secure score
31 TopicsSecure Score does not reflect settings in ASR rule
Hi, Our secure score ist pretty low, so I followed recommendations from M365 Security Center. The setting reside in one ASR rule, but Secure Score still does not reflect my settings still stating 0% achievement. I waited nearly a week. Defender is not the primary AV, but on other tenants the same setting led to success. Any ideas?68Views0likes5CommentsMicrosoft Defender for Cloud expands multicloud coverage across AWS and Google Cloud
Organizations are building and running applications across multiple cloud platforms and hybrid environments to move faster, improve resilience, and choose the services that best fit each workload. But that flexibility also changes how teams need to manage exposure. A risk may start with an internet-facing resource, an over-permissive identity, a misconfigured managed service, a vulnerable container image, or a serverless workload with access to sensitive data. When those signals are spread across multiple cloud providers and tools, it becomes harder to understand how exposure is created and which actions will reduce risk fastest. Today, Microsoft is expanding multicloud coverage in Microsoft Defender for Cloud with general availability of approximately 90 new AWS and Google Cloud resource types and more than 200 recommendations. Building on recent enhancements in CIEM, identity security, containers, and serverless workloads, this expansion helps customers evaluate more of their cloud estate through a unified security experience. With broader coverage across cloud-native applications, data platforms, identity services, networking components, and managed services, security teams can move beyond isolated findings and gain more context across resources, configurations, identities, exposure signals, and prioritization. What’s new: broader AWS and Google Cloud coverage Security teams cannot reduce exposure they cannot see. The expanded coverage brings more AWS and Google Cloud resources into the Defender for Cloud experience, helping customers assess a wider set of modern cloud services through a unified security lens, reducing blind spots where teams increasingly build and operate: serverless applications, containers and build systems, identity and entitlement controls, data and analytics services, AI and ML, networking, messaging, storage, and other managed cloud services. App, platform, and serverless services, including Cloud Run and EventBridge, to help teams identify exposure in cloud-native applications and event-driven workloads. Containers, registries, and build systems, including Artifact Registry and CodePipeline, to connect software supply chain posture with workload risk. Identity, data, and managed services, including Cognito and BigQuery, to help teams understand how access, data, and platform configurations can increase exposure. Multicloud compliance and data protection controls, improving visibility into encryption, logging, backup, auditability, and resilience scenarios. This broader view helps customers understand their real exposure surface and act on recommendations tied to the scenarios that matter most. Find the full list of recommendations here. See exposure in context Exposure is rarely created by a single finding. Consider a security team managing applications across AWS and Google Cloud. A publicly accessible BigQuery dataset, a cloud-native application running in Cloud Run, and an over-permissioned identity may each generate separate findings. Viewed independently, these issues can appear as routine posture alerts; together, they reveal a higher-risk exposure scenario that could lead to unauthorized access to sensitive data. More AWS and Google Cloud resources can now be assessed in the same security experience, helping teams move beyond isolated findings and toward a clearer understanding of potential exposure and remediation priority. Why this matters For most security teams, the bigger challenge isn't generating more findings, it's prioritizing the ones that matter most. By bringing more AWS and Google Cloud resources into inventory, evaluating them with recommendations, and correlating them with identity context, exposure signals, regulatory compliance results, Secure Score insights, and business criticality, Defender for Cloud helps teams focus on the exposures most likely to impact their organization, without adding another fragmented tool to the stack. As coverage expands, teams can answer practical questions across a broader part of their environment: Which AWS and Google Cloud services are now visible in my cloud inventory? Which newly evaluated resources have recommendations that should be reviewed? Which findings are tied to exposed, high-value, or security-sensitive resources? Where should my team prioritize remediation based on exposure, not just finding volume? Building on recent multicloud investments This release builds on a series of multicloud investments in Defender for Cloud over the past several months that bring deeper, more consistent protection across multicloud environments. CIEM and identity: Identity is one of the most common entry points for cloud exposure. Defender for Cloud evaluates overprovisioned identities, risky permissions, weak authentication, and privilege-escalation paths. Modernized CIEM logic now assesses identity risk based on actual entitlement usage rather than sign-in activity, using a 90-day lookback. Customers benefit from improved accuracy using log ingestion from AWS CloudTrail and Google Cloud Logging, and drive actionable recommendations. Learn more about permissions management. Containers and serverless: In containers and serverless, Microsoft expanded multicloud posture coverage across serverless compute, serverless containers, and modern Kubernetes environments. This expansion brings more cloud-native workloads into a unified code-to-runtime security model with vulnerability assessment, misconfiguration analysis, container-level recommendations, and a richer exposure context. Last month we introduced general availability of serverless compute posture coverage for AWS Lambda, Azure Functions, and Azure Web Apps, and the public preview of serverless container posture coverage for Azure Container Apps, Azure Container Instances, and Amazon ECS on AWS Fargate. Learn more about the latest in container security, and find documentation about serverless protection and serverless containers posture protection. Together, these investments give security teams a more complete view of exposure across Azure, AWS, and Google Cloud. Built into the Microsoft Security experience The expanded AWS and Google Cloud coverage strengthens the foundation for multicloud exposure management in Defender for Cloud. Customers can use the same experience they already rely on to understand inventory, posture, serverless and container risk, CIEM and identity context, compliance, Secure Score, and risk prioritization across more of their cloud estate. Because exposure is shaped by relationships across resources, identities, entitlements, workloads, configurations, controls, and reachable services, a more complete multicloud view helps security teams understand risk and act with greater confidence. For customers standardizing on Microsoft Security, this means broader multicloud exposure management in one place – without adding another fragmented tool to the stack. Get started Customers can begin reviewing the expanded coverage by exploring Cloud Inventory, filtering by cloud provider and resource category, reviewing newly introduced recommendations, and monitoring Secure Score changes as broader assessment becomes available. We recommend that security teams: Use Cloud Inventory to understand which additional AWS and Google Cloud resource types are now represented in Defender for Cloud. Review new recommendations across key workload, identity, compliance, data protection, and networking. Reassess top exposure scenarios across clouds, including serverless, containers, identity, data, and managed services. Prioritize remediation based on exposure, criticality, and business context, not only recommendation volume. Learn more With expanded AWS and Google Cloud coverage, Microsoft Defender for Cloud helps security teams improve multicloud visibility, assess more resources, and prioritize exposure across their cloud estate. To learn more, visit the Microsoft Defender for Cloud documentation, review the latest release notes, and follow the Microsoft Defender for Cloud Tech Community blog for updates on cloud security and posture management.Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Now in public preview, DCSPM (Defender for Cloud Security Posture Management) extends its capabilities to cover serverless workloads in both Azure and AWS, like Azure Web Apps and AWS Lambda. For more information, see our public documentation. Defender for Cloud’s integration with Endor Labs is now GA Focus on exploitable open-source vulnerabilities across the application lifecycle with Defender for Cloud and Endor Lab integration. This feature is now generally available! For more details, please refer to this documentation. Blogs of the month In December, our team published the following blog posts: Defender for AI Alerts Demystifying AI Security Posture Management Breaking down security silos: Defender for Cloud expands into the Defender portal Part 3: Unified Security Intelligence – Orchestrating Gen AI Threat Detection with Microsoft Sentinel Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Malware Automated Remediation New Secure score in Defender for Cloud GitHub Community Check out Module 27 in the Defender for Cloud lab on GitHub. This module covers gating mechanisms to enforce security policies and prevent deployment of insecure container images. Click here for MDC Github lab module 27 Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Ford Motor Company. Ford Motor Company, an American multinational automobile manufacturer, and its innovative and evolving technology footprint and infrastructure needed equally sophisticated security. With Defender and other Microsoft products like Purview, Sentinel and Entra, Ford was able to modernize and deploy end-to-end protection, with Zero-trust architecture, and reduce vulnerabilities across the enterprise. Additionally, Ford’s SOC continues to respond with speed and precision with the help of Defender XDR. Join our community! JANUARY 20 (8:00 AM- 9:00 AM PT) What's new in Microsoft Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe941Views0likes2CommentsUpdating SDK for Java used by Defender for Server/CSPM in AWS
Hi, I have a customer who is Defender for Cloud/CSPM in AWS. Last week, Cloud AWS Health Dashboard lit up with a recommendation around the use of AWS SDK for Java 1.x in their organization. This version will reach end of support on December 31, 2025. The recommendation is to migrate to AWS SDK for Java 2.x. The issue is present in all of AWS workload accounts. They found that a large amount of these alerts is caused by the Defender CSPM service, running remotely, and using AWS SDK for Java 1.x. Customer attaching a couple of sample events that were gathered from the CloudTrail logs. Please note that in both cases: assumed-role: DefenderForCloud-Ciem sourceIP: 20.237.136.191 (MS Azure range) userAgent: aws-sdk-java/1.12.742 Linux/6.6.112.1-2.azl3 OpenJDK_64-Bit_Server_VM/21.0.9+10-LTS java/21.0.9 kotlin/1.6.20 vendor/Microsoft cfg/retry-mode/legacy cfg/auth-source#unknown Can someone provide guidance about this? How to find out if DfC is going to leverage AWS SDK for Java 2.x after Dec 31, 2025? Thanks, Terru185Views0likes0CommentsBreaking down security silos: Microsoft Defender for Cloud Expands into the Defender Portal
Picture this: You’re managing security across Azure, AWS, and GCP. Alerts are coming from every direction, dashboards are scattered and your team spends more time switching portals than mitigating threats. Sound familiar? That’s the reality for many organizations today. Now imagine a different world—where visibility, control and response converge into one unified experience, where posture management, vulnerability insights and incident response live side by side. That world is no longer a dream: Microsoft Defender for Cloud (MDC) is now integrated into Defender XDR in public preview. The expansion of MDC into the Defender portal isn’t just a facelift. It’s a strategic leap forward toward a Cloud-Native Application Protection Platform (CNAPP) that scales with your business. With Microsoft Defender for Cloud’s deep integration into the unified portal, we eliminate security silos and bring a modern, streamlined experience that is more intuitive and purpose-built for today’s security teams, while delivering a single pane of glass for hybrid and multi-cloud security. Here’s what makes this release a game-changer: Unified dashboard See everything with a single pane of glass—security posture, coverage, trends—across Azure, AWS and GCP. No more blind spots. Risk-based recommendations Prioritize by exploitability and business impact. Focus on what matters most, not just noise. Attack path analysis across all Defenders Visualize potential breach paths and cut them off before attackers can exploit them. Unified cloud assets inventory A consolidated view of assets, health data and onboarding state—so you know exactly where you stand. Cloud scopes & unified RBAC Create boundaries between teams, ensure each persona has access to the right level of data in the Defender portal. The enhanced in-portal experience includes all familiar Defender for Cloud capabilities and adds powerful new cloud-native workflows — now accessible directly within the Defender portal. Over time, additional features will be rolled out so that security teams can rely on a single pane of glass for all their pre- and post-breach operations. Unified cloud security dashboard A brand-new “Cloud Security→ Overview” page in Defender portal gives you a central place to assess your cloud posture across all connected clouds and environments (Azure, AWS, GCP, on-prem and onboarded environments such as Azure DevOps, Github, Gitlab, DockerHub, Jfrog). The unified dashboard displays the new Cloud Security Score, Threat Detection alerts and Defender coverage statistics. Amongst the high-level metrics, you can find the number of assessed resources, count of active recommendations, security alerts and more, giving you at-a-glance insight into your environment’s health. From here, you can drill into individual areas: Security posture, Exposure Management bringing visibility over Recommendations and Vulnerability Management, a unified asset inventory, workload specific insights and historical security posture data going back up to 6 months. Cloud Assets Inventory The cloud asset inventory view provides a unified, contextual inventory of all resources you have connected to Defender for Cloud — across cloud environments or on-premises. Assets are categorized by workload type, criticality, Defender coverage status, with integrated health data, risk signals, associated exposure management data, recommendations and related attack paths. Resources with unresolved security recommendations or alerts are clearly flagged — helping you quickly prioritize on risky or non-compliant assets. While you will get a complete list of cloud assets under "All assets", the rest of the tabs show you the complete view into each workload, with detailed and specific insights on each workload (VMs, Data, Containers, AI, API, DevOps, Identity and Serverless). Posture & Risk Management: From Secure Score to risk-based recommendations The traditional posture-management and CSPM capabilities of Defender for Cloud expand into the Defender portal under “Exposure Management.” A key upgrade is the new Cloud Secure Score — a risk-based model that factors in asset criticality and risk factors (e.g. internet exposure, data sensitivity) to give a more accurate, prioritized view of cloud security posture. The score ranges from 0 to 100, where 100 means perfect posture. It aggregates across all assets, weighting each asset by its criticality and the risk of its open recommendations. You can view the Cloud Secure Score overall, by subscription, cloud environment or workload type. This allows security teams to quickly understand which parts of their estate require urgent attention, and track posture improvements over time. Defender for Cloud continues to generate security recommendations based on assessments against built-in (or custom) security standards. When you have the Defender CSPM plan enabled in the Defender portal, these recommendations are surfaced with risk-based prioritization, where recommendations are tied to high-risk or critical assets show up first — helping you remediate what matters most. Each recommendation shows risk level, number of attack paths, MITRE ATT&CK tactics and techniques. For each recommendation you will see the remediation steps, attack map and the initiatives it contributes to - such as the Cloud Secure score. Continued remediation — across all subscriptions and environments — is the path toward a hardened cloud estate. Proactive Attack Surface Management: Attack path analysis A powerful addition is the "Attack paths" overview, which helps you visualize potential paths attackers could use — from external exposure zones to your most critical business assets to infiltrate your environment and access sensitive data. Defender’s algorithm models your network, resource interactions, vulnerabilities and external exposures to surface realistic, exploitable attack paths, rather than generic threat scenarios, while putting focus on the top targets, entry points and choke points involved in attack paths. The Attack Paths page organizes findings by risk level and correlates data across all Defender solutions, allowing users to rapidly detect high-impact attack paths and focus remediation on the most vulnerable assets. For some workloads, for example container-based or runtime workloads, additional prerequisites may apply (e.g. enabling agentless scanning or relevant Defender plans) to get full visualization. Governance, Visibility and Access: Cloud Scopes and Unified RBAC The expansion into the Defender portal doesn’t just bring new dashboards — it also brings unified access and governance using a single identity and RBAC model for the Defender solutions. Now you can manage cloud security permissions alongside identity, device and app permissions. Cloud Scopes ensure that teams with appropriate roles within the defined permission groups (e.g. Security operations, Security posture) can access the assets and features they need, scoped to specific subscriptions and environments. This unified scope system simplifies operations, reduces privilege sprawl and enforces consistent governance across cloud environments and across security domains. The expansion of Defender for Cloud into the Defender portal is more than a consolidation—it’s a strategic shift toward a truly integrated security ecosystem. Cloud security is no longer an isolated discipline. It is intertwined with exposure management, threat detection, identity protection and organizational governance. To conclude, this new experience empowers security teams to: Understand cloud risk in full context Prioritize remediation that reduces real-world threats Investigate attacks holistically across cloud and non-cloud systems Govern access and configurations with greater consistency Predict and prevent attack paths before they happen In this new era, cloud security becomes a continuous, intelligent and unified journey. The Defender portal is now the command center for that journey—one where insights, context and action converge to help organizations secure the present while anticipating the future. Ready to Explore? Defender for Cloud in the Defender portal Integration FAQ Enable Preview Features Azure portal vs Defender portal feature comparison What’s New in Defender for Cloud2.2KViews2likes0CommentsUnable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
We currently have a mix of approximately 45 Windows / Linux Servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines". On the subscription level we have Defender for Servers Plan 2 enabled and Agentless Scanning CSPM enabled. Within a subscription some of the of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to if the Qualys or MDE extensions are installed. We have servers that are healthy that have Qualys, MDE, or none installed and are healthy. Our VMs are not using the full feature set of Defender Plan 2 as we use CrowdStrike so the Defender for Endpoint functionality of the Defender for Servers Plan 2 has been disabled, but to my knowledge this shouldn't impact Vulnerability assessments. In Security Portal it does seem that generally all the VMs that healthy for this recommendation are visible in the devices section. Whereas these 45 that are not, are either not searchable or have sensor health state "inactive". We have an Azure Policy generated to onboard devices to Vulnerability assessment using MDE.Tvm and it seems to be generally working but not for these 45 devices. The Microsoft Documentation is really unclear, what do we need to make these systems compliant?612Views0likes6CommentsSecure score power BI dashboard
We are following https://github.com/Azure/Microsoft-Defender-for-Cloud/tree/main/Secure%20Score to deploy secure score over the time dashboard for MDC. however steps for the deployment are very old when we had azure security center instead of MDC and prerequisites are not properly documented. As per the article we need to: Export the secure score data to Log analytics workspace by using continuous report option in MDC portal. Deploy Secure Score over the time workbook which can export the secure score data to Log Analytics workspace (not clear if this will pull reports every 24 hours and what permissions are required on Log Analytics workspace and to deploy the workbook) Do we need to export the secure score data to same Log Analytics workspace on which MDC is deployed or a separate workspace is needed ? If MDC already uses Log analytics workspace in the backend to store the logs then why can't we pull the secure score log data directly? why we need to export the secure score data to Log Analytics workspace first then to connect it to dashboard ?4.6KViews0likes2CommentsUnleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection
So you have implemented a non-native Cloud Security Posture Management solution but there are security gaps that you might not have considered. How Defender for Cloud is uniquely positioned to secure your cloud attack surface.