Microsoft Defender for Cloud Blog articles https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/bg-p/MicrosoftDefenderCloudBlog Microsoft Defender for Cloud Blog articles Tue, 24 May 2022 22:05:18 GMT MicrosoftDefenderCloudBlog 2022-05-24T22:05:18Z How to demonstrate the new containers features in Microsoft Defender for Cloud https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-to-demonstrate-the-new-containers-features-in-microsoft/ba-p/3281172 <H3>How to demonstrate the new containers features in Microsoft Defender for Cloud</H3> <P><BR />To address the evolving security challenges surrounding container solutions our team recently announced Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, Google GKE and on-prem environments. It is part of Microsoft Defender for Cloud. <BR />It merges two previous legacy plans which we had, namely Microsoft Defender for Kubernetes and Microsoft Defender for Container registries. 
It doesn’t remove any functionality that was present in those legacy plans; it does, however, add a new set of critical features on top of them, such as threat protection at the worker node level for VMSS nodes.<BR />Other critical capabilities include Advanced Threat Protection, Vulnerability Assessment (VA), Hardening Controls, Multi-Cloud Support and Kubernetes-Native Deployment.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_0-1649596847334.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362746iBA1A35745DE20314/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_0-1649596847334.png" alt="Shay_Amar_0-1649596847334.png" /></span></P> <P>&nbsp;</P> <P>You can learn more about these capabilities by reading the following article:&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317?msclkid=1f732b66b89a11ec94cf9104b405da1f" target="_blank" rel="noopener">Microsoft launches dedicated Container protection plan</A></P> <P>In this blog post we will focus on how to simulate alerts that are part of the AKS advanced threat detection.</P> <P>&nbsp;</P> <P><STRONG><EM>Simulate an AKS alert in Microsoft Defender for Cloud</EM></STRONG></P> <P>To simulate an AKS alert on a cluster that is protected by Microsoft Defender for Cloud, follow these steps:</P> <OL> <LI>Validate that the <STRONG>Microsoft Defender for Containers</STRONG> plan is enabled under the pricing settings. If it is not, enable it.</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_1-1649596847345.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362747i396DF6A35C6F729D/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_1-1649596847345.png" alt="Shay_Amar_1-1649596847345.png" /></span></P> <P class="lia-indent-padding-left-30px">2. From <A href="#" target="_blank" rel="noopener">Azure CLI</A>, log in and select the AKS subscription by running the commands below:</P> <LI-CODE lang="powershell">az login
az account set --subscription "MyAzureSubName"</LI-CODE> <P class="lia-indent-padding-left-30px">3. Download the AKS command-line tools via Azure CLI and add their install folder to your local path. Note the leading semicolon: without it the folder is glued onto the previous path entry and kubectl is not found:</P> <LI-CODE lang="powershell">az aks install-cli
$env:Path += ';C:\Users\User\.azure-kubectl'</LI-CODE> <P class="lia-indent-padding-left-30px">4. Run the alert simulation command below:</P> <LI-CODE lang="powershell">kubectl get pods --namespace=asc-alerttest-662jfi039n</LI-CODE> <P class="lia-indent-padding-left-30px">You may see an output like the one below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_0-1649600064687.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362777i19A3E44A635D1859/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_0-1649600064687.png" alt="Shay_Amar_0-1649600064687.png" /></span></P> <P class="lia-indent-padding-left-30px">Wait approximately 30 minutes and open the Microsoft Defender for Cloud alerts blade:</P> <P class="lia-indent-padding-left-30px">In the Azure portal, open Microsoft Defender for Cloud's security alerts page and look for the alert on the relevant
resource:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_0-1649791205485.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/363527i1F41D3EEAC38B164/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_0-1649791205485.png" alt="Shay_Amar_0-1649791205485.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">Once you see it, click on it until you see the full details, as shown below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_1-1649600315870.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362780iDED8BCCA76736E40/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_1-1649600315870.png" alt="Shay_Amar_1-1649600315870.png" /></span></P> <P>The full list of available threat detection alerts can be found <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <H3>Simulate scanning of a vulnerable container image pushed to an Azure Container Registry (ACR) and view its recommendation in Microsoft Defender for Cloud</H3> <P>&nbsp;</P> <P>When <STRONG>Defender for Containers</STRONG> is enabled, any image you push to your registry is scanned immediately. In addition, any image pulled within the last 30 days is also scanned.</P> <P>&nbsp;</P> <P><STRONG>Key notes about this feature:</STRONG></P> <P>When the scanner reports vulnerabilities to Defender for Cloud, Defender for Cloud presents the findings as recommendations. In addition, the findings include related information such as remediation steps, relevant CVEs, CVSS scores, and more.</P> <P>&nbsp;</P> <P>You can view the identified vulnerabilities for one or more subscriptions, or for a specific registry.</P> <P>To simulate this, the first step is to install Docker Desktop.</P> <P>Follow the steps below to do that:</P> <OL> <LI>Navigate to <A href="#" target="_blank" rel="noopener">https://www.docker.com/products/docker-desktop</A></LI> <LI>Download and install Docker; check the system requirements at <A href="#" target="_blank" rel="noopener">Get Docker | Docker Documentation</A></LI> <LI>After the installation, open PowerShell</LI> <LI>Verify your Docker version by executing in PowerShell:<LI-CODE lang="powershell">docker version</LI-CODE></LI> </OL> <P class="lia-indent-padding-left-30px">You may see an output like the one below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_0-1649600444542.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362781iCB1B03B7301D7431/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_0-1649600444542.png" alt="Shay_Amar_0-1649600444542.png" /></span></P> <P>&nbsp;</P> <OL start="5"> <LI>Create a container registry in the Azure portal or via the CLI.</LI> </OL> <P>&nbsp; &nbsp; &nbsp; Follow the steps below to do that and continue the validation:</P> <H3 class="lia-indent-padding-left-30px">Create an Azure container registry using the Azure portal</H3> <OL> <LI>Sign in to the Azure portal at <A href="#" target="_blank" rel="noopener">https://portal.azure.com</A>.</LI> <LI>Create a container registry</LI> </OL> <P class="lia-indent-padding-left-30px">Select <STRONG>Create a
resource</STRONG>&nbsp;&gt;&nbsp;<STRONG>Containers</STRONG>&nbsp;&gt;&nbsp;<STRONG>Container Registry</STRONG>.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_1-1649600489938.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362782i7C28D1C057443B5A/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_1-1649600489938.png" alt="Shay_Amar_1-1649600489938.png" /></span></P> <P class="lia-indent-padding-left-30px">In the&nbsp;<STRONG>Basics</STRONG>&nbsp;tab, enter values for&nbsp;<STRONG>Resource group</STRONG>&nbsp;and&nbsp;<STRONG>Registry name</STRONG>. The registry name must be unique within Azure, and contain 5-50 alphanumeric characters. For this quickstart create a new resource group in the&nbsp;West US&nbsp;location named&nbsp;myResourceGroup, and for&nbsp;<STRONG>SKU</STRONG>, select 'Basic'.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_2-1649600514533.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362784iE0F37AB8C0D71084/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_2-1649600514533.png" alt="Shay_Amar_2-1649600514533.png" /></span></P> <OL> <LI>Accept default values for the remaining settings. Then select&nbsp;<STRONG>Review + create</STRONG>. 
After reviewing the settings, select <STRONG>Create</STRONG>.</LI> <LI>When the <STRONG>Deployment succeeded</STRONG> message appears, select the container registry in the portal.</LI> <LI>Copy the <STRONG>Login server</STRONG> URL; you will need it when tagging the image.</LI> </OL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_3-1649600514540.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362783i5FD7C7217D2EF97E/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_3-1649600514540.png" alt="Shay_Amar_3-1649600514540.png" /></span></P> <P class="lia-indent-padding-left-30px">4. Open PowerShell and run the command below (where the name is the ACR name that you created):</P> <LI-CODE lang="powershell">az acr login --name secteach365</LI-CODE> <P class="lia-indent-padding-left-30px">You may see an output like the one below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_4-1649600580887.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362786i6E5C41E171C34031/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_4-1649600580887.png" alt="Shay_Amar_4-1649600580887.png" /></span></P> <P class="lia-indent-padding-left-30px">5. Download the vulnerable image from Docker Hub (<A href="#" target="_blank" rel="noopener">https://hub.docker.com/r/vulnerables/web-dvwa/</A>) by running the command below:</P> <LI-CODE lang="powershell">docker pull vulnerables/web-dvwa</LI-CODE> <P class="lia-indent-padding-left-30px">A sample of the output is shown below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_5-1649600700656.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362788iE8C8E3E0D5965425/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_5-1649600700656.png" alt="Shay_Amar_5-1649600700656.png" /></span></P> <P class="lia-indent-padding-left-30px">6. Check the image in your local repository by running the command below:</P> <LI-CODE lang="powershell">docker images vulnerables/web-dvwa</LI-CODE> <P class="lia-indent-padding-left-30px">A sample of the output is shown below:</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_6-1649600769404.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362791i4FC7CB6DE09CE81C/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_6-1649600769404.png" alt="Shay_Amar_6-1649600769404.png" /></span></P> <P class="lia-indent-padding-left-30px">7. In this step we tag the image with the ACR login server URL that we copied earlier. Execute the following command:</P> <LI-CODE lang="powershell">docker tag vulnerables/web-dvwa:latest secteach365.azurecr.io/vulnerables/web-dvwa:v1</LI-CODE> <P class="lia-indent-padding-left-30px">8. Check the image in your local repository again by running the command below:</P> <LI-CODE lang="powershell">docker images secteach365.azurecr.io/vulnerables/web-dvwa</LI-CODE> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_7-1649600864189.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362792i5E0628E603549EC4/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_7-1649600864189.png" alt="Shay_Amar_7-1649600864189.png" /></span></P> <P class="lia-indent-padding-left-30px">9. Run docker push to upload the new image to the Azure registry and trigger an image scan (it can take some time), using the command below:</P> <LI-CODE lang="powershell">docker push secteach365.azurecr.io/vulnerables/web-dvwa:v1</LI-CODE> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_8-1649600911249.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362793iEBB18465D64FC452/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_8-1649600911249.png" alt="Shay_Amar_8-1649600911249.png" /></span></P> <P>Once done, check your ACR and validate that you have a new repository with a new image.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_0-1649600949020.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362795i6B8A8A4E1E617DBC/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_0-1649600949020.png" alt="Shay_Amar_0-1649600949020.png" /></span></P> <OL start="10"> <LI>Navigate to <STRONG>Microsoft Defender for Cloud</STRONG> &gt; <STRONG>Recommendations</STRONG>. Select the recommendation "Container registry images should have vulnerability findings resolved" to view the recommendation details page.</LI> </OL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_1-1649600949026.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362794i810CBEF03900E5A6/image-size/large?v=v2&amp;px=999" role="button" title="Shay_Amar_1-1649600949026.png" alt="Shay_Amar_1-1649600949026.png" /></span></P> <P>Drill down into the recommendation and review the image and the set of vulnerabilities that Microsoft Defender for Cloud has discovered.</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shay_Amar_2-1649600949038.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362796i916D2D542FCB6C22/image-size/medium?v=v2&amp;px=400" role="button" title="Shay_Amar_2-1649600949038.png" alt="Shay_Amar_2-1649600949038.png" /></span></P> <P>&nbsp;</P> <P>In this blog post, we provided details on how to simulate alerts that are part of the AKS threat detection and the image scanning (ACR) recommendation.</P>
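<P>The two procedures above (the AKS test alert, then the ACR image push and scan), automated end to end as an added PowerShell example; this is not code from the original post. It assumes Azure CLI, Docker Desktop and an existing AKS cluster; the subscription, resource group, cluster and registry names are placeholders, and the alert and recommendation display-name filters used to check the results are assumptions.</P>

```powershell
# Added example (not from the original post): automates the AKS test alert and the ACR
# vulnerable-image scan described above, then checks Defender for Cloud for both results.
# Prerequisites: Azure CLI, Docker Desktop, an existing AKS cluster in $ResourceGroup.
# All names are placeholders (assumptions) except the values quoted from the post.
param(
    [string]$Subscription  = "MyAzureSubName",  # from the post; replace with your own
    [string]$ResourceGroup = "myResourceGroup", # from the post's ACR quickstart
    [string]$ClusterName   = "myAksCluster",    # assumed: your AKS cluster name
    [string]$RegistryName  = "secteach365",     # the post's registry; ACR names are global, use your own
    [string]$Location      = "westus"           # from the post (West US)
)

# az does not throw PowerShell exceptions, so fail fast on its exit code.
function Invoke-Az {
    $out = & az @args
    if ($LASTEXITCODE -ne 0) { throw "az $($args -join ' ') failed (exit $LASTEXITCODE)" }
    $out
}

Invoke-Az login --output none
Invoke-Az account set --subscription $Subscription

# Post step 1: the Defender for Containers plan must be on (pricing tier "Standard").
$plan = Invoke-Az security pricing show --name Containers --output json | ConvertFrom-Json
if ($plan.pricingTier -ne 'Standard') {
    throw "Defender for Containers is '$($plan.pricingTier)' on this subscription; enable it first."
}

# --- Part 1: AKS test alert (post steps 2-4) ---
Invoke-Az aks install-cli --output none
$env:Path += ";$env:USERPROFILE\.azure-kubectl"   # ';' separates the new entry from the old path
Invoke-Az aks get-credentials --resource-group $ResourceGroup --name $ClusterName --overwrite-existing
# The namespace name is the documented Defender for Cloud test trigger, copied from the post.
kubectl get pods --namespace=asc-alerttest-662jfi039n

# --- Part 2: ACR scan (post steps 5-9), using the CLI instead of the portal ---
# $Location is only used if the resource group does not exist yet.
if ((Invoke-Az group exists --name $ResourceGroup) -eq 'false') {
    Invoke-Az group create --name $ResourceGroup --location $Location --output none
}
Invoke-Az acr create --resource-group $ResourceGroup --name $RegistryName --sku Basic --output none
$loginServer = Invoke-Az acr show --name $RegistryName --query loginServer --output tsv
Invoke-Az acr login --name $RegistryName
$target = "$loginServer/vulnerables/web-dvwa:v1"
docker pull vulnerables/web-dvwa          # the image is only pulled and pushed, never run
docker tag  vulnerables/web-dvwa:latest $target
docker push $target
if ($LASTEXITCODE -ne 0) { throw "docker push to $target failed" }
Invoke-Az acr repository show-tags --name $RegistryName --repository vulnerables/web-dvwa --output tsv

# --- Check both results in Defender for Cloud (the post says to allow ~30 minutes) ---
function Find-TestAlert {
    # Assumption: the simulated alert's display name mentions both "test alert" and "Kubernetes".
    Invoke-Az security alert list --output json | ConvertFrom-Json |
        Where-Object { $_.alertDisplayName -match 'test alert' -and $_.alertDisplayName -match 'Kubernetes' }
}
function Find-AcrRecommendation {
    # Recommendation name quoted from the post; "Unhealthy" means the scanner reported findings.
    Invoke-Az security assessment list --output json | ConvertFrom-Json |
        Where-Object { $_.displayName -like 'Container registry images should have vulnerability findings resolved*' } |
        Where-Object { $_.id -match "/registries/$RegistryName/" -and $_.status.code -eq 'Unhealthy' }
}

$deadline = (Get-Date).AddMinutes(45)
do {
    $alert = Find-TestAlert
    $rec   = Find-AcrRecommendation
    if ($alert -and $rec) { break }
    Start-Sleep -Seconds 120
} while ((Get-Date) -lt $deadline)

if ($alert) { "AKS test alert surfaced: $($alert[0].alertDisplayName) [severity $($alert[0].severity)]" }
else        { "AKS test alert not visible yet; check the Security alerts page manually." }
if ($rec)   { "ACR recommendation for $RegistryName is Unhealthy (image findings available)." }
else        { "ACR recommendation not visible yet; check Recommendations manually." }
```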
<P>For more information on Microsoft Defender for Cloud, visit our documentation: <A href="#" target="_blank" rel="noopener">Microsoft Defender for Cloud documentation | Microsoft Docs</A></P> <H2 id="toc-hId--1819373027"><STRONG>Reviewers</STRONG></H2> <P>Special thanks to <LI-USER uid="361582"></LI-USER>,<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/124214" target="_blank" rel="noopener">@Yuri Diogenes</A> for reviewing this article.</P> <P>&nbsp;</P> <P><EM>This article was originally written for Azure Security Center by Yaniv Shasha; you can find the original post here: <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-to-demonstrate-the-new-containers-features-in-azure-security/ba-p/1011270" target="_blank" rel="noopener">How to demonstrate the new containers features in Azure Security Center - Microsoft Tech Community</A></EM></P> <P>&nbsp;</P> Tue, 12 Apr 2022 19:52:20 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-to-demonstrate-the-new-containers-features-in-microsoft/ba-p/3281172 Shay_Amar 2022-04-12T19:52:20Z Defender for Endpoint and Defender for Cloud- which dashboard should you use? https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/defender-for-endpoint-and-defender-for-cloud-which-dashboard/ba-p/3279558 <DIV style="direction: ltr; border-width: 100%;"> <DIV style="direction: ltr; margin-top: 0in; margin-left: 0in; width: 9.375in;"> <DIV style="direction: ltr; margin-top: 0in; margin-left: 0in; width: 9.375in;"> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">Microsoft Defender for Servers is a plan that is part of Microsoft Defender for Cloud.
When you enable Microsoft Defender for Servers, you get a range of awesome functionality designed to protect your servers, including file integrity monitoring, adaptive application control, just in time access, among <A href="#" target="_blank" rel="noopener">others</A>.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">One additional capability that comes included with Defender for Servers is Microsoft Defender for Endpoint. See more details about the integrated solution <A href="#" target="_blank" rel="noopener">here</A>.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 18.0pt;"><SPAN>Background</SPAN></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">One advantage of this native integration is the centralization of alerts, in other words, when an alert is triggered by MDE, it will be surfaced in the Microsoft Defender for Cloud / Security Alerts dashboard, as shown below:</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1 - mdfc alerts.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362246iC0667ACF7BAE5FC8/image-size/large?v=v2&amp;px=999" role="button" title="Picture1 - mdfc alerts.png" alt="Picture1 - mdfc alerts.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">If you select one alert, you can get more details about it and take action on the alert to start your investigation or remediation of it. 
You can also click on the link to go directly to the Microsoft 365 portal and investigate the alerts there.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2- mdfc 1 alert.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362247i4A0D699DB3F1FC2E/image-size/large?v=v2&amp;px=999" role="button" title="Picture2- mdfc 1 alert.png" alt="Picture2- mdfc 1 alert.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">In addition to appearing in the Security Alerts page in Defender for Cloud, the alert will also appear in the Microsoft 365 Defender Alerts page, as shown in the example below:</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3 - mde alerts.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362248iAF0362D97899E222/image-size/large?v=v2&amp;px=999" role="button" title="Picture3 - mde alerts.png" alt="Picture3 - mde alerts.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">From this dashboard you can perform a deeper investigation of the alert, as shown in the example below:</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4- mde 1 alert.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362249i79305675C896BCFA/image-size/large?v=v2&amp;px=999" role="button" title="Picture4- mde 1 alert.png" alt="Picture4- mde 1 alert.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 18.0pt;"><SPAN>Which dashboard should you look at?</SPAN></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">As you can see, these alerts can be investigated from both dashboards: Microsoft Defender for Servers in the Azure portal and Microsoft Defender for Endpoint in Microsoft 365 Defender.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">So which dashboard should you use?</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">The answer is your choice and lies entirely with how your information security team consumes the alerts and manages the devices.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">However, we can give you some guidance on best practices that we have seen work with many customers.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">Check out this handy diagram to help you with your dashboard selection!</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5- flow diagram- which dashboard - mde or mdfc.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/362250iB79308408E5F62A5/image-size/large?v=v2&amp;px=999" role="button" title="Picture5- flow diagram- which dashboard - mde or mdfc.png" alt="Picture5- flow diagram- which dashboard - mde or mdfc.png" /></span></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">A SIEM is the recommended starting point for investigation of all Defender for Cloud alerts (not just those coming from MDE).</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">Note: You might see duplicate alerts in Microsoft Sentinel, coming from both Microsoft Defender for Cloud and Defender for Endpoint. This is known behaviour if the Defender for Endpoint sensor was onboarded via Defender for Cloud.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">In the absence of a SIEM, if you’re a general SOC team doing the investigation (not focused on just endpoints), we recommend that you start your investigation of alerts in <A href="#" target="_blank" rel="noopener">Microsoft Defender for Cloud</A>; from there you can easily go to Microsoft 365 Defender to further your hunt via Defender for Endpoint.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">On the other hand, if the team investigating the alerts focuses entirely on endpoints, then you can use just the <A href="#" target="_blank" rel="noopener">Microsoft 365 Portal</A>.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">In summary, you can use whichever dashboard or method you choose to investigate the alerts, and the criteria listed above can help you decide.</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><SPAN>Reviewers</SPAN></P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;<LI-USER uid="124214"></LI-USER>, Principal PM Manager, Microsoft Defender for Cloud</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;"><LI-USER uid="214230"></LI-USER>, Principal Program Manager, Microsoft Sentinel</P> <P style="margin: 
0in; font-family: Calibri; font-size: 11.0pt;"><LI-USER uid="215052"></LI-USER>&nbsp;&nbsp;, Senior Program Manager, Microsoft Sentinel</P> <P style="margin: 0in; font-family: Calibri; font-size: 11.0pt;">&nbsp;</P> </DIV> </DIV> </DIV> Sun, 10 Apr 2022 14:00:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/defender-for-endpoint-and-defender-for-cloud-which-dashboard/ba-p/3279558 Liana_Anca_Tomescu 2022-04-10T14:00:01Z Security posture management and server protection for AWS and GCP are now generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/security-posture-management-and-server-protection-for-aws-and/ba-p/3271388 <P>Today, we’re excited to announce that Microsoft Defender for Cloud’s multi cloud capabilities for posture management and server protection for Amazon Web Services (AWS) and Google Cloud Platform (GCP) workloads are generally available. Organizations can now easily manage and track their security state across the three largest cloud providers, as well as on-premises environments, in one centralized experience.</P> <P>&nbsp;</P> <P><STRONG>Single pane of glass for security posture management enabled with a few clicks</STRONG></P> <P>Defender for Cloud’s integrated suite of posture management, advanced threat detection and vulnerability assessment comes out of the box, with no dependencies on other cloud provider capabilities. Frictionless onboarding of large environments can be done with a few clicks, and auto-provisioning of new accounts and workloads is automated with a single configuration. 
Among the capabilities, customers will get:</P> <UL> <LI>Frictionless and simple onboarding for AWS and GCP environments at scale</LI> <LI>Agentless CSPM, with 240+ out-of-the-box security recommendations</LI> <LI>Regulatory compliance standards (AWS: CIS 1.2.0, PCI, Foundational Security Best Practices; GCP: CIS 1.1.0, 1.2.0)</LI> <LI>Recommendations management capabilities</LI> <LI>Cross-cloud asset inventory</LI> <LI>Secure score per cloud</LI> <LI>Integration with workflow automation and export capabilities</LI> <LI>Out-of-the-box tracking of security state over time with Workbooks</LI> </UL> <P><EM>Multi-cloud secure score</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OrSerokJeppa_0-1648642443608.jpeg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359864iDB553C5F5357C8FA/image-size/large?v=v2&amp;px=999" role="button" title="OrSerokJeppa_0-1648642443608.jpeg" alt="OrSerokJeppa_0-1648642443608.jpeg" /></span></P> <P>&nbsp;</P> <P><EM>Security recommendations on Azure, AWS and GCP resources</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OrSerokJeppa_1-1648642443633.jpeg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359865i2ED9DBF545E13DE9/image-size/large?v=v2&amp;px=999" role="button" title="OrSerokJeppa_1-1648642443633.jpeg" alt="OrSerokJeppa_1-1648642443633.jpeg" /></span></P> <P>&nbsp;</P> <P><STRONG>Automatically protect new and existing compute instances across clouds with Defender</STRONG></P> <P>Defender for Servers offers a wide set of capabilities, ranging from EDR to vulnerability assessment. Deploying agents on compute instances is easily automated with auto-provisioning, so security teams can reduce friction and operational overhead. Protect virtual machines in Azure, AWS, GCP and on-prem with:</P> <UL> <LI>Automatic provisioning of prerequisites on existing and new machines</LI> <LI>Integrated license for Microsoft Defender for Endpoint</LI> <LI>Vulnerability assessment</LI> <LI>OS hardening recommendations</LI> <LI>Out-of-the-box and custom guest configuration recommendations</LI> <LI>File integrity monitoring</LI> <LI>Adaptive application control</LI> </UL> <P><EM>Vulnerability assessment findings detected on machines from all clouds</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OrSerokJeppa_2-1648642443670.jpeg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359866iF1411FB830855053/image-size/large?v=v2&amp;px=999" role="button" title="OrSerokJeppa_2-1648642443670.jpeg" alt="OrSerokJeppa_2-1648642443670.jpeg" /></span></P> <P>&nbsp;</P> <P>More information:</P> <UL> <LI>Deep dive into <A href="#" target="_blank" rel="noopener">AWS</A> and <A href="#" target="_blank" rel="noopener">GCP</A> releases</LI> <LI>Onboard <A href="#" target="_blank" rel="noopener">AWS accounts</A> and <A href="#" target="_blank" rel="noopener">GCP projects</A></LI> <LI>Get started with a <A href="#" target="_blank" rel="noopener">free trial in Azure</A></LI> <LI>Learn how to <A href="#" target="_blank" rel="noopener">get started</A> with Microsoft Defender for Cloud</LI> <LI><A href="#" target="_blank" rel="noopener">Subscribe</A> to our YouTube series for product deep dives!</LI> <LI>Discover <A href="#" target="_blank" rel="noopener">Azure Arc</A></LI> </UL> <P>&nbsp;</P> Wed, 30 Mar 2022 15:26:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/security-posture-management-and-server-protection-for-aws-and/ba-p/3271388 OrSerokJeppa 2022-03-30T15:26:13Z New Ransomware Recommendation Dashboard in Microsoft Defender for Cloud
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/new-ransomware-recommendation-dashboard-in-microsoft-defender/ba-p/3270472 <P>The new Ransomware recommendations dashboard is an Azure workbook that provides visibility into which security recommendations you should&nbsp;prioritize to reduce the likelihood of being compromised by a Ransomware attack. It leverages Microsoft Defender for Cloud recommendations and secure score to help you track the progress of your security posture enhancement. Since it is based on Defender for Cloud, it also brings built-in automation capabilities to help remediate security recommendations and reduce exposure.</P> <P>The diagram below represents a holistic view of how Azure Security Benchmark, which is the security foundation for Azure workloads, maps to the MITRE ATT&amp;CK Matrix, with data visualization for the end-user experience.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig1.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359627i0AC36E98D5EA6375/image-size/large?v=v2&amp;px=999" role="button" title="Fig1.JPG" alt="Fig1.JPG" /></span></P> <P>&nbsp;</P> <P>Now you will be able to identify gaps in your security hygiene that are related to Ransomware and prioritize the remediations accordingly. Addressing these will improve the overall security posture of your Azure workloads and help you in your journey to improve your secure score. 
This dashboard is focused on the following aspects:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig2.JPG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359628i63D74C1936FE39A3/image-size/large?v=v2&amp;px=999" role="button" title="Fig2.JPG" alt="Fig2.JPG" /></span></P> <P>&nbsp;</P> <P>In this dashboard you will find tabs that allow you to navigate and explore the security recommendations based on different criteria. Please watch the video below for a full demonstration of how to use this dashboard:</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://youtu.be/EOEd61Y0Vis" align="center" size="large" width="600" height="338" uploading="false" thumbnail="https://i.ytimg.com/vi/EOEd61Y0Vis/hqdefault.jpg" external="url"></LI-VIDEO></P> <P>&nbsp;</P> <P>By understanding in which stage of the MITRE ATT&amp;CK matrix a recommendation is located, you can prioritize remediations earlier on and reduce the probability of further damage done by the attacker. 
The Ransomware dashboard can be utilized to prioritize the remediation of recommendations for scenarios such as:</P> <UL> <LI>Ensure VMs are up to date with relevant security patches</LI> <LI>Enable anti-malware on your VMs</LI> <LI>Reduce attack surface by enabling just-in-time access to management ports</LI> </UL> <P>&nbsp;</P> <P>For more information about Ransomware attacks, make sure to read the following resources:</P> <P>&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure Defenses for Ransomware Attack</A></LI> <LI><A href="#" target="_blank" rel="noopener">Human-operated ransomware</A></LI> <LI><A href="#" target="_blank" rel="noopener">Maximize Ransomware Resiliency with Azure and Microsoft 365</A></LI> <LI><A href="#" target="_blank" rel="noopener">3 steps to prevent and recover from ransomware</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Apr 2022 20:15:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/new-ransomware-recommendation-dashboard-in-microsoft-defender/ba-p/3270472 Yuri Diogenes 2022-04-05T20:15:35Z Automation to block compromised identity detected by Microsoft Defender for Resource Manager https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/automation-to-block-compromised-identity-detected-by-microsoft/ba-p/3269257 <P>In the current Cloud Computing era, identity has become the new security perimeter, and adversaries have developed several new tactics and techniques to exploit user identities and eventually compromise them. Once an account is compromised, either through its password or through its authentication token, it can be used for many additional malicious activities that allow the intruder to escalate privileges, move laterally, and so on.</P> <P>Open-source tools such as MicroBurst or PowerZure, developed for research objectives, are also used maliciously simply by weaponizing them. 
These tools allow a malicious actor to assess and exploit resources within Microsoft cloud platforms by leveraging a compromised Azure Active Directory account and/or its token.</P> <P>Azure Resource Manager (ARM) is the deployment and management service for Azure. It provides the management layer that enables you to create, update, and delete resources in your Azure account. It can be used via the Azure Portal, via the REST API, or through PowerShell, Azure CLI and the SDKs. Read more about Azure Resource Manager <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>This management layer is crucial; therefore, it is important to protect it. Microsoft Defender for Resource Manager protects against potential attacks, including the use of exploitation tools like MicroBurst or PowerZure, which leverage compromised accounts and their tokens to authenticate and exploit the environment for privilege escalation, lateral movement, persistence, and more. Read more about Microsoft Defender for Resource Manager <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>The authentication bearer token is an access token that contains claims that you can use in Azure Active Directory to identify the permissions granted to your API. Once an attack is detected by Defender for Resource Manager, if an Azure Active Directory (Azure AD) account has been utilized, you will need to act promptly and mitigate the compromised account. Of course, you can do it manually, but an automated response ensures that the proper mitigation is indeed applied. <A href="#" target="_blank" rel="noopener">Here</A> you can find the documentation on how to obtain Azure AD tokens.</P> <P>If an account is compromised you would disable the account temporarily, revoke all the associated authentication tokens, and reset the password. 
To automate this process, you can use the Azure Logic App we have developed to disable the account, revoke all the active tokens and notify the account’s manager, if one exists, or a designated email address.</P> <P>You can deploy the Azure Logic App in your Subscription and use it with the Defender for Cloud Workflow Automation configured for Alerts generated by Defender for Resource Manager.</P> <P>The following is the diagram of the Logic App automation flow:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="giulioastori_0-1648487451308.png" style="width: 851px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359215iCEED557FFD8CC79D/image-dimensions/851x568?v=v2" width="851" height="568" role="button" title="giulioastori_0-1648487451308.png" alt="giulioastori_0-1648487451308.png" /></span></P> <P>&nbsp;</P> <P>The first step is a trigger that connects to Microsoft Defender for Cloud and retrieves the Alert and all its related objects and metadata.</P> <P>If an Account is attached to the Alert as a Related Entity, the user is immediately disabled and all its tokens are revoked, so the account cannot be used further during the attack, even if a token was used instead of its username and password.</P> <P>Once the account is disabled, a notification email is drafted and sent to the account’s manager, if one exists. If the account has no manager registered under its properties, the notification is sent to an alternative email address configured at the beginning of the Logic App deployment. 
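The same response written as a PowerShell script, as an added example that is not the post's Logic App or code from the Defender for Cloud repo: it reads the account entities from a Defender for Cloud alert payload, disables each account, revokes its sign-in sessions, and routes the notification to the manager or to a fallback address. It assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module); the alert fragment is constructed, its `entities` field names (`type`, `name`, `upnSuffix`, `aadUserId`) are assumed from the alert's related-entities shape, and the function names, the fallback mailbox and the user ID are my own placeholders.

```powershell
# Added example (not the post's Logic App): the disable / revoke / notify response as a script,
# e.g. for an Azure Automation runbook triggered by a Defender for Cloud alert.
# Requires the Microsoft.Graph module. Entity field names are assumed; verify them against a
# real alert before relying on them.

# Constructed sample alert fragment: only the fields this script consumes are present.
# The duplicate account entity is deliberate, to show de-duplication.
$SampleAlert = @'
{
  "properties": {
    "alertDisplayName": "Suspicious use of an Azure exploitation toolkit detected",
    "entities": [
      { "type": "ip", "address": "203.0.113.10" },
      { "type": "account", "name": "alice", "upnSuffix": "contoso.example",
        "aadUserId": "11111111-1111-1111-1111-111111111111" },
      { "type": "account", "name": "alice", "upnSuffix": "contoso.example",
        "aadUserId": "11111111-1111-1111-1111-111111111111" }
    ]
  }
}
'@

function Get-AlertAccountEntities {
    # Returns one object per distinct Azure AD account referenced by the alert.
    param([Parameter(Mandatory)][string]$AlertJson)
    $alert = $AlertJson | ConvertFrom-Json
    $alert.properties.entities |
        Where-Object { $_.type -eq 'account' -and $_.aadUserId } |
        Sort-Object -Property aadUserId -Unique |
        ForEach-Object {
            [pscustomobject]@{
                ObjectId = $_.aadUserId
                Upn      = "$($_.name)@$($_.upnSuffix)"
            }
        }
}

function Invoke-CompromisedAccountResponse {
    # Disables the account, revokes its sign-in sessions (refresh tokens) and returns the
    # address the notification should go to: the manager's mail, else $FallbackAddress.
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$FallbackAddress
    )
    # Order matters: disabling first stops new token issuance; revoking then invalidates
    # refresh tokens already held by the attacker. Existing access tokens expire on their own,
    # which is why the post stresses acting quickly rather than relying on revocation alone.
    Update-MgUser -UserId $ObjectId -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $ObjectId | Out-Null

    # Manager lookup needs User.Read.All (or Directory.Read.All) on the identity; fall back
    # to the SOC mailbox when the property is not set.
    $manager = Get-MgUserManager -UserId $ObjectId -ErrorAction SilentlyContinue
    $managerMail = if ($manager) { $manager.AdditionalProperties['mail'] } else { $null }
    if ([string]::IsNullOrEmpty($managerMail)) { return $FallbackAddress }
    return $managerMail
}

# Main flow: sign in with the managed identity, then act on every account the alert names.
$FallbackMailbox = 'secops@contoso.example'   # placeholder
Connect-MgGraph -Identity
foreach ($account in Get-AlertAccountEntities -AlertJson $SampleAlert) {
    $recipient = Invoke-CompromisedAccountResponse -ObjectId $account.ObjectId `
                                                   -FallbackAddress $FallbackMailbox
    $mail = @{
        Message = @{
            Subject      = "Account $($account.Upn) disabled after a Defender for Resource Manager alert"
            Body         = @{ ContentType = 'Text'
                              Content     = "The account was disabled and its sessions revoked. Reset the password before re-enabling." }
            ToRecipients = @(@{ EmailAddress = @{ Address = $recipient } })
        }
        SaveToSentItems = $true
    }
    Send-MgUserMail -UserId $FallbackMailbox -BodyParameter $mail
}
```

Running the script against a real tenant requires the managed identity to hold the Graph application permissions the post assigns below; the sample user ID is fictitious and will fail the Graph calls as-is.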
This fallback address can be changed afterwards by editing the Logic App.</P> <P>Here is a snapshot of the notification email:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="giulioastori_1-1648487479004.png" style="width: 717px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/359217i22D3CBC965581AF5/image-dimensions/717x728?v=v2" width="717" height="728" role="button" title="giulioastori_1-1648487479004.png" alt="giulioastori_1-1648487479004.png" /></span></P> <P>&nbsp;</P> <P>To import and deploy the Logic App you can use the link to the GitHub repo at the end of this blog.</P> <P>The Logic App creates and uses a Managed System Identity (MSI) to authenticate and authorize against management.azure.com (or management.usgovcloudapi.net in Azure Gov) to obtain the PrincipalIDs assigned to the Azure resource. The MSI is also used to authenticate and authorize against graph.windows.net to obtain RBAC objects by PrincipalID.</P> <P>&nbsp;</P> <P>Once deployed you will need to apply the following additional configuration manually:</P> <UL> <LI>Assign API permissions to the managed identity so that it can look up the user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have the Azure AD PowerShell module, install it and connect with it first: 
<A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?view=azureadps-2.0</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="powershell"># Object ID of the Logic App's managed identity (Identity blade under Settings)
$MIGuid = "&lt;Enter your managed identity guid here&gt;"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Microsoft Graph's well-known application ID and its service principal in this tenant
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Application permissions the playbook needs to disable the user, revoke tokens and read the manager
$PermissionNames = @("User.Read.All", "User.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All")

foreach ($PermissionName in $PermissionNames) {
    # Pick the Graph app role with that value that may be granted to an application (not a user)
    $AppRole = $GraphServicePrincipal.AppRoles |
        Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }

    # Grant the app role to the managed identity
    New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
        -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id
}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <UL> <LI>Open the playbook in the Logic App Designer and authorize the Azure AD and Office 365 Outlook Logic App connections.</LI> </UL> <P>&nbsp;</P> <P>To use the Logic App with the Defender for Cloud Workflow Automation, follow the documentation <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>This Logic App, as well as many others, can be found here:</P> <P style="margin: 0in; background: white;"><SPAN><A href="#" target="_blank" rel="noopener">Direct Link to GitHub sample</A></SPAN></P> <P><A href="#" target="_blank" rel="noopener">Microsoft Defender for Cloud GitHub Repo&nbsp;</A></P> <P>&nbsp;</P> <P>When an account is compromised, time is of the essence. You must act quickly to remediate the breach. This automated workflow allows you to act almost immediately, secure the account, and stop the attack.</P> <P>&nbsp;</P> <P>Special thanks to:</P> <UL> <LI>Safeena Begum Lepakshi (Senior Program Manager, Microsoft Defender for Cloud) for helping with the Logic App and for reviewing this post</LI> <LI>Tal Rosler (Senior Program Manager, Microsoft Defender for Cloud) for envisioning the automation</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 28 Mar 2022 17:40:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/automation-to-block-compromised-identity-detected-by-microsoft/ba-p/3269257 giulioastori 2022-03-28T17:40:53Z Policy Distribution Dashboard for Microsoft Defender for Cloud https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/policy-distribution-dashboard-for-microsoft-defender-for-cloud/ba-p/3264712 <P>Understanding the current state of your environment is the first step towards improving its security posture. 
Microsoft Defender for Cloud is designed to strengthen the three pillars every enterprise relies on, Protection, Detection &amp; Response, by providing CSPM &amp; CWPP functionality.</P> <P>In Defender for Cloud, the posture management features provide visibility and hardening guidance, and the central feature that enables you to achieve these goals is Secure Score. Defender for Cloud continually assesses your resources, subscriptions and organization for security issues, and it aggregates all the findings into a single score while providing you a list of recommendations. Some of these are gaping holes that need to be fixed ASAP, while other recommendations are longer-term or simply less critical.</P> <P>&nbsp;</P> <H2>Current Challenge</H2> <P>One of the questions we constantly get asked is: <STRONG>How do I ensure that the security posture will not start deteriorating again after the fixes have been made, or how do I ensure I apply guardrails at the beginning of the deployment phase for every service in Azure?</STRONG> It is often the case that development teams have full control of their subscriptions and resources. As a result, the configurations start to drift. The cure is simple: define a security baseline.</P> <P>Before you start reading about the proposed solution, it is important to understand that Defender for Cloud and Azure Policy work together to help monitor and report on compliance in your environment. Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You can use Azure Policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or to entire management groups. The default initiative, Azure Security Benchmark, is automatically assigned to every subscription in Defender for Cloud. 
&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Azure Security Benchmark</A>&nbsp;(ASB) consolidates Microsoft security best practices in Azure. It’s a great resource for design decisions, and the controls are mapped to industry standards. We have also created a policy set in Azure which can be used for monitoring resource compliance against the baseline. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. Almost every recommendation from Defender for Cloud has an underlying policy that is derived from a requirement in the benchmark. To learn about the built-in policies that are monitored by Defender for Cloud, <A href="#" target="_blank" rel="noopener">check this out</A>. <A href="#" target="_blank" rel="noopener">Here</A> you can find all the Azure Policy definitions in the Defender for Cloud category.</P> <P>&nbsp;</P> <H2>Proposed Solution</H2> <P>Up until now, there was no single view with which you could visualize all the policies you have assigned to monitor compliance of your environment. You had to browse through many different blades in Azure to assess and obtain this information. 
With this blog, I’m introducing you to a workbook that acts as a single pane of glass representing the policies and baselines across the subscriptions in your Azure environment, since the first crucial step is to inventory and gain visibility.</P> <P>&nbsp;</P> <H2>What’s in the Dashboard</H2> <P>The new Policy Distribution Dashboard for Microsoft Defender for Cloud provides a unified view and deep visibility into the configuration of your overall policy structure in Azure.&nbsp;</P> <P>The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections.</P> <P>The workbook can be edited, and all queries can be modified to meet your needs.</P> <P>&nbsp;</P> <P>The workbook provides sections such as:</P> <UL> <LI>Initiatives assigned to the subscriptions</LI> <LI>Recommendations that are exempted or whose policy is disabled</LI> <LI>List of custom policies</LI> <LI>Regulatory Compliance assessment state</LI> <LI>Policies by effect</LI> <LI>Compliance by policy assignment</LI> </UL> <H2>How to Deploy</H2> <P>The Policy Distribution Dashboard is available in the Microsoft Defender for Cloud GitHub Repo page, under Workbooks, and can be accessed directly with its <A href="#" target="_self">direct URL</A>.</P> <P>The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.</P> <P>&nbsp;</P> <H2>How to Use</H2> <P>To use this dashboard, you need at least Reader permission at the subscription level. 
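The same Reader permission is enough to run the kind of Azure Resource Graph query that feeds the "Policies by effect" and "Compliance by policy assignment" sections yourself; the block below is an added example and not a query taken from the workbook. It assumes the Az.Accounts and Az.ResourceGraph modules, an existing Azure session, and the Policy Insights `policystates` column names (`policyAssignmentName`, `policyDefinitionAction`, `complianceState`); the subscription ID is a placeholder.

```powershell
# Added example (not the workbook's own query): per-assignment, per-effect compliance from
# Azure Resource Graph, the data source the Policy Distribution Dashboard is built on.
# Requires Az.Accounts and Az.ResourceGraph; run Connect-AzAccount first.
$SubscriptionId = '<your-subscription-id>'   # placeholder

# Each policystates row records one resource evaluated by one assignment, carrying the
# effect the definition applied (policyDefinitionAction) and the resulting complianceState,
# so a single summarize gives both the "by effect" and the "by assignment" view.
$Query = @"
policyresources
| where type =~ 'microsoft.policyinsights/policystates'
| where subscriptionId =~ '$SubscriptionId'
| extend assignment = tostring(properties.policyAssignmentName),
         effect     = tostring(properties.policyDefinitionAction),
         state      = tostring(properties.complianceState)
| summarize total = count(), nonCompliant = countif(state =~ 'NonCompliant')
      by assignment, effect
| extend compliancePct = round(100.0 * (total - nonCompliant) / todouble(total), 1)
| order by nonCompliant desc
"@

# ARG returns at most 1000 rows per call; -First raises the default page size to that limit.
$Rows = Search-AzGraph -Query $Query -Subscription $SubscriptionId -First 1000

# Reading the result as a baseline review: an Audit effect with a large nonCompliant count is
# a candidate to promote to Deny once remediated; a Disabled effect is a hole in the baseline.
$Rows | Select-Object assignment, effect, total, nonCompliant, compliancePct |
    Format-Table -AutoSize
```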
Assuming you have the required permissions, watch the screen capture below to learn how to navigate through and use the dashboard.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PolicyDistributionDashboard.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/357920iD67EA9D2F42D4096/image-size/large?v=v2&amp;px=999" role="button" title="PolicyDistributionDashboard.gif" alt="PolicyDistributionDashboard.gif" /></span></P> <P>&nbsp;</P> <H2>Conclusion</H2> <P>The Policy Distribution dashboard provides valuable information about your policy assignments and their status.&nbsp; The workbook is available to all customers free of charge and does not require you to be a paid customer of Microsoft Defender for Cloud.</P> <P>&nbsp;</P> <H2>Additional Resources</H2> <UL> <LI>To learn more about Microsoft Defender for Cloud, visit:&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/ascninja</A></LI> <LI>To learn about Microsoft Defender for Cloud workbooks, visit:&nbsp; <A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks</A></LI> </UL> <P>&nbsp;</P> <H2>Acknowledgements</H2> <UL> <LI>Special thanks to&nbsp;<STRONG><LI-USER uid="7427"></LI-USER>&nbsp;</STRONG>for the partnership in reviewing and providing feedback on the artifact and for reviewing the article.</LI> <LI>Many thanks to&nbsp;<STRONG>@Rebecca Halla</STRONG>&nbsp;&amp;&nbsp;<STRONG><LI-USER uid="124214"></LI-USER></STRONG>&nbsp;for supporting this initiative and providing feedback.</LI> </UL> Wed, 23 Mar 2022 14:36:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/policy-distribution-dashboard-for-microsoft-defender-for-cloud/ba-p/3264712 Safeena Begum Lepakshi 2022-03-23T14:36:30Z Azure Security Benchmark v3 Workbook 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673 <P>Today we’re announcing the <STRONG>next iteration of the Azure Security Benchmark (ASB) Workbook</STRONG>, which provides a single pane of glass for gathering and managing data to address ASB control requirements. The power of this workbook lies in its ability to aggregate data from more than 25 Microsoft Security products and to apply these insights to relevant controls in the ASB framework.</P> <P class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lili_3-1647377810443.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356031i1852A90B40FA85CF/image-size/large?v=v2&amp;px=999" role="button" title="lili_3-1647377810443.png" alt="lili_3-1647377810443.png" /></span></P> <P><STRONG>What is the Azure Security Benchmark?</STRONG></P> <P>The<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Azure Security Benchmark (ASB)</A><SPAN>&nbsp;</SPAN>provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. Many organizations rely on standard frameworks such as CISv7.1 or NIST 800-53 R4 to improve their cloud defenses. Mapped to both CISv7.1 and NIST 800-53 R4, ASB brings consistency of security capabilities across the Azure platform. Compliance and security baselines are critical for successful cloud migration and adoption by providing consistent security standards. 
Whether you are new to Azure or not, ASB provides streamlined guidance for improving the security and compliance posture of your Azure resources.</P> <P>&nbsp;</P> <P><STRONG>Use Cases:</STRONG></P> <P>For customers leveraging multiple products within the Azure Security suite, it can be difficult to have a single plan for hardening. Customers spend time manually pivoting across products rather than conducting proactive cloud security posture management or responding to alerts.&nbsp;This “better together” content offering enriches granular ASB assessments with Microsoft Sentinel logging for alerts/configuration over time to provide one place for security professionals to understand their cloud security posture. With actionable insights and real time information, this workbook empowers teams by equipping them with a single source of visibility and remediation across security products.</P> <P>&nbsp;</P> <P>Rather than separately interfacing with Microsoft Defender for Cloud, Microsoft Sentinel, Azure Resource Graph, Azure Active Directory, Microsoft Defender for Endpoint, and additional products to understand compliance posture, the ASB Workbook centralizes the relevant data within the context of the ASB controls.</P> <P>&nbsp;</P> <P>Initially released last fall, this updated workbook is mapped to Azure Security Benchmark v3, which includes an updated mapping to PCI-DSS 3.2.1. 
The updates also include expanded coverage across new control areas and controls, including DevOps Security controls, to provide comprehensive tracking of security posture.</P> <P>&nbsp;</P> <P><LI-VIDEO vid="https://youtu.be/v57gWjvcY4o" align="center" size="custom" width="820" height="820" uploading="false" thumbnail="https://i.ytimg.com/vi/v57gWjvcY4o/hqdefault.jpg" external="url"></LI-VIDEO></P> <P><STRONG>Benefits and Improvements:&nbsp;</STRONG></P> <P>This workbook pulls data from over 25 Microsoft Security products, and as these products improve over time, the integration underlying the workbook strengthens as well. We’ve also added new control areas and controls to ensure this workbook provides comprehensive tracking of your security posture. A controls crosswalk enables simplified searching across controls, products, or compliance assessments.</P> <P>By aggregating data across multiple sources and aligning it to ASB controls, this new workbook enhances situational and operational awareness to create a more complete view of security posture. The workbook helps address compliance requirements with applicable control evidence, which can be used in support of audit requirements. It includes direct links to actionable workflows within the products, like direct hardening and remediation steps in Microsoft Defender for Cloud and investigation workflows in Microsoft Sentinel. In this way, the process of hardening workloads and improving security posture is streamlined and optimized. 
The workbook also allows for easy exporting and creation of reports, with relevant data aligned to each control, for sharing with stakeholders.</P> <P>&nbsp;</P> <P><STRONG>Get Started Today!&nbsp;</STRONG></P> <UL> <LI>Onboard<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Microsoft Defender for Cloud</A></LI> <LI>Onboard<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Microsoft Sentinel</A><SPAN>&nbsp;</SPAN>(<EM>optional</EM>)</LI> <LI>Enable<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Continuous Export of SecurityRecommendation data</A></LI> <LI>Consolidate<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Microsoft Defender for Cloud and Microsoft Sentinel Logging</A><SPAN>&nbsp;</SPAN>in a Log Analytics Workspace</LI> <LI>Access the<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Azure Security Benchmark Workbook on Github</A>, Select Deploy to Azure (or Azure Gov)</LI> </UL> <P class="lia-align-left">&nbsp; &nbsp; &nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lili_1-1647377433705.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/356028iE30772F1A5E10A39/image-size/medium?v=v2&amp;px=400" role="button" title="lili_1-1647377433705.png" alt="lili_1-1647377433705.png" /></span></P> <UL> <LI>Authenticate to your Azure subscription</LI> <LI>Configure options &gt; Review + Create</LI> <LI>Navigate to<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener nofollow noreferrer">Microsoft Defender for Cloud</A></LI> <LI>Select Workbooks &gt; Workbooks tab &gt; AzureSecurityBenchmarkv3</LI> <LI>Review the workbook and provide feedback through our<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">survey</A></LI> </UL> <P><STRONG>Learn more about hardening workloads with Microsoft Defender for 
Cloud:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Azure Security Benchmark Introduction</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-security-center/meeting-the-cybersecurity-executive-order-requirements-with/ba-p/2683561" target="_blank" rel="noopener">Meeting the Cybersecurity Executive Order requirements with Azure Security</A></LI> <LI><A href="#" target="_self">Regulatory Compliance in Microsoft Defender for Cloud</A></LI> </UL> <P><FONT size="2"><STRONG>Disclaimer</STRONG></FONT></P> <P><FONT size="2">The Microsoft Defender for Cloud: Azure Security Benchmark Workbook demonstrates best practice guidance. This workbook provides visibility and situational awareness for cloud workload protection delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user and some panels may require additional configurations for operation. Recommendation cards do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective areas.</FONT></P> Wed, 16 Mar 2022 03:15:19 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/azure-security-benchmark-v3-workbook/ba-p/3257673 lili 2022-03-16T03:15:19Z Custom assessments and standards in Microsoft Defender for Cloud for GCP workloads (Preview) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/custom-assessments-and-standards-in-microsoft-defender-for-cloud/ba-p/3251252 <P>We recently announced that Microsoft Defender for Cloud now supports Google Cloud Platform (GCP) with its native CSPM and CWPP capabilities, without any dependencies on Google 1<SUP>st</SUP> party tools. 
Learn more about our new release from the blog <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/protect-your-google-cloud-workloads-with-microsoft-defender-for/ba-p/3073360" target="_blank" rel="noopener">here</A>. &nbsp;In order to protect your GCP based resources using Microsoft Defender for Cloud, follow our step-by-step documentation <A href="#" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>Microsoft Defender for Cloud implements GCP security recommendations in the Defender for Cloud portal right alongside Azure recommendations. &nbsp;Here is a reference list of all the recommendations Defender for Cloud can provide for GCP resources.</P> <UL> <LI>Ensure that corporate login credentials are used</LI> <LI>Ensure that there are only GCP-managed service account keys for each service account</LI> <LI>Ensure that Service Account has no Admin privileges</LI> <LI>Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project</LI> <LI>Ensure user-managed/external keys for service accounts are rotated every 90 days or less</LI> <LI>Ensure that Separation of duties is enforced while assigning service account related roles to users</LI> <LI>Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible</LI> <LI>Ensure KMS encryption keys are rotated within a period of 90 days</LI> <LI>Ensure that Separation of duties is enforced while assigning KMS related roles to users</LI> <LI>Ensure that Cloud Audit Logging is configured properly across all services and all users from a project</LI> <LI>Ensure that sinks are configured for all log entries</LI> <LI>Ensure that retention policies on log buckets are configured using Bucket Lock</LI> <LI>Ensure log metric filter and alerts exist for project ownership assignments/changes</LI> <LI>Ensure that the log metric filter and alerts exist for Audit Configuration changes</LI> <LI>Ensure that the log metric filter and 
alerts exist for Custom Role changes</LI> <LI>Ensure that the log metric filter and alerts exist for VPC Network Firewall rule changes</LI> <LI>Ensure that the log metric filter and alerts exist for VPC network route changes</LI> <LI>Ensure that the log metric filter and alerts exist for VPC network changes</LI> <LI>Ensure that the log metric filter and alerts exist for Cloud Storage IAM permission changes</LI> <LI>Ensure that the log metric filter and alerts exist for SQL instance configuration changes</LI> <LI>Ensure that the default network does not exist in a project</LI> <LI>Ensure legacy networks do not exist for a project</LI> <LI>Ensure that DNSSEC is enabled for Cloud DNS</LI> <LI>Ensure that RSASHA1 is not used for the key-signing key in Cloud DNS DNSSEC</LI> <LI>Ensure that RSASHA1 is not used for the zone-signing key in Cloud DNS DNSSEC</LI> <LI>Ensure that SSH access is restricted from the internet</LI> <LI>Ensure that RDP access is restricted from the Internet</LI> <LI>Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network</LI> <LI>Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites</LI> <LI>Ensure that instances are not configured to use the default service account</LI> <LI>Ensure that instances are not configured to use the default service account with full access to all Cloud APIs</LI> <LI>Ensure "Block Project-wide SSH keys" is enabled for VM instances</LI> <LI>Ensure oslogin is enabled for a Project</LI> <LI>Ensure oslogin is enabled for all instances</LI> <LI>Ensure 'Enable connecting to serial ports' is not enabled for VM Instance</LI> <LI>Ensure that IP forwarding is not enabled on Instances</LI> <LI>Ensure VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys</LI> <LI>Ensure Compute instances are launched with Shielded VM enabled</LI> <LI>Ensure that Compute instances do not have public IP addresses</LI> <LI>Ensure that Cloud Storage bucket is not anonymously or 
publicly accessible</LI> <LI>Ensure that Cloud Storage buckets have uniform bucket-level access enabled</LI> <LI>Ensure that the 'local_infile' database flag for a Cloud SQL Mysql instance is set to 'off'</LI> <LI>Ensure that the 'log_checkpoints' database flag for Cloud SQL PostgreSQL instance is set to 'on'&nbsp;</LI> <LI>Ensure that the 'log_connections' database flag for Cloud SQL PostgreSQL instance is set to 'on'</LI> <LI>Ensure that the 'log_disconnections' database flag for Cloud SQL PostgreSQL instance is set to 'on'</LI> <LI>Ensure that the 'log_lock_waits' database flag for Cloud SQL PostgreSQL instance is set to 'on'</LI> <LI>Ensure that the 'log_min_messages' database flag for Cloud SQL PostgreSQL instance is set appropriately</LI> <LI>Ensure that the 'log_temp_files' database flag for Cloud SQL PostgreSQL instance is set to '0' (on)</LI> <LI>Ensure that the 'log_min_duration_statement' database flag for Cloud SQL PostgreSQL instance is set to '-1'</LI> <LI>Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off'</LI> <LI>Ensure that the 'contained database authentication' database flag for Cloud SQL on the SQL Server instance is set</LI> <LI>Ensure that the Cloud SQL database instance requires all incoming connections to use SSL</LI> <LI>Ensure that Cloud SQL database instances are not open to the world</LI> <LI>Ensure that Cloud SQL database instances do not have public IPs</LI> <LI>Ensure that Cloud SQL database instances are configured with automated backups</LI> <LI>Ensure that BigQuery datasets are not anonymously or publicly accessible</LI> <LI>Ensure that Cloud DNS logging is enabled for all VPC networks</LI> <LI>Ensure Firewall Rules for instances behind Identity Aware Proxy (IAP) only allow the traffic from Google Cloud Loadbalancer (GCLB) Health Check and Proxy Addresses</LI> <LI>Ensure that Compute instances have Confidential Computing enabled</LI> <LI>Ensure 'skip_show_database' database 
flag for Cloud SQL Mysql instance is set to 'on'</LI> <LI>Ensure 'log_duration' database flag for Cloud SQL PostgreSQL instance is set to 'on'</LI> <LI>Ensure 'log_hostname' database flag for Cloud SQL PostgreSQL instance is set appropriately</LI> <LI>Ensure 'log_parser_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'</LI> <LI>Ensure 'log_planner_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'</LI> <LI>Ensure 'log_executor_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'</LI> <LI>Ensure 'log_statement_stats' database flag for Cloud SQL PostgreSQL instance is set to 'off'</LI> <LI>Ensure 'log_min_error_statement' database flag for Cloud SQL PostgreSQL instance is set to 'Error' or stricter</LI> <LI>Ensure 'external scripts enabled' database flag for Cloud SQL SQL Server instance is set to 'off'</LI> <LI>Ensure 'user connections' database flag for Cloud SQL SQL Server instance is set as appropriate</LI> <LI>Ensure 'user options' database flag for Cloud SQL SQL Server instance is not configured</LI> <LI>Ensure 'remote access' database flag for Cloud SQL SQL Server instance is set to 'off'</LI> <LI>Ensure '3625 (trace flag)' database flag for Cloud SQL SQL Server instance is set to 'off'</LI> <LI>Ensure that all BigQuery Tables are encrypted with Customer-managed encryption key (CMEK)</LI> <LI>Ensure that a Default Customer-managed encryption key (CMEK) is specified for all BigQuery Data Sets</LI> </UL> <P><SPAN>Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can either use the readily available regulatory standards, such as GCP CIS 1.1.0 and GCP CIS 1.2.0, or create their own custom standards and assessments to meet specific internal requirements.</SPAN><BR /><BR /></P> <P>It is important to understand, there are three types 
of resources to create and manage custom assessments:</P> <OL> <LI>Assessment – contains:<BR />a. assessment details (name, description, severity, remediation logic, etc.)<BR />b. assessment logic in KQL<BR />c. the standard it belongs to</LI> <LI>Standard – defines a set of assessments</LI> <LI>Standard assignment – defines the scope which the standard will evaluate (e.g. specific GCP account/s)</LI> </OL> <P>As mentioned, you can either use the built-in regulatory compliance standard or create your own custom standards and assessments.</P> <P>To assign a built-in regulatory compliance standard or to create and assign a custom standard, follow the steps below:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Standard’</LI> <LI>Choose a standard from the drop-down menu</LI> <LI>Select ‘Save’</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 920px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/354161i79829D1EC633C4DA/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/354162i9CD4900AB0CA86B4/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>&nbsp;</P> <P>To create a new custom standard:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Standard’</LI> <LI>Select ‘New standard’</LI> <LI>Fill in a name and description, and select the assessments you want to include in this standard</LI> <LI>Select ‘Save’</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.png" style="width: 920px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/354163iADBFF7C21AF670FE/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/354164iECA96C13D5C7A901/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>&nbsp;</P> <P style="margin: 0cm; background: white;">In the screenshot above, you'll notice an additional field, "Assessments", which lets you choose from already existing assessments (either built-in or custom).</P> <H2>Query result schema</H2> <OL> <LI>The last row of the query should return all the original columns (don’t use ‘project’ or ‘project-away’). End the query with an&nbsp;<EM>iff&nbsp;</EM>statement that defines the healthy or unhealthy conditions: "| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY', 'HEALTHY')". Check out the example queries below.</LI> </OL> <H2>Write an assessment query</H2> <P><STRONG>Examples</STRONG>:</P> <UL> <LI>Ensure that Cloud Storage buckets have uniform bucket-level access enabled</LI> </UL> <P>let UnhealthyBuckets = Storage_Bucket</P> <P>| extend RetentionPolicy = Record.retentionPolicy</P> <P>| where isnull(RetentionPolicy) or isnull(RetentionPolicy.isLocked) or tobool(RetentionPolicy.isLocked) == false</P> <P>| project BucketName = RecordIdentifierInfo.CloudNativeResourceName;</P> <P>Logging_LogSink</P> <P>| extend Destination = split(Record.destination, '/')[0]</P> <P>| where Destination == 'storage.googleapis.com'</P> <P>| extend LogBucketName = split(Record.destination, '/')[1]</P> <P>| extend HealthStatus = iff(LogBucketName in (UnhealthyBuckets), 'UNHEALTHY', 'HEALTHY')</P> <P>&nbsp;</P> <UL> <LI>Ensure VM disks for critical VMs are encrypted</LI> </UL> <P>Compute_Disk</P> <P>| extend DiskEncryptionKey = Record.diskEncryptionKey</P> 
<P>| extend IsVmNotEncrypted = isempty(tostring(DiskEncryptionKey.sha256))</P> <P>| extend HealthStatus = iff(IsVmNotEncrypted, 'UNHEALTHY', 'HEALTHY')</P> <P>&nbsp;</P> <UL> <LI>Ensure Compute instances are launched with Shielded VM enabled</LI> </UL> <P>Compute_Instance</P> <P>| extend InstanceName = tostring(Record.id)</P> <P>| extend ShieldedVmExist = tostring(Record.shieldedInstanceConfig.enableIntegrityMonitoring) =~ 'true' and tostring(Record.shieldedInstanceConfig.enableVtpm) =~ 'true'</P> <P>| extend HealthStatus = iff(ShieldedVmExist, 'HEALTHY', 'UNHEALTHY')</P> <P>&nbsp;</P> <UL> <LI>Ensure KMS encryption keys are rotated within a period of 90 days</LI> </UL> <P>CloudKMS_CryptoKey</P> <P>| extend UnhealthyCryptoKeys = toint(split(Record.rotationPeriod, 's')[0]) &gt; 7776000 or todatetime(Record.nextRotationTime) &gt; now(90d)</P> <P>| extend HealthStatus = iff(UnhealthyCryptoKeys, 'UNHEALTHY', 'HEALTHY')</P> <P>&nbsp;</P> <P><STRONG>Notes:</STRONG></P> <UL> <LI>No need to filter records by Timespan. The assessment service will filter the most recent records on each run.</LI> <LI>No need to filter by resource ARN, unless intended. 
The assessment service will run the query on assigned resources.</LI> <LI>Do not change the values of the original table columns, or&nbsp;use&nbsp;<EM>extend&nbsp;</EM>to override existing table columns.</LI> <LI>You may use&nbsp;<EM>join&nbsp;</EM>and&nbsp;<EM>union&nbsp;</EM>to evaluate a data type based on another type, as long as the evaluated type is the left-hand side of the&nbsp;<EM>join</EM>/<EM>union&nbsp;</EM>operator and all right-hand columns added by the operator are removed from the result.</LI> <LI>If a specific scope is filtered in the assessment query (e.g. a specific account Id), it will apply to all resources assigned to this query.</LI> </UL> <P>Check out these useful docs to learn more about Kusto queries: &nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/data-explorer/kql-quick-reference</A></LI> <LI><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/</A></LI> <LI><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/</A></LI> </UL> <H2><STRONG>For reference, below is a list of the&nbsp;available data types:</STRONG></H2> <TABLE> <TBODY> <TR> <TD width="198"> <P><STRONG>Resource type</STRONG></P> </TD> <TD width="255"> <P><STRONG>Table name</STRONG></P> </TD> </TR> <TR> <TD rowspan="2" width="198"> <P>BigQuery</P> </TD> <TD width="255"> <P>Bigquery_Dataset</P> </TD> </TR> <TR> <TD width="255"> <P>Bigquery_DatasetData</P> </TD> </TR> <TR> <TD rowspan="4" width="198"> <P>Cloud Key Management</P> </TD> <TD width="255"> <P>CloudKMS_CryptoKey</P> </TD> </TR> <TR> <TD width="255"> <P>CloudKMS_CryptoKeyPolicy</P> </TD> </TR> <TR> <TD width="255"> <P>CloudKMS_KeyRing</P> </TD> </TR> <TR> <TD width="255"> <P>CloudKMS_KeyRingPolicy</P> </TD> </TR> <TR> <TD rowspan="2" width="198"> <P>Cloud Resource Manager</P> </TD> <TD 
width="255"> <P>CloudResourceManager_Policy</P> </TD> </TR> <TR> <TD width="255"> <P>CloudResourceManager_Project</P> </TD> </TR> <TR> <TD rowspan="9" width="198"> <P>Compute</P> </TD> <TD width="255"> <P>Compute_Disk</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_Firewall</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_Instance</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_Network</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_Project</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_SslPolicy</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_Subnetwork</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_TargetHttpsProxy</P> </TD> </TR> <TR> <TD width="255"> <P>Compute_TargetSslProxy</P> </TD> </TR> <TR> <TD width="198"> <P>Containers</P> </TD> <TD width="255"> <P>Container_Cluster</P> </TD> </TR> <TR> <TD width="198"> <P>DNS</P> </TD> <TD width="255"> <P>Dns_ManagedZone</P> </TD> </TR> <TR> <TD rowspan="2" width="198"> <P>IAM</P> </TD> <TD width="255"> <P>IAM_ServiceAccount</P> </TD> </TR> <TR> <TD width="255"> <P>IAM_ServiceAccountKey</P> </TD> </TR> <TR> <TD rowspan="2" width="198"> <P>Logging</P> </TD> <TD width="255"> <P>Logging_LogMetric</P> </TD> </TR> <TR> <TD width="255"> <P>Logging_LogSink</P> </TD> </TR> <TR> <TD width="198"> <P>Monitoring Alert Policy</P> </TD> <TD width="255"> <P>Monitoring_AlertPolicy</P> </TD> </TR> <TR> <TD width="198"> <P>SQL</P> </TD> <TD width="255"> <P>SQLAdmin_DatabaseInstance</P> </TD> </TR> <TR> <TD rowspan="2" width="198"> <P>Storage</P> </TD> <TD width="255"> <P>Storage_Bucket</P> </TD> </TR> <TR> <TD width="255"> <P>Storage_BucketPolicy</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H3><STRONG>Get started today</STRONG></H3> <UL> <LI><A href="#" target="_blank" rel="noopener">Connect your GCP projects to Microsoft Defender for Cloud&nbsp;</A></LI> <LI>Check out <A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/custom-assessments-and-standards-in-microsoft-defender-for-cloud/ba-p/3066575" target="_blank" rel="noopener">this article</A> for instructions on creating custom assessments and standards in Defender for Cloud for AWS workloads</LI> </UL> <H3><STRONG>Co-author &amp; Reviewer:</STRONG></H3> <P><STRONG><LI-USER uid="605968"></LI-USER>&nbsp;</STRONG></P> Wed, 09 Mar 2022 15:22:46 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/custom-assessments-and-standards-in-microsoft-defender-for-cloud/ba-p/3251252 Safeena Begum Lepakshi 2022-03-09T15:22:46Z Microsoft Defender for Cloud Price Estimation Dashboard https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-price-estimation-dashboard/ba-p/3247622 <P>Microsoft Defender for Cloud provides advanced threat detection capabilities across your cloud workloads. This includes comprehensive coverage plans for compute, PaaS and data resources in your environment. Before enabling Defender for Cloud across subscriptions, customers are often interested in having a cost estimation to make sure the cost aligns with the team’s budget. We previously released the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-storage-price-estimation-dashboard/ba-p/2429724" target="_blank" rel="noopener">Microsoft Defender for Storage Price Estimation Workbook</A>, which was widely and positively received by customers. Based on customer feedback, we have extended this offering by creating one comprehensive workbook that covers most Microsoft Defender for Cloud plans. This includes Defender for Key Vault, Containers, App Service, Servers, Storage and Databases. 
After reading this blog, you can deploy the workbook from our <A href="#" target="_blank" rel="noopener">GitHub community</A> and be sure to leave your <A href="#" target="_blank" rel="noopener">feedback</A> to be considered for future enhancements.&nbsp;Please remember these numbers are only estimated based on retail prices and do not provide actual billing data. For reference on how these prices are calculated, visit the <A href="#" target="_blank" rel="noopener">Pricing—Microsoft Defender | Microsoft Azure</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pricedemocrop.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353112iFE499A0DB7817EBF/image-size/large?v=v2&amp;px=999" role="button" title="pricedemocrop.gif" alt="pricedemocrop.gif" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Overview</STRONG></FONT></P> <P>When first opening the workbook, an overview page is shown that displays your overall Microsoft Defender for Cloud coverage across all selected subscriptions. The coverage is represented through the green and gray “on/off” tabs. If the plan is enabled on that subscription, the tab shows green. If the plan is not enabled, the tab shows gray. 
When clicking on “on/off” in this table, you will be redirected to a subscription’s Defender for Cloud plans page from where you can directly enable additional plans.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="costworkbookcrop.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353113iA8D6217D0607CE48/image-size/large?v=v2&amp;px=999" role="button" title="costworkbookcrop.gif" alt="costworkbookcrop.gif" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for App Service</STRONG></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="appservice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353070i7F4F9CE21751F5F6/image-size/large?v=v2&amp;px=999" role="button" title="appservice.png" alt="appservice.png" /></span></P> <P>This workbook considers all App Services with and without Microsoft Defender for App Services enabled across your selected subscription. It is based on the retail price of $0.02 USD per App Service per hour. The column “Weekly Runtime” is showing CPU time pulled from the past 7 days. In the column “Estimated Price (7 days)”, the CPU time is multiplied by .02 to give an estimated weekly price. 
The “Estimated Monthly Price” uses the results of the “Estimated Price (7 days)” to give the estimated price for one month.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for Containers</STRONG></FONT></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="containersprice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353072i920A13A9BB996370/image-size/large?v=v2&amp;px=999" role="button" title="containersprice.png" alt="containersprice.png" /></span></STRONG>The Defender for Containers blade shows price estimations for two different environments: Azure Kubernetes Service (AKS) clusters, and Azure Arc-enabled Kubernetes clusters. For AKS, price estimation is calculated based on the average number of worker nodes in this cluster during the past 30 days. Defender for Containers pricing is based on the average number of vCores used in a cluster, so based on the average number of nodes and the VM size, we can calculate a valid price estimation. In case the workbook cannot access telemetry for average node numbers, the table will show a price estimation based on the current number of vCores used in the AKS cluster.</P> <P>For Azure Arc-enabled Kubernetes clusters, price estimation is based on the number of vCores that are configured in this cluster. 
Both tables will also show the number of container images that can be scanned at no additional cost based on the number of vCores used in both AKS and Azure Arc-enabled Kubernetes clusters.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for Databases</STRONG></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="databaseprice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353075iA377C1CABE817ACC/image-size/large?v=v2&amp;px=999" role="button" title="databaseprice.png" alt="databaseprice.png" /></span></P> <P>&nbsp;</P> <P>The Defender for Databases dashboard covers three key environments: Defender for SQL on Azure SQL Databases, Defender for SQL servers on machines and Open-source relational databases.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="databasedemo.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353074iCFE9531EF1851888/image-size/large?v=v2&amp;px=999" role="button" title="databasedemo.gif" alt="databasedemo.gif" /></span></P> <P><SPAN style="font-family: inherit;">All estimations are based on the retail price of $15 USD per resource per month. “Defender for SQL on Azure SQL databases” includes&nbsp;Azure SQL Database's Single databases and Elastic pools, Azure SQL Managed Instances and Azure Synapse (formerly SQL DW). “Defender for SQL servers on machines” includes all SQL servers on Azure Virtual Machines. Lastly, “Open-source relational databases” looks at Azure Database for PostgreSQL, Azure Database for MySQL single server and Azure Database for MariaDB single server. The logic and calculation for all three environments are the same. 
On the backend, the workbook runs a query to find all SQL or database resources in the selected environment and multiplies each one by 15 to get the estimated monthly cost.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for Key Vault</STRONG></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="keyvaultprice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353078i0ECF37EB97700992/image-size/large?v=v2&amp;px=999" role="button" title="keyvaultprice.png" alt="keyvaultprice.png" /></span></P> <P>The Defender for Key Vault dashboard considers all Key Vaults with or without Defender for Key Vault enabled on the selected subscriptions. The calculations are based on the retail price of $0.02 USD per 10K transactions. The “Estimated Cost (7 days)” column takes the total Key Vault transactions of the last 7 days, divides them by 10K and multiplies them by 0.02. In “Estimated Monthly Price”, the results of “Estimated Cost (7 days)” are multiplied by 4.35 to get the monthly estimate.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for Servers</STRONG></FONT></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="serversprice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353079i8F74E6DBECCB7C39/image-size/large?v=v2&amp;px=999" role="button" title="serversprice.png" alt="serversprice.png" /></span></STRONG></P> <P>The Defender for Servers dashboard considers all servers on your subscriptions with or without Defender for Servers enabled. This dashboard includes estimations for Azure and hybrid servers connected through Azure Arc. The estimation is based on the retail price of $0.02 USD per server per hour. This dashboard includes the option to select a Log Analytics Workspace. 
By selecting a workspace, the workbook can retrieve historical data for how many hours the machine has been running in the past seven days. If there is no historical data for the machine, the workbook assumes the machine has been running for 24 hours a day in the past 7 days. The column “Weekly Runtime” presents the total number of running hours from the past 7 days using the aforementioned strategies. The column “Estimated Cost (7 days)" takes the weekly hours and multiplies them by 0.02. Finally, in “Estimated Monthly Cost”, the result from “Estimated Cost (7 days)” is multiplied by 4.35 to give the estimated monthly cost.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Defender for Storage</STRONG></FONT></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="storageprice.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/353081i76F66DB0CCCB6263/image-size/large?v=v2&amp;px=999" role="button" title="storageprice.png" alt="storageprice.png" /></span></STRONG></P> <P>&nbsp;<SPAN style="font-family: inherit;">The Defender for Storage workbook looks at historical file and blob transaction data on supported storage types such as Blob Storage, Azure Files and Azure Data Lake Storage Gen 2. To learn more about the storage workbook, visit </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-storage-price-estimation-dashboard/ba-p/2429724" target="_blank" rel="noopener">Microsoft Defender for Storage – Price Estimation Dashboard - Microsoft Tech Community</A><SPAN style="font-family: inherit;">.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Known Issues</STRONG></FONT></P> <P>Azure Monitor Metrics data backends have limits and the number of requests to fetch data might time out. 
To solve this, narrow your scope by reducing the selected subscriptions or resource types.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Acknowledgements</STRONG></FONT></P> <P><SPAN>Special thanks to&nbsp;</SPAN><STRONG>Fernanda Vela</STRONG><SPAN>,&nbsp;</SPAN><STRONG>Helder Pinto</STRONG><SPAN>,&nbsp;</SPAN><STRONG>Lili Davoudian</STRONG><SPAN>,&nbsp;</SPAN><STRONG>Sarah Kriwet, Safeena Begum Lepakshi</STRONG><SPAN>&nbsp;and&nbsp;</SPAN><STRONG>Tom Janetscheck</STRONG><SPAN>&nbsp;for contributing their code to this consolidated workbook.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>References:</STRONG></FONT></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Pricing—Microsoft Defender | Microsoft Azure</A></LI> <LI><A href="#" target="_blank" rel="noopener">Workbooks gallery in Microsoft Defender for Cloud | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">Pricing Calculator | Microsoft Azure</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Key Vault Price Estimation Workbook</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for App Services Price Estimation Workbook</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Containers Cost Estimation Workbook</A></LI> </UL> <P>&nbsp;</P> Wed, 09 Mar 2022 17:07:44 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-price-estimation-dashboard/ba-p/3247622 fkortor 2022-03-09T17:07:44Z Detecting identity attacks in Kubernetes https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340 <P><STRONG><U>Overview</U></STRONG></P> <P>Identities and authentication are key principles in Kubernetes security. 
Although implementations might differ between various cloud providers, in general, we can divide authentication in Kubernetes into three main areas:</P> <OL> <LI>How users (or applications) authenticate <STRONG>with</STRONG> the cluster.</LI> <LI>How applications authenticate <STRONG>within</STRONG> the cluster.</LI> <LI>How applications in the cluster authenticate <STRONG>with outside resources</STRONG> in the cloud.</LI> </OL> <P>In this article, we will focus on areas (2) and (3). We will demonstrate how attackers might leverage those identities to escalate their permissions and how defenders can detect those threats. But first, let’s have a quick overview of all three areas.</P> <P>Users authenticate with the cluster using <A href="#" target="_blank" rel="noopener">various methods</A>. Kubernetes supports several authentication mechanisms, including basic authentication, Bearer tokens, client certificates and OpenID Connect, which is implemented by most cloud providers.</P> <P>In some cases, applications running in Kubernetes need to authenticate with the Kubernetes API server. This is done by Kubernetes service accounts that represent an application identity in the cluster. The main use case of a service account is authentication between the running pods and the API server, but service account tokens are valid from outside the cluster as well.</P> <P>Applications might also need to authenticate with cloud resources that reside outside the cluster. There are several solutions for such authentication, but a common method is to use cloud identities that are attached to the nodes or the workloads in the cluster.</P> <P>In this article we will elaborate on the security aspects of cluster service accounts and the usage of cloud managed identities in the cluster.</P> <P><STRONG><U>Service account activity</U></STRONG></P> <P>Service accounts are used to authenticate applications with the Kubernetes API. 
Kubernetes uses RBAC as an authorization mechanism: service accounts are bound to roles (at the namespace level) and cluster-roles (at the cluster level). Service account tokens are mounted into the running pods in the cluster. If attackers gain access to a running pod, they can extract the token and use it for accessing the cluster’s control plane. Service account tokens are stored as Kubernetes secrets, so if attackers have read permissions to the secrets of a certain namespace, they can get tokens of all the service accounts in the same namespace.</P> <P>In this context, <STRONG>selfsubjectrulesreviews</STRONG> is a very useful Kubernetes API call for attackers. This API, also known as “can-i” due to its kubectl implementation, retrieves the permissions of the specified service account/user. Attackers who gain access to a container can use this API to check the permissions of the mounted service account and act accordingly. For example, attackers might discover that while they don’t have permissions to create new containers in the cluster, they have permissions to update existing deployments, and therefore they can run their own code by modifying an existing deployment and even escape to the host that way (e.g. by changing the configuration to privileged). Such RBAC misconfigurations have been observed in production environments and were exploited for cluster takeover.</P> <P>One can use the <STRONG>selfsubjectrulesreviews</STRONG> API through the kubectl client or by calling the API directly. 
To call the API directly, a JSON document with the request body should be prepared.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yoweiz_4-1646145629082.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/352032i941AF3970D3906DA/image-size/large?v=v2&amp;px=999" role="button" title="yoweiz_4-1646145629082.png" alt="yoweiz_4-1646145629082.png" /></span></P> <P>&nbsp;</P> <P>Then, this JSON is passed as the body in the request to the <STRONG>selfsubjectrulesreviews </STRONG>API:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yoweiz_5-1646145629085.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/352033iA81DBC4224B6AE39/image-size/large?v=v2&amp;px=999" role="button" title="yoweiz_5-1646145629085.png" alt="yoweiz_5-1646145629085.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><U>How to detect such activity?</U></STRONG></P> <P>The Kubernetes audit log records the activity of the cluster’s control plane. It gives visibility into the operations in the Kubernetes API, including those that were initiated by service accounts. Therefore, we can use the audit log to detect suspicious operations that were performed by service accounts in the cluster.</P> <P>Tracking calls to the <EM>selfsubjectrulesreviews</EM> API can help find reconnaissance activities of service accounts in the cluster.</P> <P>To detect lateral movement in the cluster, we can track the activity of the service accounts. In many cases, the behavior of a service account is predictable: usually a service account is attached to a specific application that accesses the API server with a specific pattern. In such cases, abnormal behavior of the service account is suspicious. 
By tracking the normal behavior of the various service accounts in the cluster and looking for deviations from this behavior, we can find malicious usage of service accounts.</P> <P>Microsoft Defender for Cloud (MDC) can now detect suspicious operations of service accounts. MDC tracks the behavior of service accounts and alerts when a suspicious operation is detected. In the example below, MDC alerted on an attempt to read Kubernetes secrets by a service account that doesn’t legitimately perform this action.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yoweiz_8-1646145993193.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/352037iD51CD516D1890E70/image-size/large?v=v2&amp;px=999" role="button" title="yoweiz_8-1646145993193.png" alt="yoweiz_8-1646145993193.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><U>Cloud Identity activity</U></STRONG></P> <P>Workloads in Kubernetes might need access to cloud resources. Common use cases are accessing cloud storage services, cloud secret stores, and more.<BR />There are several approaches to achieve that: one of them is using cloud identities that are attached to the nodes, allowing the nodes and the workloads to securely authenticate with other cloud resources. For example, in Azure, AKS uses managed identities (MI) to manage the cloud resources that are required for the cluster operation.</P> <P>Tokens for those identities are retrieved by a request to a metadata service that is accessible from the nodes. Depending on the configuration, the metadata service might be accessible also from the running containers. 
Therefore, if attackers have access to a running container, they can acquire tokens for the identities that are attached to the nodes by accessing the metadata service.</P> <P>As Kubernetes is often run in the cloud, this method allows lateral movement from the Kubernetes cluster to other resources outside the cluster. Such behavior has already been observed in large-scale campaigns that target Kubernetes clusters. To detect such behavior, it isn’t enough to monitor the cluster’s control plane; we also need to monitor the cloud’s control plane. While the monitoring is cloud-specific, the principle is similar: we should track the behavior of the cloud identities for suspicious activity. MDC can help you detect such activity in AKS clusters. MDC monitors Azure Resource Manager (ARM) to identify suspicious operations of managed identities assigned to AKS clusters and alerts when a suspicious operation occurs.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="yoweiz_10-1646146270882.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/352039i93AAB70870CF5148/image-size/large?v=v2&amp;px=999" role="button" title="yoweiz_10-1646146270882.png" alt="yoweiz_10-1646146270882.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>To conclude, identities are a key aspect of Kubernetes security, and monitoring their activity is crucial for keeping your cluster secure. The Kubernetes audit log and the cloud control plane logs can be used to identify suspicious activity of the identities in Kubernetes at both levels: the cluster level and the cloud level. Microsoft Defender for Cloud can help you detect malicious operations of service accounts in your Kubernetes clusters. 
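As an added example that is not part of the original post, the Python script below applies the two cluster-level detections described under "How to detect such activity?" to a handful of constructed Kubernetes audit events (audit.k8s.io/v1 shape, JSON lines): it flags service-account calls to selfsubjectrulesreviews, and it flags service-account actions that deviate from a baseline learned from an earlier window. The service-account names, namespaces and timestamps are made up.

```python
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit events in audit.k8s.io/v1 shape (JSON lines), trimmed to the
# fields used below. Principal names and timestamps are made up for this example.
BASELINE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"configmaps","namespace":"shop"},"requestReceivedTimestamp":"2022-02-01T10:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"pods","namespace":"shop"},"requestReceivedTimestamp":"2022-02-01T10:05:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"watch","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints"},"requestReceivedTimestamp":"2022-02-01T10:06:00Z"}
"""
# Later window: the same service account enumerates its permissions and then
# lists secrets, an action it never performed during the baseline window.
DETECTION_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"get","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"pods","namespace":"shop"},"requestReceivedTimestamp":"2022-02-02T09:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"pods","namespace":"shop"},"requestReceivedTimestamp":"2022-02-02T09:00:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io"},"requestReceivedTimestamp":"2022-02-02T09:01:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:shop:cart-sa"},"objectRef":{"resource":"secrets","namespace":"shop"},"requestReceivedTimestamp":"2022-02-02T09:02:00Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"selfsubjectrulesreviews","apiGroup":"authorization.k8s.io"},"requestReceivedTimestamp":"2022-02-02T09:03:00Z"}
"""

SA_PREFIX = "system:serviceaccount:"
# "can-i" style permission-enumeration resources in the authorization.k8s.io group
RECON_RESOURCES = {"selfsubjectrulesreviews", "selfsubjectaccessreviews"}


@dataclass(frozen=True)
class Finding:
    rule: str
    principal: str
    verb: str
    resource: str
    timestamp: str


def parse_events(log_text):
    """Parse JSON-lines audit events, keeping only the ResponseComplete stage so
    a request that is logged at several stages is counted once."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("stage") == "ResponseComplete":
                events.append(ev)
    return events


def is_service_account(ev):
    return ev.get("user", {}).get("username", "").startswith(SA_PREFIX)


def action_key(ev):
    obj = ev.get("objectRef") or {}
    return (ev.get("verb", ""), obj.get("resource", ""))


def build_baseline(events):
    """Per service account, the set of (verb, resource) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        if is_service_account(ev):
            baseline[ev["user"]["username"]].add(action_key(ev))
    return baseline


def detect(events, baseline):
    """Apply the two cluster-level detections from the text to a window of events."""
    findings = []
    for ev in events:
        if not is_service_account(ev):
            continue  # human users are out of scope for this detector
        principal = ev["user"]["username"]
        verb, resource = action_key(ev)
        ts = ev.get("requestReceivedTimestamp", "")
        if resource in RECON_RESOURCES:
            findings.append(Finding("sa-permission-enumeration", principal, verb, resource, ts))
        elif principal not in baseline:
            findings.append(Finding("sa-without-baseline", principal, verb, resource, ts))
        elif (verb, resource) not in baseline[principal]:
            findings.append(Finding("sa-deviates-from-baseline", principal, verb, resource, ts))
    return findings


def run_detection(baseline_log=BASELINE_LOG, detection_log=DETECTION_LOG):
    baseline = build_baseline(parse_events(baseline_log))
    return detect(parse_events(detection_log), baseline)


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f.timestamp} {f.rule}: {f.principal} {f.verb} {f.resource}")
```

On the constructed input the script reports the permission enumeration and the out-of-baseline `list secrets` by `cart-sa`, while the human user's can-i call is ignored.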
Also, MDC monitors Azure Resource Manager and detects suspicious operations of the managed identities that are assigned to your cluster.</P> Tue, 01 Mar 2022 15:48:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/detecting-identity-attacks-in-kubernetes/ba-p/3232340 yoweiz 2022-03-01T15:48:05Z Automation to Block Outgoing Traffic to Malicious Websites detected by Microsoft Defender for DNS https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/automation-to-block-outgoing-traffic-to-malicious-websites/ba-p/3223286 <P>One common type of security attack that occurs when an attacker has gained access to a virtual machine is that they will attempt to reach suspicious IP addresses. Attackers may do this for any number of reasons, including to exfiltrate data<SPAN>&nbsp;</SPAN>from your Azure resources using DNS tunnelling, to download malware and communicate with command-and-control servers, to perform DNS attacks (communication with malicious DNS resolvers), and to communicate with domains used for malicious activities<SPAN>&nbsp;</SPAN>such as phishing and crypto mining. All of these activities can be detected by <A href="#" target="_self">Microsoft Defender for DNS,&nbsp;</A>which is part of <A href="#" target="_self">Microsoft Defender for Cloud</A>.&nbsp;</P> <P>&nbsp;</P> <P>When the Microsoft Defender for DNS plan detects outgoing traffic to suspicious IP addresses, it triggers an <A href="#" target="_blank" rel="noopener">alert</A>. 
Some ways to investigate the alert can be found in the Take Action tab of the alert:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_0-1646086421344.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351864i77AA204AB5FBE483/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_0-1646086421344.png" alt="Liana_Anca_Tomescu_0-1646086421344.png" /></span></P> <P>&nbsp;</P> <P>In this case, we recommend that you set up the <A href="#" target="_blank" rel="noopener">following workflow automation</A>, which automatically blocks this attack by creating a network security rule in the virtual machine's network security group to deny outgoing traffic to the malicious IP address.</P> <P>&nbsp;</P> <P><STRONG>What are the prerequisites for this automation?</STRONG></P> <P>The Microsoft Defender for DNS plan should be enabled, as described <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-microsoft-defender-for/ba-p/2595277" target="_self">here</A>.</P> <P>&nbsp;</P> <P>You should have deployed a VM the <A href="#" target="_blank" rel="noopener">standard</A> way, with any operating system.</P> <P>&nbsp;</P> <P>Note: this automation is not guaranteed to succeed if the VM uses a domain controller or if DNS traffic is sent through a DNS server in the VNet.</P> <P>&nbsp;</P> <P>This automation can be used for the Defender for DNS alerts that contain the malicious IP address the attacker is attempting to reach. 
You can validate this by creating these alerts yourself on the VM by following the instructions <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/validating-microsoft-defender-for-dns-alerts/ba-p/2227845" target="_blank" rel="noopener">here</A>.</P> <P>&nbsp;</P> <P>This automation can be used on the following alerts:</P> <UL> <LI>Attempted communication with suspicious sinkholed domain</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_1-1646086421352.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351866iB57D0D9526D3844B/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_1-1646086421352.png" alt="Liana_Anca_Tomescu_1-1646086421352.png" /></span></P> <UL> <LI>Network intrusion detection signature activation</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_2-1646086421358.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351865iFC09382BB1A2F957/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_2-1646086421358.png" alt="Liana_Anca_Tomescu_2-1646086421358.png" /></span></P> <UL> <LI>Communication with suspicious random domain name</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_3-1646086421365.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351867i3BC0CBD0D950FF58/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_3-1646086421365.png" alt="Liana_Anca_Tomescu_3-1646086421365.png" /></span></P> <UL> <LI>Communication with possible phishing domain</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_4-1646086421369.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351868iCB77442DC001FB0B/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_4-1646086421369.png" alt="Liana_Anca_Tomescu_4-1646086421369.png" /></span></P> <UL> <LI>Anonymity network activity</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_5-1646086421374.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351869iD6D5612F5EF946D0/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_5-1646086421374.png" alt="Liana_Anca_Tomescu_5-1646086421374.png" /></span></P> <UL> <LI>Anonymity network activity using web proxy</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_6-1646086421379.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351870iC238EB143F93104F/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_6-1646086421379.png" alt="Liana_Anca_Tomescu_6-1646086421379.png" /></span></P> <P>&nbsp;</P> <P><STRONG>How does the automation work?</STRONG></P> <P>When Microsoft Defender for Cloud detects an attempt to reach a malicious IP address from your virtual machine, it triggers an alert to make you aware of this potential attack. The automation uses this alert as a trigger to block outgoing traffic to the IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address attached to the alert. In alerts of this type, you can find the outbound IP address in the 'address' field of the alert.</P> <P>&nbsp;</P> <P>The Logic App uses a system-assigned Managed Identity. 
You need to assign&nbsp;<A href="#" target="_blank" rel="noopener">Contributor</A>&nbsp;permissions, or&nbsp;<A href="#" target="_blank" rel="noopener">Security Reader</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">Network Contributor</A>&nbsp;permissions, to the Logic App's Managed Identity so that it is able to create an NSG rule once an attack is detected. You need to assign these roles on all subscriptions or management groups you want to monitor and manage resources in using this playbook.&nbsp;<STRONG>Note</STRONG>: You can assign permissions only if your account has been assigned the&nbsp;<A href="#" target="_blank" rel="noopener">Owner</A>&nbsp;or&nbsp;<A href="#" target="_blank" rel="noopener">User Access Administrator</A>&nbsp;role, and make sure all selected subscriptions are registered with Microsoft Defender for Cloud.</P> <P>Refer to the&nbsp;<A href="#" target="_blank" rel="noopener">Readme</A>&nbsp;file in our GitHub repository for the detailed procedure.</P> <P>&nbsp;</P> <P><STRONG>Deployment process and details</STRONG></P> <P>Navigate to&nbsp;the Microsoft Defender for Cloud&nbsp;<A href="#" target="_blank" rel="noopener">GitHub repository&nbsp;</A>and select “Deploy to Azure” as shown in&nbsp;<EM>Image 1</EM>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_12-1646086934511.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351877iB4BE37FB4DCE393A/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_12-1646086934511.png" alt="Liana_Anca_Tomescu_12-1646086934511.png" /></span></P> <P><SPAN><EM>Image 1: GitHub repository</EM></SPAN></P> <P>&nbsp;</P> <P>Once you have clicked the&nbsp;<EM>‘Deploy’</EM>&nbsp;option in the screen above, you should automatically be redirected to the Azure portal Custom deployment page, where you can fill in the required details as shown in&nbsp;<EM>Image 2</EM>:</P> 
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_8-1646086421395.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351871i06ACFD2881C7345A/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_8-1646086421395.png" alt="Liana_Anca_Tomescu_8-1646086421395.png" /></span></P> <P>&nbsp;</P> <P><SPAN><EM>Image 2: Azure portal, Custom Deployment</EM></SPAN></P> <P>&nbsp;</P> <P>The ARM template creates the Logic App playbook and API connections to Office 365 and ascalert.</P> <P>You need to authorize the Office 365 API connection so it can access the sender mailbox and send the email notification from there.</P> <P>&nbsp;</P> <P>Once you review and create the deployment from&nbsp;<EM>Image 2</EM>, you will see the resources below created by the ARM template (refer to<EM>&nbsp;Image 3</EM>).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_9-1646086421397.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351873iBEAE0AC11DBEC885/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_9-1646086421397.png" alt="Liana_Anca_Tomescu_9-1646086421397.png" /></span></P> <P><SPAN><EM>Image 3: Summary of the resources created from the ARM template</EM></SPAN></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Define when the Logic App should automatically run:</STRONG></P> <P>The workflow automation feature of Microsoft Defender for Cloud can trigger Logic Apps on security alerts and recommendations. For example, you might want Microsoft Defender for Cloud to email a specific user when an alert occurs. When you add the workflow automation and its trigger conditions, the triggers initiate this automatic workflow. 
In this example, you want the Logic App to run when a security alert that contains "domain" is generated.</P> <P>&nbsp;</P> <P>Note: Read more about workflow automation&nbsp;<A href="#" target="_blank" rel="noopener">here</A></P> <P><EM>&nbsp;</EM></P> <P>When an attempt to reach a suspicious domain is detected by Microsoft Defender for Cloud as shown in&nbsp;<EM>Image 4</EM>, the automation runs and blocks traffic to the IP by creating a security rule in the NSG attached to the VM that denies outbound traffic to the IP address found in the alert's JSON, as shown in&nbsp;<EM>Image 4.</EM></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_10-1646086421403.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351874i055C94F8EBF6C840/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_10-1646086421403.png" alt="Liana_Anca_Tomescu_10-1646086421403.png" /></span></P> <P>&nbsp;</P> <P><SPAN><EM>Image 4: IP blocked by Microsoft Defender for Cloud</EM></SPAN></P> <P>&nbsp;</P> <P>You will receive an email notification with the alert details as shown in&nbsp;<EM>Image 5</EM>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_11-1646086421414.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/351875i551BD8E2621C6F84/image-size/large?v=v2&amp;px=999" role="button" title="Liana_Anca_Tomescu_11-1646086421414.png" alt="Liana_Anca_Tomescu_11-1646086421414.png" /></span></P> <P>&nbsp;</P> <P><SPAN><EM>Image 5: Email received to show automation has been triggered</EM></SPAN></P> <P>&nbsp;</P> <P>This logic app, as well as many others, can be found here:</P> <P><A href="#" target="_self">Direct Link to GitHub sample</A></P> <P><A href="#" target="_self">Microsoft Defender for Cloud GitHub Repo</A></P> 
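The following Python script is an added example, not the playbook from the GitHub repository: it models the decision logic the automation performs when an alert arrives, namely reading the IP from the alert's 'address' field, refusing to block non-routable addresses, choosing a free outbound NSG priority, skipping IPs that are already blocked, and emitting the equivalent az CLI command for review. The alert payload and NSG rule snapshot are constructed, and placing 'address' under ExtendedProperties, as well as the resource-group and NSG names, are assumptions.

```python
import ipaddress
import shlex

# Constructed Defender for DNS alert, trimmed to the fields this example uses.
# Placing the 'address' key under ExtendedProperties is an assumption about the
# alert payload; the IP (TEST-NET-3 documentation range) and VM name are made up.
SAMPLE_ALERT = {
    "AlertDisplayName": "Communication with suspicious random domain name",
    "CompromisedEntity": "web-vm-01",
    "ExtendedProperties": {
        "address": "203.0.113.45",
        "domain name": "x7q2k9.example",
    },
}

# Constructed snapshot of the rules already present on the VM's NSG.
EXISTING_RULES = [
    {"name": "AllowHttpsOut", "direction": "Outbound", "priority": 100},
    {"name": "DenyMalicious-198-51-100-7", "direction": "Outbound", "priority": 110},
    {"name": "AllowSshIn", "direction": "Inbound", "priority": 100},
]

MIN_PRIORITY, MAX_PRIORITY = 100, 4096

# Address space a VM legitimately needs to reach: blocking it by mistake could
# cut the VM off from its own VNet, so such alerts are left for manual triage.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]


def extract_target_ip(alert):
    """Return the destination IP carried by the alert, or None if it is absent,
    malformed, or inside a range we never want to block automatically."""
    raw = (alert.get("ExtendedProperties") or {}).get("address") or alert.get("address")
    if not raw:
        return None
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    return str(ip)


def next_free_priority(existing_rules, direction="Outbound"):
    """Lowest unused priority for the direction, so the deny rule is evaluated
    before any later, broader allow rules."""
    used = {r["priority"] for r in existing_rules if r["direction"] == direction}
    for p in range(MIN_PRIORITY, MAX_PRIORITY + 1):
        if p not in used:
            return p
    raise RuntimeError("no free NSG priority available")


def build_deny_rule(ip, existing_rules):
    """Build the NSG security-rule body that denies all outbound traffic to ip.
    Returns None if the same deny rule is already present (idempotent re-runs)."""
    name = "DenyMalicious-" + ip.replace(".", "-").replace(":", "-")
    if any(r["name"] == name for r in existing_rules):
        return None
    return {
        "name": name,
        "properties": {
            "priority": next_free_priority(existing_rules),
            "direction": "Outbound",
            "access": "Deny",
            "protocol": "*",
            "sourceAddressPrefix": "*",
            "sourcePortRange": "*",
            "destinationAddressPrefix": ip,
            "destinationPortRange": "*",
            "description": "Auto-blocked from Defender for DNS alert",
        },
    }


def az_cli_command(rule, resource_group, nsg_name):
    """Equivalent 'az network nsg rule create' invocation, for a human reviewer."""
    p = rule["properties"]
    args = ["az", "network", "nsg", "rule", "create",
            "--resource-group", resource_group, "--nsg-name", nsg_name,
            "--name", rule["name"], "--priority", str(p["priority"]),
            "--direction", p["direction"], "--access", p["access"],
            "--protocol", p["protocol"],
            "--source-address-prefixes", p["sourceAddressPrefix"],
            "--source-port-ranges", p["sourcePortRange"],
            "--destination-address-prefixes", p["destinationAddressPrefix"],
            "--destination-port-ranges", p["destinationPortRange"]]
    return " ".join(shlex.quote(a) for a in args)


def plan_block(alert=SAMPLE_ALERT, existing_rules=EXISTING_RULES):
    """Full decision: None when nothing should be created, else the rule body."""
    ip = extract_target_ip(alert)
    if ip is None:
        return None
    return build_deny_rule(ip, existing_rules)


if __name__ == "__main__":
    rule = plan_block()
    if rule:
        print(az_cli_command(rule, "rg-web", "nsg-web-vm-01"))  # names are assumed
```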
<P>&nbsp;</P> <P>Most organizations lack the time and expertise required to respond to these alerts so many go unaddressed. Having this type of automation can address the threat immediately. I hope you enjoyed reading this article and implementing it!</P> <P>&nbsp;</P> <P><STRONG>Special thanks to:</STRONG></P> <P>Tom Janetscheck, Senior Program Manager, Microsoft Defender for Cloud, Microsoft</P> <P>Safeena Begum Lepakshi, Senior Program Manager, Microsoft Defender for Cloud, Microsoft</P> <P>Ido Keshet, Senior Program Manager, Microsoft Defender for Cloud, Microsoft</P> <P>Thomas Vuylsteke, Senior Customer Engineer, Microsoft</P> <P><LI-USER uid="124214"></LI-USER>, Principal PM Manager, Microsoft Defender for Cloud</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 02 Mar 2022 19:48:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/automation-to-block-outgoing-traffic-to-malicious-websites/ba-p/3223286 Liana_Anca_Tomescu 2022-03-02T19:48:38Z Microsoft Defender for Key Vault - Deploy to Azure Synapse Analytics https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-key-vault-deploy-to-azure-synapse/ba-p/3201308 <P>We are excited to announce that Microsoft Defender for Key Vault has moved the back-end processing infrastructure to Azure Synapse Analytics. 
The benefits and advantages of deploying services on Azure Synapse Analytics include, but are not limited to:</P> <UL> <LI>It provides better compliance and security control.</LI> <LI>It has built-in support for .NET for Spark applications.</LI> <LI>It has built-in Azure Data Factory to orchestrate workflows, and its engine supports 90+ data sources.</LI> <LI>It provides integration with Microsoft Power BI, Azure Machine Learning, Azure Cosmos DB, and Azure Data Explorer.</LI> <LI>It has both a Spark engine and a SQL engine.</LI> </UL> <P>This article describes the changes we made to move our infrastructure to Azure Synapse Analytics.</P> <P>&nbsp;</P> <H2>Overview</H2> <P>Microsoft Defender for Key Vault is a good example of a service to run on Azure Synapse Analytics, as it is an end-to-end ML-based big data analytics service. This effort covers many key points, including streaming jobs, machine learning development, .NET Spark jobs, and more.</P> <P><BR />To arrive at the final architecture based on Azure Synapse Analytics, shown in the following image, we made changes to each part of this modern data infrastructure.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="xinyetang_1-1645569904090.jpeg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/350503i504D095855D9B961/image-size/large?v=v2&amp;px=999" role="button" title="xinyetang_1-1645569904090.jpeg" alt="xinyetang_1-1645569904090.jpeg" /></span></P> <P>&nbsp;</P> <OL> <LI>Use Azure Synapse Analytics Pipelines to create, schedule, and orchestrate data processing and transformation workflows.</LI> <LI>Use Azure Synapse Analytics Spark pools to ingest raw streaming data by running micro-batch processing jobs to implement the "Hot Path" of the Lambda architecture pattern and derive insights from the stream data in transit.</LI> <LI>Use Azure Synapse Analytics Spark pools to perform historical and trend analysis on the "Cold 
Path" of the Lambda architecture pattern.</LI> <LI>Azure Synapse Analytics provides notebooks for ad-hoc jobs and exploratory data analysis.</LI> <LI>Raw structured, semi-structured, and unstructured data are ingested into Azure Data Lake Storage Gen2 from various sources. Azure Data Lake Storage Gen2 also stores resulting datasets such as aggregated data, features, models, and alerts.</LI> <LI>Use Azure services for collaboration, performance, reliability, governance, and security:</LI> </OL> <UL> <LI>Azure DevOps offers continuous integration and continuous deployment (CI/CD) and other integrated version control features.</LI> <LI>Azure Key Vault securely manages secrets, keys, and certificates.</LI> <LI>Azure Application Insights collects and monitors custom application metrics, streaming query events, and application log messages.</LI> <LI>Azure Active Directory (Azure AD) provides single sign-on (SSO) for Azure users.</LI> </UL> <P>Those changes span source code, deployment, and interactions with other Azure services. Rather than lifting and shifting or refactoring the whole service, we chose re-platforming as our migration approach.</P> <P>&nbsp;</P> <H2>Key Learnings</H2> <P>In this section, I will go over the following key learnings from our migration in detail:</P> <UL> <LI>Microsoft Spark Utilities</LI> <LI>Secrets Management</LI> <LI>Storage Management</LI> <LI>Package &amp; Library Management</LI> <LI>Migrate Azure Data Factory V2 to Azure Synapse Analytics</LI> <LI>Support for .NET Spark Job</LI> <LI>Support for Streaming Job</LI> <LI>Support for Machine Learning</LI> <LI>Workspace Managed Identity</LI> <LI>Continuous Integration and Continuous Delivery</LI> <LI>Disaster Recovery</LI> </UL> <H3>Microsoft Spark Utilities</H3> <P>Azure Synapse Analytics provides a built-in package called Microsoft Spark Utilities on top of open-source Spark. It comprises functions to manage secrets, file systems, notebooks, etc. 
It is available in Azure Synapse Analytics notebooks and pipelines. We used these utilities to manage secrets and file systems after creating a link to an Azure Key Vault and a storage account respectively. Details on how to link these services are provided later in this article.</P> <P>Secrets utility:</P> <UL> <LI>MSSparkUtils provides credentials utilities (mssparkutils.credentials) to manage secrets in Azure Key Vault. It can also be used to get the access token of linked services and to update Azure Key Vault secrets.</LI> </UL> <P>File system utility:</P> <UL> <LI>Azure Synapse Analytics also has file system utilities – mssparkutils.fs. It provides utilities for working with various file systems, including Azure Data Lake Storage Gen2 and Azure Blob Storage.</LI> </UL> <P>For the details of other utilities, see the official documentation of Azure Synapse Analytics.</P> <P>&nbsp;</P> <H3>Secrets Management</H3> <P>On Azure, we use Azure Key Vault to store and manage secrets. So far, you have learned how to use the secrets utility to access or store secrets in Azure Key Vault, but how do we configure access to Azure Key Vault in the first place?</P> <P>&nbsp;</P> <P>On Azure Synapse Analytics, we can add an Azure Key Vault account as a linked service in Azure Synapse Studio. Then grant secret access to the Azure Synapse workspace managed identity and to your Azure AD identity by adding an access policy on the Azure Key Vault. Please note that, as of December 2021, Azure Synapse Analytics does not yet support secret redaction, which would prevent a secret from being accidentally printed to standard output or displayed during variable assignment.</P> <P>&nbsp;</P> <H3>Storage Management</H3> <P>You have learned how to configure access to an Azure Key Vault. It is time to configure access to an Azure Data Lake Storage Gen2 account. 
All we need to do is assign the Storage Blob Data Contributor role on this Azure Data Lake Storage Gen2 account to the Azure Synapse workspace managed identity and to your Azure AD identity. Then you can access data on this Azure Data Lake Storage Gen2 account from Azure Synapse Analytics pipelines or notebooks via the following URL:</P> <P class="lia-align-center">abfss://&lt;container_name&gt;@&lt;storage_account_name&gt;.dfs.core.windows.net/&lt;path&gt;</P> <P class="lia-align-center">&nbsp;</P> <H3>Package &amp; Library Management</H3> <P>By default, Apache Spark in Azure Synapse Analytics has a full set of <A href="#" target="_blank" rel="noopener">libraries</A> for common data engineering, data preparation, machine learning, and data visualization tasks. When a Spark instance starts up, these libraries are automatically included.</P> <P>&nbsp;</P> <P>Often, you may want to use custom or private wheel or jar files. You can upload these files to your workspace packages and later add them to specific Apache Spark pools in Azure Synapse Analytics. Those wheel or jar files are shared at the workspace level rather than the pool level, so we must give the wheel file a different name every time we upload a new one.</P> <P>&nbsp;</P> <P>In some cases, you may want to install external libraries on top of the base runtime. For Python, you can provide a requirements.txt or environment.yml to specific Apache Spark pools to install packages from repositories such as PyPI and Conda-Forge. For other languages, this is not supported yet (as of December 2021), but as a workaround you can download the external libraries first and then upload them as workspace packages.</P> <P>&nbsp;</P> <P>A system-reserved Spark job is initiated each time an Apache Spark pool in Azure Synapse Analytics is updated with a new set of libraries, and it can be used to monitor the status of the library installation. 
When you update the libraries of an Apache Spark pool in Azure Synapse Analytics, the changes are picked up once the pool has restarted. If you have active jobs, they continue to run on the original version of the Apache Spark pool. You can force the changes to apply by selecting Force new settings, which ends all currently running and queued Spark applications for the selected Apache Spark pool. Once those have ended, the pool restarts and applies the new changes. For every deployment, we create a new Apache Spark pool and deploy all changes to this new pool to avoid this disruptive process. Once existing running jobs end, new jobs start running on the new pool with the new libraries.</P> <P>&nbsp;</P> <H3>Migrate Azure Data Factory V2 to Azure Synapse Analytics</H3> <P>On Azure Synapse Analytics, the data integration capabilities such as Azure Synapse Analytics pipelines and data flows are based upon those of Azure Data Factory V2. This <A href="#" target="_blank" rel="noopener">document</A> discusses the differences between Azure Synapse Analytics and Azure Data Factory V2. Azure provides a PowerShell script to migrate Azure Data Factory V2 to Azure Synapse Analytics: <A href="#" target="_blank" rel="noopener">https://github.com/Azure-Samples/Synapse/tree/main/Pipelines/ImportADFtoSynapse</A></P> <P>&nbsp;</P> <H3>Support for .NET Spark job</H3> <P>Azure Synapse Analytics provides an equivalent development experience for PySpark, Scala Spark, and .NET Spark. 
We only need the following two steps to run a .NET Spark job on Azure Synapse Analytics:</P> <UL> <LI>Upload the ZIP file containing your .NET Spark application to an Azure Data Lake Storage Gen2 account linked to Azure Synapse Studio.</LI> <LI>Create an Apache Spark job definition by selecting .NET Spark as the language and filling in the main definition file with the ZIP file path.</LI> </UL> <P>Here are the <A href="#" target="_blank" rel="noopener">tutorials</A> for submitting an Apache Spark job in each of those three languages in Azure Synapse Studio.</P> <P>&nbsp;</P> <H3>Support for Streaming job</H3> <P>Full support for streaming jobs that run perpetually is on the roadmap of Azure Synapse Analytics. As of December 2021, Azure Synapse Analytics jobs are limited to 7 days. The current workaround we have is to run micro-batch processing jobs to ingest raw streaming data and restart the job every 4 hours.</P> <P>&nbsp;</P> <H3>Support for Machine Learning</H3> <P>As mentioned before, Apache Spark pools in Azure Synapse Analytics use runtimes to tie together essential component versions, and the Azure Synapse Runtime has a full set of libraries, including Apache Spark MLlib, scikit-learn, and NumPy, for common data engineering, data preparation, machine learning, and data visualization tasks. Moreover, Azure Machine Learning is seamlessly integrated with Azure Synapse notebooks, and users can easily leverage automated ML in Azure Synapse Analytics with pass-through Azure Active Directory authentication.</P> <P>&nbsp;</P> <H3>Workspace Managed Identity</H3> <P>A common challenge for developers is the management of secrets and credentials used to secure communication between the different components making up a solution. Managed identities eliminate the need for developers to manage credentials. 
System-assigned managed identities provide an identity for the service to use when connecting to resources that support Azure Active Directory (Azure AD) authentication with Azure AD tokens.</P> <P>&nbsp;</P> <P>The Azure Synapse workspace can authenticate to Azure Data Lake Storage Gen2 or Azure Key Vault via the workspace managed identity that is created along with the Azure Synapse workspace.</P> <P>&nbsp;</P> <H3>Continuous Integration and Continuous Delivery (CI/CD)</H3> <P>Microsoft Defender for Key Vault uses Azure Repos and Azure Pipelines to produce deployable artifacts for continuous integration and to release new versions for continuous deployment. Azure Resource Manager (ARM) templates and custom script extensions enable us to deploy our service to Azure automatically and in stages. ARM templates are used to define the resources the service needs (e.g., an Azure storage account) and to specify deployment parameters that take different values for different environments. When an action is not supported directly by the ARM template, we use custom script extensions to execute it. 
The following table shows ARM template support for Azure Synapse Analytics components (as of December 2021).</P> <P>&nbsp;</P> <TABLE class="lia-align-center" style="width: 384px;" width="657px"> <TBODY> <TR> <TD width="343.125px" height="57px"> <P><STRONG>Component</STRONG></P> </TD> <TD width="314.219px" height="57px"> <P><STRONG>Azure Synapse Analytics</STRONG></P> </TD> </TR> <TR> <TD width="343.125px" height="30px"> <P>Compute Clusters</P> </TD> <TD width="314.219px" height="30px"> <P>ARM template</P> </TD> </TR> <TR> <TD width="343.125px" height="30px"> <P>Network Configuration</P> </TD> <TD width="314.219px" height="30px"> <P>ARM template</P> </TD> </TR> <TR> <TD width="343.125px" height="57px"> <P>Workspace Encryption Settings</P> </TD> <TD width="314.219px" height="57px"> <P>ARM template</P> </TD> </TR> <TR> <TD width="343.125px" height="30px"> <P>Workspace RBAC</P> </TD> <TD width="314.219px" height="30px"> <P>Extension</P> </TD> </TR> <TR> <TD width="343.125px" height="57px"> <P>Azure Data Factory V2/Azure Synapse Studio</P> </TD> <TD width="314.219px" height="57px"> <P>Extension</P> </TD> </TR> <TR> <TD width="343.125px" height="30px"> <P>Notebook</P> </TD> <TD width="314.219px" height="30px"> <P>Extension</P> </TD> </TR> <TR> <TD width="343.125px" height="30px"> <P>Managed Identity</P> </TD> <TD width="314.219px" height="30px"> <P>ARM template</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>The Microsoft Azure .NET SDK provides an Azure Synapse Analytics development <A href="#" target="_blank" rel="noopener">client library</A> for programmatically managing artifacts, offering methods to create, update, list, and delete pipelines, datasets, data flows, notebooks, Spark job definitions, SQL scripts, linked services, and triggers.</P> <P>&nbsp;</P> <H3>Disaster Recovery</H3> <P>Business Continuity and Disaster Recovery (BCDR) is the strategy that determines how applications, workloads, and data remain available during planned and unplanned downtime. 
Azure Synapse Analytics only supports disaster recovery for dedicated SQL pools and doesn’t support it for Apache Spark pools and Azure Synapse Studio yet (as of December 2021). Azure Synapse Analytics uses data warehouse snapshots for disaster recovery of dedicated SQL pools. It creates a restore point you can leverage to recover or copy your data warehouse to a previous state. In the event of a disaster, we can create a new Azure Synapse Analytics environment and then deploy our service on it using Azure pipelines.</P> <P>&nbsp;</P> <H2>Conclusion</H2> <P>In this article, we have covered the architecture change of Microsoft Defender for Key Vault to deploy to Azure Synapse Analytics. We have also taken a deep dive into migration and shared our key learnings from it.</P> <P>&nbsp;</P> <H2>References</H2> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/synapse-analytics/</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/azure-defender-for-key-vault/ba-p/1825055" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/azure-defender-for-key-vault/ba-p/1825055</A></P> Wed, 23 Feb 2022 18:26:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-key-vault-deploy-to-azure-synapse/ba-p/3201308 xinye-tang 2022-02-23T18:26:45Z Protect your Google Cloud workloads with Microsoft Defender for Cloud https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/protect-your-google-cloud-workloads-with-microsoft-defender-for/ba-p/3073360 <P>Today, <A href="#" target="_blank" rel="noopener">92% of organizations embrace a multicloud strategy</A>. Reasons range from having maximum flexibility to choose between cloud services, to cost optimization. 
While there are many benefits to using multiple cloud vendors, security teams often struggle with the resulting complexity.</P> <P>&nbsp;</P> <P>In a recent survey, Microsoft interviewed more than 500 CISOs and found that cloud security remains the #1 concern and investment priority for security professionals, with Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) solutions at the top of their list.</P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/ignite-2021-microsoft-defender-for-cloud-news/ba-p/2882807" target="_blank" rel="noopener">After releasing support for AWS</A> last November, today we’re excited to announce that Microsoft Defender for Cloud now supports Google Cloud Platform (GCP) with its native CSPM and CWP capabilities, without any dependency on Google first-party tools. The support for GCP comes with a simplified onboarding experience, more than 80 out-of-the-box recommendations to harden your environment, and more.</P> <P>&nbsp;</P> <P>Organizations can now easily understand and manage their security posture across clouds and protect their workloads from a central place, no matter whether they run in Azure, Amazon Web Services (AWS), GCP, or on-premises. It also makes Microsoft the only cloud provider that enables you to manage security centrally across clouds.</P> <P>&nbsp;</P> <P><STRONG><EM>“I consider Microsoft Defender for Cloud invaluable for giving me the full picture of how to tighten security in our infrastructure.” David Finkelstein, CISO at St. 
Luke’s University Health Network</EM></STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 1: Overview of all 3 connected clouds in Microsoft Defender for Cloud dashboard" style="width: 852px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342827i1065E9D3FC9EEE9A/image-size/large?v=v2&amp;px=999" role="button" title="Blog Graphic_012622_v3.gif" alt="Image 1: Overview of all 3 connected clouds in Microsoft Defender for Cloud dashboard" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1: Overview of all 3 connected clouds in Microsoft Defender for Cloud dashboard</span></span></P> <P>&nbsp;</P> <H2>Understand and manage your security posture and compliance across clouds</H2> <P>Let’s dive into the details around the new security capabilities for Google Cloud.</P> <P>&nbsp;</P> <P>The support for GCP was designed as an integral part of Microsoft Defender for Cloud, so that organizations can understand their security posture across their connected cloud environments from a single place.</P> <P>&nbsp;</P> <P>One example of how we’re enabling this is a central, multicloud view with a new Secure Score for all clouds combined and the ability to compare your compliance status against critical benchmarks such as the <A href="#" target="_blank" rel="noopener">Center for Internet Security (CIS)</A> benchmarks for GCP and AWS. 
This allows you to understand your organization’s cloud security posture as a whole, across all connected environments.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 2: Microsoft Defender for Cloud dashboard" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/352195iEB8DDE49460C0550/image-size/large?v=v2&amp;px=999" role="button" title="defender dashboard.png" alt="Image 2: Microsoft Defender for Cloud dashboard" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2: Microsoft Defender for Cloud dashboard</span></span></P> <P>&nbsp;</P> <P>To make it easy to understand and manage the security posture for GCP environments, Microsoft Defender for Cloud provides more than 80 out-of-the-box recommendations to begin with. These are aligned to industry standards and security best practices, including a mapping to the CIS benchmark for Google Cloud.</P> <P>&nbsp;</P> <P>Configuration oversights can open the door to threats in your environment, which is why it’s critical to stay on top of the common risks we see across environments. Some examples of critical recommendations that Microsoft Defender for Cloud now provides for resources in GCP include:</P> <P>&nbsp;</P> <UL> <LI>Cloud Storage buckets are anonymously or publicly accessible</LI> <LI>Multi-factor authentication is not enabled for all non-service accounts</LI> <LI>Cloud SQL database instances do not require incoming connections to use SSL</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 3: Overview of recommendations for all connected cloud environments." 
style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/349392i636C1E82229BD875/image-size/large?v=v2&amp;px=999" role="button" title="Recommendations (3).png" alt="Image 3: Overview of recommendations for all connected cloud environments." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 3: Overview of recommendations for all connected cloud environments.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>And lastly, you can build custom recommendations to meet specific security or compliance requirements your organization may have.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Threat Protection for workloads in GCP</H2> <P>While managing risk is critical, preventing and responding to threats is equally relevant for a comprehensive cloud security strategy. That’s why we built new threat protection capabilities in Microsoft Defender for Cloud for native GCP workloads across containers and servers.</P> <P>&nbsp;</P> <P>Starting today, container protection is available for Google GKE Standard clusters. With container adoption soaring because of their scalability and portability, they are critical in any cloud environment.</P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317" target="_blank" rel="noopener">Microsoft Defender for Containers</A> provides threat detection capabilities that include Kubernetes behavioral analytics, including anomaly detection for GKE clusters and underlying hosts, as well as security best practices and built-in admission control policies to harden Kubernetes workloads.</P> <P>&nbsp;</P> <P>In addition to containers, Defender for Cloud has extended its server protection to support Google Compute Engine VMs, another critical workload type across most environments. 
The protection for server workloads leverages the powerful protection capabilities of <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> such as EDR and attack surface reduction. In addition, it provides server-focused vulnerability assessment, behavioral alerts for VMs, OS recommendations across security baselines, antimalware, and missing OS updates, as well as Adaptive application controls (AAC) and File integrity monitoring (FIM).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 4: Overview of container specific alerts in Microsoft Defender for Cloud" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/349393i0A69CD27C2847D3E/image-size/large?v=v2&amp;px=999" role="button" title="MicrosoftTeams-image (1).png" alt="Image 4: Overview of container specific alerts in Microsoft Defender for Cloud" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 4: Overview of container specific alerts in Microsoft Defender for Cloud</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Easy Onboarding in 1, 2, 3</H2> <P>We created an easy process to onboard Google Cloud environments to Microsoft Defender for Cloud. To enable the CSPM capabilities, we use the native Google APIs and will soon allow security teams to connect the entire organization or individual projects to Microsoft Defender for Cloud without the need for any agents or additional Google services.</P> <P>&nbsp;</P> <P>The Defender for Cloud threat protection capabilities can be deployed to container and server workloads in GCP environments, using <A href="#" target="_blank" rel="noopener">Azure Arc</A>. Security teams have the flexibility to deploy at scale across all VMs and GKE clusters or within selected Google Cloud projects. 
Lastly, and to keep up with the dynamic provisioning of cloud resources, Microsoft Defender for Cloud can automatically provision container and server protections to new resources, as soon as they’re added to the GCP environment.</P> <P>&nbsp;</P> <P>So while Azure is natively integrated into Microsoft Defender for Cloud, it’s super easy to onboard Google Cloud or AWS environments as well.</P> <H2>&nbsp;</H2> <H2>Security for the cloud of your choice</H2> <P>Microsoft is committed to helping organizations protect their whole environment—across clouds, platforms, and devices. We understand that organizations today have multicloud strategies, and we want to deliver an easy and seamless experience to secure and protect those environments - no matter if you choose Azure, AWS, GCP, or all three.</P> <P>&nbsp;</P> <P>With the new support for Google Cloud Platform now in public preview, we’re enabling organizations to approach their cloud security holistically and from a single place with Microsoft Defender for Cloud.</P> <P>&nbsp;</P> <UL> <LI>Secure and protect your GCP, AWS, and Azure environments</LI> <LI>Assess and strengthen the security configuration of your cloud resources</LI> <LI>Manage compliance against critical industry and regulatory standards</LI> <LI>Protect critical workloads including containers, servers, and more against malicious attacks</LI> </UL> 
<P>More information:</P> <UL> <LI>For a deep dive and demo of these capabilities, <A href="#" target="_blank" rel="noopener">join us at the “What’s next in security” Digital event on 2/24.</A></LI> <LI>Get started with a <A href="#" target="_blank" rel="noopener">free trial in Azure</A></LI> <LI>Learn how to <A href="#" target="_blank" rel="noopener">get started</A> with Microsoft Defender for Cloud</LI> <LI><A href="#" target="_blank" rel="noopener">Subscribe</A>&nbsp;to our YouTube series for product deep dives!</LI> <LI>Discover <A href="#" target="_blank" rel="noopener">Azure Arc</A>.</LI> </UL> Tue, 01 Mar 2022 22:06:17 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/protect-your-google-cloud-workloads-with-microsoft-defender-for/ba-p/3073360 giladelyashar 2022-03-01T22:06:17Z 7 steps to author, develop, and deploy custom recommendations for Windows using Guest Configuration https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/7-steps-to-author-develop-and-deploy-custom-recommendations-for/ba-p/3166026 
<P>While reviewing security recommendations under the ‘<EM><STRONG>Implement security best practices</STRONG></EM>’ control with a customer in the Microsoft Defender for Cloud portal, the customer asked about a particular recommendation: <EM>‘Guest Configuration extension should be installed on machines’</EM>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_0-1644896795652.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348214i1D79CBF89D36238E/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_0-1644896795652.png" alt="NathanSwift_0-1644896795652.png" /></span></P> <P>&nbsp;</P> 
<P>A quick look at this recommendation shows how Microsoft Defender for Cloud extends security recommendations and posture management into the operating system of Windows and Linux machines. By clicking through to the related recommendations, we were able to review the additional checks it can discover and assess for compliance.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_1-1644896836097.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348216iB2F791E4A1280638/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_1-1644896836097.png" alt="NathanSwift_1-1644896836097.png" /></span></P> <P>&nbsp;</P> 
<P><FONT size="4">We did not stop there: Guest Configuration also lets you author custom recommendations that look for settings or software inside the OS of your servers. That opens up a whole security and best-practices conversation, with a world of possibilities to check for, including your organization’s own best practices and security recommendations developed and implemented over the years.</FONT></P> <P>&nbsp;</P> 
<P><FONT size="4">After discussing Guest Configuration and the ability to customize it for your organization’s recommendations, the customer had an immediate use case in mind: they wanted a new check for certain software on their Windows servers. In this case they used Nessus scanners and agents across their cloud assets and on-premises.</FONT></P> <P>&nbsp;</P> 
<P><FONT size="4">Much like the built-in recommendations to install antivirus or a vulnerability management solution, they wanted to be notified of Windows servers that were missing the Nessus agent. The following walkthrough explains the mechanics of authoring a check for installed software and surfacing it as a recommendation in Defender for Cloud, using the Nessus agent as the example.</FONT></P> <P>&nbsp;</P> 
<P><FONT size="5">Prerequisite:</FONT></P> <P><FONT size="4">To take advantage of this capability, Guest Configuration must be deployed to your Azure VMs and Azure Arc-enabled servers. For enterprises, use the native built-in capabilities such as auto provisioning of the Guest Configuration extension in Microsoft Defender for Cloud. This way, new VMs, and deallocated VMs that are turned back on, also receive the Guest Configuration extension.</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_2-1644897030495.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348217iB5F88DA6A8CC4AF2/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_2-1644897030495.png" alt="NathanSwift_2-1644897030495.png" /></span></P> <P>&nbsp;</P> 
<P>With the Guest Configuration extension set to deploy automatically, a variety of opportunities to check for your organization’s software requirements and settings inside the OS opens up.</P> <P>&nbsp;</P> 
<P><FONT size="5">Development Process:</FONT></P> <P>Overall, there is a documented seven-step process to author, develop, and deploy. This blog summarizes each step and links to the corresponding Azure documentation so you can get the full details if desired.</P> <P>&nbsp;</P> <P>Steps 1 through 6 are done on an authoring VM with PowerShell.</P> <P>&nbsp;</P> <P>Step 7 is done in the Microsoft Defender for Cloud portal, but it could also be done through PowerShell, which would allow a DevOps approach for existing and new subscriptions coming online.</P> <P>&nbsp;</P> <P>The first four steps produce and test the Desired State Configuration (DSC) package for Guest Configuration.</P> <P>&nbsp;</P> <P>Steps 5 and 6 use PowerShell to create the custom Guest Configuration Azure Policy and publish it to your subscription.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_3-1644897100623.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348218i48290BED7475EFE9/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_3-1644897100623.png" alt="NathanSwift_3-1644897100623.png" /></span></P> <P>&nbsp;</P> 
<P><FONT size="5"><A href="#" target="_blank" rel="noopener noreferrer">Step 1:</A> Build the authoring VM and author a DSC configuration that checks for a Windows service</FONT></P> <P>&nbsp;</P> <P>To start, use the following <A href="#" target="_blank" rel="noopener">Azure documentation</A> to create an Azure VM that will host the authoring tools and software used to work with Guest Configuration. The key here is an Azure VM running Windows 10 or Windows Server. You will want to install the following:</P> <P>&nbsp;</P> <P>Download and install PowerShell 7.1.3 or higher:</P> <P><A href="#" target="_blank" rel="noopener">https://github.com/PowerShell/PowerShell/releases/download/v7.1.3/PowerShell-7.1.3-win-x64.msi</A></P> <P>Be sure to install any software you want to detect; in our example you can install the <A href="#" target="_blank" rel="noopener">Nessus Agent</A> from the command line.</P> <P>&nbsp;</P> <P>Using the PowerShell 7 (x64) console, install the following modules:</P> <LI-CODE lang="powershell">Install-Module Az
Install-Module GuestConfiguration
# Required so that Import-DscResource in the configuration below can resolve the module at compile time
Install-Module PSDscResources
# On PowerShell 7.2 or later, PSDesiredStateConfiguration is no longer shipped in-box and must be installed too:
# Install-Module PSDesiredStateConfiguration</LI-CODE> <P>&nbsp;</P> <P>Once you have the tools installed, open any text editor (VS Code, Notepad, or the PowerShell ISE). The configuration below checks for a Windows service. Since most AV or vulnerability scanning software on servers runs as a Windows service that is always running, this is often the easiest way to detect it.</P> <P>&nbsp;</P> <LI-CODE lang="powershell">configuration WindowsNessusAgentService {
    Import-DscResource -ModuleName PSDscResources

    Node localhost {
        # Audit that the Nessus agent service exists, is set to start automatically, and is running
        Service TenableNessusAgent {
            Name        = "Tenable Nessus Agent"
            StartupType = "Automatic"
            State       = "Running"
            Ensure      = "Present"
        }
    }
}</LI-CODE> <P>&nbsp;</P> <P>Save the file as WindowsNessusAgentService.ps1. You have just created a DSC-based PowerShell script. DSC with Guest Configuration has many other states to check for; use the PSDscResources module, as it works with Guest Configuration. See the following repository for the other resources and states you can check: <A href="#" target="_blank" rel="noreferrer noopener">PowerShell/PSDscResources (github.com)</A></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_0-1644897366394.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348219iB25FB69E2084AF3F/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_0-1644897366394.png" alt="NathanSwift_0-1644897366394.png" /></span></P> <P>&nbsp;</P> 
<P><FONT size="5"><A href="#" target="_blank" rel="noreferrer noopener">Step 2:</A> Compile the DSC .ps1 to generate the .mof state file</FONT></P> <P>&nbsp;</P> <P><FONT size="4">In the PowerShell 7 (x64) console, use the following commands to dot-source the DSC script into memory and compile the .mof file:</FONT></P> <P>&nbsp;</P> <LI-CODE lang="powershell"># Dot-source the script so the configuration is defined, then invoke it to compile
# .\WindowsNessusAgentService\localhost.mof
. .\WindowsNessusAgentService.ps1
WindowsNessusAgentService</LI-CODE> <P>&nbsp;</P> <P><FONT size="4">Afterwards, a folder called WindowsNessusAgentService should be created, containing a compiled localhost.mof file. Open localhost.mof in a text editor and take a look; you may want to remove or update the Author value, as it is the account name on the VM used to generate the .mof file.</FONT></P> <P>&nbsp;</P> 
<P><FONT size="5"><A href="#" target="_blank" rel="noreferrer noopener">Step 3:</A> Create a Guest Configuration package .zip file</FONT></P> <P>&nbsp;</P> <P><FONT size="4">In this step you use the cmdlets from the GuestConfiguration module to generate a package from the .mof and zip the data into an archive for Azure Policy Guest Configuration.</FONT></P> <P>&nbsp;</P> 
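<P>Before the Step 3 command itself, here is the whole authoring flow so far collected into one script. This is an added example and not code from the original post: it defines the configuration from Step 1, extends the page’s single Service check with a second check that the agent binary meets a minimum file version, compiles the MOF as in Step 2, builds the Audit package with New-GuestConfigurationPackage, and then evaluates the package on the authoring VM with the GuestConfiguration module’s Get-GuestConfigurationPackageComplianceStatus cmdlet. The minimum version 10.0.0 and the use of the PSDscResources Script resource for that second check are assumptions for illustration; the service name “Tenable Nessus Agent” is the one the post uses. Run it from an elevated PowerShell 7 (x64) console with the Az, GuestConfiguration and PSDscResources modules installed.</P>

```powershell
# Added example, not from the original post. Assumptions: the 10.0.0 minimum agent version
# and the Script resource used to check it. Run elevated in PowerShell 7 (x64) with the
# Az, GuestConfiguration and PSDscResources modules installed.

configuration WindowsNessusAgentService {
    Import-DscResource -ModuleName PSDscResources

    Node localhost {
        # Check 1 (as on the page): the agent service exists, starts automatically and is running.
        Service TenableNessusAgent {
            Name        = 'Tenable Nessus Agent'
            StartupType = 'Automatic'
            State       = 'Running'
            Ensure      = 'Present'
        }

        # Check 2 (added): the service binary is at or above an assumed minimum file version.
        # In an Audit package only GetScript and TestScript run; SetScript is never invoked.
        Script TenableNessusAgentVersion {
            GetScript  = {
                $svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='Tenable Nessus Agent'"
                $path = if ($svc) { $svc.PathName } else { 'service not found' }
                return @{ Result = $path }
            }
            TestScript = {
                $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Tenable Nessus Agent'"
                if (-not $svc) { return $false }
                # PathName may be quoted and may carry arguments; keep only the executable path.
                $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
                if (-not (Test-Path -LiteralPath $exe)) { return $false }
                $fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersionRaw
                return ($fileVersion -ge [version]'10.0.0')   # assumed baseline, adjust to your standard
            }
            SetScript  = { throw 'Audit-only package: remediation is not performed.' }
        }
    }
}

# Step 2: compile the configuration to .\WindowsNessusAgentService\localhost.mof
$outDir = Join-Path $PWD.Path 'WindowsNessusAgentService'
WindowsNessusAgentService -OutputPath $outDir | Out-Null
$mof = Join-Path $outDir 'localhost.mof'
# The MOF records the authoring account (Author) and machine (GenerationHost);
# review them before the package leaves the authoring VM.

# Step 3: build the Audit package; -Name must match the configuration name above.
$package = New-GuestConfigurationPackage `
    -Name 'WindowsNessusAgentService' `
    -Configuration $mof `
    -Type Audit `
    -Force

# Evaluate the package locally (needs elevation) before publishing it as a policy.
$status = Get-GuestConfigurationPackageComplianceStatus -Path $package.Path
"Package:   $($package.Path)"
"Compliant: $($status.complianceStatus)"
$status.resources | Format-List
```

<P>Because the package is built with -Type Audit, a target machine whose agent is missing, stopped, or below the baseline is only reported as non-compliant once the policy is assigned; nothing is changed on the host. If the local run reports non-compliance on the authoring VM itself, read the resources output first: it shows which of the two checks failed and why, before you spend time publishing the package.</P>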
<LI-CODE lang="powershell">New-GuestConfigurationPackage ` -Name 'WindowsNessusAgentService' ` -Configuration './WindowsNessusAgentService/localhost.mof' ` -Type Audit ` -Force</LI-CODE> <P>&nbsp;</P> <P><FONT size="5"><A class="Hyperlink SCXW50213690 BCX8" href="#" target="_blank" rel="noreferrer noopener">Step 4:</A> Test Guest Configuration policy in local environment</FONT></P> <P>&nbsp;</P> <P><FONT size="4">Before uploading anything, confirm that Guest Configuration can execute the DSC configuration and that the results are what you expect. Use the following GuestConfiguration cmdlet to run the package on the authoring machine. For an Audit package the output reports whether this machine is compliant, so a complianceStatus of False is expected if the Nessus agent is not installed on the authoring VM; what you are checking here is that the package runs to completion without errors.</FONT></P> <P>&nbsp;</P> <LI-CODE lang="powershell">Get-GuestConfigurationPackageComplianceStatus -Path ./WindowsNessusAgentService/WindowsNessusAgentService.zip</LI-CODE> <P>&nbsp;</P> <P><FONT size="5"><SPAN class="EOP SCXW237497895 BCX8"><SPAN class="EOP SCXW240535918 BCX8"><SPAN class="TextRun SCXW136196505 BCX8"><SPAN class="NormalTextRun SCXW136196505 BCX8"><SPAN class="TextRun SCXW76002923 BCX8"><SPAN class="NormalTextRun SCXW76002923 BCX8"><SPAN class="TextRun SCXW50213690 BCX8"><SPAN class="NormalTextRun SCXW50213690 BCX8"><SPAN class="EOP SCXW31215021 BCX8"><A class="Hyperlink SCXW65327749 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW65327749 BCX8"><SPAN class="NormalTextRun SCXW65327749 BCX8">Step 5:</SPAN></SPAN></A><SPAN class="TextRun SCXW65327749 BCX8"><SPAN class="NormalTextRun SCXW65327749 BCX8"> Publish custom Guest Configuration package to Azure Blob 
Storage</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P>In this step you will use another GuestConfiguration cmdlet to upload the .zip package you tested previously to an Azure Blob Storage account. The cmdlet returns a blob URI that carries a SAS token valid for several years (the token in the Step 6 example below is read-only, <I>sp=rl</I>, and valid for three years). Treat that URI as a secret: it is a bearer credential, so anyone who obtains it can download the package until the token expires, and it is written in clear text into the policy definition you create in the next step. The definition also records a SHA-256 hash of the package, which is what protects the package's integrity on the target machines; the SAS only controls who can fetch it. This SAS-based URI is used when creating the Azure Policy definition and publishing it in the next step.</P> <P>&nbsp;</P> <LI-CODE lang="powershell">Publish-GuestConfigurationPackage -Path './WindowsNessusAgentService/WindowsNessusAgentService.zip' ` -ResourceGroupName SwiftSolvesDSC -StorageAccountName swiftsolvesdsc | % ContentUri</LI-CODE> <P>&nbsp;</P> <P>Copy the <U><FONT color="#0000FF">SAS URL signature</FONT></U> returned by the cmdlet; you will pass it to -ContentUri in Step 6.</P> <P>&nbsp;</P> <P><FONT size="5"><SPAN class="EOP SCXW255054357 BCX8"><SPAN class="EOP SCXW78461076 BCX8"><A class="Hyperlink SCXW155436302 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW155436302 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW155436302 BCX8" 
data-ccp-charstyle="Hyperlink">Step 6:</SPAN></SPAN></A><SPAN class="TextRun SCXW155436302 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW155436302 BCX8"> Create the custom Azure Policy definition id</SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P><FONT size="5" color="#000000"><SPAN class="EOP SCXW255054357 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW78461076 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW155436302 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW155436302 BCX8"><FONT size="4"><SPAN class="TextRun SCXW213098089 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW213098089 BCX8">In this next step we are going to take the Guest Configuration package in Azure Blob Storage and use it to define a new custom Azure Policy definition. Start with creating a <U><FONT color="#008000">new </FONT></U></SPAN><U><FONT color="#008000"><SPAN class="NormalTextRun SpellingErrorV2Themed SCXW213098089 BCX8">guid</SPAN></FONT><SPAN class="NormalTextRun SCXW213098089 BCX8">.</SPAN></U></SPAN><U><SPAN class="EOP SCXW213098089 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></U></FONT></SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="powershell">New-Guid</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5" color="#000000"><SPAN class="EOP SCXW255054357 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW78461076 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW155436302 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW155436302 BCX8"><FONT size="4"><SPAN class="EOP SCXW213098089 BCX8" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW61978559 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW61978559 BCX8">With the <FONT color="#008000"><U>new </U></FONT></SPAN><FONT color="#008000"><U><SPAN class="NormalTextRun SpellingErrorV2Themed SCXW61978559 BCX8">guid</SPAN></U></FONT><SPAN class="NormalTextRun SCXW61978559 BCX8"> and </SPAN><FONT color="#0000FF"><U><SPAN class="NormalTextRun SpellingErrorV2Themed SCXW61978559 BCX8">sas</SPAN><SPAN class="NormalTextRun SCXW61978559 BCX8"> blob </SPAN><SPAN class="NormalTextRun SCXW61978559 BCX8">uri</SPAN></U></FONT><SPAN class="NormalTextRun SCXW61978559 BCX8"> use the following </SPAN><SPAN class="NormalTextRun SpellingErrorV2Themed SCXW61978559 BCX8">ps</SPAN><SPAN class="NormalTextRun SCXW61978559 BCX8"> cmdlets and replace where necessary.</SPAN></SPAN><SPAN class="EOP SCXW61978559 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></FONT></SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="powershell">New-GuestConfigurationPolicy ` -PolicyId '79436b22-db38-4367-b41d-62a8181faf2c' ` -ContentUri 'https://somestorage.blob.core.windows.net/guestconfiguration/WindowsNessusAgentService.zip?sv=2020-08-04&amp;st=2022-02-08T17%3A12%3A03Z&amp;se=2025-02-08T17%3A12%3A03Z&amp;sr=b&amp;sp=rl&amp;sig' ` -DisplayName 'Windows Nessus Agent Service.' ` -Description 'Compliance check for Windows Nessus Agent Service. 
Ensure it is present on VM, Startup set to Automatic and Status is Running' ` -Path './policies' ` -Platform 'Windows' ` -Version 1.0.0 ` -Verbose</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5" color="#000000"><SPAN class="EOP SCXW255054357 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW78461076 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW155436302 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW155436302 BCX8"><FONT size="4"><SPAN class="EOP SCXW213098089 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">To deploy and use:</SPAN></FONT></SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="powershell">Publish-GuestConfigurationPolicy -Path '.\policies'</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="5" color="#000000"><SPAN class="EOP SCXW255054357 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW78461076 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW155436302 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW155436302 BCX8"><SPAN class="EOP SCXW213098089 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><A class="Hyperlink SCXW149422433 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW149422433 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW149422433 BCX8" data-ccp-charstyle="Hyperlink">Step 7:</SPAN></SPAN></A><SPAN class="TextRun SCXW149422433 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW149422433 BCX8"> Using Defender for Cloud create a custom security 
recommendation</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></FONT></P> <P>&nbsp;</P> <P>Now that you have created and published a custom Azure Policy definition backed by Guest Configuration, you can assign it to check Windows VMs in Azure, and Azure Arc-enabled servers, for the Nessus Agent software. In effect you have an Azure control plane (Azure Policy) checking compliance and, in more advanced cases, DSC inside the operating system checking and changing settings or installing software; recall the PSDscResources module and its capabilities: <A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">PowerShell/PSDscResources (github.com)</SPAN></A>. An outer Azure Policy assignment manages the inner settings of your servers at cloud scale.</P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The last step is to surface non-compliant states in Defender for Cloud in the form of custom security recommendations.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_0-1644898286325.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348221i5248100174D58422/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_0-1644898286325.png" alt="NathanSwift_0-1644898286325.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In this last step go to Microsoft Defender for Cloud in the Azure portal and click Environment settings in the left-hand blade.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Find the Azure subscription to which you deployed the custom Guest Configuration Azure Policy and click on it.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_1-1644898381612.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348222iAB0C13A36D4DA699/image-size/large?v=v2&amp;px=999" 
role="button" title="NathanSwift_1-1644898381612.png" alt="NathanSwift_1-1644898381612.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Click Security policy in the left blade, scroll down, and click Add a custom initiative.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_2-1644898424289.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348223iE91396FD6EB9D099/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_2-1644898424289.png" alt="NathanSwift_2-1644898424289.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Fill in the initiative details and choose the existing category Security Center.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_3-1644898448923.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348224i4A66A7269A4CE200/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_3-1644898448923.png" alt="NathanSwift_3-1644898448923.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Choose Add policy definitions, filter on Custom, select your uploaded custom Azure Policy, and click Add at the bottom of the right-hand blade.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_4-1644898475855.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348225i6941CA910EFFA430/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_4-1644898475855.png" alt="NathanSwift_4-1644898475855.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Click Next until you reach Policy parameters and uncheck "Only show parameters that need input or review". Here you can extend the assignment to Azure Arc-connected servers by setting the parameters shown below.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_5-1644898502773.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348226iD33AFF5F3C2B6BEE/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_5-1644898502773.png" alt="NathanSwift_5-1644898502773.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Afterwards, add the new custom initiative and click Create new.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_6-1644898520484.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348227iD5B56E0AACDC8C54/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_6-1644898520484.png" alt="NathanSwift_6-1644898520484.png" /></span></P> <P>&nbsp;</P> <P><SPAN class="TextRun SCXW207840868 
BCX8" data-contrast="auto">Now that you have assigned the custom Guest Configuration Azure Policy to your subscription through Microsoft Defender for Cloud, the Recommendations screen will show timely (refreshed every 30 minutes), accurate checks for the Nessus software on your machines.</SPAN></P> <P>&nbsp;</P> <P><FONT size="5">Some additional things to consider:</FONT></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In Step 3, when generating the package .zip, you can change </SPAN><I><SPAN data-contrast="auto">-Type</SPAN></I><SPAN data-contrast="auto"> from </SPAN><I><SPAN data-contrast="auto">Audit</SPAN></I><SPAN data-contrast="auto"> to </SPAN><I><SPAN data-contrast="auto">AuditAndSet</SPAN></I><SPAN data-contrast="auto">, which will also change settings in the VM to match the desired state. Test such a package on a disposable machine first: a wrong desired state is then enforced on every machine in scope, not just reported.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The PSDscResources module includes a resource for </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">MSI Installer</SPAN></A><SPAN data-contrast="auto"> packages (MsiPackage), so the same mechanism can install the agent rather than only check for it.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Use Workflow Automation in some unique ways, or a Logic App, to generate an HTML report to be emailed.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Take a DevOps approach: as new subscriptions come online, generate the Guest Configuration policy definition in the subscription and assign it through Defender for Cloud custom initiatives.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The full six steps on the authoring VM, showing the PowerShell cmdlets involved:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_7-1644898598201.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348228i0070EC3698B2D72B/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_7-1644898598201.png" alt="NathanSwift_7-1644898598201.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="NathanSwift_8-1644898611309.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/348229i48C702D6E784DF4B/image-size/large?v=v2&amp;px=999" role="button" title="NathanSwift_8-1644898611309.png" alt="NathanSwift_8-1644898611309.png" /></span></P> <P>&nbsp;</P> <P><SPAN class="TextRun SCXW23041360 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW23041360 BCX8">Start thinking of the ways you can 
use </SPAN><SPAN class="NormalTextRun SCXW23041360 BCX8">PSDscResources to craft your own security recommendations across your hybrid clouds and on-premises servers.</SPAN></SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="none">Special thanks to:</SPAN></STRONG></P> <P><STRONG><SPAN data-contrast="none">@</SPAN></STRONG><STRONG><I><SPAN data-contrast="none">Yuri Diogenes</SPAN></I></STRONG><I><SPAN data-contrast="none"> for reviewing this post</SPAN></I></P> Tue, 15 Feb 2022 13:47:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/7-steps-to-author-develop-and-deploy-custom-recommendations-for/ba-p/3166026 Nathan Swift 2022-02-15T13:47:53Z Validating Alerts on Microsoft Defender for SQL on machines https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/validating-alerts-on-microsoft-defender-for-sql-on-machines/ba-p/3070714 <H2>Introduction</H2> <P><SPAN>Microsoft Defender for SQL comprises several plans: Microsoft Defender for Azure SQL database servers, Microsoft Defender for SQL servers on machines, and a third plan for open-source relational databases. 
This article focuses on validating alerts for SQL Server on machines.</SPAN></P> <P><SPAN>Once you enable the Defender for Azure SQL database servers or the Defender for SQL servers on machines plan, you get the following capabilities, which together protect your SQL environments from cyberattacks:</SPAN></P> <UL> <LI><STRONG><SPAN>Vulnerability Assessment&nbsp;</SPAN></STRONG><SPAN>is a service that helps you identify and remediate vulnerabilities in your database environments to improve your security posture.</SPAN></LI> <LI><STRONG><SPAN>Advanced Threat Protection&nbsp;</SPAN></STRONG><SPAN>detects suspicious activities related to your databases and alerts you with details and recommended actions.</SPAN></LI> </UL> <P><SPAN>In this article, you will learn how to validate the alert that is triggered when suspicious activity is detected on your SQL Server on a virtual machine. You will also learn how to simulate this alert on a SQL VM that has SQL Server installed automatically through the Azure Marketplace, or manually on the VM.</SPAN></P> <P><STRONG><SPAN>Method 1:</SPAN></STRONG><SPAN> Automatically create a SQL VM through the Azure Marketplace</SPAN> (recommended)</P> <P><STRONG><SPAN>Method 2 Additional Considerations:</SPAN></STRONG> Register an existing SQL Virtual Machine manually</P> <P>&nbsp;</P> <H2>Preparation</H2> <P><SPAN>You need at least the Security Admin role to enable Microsoft Defender for SQL. For more information about roles and privileges, visit&nbsp;<A href="#" target="_blank" rel="noopener">this article</A>.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <H2><SPAN>Execution</SPAN></H2> <H3><STRONG><SPAN>Method 1: Automatically create a SQL VM through the Azure Marketplace (recommended)</SPAN></STRONG></H3> <H4><STRONG><SPAN>Creating the VM in Azure &amp; setting up SQL Server on it</SPAN></STRONG></H4> <P><SPAN>In this method, you will set up SQL Server 2019 on a Windows Server 2019 Datacenter virtual machine hosted in Azure. You will do this through the Azure Marketplace.</SPAN></P> <P><SPAN><A href="#" target="_blank" rel="noopener">Create SQL Server on a Windows virtual machine in the Azure portal - SQL Server on Azure VMs | Microsoft Docs</A></SPAN></P> <H4><STRONG><SPAN>Enable Microsoft Defender for SQL servers on machines</SPAN></STRONG></H4> <P><SPAN>Follow the guidance </SPAN><SPAN><A href="#" target="_blank" rel="noopener">here</A></SPAN><SPAN>:</SPAN></P> <UL> <LI><SPAN><A href="#" target="_blank" rel="noopener">Step 1. Install the SQL IaaS agent extension</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Step 2. Provision the Log Analytics agent on your SQL server's host</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Step 3. Enable the optional plan in Defender for Cloud's environment settings page</A></SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <H4><SPAN>Step 1. 
Install the SQL IaaS agent extension</SPAN></H4> <P><SPAN>Deploying a SQL Server VM Azure Marketplace image through the Azure portal automatically registers the SQL Server VM with the SQL IaaS agent extension, in lightweight mode (which is sufficient).&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>See more:</SPAN></P> <P><SPAN><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-single-vm?tabs=bash%2Cazure-cli#lightweight-mode</A> </SPAN></P> <P><SPAN><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/sql-server-iaas-agent-extension-automate-management?tabs=azure-powershell#management-modes</A> </SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <H4><STRONG><SPAN>Step 2. Provision the Log Analytics agent on your SQL server's host</SPAN></STRONG></H4> <P>The step shown below requires you to wait for approximately 24 hours for the VM to appear in Microsoft Defender for Cloud.</P> <P>If you prefer to provision the Log Analytics agent manually but straight away (instead of waiting for 24 hours), see the guidance <A href="#" target="_blank" rel="noopener">here</A>.</P> <P><STRONG><SPAN>&nbsp;</SPAN></STRONG></P> <P><SPAN>Otherwise, i</SPAN><SPAN>f you can wait </SPAN>up to<SPAN> 24 hours after creating the VM, then you can </SPAN><STRONG><SPAN>perform the following </SPAN></STRONG><SPAN>instructions as part of this step</SPAN><STRONG><SPAN>:</SPAN></STRONG></P> <P><STRONG><SPAN>&nbsp;</SPAN></STRONG></P> <UL> <LI><SPAN>In the Azure Portal, find your virtual machine and select the virtual machine resource (not the SQL virtual machine resource, which has also been created). 
Ensure that the VM is started by selecting <STRONG>Start</STRONG> on the VM’s Overview (ensuring that the VM is started is a prerequisite for the log analytics agent to be able to be installed on it).</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_28-1643058021968.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342009iF719D72E0AA93F5D/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_28-1643058021968.png" alt="Liana_Anca_Tomescu_28-1643058021968.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN>Then go to the <STRONG>Microsoft Defender for Cloud</STRONG> blade.</SPAN></LI> <LI><SPAN>Go to Recommendations, and in the search box type <STRONG>Log Analytics agent should be installed on your virtual machine</STRONG>, and click on the associated recommendation.</SPAN></LI> <LI><SPAN>Then under the Affected resources, in the Unhealthy resources tab, select the VM that you just created.</SPAN></LI> <LI><SPAN>Then click <STRONG>Fix</STRONG>.</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_29-1643058021988.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342008i77561ECCDF4D64FF/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_29-1643058021988.png" alt="Liana_Anca_Tomescu_29-1643058021988.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN>In the pop-up that appears, select <STRONG>Create a new workspace</STRONG></SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_30-1643058021994.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342010i01F26A96349155C2/image-size/medium?v=v2&amp;px=400" 
role="button" title="Liana_Anca_Tomescu_30-1643058021994.png" alt="Liana_Anca_Tomescu_30-1643058021994.png" /></span></P> <P>&nbsp;</P> <UL> <LI><SPAN>In the new screen, select a resource group and a name for the workspace.</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_31-1643058022015.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342012i551923A44B1AB08E/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_31-1643058022015.png" alt="Liana_Anca_Tomescu_31-1643058022015.png" /></span></P> <P>&nbsp;</P> <UL> <LI><SPAN>Then click <STRONG>Review + Create</STRONG>, and once the validation has passed, click <STRONG>Create</STRONG>. Now you have a customer-created Log Analytics workspace.</SPAN></LI> <LI><SPAN>Then go back to the previous tab where the following recommendation is: <STRONG>Log Analytics agent should be installed on virtual machines</STRONG></SPAN></LI> <LI><SPAN>In the Fixing resources blade, under the Workspace ID, find and select the newly created workspace, and click <STRONG>Fix 1 resource</STRONG>.</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_32-1643058022020.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342011iB1F225D97F692C3E/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_32-1643058022020.png" alt="Liana_Anca_Tomescu_32-1643058022020.png" /></span></P> <P>&nbsp;</P> <UL> <LI><SPAN>After approx. 
24 hours, the VM will appear under the <STRONG>Healthy Resources</STRONG> tab of the <STRONG>Log Analytics agent should be installed on virtual machines</STRONG> recommendation.</SPAN></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN><STRONG>Note</STRONG>: If you have Auto-Provisioning configured as on for installing the log analytics agent on your resources</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><STRONG><SPAN>Step 3- Enable the optional plan in Defender for Cloud's environment settings page on your subscription</SPAN></STRONG></P> <P><SPAN>You need to enable Microsoft Defender for SQL servers on machines on your subscription: </SPAN></P> <OL> <LI><SPAN>In the <STRONG>Azure portal</STRONG>, go to the <STRONG>Microsoft Defender for Cloud</STRONG> service. </SPAN></LI> <LI><SPAN>Under <STRONG>Management</STRONG>, select <STRONG>Environment settings</STRONG>. Expand the management groups shown until you find your subscription, then select it.</SPAN></LI> <LI><SPAN>Make sure that <STRONG>Enable all Microsoft Defender for Cloud plans</STRONG> is selected.</SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_33-1643058022044.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342013i9B515B1233CBC788/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_33-1643058022044.png" alt="Liana_Anca_Tomescu_33-1643058022044.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <OL start="4"> <LI><SPAN>Then ensure that the <STRONG>SQL servers on machines Defender plan</STRONG> is&nbsp;<STRONG>ON</STRONG>&nbsp;(as shown below) and click&nbsp;<STRONG>Save</STRONG>&nbsp;at the top of the page to commit the change.</SPAN></LI> </OL> <P><SPAN>&nbsp;&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_34-1643058022046.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342014iDEE893EBDDE9DAAD/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_34-1643058022046.png" alt="Liana_Anca_Tomescu_34-1643058022046.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <H4><STRONG><SPAN>Enable the optional plan in Defender for Cloud's environment settings page on your workspace</SPAN></STRONG></H4> <P><STRONG><SPAN>&nbsp;</SPAN></STRONG></P> <P><SPAN>In step 2 you created a Log Analytics workspace through the portal and then connected the SQL VM to it. (There are two ways to do this: connect it manually, which is immediate, or wait about 24 hours for the recommendation to appear and connect it through that recommendation.) Here, I have chosen to wait 24 hours before the next steps.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Now you need to connect Microsoft Defender for Cloud to the workspace in the environment settings.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>You need to enable Microsoft Defender for SQL servers on machines on the workspace: </SPAN></P> <OL> <LI><SPAN>In the <STRONG>Azure portal</STRONG>, go to the <STRONG>Microsoft Defender for Cloud</STRONG> service. </SPAN></LI> <LI><SPAN>Under <STRONG>Management</STRONG>, select <STRONG>Environment settings</STRONG>. Expand the management groups shown until you find your subscription, then, underneath the subscription, select the workspace you created.</SPAN></LI> <LI><SPAN>Make sure that <STRONG>Enable all Microsoft Defender for Cloud plans</STRONG> is selected, then ensure that the <STRONG>SQL servers on machines Defender plan</STRONG> is&nbsp;<STRONG>ON</STRONG>&nbsp;(as shown below) and click&nbsp;<STRONG>Save</STRONG>&nbsp;at the top of the page to commit the change.</SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <H4><STRONG><SPAN>Validate the alert</SPAN></STRONG></H4> <OL> <LI><SPAN>Connect to the virtual machine you created using RDP.</SPAN></LI> <LI><SPAN>Open PowerShell and paste the command below on one line (it loads the SQL threat-protection test module shipped with the Log Analytics agent and lists its commands):</SPAN></LI> </OL> <P><EM>Import-Module (Get-ChildItem -Path "$Env:ProgramFiles\Microsoft Monitoring Agent\Agent\Health Service State\Resources\" -File SqlAdvancedThreatProtectionShell.psm1 -Recurse).FullName ; Get-Command -Module SqlAdvancedThreatProtectionShell</EM></P> <P><SPAN>&nbsp;</SPAN></P> <OL start="3"> <LI><SPAN>Then, from the options that appear, select <STRONG>Test-BruteForce</STRONG>. This will simulate a brute-force attack on the SQL VM.</SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_35-1643058022064.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342016i0B375221E2B9B5B8/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_35-1643058022064.png" alt="Liana_Anca_Tomescu_35-1643058022064.png" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <OL start="4"> <LI><SPAN>To validate this alert in the <STRONG>Azure Portal</STRONG>, open <STRONG>Microsoft Defender for Cloud</STRONG> and go to <STRONG>Alerts</STRONG>. 
</SPAN></LI> <LI><SPAN>Add a new filter for <STRONG>Affected resource</STRONG> equal to the name of the VM you created, and press Enter.</SPAN></LI> <LI><SPAN>You will then see the following alert:</SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_36-1643058022070.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342015iEF1D0038D77478C5/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_36-1643058022070.png" alt="Liana_Anca_Tomescu_36-1643058022070.png" /></span></P> <P>&nbsp;</P> <H3><STRONG><SPAN>Method 2- </SPAN>Register an existing SQL Virtual Machine manually</STRONG></H3> <P><SPAN>The additional considerations that follow apply if you are installing SQL Server manually on a VM. Everything else can be followed as in the Method 1 steps for an automatically created SQL VM.</SPAN></P> <OL> <LI><SPAN>Creating the VM and setting up SQL Server on it</SPAN></LI> <LI><SPAN>Installing the IaaS agent extension (3 parts)</SPAN></LI> </OL> <P><STRONG><SPAN>&nbsp;</SPAN></STRONG></P> <H4><STRONG><SPAN>Consideration 1 for </SPAN>Register an existing SQL Virtual Machine manually<SPAN>: Creating the VM in Azure &amp; setting up SQL Server on it</SPAN></STRONG></H4> <P><SPAN>In this scenario you will set up SQL Server 2019 on a Windows Server 2019 Datacenter Virtual Machine hosted in Azure. You can use the article below as your main reference:</SPAN></P> <P><SPAN><A href="#" target="_blank" rel="noopener">Provision SQL Server on Azure VM (Azure portal) - SQL Server on Azure VMs | Microsoft Docs</A></SPAN></P> <P><SPAN>The overall steps are in the following order:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <UL> <LI><SPAN>Create a virtual machine in Azure running Windows Server 2019 Datacenter. Follow the Quickstart instructions </SPAN><SPAN><A href="#" target="_blank" rel="noopener">here</A></SPAN><SPAN>.</SPAN></LI> </UL> </UL> <UL> <UL> <LI><SPAN>Connect to your VM. To do this, you can follow the instructions </SPAN><SPAN><A href="#" target="_blank" rel="noopener">here</A></SPAN><SPAN>.</SPAN></LI> </UL> </UL> <UL> <UL> <LI><SPAN>Once you are connected, open a browser inside the VM and download SQL Server onto the VM (from </SPAN><SPAN><A href="#" target="_blank" rel="noopener">https://www.microsoft.com/en-us/sql-server/sql-server-downloads</A></SPAN><SPAN>); you may first need to allow that site in the browser. Download the Developer edition as shown in the image below and choose the Basic installation type.</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_37-1643058022083.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342018iBC2816E442BB1A12/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_37-1643058022083.png" alt="Liana_Anca_Tomescu_37-1643058022083.png" /></span></P> <P>&nbsp;</P> <UL> <UL> <LI><SPAN>You also need to download and install SSMS (SQL Server Management Studio) by following the instructions </SPAN><SPAN><A href="#" target="_blank" rel="noopener">here</A></SPAN><SPAN>. This link also provides guidance on connecting to a SQL Server instance.</SPAN>&nbsp;</LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <H4><STRONG><SPAN>Consideration 2 for </SPAN>Register an existing SQL Virtual Machine manually<SPAN>: Installing the IaaS agent extension</SPAN></STRONG></H4> <P><STRONG>Part 1 of Installing IaaS Agent Extension- Register your SQL Server VM with the SQL IaaS Agent extension</STRONG></P> <P><SPAN>Register your SQL Server VM with the SQL IaaS Agent extension as explained </SPAN><SPAN><A href="#" target="_blank" rel="noopener">here</A></SPAN><SPAN>.</SPAN></P> <UL> <UL> <LI><SPAN>Go to the Azure portal, search for <EM>Subscriptions</EM> and select the subscription you want. Under Settings in the left navigation pane, click Resource providers. Select&nbsp;</SPAN><STRONG><SPAN>Register</SPAN></STRONG><SPAN> or&nbsp;</SPAN><STRONG><SPAN>Re-register</SPAN></STRONG><SPAN>&nbsp;for&nbsp;</SPAN><STRONG><SPAN>Microsoft.SqlVirtualMachine</SPAN></STRONG><SPAN>, depending on its current status.</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_38-1643058022094.jpeg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342019iB2AC4905D5F0C94B/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_38-1643058022094.jpeg" alt="Liana_Anca_Tomescu_38-1643058022094.jpeg" /></span></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><STRONG>Part 2 of Installing IaaS Agent Extension - Upgrade SQL Server VMs to full</STRONG></P> <P><SPAN>SQL Server VMs that have registered the extension in&nbsp;<EM>lightweight</EM>&nbsp;mode need to be upgraded to&nbsp;<EM>full</EM>&nbsp;using the Azure portal, the Azure CLI, or Azure PowerShell. SQL Server VMs in&nbsp;<EM>NoAgent</EM>&nbsp;mode can be upgraded to&nbsp;<EM>full</EM>&nbsp;after the OS is upgraded to Windows 2008 R2 or above. 
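</SPAN></P> <P><SPAN>Added example, not part of the original post: a script that runs the Part 2 registration and full-mode upgrade commands described in this consideration and then performs the Part 3 verification from the Azure CLI instead of the portal, using az sql vm show (a command the post itself does not use). The VM name, resource group, location and license type are placeholders passed on the command line; the JSON property names provisioningState and sqlManagement are assumed from the SQL virtual machine resource schema.</SPAN></P>

```shell
#!/bin/sh
# Added example, not from the original post: script the Part 2 and Part 3 steps
# (register a self-installed SQL Server VM in lightweight mode, upgrade it to
# full mode, then verify the registration) with the Azure CLI.
# Assumes `az` is installed and logged in (az login). All names are placeholders.
set -eu

# Pull one top-level string property out of the JSON that `az sql vm show` prints.
# grep/sed only, so the check does not depend on jq being available in Cloud Shell.
json_string_field() {
  field="$1"
  json="$2"
  printf '%s\n' "$json" | sed -n "s/.*\"$field\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Part 3 check: the SQL virtual machine resource must have provisioned successfully
# and its management mode must be Full. Prints a verdict; exit status 0 means fully registered.
# Property names provisioningState / sqlManagement are assumed from the resource schema.
sql_vm_is_fully_registered() {
  json="$1"
  state="$(json_string_field provisioningState "$json")"
  mode="$(json_string_field sqlManagement "$json")"
  if [ "$state" != "Succeeded" ]; then
    echo "not registered yet: provisioningState=${state:-<missing>}"
    return 1
  fi
  case "$mode" in
    Full)
      echo "registered with the SQL IaaS Agent extension in Full mode"
      return 0 ;;
    LightWeight|NoAgent)
      echo "registered, but management mode is $mode; run 'az sql vm update ... --sql-mgmt-type full'"
      return 1 ;;
    *)
      echo "unexpected sqlManagement value: ${mode:-<missing>}"
      return 1 ;;
  esac
}

# Part 2 commands from the post (lightweight registration, then upgrade to full),
# followed by the Part 3 verification against the resource the CLI returns.
register_and_verify() {
  vm="$1"; rg="$2"; location="$3"; license="${4:-PAYG}"
  az sql vm create --name "$vm" --resource-group "$rg" --location "$location" --license-type "$license" --output none
  az sql vm update --name "$vm" --resource-group "$rg" --sql-mgmt-type full --output none
  # `az sql vm show` returns the Microsoft.SqlVirtualMachine resource as JSON.
  json="$(az sql vm show --name "$vm" --resource-group "$rg" --output json)"
  sql_vm_is_fully_registered "$json"
}

# Usage: sh register_sql_vm.sh <vm_name> <resource_group_name> <vm_location> [<license_type>]
if [ "$#" -ge 3 ]; then
  register_and_verify "$@"
fi
```

<P><SPAN>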
</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Keep in mind that it is not possible to downgrade; to go back, you will need to&nbsp;</SPAN><SPAN><A href="#" target="_blank" rel="noopener">unregister</A></SPAN><SPAN>&nbsp;the SQL Server VM from the SQL IaaS Agent extension. Doing so removes the&nbsp;SQL virtual machine&nbsp;<EM>resource</EM>, but does not delete the actual virtual machine.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>To learn more about full mode, see&nbsp;</SPAN><SPAN><A href="#" target="_blank" rel="noopener">management modes</A></SPAN><SPAN>.</SPAN></P> <P><EM><SPAN>&nbsp;</SPAN></EM></P> <P><SPAN>To register a SQL Server VM in full mode with the Azure CLI, follow the steps below:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <UL> <LI><SPAN>Open a Cloud Shell terminal from the top navigation bar, as shown in the example below:</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_39-1643058022095.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342017iF89473F969B83FCA/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_39-1643058022095.png" alt="Liana_Anca_Tomescu_39-1643058022095.png" /></span></P> <P>&nbsp;</P> <UL> <UL> <LI><SPAN>Select Bash from the drop-down at the top left of Cloud Shell, if it is not already selected, as shown in the example below:</SPAN>&nbsp;</LI> </UL> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_40-1643058022097.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342020i9849C3F0ECE572E7/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_40-1643058022097.png" alt="Liana_Anca_Tomescu_40-1643058022097.png" /></span></P> <UL> <UL> <LI><SPAN>If you don’t already have a storage account selected in which to save the script, choose one.</SPAN></LI> </UL> </UL> <UL> <UL> <LI><SPAN>Register the VM in lightweight mode with the command below (it registers an Enterprise or Standard self-installed VM in lightweight mode), replacing <STRONG>&lt;vm_name&gt;, &lt;resource_group_name&gt;, &lt;vm_location&gt;, &lt;license_type&gt;</STRONG> with your VM’s details. For the license type, use PAYG.</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><EM>az sql vm create --name &lt;vm_name&gt; --resource-group &lt;resource_group_name&gt; --location &lt;vm_location&gt; --license-type &lt;license_type&gt;</EM></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <UL> <LI><SPAN>Then upgrade to full mode, again using your VM’s details instead of <STRONG>&lt;vm_name&gt;</STRONG> and <STRONG>&lt;resource_group_name&gt;</STRONG>.</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><EM>az sql vm update --name &lt;vm_name&gt; --resource-group &lt;resource_group_name&gt; --sql-mgmt-type full</EM></P> <P>&nbsp;</P> <P><STRONG>Part 3 of Installing IaaS Agent Extension - Verify registration status for the VM to be a SQL Server VM</STRONG></P> <P><SPAN>You can verify whether your SQL Server VM has been registered with the SQL IaaS Agent extension by using the Azure portal, the Azure CLI, or Azure PowerShell.</SPAN></P> <P><SPAN>Verify the registration status with the Azure portal using the following steps:</SPAN></P> <UL> <UL> <LI><SPAN>Sign in to the&nbsp;</SPAN><SPAN><A href="#" target="_blank" rel="noopener">Azure portal</A></SPAN><SPAN>.</SPAN></LI> <LI><SPAN>Go to your&nbsp;</SPAN><SPAN><A href="#" target="_blank" rel="noopener">SQL Server VMs</A></SPAN><SPAN>.</SPAN></LI> <LI><SPAN>Select your SQL Server VM from the list. 
If your SQL Server VM is not listed here, it likely hasn't been registered with the SQL IaaS Agent extension.</SPAN></LI> </UL> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Liana_Anca_Tomescu_41-1643058022103.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/342021iAD6E4374B25806AA/image-size/medium?v=v2&amp;px=400" role="button" title="Liana_Anca_Tomescu_41-1643058022103.png" alt="Liana_Anca_Tomescu_41-1643058022103.png" /></span></P> <P>&nbsp;</P> <P><SPAN>View the value under&nbsp;Status. If&nbsp;Status&nbsp;is&nbsp;Succeeded, then the SQL Server VM has been registered with the SQL IaaS Agent extension successfully.</SPAN></P> <P>&nbsp;</P> <P><SPAN><STRONG style="font-family: inherit;">Note:</STRONG><SPAN style="font-family: inherit;"> This article only goes through natively creating a SQL VM in Azure. If you wish to use a SQL server outside of Azure that you’d like to test, make sure to follow this article about </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">SQL Server on Azure Arc-enabled servers | Microsoft Docs</A><SPAN style="font-family: inherit;">. 
Then, look at </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">this</A><SPAN style="font-family: inherit;"> article for getting it connected to Microsoft Defender for Cloud.&nbsp;&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <H2><STRONG>Conclusion</STRONG></H2> <P>By the end of this article, you should be able to validate an alert coming from Microsoft Defender for SQL on machines and understand the importance of having this level of threat detection for your SQL on machine workloads.</P> <P>&nbsp;</P> <P><STRONG>P.S.</STRONG>&nbsp;<A href="#" target="_blank" rel="noopener">Subscribe</A>&nbsp;to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and&nbsp;<A href="#" target="_blank" rel="noopener">join</A>&nbsp;our&nbsp;Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.</P> <P>&nbsp;</P> <H2><STRONG>Reviewers</STRONG></H2> <P>Special thanks to <LI-USER uid="124214"></LI-USER>, Tomer Rotstein and David Trigano for reviewing this article.</P> <P>&nbsp;</P> Tue, 01 Feb 2022 23:29:56 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/validating-alerts-on-microsoft-defender-for-sql-on-machines/ba-p/3070714 Liana_Anca_Tomescu 2022-02-01T23:29:56Z Custom assessments and standards in Microsoft Defender for Cloud for AWS workloads (Preview) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/custom-assessments-and-standards-in-microsoft-defender-for-cloud/ba-p/3066575 <P>Microsoft Defender for Cloud implements AWS security recommendations in the Defender for Cloud portal right alongside Azure recommendations. There are more than 160 out-of-box recommendations for IaaS and PaaS services as well as support for regulatory standards including CIS, PCI and AWS Foundational Security Best Practices. 
Check out the security recommendations for AWS resources <A href="#" target="_blank" rel="noopener">here</A>. To learn more about Defender for Cloud and its support for AWS, check out <A href="#" target="_blank" rel="noopener">this article</A>. You should continuously review the security recommendations to assess and evaluate the current status of your platform's security posture and identify important configuration gaps.&nbsp;</P> <P>&nbsp;</P> <P>Security standards contain comprehensive sets of security recommendations to help secure your cloud environments. Security teams can either use the readily available regulatory standards, such as AWS CIS 1.2.0, AWS Foundational Security Best Practices and AWS PCI DSS 3.2.1, or create their own custom standards and assessments to meet specific internal requirements.</P> <P>&nbsp;</P> <P>It is important to understand that there are three types of resources for creating and managing custom assessments:</P> <OL> <LI>Assessment – contains: <OL type="a"> <LI>assessment details (name, description, severity, remediation logic, etc.)</LI> <LI>assessment logic in KQL</LI> <LI>the standard it belongs to</LI> </OL> </LI> <LI>Standard – defines a set of assessments</LI> <LI>Standard assignment – defines the scope that the standard will evaluate (e.g. one or more specific AWS accounts)</LI> </OL> <P>&nbsp;</P> <P>As mentioned, you can either use the built-in regulatory compliance standards or create your own custom standards and assessments.</P> <P>&nbsp;</P> <P>To assign a built-in regulatory compliance standard or a custom standard that has already been created:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Standard’</LI> <LI>Choose a standard from the drop-down menu</LI> <LI>Select ‘Save’</LI> </OL> <P>&nbsp;</P> <P>To create a new custom standard:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Standard’</LI> <LI>Select ‘New standard’</LI> <LI>Fill in a name and description, and select the assessments you want to include in this standard</LI> <LI>Select ‘Save’</LI> </OL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 544px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/340896i1079DFE2E4BC480D/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P>This standard will now be assigned to the account you’ve created it in. 
You can assign the same on other accounts that you have Contributor and up access to.</P> <P>&nbsp;</P> <P>To assign a built-in assessment, or a custom assessment that has already been created:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Assessment’</LI> <LI>Select the assessment/s you’d like to assign</LI> <LI>Select the standard/s you’d like to add these assessments to</LI> <LI>Elect ‘Save’</LI> </OL> <P>To create a new custom assessment:</P> <OL> <LI>Navigate to environment settings</LI> <LI>Select the relevant account</LI> <LI>Select ‘Standards’</LI> <LI>Select ‘Add’ -&gt; ‘Assessment’</LI> <LI>Fill in the assessment details (e.g. name, severity)</LI> <LI>Paste the KQL query which will define the assessment logic <OL> <LI>If you’d like to create a new query, click the link for ‘Azure Data Explorer’. The explorer will contain mock data on all the native APIs we support, to assist in constructing the queries. 
The data will appear in the same structure as contracted in the API.</LI> </OL> </LI> <LI>Select the standard/s you’d like to add this assessment to</LI> <LI>Select ‘Save’</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.png" style="width: 553px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/340897i91D19544F1A91DE0/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Table structure</STRONG></P> <P>Sample for table ‘EC2_Address’:</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; - <STRONG>TimeStamp</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;2021-10-07T10:30:21.403732Z<BR />&nbsp; &nbsp; &nbsp; &nbsp; - <STRONG>SdksInfo</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"AWSSDK.EC2": "3.7.5.2"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }</P> <P>&nbsp; &nbsp; &nbsp; - <STRONG>RecordProviderInfo</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "CloudName": "AWS",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"CspmDiscoveryCloudRoleArn": "arn:aws:iam::123456789123:role/CSPMMonitoring",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Type": "MultiCloudDiscoveryServiceDataCollector",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"HierarchyIdentifier": "123456789123",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"ConnectorId": "b3113210-63f9-43c5-a6a7-f14a2a5b3cd0"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;}<BR />&nbsp; &nbsp; &nbsp; - <STRONG>RecordOrganizationInfo</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Type": "MyOrganization",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"TenantId": 
"bda8bc53-d9f8-4248-b9a9-3a6c7fe0b92f",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"SubscriptionId": "69444886-de6b-40c5-8b43-065f739fffb9",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"ResourceGroupName": "MyResourceGroupName"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;}</P> <P>&nbsp; &nbsp; &nbsp;- <STRONG>CorrelationId</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; 4f5e50e1d92c400caf507036a1237c72<BR />&nbsp; &nbsp; - <STRONG>RecordRegionalInfo</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Type": "MultiCloudRegion",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "RegionUniqueName": "eu-west-2",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "RegionDisplayName": "EU West (London)",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "IsGlobalForRecord": false<BR />&nbsp; &nbsp; &nbsp; &nbsp; }</P> <P>&nbsp; &nbsp; &nbsp;- <STRONG>RecordIdentifierInfo</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Type": "MultiCloudDiscoveryServiceDataCollector",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "RecordNativeCloudUniqueIdentifier": "arn:aws:ec2:eu-west-2:123456789123:elastic-ip/eipalloc-1234abcd5678efef9",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "RecordAzureUniqueIdentifier": "/subscriptions/69444886-de6b-40c5-8b43-065f739fffb9/resourcegroups/MyResourceGroupName/providers/Microsoft.Security/securityconnectors/b3113210-63f9-43c5-a6a7-f14a2a5b3cd0/securityentitydata/aws-ec2-elastic-ip-eipalloc-1234abcd5678efef9-eu-west-2",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "RecordIdentifier": "eipalloc-1234abcd5678efef9-eu-west-2",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "ResourceProvider": "EC2",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "ResourceType": "elastic-ip"<BR />&nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp;}<BR />&nbsp; &nbsp; &nbsp; - <STRONG>Record</STRONG><BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;{<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"AllocationId": "eipalloc-1234abcd5678efef9",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "AssociationId": "eipassoc-234abcd5678efef90",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "CarrierIp": null,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "CustomerOwnedIp": null,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "CustomerOwnedIpv4Pool": null,<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Domain": {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Value": "vpc"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;},<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"InstanceId": "i-0a8fcc00493c4625d",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"NetworkBorderGroup": "eu-west-2",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"NetworkInterfaceId": "eni-34abcd5678efef901",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"NetworkInterfaceOwnerId": "123456789123",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"PrivateIpAddress": "172.31.21.88",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"PublicIp": "19.218.211.431",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"PublicIpv4Pool": "amazon",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Tags": [<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Value": "arn:aws:cloudformation:eu-west-2:123456789123:stack/awseb-e-sjuh4tkr7a-stack/4ff15da0-2512-11ec-ab59-023b28e97f64",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Key": "aws:cloudformation:stack-id"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Value": "e-sjuh4tkr7a",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Key": "elasticbeanstalk:environment-id"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Value": "AWSEBEIP",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Key": "aws:cloudformation:logical-id"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;"Value": "awseb-e-sjuh4tkr7a-stack",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Key": "aws:cloudformation:stack-name"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Value": "Mebrennetest3-env",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Key": "elasticbeanstalk:environment-name"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; },<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; {<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Value": "Mebrennetest3-env",<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; "Key": "Name"<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ]<BR />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; }</P> <P>&nbsp;</P> <P>The ‘Record’ field contains the data structure as it is returned from the AWS API. Use this field to define the conditions that determine whether the resource is healthy or unhealthy.</P> <P><STRONG>Note</STRONG>: Access nested properties of the ‘Record’ field using dot notation. Example: <EM>| extend EncryptionType = Record.Encryption.Type</EM></P> <P>&nbsp;</P> <P>Check out these docs to learn more about Kusto queries:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/data-explorer/kql-quick-reference</A></LI> <LI><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/</A></LI> <LI><A href="#" target="_blank" rel="noopener">https://azurecloudai.blog/2021/11/17/must-learn-kql-part-1-tools-and-resources/</A></LI> </UL> <P>&nbsp;</P> <P><STRONG>Query result schema</STRONG></P> <OL> <LI>The last row of the query should return all the original columns (don’t use ‘project’ or ‘project-away’). End the query with an <EM>iff</EM> statement that defines the healthy or unhealthy conditions: "| extend HealthStatus = iff([boolean-logic-here], 'UNHEALTHY', 'HEALTHY')". Check out the example queries below.</LI> </OL> <P><STRONG>Write an assessment query</STRONG></P> <P><STRONG>Examples</STRONG>:</P> <UL> <LI><STRONG>Stopped EC2 instances should be removed after a specified time period</STRONG></LI> </UL> <LI-CODE lang="sql">EC2_Instance
| extend State = tolower(tostring(Record.State.Name.Value))
| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason))
| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime &lt; ago(30d)), 'HEALTHY', 'UNHEALTHY')</LI-CODE> <P>&nbsp;</P> <UL> <LI><STRONG>EC2 subnets should not automatically assign public IP addresses</STRONG></LI> </UL> <LI-CODE lang="sql">EC2_Subnet
| extend MapPublicIpOnLaunch = tolower(tostring(Record.MapPublicIpOnLaunch))
| extend HealthStatus = iff(MapPublicIpOnLaunch == 'false', 'HEALTHY', 'UNHEALTHY')</LI-CODE> <P>&nbsp;</P> <UL> <LI><STRONG>EC2 instances should not use multiple ENIs</STRONG></LI> </UL> <LI-CODE lang="sql">EC2_Instance
| extend NetworkInterfaces = parse_json(Record)['NetworkInterfaces']
| extend NetworkInterfaceCount = array_length(parse_json(NetworkInterfaces))
| extend HealthStatus = iff(NetworkInterfaceCount == 1, 'HEALTHY', 'UNHEALTHY')</LI-CODE> <P>&nbsp;</P> <UL> <LI><STRONG>S3 Block Public Access setting should be enabled at the bucket level</STRONG></LI> </UL> <LI-CODE lang="sql">let HealthyBuckets = S3_BucketPublicAccessBlockConfiguration
| where Record.BlockPublicAcls == true and Record.IgnorePublicAcls == true and Record.BlockPublicPolicy == true and Record.RestrictPublicBuckets == true
| extend BucketName = tostring(Record.BucketName)
| project BucketName;
S3_S3Bucket
| extend BucketName = tostring(Record.BucketName)
| extend HealthStatus = iff(BucketName in (HealthyBuckets), 'HEALTHY', 'UNHEALTHY')</LI-CODE> <P>&nbsp;</P> <UL> <LI> <P><STRONG>Link the query to a list that's dynamically updated, for allow-listing</STRONG>.</P> <P>In this example, the dynamic list is hosted as a CSV file in a Storage account and the query correlates with that CSV file.</P> <P>Make sure to create a SAS token for the storage account in order to use it in the query.</P> <P>&nbsp;</P> <LI-CODE lang="sql">// h"SASToken" is a placeholder for the CSV blob URL including its SAS token
let AllowListInstance = externaldata(Instance:string) [h"SASToken"] with (ignoreFirstRecord=true);
EC2_Instance
// cast to string so the comparison with the allow list's string column works
| extend Instance = tostring(Record.InstanceId)
| where Instance !in (AllowListInstance)
| extend State = tolower(tostring(Record.State.Name.Value))
| extend StoppedTime = todatetime(tostring(Record.StateTransitionReason))
| extend HealthStatus = iff(not(State == 'stopped' and StoppedTime &lt; ago(30d)), 'HEALTHY', 'UNHEALTHY')</LI-CODE> </LI> </UL> <P>To learn more about the externaldata operator, check out this <A href="#" target="_blank" rel="noopener">link</A> and this <A href="#" target="_blank" rel="noopener">example</A>.</P> <P>&nbsp;</P> <P><STRONG>Notes: </STRONG></P> <UL> <LI>No need to filter records by Timespan. The assessment service will filter the most recent records on each run.</LI> <LI>No need to filter by resource ARN, unless intended. 
The assessment service will run the query on assigned resources.</LI> <LI>Do not change the values of the original table columns, or use <EM>extend</EM> to override existing table columns.</LI> <LI>You may use <EM>join</EM> and <EM>union</EM> to evaluate a data type based on another type, as long as the evaluated type is the left-hand side of the <EM>join</EM>/<EM>union</EM> operator and all right-hand columns added by the operator are removed from the result.</LI> <LI>If a specific scope is filtered in the assessment query (e.g. a specific account ID), the filter will apply to all resources assigned to this query.</LI> </UL> <P><STRONG>For reference, below is a list of the available data types:</STRONG></P> <TABLE> <TBODY> <TR> <TD width="251"> <P><STRONG>API Gateway</STRONG></P> </TD> <TD width="372"> <P>ApiGateway_RestApi</P> <P>ApiGateway_Stage</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Auto Scaling</STRONG></P> </TD> <TD width="372"> <P>ApplicationAutoScaling_ScalableTarget</P> <P>AutoScaling_AutoScalingGroup</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Certificate Manager (ACM)</STRONG></P> </TD> <TD width="372"> <P>CertificateManager_CertificateDetail</P> <P>CertificateManager_CertificateSummary</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>CloudFormation</STRONG></P> </TD> <TD width="372"> <P>CloudFormation_StackInstance</P> <P>CloudFormation_StackInstanceSummary</P> <P>CloudFormation_StackSet</P> <P>CloudFormation_StackSetSummary</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>CloudFront</STRONG></P> </TD> <TD width="372"> <P>CloudFront_DistributionConfig</P> <P>CloudFront_DistributionSummary</P> </TD> </TR> <TR> <TD 
width="251"> <P><STRONG>CloudTrail</STRONG></P> </TD> <TD width="372"> <P>CloudTrail_EventSelector</P> <P>CloudTrail_Trail</P> <P>CloudTrail_TrailStatus</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>CloudWatch</STRONG></P> </TD> <TD width="372"> <P>CloudWatch_MetricAlarm</P> <P>CloudWatchLogs_LogGroup</P> <P>CloudWatchLogs_MetricFilter</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>CodeBuild</STRONG></P> </TD> <TD width="372"> <P>CodeBuild_Project</P> <P>CodeBuild_ProjectName</P> <P>CodeBuild_SourceCredentialsInfo</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Config</STRONG></P> </TD> <TD width="372"> <P>ConfigService_ConfigurationRecorder</P> <P>ConfigService_ConfigurationRecorderStatus</P> <P>ConfigService_DeliveryChannel</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Database Migration Service (DMS)</STRONG></P> </TD> <TD width="372"> <P>DatabaseMigrationService_ReplicationInstance</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>DynamoDB</STRONG></P> </TD> <TD width="372"> <P>DAX_Cluster</P> <P>DynamoDB_ContinuousBackupsDescription</P> <P>DynamoDB_TableDescription</P> <P>DynamoDB_TableName</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic Compute Cloud (EC2)</STRONG></P> </TD> <TD width="372"> <P>EC2_Address</P> <P>EC2_CreateVolumePermission</P> <P>EC2_EbsEncryptionByDefault</P> <P>EC2_FlowLog</P> <P>EC2_Image</P> <P>EC2_Instance</P> <P>EC2_InstanceStatus</P> <P>EC2_NetworkAcl</P> <P>EC2_NetworkInterface</P> <P>EC2_Region</P> <P>EC2_Reservation</P> <P>EC2_RouteTable</P> <P>EC2_SecurityGroup</P> <P>EC2_Snapshot</P> <P>EC2_Subnet</P> <P>EC2_Volume</P> <P>EC2_Vpc</P> <P>EC2_VpcEndpoint</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic Container Service (ECS)</STRONG></P> </TD> <TD width="372"> <P>ECS_ClusterArn</P> <P>ECS_Service</P> <P>ECS_ServiceArn</P> <P>ECS_TaskDefinition</P> <P>ECS_TaskDefinitionArn</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic File System (EFS)</STRONG></P> </TD> <TD width="372"> 
<P>EFS_FileSystemDescription</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic Kubernetes Service (EKS)</STRONG></P> </TD> <TD width="372"> <P>EKS_Cluster</P> <P>EKS_ClusterName</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic Beanstalk</STRONG></P> </TD> <TD width="372"> <P>ElasticBeanstalk_ConfigurationSettingsDescription</P> <P>ElasticBeanstalk_EnvironmentDescription</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elastic Load Balancing</STRONG></P> </TD> <TD width="372"> <P>ElasticLoadBalancing_LoadBalancer</P> <P>ElasticLoadBalancing_LoadBalancerAttributes</P> <P>ElasticLoadBalancingV2_Listener</P> <P>ElasticLoadBalancingV2_LoadBalancer</P> <P>ElasticLoadBalancingV2_LoadBalancerAttribute</P> <P>ElasticLoadBalancingV2_Rule</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Elasticsearch</STRONG></P> </TD> <TD width="372"> <P>Elasticsearch_DomainInfo</P> <P>Elasticsearch_DomainStatus</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>EMR (Amazon Elastic MapReduce)</STRONG></P> </TD> <TD width="372"> <P>EMR_Cluster</P> <P>EMR_ClusterSummary</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>GuardDuty</STRONG></P> </TD> <TD width="372"> <P>GuardDuty_DetectorId</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>IAM</STRONG></P> </TD> <TD width="372"> <P>Iam_AccessKeyLastUsed</P> <P>Iam_AccessKeyMetadata</P> <P>Iam_AttachedPolicyType</P> <P>Iam_CredentialReport</P> <P>Iam_Group</P> <P>Iam_ManagedPolicy</P> <P>Iam_MFADevice</P> <P>Iam_PasswordPolicy</P> <P>Iam_PolicyGroup</P> <P>Iam_PolicyName</P> <P>Iam_PolicyRole</P> <P>Iam_PolicyUser</P> <P>Iam_PolicyVersion</P> <P>Iam_SummaryMap</P> <P>Iam_User</P> <P>Iam_VirtualMFADevice</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Key Management Service (KMS)</STRONG></P> </TD> <TD width="372"> <P>KMS_KeyListEntry</P> <P>KMS_KeyMetadata</P> <P>KMS_KeyRotationStatus</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Lambda</STRONG></P> </TD> <TD width="372"> <P>Lambda_FunctionConfiguration</P> 
<P>Lambda_FunctionPolicy</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Network Firewall</STRONG></P> </TD> <TD width="372"> <P>NetworkFirewall_Firewall</P> <P>NetworkFirewall_FirewallMetadata</P> <P>NetworkFirewall_FirewallPolicy</P> <P>NetworkFirewall_FirewallPolicyMetadata</P> <P>NetworkFirewall_RuleGroup</P> <P>NetworkFirewall_RuleGroupMetadata</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Relational Database Service (RDS)</STRONG></P> </TD> <TD width="372"> <P>RDS_DBCluster</P> <P>RDS_DBClusterSnapshot</P> <P>RDS_DBInstance</P> <P>RDS_DBSnapshot</P> <P>RDS_DBSnapshotAttributesResult</P> <P>RDS_EventSubscription</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Redshift</STRONG></P> </TD> <TD width="372"> <P>Redshift_Cluster</P> <P>RedShift_LoggingStatus</P> <P>RedShift_Parameter</P> <P>RedShift_ParameterGroup</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>S3</STRONG></P> </TD> <TD width="372"> <P>S3_BucketEncryption</P> <P>S3_BucketPolicy</P> <P>S3_BucketPublicAccessBlockConfiguration</P> <P>S3_ReplicationConfiguration</P> <P>S3_S3AccessControlList</P> <P>S3_S3Bucket</P> <P>S3_S3BucketLoggingConfig</P> <P>S3_S3Region</P> <P>S3Control_PublicAccessBlockConfiguration</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>SageMaker</STRONG></P> </TD> <TD width="372"> <P>SageMaker_DescribeNotebookInstanceResponse</P> <P>SageMaker_NotebookInstanceSummary</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Secrets Manager</STRONG></P> </TD> <TD width="372"> <P>SecretsManager_DescribeSecretResponse</P> <P>SecretsManager_SecretListEntry</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Simple Notification Service (SNS)</STRONG></P> </TD> <TD width="372"> <P>SNS_Subscription</P> <P>SNS_Topic</P> <P>SNS_TopicAttributes</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Simple Queue Service (SQS)</STRONG></P> </TD> <TD width="372"> <P>SQS_Queue</P> <P>SQS_QueueAttributes</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Systems Manager (SSM)</STRONG></P> </TD> <TD width="372"> 
<P>SimpleSystemsManagement_InstanceInformation</P> <P>SimpleSystemsManagement_ParameterMetadata</P> <P>SimpleSystemsManagement_ResourceComplianceSummary</P> </TD> </TR> <TR> <TD width="251"> <P><STRONG>Web Application Firewall (WAF)</STRONG></P> </TD> <TD width="372"> <P>WAF_LoggingConfiguration</P> <P>WAF_WebACL</P> <P>WAF_WebACLSummary</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Get started today</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Connect your AWS accounts to Microsoft Defender for Cloud</A></LI> <LI>Check out <A href="#" target="_blank" rel="noopener">this article</A> to view the list of recommendations you might see in Microsoft Defender for Cloud if you've connected an AWS account from the Environment settings page.</LI> </UL> <P><STRONG>Co-author &amp; Reviewer:</STRONG></P> <P><STRONG><LI-USER uid="605968"></LI-USER></STRONG></P> Tue, 01 Feb 2022 23:28:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/custom-assessments-and-standards-in-microsoft-defender-for-cloud/ba-p/3066575 Safeena Begum Lepakshi 2022-02-01T23:28:08Z Microsoft Defender for Cloud PoC Series - Microsoft Defender for Containers https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-microsoft-defender-for/ba-p/3064644 <P><STRONG>Introduction</STRONG></P> <P>In this blog, I continue the Microsoft Defender PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the new Microsoft Defender for Containers plan. 
With the release of the <A href="#" target="_blank" rel="noopener">new Microsoft Defender for Containers plan</A>, we have merged the previous Microsoft Defender for Kubernetes and Microsoft Defender for Container Registries plans into one offering. Aside from combining the features of the two previous plans, this offering brings new and improved features including multi-cloud support and host-level threat detection. For a more holistic approach to Microsoft Defender for Cloud as a whole, check out <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-security-center/how-to-effectively-perform-an-azure-security-center-poc/ba-p/516874" target="_blank" rel="noopener">How to Effectively Perform a Microsoft Defender for Cloud PoC</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Planning</STRONG></P> <P>Defender for Containers protects your Kubernetes clusters in both Azure and AWS as well as on-prem/IaaS. For Kubernetes clusters hosted outside of Azure, Azure Arc-enabled Kubernetes is required to connect the clusters to Azure and provide threat protection from Microsoft Defender for Containers. Once the Kubernetes cluster is connected to Azure, an Arc extension collects Kubernetes <A href="#" target="_blank" rel="noopener">audit log data</A>. For EKS-based clusters, you’ll need to <A href="#" target="_blank" rel="noopener">connect your AWS accounts to Microsoft Defender for Cloud.</A> Run-time protection for Kubernetes nodes is also provided by the Defender for Containers plan, allowing you to quickly remediate security issues.</P> <P>&nbsp;</P> <P>Another key part of this plan is vulnerability assessment scanning. The Defender for Containers plan includes an integrated vulnerability scanner for scanning images in Azure Container Registries. The scan has a few triggers: push, pull, import, and continuous re-scanning of images that have recently been pulled (once a week for 30 days). 
In addition to the vulnerability assessment, security recommendations are generated for images with vulnerabilities. Before deploying Microsoft Defender for Containers, please be sure to check that your registries and images, as well as your Kubernetes distributions, are supported by this plan.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Container security with Microsoft Defender for Cloud | Microsoft Docs</A></LI> </UL> <P>&nbsp;</P> <P>At the time of publication, the current price of Microsoft Defender for Containers is $7 per vCore per month. This price includes 20 free scans per vCore, where the count is based on the previous month’s consumption.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Pricing—Microsoft Defender | Microsoft Azure</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Containers Cost Estimation Dashboard</A></LI> </UL> <P>You can enable Microsoft Defender for Containers at the subscription level, with a <A href="#" target="_self">30-day free trial</A>. Keeping that in mind, you should plan to execute your PoC prior to this expiration and, based on the results, decide whether to keep it enabled.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Preparation</STRONG></P> <P>To <A href="#" target="_blank" rel="noopener">enable Microsoft Defender</A> for Containers, you will need the Security Admin role. 
To enable this plan, you simply switch the toggle from “off” to “on” as pictured below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Defender for Containers pricing" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/340366iD172C10ED96693D4/image-size/large?v=v2&amp;px=999" role="button" title="container.png" alt="Defender for Containers pricing" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Defender for Containers pricing</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The Security Admin role is also needed to dismiss alerts and the Security Reader role is needed to view findings. To familiarize yourself with the alerts you may receive with this plan, review the <A href="#" target="_blank" rel="noopener">Alerts Reference Guide</A>.</P> <P>&nbsp;</P> <P>To make sure you have a complete understanding of Microsoft Defender for Containers, please be sure to also check out the following resources:</P> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317" target="_blank" rel="noopener">Microsoft launches dedicated Container protection plan</A></LI> <LI><A href="#" target="_blank" rel="noopener">Overview of Azure Arc-enabled Kubernetes - Azure Arc | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">How to use Microsoft Defender for container registries | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">Workload protections for your Kubernetes workloads | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Containers | Defender for Cloud in the Field #3 - YouTube</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Implementation and Validation</STRONG></P> <P>Once enabled, the vulnerability assessment scanner will automatically <A href="#" target="_blank" 
rel="noopener">start scanning existing subscriptions</A> for Azure Container Registries. After scanning the images, the recommendation “Container registry images should have vulnerability findings resolved” will appear, showing all unhealthy registries and the unhealthy images in them. The “Affected Resources” tab shows you the vulnerable container registries, while the “Security Checks” tab shows you the vulnerabilities. Clicking on a specific “Security Check” opens a pane that gives you more information about the security finding and how to remediate it. Vulnerabilities can be exported using <A href="#" target="_blank" rel="noopener">Continuous Export</A> or accessed via our <A href="#" target="_blank" rel="noopener">Sub Assessments REST API</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Container registry scanning" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/340371i91BE5E44599DDFE1/image-size/large?v=v2&amp;px=999" role="button" title="vulrecc.png" alt="Container registry scanning" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Container registry scanning</span></span></P> <P>&nbsp;</P> <P>You can also check that Microsoft Defender for Containers is running properly by simulating an alert.</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Alert validation in Microsoft Defender for Cloud | Microsoft Docs</A></LI> </UL> <P>If you find alerts that are not relevant to your environment, you can either <A href="#" target="_blank" rel="noopener">manually dismiss</A> them or create <A href="#" target="_blank" rel="noopener">suppression rules</A> to automatically dismiss them in the future.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Conclusion</STRONG></P> <P>By the end of this PoC, you should be able to determine the value of Microsoft Defender for Containers and the 
significance of this level of threat detection on your workloads.</P> <P>&nbsp;</P> <P>Reviewers: Tom Janetscheck, <EM>Senior Program Manager</EM></P> Tue, 01 Feb 2022 23:26:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-poc-series-microsoft-defender-for/ba-p/3064644 fkortor 2022-02-01T23:26:21Z How Defender for Cloud displays machines affected by Log4j vulnerabilities https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271 <P>When news breaks of a major security story, like the&nbsp;vulnerability in the open-source Apache logging library Log4j (CVE-2021-44228), vendors and organizations move as fast as they can to understand the issue, determine their exposure, and mitigate the risks.</P> <P>&nbsp;</P> <P><A title="Microsoft’s Response to CVE-2021-44228 Apache Log4j 2" href="#" target="_blank" rel="noopener">The Microsoft Security Response Center was quick to release guidance and background on this issue</A>. 
We continue to update that page as we, and the rest of the infosec community, gain a deeper understanding of the impact of this threat.</P> <P>&nbsp;</P> <P>In situations like this, organizations that are using Microsoft Defender for Cloud can immediately begin investigations - even before there's a CVE number - with our <A title="Microsoft Defender for Cloud's asset inventory tools - Microsoft Docs" href="#" target="_blank" rel="noopener">Inventory tools</A>&nbsp;as shown below.</P> <P>&nbsp;</P> <P>In addition, our threat detection capabilities have already been expanded to ensure we're surfacing exploitation of&nbsp;CVE-2021-44228 in several&nbsp;relevant security alerts.</P> <P>&nbsp;</P> <H2>Inventory filters</H2> <P>Using inventory, you have two powerful ways to begin determining your exposure across your hybrid and multi-cloud resources:</P> <P>&nbsp;</P> <UL> <LI> <P class="lia-align-left"><STRONG>Vulnerability assessment findings</STRONG> - If you've enabled <STRONG><EM>any</EM> </STRONG>of the vulnerability assessment tools for your machines (whether it's&nbsp;<A title="Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management | Microsoft Docs" href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint's threat and vulnerability management module</A>,&nbsp;<A title="Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines | Microsoft Docs" href="#" target="_blank" rel="noopener">the built-in Qualys scanner</A>,&nbsp;or&nbsp;a <A title="Deploy a bring your own license (BYOL) vulnerability assessment solution | Microsoft Docs" href="#" target="_blank" rel="noopener">bring your own license solution</A>), you can search by a CVE identifier when it's released.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="find-by-cve.png" style="width: 565px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/333499i151B105AE56D4F0A/image-size/large?v=v2&amp;px=999" role="button" title="find-by-cve.png" alt="find-by-cve.png" /></span></P> <P>&nbsp;</P> </LI> </UL> <UL> <LI><STRONG>Software inventory</STRONG> - With the combination of the <A title="Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint | Microsoft Docs" href="#" target="_blank" rel="noopener">integration with Microsoft Defender for Endpoint</A> and <A title="Introduction to Microsoft Defender for servers | Microsoft Docs" href="#" target="_blank" rel="noopener">Microsoft Defender for servers</A>, you can search your resources by installed applications and discover which ones are running the vulnerable software.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="find-by-installed-applications.png" style="width: 571px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/333496i0BA3D63F555700A8/image-size/large?v=v2&amp;px=999" role="button" title="find-by-installed-applications.png" alt="find-by-installed-applications.png" /></span></LI> </UL> <P>&nbsp;</P> <P>A quick demo of how you'd search all your resources to see which ones have Log4j installed is shown below. Of course, this doesn't replace a search of your codebase. There's also the possibility that software with integrated Log4j libraries won't appear in this list. 
But it's definitely helpful for initial triage when a major incident is unfolding.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="log4j-inventory.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/333730i11969CFD8919378B/image-size/large?v=v2&amp;px=999" role="button" title="log4j-inventory.gif" alt="log4j-inventory.gif" /></span></P> <P>&nbsp;</P> <H2>Search Azure Resource Graph data</H2> <P>Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal.</P> <P>&nbsp;</P> <P>ARG provides another way to query your resource data for resources found to be vulnerable to the Log4j vulnerability:</P> <P>&nbsp;</P> <OL> <LI> <P>Open <STRONG>Azure Resource Graph Explorer</STRONG>.</P> <DIV><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="opening-resource-graph-explorer.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/333733i618D2944CA4E03D4/image-size/large?v=v2&amp;px=999" role="button" title="opening-resource-graph-explorer.png" alt="opening-resource-graph-explorer.png" /></span> <P>&nbsp;</P> </DIV> </LI> <LI> <P>Enter the following query and select <STRONG>Run query:</STRONG></P> </LI> </OL> <P>&nbsp;</P> <LI-CODE lang="sql">securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id),
         subAssessmentId = tostring(properties.id),
         parentResourceId = extract("(.+)/providers/Microsoft.Security", 1, id)
| extend Props = parse_json(properties)
| extend additionalData = Props.additionalData
| extend cves = additionalData.cve
| where isnotempty(cves) and array_length(cves) &gt; 0
| mv-expand cves
| where tostring(cves) has "CVE-2021-44228"
| distinct parentResourceId</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Learn more</H2> <P>For extensive guidance, workarounds, background, analysis of the vulnerability, and the latest updates, check the continually maintained <A title="Microsoft’s Response to CVE-2021-44228 Apache Log4j 2" href="#" target="_blank" rel="noopener">post on the Microsoft Security Response Center (MSRC) blog</A>.</P> Tue, 01 Feb 2022 17:31:26 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/how-defender-for-cloud-displays-machines-affected-by-log4j/ba-p/3037271 melvynadam 2022-02-01T17:31:26Z Introducing Microsoft Defender for Containers https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317 <P>Container adoption is booming - <SPAN>production deployments of Kubernetes clusters and containers continue to soar as organizations increasingly containerize applications to meet their needs for scalability, portability, and more. 
<A href="#" target="_blank" rel="noopener">Since 2016</A>, the use of containers in production has increased by 300%.</SPAN></P> <P>&nbsp;</P> <P>In line with these widespread adoption trends, the security &amp; threat landscape has shown a rapid increase in the number and sophistication of attacks targeting containers and Kubernetes, as shown in image 1.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report." style="width: 462px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332415i602AD936187CA371/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_0-1638912704362.png" alt="Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report.</span></span></P> <P>&nbsp;</P> <P>Traditional security tools aren’t set up to provide visibility into container usage or to monitor traffic flows, making it challenging to stay on top of secure configuration drift. 
Unlike traditional compute, containerized applications are elastic, spawn dynamically, and are often short-lived – creating the need to fix vulnerabilities early and often and making a dedicated container security strategy essential.</P> <P>&nbsp;</P> <H1>Advanced threat protection for container solutions</H1> <P>To address the evolving security challenges surrounding container solutions, we are excited to announce <STRONG>Microsoft Defender for Containers</STRONG> – a new cloud workload protection plan designed around the unique needs of container-based solutions including Azure Kubernetes Service, Amazon EKS, and on-prem environments. It is part of Microsoft Defender for Cloud.</P> <P>&nbsp;</P> <P>Critical capabilities include native at-scale onboarding for Kubernetes, hardening controls, vulnerability assessment, and run-time protection. The new plan merges the capabilities of the two existing Microsoft Defender for Cloud plans, <EM>Microsoft Defender for Kubernetes</EM> and <EM>Microsoft Defender for container registries</EM>, and adds a new set of critical features shown in image 2.</P> <P>&nbsp;</P> <P><FONT color="#FFFF00"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 2: Overview of the added capabilities in Defender for Containers" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332696iC819EEB74E4AB019/image-size/medium?v=v2&amp;px=400" role="button" title="feature overview.png" alt="Image 2: Overview of the added capabilities in Defender for Containers" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2: Overview of the added capabilities in Defender for Containers</span></span></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>For a live demo of the new capabilities, watch the latest episode of Defender for Cloud in the Field.</P> <P>&nbsp;</P> <P><FONT color="#000000"><LI-VIDEO vid="https://youtu.be/KeH0a3enLJ0" align="center" size="medium" 
width="400" height="225" uploading="false" thumbnail="https://i.ytimg.com/vi/KeH0a3enLJ0/hqdefault.jpg" external="url"></LI-VIDEO></FONT></P> <P>&nbsp;</P> <P><STRONG>Getting started</STRONG></P> <P>Starting today, Microsoft Defender for Containers is available as a new plan in Microsoft Defender for Cloud. You can <A href="#" target="_blank" rel="noopener">onboard</A> any of your Azure subscriptions or AWS accounts and start protecting your container solutions with a broad set of capabilities.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Kubernetes-native deployment</H2> <P>We understand how critical it is to protect containers as soon as they are deployed into your environment. That’s why we developed an automatic deployment capability, so you can easily enable Microsoft Defender for Containers across all Kubernetes resources in your organization from the Microsoft Defender for Cloud portal.</P> <P>The solution is designed to support any Kubernetes workload, Azure or non-Azure, with a <A href="#" target="_blank" rel="noopener">DaemonSet</A> that is deployed and maintained on the Kubernetes control plane. This gives customers visibility and management capabilities directly via Kubernetes-native tooling. 
It is also integrated into <A href="#" target="_blank" rel="noopener"><EM>Azure Kubernetes Service (AKS)</EM></A> as a security profile and into <A href="#" target="_blank" rel="noopener"><EM>Azure Arc</EM></A> connected clusters as a <A href="#" target="_blank" rel="noopener">cluster extension</A> for both multi-cloud and on-prem scenarios.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 3: Onboarding to the Microsoft Defender for Containers with automatic at scale deployment" style="width: 975px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332416i00398F22E460235F/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_0-1638912819948.png" alt="Image 3: Onboarding to the Microsoft Defender for Containers with automatic at scale deployment" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 3: Onboarding to Microsoft Defender for Containers with automatic at-scale deployment</span></span></P> <P>&nbsp;</P> <H2>Advanced Threat Detection</H2> <P>To expand threat detection beyond the Kubernetes management layer, Microsoft Defender for Containers now offers host-level threat detection with over 60 (!) new Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. 
The solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the <A href="#" target="_blank" rel="noopener">MITRE ATT&amp;CK® matrix for Containers</A>, a framework that was developed by the <A href="#" target="_blank" rel="noopener">Center for Threat-Informed Defense</A> in close partnership with Microsoft and others.</P> <P>The full list of available threat detection alerts can be found <A href="#" target="_blank" rel="noopener">here</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 4: Examples of container specific threat detection alerts in Microsoft Defender for Cloud" style="width: 906px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332411i681C59191FC54048/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_3-1638912435096.png" alt="Image 4: Examples of container specific threat detection alerts in Microsoft Defender for Cloud" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 4: Examples of container specific threat detection alerts in Microsoft Defender for Cloud</span></span></P> <P>&nbsp;</P> <P><SPAN><STRONG>To make investigations easier by providing runtime context, we have added new entities to Kubernetes security alerts</STRONG> including image, registry, pod, service, namespace, and more. 
In addition, the new entities can be used to provide more granularity for customers' suppression logic, so alerts can be fine-tuned and alert fatigue reduced.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 5: Examples of new entities to Kubernetes security alerts" style="width: 975px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332410iD2F25CDF93353961/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_2-1638912409600.png" alt="Image 5: Examples of new entities to Kubernetes security alerts" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 5: Examples of new entities in Kubernetes security alerts</span></span></P> <P>&nbsp;</P> <P><STRONG>Coming soon: Fileless attack detection</STRONG>. Fileless attacks are typically used by attackers to execute code without leaving artifacts on the filesystem, thereby evading detection by traditional anti-virus software. With the new Fileless Attack Detection capability, automated memory forensic techniques will identify fileless attack toolkits, techniques, and behaviors. The detection mechanism periodically scans your nodes at runtime and extracts insights directly from the memory of the running processes. It can find evidence of exploitation, code injection and execution of malicious payloads. Fileless attack detection generates detailed security alerts to accelerate alert triage, correlation, and downstream response time.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Vulnerability Assessment</H2> <P>A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. 
Microsoft Defender for Cloud provides out-of-the-box vulnerability assessment capabilities and integrates with the tools of your choice to regularly check your resources for vulnerabilities.</P> <P>&nbsp;</P> <P>As part of the Microsoft Defender for Containers plan, we added a new recommendation for <STRONG>Runtime visibility of vulnerabilities.</STRONG> This new recommendation shows only running images with vulnerabilities, enabling customers to better prioritize and focus on the vulnerabilities that pose the highest risk to their organization.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Image 6: Vulnerability security alert specific to containers" style="width: 804px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332409i16E8D64AAB921E92/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_1-1638912363203.png" alt="Image 6: Vulnerability security alert specific to containers" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 6: Vulnerability security alert specific to containers</span></span></P> <P>&nbsp;</P> <P><SPAN>We also enhanced the periodic scanning of images that have been pulled from Azure Container Registry (ACR) during the last 30 days with a continuous image scan for all <STRONG>ACR images running on a Kubernetes cluster</STRONG>.</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Planning your container security spend</H2> <P>We know that understanding cost across your workloads and protections is critical. That’s why we created a cost estimation workbook that allows you to estimate the anticipated costs for Microsoft Defender for Containers across all your subscriptions. The workbook estimates costs for your Kubernetes clusters based on your average usage over the last 30 days. In addition, it shows the number of container images that are included for vulnerability assessment scanning based on your configuration. 
You can deploy the workbook to your Defender for Cloud environment using the <A href="#" target="_blank" rel="noopener">ARM template</A> and learn more in the Defender for Cloud <A href="#" target="_blank" rel="noopener">GitHub repository</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers." style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/332408i54B6E3FB5738F84C/image-size/large?v=v2&amp;px=999" role="button" title="KimKischel_0-1638912326267.png" alt="Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers.</span></span></P> <P>&nbsp;</P> <P>The new Microsoft Defender for Containers plan provides organizations with a streamlined way to enable advanced threat protection for all their container workloads across Azure, AWS, and in hybrid cloud environments and keep their critical resources secure.</P> <P>&nbsp;</P> <H1>More information</H1> <UL> <LI><A href="#" target="_blank" rel="noopener">Sign up for our live webinar</A> on January 12 where we will walk through the new plan, demo the capabilities and open up for Q&amp;A.</LI> <LI>Check out our <A href="#" target="_blank" rel="noopener">documentation</A> and learn how to protect your container solutions with the new Defender for Containers offering</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/bg-p/MicrosoftDefenderCloudBlog" target="_blank" rel="noopener">Subscribe to our blog</A> and stay up to date with the latest Defender for Cloud news</LI> </UL> <P>&nbsp;</P> <UL> <LI><STRONG style="font-family: inherit;">How much does Microsoft Defender for Containers cost? 
-&nbsp;</STRONG>The price for Microsoft Defender for Containers is $7 per Kubernetes vCore per month.&nbsp;It includes 20 free scans per vCore. Every subsequent scan will be charged at $0.29 per image digest. We expect that more than 90% of customers will not require additional scans.&nbsp;Furthermore, we removed the cost-incurring dependency on Microsoft Defender for Servers to enable host-level protection of Kubernetes clusters through the addition of native, node-level protection capabilities in Microsoft Defender for Containers.</LI> </UL> Thu, 09 Dec 2021 14:24:17 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317 Maya_Herskovic 2021-12-09T14:24:17Z Microsoft Defender for Cloud - Use cases https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-use-cases/ba-p/2953619 <P>The way we look at threats and the mechanisms we implement to protect, detect, and respond to them has changed drastically. It is no longer a cat-and-mouse game between us and the attackers. 
Technology advancements and sophistication have given threat actors a multitude of options to combat the mindset and mechanisms we have been carrying over for years.</P> <P>&nbsp;</P> <P>It’s time to understand how we can leverage modern technology to combat the attackers, but before we start thinking about the “How”, we need to be clear on the “What”.</P> <P>&nbsp;</P> <P>Microsoft Defender for Cloud is a security posture management and workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and provides threat protection for workloads across multi-cloud and hybrid environments.</P> <P>Microsoft Defender for Cloud covers two broad aspects of securing your cloud resources:</P> <P>&nbsp;</P> <P><STRONG>Cloud Security Posture Management (CSPM) –</STRONG> Gives organizations visibility into their security posture via the secure score, detection of security misconfigurations, asset inventory and more.</P> <P>&nbsp;</P> <P><STRONG>Cloud Workload Protection Platform (CWPP) –</STRONG> Uses advanced AI- and ML-based intelligent protection and detection capabilities for your Azure and hybrid cloud workloads. It also helps you track your compliance with regulatory frameworks and compliance standards (like PCI-DSS, NIST, ISO 27001, etc.).</P> <P>&nbsp;</P> <P>In this blog, I will discuss some real-world use cases for how Microsoft Defender for Cloud can be leveraged against these modern-day threats. 
This blog will discuss how the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities can help address these complex use cases and give visibility into the security posture and threats across your hybrid and multi-cloud environments.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="186.865px" height="57px"> <P><STRONG>Security and Compliance Use cases</STRONG></P> </TD> <TD width="494.146px" height="57px"> <P><STRONG>Details</STRONG></P> </TD> <TD width="291.323px" height="57px"> <P><STRONG>Microsoft Defender for Cloud Capability</STRONG></P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="276px"> <P>Assess and visualize the security state of your rapidly changing resources on Azure, on-premises, and other clouds in near real time.</P> </TD> <TD width="494.146px" height="276px"> <P>While we may have the best tools to secure our ecosystem, many compromises have happened because of a lack of visibility into assets, vulnerabilities, misconfigurations, and compliance with industry best practices. For example, WannaCrypt would not have happened if the MS17-010 patch, which was released 3 months before WannaCrypt created havoc, had been deployed on the systems.</P> </TD> <TD width="291.323px" height="276px"> <P>Microsoft Defender for Cloud assesses the security state of all your cloud resources, including servers, storage, SQL, networks, applications, and workloads that are running in Azure, on-premises, and in other clouds. 
Visualize your security state and improve your security posture by using&nbsp;Azure <A href="#" target="_blank" rel="noopener">Secure Score&nbsp;recommendations</A>.</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="249px"> <P>Simplify enterprise compliance and view your compliance against regulatory requirements</P> </TD> <TD width="494.146px" height="249px"> <P>While we strive to keep our environment safe and secure against modern-day threats, we need to know and follow best-practice frameworks like ISO 27001, NIST, CSA, CIS, etc. In addition, compliance with applicable industry and federal regulations (PCI-DSS, HIPAA, etc.) is critical. While organizations understand this, it’s important to have a unified view of the various controls and of resource compliance. Many organizations build complex customizations today to produce these reports, and the results may not be accurate.</P> </TD> <TD width="291.323px" height="249px"> <P>Microsoft Defender for Cloud allows you to view your <A href="#" target="_blank" rel="noopener">compliance</A> against a wide variety of regulatory requirements or company security requirements by centrally managing security policies. 
Perform ongoing assessment and get rich, actionable insights and reports to simplify compliance.</P> </TD> </TR> <TR> <TD width="186.865px" height="194px"> <P>Identification and analysis of vulnerabilities.</P> </TD> <TD width="494.146px" height="194px"> <P>Identifying security weaknesses quickly, especially those which can be exploited, is key for rapidly changing and evolving workloads such as virtual machines, SQL and AKS.</P> </TD> <TD width="291.323px" height="194px"> <P><A href="#" target="_blank" rel="noopener">Vulnerability assessment is part of the&nbsp;Microsoft Defender for SQL&nbsp;offering</A>, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central Microsoft Defender for SQL portal.</P> </TD> </TR> <TR> <TD width="186.865px" height="85px"> <P>&nbsp;Virtual machines</P> </TD> <TD width="494.146px" height="85px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="85px"> <P>The <A href="#" target="_blank" rel="noopener">integrated vulnerability assessment</A> solution supports both Azure virtual machines and hybrid machines.</P> </TD> </TR> <TR> <TD width="186.865px" height="331px"> <P>&nbsp;Containers</P> </TD> <TD width="494.146px" height="331px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="331px"> <P>When you push an image to <A href="#" target="_blank" rel="noopener">Container Registry</A>, Defender for Cloud automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file.<BR />When the scan completes (after about 10 minutes), Microsoft Defender for Cloud provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.</P> </TD> </TR> <TR> <TD width="186.865px" height="358px"> <P>Limit access to your Virtual machines only when required to reduce lateral movements or system compromise.</P> </TD> <TD width="494.146px" 
height="358px"> <P>Attackers commonly target cloud environments with brute force or port scanning attacks, typically against management ports like RDP and SSH that are left open to enable administrator access. All your virtual machines are potential targets for an attack. When a VM is successfully compromised, it's used as the entry point to attack further resources within your environment.</P> </TD> <TD width="291.323px" height="358px"> <P>As with all cybersecurity prevention techniques, your goal should be to reduce the attack surface. In this case, that means having fewer open ports, especially management ports.<BR />Your legitimate users also use these ports, so it's not practical to keep them closed. To solve this dilemma, <A href="#" target="_blank" rel="noopener">Microsoft Defender for Cloud offers JIT</A>. With JIT, you can lock down the inbound traffic to your VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.</P> </TD> </TR> <TR> <TD width="186.865px" height="467px"> <P>Visibility or oversight of the execution of untrusted or unsafe applications on your virtual machines using machine learning techniques.</P> </TD> <TD width="494.146px" height="467px"> <P>One of the key challenges for organizations is restricting APT or zero-day payloads, adware, unwanted applications, etc., and adding a layer of security on top of the EDRs and NGAVs already in use. 
By defining known safe applications and gaining timely oversight when an unknown application is executed, the attack surface is substantially reduced and compliance goals can be met as well.</P> </TD> <TD width="291.323px" height="467px"> <P><A href="#" target="_blank" rel="noopener">Adaptive Application Control</A> in Microsoft Defender for Cloud allows you to:<BR /><BR />Identify potential malware, even any that might be missed by antimalware solutions.<BR />Improve compliance with local security policies that dictate the use of only licensed software.<BR />Identify outdated or unsupported versions of applications.<BR />Identify software that's banned by your organization but is nevertheless running on your machines.<BR />Increase oversight of apps that access sensitive data.</P> </TD> </TR> <TR> <TD width="186.865px" height="577px"> <P>Track and provide data on activities on files that are being monitored, such as potential unauthorized changes.</P> </TD> <TD width="494.146px" height="577px"> <P>Attackers are in a constant endeavor to carry out ransomware, data exfiltration and supply chain attacks using system or application files, so it is important to monitor the integrity of such files to prevent an attack.</P> </TD> <TD width="291.323px" height="577px"> <P><A href="#" target="_blank" rel="noopener">File integrity monitoring (FIM),</A> also known as change monitoring, examines operating system files, the Windows registry, application software, Linux system files, and more, for changes that might indicate an attack.<BR />Microsoft Defender for Cloud recommends entities to monitor with FIM, and you can also define your own FIM policies or entities to monitor. 
FIM informs you about suspicious activity such as:<BR /><BR />File and registry key creation or removal.<BR />File modifications (changes in file size, access control lists, and hash of the content).<BR />Registry modifications (changes in size, access control lists, type, and the content).</P> </TD> </TR> <TR> <TD width="186.865px" height="303px"> <P>Visibility into Azure network topology and recommendations</P> </TD> <TD width="494.146px" height="303px"> <P>It’s important to understand how your resources in Azure connect with each other and which traffic is allowed between them, and to get insights and recommendations to improve your network security posture.</P> </TD> <TD width="291.323px" height="303px"> <P>The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources. Using the map you can see the network topology of your Azure workloads and the connections between your virtual machines and subnets, and drill down from the map into specific resources and the recommendations for those resources.</P> </TD> </TR> <TR> <TD width="186.865px" height="167px"> <P>Unified security solution for identifying IoT/OT devices, vulnerabilities, and threats.</P> </TD> <TD width="494.146px" height="167px"> <P>Operational technology (OT) networks power many of the most critical aspects of our society. But many of these technologies were not designed with security in mind and can't be protected with traditional IT security controls. 
Meanwhile, the Internet of Things (IoT) is enabling a new wave of innovation with billions of connected devices, increasing the attack surface and risk.</P> </TD> <TD width="291.323px" height="167px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="276px"> <P>Detecting identity/access-based attacks on Virtual machines, Containers, Azure Storage, Key Vault, Resource Manager (Privilege Escalation, Credential Access, Initial Access)</P> </TD> <TD width="494.146px" height="276px"> <P><STRONG>Virtual Machines:&nbsp;</STRONG>ML/AI-based detections on VMs such as logons from malicious IP addresses, account enumeration (local and domain), credential dumping, brute force attacks, Kerberos Golden Ticket compromise, detection of credential, unusual config reset in your virtual machine, unusual user password reset in your virtual machine</P> </TD> <TD width="291.323px" height="276px"> <P><A href="#" target="_blank" rel="noopener">Alerts</A> are the notifications that Microsoft Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem, and provides detailed steps to help you remediate attacks. 
Alert data is retained for 90 days.</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="85px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="85px"> <P><STRONG>Containers:</STRONG> Container with a sensitive volume, exposed Kubernetes dashboard detected, exposed Kubernetes service, exposed Redis service in AKS, detection of privileged containers</P> </TD> <TD width="291.323px" height="85px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="276px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="276px"> <P><STRONG>Azure Storage/Key Vault/Resource Manager:</STRONG> Privileged custom role created for your subscription, Access from a suspicious IP address, Storage account with potentially sensitive data has been detected with a publicly exposed container, Access from a Tor exit node to a key vault, High volume of operations in a key vault, Suspicious policy change and secret query in a key vault, Suspicious secret listing and query in a key vault, Unusual application accessed a key vault, Unusual operation pattern in a key vault, Unusual user accessed a key vault, Unusual user-application pair accessed a key vault, User accessed high volume of key vaults</P> </TD> <TD width="291.323px" height="276px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="276px"> <P>Detecting Defense Evasion techniques on Virtual machines, Azure App Services, Containers and Azure Resource Manager</P> </TD> <TD 
width="494.146px" height="276px"> <P><STRONG>Virtual Machines:</STRONG> Antimalware disabled in your virtual machine, Antimalware file exclusion and code execution in your virtual machine, Antimalware real-time protection was disabled in your virtual machine, Antimalware scans blocked for files potentially related to malware campaigns on your virtual machine, Fileless Attack Detection, Suspicious system process executed, Access of htaccess file detected, Attempt to stop apt-daily-upgrade.timer service detected, Manipulation of host firewall detected, Possible Log Tampering Activity Detected, Script extension mismatch detected</P> </TD> <TD width="291.323px" height="276px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="112px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="112px"> <P><STRONG>Azure App Service:</STRONG> Encoded executable in command line data, Executable decoded using certutil, Fileless Attack Toolkit Detected, Possible Crypto coinminer download detected, Suspicious SVCHOST process executed</P> </TD> <TD width="291.323px" height="112px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="139px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="139px"> <P><STRONG>Containers/Azure Resource Manager:</STRONG> Kubernetes events deleted, Docker build operation on Kubernetes node, Azure Resource Manager operation from suspicious proxy IP address, Permissions granted for an RBAC role in an unusual way for your Azure environment</P> </TD> <TD width="291.323px" height="139px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD 
width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="549px"> <P>Detection of malicious executions and exploitation on Virtual machines, App Services, Containers, Databases, Azure Resource Manager and Azure Storage</P> </TD> <TD width="494.146px" height="549px"> <P><STRONG>Virtual machines:</STRONG> Custom script extension with suspicious command in your virtual machine, Custom script extension with suspicious entry-point in your virtual machine, Custom script extension with suspicious payload in your virtual machine, decoding of an executable using the built-in certutil.exe tool, obfuscated command line, Petya ransomware indicators, possible execution of keygen executable/malware dropper, suspicious combination of HTA and PowerShell, Detected suspicious command line arguments, suspicious credentials in command line, suspicious execution of VBScript.Encode command, suspicious execution via rundll32.exe, suspicious file cleanup commands, suspicious file creation, suspicious named pipe communications, Dynamic PS script construction, Executable found running from a suspicious location, Fileless attack technique, Suspicious PsExec execution, Suspicious system process executed, Behavior similar to common Linux bots, Behavior similar to Fairware ransomware, Exposed Docker daemon on TCP socket, Possible exploitation of Hadoop Yarn, Possible exploitation of the mail server, SSH server is running inside a container, Suspicious PHP execution, Suspicious request to Kubernetes API</P> </TD> <TD width="291.323px" height="549px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="167px"> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> </TD> <TD width="494.146px" height="167px"> <P><STRONG>App 
Services:</STRONG> Encoded executable in command line data, Digital currency mining related behavior, Executable decoded using certutil, Fileless Attack Technique, PHP file in upload folder, Possible Cryptocoinminer download, Potential reverse shell, Raw data download, Suspicious PowerShell cmdlets/PHP Executions/SVC Host executions, Suspicious WordPress theme invocation</P> </TD> <TD width="291.323px" height="167px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="112px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="112px"> <P><STRONG>Containers:</STRONG> K8S API requests from proxy IP address, Digital currency mining container, Kubernetes penetration testing tool, Container with a miner image, Exposed Docker daemon, SSH server is running inside a container, Suspicious request to Kubernetes API</P> </TD> <TD width="291.323px" height="112px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="112px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="112px"> <P><STRONG>Databases (SQL/Opensource RD/Cosmos):</STRONG> Log on from an unusual location, Login from a principal user not seen in 60 days, Logon from an unusual cloud provider, Access from an unusual location to a Cosmos DB account</P> </TD> <TD width="291.323px" height="112px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="167px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="167px"> <P><STRONG>Azure Resource Manager/Azure Storage:</STRONG> MicroBurst exploitation toolkit used, Storage account identified as source for distribution of malware, Access from a Tor exit node to 
a storage account, Access from an unusual location to a storage account, unusual application accessing a storage account, unusual uploads of .cspkg to a storage account, unusual uploads of .exe to a storage account</P> </TD> <TD width="291.323px" height="167px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="249px"> <P>Detection of lateral movement and persistence across Virtual Machines, App Services, Containers, Azure Resource Manager, Storage Accounts and Network Layer.</P> </TD> <TD width="494.146px" height="249px"> <P><STRONG>Virtual Machines:</STRONG> PsExec execution, Windows registry persistence method, Suspicious Windows Scheduled Task Creation, Access of htaccess file, persistence attempt via startup scripts, suspicious remote file download, suspicious use of the useradd command on Linux, Indicators associated with DDoS toolkit, New SSH key added, Possible malicious web shell, Potential overriding of common files</P> </TD> <TD width="291.323px" height="249px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="139px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="139px"> <P><STRONG>App Services/Containers:</STRONG> Suspicious process name, suspicious file download, CoreDNS modification in Kubernetes, Creation of admission webhook configuration, new container in the kube-system namespace, New high-privileges role, Role binding to the cluster-admin role, Suspicious request to the Kubernetes Dashboard</P> </TD> <TD width="291.323px" height="139px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="30px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="30px"> <P>&nbsp;</P> </TD> <TD width="291.323px" height="30px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="167px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="167px"> 
<P><STRONG>Resource Manager:</STRONG> Permissions granted for an RBAC role in an unusual way for your Azure environment, Suspicious management session using an inactive account, Suspicious management session using PowerShell, Suspicious management session using Azure portal, Usage of MicroBurst exploitation toolkit to run arbitrary code or exfiltrate Azure Automation account credentials</P> </TD> <TD width="291.323px" height="167px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="112px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="112px"> <P><STRONG>Storage Accounts:</STRONG> Storage account identified as source for distribution of malware, Potential malware uploaded to a storage account, Unusual change of access permissions, Upload of .cspkg, Upload of .exe</P> </TD> <TD width="291.323px" height="112px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="57px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="57px"> <P><STRONG>Network Layer: </STRONG>Suspicious outgoing RDP network activity, Suspicious outgoing SSH network activity</P> </TD> <TD width="291.323px" height="57px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="249px"> <P>Detection of activities related to probing, pre-attack, discovery and collection on Virtual Machines, App Service, Databases, Azure Resource Manager, Azure Storage and the Network Layer.</P> </TD> <TD width="494.146px" height="249px"> <P><STRONG>Virtual 
Machines:</STRONG> Suspicious authentication activity, Failed SSH brute force attack, Local host reconnaissance, Possible local reconnaissance activity</P> </TD> <TD width="291.323px" height="249px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="85px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="85px"> <P><STRONG>App Service:</STRONG> NMap scanning, Phishing content hosted on Azure Webapps, Vulnerability scanner, Web fingerprinting, Website is tagged as malicious in threat intelligence feed</P> </TD> <TD width="291.323px" height="85px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="139px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="139px"> <P><STRONG>Databases (SQL/Opensource RD/Cosmos): </STRONG>A possible vulnerability to SQL injection, Attempted logon by a potentially harmful application, Log-on from an unusual Azure Data Center, Login from a suspicious IP, Potential SQL brute force attempt, Potential SQL injection, Suspected brute force attack using a valid user</P> </TD> <TD width="291.323px" height="139px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="85px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="85px"> <P><STRONG>Resource Manager:</STRONG> PowerZure exploitation toolkit used to enumerate resources, PowerZure exploitation toolkit used to extract Runbooks content, Azurite toolkit run</P> </TD> <TD width="291.323px" height="85px"> <P>&nbsp;</P> </TD> </TR> 
<TR> <TD width="186.865px" height="112px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="112px"> <P><STRONG>Azure Storage: </STRONG>Anonymous scan of public storage containers, Phishing content hosted on a storage account, Access from a Tor exit node to a storage account, Unusual access inspection or data exploration in a storage account</P> </TD> <TD width="291.323px" height="112px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="276px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="276px"> <P><STRONG>Network Layer:</STRONG> Possible incoming brute force attempts detected, Possible outgoing port scanning activity detected, Suspicious incoming RDP network activity from multiple sources, Suspicious incoming RDP network activity, Suspicious incoming SSH network activity from multiple sources, Suspicious outgoing protocol traffic detected, Suspicious outgoing RDP network activity to multiple destinations, Suspicious outgoing SSH network activity to multiple destinations, Traffic detected from IP addresses recommended for blocking, DDoS attack detected for Public IP, DDoS attack mitigated for Public IP</P> </TD> <TD width="291.323px" height="276px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="139px"> <P>Detection of exfiltration attempts from Virtual Machines, App Services, Databases, DNS and Storage Accounts.</P> </TD> <TD width="494.146px" height="139px"> <P><STRONG>Virtual Machines: 
</STRONG>Detected file download from a known malicious source, Possible loss of data, Potential port forwarding to external IP address</P> </TD> <TD width="291.323px" height="139px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="85px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="85px"> <P><STRONG>App Services/Databases:</STRONG> Suspicious domain name reference, Possible loss of data, Unusual export location, Unusual amounts of data extracted from a Cosmos DB account</P> </TD> <TD width="291.323px" height="85px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="249px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="249px"> <P><STRONG>DNS: </STRONG>Anomalous network protocol usage, Anonymity network activity, Anonymity network activity using web proxy, Attempted communication with suspicious sinkholed domain, Communication with possible phishing domain, Communication with suspicious algorithmically generated domain, Communication with suspicious random domain name, Digital currency mining activity, Network intrusion detection signature activation, Possible data download via DNS tunnel, Possible data exfiltration via DNS tunnel, Possible data transfer via DNS tunnel</P> </TD> <TD width="291.323px" height="249px"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="186.865px" height="57px"> <P>&nbsp;</P> </TD> <TD width="494.146px" height="57px"> <P><STRONG>Storage Accounts: </STRONG>Unusual amounts of 
data extracted from a storage account, Unusual deletions in a storage account</P> </TD> <TD width="291.323px" height="57px"> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> Thu, 11 Nov 2021 16:03:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-use-cases/ba-p/2953619 prapati 2021-11-11T16:03:05Z