<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/ct-p/microsoft-defender-for-cloud</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Thu, 09 Jul 2026 17:24:52 GMT</pubDate>
    <dc:creator>microsoft-defender-for-cloud</dc:creator>
    <dc:date>2026-07-09T17:24:52Z</dc:date>
    <item>
      <title>Microsoft Defender for Cloud Customer Newsletter</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4533200</link>
      <description>&lt;H1&gt;What's new in Defender for Cloud?&lt;/H1&gt;
&lt;P&gt;Microsoft Defender for Open-Source Relational Databases is now generally available for Amazon Web Services Relational Database Service (AWS RDS) instances. Receive database threat protection and sensitive data discovery insights for supported open-source relational databases, including Aurora PostgreSQL, Aurora MySQL, PostgreSQL, MySQL, and MariaDB on AWS RDS.&lt;/P&gt;
&lt;P&gt;For more information, see our public&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/mdc_GAawsrds" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Expanded multicloud security coverage now GA&lt;/H2&gt;
&lt;P&gt;Microsoft Defender for Cloud's expanded multicloud security coverage is now generally available. This release significantly broadens posture assessment for AWS and GCP environments, adding support for about 90 new resource types and over 200 new security recommendations across data, identity and access, networking, compute, and container categories.&lt;/P&gt;
&lt;P&gt;For more details, please refer to this&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/mdc_multicloudpostureGA" target="_blank" rel="noopener"&gt;documentation&lt;/A&gt;.&amp;nbsp;&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A class="lia-external-url" href="https://aka.ms/MDCNewsJust" target="_blank" rel="noopener"&gt;Check out other updates from last month here!&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A class="lia-external-url" href="https://aka.ms/mdc_mtpblog" target="_blank" rel="noopener"&gt;Check out monthly news for the rest of the MTP suite here!&lt;/A&gt;&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Blogs of the month&lt;/H2&gt;
&lt;P&gt;In June, our team published the following blog posts we would like to share:&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:false,&amp;quot;orderedStyleType&amp;quot;:1}"&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog1" target="_blank" rel="noopener"&gt;&lt;U&gt;Now Generally Available: Microsoft Defender for open source relational databases on AWS RDS&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog2" target="_blank" rel="noopener"&gt;&lt;U&gt;Start Secure, Stay Secure: How Microsoft is Closing the Gap from Code to Runtime&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog3" target="_blank" rel="noopener"&gt;&lt;U&gt;The end of patching era for containers: Microsoft Defender for Cloud expands hardened image support&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/closing-the-loop-on-container-security-from-code-to-runtime-in-the-ai-era/4528599" target="_blank" rel="noopener"&gt;&lt;U&gt;Closing the loop on container security: From code to runtime in the AI era&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog4" target="_blank" rel="noopener"&gt;&lt;U&gt;Microsoft Defender for Cloud expands multicloud coverage across AWS and Google Cloud&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Defender for Cloud in the field&lt;/H2&gt;
&lt;P&gt;Watch the latest Defender for Cloud in the Field YouTube episode here:&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:true,&amp;quot;orderedStyleType&amp;quot;:1}"&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/mdc_staysecureAIpoweredfixes" target="_blank" rel="noopener"&gt;&lt;U&gt;Stay Secure: AI-powered Faster fixes&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsField&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921371778%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=Ni9o%2FuGnNm5keL5pEgpww3s46S3nE6EfDiG3Z28cPhI%3D&amp;amp;reserved=0" target="_blank" rel="noopener"&gt;&lt;U&gt;Visit our YouTube page&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;GitHub Community&lt;/H2&gt;
&lt;P&gt;Check out Defender for Cloud GitHub lab module 25. It walks through the integration between Defender for Cloud and XDR to provide a comprehensive CDR solution. &amp;nbsp;&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:true}"&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/mdcgit_module25" target="_blank" rel="noopener"&gt;&lt;U&gt;Module 25 -&amp;nbsp; MDC and Defender portal integration&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsGit&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921474195%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=ZBr6NDY28EuqIzivYaky1d%2FBvBAr2oYHDW2vHcYuJKM%3D&amp;amp;reserved=0" target="_blank" rel="noopener"&gt;&lt;U&gt;Visit our GitHub page&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Customer journey&lt;/H2&gt;
&lt;P&gt;Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsStory1" target="_blank" rel="noopener"&gt;&lt;U&gt;Hassan Allam Holding&lt;/U&gt;&lt;/A&gt;. Hassan Allam Holding is an Egyptian private-sector company with operations spanning engineering, construction, and infrastructure investment and was facing operational complexity. To overcome, they leveraged an end-to-end Microsoft Security ecosystem with Defender XDR, which integrates with Defender for Cloud and other products to centralize detection and signals across endpoint, identity, email and cloud workloads. As a result, alert noise reduce by up to 90%, and Hassan Allam Holding is able to respond faster with far less complexity.&amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Join our community!&lt;/H2&gt;
&lt;P&gt;We offer several customer connection programs within our private communities. By signing up, you can help us&amp;nbsp;shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at&amp;nbsp;&lt;A class="lia-external-url" href="https://www.aka.ms/JoinCCP" target="_blank" rel="noopener"&gt;aka.ms/JoinCCP.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/PublicContentFeedback" target="_blank" rel="noopener" aria-label="Link https://aka.ms/PublicContentFeedback"&gt;https://aka.ms/PublicContentFeedback.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter:&amp;nbsp;&lt;A class="lia-external-url" href="https://aka.ms/MDCNewsSubscribe" target="_blank" rel="noopener"&gt;https://aka.ms/MDCNewsSubscribe&lt;/A&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 02 Jul 2026 18:11:31 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4533200</guid>
      <dc:creator>Yura_Lee</dc:creator>
      <dc:date>2026-07-02T18:11:31Z</dc:date>
    </item>
    <item>
      <title>Now generally available: Serverless posture coverage in Microsoft Defender CSPM</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/now-generally-available-serverless-posture-coverage-in-microsoft/ba-p/4532353</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Serverless workloads are a foundation of modern application development, powering everything from low-code and no-code solutions to AI applications and agentic workflows. Development teams use functions, app services, containers, APIs, and event-driven infrastructure to move quickly, scale on demand, and reduce operational overhead. As AI applications and autonomous workflows increasingly rely on distributed services, background tasks, retrieval pipelines, and event-driven components, serverless architectures have become a natural fit.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;At the same time, they introduce new visibility and posture management challenges. While cloud providers manage the underlying infrastructure, organizations&amp;nbsp;remain&amp;nbsp;responsible for securing their applications, including code, container images, dependencies, configurations, identities, permissions, and access paths.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Today,&amp;nbsp;we're&amp;nbsp;announcing the&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;&lt;STRONG&gt;general availability of Serverless Container posture in Microsoft Defender Cloud Security Posture Management (Defender CSPM).&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Building on the recent general availability of&lt;STRONG&gt; Serverless Compute posture in Defender CSPM&lt;/STRONG&gt;, these capabilities extend agentless posture coverage across supported serverless containers, applications, and functions in Azure and AWS.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With this expanded serverless posture coverage, security teams can:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="17" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Discover serverless workloads as first-class assets in a unified cloud inventory&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="17" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Assess workload-specific vulnerabilities, insecure dependencies, and risky configurations&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="17" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Surface exposure, identity, permission, and configuration context&amp;nbsp;that&amp;nbsp;helps prioritize contextual attack paths to broader applications&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="17" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Prioritize risk using security graph context and attack path analysis&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="17" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Act on severity-ranked recommendations in Defender for Cloud&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559739&amp;quot;:0}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Serverless posture&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;coverage&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;&amp;nbsp;across containers, apps, and functions&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Defender CSPM extends posture management across supported serverless workloads in Azure and AWS.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 95.5556%; border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Category&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Covered workloads&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Serverless applications and functions&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Functions, Azure Web Apps, AWS Lambda&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Serverless containers&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Azure Container Apps, Azure Container Instances, AWS ECS on Fargate&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 31.2447%" /&gt;&lt;col style="width: 68.8416%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These resources are automatically discovered and surfaced in Defender cloud inventory, helping security teams&amp;nbsp;maintain&amp;nbsp;visibility across dynamic, event-driven application environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Across supported serverless workloads, multiple layers of posture assessment are provided:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Inventory:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Serverless&amp;nbsp;compute&amp;nbsp;and container workloads are automatically discovered and mapped with key properties, helping teams understand what is running across their environment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;STRONG&gt;&lt;SPAN data-contrast="auto"&gt;Misconfiguration&amp;nbsp;assessment:&amp;nbsp;&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;SPAN data-contrast="auto"&gt;identify&amp;nbsp;risky settings such as internet exposure, missing HTTPS, and other configuration issues that can increase exposure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Vulnerability management:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Vulnerabilities are detected across supported serverless workloads and tracked over time, helping teams understand where exposed workloads may also&amp;nbsp;contain&amp;nbsp;known CVEs.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Attack path analysis:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Serverless resources are connected into the&amp;nbsp;Security Graph, so teams can understand how a compromised function or container could reach sensitive assets.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="5" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Actionable&amp;nbsp;recommendations:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Findings are surfaced as resource-level recommendations, making it easier to assign ownership, remediate, and track progress.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="25" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="6" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Secure Score impact:&lt;/STRONG&gt; &lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Serverless findings contribute to the broader Secure Score, so risk reduction is reflected in the organization’s overall posture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559739&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;These findings are incorporated into Security Graph and attack path analysis, helping security teams understand risk in context and prioritize remediation based on how serverless workloads connect to other resources across the cloud environment.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;img /&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;In practice&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:160,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Exposed function with access to sensitive data:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;A serverless function may look like a simple HTTP endpoint, but if it is internet-facing, running with broad identity permissions, and connected to sensitive storage, it can become part of a real attack path.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;Defender&amp;nbsp;CSPM&amp;nbsp;helps connect these signals across exposure, vulnerabilities, identity, and data&amp;nbsp;access&amp;nbsp;so teams can prioritize the workload based on actual risk, not just isolated findings.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="27" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;&lt;STRONG&gt;Serverless container running a vulnerable image:&lt;/STRONG&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;A serverless container running on Azure Container Apps, Azure Container Instances, or Amazon ECS on AWS Fargate may be fully managed at the infrastructure layer, but the customer still owns the image, application code, identity, configuration, and exposure.&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;If that workload is internet-facing, built from an image with a critical CVE, and connected to Key Vault, storage, or other sensitive services, Defender&amp;nbsp;CSPM&amp;nbsp;helps teams discover it, assess the risk, and prioritize remediation in context.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;One consistent Defender experience&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Defender CSPM&amp;nbsp;now natively&amp;nbsp;includes serverless posture coverage.&amp;nbsp;Discovered functions, web apps, and serverless containers appear in the unified cloud inventory, are evaluated through security recommendations,&amp;nbsp;integrate&amp;nbsp;into attack path analysis, and are&amp;nbsp;queryable&amp;nbsp;through Cloud Security Explorer.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This consistency matters because serverless workloads rarely&amp;nbsp;operate&amp;nbsp;in isolation. A function might call an API, read from a queue, authenticate with a managed identity, and write to storage. A serverless container might expose an endpoint, pull an image from a registry, process events, and connect to secrets or databases.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Defender CSPM helps security&amp;nbsp;teams evaluate these workloads with surrounding context, including exposure, vulnerabilities, identity permissions, configuration risk, and relationships&amp;nbsp;to&amp;nbsp;other resources. That context helps teams move from isolated findings to prioritized remediation.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P aria-level="1"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;Built for modern and&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 1"&gt;AI-ready applications&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;134245418&amp;quot;:true,&amp;quot;134245529&amp;quot;:true,&amp;quot;335559738&amp;quot;:360,&amp;quot;335559739&amp;quot;:80}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As organizations build AI-powered applications, agentic workflows, and distributed cloud services, serverless infrastructure continues to play a growing role in delivering scalability and operational efficiency.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Defender CSPM helps security teams gain visibility into supported serverless containers, applications, and functions, assess vulnerabilities and misconfigurations, and prioritize remediation using Security Graph context and attack path analysis. By bringing serverless workloads into inventory, recommendations, Cloud Security Explorer, and attack path analysis experiences, Defender CSPM helps organizations better understand and reduce risk across their cloud environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:300}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Explore the documentation for &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/serverless-protection" target="_blank" rel="noopener"&gt;serverless protection&lt;/A&gt; and &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/posture-for-serverless-containers" target="_blank" rel="noopener"&gt;posture for serverless container workloads&lt;/A&gt;, and discover the latest innovations in Microsoft Defender for Cloud in the &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes" target="_blank" rel="noopener"&gt;release notes.&lt;/A&gt;&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jul 2026 16:00:48 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/now-generally-available-serverless-posture-coverage-in-microsoft/ba-p/4532353</guid>
      <dc:creator>donnalee</dc:creator>
      <dc:date>2026-07-01T16:00:48Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Cloud expands multicloud coverage across AWS and Google Cloud</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-expands-multicloud-coverage-across/ba-p/4532200</link>
      <description>&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Organizations are building and running applications across multiple cloud platforms and hybrid environments to move faster, improve resilience, and choose the services that best fit each workload. But that flexibility also changes how teams need to manage exposure. A risk may start with an internet-facing resource, an over-permissive identity, a misconfigured managed service, a vulnerable container image, or a serverless workload with access to sensitive data. When those signals are spread across multiple cloud providers and tools, it becomes harder to understand how exposure is created and which actions will reduce risk fastest.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Today, Microsoft is expanding multicloud coverage in Microsoft Defender for Cloud with general availability of&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;approximately 90&amp;nbsp;new&amp;nbsp;AWS and Google Cloud resource types and more than 200 recommendations&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;. Building on recent enhancements in CIEM, identity security, containers, and serverless workloads, this expansion helps customers evaluate more of their cloud estate through a unified security experience.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With broader coverage across cloud-native applications, data platforms, identity services, networking components, and managed services, security teams can move beyond isolated findings and gain more context across resources, configurations, identities, exposure signals, and prioritization.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;What’s&lt;/SPAN&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;&amp;nbsp;new: broader AWS and Google Cloud coverage&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;img /&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security teams cannot reduce exposure they cannot see. The expanded coverage brings more AWS and Google Cloud resources into the Defender for Cloud experience, helping customers assess a wider set of modern cloud services through a unified security lens, reducing blind spots where teams increasingly build and operate: serverless applications, containers and build systems, identity and entitlement controls, data and analytics services, AI and ML, networking, messaging, storage, and other managed cloud services.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;App, platform, and serverless services, including Cloud Run and&amp;nbsp;EventBridge,&amp;nbsp;to help teams&amp;nbsp;identify&amp;nbsp;exposure&amp;nbsp;in&amp;nbsp;cloud-native applications and event-driven workloads.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Containers, registries, and build systems, including Artifact Registry and&amp;nbsp;CodePipeline, to connect software supply chain posture with workload risk.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Identity, data, and managed services, including Cognito and&amp;nbsp;BigQuery, to help teams understand how access, data, and platform configurations can increase exposure.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="4" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Multicloud&amp;nbsp;compliance and data protection controls, improving visibility into encryption, logging, backup, auditability, and resilience scenarios.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This broader view helps customers understand their real exposure surface and act on recommendations tied to the scenarios that matter most.&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-recommendations-alerts" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Find the full list of&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;recommendation&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;s here&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;See exposure in context&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Exposure is rarely created by a single finding. Consider a security team managing applications across AWS and Google Cloud. A publicly accessible&amp;nbsp;BigQuery&amp;nbsp;dataset, a cloud-native application running in Cloud Run, and an over-permissioned identity may each generate separate findings. Viewed independently, these issues can appear as routine posture alerts;&amp;nbsp;together, they reveal a higher-risk exposure scenario that could lead to unauthorized access to sensitive data. More AWS and Google Cloud resources can now be assessed in the same security experience, helping teams move beyond isolated findings and toward a clearer understanding of potential exposure and remediation priority.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Why this matters&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For most security teams, the bigger challenge isn't generating more findings,&amp;nbsp;it's&amp;nbsp;prioritizing the ones that matter most.&amp;nbsp;By bringing more AWS and Google Cloud resources into inventory, evaluating them with recommendations, and correlating them with identity context, exposure signals, regulatory compliance results, Secure Score&amp;nbsp;insights, and business criticality, Defender for Cloud helps teams focus on the exposures most likely to impact their organization, without adding another fragmented tool to the stack. As coverage expands, teams can answer practical questions across a broader part of their environment:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which AWS and Google Cloud services are now visible in my cloud inventory?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which newly evaluated resources have recommendations that should be reviewed?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Which findings are tied to exposed, high-value, or security-sensitive resources?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="2" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Where should my team prioritize remediation based on exposure, not just finding volume?&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Building on recent multicloud investments&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This release builds on a series of multicloud investments in Defender for Cloud over the past several months that bring deeper, more consistent protection&amp;nbsp;across&amp;nbsp;multicloud&amp;nbsp;environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;CIEM and identity:&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;Identity is one of the most common&amp;nbsp;entry&amp;nbsp;points for cloud exposure.&amp;nbsp;Defender for Cloud evaluates overprovisioned&amp;nbsp;identities, risky permissions, weak authentication, and privilege-escalation paths. Modernized CIEM logic now assesses identity risk based on actual entitlement usage rather than sign-in activity, using a 90-day lookback.&amp;nbsp;&amp;nbsp;Customers&amp;nbsp;benefit&amp;nbsp;from&amp;nbsp;improved accuracy using&amp;nbsp;log&amp;nbsp;ingestion&amp;nbsp;from&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/integrate-cloud-trail" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;AWS CloudTrail&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and Google Cloud Logging, and drive actionable recommendations. Learn more about&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/azure/defender-for-cloud/permissions-management" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;permissions management.&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="1" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Containers and serverless:&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-contrast="auto"&gt;In containers and serverless,&amp;nbsp;Microsoft&amp;nbsp;expanded&amp;nbsp;multicloud&amp;nbsp;posture coverage across serverless&amp;nbsp;compute, serverless containers, and modern Kubernetes environments. This&amp;nbsp;expansion brings&amp;nbsp;more cloud-native workloads into a unified code-to-runtime security model with vulnerability assessment, misconfiguration analysis, container-level recommendations, and&amp;nbsp;a richer&amp;nbsp;exposure context. Last month we introduced&amp;nbsp;general availability of serverless compute posture coverage for AWS Lambda, Azure Functions, and Azure Web Apps, and the public preview of serverless container posture coverage for Azure Container Apps, Azure Container Instances, and Amazon ECS on AWS Fargate. Learn more about the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/closing-the-loop-on-container-security-from-code-to-runtime-in-the-ai-era/4528599" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;latest in container securit&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;y&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, and find documentation about&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/serverless-protection" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;serverless protection&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;and&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/serverless-protection" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;serverless containers&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;&amp;nbsp;posture protection.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Together, these investments give security teams a more complete view of exposure across Azure, AWS, and Google Cloud.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Built into the Microsoft Security experience&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The expanded AWS and Google Cloud coverage strengthens the foundation for multicloud exposure management in Defender for Cloud. Customers can use the same experience they already rely on to understand inventory, posture, serverless and container risk, CIEM and identity context, compliance, Secure Score, and risk prioritization across more of their cloud estate.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Because exposure is&amp;nbsp;shaped by&amp;nbsp;relationships across resources, identities, entitlements, workloads, configurations, controls, and reachable services, a more complete&amp;nbsp;multicloud&amp;nbsp;view helps security teams understand risk and act with greater confidence. For customers&amp;nbsp;standardizing on&amp;nbsp;Microsoft Security, this means broader&amp;nbsp;multicloud&amp;nbsp;exposure management in one place&amp;nbsp;–&amp;nbsp;without adding another fragmented tool to the stack.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Get started&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Customers can begin reviewing the expanded coverage by exploring Cloud Inventory, filtering by cloud provider and resource category, reviewing newly introduced recommendations, and&amp;nbsp;monitoring&amp;nbsp;Secure Score changes as broader assessment becomes available.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;We recommend that security teams:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Use Cloud Inventory to understand which&amp;nbsp;additional&amp;nbsp;AWS and Google Cloud resource types are now represented in Defender for Cloud.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Review new recommendations across key workload, identity, compliance, data protection, and networking.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Reassess top exposure scenarios across clouds, including serverless, containers, identity, data, and managed services.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="8" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559683&amp;quot;:0,&amp;quot;335559684&amp;quot;:-2,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;hybridMultilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Prioritize remediation based on exposure, criticality, and business context, not only recommendation volume.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 aria-level="2"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="heading 2"&gt;Learn more&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;335559738&amp;quot;:260,&amp;quot;335559739&amp;quot;:140}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;With expanded AWS and Google Cloud coverage, Microsoft Defender for Cloud helps security teams improve&amp;nbsp;multicloud&amp;nbsp;visibility, assess more resources, and prioritize exposure across their cloud estate.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;To learn more, visit the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft Defender for Cloud documentat&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;ion&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, review&amp;nbsp;the latest&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;r&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;elease notes&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt;, and follow the&amp;nbsp;&lt;/SPAN&gt;&lt;A href="https://techcommunity.microsoft.com/category/microsoft-defender-for-cloud/blog/microsoftdefendercloudblog" target="_blank" rel="noopener"&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Microsoft&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Defender for Cloud&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;Tech Community&amp;nbsp;&lt;/SPAN&gt;&lt;SPAN data-ccp-charstyle="Hyperlink"&gt;blog&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;/A&gt;&lt;SPAN data-contrast="auto"&gt; for updates on cloud security&amp;nbsp;and posture management.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{&amp;quot;201341983&amp;quot;:0,&amp;quot;335559740&amp;quot;:259}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 17:36:56 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-expands-multicloud-coverage-across/ba-p/4532200</guid>
      <dc:creator>donnalee</dc:creator>
      <dc:date>2026-06-30T17:36:56Z</dc:date>
    </item>
    <item>
      <title>Exempt a specific container in MDC</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-a-specific-container-in-mdc/m-p/4531081#M2153</link>
      <description>&lt;P&gt;You don't need a full exemption for this — the built-in policy behind "Immutable (read-only) root filesystem should be enforced for containers" already supports &lt;STRONG&gt;per-container and per-image exclusions natively&lt;/STRONG&gt;, which is more precise than exempting at the resource/cluster level.&lt;/P&gt;&lt;P&gt;This recommendation is implemented via the Azure Policy Add-on for Kubernetes (Gatekeeper constraint) as part of Defender for Cloud's data plane hardening. The underlying policy definition supports these parameters:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;excludedContainers — exclude by &lt;STRONG&gt;container name&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;excludedImages — exclude by image (supports prefix matching, e.g. myregistry.azurecr.io/legacy-app:*)&lt;/LI&gt;&lt;LI&gt;excludedNamespaces — exclude entire namespaces (e.g., kube-system, useful for system pods that legitimately can't run read-only)&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;To configure: &lt;STRONG&gt;Defender for Cloud → Recommendations →&lt;/STRONG&gt; select this recommendation &lt;STRONG&gt;→ Take action tab&lt;/STRONG&gt;, where you can set these parameters directly without touching raw policy JSON. Alternatively, if you manage policy via Environment Settings → Security policies → Standards, you can set the same parameters on the standard assignment.&lt;/P&gt;&lt;P&gt;Given you said multiple containers across airflow/db1, airflow/sql1, etc. show "Unhealthy" — if these are legitimate exceptions (e.g., a database container that needs to write to its filesystem by design, not just a misconfiguration), excludedContainers naming each container is the cleanest fix and keeps the recommendation enforcing everywhere else in the cluster. I'd reserve a full policy exemption (Azure Policy exemption resource) for cases where you need it tracked for compliance/audit purposes specifically — the parameter-based exclusion is the more "native" and maintainable fix for ongoing operational cases like this.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 20:22:45 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-a-specific-container-in-mdc/m-p/4531081#M2153</guid>
      <dc:creator>gokhantatar</dc:creator>
      <dc:date>2026-06-25T20:22:45Z</dc:date>
    </item>
    <item>
      <title>Exempt - Azure CSPM Recommendation" (Terraform exemption</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-azure-cspm-recommendation-quot-terraform-exemption/m-p/4531079#M2152</link>
      <description>&lt;P&gt;The reason you're not finding a standalone policyAssignmentId/policyDefinitionId for this specific recommendation is that it isn't a standalone assignment — it's one control &lt;STRONG&gt;inside&lt;/STRONG&gt; the built-in CSPM initiative (the "ASC Default" / Microsoft Cloud Security Benchmark assignment). That initiative &lt;EM&gt;does&lt;/EM&gt; have an assignment ID; you just need to target the specific control within it, not look for a separate one.&lt;/P&gt;&lt;P&gt;In azurerm_resource_policy_exemption (or the subscription/resource-group variants), the relevant fields are:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;policy_assignment_id → the ID of the &lt;STRONG&gt;initiative assignment&lt;/STRONG&gt; (ASC Default / MCSB), not a per-recommendation assignment&lt;/LI&gt;&lt;LI&gt;policy_definition_reference_ids → an array scoping the exemption to just this one control instead of the whole initiative&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;resource "azurerm_resource_policy_exemption" "function_app_network_exemption" {&lt;/P&gt;&lt;P&gt;name = "exempt-function-network-restriction"&lt;/P&gt;&lt;P&gt;resource_id = azurerm_linux_function_app.example.id&lt;/P&gt;&lt;P&gt;policy_assignment_id = data.azurerm_subscription_policy_assignment.asc_default.id&lt;/P&gt;&lt;P&gt;policy_definition_reference_ids = [&lt;/P&gt;&lt;P&gt;"&amp;lt;reference-id-for-the-specific-control&amp;gt;"&lt;/P&gt;&lt;P&gt;]&lt;/P&gt;&lt;P&gt;exemption_category = "Waiver" # or "Mitigated" if an equivalent control exists&lt;/P&gt;&lt;P&gt;expires_on = "2026-12-31T00:00:00Z"&lt;/P&gt;&lt;P&gt;}&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;To find the policy_definition_reference_id for this specific control: in the Azure Portal, go to &lt;STRONG&gt;Policy → Definitions&lt;/STRONG&gt;, search for "Restricted network access should be configured on Internet exposed Function app" to get its definition ID, then open the initiative definition (ASC Default) and find the matching entry in its policyDefinitions[].policyDefinitionReferenceId array — that string is what goes in the array above.&lt;/P&gt;&lt;P&gt;Two things worth deciding upfront before automating this:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;STRONG&gt;Waiver vs Mitigated&lt;/STRONG&gt; — if you've genuinely restricted access another way (e.g., Private Endpoint), use Mitigated so it's distinguishable from accepted risk in reporting.&lt;/LI&gt;&lt;LI&gt;Consider whether the exemption belongs at the &lt;STRONG&gt;resource&lt;/STRONG&gt; scope (just this Function App) vs &lt;STRONG&gt;resource group/subscription&lt;/STRONG&gt; — narrower is safer, but if you have a pattern of similar apps, a tagged-based resourceSelectors block can scale this without per-resource blocks.&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Thu, 25 Jun 2026 20:22:04 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-azure-cspm-recommendation-quot-terraform-exemption/m-p/4531079#M2152</guid>
      <dc:creator>gokhantatar</dc:creator>
      <dc:date>2026-06-25T20:22:04Z</dc:date>
    </item>
    <item>
      <title>Remediation Workflow Automation — Biggest Gap vs. Competing Exposure Management Platforms?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-security-exposure/remediation-workflow-automation-biggest-gap-vs-competing/m-p/4531077#M2</link>
      <description>&lt;P&gt;Exposure graph and attack path correlation in MSEM are genuinely strong — the cross-domain visibility (endpoints, identities, cloud, external surface) is one of the better implementations I've worked with, especially for shops already standardized on the Microsoft stack.&lt;/P&gt;&lt;P&gt;The gap I keep running into is &lt;STRONG&gt;closed-loop remediation orchestration&lt;/STRONG&gt;. Right now, when an attack path or critical exposure is identified, there's no native way to auto-generate a ticket, assign ownership, and track an SLA against it — that handoff still has to be built externally (Logic Apps, Sentinel playbooks, or a 3rd-party ITSM integration). This isn't just my experience; it's echoed in published Gartner Peer Insights reviews of the product, where users specifically flag the absence of in-platform workflows to raise tickets automatically and route them to the owning team.&lt;/P&gt;&lt;P&gt;For comparison, Qualys built this natively into their Enterprise TruRisk Platform (QFlow) — automatic ticket creation in ServiceNow/Jira, ownership assignment, and SLA tracking, all without manual handoffs. Tenable One markets "workflow automation" as a core differentiator of its unified platform for the same reason: it's what turns continuous &lt;EM&gt;detection&lt;/EM&gt; into continuous &lt;EM&gt;risk reduction&lt;/EM&gt;, not just a better dashboard.&lt;/P&gt;&lt;P&gt;Questions for the team / community:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Is closed-loop ticketing/SLA tracking on the roadmap natively, or is the expectation that this stays external (Logic Apps/Sentinel)?&lt;/LI&gt;&lt;LI&gt;For those running MSEM at scale — how are you currently bridging this gap operationally? Custom playbooks, or a 3rd-party orchestration layer on top?&lt;/LI&gt;&lt;/UL&gt;</description>
      <pubDate>Thu, 25 Jun 2026 20:05:56 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-security-exposure/remediation-workflow-automation-biggest-gap-vs-competing/m-p/4531077#M2</guid>
      <dc:creator>gokhantatar</dc:creator>
      <dc:date>2026-06-25T20:05:56Z</dc:date>
    </item>
    <item>
      <title>Exempt - Azure CSPM Recommendation</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-azure-cspm-recommendation/m-p/4528662#M2151</link>
      <description>&lt;P&gt;We are implementing creating exemptions on policies through Terraform.&lt;/P&gt;&lt;P&gt;Is there a way to exempt this specific Azure CSPM standard policy "&lt;STRONG&gt;Restricted network access should be configured on Internet exposed Function app&lt;/STRONG&gt;" through Terraform since it does not have any &lt;STRONG&gt;policyassignmentid&lt;/STRONG&gt; and &lt;STRONG&gt;policyid&lt;/STRONG&gt;.&lt;/P&gt;&lt;P&gt;I think this standard policy cannot be exempted with this code. Please confirm.&amp;nbsp;&lt;/P&gt;&lt;P&gt;My understanding is this is Assessment type and has no policy id or policy assessment id. I can exempt through Azure Portal but not from Terraform.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any guidance is greatly appreciated.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;resource "azurerm_subscription_policy_exemption" "this" {&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;for_each = local.subscription_exemptions&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;name = each.key&lt;/P&gt;&lt;P&gt;subscription_id = each.value.resource_id&lt;/P&gt;&lt;P&gt;policy_assignment_id = each.value.policy_assignment_id&lt;/P&gt;&lt;P&gt;policy_definition_reference_ids = each.value.policy_definition_reference_ids&lt;/P&gt;&lt;P&gt;exemption_category = each.value.category&lt;/P&gt;&lt;P&gt;expires_on = each.value.expires_on&lt;/P&gt;&lt;P&gt;description = "Ticket: ${each.value.ticket} | ${each.value.remediation_plan}"&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;metadata = jsonencode(merge(var.tags, {&lt;/P&gt;&lt;P&gt;owner = each.value.owner&lt;/P&gt;&lt;P&gt;ticket = each.value.ticket&lt;/P&gt;&lt;P&gt;risk_level = each.value.risk_level&lt;/P&gt;&lt;P&gt;remediation_plan = each.value.remediation_plan&lt;/P&gt;&lt;P&gt;approved_by = each.value.approved_by&lt;/P&gt;&lt;P&gt;approval_date = each.value.approval_date&lt;/P&gt;&lt;P&gt;environment = var.environment&lt;/P&gt;&lt;P&gt;managed_by = "terraform"&lt;/P&gt;&lt;P&gt;}))&lt;/P&gt;&lt;P&gt;}&lt;/P&gt;&lt;P&gt;Thanks,&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;Anshu&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 00:40:30 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-azure-cspm-recommendation/m-p/4528662#M2151</guid>
      <dc:creator>ABhatia610</dc:creator>
      <dc:date>2026-06-17T00:40:30Z</dc:date>
    </item>
    <item>
      <title>Closing the loop on container security: 
From code to runtime in the AI era</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/closing-the-loop-on-container-security-from-code-to-runtime-in/ba-p/4528599</link>
      <description>&lt;P&gt;Containers are the backbone of modern cloud-native apps — and increasingly, the infrastructure powering AI, from AI assistants to a new wave of intelligent agents. They also blur the line between &lt;STRONG&gt;build&lt;/STRONG&gt;, &lt;STRONG&gt;deploy&lt;/STRONG&gt;, and &lt;STRONG&gt;runtime&lt;/STRONG&gt;: a single code change can become a running workload in minutes. A misconfiguration committed in the morning can be deployed in minutes and exploited before noon. At that speed, container security can no longer be a point-in-time check, it has to work as one continuous loop.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;The numbers back this up.&lt;STRONG&gt; &lt;/STRONG&gt;For the first time, &lt;STRONG&gt;31% of breaches now begin with an attacker exploiting a software vulnerability&lt;/STRONG&gt; — overtaking stolen credentials as the most common way in — and &lt;STRONG&gt;15% of attack techniques are now accelerated by generative AI&lt;/STRONG&gt;, with adversaries using it to find gaps and write malware faster at every stage.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;EM&gt;&lt;SPAN class="lia-text-color-19"&gt;Source:&lt;/SPAN&gt; &lt;/EM&gt;&lt;A class="lia-external-url" href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener"&gt;Verizon 2026 Data Breach Investigations Report&lt;/A&gt;&lt;EM&gt; &lt;SPAN class="lia-text-color-19"&gt;(incidents Nov 2024–Oct 2025).&lt;/SPAN&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Over the last few quarters, Microsoft Defender for Cloud has been evolving to offer you this continuous security, end to end. &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes" target="_blank" rel="noopener"&gt;Explore container security’s new capabilities&lt;/A&gt; across posture, shift-left, runtime, multicloud coverage, and operations. Collectively they form a more comprehensive approach to container security — one that offers security right during developing a code to a running pod across Azure, AWS, and GCP.&lt;/P&gt;
&lt;P&gt;There is a second reason why container security matters more in 2026: containers are increasingly where AI runs. Many AI workloads — from model-serving APIs to retrieval systems and intelligent agents — now live as pods on AKS, EKS, and GKE (the managed Kubernetes services from Azure, AWS, and Google), often connected to some of an organization’s most sensitive models and data. As those crown jewels move into the cluster, the same posture, code‑to‑runtime, and runtime protections described in this post extend to AI workloads. The contest is increasingly AI against AI: attackers use it to find and reach the cluster faster, while defenders use it to push back — surfacing the risks that matter most and turning runtime findings into AI‑assisted code fixes.&lt;/P&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-20"&gt;One platform, code to runtime&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;A container finding is not treated as an isolated issue; it is connected to the identity it runs under, the registry and code repository it came from, and the cluster where it is running - all unified under one Microsoft Defender platform.&lt;/P&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-20"&gt;Container posture and shift-left security are now redesigned for least vulnerabilities in production&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;Conventional container security posture offered challenges to scale: a single grouped recommendation could stack thousands of findings under one bucket, making ownership, exemptions, and risk scoring too coarse to act on. That experience is now evolved. We have rebuilt the experience so that &lt;STRONG&gt;each finding is its own recommendation&lt;/STRONG&gt; — per software, per image, per container. If two CVEs in the same image belong to two different teams, they can now be triaged, exempted, and reported separately. The &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#general-availability-of-individual-recommendations-for-defender-for-cloud-in-azure-portal-and-deprecation-of-legacy-grouped-recommendations" target="_blank" rel="noopener"&gt;grouped recommendations are deprecated and will be removed on July 30, 2026&lt;/A&gt;, We suggest updating any automation, export rules, and ServiceNow integrations to target the new per-finding recommendations before that date.&lt;/P&gt;
&lt;P&gt;That per-finding precision becomes even more powerful once you connect each finding to its source code and to the runtime resources it impacts. Defender for Cloud — part of Microsoft Defender suite — connects this &lt;STRONG&gt;code-to-runtime&lt;/STRONG&gt; chain end-to-end. For example, an image built through &lt;STRONG&gt;Azure DevOps&lt;/STRONG&gt; or &lt;STRONG&gt;GitHub&lt;/STRONG&gt;, pushed to ACR, ECR, Google Artifact Registry, Docker Hub, or JFrog, and pulled by AKS, EKS, or GKE is one continuous evidence chain — traceable from a running container back to the pull request (PR) and line of code that introduced the risk. With &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-advanced-security-overview" target="_blank" rel="noopener"&gt;GitHub Advanced Security&lt;/A&gt; integrated (GA), secrets, code, and dependency findings join the same attack story. The developer-first &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/defender-cli-overview" target="_blank" rel="noopener"&gt;Defender for Cloud CLI&lt;/A&gt; runs the same scanner locally or in any CI/CD pipeline, with consistent exit codes for gating.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;The Code-to-Runtime “Development phases” diagram: one continuous Code → Build → Ship → Runtime evidence chain, with a one-click path to open a GitHub issue.&lt;/EM&gt;&lt;/img&gt;
&lt;P&gt;In this diagram, you can see how we have embedded container security at every stage of the software development lifecycle (SDLC), not just the endpoints. At &lt;STRONG&gt;Code&lt;/STRONG&gt;, GitHub Advanced Security and the Defender for Cloud CLI catch secrets, vulnerable dependencies, and insecure code before commit. At &lt;STRONG&gt;Build&lt;/STRONG&gt;, the same scanner runs as a CI/CD gate — in GitHub Actions, Azure DevOps, Jenkins, or Bitbucket — failing the pipeline on critical findings. At &lt;STRONG&gt;Ship&lt;/STRONG&gt;, registry scanning and Gated Deployment block risky or misconfigured images at the cluster door. And at &lt;STRONG&gt;Runtime&lt;/STRONG&gt;, the sensor enforces anti-malware and binary-drift policy on the live workload. No stage is left as a blind spot, and a finding can be traced forward to the running pod or backward to the developer who introduced it.&lt;/P&gt;
&lt;P&gt;Visibility without enforcement only creates backlog. &lt;STRONG&gt;Gated Deployment&lt;/STRONG&gt; — a Kubernetes admission controller — uses the same vulnerability signal, you trust, to block risky images at the cluster level. It supports phased rollout (audit, then deny), targets rules by cluster, namespace, pod, image, or label, and runs across AKS (including AKS Automatic), EKS, and GKE. A newer extension gates on &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#kubernetes-misconfiguration-enforcement-in-defender-for-containers-preview" target="_blank" rel="noopener"&gt;Kubernetes misconfigurations&lt;/A&gt; too. Posture practitioners also get &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#container-level-misconfiguration-recommendations-for-kubernetes-preview" target="_blank" rel="noopener"&gt;KSPM at container granularity&lt;/A&gt; — Kubernetes security posture management, available through both Defender for Containers and Defender CSPM — and, on Azure, a new actionable recommendation, &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#new-actionable-recommendation-to-upgrade-aks-for-system-pod-vulnerabilities-preview" target="_blank" rel="noopener"&gt;Upgrade Azure Kubernetes Service Version (preview)&lt;/A&gt;, that helps you remediate vulnerabilities in AKS-managed system pods.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;&lt;EM&gt;Misconfiguration gating rules in Defender for Cloud — block risky deployment before they reach production.&lt;/EM&gt;&lt;/img&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-20"&gt;Coverage that matches containers’ evolution&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;Historically, many container security programs concentrated on managed Kubernetes clusters in AKS, EKS, and GKE. The 2026 reality is broader: a growing share of production runs on &lt;STRONG&gt;serverless container platforms&lt;/STRONG&gt; that abstract the cluster away, many sensitive workloads sit behind &lt;STRONG&gt;private, network-isolated clusters&lt;/STRONG&gt;, and platform teams increasingly standardize on &lt;STRONG&gt;hardened or distroless base images&lt;/STRONG&gt;. The surfaces that were blind spots are now part of the same posture graph as everything else.&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#serverless-protection-for-azure-and-aws-is-now-generally-available" target="_blank" rel="noopener"&gt;Serverless compute posture&lt;/A&gt; is now generally available across AWS Lambda, Azure Functions, and Web Apps, while &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/posture-for-serverless-containers" target="_blank" rel="noopener"&gt;Serverless containers posture&lt;/A&gt; (preview) takes the same idea to Azure Container Apps, ACI, and AWS Fargate. Together, they bring more of today’s cloud-native production footprint into the same posture graph.&lt;/P&gt;
&lt;P&gt;Coverage also improves where platform teams are standardizing on locked-down environments. The long-standing gap around &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#vulnerability-assessment-extended-to-runtime-discovered-container-images-on-eks-and-gke-preview" target="_blank" rel="noopener"&gt;private EKS and GKE clusters&lt;/A&gt; is closed, bringing some of the hardest-to-reach environments into the same security model. Scanning now works on &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#scanning-support-for-docker-hardened-container-images-preview" target="_blank" rel="noopener"&gt;hardened images&lt;/A&gt; from Docker Hardened or Minimus, and runtime protection supports &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#defender-for-containers-runtime-protection-on-eks-bottlerocket-is-now-generally-available" target="_blank" rel="noopener"&gt;BottleRocket&lt;/A&gt; on EKS — with the full feature set also available in &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#general-availability-of-container-security-capabilities-in-azure-government-cloud" target="_blank" rel="noopener"&gt;Azure Government&lt;/A&gt;, which matters for teams running regulated workloads.&lt;/P&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-20"&gt;Runtime threat protection that prevents, not just detects&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;Posture closes the door on attackers; runtime threat protection guards the room if they still succeed. The key shift is that the Defender for Containers sensor now adds &lt;STRONG&gt;prevention&lt;/STRONG&gt; on top of detection. The goal is simple: stop malicious code before it runs. &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#anti-malware-detection-and-blocking-is-now-generally-available" target="_blank" rel="noopener"&gt;Anti-malware detection and prevention&lt;/A&gt; (GA) scans container workloads and Kubernetes nodes and, based on the policies you define, blocks malicious execution instead of only alerting. Those alerts then flow into &lt;STRONG&gt;Microsoft Defender XDR&lt;/STRONG&gt;’s unified incident model.&lt;/P&gt;
&lt;P&gt;The second is &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/binary-drift-detection" target="_blank" rel="noopener"&gt;binary drift detection and prevention&lt;/A&gt; (preview). Containers are meant to be immutable. When a process starts from a binary that was not part of the original image, that is drift — and one of the highest-signal indicators of compromise in cloud-native workloads. Defender detects drifts and, with policy enabled, can now also block the drifted process before it executes.&lt;/P&gt;
&lt;P&gt;Anti-malware and Drift policies can be scoped by cloud, cluster, namespace, image, or label, with allow-lists for legitimate cases.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img&gt;
&lt;P&gt;&lt;EM&gt;Anti-malware policies can alert, block, or ignore — scoped to clusters, namespaces, pods, labels, or images. &lt;/EM&gt;&lt;/P&gt;
&lt;/img&gt;
&lt;P&gt;Rounding out runtime protection, &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/release-notes#dns-detection-for-kubernetes-is-now-generally-available" target="_blank" rel="noopener"&gt;DNS-based threat detection&lt;/A&gt; (GA) catches command-and-control beaconing, DGA traffic, and exfiltration over DNS.&lt;/P&gt;
&lt;H2&gt;&lt;SPAN class="lia-text-color-20"&gt;A unified approach to container security&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;Step back, and the bigger picture is simple. The same platform that secured your VMs and identities now extends across AKS, EKS, GKE, private clusters, serverless containers, and serverless compute. The same Code-to-Runtime chain that once tied Infrastructure as Code (IaC) findings to running infrastructure now connects Dockerfile commits — through CI/CD and any major registry — to the running pod. Admission control turns posture findings into prevention at deploy time, and runtime protection actively blocks. That is a continuous container security loop living inside Microsoft Defender — not a checklist bolted onto Kubernetes. And it rebalances the fight: as attackers use AI to find and exploit gaps faster, the durable answer is security teams using AI of their own — protecting and triaging at machine speed.&lt;/P&gt;
&lt;P&gt;If you’ve already enabled container security with Microsoft, the clearest next step is to strengthen the core lifecycle stages first:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Code + build:&lt;/STRONG&gt; connect GitHub Advanced Security and integrate the Defender for Cloud CLI into your pipelines so findings are caught early and CI/CD gates can fail builds before an image is pushed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ship:&lt;/STRONG&gt; stand up Gated Deployment in audit mode on a non-production cluster, tune it, then flip to deny; extend it to Kubernetes misconfigurations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Run:&lt;/STRONG&gt; enable the Defender for Containers sensor, extend it to private EKS and GKE clusters, then tune anti-malware and binary-drift rules in Block mode — starting with your crown-jewel namespaces.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Extend protection:&lt;/STRONG&gt; turn on serverless compute posture for Lambda, Functions, and Web Apps, and enable serverless container posture for Container Apps, ACI, or Fargate.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jun 2026 23:15:21 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/closing-the-loop-on-container-security-from-code-to-runtime-in/ba-p/4528599</guid>
      <dc:creator>mahersko</dc:creator>
      <dc:date>2026-06-16T23:15:21Z</dc:date>
    </item>
    <item>
      <title>Ask Microsoft Anything: Microsoft Defender expands protection to AWS RDS</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/ask-microsoft-anything-microsoft-defender-expands-protection-to/m-p/4526819#M2150</link>
      <description>&lt;P&gt;Hey all! We are currently answering questions over on the event page here:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://aka.ms/DefenderAWSExpansionAMA" target="_blank"&gt;https://aka.ms/DefenderAWSExpansionAMA&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Come join and learn something about Defender for Cloud and the expansion of protection!&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 16:19:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/ask-microsoft-anything-microsoft-defender-expands-protection-to/m-p/4526819#M2150</guid>
      <dc:creator>Trevor_Rusher</dc:creator>
      <dc:date>2026-06-09T16:19:01Z</dc:date>
    </item>
    <item>
      <title>Exempt a specific container in MDC</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-a-specific-container-in-mdc/m-p/4526806#M2149</link>
      <description>&lt;P&gt;I have this recommendation showing in defender.&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Immutable (read-only) root filesystem should be enforced for containers&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;There are multiple containers inside AKS that are showing as "Unhealthy"&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;airflow/db1&lt;/LI&gt;&lt;LI&gt;airflow/sql1&lt;/LI&gt;&lt;LI&gt;airflow/scheduler1&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Is there a way to exempt a specific container or the whole recommendation has to be exempted.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 15:25:11 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/exempt-a-specific-container-in-mdc/m-p/4526806#M2149</guid>
      <dc:creator>ABhatia610</dc:creator>
      <dc:date>2026-06-09T15:25:11Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Cloud Customer Newsletter</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4525656</link>
      <description>&lt;H1&gt;What's new in Defender for Cloud?&lt;/H1&gt;
&lt;P&gt;Defender for Cloud is now integrated into the Defender portal to bring together cloud security posture management and threat protection in a single experience. Read more about it &lt;A href="https://aka.ms/mdc_DefenderPortal" target="_blank"&gt;here&lt;/A&gt;.&lt;/P&gt;
&lt;H2&gt;Cloud security reporting in the Defender portal is now in public preview&lt;/H2&gt;
&lt;P&gt;Customers can now create, customize, and share security insights across the organization through Defender portal’s integrated cloud security reporting capabilities. With these reporting capabilities, customers can view built-in reports like CNAPP Executive Summary, create custom reports, export to PDF and more. For more details, please refer to this &lt;A href="https://aka.ms/mdc_Defenderportal_reporting" target="_blank"&gt;documentation&lt;/A&gt;.&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/MDCNewsJust" target="_blank"&gt;Check out other updates from last month here!&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_mtpblog" target="_blank"&gt;Check out monthly news for the rest of the MTP suite here!&lt;/A&gt; &amp;nbsp;&lt;/P&gt;
&lt;H2&gt;Blog(s) of the month&lt;/H2&gt;
&lt;P&gt;In May, our team published the following blog posts we would like to share:&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog1" target="_blank"&gt;Better together with Azure WAF + Defender for Storage + Defender for Azure SQL Databases&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog2" target="_blank"&gt;Public preview: Expanded coverage and unified management for SQL VA Express Configuration | Microsoft Community Hub&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Defender for Cloud in the field&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Check out the two short videos on Defender Portal integration and Start Secure Stay Secure with Defender for Cloud&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:true,&amp;quot;orderedStyleType&amp;quot;:1}"&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_youtube_Defenderportal" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Microsoft Defender for Cloud deeply integrates with Microsoft Defender&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_youtube_startsecurestaysecure" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Start secure and stay secure with Microsoft Defender for Cloud&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsField&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921371778%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=Ni9o%2FuGnNm5keL5pEgpww3s46S3nE6EfDiG3Z28cPhI%3D&amp;amp;reserved=0" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Visit our YouTube page&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;GitHub Community&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Check out this PS script and CLI to help you enable Defender for API at scale:&lt;/P&gt;
&lt;UL&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdcgit_apiatscale" target="_blank"&gt;Onboard to Defender for API at scale&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsGit&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921474195%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=ZBr6NDY28EuqIzivYaky1d%2FBvBAr2oYHDW2vHcYuJKM%3D&amp;amp;reserved=0" target="_blank"&gt;Visit our GitHub page&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Customer journey&lt;/H2&gt;
&lt;P&gt;Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsStory1" target="_blank"&gt;Loyens &amp;amp; Loeff&lt;/A&gt;, a law and tax firm, that operates in a high complex environment, sought to modernize the digital workplace with Microsoft 365 Copilot, Defender for Cloud and Purview.&lt;/P&gt;
&lt;H2&gt;Join our community!&lt;/H2&gt;
&lt;P&gt;We offer several customer connection programs within our private communities. By signing up, you can help us&amp;nbsp;shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at&amp;nbsp;&lt;A href="https://www.aka.ms/JoinCCP" target="_blank"&gt;aka.ms/JoinCCP.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in&amp;nbsp;&lt;A href="https://aka.ms/PublicContentFeedback" aria-label="Link https://aka.ms/PublicContentFeedback" target="_blank"&gt;https://aka.ms/PublicContentFeedback.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter:&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsSubscribe" target="_blank"&gt;https://aka.ms/MDCNewsSubscribe&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Jun 2026 18:30:12 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4525656</guid>
      <dc:creator>Yura_Lee</dc:creator>
      <dc:date>2026-06-04T18:30:12Z</dc:date>
    </item>
    <item>
      <title>The end of patching era for containers: Microsoft Defender for Cloud expands hardened image support</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/the-end-of-patching-era-for-containers-microsoft-defender-for/ba-p/4524798</link>
      <description>&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;Why hardened images are becoming the new baseline for container image security&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Container security is evolving beyond vulnerability scanning alone. Across the ecosystem - spanning container platforms, registries, and software supply chain tooling - customers are increasingly adopting hardened container images - images that are minimal by design, transparent in composition, and continuously maintained to reduce inherited risk at the base layer.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This shift is happening against a backdrop of increasingly fast-moving attacks. AI-assisted techniques - such as those demonstrated by Mythos-class tooling - continue to compress the time between vulnerability discovery and exploitation. In this environment, reducing exposure to exploitable vulnerabilities and attack surfaces in container images before deployment is becoming just as critical as detecting vulnerabilities after the fact.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Traditional container images are optimized for flexibility and reuse, not for security - meaning they are not designed to minimize included components, reduce attack surface, or limit inherited vulnerabilities by default. As a result, many base images include large package sets and transitive dependencies that significantly increase attack surface and vulnerability noise.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Hardened images take a different approach:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="13" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Minimal by construction, including only what’s required to run the workload&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="13" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Reduced attack surface, limiting exploitable components&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="13" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Strong transparency, with SBOMs and provenance metadata&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="13" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Continuous maintenance, so vulnerabilities are addressed through rebuilding rather than downstream patching&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;For customers, this represents a shift from reactive CVE triage to preventative risk reduction at the image layer.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;In practice, this changes how container image risk is managed - from prioritizing and patching vulnerabilities in place to replacing images with updated, rebuilt versions, making remediation more predictable and easier to scale across environments.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As hardened images become more widely adopted, organizations still need to continuously assess these images for vulnerabilities and compliance, since minimal or frequently rebuilt images can still introduce new risks over time or differ from expected configurations - making continuous image scanning and monitoring essential.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;Microsoft Defender for Cloud’s approach: support choice, centralize visibility&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Today, Microsoft Defender for Cloud already supports vulnerability assessment for hardened image providers such as Chainguard, alongside traditional Linux distributions. We recently expanded this coverage further with additional hardened image types, giving customers more flexibility to adopt secure-by-default images while continuing to scan these images and manage findings in a centralized Microsoft Defender for Cloud experience.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Defender for Cloud does not prescribe a single hardened image solution. Instead, it focuses on enabling customer choice while providing consistent, centralized vulnerability assessment and posture management.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;This capability builds on the container vulnerability assessment foundation powered by Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management (MDVM), bringing together high-fidelity vulnerability insights across the container lifecycle with support for modern, hardened image models.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;From now on, Microsoft Defender for Cloud’s vulnerability assessment supports hardened image ecosystems including:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Chainguard images, rebuilt from source and designed to minimize inherited vulnerabilities&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Minimus images, which are minimal and continuously rebuilt to ship with zero known CVEs at publish time&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Docker Hardened Images (DHI), secure, minimal, production-ready base images maintained by Docker&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt; &lt;STRONG&gt;(recently added)&lt;/STRONG&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="14" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Photon OS-based images and other minimal operating system distributions&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Across all of these, Microsoft Defender for Cloud’s experience remains consistent:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="15" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Images are scanned through the existing container vulnerability assessment pipeline&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="15" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Findings surface in the same Azure and Defender portals&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="15" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Policy evaluation, alerting, and compliance reporting stay centralized&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security teams do not need to onboard new scanners, manage separate dashboards, or maintain parallel remediation workflows. Hardened image adoption fits directly into existing Microsoft Defender for Cloud posture management.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;What this means for customers&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;As hardened image adoption accelerates, Microsoft Defender for Cloud enables customers to adopt secure&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;by&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;default foundations without fragmenting their security posture.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;The benefits are tangible:&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="1" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Reduced vulnerability noise from inherited base&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;image packages&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="2" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Earlier risk reduction at the image layer&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="3" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Consistent vulnerability assessment across hardened image providers&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;UL&gt;
&lt;LI aria-setsize="-1" data-leveltext="" data-font="Symbol" data-listid="12" data-list-defn-props="{&amp;quot;335552541&amp;quot;:1,&amp;quot;335559685&amp;quot;:720,&amp;quot;335559991&amp;quot;:360,&amp;quot;469769226&amp;quot;:&amp;quot;Symbol&amp;quot;,&amp;quot;469769242&amp;quot;:[8226],&amp;quot;469777803&amp;quot;:&amp;quot;left&amp;quot;,&amp;quot;469777804&amp;quot;:&amp;quot;&amp;quot;,&amp;quot;469777815&amp;quot;:&amp;quot;multilevel&amp;quot;}" data-aria-posinset="4" data-aria-level="1"&gt;&lt;SPAN data-contrast="auto"&gt;Centralized security posture, compliance, and reporting&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Whether customers choose Chainguard, Minimus, Docker Hardened Images, Photon OS–based images, or a combination, Microsoft Defender for Cloud provides a single control plane for understanding and managing container image risk - without forcing a change in operational model.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;How this works across hardened image providers&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Defender for Cloud supports multiple hardened image providers, enabling organizations to adopt secure&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;by&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;default container images while maintaining a consistent approach to vulnerability assessment and posture management.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;While each provider takes a different approach to minimizing risk at the image layer, Microsoft Defender for Cloud ensures that all images are scanned through the same vulnerability assessment pipeline, with findings surfaced centrally for security teams to monitor, prioritize, and remediate.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="none"&gt;&lt;SPAN data-ccp-parastyle="Subtitle"&gt;Examples:&lt;/SPAN&gt;&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="auto"&gt;Minimus&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Minimal, continuously rebuilt container images designed to ship with zero known CVEs at publish time. Microsoft Defender for Cloud enables native scanning of Minimus images stored in Azure Container Registry, allowing security teams to assess vulnerabilities and maintain centralized visibility without introducing new workflows.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H5&gt;&lt;SPAN data-contrast="auto"&gt;Docker Hardened Images (DHI)&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/H5&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Production&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;ready, minimal base images designed as drop&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;in replacements for standard container images. By supporting DHI, Microsoft Defender for Cloud allows customers to adopt these hardened images while continuing to rely on the same vulnerability scanning, governance, and reporting capabilities.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;H3 aria-level="2"&gt;&lt;SPAN class="lia-text-color-15"&gt;Looking ahead&amp;nbsp;&lt;/SPAN&gt;&lt;/H3&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Hardened images are no longer niche - they are becoming a foundational element of modern container security. As attacker automation and AI&lt;/SPAN&gt;‑&lt;SPAN data-contrast="auto"&gt;assisted attack techniques continue to shorten response windows, reducing exposure at build and image layers becomes increasingly important.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Microsoft Defender for Cloud will continue expanding support for hardened and minimal image ecosystems, ensuring customers can evolve their image strategies without sacrificing visibility, control, or operational simplicity.&lt;/SPAN&gt;&lt;SPAN data-ccp-props="{}"&gt;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Security should start with what you build on - not with what you fix later.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN data-contrast="auto"&gt;Learn more:&amp;nbsp;&lt;/SPAN&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#scanning-support-for-docker-hardened-container-images-preview" target="_blank" rel="noopener"&gt;Scanning support for Docker Hardened container images &lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 22:53:19 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/the-end-of-patching-era-for-containers-microsoft-defender-for/ba-p/4524798</guid>
      <dc:creator>Yulia_Zhurbinsky</dc:creator>
      <dc:date>2026-06-02T22:53:19Z</dc:date>
    </item>
    <item>
      <title>Start Secure, Stay Secure: How Microsoft is Closing the Gap from Code to Runtime</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/start-secure-stay-secure-how-microsoft-is-closing-the-gap-from/ba-p/4524580</link>
      <description>&lt;P&gt;Modern software applications composed of hundreds of artifacts, multiple programing languages, and cloud infrastructure provide an extensive attack surface that only continues to expand in the era of AI. According to Microsoft Threat Intelligence and industry research, threat actors are also increasingly leveraging AI-assisted techniques to accelerate vulnerability discovery and exploitation (Source: &lt;A href="https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025" target="_blank" rel="noopener"&gt;Digital Defense Report 2025&lt;/A&gt;). Rule-based scanning and manual review alone may not keep pace with the speed and scale of these emerging threats.&lt;/P&gt;
&lt;P&gt;As AI-generated code grows exponentially, organizations need tools designed to apply security researcher-inspired techniques at scale, keeping pace with new development processes and a rising number of AI-powered threats. That is the challenge we set out to solve.&lt;/P&gt;
&lt;P&gt;At Build 2026, we are taking two steps forward: the expanded preview of Codename MDASH, a multi-model agentic scanning system designed to find and validate exploitable vulnerabilities, and the general availability of the Microsoft Defender for Cloud and &amp;nbsp;GitHub Code Security native integration, which connects runtime risk to code and bridges the gap between security and development teams in a single workflow.&lt;/P&gt;
&lt;P&gt;Together, these announcements represent a shift in how organizations should address software security considerations across the development lifecycle, natively integrating into their existing tooling and work processes.&lt;/P&gt;
&lt;H3&gt;The Problem: Alert Fatigue, Disconnected Tools, and a Widening Gap&lt;/H3&gt;
&lt;P&gt;Industry data consistently shows that critical and high-severity vulnerabilities take an average of more than 100 days to remediate. Research suggests applications face attacks as frequently as once every three minutes (Source: &lt;A href="https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025" target="_blank" rel="noopener"&gt;Digital Defense Report 2025&lt;/A&gt;).&lt;/P&gt;
&lt;P&gt;Security teams are overwhelmed with alerts they cannot easily prioritize and assign. Developers spend time investigating issues that may never be exploited in production. Both teams often rely on separate, non-integrated tools, making collaboration slower and more difficult. The result is a growing gap between how fast organizations ship code and how fast they can secure it.&lt;/P&gt;
&lt;P&gt;The answer is not more alerts, but higher actionable findings, smarter triage, and workflows designed to support more efficient agentic remediation, fostering improved collaboration between security teams and developers.&lt;/P&gt;
&lt;H3&gt;Codename MDASH: Agentic Vulnerability Discovery (Expanded Preview)&lt;/H3&gt;
&lt;P&gt;Codename MDASH introduces a new approach to vulnerability discovery and validation. Built by Microsoft's Autonomous Code Security team, which includes members of the DARPA AI Cyber Challenge-winning Team Atlanta, codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and validate exploitable security findings end to end.&lt;/P&gt;
&lt;P&gt;Unlike single-model approaches, codename MDASH works as a coordinated system. Different agents scan code for potential vulnerabilities. A separate set of agents debate whether each finding is real and exploitable. A final set constructs proof-of-concept attacks to confirm the bugs exist. The goal is to deliver validated findings, like the test results listed below, intended to help teams focus on security issues that are more likely to be exploitable, rather than theoretical warnings.&lt;/P&gt;
&lt;P&gt;Results from internal testing and the public &lt;A href="https://www.cybergym.io/" target="_blank" rel="noopener"&gt;CyberGym benchmark&lt;/A&gt; (developed by UC Berkeley researchers, covering 1,507 real-world vulnerability reproduction tasks across 188 open-source projects, as of May 2026):&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;16 New Vulnerabilities Discovered and Patched&lt;/STRONG&gt; across the Windows networking and authentication stack, including four critical remote code execution flaws, all patched in the May 2026 Patch Tuesday release. (&lt;A href="Microsoft%20Security%20Response%20Center%20(MSRC),%20%22Security%20Update%20Guide%20—%20May%202026%20Release%20Notes,%22%20May%2012,%202026.%20https:/msrc.microsoft.com/update-guide/releaseNote/2026-May" target="_blank" rel="noopener"&gt;Source: MSRC CVE disclosures, May 12, 2026.&lt;/A&gt;)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;MDASH identified all 21 planted vulnerabilities&lt;/STRONG&gt; in a controlled test, with no false positives observed in that test. Results in broader production environments may vary. (Source: &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/?msockid=0aa1140e16426ea40e2c00cb17f16ff2" target="_blank" rel="noopener"&gt;Microsoft Security Blog&lt;/A&gt;)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Near-Total Recall on Historical MSRC Cases&lt;/STRONG&gt; 96% recall against five years of confirmed MSRC cases in clfs.sys and 100% recall in tcpip.sys. These are retrospective recall benchmarks on internal code with a finite case count; they indicate the system would have been useful had it existed at the time, but do not by themselves predict future performance. (Source: &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/?msockid=0aa1140e16426ea40e2c00cb17f16ff2" target="_blank" rel="noopener"&gt;Microsoft Security Blog&lt;/A&gt;)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Codename MDASH recently jumped ~10% in less than three weeks&lt;/STRONG&gt; to a new CyberGym industry benchmark score of 96.55%.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;o&amp;nbsp;&amp;nbsp; CyberGym scores are self-reported by participating organizations; the benchmark code is public, but no independent party has verified any of the scores. Benchmark results do not necessarily reflect real-world performance across all environments. (Source&lt;A href="https://www.cybergym.io/" target="_blank" rel="noopener"&gt;: CyberGym public leaderboard, cybergym.ai&lt;/A&gt;)&lt;/P&gt;
&lt;P&gt;What makes the architecture durable is its model-agnostic design. When a new model becomes available, the targeting, debating, deduplication, and proof stages do not need to be rewritten. That means every improvement in the underlying AI automatically makes your existing scans smarter, without requiring teams to rebuild context, retune plugins, or revalidate proving agents. The work you put in today keeps paying off tomorrow.&lt;/P&gt;
&lt;P&gt;Codename MDASH will be in expanded preview at Build 2026. Please reach out to your Microsoft Account rep for more information.&lt;/P&gt;
&lt;H3&gt;Microsoft Defender for Cloud+GitHub Code Security: Now Generally Available&lt;/H3&gt;
&lt;img /&gt;
&lt;P&gt;Codename MDASH brings a new class of multi-model agentic discovery to high-value targets. The Microsoft Defender for Cloud and GitHub Code Security native integration brings runtime context to vulnerability detections that developers already see in their pull requests, so both teams can prioritize what's exploitable and remediate inside the same workflow. This integration, now generally available, connects runtime context to code, so developer and security teams can prioritize and fix what matters.&lt;/P&gt;
&lt;P&gt;Here is the core problem it solves: a vulnerability flagged in your codebase might look critical in isolation, but is it running in production? Is it internet-facing? Is it touching sensitive data? Those three questions should drive everything. Until now, getting those answers typically meant jumping between tools, chasing context, and hoping someone on the other team had the right information.&lt;/P&gt;
&lt;div data-video-id="https://youtu.be/q4nvbBpubOI?si=PyzvRGE-twFfxty4/1780346318092" data-video-remote-vid="https://youtu.be/q4nvbBpubOI?si=PyzvRGE-twFfxty4/1780346318092" class="lia-video-container lia-media-is-center lia-media-size-large"&gt;&lt;iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2Fq4nvbBpubOI%3Ffeature%3Doembed&amp;amp;display_name=YouTube&amp;amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3Dq4nvbBpubOI&amp;amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2Fq4nvbBpubOI%2Fhqdefault.jpg&amp;amp;type=text%2Fhtml&amp;amp;schema=youtube" allowfullscreen="" style="max-width: 100%"&gt;&lt;/iframe&gt;&lt;/div&gt;
&lt;P&gt;The integration changes that in three ways:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Real-time visibility &lt;/STRONG&gt;across the app lifecycle so developer and security teams can collaborate in the tools they already use. Security teams can track the status of vulnerabilities detected by GitHub Code Security directly in Defender for Cloud. When remediation is needed, a security campaign alerts GitHub repository owners, and developers can open a GitHub issue straight from Defender for Cloud to track progress from fix to close.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Critical alert prioritization&lt;/STRONG&gt; By connecting runtime context to code, developer teams will be able to prioritize exploitable issues. Security teams will be able to understand the traceability of the artifact from code to runtime and trace runtime threats directly to the code in GitHub. As a result, the most critical alerts will be fixed first.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Remediation time reduction&lt;/STRONG&gt; AI-suggested fixes with Copilot Autofix and GitHub Copilot cloud agent will automatically be generated, making it faster for developers to help accelerate remediation.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Together, Defender and GitHub Code Security give security and engineering teams a shared, runtime-prioritized list of vulnerabilities, so the alerts developers see in their pull requests are the ones the security team has already confirmed are deployed, exposed, and worth fixing. Copilot Autofix turns those prioritized findings into review-ready pull requests, with developers in control of what merges.&amp;nbsp; We believe this combination of runtime-to-code correlation and agentic AI remediation within a single integrated workflow is a meaningful differentiator. Check out our new &lt;A href="https://aka.ms/DefenderGHCSOnboardingVideos" target="_blank" rel="noopener"&gt;onboarding videos&lt;/A&gt; to help you get started today.&lt;/P&gt;
&lt;H3&gt;How It All Fits Together: Code to Runtime&lt;/H3&gt;
&lt;P&gt;Codename MDASH and the Defender and GitHub Code Security integration are two parts of the same vision: enforcing security across the entire software lifecycle, from the first line of code to the running workload. By helping organizations find and fix vulnerabilities faster, development teams can help reduce time spent on security remediation and more time building new products.&lt;/P&gt;
&lt;P&gt;At the code level, codename MDASH adds a new layer of multi-model agentic discovery focused on high-value targets like logic flaws, race conditions, and AI-specific risks such as prompt injection and insecure model endpoints. It complements the deep semantic analysis that GitHub Code Security already performs on every pull request with CodeQL. It validates findings using multiple AI models and aims to deliver proven results rather than theoretical warnings.&lt;/P&gt;
&lt;P&gt;At the runtime level, Defender provides the context that turns a finding into an actionable priority: is this deployed, is it exposed, and does it matter right now? When a fix is needed, Copilot can assist with remediation, with the developer retaining control over what gets merged.&lt;/P&gt;
&lt;P&gt;The developer stays in GitHub. The security team stays in Defender. Both can see how code problems become real security risks, and both can act on them with reduced context switching and fewer handoff delays.&lt;/P&gt;
&lt;H3&gt;Get Started&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;Microsoft Defender for Cloud + GitHub Advanced Security is now generally available. &lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-advanced-security-overview" target="_blank" rel="noopener"&gt;Set up the integration&lt;/A&gt; in the Defender for Cloud portal and connect your GitHub organization. &lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-advanced-security-overview" target="_blank" rel="noopener"&gt;[learn.microsoft.com]&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Check out our new onboarding videos here: &lt;A href="https://aka.ms/DefenderGHCSOnboardingVideos" target="_blank" rel="noopener"&gt;https://aka.ms/DefenderGHCSOnboardingVideos&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Codename MDASH expanded preview launches at Build 2026.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Read the full technical deep dive: &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/" target="_blank" rel="noopener"&gt;Defense at AI speed: Microsoft's new multi-model agentic security system tops leading industry benchmark&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Read the full Microsoft Security Build update: &lt;A href="https://aka.ms/BUILD_SecurityBlog" target="_blank" rel="noopener"&gt;https://aka.ms/BUILD_SecurityBlog&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;With AI-powered vulnerability discovery, runtime-to-code context, and AI-assisted remediation built into the developer workflow, these tools are designed to help teams move faster while maintaining a strong security posture&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sources:&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Microsoft Digital Defense Report 2025, MSRC Patch Tuesday trend data, industry publications on AI-assisted exploit development. Digital Defense Report 2025: &lt;A href="https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025" target="_blank" rel="noopener"&gt;https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2025&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Microsoft Security Response Center (MSRC), "Security Update Guide — May 2026 Release Notes," May 12, 2026. &lt;A href="https://msrc.microsoft.com/update-guide/releaseNote/2026-May" target="_blank" rel="noopener"&gt;https://msrc.microsoft.com/update-guide/releaseNote/2026-May&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Microsoft Security Blog, "Defense at AI Speed: Microsoft's New Multi-Model Agentic Security System Tops Leading Industry Benchmark," May 12, 2026. &lt;A href="https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/" target="_blank" rel="noopener"&gt;https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;GitHub and Microsoft internal analysis of enterprise security backlogs. See the Microsoft Defender for Cloud blog (&lt;A class="lia-external-url" href="https://aka.ms/SecureCodetoCloudBlog" target="_blank" rel="noopener"&gt;aka.ms/SecureCodetoCloudBlog&lt;/A&gt;) for methodology.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 02 Jun 2026 21:22:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/start-secure-stay-secure-how-microsoft-is-closing-the-gap-from/ba-p/4524580</guid>
      <dc:creator>JasonWeber</dc:creator>
      <dc:date>2026-06-02T21:22:01Z</dc:date>
    </item>
    <item>
      <title>Now Generally Available: Microsoft Defender for open source relational databases on AWS RDS</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/now-generally-available-microsoft-defender-for-open-source/ba-p/4514651</link>
      <description>&lt;H5&gt;Securing multicloud databases to help reduce risks&lt;/H5&gt;
&lt;P&gt;Open‑source (OSS) relational databases are becoming increasingly critical and increasingly targeted in organization of all sizes. As organizations adopt multicloud architectures, these databases often run across Azure and Amazon Web Services (AWS), while security tools remain fragmented. The result is inconsistent visibility into sensitive data, disconnected alerts, and limited insight into how database exposure translates into real risk.&lt;/P&gt;
&lt;P&gt;Today, Microsoft announces the general availability (GA) of &lt;A href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/microsoft-defender-for-open-source-relational-databases-now-supports-multicloud-/4127655" target="_blank" rel="noopener"&gt;Microsoft Defender for open‑source relational databases with support for Amazon Relational Database Service (AWS RDS&lt;/A&gt;). &amp;nbsp;Customers can gain visibility into potentially sensitive data, identify indicators of database threats, and support risk prioritization across Azure and AWS through a unified experience in Microsoft Defender for Cloud, with capabilities that continue to expand across environments.&lt;/P&gt;
&lt;P&gt;This GA release highlights Microsoft’s existing protection for open‑source relational databases in Azure and extends the same database‑focused security signals, risk context, and investigation capabilities to AWS RDS: helping organizations strengthen database security the way modern applications are actually deployed.&lt;/P&gt;
&lt;H5&gt;What’s new with GA support for AWS RDS&lt;/H5&gt;
&lt;P&gt;Defender for open-source relational databases now provides GA support for security capabilities designed for enterprise cloud environments, including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Amazon Aurora for PostgreSQL&lt;/LI&gt;
&lt;LI&gt;Amazon Aurora for MySQL&lt;/LI&gt;
&lt;LI&gt;Amazon RDS for PostgreSQL&lt;/LI&gt;
&lt;LI&gt;Amazon RDS for MySQL&lt;/LI&gt;
&lt;LI&gt;Amazon RDS for MariaDB&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;These capabilities are integrated directly into Microsoft Defender for Cloud, providing consistent visibility and protection across Azure and AWS environments.&lt;/P&gt;
&lt;H5&gt;Core security capabilities for multicloud databases&lt;/H5&gt;
&lt;P&gt;Defender for Cloud delivers database‑specific security signals that help teams move beyond isolated alerts to risk‑based prioritization. This strengthens Defender for Cloud’s visibility into databases security by extending sensitive data discovery insights and threat protection specifically to supported AWS resources. As part of this delivery, we’ve also added recommendations that help validate AWS RDS resources’ enablement, discovery, scanning and protection status. &amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;Advanced threat protection at the database layer&lt;/H5&gt;
&lt;P&gt;Defender for Cloud detects suspicious access patterns and brute force attempts that indicate active database threats. Alerts are enriched with cloud and workload context to help security teams quickly determine which issues require immediate attention.&lt;/P&gt;
&lt;H5&gt;Built‑in sensitive data discovery&lt;/H5&gt;
&lt;P&gt;Automated, recurring and agentless scans help identify data that may be sensitive, such as payment details or credentials without requiring additional configuration in supported AWS resources. This visibility helps teams understand where high-risk data resides and focus protection efforts where exposure matters most.&lt;/P&gt;
&lt;H5&gt;Attack path analysis with cloud context&lt;/H5&gt;
&lt;P&gt;Rather than viewing alerts in isolation, Defender provides visibility into potential attack paths, showing how exposed databases, weak authentication, and sensitive data can combine into real attack scenarios. This capability, provided by also enabling Defender CSPM, enables teams to prioritize remediation that breaks the attack chain to not only their Azure resources but also AWS RDS databases.&lt;/P&gt;
&lt;img /&gt;
&lt;H5&gt;Unified investigation with Microsoft Defender portal&lt;/H5&gt;
&lt;P&gt;Database alerts integrate with Microsoft Defender portal, allowing security operations teams to correlate database incidents with signals from identities, endpoints, and workloads to support investigation and response workflows. This plan allows for supported AWS RDS signals to be added and correlated as well.&lt;/P&gt;
&lt;img /&gt;
&lt;H5&gt;Why this matters now&lt;/H5&gt;
&lt;P&gt;Together, these capabilities help organizations move beyond isolated database alerts toward risk‑based prioritization, which becomes especially critical as open‑source databases increasingly store high‑value and regulated data in multicloud architectures.&lt;/P&gt;
&lt;H5&gt;Customer outcomes: prioritized database risk across clouds&lt;/H5&gt;
&lt;P&gt;With GA support for AWS RDS, organizations can move from fragmented database security to prioritized risk management across Azure and AWS:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Detect real database threats&lt;/STRONG&gt; by identifying risky access patterns tied directly to exposed databases.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Understand where sensitive data lives&lt;/STRONG&gt; through built‑in discovery that highlights high‑risk data stores automatically.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;See how attacks actually unfold&lt;/STRONG&gt; using attack path analysis that connects exposure, misconfiguration, and data sensitivity and connecting those to actual alerts generated on the resource.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Customer can respond faster&lt;/STRONG&gt; with database alerts integrated into Microsoft Defender XDR for unified investigation across environments and correlation into incidents and attack stories across various resources and plans.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these outcomes help security teams move from reactive database monitoring to proactive risk reduction in multicloud architecture.&lt;/P&gt;
&lt;H5&gt;Database security as part of a unified CNAPP strategy&lt;/H5&gt;
&lt;P&gt;This GA milestone is part of Microsoft’s broader Cloud‑Native Application Protection Platform (CNAPP) approach, which brings together posture management, workload protection, and threat protection across the cloud lifecycle.&lt;/P&gt;
&lt;P&gt;By integrating database security into CNAPP, Defender for Cloud ensures databases are not isolated controls, but a critical part of a unified view across applications, identities, workloads, and data to support risk reduction while maintaining operational efficiency.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt; &lt;/STRONG&gt;&lt;/P&gt;
&lt;H5&gt;Get started today&lt;/H5&gt;
&lt;P&gt;GA support for AWS RDS is available now.&lt;/P&gt;
&lt;P&gt;Billing for this plan starts on &lt;STRONG&gt;June 1, 2026&lt;/STRONG&gt;, and charges will appear on the &lt;STRONG&gt;July 2026 bill&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Enable Microsoft Defender for open‑source relational databases in the Azure portal to begin applying additional protections for open-source databases across Azure and AWS with unified visibility and risk‑based security.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more → &lt;/STRONG&gt;&lt;A href="https://www.microsoft.com/en-us/security/business/solutions/cloud-security" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Cloud Security Solutions | Microsoft Security&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;H5&gt;Resources:&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Learn more about &lt;A href="https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-cloud" target="_blank" rel="noopener"&gt;Microsoft Defender for Cloud&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Read the &lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-introduction" target="_blank" rel="noopener"&gt;Defender for open‑source relational databases documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Explore &lt;A href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/data-security-review-risks" target="_blank" rel="noopener"&gt;sensitive data discovery&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Review available &lt;A href="https://aka.ms/DefenderForCloudTrial" target="_blank" rel="noopener"&gt;trial options&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Share your experience with Microsoft Defender for Cloud on &lt;A href="https://techcommunity.microsoft.com/discussions/microsoft-security/share-your-experience-with-microsoft-security-products-on-gartner-peer-insights/4449254" target="_blank" rel="noopener"&gt;Gartner Peer Insights&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 01 Jun 2026 17:11:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/now-generally-available-microsoft-defender-for-open-source/ba-p/4514651</guid>
      <dc:creator>lisetteranga</dc:creator>
      <dc:date>2026-06-01T17:11:16Z</dc:date>
    </item>
    <item>
      <title>Public preview: Expanded coverage and unified management for SQL VA Express Configuration</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/public-preview-expanded-coverage-and-unified-management-for-sql/ba-p/4514652</link>
      <description>&lt;P&gt;SQL Vulnerability Assessment (SQL VA) is a core capability in Defender for SQL that helps customers identify possible misconfigurations, excessive permissions, and other deviations from security best practices through continuous scanning of their databases. Traditionally, enabling SQL VA on SQL PaaS resources required customers to provision and maintain a dedicated Azure Storage account to hold scan results and baselines. In addition, managing SQL VA across resource types required different API endpoints, which made it harder to script consistent enablement and baseline management across a mixed SQL estate. For customers managing large SQL estates, this added operational overhead to onboarding and ongoing management. This friction may lead to inconsistent enablement across environments and leave gaps in vulnerability visibility. &amp;nbsp;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;To simplify this experience, Microsoft introduced Express Configuration, which uses Microsoft-managed storage and does not require a customer-provisioned storage account. Express Configuration is generally available for Azure SQL Database and is the recommended enablement mode for SQL VA, where supported.&lt;/P&gt;
&lt;P&gt;This public preview extends Express Configuration to Azure SQL Managed Instance and Azure Synapse Analytics workspaces, and introduces a new preview API version that brings SQL VA management under a unified model across Azure SQL Database, SQL Managed Instance, Synapse workspaces, and SQL on machines (Azure VMs and Arc-enabled SQL Servers). Customers can now enable SQL VA on SQL Managed Instance and Synapse workspaces without provisioning a dedicated storage account and can manage SQL VA across all supported resource types through a single API.&lt;/P&gt;
&lt;P&gt;Together, these changes broaden Express Configuration coverage across Azure SQL PaaS services and consolidate SQL VA operations under a single API, helping standardize how SQL VA is enabled and managed and reduce operational overhead across a customer's SQL estate.&lt;/P&gt;
&lt;H4&gt;What’s new in this release&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Express Configuration support for additional Azure SQL PaaS services: Azure SQL Managed Instance (public preview) and Azure Synapse Analytics workspaces (dedicated SQL pools, public preview); Express Configuration for Azure SQL Database remains generally available.&lt;/LI&gt;
&lt;LI&gt;Express Configuration is the default when enabling Defender for SQL on a resource from the UI.&lt;/LI&gt;
&lt;LI&gt;New preview API version for unified SQL VA management across Azure SQL Database, SQL Managed Instance, Azure Synapse Analytics workspaces (Express Configuration only), and SQL on machines (Azure Virtual Machines and Arc-enabled SQL Servers).&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Why use Express Configuration&lt;/H4&gt;
&lt;P&gt;Express Configuration simplifies how SQL Vulnerability Assessment is enabled and managed for Azure SQL Managed Instance and Azure Synapse Analytics workspaces, without changing the security coverage or rule set provided by SQL VA.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;No customer-managed storage required. Express Configuration uses Microsoft-managed storage, so customers don’t need to provision or maintain storage accounts for scan results and baselines.&lt;/LI&gt;
&lt;LI&gt;Automatic weekly scans and on-demand scans through the UI, unified API, or scripts.&lt;/LI&gt;
&lt;LI&gt;Baseline management at scale, including setting baselines per finding or in bulk. Baseline changes take effect without waiting for the next scan to complete.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Unified management across SQL platforms&lt;/H4&gt;
&lt;P&gt;The latest preview API version enables a unified model for configuration, scanning, and governance for SQL Vulnerability Assessment across all supported SQL deployments:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Manage SQL VA across Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics workspaces.&lt;/LI&gt;
&lt;LI&gt;Manage SQL VA across SQL on machines, including Azure Virtual Machines and Arc-enabled SQL Servers.&lt;/LI&gt;
&lt;LI&gt;Use a consistent model for configuration, scans, results retrieval, and baseline management across supported resource types.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Limitations and prerequisites Permissions&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Task&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Required roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;View SQL vulnerability assessment results in Microsoft Defender for Cloud recommendations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Admin or Security Reader&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Change SQL vulnerability assessment settings&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Admin or SQL Security Manager&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Access resource-level scan results or automated email links&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Admin or SQL Security Manager&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Classic Configuration conflict:&lt;/STRONG&gt; If Classic Configuration is already enabled on a resource, enabling Express Configuration through the API will fail with an error. To migrate an existing Classic Configuration to Express Configuration, use the &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql?tabs=preview#public-preview-for-azure-sql-managed-instance-and-azure-synapse-analytics-workspace-unified-api" target="_blank"&gt;updated migration script&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;UI enablement supports clearing Classic Configuration settings and re-enabling with Express Configuration.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SQL Managed Instance prerequisite&lt;/STRONG&gt;&lt;STRONG&gt;:&lt;/STRONG&gt; A system-assigned managed identity is required for Express Configuration to work on SQL Managed Instance.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Preview enablement scope:&lt;/STRONG&gt; During public preview subscription-level enablement does not automatically apply Express Configuration to SQL Managed Instance or Synapse workspaces during public preview.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Reverting to Classic Configuration:&lt;/STRONG&gt; After migrating to Express Configuration, reverting to Classic Configuration is possible programmatically but not through the UI.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Get started&lt;/H4&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Try it through the portal:&lt;/STRONG&gt; &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/sql-azure-vulnerability-assessment-enable" target="_blank" rel="noopener"&gt;Enable Express Configuration&lt;/A&gt; on a SQL Managed Instance or Synapse workspace through the Defender for Cloud portal, run an on-demand scan, and review findings in Defender for Cloud recommendations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Automate your first steps:&lt;/STRONG&gt; Use the SQL VA Express Configuration &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-unified-api-quickstart" target="_blank" rel="noopener"&gt;quickstart script&lt;/A&gt; to enable Express Configuration, discover databases, run scans, and manage baselines through the unified API.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Migrate from Classic Configuration:&lt;/STRONG&gt; If you have Classic Configuration enabled on existing resources, use &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql?tabs=preview#public-preview-for-azure-sql-managed-instance-and-azure-synapse-analytics-workspace-unified-api" target="_blank" rel="noopener"&gt;the migration script &lt;/A&gt;&amp;nbsp;to move to Express Configuration.&lt;/LI&gt;
&lt;/OL&gt;</description>
      <pubDate>Tue, 19 May 2026 21:11:13 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/public-preview-expanded-coverage-and-unified-management-for-sql/ba-p/4514652</guid>
      <dc:creator>Catalin Esanu</dc:creator>
      <dc:date>2026-05-19T21:11:13Z</dc:date>
    </item>
    <item>
      <title>Microsoft.Security/policies GET endpoint returning 404 — deprecated? What is the replacement?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-security-policies-get-endpoint-returning-404/m-p/4520003#M2147</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are using the Azure Security Center REST API (api-version=2015-06-01-preview) to retrieve security policies for a subscription. We are hitting a 404 Not Found error on the Get endpoint while the List&lt;/P&gt;&lt;P&gt;endpoint works fine. Looking for clarification on whether this resource type has been deprecated and what the modern replacement is.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Endpoints in use&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;List Security Policies (WORKING):&lt;/P&gt;&lt;P&gt;GET https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.Security/policies?api-version=2015-06-01-preview&lt;/P&gt;&lt;P&gt;This returns a valid JSON response with an array of policies, each having an id, name, type, and a properties object containing policyLevel, recommendations, pricingConfiguration,&lt;/P&gt;&lt;P&gt;securityContactConfiguration, etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Get Security Policy by Name (BROKEN):&lt;/P&gt;&lt;P&gt;GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/policies/{policyName}?api-version=2015-06-01-preview&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Error received&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Not Found for url:&lt;/P&gt;&lt;P&gt;https://management.azure.com/subscriptions/&amp;lt;sub-id&amp;gt;/resourceGroups/AzureEventHubIT-resource-group/providers/Microsoft.Security/policies/AzureEventHubIT-resource-group?api-version=2015-06-01-preview&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;HTTP Status: 404 Not Found&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;What we've observed&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;- The List endpoint works and returns policies whose id values follow this exact structure:&lt;/P&gt;&lt;P&gt;/subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/microsoft.Security/policies/{policy-name}&lt;/P&gt;&lt;P&gt;- The policy name in the List response matches the resource group name (1:1 mapping), so we are passing the correct value to the Get endpoint.&lt;/P&gt;&lt;P&gt;- Despite using the exact name and resource group from the List response, the Get endpoint returns 404.&lt;/P&gt;&lt;P&gt;- We also checked the https://learn.microsoft.com/en-us/rest/api/defenderforcloud/operation-groups?view=rest-defenderforcloud-2015-06-01-preview and noticed that Security Policies does not appear as a&lt;/P&gt;&lt;P&gt;documented operation group in any version — including 2015-06-01-preview. The only documented groups for that version are: Discovered Security Solutions, Locations, Operations, and Tasks.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;---&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;Questions&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;1. Has the Microsoft.Security/policies resource type at the resource group scope been officially deprecated or removed? If so, is there a migration guide or announcement?&lt;/P&gt;&lt;P&gt;2. Why does the List endpoint still respond successfully while the individual Get endpoint returns 404? Is the List endpoint returning legacy/cached data?&lt;/P&gt;&lt;P&gt;3. What are the recommended replacement APIs for the functionality that was in the old policies resource? Specifically we need equivalents for:&lt;/P&gt;&lt;P&gt;- properties.pricingConfiguration → Is this now covered by https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01?&lt;/P&gt;&lt;P&gt;- properties.recommendations (patch, antimalware, diskEncryption, etc.) → Is this now https://learn.microsoft.com/en-us/rest/api/defenderforcloud/assessments?view=rest-defenderforcloud-2020-01-01?&lt;/P&gt;&lt;P&gt;- properties.securityContactConfiguration → Is this now Microsoft.Security/securityContacts (2020-01-01-preview)?&lt;/P&gt;&lt;P&gt;4. Is there any announced retirement date for the List endpoint as well?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any official documentation links or migration guides would be very helpful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Fri, 15 May 2026 07:58:31 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-security-policies-get-endpoint-returning-404/m-p/4520003#M2147</guid>
      <dc:creator>mahendra_kamble_sumo</dc:creator>
      <dc:date>2026-05-15T07:58:31Z</dc:date>
    </item>
    <item>
      <title>Better together with Azure WAF + Microsoft Defender for Storage + Defender for Azure SQL Databases</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/better-together-with-azure-waf-microsoft-defender-for-storage/ba-p/4517101</link>
      <description>&lt;P&gt;Authored by: &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="157704" data-lia-user-login="Fernanda_Vela" class="lia-mention lia-mention-user"&gt;Fernanda_Vela​&lt;/a&gt; , &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="2933317" data-lia-user-login="saikishor" class="lia-mention lia-mention-user"&gt;saikishor​&lt;/a&gt;, &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="13689" data-lia-user-login="Yura_Lee" class="lia-mention lia-mention-user"&gt;Yura_Lee​&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Reviewed by: &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="124214" data-lia-user-login="YuriDiogenes" class="lia-mention lia-mention-user"&gt;YuriDiogenes​&lt;/a&gt;, &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="786329" data-lia-user-login="Mohit_Kumar" class="lia-mention lia-mention-user"&gt;Mohit_Kumar​&lt;/a&gt;, &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="1207475" data-lia-user-login="Amir_Dahan" class="lia-mention lia-mention-user"&gt;Amir_Dahan​&lt;/a&gt;, &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="2859467" data-lia-user-login="eitanbremler" class="lia-mention lia-mention-user"&gt;eitanbremler​&lt;/a&gt; , &lt;a href="javascript:void(0)" data-lia-user-mentions="" data-lia-user-uid="983767" data-lia-user-login="Kitt_Weatherman" class="lia-mention lia-mention-user"&gt;Kitt_Weatherman​&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Introduction&lt;/H1&gt;
&lt;P&gt;Often, customers ask why additional workload protection is needed when a web application firewall is already in place. Azure Web Application Firewall (WAF) serves as a critical control at the application edge, inspecting inbound HTTP/S traffic and blocking common web-based exploits before they reach backend services. However, modern attack paths are no longer limited to the web entry point. Attackers increasingly target components that bypass HTTP/S inspection altogether such as direct access to storage and SQL through SDKs, native integration tools, private endpoints, or compromised identities and third-party integrations.&lt;/P&gt;
&lt;P&gt;This is where Microsoft Defender for Cloud complements WAF. While WAF focuses on securing the application boundary, Defender for Cloud extends protection into the resource layer by providing Cloud-Native Application Protection Platform (CNAPP) capabilities, including security posture management and workload protection. Using resource-native signals, it helps identify misconfigurations and detect suspicious control-plane and data-plane activity that would otherwise remain invisible to perimeter controls.&lt;/P&gt;
&lt;P&gt;The Azure Networking Security blog post &lt;A href="https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/zero-trust-with-azure-firewall-azure-ddos-protection-and-azure-waf-a-practical-u/4490595" target="_blank" rel="noopener"&gt;&lt;EM&gt;“Zero Trust with Azure Firewall, Azure DDoS Protection, and Azure WAF: A practical approach”&lt;/EM&gt;&lt;/A&gt; highlights WAF’s role in inspecting inbound HTTP/S traffic, detecting malicious request patterns (such as OWASP Top 10 vulnerabilities), and reducing direct exposure of backend endpoints by enforcing a controlled application entry point.&lt;/P&gt;
&lt;P&gt;Building on that foundation, this blog focuses on a “better together” approach that combines WAF with Microsoft Defender for Cloud protecting storage and database. Through practical scenarios and posture insights, we will underline how these controls together:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Reduces attack surface at the application entry point&lt;/LI&gt;
&lt;LI&gt;Continuously improves security posture through configuration and exposure analysis&lt;/LI&gt;
&lt;LI&gt;Detects and responds to threats targeting storage accounts and SQL databases beyond the web perimeter&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By the end of this post, you will understand how Defender for Cloud’s Storage and SQL protections extend the visibility provided by WAF, enabling protection not only at the edge, but also across the underlying data services. Together, these controls form a cohesive model that addresses both external attack vectors and internal or indirect access paths.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt;Note: &lt;/EM&gt;&lt;/STRONG&gt;&lt;EM&gt;This is not a deep configuration guide for rule tuning, nor a replacement for official product documentation. It is intended to help architects and security teams align responsibilities and understand how these services reinforce each other.&lt;/EM&gt;&lt;/P&gt;
&lt;H2&gt;&lt;SPAN style="color: rgb(30, 30, 30); font-size: 32px;"&gt;Architecture:&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P&gt;The architecture below shows the traffic flow and where each service fits in the lab used in this blog to simulate the attacks. Azure Application Gateway with WAF is the internet-facing entry point, inspecting inbound HTTP/S traffic before it reaches the backend. Behind it, Azure Firewall provides both network- and application-layer inspection for inbound and outbound flows. In the backend subnet, multiple VMs host the workload.&lt;/P&gt;
&lt;P&gt;For our demonstration, we focus on a single host running:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;OWASP Juice Shop (port 3000),&lt;/LI&gt;
&lt;LI&gt;An upload API that writes to Azure Storage (port 8080)&lt;/LI&gt;
&lt;LI&gt;An API that connects to Azure SQL Database (port 5000).&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This setup allows us to simulate realistic attack paths originating both from the internet and from within the network.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;Figure 1: Architecture that shows resources with Application Gateway with WAF, Azure Firewall Premium and inbound traffic&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Note: The patterns in this blog apply to both Azure WAF platforms: Application Gateway WAF and Azure Front Door WAF. The lab uses Application Gateway WAF for the demonstration.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Now, let’s head to the next section where we dive deep into these services to understand their capabilities with some attacks, alerts and insights.&lt;/P&gt;
&lt;H2&gt;Azure Web Application Firewall at the Edge&lt;/H2&gt;
&lt;P&gt;As we may have understood by now, Azure WAF is the first layer of protection,&amp;nbsp;inspecting external web traffic for malicious patterns. Each incoming request is evaluated against its rulesets to either allow, block or log this traffic by using its managed and custom rulesets. Now, what are these rulesets?&lt;/P&gt;
&lt;P&gt;Azure WAF uses managed rule sets like the Default Rule Set (DRS) (version 2.2 as of this writing), which incorporate OWASP Top 10 protections and Microsoft threat intelligence to block common attacks (SQL injection, XSS, remote file inclusion, etc.) in real time. Additional managed sets include a Bot Protection rule set (to guard against malicious bots scraping content) and HTTP DDoS rule set (to detect Layer 7 DDoS patterns). Beyond the built-ins, you can define custom WAF rules for application-specific needs—blocking or allowing traffic based on attributes like geolocation, IP ranges, or specific URL paths.&lt;/P&gt;
&lt;P&gt;Now let’s talk about an example scenario. In our lab, Azure WAF is protecting multiple backend services on different paths and ports. When an external attacker tries to exploit the Juice Shop app with a crafted XSSattack, Azure WAF immediately detects the malicious pattern and blocks the request at the gateway as seen below.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 2: An XSS attack on the juiceshop website, immediately results in a 403 Forbidden as WAF catches this attack in the application layer.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;However, WAF’s inspection is inherently limited to traffic it can see, primarily, the HTTP/S flows it fronts. Let’s say our attacker changes tactics: instead of trying to force malicious code through the web interface, they obtain a stolen storage key or credentials through phishing and attempt to access the Azure Storage account directly via APIs. This request never goes through WAF, so WAF cannot assess or block it. In such a case, Microsoft Defender for Storage’s threat detection monitors for such suspicious activity, for example by raising an alert about the unusual direct access or flagging a malware file uploaded to a blob container. Likewise, if our attacker exploited a weakness in application code to run malicious SQL commands on the database (whether through potentially harmful application or a suspicious service account), Defender for SQL monitors for and alerts anomalous query patterns or suspicious logins. This illustrates why WAF and Defender for Cloud are complementary: WAF stops web attacks at the door, while Defender for Cloud watches for threats that get inside or come through alternate doors.&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 3:&lt;/EM&gt;&lt;EM&gt; Single-host lab architecture with Azure Application Gateway (WAF) and resource‑level protection&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Figure 3 illustrates the key distinction: WAF inspects and protects the application entry point, while Defender for Cloud provides visibility into the resources themselves. Together, they cover both the path into the application and the behavior within the environment—forming a complete protection model across layers. Because not all access to storage and databases may flow through the application gateway, you also need resource-level posture and threat detection to see and stop activity that never appears in WAF logs.&lt;/P&gt;
&lt;H2&gt;Cloud Security Posture Management with Defender for Cloud&lt;/H2&gt;
&lt;P&gt;With the edge covered, the next challenge is reducing risk that originates from misconfiguration and resource exposure. Most successful attacks originate from exposed services and misconfigurations rather than direct application-layer exploits.&lt;/P&gt;
&lt;P&gt;Microsoft Defender for Cloud’s storage and database protection provide security posture insights that help identify and prioritize these security gaps at the resource level. Defender for Cloud has visibility insights that capture the resources’ misconfigurations on the control and data plane via the Recommendations view in the Azure portal, as shown in the example below:&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 4: Juice Shop’s storage account and SQL server recommendations&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Figure 4 is a list of recommendations organized by risk level for this particular environment. The security team should harden the “defendertestsai” storage asset by preventing shared access keys, and the “juiceshop” SQL database by provisioning an Entra administrator. Each recommendation will also provide guidance to remediate these findings.&lt;/P&gt;
&lt;P&gt;The “Data &amp;amp; AI Dashboard” in Defender for Cloud, with Defender CSPM, will also provide security posture insight into storage, database and AI resources by surfacing their risks, alerts and sensitive data discovery all in one dashboard.&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 5: Juice Shop’s Sensitive data discovery and Data threat detection dashboard in Defender for Cloud’s “Data&amp;amp;AI section”.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Under &lt;EM&gt;Data closer look&lt;/EM&gt;,&lt;EM&gt; &lt;/EM&gt;in Figure 5, you can see in this example, starting from the left, sensitive information found in scanned resources, level alerts for databases and storage resources based on severity, templatized queries from the Cloud Security Explorer, and a graph displaying all internet exposed data resources below. These powerful insights on data resources all come from Defender for Cloud, designed to help customers harden their environment by priority through visibility across their entire data ecosystem based on risk level.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 6: Juice Shop’s attack path “Internet exposed Azure VM with high severity vulnerabilities allows lateral movement to Critical Storage used by Azure AI Foundry”.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Attack paths are potential avenues in which an attacker can infiltrate and compromise data. In Figure 6 above, we see insight into not only the storage account itself, but the context around it: an internet exposed storage account is connected to other assets like a virtual machine and a managed identity that has permissions to manipulate data.&lt;/P&gt;
&lt;P&gt;These Defender for Cloud security posture insights complement WAF and complete the defense-in-depth security approach: harden the data services so that even if an attacker reaches them the blast radius is smaller, and the likelihood of compromise is reduced.&lt;/P&gt;
&lt;H2&gt;Defender for Cloud’s advanced threat protection&lt;/H2&gt;
&lt;P&gt;Even in well-secured environments, attackers often interact directly with storage accounts or databases through identities, APIs, or trusted internal paths. Reducing exposure is critical but not sufficient. Detection is required once an attacker begins interacting with data Defender for Cloud’s advanced threat protection for Storage and SQL surfaces resource-level security alerts such as suspicious access patterns, anomalous queries, and malware detections—often with richer context than perimeter telemetry alone.&lt;/P&gt;
&lt;P&gt;Let’s use a malware alert for a storage account in the Defender portal as an example:&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 7: Juice Shop’s storage account security alert “Malicious blob uploaded to storage account”.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Malware scanning is a common requirement for teams that process user uploads or must meet security benchmarks. In this lab, Juice Shop allows users to upload files (for example, feedback attachments), and the upload API writes those files to Azure Blob Storage.&lt;/P&gt;
&lt;P&gt;Azure WAF inspects the HTTP request that delivers the upload headers, parameters, payload patterns and blocks web-layer attacks like XSS or SQLi. Scanning blob contents after they land is a different job, performed at the resource layer by Defender for Storage. With Defender for Storage malware scanning enabled, each uploaded blob is scanned; if the verdict is malware, Defender for Cloud raises an alert such as “Malicious blob uploaded to storage account” as shown in figure 7.&amp;nbsp; Then, with Defender for Storage’s automated malware remediation, the malicious blog is set to soft-delete for quarantine and further analysis.&lt;/P&gt;
&lt;P&gt;SQL databases are high-value targets for data access, privilege escalation, and exploitation of vulnerable applications. Database protection in Defender for Cloud has the visibility to provide customers with control plane and data plane level insight to alert on suspicious activity such as anomalous logons, unusual client applications, and injection-like query patterns.&lt;/P&gt;
&lt;P&gt;For example, here’s a potential SQL injection alert for a database in the Defender portal:&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-align-center"&gt;&lt;EM&gt;Figure 8: Juice Shop’s database security alert on a potential SQL injection.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;These alerts typically include investigation context such as the client application, client principal name, and the statement or pattern in question, along with severity to help you prioritize, as shown in Figure 8. From there, analysts can use recommended response actions (for example, to contain risky access paths or harden the database) to reduce the chance of repeat activity.&lt;/P&gt;
&lt;P&gt;In practice, Defender for Cloud threat detection gives SOC teams prioritized, resource-specific alerts with the context needed to investigate quickly and take action at the storage and database layers.&lt;/P&gt;
&lt;H1&gt;Conclusion&lt;/H1&gt;
&lt;P&gt;Azure Application Gateway with WAF is a necessary control to reduce application-layer risk at the edge. But defense in depth requires the assumption that some threats will reach or target data services directly. By layering Microsoft Defender for Storage and Microsoft Defender for SQL on top of Azure WAF, you add continuous posture insights to reduce preventable exposure, plus threat protection that detects suspicious activity at the resource layer. Operated together, these services provide stronger prevention, better detection coverage, and clearer response paths than single control alone.&lt;/P&gt;</description>
      <pubDate>Wed, 06 May 2026 17:22:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/better-together-with-azure-waf-microsoft-defender-for-storage/ba-p/4517101</guid>
      <dc:creator>Yura_Lee</dc:creator>
      <dc:date>2026-05-06T17:22:23Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Cloud Customer Newsletter</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4516842</link>
      <description>&lt;H1&gt;What's new in Defender for Cloud?&lt;/H1&gt;
&lt;P&gt;Container runtime anti-malware detection and blocking and DNS Detection for Kubernetes is now GA in Defender for Containers for AKS, EKS, and GKE. Learn more about these announcements&amp;nbsp;&lt;A href="https://aka.ms/mdcnews_DfContainers_antimalware_blocking" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;here&lt;/U&gt;&lt;/A&gt;&amp;nbsp;and&amp;nbsp;&lt;A href="https://aka.ms/mdcnews_DfContainers_dnsdetection" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;here&lt;/U&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;&lt;SPAN data-ogsc=""&gt;Defender for Storage integration in Azure Portal Storage Center now Generally Available&lt;/SPAN&gt;&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Customers can now view Defender for Storage threat protection and security posture coverage directly in Storage Center, next to their storage resources to understand which storage accounts are protected, where malware scanning, activity monitoring and sensitive data discovery are enabled and identify security gaps in Azure Blog Storage and Azure File storage.&amp;nbsp;For more details, please refer to this&amp;nbsp;&lt;A href="https://aka.ms/mdcnews_DfStorage_AzureIntegration" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;documentation&lt;/U&gt;&lt;/A&gt;.&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/MDCNewsJust" target="_blank"&gt;Check out other updates from last month here!&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_mtpblog" target="_blank"&gt;Check out monthly news for the rest of the MTP suite here!&lt;/A&gt; &amp;nbsp;&lt;/P&gt;
&lt;H1 data-ogsc="rgb(0, 0, 0)"&gt;Blogs of the month&lt;/H1&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;In April, our team published the following blog posts we would like to share:&lt;/P&gt;
&lt;OL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:false,&amp;quot;orderedStyleType&amp;quot;:1}"&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/MDCNewsBlog1" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Securing multicloud (Azure, AWS &amp;amp; GCP) with Microsoft Defender for Cloud: Connector best practices&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Defender for Cloud in the field&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Check out the two short videos on Defender Portal integration and Start Secure Stay Secure with Defender for Cloud&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:true,&amp;quot;orderedStyleType&amp;quot;:1}"&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_youtube_Defenderportal" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Microsoft Defender for Cloud deeply integrates with Microsoft Defender&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdc_youtube_startsecurestaysecure" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Start secure and stay secure with Microsoft Defender for Cloud&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsField&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921371778%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=Ni9o%2FuGnNm5keL5pEgpww3s46S3nE6EfDiG3Z28cPhI%3D&amp;amp;reserved=0" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Visit our YouTube page&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;GitHub Community&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Check out the AI Red Teaming Workshop below:&lt;/P&gt;
&lt;UL data-editing-info="{&amp;quot;applyListStyleFromLevel&amp;quot;:true}"&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://aka.ms/mdcgit_AIRedTeamingWorkshop" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;AI Red Teaming Workshop&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;LI data-ogsc="rgb(0, 0, 0)"&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsGit&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921474195%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=ZBr6NDY28EuqIzivYaky1d%2FBvBAr2oYHDW2vHcYuJKM%3D&amp;amp;reserved=0" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Visit our GitHub page&lt;/U&gt;&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2 data-ogsc="rgb(0, 0, 0)"&gt;Customer journey&lt;/H2&gt;
&lt;P data-ogsc="rgb(0, 0, 0)"&gt;Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsStory1" data-ogsc="rgb(5, 99, 193)" target="_blank"&gt;&lt;U data-ogsc=""&gt;Photon Education&lt;/U&gt;&lt;/A&gt;, a Poland-based edtech company that uses Defender for Cloud to protect their App Services and databases immediately.&lt;/P&gt;
&lt;H2&gt;Join our community!&lt;/H2&gt;
&lt;P&gt;We offer several customer connection programs within our private communities. By signing up, you can help us&amp;nbsp;shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at&amp;nbsp;&lt;A href="https://www.aka.ms/JoinCCP" target="_blank"&gt;aka.ms/JoinCCP.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in&amp;nbsp;&lt;A href="https://aka.ms/PublicContentFeedback" aria-label="Link https://aka.ms/PublicContentFeedback" target="_blank"&gt;https://aka.ms/PublicContentFeedback.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter:&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsSubscribe" target="_blank"&gt;https://aka.ms/MDCNewsSubscribe&lt;/A&gt;&lt;/PRE&gt;</description>
      <pubDate>Mon, 04 May 2026 16:47:10 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4516842</guid>
      <dc:creator>Yura_Lee</dc:creator>
      <dc:date>2026-05-04T16:47:10Z</dc:date>
    </item>
    <item>
      <title>Securing multicloud (Azure, AWS &amp; GCP) with Microsoft Defender for Cloud: Connector best practices</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/securing-multicloud-azure-aws-gcp-with-microsoft-defender-for/ba-p/4508563</link>
      <description>&lt;P&gt;Many organizations run workloads across multiple cloud providers and need to maintain a strong security posture while ensuring interoperability. Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) solution that helps secure these environments by providing unified visibility and protection for resources in AWS and GCP alongside Azure.&lt;/P&gt;
&lt;H2&gt;Planning for multicloud security with Microsoft Defender for Cloud&lt;/H2&gt;
&lt;P&gt;As customers adopt Microsoft Defender for Cloud in multicloud environments, Microsoft provides several resources to support planning, deployment, and scalable onboarding:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Planning Guides: &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/plan-multicloud-security-get-started" target="_blank" rel="noopener"&gt;Multicloud Protection Planning Guide&lt;/A&gt; that walks through key design considerations for securing multicloud with Microsoft Defender for Cloud.&lt;/LI&gt;
&lt;LI&gt;Deployment Guides: &lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription" target="_blank" rel="noopener"&gt;Connect your Azure subscriptions - Microsoft Defender for Cloud&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;With the right planning and adoption strategy, onboarding to Microsoft Defender for Cloud can be smooth and predictable. However, support cases show that some common challenges can still arise during or after onboarding AWS or GCP environments. Below, we walk through frequent multicloud scenarios, their symptoms, and recommended troubleshooting steps.&lt;/P&gt;
&lt;H2&gt;Common multicloud connector problems and how to resolve them&lt;/H2&gt;
&lt;P&gt;&lt;STRONG&gt;1. Problem: Removed cloud account still appears in Microsoft Defender for Cloud&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The AWS/GCP account is deleted or removed from your organization, but in Microsoft Defender for Cloud it still appears under connected environments. Additionally, security recommendations for resources in the deleted account may still show up in recommendations page.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Cause&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Microsoft Defender for Cloud does not automatically delete a cloud connector when the external account is removed. The security connector in Azure is a separate object that remains unless explicitly removed. Microsoft Defender for Cloud isn’t aware that the AWS/GCP side was decommissioned as there’s no automatic callback to Azure when an AWS account is closed. Therefore, the connector and its last known data linger until manually removed.&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;&lt;STRONG&gt;Solution&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Delete the connector to clean up the stale entry. Use one of the following methods.&lt;/P&gt;
&lt;P&gt;Option 1: Use the Azure portal&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Sign in to the Azure portal.&lt;/LI&gt;
&lt;LI&gt;Go to Microsoft Defender for Cloud &amp;gt; Environment settings.&lt;/LI&gt;
&lt;LI&gt;Select the AWS account or GCP project that no longer exists.&lt;/LI&gt;
&lt;LI&gt;Select Delete to remove the connector.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Option 2: REST API&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Delete the connector by using the REST API: &lt;A class="lia-external-url" href="https://learn.microsoft.com/rest/api/defenderforcloud/security-connectors/delete?view=rest-defenderforcloud-2024-03-01-preview&amp;amp;tabs=HTTP" target="_blank" rel="noopener"&gt;Security Connectors - Delete - REST API (Azure Defender for Cloud)&lt;/A&gt;.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Note: If a multicloud organization connector was set up and the organization was later decommissioned or some accounts were removed, there would be several connectors to clean up. Start by deleting the organization’s management account connector, then remove any remaining child connectors. Removing connectors in this order helps prevent leftover dependencies.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Additional guidance see: &lt;/EM&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/what-you-need-to-know-when-deleting-and-re-creating-the-security-connectors-in-d/3712772" target="_blank" rel="noopener" data-lia-auto-title="What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud" data-lia-auto-title-active="0"&gt;What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;2. Problem: Identity provider is missing or partially configured&amp;nbsp;&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;After running the AWS CloudFormation template, the connector setup fails. Microsoft Defender for Cloud shows the AWS environment in an error state because the identity link between Azure and AWS is not established.&lt;/P&gt;
&lt;P&gt;On the AWS side, the CloudFormation stack exists, but the required OIDC identity provider or the IAM role trust policy that allows Microsoft Defender for Cloud to assume the role via web identity federation is missing or misconfigured.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Cause &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The AWS CloudFormation template doesn’t match the correct Azure subscription or tenant. This can happen if:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;You were signed in to the wrong Azure directory when generating the template.&lt;/LI&gt;
&lt;LI&gt;You deployed the template to a different AWS account than intended.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In both cases, the Azure and AWS IDs won’t align, and the connector setup will fail.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Solution&lt;/STRONG&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Verify your Azure directory and subscription.
&lt;UL&gt;
&lt;LI&gt;In the Azure portal, go to Directories + subscriptions and make sure the correct directory and subscription are selected before you set up the connector.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;Clean up the incorrect configuration
&lt;UL&gt;
&lt;LI&gt;In AWS, delete the CloudFormation stack and any IAM roles or identity providers it created.&lt;/LI&gt;
&lt;LI&gt;In Microsoft Defender for Cloud, remove the failed connector from Environment settings.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;Re-create the connector.
&lt;UL&gt;
&lt;LI&gt;Follow the steps in&amp;nbsp;&lt;A class="lia-external-url" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://learn.microsoft.com/azure/defender-for-cloud/connect-azure-subscription" target="_blank" rel="noopener"&gt;Connect your Azure subscriptions - Microsoft Defender for Cloud&lt;/A&gt;&lt;SPAN style="color: rgb(30, 30, 30);"&gt; to generate and deploy a new CloudFormation template using the correct Azure and AWS accounts.&lt;/SPAN&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;OL start="4"&gt;
&lt;LI&gt;Verify the connection.
&lt;UL&gt;
&lt;LI&gt;After the connection succeeds, the AWS environment shows Healthy in Microsoft Defender for Cloud. Resources and recommendations begin appearing within about an hour.&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;3. Problem: Duplicate security connector prevents onboarding&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;When an AWS or GCP connector is added in Microsoft Defender for Cloud, onboarding fails with an error that indicates another connector with the same hierarchyId already exists. In the Azure portal, the environment shows Failed, and no resources appear in Microsoft Defender for Cloud.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Cause &lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Microsoft Defender for Cloud allows only one connector per cloud account within the same Microsoft Entra ID tenant. The hierarchyId uniquely identifies the cloud account (for example, an AWS account ID or a GCP project ID). If the account was previously onboarded in another Azure subscription within the same tenant, you can’t onboard it again until the existing connector is removed.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Solution&lt;/STRONG&gt;&lt;BR /&gt;Find and remove the existing connector and then retry onboarding.&lt;/P&gt;
&lt;P&gt;Step 1: Identify the existing connector&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Sign in to the Azure portal.&lt;/LI&gt;
&lt;LI&gt;Go to Microsoft Defender for Cloud &amp;gt; Environment settings.&lt;/LI&gt;
&lt;LI&gt;Check each subscription in the same tenant for a pre-existing AWS account or GCP project connector.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;If you have access, you can also query Azure Resource Graph to locate existing connectors:&lt;/P&gt;
&lt;LI-CODE lang="json"&gt;| resources
| where type == "microsoft.security/securityconnectors"
| project name, location, properties.hierarchyIdentifier, tenantId, subscriptionId&lt;/LI-CODE&gt;
&lt;P&gt;&lt;BR /&gt;Step 2: Remove the duplicate connector&lt;BR /&gt;Delete the connector that uses the same hierarchyId. Follow the steps outlined in the previous troubleshooting scenario for deleting security connectors.&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Step 3: Retry onboarding After the connector is removed, add the AWS or GCP connector again in the target subscription. If the error persists, verify that all duplicate connectors were deleted and allow a short time for changes to propagate.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Conclusion&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;Microsoft Defender for Cloud supports a strong multicloud security strategy, but cloud security is an ongoing effort. Onboarding multicloud environments is only the first step. After onboarding, regularly review security recommendations, alerts, and compliance posture across all connected clouds. With the right configuration, Microsoft Defender for Cloud provides a single source of truth to maintain visibility and control as threats continue to evolve.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Further Resources:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/plan-multicloud-security-get-started" target="_blank" rel="noopener"&gt;Microsoft Defender for Cloud – Multicloud Security Planning Guide&lt;/A&gt; – Start here to design your strategy for AWS/GCP integration, with guidance on prerequisites and best practices.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/defender-for-cloud/quickstart-onboard-aws?tabs=Defender-for-Containers" target="_blank" rel="noopener"&gt;Connect your AWS account - Microsoft Defender for Cloud&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://learn.microsoft.com/azure/defender-for-cloud/quickstart-onboard-gcp" target="_blank" rel="noopener"&gt;Connect your GCP project - Microsoft Defender for Cloud&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" style="font-style: normal; font-weight: 400; background-color: rgb(255, 255, 255);" href="https://learn.microsoft.com/azure/defender-for-cloud/troubleshoot-connectors" target="_blank" rel="noopener"&gt;Troubleshoot connectors guide - Microsoft Defender for Cloud&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We hope this guide helps you successfully implement end-to-end ingestion of Microsoft Intune logs into Microsoft Sentinel. If you have any questions, feel free to leave a comment below or reach out to us on X &lt;A class="lia-external-url" href="https://aka.ms/MSFTSecSuppTeam" target="_blank" rel="noopener"&gt;@MSFTSecSuppTeam&lt;/A&gt;.&lt;/P&gt;</description>
      <pubDate>Fri, 10 Apr 2026 18:03:39 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/securing-multicloud-azure-aws-gcp-with-microsoft-defender-for/ba-p/4508563</guid>
      <dc:creator>ckyalo</dc:creator>
      <dc:date>2026-04-10T18:03:39Z</dc:date>
    </item>
    <item>
      <title>Microsoft Defender for Cloud Customer Newsletter</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4508180</link>
      <description>&lt;H1&gt;What's new in Defender for Cloud?&lt;/H1&gt;
&lt;OL&gt;
&lt;LI&gt;Kubernetes gated deployment is now generally available for AKS automatic clusters. Use help to deploy the Defender for Containers sensor to use this feature. More information can be found &lt;A href="https://aka.ms/mdc_kub_gateddeployments" target="_blank"&gt;here&lt;/A&gt;.&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Grouped recommendations are converted into individual ones to list each finding separately. While grouped recommendations are still available, new individual recommendations are now marked as preview and are not yet part of the Secure Score. This new format will allow for better prioritization, actionable context and better governance and tracking. For more details, please refer to this&amp;nbsp;&lt;A href="https://aka.ms/mdc_newindividualrecco" target="_blank"&gt;documentation&lt;/A&gt;.&amp;nbsp;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://aka.ms/MDCNewsJust" target="_blank"&gt;Check out other updates from last month here!&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;A class="lia-external-url" href="https://aka.ms/mdc_mtpblog" target="_blank"&gt;Check out monthly news for the rest of the MTP suite here!&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H1&gt;Blogs of the month&lt;/H1&gt;
&lt;P&gt;In March, our team published the following blog posts we would like to share:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog1" target="_blank"&gt;Defending Container Runtime from Malware with Defender for Containers&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/t5/aka.ms/mdcnewsblog2" target="_blank"&gt;Modern Database Protection: From Visibility to Threat Detection with Defender for Cloud&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/MDCNewsBlog3" target="_blank"&gt;New innovations in Microsoft Defender to strengthen multi-cloud, containers, and AI model security&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;
&lt;P&gt;&lt;A href="https://aka.ms/MDCNewsBlog4" target="_blank"&gt;Defending the AI Era: New Microsoft Capabilities to Protect AI&lt;/A&gt;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;H1&gt;Defender for Cloud in the field&lt;/H1&gt;
&lt;P&gt;Revisit the malware automated remediation announcement since this feature is now in GA!&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/mdcinthefield_65" target="_blank"&gt;Automated remediation for malware in storage&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsField&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921371778%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=Ni9o%2FuGnNm5keL5pEgpww3s46S3nE6EfDiG3Z28cPhI%3D&amp;amp;reserved=0" target="_blank"&gt;Visit our YouTube page&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;GitHub Community&lt;/H1&gt;
&lt;P&gt;Check out the new Module 28 in the MDC Lab: Defending Container Runtime from Malware with Microsoft Defender for Containers&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/mdcnews_git_module28" target="_blank"&gt;Defending Container Runtime from Malware&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2FMDCNewsGit&amp;amp;data=05%7C02%7CYura.Lee%40microsoft.com%7C3927ff7829b9416ac31c08dd447f9315%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638742036921474195%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&amp;amp;sdata=ZBr6NDY28EuqIzivYaky1d%2FBvBAr2oYHDW2vHcYuJKM%3D&amp;amp;reserved=0" target="_blank"&gt;Visit our GitHub page&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;Customer journey&lt;/H1&gt;
&lt;P&gt;Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsStory1" target="_blank"&gt;ManpowerGroup&lt;/A&gt;, a global workforce solutions leader, deployed Microsoft 365 E5, and Microsoft Security to modernize and future-proof their cyber security platform. ManpowerGroup leverages Entra ID, Defender for Endpoint, Defender for Identity, Defender for O365, Defender for Cloud, Microsoft Security Copilot and Purview to transform itself as an AI Frontier Firm.&lt;/P&gt;
&lt;H2&gt;Join our community!&lt;/H2&gt;
&lt;P&gt;We offer several customer connection programs within our private communities. By signing up, you can help us&amp;nbsp;shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at&amp;nbsp;&lt;A href="https://www.aka.ms/JoinCCP" target="_blank"&gt;aka.ms/JoinCCP.&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in&amp;nbsp;&lt;A href="https://aka.ms/PublicContentFeedback" aria-label="Link https://aka.ms/PublicContentFeedback" target="_blank"&gt;https://aka.ms/PublicContentFeedback.&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;PRE&gt;Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter:&amp;nbsp;&lt;A href="https://aka.ms/MDCNewsSubscribe" target="_blank"&gt;https://aka.ms/MDCNewsSubscribe&lt;/A&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 02 Apr 2026 20:43:28 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/microsoft-defender-for-cloud-customer-newsletter/ba-p/4508180</guid>
      <dc:creator>Yura_Lee</dc:creator>
      <dc:date>2026-04-02T20:43:28Z</dc:date>
    </item>
  </channel>
</rss>

