Azure Defender for Servers
27 Topics

Deploying and Onboarding 2008 R2
Hi all, we purchased Defender for Business Servers, and I need to install it on some 2008 R2 servers. There is no Defender for Endpoint software, so following the guides, I only have to install the MMA, but then how do I know my server is protected? Do I need to enroll it in Azure? Our servers are on-premise, and I don't know if I need to use Azure Arc (do I need to pay?). Is anyone using Defender for Windows Servers (On-Premise) with the 2008 R2 version? Thanks in advance

Secure score power BI dashboard
We are following https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Secure%20Score to deploy the secure score over time dashboard for MDC. However, the deployment steps are very old, from when we had Azure Security Center instead of MDC, and the prerequisites are not properly documented. As per the article we need to:
- Export the secure score data to a Log Analytics workspace by using the continuous report option in the MDC portal.
- Deploy the Secure Score over time workbook, which can export the secure score data to the Log Analytics workspace (not clear if this will pull reports every 24 hours, and what permissions are required on the Log Analytics workspace and to deploy the workbook).
Do we need to export the secure score data to the same Log Analytics workspace on which MDC is deployed, or is a separate workspace needed? If MDC already uses a Log Analytics workspace in the backend to store the logs, then why can't we pull the secure score log data directly? Why do we need to export the secure score data to a Log Analytics workspace first and then connect it to the dashboard?

Defender for Server deployed, integration for DfE checked, but M365 Defender showing "Can be onboard
I'm sure I'm missing something in the slightly complicated way of enabling servers for DfE via Defender for Cloud Server. The licensing is in place and the checkboxes to share data are ticked. The servers are showing as onboarded in Defender for Cloud; however, the one portal to rule them all, Microsoft Defender 365, is still showing the servers as "Can be onboarded" and missing the data of a properly onboarded DfE client. Where should I start my troubleshooting to determine what I've missed or what is going wrong? Paul

Question regarding manual (or delayed automatic) onboarding of VMs to Microsoft Defender for Cloud
Hello, I have a use case scenario where my infrastructure, consisting of both Linux and Windows Virtual Machines, is deployed via an Azure DevOps Pipeline to an Azure Subscription which has Microsoft Defender for Cloud enabled with advanced security features. I'd like my Infrastructure Build Pipeline tasks to finish before letting Microsoft Defender for Cloud do its magic with enabling Microsoft Defender for Endpoint features (mainly enabling the EDR solution on endpoints), in order to prevent any possible conflicts between these two actions. So here's my question: is it possible to manually onboard Virtual Machines, or to delay the automatic onboarding, to Microsoft Defender for Cloud?

Log Analytics workspace
Hello, can anyone help me understand the workspace used for Defender for Cloud? How do I identify which workspace Defender for Cloud is connected to? The older version of Defender for Cloud clearly mentioned the name of the workspace it is connected to; the latest version just displays it as "Default Workspace", not the actual name of the workspace, and there are multiple "Default workspaces" in a subscription/tenant. Thanks in Adv.

Anyone using Defender for SQL for on-prem Azure Arc connected SQL servers?
We have had around 20 on-premise SQL Servers connected via Azure Arc for several months, but there have been no alerts generated in Defender for Cloud. If it is working as intended, I'm glad we have had no suspicious activity. But I'm also concerned something may not be configured correctly. In my experience with security products, there is typically a tuning period needed to eliminate false positives. Does anyone know if there is anything we can do on the DB to trigger an alert, just to make sure everything is working? I'll just add that all the servers/DBs show as "Connected" in Azure > Azure Arc > SQL Servers, and show "Protected" on the Microsoft Defender for Cloud tab. There are also "Recommendations" and "Vulnerability assessment findings" for each server. So everything appears to be connected, there just are not any alerts.

Which VM security events are required for enhanced security features, e.g. in Defender for Servers?
Hi Azure Cloud Defenders! I would like to understand which Defender for Cloud features require VM Security Events to be collected, and to which extent. According to a recent webinar, it is a common misconception that Threat Detection and Vulnerability Assessments for VMs rely on that data being collected/ingested. On the other hand, the docs, e.g. for adaptive application control, let me assume that gathering those events/logs is required for that feature. Can someone explain for which cases/scenarios event logs from VMs must be collected and ingested into the Log Analytics workspace? Furthermore, it would be good to know the level of data to store (all events, common, minimal) for each case. Thank you very much in advance!

New Blog | Incident Triage: Microsoft Defender for Cloud Attack Path Analysis and Microsoft Sentinel
Introduction: If you are actively involved in the process of responding to cybersecurity incidents, or work in a capacity that deals with incident response, you understand the criticality of promptly identifying and mitigating security breaches in cloud environments. Timely and accurate incident triaging is crucial to minimize the impact of potential breaches and ensure a proactive security posture. However, in many cases, security analysts are overwhelmed by the sheer volume of incidents and the manual effort required to investigate and prioritize them. To address this challenge, we have developed a solution leveraging Microsoft Defender for Cloud Attack Path Analysis into Microsoft Sentinel to streamline cyber security incident triaging and improve response times. Read the blog: Incident Triage: Microsoft Defender for Cloud Attack Path Analysis and Microsoft Sentinel - Microsoft Community Hub