Set of resources and configuration to apply Defender capabilities.
Create the baseline infrastructure:
```sh
cp config/sample.tfvars .auto.tfvars
terraform init
terraform apply -auto-approve
```
Make sure Defender is enabled.
TODO: Document Log Analytics stuff
Add the desired subscriptions to the Defender scope.
Enable Defender CSPM to make all features available.
Enable the protection for:
- Servers
- Databases
- Key Vault
Or other plans, to cover even more resource types.
JIT is implemented in my dedicated repository: https://github.com/epomatti/az-vm-jit
Defender will use Microsoft Defender for Endpoint (MDE) for EDR, as well as agentless scanning based on the OS disk.
The AMA is not required for Defender, but it is installed anyway in this VM.
Check the differences between the plans.
Servers that are deallocated, deallocating or starting are not billed.
When you enable Defender for Servers, you're charged for all connected machines based on their power state. Machines connected from AWS are charged as well.
Outlining Defender capabilities:
- Attack path analysis
- Hunting
- Posture
- Security governance (rules) - weekly email is sent to owners with the recommendations they're assigned to.
- Multi-cloud
- Visibility of vulnerabilities with agentless scanning
- Protect workloads with alerts correlation
- Malware Scanning
- Container threat detection and policy enforcement
- Protect your APIs
There are two specific roles for Defender for Cloud:
- Security Administrator
- Security Reader
From the docs:
- Azure Monitor Agent (AMA)
- Microsoft Defender for Endpoint (MDE)
- Log Analytics agent
- Azure Policy Add-on for Kubernetes
How to activate the agents.
Check the Alerts for SQL Database and Azure Synapse Analytics to identify threats for SQL.
For example, SQL injection may surface as the following alerts:
- Vulnerability to SQL injection: a faulty SQL statement or missing input sanitization.
- Potential SQL injection: an active exploit has occurred against an identified application vulnerable to SQL injection.
Use Workflow automation to react when state changes in Defender.
Trigger conditions:
- Security alert
- Recommendation
- Regulatory compliance standards
A Logic App will be created so that it can be selected via the Portal.
To create an EASM workspace, use the Portal.
Enable the anti-malware extension for the vm-antimalware resource. It is called Microsoft Antimalware in the gallery (type Microsoft.Azure.Security.IaaSAntimalware).
Example running a Full Scan scheduled every Sunday at 2 AM.
TODO: Need to implement this
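Added example (not code from this repository): a Terraform resource attaching the Microsoft Antimalware extension with the Sunday 2 AM full scan described above. It assumes a Windows VM resource named `azurerm_windows_virtual_machine.antimalware` (the extension is Windows-only), and the `day`/`time` encoding and `type_handler_version` follow the extension's published settings schema.

```hcl
# Added example, not part of the repository. Assumes the VM resource
# azurerm_windows_virtual_machine.antimalware exists in the same configuration.
# In Terraform the gallery type "Microsoft.Azure.Security.IaaSAntimalware" is
# split into publisher and type.
resource "azurerm_virtual_machine_extension" "antimalware" {
  name                       = "IaaSAntimalware"
  virtual_machine_id         = azurerm_windows_virtual_machine.antimalware.id
  publisher                  = "Microsoft.Azure.Security"
  type                       = "IaaSAntimalware"
  type_handler_version       = "1.3"
  auto_upgrade_minor_version = true

  settings = jsonencode({
    AntimalwareEnabled        = true
    RealtimeProtectionEnabled = true
    ScheduledScanSettings = {
      isEnabled = true
      # day: 0 = daily, 1 = Sunday ... 7 = Saturday, 8 = disabled
      day = 1
      # time: minutes after midnight in 60-minute steps; 120 = 02:00
      time     = 120
      scanType = "Full"
    }
  })
}
```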
To integrate with AWS:
```sh
cd aws
cp config/template.tfvars .auto.tfvars
terraform init
terraform apply -auto-approve
```
Create the resource group for the AWS integration:
```sh
az group create -l eastus2 -n rg-aws
```
Connect to Defender for Cloud and create an Amazon Web Services environment.
Current plans supported:
- Foundational CSPM
- Defender CSPM
- Agentless scanning (EC2 installed software and vulnerabilities)
- Sensitive data discovery
- And more
- Servers (Plan 2)
- Databases
- Containers (EKS, ECR)