articles/defender-for-cloud/defender-for-cloud-planning-and-operations-guide.md
31 additions & 17 deletions
@@ -3,14 +3,15 @@ title: Defender for Cloud Planning and Operations Guide
3
3
description: This document helps you to plan before adopting Defender for Cloud and considerations regarding daily operations.
4
4
ms.topic: conceptual
5
5
ms.custom: ignite-2022
6
-
ms.date: 12/12/2022
6
+
ms.date: 01/08/2023
7
7
---
8
+
8
9
# Planning and operations guide
9
10
10
11
This guide is for information technology (IT) professionals, IT architects, information security analysts, and cloud administrators planning to use Defender for Cloud.
11
12
12
-
13
13
## Planning guide
14
+
14
15
This guide provides the background for how Defender for Cloud fits into your organization's security requirements and cloud management model. It's important to understand how different individuals or teams in your organization use the service to meet secure development and operations, monitoring, governance, and incident response needs. The key areas to consider when planning to use Defender for Cloud are:
15
16
16
17
- Security Roles and Access Controls
@@ -22,11 +23,11 @@ This guide provides the background for how Defender for Cloud fits into your org
22
23
23
24
In the next section, you'll learn how to plan for each one of those areas and apply those recommendations based on your requirements.
24
25
25
-
26
26
> [!NOTE]
27
27
> Read [Defender for Cloud frequently asked questions (FAQ)](faq-general.yml) for a list of common questions that can also be useful during the designing and planning phase.
28
28
29
29
## Security roles and access controls
30
+
30
31
Depending on the size and structure of your organization, multiple individuals and teams may use Defender for Cloud to perform different security-related tasks. In the following diagram, you have an example of fictitious personas and their respective roles and security responsibilities:
@@ -63,67 +64,78 @@ Defender for Cloud enables these individuals to meet these various responsibilit
63
64
Defender for Cloud uses [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md), which provides [built-in roles](../role-based-access-control/built-in-roles.md) that can be assigned to users, groups, and services in Azure. When a user opens Defender for Cloud, they only see information related to resources they have access to. Which means the user is assigned the role of Owner, Contributor, or Reader to the subscription or resource group that a resource belongs to. In addition to these roles, there are two roles specific to Defender for Cloud:
64
65
65
66
-**Security reader**: a user that belongs to this role is able to view only Defender for Cloud configurations, which include recommendations, alerts, policy, and health, but it won't be able to make changes.
67
+
66
68
-**Security admin**: same as security reader but it can also update the security policy, dismiss recommendations and alerts.
67
69
68
70
The personas explained in the previous diagram need these Azure RBAC roles:
69
71
70
72
**Jeff (Workload Owner)**
71
73
72
-
- Resource Group Owner/Contributor
74
+
- Resource Group Owner/Contributor.
73
75
74
76
**Ellen (CISO/CIO)**
75
77
76
-
- Subscription Owner/Contributor or Security Admin
78
+
- Subscription Owner/Contributor or Security Admin.
77
79
78
80
**David (IT Security)**
79
81
80
-
- Subscription Owner/Contributor or Security Admin
82
+
- Subscription Owner/Contributor or Security Admin.
81
83
82
84
**Judy (Security Operations)**
83
85
84
-
- Subscription Reader or Security Reader to view Alerts
85
-
- Subscription Owner/Contributor or Security Admin required to dismiss Alerts
86
+
- Subscription Reader or Security Reader to view alerts.
87
+
88
+
- Subscription Owner/Contributor or Security Admin required to dismiss alerts.
86
89
87
90
**Sam (Security Analyst)**
88
91
89
-
- Subscription Reader to view Alerts
90
-
- Subscription Owner/Contributor required to dismiss Alerts
92
+
- Subscription Reader to view alerts.
93
+
94
+
- Subscription Owner/Contributor required to dismiss alerts.
95
+
91
96
- Access to the workspace may be required
92
97
93
98
Some other important information to consider:
94
99
95
100
- Only subscription Owners/Contributors and Security Admins can edit a security policy.
101
+
96
102
- Only subscription and resource group Owners and Contributors can apply security recommendations for a resource.
97
103
98
104
When planning access control using Azure RBAC for Defender for Cloud, make sure you understand who in your organization needs access to Defender for Cloud the tasks they'll perform. Then you can configure Azure RBAC properly.
99
105
100
106
> [!NOTE]
101
107
> We recommend that you assign the least permissive role needed for users to complete their tasks. For example, users who only need to view information about the security state of resources but not take action, such as applying recommendations or editing policies, should be assigned the Reader role.
102
-
>
103
-
>
104
108
105
109
## Security policies and recommendations
106
110
A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements. In Defender for Cloud, you can define policies for your Azure subscriptions, which can be tailored to the type of workload or the sensitivity of data.
107
111
108
-
Defender for Cloud policies contain the following components:
112
+
Defenders for Cloud policies contain the following components:
113
+
109
114
-[Data collection](monitoring-components.md): agent provisioning and data collection settings.
115
+
110
116
-[Security policy](tutorial-security-policy.md): an [Azure Policy](../governance/policy/overview.md) that determines which controls are monitored and recommended by Defender for Cloud. You can also use Azure Policy to create new definitions, define more policies, and assign policies across management groups.
117
+
111
118
-[Email notifications](configure-email-notifications.md): security contacts and notification settings.
119
+
112
120
-[Pricing tier](enhanced-security-features-overview.md): with or without Microsoft Defender for Cloud's enhanced security features, which determine which Defender for Cloud features are available for resources in scope (can be specified for subscriptions and workspaces using the API).
113
121
114
122
> [!NOTE]
115
123
> Specifying a security contact ensures that Azure can reach the right person in your organization if a security incident occurs. Read [Provide security contact details in Defender for Cloud](configure-email-notifications.md) for more information on how to enable this recommendation.
116
124
117
125
### Security policies definitions and recommendations
126
+
118
127
Defender for Cloud automatically creates a default security policy for each of your Azure subscriptions. You can edit the policy in Defender for Cloud or use Azure Policy to create new definitions, define more policies, and assign policies across management groups. Management groups can represent the entire organization or a business unit within the organization. You can monitor policy compliance across these management groups.
119
128
120
129
Before configuring security policies, review each of the [security recommendations](review-security-recommendations.md):
121
130
122
131
- See if these policies are appropriate for your various subscriptions and resource groups.
132
+
123
133
- Understand what actions address the security recommendations.
134
+
124
135
- Determine who in your organization is responsible for monitoring and remediating new recommendations.
125
136
126
137
## Data collection and storage
138
+
127
139
Defender for Cloud uses the Log Analytics agent and the Azure Monitor Agent to collect security data from your virtual machines. [Data collected](monitoring-components.md) from this agent is stored in your Log Analytics workspaces.
128
140
129
141
### Agent
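Review bot: new line 112 introduces a typo: "Defenders for Cloud policies contain the following components:" should stay "Defender for Cloud policies contain the following components:" as the removed line had it. While this hunk inserts blank lines between the list items, the items themselves are still written without a space after the bullet ("-**Security reader**:", "-**Security admin**:", "-[Data collection]", "-[Security policy]", "-[Email notifications]", "-[Pricing tier]"), which CommonMark does not render as a list; change them to "- **Security reader**:" and so on, matching the persona bullets below, which already have the space. Two smaller points in the same region: the persona bullets now end with a period, but the unchanged "- Access to the workspace may be required" (old line 91) does not, and the unchanged sentence "make sure you understand who in your organization needs access to Defender for Cloud the tasks they'll perform" (old line 98) is missing "and" before "the tasks".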
@@ -144,6 +156,7 @@ Data collected from the Log Analytics agent can be stored in an existing Log Ana
144
156
In the Azure portal, you can browse to see a list of your Log Analytics workspaces, including any created by Defender for Cloud. A related resource group is created for new workspaces. Resources are created according to this naming convention:
For workspaces created by Defender for Cloud, data is retained for 30 days. For existing workspaces, retention is based on the workspace pricing tier. If you want, you can also use an existing workspace.
@@ -152,7 +165,6 @@ If your agent reports to a workspace other than the **default** workspace, any M
152
165
153
166
> [!NOTE]
154
167
> Microsoft makes strong commitments to protect the privacy and security of this data. Microsoft adheres to strict compliance and security guidelines—from coding to operating a service. For more information about data handling and privacy, read [Defender for Cloud Data Security](data-security.md).
155
-
>
156
168
157
169
## Onboard non-Azure resources
158
170
@@ -188,6 +200,7 @@ You can use [adaptive application controls](adaptive-application-controls.md) to
188
200
189
201
190
202
## Incident response
203
+
191
204
Defender for Cloud detects and alerts you to threats as they occur. Organizations should monitor for new security alerts and take action as needed to investigate further or remediate the attack. For more information on how Defender for Cloud threat protection works, read [How Defender for Cloud detects and responds to threats](alerts-overview.md#detect-threats).
192
205
193
206
Although we can't create your Incident Response plan, we'll use Microsoft Azure Security Response in the Cloud lifecycle as the foundation for incident response stages. The stages of incident response in the cloud lifecycle are:
@@ -196,12 +209,13 @@ Although we can't create your Incident Response plan, we'll use Microsoft Azure
196
209
197
210
> [!NOTE]
198
211
> You can use the National Institute of Standards and Technology (NIST) [Computer Security Incident Handling Guide](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) as a reference to assist you building your own.
199
-
>
200
212
201
-
You can use Defender for Cloud Alerts during the following stages:
213
+
You can use Defender for Cloud alerts during the following stages:
202
214
203
215
-**Detect**: identify a suspicious activity in one or more resources.
216
+
204
217
-**Assess**: perform the initial assessment to obtain more information about the suspicious activity.
218
+
205
219
-**Diagnose**: use the remediation steps to conduct the technical procedure to address the issue.
206
220
207
221
Each Security Alert provides information that can be used to better understand the nature of the attack and suggest possible mitigations. Some alerts also provide links to either more information or to other sources of information within Azure. You can use the information provided for further research and to begin mitigation, and you can also search security-related data that is stored in your workspace.
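Review bot: the lowercasing of "Defender for Cloud Alerts" to "alerts" at new line 213 is applied inconsistently within this hunk: the unchanged line at old 207 still reads "Each Security Alert provides information", and the NIST note keeps "assist you building your own", which should be "assist you in building your own". The three stage bullets that this hunk spaces out ("-**Detect**:", "-**Assess**:", "-**Diagnose**:") also lack a space after the bullet and will not render as a list; change them to "- **Detect**:" and so on.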
@@ -210,7 +224,7 @@ The following example shows a suspicious RDP activity taking place:
This page shows the details regarding the time that the attack took place, the source hostname, the target VM and also gives recommendation steps. In some circumstances, the source information of the attack may be empty. Read [Missing Source Information in Defender for Cloud Alerts](/archive/blogs/azuresecurity/missing-source-information-in-azure-security-center-alerts) for more information about this type of behavior.
227
+
This page shows the details regarding the time that the attack took place, the source hostname, the target VM and also gives recommendation steps. In some circumstances, the source information of the attack may be empty. Read [Missing Source Information in Defender for Cloud alerts](/archive/blogs/azuresecurity/missing-source-information-in-azure-security-center-alerts) for more information about this type of behavior.
214
228
215
229
Once you identify the compromised system, you can run a [workflow automation](workflow-automation.md) that was previously created. Workflow automations are a collection of procedures that can be executed from Defender for Cloud once triggered by an alert.
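Review bot: the link text edited at new line 227 reads as the title of the linked archived post, and the URL slug (missing-source-information-in-azure-security-center-alerts) indicates that post is titled with "Azure Security Center Alerts"; lowercasing only "alerts" leaves a half-titled, half-descriptive phrase. Either keep the link text matching the target's actual title or rewrite it as plain descriptive text (for example "the archived post on missing source information in alerts"). The rest of the paragraph is unchanged and reads correctly.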
title: Enhancements in Defender for SQL vulnerability assessment | Defender for Cloud in the field
3
+
titleSuffix: Microsoft Defender for Cloud
4
+
description: Learn about Enhancements in Defender for SQL Vulnerability Assessment
5
+
ms.topic: reference
6
+
ms.date: 01/05/2023
7
+
---
8
+
9
+
# Enhancements in Defender for SQL vulnerability assessment | Defender for Cloud in the field
10
+
11
+
**Episode description**: In this episode of Defender for Cloud in the Field, Catalin Esanu joins Yuri Diogenes to talk about the enhancements in Defender for SQL Vulnerability Assessment (VA) capability that were announced. Catalin explains how the new SQL VA Express changed to allow a frictionless onboarding experience and how it became easier to manage VA baselines. Catalin demonstrates how to enable this experience and how to customize the baseline with companion scripts.
-[Learn more](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-express-configuration-for-vulnerability-assessment-in/ba-p/3695390) about Defender for SQL Vulnerability Assessment (VA).
25
+
- Subscribe to [Microsoft Security on YouTube](https://www.youtube.com/playlist?list=PL3ZTgFEc7LysiX4PfHhdJPR7S8mGO14YS)
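Review bot: the two bullets at the end of this new file are inconsistent: "-[Learn more](...)" has no space after the bullet and will not render as a list item, while "- Subscribe to ..." does; use "- [Learn more](...)". The "description" front-matter value capitalizes "Enhancements" and "Vulnerability Assessment" while the "title" and the H1 use "vulnerability assessment" in lowercase; pick one casing. In the episode description, "that were announced" gives the reader no when or where; if the announcement is the Tech Community post linked under "Learn more", say so there.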