Cloud Security
93 Topics

Sensitivity Data Flag will not be deleted after Settings are changed
We have a lot of storage accounts which are flagged with risk factor "Sensitive Data", which also means all storage accounts which have this label have risk level critical. We deactivated Sensitive Data Scan but nothing happens. As I understand it, once a resource is flagged with "Sensitive Data" the flag will not be deleted anymore.

What we did so far:
- turn off/on/off… the data scanning
- turn off/on/off Data sensitivity
- deselect all of the different data sensitivity categories like Finance, PII, and Credentials
- turn off/on/off threshold for sensitive data labels
- turn off/on complete Defender

There is also a support ticket, where the recommendation from support was to open a discussion here to have the product team look at this error (#2502031420002278).

KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need: a query that will combine the Recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated to those categories:

securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend category_name = tostring(properties.displayName) //category name
| extend Tenant_Id=tostring(tenantId)
| extend healthy = properties.healthyResourceCount
| extend unhealthy = properties.unhealthyResourceCount
| extend notApplicable = properties.notApplicableResourceCount
| extend score = properties.score
| extend scr= parse_json(score)
| project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id
| join (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessment_name = tostring(properties.displayName) //assessment name
    | extend Tenant_Id=tostring(tenantId)
    | extend resourceName = properties.resourceDetails.ResourceName
    | extend status = properties.status.code
    | extend metadata = properties.metadata
    | extend severity = metadata.severity
    | project assessment_name, resourceName, status, severity, Tenant_Id
) on Tenant_Id
| project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id

This is a work-in-progress script. I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script, I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type", but I'm not sure which.

Please advise,
Serge

Azure Secure Score Comparison for Similar Organizations
Is there a way to see a comparison of Azure Secure Score for similar organizations, like how Microsoft Secure Score in the Defender portal shows? For example, Microsoft Secure Score has the below options, and I am looking for something similar in Azure Secure Score/Defender for Cloud Secure Score.

New Blog | Enhancing Server and Container Risk Score Analysis in Power BI
By Giulio Astori

Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), providing a standardized numerical score that ranges from 0.0 to 10.0, translated into severity ratings like Low, Medium, High, or Critical.

While Microsoft Defender for Cloud provides a robust risk level assessment for each resource, there is an opportunity to enhance this by integrating additional factors such as the exploitability of each CVE, the age since it was made public, and whether the CVE is a zero-day vulnerability. Additionally, resources themselves have contextual elements such as the number of attack paths, which can significantly impact their overall risk.

The Power BI solution builds on Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and enhancing the prioritization of vulnerabilities requiring urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention.

Read the full post here: Enhancing Server and Container Risk Score Analysis in Power BI

New Blog | New E-book: Building a Comprehensive API Security Strategy
By Loren Goduti

APIs are everywhere. They are proliferating at a rapid pace, which makes them a prime target for attackers. Thus, having a plan to secure and protect your APIs as part of your overall cybersecurity strategy is critical for protecting your business, as well as sensitive user data.

We are excited to share our newest e-book: Building a Comprehensive API Security Strategy

Read the full post here: New E-book: Building a Comprehensive API Security Strategy

Azure Cloud Defender false positive
Cloud Defender threw up an alert on Trojan:Script/Phonzy.B!ml for a PaloAlto virtual firewall. There are no Defender agents (detection was agentless). I cannot find any other incidents or similar issues. The affected file is pps_parport.ko, which is a library file. Currently unable to get the file off the Palo to upload to VirusTotal or a similar website. No other security issues with Azure servers. Is there a way to find out if this is a false positive, or is this system a canary in a coal mine?

New Blog | Detect Container Drift with Microsoft Defender for Containers
By Vasavi Pasula

Introduction

In cloud-native Kubernetes environments, containers are often treated as immutable resources, meaning they shouldn't change after deployment. Immutable containers minimize the attack surface because they do not allow modifications during runtime. This limits the potential for attackers to make unauthorized changes, install malware, or create backdoors within a running container.

Container drift refers to unintended or unauthorized manual changes, updates, patches, or other modifications made to a container during its runtime. When containers drift, they may incorporate untested and unverified changes, such as software updates, configuration modifications, or new libraries. These changes can introduce new vulnerabilities that were not present in the original, vetted container image. Drift might introduce changes that grant elevated privileges to processes or users within the container, which can be exploited to gain broader access to the system or network. Changes caused by drift can alter or disable security monitoring tools within the container, making it harder to detect and respond to security incidents promptly.

Microsoft Defender for Containers introduces the binary drift detection feature in public preview, to detect execution of files in a running container that drift from the original container image which was scanned, tested, and validated. It's available for the Azure (AKS) V1.29, Amazon (EKS), and Google (GKE) clouds.

Read the full post here: Detect Container Drift with Microsoft Defender for Containers

New Blog | Securing Multi-Cloud Gen AI workloads using Azure Native Solutions
By Abhi Singh

Note: This series is part of the "Security using Azure Native services" series and assumes that you are using, or planning to leverage, Defender for Cloud, the Defender XDR Portal, and Azure Sentinel.

Introduction

AI-based technology introduces a new set of security risks that may not be comprehensively covered by existing risk management frameworks. Based on our experience, customers often only consider the risks related to the Gen AI models like OpenAI or Anthropic, thereby not taking a holistic approach that covers all aspects of the workload.

This article will help you:
- Understand a typical multi-cloud Gen AI workload pattern
- Articulate the technical risks that exist in the AI workload
- Recommend security controls leveraging Azure Native services

Read the full post here: Securing Multi-Cloud Gen AI workloads using Azure Native Solutions

New Blog | Leveraging Azure Native Tooling to Hunt Kubernetes Security Issues
By singhabhi

Introduction

Container binary drift refers to the phenomenon where a running container deviates from its original image over time. This can happen due to various reasons, such as manual updates, automated processes, or security vulnerabilities. Essentially, the container starts to differ from the static snapshot it was created from, leading to potential inconsistencies and security risks.

When thinking of container image drifts, it is important to understand the following:
- Security Risks: Image drift can introduce security risks, as the container may run software or processes that were not part of the original image. This can create a security blind spot, as traditional image scanning may not detect these changes.
- Detection: Detecting image drift involves monitoring the container for changes that deviate from the original image. This can be done using tools that compare the running container's state with its original image.
- Prevention: To prevent image drift, it is recommended to implement image immutability, regularly update base images, and use image scanning tools. Monitoring and alerting for image drift can also help in identifying and addressing any deviations.

Read the full post here: Leveraging Azure Native Tooling to Hunt Kubernetes Security Issues