Blog Post

Microsoft Defender for Cloud Blog
5 MIN READ

Security Control: Apply adaptive application control

Safeena Begum Lepakshi's avatar
Dec 03, 2020

As part of our recent Microsoft Defender for Cloud Blog Series, we are diving into the different controls within MDC’s Secure Score.  In this post we will be discussing the control of “Apply Adaptive Application control”.  

 

This security control contains up to recommendations, depending on the resources you have deployed within your environment, and it is worth maximum of 1 point (2%) that counts towards your overall Secure Score. To understand about Microsoft Defender for Cloud’s secure score make sure you read this articleThese recommendations are meant to keep your resources safe and improve your security hygiene.

 

Apply adaptive application control contains the following 7 recommendations, depending on your environment:

  • Log Analytics agent should be installed on your virtual machine 
  • Monitoring agent should be installed on your machines
  • Log Analytics agent should be installed on your Windows-based Azure Arc machines
  • Log Analytics agent should be installed on your Linux-based Azure Arc machines 
  • Log Analytics agent health issues should be resolved on your machines 
  • Adaptive application controls for defining safe applications should be enabled on your machines 
  • Allowlist rules in your adaptive application control policy should be updated 

The example screenshot below shows an environment in which only 6 of those recommendations are within the scope of Apply adaptive application control security control, because the recommendations which do not apply to any resource within your environment do not appear.  

Image 1 – Recommendations within the Apply adaptive application control

Like the rest of the Secure Score controls, all these recommendations must be considered in order to get the full points and drive up your Secure Score (you can review all of the recommendations here). Also, some might have a “Quick Fix!” button as well!  No excuses not to enable those, it simplifies remediation and enables you to quickly increase your secure score, improving your environment’s security. To understand how Quick Fix works, please make sure to visit here  

 

Category #1: Log Analytics agent should be installed on your virtual machine

To monitor for security vulnerabilities and threats, Microsoft Defender for Cloud depends on the Log Analytics Agent. The agent collects various security-related configuration details and event logs from connected machines, and then copies the data to your Log Analytics workspace for further analysis. Without the agent, Microsoft Defender for Cloud will not be able to collect security data from the VM and some security 

recommendations and alerts will be unavailable and within 24hrs, Microsoft Defender for Cloud will determine that the VM is missing the extension and recommends you to install it via this security control. You could manually install the agent with the help of this recommendation or If you have auto-provisioning turned on, when Microsoft Defender for Cloud identifies missing agent, it installs the extension automatically which in-turn reduces management overhead. Refer to this article to understand deployment options. Several questions arise at this point for scenarios like, how auto provisioning works in cases where there is already an agent installed and to understand that please read this information.

The following recommendations belong to this category:

  • Monitoring agent should be installed on your machines.
  • Log Analytics agent should be installed on your Windows-based Azure Arc machines. This recommendation applies to Windows-based Azure Arc machines
  • Log Analytics agent should be installed on your Linux-based Azure Arc machines. This recommendation applies to Linux-based Azure Arc machines

Alternatively, to fix this recommendation, you can visit our Github Repository and leverage the automations we have published there.  

 

Category #2: Log Analytics agent health issues should be resolved on your machines

You’ll notice this recommendation when Microsoft Defender for Cloud finds Log Analytics agent unhealthy which means, a VM is unmonitored by Defender for Cloud since the VM does not have healthy Log Analytics agent extension. This could be due to several reasons, one of it could be the agents are not able to connect to and register with Microsoft Defender for Cloud due to no access to the network resources. Read more about this scenario here. To fully benefit from all of Microsoft Defender for Cloud's capabilities, the Log Analytics agent extension is required.

For more information about the reasons Microsoft Defender for Cloud is unable to successfully monitor VMs and computers initialized for automatic provisioning, see Monitoring agent health issues.

 

NOTE: The above recommendations (Category #1 and #2) to install the agent and recommendation about agent health issues are pre-requisites. You might observe these recommendations also show up in a different security control, and if they were remediated there, it will not appear here in this Security control.

 

Category #3: Adaptive application controls for defining safe applications should be enabled on your machines

Application allowlist is not necessarily a new concept. One of the biggest challenges of dealing with the application allowlist is how to maintain that list. The traditional approach of using AppLocker in Windows is a good solution, but still has the overhead of keeping up with the applications and making the initial baseline work properly for our needs.

 

Adaptive application controls is one of the advanced protection features you can benefit from, when you upgrade to Microsoft Defender plans, this falls under the cloud Workload Platform Protection (CWPP).

Adaptive application controls help to harden your VMs against malware by making it easier to control which applications can run on your Azure VMs. Microsoft Defender has built-in intelligence that allows you to apply allowlist rules based on machine learning. This intelligence analyzes the processes that are running in your VMs, creates a baseline of applications, and groups the virtual machines. From here, recommendations are provided that allow you to automatically apply the appropriate allowlist rules. The use of machine learning intelligence makes it super simple to configure and maintain application the allowlist.

 

With this feature, you’re able to alert on or audit . These can even be malicious applications that might otherwise be missed by endpoint protection solutions, or applications with known vulnerabilities. By default, Microsoft Defender plans enables application control in Audit mode. No enforcement options are available at this time of writing.

 

Adaptive Application Control do not support Windows machines for which AppLocker policy is already enabled by either group policy objects (GPOs) or Local Security policy.

Hope this helps you understand why it is super important for you to enable them. Learning about Adaptive Application Control is essential for anyone looking to gain more granular control and security within their environment, so make sure to read our documentation.

 

Category #4: Allowlist rules in your adaptive application control policy should be updated

This recommendation will be displayed when Microsoft Defender’s machine learning identifies potentially legitimate behavior that hasn’t previously been allowed. This recommendation suggests you to add new rules to the existing policy to reduce the number of false positives in adaptive application controls violation alerts. To edit the application control policy please refer to this for more information.

 

Next Steps

As with all security controls, you need to make sure to remediate all recommendations within the control that apply to a particular resource in order to gain credit towards your secure score.

 

I hope you enjoyed reading this blog post as much as I enjoyed writing it and learned how this specific control can assist you to strengthen your Azure security posture.

  • The main blog post to this series (found here)
  • The DOCs article about Secure Score (this one

 

P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.

 

Reviewer

Special Thanks to @Yuri Diogenes, Principal PM Manager for reviewing this article.

 

 

Updated Nov 01, 2021
Version 5.0
  • joetahsin's avatar
    joetahsin
    Copper Contributor

    Hi there, 

     

    greate blog! actually im working now on this feature, want to do some PoC with this, but im running to an issue. I have enabled the cloud for defender package for the vm's and enabled the neccessary policies. But when i want to enable this feature, i still see nothing or no option to create an allow list . Do i miss something here?  How can i make this work ?

    see screenshot.

     

     

     

     

  • joetahsin's avatar
    joetahsin
    Copper Contributor

    i've managed it now, im seeing now some things under "recommended" . Is it possible to get the logs when this has been activated or can someone tell me how long it takes before security center shows these resources here ?