Forum Discussion
Nakool
Mar 28, 2022
Copper Contributor
Policy change alert on Defender for Cloud
Does Defender for Cloud generate any alerts when a security policy is changed or disabled? What's the best way to monitor this?
- StanislavBelov
Microsoft
Under normal circumstances it does not. If you have the Defender for ARM plan enabled, we can detect the following potentially malicious administrative/management activities: https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-resourcemanager

Otherwise, following the least-privilege strategy along with proper RBAC and identity protection in place is the way to go. In addition, all management activities are stored in Azure Activity Logs and can be streamed to a SIEM or similar tools.
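
The Activity Log monitoring suggested in the answer above, as an added example that is not part of the original thread: a filter that picks completed Azure Policy writes and deletes out of exported Activity Log records. The JSON-lines layout, the `caller` field, and all sample records are assumptions constructed for illustration; adjust the field names to whatever your export or SIEM connector emits.

```python
import json

# Operation prefixes for Azure Policy objects, lower-cased because exported
# Activity Log records may upper-case operationName.
POLICY_PREFIXES = (
    "microsoft.authorization/policyassignments/",
    "microsoft.authorization/policydefinitions/",
    "microsoft.authorization/policysetdefinitions/",
    "microsoft.authorization/policyexemptions/",
)
DONE = {"success", "succeeded"}  # completed operations only; skips Start/Failure

# Constructed sample records (not real tenant data), one JSON object per line.
# Assumed fields: time, operationName, resultType, caller, resourceId.
SAMPLE_LOG = """\
{"time":"2022-03-28T10:01:00Z","operationName":"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE","resultType":"Start","caller":"admin@example.test","resourceId":"/SUBSCRIPTIONS/0000/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/BASELINE"}
{"time":"2022-03-28T10:01:02Z","operationName":"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE","resultType":"Success","caller":"admin@example.test","resourceId":"/SUBSCRIPTIONS/0000/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/BASELINE"}
{"time":"2022-03-28T10:05:00Z","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE","resultType":"Success","caller":"dev@example.test","resourceId":"/SUBSCRIPTIONS/0000/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1"}
{"time":"2022-03-28T10:09:30Z","operationName":"Microsoft.Authorization/policyExemptions/write","resultType":"Success","caller":"dev@example.test","resourceId":"/SUBSCRIPTIONS/0000/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYEXEMPTIONS/SKIP-BASELINE"}
{"time":"2022-03-28T10:12:00Z","operationName":"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/WRITE","resultType":"Failure","caller":"guest@example.test","resourceId":"/SUBSCRIPTIONS/0000/PROVIDERS/MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/BASELINE"}
this line is truncated export debris, not JSON
"""

def find_policy_changes(lines):
    """Return completed Azure Policy write/delete events from JSON-lines input."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the export
        if not isinstance(rec, dict):
            continue
        op = str(rec.get("operationName", "")).lower()
        if not op.startswith(POLICY_PREFIXES):
            continue  # unrelated management operation
        if str(rec.get("resultType", "")).lower() not in DONE:
            continue  # Start and Failure records do not change policy state
        hits.append({"time": rec.get("time"),
                     "caller": rec.get("caller", "unknown"),
                     "action": op.rsplit("/", 1)[-1],  # "write" or "delete"
                     "operation": op,
                     "resource": rec.get("resourceId")})
    return hits

if __name__ == "__main__":
    for hit in find_policy_changes(SAMPLE_LOG.splitlines()):
        print(f'{hit["time"]} {hit["caller"]} {hit["action"]} {hit["resource"]}')
```

Failed attempts are dropped here to keep the output to actual state changes; a production rule may want to surface them separately.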