Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Policy change alert on Defender for Cloud

Copper Contributor

Does Defender for Cloud generate any alerts when a security policy is changed or disabled? What's the best way to monitor this?   

1 Reply
best response confirmed by Nakool (Copper Contributor)
Under normal circumstances it does not. If you have defender for ARM plan enabled, we can detect the following potentially malicious administrative/management activities: Otherwise following the least privileged strategy along with proper RBAC and identity protection in place is the way to go. In addition, all management activities are stored in Azure Activity Logs and can be streamed to a SIEM or alike tools.