Defender for Cloud Onboarding workbook
Published Aug 11 2022 09:45 AM
Microsoft

By default, Microsoft Defender for Cloud is not enabled on an Azure Subscription. However, if you visit Defender for Cloud in the Azure portal for the first time or if you enable it programmatically via the REST API, Defender for Cloud is enabled for free on all your Azure subscriptions. 

In large-scale deployments that involve dozens of subscriptions with hundreds and thousands of resources, it may be a challenge to have a centralized view of the current state of Defender for Cloud enablement across all Azure subscriptions.

Learn about Defender for Cloud enhanced security features.

 

How does the Onboarding workbook help?

This workbook helps you track which Azure subscriptions under your Tenant are onboarded with Defender for Cloud. Also, it lists the resources deployed into these subscriptions that can be protected by the Defender for Cloud workload protection plans, and it checks if any required agents are missing for the workload protection.

The workbook provides different tabs organized as:

  • Subscription Onboarding
  • Defender Plans Onboarded
  • Onboarding Agents Health

The sample screenshot below shows how these tabs are distributed in the main dashboard:

 

[Screenshot: workbook tabs in the main dashboard]

The Subscription Onboarding Tab displays the list of “Subscriptions Onboarded to Defender for Cloud” and “Subscriptions which are NOT Onboarded to Defender for Cloud” as shown in the screenshot.

To onboard a subscription to Defender for Cloud, a user must be a Security Admin, an Owner or a Contributor of that subscription. The user can check their permissions on the subscription by clicking the “Check User Access” option, as shown in the screenshot below. A user with the required permissions can click “Click here” to enable Defender for Cloud for the subscriptions or management group.

 

[Screenshot: Subscription Onboarding tab with the “Check User Access” option]

The Defender Plans Onboarded tab displays the subscriptions that are onboarded to a Defender plan, the status of each Defender plan, and the resources deployed in the subscription. You can click the status of a Defender plan to turn it On or Off for the subscription.

 

[Screenshots: Defender Plans Onboarded tab]

It also displays the Log Analytics workspaces that are onboarded to a Defender plan and the status of the Defender plan. You can click the status of the Defender plan to turn it On or Off for the Log Analytics workspace, as shown below:

[Screenshot: Defender plan status for Log Analytics workspaces]
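
The per-subscription plan status described for the Defender Plans Onboarded tab can also be derived from each subscription's Microsoft.Security/pricings records, where a pricingTier of "Standard" means the plan is On and "Free" means it is Off. The following is an added example, not part of the original post or the workbook's own code; the function names, state labels, subscription IDs and sample records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample (not real tenant output): per subscription, the "value" array
# returned by listing Microsoft.Security/pricings. Subscription IDs are placeholders.
SUB_A, SUB_B, SUB_C = (f"00000000-0000-0000-0000-00000000000{i}" for i in (1, 2, 3))
SAMPLE_PRICINGS = {
    SUB_A: [
        {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "subPlan": "P2"}},
        {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
        {"name": "KeyVaults", "properties": {"pricingTier": "Standard"}},
    ],
    SUB_B: [
        {"name": "VirtualMachines", "properties": {"pricingTier": "Free"}},
        {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
    ],
    SUB_C: [],  # nothing returned for this subscription
}


def plan_status(pricings_by_sub):
    """Return {subscription_id: {"on": [...], "off": [...], "state": str}}."""
    report = {}
    for sub_id, plans in pricings_by_sub.items():
        on, off = [], []
        for plan in plans:
            tier = str((plan.get("properties") or {}).get("pricingTier", "")).lower()
            # "Standard" means the plan is On; "Free" or a missing tier counts as Off.
            (on if tier == "standard" else off).append(plan.get("name", "<unnamed>"))
        if not plans:
            state = "no-pricing-data"  # unknown rather than Off: needs a manual check
        elif not off:
            state = "all-plans-on"
        else:
            state = "partial" if on else "all-plans-off"
        report[sub_id] = {"on": sorted(on), "off": sorted(off), "state": state}
    return report


def coverage_gaps(report):
    """Pivot to {plan_name: [subscription_ids where that plan is Off]}."""
    gaps = defaultdict(list)
    for sub_id, entry in report.items():
        for plan in entry["off"]:
            gaps[plan].append(sub_id)
    return {plan: sorted(subs) for plan, subs in sorted(gaps.items())}


if __name__ == "__main__":
    for sub_id, entry in plan_status(SAMPLE_PRICINGS).items():
        print(sub_id, entry["state"], "| on:", entry["on"], "| off:", entry["off"])
```

The "no-pricing-data" state is kept separate from "all-plans-off" so that a subscription the caller could not read is not reported as unprotected by choice.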

 

 

 

The Onboarding Agents Health tab displays the Unhealthy status of the Log Analytics agent, Endpoint Protection solution and Vulnerability solution for Azure VMs, VM Scale Sets, Arc-enabled VMs and SQL VMs. It also displays the Unhealthy status of the Defender Profile and the Azure Policy Extension for Azure AKS and Arc-enabled Kubernetes clusters. Click an Unhealthy status to go to the recommendation and fix the issue, as shown in the screenshots below:

 

[Screenshots: Onboarding Agents Health tab]

How to Deploy

The Defender for Cloud Onboarding Workbook is available in the Microsoft Defender for Cloud GitHub repository, under Workbooks, and can be accessed directly through the Defender for Cloud Onboarding Workbook link.

The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.

 


Acknowledgements

  • Special thanks to Shay Amar for the partnership in reviewing and providing feedback on the artifact.
  • Many thanks to Tom Janetscheck & Yuri Diogenes for supporting my initiative and suggesting feedback.