM) Defender CSPM protects all resources across your subscriptions, but billing only applies to Compute, Databases and Storage accounts. Billable workloads include VMs, Storage accounts, open-source relational databases and SQL PaaS & Servers on machines. See here for more information regarding pricing. On the backend, the workbook checks to see how many billable resources were detected and if any of the above plans are enabled on the subscription. It then takes the number of billable resources and multiplies it by the Defender CSPM price. Defender for App Service The estimation for Defender for App Services is based on the retail price of $14.60 USD per App Service per month. Check out the Defender for App Service Price Estimation Dashboard for a more detailed view on estimated pricing with information such as CPU time and a list of App Services detected. Defender for Containers The estimation for Defender for Containers is calculated based on the average number of worker nodes in the cluster during the past 30 days. For a more detailed view on containers pricing such as average vCores detected and the number of image scans included, consider also viewing the stand-alone Defender for Containers Cost Estimation Workbook. Defender for Databases Pricing for Defender for Databases includes Defender for SQL Databases and Defender for open-source relational databases (OSS DBs). This includes PostgreSQL, MySQL and MariaDB. All estimations are based on the retail price of $15 USD per resource per month. On the backend, the workbook runs a query to find all SQL databases and OSS DBs in the selected subscriptions and multiplies the total amount by 15 to get the estimated monthly cost. Defender for Key Vault Defender for Key Vault cost estimation is not included in the out of the box workbook, however, a stand-alone workbook is available in the Defender for Cloud GitHub. The Defender for Key Vault dashboard considers all Key Vaults with or without Defender for Key Vault enabled on the selected subscriptions. The calculations are based on the retail price of $0.02 USD per 10k transactions. The “Estimated Cost (7 days)” column takes the total Key Vault transactions of the last 7 days, divides them by 10K and multiples them by 0.02. In “Estimated Monthly Price”, the results of “Estimated Cost (7 days)” are multiplied by 4.35 to get the monthly estimate. Defender for Servers Defender for Servers includes two plan options, Plan 1 and Plan 2. The workbook gives you the option to toggle between the two plans to see the difference in how they would effect pricing. Plan 1 is currently charged at $5 per month where as Plan 2 is currently charged at $15. Defender for Storage The Defender for Storage workbook allows you to estimate the cost of the two pricing plans: the legacy per-transaction plan and the new per-storage plan. The workbook looks at historical file and blob transaction data on supported storage types such as Blob Storage, Azure Files, and Azure Data Lake Storage Gen 2. We have released a new version of this workbook, and you can find it here: Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation and learn more about the storage workbook in Microsoft Defender for Storage – Price Estimation blog post. Limitations Azure Monitor Metrics data backends have limits and the number of requests to fetch data might time out. To solve this, narrow your scope by reducing the selected subscriptions and Defender plans. The workbook currently only includes Azure resources. Acknowledgements Special thanks to everyone who contributed to different versions of this workbook: Fernanda Vela, Helder Pinto, Lili Davoudian, Sarah Kriwet, Safeena Begum Lepakshi, Tom Janetscheck, Amit Biton, Ahmed Masalha, Keren Damari, Nir Sela, Mark Kendrick, Yaniv Shasha, Mauricio Zaragoza, Kafeel Tahir, Mary Lieb, Chris Tucci, Brian Roosevelt References: What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn Pricing—Microsoft Defender | Microsoft Azure Workbooks gallery in Microsoft Defender for Cloud | Microsoft Docs Pricing Calculator | Microsoft Azure Microsoft Defender for Key Vault Price Estimation Workbook Microsoft Defender for App Services Price Estimation Workbook Microsoft Defender for Containers Cost Estimation Workbook Coverage Workbook
