
Microsoft Defender for Cloud Recommendations

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Mixed (depending on recommendation's severity)
Rule ID: SecurityCenter-020

Ensure that all Microsoft Defender for Cloud recommendations generated for your Azure cloud account are examined and implemented in order to follow security best practices and meet regulatory compliance and standards. Microsoft Defender for Cloud is a security management service that helps you prevent, detect, and respond to threats with increased visibility and control over the security of your Azure cloud resources. The service periodically analyzes the security state of your cloud resources and when it identifies potential security vulnerabilities, it creates recommendations. These recommendations (also known as security tasks) are guided actions that you can take in order to secure the impacted resources.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

When Microsoft Defender for Cloud identifies potential security issues and vulnerabilities, it creates recommendations that guide you through the process of configuring the needed controls to harden and protect your Azure cloud resources.


Audit

To check for Microsoft Defender for Cloud recommendations within your Azure cloud account, perform the following operations:

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under General, choose Overview.

04 Choose the Azure cloud subscription that you want to examine and ensure that the appropriate Defender plans are active.

05 Navigate back to the Microsoft Defender for Cloud blade and select Recommendations from the main navigation panel.

06 Select the All Recommendations tab to list all the Microsoft Defender for Cloud recommendations generated for the selected Azure subscription.

07 Click on the name of the recommendation that you want to examine.

08 Analyze the selected Microsoft Defender for Cloud recommendation by verifying the following attributes:

  1. Severity – the severity level of the selected security recommendation/task.
  2. Description – an explicit description of the security issue found.
  3. Remediation steps – step-by-step instructions on how to implement the selected Microsoft Defender for Cloud recommendation in order to fix the issue.
  4. Affected resources – the identifier(s) of the impacted Azure cloud resource(s).

09 Follow the instructions outlined at the previous step, in the Remediation steps section, to implement the recommended fix (see Remediation/Resolution section).

10 Repeat steps no. 7 – 9 for each security recommendation identified in the selected Azure subscription.

11 Repeat steps no. 4 – 10 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Run account list command (Windows/macOS/Linux) with custom query filters to list the identifier (ID) of each cloud subscription available in your Azure cloud account:

az account list \
  --query '[*].id'

02 The command output should return the requested subscription IDs:

[
  "abcdabcd-1234-abcd-1234-abcdabcdabcd",
  "abcd1234-1234-abcd-1234-abcd1234abcd"
]

03 Run security assessment list command (Windows/macOS/Linux) using the ID of the Azure cloud subscription that you want to examine as the identifier parameter and custom output filters to list the identifier (name) of each security task (i.e. recommendation) generated for the selected Azure subscription:

az security assessment list \
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --query '[*].name'

04 The command output should return the requested recommendation identifiers(s):

[
  "abcd1234-abcd-1234-abcd-abcd1234abcd",
  "12341234-abcd-1234-abcd-123412341234",
  "abcd1234-1234-abcd-1234-abcd1234abcd"
]

05 Run security assessment show command (Windows/macOS/Linux) using the name of the Microsoft Defender for Cloud recommendation that you want to examine as the identifier parameter and the ID of the assessed resource as the --assessed-resource-id parameter (the command requires both). The assessed resource ID is the resourceDetails.Id value returned by the list command when it is run without the --query filter; for a subscription-level recommendation, such as the one used in this example, it is the subscription path /subscriptions/<subscription-id>. The command describes the details available for the selected security assessment (recommendation):

az security assessment show \
  --subscription "abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --assessed-resource-id "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd" \
  --name "abcd1234-abcd-1234-abcd-abcd1234abcd"

06 The command output should return the requested information (JSON format):

{
	"additionalData": null,
	"displayName": "Microsoft Defender for Storage should be enabled",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/assessments/abcd1234-abcd-1234-abcd-abcd1234abcd",
	"links": null,
	"metadata": null,
	"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
	"partnersData": null,
	"resourceDetails": {
		"Id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd",
		"Source": "Azure",
		"source": null
	},
	"status": {
		"cause": null,
		"code": "Unhealthy",
		"description": null,
		"firstEvaluationDate": "2023-04-27T15:13:47.037273+00:00",
		"statusChangeDate": "2023-04-27T15:13:47.037273+00:00"
	},
	"type": "Microsoft.Security/assessments"
}

07 Analyze the information returned at the previous step by checking the following attributes:

  1. "name" – the identifier (name) of the security assessment (i.e. recommendation).
  2. "displayName" – the display name of the security assessment.
  3. "resourceDetails.Id" – the ID of the assessed Azure cloud resource.
  4. "status.code" – the status of the selected security assessment/recommendation (e.g. Unhealthy).
  5. "status.description" – the human readable description of the assessment status.

08 Based on the information returned at the previous steps, follow the instructions outlined in the Remediation/Resolution section to implement the recommended security fix.

09 Repeat steps no. 5 – 8 for each security recommendation available within the selected Azure subscription.

10 Repeat steps no. 3 – 9 for each subscription available within your Microsoft Azure cloud account.
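The CLI steps above leave you with one assessment at a time. When a subscription carries hundreds of recommendations, the practical first pass is to export them once and triage the export. The script below is an added example written for this page, not Conformity's or Microsoft's code: it reads the JSON that az security assessment list prints for one subscription, counts assessments per status, keeps the Unhealthy ones and groups them by affected resource so that the Remediation/Resolution steps can be applied per resource. The file name assessments.json and the script name are assumptions, and SAMPLE_ASSESSMENTS is constructed test data (placeholder subscription, resource and assessment IDs in the shape the CLI returns, limited to the fields the script reads).

```python
"""Triage Microsoft Defender for Cloud assessments exported with the Azure CLI.

Added example, not part of the Conformity rule. Export one subscription's
assessments and run the script over the file (assumed file and script names):

    az security assessment list --subscription <subscription-id> -o json > assessments.json
    python triage_assessments.py assessments.json

SAMPLE_ASSESSMENTS is constructed test data in the shape the CLI returns (only
the fields used here); the subscription, resource and assessment IDs are
placeholders, not real identifiers.
"""
import json
import sys
from collections import Counter, defaultdict

SUB = "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd"
STORAGE = SUB + "/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp001"

SAMPLE_ASSESSMENTS = [
    {"name": "abcd1234-abcd-1234-abcd-abcd1234abcd",
     "displayName": "Microsoft Defender for Storage should be enabled",
     "resourceDetails": {"Id": SUB, "Source": "Azure"},
     "status": {"code": "Unhealthy", "cause": None, "description": None}},
    {"name": "12341234-abcd-1234-abcd-123412341234",
     "displayName": "Storage accounts should restrict network access",
     "resourceDetails": {"Id": STORAGE, "Source": "Azure"},
     "status": {"code": "Unhealthy", "cause": None, "description": None}},
    {"name": "abcd1234-1234-abcd-1234-abcd1234abcd",
     "displayName": "Secure transfer to storage accounts should be enabled",
     "resourceDetails": {"Id": STORAGE, "Source": "Azure"},
     "status": {"code": "Healthy", "cause": None, "description": None}},
    {"name": "aaaa1111-aaaa-1111-aaaa-aaaa1111aaaa",
     "displayName": "Microsoft Defender for SQL servers on machines should be enabled",
     "resourceDetails": {"Id": SUB, "Source": "Azure"},
     "status": {"code": "NotApplicable", "cause": None, "description": None}},
]


def resource_id(assessment):
    """The CLI emits resourceDetails.Id with a capital I (see the rule's sample
    output); accept the lower-case spelling as well."""
    details = assessment.get("resourceDetails") or {}
    return details.get("Id") or details.get("id") or ""


def status_counts(assessments):
    """Number of assessments per status code (Healthy / Unhealthy / NotApplicable)."""
    return dict(Counter((a.get("status") or {}).get("code", "Unknown") for a in assessments))


def unhealthy(assessments):
    """Assessments that still need action, sorted so output is stable between runs."""
    failing = [a for a in assessments if (a.get("status") or {}).get("code") == "Unhealthy"]
    return sorted(failing, key=lambda a: (resource_id(a), a.get("displayName", "")))


def group_by_resource(assessments):
    """Map each affected resource ID to the sorted recommendation display names."""
    grouped = defaultdict(list)
    for a in assessments:
        grouped[resource_id(a)].append(a.get("displayName", a["name"]))
    return {rid: sorted(names) for rid, names in sorted(grouped.items())}


def load_assessments(path):
    """Read `az security assessment list -o json` output from a file."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    # the CLI prints a bare list; tolerate the REST-style {"value": [...]} wrapper too
    return data["value"] if isinstance(data, dict) else data


def report(assessments):
    """Text summary: status counts, then the Unhealthy recommendations per resource."""
    counts = status_counts(assessments)
    lines = ["status counts: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))]
    for rid, names in group_by_resource(unhealthy(assessments)).items():
        lines.append(rid)
        lines.extend("  - " + n for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    source = load_assessments(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ASSESSMENTS
    print(report(source))
```

Run it once per subscription ID returned by az account list; NotApplicable assessments are counted but deliberately not listed, because they are exempt or do not apply to the subscription and do not need remediation.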

Remediation / Resolution

To put the specified Microsoft Defender for Cloud recommendation into action (i.e. enable Microsoft Defender for Cloud for Azure storage accounts), perform the following operations:

Note: As an example, this conformity rule demonstrates how to analyze and implement a Microsoft Defender for Cloud recommendation that proposes enabling Microsoft Defender for Cloud for Azure storage accounts. Turning on Defender for Cloud for the specified resource type (i.e. storage accounts) incurs an additional cost per resource.

Using Azure Portal

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure cloud subscription that you want to access.

05 In the navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected subscription.

06 On the Defender plans configuration page, under Cloud Workload Protection (CWP), choose On for the Storage pricing plan listed in the Plan column, to enable Microsoft Defender for Cloud for Azure storage accounts. Choose Save from the top menu to apply the changes.

07 Repeat step no. 4 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI and PowerShell

01 Define the request body for the Microsoft.Security/pricings REST API call, where the "pricingTier" property is set to "Standard" to turn on the Defender for Cloud pricing plan for storage accounts. Save the document to a JSON file named enable-defender-for-storage-accounts.json and replace the placeholder, i.e. <azure-subscription-id>, with your own Azure subscription ID:

{  
	"id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/StorageAccounts",
	"name": "StorageAccounts",
	"type": "Microsoft.Security/pricings",
	"properties": {
		"pricingTier": "Standard"
	}
}

02 Run account get-access-token command (Windows/macOS/Linux) to obtain a bearer token for the currently selected subscription and pipe it into a curl PUT request against the pricings API, using the configuration document defined at the previous step (i.e. enable-defender-for-storage-accounts.json file), to enable Microsoft Defender for Cloud for all the Azure storage accounts created in the selected subscription. The token is passed to curl as a command-line argument, so run this from a session where other users cannot list process arguments. The same change can be made without a raw REST call with az security pricing create --name StorageAccounts --tier Standard:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2018-06-01" -d@"enable-defender-for-storage-accounts.json"'

03 The command output should return the information available for the enabled pricing tier:

{
	"id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/providers/Microsoft.Security/pricings/StorageAccounts",
	"name": "StorageAccounts",
	"type": "Microsoft.Security/pricings",
	"properties": {
		"pricingTier": "Standard",
		"freeTrialRemainingTime": "PT0S"
	}
}

04 Repeat steps no. 1 – 3 for each subscription available in your Microsoft Azure cloud account.
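The remediation above turns on one plan in one subscription. Before spending budget, a practitioner usually wants to know which plans are still on the Free tier across a subscription, and to issue the same PUT in a way that is idempotent and verifiable. The script below is an added example for this page, not Conformity's or Microsoft's code: it reads the JSON printed by az security pricing list, reports the plans whose tier is not Standard, builds the exact URL and body used by the curl command in the rule, and wraps the PUT in a function that checks the subscription ID before it is interpolated into the URL. SAMPLE_PRICINGS is constructed test data with a placeholder subscription ID; enable_plan() is the only function that touches the network and expects a token from az account get-access-token.

```python
"""Report Microsoft Defender for Cloud plans still on the Free tier and enable one.

Added example, not part of the Conformity rule. Input for disabled_plans() is:

    az security pricing list --subscription <subscription-id> -o json

SAMPLE_PRICINGS is constructed test data (only the fields used here) and
SUBSCRIPTION is a placeholder. enable_plan() sends the same PUT as the rule's
curl command and needs a bearer token, e.g. from
`az account get-access-token --query accessToken -o tsv`; nothing else here
calls the network.
"""
import json
import re
import urllib.request

API_VERSION = "2018-06-01"
MANAGEMENT = "https://management.azure.com"
_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

SUBSCRIPTION = "abcdabcd-1234-abcd-1234-abcdabcdabcd"

SAMPLE_PRICINGS = {"value": [
    {"name": "VirtualMachines", "type": "Microsoft.Security/pricings",
     "properties": {"pricingTier": "Free"}},
    {"name": "SqlServers", "type": "Microsoft.Security/pricings",
     "properties": {"pricingTier": "Standard"}},
    {"name": "StorageAccounts", "type": "Microsoft.Security/pricings",
     "properties": {"pricingTier": "Free"}},
    {"name": "KeyVaults", "type": "Microsoft.Security/pricings",
     "properties": {"pricingTier": "Standard"}},
]}


def is_subscription_id(value):
    """Azure subscription IDs are GUIDs; reject anything else before it reaches a URL."""
    return bool(_GUID.match(value or ""))


def plans(pricing_output):
    """Accept either a bare list or the {"value": [...]} wrapper the REST API returns."""
    return pricing_output["value"] if isinstance(pricing_output, dict) else pricing_output


def plan_tiers(pricing_output):
    """Map plan name -> pricing tier ("Free" or "Standard")."""
    return {p["name"]: p.get("properties", {}).get("pricingTier", "Free")
            for p in plans(pricing_output)}


def disabled_plans(pricing_output):
    """Plan names whose tier is not Standard, i.e. Defender is off for that resource type."""
    return sorted(name for name, tier in plan_tiers(pricing_output).items() if tier != "Standard")


def pricing_url(subscription_id, plan):
    """URL of the pricings resource for one plan, with both path parts validated."""
    if not is_subscription_id(subscription_id):
        raise ValueError(f"not a subscription ID: {subscription_id!r}")
    if not re.fullmatch(r"[A-Za-z]+", plan):
        raise ValueError(f"unexpected plan name: {plan!r}")
    return (f"{MANAGEMENT}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/pricings/{plan}?api-version={API_VERSION}")


def pricing_body(subscription_id, plan, tier="Standard"):
    """Same document as enable-defender-for-storage-accounts.json in the rule."""
    return {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings/{plan}",
        "name": plan,
        "type": "Microsoft.Security/pricings",
        "properties": {"pricingTier": tier},
    }


def is_enabled(pricing):
    """True when a pricing resource (e.g. the PUT response) reports the Standard tier."""
    return pricing.get("properties", {}).get("pricingTier") == "Standard"


def enable_plan(subscription_id, plan, token):
    """PUT the Standard tier for one plan and return the parsed response. Network call."""
    req = urllib.request.Request(
        pricing_url(subscription_id, plan),
        data=json.dumps(pricing_body(subscription_id, plan)).encode(),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("plans still on the Free tier:", disabled_plans(SAMPLE_PRICINGS))
    print(json.dumps(pricing_body(SUBSCRIPTION, "StorageAccounts"), indent=2))
```

Check is_enabled() on the response of enable_plan() rather than trusting the HTTP status alone, and remember that every plan listed by disabled_plans() is billed per protected resource once switched to Standard, as the note at the top of this section says.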


Publication date Jul 29, 2020