Forum Widgets
Latest Discussions
Defender for Servers plans
Article: defender-for-servers This article states the plan names as Defender for Servers Plan 1 and 2. Neither of these show up in the licensing marketplace. I do see "Microsoft Defender for Business servers", but there are no level 1 or 2 options. The article above was last updated 12/2024. Not sure where to go from here.CharlieDeltaFeb 12, 2025Copper Contributor28Views0likes1CommentDefender for Database - SQL Server on Machine Pricing
Hi Folks , while we enable defender on Databases ( enable SQL server on machine ) do we also need to enable on Server ( which is running SQL Server). Also defender for Server cost - 15$ /server/month and SQL Server on Machine cost -15$/Server/month, Separate cost for both will be applicable ? apart from enabling toggle do we need any addition configuration for enabling defender for Databases ?what is recommended setting of workspace for AMA configuration ( default or custom ) can we choose sentinel workspace ?Victor1989Jan 30, 2025Copper Contributor22Views0likes0CommentsHow to programmatically assign security standards on Defender for Cloud
Hi all, i would like to know if there is a way to programmatically (REST API, Terraform,...) activate custom secutity Standards on Defender for Cloud. Basically the step 6 on this guide https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages. I didn't found any way to do that. I have a policySet that i would like to activate in an automated way. Any ideas? Thank you in advance!diecavJan 29, 2025Copper Contributor67Views0likes0CommentsDefender for Server deployed, integration for DfE checked, but M365 Defender showing "Can be onboard
I'm sure I'm missing something in the slightly complicated way of enabling servers for DfE via Defender for Cloud Server. The licensing is in-place the checkboxes to share data are ticked. The servers are showing as onboarded in Defender for Cloud however, the one portal to rule them all - Microsoft Defender 365 - is still showing the servers as "Can be onboarded" and missing the data of a properly onboarded DfE client. Where should I start my troubleshooting to determine what I've missed or what is going wrong? Paul2.3KViews0likes5CommentsKQL Secure score controls and Assessments
I have a query that is working but is not producing what I need. a query that will combine the Recommedation categories( 13 listed under the Classic View in recommendations) and the individual assessments associated to those categories: securityresources | where type == "microsoft.security/securescores/securescorecontrols" | extend category_name = tostring(properties.displayName) //category name | extend Tenant_Id=tostring(tenantId) | extend healthy = properties.healthyResourceCount | extend unhealthy = properties.unhealthyResourceCount | extend notApplicable = properties.notApplicableResourceCount | extend score = properties.score | extend scr= parse_json(score) | project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id | join ( securityresources | where type == "microsoft.security/assessments" | extend assessment_name = tostring(properties.displayName) //assessment name | extend Tenant_Id=tostring(tenantId) | extend resourceName = properties.resourceDetails.ResourceName | extend status = properties.status.code | extend metadata = properties.metadata | extend severity = metadata.severity | project assessment_name, resourceName, status, severity, Tenant_Id ) on Tenant_Id | project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore,Tenant_Id This is a work in progress script, I do get a valid script but I know it is not working like I need it to work. For example, when I run this script, I get for "assessment_name: EDR solution should be installed on Virtual Machines" but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add anothere "Type" but I'm not sure which. Please advise, SergesnteranJan 18, 2025Copper Contributor10Views0likes0CommentsNo automatic MDE.Windows installation anymore
We have an Azure subscription to which our on-premises servers are connected via Azure Arc. Actually, only Microsoft Defender for Servers Plan 1 should be used. However, ‘Plan 2’ is billed in the cost analyses, which leads to significantly higher costs than planned. I´ve fixed it but it lead to the Problem of not installing MDE.Windows anymore. The servers are connected to Azure by executing a script, after which some plugins are installed(MDE.Windows, MicrosoftMonitoringAgent, and on some servers "WindowsPatchExtension"). In the environment management of Defender for Cloud we have explicitly selected plan 1, despite this plan 2 is activated for each server. There is no Log-Workspace. Here are the Policies, i think they go automaticly created by Azure. I´ve deleted "ASC provisioning LA agent Windows Arc" and the linux one because this is deploying the two Extensions "MicrosoftMonitoringAgent" and "WindowsPatchExtension", which activate Plan 2. After deleting those to Extensions i should not get billed as Plan 2 anymore. My Problem is now that i don´t have the policy to install the MDE Plugin anymore. How do i get this working again, i need to install only the MDE Plugin on the computers to ensure we only use Plan 1. No other extensions, no Log-Workspace... Appreciate the help.61Views0likes0CommentsAutomate the AWS account onboarding process
How can we automate the onboarding process for new tenants that ensures any new AWS account created within the landing zone is automatically onboarded to Microsoft Defender, exploring an alternative automation approach that is directly embedded within the structure of the stack set.VaibhavBeoharJan 14, 2025Copper Contributor9Views0likes0Comments"Duplicate" alerts in Defender for Cloud from MDE
Hello, I discovered that security alerts generated from Defender for Endpoint are causing "duplicate" security alerts in Defender for Cloud. We have several Azure Arc-enabled servers active with Defender for Server P1 which includes Defender for Endpoint integration. Hence Arc servers are automatically onboarded to Defender for Endpoint. We had a false positive caused by the addition of AV exclusions which generated an alert / incident in Defender XDR which was then synced to Sentinel. Closing the alerts in Defender XDR or Sentinel resulted in synced status between the two. However it seems the same alerts were also created in Defender for Cloud, and their status remained "open" even after being resolved in Defender XDR. The link in the open Defender for Cloud Alert effectively opens up the resolved alert in Defender XDR. So it seems to be the same alert but its status is not being synced. Is this a known issue?packetknightJan 12, 2025Copper Contributor81Views0likes1CommentHow to check the standard policy is working? Is there any report tracking?
How to check the standard policy is working? Is there any report tracking? https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendationsbimalashresthaJan 12, 2025Copper Contributor20Views0likes1Comment
Resources
Tags
- cloud security92 Topics
- cloud security posture management35 Topics
- security31 Topics
- microsoft defender for endpoint22 Topics
- Azure Defender for Servers22 Topics
- azure21 Topics
- threat protection19 Topics
- vulnerabilities15 Topics
- best practices12 Topics
- Security Controls12 Topics