Common questions - General questions

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Defender for Cloud uses monitoring components to collect and store data. For in-depth details, see Data collection in Microsoft Defender for Cloud.

How do I get Microsoft Defender for Cloud?

Microsoft Defender for Cloud is enabled with your Microsoft Azure subscription and accessed from the Azure portal. To access it, sign in to the portal, select Browse, and scroll to Defender for Cloud.

Is there a trial version of Defender for Cloud?

Defender for Cloud is free for the first 30 days. Any usage beyond 30 days is automatically charged as per the pricing scheme. Learn more. Note that malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day.

Which Azure resources are monitored by Microsoft Defender for Cloud?

Microsoft Defender for Cloud monitors the following Azure resources:

Defender for Cloud also protects on-premises resources and multicloud resources, including Amazon AWS and Google Cloud.

How can I see the current security state of my Azure, multicloud, and on-premises resources?

The Defender for Cloud Overview page shows the overall security posture of your environment broken down by Compute, Networking, Storage & data, and Applications. Each resource type has an indicator showing identified security vulnerabilities. Selecting each tile displays a list of security issues identified by Defender for Cloud, along with an inventory of the resources in your subscription.

What is a security initiative?

A security initiative defines the set of controls (policies) that are recommended for resources within the specified subscription. In Microsoft Defender for Cloud, you assign initiatives for your Azure subscriptions, AWS accounts, and GCP projects according to your company's security requirements and the type of applications or sensitivity of the data in each subscription.

The security policies enabled in Microsoft Defender for Cloud drive security recommendations and monitoring. Learn more in What are security policies, initiatives, and recommendations?.

Who can modify a security policy?

To modify a security policy, you must be a Security Administrator or an Owner of that subscription.

To learn how to configure a security policy, see Setting security policies in Microsoft Defender for Cloud.

What is a security recommendation?

Microsoft Defender for Cloud analyzes the security state of your Azure, multicloud, and on-premises resources. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the needed control. Examples are:

  • Provisioning of anti-malware to help identify and remove malicious software
  • Network security groups and rules to control traffic to virtual machines
  • Provisioning of a web application firewall to help defend against attacks targeting your web applications
  • Deploying missing system updates
  • Addressing OS configurations that don't match the recommended baselines

Only recommendations that are enabled in Security Policies are shown here.

What triggers a security alert?

Microsoft Defender for Cloud automatically collects, analyzes, and fuses log data from your Azure, multicloud, and on-premises resources, the network, and partner solutions like antimalware and firewalls. When threats are detected, a security alert is created. Examples include detection of:

  • Compromised virtual machines communicating with known malicious IP addresses
  • Advanced malware detected using Windows error reporting
  • Brute force attacks against virtual machines
  • Security alerts from integrated partner security solutions such as Anti-Malware or Web Application Firewalls

What's the difference between threats detected and alerted on by Microsoft Security Response Center versus Microsoft Defender for Cloud?

The Microsoft Security Response Center (MSRC) performs select security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third parties. When MSRC becomes aware that customer data was accessed by an unlawful or unauthorized party or that the customer's use of Azure doesn't comply with the terms for Acceptable Use, a security incident manager notifies the customer. Notification typically occurs by sending an email to the security contacts specified in Microsoft Defender for Cloud or the Azure subscription owner if a security contact isn't specified.

Defender for Cloud is an Azure service that continuously monitors the customer's Azure, multicloud, and on-premises environment and applies analytics to automatically detect a wide range of potentially malicious activity. These detections are surfaced as security alerts in the workload protection dashboard.

How can I track who in my organization enabled a Microsoft Defender plan in Defender for Cloud?

Azure Subscriptions might have multiple administrators with permissions to change the pricing settings. To find out which user made a change, use the Azure Activity Log.

Screenshot of Azure Activity log showing a pricing change event.

If the user's info isn't listed in the Event initiated by column, explore the event's JSON for the relevant details.

Screenshot of Azure Activity log JSON explorer.

What happens when one recommendation is in multiple policy initiatives?

Sometimes, a security recommendation appears in more than one policy initiative. If you have multiple instances of the same recommendation assigned to the same subscription, and you create an exemption for the recommendation, it affects all of the initiatives that you have permission to edit.

If you try to create an exemption for this recommendation, you'll see one of the two following messages:

  • If you have the necessary permissions to edit both initiatives, you'll see:

    This recommendation is included in several policy initiatives: [initiative names separated by comma]. Exemptions will be created on all of them.

  • If you don't have sufficient permissions on both initiatives, you'll see this message instead:

    You have limited permissions to apply the exemption on all the policy initiatives, the exemptions will be created only on the initiatives with sufficient permissions.

Are there any recommendations that don't support exemption?

These generally available recommendations don't support exemption:

  • All advanced threat protection types should be enabled in SQL managed instance advanced data security settings
  • All advanced threat protection types should be enabled in SQL server advanced data security settings
  • Container CPU and memory limits should be enforced
  • Container images should be deployed from trusted registries only
  • Container with privilege escalation should be avoided
  • Containers sharing sensitive host namespaces should be avoided
  • Containers should listen on allowed ports only
  • Default IP Filter Policy should be Deny
  • Immutable (read-only) root filesystem should be enforced for containers
  • IoT Devices - Open Ports On Device
  • IoT Devices - Permissive firewall policy in one of the chains was found
  • IoT Devices - Permissive firewall rule in the input chain was found
  • IoT Devices - Permissive firewall rule in the output chain was found
  • IP Filter rule large IP range
  • Least privileged Linux capabilities should be enforced for containers
  • Overriding or disabling of containers AppArmor profile should be restricted
  • Privileged containers should be avoided
  • Running containers as root user should be avoided
  • Services should listen on allowed ports only
  • SQL servers should have a Microsoft Entra administrator provisioned
  • Usage of host networking and ports should be restricted
  • Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers

We're already using conditional access (CA) policy to enforce MFA. Why do we still get the Defender for Cloud recommendations?

To investigate why the recommendations are still being generated, verify the following configuration options in your MFA CA policy:

  • You included the accounts in the Users section of your MFA CA policy (or one of the groups in the Groups section)
  • The Azure Management app ID (797f4846-ba00-4fd7-ba43-dac1f8f63013), or all apps, are included in the Apps section of your MFA CA policy
  • The Azure Management app ID isn't excluded in the Apps section of your MFA CA policy
  • OR condition is used with only MFA, or AND condition is used with MFA
  • A Conditional Access policy enforcing MFA through Authentication Strengths is currently not supported in our evaluation

We're using a third-party MFA tool to enforce MFA. Why do we still get the Defender for Cloud recommendations?

Defender for Cloud's MFA recommendations doesn't support third-party MFA tools (for example, DUO).

If the recommendations are irrelevant for your organization, consider marking them as "mitigated" as described in Exempting resources and recommendations from your secure score. You can also disable a recommendation.

Why does Defender for Cloud show user accounts without permissions on the subscription as "requiring MFA"?

Defender for Cloud's MFA recommendations refers to Azure RBAC roles and the Azure classic subscription administrators role. Verify that none of the accounts have such roles.

We're enforcing MFA with PIM. Why are PIM accounts shown as noncompliant?

Defender for Cloud's MFA recommendations currently doesn't support PIM accounts. You can add these accounts to a CA Policy in the Users/Group section.

Can I exempt or dismiss some of the accounts?

The capability to exempt some accounts that don't use MFA is available on the new recommendations in preview:

  • Accounts with owner permissions on Azure resources should be MFA enabled
  • Accounts with write permissions on Azure resources should be MFA enabled
  • Accounts with read permissions on Azure resources should be MFA enabled

To exempt account(s), follow these steps:

  1. Select an MFA recommendation associated with an unhealthy account.
  2. In the Accounts tab, select an account to exempt.
  3. Select the three dots button, then select Exempt account.
  4. Select a scope and exemption reason.

If you would like to see which accounts are exempt, navigate to Exempted accounts for each recommendation.

Tip

When you exempt an account, it won't be shown as unhealthy and won't cause a subscription to appear unhealthy.

Are there any limitations to Defender for Cloud's identity and access protections?

There are some limitations to Defender for Cloud's identity and access protections:

  • Identity recommendations aren't available for subscriptions with more than 6,000 accounts. In these cases, these types of subscriptions are listed under Not applicable tab.
  • Identity recommendations aren't available for Cloud Solution Provider (CSP) partner's admin agents.
  • Identity recommendations don't identify accounts that are managed with a privileged identity management (PIM) system. If you're using a PIM tool, you might see inaccurate results in the Manage access and permissions control.
  • Identity recommendations don't support Microsoft Entra conditional access policies with included Directory Roles instead of users and groups.

What operating systems for my EC2 instances are supported?

For a list of the AMIs with the SSM Agent preinstalled, see this page in the AWS docs.

For other operating systems, the SSM Agent should be installed manually using the following instructions:

For the CSPM plan, what IAM permissions are needed to discover AWS resources?

The following IAM permissions are needed to discover AWS resources:

DataCollector AWS Permissions
API Gateway apigateway:GET
Application Auto Scaling application-autoscaling:Describe*
Auto scaling autoscaling-plans:Describe*
autoscaling:Describe*
Certificate manager acm-pca:Describe*
acm-pca:List*
acm:Describe*
acm:List*
CloudFormation cloudformation:Describe*
cloudformation:List*
CloudFront cloudfront:DescribeFunction
cloudfront:GetDistribution
cloudfront:GetDistributionConfig
cloudfront:List*
CloudTrail cloudtrail:Describe*
cloudtrail:GetEventSelectors
cloudtrail:List*
cloudtrail:LookupEvents
CloudWatch cloudwatch:Describe*
cloudwatch:List*
CloudWatch logs logs:DescribeLogGroups
logs:DescribeMetricFilters
CodeBuild codebuild:DescribeCodeCoverages
codebuild:DescribeTestCases
codebuild:List*
Config Service config:Describe*
config:List*
DMS - database migration service dms:Describe*
dms:List*
DAX dax:Describe*
DynamoDB dynamodb:Describe*
dynamodb:List*
Ec2 ec2:Describe*
ec2:GetEbsEncryptionByDefault
ECR ecr:Describe*
ecr:List*
ECS ecs:Describe*
ecs:List*
EFS elasticfilesystem:Describe*
EKS eks:Describe*
eks:List*
Elastic Beanstalk elasticbeanstalk:Describe*
elasticbeanstalk:List*
ELB - elastic load balancing (v1/2) elasticloadbalancing:Describe*
Elastic search es:Describe*
es:List*
EMR - elastic map reduce elasticmapreduce:Describe*
elasticmapreduce:GetBlockPublicAccessConfiguration
elasticmapreduce:List*
elasticmapreduce:View*
GuardDuty guardduty:DescribeOrganizationConfiguration
guardduty:DescribePublishingDestination
guardduty:List*
IAM iam:Generate*
iam:Get*
iam:List*
iam:Simulate*
KMS kms:Describe*
kms:List*
Lambda lambda:GetPolicy
lambda:List*
Network firewall network-firewall:DescribeFirewall
network-firewall:DescribeFirewallPolicy
network-firewall:DescribeLoggingConfiguration
network-firewall:DescribeResourcePolicy
network-firewall:DescribeRuleGroup
network-firewall:DescribeRuleGroupMetadata
network-firewall:ListFirewallPolicies
network-firewall:ListFirewalls
network-firewall:ListRuleGroups
network-firewall:ListTagsForResource
RDS rds:Describe*
rds:List*
RedShift redshift:Describe*
S3 and S3Control s3:DescribeJob
s3:GetEncryptionConfiguration
s3:GetBucketPublicAccessBlock
s3:GetBucketTagging
s3:GetBucketLogging
s3:GetBucketAcl
s3:GetBucketLocation
s3:GetBucketPolicy
s3:GetReplicationConfiguration
s3:GetAccountPublicAccessBlock
s3:GetObjectAcl
s3:GetObjectTagging
s3:List*
SageMaker sagemaker:Describe*
sagemaker:GetSearchSuggestions
sagemaker:List*
sagemaker:Search
Secret manager secretsmanager:Describe*
secretsmanager:List*
Simple notification service SNS sns:Check*
sns:List*
SSM ssm:Describe*
ssm:List*
SQS sqs:List*
sqs:Receive*
STS sts:GetCallerIdentity
WAF waf-regional:Get*
waf-regional:List*
waf:List*
wafv2:CheckCapacity
wafv2:Describe*
wafv2:List*

Is there an API for connecting my GCP resources to Defender for Cloud?

Yes. To create, edit, or delete Defender for Cloud cloud connectors with a REST API, see the details of the Connectors API.

What GCP regions are supported by Defender for Cloud?

Defender for Cloud supports and scans all available regions on GCP public cloud.

Does workflow automation support any business continuity or disaster recovery (BCDR) scenarios?

When preparing your environment for BCDR scenarios, where the target resource is experiencing an outage or other disaster, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic Apps.

For every active automation, we recommend you create an identical (disabled) automation and store it in a different location. When there's an outage, you can enable these backup automations and maintain normal operations.

Learn more about Business continuity and disaster recovery for Azure Logic Apps.

What are the costs involved in exporting data?

There's no cost for enabling a continuous export. Costs might be incurred for ingestion and retention of data in your Log Analytics workspace, depending on your configuration there.

Many alerts are only provided when you enabled Defender plans for your resources. A good way to preview the alerts you get in your exported data is to see the alerts shown in Defender for Cloud's pages in the Azure portal.

Learn more about Log Analytics workspace pricing.

Learn more about Azure Event Hubs pricing.

For general information about Defender for Cloud pricing, see the pricing page.

Does the continuous export include data about the current state of all resources?

No. Continuous export is built for streaming of events:

  • Alerts received before you enabled export aren't exported.
  • Recommendations are sent whenever a resource's compliance state changes. For example, when a resource turns from healthy to unhealthy. Therefore, as with alerts, recommendations for resources that haven't changed state since you enabled export won't be exported.
  • Secure score per security control or subscription is sent when a security control's score changes by 0.01 or more.
  • Regulatory compliance status is sent when the status of the resource's compliance changes.

Why are recommendations sent at different intervals?

Different recommendations have different compliance evaluation intervals, which can range from every few minutes to every few days. So, the amount of time that it takes for recommendations to appear in your exports varies.

How can I get an example query for a recommendation?

To get an example query for a recommendation, open the recommendation in Defender for Cloud, select Open query, and then select Query returning security findings.

Screenshot of how to create example query for recommendation.

Does continuous export support any business continuity or disaster recovery (BCDR) scenarios?

Continuous export can be helpful in to prepare for BCDR scenarios where the target resource is experiencing an outage or other disaster. However, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

Learn more in Azure Event Hubs - Geo-disaster recovery.

Can I programmatically update multiple plans on a single subscription simultaneously?

We don't recommend programmatically updating multiple plans on a single subscription simultaneously (via REST API, ARM templates, scripts, etc.). When using the Microsoft.Security/pricings API, or any other programmatic solution, you should insert a delay of 10-15 seconds between each request.