Microsoft Defender for Cloud PoC Series - Defender for Servers
Published Sep 20 2021 04:14 PM 11.5K Views


This article is part of our Microsoft Defender for Cloud PoC Series which provides you with guidelines on how to perform a successful proof of concept for a specific Defender for Cloud plan. For a more holistic approach where you need to validate Defender for Cloud please read How to Effectively Perform a Microsoft Defender for Cloud PoC.


Microsoft Defender for Cloud provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network and more.


Defender for Servers adds threat detection and advanced defenses for your Windows and Linux machines.



As part of your Defender for Servers PoC, you need to identify the use case scenarios you want to validate. Defender for Servers includes several threat detection and protection capabilities, some of which are only available for Azure VMs, like Just-in-time VM access, and some can detect potentially malicious activity on your servers, regardless of what platform they are running on – Azure, AWS, GCP, on-premises, etc. You can find a list of all components and their description in our documentation.


Every component has different prerequisites and requires different technics and tools for validation.


While planning your PoC, you need to take into account that many of the Defender for Servers capabilities rely on the Log Analytics agent that collects variety of data from your servers. You can learn more about how Defender for Cloud uses the LA agent and what deployment scenarios are available to you in this article.


If you decide to make your on-premises servers or machines hosted on other clouds, e.g. AWS or GCP, part of the PoC, you need to choose how you are going to connect them to Azure so that Defender for Cloud can discover them and start protecting. There are two ways of doing this: connecting the servers from the Azure portal or using Azure Arc (which is the recommended option). Please keep in mind that certain Azure Defender capabilities in this case, like vulnerability assessments or the integration with Microsoft Defender for Endpoint, are only supported for the Arc-connected machines.


Once your servers are onboarded to Defender for Cloud you will be able to deploy the Qualys vulnerability assessment scanner if you decide to make vulnerability assessment scanning part of your PoC.


Remember that you have 30-day free trial to test Defender for Servers. Any usage beyond 30 days will be automatically charged as per the pricing scheme here.


Preparation and Implementation

In order to enable Defender for Servers, you need a user account that has at least the Security Admin role. For more information about roles and privileges, read this article.


Your first step is to enable Microsoft Defender for Cloud on the subscription(s) you are conducting the PoC in and make sure that Defender for Servers plan is selected.




Next, you also need to enable Defender for Cloud on a Log Analytics workspace you are planning to use to store data collected from your servers by the Log Analytics agent.




If you are testing Defender for Servers on your Azure virtual machines and you have configured auto-provisioning of the LA agent – you are all set – all existing and newly provisioned VMs will be automatically configured to collect and send data to a selected LA workspace.




If you have decided to deploy the LA agent manually, please review this article.



Since Defender for Servers has many capabilities, we are going to group them based on different use case scenarios.


Scenario 1: Attack Surface Reduction

Threat actors actively look for accessible machines with open management ports, like RDP or SSH. As a matter of fact, just by leaving your VM with such ports open to the Internet for a day or two (sometimes even a couple of hours) is enough to become a victim of a brute-force attack and receive a security alert like the one below (make sure you use strong passwords):




Note: Do not forget to configure email notifications to get alerts when Defender for Cloud detects new suspicious activities or attacks.


JIT VM access locks down the inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. To configure and validate JIT VM access feature please follow this guidance.


You may also consider using our playbooks for Windows and Linux to simulate certain malicious activities and trigger alerts.


Adaptive Network Hardening (ANH) uses machine learning to analyze network traffic to and from your machines and provides recommendations (see the example below) to harden the Network Security Groups (NSG) rules. For that reason, it requires at least 30 days of traffic data to build and train a ML model. Please keep this fact in mind when validating this feature.




Adaptive Application Controls (AAC) also use machine learning that needs at least two weeks of data, to analyze the applications running on your servers and create a list of known-safe software. When you've enabled and configured adaptive application controls, you'll get security alerts (see the image below) if any application (other than the ones you've defined as safe) kicks in. Please use this article to configure and validate this feature.




File integrity monitoring (FIM), also known as change monitoring, examines operating system files, Windows registries, application software, Linux system files, and more, for changes that might indicate an attack. Please use this guide to help you configure and verify FIM.


Scenario 2: Integration with an EDR solution

If you have properly enabled and configured the integration with Microsoft Defender for Endpoint (MDE), all new servers connected to Defender for Cloud will be automatically onboarded to MDE, and you will be able to see them on the Microsoft 365 Defender portal. To verify that MDE alerts successfully flow to Defender for Cloud you can use a test alert as described here.


Note: This alert is generated as Informational, so you would need to change the default severity filter in the Defender for Cloud security 
alerts dashboard to see that alert.




Scenario 3: Vulnerability Assessment

Once you have deployed the Vulnerability assessment solution (powered by Qualys) to your servers, the VA scanner will automatically start scanning your machines every 12 hours and report findings to Defender for Cloud (see the image below). Learn more about how to deploy the scanner and how to analyze and remediate vulnerabilities.




As an alternative, you can generate sample alerts to validate Defender for Servers alerts. Please refer to our documentation for a complete list of all analytics/alerts available for both Windows and Linux machines.



By the end of this PoC, you should be able to determine the value of this solution and the importance to have this level of threat detection for your servers.



P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.

Version history
Last update:
‎Sep 26 2022 08:23 AM
Updated by: