Microsoft Defender for Cloud Blog

Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager

YuriDiogenes, Microsoft
Jul 12, 2021

Introduction

In this blog, we guide you through conducting a Proof of Concept (PoC) for Microsoft Defender for Resource Manager, one of the plans in Microsoft Defender for Cloud. This plan provides security analytics and threat detection for resource management operations across Azure.

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Defender for Cloud plan. For a more holistic approach, where you need to validate Microsoft Defender for Cloud as a whole, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

 

Description of the Plan

Microsoft Defender for Resource Manager is one of the Cloud Workload Protection (CWP) plans in Microsoft Defender for Cloud. It protects Azure Resource Manager (ARM), the deployment and management service in Azure through which you create, update, and delete resources. This management layer is where resource organization and security controls live: role-based access control, resource locks, and tags are all applied through it.

Defender for Resource Manager monitors resource management operations regardless of the client that issues them: the Azure portal, the Azure REST APIs, Azure CLI, Azure PowerShell, and other programmatic clients. This monitoring matters because the ARM layer is a high-value target for attackers: an identity that can call ARM can enumerate, reconfigure, or destroy every resource it has permissions on, without ever touching the workload itself.

Key Benefits

  • Detection of Suspicious Activities: Identifies suspicious resource management operations, such as operations from malicious IP addresses, attempts to disable antimalware, and suspicious scripts in VM extensions.
  • Detection of Exploitation Toolkits: Alerts on the use of known Azure exploitation toolkits such as MicroBurst or PowerZure.
  • Lateral Movement Detection: Detects lateral movement from the Azure management layer (ARM) to the data plane of Azure resources. Note that this is a detection plan, not a preventive control; it does not block the operation.

To enable this plan, open Microsoft Defender for Cloud in the Azure portal, go to Environment settings, select the relevant subscription, and turn the Resource Manager plan on. Once enabled, the plan provides continuous security analytics and threat detection for the resource management layer of that subscription.

 

Planning

As part of your Microsoft Defender for Resource Manager PoC you need to identify the use case scenarios that you want to validate. A common scenario is cloud service discovery, where an adversary who has obtained a valid identity tries to enumerate the cloud services that are running through calls to Azure Resource Manager.

You can use the list of alerts for Microsoft Defender for Resource Manager in the alerts reference as your starting point to plan which actions you want to execute and which detections you expect to see.

Since this plan is enabled in the Azure back end and does not deploy an agent, it will not affect the performance of your workloads in Azure.

Keep in mind that you have a 30-day free trial of Microsoft Defender for Resource Manager, which means that you should plan to execute your PoC before this trial expires and, based on the results, decide whether to keep the plan enabled.


Updated Pricing Model

The new pricing model for Microsoft Defender for Resource Manager is a flat $5 per subscription per month, replacing the earlier per-API-call billing. This change makes the cost predictable and can lead to significant savings, especially for subscriptions with high API call volumes.

Switching to the New Pricing Plan

To switch, navigate to the Azure portal, select each subscription, and set the Resource Manager plan to the "Standard" pricing tier with the "PerSubscription" sub-plan. For more than a handful of subscriptions, automate this with PowerShell or the Microsoft.Security/pricings REST API rather than clicking through the portal.
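The following PowerShell script is an added example and is not the script the original post referred to. It enables Defender for Resource Manager on every enabled subscription the signed-in account can see, moves it to the per-subscription sub-plan, and reports the before and after state together with the remaining free-trial time. It assumes the Az.Accounts and Az.Security modules, an existing Connect-AzAccount session with Security Admin (or Owner) on each subscription, that the pricing resource for this plan is named "Arm" and the sub-plan value is "PerSubscription" (as in the Microsoft.Security/pricings API), and that the object returned by Get-AzSecurityPricing exposes PricingTier, SubPlan and FreeTrialRemainingTime properties.

```powershell
#Requires -Modules Az.Accounts, Az.Security
# Added example, not from the original post. Run after Connect-AzAccount.
# Assumptions: pricing name "Arm", sub-plan "PerSubscription", and
# PricingTier / SubPlan / FreeTrialRemainingTime on the pricing object.

param(
    # Optional list of subscription IDs; defaults to all enabled subscriptions.
    [string[]] $SubscriptionId,
    # Report what would change without calling Set-AzSecurityPricing.
    [switch] $ReportOnly
)

$subs = if ($SubscriptionId) {
    $SubscriptionId | ForEach-Object { Get-AzSubscription -SubscriptionId $_ }
} else {
    Get-AzSubscription | Where-Object State -eq 'Enabled'
}

$report = foreach ($sub in $subs) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    $before = Get-AzSecurityPricing -Name 'Arm'
    $needsChange = ($before.PricingTier -ne 'Standard') -or
                   ($before.SubPlan -ne 'PerSubscription')

    if ($needsChange -and -not $ReportOnly) {
        # Standard tier = plan on; PerSubscription = flat monthly pricing.
        Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard' -SubPlan 'PerSubscription' | Out-Null
        $after = Get-AzSecurityPricing -Name 'Arm'
    } else {
        $after = $before
    }

    [pscustomobject]@{
        Subscription       = $sub.Name
        SubscriptionId     = $sub.Id
        TierBefore         = $before.PricingTier
        SubPlanBefore      = $before.SubPlan
        TierAfter          = $after.PricingTier
        SubPlanAfter       = $after.SubPlan
        FreeTrialRemaining = $after.FreeTrialRemainingTime
        Changed            = [bool]($needsChange -and -not $ReportOnly)
    }
}

$report | Format-Table -AutoSize
```

Run it first with -ReportOnly to see which subscriptions are still on the Free tier or on the old sub-plan; the FreeTrialRemaining column tells you how much of the 30-day trial window each subscription has left for the PoC.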

 

Preparation

You need at least the Security Admin role on the subscription to enable Microsoft Defender for Resource Manager. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC team, make sure they are familiar with the alerts that may appear once you enable this plan, so that your simulated activity is not mistaken for a real incident. Review all alerts available in our Alerts Reference Guide.

 

From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for Resource Manager:

 

Implementation and validation

You can use the sample alert feature to validate that Microsoft Defender for Resource Manager alerts reach your SOC tooling, or you can use the procedures from this article to simulate an attack and see how Microsoft Defender for Resource Manager detects it. As you review each alert, it is important to understand how to interpret the metadata it carries (the caller, the source IP address, the operations performed, and the affected resources). Read this article for more information on how to respond to ARM alerts.
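The following PowerShell script is an added example, not code from the original post. After you have generated sample alerts or run a simulation, it pulls the Defender for Cloud alerts for the current subscription, keeps only those raised by the Resource Manager plan, and prints a per-detection summary followed by the metadata a responder looks at first. It assumes the Az.Accounts and Az.Security modules, an existing Connect-AzAccount session, that Resource Manager alert types carry the "ARM_" prefix as listed in the alerts reference (for example ARM_MicroBurst.* and ARM_PowerZure.*), and that the objects returned by Get-AzSecurityAlert expose AlertType, AlertDisplayName, Severity, TimeGeneratedUtc, CompromisedEntity and an ExtendedProperties dictionary.

```powershell
#Requires -Modules Az.Accounts, Az.Security
# Added example, not from the original post. Run after Connect-AzAccount
# and Set-AzContext for the subscription used in the PoC.
# Assumptions: ARM_* alert type prefix; AlertType, AlertDisplayName,
# Severity, TimeGeneratedUtc, CompromisedEntity, ExtendedProperties
# properties on the alert object.

param(
    # How far back to look for alerts generated during the PoC.
    [int] $LookbackDays = 7
)

$since = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)

$armAlerts = Get-AzSecurityAlert |
    Where-Object { $_.AlertType -like 'ARM_*' -and $_.TimeGeneratedUtc -ge $since } |
    Sort-Object TimeGeneratedUtc -Descending

if (-not $armAlerts) {
    Write-Host "No Defender for Resource Manager alerts in the last $LookbackDays days."
    return
}

# Summary: which detections fired and how many times each, so you can
# tick off the scenarios you planned against the alerts that appeared.
$armAlerts | Group-Object AlertType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: ExtendedProperties is a key/value bag whose keys vary per alert
# type (caller, client IP, operations, user agent, ...). These are the
# fields you correlate against the operations you actually ran.
foreach ($a in $armAlerts) {
    $props = foreach ($kv in $a.ExtendedProperties.GetEnumerator()) {
        "$($kv.Key)=$($kv.Value)"
    }
    [pscustomobject]@{
        Time       = $a.TimeGeneratedUtc
        Severity   = $a.Severity
        Alert      = $a.AlertDisplayName
        Type       = $a.AlertType
        Entity     = $a.CompromisedEntity
        Properties = $props -join '; '
    }
}
```

Compare the Properties column against your own activity log (who called ARM, from which IP, and which operations) before handing anything to the SOC; a sample alert that does not match any operation you ran is a sign that the simulation, not the plan, needs adjusting.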

 

Conclusion

By the end of this PoC you should be able to determine the value of this plan and the importance of having this level of threat detection for the management layer of your workloads.

 

P.S. Subscribe to our Microsoft Defender for Cloud blog to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.

Updated Jun 14, 2024
Version 8.0