cloud security

KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need: a query that will combine the Recommendation categories (13 listed under the Classic View in recommendations) and the individual assessments associated to those categories:

securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend category_name = tostring(properties.displayName) //category name
| extend Tenant_Id = tostring(tenantId)
| extend healthy = properties.healthyResourceCount
| extend unhealthy = properties.unhealthyResourceCount
| extend notApplicable = properties.notApplicableResourceCount
| extend score = properties.score
| extend scr = parse_json(score)
| project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id
| join (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessment_name = tostring(properties.displayName) //assessment name
    | extend Tenant_Id = tostring(tenantId)
    | extend resourceName = properties.resourceDetails.ResourceName
    | extend status = properties.status.code
    | extend metadata = properties.metadata
    | extend severity = metadata.severity
    | project assessment_name, resourceName, status, severity, Tenant_Id
) on Tenant_Id
| project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id

This is a work-in-progress script; I do get a valid script, but I know it is not working like I need it to work. For example, when I run this script, I get "assessment_name: EDR solution should be installed on Virtual Machines", but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add another "Type", but I'm not sure which. Please advise,
Serge95
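A reply-style worked example, added here and not part of Serge95's post. Joining on Tenant_Id alone pairs every control row with every assessment row in the tenant, so the category name on any given row is effectively random. A secure score control row carries its own list of the assessment definitions it is built from; expanding that list and joining on the assessment GUID gives the real control-to-assessment mapping. This assumes that in Azure Resource Graph the securescorecontrols rows expose the control definition at properties.definition.properties.assessmentDefinitions (the secure score control definition schema has that array) and that the trailing GUID of each definition id equals the assessment resource's name. Both are assumptions to verify on one subscription before trusting the output; Resource Graph also caps mv-expand output and the number of joins per query.

```kql
// Added example (not from the original post): map each secure score control to the
// assessments it is composed of, instead of cross-joining on tenant.
// ASSUMPTION: properties.definition.properties.assessmentDefinitions is populated on
// securescorecontrols rows and each entry's id ends with the assessment key GUID,
// which is also the `name` of the matching microsoft.security/assessments row.
securityresources
| where type == "microsoft.security/securescores/securescorecontrols"
| extend category_name  = tostring(properties.displayName),
         healthy        = toint(properties.healthyResourceCount),
         unhealthy      = toint(properties.unhealthyResourceCount),
         notApplicable  = toint(properties.notApplicableResourceCount),
         CurrentScore   = todouble(properties.score.current),
         MaxScore       = todouble(properties.score.max)
// One row per (control, assessment definition) rather than one row per control
| mv-expand assessmentDefinition = properties.definition.properties.assessmentDefinitions
| extend assessmentKey = tolower(extract(@"([^/]+)$", 1, tostring(assessmentDefinition.id)))
| where isnotempty(assessmentKey)
// Composite key keeps the match inside one subscription; assessment keys are global GUIDs
| extend joinKey = strcat(tolower(subscriptionId), "|", assessmentKey)
| project joinKey, category_name, healthy, unhealthy, notApplicable, CurrentScore, MaxScore
| join kind=inner (
    securityresources
    | where type == "microsoft.security/assessments"
    | extend assessmentKey   = tolower(tostring(name)),   // the assessment key GUID
             assessment_name = tostring(properties.displayName),
             resourceName    = tostring(properties.resourceDetails.ResourceName),
             status          = tostring(properties.status.code),
             severity        = tostring(properties.metadata.severity),
             Tenant_Id       = tostring(tenantId)
    | extend joinKey = strcat(tolower(subscriptionId), "|", assessmentKey)
    | project joinKey, assessment_name, resourceName, status, severity, Tenant_Id
) on joinKey
| project category_name, assessment_name, resourceName, status, severity,
          healthy, unhealthy, notApplicable, CurrentScore, MaxScore, Tenant_Id
| order by category_name asc, severity asc
```

A quick sanity check: filter the output to assessment_name == "EDR solution should be installed on Virtual Machines" and confirm every row now reports the same category_name; if the assessmentDefinitions array comes back empty in your tenant, the mv-expand produces no rows and the assumption above does not hold for that scope.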
New Blog | Enhancing Server and Container Risk Score Analysis in Power BI
By Giulio Astori

Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), providing a standardized numerical score that ranges from 0.0 to 10.0, translated into severity ratings like Low, Medium, High, or Critical. While Microsoft Defender for Cloud provides a robust risk level assessment for each resource, there is an opportunity to enhance this by integrating additional factors such as the exploitability of each CVE, the age since it was made public, and whether the CVE is a zero-day vulnerability. Additionally, resources themselves have contextual elements such as the number of attack paths, which can significantly impact their overall risk. The Power BI solution builds on Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and enhancing the prioritization of vulnerabilities requiring urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention.

Read the full post here: Enhancing Server and Container Risk Score Analysis in Power BI
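An added illustration of the kind of composite score the post describes, written here as KQL rather than taken from the Power BI solution; the blog does not publish its formula, so the weights, the age decay steps, and the banding thresholds below are hypothetical and exist only to show how the listed factors (CVSS, exploit availability, age, zero-day status, attack paths) combine into one per-resource number. The findings table is constructed sample data.

```kql
// Added example, not the blog's own scoring. All weights are hypothetical.
// Constructed sample findings: one row per (resource, CVE), with the factors the post lists.
let findings = datatable(resourceId:string, cveRef:string, cvss:real, exploitAvailable:bool, publishedDaysAgo:int, zeroDay:bool, attackPaths:int)
[
    "vm-web-01",   "sample-cve-1", 9.8, true,  14,  false, 3,
    "vm-web-01",   "sample-cve-2", 7.5, false, 400, false, 3,
    "vm-db-02",    "sample-cve-3", 8.1, false, 30,  false, 0,
    "img-api:1.4", "sample-cve-4", 6.5, true,  2,   true,  1,
    "img-api:1.4", "sample-cve-5", 4.3, false, 900, false, 1,
];
findings
// Per-CVE score: CVSS is the base; an available exploit and zero-day status multiply it up,
// and age applies a mild decay because old CVEs are usually widely patched and well understood.
| extend ageFactor = case(publishedDaysAgo <= 30,  1.0,
                          publishedDaysAgo <= 180, 0.9,
                          publishedDaysAgo <= 365, 0.8,
                          0.7)
| extend cveScore = cvss
    * iif(exploitAvailable, 1.5, 1.0)
    * iif(zeroDay, 1.3, 1.0)
    * ageFactor
// Per-resource roll-up: the worst CVE dominates, the remaining CVEs contribute a little,
// and every reachable attack path lifts the whole resource.
| summarize worstCve = max(cveScore), cveSum = sum(cveScore), cveCount = count(),
            attackPaths = max(attackPaths) by resourceId
| extend resourceRisk = round((worstCve + 0.1 * (cveSum - worstCve)) * (1.0 + 0.2 * attackPaths), 2)
| extend riskBand = case(resourceRisk >= 15, "Critical",
                         resourceRisk >= 10, "High",
                         resourceRisk >= 5,  "Medium",
                         "Low")
| project resourceId, cveCount, worstCve = round(worstCve, 2), attackPaths, resourceRisk, riskBand
| order by resourceRisk desc
```

The design point is that the roll-up is not a plain sum: summing CVSS values rewards resources with many trivial findings, whereas "worst CVE plus a fraction of the rest, scaled by exposure" keeps a single exploitable critical on an internet-reachable host at the top of the list. Tune the constants against your own incident history before using any such score for prioritisation.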
New Blog | Monthly news - June 2024
By Yura Lee

Microsoft Defender for Cloud Monthly news, June 2024 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from May 2024.

Read the full post here: Monthly news - June 2024
New Blog | Best Practices to Manage and Mitigate Security Recommendations
By Giulio Astori

In the fast-evolving landscape of cloud security, Microsoft Defender for Cloud (MDC) stands as a robust Cloud Native Application Protection Platform (CNAPP). One of its standout features is the premium Cloud Security Posture Management (CSPM) solution, known as Defender CSPM. Among the myriad advanced capabilities offered by Defender CSPM, the "Governance Rule" feature is a game-changer. It empowers security teams to streamline and automate the assignment, management, and tracking of security recommendations. In this blog, we'll delve into best practices for leveraging Governance Rule to ensure effective, efficient, and timely remediation actions and explore practical use cases for maximizing its potential.

Understanding Governance Rule
Governance Rule in Defender CSPM is designed to simplify the management of security recommendations by enhancing accountability. You can define rules that assign an owner and a due date for addressing recommendations for specific resources. This provides resource owners with a clear set of tasks and deadlines for remediating recommendations. By making the assignment and tracking of these tasks more visible, Governance Rule ensures that critical security issues are promptly addressed, reducing the risk of breaches and enhancing overall security posture.

Best Practices for Utilizing Governance Rule

Define Clear Remediation Ownership
Assigning remediation tasks to specific owners is crucial for accountability. Governance Rule allows you to specify who is responsible for each security recommendation. Ensure that each task is assigned to the most appropriate individual or team with the necessary expertise and authority to address the issue. Clear ownership helps avoid confusion and ensures that remediation actions are taken seriously.

Set Realistic ETAs and Grace Periods
Establishing realistic Estimated Time of Arrival (ETA) and grace periods for remediation tasks is essential for maintaining a balance between urgency and feasibility. Overly aggressive timelines can lead to rushed and potentially ineffective fixes, while overly lenient deadlines may delay critical security improvements. Analyze the complexity and impact of each security finding to set achievable timelines that encourage timely resolution without compromising quality.

Prioritize Based on Risk
Not all security recommendations are created equal. Use severity-based prioritization to determine which issues need immediate attention and which can be scheduled for later remediation. Defender CSPM's Governance Rule allows you to categorize tasks based on their severity and potential impact on your organization's security posture. Focus on high-severity findings first to mitigate the most significant threats promptly.

Automate Workflow Integration
Leverage the automation capabilities of Governance Rule to integrate remediation workflows with your existing security tools and processes. Automated notifications, status updates, and task assignments can significantly reduce manual effort and improve coordination across teams. By integrating these workflows, you ensure that security recommendations are seamlessly managed from detection to resolution.

Regularly Monitor and Adjust Rules
The dynamic nature of cloud environments means that security needs can change rapidly. Regularly review and adjust your Governance Rules to ensure they remain aligned with your organization's security objectives and compliance requirements. Monitor the performance of these rules and gather feedback from your security teams to identify areas for improvement.

Foster a Culture of Continuous Improvement
Encourage a culture where continuous improvement is the norm. Use insights gained from the Governance Rule feature to identify recurring security issues and root causes. Implement lessons learned to refine your security policies and practices, reducing the likelihood of similar issues arising in the future.

Before you begin
The Defender Cloud Security Posture Management (CSPM) plan must be enabled. You need Contributor, Security Admin, or Owner permissions on the Azure subscriptions. For AWS accounts and GCP projects, you need Contributor, Security Admin, or Owner permissions on the Defender for Cloud AWS or GCP connectors.

Read the full post here: Best Practices to Manage and Mitigate Security Recommendations
New Blog | Introducing our CNAPP mastery e-book!
By Sarah Young (SECURITY ADVOCATE)

Have you completed all of the Microsoft security ninja training? Now we have a new CNAPP mastery e-book for you to enjoy! Today we released an e-book all about CNAPP (Cloud Native Application Protection Platform) that has been written by some of the leading experts out there. If you don't already know, CNAPP is a framework for securing cloud-native applications and infrastructure. The book is packed with valuable information on how to create a unified, proactive, and holistic strategy that covers all aspects of cloud security. From threat detection and scaling to governance and compliance, this book has got you covered. Here's a TL;DR of the key topics to give you a taster:

Comprehensive and integrated cloud security approach: We introduce the concept of CNAPP, a framework for securing cloud-native applications and infrastructure, and explain the role of Microsoft Defender for Cloud as a CNAPP solution.

Scalability and customization of Microsoft Defender for Cloud: We discover how Microsoft Defender for Cloud can adapt to the diverse needs of different organizations, regardless of their size and complexity. We discover how the platform can scale its services, customize its features, and align its security measures with the specific requirements and objectives of a business.

Read the full post here: Introducing our CNAPP mastery e-book!
New Blog | Microsoft Defender for Cloud latest protection against abuse of Azure VM Extensions

Throughout recent years, the IT world has shifted its workloads, management layers, and machines to the cloud, thus introducing a new attack surface, accompanied by new attack vectors. This shift introduced a tactic for threat actors to deploy their cyber-attacks against organizations' cloud environments, gaining strong permissions, operating for financial gain, and more. Upon succeeding in compromising an identity with sufficient permissions in Azure, threat actors often try to abuse existing features within the environment that allow them to deploy their malicious activity stealthily, efficiently, and easily, and one special feature is: Azure VM extensions.

Read the full blog here: Microsoft Defender for Cloud latest protection against sophisticated abuse of Azure VM Extensions - Microsoft Community Hub
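An added hunting example for the behaviour the post describes; it is not from the blog and is independent of Defender for Cloud's own detection. Every VM extension deployment is an ARM write on the extension sub-resource, so it shows up in the Azure Activity log even when the payload itself runs silently on the VM. The query below uses a constructed datatable shaped like the AzureActivity table in Log Analytics (column names TimeGenerated, Caller, CallerIpAddress, OperationNameValue, ActivityStatusValue and _ResourceId are the real ones); swap the datatable for AzureActivity with a time filter to run it for real. Two assumptions are worth stating: the list of "script-capable" extension names is a heuristic, because the extension name in the resource ID is chosen by the deployer and the authoritative publisher/type sits in the request body; and the threshold of three distinct VMs per caller per hour is an arbitrary starting point.

```kql
// Added example, not the blog's code. Hunts AzureActivity-shaped data for VM extension writes
// and flags callers that deploy script-capable extensions or fan out across several VMs.
// ASSUMPTION: extension names below are a heuristic list of extensions that execute arbitrary
// commands on the guest; the real publisher/type is only in the ARM request body.
let scriptCapableNames = dynamic(["customscriptextension", "customscript", "runcommandwindows",
                                  "runcommandlinux", "vmaccessagent", "vmaccessforlinux"]);
// Constructed sample rows (not real telemetry), shaped like AzureActivity.
let AzureActivitySample = datatable(TimeGenerated:datetime, Caller:string, CallerIpAddress:string,
                                    OperationNameValue:string, ActivityStatusValue:string, _ResourceId:string)
[
    datetime(2024-06-01 10:00:00), "svc-deploy@contoso.example", "203.0.113.10", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "Success",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/AzureMonitorWindowsAgent",
    datetime(2024-06-01 10:05:00), "alice@contoso.example", "198.51.100.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "Success",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension",
    datetime(2024-06-01 10:06:00), "alice@contoso.example", "198.51.100.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "Success",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web02/extensions/CustomScriptExtension",
    datetime(2024-06-01 10:07:00), "alice@contoso.example", "198.51.100.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "Success",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db01/extensions/CustomScriptExtension",
    datetime(2024-06-01 10:08:00), "alice@contoso.example", "198.51.100.7", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE", "Failure",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db02/extensions/CustomScriptExtension",
    datetime(2024-06-01 11:30:00), "bob@contoso.example", "192.0.2.44", "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/DELETE", "Success",
        "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScriptExtension",
];
AzureActivitySample
// Only successful extension creations/updates; deletes and failed attempts are filtered out here
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE"
| where ActivityStatusValue in~ ("Success", "Succeeded")
// Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm>/extensions/<ext>
| extend parts = split(_ResourceId, "/")
| extend vmName = tostring(parts[8]), extensionName = tostring(parts[10])
| summarize writes = count(),
            scriptCapableWrites = countif(tolower(extensionName) in (scriptCapableNames)),
            vms = make_set(vmName), extensions = make_set(extensionName),
            firstSeen = min(TimeGenerated), lastSeen = max(TimeGenerated)
          by Caller, CallerIpAddress, window = bin(TimeGenerated, 1h)
// Flag: any script-capable extension, or one caller touching three or more VMs within the hour
| extend reason = case(scriptCapableWrites > 0 and array_length(vms) >= 3, "script-capable extension fanned out across VMs",
                       scriptCapableWrites > 0, "script-capable extension deployed",
                       array_length(vms) >= 3, "extension writes on 3+ VMs in one hour",
                       "")
| where isnotempty(reason)
| project window, Caller, CallerIpAddress, reason, writes, scriptCapableWrites, vms, extensions, firstSeen, lastSeen
| order by scriptCapableWrites desc, writes desc
```

On the sample data this returns a single row for alice@contoso.example with three successful CustomScriptExtension writes across web01, web02 and db01; the monitoring-agent deployment by the service principal and the delete by bob do not surface. In production, suppress known deployment identities by Caller rather than by extension name, since a legitimate CustomScript pipeline and an attacker reusing it look identical at this layer.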
New Blog | Defender for APIs Better Together w/ Azure Web Application Firewall + Azure API Management

Under the Microsoft Defender for Cloud umbrella, Microsoft Defender for APIs offers protection for APIs at every stage of their lifecycle. This service enhances the protections from Web Application Firewalls and API Gateways, resulting in a comprehensive security framework for API endpoints. This article dives deeper into how Defender for APIs augments the security offered by Azure Web Application Firewall (Azure WAF) and Azure API Management (APIM).

Read the full blog here: Defender for APIs Better Together with WAF and APIM (microsoft.com)
New Blog | Enhanced Cloud Security: Value-Added with Defender CSPM's Agentless Features

In this article, we will outline how integrating the agentless approach into Defender CSPM fosters a more robust and efficient cloud security posture. By utilizing agentless features, organizations can enhance visibility of their cloud resources, simplify deployment, maintain compatibility with diverse cloud platforms, and ensure thorough security coverage. By the end of this article, you will have a clear understanding of the benefits and considerations of leveraging agentless security in your cloud environment.

Read the blog: Enhanced Cloud Security: Value-Added with Defender CSPM's Agentless Features - Microsoft Community Hub
MS Purview Compliance Manager and Defender for Cloud

How are MS Purview Compliance Manager and Defender for Cloud (regulatory compliance), which appear to do very similar if not identical functions, related? I know Compliance Manager uses MCCA/CAMP to evaluate environments; does Defender for Cloud use MCCA/CAMP as well to determine compliance? Just looking to understand the relationship, if any, between the two products.