Microsoft Defender for Servers
46 Topics

Become a Microsoft Defender for Cloud Ninja
[Last update: 12/20/2024]

This blog post curates many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you go from absolutely no knowledge of Microsoft Defender for Cloud to designing and implementing different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud.

On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. To learn more about this change, read this article.

Every month we add new updates to this article, and you can track them by checking the red date beside the topic. If you have already studied all the modules and you are ready for the knowledge check, follow the procedures below:

To obtain the Defender for Cloud Ninja Certificate
1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023)
1. Take this knowledge check here, where you will find only questions related to Defender for Servers.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

Modules

To become a Microsoft Defender for Cloud Ninja, you will need to complete each module.
The content of each module will vary; refer to the legend to understand the type of content before clicking the topic’s hyperlink. The table below summarizes the content of each module:

| Module | Description |
| --- | --- |
| 0 - CNAPP | In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution. |
| 1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans | In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow. |
| 2 – Planning Microsoft Defender for Cloud | In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment, from supported platforms to best practices implementation. |
| 3 – Enhance your Cloud Security Posture | In this module you will learn how to leverage Cloud Security Posture management capabilities, such as Secure Score and Attack Path, for continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations. |
| 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud | In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which include vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks. |
| 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud | In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and get insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards. |
| 6 – Cloud Workload Protection Platform Capabilities in Azure Defender | In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which include JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts. |
| 7 – Streaming Alerts and Recommendations to a SIEM Solution | In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk. |
| 8 – Integrations and APIs | In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud. |
| 9 - DevOps Security | In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product. |
| 10 - Defender for APIs | In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability. |
| 11 - AI Posture Management and Workload Protection | In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps. |
Module 0 - Cloud Native Application Protection Platform (CNAPP)
- Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach
- Microsoft CNAPP Solution
- Planning and Operationalizing Microsoft CNAPP
- Understanding Cloud Native Application Protection Platforms (CNAPP)
- Cloud Native Applications Protection Platform (CNAPP)
- Microsoft CNAPP eBook
- Understanding CNAPP

Module 1 - Introducing Microsoft Defender for Cloud
- What is Microsoft Defender for Cloud?
- A New Approach to Get Your Cloud Risks Under Control
- Getting Started with Microsoft Defender for Cloud
- Implementing a CNAPP Strategy to Embed Security From Code to Cloud
- Boost multicloud security with a comprehensive code to cloud strategy
- A new name for multi-cloud security: Microsoft Defender for Cloud
- Common questions about Defender for Cloud

Module 2 – Planning Microsoft Defender for Cloud
- Features for IaaS workloads
- Features for PaaS workloads
- Built-in RBAC Roles in Microsoft Defender for Cloud
- Enterprise Onboarding Guide
- Assigning Permissions in Microsoft Defender for Cloud
- Design Considerations for Log Analytics Workspace
- Microsoft Defender for Cloud Monitoring Agent Deployment Options
- Onboarding on-premises machines using Windows Admin Center
- Understanding Security Policies in Microsoft Defender for Cloud
- Creating Custom Policies
- Centralized Policy Management in Microsoft Defender for Cloud using Management Groups
- Planning Data Collection for IaaS VMs
- Considerations for Multi-Tenant Scenario
- How to Effectively Perform a Microsoft Defender for Cloud PoC
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for DNS
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Container Registries
- Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM
- Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series
- Grant tenant-wide permissions to yourself
- Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud
- Simplifying Onboarding to Microsoft Defender for Cloud with Terraform

Module 3 – Enhance your Cloud Security Posture
- Azure Secure Score vs. Microsoft Secure Score
- How to calculate your secure score
- How Secure Score affects your governance
- Enhance your Secure Score in Microsoft Defender for Cloud
- Security recommendations
- Resource exemption
- Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud
- How to keep track of Resource Exemptions in Microsoft Defender for Cloud
- Deliver a Security Score weekly briefing
- Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders
- Secure Score Reduction Alert
- Weekly Secure Score Progress Report
- Average Time taken to remediate resources
- Improved experience for managing the default Azure security policies
- Security Policy Enhancements in Defender for Cloud
- Create custom recommendations and security standards
- Secure Score Overtime Workbook
- Automation Artifacts for Secure Score Recommendations
- Remediation Scripts
- Security Controls in Microsoft Defender for Cloud
- Enable MFA
- Restrict Unauthorized Network Access
- Secure Management Ports
- Secure management ports demo
- Apply adaptive application control
- Enable auditing and logging
- Enable auditing and logging demo
- Remediate security configurations
- Apply system updates
- Enable endpoint protection demo
- Encrypt data in transit
- Encrypt data at rest
- Protect Applications Against DDoS Attacks
- Implement security best practices

Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud
- CSPM in Defender for Cloud
- Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications
- Predict future security incidents! Cloud Security Posture Management with Microsoft Defender
- Software inventory filters added to asset inventory
- Drive your organization to security actions using Governance experience
- Managing Asset Inventory in Microsoft Defender for Cloud
- Vulnerability Assessment Deployment Options
- Vulnerability Assessment Workbook Template
- Vulnerability Assessment for Containers
- Exporting Azure Container Registry Vulnerability Assessment in Microsoft Defender for Cloud
- Improvements in Continuous Export feature
- Implementing Workflow Automation
- Workflow Automation Artifacts
- Creating Custom Dashboard for Microsoft Defender for Cloud
- Using Microsoft Defender for Cloud API for Workflow Automation
- Understanding Network Map
- Using Adaptive Network Hardening
- What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud
- Connect AWS Account with Microsoft Defender for Cloud
- Video Demo - Connecting AWS accounts
- Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS
- Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform
- How to better manage cost of API calls that Defender for Cloud makes to AWS
- Connect GCP Account with Microsoft Defender for Cloud
- Protecting Containers in GCP with Defender for Containers
- Video Demo - Connecting GCP Accounts
- Microsoft Defender for Cloud PoC Series - Multicloud with GCP
- All You Need to Know About Microsoft Defender for Cloud Multicloud Protection
- Custom recommendations for AWS and GCP
- Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided
- How to Generate a Microsoft Defender for Cloud exemption and disable policy report
- Cloud security posture and contextualization across cloud boundaries from a single dashboard
- Best Practices to Manage and Mitigate Security Recommendations
- Defender CSPM
- Defender CSPM Plan Options
- Cloud Security Explorer
- Identify and remediate attack paths
- Agentless scanning for machines
- Cloud security explorer and Attack path analysis
- Governance Rules at Scale
- Governance Improvements
- Data Security Aware Posture Management
- A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud
- Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis
- Understanding data aware security posture capability
- Agentless Container Posture
- Agentless Container Posture Management
- Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created
- Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud
- Demystifying Defender CSPM
- Discover and Protect Sensitive Data with Defender for Cloud
- Defender for cloud's Agentless secret scanning for virtual machines is now generally available!
- Defender CSPM Support for GCP
- Data Security Dashboard
- Agentless Container Posture Management in Multicloud
- Agentless malware scanning for servers
- Recommendation Prioritization
- Unified insights from Microsoft Entra Permissions Management
- Defender CSPM Internet Exposure Analysis
- Future-Proofing Cloud Security with Defender CSPM (12/2024)
- ServiceNow's integration now includes Configuration Compliance module

🚀 Suggested Labs:
- Improving your Secure Posture
- Connecting a GCP project
- Connecting an AWS project
- Defender CSPM
- Agentless container posture through Defender CSPM
- Contextual Security capabilities for AWS using Defender CSPM

Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Regulatory compliance dashboard
- Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Adding new regulatory compliance standards
- Regulatory Compliance workbook
- Regulatory compliance dashboard now includes Azure Audit reports
- Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS!
- Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance
- CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard
- Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure

🚀 Suggested Lab: Regulatory Compliance

Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Cloud
- Understanding Just-in-Time VM Access
- Implementing JIT VM Access
- File Integrity Monitoring in Microsoft Defender
- Define known-safe applications using Adaptive Application Control
- Understanding Threat Protection in Microsoft Defender
- Microsoft Defender for Servers
- Demystifying Defender for Servers
- Onboarding directly (without Azure Arc) to Defender for Servers
- Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM
- Vulnerability Management in Defender for Cloud
- File Integrity Monitoring using Microsoft Defender for Endpoint
- Microsoft Defender for Network Layer
- Microsoft Defender for Containers
- Basics of Defender for Containers
- Secure your Containers from Build to Runtime
- AWS ECR Coverage in Defender for Containers
- Upgrade to Microsoft Defender Vulnerability Management
- End to end container security with unified SOC experience
- Binary drift detection episode
- Binary drift detection
- Cloud Detection Response experience (12/2024)
- Exploring the Latest Container Security Updates from Microsoft Ignite 2024 (12/2024)
- Improvements in Container’s Posture Management (12/2024)
- Microsoft Defender for Storage
- Protect your storage resources against blob-hunting
- Malware Scanning in Defender for Storage
- Microsoft Defender for SQL
- Microsoft Defender for SQL and the Vulnerability Assessment (VA)
- New Defender for SQL VA
- Microsoft Defender for SQL Anywhere
- Validating Alerts on Microsoft Defender for SQL on machines
- New autoprovisioning process for SQL Server on machines plan
- Defender for Open-Source Relational Databases Multicloud
- Microsoft Defender for KeyVault
- Microsoft Defender for AppService
- How Microsoft Defender for App Service works
- Microsoft Defender for Resource Manager
- Understanding Security Incident
- Security Alert Correlation
- Alert Reference Guide
- 'Copy alert JSON' button added to security alert details pane
- Alert Suppression
- Simulating Alerts in Microsoft Defender for Cloud
- Alert validation
- Simulating alerts for Windows
- Simulating alerts for Linux
- Simulating alerts for Containers
- Simulating alerts for Storage
- Simulating alerts for Microsoft Key Vault
- Simulating alerts for Microsoft Defender for Resource Manager
- Integration with Microsoft Defender for Endpoint
- Auto-provisioning of Microsoft Defender for Endpoint unified solution
- Resolve security threats with Microsoft Defender for Cloud
- Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud
- Investigating Microsoft Defender for Cloud alerts using Azure Sentinel
- Service Layer Protection - Microsoft Defender for Resource Manager and DNS
- Azure Arc and Azure Microsoft for Kubernetes
- Filter security alerts by IP address
- Alerts by resource group
- Defender for Servers Security Alerts Improvements

🚀 Suggested Labs:
- Workload Protections
- Agentless container vulnerability assessment scanning
- Microsoft Defender for Cloud database protection
- Protecting On-Prem Servers in Defender for Cloud
- Defender for Storage

Module 7 – Streaming Alerts and Recommendations to a SIEM Solution
- Continuous Export capability in Microsoft Defender for Cloud
- Deploying Continuous Export using Azure Policy
- Connecting Microsoft Sentinel with Microsoft Defender for Cloud
- Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud
- Accessing Microsoft Defender for Cloud Alerts in Splunk using Graph Security API Integration
- Microsoft Sentinel bi-directional alert synchronization

🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM

Module 8 – Integrations and APIs
- Integration with Tenable
- Integrate security solutions in Microsoft Defender for Cloud
- Defender for Cloud integration with Defender EASM
- Defender for Cloud integration with Defender TI
- REST APIs for Microsoft Defender for Cloud
- Obtaining Secure Score via REST API
- Using Graph Security API to Query Alerts in Microsoft Defender for Cloud
- Automate(d) Security with Microsoft Defender for Cloud and Logic Apps
- Automating Cloud Security Posture and Cloud Workload Protection Responses

Module 9 – DevOps Security
- Overview of Microsoft Defender for Cloud DevOps Security
- DevOps Security Interactive Guide
- Configure the Microsoft Security DevOps Azure DevOps extension
- Configure the Microsoft Security DevOps GitHub action
- Automate SecOps to Developer Communication with Defender for DevOps
- Compliance for Exposed Secrets Discovered by DevOps Security
- Automate DevOps Security Recommendation Remediation
- DevOps Security Workbook
- Remediating Security Issues in Code with Pull Request Annotations
- Code to Cloud Security using Microsoft Defender for DevOps
- GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud
- Securing your GitLab Environment with Microsoft Defender for Cloud
- Bridging the Gap Between Code and Cloud with Defender for Cloud

🚀 Suggested Labs:
- Onboarding Azure DevOps to Defender for Cloud
- Onboarding GitHub to Defender for Cloud

Module 10 – Defender for APIs
- What is Microsoft Defender for APIs?
- Onboard Defender for APIs
- Validating Microsoft Defender for APIs Alerts.
- API Security with Defender for APIs
- Microsoft Defender for API Security Dashboard
- Exempt functionality now available for Defender for APIs recommendations
- Create sample alerts for Defender for APIs detections
- Defender for APIs reach GA
- Increasing API Security Testing Visibility

🚀 Suggested Lab: Defender for APIs

Module 11 – AI Posture Management and Workload Protection
- Secure your AI applications from code to runtime with Microsoft Defender for Cloud
- AI security posture management
- AI threat protection
- Secure your AI applications from code to runtime

🚀 Suggested Lab: Security for AI workloads

Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

Other Resources
- Microsoft Defender for Cloud Interactive Guide
- Microsoft Defender for Cloud Labs
- Become a Microsoft Sentinel Ninja
- Become an MDE Ninja
- Cross-product lab (Defend the Flag)
- Release notes (updated every month)
- Important upcoming changes

Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!!

Reviewer: Tom Janetscheck, Senior PM

308K Views, 63 likes, 27 Comments

Introducing the new File Integrity Monitoring with Defender for Endpoint integration
The final and most complex piece of this puzzle, the release of File Integrity Monitoring (FIM) powered by Defender for Endpoint, marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution based on Defender for Endpoint offers real-time monitoring on critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.

Agentless scanning for virtual machines in the cloud – technical deep dive
Over the past three years, a notable shift has unfolded in the realm of cloud security. Increasingly, security vendors are introducing agentless scanning solutions to enhance the protection of their customers. These solutions empower users with visibility into their security posture and the ability to detect threats — all achieved without the need to install any additional software, commonly referred to as an agent, onto their workloads.

8.2K Views, 10 likes, 3 Comments

Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and what the impact on customers is.

85K Views, 2 likes, 28 Comments

Microsoft Defender for Cloud PoC Series - Defender for Servers
2024-06-27: Blog updated to keep it current with latest improvements in Defender for Servers.

Introduction

This article is part of our Microsoft Defender for Cloud PoC Series, which provides you with guidelines on how to perform a successful proof of concept for a specific Defender for Cloud plan. For a more holistic approach where you need to validate Defender for Cloud, please read How to Effectively Perform a Microsoft Defender for Cloud PoC. Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP), providing end-to-end security for hybrid and multi-cloud platforms, with Defender for Servers being Microsoft's server protection offering under this CNAPP umbrella.

Planning

As part of your Defender for Servers PoC, you need to identify the use case scenarios you want to validate. While Defender for Servers Plan 1 mainly focuses on integration with Microsoft Defender for Endpoint, Defender for Servers Plan 2 will offer all capabilities of Plan 1 plus enhanced scenarios for multi-cloud machines. Therefore, we will focus on Defender for Servers Plan 2 use cases in this article. Please also see this documentation to learn more about differences between Defender for Servers plans.

If you decide to make your on-premises servers or machines hosted on other clouds, e.g. AWS or GCP, part of the PoC, you need to choose how you are going to connect them to Azure so that Defender for Cloud can discover them and start protecting them. For multi-cloud machines, you can refer to our multi-cloud onboarding guide. For on-premises machines, using Azure Arc is the recommended option. Please keep in mind that certain Defender for Servers capabilities, such as agentless machine scanning or Just-In-Time (JIT) VM Access, are not available for on-premises machines.

Remember that you have a 30-day free trial to test Defender for Servers. Any usage beyond 30 days will be automatically charged as per the pricing scheme here.
Preparation and Implementation

In order to enable Defender for Servers in your environment, you need a user account that has at least the Security Admin role. For more information about roles and privileges, read this article. Your first step is to enable Microsoft Defender for Cloud on the subscription(s) you are conducting the PoC in and make sure that the Defender for Servers plan is selected. By enabling Defender for Servers on your subscription, all relevant settings for server protection on your subscription will automatically be enabled. However, by selecting the "Settings" link, you can also disable configurations depending on your scenarios.

Validation

Since Defender for Servers has many capabilities, we are going to group them based on different use case scenarios.

Scenario 1: Attack Surface Reduction

Threat actors actively look for accessible machines with open management ports, like RDP or SSH. As a matter of fact, leaving your VM with such ports open to the Internet for a day or two (sometimes even a couple of hours) is enough to become a victim of a brute-force or password spray attack and receive a security alert like the one below (make sure you use strong passwords):

Note: Do not forget to configure email notifications to get a notification when Defender for Cloud detects new suspicious activities or attacks.

JIT VM access locks down the inbound traffic to your Azure VMs or AWS EC2 instances, reducing exposure to attacks while providing easy access to connect to VMs when needed. To configure and validate the JIT VM access feature, please follow this guidance.

Scenario 2: Integration with an EDR solution

If you have properly enabled and configured the integration with Microsoft Defender for Endpoint (MDE), all new servers connected to Defender for Cloud will automatically be onboarded to MDE.
Scenario 3: Vulnerability Assessment

Once you have deployed Microsoft Defender for Endpoint to your servers, Microsoft Defender Vulnerability Management, the VA scanner used as part of the integration, will automatically start scanning your machines every 4 hours and report findings to Defender for Cloud and Defender XDR. Learn more about how to analyze and remediate vulnerabilities. As an alternative to using MDVM powered by the MDE agent, you can also use agentless machine scanning to get vulnerability findings highlighted.

Scenario 4: Agentless Scanning

Agentless machine scanning is enabled by default when enabling Defender for Servers Plan 2 on a subscription. For all machines running on Azure, AWS, and GCP, agentless scanning will provide vulnerability, secret and malware findings once a day. Please note that deallocated machines are not scanned; the machine needs to be up and running for agentless scanning to create corresponding findings. Malware that is detected will be shown as a security alert, similar to the ones shown below:

In order to simulate a malware alert, you can use an Eicar test file. You can learn more about agentless secret scanning and malware detection in our documentation.

Conclusion

By the end of this PoC, you should be able to determine the value of this solution and the importance of having this level of threat detection for your servers.

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Defender for Cloud news and announcements and get your questions answered by Microsoft Cloud Security experts.

Defender for Cloud unified Vulnerability Assessment powered by Defender Vulnerability Management
We are thrilled to announce that Defender for Cloud is unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities - making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture.

29K Views, 4 likes, 15 Comments

Microsoft Defender for Endpoint for Linux and Microsoft Defender for Servers
When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers as part of Microsoft Defender for Cloud is the solution you might be looking for. However, with all the features, dependencies, and complexity, it might become challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. With this blog, we are focusing on deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines.

Prepare for upcoming transitions in Defender for Servers
Last summer, within the scope of the upcoming Log Analytics agent deprecation, we announced a new agent strategy for Defender for Servers with the goal to simplify the onboarding and reduce external dependencies in our offering while improving existing and adding new capabilities. As part of that new strategy, we encourage our customers to enable both agentless scanning as part of Defender for Servers Plan 2 and integration with Microsoft Defender for Endpoint in both Defender for Servers plans as a unified security agent. With this blog, we are sharing a thorough approach that you can use to make sure you are prepared for upcoming changes and that you can track your progress across your environment.