azure (26 Topics)

Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent
I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one.

Current Setup: I’ve used the built-in policy "Configure Microsoft Defender for Servers plan", which successfully enables:
- Defender for Cloud Plan P2
- Endpoint Protection
- Agentless scanning

I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error.

What I’ve Tried:
- For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines
- For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider

Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No.

Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for:
- All existing subscriptions
- Any new subscriptions created in the future

Goal:
- No manual intervention in the Defender for Cloud portal
- Fully automated via Azure Policy or another recommended approach

Questions:
- Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level?
- Are there ARM templates, Bicep modules, PowerShell scripts or REST API calls that can toggle these settings programmatically?
- Any best practices for ensuring compliance across multiple subscriptions?

Any help is much appreciated and looking forward to your expertise! Thank you in advance.
Best Regards,
Pascal Slot

Runtime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)
Hi team! The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services is this one:

Fully Supported for Runtime Protection:
- Azure Kubernetes Service (AKS)
- Amazon Elastic Kubernetes Service (EKS)

Are there more runtimes in the product roadmap (Azure Container Apps, AWS Fargate for Amazon ECS, Azure Functions, AWS Lambda)? Thanks

Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?
I'm reaching out to the Microsoft Defender for Cloud team and the broader community because I've run into a gap that I believe others may face too, and I’m hoping for guidance or clarification.

I need to programmatically retrieve a list of resources from a subscription and determine if each resource is covered by a Defender for Cloud plan. This would replicate what we see in the Azure Portal under: Microsoft Defender for Cloud > Inventory.

The goal is to fetch this data via API and replicate that table, but the problem is that it seems there’s no way to retrieve the “Defender for Cloud” coverage status per resource.

Here’s what I’ve tried so far:
- The /pricings endpoint: returns plan tiers like Free or Standard, but only for the overall subscription or service type, not individual resources.
- Azure Resource Graph: the properties field does not contain any Defender-related indicators that would confirm whether a specific resource is covered.

My Question:
- Does an API exist today to retrieve per-resource Defender for Cloud coverage?
- Is there a /coverage endpoint or equivalent that is officially supported?

If anyone from the Defender for Cloud or Azure product teams can point me in the right direction, I’d truly appreciate it. Thank you!

Cost Calculator for Defender for Cloud (Public Preview)
Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025. With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs. https://myronhelgering.com/cost-calculator-for-defender-for-cloud/

Enable Bring Your Own License (BYOL)
A customer uses the Bring Your Own License (BYOL) capability, which is being deprecated, to deploy the Qualys extension in their VMs. They are asking about the deprecation: it implies the deployment won't be available anymore, but what happens with the machines that already have the Qualys extension deployed? Will the extension be removed from machines, since it was deployed via BYOL? Or, after deprecation, does the extension continue working for the already deployed machines?

How to programmatically assign security standards on Defender for Cloud
Hi all, I would like to know if there is a way to programmatically (REST API, Terraform, ...) activate custom security standards on Defender for Cloud. Basically step 6 in this guide: https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages. I didn't find any way to do that. I have a policySet that I would like to activate in an automated way. Any ideas? Thank you in advance!

KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need: a query that will combine the Recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated to those categories:

    securityresources
    | where type == "microsoft.security/securescores/securescorecontrols"
    | extend category_name = tostring(properties.displayName) // category name
    | extend Tenant_Id = tostring(tenantId)
    | extend healthy = properties.healthyResourceCount
    | extend unhealthy = properties.unhealthyResourceCount
    | extend notApplicable = properties.notApplicableResourceCount
    | extend score = properties.score
    | extend scr = parse_json(score)
    | project category_name, healthy, unhealthy, notApplicable, CurrentScore = scr.current, MaxScore = scr.max, Tenant_Id
    // join on Tenant_Id only: the default join kind (innerunique) keeps a single
    // control row per Tenant_Id, so every assessment is paired with that one category
    | join (
        securityresources
        | where type == "microsoft.security/assessments"
        | extend assessment_name = tostring(properties.displayName) // assessment name
        | extend Tenant_Id = tostring(tenantId)
        | extend resourceName = properties.resourceDetails.ResourceName
        | extend status = properties.status.code
        | extend metadata = properties.metadata
        | extend severity = metadata.severity
        | project assessment_name, resourceName, status, severity, Tenant_Id
      ) on Tenant_Id
    | project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id

This is a work in progress script. I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script, I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type", but I'm not sure which. Please advise,
Serge

Unable to View Audit Logs
Hi all! I am once again coming to you, asking for assistance. We had a security alert in Azure and I was able to go all the way through to see what the issue was, BUT when I try to go into the "View Suspicious Activity" page I get the below. Now multiple users in my team get the same as me, but one user can see everything in here. He's not even in the resource with any permissions, yet he can see these logs. Am I missing something really obvious? Or is this another fun little bug? Thanks in advance

Azure Advanced Threat Protection Sensor Installation Failed
I am attempting to install the AATP on a Domain Controller, but the installation fails. I have restarted the server of course and tried suggestions from other posts of this same issue to no avail:
- Azure ATP sensor install failing - Microsoft Community Hub
- Installing ATP Sensor on DC 2019 gives an 0x800070643 - Microsoft Community Hub

It is a 2019 DC, and it appears the sensor was on the DC prior, but it isn't currently. I was upgrading all the other DCs and noticed this one was not in Msc Defender. Here are the errors I get from each log file. Thank you.

Azure Advanced Threat Protection Sensor_20240804002712.log

    [0B68:17CC][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to install MSI package.
    [0B68:17CC][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to execute MSI package.
    [09E0:0554][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to configure per-machine MSI package.
    [09E0:0554][2024-08-04T00:27:31]i000: 2024-08-04 05:27:31.5905 Error Model LogError [methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=]
    [09E0:0554][2024-08-04T00:27:31]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
    [09E0:0554][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to execute MSI package.

Azure Advanced Threat Protection Sensor_20240804002712_000_MsiPackage.log

    MSI (s) (E4:20) [00:27:31:559]: Note: 1: 1708
    MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2205 2: 3: Error
    MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
    MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2205 2: 3: Error
    MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
    MSI (s) (E4:20) [00:27:31:559]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
    MSI (s) (E4:20) [00:27:31:559]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.239.18075.31594. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

New Blog | Microsoft Defender Cloud Now Supports CIS Azure Security Foundations Benchmark 2.0.0
We are thrilled to announce that Microsoft Defender Cloud, in collaboration with the Center for Internet Security (CIS), now supports the latest CIS Azure Security Foundations Benchmark - version 2.0.0. This release also includes the new corresponding built-in policy initiative in the Azure Policy blade. Read the full update here: Microsoft Defender Cloud Now Supports CIS Azure Security Foundations Benchmark 2.0.0