Microsoft Defender for Cloud Expert

Free vs. Paid: Foundational vs. Enhanced CSPM

This is the most important distinction in Defender for Cloud:

Foundational CSPM (Free)

Available to all Azure subscriptions at no additional cost:

• Secure score — Aggregate health score based on security recommendations
• Security recommendations — Actionable guidance to improve posture (mapped to controls)
• Regulatory compliance dashboard — Assessment against CIS, PCI DSS, NIST, etc.
• Asset inventory — Centralized view of all resources with their security state
• Workbook templates — Pre-built Azure Monitor Workbooks for security reporting

Limitations of free tier:

• No threat detection (no alerts from workload activity)
• No vulnerability assessment (no CVE scanning)
• No runtime protection
• Limited recommendation depth (e.g., no JIT, no FIM, no adaptive controls)

Enhanced CSPM (Paid)

Defender CSPM plan (paid, per-billable-resource):

• Attack path analysis — maps multi-hop paths to critical assets
• Security explorer — query the security graph
• Agentless container image scanning
• Agentless VM vulnerability assessment (via Defender Vulnerability Management)
• Data-aware security posture (DSPM capabilities for Azure data stores)
• CIEM capabilities — cloud identity and permissions analysis
• Code-to-cloud security (DevOps Security integration)
• External attack surface management (EASM) integration

Secure Score

How Secure Score Works

Secure score is a percentage metric representing your subscription's compliance with Defender for Cloud's security recommendations:

Secure Score = Sum of points earned / Sum of maximum points available

Score structure:

• Controls are groups of related recommendations (e.g., "Remediate vulnerabilities" contains multiple recommendations)
• Each control has a max score contribution (e.g., "Enable MFA" = 10 points)
• A control contributes its points to the score only when ALL recommendations within it are healthy
• Partial completion = zero points for that control (binary per control, not per recommendation)

Score impact:

• Prioritize controls with high max score and high number of unhealthy resources
• Remediating one control with max score 10 adds 10 points; 10 controls each with max score 1 also add 10 points — prioritize efficiency

Key Recommendations by Category

Identity and access:

• Enable MFA for all users with Owner permissions
• Enable MFA for all users with Contributor permissions
• Remove deprecated accounts from subscriptions
• Block guest accounts with Owner permissions

Network:

• Management ports of VMs should be closed
• Internet-facing VMs should be protected with NSGs
• Adaptive network hardening recommendations should be applied

Data and storage:

• Storage accounts should use private endpoints
• Secure transfer to storage accounts should be enabled
• Storage accounts should prevent public access

Applications:

• App Service apps should use latest TLS version
• Function App should only be accessible over HTTPS
• Vulnerabilities in container images should be remediated

Defender Plans

Defender for Servers

Provides workload protection for Windows and Linux VMs (Azure, on-prem via Arc, AWS via Arc, GCP via Arc):

Plan 1 (lower cost):

• Microsoft Defender for Endpoint (MDE) integration — brings EDR to Azure VMs
• JIT VM access (just-in-time network access via locked-down NSG rules)
• Basic vulnerability assessment (powered by MDE's vulnerability data)

Plan 2 (full): All Plan 1 capabilities plus:

• Qualys or Defender Vulnerability Management (MDVM) for comprehensive vulnerability assessment
• Adaptive application controls (application allowlisting — ML-based policy per VM group)
• File integrity monitoring (FIM) — detect changes to critical OS files and registry
• Network map — visualize network topology and exposure
• Docker host assessment (CIS Docker Benchmark)
• Free 500 MB/day of Log Analytics ingestion per server

JIT VM Access: Locks down management ports (SSH 22, RDP 3389, WinRM) by default:

Without JIT: Port 22 open to 0.0.0.0/0 in NSG
With JIT enabled:
  - Default: Port 22 blocked in NSG
  - On request: NSG rule added for specific IP, time-limited (1-8 hours)
  - After expiry: NSG rule auto-removed

Users request JIT access via Defender for Cloud console, Azure Portal, PowerShell, or API. Requests are logged for audit.

Adaptive Application Controls:

• Defender for Cloud's ML analyzes process execution patterns across VM groups
• Recommends allowlisting policies per group
• Once policy is applied, unknown processes trigger alerts (audit mode) or are blocked (enforce mode)
• Regularly updated recommendations as processes change

File Integrity Monitoring (FIM): Tracks changes to:

• Windows: Registry keys (HKLM\System, HKLM\Software), system files, system32
• Linux: /etc/passwd, /etc/shadow, /etc/sudoers, /bin, /sbin, SSH authorized_keys
• Custom paths configurable per workspace
• Changes logged to Log Analytics; alerts on suspicious changes

Defender for Containers

Protects Kubernetes clusters and container registries:

Cluster support:

• Azure Kubernetes Service (AKS) — natively integrated
• Arc-enabled Kubernetes — for EKS, GKE, OpenShift, self-managed clusters
• Requires Defender sensor (DaemonSet) deployed to cluster

Capabilities:

• Container image vulnerability scanning — Scans images in ACR registries; flags CVEs before deployment
• Kubernetes audit log analysis — Detects suspicious activity in Kubernetes API server events
• Runtime behavioral protection — Detects anomalous container runtime behavior
• Kubernetes CIS Benchmark — Checks cluster configuration against CIS Kubernetes Benchmark
• Kubernetes hardening recommendations — Specific recommendations for pod security, RBAC, network policies
• Admission control — Integration with OPA Gatekeeper or Azure Policy for Kubernetes

Container threat detections:

• Exposed Kubernetes dashboards
• Privileged container usage
• Container escape attempts
• Crypto mining in containers
• Lateral movement from containers
• Sensitive volume mount detection

Defender for Databases

Covers all major Azure database services:

SQL threat detection specifics:

• SQL injection attempts (classic, blind, time-based)
• Access from unusual locations or TOR exit nodes
• Access from unfamiliar application
• Brute force credential attacks
• Anomalous data extraction (large rowset returns, unusual tables accessed)
• Access outside normal business hours (anomaly)

Defender for Storage

Protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage Gen2:

Detection capabilities:

• Unusual data access patterns (anomalous volume, unusual client, geographic anomaly)
• Malware upload detection — scans uploaded files for malware using Microsoft Threat Intelligence
• Anonymous access detection — alerts when anonymous requests are made to storage
• Suspicious blob access — enumeration attempts, credential brute force for SAS tokens
• Data exfiltration patterns

Malware scanning:

• On-upload scanning for Blob Storage
• Uses Microsoft's threat intelligence and AV capabilities
• Per-GB pricing for malware scanning (separate from plan cost)

Defender for Key Vault

Detection capabilities:

• Access from suspicious IPs or TOR exit nodes
• High volume of operations (potential exfiltration)
• Unusual access patterns (new application, new user, cross-tenant access)
• Attempts to access deleted vault or keys
• Account takeover indicators

Defender for App Service

Detection capabilities:

• Exploitation of App Service vulnerabilities
• Web shell activity detected via App Service process telemetry
• Dangling DNS attacks (subdomain takeover via deleted App Service)
• Suspicious outbound connections from App Service
• Command injection attempts

Defender for DNS

• Monitors all DNS queries from Azure resources
• Detects: data exfiltration via DNS tunneling, C2 communication over DNS, DNS rebinding attacks, communication with malicious domains (via Microsoft threat intelligence)

Regulatory Compliance

Built-in Compliance Standards

Defender for Cloud ships with built-in assessments for:

Adding a standard: In the Azure portal: Defender for Cloud → Regulatory Compliance → Manage Compliance Policies → Add a standard

Compliance Report Export

• Download compliance reports as PDF or CSV
• Point-in-time snapshots for audit evidence
• Trend reports showing compliance posture over time
• Audit evidence: for each control, shows the specific resources assessed and their pass/fail status

Custom Compliance Frameworks

Build a custom framework by:

1. Create a custom Azure Policy initiative
2. Map policies to controls (using metadata in policy definitions)
3. Assign the initiative to the desired scope (management group, subscription, resource group)
4. It automatically appears in the Regulatory Compliance dashboard

Multi-Cloud Support

Azure Arc

Azure Arc extends Azure management (including Defender for Cloud) to non-Azure resources:

Azure Arc-enabled Servers:

• Install Azure Connected Machine agent on Windows/Linux VMs
• Works on AWS EC2, GCP GCE, on-premises VMs, other clouds
• Once Arc-enabled: the server appears in Azure as a resource
• Can then enable Defender for Servers Plan 1 or 2 on Arc servers
• Applies Azure policies, Defender for Cloud recommendations, JIT, FIM

Azure Arc-enabled Kubernetes:

• Connect any Kubernetes cluster (EKS, GKE, OpenShift, self-managed) to Azure
• Enables Defender for Containers on non-AKS clusters
• Kubernetes audit logs shipped to Azure Monitor
• Defender sensor (DaemonSet) deployed for runtime protection

Native Cloud Connectors

For AWS and GCP without Arc:

• AWS connector: Uses IAM role; pulls Security Hub findings, Config data, CloudTrail events
• GCP connector: Uses Service Account; pulls Security Command Center findings, Cloud Audit Logs
• Native connectors provide CSPM visibility without Arc agent

AWS native connector capabilities:

• Import AWS Security Hub findings into Defender for Cloud
• CSPM recommendations for AWS resources
• Agentless VM scanning for AWS EC2 (with Defender CSPM plan)

DevOps Security

Integrates with source code management platforms for shift-left security:

Supported platforms:

• GitHub (GitHub Actions + direct repository scanning)
• Azure DevOps (Azure Pipelines integration)
• GitLab (GitLab CI integration)

Capabilities:

• IaC scanning (Terraform, CloudFormation, ARM, Bicep, Helm) in pull requests
• Dependency scanning (vulnerable packages in application code)
• Secrets detection in source code
• Container image scanning in CI/CD pipelines

Pull request annotations:

• Security findings surfaced as PR comments
• Policy enforcement (configurable fail/warn thresholds)
• SARIF format output for integration with platform-native code scanning

Integration Patterns

Microsoft Sentinel

Defender for Cloud's primary SIEM integration:

• All Defender for Cloud alerts stream to Sentinel via native connector (no export configuration needed)
• Sentinel receives: security alerts, secure score changes, regulatory compliance changes
• Sentinel Analytics rules can correlate Defender for Cloud alerts with other signals (Entra ID, MDE, network)
• Automated responses via Sentinel Playbooks (Logic Apps)

Logic Apps Automation

Automate responses to Defender for Cloud recommendations and alerts:

• Trigger: recommendation becomes unhealthy / alert fires
• Actions: send Teams message, create Jira ticket, trigger Azure Policy remediation task, disable public access on storage account

Built-in automation templates:

• Send email on new high-severity alert
• Create Jira issue for new recommendation
• Notify teams on secure score decrease
• Auto-remediate specific recommendation types (e.g., enable MFA enforcement via Conditional Access)

Continuous Export

Stream findings to external systems:

• Export to Log Analytics Workspace (for custom queries, Workbooks, Sentinel)
• Export to Azure Event Hub (for SIEM integration via Event Hub connector — Splunk, Elastic, etc.)
• Export to Azure Storage (for long-term archival and compliance)

Configurable export types:

• Security alerts (all Defender plan detections)
• Security recommendations
• Secure score changes
• Regulatory compliance changes

Common Operational Tasks

Enabling a Defender Plan

Via Azure Portal:

1. Defender for Cloud → Environment settings → Select subscription
2. Defender plans blade → Toggle On the desired plan
3. Configure settings (e.g., vulnerability assessment provider, monitoring coverage)
4. Save

Via Azure Policy (enterprise scale):

{
  "type": "Microsoft.Security/pricings",
  "name": "VirtualMachines",
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "P2"
  }
}

Reviewing and Remediating Recommendations

1. Defender for Cloud → Recommendations
2. Filter by severity (Critical first)
3. For each recommendation: review affected resources, impact, remediation steps
4. Use Quick Fix (1-click remediation) where available
5. For bulk remediation: use Azure Policy remediation tasks

Secure Score Investigation

When secure score is low:

1. Go to Recommendations → sort by "Potential score increase"
2. Focus on controls with highest potential score increase
3. Within each control, use "Fix" button for Quick Fix eligible recommendations
4. For manual remediations: assign to resource owner via "Assign owner" feature

Reference Files

Load these when you need deep architectural knowledge:

• references/architecture.md -- Defender for Cloud architecture: CSPM data pipeline, Defender plan agent deployment, MDE integration, Log Analytics workspace relationship, Arc connectivity architecture, regulatory compliance assessment engine.