Workbooks
Microsoft Defender for Cloud Cost Estimation Dashboard
This blog was updated on April 16th, 2023 to reflect the latest version of the Cost Estimation workbook.

Microsoft Defender for Cloud provides advanced threat detection capabilities across your cloud workloads, including comprehensive coverage plans for compute, PaaS and data resources in your environment. Before enabling Defender for Cloud across subscriptions, customers are often interested in a cost estimate to make sure the cost aligns with the team’s budget. We previously released the Microsoft Defender for Storage Price Estimation Workbook, which was widely and positively received by customers. Based on customer feedback, we have extended this offering by creating one comprehensive workbook that covers most Microsoft Defender for Cloud plans: Defender for Containers, App Service, Servers, Storage, Cloud Security Posture Management and Databases. The Cost Estimation workbook is available out of the box and can be found in the Defender for Cloud portal. After reading this blog and using the workbook, be sure to leave your feedback to be considered for future enhancements.

Please remember that these numbers are only estimates based on retail prices and do not reflect actual billing data. For reference on how these prices are calculated, visit Pricing—Microsoft Defender | Microsoft Azure.

Overview

The cost estimation workbook provides a consolidated price estimate for Microsoft Defender for Cloud plans based on the resource telemetry in your organization’s environment. The workbook lets you select which subscriptions and which Defender plans to estimate the price for. In a single pane of glass, organizations can see the estimated cost per plan on each subscription as well as the grand total for all the selected subscriptions and plans. To see which plans are currently enabled on a subscription, consider using the Coverage workbook.
Defender Cloud Security Posture Management (CSPM)

Defender CSPM protects all resources across your subscriptions, but billing only applies to Compute, Databases and Storage accounts. Billable workloads include VMs, Storage accounts, open-source relational databases, and SQL PaaS and SQL servers on machines. See here for more information regarding pricing. On the backend, the workbook checks how many billable resources were detected and whether any of the above plans are enabled on the subscription. It then multiplies the number of billable resources by the Defender CSPM price.

Defender for App Service

The estimate for Defender for App Service is based on the retail price of $14.60 USD per App Service per month. Check out the Defender for App Service Price Estimation Dashboard for a more detailed view of estimated pricing, with information such as CPU time and a list of the App Services detected.

Defender for Containers

The estimate for Defender for Containers is calculated from the average number of worker nodes in the cluster over the past 30 days. For a more detailed view of containers pricing, such as the average vCores detected and the number of image scans included, consider also viewing the stand-alone Defender for Containers Cost Estimation Workbook.

Defender for Databases

Pricing for Defender for Databases includes Defender for SQL Databases and Defender for open-source relational databases (OSS DBs): PostgreSQL, MySQL and MariaDB. All estimates are based on the retail price of $15 USD per resource per month. On the backend, the workbook runs a query to find all SQL databases and OSS DBs in the selected subscriptions and multiplies the total count by 15 to get the estimated monthly cost.

Defender for Key Vault

Defender for Key Vault cost estimation is not included in the out-of-the-box workbook; however, a stand-alone workbook is available in the Defender for Cloud GitHub.
The Defender for Key Vault dashboard considers all Key Vaults on the selected subscriptions, with or without Defender for Key Vault enabled. The calculations are based on the retail price of $0.02 USD per 10k transactions. The “Estimated Cost (7 days)” column takes the total Key Vault transactions of the last 7 days, divides them by 10K and multiplies the result by 0.02. In “Estimated Monthly Price”, the result of “Estimated Cost (7 days)” is multiplied by 4.35 to get the monthly estimate.

Defender for Servers

Defender for Servers includes two plan options, Plan 1 and Plan 2. The workbook gives you the option to toggle between the two plans to see how each would affect pricing. Plan 1 is currently charged at $5 per month, whereas Plan 2 is currently charged at $15.

Defender for Storage

The Defender for Storage workbook allows you to estimate the cost of the two pricing plans: the legacy per-transaction plan and the new per-storage plan. The workbook looks at historical file and blob transaction data on supported storage types such as Blob Storage, Azure Files, and Azure Data Lake Storage Gen2. We have released a new version of this workbook, which you can find here: Microsoft-Defender-for-Cloud/Workbooks/Microsoft Defender for Storage Price Estimation. Learn more about the storage workbook in the Microsoft Defender for Storage – Price Estimation blog post.

Limitations

Azure Monitor Metrics data backends have limits, and requests to fetch data might time out. To work around this, narrow your scope by reducing the selected subscriptions and Defender plans. The workbook currently only includes Azure resources.
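To make the per-plan arithmetic above concrete, here is an added Python example (not the workbook's own code, which is implemented as Azure Resource Graph and Azure Monitor queries inside the workbook JSON). It takes a constructed resource inventory per subscription and applies the rules this post describes: CSPM billable resources multiplied by a unit price, App Service at $14.60 and Databases at $15 per resource per month, Servers at $5 (Plan 1) or $15 (Plan 2) per machine, and Key Vault at $0.02 per 10k transactions over 7 days scaled by 4.35. The post does not quote a unit price for Defender CSPM or a per-node price for Defender for Containers, so those two values are labelled placeholders, as is the inventory itself; the function and field names are this example's own.

```python
from dataclasses import dataclass

# Retail prices quoted in the blog post (USD). Values marked PLACEHOLDER are NOT
# stated in the post and are assumptions for illustration only.
PRICE_APP_SERVICE_PER_MONTH = 14.60
PRICE_DATABASE_PER_MONTH = 15.00
PRICE_SERVERS_PER_MONTH = {"Plan 1": 5.00, "Plan 2": 15.00}
PRICE_KEYVAULT_PER_10K_TX = 0.02
KEYVAULT_WEEKS_PER_MONTH = 4.35          # factor the Key Vault dashboard uses
PLACEHOLDER_CSPM_PER_RESOURCE = 5.00     # PLACEHOLDER: CSPM unit price not in the post
PLACEHOLDER_CONTAINERS_PER_NODE = 7.00   # PLACEHOLDER: per-node price not in the post


@dataclass
class SubscriptionInventory:
    """Resource counts a workbook query would return for one subscription (constructed)."""
    name: str
    vms: int = 0
    storage_accounts: int = 0
    sql_databases: int = 0
    oss_databases: int = 0          # PostgreSQL, MySQL, MariaDB
    app_services: int = 0
    avg_worker_nodes_30d: float = 0.0
    keyvault_tx_last_7d: int = 0


def cspm_billable_resources(inv: SubscriptionInventory) -> int:
    # Billable CSPM workloads per the post: VMs, storage accounts, OSS DBs and SQL.
    return inv.vms + inv.storage_accounts + inv.sql_databases + inv.oss_databases


def keyvault_monthly(tx_last_7d: int) -> float:
    # "Estimated Cost (7 days)" = tx / 10k * 0.02; monthly = 7-day cost * 4.35
    seven_day = tx_last_7d / 10_000 * PRICE_KEYVAULT_PER_10K_TX
    return round(seven_day * KEYVAULT_WEEKS_PER_MONTH, 2)


def estimate_subscription(inv: SubscriptionInventory, plans, servers_plan="Plan 2"):
    """Monthly estimate per selected plan for one subscription; unknown plans raise."""
    calculators = {
        "CSPM": lambda: cspm_billable_resources(inv) * PLACEHOLDER_CSPM_PER_RESOURCE,
        "AppService": lambda: inv.app_services * PRICE_APP_SERVICE_PER_MONTH,
        "Containers": lambda: inv.avg_worker_nodes_30d * PLACEHOLDER_CONTAINERS_PER_NODE,
        "Databases": lambda: (inv.sql_databases + inv.oss_databases) * PRICE_DATABASE_PER_MONTH,
        "Servers": lambda: inv.vms * PRICE_SERVERS_PER_MONTH[servers_plan],
        "KeyVault": lambda: keyvault_monthly(inv.keyvault_tx_last_7d),
    }
    result = {}
    for plan in plans:
        if plan not in calculators:
            raise ValueError(f"unknown plan: {plan}")
        result[plan] = round(calculators[plan](), 2)
    return result


def estimate_all(inventories, plans, servers_plan="Plan 2"):
    """Per-subscription breakdown plus the grand total across subscriptions and plans."""
    per_sub = {inv.name: estimate_subscription(inv, plans, servers_plan)
               for inv in inventories}
    grand_total = round(sum(sum(costs.values()) for costs in per_sub.values()), 2)
    return per_sub, grand_total


# Constructed sample inventory standing in for the workbook's query results.
SAMPLE_INVENTORY = [
    SubscriptionInventory("sub-prod", vms=10, storage_accounts=4, sql_databases=2,
                          oss_databases=1, app_services=3, avg_worker_nodes_30d=6.0,
                          keyvault_tx_last_7d=200_000),
    SubscriptionInventory("sub-dev", vms=2, storage_accounts=1, app_services=1,
                          keyvault_tx_last_7d=20_000),
]
ALL_PLANS = ["CSPM", "AppService", "Containers", "Databases", "Servers", "KeyVault"]

if __name__ == "__main__":
    for plan in ("Plan 1", "Plan 2"):
        breakdown, total = estimate_all(SAMPLE_INVENTORY, ALL_PLANS, servers_plan=plan)
        print(f"Servers {plan}: grand total ${total:.2f}/month")
        for sub, costs in breakdown.items():
            print(f"  {sub}: {costs}")
```

Switching the servers_plan argument reproduces the Plan 1 / Plan 2 toggle the workbook offers, and the per-subscription dictionary mirrors the per-plan columns plus grand total the workbook shows. Replace the placeholder unit prices with the current figures from the Azure pricing page before treating any output as a budget number.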
Acknowledgements

Special thanks to everyone who contributed to different versions of this workbook: Fernanda Vela, Helder Pinto, Lili Davoudian, Sarah Kriwet, Safeena Begum Lepakshi, Tom Janetscheck, Amit Biton, Ahmed Masalha, Keren Damari, Nir Sela, Mark Kendrick, Yaniv Shasha, Mauricio Zaragoza, Kafeel Tahir, Mary Lieb, Chris Tucci, Brian Roosevelt

References:
What is Microsoft Defender for Cloud? - Microsoft Defender for Cloud | Microsoft Learn
Pricing—Microsoft Defender | Microsoft Azure
Workbooks gallery in Microsoft Defender for Cloud | Microsoft Docs
Pricing Calculator | Microsoft Azure
Microsoft Defender for Key Vault Price Estimation Workbook
Microsoft Defender for App Services Price Estimation Workbook
Microsoft Defender for Containers Cost Estimation Workbook
Coverage Workbook

Microsoft Defender for API Security Dashboard
Microsoft Defender for APIs is a plan provided by Microsoft Defender for Cloud that offers full lifecycle protection, detection, and response coverage for APIs. Defender for APIs is currently in public preview and provides security for APIs published in Azure API Management. The Defender for APIs plan gives security admins visibility into their business-critical managed APIs, provides security findings to investigate and improve your API security posture, provides sensitive-data classification (API data classification), where the plan classifies APIs that are exposing, receiving or responding with sensitive data, and comes with real-time threat detection that generates alerts for suspicious activities. The Defender for APIs plan continuously assesses the configurations of your managed APIs, compares them with best practices and finds misconfigurations, which generate security recommendations published on Defender for Cloud's Recommendations page. As you can imagine, that’s a lot of information to keep track of, so we wanted to provide you with a single-pane-of-glass view of all the findings associated with the Defender for APIs plan. With this blog, we are introducing the Microsoft Defender for API Security Dashboard, which represents the security posture of your APIs in different pivots that help you understand the overall security findings and threats in your environment and how to prioritize them.

What’s in the Dashboard

The Defender for API Security dashboard is a workbook that provides a unified view and deep visibility into the issues. This workbook allows you to visualize the state of your API posture for the API endpoints that you have onboarded to Defender for APIs, to better understand your unhealthy recommendations and the identified data classifications, authorization status, usage, and exposure of your APIs.
You can also investigate detected threats on affected API resources, including the most affected API collections and endpoints, the top alert types, and the progression of alerts over time.

Pie-Charts & Details Example

Overview: The overview section contains six pie charts that represent the total number of alerts and how they map to MITRE ATT&CK Tactics, security recommendations, coverage for API endpoints, and coverage for the subscriptions you have access to.

Hardening Recommendations: To drill into security recommendations, select the Hardening Recommendations tab. On this tab, you can investigate your unhealthy recommendations by severity level, see all affected resources, and get security insights such as unauthorized API endpoints that are externally facing and transfer sensitive data.

Threat Detection – Alerts: The Alerts tab displays your top 10 alert types, a list of your affected resources, active alerts on selected resources, alerts over time, and a map of your affected APIs.

Note: You must enable Defender for APIs and onboard API endpoints in order to use this workbook.

How to Deploy

Great news! This workbook is built into the Microsoft Defender for Cloud portal. In the Azure portal, navigate to Microsoft Defender for Cloud > Workbooks.

Additional Resources

To learn more about the Microsoft Defender for API offering, make sure to check out our documentation. We are eager to hear your feedback on your experience with Defender for API capabilities. Please take some time to fill in the survey.
Learn about API Security Alerts
Learn about API Security Recommendations

How to keep track of Defender for Cloud Coverage
A while back, we introduced the Coverage workbook in Microsoft Defender for Cloud, which gives you an easy view into which Defender for Cloud plans have been enabled on a subscription or multicloud connector. In this blog, you will learn more about the information shown in the workbook and about our latest additions that will help you understand the overall coverage across your environment.

Microsoft Defender for Cloud Onboarding workbook V2
The Defender for Cloud Onboarding Workbook V2 is the latest version of this workbook, which was originally published in August 2022. You can read more about the purpose of this workbook in this post.

What’s New:

The Defender Plans Onboarded Tab displays the subscriptions that are onboarded to a Defender plan, the status of each Defender plan, and the resources deployed in the subscription. You can click on the status of a Defender plan to turn it On/Off on the subscription; you will be directed to the Defender Plans blade of the selected subscription. There, the status of each Defender plan is shown as On/Off, and the Resource quantity column displays the resources deployed in the subscription. You can edit the status of the selected Defender plan from here and click Save. Note that Foundational CSPM is “On” by default on all subscriptions.

The CSPM Tab displays the subscriptions that are onboarded to Defender for Cloud, the status of the Defender CSPM plan on the subscription, and the resources deployed in the subscription. You can click on the status of the Defender plan to turn it On/Off on the subscription. The agentless capabilities covered under Defender CSPM are displayed with their status as On/Off; “Not Available” indicates that the required Defender plan is not enabled, and hence the capability is not available. You can click on the On/Off status on the subscription to edit the agentless capability: edit the status On/Off, click “Continue” and then “Save” the settings.

The API Tab displays the subscriptions that are onboarded to Defender for Cloud, the status of the Defender for APIs plan on the subscription, and the APIM resources deployed in the subscription. You can click on the status of the Defender plan to turn it On/Off on the subscription. The APIM resources overview displays the APIM resources deployed in the subscription, whether their Public Network Access is Enabled/Disabled, and whether the APIM instance is deployed into a VNET.
The Onboard API collections view displays whether all the API collections in an APIM instance are onboarded to Defender for APIs. Click on “Not Onboarded” to onboard the API collection; you are directed to the assessment “Azure API Management APIs should be onboarded to Defender for APIs”. Select the API endpoints under the Unhealthy resources and click on “Fix”.

The Storage Tab displays the subscriptions that are onboarded to Defender for Cloud, the status of the Defender for Storage plan on the subscription, and the Storage Account resources deployed in the subscription. You can click on the status of the Defender plan to turn it On/Off on the subscription. Agentless capabilities like Data Sensitivity Discovery and Malware Scanning are only available with the DefenderForStorageV2Plan. “Not Available” indicates that the required plan is not enabled.

The Containers Tab displays the subscriptions that are onboarded to Defender for Cloud, the status of the Defender for Containers plan on the subscription, and the Container resources deployed in the subscription. You can click on the status of the Defender plan to turn it On/Off on the subscription. The agentless capability Container Registries VA is available with both the Defender for Containers plan and the Defender CSPM plan. “Not Available” indicates that the required plan is not enabled.

The DevOps Tab displays the GitHub connectors and Azure DevOps connectors onboarded to the subscription. The GitHub repositories that need to be enabled for Code Scanning, Secret Scanning and Dependabot scanning are displayed. Click on the “Unhealthy” status to enable scanning; you are directed to the relevant recommendation. Select the Unhealthy resources and assign an Owner to remediate the recommendation.

The AWS Tab displays the AWS connectors deployed in the subscription and the status of the Defender plans on each AWS connector. You can click on the status of the Defender plan to turn it On/Off on the connector.
AWS agentless capabilities like "Agentless VM scanning" and "Data Sensitivity Discovery" are displayed. You are directed to the AWS Defender plans blade, where you can edit the Defender plan on the AWS connector and click on “Configure access”. When the Defender plan settings are edited on the AWS connector, you need to download the CloudFormation template and update the AWS environment. This is a required step to reflect your changes on the AWS connector in the AWS environment.

The GCP Tab displays the GCP connectors deployed in the subscription and the status of the Defender plans on each GCP connector. You can click on the status of the Defender plan to turn it On/Off on the connector. You are directed to the GCP Defender plans blade, where you can edit the Defender plan on the GCP connector and click on “Configure access” and then “Update”.

How to Deploy

The Defender for Cloud Onboarding Workbook is available in the Microsoft Defender for Cloud GitHub repo, under Workbooks, and can be accessed directly at Defender for Cloud Onboarding Workbook V2. The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.

Additional Resources

To learn more about Microsoft Defender for Cloud, visit: https://aka.ms/ascninja
To learn about Microsoft Defender for Cloud workbooks, visit: https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks

Acknowledgements

Many thanks to Yuri Diogenes & Safeena Begum for supporting my initiative and suggesting feedback.

Defender for Cloud Onboarding workbook
By default, Microsoft Defender for Cloud is not enabled on an Azure subscription. However, if you visit Defender for Cloud in the Azure portal for the first time, or if you enable it programmatically via the REST API, Defender for Cloud is enabled for free on all your Azure subscriptions. In large-scale deployments that involve dozens of subscriptions with hundreds or thousands of resources, it may be a challenge to have a centralized view of the current state of Defender for Cloud enablement across all Azure subscriptions. Learn about Defender for Cloud enhanced security features.

How does the Onboarding workbook help?

This workbook helps you track which Azure subscriptions under your tenant are onboarded to Defender for Cloud. It also lists the resources deployed into these subscriptions that can be protected by the Defender for Cloud workload protection plans, and checks whether any agents required for workload protection are missing. The workbook provides different tabs organized as:
Subscription Onboarding
Defender Plans Onboarded
Onboarding Agents Health

The sample screenshot below shows how these tabs are distributed in the main dashboard.

The Subscription Onboarding Tab displays the lists of “Subscriptions Onboarded to Defender for Cloud” and “Subscriptions which are NOT Onboarded to Defender for Cloud”, as shown in the screenshot. To onboard a subscription to Defender for Cloud, a user must be a Security Admin, an Owner or a Contributor of that subscription. Users can check their permissions on the subscription by clicking on the “Check User Access” option, as shown in the screenshot below. A user with the required permissions can click on “Click here” to enable Defender for Cloud for the subscriptions or management group.

The Defender Plans Onboarded Tab displays the subscriptions that are onboarded to a Defender plan, the status of the Defender plan, and the resources deployed in the subscription.
You can click on the status of the Defender plan to turn it On/Off on the subscription. The Log Analytics workspaces that are onboarded to a Defender plan, and the status of that plan, are also displayed. You can click on the status of the Defender plan to turn it On/Off on the Log Analytics workspace, as shown below.

The Onboarding Agents Health Tab displays the Unhealthy status of the Log Analytics agent, Endpoint Protection solution and Vulnerability solution for Azure VMs, VM scale sets, Arc-enabled VMs and SQL VMs. It also displays the Unhealthy status of the Defender profile and Azure Policy extension for Azure AKS and Arc-enabled Kubernetes clusters. Click on the Unhealthy status to go to the recommendation and fix the issue, as in the screenshot below.

How to Deploy

The Defender for Cloud Onboarding Workbook is available in the Microsoft Defender for Cloud GitHub repo, under Workbooks, and can be accessed directly at Defender for Cloud Onboarding Workbook. The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.

Additional Resources

To learn more about Microsoft Defender for Cloud, visit: https://aka.ms/ascninja
To learn about Microsoft Defender for Cloud workbooks, visit: https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks

Acknowledgements

Special thanks to Shay Amar for the partnership in reviewing and providing feedback on the artifact. Many thanks to Tom Janetscheck & Yuri Diogenes for supporting my initiative and suggesting feedback.

Containers Security Mapping Dashboard
Microsoft Defender for Containers merges the capabilities of the two previously offered Microsoft Defender for Cloud plans, Microsoft Defender for Kubernetes and Microsoft Defender for container registries, and adds a new set of critical features on top of the previously offered ones. Make sure to read this article for more details.
Multi-cloud support: AKS and any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters (through Azure Arc)
Kubernetes-native deployment: automatic deployment using DaemonSet
Advanced Threat Detection: deterministic, AI, and anomaly-based detection
Vulnerability assessment: continuous scan for running images

Make sure to read one of our customer stories on how Land O’Lakes, Inc. uses and benefits from Microsoft Defender for Containers in their complex landscape.

Current Challenge

The Defender for Containers plan provides capabilities like scanning images stored in an ACR for vulnerabilities. Defender for Containers also provides real-time threat protection and generates alerts for suspicious activities. Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. When the Defender for Containers plan is enabled on a cluster, it will also monitor the Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. To protect the workloads of your Kubernetes containers with tailored recommendations, you can install Azure Policy for Kubernetes. You can also auto-deploy this component as explained in enable auto provisioning of agents and extensions. With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster.
You can then configure it to enforce the best practices and mandate them for future workloads. To learn more about the offering’s capabilities, check out our documentation here. One of the challenges we hear from customers is: ‘I have to navigate through multiple blades in order to view all the great capabilities Defender for Containers offers’.

Proposed Solution

Up until now, there was no single view in which you could visualize everything Defender for Containers provides: vulnerability assessments from scanning your Azure Container Registries and Kubernetes runtimes, threat detection alerts, hardening recommendations and the security best practices that the plan offers. You had to browse through the Recommendations and Alerts blades in Azure to obtain this information. With this blog, we’re introducing a workbook that acts as a single pane of glass representing all the vulnerabilities and alerts that Defender for Containers found in your environment.

What’s in the Dashboard

The new ‘Containers Security Mapping Dashboard’ for Microsoft Defender for Cloud provides a unified view and deep visibility into the issues, providing security mappings for the Defender for Containers plan based on the resource telemetry in your own environment. The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections. The workbook can be edited, and all queries can be modified based on your needs. The workbook provides sections such as:
Containers Vulnerabilities by Category & Severity (ACR)
Hardening recommendations
Kubernetes - Running Images Vulnerabilities by Category & Severity (Kubernetes Runtime)
Alert summary mapped by MITRE ATT&CK Tactics

How to Deploy

The Containers Security Mapping Dashboard is available in the Microsoft Defender for Cloud dashboard under the Workbooks blade, in the Community section.

How to Use

To use this dashboard, you need at least Reader permission at the subscription level.
Assuming you have the required permissions, watch the screen capture below to learn how to navigate through and use the dashboard.

Conclusion

Microsoft Defender for Containers significantly improves the security of container environments. Once enabled on a cluster, it will monitor the Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. The solution extends to your AWS (EKS clusters) and GCP (GKE clusters) resources as well. Make sure to use our ‘Containers Security Mapping Dashboard’ to get a single-pane-of-glass view of the security of your environment.

Additional Resources

To learn more about the Microsoft Defender for Containers offering, make sure to check out our documentation.
To understand Defender for Containers feature availability, check out the documentation here.
Check out our multi-cloud documentation to understand the capabilities we offer to monitor your EKS and GKE clusters.

Acknowledgements

Special thanks to Maya and Tomer for the partnership and for reviewing and providing feedback for improvement on the artifact.

What’s New: Azure Security Benchmark Workbook (Preview)
The Azure Security Benchmark (ASB) Workbook provides a single pane of glass for gathering and managing data to address ASB control requirements. The power of this workbook lies in its ability to aggregate data from 25+ Microsoft security products and to apply these insights to the relevant controls in the ASB framework. Rather than separately interfacing with Microsoft Defender for Cloud, Microsoft Sentinel, Azure Resource Graph, Azure Active Directory, Microsoft Defender for Endpoint, and additional products to understand compliance posture, the Azure Security Benchmark Workbook centralizes the relevant data within the context of the ASB controls.

Microsoft Defender for Cloud Alerts Workbook
Microsoft Defender for Cloud is an evolution of threat-detection technologies protecting Azure, on-premises, and hybrid cloud environments. Security alerts are the notifications that Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes and lists the alerts, along with the information you need to quickly investigate the problem. Defender for Cloud also provides detailed steps to help you remediate attacks. Alerts data is retained for 90 days. Here is the list of resource types that Defender for Cloud secures. Make sure to visit this article, which lists the security alerts you might get from Defender for Cloud and any enhanced security features plans you’ve enabled. Defender for Cloud allows you to create custom workbooks across your data, and also comes with built-in workbook templates that let you quickly gain insights across your data as soon as you connect a data source. For example, with the Secure Score Over Time report, you can track your organization’s security posture. Read more about the rich set of functionality workbooks provide in our Azure Monitor documentation, and to understand the workbooks gallery in Defender for Cloud, make sure to review our documentation. With this blog, I’m introducing you to another great template that represents your active alerts in different pivots to help you understand the overall threats in your environment and how to prioritize them.

Pre-requisite: Most of the workbook uses Azure Resource Graph to query the data. In some cases (to display the Map View) it uses a Log Analytics workspace to query the data. So, make sure you have continuous export turned on and exporting the security alerts to the Log Analytics workspace, as shown in image (1) below. To configure continuous export across your organization, use the supplied Azure Policy 'DeployIfNotExist' policies described in Configure continuous export at scale.
The Microsoft Defender for Cloud Alerts workbook creates three pie charts and six graphs for the subscriptions, as explained in detail below.

Pie Charts:

Pie-Chart Example

Severity: Use this section to monitor the number of active alerts and their severity rank for your subscriptions. This will help you immediately understand the magnitude of the main threats in your environment.

Resource Group: Use this section to monitor the number of active alerts in each resource group. This graph will help you remediate the active alerts easily based on the resource group.

Tag: Use this section to monitor the count of active alerts per tag. This graph will help you remediate the active alerts easily based on tags.

Graphs:

The workbook has several graphs displaying detailed information on the alerts, as follows:

Graph Example

Top 5 attacked resources: This table displays the top five attacked resources with resource names and counts. The table further drills down into each alert, providing details such as AlertDisplayName, Tactics, SeverityRank, SubscriptionId and more (refer to the GIF below for an output example). A ResourceId of “All” in these three graphs shows you all the attacked resources in your environment (regardless of their severity).

Top Alert Types: This table displays a list of the top alerts in your environment, with the alert display name and how many times each alert has appeared in your environment, as shown in image (3). These details will give you a good understanding of the common alerts your environment has been experiencing, to help you take proactive action.

New Alerts: This table displays information on any new alerts in your environment in the last 24 hours. This information will help you react quickly to immediate threats in your environment.
Example of alerts navigation: As you navigate through the alerts in the above graphs, you can dig deeper into an alert to understand the number of alerts raised for that resource. As you navigate through these three graphs to review the alerts, make sure you click on the ‘little arrow’ at the top of each table (that reads ‘clear selection’) to clear the current selection before you start clicking on the alerts in the second and third graphs. Clicking on any alert you want to review in the graphs presents an ‘Open Alert View’ button at the bottom of the table; clicking it opens more details about the alert you selected. Refer to the example below on alerts navigation.

MITRE ATT&CK tactics

The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective. Those objectives are categorized as tactics in the ATT&CK matrix. The objectives are presented linearly, from the point of reconnaissance to the final goal of exfiltration or "impact". Within each tactic of the MITRE ATT&CK matrix there are adversary techniques, which describe the actual activity carried out by the adversary. Enhanced security features alerts present the kill-chain stage of the detected suspicious activity based on the MITRE ATT&CK matrix. Enabling enhanced security features monitors for many threats to resources, and most alerts carry MITRE ATT&CK tactics that can help you understand the kill-chain intent. Defender for Cloud’s supported kill-chain intents are based on version 7 of the MITRE ATT&CK matrix. In this section of the workbook, you’ll be presented with a graph representing the number of active alerts in each kill-chain stage. This graph will help you understand the kill-chain intent of an attack so that you can investigate and report the event more easily, and address the more urgent alerts (those in a more advanced MITRE ATT&CK tactic) sooner.
List View & Map View

This section of the workbook provides details of all currently active alerts in your organization in two views (List View and Map View). It displays very important information that you should pay attention to, e.g., Severity, AlertDisplayName, and whether this is an Incident (Defender for Cloud provides a correlated view called Incidents) or an alert. Use this data to analyze what actions the attacker took and what resources were affected. Have strategies in place to react to alerts as soon as they are generated. Use the data to support these activities:
Remediation of threats.
Investigation of an incident.
Proactive hunting activities.

Under List View, clicking on any alert you want to review presents an ‘Open Alert View’ button at the bottom of the table, which opens more details about the alert you selected. The workbook also presents a Map View; this map represents security alerts that contain IP addresses targeting your resources. Markings on the map represent the sources of the attacks on your resources. To review an alert, click on the dot in the AlertsMapView table, which presents another table with the affected ResourceId, AlertDisplayName, SubscriptionId, StartTime and the Resource Group that’s under attack. You can further drill down into the details of a specific alert by selecting it, which presents an ‘Open Alert View’ button at the bottom of the graph; clicking it takes you to the details of the alert. To select another dot and view the details of that alert, you might have to clear the selection by clicking on the ‘arrow’ (that reads ‘clear selection’) at the top of the map graph. Check out the example below, which gives you an overview of the usage of these fields. Make sure to refer to this article to understand the list of security alerts you might get from Microsoft Defender for Cloud and any enhanced security plans you’ve enabled.
Make sure to use the additional filters we have in the workbook to search for alerts, e.g., with just high/low/medium severity. You can find this workbook in our GitHub repository: Direct link to the Azure Defender Active Alerts workbook. We hope you have fun deploying and navigating through the workbook to get an end-to-end experience on the alerts, and would love any feedback.

Co-authors: Lihie_Berkovitz and tal_rosler