Policy change alert on Defender for Cloud


Does Defender for Cloud generate any alerts when a security policy is changed or disabled? What's the best way to monitor this?   

1 Reply
Under normal circumstances it does not. If you have the Defender for ARM plan enabled, we can detect the following potentially malicious administrative/management activities: https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-resourcemanager. Otherwise, following a least-privilege strategy, along with proper RBAC and identity protection in place, is the way to go. In addition, all management activities are stored in Azure Activity Logs and can be streamed to a SIEM or similar tools.
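
Added example, not part of the reply above or of any Microsoft tooling: a small detector that scans exported Activity Log records for completed Azure Policy changes, which is where a changed or disabled Defender for Cloud security policy appears. The record layout (`time`, `operationName`, `resultType`, `caller`, `resourceId`) is a simplified assumption and the sample lines are constructed; map the field names to whatever your export or SIEM actually uses.

```python
import json

# Azure Policy operations to watch. Defender for Cloud security policies are
# Azure Policy assignments, so changing or disabling one shows up under these.
WATCHED_PREFIXES = (
    "microsoft.authorization/policyassignments/",
    "microsoft.authorization/policyexemptions/",
    "microsoft.authorization/policydefinitions/",
    "microsoft.authorization/policysetdefinitions/",
)
WATCHED_VERBS = ("/write", "/delete")

# Constructed sample export, one JSON record per line (field names assumed).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = f"""\
{{"time":"2024-01-10T09:00:01Z","operationName":"Microsoft.Authorization/policyAssignments/write","resultType":"Start","caller":"alice@example.com","resourceId":"{SUB}/providers/Microsoft.Authorization/policyAssignments/example-assignment"}}
{{"time":"2024-01-10T09:00:02Z","operationName":"Microsoft.Authorization/policyAssignments/write","resultType":"Success","caller":"alice@example.com","resourceId":"{SUB}/providers/Microsoft.Authorization/policyAssignments/example-assignment"}}
{{"time":"2024-01-10T09:05:00Z","operationName":"Microsoft.Compute/virtualMachines/write","resultType":"Success","caller":"alice@example.com","resourceId":"{SUB}/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"}}
{{"time":"2024-01-10T10:30:00Z","operationName":"MICROSOFT.AUTHORIZATION/POLICYASSIGNMENTS/DELETE","resultType":"Success","caller":"bob@example.com","resourceId":"{SUB}/providers/Microsoft.Authorization/policyAssignments/example-assignment"}}
{{"time":"2024-01-10T11:00:00Z","operationName":"Microsoft.Authorization/policyExemptions/write","resultType":"Failure","caller":"bob@example.com","resourceId":"{SUB}/providers/Microsoft.Authorization/policyExemptions/example-exemption"}}
{{"time":"2024-01-10T11:0
"""

def policy_changes(lines):
    """Return completed policy write/delete events from exported log lines."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the run
        if not isinstance(rec, dict):
            continue
        # Operation names arrive in mixed case depending on the export path.
        op = str(rec.get("operationName", "")).lower()
        if not (op.startswith(WATCHED_PREFIXES) and op.endswith(WATCHED_VERBS)):
            continue
        # An operation logs a start record and a final one; alert on success only.
        if str(rec.get("resultType", "")).lower() not in ("success", "succeeded"):
            continue
        hits.append({"time": rec.get("time"), "caller": rec.get("caller"),
                     "operation": op, "resource": rec.get("resourceId")})
    return hits

if __name__ == "__main__":
    for hit in policy_changes(SAMPLE.splitlines()):
        print(hit["time"], hit["caller"], hit["operation"], hit["resource"])
```

Failed attempts are dropped here to keep alert volume low; route them to a lower-severity rule if denied policy changes matter in your environment.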