Index

A

access management, 12

Adaptive Application Control, 215-216

application violation, 221

changing policy, 217-220

configuring, 217

adaptive network hardening, 134-135

ADE (Azure Disk Encryption), 19-20

AKS (Azure Kubernetes Service), 23-25

alerts, 31, 155-157. See also Security Alerts dashboard

accessing

in Microsoft Sentinel, 192-194

using Defender for Cloud REST API, 224-230

using Graph Security API, 230-232

application violation, 221

ARG (Azure Resource Graph), 163

Defender for Storage, 171-172

DNS, 170-171

filtering, 158-159

fusion, 182-185

PowerShell activity, 165-166

responding to, 187

contact, 187

impact, 188

mitigation, 187-188

take action, 188

simulating, 157-158

suppressing, 161-163

allowing recommendations, 84

API(s)

Graph Security

accessing alerts, 232-233

using, 232-233

REST (Representational State Transfer)

accessing alerts using, 224-230

GET request, 225-228

providers, 224-225

request/response pair, 223-224

testing, 228-230

application violation alert, 221

architecture, Microsoft Defender for Cloud

Log Analytics Agent, 31-32

recommendations and alerts, 31

vulnerability assessment integration with Qualys, 32

workspaces, 32

ARG (Azure Resource Graph), alerts, 163

ARM templates, 89, 235-237, 240

Best Practice Analyzer, 256-257

creating, 241-243

exporting from Azure Portal, 240-241

assessment(s)

creating for AWS and GCP, 99-103

security, 105

assigning, Azure security benchmark, 65

assignments, Azure Policy, 68

assume-breach philosophy, 8

attack(s). See also threat(s)

detection, 7-8

file-less, 2

local privilege escalation, 5

paths, 149-152

phishing, 2-3, 6

spearphishing, 3

vectors, 4

AuditD, 166

auditing, SQL, 136-138

authentication, multi-factor, 118-119

auto-deployment, guest configuration agent, 57

automation

remediation of security recommendations, 138-140

resource exemptions and, 141-143

auto-provisioning, 51-52

Log Analytics agent for Azure Arc servers, 55-56

Log Analytics agent for VMs, 52-54

Microsoft Defender for Containers, 58-59

at-scale, 66

vulnerability assessment solutions, 56-57

AWS (Amazon Web Services)

connecting to, 59-62

creating custom assessments, 99-103

VMs, onboarding, 62-63

Azure

AD Identity Protection, 21

built-in role definitions, 47-48

container security, 22-23

defense-in-depth, 17

logging, 21-22

RBAC (role-based access control), 14

security, 13-14

DDoS protection, 17-19

network protection, 15-17

VM protection, 14-15

storage protection, 19-20

subscriptions, 14

Azure Active Directory

Identity Protection, 21

Security Defaults, 119

Azure Activity Log, 22

Azure Blueprints, 85-86

Blueprint assignment, 86

Blueprint definition, 86

creating, 87-88

Azure Key Vault, 20

Azure Policy, 67-68, 70, 237-238

assignments, 68

definitions, 68, 69-70

initiative, 68

policy, 69

exemptions, 70-72

regulatory compliance policy initiatives, 91

Azure Security Benchmark, 73-75, 93, 238-239

assigning, 65

Secure Score, 82-83

recommendations, 74-75

Azure SQL, auditing, 136-138

Azure Storage API, scan phases, 9

Azure Storage Firewall, 20

B

behavioral analysis, 155-156

best practices

Defender for Cloud management at scale, 239-240

policy, 88-90

Blob storage, 9

Blueprint

assignment, 86

definition, 86, 87-88

botnets, 3

building your own compliance initiative, 96-99

built-in policy definitions, 64

bulletproof hosting services, 1-2

BYOL (bring your own license), 40

C

C2 (command-and-control) server, 4

CIS (Center for Internet Security), 74

cloud

security

Azure, 13-14

compliance, 11

data protection, 13

endpoint protection, 12-13

identity and access management, 12

operational, 12

risk management, 11-12

threats, 9-11

weaponization, 9-10

Cloud Security Map, building your own views, 152-153

cloud solution provider (CSP), 11

code injection, 2, 3

Colonial Pipeline incident, 1

complete deployment, 235-236

compliance. See also regulatory standards and compliance

cloud security, 11

initiative, building, 96-99

regulatory, 90-96

compute, recommendations, 121

connectors, AWS and GCP, 99-103

containers, 120-121

recommendations, 128

security, 22-23

Vulnerability Assessment, 167-168

contextual security, 143-144

Continuous Export, 112

pulling Secure Score data, 112-114

Secure Score over time report, 114-115

controls

for compute, 121

Enable Endpoint Protection, 129-131

Enable MFA, 118-119

Manage Access and Permissions, 118-121

Remediate Vulnerabilities, 125-128

Secure Management Ports, 121-124

counter-antivirus (CAV) services, 1-2

creating

ARM templates, 241-243

Blueprint definition, 87-88

custom assessments for AWS and GCP, 99-103

custom policies, 78-83

exemptions, 110-111

external access prevention rule, 123-124

policy exemptions, 71-72

rules, 220

Credential Scanner tool, 257

CSPM (Cloud Security Posture Management), 27, 28

recommendations, 35, 36-38

workflow, 35-36

CVE-2021-44228, 3

CWPP (Cloud Workload Protection Platform), 28, 38-39

cybercrime

code injection, 2

Colonial Pipeline incident, 1

counter-antivirus (CAV) services, 1-2

email phishing, 2-3

Ransomware as a Service (RaaS), 1-2

cyber kill chain, 3-5, 182-185

Cybersecurity and Infrastructure Security Agency (CISA)

Alert Report (AA22-040A), 1

Analysis Report (AR21-013A), 6

D

dashboards, 33-34

FIM, 210

JIT, 206-207

NSG Hardening, 134

Regulatory Compliance, 92-94

Security Alerts, 157-161

Security Posture, 106-107

Workload Protections, 38, 131

data plane logs, 21

data protection, 13

DDoS (distributed denial-of-service), Azure security, 17-19

default workspaces, 46-47

Defender for App Service, 169-171

Defender for Azure Storage, 20

Defender for Containers, 166-167. See also containers

auto-provisioning, 58-59

threat detection, 168-169

Vulnerability Assessment, 167-168

Defender for Cosmos DB, 177-178

Defender for DNS, 181-182

Defender for Key Vault, 179

Defender for Open-Source Relational Databases, 178-179

Defender for Resource Manager, 180-181

Defender for Servers, 28-29, 48-49

Adaptive Application Control, 215-216

application violation, 221

changing policy, 217-220

configuring, 217

alerts, 157

behavioral analysis, 155-156

for Linux, 166-167

plans, 164-165

for Windows, 165-166

Defender for SQL, 173-174

onboarding, 174

plans, 173

VA (vulnerability assessment), 174-177

Defender for Storage. See also storage

alerts, 171-172

considerations before enabling, 172-173

defense-in-depth, 13, 17, 68

definitions

Azure Policy, 68, 69-70

Blueprint, 86

denying recommendations, 84

deployment and deployment scenarios

CSPM (Cloud Security Posture Management), 35-38

CWPP (Cloud Workload Protection Platform), 38-39

Microsoft Defender for Containers, 58-59

multi-cloud, 39-40

detection, 7-8

DevOps, pipeline, 246

disabling, recommendations, 76

DNS alerts, 170-171

domain dominance, 5

downgrade notification, Secure Score, 115

due date, recommendation, 145

E

EDR (endpoint protection and response), 12-13, 42

email

phishing, 2-3, 6

spearphishing, 3

Enable Endpoint Protection control, 129-131

Enable MFA control, 118-119

endpoints, Enable Endpoint Protection control, 129-131

exemptions

Azure Policy, 70-72

creating, 110-111

policy, 109-110

resource, 141-143

exporting ARM templates from Azure Portal, 240-241

F

file-less attacks, 2, 3

filtering

recommendations, 116-117

Security Alerts, 158-159

FIM (File Integrity Monitoring), 209-210

customizing your settings, 210-213

visualizing changes, 213-214

fine-tuning

policies, 75-78

Secure Score, 109-111

firewall(s), Azure Storage, 20

frameworks, MITRE ATT&CK, 5

free tier, Microsoft Defender for Cloud, 28

G

GCP, creating custom assessments, 99-103

GitHub, 9, 38, 228

governance, 81, 90, 237

rules, 145-148

security, 143-145

grace period, recommendation, 145

Graph Security API

accessing alerts, 230-232

using, 232-233

group policy, 19-20

guest configuration agent, auto-deployment, 57

H-I

HTTPS (Hypertext Transfer Protocol Secure), 136

IaC (infrastructure as code) scanning, 255-256

identity, 12

implementation, policy, 81

improving security posture, 6-8

incremental deployment, 235-236

InfoSec Institute, 7-8

initiative definition, Azure Policy, 68

intel, 4

isolation, AKS clusters, 24

J

JIT (just-in-time) VM access, 201-203

dashboard, 206-207

FIM (File Integrity Monitoring), 209-210

permission assignment, 202-203

recommendations, 203-205

requesting, 207-208

JSON (JavaScript Object Notation), policy definitions, 89

K-L

KQL (Kusto Query Language), 99, 102

Kubernetes, 6

leaked credentials, 257

Linux systems

Defender for Servers, 166-167

Log Analytics Agent, 31

local privilege escalation attack, 5

Lockheed Martin cyber kill chain, 4-5, 182-185

Log Analytics agent/workspace, 45

Defender for Servers, 48-49

deploying to Azure Arc machines, 55-56

enabling Defender for Cloud, 49-50

Linux systems, 31

VMs, auto-provisioning, 52-54

Windows systems, 31-32

Log4J vulnerability, 3, 143

logging, Azure, 21-22

Logic App, 141-143

logical isolation, AKS clusters, 24

M

Manage Access and Permissions control, 118-121

management groups, 238-239

MFA (multi-factor authentication), 118-119

Microsoft

assume-breach philosophy, 8

red-teaming, 8

Microsoft Defender for Cloud, 3, 18

alerts, 31, 156-157. See also alerts; Security Alerts dashboard

accessing using REST API, 224-230

filtering, 158-159

fusion, 182-185

simulating, 157-158

suppressing, 161-163

Azure Security Benchmark, 73-75

connecting to source code management system, 249-251

Continuous Export, 112

pulling Secure Score data, 112-114

Secure Score over time report, 114-115

CSPM (Cloud Security Posture Management), 27, 28

recommendations, 35, 36-38

workflow, 35-36

CWPP (Cloud Workload Protection Platform), 28, 38-39

dashboards, 33-34

NSG Hardening, 134

Regulatory Compliance, 92-94

Security Alerts, 157-161

Security Posture, 106-107

Workload Protections, 38, 131

Defender for Servers, 28-29

deploying at scale

ARM templates, 235-237, 240-243

best practices, 239-240

management groups, 238-239

deployment scenarios, 27-28

EDR (endpoint protection and response), 42

free tier, 28

GitHub repository, 38, 228

integration with other solutions

Microsoft Defender for Endpoint, 196-199

Microsoft Purview, 194-196

Microsoft Sentinel, C07.008-192

Log Analytics agent, 31-32, 45

MITRE ATT&CK tactics, 5

multi-cloud deployment, 39-40

multi-tenant, 42-43

networking

adaptive hardening, 134-135

network map, 132-134

onboarding. See also auto-provisioning; onboarding

assigning Azure security benchmark, 65

auto-provisioning, 51-63

AWS VMs, 62-63

connecting to AWS, 59-62

designing your environment, 46-49

planning your Azure environment, 45-46

plans, 48-49

RBAC (role-based access control), 47-48

registering the Microsoft.Security resource provider, 63-65

subscriptions at scale, 63

VMs, 49-51

planning adoption, 34-35

plans, 29

policy(ies). See also policy(ies)

custom, 78-83

fine-tuning, 75-78

pricing tier names, 64-65

recommendations, 31. See also recommendations

compute, 121

container security, 128

controls, 117

data and storage, 135-136

disabling, 76

Enable Endpoint Protection control, 129-131

Enable MFA control, 118-119

filtering, 116-117

finding only your own, 148-149

JIT, 203-205

Manage Access and Permissions control, 119-121

Remediate Vulnerabilities control, 125-128

remediating, 115-116, 138-140

Secure Management Ports control, 121-124

regulatory standards and compliance, 92-94

security. See also security

governance, 143-148

misconfigurations, 83-85

stakeholders, 34

threat intelligence, 185-186

threat protection, 155-156

use cases, 34

vulnerability(ies)

assessment integration with Qualys, 32

remediating, 125-128

workspaces, 32, 46-47

Microsoft Defender for DevOps, 245

developer tools, 248

IaC scanning, 255-256

MSDO (Microsoft Security DevOps) tools, 253-254

ARM Template Best Practice Analyzer, 256-257

Credential Scanner, 257

onboarding your SCMS, 249-251

pull request annotations, 252

recommendations, 251-252

SecOps and, 247-248

security assessments, 248

Microsoft Defender for Endpoint, integration with Microsoft Defender for Cloud, 196-199

Microsoft Defender for Storage, 9

Microsoft Digital Defense Report 2021, 1, 2

Microsoft Purview, integration with Microsoft Defender for Cloud, 194-196

Microsoft Security Intelligence Report Volume 22, 9

Microsoft Sentinel

accessing alerts, 192-194

integration with Microsoft Defender for Cloud, C07.008-192

Microsoft.Security resource provider

registering, 63-65

retrieving Secure Score data, 111-112

misconfiguration, 9, 83-85

MITRE ATT&CK framework, 5

monitoring

file integrity. See FIM (File Integrity Monitoring)

policies, 81

MSDO (Microsoft Security DevOps) tools

ARM Template Best Practice Analyzer, 256-257

Credential Scanner, 257

multi-tenant, 42-43

N

Nadella, S., 246

networking, 131-132

adaptive hardening, 134-135

network map, 132-134

NIST (National Institute of Standards and Technology), 74

Nitol botnet, 3

notifications. See also alerts, Secure Score downgrade, 115

NSGs (network security groups), 16

adaptive network hardening, 134-135

security rules, 17

O

onboarding

assign the Azure security benchmark, 65

auto-provisioning, 51-52, 56-57

Log Analytics agent for Azure Arc servers, 55-56

Log Analytics agent for VMs, 52-54

AWS VMs, 62-63

connecting to AWS, 59-62

Defender for SQL, 174

designing your environment, 46-49

guest configuration agent, auto-deployment, 57

Microsoft Defender for Containers, 58-59

planning your Azure environment for Defender for Cloud, 45-46

plans, 48-49

RBAC (role-based access control), 47-48

registering the Microsoft.Security resource provider, 63-65

source code management system, 249-251

subscriptions at scale, 63

VMs from an Azure subscription, 49-51

operational security, 12

ownership

recommendation, 144-145

subscription, 120

P

permissions, JIT (just-in-time) VM access, 202-203

phishing, 2-3, 6

planning adoption, Microsoft Defender for Cloud, 34-35

plans

Defender for Containers, 166-167

Defender for Servers, 164-165

Defender for SQL, 173

Microsoft Defender for Cloud, 29

policy(ies). See also Azure Policy; Azure Security Benchmark; group policy; regulatory standards and compliance

Adaptive Application Control, 217-220

Azure Policy, 67-68, 70

assignments, 68

definitions, 68, 69-70

exemptions, 70-72

initiative definition, 68

policy definition, 69

best practices, 88-90

built-in, 64

custom, 78-83

Enable Azure Security Center, 63

exemptions, 109-111

fine-tuning, 75-78

governance, 81

implementation, 81

monitoring, 81

network, 24

recommendations, 80

subscription, 77-78

PowerShell activity alerts, 165-166

pricing tier names, 64-65

privileged access, 13

proactive security, 83

publisher rules, 219

pull request annotations, 252

Q

Qualys

auto-provisioning, 56-57

vulnerability assessment integration, 32

query(ies)

ARG (Azure Resource Graph), 163

assessment, 103

building your own, 152-153

KQL (Kusto Query Language), 102

R

Ransomware as a Service (RaaS), 1, 2

RBAC (role-based access control)

Azure, 14

onboarding, 47-48

recommendations, 31, 35. See also Secure Score

allowing/denying, 84

Azure Security Benchmark, 74-75

compute, 121

container security, 128

controls, 117

Enable Endpoint Protection, 129-131

Enable MFA, 118-119

Manage Access and Permissions, 118-121

Remediate Vulnerabilities, 125-128

Secure Management Ports, 121-124

CSPM (Cloud Security Posture Management), 36-38

data and storage, 135-136

Defender for DevOps, 251-252

disabling, 76

due date, 145

filtering, 116-117

finding only your own, 148-149

grace period, 145

JIT, 203-205

ownership, 144-145

policy, 80

remediating, 115-116, 138-140

VA (vulnerability assessment), 167-168

red-teaming, 8

registration, Microsoft.Security resource provider, 63-65

regulatory standards and compliance

Azure Policy, 90-91

building your own compliance initiative, 96-99

customizing your experience, 94-96

Microsoft Defender for Cloud, 92-94

remediating

recommendations, 115-116, 138-140

vulnerabilities, 125-128

reports

Cybersecurity and Infrastructure Security Agency (CISA)

Alert Report (AA22-040A), 1

Analysis Report (AR21-013A), 6

Secure Score, 111-112, 114-115

requesting JIT access, 207-208

resource(s)

attack path, 149-152

exemptions, 141-143

responding to alerts, 187

contact, 187

impact, 188

mitigation, 187-188

take action, 188

REST (Representational State Transfer) API

accessing alerts using, 224-230

GET request, 225-228

providers, 224-225

request/response pair, 223-224

REvil, 2

risk management, 11-12

rules

Alert Suppression, 161-163

creating, 220

external access preventions, creating, 123-124

governance, 145-148

publisher, 219

S

search box, Security Alerts dashboard, 159

Secure Management Ports control, 121-124

Secure Score, 34, 37, 82-83. See also recommendations

calculating influence per resource, 109

Continuous Export, 112-114

downgrade notification, 115

fine-tuning, 109-111

improving security posture, 105-109

preview recommendations, 108

recommendations

for compute, 121

container security, 128

controls, 117

data and storage, 135-136

Enable Endpoint Protection control, 129-131

Enable MFA control, 118-119

filtering, 116-117

finding only your own, 148-149

Manage Access and Permissions control, 118-121

ownership, 144-145

Remediate Vulnerabilities control, 125-128

remediating, 115-116, 138-140

Secure Management Ports control, 121-124

reports, 111-112, 114-115

security controls, 107-108

Take Action tab, 160

vulnerabilities, remediating, 125-128

security

alerts, 156-157. See also alerts

accessing using Graph Security API, 230-232

accessing using REST API, 224-230

application violation, 221

ARG (Azure Resource Graph), 163

DNS, 170-171

filtering, 158-159

fusion, 182-185

PowerShell activity, 165-166

simulating, 157-158

suppressing, 161-163

assessment, 105

Azure

cloud, 13-14

containers, 22-23

DDoS protection, 17-19

logging, 21-22

network protection, 15-17

storage protection, 19-20

VMs, 14-15

cloud

compliance, 11

data protection, 13

endpoint protection, 12-13

identity and access management, 12

operational, 12

risk management, 11-12

contextual, 143-144

FIM (File Integrity Monitoring), 209-210

customizing your settings, 210-213

visualizing changes, 213-214

governance, 81, 143-148

incident, 183-184

misconfiguration, 83-85

posture, improving, 6-8

Secure Score, 105-109

VA (vulnerability assessment), 40-41

proactive, 83

threat protection, 155-156

Security Alerts dashboard, 157-161

Alert Details page, 159

filtering alerts, 158-159

Full alert page, 160

search box, 159

simulating alerts, 157-158

Security Posture dashboard, 106-107

segmentation, VNet, 17

SIEM (Security Information Event Management), 189

simulating, alerts, 157-158

SOAR (Security Orchestration Automated Response), 189, 228

SolarWinds, 4

source code management system, 1, 245-246. See also Microsoft Defender for DevOps

connecting to Defender for Cloud, 249-251

GitHub, 9, 38, 228

spearphishing, 3

SQL, auditing, 136-138

stakeholders, 34

storage

ADE (Azure Disk Encryption), 19-20

Blob, 9

recommendations, 135-136

Storage Firewall, 20

“Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services”, 6

subscription(s)

Azure, 14

onboarding, 46

at scale, 63

VMs, 49-51

ownership, 120

policy assignments, 77-78

supply chain attacks, 4

suppressing, alerts, 161-163

T

templates, ARM, 89, 235-237, 240

Best Practice Analyzer, 256-257

creating, 241-243

exporting ARM templates from Azure Portal, 240-241

testing APIs, 228-230

threat(s)

actors, 6, 7-8

cloud, 9-11

misconfiguration, 9

weaponization, 9-10

detection, 168-169

Defender for App Service, 169-171

Defender for Cloud, 185-186

Defender for Cosmos DB, 177-178

Defender for DNS, 181-182

Defender for Key Vault, 179

Defender for Open-Source Relational Databases, 178-179

Defender for Resource Manager, 180-181

Defender for SQL, 173-177

Defender for Storage, 171-173

phishing attacks, 6

protection, 155-157

ransomware, 6

tiles, Microsoft Defender for Cloud dashboard, 33-34

tools, MSDO (Microsoft Security DevOps), 253-254, 256-257

ARM Template Best Practice Analyzer, 256-257

Credential Scanner, 257

TVM (Microsoft Defender for Endpoint’s Threat and Vulnerability Management), auto-provisioning, 56-57

U-V

VA (vulnerability assessment), 40-41, 167-168

auto-provisioning, 56-57

Defender for SQL, 174-177

Verizon Data Breach Report 2020, 6

VMBA (Virtual Machine Behavioral Analysis), 155-156

VMs (virtual machines)

AWS (Amazon Web Services), onboarding, 62-63

FIM (File Integrity Monitoring), 209-210

customizing your settings, 210-213

visualizing changes, 213-214

JIT (just-in-time) access, 201-203

permissions, 202-203

recommendations, 203-205

requesting, 207-208

Log Analytics agent, auto-provisioning, 52-54

onboarding, 49-51

security, 14-15

VNets (virtual networks)

Azure, 15-17

segmentation, 17

VSCode (Visual Studio Code), creating ARM templates, 241-243

vulnerabilities

CVE-2021-44228, 3

remediating, 125-128

W-X-Y-Z

Windows systems, Defender for Servers, 165-166

workflow, CSPM (Cloud Security Posture Management), 35-36

Workload Protections dashboard, 38, 131

workspaces, 32, 46-47
