secure score
14 TopicsMicrosoft Defender for Cloud expands multicloud coverage across AWS and Google Cloud
Organizations are building and running applications across multiple cloud platforms and hybrid environments to move faster, improve resilience, and choose the services that best fit each workload. But that flexibility also changes how teams need to manage exposure. A risk may start with an internet-facing resource, an over-permissive identity, a misconfigured managed service, a vulnerable container image, or a serverless workload with access to sensitive data. When those signals are spread across multiple cloud providers and tools, it becomes harder to understand how exposure is created and which actions will reduce risk fastest. Today, Microsoft is expanding multicloud coverage in Microsoft Defender for Cloud with general availability of approximately 90 new AWS and Google Cloud resource types and more than 200 recommendations. Building on recent enhancements in CIEM, identity security, containers, and serverless workloads, this expansion helps customers evaluate more of their cloud estate through a unified security experience. With broader coverage across cloud-native applications, data platforms, identity services, networking components, and managed services, security teams can move beyond isolated findings and gain more context across resources, configurations, identities, exposure signals, and prioritization. What’s new: broader AWS and Google Cloud coverage Security teams cannot reduce exposure they cannot see. The expanded coverage brings more AWS and Google Cloud resources into the Defender for Cloud experience, helping customers assess a wider set of modern cloud services through a unified security lens, reducing blind spots where teams increasingly build and operate: serverless applications, containers and build systems, identity and entitlement controls, data and analytics services, AI and ML, networking, messaging, storage, and other managed cloud services. App, platform, and serverless services, including Cloud Run and EventBridge, to help teams identify exposure in cloud-native applications and event-driven workloads. Containers, registries, and build systems, including Artifact Registry and CodePipeline, to connect software supply chain posture with workload risk. Identity, data, and managed services, including Cognito and BigQuery, to help teams understand how access, data, and platform configurations can increase exposure. Multicloud compliance and data protection controls, improving visibility into encryption, logging, backup, auditability, and resilience scenarios. This broader view helps customers understand their real exposure surface and act on recommendations tied to the scenarios that matter most. Find the full list of recommendations here. See exposure in context Exposure is rarely created by a single finding. Consider a security team managing applications across AWS and Google Cloud. A publicly accessible BigQuery dataset, a cloud-native application running in Cloud Run, and an over-permissioned identity may each generate separate findings. Viewed independently, these issues can appear as routine posture alerts; together, they reveal a higher-risk exposure scenario that could lead to unauthorized access to sensitive data. More AWS and Google Cloud resources can now be assessed in the same security experience, helping teams move beyond isolated findings and toward a clearer understanding of potential exposure and remediation priority. Why this matters For most security teams, the bigger challenge isn't generating more findings, it's prioritizing the ones that matter most. By bringing more AWS and Google Cloud resources into inventory, evaluating them with recommendations, and correlating them with identity context, exposure signals, regulatory compliance results, Secure Score insights, and business criticality, Defender for Cloud helps teams focus on the exposures most likely to impact their organization, without adding another fragmented tool to the stack. As coverage expands, teams can answer practical questions across a broader part of their environment: Which AWS and Google Cloud services are now visible in my cloud inventory? Which newly evaluated resources have recommendations that should be reviewed? Which findings are tied to exposed, high-value, or security-sensitive resources? Where should my team prioritize remediation based on exposure, not just finding volume? Building on recent multicloud investments This release builds on a series of multicloud investments in Defender for Cloud over the past several months that bring deeper, more consistent protection across multicloud environments. CIEM and identity: Identity is one of the most common entry points for cloud exposure. Defender for Cloud evaluates overprovisioned identities, risky permissions, weak authentication, and privilege-escalation paths. Modernized CIEM logic now assesses identity risk based on actual entitlement usage rather than sign-in activity, using a 90-day lookback. Customers benefit from improved accuracy using log ingestion from AWS CloudTrail and Google Cloud Logging, and drive actionable recommendations. Learn more about permissions management. Containers and serverless: In containers and serverless, Microsoft expanded multicloud posture coverage across serverless compute, serverless containers, and modern Kubernetes environments. This expansion brings more cloud-native workloads into a unified code-to-runtime security model with vulnerability assessment, misconfiguration analysis, container-level recommendations, and a richer exposure context. Last month we introduced general availability of serverless compute posture coverage for AWS Lambda, Azure Functions, and Azure Web Apps, and the public preview of serverless container posture coverage for Azure Container Apps, Azure Container Instances, and Amazon ECS on AWS Fargate. Learn more about the latest in container security, and find documentation about serverless protection and serverless containers posture protection. Together, these investments give security teams a more complete view of exposure across Azure, AWS, and Google Cloud. Built into the Microsoft Security experience The expanded AWS and Google Cloud coverage strengthens the foundation for multicloud exposure management in Defender for Cloud. Customers can use the same experience they already rely on to understand inventory, posture, serverless and container risk, CIEM and identity context, compliance, Secure Score, and risk prioritization across more of their cloud estate. Because exposure is shaped by relationships across resources, identities, entitlements, workloads, configurations, controls, and reachable services, a more complete multicloud view helps security teams understand risk and act with greater confidence. For customers standardizing on Microsoft Security, this means broader multicloud exposure management in one place – without adding another fragmented tool to the stack. Get started Customers can begin reviewing the expanded coverage by exploring Cloud Inventory, filtering by cloud provider and resource category, reviewing newly introduced recommendations, and monitoring Secure Score changes as broader assessment becomes available. We recommend that security teams: Use Cloud Inventory to understand which additional AWS and Google Cloud resource types are now represented in Defender for Cloud. Review new recommendations across key workload, identity, compliance, data protection, and networking. Reassess top exposure scenarios across clouds, including serverless, containers, identity, data, and managed services. Prioritize remediation based on exposure, criticality, and business context, not only recommendation volume. Learn more With expanded AWS and Google Cloud coverage, Microsoft Defender for Cloud helps security teams improve multicloud visibility, assess more resources, and prioritize exposure across their cloud estate. To learn more, visit the Microsoft Defender for Cloud documentation, review the latest release notes, and follow the Microsoft Defender for Cloud Tech Community blog for updates on cloud security and posture management.Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Now in public preview, DCSPM (Defender for Cloud Security Posture Management) extends its capabilities to cover serverless workloads in both Azure and AWS, like Azure Web Apps and AWS Lambda. For more information, see our public documentation. Defender for Cloud’s integration with Endor Labs is now GA Focus on exploitable open-source vulnerabilities across the application lifecycle with Defender for Cloud and Endor Lab integration. This feature is now generally available! For more details, please refer to this documentation. Blogs of the month In December, our team published the following blog posts: Defender for AI Alerts Demystifying AI Security Posture Management Breaking down security silos: Defender for Cloud expands into the Defender portal Part 3: Unified Security Intelligence – Orchestrating Gen AI Threat Detection with Microsoft Sentinel Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Malware Automated Remediation New Secure score in Defender for Cloud GitHub Community Check out Module 27 in the Defender for Cloud lab on GitHub. This module covers gating mechanisms to enforce security policies and prevent deployment of insecure container images. Click here for MDC Github lab module 27 Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Ford Motor Company. Ford Motor Company, an American multinational automobile manufacturer, and its innovative and evolving technology footprint and infrastructure needed equally sophisticated security. With Defender and other Microsoft products like Purview, Sentinel and Entra, Ford was able to modernize and deploy end-to-end protection, with Zero-trust architecture, and reduce vulnerabilities across the enterprise. Additionally, Ford’s SOC continues to respond with speed and precision with the help of Defender XDR. Join our community! JANUARY 20 (8:00 AM- 9:00 AM PT) What's new in Microsoft Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe941Views0likes2CommentsBreaking down security silos: Microsoft Defender for Cloud Expands into the Defender Portal
Picture this: You’re managing security across Azure, AWS, and GCP. Alerts are coming from every direction, dashboards are scattered and your team spends more time switching portals than mitigating threats. Sound familiar? That’s the reality for many organizations today. Now imagine a different world—where visibility, control and response converge into one unified experience, where posture management, vulnerability insights and incident response live side by side. That world is no longer a dream: Microsoft Defender for Cloud (MDC) is now integrated into Defender XDR in public preview. The expansion of MDC into the Defender portal isn’t just a facelift. It’s a strategic leap forward toward a Cloud-Native Application Protection Platform (CNAPP) that scales with your business. With Microsoft Defender for Cloud’s deep integration into the unified portal, we eliminate security silos and bring a modern, streamlined experience that is more intuitive and purpose-built for today’s security teams, while delivering a single pane of glass for hybrid and multi-cloud security. Here’s what makes this release a game-changer: Unified dashboard See everything with a single pane of glass—security posture, coverage, trends—across Azure, AWS and GCP. No more blind spots. Risk-based recommendations Prioritize by exploitability and business impact. Focus on what matters most, not just noise. Attack path analysis across all Defenders Visualize potential breach paths and cut them off before attackers can exploit them. Unified cloud assets inventory A consolidated view of assets, health data and onboarding state—so you know exactly where you stand. Cloud scopes & unified RBAC Create boundaries between teams, ensure each persona has access to the right level of data in the Defender portal. The enhanced in-portal experience includes all familiar Defender for Cloud capabilities and adds powerful new cloud-native workflows — now accessible directly within the Defender portal. Over time, additional features will be rolled out so that security teams can rely on a single pane of glass for all their pre- and post-breach operations. Unified cloud security dashboard A brand-new “Cloud Security→ Overview” page in Defender portal gives you a central place to assess your cloud posture across all connected clouds and environments (Azure, AWS, GCP, on-prem and onboarded environments such as Azure DevOps, Github, Gitlab, DockerHub, Jfrog). The unified dashboard displays the new Cloud Security Score, Threat Detection alerts and Defender coverage statistics. Amongst the high-level metrics, you can find the number of assessed resources, count of active recommendations, security alerts and more, giving you at-a-glance insight into your environment’s health. From here, you can drill into individual areas: Security posture, Exposure Management bringing visibility over Recommendations and Vulnerability Management, a unified asset inventory, workload specific insights and historical security posture data going back up to 6 months. Cloud Assets Inventory The cloud asset inventory view provides a unified, contextual inventory of all resources you have connected to Defender for Cloud — across cloud environments or on-premises. Assets are categorized by workload type, criticality, Defender coverage status, with integrated health data, risk signals, associated exposure management data, recommendations and related attack paths. Resources with unresolved security recommendations or alerts are clearly flagged — helping you quickly prioritize on risky or non-compliant assets. While you will get a complete list of cloud assets under "All assets", the rest of the tabs show you the complete view into each workload, with detailed and specific insights on each workload (VMs, Data, Containers, AI, API, DevOps, Identity and Serverless). Posture & Risk Management: From Secure Score to risk-based recommendations The traditional posture-management and CSPM capabilities of Defender for Cloud expand into the Defender portal under “Exposure Management.” A key upgrade is the new Cloud Secure Score — a risk-based model that factors in asset criticality and risk factors (e.g. internet exposure, data sensitivity) to give a more accurate, prioritized view of cloud security posture. The score ranges from 0 to 100, where 100 means perfect posture. It aggregates across all assets, weighting each asset by its criticality and the risk of its open recommendations. You can view the Cloud Secure Score overall, by subscription, cloud environment or workload type. This allows security teams to quickly understand which parts of their estate require urgent attention, and track posture improvements over time. Defender for Cloud continues to generate security recommendations based on assessments against built-in (or custom) security standards. When you have the Defender CSPM plan enabled in the Defender portal, these recommendations are surfaced with risk-based prioritization, where recommendations are tied to high-risk or critical assets show up first — helping you remediate what matters most. Each recommendation shows risk level, number of attack paths, MITRE ATT&CK tactics and techniques. For each recommendation you will see the remediation steps, attack map and the initiatives it contributes to - such as the Cloud Secure score. Continued remediation — across all subscriptions and environments — is the path toward a hardened cloud estate. Proactive Attack Surface Management: Attack path analysis A powerful addition is the "Attack paths" overview, which helps you visualize potential paths attackers could use — from external exposure zones to your most critical business assets to infiltrate your environment and access sensitive data. Defender’s algorithm models your network, resource interactions, vulnerabilities and external exposures to surface realistic, exploitable attack paths, rather than generic threat scenarios, while putting focus on the top targets, entry points and choke points involved in attack paths. The Attack Paths page organizes findings by risk level and correlates data across all Defender solutions, allowing users to rapidly detect high-impact attack paths and focus remediation on the most vulnerable assets. For some workloads, for example container-based or runtime workloads, additional prerequisites may apply (e.g. enabling agentless scanning or relevant Defender plans) to get full visualization. Governance, Visibility and Access: Cloud Scopes and Unified RBAC The expansion into the Defender portal doesn’t just bring new dashboards — it also brings unified access and governance using a single identity and RBAC model for the Defender solutions. Now you can manage cloud security permissions alongside identity, device and app permissions. Cloud Scopes ensure that teams with appropriate roles within the defined permission groups (e.g. Security operations, Security posture) can access the assets and features they need, scoped to specific subscriptions and environments. This unified scope system simplifies operations, reduces privilege sprawl and enforces consistent governance across cloud environments and across security domains. The expansion of Defender for Cloud into the Defender portal is more than a consolidation—it’s a strategic shift toward a truly integrated security ecosystem. Cloud security is no longer an isolated discipline. It is intertwined with exposure management, threat detection, identity protection and organizational governance. To conclude, this new experience empowers security teams to: Understand cloud risk in full context Prioritize remediation that reduces real-world threats Investigate attacks holistically across cloud and non-cloud systems Govern access and configurations with greater consistency Predict and prevent attack paths before they happen In this new era, cloud security becomes a continuous, intelligent and unified journey. The Defender portal is now the command center for that journey—one where insights, context and action converge to help organizations secure the present while anticipating the future. Ready to Explore? Defender for Cloud in the Defender portal Integration FAQ Enable Preview Features Azure portal vs Defender portal feature comparison What’s New in Defender for Cloud2.2KViews2likes0CommentsUnleashing the Power of Microsoft Defender for Cloud – Unique Capabilities for Robust Protection
So you have implemented a non-native Cloud Security Posture Management solution but there are security gaps that you might not have considered. How Defender for Cloud is uniquely positioned to secure your cloud attack surface.Deploy Microsoft Defender for Cloud via Terraform
Terraform is an Infrastructure as a Code tool created by Hashicorp. It’s used to manage your infrastructure in Azure, as well as other clouds. In this article, we’ll be showing you how to deploy Microsoft Defender for Cloud (MDC) using Terraform from scratch.Policy Distribution Dashboard for Microsoft Defender for Cloud
Understanding the current state of your environment is the first step towards improving its security posture. Microsoft Defender for Cloud is designed to strengthen the three pillars every enterprise relies on which is Protection, Detection & Response providing you CSPM & CWPP functionalities. In Defender for Cloud, the posture management features provide Visibility and hardening guidance and the central feature that enables you to achieve these goals is Secure Score. Defender for Cloud continually assesses your resources, subscriptions and organization for security issues, and it aggregates all the findings into a single score by providing you list of recommendations. Typically, these are gaping holes that need to be fixed ASAP, while some recommendations are more long-term or just less critical and some more critical. Current Challenge One of the questions we constantly get asked is, How do I ensure that the Security posture will not start deteriorating again after the fixes have been made (or) how do I ensure I apply guardrails at the beginning of deployment phase for every service in Azure. It is often the case that development teams have full control of their subscriptions/resources. As a result, the configurations start to drift. The cure is simple, we need to have a security baseline defined. Before you start reading about the proposed solution, it is important to understand, Defender for Cloud and Azure policies work together to help monitor and report on compliance in your environment. Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You can use Azure policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or for entire management groups. The default initiative automatically gets assigned to every subscription in Defender for Cloud and that is Azure Security Benchmark. Azure Security Benchmark (ASB) consolidates Microsoft security best practices in Azure. It’s a great resource for design decisions, and the controls are mapped to industry standards. We have also created a policy set in Azure which can be used for monitoring resource compliance against the baseline. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. Almost every recommendation from Defender for Cloud has an underlying policy that is derived from a requirement in the benchmark. To learn about the built-in policies that are monitored by Defender for Cloud, check this out. Here you can find all the Azure Policy definitions in the Defender for Cloud category. Proposed Solution Up until now, there was no single view with which you could visualize all the policies you have assigned to monitor compliance of your environment. You had to browse through many different blades in Azure to assess and obtain this information. With this blog, I’m introducing you to a workbook that acts as a single pane of glass representing the policies and baselines across multiple subscriptions in Azure, in your environment as the first crucial step is to inventory and gain visibility. What’s in the Dashboard The new Policy Distribution Dashboard for Microsoft Defender for Cloud provides a unified view and deep visibility into the configuration of your overall policy structure in Azure. The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections. The workbook can be edited, and all queries can be modified to meet your needs. The workbook provides different sections like: Initiatives that’s assigned to the subscriptions The recommendations that are exempted and that are policy disabled List of Custom policies Regulatory Compliance Assessment State Policies by effect Compliance by policy assignment How to Deploy The Policy Distribution Dashboard is available in the Microsoft Defender for Cloud GitHub Repo page, under Workbooks and can be accessed directly with its direct URL The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page. How to Use To use this dashboard, you need at least Reader permission at the subscription level. Assuming you have the required permissions, watch the screen capture below to learn about how to navigate through and use the dashboard. Conclusion The Policy Distribution dashboard provides valuable information about your policy assignments and it’s status. The workbook is available to all customers free of charge and does not require you to be a paid customer of Microsoft Defender for Cloud. Additional Resources To learn more about Microsoft Defender for Cloud, visit: https://aka.ms/ascninja To learn about Microsoft Defender for Cloud workbooks, visit: https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks Acknowledgements Special thanks to Lior Arviv for the partnership in reviewing and providing feedbacks on the artifact and reviewing article. Many thanks to @Rebecca Halla & YuriDiogenes in supporting this initiative and suggesting feedbacks.Microsoft Defender for Cloud PoC Series - Multicloud with GCP
Introduction The purpose of this article is to provide specific guidelines on how to perform a Proof of Concept (PoC) for Microsoft Defender for Cloud’s native GCP (Google Cloud Platform) support. This article is part of a series of articles called The Microsoft Defender for Cloud PoC Series, each providing specific guidelines on how to perform a PoC for a specific Microsoft Defender for Cloud plan. For a more holistic approach and where you need to validate Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP) capabilities all up, see the How to Effectively Perform an Microsoft Defender for Cloud PoC article. Planning This section highlights important considerations and availability information that you should be aware of when planning for the PoC. NOTE: At the time of writing this article, Microsoft Defender for Cloud native GCP support isn’t available for national clouds (such as Azure Government and Azure China 21Vianet). For most actual information, see Feature support in government and national clouds. The first step of the PoC begins with gaining a clear understanding of the benefits the native GCP support in Microsoft Defender for Cloud brings to your organization. This includes: Native Agentless CSPM for GCP resources Native CWP support for GCP GKE clusters Native CWP support for GCP Virtual Machine instances Native CWP support for SQL servers running on GCP Compute instances The CSPM for GCP resources is completely agentless and at the time of writing this article, supports the data types in GCP as mentioned towards the end of this article. Additionally, Microsoft Defender for Cloud currently also supports assessing your GCP resources against regulatory standards which currently include: GCP Default, GCP CIS 1.1.0, GCP CIS 1.2.0, GCP ISO 27001, GCP NIST 800 53, and PCI DSS 3.2.1. NOTE: Standards are added to the dashboard as they become available. The preceding list might not contain recently added standards. Keep in mind that the CSPM plan for GCP resources is available for Free. Refer to this document for additional information. The CWP support for GCP GKE clusters offers a wide set of capabilities including discovery of unprotected clusters, advanced threat detection for the control plane and workload level, Kubernetes data plane recommendations (through the Azure Policy extension) and more. The CWP support for GCP VM instances offers a wide set of capabilities, including automatic provisioning of pre-requisites on existing and new machines, vulnerability assessment, integrated license for Microsoft Defender for Endpoint (MDE), file integrity monitoring and more. The CWP support for SQL servers running on GCP Compute Instances offers a wide set of capabilities, including advanced threat protection, vulnerability assessment scanning, and more. Now that we’ve touched briefly on the benefits that Microsoft Defender for Cloud’s native GCP support provides, let’s move onto the next step. Next up is identifying which use cases the PoC should cover. A few common use cases are ensuring that Compute instances do not have public IP addresses, ensuring that the default network does not exist in a project, or ensuring that VM disks for critical VMs are encrypted with Customer-Supplied Encryption Keys. Preparation and Implementation: This section highlights the requirements that you should be aware of before starting the PoC. For the complete list of permission requirements and additional pre-requisites, see the Availability section. There are three main steps when preparing to enable Microsoft Defender for Cloud’s native GCP support. Determining which capabilities are in the scope of the PoC At the time of writing this article, Defender for Cloud supports the following GCP capabilities: (see Figure 1): Native Agentless CSPM for GCP resources Native CWP support for GCP GKE clusters Native CWP support for GCP Virtual Machine instances Native CWP support for SQL servers running on GCP Compute Engine Figure 1: Native CSPM and CWP capabilities for GCP in Microsoft Defender for Cloud Selecting the GCP projects on which you’d like to perform the PoC For the purposes of this PoC, it’s important that you identify which GCP project(s) are going to be used to perform the PoC of Defender for Cloud’s native GCP support. You can choose a single GCP project or optionally, you can choose your GCP organization, which will include each project discovered under the provisioned organization. Connecting GCP projects Microsoft Defender for Cloud Figure 2: Connecting GCP accounts to Microsoft Defender for Cloud To connect GCP projects to Microsoft Defender for Cloud you need to perform a series of steps in Azure and GCP. For detailed technical guidance see Connect your GCP projects. For a video of step-by-step guidance on how this process looks like end-to-end in Azure and GCP, see this short video. NOTE: If you’ve enabled sending control plane audit logs from the GKE control plane to your project’s Cloud Logging and are exporting data out of GCP (i.e. to Azure or an external SIEM), you will incur additional costs on the GCP side. Validation Once you’ve created the connector, you can validate it by analyzing the data relevant to the use cases that your PoC covers. When validating recommendations for GCP resources and adding custom assessments, you can consult Custom assessments and standards in Microsoft Defender for Cloud for GCP workloads (Preview) - Microsoft Tech Community. When validating alerts for GCP VM instances, you can consult reference list of alerts for machines. When validating alerts for GKE clusters, you can consult reference list of alerts for containers – Kubernetes clusters. When validating alerts for SQL servers running on GCP VM instances, you can consult reference list of alerts. You can also export Defender for Cloud security alerts to a SIEM (i.e. Azure Sentinel or 3 rd party SIEM). Learn more about how to stream alerts to a SIEM, SOAR or ITSM. Learn more about how to investigate Microsoft Defender for Cloud alerts using Microsoft Sentinel. Closing Considerations: By the end of this PoC, you should be able to determine the value of the native GCP integration in Defender for Cloud. The native GCP support provides agentless CSPM for GCP resources and advanced CWP capabilities for servers, containers, and databases. For a more holistic approach where you need to validate Microsoft Defender for Cloud’s CSPM and CWP capabilities, see How to Effectively Perform an Microsoft Defender for Cloud PoC article. P.S. To stay up to date on helpful tips and new release, subscribe to our Microsoft Defender for Cloud Newsletter and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news, announcements and get your questions answered by Azure Security experts.