azure
23 Topics

Cost Calculator for Defender for Cloud (Public Preview)
Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025. With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs.
https://myronhelgering.com/cost-calculator-for-defender-for-cloud/
18 Views, 0 likes, 0 Comments

Enable Bring Your Own License (BYOL)
A customer uses the Bring Your Own License (BYOL) capability, which is being deprecated, to deploy the Qualys extension on their VMs. They are asking about the deprecation: it implies that deployment will no longer be available, but what happens to the machines that already have the Qualys extension deployed? Will the extension be removed from those machines, since it was deployed via BYOL? Or will the extension continue working on the already deployed machines after the deprecation?

How to programmatically assign security standards on Defender for Cloud
Hi all, I would like to know if there is a way to programmatically (REST API, Terraform, ...) activate custom security standards on Defender for Cloud. Basically step 6 of this guide: https://learn.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages. I didn't find any way to do that. I have a policySet that I would like to activate in an automated way. Any ideas? Thank you in advance!
135 Views, 0 likes, 0 Comments

KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need, a query that will combine the recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated with those categories:

securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend category_name = tostring(properties.displayName) // category name
| extend Tenant_Id = tostring(tenantId)
| extend healthy = properties.healthyResourceCount
| extend unhealthy = properties.unhealthyResourceCount
| extend notApplicable = properties.notApplicableResourceCount
| extend score = properties.score
| extend scr = parse_json(score)
| project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id
| join (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessment_name = tostring(properties.displayName) // assessment name
    | extend Tenant_Id = tostring(tenantId)
    | extend resourceName = properties.resourceDetails.ResourceName
    | extend status = properties.status.code
    | extend metadata = properties.metadata
    | extend severity = metadata.severity
    | project assessment_name, resourceName, status, severity, Tenant_Id
) on Tenant_Id
| project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id

This is a work-in-progress script. I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script, I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type" but I'm not sure which. Please advise,
Serge
31 Views, 0 likes, 0 Comments

Unable to View Audit Logs
Hi all! I am once again coming to you, asking for assistance. We had a security alert in Azure and I was able to go all the way through to see what the issue was, BUT when I try to go into the "View Suspicious Activity" page I get the below. Now multiple users in my team get the same as me, but one user can see everything in here. He's not even in the resource with any permissions yet he can see these logs. Am I missing something really obvious? Or is this another fun little bug? Thanks in advance
426 Views, 0 likes, 1 Comment

Azure Advanced Threat Protection Sensor Installation Failed
I am attempting to install the AATP on a Domain Controller, but the installation fails. I have restarted the server of course and tried suggestions from other posts of this same issue to no avail.

Azure ATP sensor install failing - Microsoft Community Hub
Installing ATP Sensor on DC 2019 gives an 0x800070643 - Microsoft Community Hub

It is a 2019 DC, and appears the sensor was on the DC prior, but it isn't currently. I was upgrading all the other DCs and noticed this one was not Msc Defender. Here are the errors I get from each log file. Thank you.

Azure Advanced Threat Protection Sensor_20240804002712.log

[0B68:17CC][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to install MSI package.
[0B68:17CC][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to execute MSI package.
[09E0:0554][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to configure per-machine MSI package.
[09E0:0554][2024-08-04T00:27:31]i000: 2024-08-04 05:27:31.5905 Error Model LogError [\[]methodName=BootstrapperApplication_ExecutePackageComplete status=-2147023293 exception=[\]]
[09E0:0554][2024-08-04T00:27:31]i319: Applied execute package: MsiPackage, result: 0x80070643, restart: None
[09E0:0554][2024-08-04T00:27:31]e000: Error 0x80070643: Failed to execute MSI package.

Azure Advanced Threat Protection Sensor_20240804002712_000_MsiPackage.log

MSI (s) (E4:20) [00:27:31:559]: Note: 1: 1708
MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2205 2: 3: Error
MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1708
MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2205 2: 3: Error
MSI (s) (E4:20) [00:27:31:559]: Note: 1: 2228 2: 3: Error 4: SELECT `Message` FROM `Error` WHERE `Error` = 1709
MSI (s) (E4:20) [00:27:31:559]: Product: Azure Advanced Threat Protection Sensor -- Installation failed.
MSI (s) (E4:20) [00:27:31:559]: Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.239.18075.31594. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 1603.

625 Views, 0 likes, 0 Comments

New Blog | Microsoft Defender Cloud Now Supports CIS Azure Security Foundations Benchmark 2.0.0
We are thrilled to announce that Microsoft Defender Cloud, in collaboration with the Center for Internet Security (CIS), now supports the latest CIS Azure Security Foundations Benchmark - version 2.0.0. This release also includes the new corresponding built-in policy initiative in the Azure Policy blade.
Read the full update here: Microsoft Defender Cloud Now Supports CIS Azure Security Foundations Benchmark 2.0.0
1.2K Views, 0 likes, 1 Comment

New Blog Post | Securing DevOps with Microsoft's CNAPP: Defender for Cloud
As the landscape of DevOps continues to expand and confront increasingly sophisticated security threats, the need for proactive attack surface reduction measures has never been more critical. To enhance DevOps security and prevent attacks, Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP), is enabling customers with new capabilities: DevOps Environment Posture Management, Code to Cloud Mapping for Service Principals, and new DevOps Attack Paths. These features represent a strategic shift towards a more integrated and holistic approach to cloud native application security throughout the entire development lifecycle.

DevOps Environment Posture Management

DevOps Environment Posture Management offers a deep dive into the security health of the cloud-native application lifecycle. Through deep scanning of source code management systems, Defender for Cloud identifies weaknesses in resources such as pipelines, repositories, and service connections, identifying potential vulnerabilities in platform configurations.
Read the full article here: Securing DevOps with Microsoft's CNAPP: Defender for Cloud - Microsoft Community Hub
404 Views, 0 likes, 0 Comments

New Blog | Monthly news - October 2023
Catch up on the monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from September 2023.
Monthly news - October 2023 - Microsoft Community Hub
732 Views, 0 likes, 0 Comments

New Blog | Defender for APIs Better Together w/ Azure Web Application Firewall + Azure API Management
Under the Microsoft Defender for Cloud umbrella, Microsoft Defender for APIs offers protection for APIs at every stage of their lifecycle. This service enhances the protections from Web Application Firewalls and API Gateways, resulting in a comprehensive security framework for API endpoints. This article dives deeper into how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management (APIM).
Read the full blog here: Defender for APIs Better Together with WAF and APIM (microsoft.com)