Azure Security Center and Microsoft Defender for Cloud

Learn how to secure your Azure resources using Security Center and Microsoft Defender for Cloud. Covers security policies, threat protection, and compliance.

March 9, 2024
Technical Writer

Azure Security Center and Defender: A Complete Implementation Guide

Azure Security Center and Microsoft Defender for Cloud provide security posture management and threat protection for Azure resources; Microsoft Defender for Cloud is the current name of the service that was previously Azure Security Center and Azure Defender, so the two names refer to one evolving product. This guide covers the implementation details for securing your Azure environment with it.

Security Components Overview

Key security services in Azure:

Component           | Purpose              | Key Features
--------------------|----------------------|-----------------------------
Security Center     | Security management  | Assessments, recommendations
Defender for Cloud  | Threat protection    | Advanced security, CSPM
Security Policies   | Policy enforcement   | Compliance, governance
Secure Score        | Security posture     | Assessment, benchmarking

Security Center Implementation

Security Policy Configuration

{
  "properties": {
    "displayName": "Security Baseline",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "defaultValue": [ "eastus", "westus" ]
      },
      "allowedVMSKUs": {
        "type": "Array",
        "defaultValue": [ "Standard_D2s_v3", "Standard_D4s_v3" ]
      }
    },
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
        "parameters": {
          "effect": { "value": "Audit" }
        }
      }
    ]
  }
}

Parameters in a policy set definition are declared with "type" and an optional "defaultValue" (or "allowedValues"); the "value" form belongs to a policy assignment, not to the definition, and is rejected when the definition is submitted.
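Before an initiative like the one above is submitted, it is worth checking it offline for the mistakes that Azure Policy rejects at deployment time (assignment-style parameters in a definition, malformed definition ids, invalid effects, parameters that nothing references). The linter below is an added example, not the page's or Microsoft's code; the two sample documents are constructed from the page's "Security Baseline" initiative, and the corrected variant assumes the referenced built-in definition accepts an "effect" parameter, as the page's own snippet does.

```python
import json
import re

# Effects Azure Policy accepts when a definition's "effect" is set directly
VALID_EFFECTS = {"Audit", "Deny", "Disabled", "AuditIfNotExists",
                 "DeployIfNotExists", "Modify", "Append", "Manual"}
# Parameter types allowed in a policy set definition's "parameters" block
VALID_PARAM_TYPES = {"String", "Array", "Object", "Boolean", "Integer",
                     "Float", "DateTime"}
# Built-in, subscription-scoped or management-group-scoped definition ids
DEF_ID = re.compile(
    r"^/(?:subscriptions/[^/]+/|providers/Microsoft\.Management/managementGroups/[^/]+/)?"
    r"providers/Microsoft\.Authorization/policyDefinitions/[^/]+$")
PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")


def lint_policy_set(doc: dict) -> list:
    """Return findings for a policy set definition; an empty list means it is well-formed."""
    findings = []
    props = doc.get("properties", {})
    if not props.get("displayName"):
        findings.append("missing properties.displayName")

    declared = props.get("parameters", {})
    for name, spec in declared.items():
        if "type" not in spec:
            findings.append(f"parameter '{name}' lacks 'type' (assignment-style 'value' "
                            f"is not valid in a definition; use 'type' and 'defaultValue')")
        elif spec["type"] not in VALID_PARAM_TYPES:
            findings.append(f"parameter '{name}' has unknown type {spec['type']!r}")

    defs = props.get("policyDefinitions", [])
    if not defs:
        findings.append("policyDefinitions is empty")
    seen, referenced = set(), set()
    for i, pd in enumerate(defs):
        pid = pd.get("policyDefinitionId", "")
        if not DEF_ID.match(pid):
            findings.append(f"policyDefinitions[{i}] has malformed policyDefinitionId {pid!r}")
        if pid in seen:
            findings.append(f"policyDefinitions[{i}] repeats {pid}")
        seen.add(pid)
        for pname, pval in pd.get("parameters", {}).items():
            value = pval.get("value")
            if not isinstance(value, str):
                continue
            refs = PARAM_REF.findall(value)
            referenced.update(refs)
            for ref in refs:
                if ref not in declared:
                    findings.append(f"policyDefinitions[{i}] references undeclared parameter '{ref}'")
            if pname == "effect" and not refs and value not in VALID_EFFECTS:
                findings.append(f"policyDefinitions[{i}] uses invalid effect {value!r}")

    for name in declared:
        if name not in referenced:
            findings.append(f"parameter '{name}' is declared but no policy definition uses it")
    return findings


# Constructed: the shape the page shows, with assignment-style parameters
PAGE_STYLE = json.loads("""
{ "properties": { "displayName": "Security Baseline",
  "parameters": {
    "allowedLocations": { "value": [ "eastus", "westus" ] },
    "allowedVMSKUs": { "value": [ "Standard_D2s_v3", "Standard_D4s_v3" ] } },
  "policyDefinitions": [ {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
    "parameters": { "effect": { "value": "Audit" } } } ] } }
""")

# Constructed: a well-formed initiative that threads an "effect" parameter through
CORRECTED = json.loads("""
{ "properties": { "displayName": "Security Baseline",
  "parameters": {
    "effect": { "type": "String", "defaultValue": "Audit",
                "allowedValues": [ "Audit", "Deny", "Disabled" ] } },
  "policyDefinitions": [ {
    "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
    "parameters": { "effect": { "value": "[parameters('effect')]" } } } ] } }
""")

if __name__ == "__main__":
    for label, doc in (("page", PAGE_STYLE), ("corrected", CORRECTED)):
        print(label, lint_policy_set(doc) or "OK")
```

Run it as a pre-commit step on the JSON files that feed New-AzPolicySetDefinition: the page-style document produces four findings (two parameters without a type, and the same two never referenced), while the corrected one passes cleanly.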

Automated Onboarding

# Register the Microsoft.Security resource provider for the subscription
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security'

# Configure auto-provisioning of the monitoring agent
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

# Enable the standard (Defender) tier for VMs and storage accounts
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard"
Set-AzSecurityPricing -Name "StorageAccounts" -PricingTier "Standard"

Defender for Cloud Implementation

Defender Plans Configuration

# Values for your environment (placeholders)
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$workspaceName  = "<log-analytics-workspace>"

# Enable Defender plans
$plans = @(
    "VirtualMachines",
    "SqlServers",
    "AppServices",
    "StorageAccounts",
    "KeyVaults",
    "Containers"
)
foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier "Standard"
}

# Map the subscription to the Log Analytics workspace that receives security data
Set-AzSecurityWorkspaceSetting -Name "default" `
    -Scope "/subscriptions/$subscriptionId" `
    -WorkspaceId "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.OperationalInsights/workspaces/$workspaceName"

Security Alerts Configuration

{
  "properties": {
    "emails": "security@contoso.com",
    "phone": "+1-555-555-5555",
    "alertNotifications": {
      "state": "On",
      "minimalSeverity": "High"
    },
    "notificationsByRole": {
      "state": "On",
      "roles": [ "Owner", "Contributor" ]
    }
  }
}

This is the body of a Microsoft.Security/securityContacts resource: "emails" is a single string (several addresses are separated by semicolons), "minimalSeverity" is the lowest alert severity that triggers an e-mail, and "notificationsByRole" additionally notifies every principal that holds one of the listed roles on the subscription.

Security Policies and Compliance

Regulatory Compliance

Standard   | Requirements         | Implementation
-----------|----------------------|------------------------
PCI DSS    | Data protection      | Encryption, monitoring
HIPAA      | Healthcare data      | Access control, auditing
ISO 27001  | Security management  | Controls, procedures
NIST       | Security framework   | Risk management

Custom Initiative Definition

{
  "properties": {
    "displayName": "Custom Security Baseline",
    "description": "Custom security requirements",
    "metadata": {
      "category": "Security"
    },
    "parameters": {},
    "policyDefinitions": [
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
        "parameters": {}
      },
      {
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
        "parameters": {}
      }
    ]
  }
}

Threat Protection

Just-in-Time VM Access

# Configure JIT VM access for SSH (22) and RDP (3389) on one VM
$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$vmName         = "<vm-name>"
$location       = "<region>"

# -VirtualMachine takes an array of VM entries; each entry carries its own port list
$jitVm = @{
    id    = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Compute/virtualMachines/$vmName"
    ports = @(
        @{
            number                     = 22
            protocol                   = "*"
            allowedSourceAddressPrefix = @("*")   # narrow this to your admin network's CIDR
            maxRequestAccessDuration   = "PT3H"   # ISO 8601: at most 3 hours per request
        },
        @{
            number                     = 3389
            protocol                   = "*"
            allowedSourceAddressPrefix = @("*")
            maxRequestAccessDuration   = "PT3H"
        }
    )
}

Set-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default" -Kind "Basic" -VirtualMachine @($jitVm)
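A JIT policy that allows any source ("*") for the full three hours is only marginally better than a permanently open port, so it helps to lint the port definitions before Set-AzJitNetworkAccessPolicy is called. The checker below is an added example, not the page's or Microsoft's code. It parses the ISO 8601 duration the policy uses, flags source prefixes wider than a /24 (the cut-off is an assumed organisational choice), and compares the page's own port block against a constructed hardened variant that uses the 203.0.113.0/24 documentation range as the admin subnet; the VM name "web01" is constructed.

```python
import ipaddress
import re
from datetime import timedelta

# ISO 8601 time-only duration as used by maxRequestAccessDuration (PT3H, PT30M, PT1H30M)
_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def parse_duration(value: str) -> timedelta:
    """Convert an ISO 8601 'PT...' duration to a timedelta; reject anything else."""
    m = _DURATION.match(value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {value!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def prefix_is_broad(prefix: str, min_prefix_len: int = 24) -> bool:
    """True for '*', for an entry that does not parse, or for an IPv4 CIDR wider than /min_prefix_len."""
    if prefix.strip() == "*":
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return True
    return net.version == 4 and net.prefixlen < min_prefix_len


def lint_jit_policy(vms: list, max_hours: int = 3) -> list:
    """Findings for the VM array passed to -VirtualMachine; an empty list means nothing to fix."""
    findings = []
    for vm in vms:
        vm_name = vm["id"].rsplit("/", 1)[-1]
        for port in vm.get("ports", []):
            where = f"{vm_name}:{port['number']}"
            for prefix in port.get("allowedSourceAddressPrefix", []):
                if prefix_is_broad(prefix):
                    findings.append(f"{where}: source prefix {prefix!r} is wider than /24; limit it to the admin network")
            duration = port["maxRequestAccessDuration"]
            if parse_duration(duration) > timedelta(hours=max_hours):
                findings.append(f"{where}: maxRequestAccessDuration {duration} exceeds {max_hours}h")
            if port.get("protocol", "*") == "*":
                findings.append(f"{where}: protocol '*' opens UDP as well; SSH and RDP only need 'TCP'")
    return findings


# Constructed VM id; the subscription and resource group are placeholders
VM_ID = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
         "/providers/Microsoft.Compute/virtualMachines/web01")

# Constructed: the ports block as the page writes it (any source, any protocol, 3 hours)
PAGE_STYLE = [{"id": VM_ID, "ports": [
    {"number": 22,   "protocol": "*", "allowedSourceAddressPrefix": ["*"], "maxRequestAccessDuration": "PT3H"},
    {"number": 3389, "protocol": "*", "allowedSourceAddressPrefix": ["*"], "maxRequestAccessDuration": "PT3H"},
]}]

# Constructed: the same policy narrowed to an admin subnet, TCP only, one hour per request
HARDENED = [{"id": VM_ID, "ports": [
    {"number": 22,   "protocol": "TCP", "allowedSourceAddressPrefix": ["203.0.113.0/24"], "maxRequestAccessDuration": "PT1H"},
    {"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": ["203.0.113.0/24"], "maxRequestAccessDuration": "PT1H"},
]}]

if __name__ == "__main__":
    for label, policy in (("page", PAGE_STYLE), ("hardened", HARDENED)):
        print(label, lint_jit_policy(policy) or "OK")
```

The page-style block yields two findings per port (open source prefix and wildcard protocol), the hardened block none; PT3H itself is within the three-hour ceiling, so the duration check only fires for longer windows.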

Adaptive Application Controls

# Enable adaptive application controls in audit mode
# Note: the Az.Security module ships Get-AzAdaptiveApplicationControl and
# Get-AzAdaptiveApplicationControlGroup for reading machine groups; a cmdlet named
# New-AzAdaptiveApplicationControlPolicy is not part of that module, so treat the
# settings below as the shape of the configuration and apply them through the
# Defender for Cloud portal or the Microsoft.Security/applicationWhitelistings REST resource.
$resourceGroup = "<resource-group>"
$location      = "<region>"

$appControlPolicy = @{
    Name               = "AppControl"
    ResourceGroupName  = $resourceGroup
    Location           = $location
    Mode               = "Audit"
    ProcessesAllowList = @(
        "C:\Windows\System32\*.exe",
        "C:\Program Files\*.exe"
    )
}
New-AzAdaptiveApplicationControlPolicy @appControlPolicy

Security Monitoring

Security Metrics

Metric             | Threshold  | Action
-------------------|------------|------------------------
Secure Score       | < 70%      | Review recommendations
Alert Volume       | > 10/day   | Investigate threats
Failed Logins      | > 5/hour   | Check access attempts
Policy Compliance  | < 90%      | Review violations
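The thresholds in this table and the minimalSeverity in the alert-notification settings above are easy to state and easy to get wrong in practice (a per-day count compared with a per-hour one, or a severity floor that silently drops Medium alerts). The script below is an added example, not the page's or Microsoft's code, that evaluates both over a constructed batch of alert records and failed sign-in timestamps; the record shape, the alert names and the secure-score and compliance figures are all constructed, not real Defender output.

```python
from collections import Counter

# Severity order used by minimalSeverity in the securityContact setting
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed securityContact properties, mirroring the page's notification settings
CONTACT = {"properties": {
    "alertNotifications": {"state": "On", "minimalSeverity": "High"},
    "notificationsByRole": {"state": "On", "roles": ["Owner", "Contributor"]},
}}

# Constructed alert records (time, severity, name), not real Defender output.
# Twelve alerts land on 2024-03-09 (one per hour from 00:15), one on the next day.
ALERTS = [
    {"time": f"2024-03-09T{h:02d}:15:00", "severity": sev, "name": name}
    for h, (sev, name) in enumerate([
        ("High", "Suspicious process executed"),
        ("Medium", "Unusual SSH login"),
        ("Low", "Port scan detected"),
        ("High", "Possible credential dumping"),
    ] * 3)
] + [{"time": "2024-03-10T08:15:00", "severity": "Low", "name": "Scanner activity"}]

# Constructed failed sign-in timestamps: six in the 10:00 hour, two in the 11:00 hour
FAILED_LOGINS = ([f"2024-03-09T10:{m:02d}:00" for m in (1, 4, 9, 15, 22, 31)]
                 + ["2024-03-09T11:02:00", "2024-03-09T11:40:00"])


def notified_alerts(contact: dict, alerts: list) -> list:
    """Names of the alerts the contact is e-mailed about, given its minimalSeverity."""
    notif = contact["properties"]["alertNotifications"]
    if notif.get("state") != "On":
        return []
    floor = SEVERITY_RANK[notif["minimalSeverity"]]
    return [a["name"] for a in alerts if SEVERITY_RANK[a["severity"]] >= floor]


def alerts_per_day(alerts: list) -> dict:
    """Alert count keyed by calendar day (the 'Alert Volume' metric)."""
    return dict(Counter(a["time"][:10] for a in alerts))


def failed_logins_per_hour(stamps: list) -> dict:
    """Failed sign-in count keyed by hour (the 'Failed Logins' metric)."""
    return dict(Counter(s[:13] for s in stamps))


def evaluate_metrics(secure_score: float, alerts: list, failed_logins: list,
                     compliance: float) -> list:
    """Apply the thresholds from the Security Metrics table and return the actions due."""
    actions = []
    if secure_score < 70:
        actions.append(f"Secure Score {secure_score}% < 70%: review recommendations")
    worst_day = max(alerts_per_day(alerts).values(), default=0)
    if worst_day > 10:
        actions.append(f"Alert Volume {worst_day}/day > 10/day: investigate threats")
    worst_hour = max(failed_logins_per_hour(failed_logins).values(), default=0)
    if worst_hour > 5:
        actions.append(f"Failed Logins {worst_hour}/hour > 5/hour: check access attempts")
    if compliance < 90:
        actions.append(f"Policy Compliance {compliance}% < 90%: review violations")
    return actions


if __name__ == "__main__":
    print("notified:", notified_alerts(CONTACT, ALERTS))
    for action in evaluate_metrics(65, ALERTS, FAILED_LOGINS, 92):
        print("action:", action)
```

With the page's settings only the six High alerts reach the contact's inbox; lowering minimalSeverity to "Medium" would add the three "Unusual SSH login" alerts. Against the constructed day, three of the four table thresholds trip (secure score, alert volume and failed sign-ins), which is the point of bucketing by day and by hour before comparing.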

Security Automation

# Create a Logic App that fires on a Microsoft Sentinel alert and runs remediation steps
$resourceGroup = "<resource-group>"
$location      = "<region>"

# Single quotes keep '$schema' and '$connections' literal; in double quotes PowerShell
# would try to expand them as variables.
$definition = @{
    '$schema'      = 'https://schema.management.azure.com/schemas/2016-06-01/Microsoft.Logic.json'
    contentVersion = '1.0.0.0'
    parameters     = @{
        '$connections' = @{ type = 'Object'; defaultValue = @{} }
    }
    triggers = @{
        securityAlert = @{
            type   = 'ApiConnectionWebhook'
            inputs = @{
                host = @{
                    connection = @{ name = "@parameters('`$connections')['azuresentinel']['connectionId']" }
                }
            }
        }
    }
    actions = @{
        # Add remediation actions here
    }
}

# -Definition accepts the workflow definition as a JSON string
New-AzLogicApp -Name "SecurityAutomation" -ResourceGroupName $resourceGroup -Location $location -State "Enabled" -Definition ($definition | ConvertTo-Json -Depth 20)

Best Practices Summary

  1. Security Baseline

    • Enable security defaults
    • Configure security policies
    • Implement compliance standards
    • Regular security reviews
  2. Threat Protection

    • Enable Defender plans
    • Configure JIT access
    • Implement adaptive controls
    • Regular threat assessments
  3. Monitoring

    • Configure alerts
    • Enable logging
    • Set up automation
    • Regular monitoring reviews
  4. Compliance

    • Define requirements
    • Implement controls
    • Regular audits
    • Documentation

Troubleshooting Guide

Common security issues and solutions:

  1. Policy Issues

    • Review policy definitions
    • Check assignments
    • Verify exemptions
    • Monitor compliance
  2. Alert Problems

    • Verify configurations
    • Check connectivity
    • Review alert logic
    • Test notifications
  3. Compliance Issues

    • Review requirements
    • Check controls
    • Verify implementations
    • Document exceptions

Next Steps

After implementing security:

  1. Regular security assessments
  2. Update security policies
  3. Review threat intelligence
  4. Train security team
  5. Document procedures

Remember to regularly review and update your security implementation to maintain optimal protection against evolving threats.
