Set of resources and configuration to apply Defender capabilities.

Create the baseline infrastructure:

cp config/sample.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve

Make sure Defender is enabled.

TODO: Document Log Analytics stuff

Add the desired subscriptions to the Defender scope.

Enable Defender CSPM to make all features available.

Enable the protection for:

• Servers
• Databases
• Key Vault

Or others to track even more resource types.

JIT is implemented in my dedicated repository: https://github.com/epomatti/az-vm-jit

Defender will use Microsoft Defender for Endpoint (MDE) for EDR, as well as agentless scanning based on the OS disk.

The AMA is not required for Defender but it is installed anyways in this VM.

Check the differences between the plans.

Deallocated/ing or starting servers are not billed.

When you enable Defender for Servers you're charged for all connect machines based on the power state. You're also charged for on AWS.

Outlining Defender capabilities:

• Attack path analysis
• Hunting
• Posture
• Security governance (rules) - weekly email is sent to owners with the recommendations they're assigned to.
• Multi-cloud
• Visibility of vulnerabilities with agentless scanning
• Protect workloads with alerts correlation
• Malware Scanning
• Container threat detection and policy enforcement
• Protect your APIs

There are two specific roles for Defender for Cloud:

• Security Administrator
• Security Reader

From the docs:

• Azure Monitor Agent (AMA)
• Microsoft Defender for Endpoint (MDE)
• Log Analytics agent
• Azure Policy Add-on for Kubernetes

How to activate the agents.

Check the Alerts for SQL Database and Azure Synapse Analytics to identify threats for SQL.

For example, SQL Injection may have the following:

• Vulnerability: Faulty SQL statement or no sanitation.
• Potential: An active exploit has occurred against an identified application vulnerable to SQL injection.

Use Workflow automation to react when state changes in Defender.

Trigger conditions:

• Security alert
• Recommendation
• Regulatory compliance standards

A Logic App will be created so that it can be selected via the Portal.

To create an EASM workspace, use the Portal.

Enable the anti-malware extension for the vm-antimalware resource, which is called Microsoft Antimalware in the gallery (with type Microsoft.Azure.Security.IaaSAntimalware).

Example running a Fulls Scan scheduled every Sunday 2AM.

TODO: Need to implement this

To integrate with AWS:

cd aws

cp config/template.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve

Create the resource group for the AWS integration:

az group create -l eastus2 -n rg-aws

Connect to Defender for Cloud and create an Amazon Web Services environment.

Current plans supported:

• Foundational CSPM
• Defender CSPM
  • Agentless scanning (EC2 installed software and vulnerabilities)
  • Sensitive data discovery
  • And more

• Servers (Plan 2)
• Databases
• Containers (EKS, ECR)