#Azure #Security #Defender #Compliance #Monitoring
>[!info] Azure Security Center and Defender Overview
>Microsoft Defender for Cloud (formerly Azure Security Center) provides unified security management and advanced threat protection across hybrid cloud workloads. This document covers security posture management, threat protection, and regulatory compliance.
>[!related]
>Related Azure services:
>- [[Azure Key Vault]] - Secret management security
>- [[Azure Networking Fundamentals]] - Network security
>- [[Azure Monitor and Log Analytics]] - Security monitoring
>- [[RBAC and ABAC]] - Access control
## Security Posture Management
### Enable Microsoft Defender for Cloud
```powershell
# Register the resource provider once per subscription
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

# Enable a Defender plan (Standard = paid plan, Free = foundational CSPM only).
# Repeat for each workload in use, e.g. "StorageAccounts", "SqlServers",
# "KeyVaults", "Containers"
Set-AzSecurityPricing `
    -Name "VirtualMachines" `
    -PricingTier "Standard"

# Auto-provision the monitoring agent on new VMs (this setting drives the
# legacy Log Analytics agent; newer server plans rely on agentless scanning
# and the Azure Monitor agent)
Set-AzSecurityAutoProvisioningSetting `
    -Name "default" `
    -EnableAutoProvision

# Point the subscription's security data at a specific Log Analytics workspace
Set-AzSecurityWorkspaceSetting `
    -Name "default" `
    -Scope "/subscriptions/{subscriptionId}" `
    -WorkspaceId "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}"
```
>[!tip] Security Posture Best Practices
>1. Enable all relevant Defender plans
>2. Configure auto-provisioning
>3. Implement security recommendations
>4. Regular security score review
>5. Continuous monitoring
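A posture review script that is not part of the original note: it pairs `Get-AzSecurityPricing` with the secure-score cmdlets to list Defender plans still on the Free tier and the secure-score controls that have unhealthy resources, worst first. Assumes Az.Security is installed and a subscription is selected with `Set-AzContext`; the function name is my own.

```powershell
function Get-DefenderPostureGaps {
    # Returns one object per gap: Defender plans not on the Standard tier and
    # secure-score controls with unhealthy resources, sorted by points at stake
    [CmdletBinding()]
    param(
        # Controls with at least this many unhealthy resources are reported
        [int] $MinUnhealthy = 1
    )

    $gaps = [System.Collections.Generic.List[object]]::new()

    # Get-AzSecurityPricing lists every Defender plan with its current tier
    foreach ($plan in Get-AzSecurityPricing) {
        if ($plan.PricingTier -ne 'Standard') {
            $gaps.Add([pscustomobject]@{
                Kind     = 'Plan'
                Name     = $plan.Name
                Detail   = "tier is $($plan.PricingTier)"
                Priority = 0
            })
        }
    }

    # Each secure-score control carries its score and per-resource health counts
    foreach ($control in Get-AzSecuritySecureScoreControl) {
        if ($control.UnhealthyResourceCount -ge $MinUnhealthy) {
            $gaps.Add([pscustomobject]@{
                Kind     = 'Control'
                Name     = $control.DisplayName
                Detail   = "$($control.UnhealthyResourceCount) unhealthy, score $($control.CurrentScore)/$($control.MaxScore)"
                # Points still on the table for this control
                Priority = $control.MaxScore - $control.CurrentScore
            })
        }
    }

    $gaps | Sort-Object Kind, @{ Expression = 'Priority'; Descending = $true }
}

# Overall secure score for the subscription, then the gap list
Get-AzSecuritySecureScore | Select-Object DisplayName, CurrentScore, MaxScore, Percentage
Get-DefenderPostureGaps | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run; a plan dropping back to Free or a control's unhealthy count growing is the signal the tip's "regular review" is meant to catch.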
## Threat Protection
### Configure Security Alerts
```powershell
# List current alerts. Property names changed between Az.Security releases;
# confirm them on one object with: Get-AzSecurityAlert | Get-Member
Get-AzSecurityAlert |
    Select-Object AlertDisplayName, CompromisedEntity, AlertSeverity, TimeGenerated |
    Format-Table

# Update alert status. Set-AzSecurityAlert takes the alert's full resource ID
# (or -Name plus -Location); there is no -AlertId parameter. ActionType is
# Activate, Dismiss, Resolve or InProgress
Set-AzSecurityAlert `
    -ResourceId "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{location}/alerts/{alertId}" `
    -ActionType "Dismiss"

# Defender for Cloud's own e-mail notifications are configured through a
# security contact (the address below is a placeholder)
Set-AzSecurityContact `
    -Name "default1" `
    -Email "security-team@example.com" `
    -AlertAdmin `
    -NotifyOnAlert

# An Azure Monitor action group for routing exported Defender alerts or
# Log Analytics alert rules to the team (Az.Monitor Set-AzActionGroup syntax)
$receiver = New-AzActionGroupReceiver `
    -Name "SecurityTeam" `
    -EmailReceiver `
    -EmailAddress "security-team@example.com" `
    -UseCommonAlertSchema
$actionGroup = Set-AzActionGroup `
    -ResourceGroupName "SecurityRG" `
    -Name "SecurityAlerts" `
    -ShortName "SecAlerts" `
    -Receiver $receiver
```
### Just-In-Time VM Access
```powershell
# JIT policy: the VM's management ports stay closed in the NSG and are opened
# only for an approved request window. Prefer a list of admin CIDR ranges
# over "*" in AllowedSourceAddressPrefix so a request can only open the port
# to known networks
$JitPolicyVm = @{
    Id    = "/subscriptions/{subscriptionId}/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM"
    Ports = @(
        @{
            Number                     = 22
            Protocol                   = "*"
            AllowedSourceAddressPrefix = @("*")
            MaxRequestAccessDuration   = "PT3H"   # ISO 8601 duration; longest window per request
        },
        @{
            Number                     = 3389
            Protocol                   = "*"
            AllowedSourceAddressPrefix = @("*")
            MaxRequestAccessDuration   = "PT3H"
        }
    )
}

# The policy lives in the VM's resource group and region; -VirtualMachine
# takes an array of VM entries
Set-AzJitNetworkAccessPolicy `
    -ResourceGroupName "myResourceGroup" `
    -Location "eastus" `
    -Name "JIT-Policy" `
    -Kind "Basic" `
    -VirtualMachine @($JitPolicyVm)
```
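An added audit for the JIT configuration above (not from the original note): it walks every JIT policy in the subscription and reports port rules that allow any source address or permit a window longer than a chosen limit. Assumes Az.Security's `Get-AzJitNetworkAccessPolicy` and its VirtualMachines/Ports object shape; the function name is mine.

```powershell
function Get-JitPolicyFinding {
    # Flags JIT port rules that are broader than they need to be: any-source
    # prefixes and request windows longer than $MaxDuration
    [CmdletBinding()]
    param(
        # Longest acceptable access window, given as an ISO 8601 duration
        [string] $MaxDuration = 'PT3H'
    )
    $limit = [System.Xml.XmlConvert]::ToTimeSpan($MaxDuration)

    foreach ($policy in Get-AzJitNetworkAccessPolicy) {
        foreach ($vm in $policy.VirtualMachines) {
            foreach ($port in $vm.Ports) {
                # A rule may use the single-prefix or the list form; merge both
                $prefixes = @($port.AllowedSourceAddressPrefix) + @($port.AllowedSourceAddressPrefixes) |
                    Where-Object { $_ }
                $issues = @()
                if (-not $prefixes -or $prefixes -contains '*') {
                    $issues += 'any source address allowed'
                }

                # MaxRequestAccessDuration is an ISO 8601 string on the API object
                $window = if ($port.MaxRequestAccessDuration -is [timespan]) {
                    $port.MaxRequestAccessDuration
                } else {
                    [System.Xml.XmlConvert]::ToTimeSpan([string]$port.MaxRequestAccessDuration)
                }
                if ($window -gt $limit) {
                    $issues += "window $($port.MaxRequestAccessDuration) exceeds $MaxDuration"
                }

                if ($issues) {
                    [pscustomobject]@{
                        Policy = $policy.Name
                        VM     = ($vm.Id -split '/')[-1]
                        Port   = $port.Number
                        Issues = $issues -join '; '
                    }
                }
            }
        }
    }
}

# The policy above will show up here for both ports, since it uses "*"
Get-JitPolicyFinding -MaxDuration 'PT1H' | Format-Table -AutoSize
```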
## Regulatory Compliance
### Compliance Assessment
```powershell
# Standards enabled on the subscription, with control pass/fail counts
# (Az.Security regulatory compliance cmdlets)
Get-AzRegulatoryComplianceStandard |
    Select-Object Name, State, PassedControls, FailedControls, SkippedControls |
    Format-Table

# Controls of one standard; use a Name value from the list above
Get-AzRegulatoryComplianceControl -StandardName "{standardName}" |
    Select-Object Name, Description, State, FailedAssessments |
    Format-Table

# Export every failing control across all enabled standards
$report = Get-AzRegulatoryComplianceStandard | ForEach-Object {
    $standard = $_.Name
    Get-AzRegulatoryComplianceControl -StandardName $standard |
        Where-Object { $_.State -eq "Failed" } |
        Select-Object @{ n = "Standard"; e = { $standard } }, Name, Description, FailedAssessments
}
$report | Export-Csv -Path "compliance-report.csv" -NoTypeInformation
```
>[!warning] Compliance Requirements
>1. **Standards**
> - ISO 27001
> - PCI DSS
> - HIPAA
> - NIST
>
>2. **Documentation**
> - Policy documentation
> - Audit trails
> - Incident response
> - Change management
## Security Policies
### Policy Configuration
```powershell
# Policy rule as a hashtable. As written it is only a skeleton: every VM
# matches the "if" block and is reported by the audit effect, so a real
# baseline adds conditions (encryption, extensions, SKU, ...) under allOf
$rule = @{
    if = @{
        allOf = @(
            @{
                field  = "type"
                equals = "Microsoft.Compute/virtualMachines"
            }
        )
    }
    then = @{
        effect = "audit"
    }
}

# New-AzPolicyDefinition takes the rule via -Policy as JSON (string or file
# path), not a PolicyRule key; -Depth stops ConvertTo-Json truncating the
# nested objects
$definition = New-AzPolicyDefinition `
    -Name "SecurityBaseline" `
    -DisplayName "Security Baseline Policy" `
    -Description "Enforce security baseline requirements" `
    -Mode "All" `
    -Policy ($rule | ConvertTo-Json -Depth 10)

# Assign the definition object returned above (not the hashtable)
New-AzPolicyAssignment `
    -Name "SecurityBaseline" `
    -PolicyDefinition $definition `
    -Scope "/subscriptions/{subscriptionId}"
```
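An added example, not from the original note: after assigning an audit policy, this summarises its latest evaluation results with Az.PolicyInsights so the blast radius is known before the effect is changed from audit to deny. Assumes Az.PolicyInsights is installed and the assignment is at subscription scope; the function name is mine.

```powershell
function Get-PolicyAssignmentSummary {
    # Summarises the latest Azure Policy evaluation for one assignment:
    # overall compliance plus non-compliant resources grouped by type
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AssignmentName,
        # How many example resource IDs to keep per resource type
        [int] $Examples = 3
    )

    # Get-AzPolicyState returns the latest result per resource by default
    $states       = @(Get-AzPolicyState -PolicyAssignmentName $AssignmentName)
    $nonCompliant = @($states | Where-Object { $_.ComplianceState -eq 'NonCompliant' })

    $byType = $nonCompliant | Group-Object ResourceType | ForEach-Object {
        [pscustomobject]@{
            ResourceType = $_.Name
            Count        = $_.Count
            Examples     = ($_.Group | Select-Object -First $Examples).ResourceId -join "`n"
        }
    }

    $compliantPct = if ($states.Count -gt 0) {
        [math]::Round(100 * ($states.Count - $nonCompliant.Count) / $states.Count, 1)
    } else { 0 }

    [pscustomobject]@{
        Assignment   = $AssignmentName
        Evaluated    = $states.Count
        NonCompliant = $nonCompliant.Count
        CompliantPct = $compliantPct
        ByType       = $byType
    }
}

# For the audit skeleton above every VM matches the rule, so expect each VM
# to be listed as NonCompliant until the rule gains real baseline conditions
$summary = Get-PolicyAssignmentSummary -AssignmentName "SecurityBaseline"
$summary | Format-List Assignment, Evaluated, NonCompliant, CompliantPct
$summary.ByType | Format-Table -AutoSize -Wrap
```

Policy evaluation runs on a cycle, so a fresh assignment returns no states until the first scan completes; `Start-AzPolicyComplianceScan` triggers one on demand.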
## Vulnerability Assessment
### Enable Vulnerability Scanner
```powershell
# Deploy the Defender-integrated Qualys scanner to a VM. No dedicated Az
# cmdlet exists; the scanner is a Microsoft.Security extension resource on
# the VM (serverVulnerabilityAssessments/default), created here with the
# generic New-AzResource
$vm = Get-AzVM -ResourceGroupName "SecurityRG" -Name "MyVM"
New-AzResource `
    -ResourceId "$($vm.Id)/providers/Microsoft.Security/serverVulnerabilityAssessments/default" `
    -ApiVersion "2020-01-01" `
    -Force

# Findings roll up into assessments (Status.Code is Healthy/Unhealthy);
# individual CVEs are sub-assessments that carry a Severity
Get-AzSecurityAssessment |
    Where-Object { $_.DisplayName -like "*vulnerabilit*" } |
    Select-Object DisplayName, @{ n = "Status"; e = { $_.Status.Code } } |
    Format-Table

Get-AzSecuritySubAssessment |
    Where-Object { $_.Severity -eq "High" } |
    Select-Object DisplayName, Severity, Category |
    Format-Table
```
## Network Security
### Network Detection
```powershell
# There is no separate "network discovery" switch: the network map and
# topology data are populated once a Defender for Servers plan is enabled
# (Set-AzSecurityPricing above). Read the discovered topology back:
Get-AzSecurityTopology |
    Select-Object Name, Location |
    Format-Table

# NSG posture is reported by built-in assessments rather than switched on
# per assessment (Set-AzSecurityAssessment writes custom assessment results;
# it has no -Status Enabled). List the unhealthy NSG findings:
Get-AzSecurityAssessment |
    Where-Object { $_.DisplayName -like "*network security group*" -and $_.Status.Code -eq "Unhealthy" } |
    Select-Object DisplayName, Id |
    Format-Table
```
## Container Security
### Container Registry Scanning
```powershell
# Image scanning is switched on by enabling the container plan at
# subscription scope, not per registry. The current plan is "Containers";
# older subscriptions may still show the legacy "ContainerRegistry" plan
Set-AzSecurityPricing `
    -Name "Containers" `
    -PricingTier "Standard"

# Image vulnerability findings are surfaced as sub-assessments; narrow them
# to a registry with Where-Object on ResourceDetails / Category as needed
Get-AzSecuritySubAssessment |
    Where-Object { $_.Severity -in @("High", "Critical") } |
    Select-Object DisplayName, Severity, Category |
    Format-Table
```
## Security Monitoring
### Advanced Threat Protection
```powershell
# Defender for Storage on one account (Az.Security cmdlet; takes the
# account's resource ID)
$storage = Get-AzStorageAccount -ResourceGroupName "SecurityRG" -Name "mystorageaccount"
Enable-AzSecurityAdvancedThreatProtection -ResourceId $storage.Id

# Defender for SQL on a logical server (Az.Sql cmdlet)
Enable-AzSqlServerAdvancedThreatProtection `
    -ResourceGroupName "SecurityRG" `
    -ServerName "mysqlserver"

# High-severity findings come from Get-AzSecurityAlert (there is no
# Get-AzSecurityFinding); confirm the severity property name for your
# module version with: Get-AzSecurityAlert | Get-Member
Get-AzSecurityAlert |
    Where-Object { $_.AlertSeverity -eq "High" } |
    Select-Object AlertDisplayName, CompromisedEntity, AlertSeverity |
    Format-Table
```
>[!example] Monitoring Scenarios
>1. **Threat Detection**
> - Malware detection
> - Network attacks
> - Brute force attempts
> - Suspicious activities
>
>2. **Resource Security**
> - VM security
> - Storage security
> - Database security
> - Container security
## Incident Response
### Security Incidents
```powershell
# Incidents are a Microsoft Sentinel object (Az.SecurityInsights module),
# scoped to a Log Analytics workspace; Defender for Cloud itself exposes
# alerts, not incidents. Parameter names below follow Az.SecurityInsights
# 2.x and later; confirm with Get-Help Update-AzSentinelIncident
$ws = @{ ResourceGroupName = "SecurityRG"; WorkspaceName = "{workspaceName}" }

# Incidents that still need attention
Get-AzSentinelIncident @ws |
    Where-Object { $_.Status -ne "Closed" } |
    Select-Object Title, Severity, Status |
    Format-Table

# Take ownership and classify (owner address is a placeholder); a
# TruePositive classification needs a reason
Update-AzSentinelIncident @ws `
    -Id "{incidentId}" `
    -Status "Active" `
    -Classification "TruePositive" `
    -ClassificationReason "SuspiciousActivity" `
    -OwnerUserPrincipalName "analyst@example.com"

# Entities (accounts, hosts, IPs, files) linked to the incident
Get-AzSentinelIncidentEntity @ws -IncidentId "{incidentId}" |
    Format-List
```
>[!tip] Response Best Practices
>1. **Incident Management**
> - Quick triage
> - Clear ownership
> - Documented procedures
> - Regular drills
>
>2. **Communication**
> - Stakeholder notification
> - Status updates
> - Lessons learned
> - Process improvement
## Cost Management
>[!warning] Cost Considerations
>1. **Licensing**
> - Plan selection
> - Resource coverage
> - Feature requirements
> - Usage monitoring
>
>2. **Optimization**
> - Right-size protection
> - Monitor usage
> - Regular review
> - Cost allocation