Blog Post

Microsoft Defender for Cloud Blog
4 MIN READ

Microsoft Defender for Cloud PoC Series – Microsoft Defender for DNS

Safeena Begum Lepakshi's avatar
Jul 29, 2021

Introduction

This article is a continuation of Microsoft Defender for Cloud PoC Series which provides you guidelines on how to perform a proof of concept for a specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and Microsoft Defender for cloud's enhanced security features, please read How to Effectively Perform an Microsoft Defender for Cloud PoC article. 

 

Defender for Cloud enhanced security features provides advanced threat detection and security alerts for all kinds of workloads, like Virtual Machines, SQL databases, Storage, Containers, Kubernetes, Key Vault, Web applications, Open-source relational databases. Recently we expanded the protection to two new plans, Microsoft Defender for DNS and ARM with the help of which you can enhance the resiliency against attacks.

 

To understand how helps your organization, make sure to read out this article. Microsoft Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources and runs advanced security analytics to alert you when suspicious activity is detected. To read more about how Microsoft Defender for DNS protects against issues, please read our official documentation.

 

Planning

With Microsoft Defender for DNS, we are looking at all the azure resources in an environment that’s connected to the Azure DNS, we are monitoring all the DNS queries that your resources are performing and detecting threats based on these queries so by doing so, we are actually protecting a variety of Azure resources that’s connected to this layer.

 

As part of your Microsoft Defender for DNS PoC you need to identify the use case scenarios that you want to validate. Common scenarios like, you may want to be notified when a DNS attack happens in your environment, DNS tunneling is another type of attack which is trying to exfiltrate sensitive data from your Azure resources, another type of attack is DNS cache poisoning for example, when an attacker is trying to redirect your communication to a malicious website. These attacks utilize DNS mechanism to attack the resource.

 

Microsoft Defender for DNS doesn’t use any agents. To protect your DNS layer, you need to enable Microsoft Defender for DNS for each of your subscriptions to protect the entire Azure subscription with Microsoft Defender for cloud.

 

Preparation

You need at least Security Admin role to enable Microsoft Defender for DNS. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC Team, make sure they are familiar with the alerts that may appear once you enable this plan. Review this article that gives you guidelines on how to respond to Microsoft Defender for DNS alerts Alerts Reference Guide. You can view list of all Azure DNS alerts from this article.

 

As of this blog writing, Microsoft Defender for DNS pricing model would be $0.70/1M Queries. Please visit our Pricing page to calculate the estimation of price in your environment.

 

From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for DNS

Implementation and Validation

To test and validate the Security alerts for Microsoft Defender for DNS follow the steps from this great article to trigger a test alert. For a complete list of all analytics available for Microsoft Defender for DNS, read this documentation.

 

Whether an alert is generated by Microsoft Defender for DNS or received by Microsoft Defender for Cloud from a different Microsoft security solution (MDE for example), you can also export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM. To investigate Microsoft Defender alerts using Azure Sentinel, make sure to check out this blog to understand how they operate in a better together scenario.

 

If you find an alert not relevant, you can manually dismiss it. Alternatively, you can also use suppression rules feature to automatically dismiss similar alerts in the future. Follow our documentation if you’re looking to learn more about Suppression of alerts.

 

Make sure to check out our Microsoft Defender for Cloud Github repository which gives you access to numerous sample security playbooks that will help you automate in remediating a recommendation.

 

Conclusion

By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for DNS and the importance to have this level of threat detection to your workloads.

 

Stay tuned for more Microsoft Defender for Cloud PoC Series!

 

P.S. Subscribe to our Microsoft Defender for Cloud and Defender for cloud with enhanced features Newsletter to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.

Reviewer

Special Thanks to Yuri Diogenes & Tal Rosler for reviewing this article.

 

Updated Oct 31, 2021
Version 4.0