Microsoft Defender for Cloud Cookbook

By Sasha Kranjac
About this book

Microsoft Defender for Cloud is a multi-cloud and hybrid cloud security posture management solution that enables security administrators to build cyber defense for their Azure and non-Azure resources by providing both recommendations and security protection capabilities.

This book will start with a foundational overview of Microsoft Defender for Cloud and its core capabilities. Then, the reader is taken on a journey from enabling the service, selecting the correct tier, and configuring data collection, to working on remediation. Next, we will continue with hands-on guidance on how to implement several security features of Microsoft Defender for Cloud, finishing with monitoring and maintenance-related topics, gaining visibility into advanced threat protection in distributed infrastructure, and preventing security failures through automation.

By the end of this book, you will know how to get a view of your security posture and where to optimize security protection in your environment as well as the ins and outs of Microsoft Defender for Cloud.

Publication date: July 2022
Publisher: Packt
Pages: 314
ISBN: 9781801076135


Chapter 1: Getting Started with Microsoft Defender for Cloud

In this first chapter, you will learn how to get started with Microsoft Defender for Cloud (MDC). I will also introduce you to the basic but fundamental Microsoft Defender for Cloud configuration and perform the initial MDC configuration steps that set a foundation for using the product's protection and monitoring capabilities.

The recipes in this chapter will explain the essential and foundational Microsoft Defender for Cloud configuration steps that influence MDC's security capabilities, infrastructure coverage, and behavior. It is vital to know which Log Analytics Workspace will be used, the level of data that is collected, and how monitoring agents will be deployed. Although you can change these settings at any time, it is better to set the foundational and basic settings first and then proceed with configuring other settings.

After all, your choices will have an impact not only on security but on cost...


Technical requirements

To complete the recipes in this chapter, the following is required:

  • An Azure subscription (for some of the recipes in this chapter)
  • Two or more Azure subscriptions (for some of the recipes in this chapter)
  • Azure PowerShell
  • A web browser, preferably Microsoft Edge

The code samples for this chapter can be found at https://github.com/PacktPublishing/Microsoft-Defender-for-Cloud-Cookbook.


Enabling Microsoft Defender for Cloud Plans on Azure Subscriptions and Log Analytics Workspaces

Microsoft Defender for Cloud natively protects services in Azure; no steps are required to enable its native, basic functionality. However, you might need to protect multiple subscriptions at a more advanced level, using Microsoft Defender for Cloud Plans. By the end of this recipe, you will have enabled Microsoft Defender for Cloud Plans on multiple Azure subscriptions and Log Analytics Workspaces at once.

Getting ready

Before you enable Microsoft Defender for Cloud Plans on multiple subscriptions, ensure you have at least two Azure subscriptions or workspaces. These should not have Microsoft Defender for Cloud Plans enabled already.

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To enable Microsoft Defender for Cloud Plans on multiple subscriptions at once, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud...

Enabling Microsoft Defender for Cloud Plans on an Azure Subscription

Microsoft Defender for Cloud covers two areas of cloud security: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). Microsoft Defender for Cloud Plans is Microsoft Defender for Cloud's integrated protection platform that protects Azure and hybrid resources. If you want to enable Microsoft Defender for Cloud Plans on a particular Azure Subscription, and control which of the plans' features are enabled or disabled on that subscription, you need to enable Microsoft Defender for Cloud Plans, as described in this recipe.

There are multiple ways to enable Microsoft Defender for Cloud Plans on a subscription, and we will show more than one way here.

After completing this recipe, you will be able to enable Microsoft Defender for Cloud Plans and the plans' protection features on an Azure Subscription.

Getting ready...


Enabling Microsoft Defender for Cloud Plans on a Log Analytics Workspace

Like enabling Microsoft Defender for Cloud Plans on an Azure Subscription, you can enable Microsoft Defender for Cloud Plans on a Log Analytics Workspace.

Getting ready

Before you enable Microsoft Defender for Cloud Plans on a Log Analytics Workspace, you must have at least one Log Analytics Workspace. You should not have Microsoft Defender for Cloud Plans already enabled.

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To enable Microsoft Defender for Cloud Plans on a Log Analytics Workspace, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview page, from the left menu, select Environmental...

Enabling Microsoft Defender for Cloud Plans on multiple Azure Subscriptions and Log Analytics Workspaces

This recipe will show you how to enable Microsoft Defender for Cloud Plans and the plans' protection capabilities on multiple Azure Subscriptions and Log Analytics Workspaces.

Getting ready

Before you enable Microsoft Defender for Cloud Plans on Azure Subscriptions and Log Analytics Workspaces, you must have at least one Azure subscription and at least one Log Analytics Workspace. You should not have Microsoft Defender for Cloud Plans already enabled on these subscriptions and workspaces.

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To enable Microsoft Defender for Cloud Plans and the plans' protection capabilities on multiple subscriptions and workspaces, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft...

Configuring data collection in a Log Analytics Workspace

You can configure data collection tiers in a Log Analytics Workspace. This will affect the number and type of events stored in a Log Analytics Workspace. The data that's stored in a workspace allows you to search, audit, and investigate stored events.

Getting ready

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To configure the level of data you wish to store in a Log Analytics Workspace, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview page, from the left menu, select Environmental settings.
  3. Select the Log Analytics Workspace that you want to configure the level of data to store for. The Settings...

Configuring provisioning extensions automatically

Microsoft Defender for Cloud uses an agent or resource extension to collect the data that is required for analysis. You can choose to install agents manually, but for the best protection and a lower administrative burden, you may wish to automate the installation of the monitoring agent and its extensions.

Getting ready

Open a web browser and navigate to https://portal.azure.com. Microsoft Defender for Cloud Plans must be enabled on the Azure Subscription you are configuring.

How to do it…

To ensure you have the required resource extensions or agents installed automatically, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview page, from the left menu...

Enabling a Log Analytics agent for Azure VMs manually in the Log Analytics Workspace settings

Let's say you want to enable the Log Analytics Agent on an Azure virtual machine manually. This recipe will explain how to perform such an installation using the Log Analytics Workspace blade settings.

Getting ready

Assuming auto-provisioning is disabled and that the target Azure virtual machine does not have the Log Analytics Agent already installed, you can perform the steps described in this recipe. You must have a Log Analytics Workspace provisioned to conduct this recipe. Open a web browser and navigate to https://portal.azure.com.

How to do it…

The following steps are to be performed:

  1. In the Azure portal, open the Log Analytics Workspaces blade where you want to enable Log Analytics Agent manually. You can open the Log Analytics workspaces blade in multiple ways: by typing Log Analytics workspaces in a search bar, clicking on a favorite link, or by going to All...

Enabling a Log Analytics agent for Azure VMs manually in the Virtual Machine settings

Let's say you want to enable the Log Analytics Agent on an Azure virtual machine manually. This recipe will explain how to perform such an installation using the Virtual Machine blade settings.

Getting ready

Assuming auto-provisioning is disabled and the target Azure virtual machine does not have the Log Analytics Agent already installed, you can perform the steps described in this recipe. A Log Analytics Workspace must be provisioned; create one if you do not already have one. Open a web browser and navigate to https://portal.azure.com.

How to do it…

  1. In the Azure portal, open the Virtual Machine blade where you want to enable Log Analytics Agent manually. You can open the Virtual Machine blade in multiple ways: by typing Virtual Machine in a search bar, clicking on a favorite link, or by going to All Services.
  2. From the left menu, under Monitoring, select Logs:
...

Configuring a Log Analytics agent for Azure VMs extension deployment

Similar to configuring the level of data collected by a Log Analytics Workspace, you can configure data collection tiers at the Azure Subscription level, which affects the number and type of events stored for that Azure Subscription as well. The data collected by Microsoft Defender for Cloud is stored in a Log Analytics Workspace so that you can search for, audit, and investigate stored events.

Getting ready

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To configure the Log Analytics Agent extension's deployment settings, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview...

Configuring email notifications

By default, Azure Subscription owners receive an email every time a high severity alert is triggered for a subscription. To add email recipients and to choose the alert severity that triggers a notification, you can configure the Email notifications settings for an Azure Subscription.

Getting ready

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To configure email notifications for an Azure Subscription, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview page, from the left menu, select Environmental settings.
  3. Select the Azure Subscription that you want to configure the Email notifications settings for. The Settings...

Assigning Microsoft Defender for Cloud permissions

As with other resources and services in Azure, role-based access control (RBAC) roles are the way to control rights and allowed actions in Microsoft Defender for Cloud. In this recipe, you will assign the appropriate Microsoft Defender for Cloud RBAC roles to an Azure user.

Getting ready

Open a web browser and navigate to https://portal.azure.com.

How to do it…

  1. In the Azure portal, open Subscriptions. You can open the Subscriptions blade in multiple ways: by selecting Subscriptions from the Azure portal main page, typing Subscriptions in a search bar, clicking on a favorite link, or by going to All Services:

Figure 1.29 – Choosing an Azure Subscription

  2. On the Subscriptions blade, select the subscription you want to configure Microsoft Defender for Cloud permissions on.
  3. On the Azure subscription blade, from the left-hand side menu, select Access Control (IAM). Then, from...

Onboarding Microsoft Defender for Cloud using PowerShell

You can onboard Microsoft Defender for Cloud and perform the initial configuration steps using PowerShell. These steps include setting the Microsoft Defender for Cloud coverage level, configuring Log Analytics Workspace, and installing an agent.

Getting ready

Before executing Microsoft Defender for Cloud PowerShell commands, you must perform some initial steps. Run PowerShell with administrative privileges. The latest Az modules need to be installed, as follows:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

Ensure that an execution policy has been set:

Set-ExecutionPolicy -ExecutionPolicy AllSigned

Ensure that the Az.Security module has been installed:

Install-Module -Name Az.Security -Force

How to do it…

To onboard Microsoft Defender for Cloud using PowerShell, complete the following steps:

  1. Register your subscriptions to the Microsoft Defender for Cloud Resource Provider...
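The onboarding steps of this recipe, together with the multi-subscription plan enablement and the email notification settings from the earlier recipes, as an added Az.Security example that is not the book's own sample code. The subscription IDs, the workspace resource ID, the list of plans to enable and the contact mailbox are assumptions to replace with your own values.

```powershell
# Added example (not the book's sample code): onboard Microsoft Defender for
# Cloud on several subscriptions. Subscription IDs, workspace ID, plan list
# and contact e-mail below are placeholders/assumptions; replace them.
Import-Module Az.Accounts, Az.Resources, Az.Security -ErrorAction Stop
Connect-AzAccount | Out-Null

$subscriptionIds = @('00000000-0000-0000-0000-000000000001',
                     '00000000-0000-0000-0000-000000000002')
# Resource ID of the Log Analytics Workspace MDC should store its data in
$workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000001' +
               '/resourceGroups/rg-security/providers/Microsoft.OperationalInsights' +
               '/workspaces/law-mdc'
# Defender plans to move to the Standard (paid) tier; others stay untouched
$plans = @('VirtualMachines', 'StorageAccounts', 'SqlServers', 'KeyVaults')

foreach ($subId in $subscriptionIds) {
    Set-AzContext -Subscription $subId | Out-Null

    # Step 1: register the Microsoft.Security resource provider (idempotent)
    Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security' | Out-Null

    # Step 2: enable the selected plans only where they are still on the Free tier
    foreach ($plan in $plans) {
        $current = Get-AzSecurityPricing -Name $plan
        if ($current.PricingTier -ne 'Standard') {
            Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
            Write-Host "[$subId] $plan -> Standard"
        }
    }

    # Step 3: point data collection at the shared workspace and let MDC
    # auto-provision the monitoring agent and extensions
    Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$subId" `
        -WorkspaceId $workspaceId | Out-Null
    Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

    # Step 4: e-mail notifications: subscription owners plus a SOC mailbox
    Set-AzSecurityContact -Name 'default' -Email 'soc@example.com' `
        -AlertAdmin -NotifyOnAlert | Out-Null
}

# Verification: list the plan tier per subscription so a Free plan stands out
foreach ($subId in $subscriptionIds) {
    Set-AzContext -Subscription $subId | Out-Null
    Get-AzSecurityPricing |
        Select-Object @{n = 'Subscription'; e = { $subId }}, Name, PricingTier |
        Format-Table -AutoSize
}
```

Because every cmdlet runs against the current Az context, re-running the script is safe: already-registered providers and already-Standard plans are skipped, and the workspace, auto-provisioning and contact settings are simply reapplied.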

Enabling Microsoft Defender for Cloud integration with other Microsoft security services

Microsoft Defender for Cloud extends its protection capabilities beyond Microsoft Defender for Cloud Plans security. To configure additional threat protection capabilities in Microsoft Defender for Cloud, Microsoft Defender for Cloud Plans must be enabled.

Getting ready

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To configure and enable Microsoft Defender for Cloud integration with Microsoft Cloud App Security and Microsoft Defender for Endpoint, complete the following steps:

  1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services.
  2. On the Microsoft Defender for Cloud – Overview page, from the left menu, select Environmental settings.
  3. Select the Azure Subscription...
About the Author
  • Sasha Kranjac

    Sasha is a Security and Cloud professional, architect, and instructor. More than two decades ago, he began programming in Assembler on Sir Clive Sinclair's ZX, met Windows NT 3.5, and was hooked to IT ever since. He is CEO at Kloudatech - Microsoft Partner, CompTIA Authorized Delivery Partner, Amazon Web Services Partner company - that helps businesses and individuals around the globe to embrace the cloud and be safe in cyberspace. Aside from Cloud/Security Architecture and consulting, he delivers Microsoft, EC-Council, CompTIA and bespoke courses and PowerClass Workshops internationally.

    For exceptional community contributions, Sasha has been awarded a Microsoft Most Valuable Professional (MVP) award in the Azure category. Sasha is a Microsoft Certified Trainer (MCT), MCT Regional Lead, Certified EC-Council Instructor (CEI), and a frequent speaker at various international conferences, user groups and events.
