Getting Started with Microsoft Defender for Cloud

Published:1 February 2023 - 10 min. read

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Are you looking for a way to secure your IT infrastructure and keep it in good shape? You are in luck! Learn how to use Microsoft Defender for Cloud to secure your infrastructure in the best possible way so that no threat will ever harm your business.

In this tutorial, you will learn what exactly Microsoft Defender for Cloud is and how to set it up to assess, secure, and defend your resources.

Stay tuned and safeguard your infrastructure!

Requirements

This tutorial comprises hands-on demonstrations. To complete this tutorial, you will need the following:

  • A few resources in Azure to leverage the value of the service – This tutorial uses Azure Arc-enabled servers, among other resources.

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud (formerly Azure Security Center) is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) solution. These solutions apply to all enterprise resources, regardless of location.

At the time of this writing, four different sites can be connected and observed: the On-Premise Datacenter, Amazon Web Service (AWS), Google Cloud, and Azure.

This architecture below covers almost all relevant landscapes where most cloud-aware companies can be found.

Demonstrating connectable environments to Microsoft Defender for Cloud
Demonstrating connectable environments to Microsoft Defender for Cloud

Microsoft Defender for Cloud, along with natively available connectivity options, is mainly an agent-based solution, especially in monitoring non-Azure resources, as shown below. A separate agent is available depending on which environment has to be connected.

Below are the following available agents:

ℹ️ The Azure Monitoring Agent (AMA) will replace the MMA Agent in the future.

  • Microsoft Defender for Cloud Agent.
Demonstrating Microsoft Defender for Cloud system architecture
Demonstrating Microsoft Defender for Cloud system architecture

Onboarding Azure Subscription to Microsoft Defender for Cloud

A brief explanation of the Microsoft Defender for Cloud architecture will not be enough to grasp how it works, but it is a good start. The best way to experience Microsoft Defender for Cloud is to first work on onboarding your Azure Subscriptions.

Onboarding your Azure subscription creates a new authorization system in Permissions Management. The Permissions Management service is where you can monitor and manage your subscriptions.

To onboard your Azure subscriptions, follow these steps:

1. Open your favorite web browser, and log in to your Azure Portal.

2. Next, search for mic, and select Microsoft Defender for Cloud from the search result list to access the Microsoft Defender for Cloud service.

Accessing the Microsoft Defender for Cloud service
Accessing the Microsoft Defender for Cloud service

3. Click Getting started (left pane), select all your preferred subscriptions, and click Upgrade to activate the service.

Enabling Microsoft Defender for Cloud service at the subscription level
Enabling Microsoft Defender for Cloud service at the subscription level

4. Now, on the next page, click on Continue without installing agents (right-most) to decide which resources should be equipped with an agent.

Skipping the agent delivery
Skipping the agent delivery

As a result, you will see a message (top-right) saying that a free trial (of 30 days) has been successfully activated.

Confirming the trial activation
Confirming the trial activation

Your browser automatically redirects to an Overview page of the service, as shown below.

Currently, you can only see limited information: four (4) Assessed resources, zero (0) Active recommendations, and no Security alerts. But as you assign an initiative to the respective subscriptions in the following section, you will get more information presented.

Overviewing the Microsoft Defender for Cloud service
Overviewing the Microsoft Defender for Cloud service

Assigning an Initiative (Policy) to your Subscriptions

You have enabled Microsoft Defender for Cloud for specific subscriptions, but you still need to define the rule set that should be applied. The number of choices is quite large. These choices are based on the standards and regulations available to the industry, such as the ISO27001 standard.

For a non-specific use case, you can use the default initiative developed by Microsoft called Azure Security Benchmark (ASB). This initiative provides a solid security foundation and starting point. Meeting the requirements of this standard makes fulfilling other sets of rules easier.

To assign an initiative to your subscriptions, follow these steps:

1. On the Overview page, click the blue-highlighted information to access the Microsoft Defender for Cloud Environment settings page (step two).

Displaying the Microsoft Defender for Cloud Overview Page
Displaying the Microsoft Defender for Cloud Overview Page

2. Next, click the subscription to which you want to assign an initiative.

Selecting the subscription that Microsoft Defender for Cloud should manage
Selecting the subscription that Microsoft Defender for Cloud should manage

3. Navigate to Defender plans (left pane), and look at the activated Microsoft Defender for Cloud services.

Below, you can see that all plans are turned on. These are the chargeable CWPP parts of the service. If you only want to use the CSPM features, this page is where you can deactivate all plans before the 30-day trial period expires.

Reviewing the Microsoft Defender for Cloud subscription plan settings
Reviewing the Microsoft Defender for Cloud subscription plan settings

4. Now, navigate to Security policy under Policy settings (left pane), expand Default initiative, and click Assign policy to assign the initiative.

The Settings page opens, where you can configure the initiative (step five).

Assigning a policy
Assigning a policy

5. Leave all settings in the ASB initiative, and click Review + Create (bottom-left) to continue.

Assigning the ASB initiative
Assigning the ASB initiative

6. Lastly, review the summary of your selected settings, and click Create (bottom-left) to finalize assigning the ASB initiative.

Finalizing the initiative assignment
Finalizing the initiative assignment

If successful, you will see a notification regarding the initiative assignment like the one below. But note that the process takes at least 30 minutes until the first assignment results become visible.

Confirming the initiative assignment
Confirming the initiative assignment

As a result of the initiative assignment, you will see the below populated Overview page.

Depending on the initiative (set of policies) applied, assessment runs are conducted regularly, and the environment’s health status is analyzed.

Note that a Secure Score value is now available with six (6) Assessed resources, five (5) Active recommendations, and 31 Security alerts triggered. The Secure Score is your organization’s measurement for security posture bundled into controls.

In addition, the assigned initiative’s level of fulfillment is also displayed.

Reviewing the populated Overview page
Reviewing the populated Overview page

Implementing Recommendations Manually

After assigning an initiative, take a closer look at the basic features and functions of the Microsoft Defender for Cloud service — there are tons. But in this tutorial, the focus is on the most important ones.

Based on the performed assessment, manual and automatic measures can be initiated to harden the monitored environment.

There are two management principles you will explore (CSPM and CWPP). But the first feature you will explore is Recommendations, which are part of the CSPM portfolio.

To see how to work with Recommendations, follow these steps:

1. Navigate to Recommendations (left pane) → Secure score recommendations tab, as shown below, to access an overview of all Secure Score relevant recommendations.

Essentially, the Secure Score is taken from the ASB initiative you previously assigned to your subscription. Other initiatives can be activated (e.g., ISO, CIS…) depending on which standards you must comply with.

If these recommendations cannot be sorted into the existing controls, they can be found under the All Recommendations tab. But there is an overlap between the initiatives. You have already achieved a lot if you implemented the ASB initiative.

Overviewing Secure Score recommendations
Overviewing Secure Score recommendations

2. Next, expand the Manage access and permissions control bundle, and click the recommendation in the screenshot below. Doing so lets you find out more about the recommendation and remediations.

Recommendations vary depending on the configuration of the particular environment. You may not find the same recommendations in your tenant as in this tutorial.

Selecting a recommendation
Selecting a recommendation

3. Read the Description, and comply with the Remediation steps.

Capturing all recommendation processing options
Capturing all recommendation processing options

Now, take action to process the recommendation to ensure that it is not reported again. Below are the options (page bottom) available for dealing with the recommendation:

OptionDescription
Trigger logic appIf you are working on a recurring topic, with this option, you can automate the remediation process by using a logic app.
ExemptSolving the recommendation outside of Azure or accepting the risk of not implementing the recommendation is good news. Doing so makes deactivating the recommendation temporarily or permanently without penalty points on the Secure Score possible.
Assign ownerWith this option, a person required to implement the recommendation can be assigned. In addition, you can define a completion date by which the implementation must be completed.
Change owner and set ETABased on the Assign owner option, the owner and ETA can be adjusted, regardless even if it has already been assigned before.

But since you do not have a logic app that implements the recommendation (which you do not want in this case anyway), click Exempt to define an exception.

A child window opens where the scope of the exception has to be defined (step four).

Exempting a recommendation
Exempting a recommendation

Configure the exemption as follows:

  • Choose the Selected subscriptions option under Scope selection, and select Microsoft Partner Network from the dropdown field, as shown below. Doing so applies the exemption at the subscription level.Provide a descriptive Exemption name to help easily distinguish exemptions from one another.Choose the Waiver as the Exemption category to confirm you accept the resulting risk.Provide a description for creating an exemption.
Once configured, click Create to confirm your selections and create the exemption.

Setting up the recommendation exemption
Setting up the recommendation exemption

You will get a message like the one below stating that the exception was successfully created. Congratulations! You have just processed your first Recommendation.

Viewing successful creation confirmation
Viewing successful creation confirmation

Remediating Resources Automatically

Manual remediations work fine and all. But there are also recommendations that you can implement automatically. But first, you need your Workspace ID handy before you automate fixing resources.

1. Open the Azure Portal in a new browser tab, search for log, and select Log Analytics workspace to view your available workspaces.

Accessing the Log Analytic workspaces
Accessing the Log Analytic workspaces

2. Next, select your desired Log Analytic Workspace, which opens the workspace’s blade (step three).

Retrieving the Log Analytics Workspace ID
Retrieving the Log Analytics Workspace ID

3. In the Overview page, copy the Workspace ID, as shown below.

Copying the Workspace ID
Copying the Workspace ID

4. Now, switch back to the Recommendations page, expand the Enable endpoint protection control, and click the recommendation, as shown below.

Selecting a recommendation under the Enable endpoint protection control
Selecting a recommendation under the Enable endpoint protection control

5. Tick the box beside the unhealthy resource under Affected resources, and click Fix to implement the recommendation. This solution is prepared by Microsoft, which applies the recommendation automatically.

After fixing your resources, moving them to the ‘healthy resources’ tab may take up to 24 hours, as mentioned in the Remediation steps.

Fixing affected resources
Fixing affected resources

6. Return to the Fixing resources page, input the Workspace ID you copied in step three, and click Fix (x) resource.

Fixing resources with specified Workspace ID
Fixing resources with specified Workspace ID

If the remediation succeeds, you will get the message below.

Confirming the remediating is a success
Confirming the remediating is a success

You will also see another assessment run. The health status on the Recommendations overview should adjust (visible on the partially changed bar color — from red to green).

Azure Policy evaluates resource compliance automatically every 24 hours for already assigned policies or initiatives.

Confirming changing resources’ health condition
Confirming changing resources’ health condition

Remediating Resources via the Security Alerts

Besides Remediations, another defender element should not be left out, as the most important one is the paid CWPP offering — Security Alerts. This feature allows you to not only exclude threats at the configuration level but also to detect threats in real-time directly on the provisioned resource.

Defender for Cloud collects, analyzes, and integrates log data from your Azure resources, depending on which advanced feature has been activated, and uses this log data to detect threats.

To see how Security Alerts work behind the scenes, follow these steps:

1. Click Sample alerts, and a pop-up window appears where you can configure your sample alerts (step two).

Initiating creating sample alerts
Initiating creating sample alerts

Next, configure the sample alerts with the following:

  • On the pop-up window, select the Subscription where the alarms should be delivered and set an alarm type.Choose the type Virtual Machines, and click Create sample alerts to finalize creating the alerts.

Creating sample alerts
Creating sample alerts

3. Navigate to Security Alerts (left pane) to see all security alert details as follows:

  • Five (5) Open and Active alerts with one (1) Affected resource.Detailed view of prioritized security alerts, the information needed to investigate, and the steps to fix it.

Similar to the Recommendations, the alerts you will see in your environment will differ from those shown in this tutorial.

Viewing the Security Alert summary
Viewing the Security Alert summary

4. Next, click on the alarm with the highest priority in the list, and click Take action in the pop-up window, as shown below, to explore the suggested actions in another window.

Examining the response options to a security alert
Examining the response options to a security alert

5. Click on either of the following:

  • ASC Community GitHub Repo link – to read the possibilities of resolving the alert and avoiding its future occurrence.Trigger logic app – to trigger an automated response in the form of a logic app.

Another of the main tasks and functions of Microsoft Defender for Cloud is to “Defend.” If threats occur on resources explicitly selected for monitoring, action can be taken automatically, and notifications can be sent out.

Assigning an automatic response
Assigning an automatic response

6. Next, click Trigger if you choose to assign and trigger a prepared logic app.

But in this case, no logic app is prepared, and therefore none can be selected and initiated. So jump to the following step for the second option available.

Applying and triggering a logic app
Applying and triggering a logic app

7. Return to the Take action sub-window, and click Create suppression rule under Suppress similar alerts to inspect this option in more detail.

A new sub-window pops up, where you will define a rule to suppress any further alerting on this specific event.

Note that only alarms that have occurred at least once can be suppressed. Furthermore, the suppression can also be limited to certain entities (such as a User account, File, Host, Process, or Azure resource).

Inspecting the Create suppression rule option
Inspecting the Create suppression rule option

8. Configure the new suppression rule with the following:

  • Choose which Subscription and Alert the rule should be applied to.Provide a descriptive Rule name, set the rule’s State as Enabled, and specify the Reason for activating the rule.
Once configured, click Simulate to simulate the rule.

Defining and testing the new suppression rule
Defining and testing the new suppression rule

Below, the rule is simulated, which performs a dry run of the rule.

Watching the rule simulation
Watching the rule simulation

9. Once the test completes, review the notification of how many alerts this rule would have affected, and click Apply (bottom-left) to implement the new rule.

Applying the new suppression rule
Applying the new suppression rule

After a successful rule application, you will see the following message.

Confirming the successful rule application
Confirming the successful rule application

10. Return to the Take action sub-window, expand Configure email notification settings, and click Configure settings to see all available notifications possibilities.

Accessing the notification settings
Accessing the notification settings

Configure the email notification settings. as follows:

  • Choose a specific role (Owner), and set Additional email addresses to send email notifications.

  • Tick the box under Notification types to enable setting a trigger for the notification.

  • Choose the severity (High) of alerts to trigger a message.
Once configured, click Save to save the changes to the email notification settings.

Setting up the notification settings
Setting up the notification settings

The message below confirms you have successfully saved the email notification setting changes.

At this point, each time there is a security alert with High severity, the email recipients you specified in the notification settings will get an email regarding the alert.

Applying the notifications settings
Applying the notifications settings

Conclusion

A secure and well-maintained IT infrastructure is an indispensable part of modern companies. Keeping track of what needs to be done and prioritizing the necessary steps is often tricky. But the good news is that you have learned how to solve this problem with Microsoft Defender for Cloud in this tutorial.

Microsoft Defender for Cloud is only a tiny part of the Defender family. So why not explore other family members, like Microsoft Defender for Identity or Microsoft Defender for Endpoint? Nothing more is left that prevents a holistic security solution from being implemented!

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!