A
access management, 12
Adaptive Application Control, 215-216
application violation, 221
configuring, 217
adaptive network hardening, 134-135
ADE (Azure Disk Encryption), 19-20
AKS (Azure Kubernetes Service), 23-25
alerts, 31, 155-157. See also Security Alerts dashboard
accessing
in Microsoft Sentinel, 192-194
using Defender for Cloud REST API, 224-230
using Graph Security API, 230-232
application violation, 221
ARG (Azure Resource Graph), 163
responding to, 187
contact, 187
impact, 188
take action, 188
allowing recommendations, 84
API(s)
Graph Security
REST (Representational State Transfer)
accessing alerts using, 224-230
request/response pair, 223-224
application violation alert, 221
architecture, Microsoft Defender for Cloud
recommendations and alerts, 31
vulnerability assessment integration with Qualys, 32
workspaces, 32
ARG (Azure Resource Graph), alerts, 163
ARM templates, 89, 235-237, 240
Best Practice Analyzer, 256-257
exporting from Azure Portal, 240-241
assessment(s)
creating for AWS and GCP, 99-103
security, 105
assigning, Azure security benchmark, 65
assignments, Azure Policy, 68
assume-breach philosophy, 8
attack(s). See also threat(s)
file-less, 2
local privilege escalation, 5
spearphishing, 3
vectors, 4
AuditD, 166
authentication, multi-factor, 118-119
auto-deployment, guest configuration agent, 57
automation
remediation of security recommendations, 138-140
resource exemptions and, 141-143
Log Analytics agent for Azure Arc servers, 55-56
Log Analytics agent for VMs, 52-54
Microsoft Defender for Containers, 58-59
at-scale, 66
vulnerability assessment solutions, 56-57
AWS (Amazon Web Services)
creating custom assessments, 99-103
Azure
AD Identity Protection, 21
built-in role definitions, 47-48
defense-in-depth, 17
RBAC (role-based access control), 14
subscriptions, 14
Azure Active Directory
Identity Protection, 21
Security Defaults, 119
Azure Activity Log, 22
Blueprint assignment, 86
Blueprint definition, 86
Azure Key Vault, 20
Azure Policy, 67-68, 70, 237-238
assignments, 68
initiative, 68
policy, 69
regulatory compliance policy initiatives, 91
Azure Security Benchmark, 73-75, 93, 238-239
assigning, 65
Azure Storage API, scan phases, 9
Azure Storage Firewall, 20
B
best practices
Defender for Cloud management at scale, 239-240
Blob storage, 9
Blueprint
assignment, 86
botnets, 3
building your own compliance initiative, 96-99
built-in policy definitions, 64
bulletproof hosting services, 1-2
BYOL (bring your own license), 40
C
C2 (command-and-control) server, 4
CIS (Center for Internet Security), 74
cloud
security
compliance, 11
data protection, 13
identity and access management, 12
operational, 12
Cloud Security Map, building your own views, 152-153
cloud solution provider (CSP), 11
Colonial Pipeline incident, 1
compliance. See also regulatory standards and compliance
cloud security, 11
compute, recommendations, 121
connectors, AWS and GCP, 99-103
recommendations, 128
Vulnerability Assessment, 167-168
Continuous Export, 112
pulling Secure Score data, 112-114
Secure Score over time report, 114-115
controls
for compute, 121
Enable Endpoint Protection, 129-131
Manage Access and Permissions, 118-121
Remediate Vulnerabilities, 125-128
Secure Management Ports, 121-124
counter-antivirus (CAV) services, 1-2
creating
custom assessments for AWS and GCP, 99-103
external access prevention rule, 123-124
rules, 220
Credential Scanner tool, 257
CSPM (Cloud Security Posture Management), 27, 28
CVE-2021-44228, 3
CWPP (Cloud Workload Protection Platform), 28, 38-39
cybercrime
code injection, 2
Colonial Pipeline incident, 1
counter-antivirus (CAV) services, 1-2
Ransomware as a Service (RaaS), 1-2
Cybersecurity and Infrastructure Security Agency (CISA)
Alert Report (AA22-040A), 1
Analysis Report (AR21-013A), 6
D
FIM, 210
NSG Hardening, 134
data plane logs, 21
data protection, 13
DDoS (distributed denial-of-service), Azure security, 17-19
Defender for App Service, 169-171
Defender for Azure Storage, 20
Defender for Containers, 166-167. See also containers
Vulnerability Assessment, 167-168
Defender for Cosmos DB, 177-178
Defender for Key Vault, 179
Defender for Open-Source Relational Databases, 178-179
Defender for Resource Manager, 180-181
Defender for Servers, 28-29, 48-49
Adaptive Application Control, 215-216
application violation, 221
configuring, 217
alerts, 157
onboarding, 174
plans, 173
VA (vulnerability assessment), 174-177
Defender for Storage. See also storage
considerations before enabling, 172-173
definitions
Blueprint, 86
denying recommendations, 84
deployment and deployment scenarios
CSPM (Cloud Security Posture Management), 35-38
CWPP (Cloud Workload Protection Platform), 38-39
Microsoft Defender for Containers, 58-59
DevOps, pipeline, 246
disabling, recommendations, 76
domain dominance, 5
downgrade notification, Secure Score, 115
due date, recommendation, 145
E
EDR (endpoint detection and response), 12-13, 42
spearphishing, 3
Enable Endpoint Protection control, 129-131
endpoints, Enable Endpoint Protection control, 129-131
exemptions
exporting ARM templates from Azure Portal, 240-241
F
filtering
FIM (File Integrity Monitoring), 209-210
customizing your settings, 210-213
fine-tuning
firewall(s), Azure Storage, 20
frameworks, MITRE ATT&CK, 5
free tier, Microsoft Defender for Cloud, 28
G
GCP, creating custom assessments, 99-103
grace period, recommendation, 145
Graph Security API
guest configuration agent, auto-deployment, 57
H-I
HTTPS (Hypertext Transfer Protocol Secure), 136
IaC (infrastructure as code) scanning, 255-256
identity, 12
implementation, policy, 81
improving security posture, 6-8
incremental deployment, 235-236
initiative definition, Azure Policy, 68
intel, 4
isolation, AKS clusters, 24
J
JIT (just-in-time) VM access, 201-203
FIM (File Integrity Monitoring), 209-210
permission assignment, 202-203
JSON (JavaScript Object Notation), policy definitions, 89
K-L
KQL (Kusto Query Language), 99, 102
Kubernetes, 6
leaked credentials, 257
Linux systems
Log Analytics Agent, 31
local privilege escalation attack, 5
Lockheed Martin Cyber Kill Chain, 4-5, 182-185
Log Analytics agent/workspace, 45
deploying to Azure Arc machines, 55-56
enabling Defender for Cloud, 49-50
Linux systems, 31
logical isolation, AKS clusters, 24
M
Manage Access and Permissions control, 118-121
MFA (multi-factor authentication), 118-119
Microsoft
assume-breach philosophy, 8
red-teaming, 8
Microsoft Defender for Cloud, 3, 18
alerts, 31, 156-157. See also alerts; Security Alerts dashboard
accessing using REST API, 224-230
Azure Security Benchmark, 73-75
connecting to source code management system, 249-251
Continuous Export, 112
pulling Secure Score data, 112-114
Secure Score over time report, 114-115
CSPM (Cloud Security Posture Management), 27, 28
CWPP (Cloud Workload Protection Platform), 28, 38-39
NSG Hardening, 134
deploying at scale
ARM templates, 235-237, 240-243
EDR (endpoint detection and response), 42
free tier, 28
integration with other solutions
Microsoft Defender for Endpoint, 196-199
Microsoft Sentinel, C07.008-192
Log Analytics agent, 31-32, 45
MITRE ATT&CK tactics, 5
networking
onboarding. See also auto-provisioning; onboarding
assigning Azure security benchmark, 65
designing your environment, 46-49
planning your Azure environment, 45-46
RBAC (role-based access control), 47-48
registering the Microsoft.Security resource provider, 63-65
subscriptions at scale, 63
plans, 29
policy(ies). See also policy(ies)
recommendations, 31. See also recommendations
compute, 121
container security, 128
controls, 117
disabling, 76
Enable Endpoint Protection control, 129-131
finding only your own, 148-149
Manage Access and Permissions control, 119-121
Remediate Vulnerabilities control, 125-128
Secure Management Ports control, 121-124
regulatory standards and compliance, 92-94
security. See also security
stakeholders, 34
use cases, 34
vulnerability(ies)
assessment integration with Qualys, 32
Microsoft Defender for DevOps, 245
developer tools, 248
MSDO (Microsoft Security DevOps) tools, 253-254
ARM Template Best Practice Analyzer, 256-257
Credential Scanner, 257
pull request annotations, 252
security assessments, 248
Microsoft Defender for Endpoint, integration with Microsoft Defender for Cloud, 196-199
Microsoft Defender for Storage, 9
Microsoft Digital Defense Report 2021, 1, 2
Microsoft Purview, integration with Microsoft Defender for Cloud, 194-196
Microsoft Security Intelligence Report Volume 22, 9
Microsoft Sentinel
integration with Microsoft Defender for Cloud, C07.008-192
Microsoft.Security resource provider
retrieving Secure Score data, 111-112
MITRE ATT&CK framework, 5
monitoring
file integrity. See FIM (File Integrity Monitoring)
policies, 81
MSDO (Microsoft Security DevOps) tools
ARM Template Best Practice Analyzer, 256-257
Credential Scanner, 257
N
Nadella, S., 246
NIST (National Institute of Standards and Technology), 74
Nitol botnet, 3
notifications, Secure Score downgrade, 115. See also alerts
NSGs (network security groups), 16
adaptive network hardening, 134-135
security rules, 17
O
onboarding
assign the Azure security benchmark, 65
auto-provisioning, 51-52, 56-57
Log Analytics agent for Azure Arc servers, 55-56
Log Analytics agent for VMs, 52-54
Defender for SQL, 174
designing your environment, 46-49
guest configuration agent, auto-deployment, 57
Microsoft Defender for Containers, 58-59
planning your Azure environment for Defender for Cloud, 45-46
RBAC (role-based access control), 47-48
registering the Microsoft.Security resource provider, 63-65
source code management system, 249-251
subscriptions at scale, 63
VMs from an Azure subscription, 49-51
operational security, 12
ownership
subscription, 120
P
permissions, JIT (just-in-time) VM access, 202-203
planning adoption, Microsoft Defender for Cloud, 34-35
plans
Defender for Containers, 166-167
Defender for SQL, 173
Microsoft Defender for Cloud, 29
policy(ies). See also Azure Policy; Azure Security Benchmark; group policy; regulatory standards and compliance
Adaptive Application Control, 217-220
assignments, 68
initiative definition, 68
policy definition, 69
built-in, 64
Enable Azure Security Center, 63
governance, 81
implementation, 81
monitoring, 81
network, 24
recommendations, 80
PowerShell activity alerts, 165-166
privileged access, 13
proactive security, 83
publisher rules, 219
pull request annotations, 252
Q
Qualys
vulnerability assessment integration, 32
query(ies)
ARG (Azure Resource Graph), 163
assessment, 103
KQL (Kusto Query Language), 102
R
Ransomware as a Service (RaaS), 1, 2
RBAC (role-based access control)
Azure, 14
recommendations, 31, 35. See also Secure Score
allowing/denying, 84
Azure Security Benchmark, 74-75
compute, 121
container security, 128
controls, 117
Enable Endpoint Protection, 129-131
Manage Access and Permissions, 118-121
Remediate Vulnerabilities, 125-128
Secure Management Ports, 121-124
CSPM (Cloud Security Posture Management), 36-38
disabling, 76
due date, 145
finding only your own, 148-149
grace period, 145
policy, 80
VA (vulnerability assessment), 167-168
red-teaming, 8
registration, Microsoft.Security resource provider, 63-65
regulatory standards and compliance
building your own compliance initiative, 96-99
customizing your experience, 94-96
Microsoft Defender for Cloud, 92-94
remediating
recommendations, 115-116, 138-140
reports
Cybersecurity and Infrastructure Security Agency (CISA)
Alert Report (AA22-040A), 1
Analysis Report (AR21-013A), 6
Secure Score, 111-112, 114-115
requesting JIT access, 207-208
resource(s)
responding to alerts, 187
contact, 187
impact, 188
take action, 188
REST (Representational State Transfer) API
accessing alerts using, 224-230
request/response pair, 223-224
REvil, 2
rules
creating, 220
external access preventions, creating, 123-124
publisher, 219
S
search box, Security Alerts dashboard, 159
Secure Management Ports control, 121-124
Secure Score, 34, 37, 82-83. See also recommendations
calculating influence per resource, 109
downgrade notification, 115
improving security posture, 105-109
preview recommendations, 108
recommendations
for compute, 121
container security, 128
controls, 117
Enable Endpoint Protection control, 129-131
finding only your own, 148-149
Manage Access and Permissions control, 118-121
Remediate Vulnerabilities control, 125-128
Secure Management Ports control, 121-124
Take Action tab, 160
vulnerabilities, remediating, 125-128
security
alerts, 156-157. See also alerts
accessing using Graph Security API, 230-232
accessing using REST API, 224-230
application violation, 221
ARG (Azure Resource Graph), 163
assessment, 105
Azure
cloud
compliance, 11
data protection, 13
identity and access management, 12
operational, 12
FIM (File Integrity Monitoring), 209-210
customizing your settings, 210-213
VA (vulnerability assessment), 40-41
proactive, 83
Security Alerts dashboard, 157-161
Alert Details page, 159
Full alert page, 160
search box, 159
Security Posture dashboard, 106-107
segmentation, VNet, 17
SIEM (security information and event management), 189
SOAR (security orchestration, automation, and response), 189, 228
SolarWinds, 4
source code management system, 1, 245-246. See also Microsoft Defender for DevOps
connecting to Defender for Cloud, 249-251
spearphishing, 3
stakeholders, 34
storage
ADE (Azure Disk Encryption), 19-20
Blob, 9
Storage Firewall, 20
“Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services”, 6
subscription(s)
Azure, 14
onboarding, 46
at scale, 63
ownership, 120
supply chain attacks, 4
T
templates, ARM, 89, 235-237, 240
Best Practice Analyzer, 256-257
exporting ARM templates from Azure Portal, 240-241
threat(s)
misconfiguration, 9
Defender for App Service, 169-171
Defender for Cosmos DB, 177-178
Defender for Key Vault, 179
Defender for Open-Source Relational Databases, 178-179
Defender for Resource Manager, 180-181
phishing attacks, 6
ransomware, 6
tiles, Microsoft Defender for Cloud dashboard, 33-34
tools, MSDO (Microsoft Security DevOps), 253-254, 256-257
ARM Template Best Practice Analyzer, 256-257
Credential Scanner, 257
TVM (Microsoft Defender for Endpoint’s Threat and Vulnerability Management), auto-provisioning, 56-57
U-V
VA (vulnerability assessment), 40-41, 167-168
Verizon Data Breach Report 2020, 6
VMBA (Virtual Machine Behavioral Analysis), 155-156
VMs (virtual machines)
AWS (Amazon Web Services), onboarding, 62-63
FIM (File Integrity Monitoring), 209-210
customizing your settings, 210-213
JIT (just-in-time) access, 201-203
Log Analytics agent, auto-provisioning, 52-54
VNets (virtual networks)
segmentation, 17
VSCode (Visual Studio Code), creating ARM templates, 241-243
vulnerabilities
CVE-2021-44228, 3
W-X-Y-Z
Windows systems, Defender for Servers, 165-166
workflow, CSPM (Cloud Security Posture Management), 35-36