
Experimental infrastructure and concepts for Azure Defender for Cloud


epomatti/azure-defender-for-cloud


Azure Defender for Cloud

Set of resources and configuration to apply Defender capabilities.

Create the baseline infrastructure:

cp config/sample.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve

Make sure Defender is enabled.

TODO: Document Log Analytics stuff

Environment Settings

Add the desired subscriptions to the Defender scope.

Cloud Security Posture Management (CSPM)

Enable Defender CSPM to make all features available.

Cloud Workload Protection (CWP)

Enable the protection for:

  • Servers
  • Databases
  • Key Vault

Or others to track even more resource types.
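The two sections above (Defender CSPM and the Cloud Workload Protection plans) map to one Terraform resource type per plan. The block below is an added example and not the repository's own code; it assumes the azurerm provider with a version that supports the `subplan` argument, and applies to whichever subscription the provider is authenticated against.

```hcl
# Added example (not the repository's code): enable Defender CSPM plus the
# CWP plans for Servers, Databases and Key Vault on the current subscription.

terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Defender CSPM: the "CloudPosture" pricing entry is what unlocks attack path
# analysis, agentless scanning and the other posture features.
resource "azurerm_security_center_subscription_pricing" "cspm" {
  tier          = "Standard"
  resource_type = "CloudPosture"
}

# Servers: Plan 2 (EDR via MDE plus agentless scanning).
# The subplan argument is assumed to be available in the provider version in use.
resource "azurerm_security_center_subscription_pricing" "servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
  subplan       = "P2"
}

# Databases and Key Vault. The portal's "Databases" plan covers the SQL,
# SQL-on-VM, open-source relational and Cosmos DB resource types.
locals {
  cwp_plans = {
    sql_servers     = "SqlServers"
    sql_on_vms      = "SqlServerVirtualMachines"
    open_source_dbs = "OpenSourceRelationalDatabases"
    cosmos          = "CosmosDbs"
    key_vaults      = "KeyVaults"
  }
}

resource "azurerm_security_center_subscription_pricing" "cwp" {
  for_each      = local.cwp_plans
  tier          = "Standard"
  resource_type = each.value
}
```

Setting `tier = "Free"` on any of these resources turns the plan back off, which is the check to run when verifying that a plan was actually disabled on a subscription that left the Defender scope.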

Just-in-Time (JIT)

JIT is implemented in my dedicated repository: https://github.com/epomatti/az-vm-jit

Server protection

Defender will use Microsoft Defender for Endpoint (MDE) for EDR, as well as agentless scanning based on the OS disk.

The AMA is not required for Defender, but it is installed anyway on this VM.

Billing

Check the differences between the plans.

Deallocated, deallocating, or starting servers are not billed.

When you enable Defender for Servers you're charged for all connected machines based on their power state. You're also charged for machines on AWS.

Interactive guides

Outlining Defender capabilities:

  • Attack path analysis
  • Hunting
  • Posture
  • Security governance (rules) - weekly email is sent to owners with the recommendations they're assigned to.
  • Multi-cloud
  • Visibility of vulnerabilities with agentless scanning
  • Protect workloads with alerts correlation
  • Malware Scanning
  • Container threat detection and policy enforcement
  • Protect your APIs

Roles

There are two specific roles for Defender for Cloud:

  • Security Administrator
  • Security Reader

Data collection for Servers

From the docs:

  • Azure Monitor Agent (AMA)
  • Microsoft Defender for Endpoint (MDE)
  • Log Analytics agent
  • Azure Policy Add-on for Kubernetes

How to activate the agents.

SQL

Alerts

Check the Alerts for SQL Database and Azure Synapse Analytics to identify threats for SQL.

For example, SQL injection alerts come at two levels:

  • Vulnerability: a faulty SQL statement or missing input sanitization.
  • Potential: an active exploit has occurred against an identified application vulnerable to SQL injection.

Workflow automation

Use Workflow automation to react to state changes in Defender.

Trigger conditions:

  • Security alert
  • Recommendation
  • Regulatory compliance standards

A Logic App is created so that it can be selected as the automation target via the Portal.
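The Logic App selection can also be expressed in Terraform instead of the Portal. The block below is an added example, not the repository's code: it wires a Workflow automation with the "Security alert" trigger condition to a Logic App, filtered to High severity alerts. The resource group, Logic App name and the severity filter value are assumptions.

```hcl
# Added example (not the repository's code): Workflow automation that sends
# High-severity Defender alerts to a Logic App HTTP trigger.

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "automation" {
  name     = "rg-defender-automation" # assumed name
  location = "eastus2"
}

resource "azurerm_logic_app_workflow" "alerts" {
  name                = "logic-defender-alerts" # assumed name
  location            = azurerm_resource_group.automation.location
  resource_group_name = azurerm_resource_group.automation.name
}

# HTTP request trigger: this is the endpoint the automation calls with the
# alert payload. A permissive schema is used here as a placeholder.
resource "azurerm_logic_app_trigger_http_request" "alert" {
  name         = "When_a_Defender_alert_is_received"
  logic_app_id = azurerm_logic_app_workflow.alerts.id
  schema       = jsonencode({ type = "object" })
}

resource "azurerm_security_center_automation" "high_alerts" {
  name                = "automation-high-severity-alerts"
  location            = azurerm_resource_group.automation.location
  resource_group_name = azurerm_resource_group.automation.name

  # Scope: the subscription the provider is authenticated against.
  scopes = ["/subscriptions/${data.azurerm_client_config.current.subscription_id}"]

  # Trigger condition "Security alert", narrowed to High severity so the
  # Logic App is not flooded with Low/Informational noise.
  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }

  action {
    type        = "LogicApp"
    resource_id = azurerm_logic_app_workflow.alerts.id
    trigger_url = azurerm_logic_app_trigger_http_request.alert.callback_url
  }
}
```

Swapping `event_source` to `Assessments` or `RegulatoryComplianceAssessment` gives the other two trigger conditions listed above; the `rule_set` then filters on the recommendation or compliance-state properties instead of alert severity.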

External Attack Surface Management (Defender EASM)

To create an EASM workspace, use the Portal.

Anti-malware

Enable the anti-malware extension for the vm-antimalware resource, which is called Microsoft Antimalware in the gallery (with type Microsoft.Azure.Security.IaaSAntimalware).

Example: a Full Scan scheduled every Sunday at 2 AM.
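As an added example (not the repository's code), this is how the Microsoft Antimalware extension with that Sunday 2 AM Full Scan schedule looks as an azurerm VM extension. The VM resource reference and the handler version are assumptions; the settings keys follow the extension's JSON configuration, where the scheduled scan day is a weekday code (1 = Sunday) and the time is minutes after midnight.

```hcl
# Added example (not the repository's code): Microsoft Antimalware extension
# (Microsoft.Azure.Security / IaaSAntimalware) with a weekly Full Scan.

resource "azurerm_virtual_machine_extension" "antimalware" {
  name                       = "IaaSAntimalware"
  virtual_machine_id         = azurerm_windows_virtual_machine.vm_antimalware.id # assumed VM resource
  publisher                  = "Microsoft.Azure.Security"
  type                       = "IaaSAntimalware"
  type_handler_version       = "1.3" # assumed; use the current handler version
  auto_upgrade_minor_version = true

  settings = jsonencode({
    AntimalwareEnabled        = true
    RealtimeProtectionEnabled = true

    # Weekly Full Scan: day 1 = Sunday, time 120 = 02:00 (minutes after midnight).
    ScheduledScanSettings = {
      isEnabled = true
      scanType  = "Full"
      day       = 1
      time      = 120
    }

    # No exclusions: an empty exclusion list keeps the scan scope complete.
    Exclusions = {
      Extensions = ""
      Paths      = ""
      Processes  = ""
    }
  })
}
```

Keep the exclusion lists empty unless an application genuinely needs one, since every excluded path or process is a blind spot for both the scheduled scan and real-time protection.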

VM Vulnerability Scan (Qualys)

TODO: Need to implement this

AWS

To integrate with AWS:

cd aws

cp config/template.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve

Create the resource group for the AWS integration:

az group create -l eastus2 -n rg-aws

Connect to Defender for Cloud and create an Amazon Web Services environment.

Current plans supported:

Cloud Security Posture Management (CSPM)

  • Foundational CSPM
  • Defender CSPM
    • Agentless scanning (EC2 installed software and vulnerabilities)
    • Sensitive data discovery
    • And more

Cloud Workload Protection

  • Servers (Plan 2)
  • Databases
  • Containers (EKS, ECR)