1. Plan for cloud workload protections using Microsoft Defender for Cloud
Everyone and welcome back to my course, Security Operations Analyst SC 200. Now we are starting a new section in which we are going to discuss mitigating threats using yet another tool from the Microsoft Security Stack, and that is Microsoft Defender for Cloud. So let’s take a look at what we’re going to go through in this section. First of all, we are going to explain what Microsoft Defender for Cloud is, and then we are going to talk about the cloud workload protections in Microsoft Defender for Cloud. Then we’ll go over connecting Asian assets and non-Asian resources to Microsoft Defender for the Cloud in two lessons. And in the last lesson, we are going to talk about the security alerts that are available in Microsoft Defender for the Cloud. So let’s get onto our first lesson and talk about planning for deploying Microsoft Defender for the cloud. First of all, let’s explain what Microsoft Defender for Cloud is. It is a tool for security posture management and threat protection. At the same time, it basically strengthens the security posture of your cloud resources. And with its integrated Microsoft Defender plans, it protects workloads running in Asia, hybrid workloads, and other cloud platform workloads.
Defender for Cloud provides basically all the tools needed to harden your resources, track your security posture, protect against cyberattacks, and streamline security management. Because it is natively integrated, the deployment of Defender for Cloud is very easy, providing you with a simple auto-provisioning method to secure your resources by default. Defender for Cloud fills three vital needs as you, of course, manage the security of your resources and workloads in the cloud and on premises. And those are to be constantly assessed, and let me bring up my pam to do so. Here we go. Sorry for changing that slide to continually assess resources. First of all, So basically, this helps you understand your current security posture through this continuous assessment of your resources from a security standpoint. Then it secures your resources, so it hardens all the connected resources and services, and then it defends because, basically, it detects and resolves threats to those resources and services that I’ve mentioned. Now, to help protect yourself against these challenges, Defender for Cloud provides you with tools like the Secure Score.
And here, you basically have a single score to tell you your current security situation at a glance. The higher the score, the lower the identified risk level. Then you have the security recommendations, which are customised and prioritised hardening tasks to help you improve your security posture. You implement a recommendation by following the detailed remediation steps provided in that recommendation, and for many of the recommendations, Defender for Cloud offers a fix button to basically automate the implementation of that recommendation. And then lastly, you have the security alerts. And with these enhanced security features, Defender for Cloud basically detects threats to your resources and workloads. These alerts appear in the Asia Portal, and Defender for Cloud can also send them either by email to the relevant personnel in your organisation or stream them to your security incident and event management solution.
Now, let’s talk about these points that I’ve outlined on the slide. First of all, let’s talk about the architecture of Microsoft Defender for the Cloud. Now, because it is natively part of Azure Platform as a Service, services in Asia, including the service fabric, SQL Database, SQL managed instance, and storage account, are being monitored and protected by Defender for Cloud without necessitating, let’s say, any kind of deployment. In addition, Defender for Cloud also protects non-Azure servers and virtual machines in the cloud or on-premises for both Windows and Linux servers. This is done by installing the Log Analytics agent on them, and the Azure Virtual Machines are autoprovisioned with this in Microsoft Defender for Cloud. Now, the events collected from these agents and Asia are correlated in the Security Analytics engine to provide you with tailored recommendations. As I mentioned, these are hardening tasks that you should follow to ensure your workloads are secure. You can investigate such alerts, let’s say, as soon as possible, right? to ensure that malicious attacks on your workloads do not occur When you enable Defender for Cloud, the security policy built into Defender for Cloud is reflected in Asiapolicy as a built-in initiative under the Defender for Cloud category, but we’ll talk about that in more detail when we get there.
Then it strengthens your security posture because it enables you to actually strengthen, harden, and maintain that posture, that security posture.This means it basically helps you identify and perform the hardening tasks recommended as security best practises and, of course, implement them across your machines, data services, and apps. This includes managing and enforcing your security policies and ensuring your Azure virtual machines, non-Azure servers, and Azure Platform as a Service are compliant. Defender for Cloud provides you with the tools that you need to have, let’s say, a bird’s-eye view of your workloads with focused visibility on your network security state. Then it also offers management of the organisation, security policy, and compliance. Isn’t it important to understand security basics and ensure the security of your workloads? And it starts with having tailored security policies in place. because all Defender for Cloud policies are based on Asia policy controls You are basically getting the full range and flexibility of a world-class policy solution.
In Defender for Cloud, you can set your own policies to run on management groups across subscriptions and even for the entire tenant. Then you have continuous assessment. And here, basically, Defender for Cloud continuously discovers new resources that are being deployed across your workloads and assesses whether they are configured according to security best practices. If not, they are flagged, and you get a prioritised list of recommendations for what you need to fix in order to protect your machines. to help you understand how important each recommendation is to your overall security posture. Defender for Cloud groups the recommendations into security controls and adds a security score value to each control. And this is, of course, crucial in enabling you to prioritise these security recommendations. Then it offers the network map. And one of the most powerful tools that, let’s say, Defender for Cloud provides for continuously monitoring your network security status is the network map. The map enables you to see the topology of your workloads, so you can see if each node is properly configured.
You can see, of course, how your nodes are connected, which again helps you block unwanted connections that could potentially make it easier for an attacker to creep along your network. And you will see the security map and the network map shortly. Then it also offers optimization and improved security by configuring recommended controls. And the heart of Microsoft Defender’s value lies in its recommendations. The recommendations are tailored to the particular security concerns found in your workloads. And Defender for Cloud does the security admin work for you, not only finding your vulnerabilities but also providing you with specific instructions for how to get rid of those vulnerabilities? In this way, Defender for Cloud enables you not just to set security policies but to apply security configuration standards across all your resources. Then you have the threat protection piece.
And here, Defender for Cloud’s threat protection enables you to detect and prevent threats at the infrastructure as a service layer, non-secure servers, or platform as a service services in Asia. Defender for Cloud threat protection includes Fusion Kill Chain Analysis, which automatically correlates alerts in your environment based on the Cyber Kill Chain Analysis. And this is to help you better understand the full story of an attack campaign, where it started, and what kind of impact it had on your resources. Then you have the integration with Defender for Endpoint, and Defender for Cloud includes automatic native integration with Defender for Endpoint. This means that without any further configuration, your Windows and Linux machines are fully integrated with Defender for Cloud’s recommendations and assessments. In addition, Defender for Cloud lets you automate application control policies in server environments. Defender for Cloud’s adaptive application controls enable end-to-end approval-listing across your Windows servers. You don’t need to create rules and check for violations; it’s all done automatically.
Then it safeguards Platform as a Service. Again, it detects threats across your Azure PAS services. Threats to Azure services such as Azure App Service, Azure SQL, Azure Storage Account, and others can be detected. More data services To detect anomalies in your Azure activity logs, you can also use the native integration with Microsoft Defender for Cloud apps and user- and entity-level behaviour analytics. It can also block brute-force attacks. Defender for Cloud helps you basically limit your exposure to brute force attacks by reducing access to virtual machine ports using “just-in-time” VM access. This way, you can harden your network by preventing unnecessary access. You can set secure access policies on selected ports for only authorised users, allowed source IP addresses or ranges of IP addresses, and all of these for a limited amount of time. It can also protect data services. And Defender for Cloud includes capabilities that help you perform automatic classification of your Azure data in Azure SQL. You can also get assessments for potential vulnerabilities in Asia SQL and Storage Services, as well as mitigation recommendations.
Of course, then we have the “just bear with me” moment because I’ve changed the slide unintentionally. Then we have the “Get Secure” foster piece. And here it’s all about native Azure integration. Native Azure integration combined with seamless integration with other Microsoft security solutions such as Microsoft Defender for Cloud Apps or Microsoft Defender for Endpoint helps make sure your security solution is comprehensive and simple to onboard and roll out. In addition, you can also extend the full solution beyond Azure workloads to workloads running on other clouds and in an on-premises data center, as I’ve mentioned before. And then you have automatic discovery and automatic resource provisioning. And here, Defender for Cloud provides seamless native integration with Asian resources and non-Azure resources.
That means that you can pull together a complete security story involving Azure policy and the built-in Defender for Cloud policies across all of your Azure resources and make sure that the whole thing is automatically applied to newly discovered resources as you create them in Asia. Now, going forward, we have another guided demonstration, another interactive guide, so you can familiarise yourself with the Microsoft Defender for Cloud Portal, of course, in the Azure Portal. And I again strongly recommend that you go through this guided demonstration, as it is very effective. Now it takes about 20 to 25 minutes to go through it. When you’re back, we’re going to get to our next topic, and we’ll discuss the Microsoft Defender for Cloud Workload Protections. Defender for Cloud features now essentially cover two broad pillars of cloud security. The first one is cloud security posture management. We’ll be called CSPM shortly. Right. And, in this case, Defender for Cloud is essentially free for all Asia users.
The free experience includes the CSPM features such as secure scoring, detection of security misconfiguration in your Azure Machines asset inventory, and more. You can use these CSPM features to strengthen your hybrid cloud posture and track compliance with built-in policies. And then you have the Cloud Workload Protection, which is the CWP. And here, Defender for Cloud’s Integrated Cloud Workload Protection platform brings advanced intelligent protection to your Azure and hybrid resources and workloads, enabling Defender for Cloud to bring a range of extra security features with CWP. Now, in addition to the built-in policies, when you’ve enabled any Defender for Cloud plan, you can also add custom policies and initiatives. Now, the Defender for Cloud provides visibility and control over the cloud workload protection features in your environment. And it includes all of these over here, as you can see them listed here on the slide. Let’s look at what types of resources Defender for Cloud can protect.
So again, when you enable Defender for Cloud from the pricing and settings area, and you will see how that’s done, the following Defender plans are enabled simultaneously and provide comprehensive defences for the compute, data, and service layers of your environment. And it can protect all of these kinds of resources, as you can see, from servers to app service storage accounts, SQL servers, Kubernetes container registry entries, key vaults, resource managers (DMs), and, of course, open-source relational databases. These are all the workloads that, basically, Microsoft Defender for the Cloud can secure and protect. Now, going forward, let’s talk about the Defender for Cloud’s additional capabilities. Right? So in addition to defending your Azure environment, you can add Defender for Cloud Capabilities to your hybrid cloud environment. You can protect non-Azure servers from your on-premises data centers, for example. You can also protect your virtual machines in other clouds, such as AWS or GCP, where you’ll get customised threat intelligence and prioritise alerts based on your specific environment, allowing you to focus on what matters most.
To extend, for example, protection to virtual machines and SQL databases in other clouds or on premises, you deploy AzureArc and enable Defender for Cloud on it. Azure Arc for Servers is a free service, but services used on Arc-enabled servers, such as Defender for Cloud, will be charged according to the pricing tier for that particular service. Now, we also have the Defender for Cloud Security Alerts as an additional capability. And of course, when Defender for Cloud detects a threat in any area of your environment, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and, in some cases, an option to trigger an automated response via the logic app. Then we have advanced protection capabilities. And here, Defender for Cloud uses advanced analytics for tailored recommendations related to your resources. Protections include securing the management ports of your VMs with just-in-time access and adaptive application controls to basically create an allow list for what apps should and should not run on your machines. It also assesses and manages vulnerabilities.
So, basically, Defender for Cloud includes vulnerability scanning for your virtual machines and container registries at no extra cost. The scanners are powered by Qualities, but you don’t need a Qualities licence or even a Qualities account. Everything is handled seamlessly inside Defender for Cloud. You can review the findings from these vulnerability scanners and respond to them all from within Defender for Cloud. As a result, Defender for Cloud is getting closer to being the “single pane of glass” for all of your cloud security efforts. Okay, that being said, let’s take a quick look at how we can enable Microsoft Defender for Cloud. Again, there are some prerequisites before you enable the Defender for Cloud. And to get started with Defender for Cloud, you must have, of course, an Azure subscription. And to enable the enhanced security features on the subscriptions, you must be assigned the role of subscription owner, subscription contributor, or security administrator. Now, to enable the Defender for Cloud, there are a few easy steps. You go to the Azure Portal. You opt for Defender for Cloud. There’s a “Get Started” button, and you basically select that. And after that, you upgrade the enhanced security features.
As shown in the slide, you essentially enable these enhanced security features on your subscription. Then, from the Defender for Cloud’s main menu, you select the environment settings, select the subscription you want to enable, and you select Enable All. Or you can selectively enable the features that you are interested in for Defender on Cloud. Again, don’t worry; you will have a lab at the end of the section that will take you through all these steps. So basically, you will enable Defender for Cloud from scratch in your trial subscription. And with that being said, this concludes the discussion for this particular lesson. I’ll see everyone in the next lesson, where we’ll discuss the cloud workload protections in Microsoft Defender for Cloud. Until then, of course, I hope this has been informative for you.
2. Cloud workload protections in Microsoft Defender for Cloud
And welcome back to my course, Security Operations Analyst, SC 200. Now, in this lesson, we are going to discuss connecting non-Asian resources to Microsoft Defender for Cloud. As we discussed in the previous lesson, Defender for Cloud can protect hybrid workloads, such as those hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), or both.
Now, first of all, today, let’s take this as a high-level overview, right? Today, companies kind of struggle, let’s say, to control and govern increasingly complex environments. These environments extend across the datacenter, probably across multiple clouds. And each environment and cloud possess their own set of disjointed management tools that you need to learn and operate. Of course, new DevOps and ITOps operational models are difficult to implement in parallel, as existing tools fail to support new cloud native patterns, right? So here we have it. Azure Arc and Azure Arc simplify governance and management by delivering, let’s say, a consistent, multicloud, and on-premises management platform. Azure Arc essentially allows you to manage your entire environment through a single pane of glass. This is not Azure on-premises or other cloud resources. You can manage virtual machines.
You can manage Kubernetes clusters. If your databases are hosted in Azure, you can manage them. You can use familiar Azure services and management capabilities regardless of where these resources live. And you can, let’s say, continue using traditional ITops while introducing DevOps practises to support the new cloud-native patterns in your environment. Now, as of the moment of the recording of this course, Azure Arc allows you to manage the following resource types outside of Azure: So you have servers, both physical and virtual, running on Windows or Linux. You have Kubernetes clusters supporting multiple Kubernetes distributions. You have Azure Data Services. Azure SQL Managed Instances and Postgrey SQL Hyper-Scale Services And on top of this, you also have—I mean, Ajuric also supports SQL Server. Essentially, you can enrol SQL Server instances from any location on Azure Arc enabled servers here. And this is only a high-level representation of how Azure ARC integrates your existing on-premises or other cloud infrastructure and resources with the Azure environment.
First and foremost, because we’ve mentioned non-Asian machines, let’s talk about protection. So let’s talk about the non-Asian machines first. Defender for Cloud can monitor the security posture of your non-Azure computers. But first, you need to connect them to Azure. So you can connect them to Azure in any of the following ways: either using ARC-enabled servers (which is the recommended option) or from Defender for Cloud’s page in the Azure Portal with the Getting Started Inventory, where you can basically do this via the Log Analytics engine. Now, adding, say, non-Azure machines to Azure Arc is quite simple.
Basically, the Arc-enabled servers are the preferred way of adding non-Asian machines to Defender for Cloud, and the machine with Asia Arc basically becomes an “Asia resource” and appears in Defender for Cloud with recommendations like your other Asia resources. Furthermore, Asia Arc enabled servers offer enhanced capabilities such as the ability to enable guest configuration policies on the machine. You can use the Log Analytics agent as an extension to make it easier to deploy other Asia services and much more. Now, when you want to, let’s say, onboard an Asia Arcservice, you can do that directly from the Asia Portal. And actually, let me just quickly show you how to do that. So you can basically go to Install Agents or Get Startedhere from the Getting Started page and manage your service. So from here, you can configure a workspace or create a new workspace, but I’m going to select an existing one and we’ll click on “Upgrade” to this one. Right now, the Defender for Cloud has been upgraded. This workspace is here, and we can click on the Add Servers button over here. Now the only thing you need to do is download the 64-bit agent for Windows machines and basically install it on the server that you want to onboard. And then you will have the option to actually configure the Log Analytics agent on that particular server with these workspace IDs and primary keys.
Now, don’t worry; in the lab for this section, you will do just this. You will onboard Windows servers; you will basically enable Azure Arc on your Windows server, then you will onboard it into Microsoft Defender for Cloud, and you will do the same for Linux servers. As you can see here, If I click on the Linux tab, you just need to download and onboard the agent via this command over here. And again, you will actually do this step-by-step in the lab for this particular section. So this is how you actually onboard a non-Azure machine into your Defender for Cloud workspace. Now let’s get back to the slides and talk about basically connecting your AWS account and onboarding your AWS account into Microsoft Defender for Cloud. It essentially integrates AWS, security, and the Cloud Hub and Defender. Defender for Cloud basically provides visibility and protection across both of these cloud environments. This is what it looks like, first of all. And this is all to provide you with automatic agent provisioning, policy management, vulnerability management, embedded endpoint detection and response, detection of security misconfigurations (not measuring, of course), a single view showing the recommendation for both Defender for Cloud and AWS Security Hub, and of course incorporation of your AWS resources into Defender for Cloud’s securescore calculations.
Now, how do you set up and connect your AWS connector? I’m going to just tell you in these high-level steps, but you will also have links in the downloadable resources for this lesson with step-by-step tutorials on how you can connect your AWS Cloud connector. So first of all, you have to set up an AWS Security Hub. So to view the security recommendations for multiple regions, you can repeat the steps for each relevant region that you might have in your AWS account. Now you can enable AWS configuration. You enable the AWS Security Hub, and you verify that the data is flowing into the AWS Security Hub. The next step is to configure Defender for Cloud authentication in AWS. Now, at a high level, there are two ways of doing this. You can create an IAM role, a Yam role, for Defender for Cloud, and this is the most secure method and the recommended method. You can also use an AWS user for Defender for Cloud, but again, this is a less secure option if you don’t have Identity Access Management (IAM) enabled shortly called Yam.Now again, I won’t go through the detailsof creating an Identity Access Management role becauseyou have it in the documentation.
The next step is to actually configure the SSM agent. And here, basically, AWS System Manager is required for automating tasks across your AWS resources. If your EC2 instances do not already have the SSMAgent, you must install it by following the instructions in Amazon’s documentation. Then the next step is to complete the Asia Arc prerequisites. And you probably need to make sure the appropriate Asia resource providers are registered within your subscription. That is the Microsoft hybrid compute and Microsoft guest configuration. But usually, they should be registered by default. But if not, you can manually register these resource providers. And again, you will have the exact steps in the documentation on how to do that. Then the only thing you have to do is connect your AWS account to Defender for Cloud. And here, from Defender for Cloud, you go to the Security Solutions menu and select MulticloudConnectors, and then you add your AWS account. Of course, you will be asked for details like the name and description. You can confirm the subscription depending on the authentication option that you’ve set. Step two includes configuring Defender for Cloud authentication as well as all other steps required to connect the AWS account.
Then you proceeded to the confirmation step. And when the connector is successfully created and the AWS Security Hub has been configured properly, Defender for Cloud basically scans the AWS EC2 instances, onboarding them into Azure Arc, enabling it to install the Log Analytics Agent, and providing threat protection and security recommendations from Microsoft Defender for Cloud. Now let’s go to the next and last resource type here on our list, and that is the GCP account. And now we’re integrating your GCPaccount with Microsoft Defender for the Cloud. Basically, it integrates the GCP Security Command and Defender for Cloud with Microsoft Defender for Cloud. So Defender for Cloud thus provides visibility and protection across both of these cloud environments to provide, in a nutshell, these basic capabilities. Over here, the detection and security misconfiguration a single view of the course, showing in Defender for Cloud the incorporation of your GC resources into Defender for Cloud. And this is for the secure score calculations and integration of the GCP Security Command and Center recommendations into Microsoft Defender for Cloud. So you’ll have all the recommendations in one place. In the screenshot, you can see projects, specifically GCP projects, displayed in the Defender for Cloud Overview Dashboard. And of course, you can click into them and drill down. Now you can again follow these high-level steps to connect your GCP Cloud connector. Let’s see. Right, so first of all, you need to setup the GCP security command centre with security health analytics.
And for all GCP projects in your organization, you must also set up the GCP Security Command Center using the GCP documentation, enable the Security Health Analytics again using the GCP documentation, and verify that the data is flowing to the Security Command Center. Now, you’ll also have the instructions for these in the downloadable resources for this particular lesson. The next step would be to enable the GCP Security Command Center API. So from Google’s Cloud Console API library, you just select the project you want to connect to in Defender for Cloud. In the API library, you select the Security Command Center API, and you click on enable. Then you get to the next step, where you basically create a dedicated service account for the security configuration integration. And here in the GCP console, you select the project again. In the navigation menu, under the Identity Access Management and Admin options, you select Service Accounts. Create a new service account. You must, of course, give the service account a name. There’s a menu you need to select Continue from, and then you’re done. Again, you’ll have the instructions in the downloadable resources. And after you create the account, you need to add a role to this account. And in the end, you basically specify the role as Microsoft Defender for CloudAdmin Viewer, and you select Save. Then the next step is to create a private key for the dedicated service account. And here we return to service accounts. You open the service account that you’ve just created. In the keys section, you click “Odd Key” and create a new key.
And then you create the new key in JSON format. And then there’s the step where you actually connect the GCP to Defender for Cloud. And again, from Defender for Cloud’s Cloud Connectors menu, you select our GCP account, and the onboarding page will appear, and all you need to do is click Next to validate the subscription. You enter a display name for your connector in the Organization ID. You enter your organisation ID, and in the Private Key box, you basically go to the JSON file that you downloaded in the previous step and create a private key for the Dedicated Service account. Here in the Microsoft Center for cloud computing And on the confirmation page, of course, if I just changed the slide when the connector is successfully created and the GCP Security Command Center has been properly configured, the GCP Sys standard will be shown in Defender for Cloud, as you can see here. Right? And, in general, the security recommendations for your cloud resources will appear in Defender for Cloud, the Defender for Cloud Portal, and the regulatory compliance dashboard within five to ten minutes of the onboarding being completed. And that is, in a nutshell, how you connect your GCP account. Now that being said, this again brings the discussion for this lesson to an end. I will see everyone in the next lesson, where we’ll discuss remediating security alerts with Microsoft Defender for the Cloud. And here we’ll get into the alerting part of Microsoft Defender for the Cloud. Until then, of course, I hope this has been informative for you, and I thank you for viewing.
3. Connect Azure Assets To Microsoft Defender for Cloud
And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now in this lesson, we are going to discuss connecting Asian assets to Microsoft Defender for Cloud. So, picking up where we left off in the last lesson, resource protection in Microsoft Defender for Cloud can be automatically configured with autoprovisioning or maybe manually deployed. Now, let’s take a look at the first option that we have here, which is automatic configuration. Now, the Asset Inventory page, first of all, in Microsoft Defender for Cloud basically provides a single page for viewing the security posture of all the resources that you have connected to Defender for Cloud. It periodically analyses the security state of your Asia resources to identify potential security vulnerabilities. It then, of course, provides you with recommendations on how to remediate those vulnerabilities.
Now you can use this view from the inventory and its filters, of course. And we’re going to talk about filters shortly here to address questions such as these ones on the slides. Which of your subscriptions with Microsoft Defender for the Cloud enabled have outstanding recommendations? Which of your machines with, let’s say, the production tag here is missing the agent? How many of your machines are tagged with a specific tag? Or how many resources in a specific resource group have security findings? And these are essentially some of the questions that can be answered directly from the inventory overview page. Now going forward, let’s take a look at the key features of the asset inventory.
Now the Asset Inventory page provides the following tools: First of all, we have summaries over here. And here you can see the total resources, which is the total number of resources that are linked to Defender for Cloud. You can see the unhealthy resources; here are the resources with active security recommendations and the unmonitored resources. And here you have sources with agent monitoring issues. So they have the log analytics agent deployed, but the agent isn’t sending data or has other health issues. Then you have the filters, and the multiple filters at the top of the page will provide you with a way to quickly refine the list of resources according to the question that you’re trying to find an answer to. For example, if you wanted to answer the question, “Which of my machines has the tag production or is missing the log analytics agent?” Now, as soon as you apply the filters, the summary values are updated to relate to those particular filtering results, let’s say, right? Okay. Now you also have export options here.
So the inventory provides the option to export the results of your selected filter options, of course, to a CSV file. You can also export the query itself to Asia Resource Graph Explorer to further refine, save, or modify your Kousal query language query. Then we have the asset management options. And here, the inventory lets you perform complex discovery queries. And when you find the resources that match your queries, inventory provides shortcuts for operations such as the ones you can see here. Assigning tags to the filter resources lets you select the check boxes alongside the resources you want to tag. You can onboard new servers to Defender for Cloud, and you can automate workloads with Azure Logic App. You can use the Trigger Logic App button to run a logic app on one or more resources. And of course, your logic apps have to be prepared in advance and accept relevant triggers like HTTP requests.
Now, I am going to briefly show you these options here in the portal. But again, given the fact that it’s a trial, we don’t have a lot of data to work with. So basically, I cannot show you how to filter stuff because we only have one server onboarded at the moment in my demo subscription. Okay, now let’s take a look at how asset inventory works. Asia Resourcegraph, or Arg, is primarily used for asset inventory. This is an Azure service that allows you to query Defender for data on Cloud security capture across multiple subscriptions. Arg is designed to provide, let’s say, efficient resource exploration with the ability to query at scale using the Crystal Query Language (KQL).By cross-referencing Defender for Cloud data with other resource properties, Asset Inventory can quickly generate deep insights. Now, let’s take a look at how to actually use the resource inventory. So first of all, from the Defender for Cloud, you select the inventory blade, and then, of course, you can use the filter page to filter for items that you are basically interested in. And in fact, let me just quickly show you this in our portal here.
So, right here on Microsoft Defender for Cloud, we select the inventory blade. Of course, we select our resources over here. So we have one Azure subscription and the Windows Server that I mentioned earlier. But here on the top, you can select all of these different filters, like resource groups, resource types, defenders for cloud monitoring, agent status, like installed or not installed, and more filters. You can also add filters by clicking on this button here.And these are the filters that you have available to add to your query. And once you filter this, you’ll see the results right here. If you select one asset, for example, it will take you to this page and present you with recommendations, such as installing endpoint protection on machines. For example, this is a high security recommendation for our current Windows server that we have onboarded here in Microsoft Defender for Cloud.
Now let’s get quickly back to the slides and talk about configuring the auto-provisioning options. So, Microsoft Defender for Cloud, again, we’ve already talked about it, collects data from Asia Virtual Machines, virtual machine scale sets, containers, infrastructure as a service containers, or non-Asia Virtual Machines, including on-premises machines, to monitor for security vulnerabilities and threats. The data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status (like we saw with our server just a moment ago), and health and threat protection. Again, data collection is only needed for compute resources like VMs (virtual machines), scale-out containers, or non-Azure VMs, right? You can also benefit from Defender for Cloud even if you don’t provision the agents. However, you will have limited security, and let’s say that not all of the capabilities listed will be supported.
So, data is again collected by using the Log Analytics agent over here, which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. Examples of such data are operating system typeversion operating system logs, mainly Windows eventlogs, running processes, machine name, IP address, or logged-on users to that particular machine. Now, the security extensions, such as the AsiaPolicy add-on for Kubernetes, for example, can also provide data to Defender for Cloud regarding, let’s say, specialised resource types. Right? Here is how the page for auto provisioning looks, and you just have to enable it and set the configuration over here. I will show you this in a moment in the portal. Now, let’s take a look at, say, questions and capabilities. So, why would you use autoprovisioning in the first place? Well, any of the agents and extensions that we’re talking about here can also be manually installed manually.However, auto-provisioning reduces that management overhead by installing all the required agents and extensions on existing and new machines, basically to ensure faster security coverage for all the supported resources. Then how does auto-provisioning work? Well, Defender for Cloud’s auto-provisioning settings have a toggle, let’s say, for each type of supported extension.
When you enable auto-provisioning for an extension, you basically assign the appropriate deploy policy, if one does not already exist, to ensure that the extension is provisioned on all existing and future resources of that type. Now, if you want to enable the auto-provisioning of extensions, you can do that directly from the portal, and let me just quickly show you how to do it. So, going back to our Defender for Cloud here, if you go to environment settings and select, of course, the subscription on which you have Defender for Cloud enabled, you will have an auto-provisioning blade over here. And if we click on it, you will see all the available extensions that can be enabled, like the Log Analytics agent for Azure VMs and the Log Analytics agent for Azure Arc machines, which are usually on-premises machines that you onboard through Azure Arc and for which you can enable an extension for vulnerability assessment solutions. As a result, the qualities of vulnerability are used as a solution. It comes at no extra cost.
You can enable the guest configuration agent. And it says here exactly what this does. It looks for security misconfigurations on machines running in Azure-connected machines, and you can also enable Microsoft Defender for containers if you use containers in your environment. Now again, if you enable it, you toggle it on. And if we click here on “Edit configuration,” you can see that you have the option to connect these VMs to the default log analytics workspace that was created by Defender for Cloud when you enable the service. Or you can connect the VMs to a different workspace, like the Azure Sentinel workspace that I have here, which I’ve created specifically for enabling Microsoft Sentinel in the subscription, and we’ll talk about that later in the course. However, keep in mind that you can connect the machines and the data that flows through the Log Analytics agent from those virtual machines to a workspace other than the default one. Now, you also have the option to configure which events you want to collect.
If I click on these existing and new VMs, I won’t set the change. But I just wanted to show you that you have these options over here to collect no events, and we’ll talk about that because this is the preferred action if you’re also going to use Microsoft Sentinel because you can basically configure the collection of events from Microsoft Sentinel rather than from Defender for Cloud. But we’ll get to that when we talk about Microsoft Sentinel. You can choose to stream all minimal events. And, in this case, this basically covers only events that could indicate a successful breach and imported events with a low volume from the Windows security events. Right here we are talking about Windows security events, right? Okay, so for example, this set contains events like successful and failed logins. These are event IDs: four six to four and four six to five. But it doesn’t contain sign-out events. For example, right there you have the common set of events, and here it provides basically a full-user audit trail with this set of events. For example, this set contains both user logins and user sign-outs.
And it also includes auditing actions like security group changes, key domain controllers, Kerberos operations, and other events that are recommended by the industry’s. Let’s say best practices. And the last option here is “all events.” This does exactly what it says. It collects all security events generated by the virtual machines you’ve installed. Let me just click out of this, and the same thing goes for the log analytic agents for Azure Arc machines. Basically, these are your on-premises machines, which you connect through Azure Arc. You enable the collection of the security events, and again from here, you can edit the configuration and choose a workspace where you want those events to be streamed. And this is how you use the autoprovisioning and the extensions. To be more specific, auto-provisioning And now, as the last option, you can also manually install the log analytic agents. As I mentioned at the beginning of the lesson, all you need to do is disable auto-provisioning here for all of these extensions. You can, of course, optionally create a new workspace. Have you enabled Microsoft Defender for Cloud in that workspace?
And then, from the Defender for Cloud menu, go to the environment, to the environment settings over here, and choose a workspace, such as this one. And then you enable Microsoft Defender for Cloud, correct? And then you basically go in and install the loganalytic agents on each VM virtual machine, be it an Azure virtual machine or an on-premises virtual machine. Then, after you’ve successfully installed all of the log analytics agents on the machines and you’ve set them to basically stream the security events to the workspace that you’ve created, you go to data collection over here, and again, you have the same set of events that you can collect into your log analytics workspace. And with this being said, we conclude the discussion. For this lesson, I am going to see everyone in the next one, where we’ll talk about connecting non-Asia resources to Microsoft DefenderCloud, like your on-premises virtual machines. Until then, I hope this has been informative for you, and I thank you for viewing.
4. Connect non-Azure resources to Microsoft Defender for Cloud
And welcome back to my course, Security Operations Analyst, SC 200. Now, in this lesson, we are going to discuss connecting non-Asian resources to Microsoft Defender for Cloud. As we discussed in the previous lesson, Defender for Cloud can protect hybrid workloads, such as those hosted on Amazon Web Services (AWS), Google Cloud Platform (GCP), or both. Now, first of all, today, let’s take this as a high-level overview, right? Today, companies kind of struggle, let’s say, to control and govern increasingly complex environments. These environments extend across the datacenter, probably across multiple clouds. And each environment and cloud possess their own set of disjointed management tools that you need to learn and operate. Of course, new DevOps and Tops operational models are difficult to implement in parallel, as existing tools fail to support new cloud native patterns, right? So here we have it. Azure Arc and Azure Arc simplify governance and management by delivering, let’s say, a consistent, multicolor, and on-premises management platform. Azure Arc essentially allows you to manage your entire environment through a single pane of glass. This is not Azure on-premises or other cloud resources. You can manage virtual machines. You can manage Kubernetes clusters. If your databases are hosted in Azure, you can manage them.
You can use familiar Azure services and management capabilities regardless of where these resources live. And you can, let’s say, continue using traditional I Tops while introducing DevOps practices to support the new cloud-native patterns in your environment. Now, as of the moment of the recording of this course, Azure Arc allows you to manage the following resource types outside of Azure: So you have servers, both physical and virtual, running on Windows or Linux. You have Kubernetes clusters supporting multiple Kubernetes distributions. You have Azure Data Services. Azure SQL Managed Instances and Postgrad SQL Hyper-Scale Services And on top of this, you also have—I mean, Auric also supports SQL Server. Essentially, you can enroll SQL Server instances from any location on Azure Arc enabled servers here. And this is only a high-level representation of how Azure ARC integrates your existing on-premises or other cloud infrastructure and resources with the Azure environment. First and foremost, because we’ve mentioned non-Asian machines, let’s talk about protection.
So let’s talk about the non-Asian machines first. Defender for Cloud can monitor the security posture of your non-Azure computers. But first, you need to connect them to Azure. So you can connect them to Azure in any of the following ways: either using ARC-enabled servers (which is the recommended option) or from Defender for Cloud’s page in the Azure Portal with the Getting Started Inventory, where you can basically do this via the Log Analytics engine. Now, adding, say, non-Azure machines to Azure Arc is quite simple. Basically, the Arc-enabled servers are the preferred way of adding non-Asian machines to Defender for Cloud, and the machine with Asia Arc basically becomes an “Asia resource” and appears in Defender for Cloud with recommendations like your other Asia resources. Furthermore, Asia Arc enabled servers offer enhanced capabilities such as the ability to enable guest configuration policies on the machine. You can use the Log Analytics agent as an extension to make it easier to deploy other Asia services and much more. Now, when you want to, let’s say, onboard an Asia Arcservice, you can do that directly from the Asia Portal. And actually, let me just quickly show you how to do that.
So you can basically go to Install Agents or Get Startedhere from the Getting Started page and manage your service. So from here, you can configure a workspace or create a new workspace, but I’m going to select an existing one and we’ll click on “Upgrade” to this one. Right now, the Defender for Cloud has been upgraded. This workspace is here, and we can click on the Add Servers button over here. Now the only thing you need to do is download the 64-bit agent for Windows machines and basically install it on the server that you want to onboard. And then you will have the option to actually configure the Log Analytics agent on that particular server with these workspace IDs and primary keys. Now, don’t worry; in the lab for this section, you will do just this. You will onboard Windows servers; you will basically enable Azure Arc on your Windows server, then you will onboard it into Microsoft Defender for Cloud, and you will do the same for Linux servers.
As you can see here, If I click on the Linux tab, you just need to download and onboard the agent via this command over here. And again, you will actually do this step-by-step in the lab for this particular section. So this is how you actually onboard a non-Azure machine into your Defender for Cloud workspace. Now let’s get back to the slides and talk about basically connecting your AWS account and onboarding your AWS account into Microsoft Defender for Cloud. It essentially integrates AWS, security, and the Cloud Hub and Defender. Defender for Cloud basically provides visibility and protection across both of these cloud environments. This is what it looks like, first of all. And this is all to provide you with automatic agent provisioning, policy management, vulnerability management, embedded endpoint detection and response, detection of security misconfigurations (not measuring, of course), a single view showing the recommendation for both Defender for Cloud and AWS Security Hub, and of course incorporation of your AWS resources into Defender for Cloud’s securescore calculations.
Now, how do you set up and connect your AWS connector? I’m going to just tell you in these high-level steps, but you will also have links in the downloadable resources for this lesson with step-by-step tutorials on how you can connect your AWS Cloud connector. So first of all, you have to set up an AWS Security Hub. So to view the security recommendations for multiple regions, you can repeat the steps for each relevant region that you might have in your AWS account. Now you can enable AWS configuration. You enable the AWS Security Hub, and you verify that the data is flowing into the AWS Security Hub. The next step is to configure Defender for Cloud authentication in AWS. Now, at a high level, there are two ways of doing this. You can create an IAM role, a Yam role, for Defender for Cloud, and this is the most secure method and the recommended method. You can also use an AWS user for Defender for Cloud, but again, this is a less secure option if you don’t have Identity Access Management (IAM) enabled shortly called Yam.Now again, I won’t go through the detailsof creating an Identity Access Management role becauseyou have it in the documentation.
The next step is to actually configure the SSM agent. And here, basically, AWS System Manager is required for automating tasks across your AWS resources. If your EC2 instances do not already have the SSMAgent, you must install it by following the instructions in Amazon’s documentation. Then the next step is to complete the Asia Arc prerequisites. And you probably need to make sure the appropriate Asia resource providers are registered within your subscription. That is the Microsoft hybrid compute and Microsoft guest configuration. But usually, they should be registered by default. But if not, you can manually register these resource providers. And again, you will have the exact steps in the documentation on how to do that. Then the only thing you have to do is connect your AWS account to Defender for Cloud. And here, from Defender for Cloud, you go to the Security Solutions menu and select MulticloudConnectors, and then you add your AWS account. Of course, you will be asked for details like the name and description.
You can confirm the subscription depending on the authentication option that you’ve set. Step two includes configuring Defender for Cloud authentication as well as all other steps required to connect the AWS account. Then you proceeded to the confirmation step. And when the connector is successfully created and the AWS Security Hub has been configured properly, Defender for Cloud basically scans the AWS EC2 instances, onboarding them into Azure Arc, enabling it to install the Log Analytics Agent, and providing threat protection and security recommendations from Microsoft Defender for Cloud. Now let’s go to the next and last resource type here on our list, and that is the GCP account. And now we’re integrating your GCPaccount with Microsoft Defender for the Cloud. Basically, it integrates the GCP Security Command and Defender for Cloud with Microsoft Defender for Cloud. So Defender for Cloud thus provides visibility and protection across both of these cloud environments to provide, in a nutshell, these basic capabilities. Over here, the detection and security misconfiguration a single view of the course, showing in Defender for Cloud the incorporation of your GC resources into Defender for Cloud. And this is for the secure score calculations and integration of the GCP Security Command and Center recommendations into Microsoft Defender for Cloud. So you’ll have all the recommendations in one place.
In the screenshot, you can see projects, specifically GCP projects, displayed in the Defender for Cloud Overview Dashboard. And of course, you can click into them and drill down. Now you can again follow these high-level steps to connect your GCP Cloud connector. Let’s see. Right, so first of all, you need to setup the GCP security command centre with security health analytics. And for all GCP projects in your organization, you must also set up the GCP Security Command Center using the GCP documentation, enable the Security Health Analytics again using the GCP documentation, and verify that the data is flowing to the Security Command Center. Now, you’ll also have the instructions for these in the downloadable resources for this particular lesson. The next step would be to enable the GCP Security Command Center API. So from Google’s Cloud Console API library, you just select the project you want to connect to in Defender for Cloud. In the API library, you select the Security Command Center API, and you click on enable. Then you get to the next step, where you basically create a dedicated service account for the security configuration integration.
And here in the GCP console, you select the project again. In the navigation menu, under the Identity Access Management and Admin options, you select Service Accounts. Create a new service account. You must, of course, give the service account a name. There’s a menu you need to select Continue from, and then you’re done. Again, you’ll have the instructions in the downloadable resources. And after you create the account, you need to add a role to this account. And in the end, you basically specify the role as Microsoft Defender for CloudAdmin Viewer, and you select Save. Then the next step is to create a private key for the dedicated service account. And here we return to service accounts. You open the service account that you’ve just created. In the keys section, you click “Odd Key” and create a new key. And then you create the new key in JSON format. And then there’s the step where you actually connect the GCP to Defender for Cloud. And again, from Defender for Cloud’s Cloud Connectors menu, you select our GCP account, and the onboarding page will appear, and all you need to do is click Next to validate the subscription.
You enter a display name for your connector in the Organization ID. You enter your organisation ID, and in the Private Key box, you basically go to the JSON file that you downloaded in the previous step and create a private key for the Dedicated Service account. Here in the Microsoft Center for cloud computing And on the confirmation page, of course, if I just changed the slide when the connector is successfully created and the GCP Security Command Center has been properly configured, the GCP Sys standard will be shown in Defender for Cloud, as you can see here. Right? And, in general, the security recommendations for your cloud resources will appear in Defender for Cloud, the Defender for Cloud Portal, and the regulatory compliance dashboard within five to ten minutes of the onboarding being completed. And that is, in a nutshell, how you connect your GCP account. Now that being said, this again brings the discussion for this lesson to an end. I will see everyone in the next lesson, where we’ll discuss remediating security alerts with Microsoft Defender for the Cloud. And here we’ll get into the alerting part of Microsoft Defender for the Cloud. Until then, of course, I hope this has been informative for you, and I thank you for viewing.