Validating Microsoft Defender for Resource Manager Alerts
This document is provided “as is.” MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. As announced at Ignite 2021, Microsoft Defender for Resource Manager plan provides threat detection against malicious usage of Azure Resource Management Layer (Portal, Rest, API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation. You can enable Microsoft Defender for Resource Manager on your subscription via environment settings, select the subscription, change the plan to ON (as shown below) and click Save to commit the change. Now that you have this plan set to ON, you can use the steps below to validate this threat detection. First, make sure that you The script must be executed by a cloud user with read permissions on the subscription. you need to have the Az PowerShell module installed before running the script. It can be installed using: "Install-Module -Name Az". After ensuring those two items are done, run the script below: # Script to alert ARM_MicroBurst.AzDomainInfo alert Import-Module Az # Login to the Azure account and get a random Resource group $accountContext = Connect-AzAccount $subscriptionId = $accountContext.Context.Subscription.Name $resourceGroup = Get-AzResourceGroup | Get-Random $rg = $resourceGroup.ResourceGroupName Write-Output "[*] Dumping information`nSubscription: $subscriptionId`nResource group: $rg." Write-Output "[*] Scanning Storage Accounts..." $storageAccountLists = Get-AzStorageAccount -ResourceGroupName $rg | select StorageAccountName,ResourceGroupName Write-Output "[*] Scanning Azure Resource Groups..." $resourceGroups = Get-AzResourceGroup Write-Output "[*] Scanning Azure Resources..." $resourceLists = Get-AzResource Write-Output "[*] Scanning AzureSQL Resources..." $azureSQLServers = Get-AzResource | where {$_.ResourceType -Like "Microsoft.Sql/servers"} Write-Output "[*] Scanning Azure App Services..." $appServs = Get-AzWebApp -ResourceGroupName $rg Write-Output "[*] Scanning Azure App Services #2..." $appServs = Get-AzWebApp -ResourceGroupName $rg Write-Output "[*] Scanning Azure Disks..." $disks = (Get-AzDisk | select ResourceGroupName, ManagedBy, Zones, TimeCreated, OsType, HyperVGeneration, DiskSizeGB, DiskSizeBytes, UniqueId, EncryptionSettingsCollection, ProvisioningState, DiskIOPSReadWrite, DiskMBpsReadWrite, DiskIOPSReadOnly, DiskMBpsReadOnly, DiskState, MaxShares, Id, Name, Location -ExpandProperty Encryption) Write-Output "[*] Scanning Azure Deployments and Parameters..." $idk = Get-AzResourceGroupDeployment -ResourceGroupName $rg Write-Output "[*] Scanning Virtual Machines..." $VMList = Get-AzVM Write-Output "[*] Scanning Virtual Machine Scale Sets..." $scaleSets = Get-AzVmss Write-Output "[*] Scanning Network Interfaces..." $NICList = Get-AzNetworkInterface Write-Output "[*] Scanning Public IPs for each Network Interface..." $pubIPs = Get-AzPublicIpAddress | select Name,IpAddress,PublicIpAllocationMethod,ResourceGroupName Write-Output "[*] Scanning Network Security Groups..." $NSGList = Get-AzNetworkSecurityGroup | select Name, ResourceGroupName, Location, SecurityRules, DefaultSecurityRules Write-Output "[*] Scanning RBAC Users and Roles..." $roleAssignment = Get-AzRoleAssignment Write-Output "[*] Scanning Roles Definitions..." $roles = Get-AzRoleDefinition Write-Output "[*] Scanning Automation Account Runbooks and Variables..." $autoAccounts = Get-AzAutomationAccount Write-Output "[*] Scanning Tenant Information..." $tenantID = Get-AzTenant | select TenantId Write-Output "[!] Done Running." There may be a delay of up to 60 minutes between script completion and the alert appearing in the client environment (With an average of 45 min). An example of this alert is shown below: Reviewers Dick Lake, Senior Product Manager Script by Yuval Barak, Security ResearcherProtect what matters to your organization using filtering in Defender for Storage
Microsoft Defender for Storage is a cloud-native, agentless security solution within Microsoft Defender for Cloud, part of Microsoft’s CNAPP offering. With seamless onboarding, it helps safeguard your organization’s most valuable data by detecting and preventing malicious uploads, sensitive data exfiltration, and data corruption. Powered by Microsoft Threat Intelligence, it delivers advanced threat detection to enhance your storage security. Are all crown jewels made equally? Defender for Storage provides exclusive, agentless malware protection for Azure Blob Storage, helping detect and mitigate malware threats against your organization’s data. Powered by Microsoft Defender Antivirus, this solution ensures data compliance and offers flexible scanning options, including on-upload and on-demand protection. While maintaining visibility across all organizational data is crucial, some data requires higher scrutiny than others. Here are key use case scenarios: Contoso Financial Corporation prioritizes scanning high-risk files, such as external uploads, downloads, and files from untrusted sources. Contoso IT Department needs to filter out known internal files that typically generate false positives, reducing unnecessary security alerts and minimizing distractions from real malware threats. Contoso Health Department uses a trusted application that generates files and would like to optimize malware scanning for other, potentially riskier files. 🎉Introducing customizable on-upload scanning filters (Public Preview) Defender for Storage provides security administrators with granular controls, offering flexibility to tailor security and deployment settings to their organization’s needs. These include configuring malware scanning caps, setting exclusions at the resource level, and more. A recently introduced feature now allows customization of on-upload malware scanning filters, delivering key benefits such as reducing unnecessary scans and lowering costs—without compromising security. This new feature supports customizable filter such as: Exclude specific blob with prefix Exclude blobs with suffix Exclude blobs large (x) bytes Start filtering your files today Malware protection in Defender for Storage is exclusively available in the latest plan. If your organization is still using the classic Defender for Storage plan, we highly recommend upgrading to take advantage of the full range of security benefits and the latest features. Upgrading ensures access to enhanced threat detection, improved security controls, and ongoing feature updates that help protect your organization’s data more effectively. To begin your malware protection journey, review our documentation for detailed information on prerequisites and deployment guidelines. This will help you seamlessly integrate malware protection into your existing security strategy and maximize the value of Defender for Storage here. Once Defender for Storage is enabled, follow the instructions below to use the filtering configurations: Navigate to your storage account that you want to filter on-upload scans Under “Security + networking”, select Microsoft Defender for Cloud Select settings under Microsoft Defender for Storage Under “On-upload malware scanning”, select which filters to apply. Example: Conclusion The introduction of customizable on-upload scanning filters provides granular control for security administrators, allowing for more flexibility and efficiency in malware protection. This feature helps reduce unnecessary scans and costs without compromising security. For customers using the classic Defender for Storage plan, upgrading to the latest plan is highly recommended to fully benefit from these advanced features. For more information about Defender for Storage please visit our public document aka.ms/defenderforstorage Additional Resources We want to hear from you! Please take a moment to fill out this survey to provide direct feedback to the Defender for Storage engineering team.Microsoft Defender for Cloud Customer Newsletter
What’s new in Defender for Cloud? We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level — Critical. See this page for more info. General Availability of File Integrity Monitoring (FIM) based on Microsoft Defender for Endpoint in Azure Government File Integrity Monitoring based on Microsoft Defender for Endpoint is now GA in Azure Government (GCCH) as part of Defender for Servers Plan 2. For more details, please refer to our documentation Blog(s) of the month In March, our team published the following blog posts we would like to share: Integrating Security into DevOps Workflows with Microsoft Defender CSPM New innovations to protect custom AI applications with Defender for Cloud All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels GitHub Community Learn more about code reachability in Defender for Cloud: Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs Visit our GitHub page Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Unveiling Kubernetes lateral movement in Defender for Cloud Manage cloud security posture with Microsoft Defender for Cloud Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Danfuss. Danfoss’s growth contrasted with inefficient manual, on-premises security solutions. It wanted a scalable security solution to defend its global data and SAP landscape while lifting security team effectiveness. Danfoss adopted Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications. It ingests logs from 20 applications and thousands of devices with the connectors including Defender for Cloud. Show me more stories Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month! April 15 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud April 30 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? On-demand malware scanning in Defender for Storage is now in GA! This feature also supports blobs up to 50 GB in size (previously limited to 2GB). See this page for more info. 31 new and enhanced Multicloud regulatory standards We’ve published enhanced and expanded support of over 31 security and regulatory frameworks in Defender for Cloud across Azure, AWS & GCP. For more details, please refer to our documentation. Blogs of the month In February, our team published the following blog posts we would like to share: Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud New and enhanced multicloud regulatory compliance standards in Defender for Cloud Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM GitHub Community Learn more about Code Reachability Vulnerabilities with Endor Labs with Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episodes here: Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis Visit our YouTube page! Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Kurita Water Industries, a water treatment solutions company, that leverages both Microsoft Entra Permissions Management and Defender for Cloud’s CSPM for resource statuses, vulnerabilities, state of access permissions, and risk prioritization and CWPP capabilities to continuously monitor and protect cloud workloads Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month in the link below! MAR 5 Microsoft Defender for Cloud | API Security Posture with Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeSecure containers software supply chain across the SDLC
In today’s digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections. Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stage—from development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the Software development lifecycle (SDLC). Container software development lifecycle The lifecycle of containers involves several stages, during which the container evolves through different software artifacts. Container software supply chain It all starts with a container or docker script file, created or edited by developer in development phase, submitted into the code repository. Script file converts into a container image during the build phase via the CI/CD pipeline, submitted into container registry as part of the ship phase When a container image is deployed into a Kubernetes cluster, it transforms into running, ephemeral container instances, marking the transition to the runtime phase. A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey. Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments Command line interface (CLI) tool for container image scanning at build phase, is now in public preview Integrating security into every phase of your software development is crucial. To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, the use of a Command Line Interface (CLI) is essential. This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container image for security findings. This capability, available through a CLI abstract layer, allows for seamless integration into any tool or process, independently of Microsoft Defender for Cloud portal. Key purpose of Microsoft Defender for Cloud CLI: Expanding container security to cover the development phase, code repository phase, and CI/CD phase: o Development phase: Developers can scan container images locally on Windows, Linux, or Mac OS using PowerShell or any scripting terminal. o Code repository phase: Integrate the CLI into code repositories with webhook integrations like GitHub actions to scan and potentially abort pull requests based on findings. o CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage. Invoke scanning on-demand for specific container images. Integrate easily into existing DevSecOps processes and tools. For more details watch the demo CLI demo How it works Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed via the Integrations section in the Microsoft Defender for Cloud Portal, by Security Administrators. Figure 3: API push tokens management The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development. Additionally, it provides visibility of container artifacts' security posture from code to runtime and context essential for security issues remediations such as artifact owner and repo of origin. For more details, setup guides, and use cases, please refer to official documentation. Vulnerabilities assessment of container images in third party registries, now in public preview Container registries are centralized repositories used to store container images for the ship phase, prior deployment to Kubernetes clusters. They play an essential role in the container's software supply chain and accessing container images for vulnerabilities at this phase might be the last chance to prevent vulnerable images from reaching your production runtime environments. Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and 3 rd party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessments for third-party registries like Docker Hub and Jfrog Artifactory. These are popular 3 rd party container registries. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain. This integration offers key benefits: Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early. Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed. Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources. Actionable security recommendations: Provides recommendations based on best practices to improve container security. Figure 4: Docker Hub & Jfrog Artifactory environments Figure 5: Jfrog Artifactory container images in Security Explorer To learn more please refer to official documentation for Docker Hub and Jfrog Artifactory. Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools & process, helping various roles prioritize security and build secure software applications essential to ensure your containers security across SDLC. To learn more please explore AKS Security Dashboard Conclusion Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC). These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles. Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments- New Innovations in Container Security with Unified Visibility and Investigations.
Prevent malware from spreading by scanning cloud storage accounts on-demand
What’s new? On-demand malware scanning now in public preview We’re excited to announce the public preview of on-demand malware scanning. Previously, customers could get malware scanning results when uploading files to Azure blob storage. Now, customers can scan existing files in storage accounts on-demand, which helps customers to gain finer control and customization for critical storage assets. On-demand scanning allows you to scan existing files directly from Azure storage accounts What’s the relationship between Defender for Storage and Malware Scanning? Defender for Storage is the storage security plan under Microsoft Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP). It helps Security Operations Center (SOC) analysts to monitor and react to threats in near real-time, prioritize threat protection for sensitive data and keep cloud storage malware-free. Malware Scanning is a paid add-on of Defender for Storage that helps customers to prevent malware from spreading in storage. It helps SOC analysts and security admins to prevent malware from spreading by scanning stored or newly uploaded data. What is coming next? In the coming weeks, we’ll expand file size support to 50 GB—a 25x increase from the current 2 GB limit. Additionally, new filtering options for on-upload scanning will allow you to exclude files based on prefixes, suffixes, and size, providing more precise control over scanning scope and costs. Why Malware Scanning? 1)Shadow data is a hidden security risk untracked data in cloud storage, introduces security and compliance risks even without active downstream consumers. Misconfigurations, weak access controls, or lack of encryption can make these hidden data stores attractive targets for attackers. They also complicate compliance by potentially violating data governance policies. Legacy security tools often focus on administrative actions, overlooking risks tied to unmanaged data. This gap leaves shadow data vulnerable to exploitation and compliance failures. Effective solutions must provide visibility into shadow data, enforce robust controls, and reduce these risks without adding operational complexity. 2)AI boom amplifies cloud storage risks The rapid growth of AI and Large Language Models (LLMs) is driving massive demands on cloud storage, with training and operational use generating and accessing terabytes of sensitive data. This surge in storage usage introduces unique security challenges. AI datasets, often proprietary and distributed, are attractive targets for cyber threats like ransomware, data breaches, and adversarial attacks, requiring a re-evaluation of storage security strategies. Why us? 1)Easy maintenance, and better accuracy Microsoft Defender for Storage addresses these challenges with a comprehensive, cloud-native malware scanning solution powered by Defender Antivirus and Microsoft Threat Intelligence. Traditional malware scanning solutions for cloud storage often require extensive infrastructure, such as proxies, compute resources, or third-party integrations, adding latency, increasing security gaps, and escalating maintenance costs. Defender for Storage overcomes these challenges with a fully cloud-native design that directly embeds malware scanning within Azure, requiring no additional agent. By analyzing storage logs, it delivers accurate, proactive threat detection with minimal impact on storage performance, using Microsoft’s industry-leading threat intelligence and machine learning (ML) detection algorithms. This built-in design makes Defender for Storage particularly well-suited for dynamic cloud environments, where it provides comprehensive, scalable protection without altering existing architecture. 2) Flexibility in scanning options to streamline security operations Malware scanning supports both scanning on-upload of storage files and scanning of existing files within storage accounts. Multiple entry points of scanning capabilities give security admins the flexibility to operationalize malware scanning based on their organizational needs. Similarly, for flexibility and customization, the to-be-released up-to 50 GB scanning capacity caters to large file scanning scenarios. How to use Malware Scanning? When to use on-upload vs. on-demand malware scanning Each type of malware scanning in Defender for Storage serves distinct scenarios, tailored to meet different security needs and operational contexts: On-Upload Scanning: Designed for immediate, proactive protection at the point of entry, on-upload scanning inspects files as they’re uploaded or modified in real time. This type of scanning is ideal for scenarios where immediate data integrity is crucial, such as in collaborative platforms, file-sharing applications, and web applications that regularly receive external content. Additionally, regulated industries like finance and healthcare benefit from on-upload scanning because it provides near real-time defenses for incoming data, helping maintain compliance and prevent malware from embedding in critical workflows. By scanning files upon entry, organizations can prevent malicious content from reaching end users or impacting downstream processes, ensuring data security in high-upload environments. On-Demand Scanning: On-demand scanning provides retrospective, flexible protection for files already stored in the cloud, making it especially useful for incident response, audits, and compliance checks. This mode is ideal when organizations need to inspect older data against updated threat definitions or when scanning is triggered by security events flagged in Microsoft Sentinel or other monitoring tools. On-demand scanning works well for organizations with archival data, where periodic assessments are necessary to meet evolving compliance and security standards. It’s also valuable for checking files after a potential breach or suspicious activity to confirm there’s no lingering malware in the environment. With scheduled or API-triggered scans, on-demand scanning allows organizations to proactively review their storage environment without constant manual intervention. Key capabilities of Defender for Storage Malware Scanning Microsoft Defender for Storage’s malware scanning provides advanced features tailored to modern storage environments, with unique benefits that distinguish it from traditional solutions: Cloud-Native Integration: Embedded fully within Azure, Defender for Storage eliminates the need for third-party setups, allowing for streamlined deployment and ongoing maintenance without modifying architecture or application code. Comprehensive Threat Detection: Defender for Storage leverages Microsoft Defender Antivirus and global threat intelligence to detect a wide range of threats, including polymorphic and metamorphic malware, supporting both standard and archive file types (e.g., ZIP, RAR). Upcoming updates will expand support to scan files up to 50GB, meeting larger storage needs. Flexible Scanning Options: By offering both on-upload and on-demand scanning, Defender for Storage provides adaptable security to cover both immediate and ongoing protection needs across new and existing data. Automated Response Capabilities: Defender for Storage enables automated actions based on scan results, such as quarantining or deleting flagged files and moving clean files to secure storage locations. This capability is enhanced by attribute-based access control (ABAC), which can restrict access to flagged files, ensuring that only safe, scanned files are accessible. Incident Response Playbooks: Organizations can configure playbooks for on-demand scanning that trigger scans in response to suspicious activity, enabling rapid, automated investigation and containment of potential threats. Scheduled Scanning for Continuous Protection: Using Logic Apps, Automation Runbooks, or PowerShell scripts, organizations can schedule recurring scans of high-risk resources based on tags or names, allowing for proactive monitoring and enhancing security posture over time. Cost Control and Management: Defender for Storage includes flexible cost management features, allowing customers to set monthly caps on on-upload scanning to control expenses. For on-demand scanning, cost estimates are provided before scans begin, supporting budget-conscious decision-making. Usecases of Malware Scanning in Defender for Storage Defender for Storage’s malware scanning addresses a variety of real-world use cases across different industries: Incident Response and Threat Hunting: When Microsoft Defender XDR and Sentinel detects unusual access, on-demand scanning can be triggered to inspect impacted files, helping security teams respond to potential threats effectively. Compliance in Regulated Sectors: Sectors like finance, healthcare, and government rely on Defender for Storage’s on-upload and on-demand scanning to meet strict data integrity and compliance requirements, with auditable records for regulatory standards. Securing Archived Data: On-demand scanning ensures that files stored for extended periods are inspected against the latest threat definitions, protecting data integrity before archived files are used or shared. Preventing Malware Distribution: By scanning all uploads, on-upload malware scanning blocks malicious files as they enter storage, while on-demand scanning secures existing data. Together, these modes provide layered protection against malware propagation within and outside the organization. Case studies The following scenarios illustrate how Microsoft Defender for Storage’s capabilities are applied to real-world challenges that enterprises face in securing cloud storage. These examples demonstrate how different organizations might leverage features such as malware scanning, sensitive data threat detection, and activity monitoring to protect critical data and maintain compliance: Case Study 1: Large Enterprise Secures AI-Driven Workflows with On-Upload and On-Demand Malware Scanning A large enterprise implementing AI-driven workflows across departments needed to secure the vast datasets stored in Azure Blob Storage against malware without disrupting critical business operations. By adopting Microsoft Defender for Storage’s on-upload malware scanning, the organization ensured that all files uploaded for AI and machine learning processes were scanned at the point of entry, preventing malicious content from embedding within key datasets. Additionally, on-demand malware scanning allowed them to periodically assess legacy files against updated threat intelligence, proactively mitigating risks across both newly added and older data. This approach provided robust, low-maintenance protection that scaled across the organization, helping ensure data integrity without impacting performance or requiring significant architectural changes. Case Study 2: Financial Institution Detects and Mitigates Misconfigured SAS Tokens to Protect Sensitive Data A financial institution with strict policies for secure cloud storage access recently encountered an incident involving a misconfigured shared access signature (SAS) token. Although their organizational policy mandated access through identities only, a configuration drift allowed a storage account with sensitive data to be accessed via an overly permissive SAS token with a long expiration period. The compromised token was detected by Microsoft Defender for Storage’s data-plane activity monitoring, which flagged unusual access patterns, generating a security alert about the potential misuse. In response, the institution immediately rotated the key, effectively revoking the compromised SAS token, and then traced the owner of the impacted Infrastructure as Code (IaC) template to update the configuration to enforce keyless access. This detection and corrective action improved their security posture, reinforcing adherence to internal policies and reducing the risk of unauthorized data access. Case Study 3: Global Manufacturer Uses Automated Workflows to Prevent Malware Distribution to Partners A global manufacturing company that shares design and media files across Azure Blob Storage with external partners needed a solution to prevent malware from spreading through shared resources. By enabling Defender for Storage’s on-upload malware scanning, the company ensured that any files uploaded to shared storage accounts were scanned for malicious content before being accessible to internal teams and external collaborators. They integrated automated workflows using Event Grid and Function Apps to quarantine flagged files immediately and route clean files to designated storage locations. This seamless, automated approach minimized manual intervention, providing an efficient way to prevent malware distribution while supporting uninterrupted collaboration with partners and maintaining secure shared storage environments. Explore additional resources to protect your cloud storage: Get started: 📖 On-Demand Malware Scanning Docs https://lnkd.in/gYfyDG4Q 📚 GitHub Lab for a hands-on walkthrough via UI and API https://lnkd.in/g37YJMbx 🛠️ PowerShell script that lets you automate on-demand malware scans on Storage Accounts tagged with specific key-value pairs https://lnkd.in/gGq8N23s Learn more about storage security in Defender for Cloud. Test out Defender for Storage and Malware Scanning with Defender for Cloud Labs. Ready to protect your cloud data? Explore Microsoft Defender for Storage today: Start a Free Trial. Learn about our recent Ignite releases. Learn how you can unlock business value with Defender for Cloud.Boost Security with API Security Posture Management
API security posture management is now natively integrated into Defender CSPM and available in public preview at no additional cost. This integration provides comprehensive visibility, proactive API risk analysis, and security best practice recommendations for Azure API Management APIs. Security teams can use these insights to identify unauthenticated, inactive, dormant, or externally exposed APIs, and receive risk-based security recommendations to prioritize and implement API security best practices.
Microsoft Defender for Cloud - Elevating Runtime Protection
In today's rapidly evolving digital landscape, runtime security is crucial for maintaining the integrity of applications in containerized environments. As threats become increasingly sophisticated, the demand for more adaptive protection continues to rise. Attackers are no longer relying on generic exploits — they are actively targeting vulnerabilities in container configurations, runtime processes, and shared resources. From injecting malicious code to escalating privileges and exploiting kernel vulnerabilities, their tactics are constantly evolving. Overcoming these challenges requires continuous monitoring, validating container immutability, and detecting anomalies to prevent and respond to threats in real time, ensuring container security throughout their lifecycle. Building on these best practices, Microsoft Defender for Cloud delivers advanced and innovative runtime threat protection for containerized environments, providing real-time defense and adaptive security to address evolving threats head-on. Empowering SOC with real-time threat detection At the heart of our enhanced runtime protection lies our advanced detection capabilities. To stay ahead of evolving threats and offer near real-time threat detection, Microsoft Defender for Cloud is proud to announce significant advancements in its unique eBPF sensor. This sensor now provides Kubernetes alerts, powered by Microsoft Defender for Endpoint (MDE) detection engine in the backend. Leveraging Microsoft’s industry-leading security expertise, we've tailored MDE's robust security capabilities to specifically address the unique challenges of containerized environments. By carefully validating detections against container-specific threat landscapes, adding relevant context, and adjusting alerts as needed, we've optimized the solution for maximum accuracy and effectiveness that is needed for cloud-native environments. By utilizing the MDE detection engine, we offer the following enhancements: Near real-time detection: Our solution provides timely alerts, enabling you to respond quickly to threats and minimize their impact. Expanded threat coverage: We've expanded our detection capabilities to cover a broader range of threats such as binary drift and additional threat matrix coverage. Enhanced visibility: Gain deeper insights into your container environment with detailed threat information and context that is sent to Defender XDR for further investigation. Switching between multiple portals leaves customers with a fragmented view of their security landscape, hindering their ability to investigate and respond to security incidents efficiently. To combat this, Defender for Cloud alerts are integrated with Defender XDR. By centralizing alerts from both solutions within Defender XDR, customers can gain comprehensive visibility of their security landscape and simplify incident detection, investigation, and response effectively. Introducing binary drift detection to maintain optimal security and performance, containerized applications should strictly adhere to their defined boundaries. With binary drift detection in place, unauthorized code injections can be swiftly identified. By comparing the modified container image against the original, the system detects any discrepancies, enabling timely response to potential threats. By combining binary drift detection with other security measures, organizations can reduce the risk of exploitation and protect their containerized applications from malicious attacks. An example of binary drift detection Key takeaways from above illustration: Common Vulnerability and Exposures (CVE) pose significant risks to containerized environments. Binary drift detection can help identify unauthorized changes to container images, even if they result from CVE exploitation. Regular patching and updating of container images are crucial to prevent vulnerabilities. In some customer environments, it's common to deviate from best practices. For example, tasks like debugging and monitoring often require running processes that aren’t part of the original container image. To handle this, we offer binary drift detection along with a flexible policy system. This lets you choose when to receive alerts or ignore them. You can customize these settings based on your cloud environment or by filtering specific Kubernetes resources. Learn more about binary drift detection For a deep dive into binary drift detection and how it can enhance your container security posture, please see Container, Security, Kubernetes. Presenting new scenario-driven alert simulation Simulate real-world attack scenarios within your containerized environments with this innovative simulator, enabling you to test your detection capabilities and response procedures. You can enhance your security posture and protect your containerized environments from emerging threats by leveraging this powerful tool. Examples of some of the attack scenarios that can be simulated using this tool are: Reconnaissance activity: Mimic the actions of attackers as they gather information about your cluster. Cluster-to-cloud: Simulate lateral movement as attackers attempt to spread across your environment. Secret gathering: Test your ability to detect attempts to steal sensitive information. Crypto-mining activity: Simulate the impact of resource-intensive crypto-mining operations. Webshell invocation: Test your detection capabilities for malicious web shells. You can gain valuable insights into your security controls and identify areas for improvement. This tool provides a safe and controlled environment to practice incident response, ensuring that your team is well-prepared to handle real-world threats. Key benefits of scenario-driven alert simulation: Test detection capabilities: Validate your ability to identify and respond to various attack types. Validate response procedures: Ensure your incident response teams are prepared to handle real-world threats. Identify gaps in security: Discover weaknesses in your security posture and address them proactively. Improve incident response time: Practice handling simulated incidents to reduce response times in real-world situations. Alert simulation tool Enhancing Cloud Detection and Response (CDR) From detection to resolution, we've streamlined every step of the process to ensure robust and efficient threat management. By enabling better visibility, faster investigation, and precise response capabilities, SOC teams can confidently address container threats, reducing risks and operational disruptions across multi-cloud environments. Cloud-native response actions for containers Swift and precise containment is critical in dynamic, containerized environments. To address this, we’ve introduced cloud-native response actions in Defender XDR, enabling SOC teams to: Cut off unauthorized pod access and prevent lateral movement by instantly isolating compromised pods. Stop ongoing malicious pod activity and minimize impact by terminating compromised pods with a single click. These capabilities are specifically designed to meet the unique challenges of multi-cloud ecosystems, empowering security teams to reduce Mean Time to Resolve (MTTR) and ensure operational continuity. Response actions Action center view Log collection in advanced hunting Limited visibility in Kubernetes activities, cloud infrastructure changes, and runtime processes weakens effective threat detection and investigation in containerized environments. To bridge this gap, we’ve enhanced Defender XDR’s advanced hunting experience by collecting: KubeAudit logs: Delivering detailed insights into Kubernetes events and activities. Azure Control Plane logs: Providing a comprehensive view of cloud infrastructure activities. Process events: Capturing detailed runtime activity. This enriched data enables SOC teams to do deeper investigations, hunt for advanced threats, and create custom detection rules. With full visibility across AKS, EKS, and GKE, these capabilities strengthen defenses and support proactive security strategies. Advance hunting view Accelerating investigations with built-in queries Lengthy investigation processes can delay incident resolution and can potentially lead to a successful attack attempt. To address this, we’ve equipped go hunt with pre-built queries specifically tailored for cloud and containerized threats. These built-in queries allow SOC teams to: Focus their time in quickly identifying attacker activity and not write custom queries. Gain insights in minutes vs. hours, reducing the investigation time enormously. This streamlined approach enhances SOC efficiency, ensuring that teams spend more time on remediation and less on query development. Go hunt view Bridging knowledge gaps with guided response using Microsoft Security Copilot Many security teams, especially those working in complex environments like containers, may not have deep expertise in every aspect of container threat response. Additionally, security teams might encounter threats or vulnerabilities they haven’t seen before. We are excited to integrate with Security Copilot to bridge this gap. Security Copilot serves as a valuable tool that offers: Step-by-step, context-rich guidance for each incident. Tailored recommendations for effective threat containment and remediation. By leveraging AI-driven insights, Security Copilot empowers SOC teams of varying expertise levels to navigate incidents with precision, ensuring consistent and effective responses across the board. Security copilot recommendations Summary Microsoft Defender for Cloud has introduced significant advancements in runtime protection for containerized environments. By leveraging the Microsoft Defender for Endpoint (MDE) detection engine, this solution now offers near real-time threat detection, enhancing threat visibility and response capabilities. A key feature, binary drift detection, monitors changes in container images to identify unauthorized modifications and prevent security breaches. Additionally, the integration with Defender XDR centralizes alerts, providing comprehensive visibility and simplifying incident detection, investigation, and response. With enhanced cloud-native response actions and advanced hunting capabilities, SOC teams can confidently address container threats, reducing risks and operational disruptions across multi-cloud environments. Learn more Ready to elevate your container security? Experience the power of our new features firsthand with our cutting-edge simulator—test them in your containerized environments and see the difference! Alerts for Kubernetes Clusters - Microsoft Defender for Cloud | Microsoft LearnAKS Security Dashboard
In today’s digital landscape, the speed of development and security must go hand in hand. Applications are being developed and deployed faster than ever before. Containerized application developers and platform teams enjoy the flexibility and scale that Kubernetes has brought to the software development world. Open-source code and tools have transformed the industry - but with speed comes increased risk and a growing attack surface. However, in vast parts of the software industry, developers and platform engineering teams find it challenging to prioritize security. They are required to deliver features quickly and security practices can sometimes be seen as obstacles that slow down the development process. Lack of knowledge or awareness of the latest security threats and best practices make it challenging to build secure applications. The new Azure Kubernetes Service (AKS) security dashboard aims to alleviate these pains by providing comprehensive visibility and automated remediation capabilities for security issues, empowering platform engineering teams to secure their Kubernetes environment more effectively and easily. Consolidating security and operational data in one place directly within the AKS portal allows engineers to benefit from a unified view of their Kubernetes environment. Enabling more efficient detection, and remediation of security issues, with minimal disruption to their workflows. Eventually reducing the risk of oversight security issues and improving remediation cycles. To leverage the AKS security dashboard, navigate to the Microsoft Defender for Cloud section in the AKS Azure portal. If your cluster is already onboarded to Defender for Containers or Defender CSPM, security recommendations will appear on the dashboard. If not, it may take up to 24 hours after onboarding before Defender for Cloud scans your cluster and delivers insights. Security issues identified in the cluster, surfaced in the dashboard are prioritized to risk. Risk level is dynamically calculated by an automatic attack path engine operating behind the scenes. This engine assesses the exploitability of security issues by considering multiple factors, such as cluster RBAC (Role Based Access Control), known exploitability in the wild, internet exposure, and more. Learn more about how Defender for Cloud calculates risk. Security issues surfaced in the dashboard are divided into different tabs: Runtime environment vulnerability assessment: The dynamic and complex nature of Kubernetes environments means that vulnerabilities can arise from multiple sources, with different ownership for the fix. For vulnerabilities originating from the containerized application code, Defender for Cloud will point out every vulnerable container running in the cluster. For each vulnerable container Defender for cloud will surface remediation guidelines that include the list of vulnerable software packages and specify the version that contains the fix. The scanning of container images powered by Microsoft Defender Vulnerability Management (MDVM) includes scanning of both OS packages and language specific packages see the full list of the supported OS and their versions. For vulnerabilities originating from the AKS infrastructure, Defender for cloud will include a list of all identified CVEs (common vulnerabilities and exposures) and recommend next steps for remediation. Remediation may include upgrading the Node pool image version or the AKS version itself. Since new vulnerabilities are discovered daily, even if a scanning tool is deployed as part of the CI/CD process, runtime scan can’t be overlooked. Defender for cloud makes sure Kubernetes workloads are scanned daily compared to an up-to-date vulnerability list. Security misconfigurations: Security misconfigurations are also highlighted in the AKS security dashboard, empowering developers and platform teams to execute fixes that can significantly minimize the attack surface. In some cases, changing a single line of code in a container's YAML file, without affecting application functionality, can eliminate a significant attack vector. Each security misconfiguration highlighted in the AKS security dashboard includes manual remediation steps, and where applicable, an automated fix button is also available. For containers misconfigurations, a quick link to a built-in Azure policy is included for easily preventing future faulty deployments of that kind. This approach empowers DevOps & platform engineering teams to use the “Secure by Default” method for application development. To conclude - automated remediation and prevention can be a game changer in keeping the cluster secure- a proactive approach that can help prevent security breaches before they can cause damage, ensuring that the cluster remains secure and compliant with industry standards. Ultimately, automated remediation empowers security teams to focus on more strategic tasks, knowing that their Kubernetes environment is continuously monitored and protected. Assigning owners to security issues Since cluster administration and containers security issues remediation is not always the responsibility of a single team or person, it is recommended to use the “assign owner” button in the security dashboard to notify the correct owner about the issue need to be handled. It is also possible to filter the view using the built-in filters and assign multiple issues to the same person quickly. Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide for a full subscription coverage, or enable on a single cluster using the dashboard settings section. Learn More If you haven’t already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.
