Azure Security Center and Microsoft Defender for Cloud
Learn how to secure your Azure resources using Security Center and Microsoft Defender for Cloud. Covers security policies, threat protection, and compliance.
March 9, 2024
Technical Writer
Azure Security Center and Defender: A Complete Implementation Guide
Azure Security Center and Microsoft Defender for Cloud provide comprehensive security management and threat protection. This guide covers implementation details for securing your Azure environment.
Security Components Overview
Key security services in Azure:
Component | Purpose | Key Features |
---|---|---|
Security Center | Security management | Assessments, recommendations |
Defender for Cloud | Threat protection | Advanced security, CSPM |
Security Policies | Policy enforcement | Compliance, governance |
Secure Score | Security posture | Assessment, benchmarking |
Security Center Implementation
Security Policy Configuration
A policy set (initiative) definition that declares the allowed regions and VM sizes as parameters and includes one built-in definition with its effect set to Audit:

```json
{
  "properties": {
    "displayName": "Security Baseline",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "defaultValue": [ "eastus", "westus" ]
      },
      "allowedVMSKUs": {
        "type": "Array",
        "defaultValue": [ "Standard_D2s_v3", "Standard_D4s_v3" ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {
          "effect": { "value": "Audit" }
        }
      }
    ]
  }
}
```
Automated Onboarding
```powershell
# Register the Security resource provider in the current subscription
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

# Turn on auto-provisioning of the monitoring agent for new VMs
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

# Enable the Standard (Defender) tier for VMs and storage accounts
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard"
```
Defender for Cloud Implementation
Defender Plans Configuration
```powershell
# Placeholder values: replace with your own subscription, resource group and workspace
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspaceName  = "<log-analytics-workspace>"

# Enable the Defender plan for each resource type
$plans = @(
    "VirtualMachines", "SqlServers", "AppServices",
    "StorageAccounts", "KeyVaults", "Containers"
)
foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier "Standard"
}

# Send the subscription's security data to a dedicated Log Analytics workspace
Set-AzSecurityWorkspaceSetting -Name "default" `
    -Scope "/subscriptions/$subscriptionId" `
    -WorkspaceId "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"
```
Security Alerts Configuration
Security contact settings (a Microsoft.Security/securityContacts resource): e-mail notifications for alerts of High severity and above, also sent to subscription Owners and Contributors. `emails` is a single semicolon-separated string.

```json
{
  "properties": {
    "emails": "security@contoso.com",
    "phone": "+1-555-555-5555",
    "alertNotifications": {
      "state": "On",
      "minimalSeverity": "High"
    },
    "notificationsByRole": {
      "state": "On",
      "roles": [ "Owner", "Contributor" ]
    }
  }
}
```
Security Policies and Compliance
Regulatory Compliance
Standard | Requirements | Implementation |
---|---|---|
PCI DSS | Data protection | Encryption, monitoring |
HIPAA | Healthcare data | Access control, auditing |
ISO 27001 | Security management | Controls, procedures |
NIST | Security framework | Risk management |
Custom Initiative Definition
```json
{
  "properties": {
    "displayName": "Custom Security Baseline",
    "description": "Custom security requirements",
    "metadata": {
      "category": "Security"
    },
    "parameters": {},
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
        "parameters": {}
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {}
      }
    ]
  }
}
```
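Deploying and assigning the initiative, as an added example that is not part of the original article: it reads the definition above from a file, creates the initiative, assigns it at subscription scope and lists non-compliant resources. It assumes the JSON is saved as `custom-baseline.json`, that Az.Resources and Az.PolicyInsights are installed, and that you are signed in; the subscription ID is a placeholder.

```powershell
# Added example, not from the original article. Placeholder subscription ID.
$subscriptionId = "<subscription-id>"
$scope          = "/subscriptions/$subscriptionId"

# The file holds a full resource body ({ "properties": { ... } }); New-AzPolicySetDefinition
# takes only the policyDefinitions array, so extract it and re-serialise it as JSON.
$body        = Get-Content -Raw -Path ".\custom-baseline.json" | ConvertFrom-Json
$definitions = ConvertTo-Json -InputObject @($body.properties.policyDefinitions) -Depth 10

$initiative = New-AzPolicySetDefinition -Name "custom-security-baseline" `
    -DisplayName $body.properties.displayName `
    -Description $body.properties.description `
    -Metadata ($body.properties.metadata | ConvertTo-Json -Compress) `
    -PolicyDefinition $definitions

# Assign at subscription scope. The built-in definitions keep their default effect,
# so nothing is blocked until an effect is deliberately switched to Deny.
$assignment = New-AzPolicyAssignment -Name "custom-security-baseline" `
    -DisplayName "Custom Security Baseline" `
    -Scope $scope `
    -PolicySetDefinition $initiative

# Trigger an on-demand evaluation instead of waiting for the scheduled scan
Start-AzPolicyComplianceScan

# Report the resources that fail the initiative
Get-AzPolicyState -PolicyAssignmentName $assignment.Name -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, ComplianceState |
    Format-Table -AutoSize
```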
Threat Protection
Just-in-Time VM Access
```powershell
# Placeholder values
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$location       = "eastus"
$vmName         = "<vm-name>"

# JIT policy for one VM: SSH (22) and RDP (3389) stay closed and are opened on request
# for at most 3 hours. allowedSourceAddressPrefix "*" accepts requests from any address;
# restrict it to your admin IP range in production.
$jitVm = @{
    id    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}

# -VirtualMachine takes an array of VM entries, each carrying its own port list
Set-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location `
    -Name "default" -Kind "Basic" -VirtualMachine @($jitVm)
```
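A review script for existing JIT policies, as an added example that is not part of the original article: it lists every port whose policy accepts requests from any source address or allows a window longer than a chosen limit. It assumes Az.Security is installed, that you are signed in, and that the policy objects expose `VirtualMachines[].Ports[]` with `AllowedSourceAddressPrefix`/`AllowedSourceAddressPrefixes` and `MaxRequestAccessDuration`.

```powershell
# Added example, not from the original article. Assumes Az.Security and an active sign-in.
function Get-JitPolicyFinding {
    param(
        [string] $MaxDuration = "PT3H"   # ISO 8601 duration, the format the policy itself uses
    )
    $limit = [System.Xml.XmlConvert]::ToTimeSpan($MaxDuration)

    foreach ($policy in Get-AzJitNetworkAccessPolicy) {
        foreach ($vm in $policy.VirtualMachines) {
            foreach ($port in $vm.Ports) {
                $reasons = @()

                # Either property may hold the prefixes, depending on how the policy was written
                $prefixes = @($port.AllowedSourceAddressPrefix) + @($port.AllowedSourceAddressPrefixes)
                if ($prefixes -contains "*") {
                    $reasons += "accepts requests from any source address"
                }

                if ($port.MaxRequestAccessDuration) {
                    $window = [System.Xml.XmlConvert]::ToTimeSpan($port.MaxRequestAccessDuration)
                    if ($window -gt $limit) {
                        $reasons += "access window $($port.MaxRequestAccessDuration) exceeds $MaxDuration"
                    }
                }

                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Policy  = $policy.Name
                        VM      = ($vm.Id -split "/")[-1]
                        Port    = $port.Number
                        Finding = ($reasons -join "; ")
                    }
                }
            }
        }
    }
}

# Each finding is fixed by narrowing the prefix to the admin range or shortening the window
Get-JitPolicyFinding | Format-Table -AutoSize
```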
Adaptive Application Controls
```powershell
# Placeholder values
$resourceGroup = "<resource-group>"
$location      = "eastus"

# Adaptive application control policy in audit mode, allow-listing executables under
# the Windows and Program Files directories.
# Note: the Az.Security module ships only the read-only Get-AzSecurityAdaptiveApplicationControl
# and Get-AzSecurityAdaptiveApplicationControlGroup cmdlets; New-AzAdaptiveApplicationControlPolicy
# is not a published cmdlet, and the allow list and enforcement mode are set in the portal or
# through the REST API. Treat the call below as illustrative.
$appControlPolicy = @{
    Name               = "AppControl"
    ResourceGroupName  = $resourceGroup
    Location           = $location
    Mode               = "Audit"
    ProcessesAllowList = @(
        "C:\Windows\System32\*.exe",
        "C:\Program Files\*.exe"
    )
}
New-AzAdaptiveApplicationControlPolicy @appControlPolicy
```
Security Monitoring
Security Metrics
Metric | Threshold | Action |
---|---|---|
Secure Score | < 70% | Review recommendations |
Alert Volume | > 10/day | Investigate threats |
Failed Logins | > 5/hour | Check access attempts |
Policy Compliance | < 90% | Review violations |
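Evaluating the thresholds in the table against live data, as an added example that is not part of the original article: it reads the Secure Score and recent alerts through the Defender for Cloud REST API via `Invoke-AzRestMethod`, and policy compliance via Az.PolicyInsights, then maps each value to the action column. It assumes Az.Accounts and Az.PolicyInsights are installed and you are signed in; the function name, output shape and the single-page alert read are this example's own choices, and failed-login counting (a workspace query) is not covered.

```powershell
# Added example, not from the original article.
function Test-SecurityMetrics {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [int] $MinSecureScorePercent = 70,
        [int] $MaxAlertsPerDay       = 10,
        [int] $MinCompliancePercent  = 90
    )
    $base = "/subscriptions/$SubscriptionId/providers/Microsoft.Security"

    # Secure Score: the API reports current, max and percentage (a 0..1 fraction)
    $score    = (Invoke-AzRestMethod -Method GET -Path "$base/secureScores/ascScore?api-version=2020-01-01").Content |
        ConvertFrom-Json
    $scorePct = [math]::Round($score.properties.score.percentage * 100)

    # Active alerts generated in the last 24 hours (first page of results only)
    $alerts = (Invoke-AzRestMethod -Method GET -Path "$base/alerts?api-version=2022-01-01").Content |
        ConvertFrom-Json
    $since  = (Get-Date).ToUniversalTime().AddDays(-1)
    $recent = @($alerts.value | Where-Object {
        $_.properties.status -eq "Active" -and [datetime]$_.properties.timeGeneratedUtc -ge $since })

    # Policy compliance: share of resource/policy pairs whose latest state is Compliant
    $states        = @(Get-AzPolicyState -SubscriptionId $SubscriptionId)
    $compliant     = @($states | Where-Object ComplianceState -eq "Compliant").Count
    $compliancePct = if ($states.Count) { [math]::Round(100 * $compliant / $states.Count) } else { 100 }

    # One row per metric from the table, with the action it calls for
    [pscustomobject]@{
        SecureScorePercent  = $scorePct
        SecureScoreAction   = if ($scorePct -lt $MinSecureScorePercent) { "Review recommendations" } else { "OK" }
        AlertsLast24h       = $recent.Count
        AlertAction         = if ($recent.Count -gt $MaxAlertsPerDay) { "Investigate threats" } else { "OK" }
        PolicyCompliancePct = $compliancePct
        ComplianceAction    = if ($compliancePct -lt $MinCompliancePercent) { "Review violations" } else { "OK" }
    }
}

Test-SecurityMetrics -SubscriptionId "<subscription-id>"   # placeholder
```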
Security Automation
```powershell
# Placeholder values
$resourceGroup = "<resource-group>"
$location      = "eastus"

# Workflow definition triggered by a Microsoft Sentinel alert through the azuresentinel API connection.
# '$schema' and '$connections' are single-quoted so PowerShell does not expand them as variables.
$definition = @{
    '$schema'      = "https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json"
    contentVersion = "1.0.0.0"
    parameters     = @{ '$connections' = @{ type = "Object"; defaultValue = @{} } }
    triggers       = @{
        securityAlert = @{
            type   = "ApiConnectionWebhook"
            inputs = @{
                host = @{
                    connection = @{ name = '@parameters(''$connections'')[''azuresentinel''][''connectionId'']' }
                }
                # The connector-specific body and path of the trigger go here
            }
        }
    }
    actions        = @{
        # Add remediation actions here
    }
    outputs        = @{}
}

# -Definition accepts the workflow as a JSON string
$logicAppParams = @{
    Name              = "SecurityAutomation"
    ResourceGroupName = $resourceGroup
    Location          = $location
    State             = "Enabled"
    Definition        = ($definition | ConvertTo-Json -Depth 20)
}
New-AzLogicApp @logicAppParams
```
Best Practices Summary
- Security Baseline
  - Enable security defaults
  - Configure security policies
  - Implement compliance standards
  - Regular security reviews
- Threat Protection
  - Enable Defender plans
  - Configure JIT access
  - Implement adaptive controls
  - Regular threat assessments
- Monitoring
  - Configure alerts
  - Enable logging
  - Set up automation
  - Regular monitoring reviews
- Compliance
  - Define requirements
  - Implement controls
  - Regular audits
  - Documentation
Troubleshooting Guide
Common security issues and solutions:
- Policy Issues
  - Review policy definitions
  - Check assignments
  - Verify exemptions
  - Monitor compliance
- Alert Problems
  - Verify configurations
  - Check connectivity
  - Review alert logic
  - Test notifications
- Compliance Issues
  - Review requirements
  - Check controls
  - Verify implementations
  - Document exceptions
Next Steps
After the initial implementation:
- Regular security assessments
- Update security policies
- Review threat intelligence
- Train security team
- Document procedures
Remember to regularly review and update your security implementation to maintain optimal protection against evolving threats.