Microsoft Defender for Cloud Cookbook - Sasha Kranjac - E-Book

Microsoft Defender for Cloud Cookbook E-Book

Sasha Kranjac

Description

Microsoft Defender for Cloud is a multi-cloud and hybrid cloud security posture management solution that enables security administrators to build cyber defense for their Azure and non-Azure resources by providing both recommendations and security protection capabilities.
This book will start with a foundational overview of Microsoft Defender for Cloud and its core capabilities. Then, the reader is taken on a journey from enabling the service, selecting the correct tier, and configuring the data collection, to working on remediation. Next, we will continue with hands-on guidance on how to implement several security features of Microsoft Defender for Cloud, finishing with monitoring and maintenance-related topics, gaining visibility in advanced threat protection in distributed infrastructure and preventing security failures through automation.
By the end of this book, you will know how to get a view of your security posture and where to optimize security protection in your environment as well as the ins and outs of Microsoft Defender for Cloud.

You can read this e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 202

Year of publication: 2022




Microsoft Defender for Cloud Cookbook

Protect multicloud and hybrid cloud environments, manage compliance and strengthen security posture

Sasha Kranjac

BIRMINGHAM—MUMBAI

Microsoft Defender for Cloud Cookbook

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Shrilekha Malpani

Senior Editor: Shazeen Iqbal

Content Development Editor: Nihar Kapadia

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Manju Arasan

Production Designer: Prashant Ghare

Marketing Coordinator: Hemangi Lotlikar

First published: July 2022

Production reference: 1150622

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-80107-613-5

www.packt.com

To my family.

To Noel – for being an endless well of inspiration and love.

To Adisa – for being my loving, supporting, and encouraging partner through the highs and lows of life's journey.

To Mom and Dad – for who I am, and for where I am today.

To my grandparents – for their infinite wisdom, support, and love.

– Sasha Kranjac

Contributors

About the author

Sasha Kranjac is a security and Azure person, a cloud security architect, and an instructor. He began programming in Assembler but then met Windows NT 3.5, and was hooked on IT ever since.

He owns Kloudatech and a few other IT training and consulting companies that help companies embrace the cloud and be safe in cyberspace.

Aside from cloud and security architecture and consulting, he and his company deliver Microsoft, CompTIA, EC-Council, and their custom Azure and security courses and PowerClass workshops internationally.

Sasha is a Microsoft Most Valuable Professional (MVP), Microsoft Certified Trainer (MCT), MCT Regional Lead, Certified EC-Council Instructor (CEI), and frequent speaker at various international conferences, events, and user groups.

Sasha has more than 100 IT certifications from Microsoft, CompTIA, and Amazon Web Services (AWS), and more exams and certifications are in the queue.

About the reviewers

Rod Trent is a security CSA for Microsoft and an Azure Sentinel global SME, helping customers migrate from existing SIEMs to Azure Sentinel to achieve the promise of better security through improved efficiency without compromise.

Rod is a husband, dad, and recently a first-time grandfather. He spends his spare time (if such a thing does truly exist) simultaneously watching Six Million Dollar Man TV show episodes and writing KQL queries.

Table of Contents

Preface

Chapter 1: Getting Started with Microsoft Defender for Cloud

Technical requirements

Enabling Microsoft Defender for Cloud Plans on Azure Subscriptions and Log Analytics Workspaces

Getting ready

How to do it…

How it works…

Enabling Microsoft Defender for Cloud Plans on an Azure Subscription

Getting ready

How to do it…

How it works…

There's more…

Enabling Microsoft Defender for Cloud Plans on a Log Analytics Workspace

Getting ready

How to do it…

How it works…

Enabling Microsoft Defender for Cloud Plans on multiple Azure Subscriptions and Log Analytics Workspaces

Getting ready

How to do it…

How it works…

Configuring data collection in a Log Analytics Workspace

Getting ready

How to do it…

How it works…

Configuring provisioning extensions automatically

Getting ready

How to do it…

How it works…

Enabling a Log Analytics agent for Azure VMs manually in the Log Analytics Workspace settings

Getting ready

How to do it…

How it works…

Enabling a Log Analytics agent for Azure VMs manually in the Virtual Machine settings

Getting ready

How to do it…

How it works…

There's more…

Configuring a Log Analytics agent for Azure VMs extension deployment

Getting ready

How to do it…

How it works…

Configuring email notifications

Getting ready

How to do it…

How it works…

Assigning Microsoft Defender for Cloud permissions

Getting ready

How to do it…

How it works…

Onboarding Microsoft Defender for Cloud using PowerShell

Getting ready

How to do it…

How it works…

There's more…

Enabling Microsoft Defender for Cloud integration with other Microsoft security services

Getting ready

How to do it…

How it works…

Chapter 2: Multi-Cloud Connectivity

Technical requirements

Connecting non-Azure virtual machines using Azure Arc

Getting ready

How to do it…

How it works…

Connecting non-Azure virtual machines using Microsoft Defender for Cloud portal pages

Getting ready

How to do it…

How it works…

Setting up Amazon Web Services Config and Amazon Web Services Security Hub

Getting ready

How to do it…

How it works…

Creating an Identity and Access Management AWS role for Microsoft Defender for Cloud

Getting ready

How to do it…

How it works…

Connecting Amazon Web Services to Microsoft Defender for Cloud

Getting ready

How to do it…

How it works…

There's more…

Configuring GCP Security Command Center and enabling GCP Security Command Center API

Getting ready

How to do it…

How it works…

Creating a GCP service account and connecting GCP to Microsoft Defender for Cloud

Getting ready

How to do it…

How it works…

Chapter 3: Workflow Automation and Continuous Export

Technical requirements

Creating logic apps for use in Microsoft Defender for Cloud

Getting ready

How to do it…

How it works…

There's more…

See also

Automating threat detection alert responses

Getting ready

How to do it…

How it works…

Automating Microsoft Defender for Cloud recommendation responses

Getting ready

How to do it…

How it works…

Automating regulatory compliance standards responses

Getting ready

How to do it…

How it works…

Configuring continuous export to Event Hub

Getting ready

How to do it…

How it works…

Configuring continuous export to a Log Analytics workspace

Getting ready

How to do it…

How it works…

Chapter 4: Secure Score and Recommendations

Technical requirements

Understanding, filtering, and sorting recommendations

Getting ready

How to do it...

How it works...

Downloading a recommendation report

Getting ready

How to do it...

How it works...

Creating a recommendation exemption rule

Getting ready

How to do it...

How it works...

Creating a recommendation enforcement rule

Getting ready

How to do it...

How it works...

There's more...

Preventing creating resources using a Deny rule

Getting ready

How to do it...

How it works...

There's more...

Disabling a recommendation

Getting ready

How to do it...

How it works...

Fixing recommendations on affected resources

Getting ready

How to do it...

How it works...

Managing a recommendation query in Azure Resource Graph Explorer

Getting ready

How to do it...

How it works...

Getting a secure score using Azure Resource Graph

Getting ready

How to do it...

How it works...

There's more...

Chapter 5: Security Alerts

Technical requirements

Filtering, grouping, and exporting security alerts

Getting ready

How to do it

How it works

There's more

Responding to security alerts using automated responses

Getting ready

How to do it

How it works

Creating suppression rules

Getting ready

How to do it

How it works

There's more

Organizing security alerts and changing a security alert status

Getting ready

How to do it

How it works

Chapter 6: Regulatory Compliance and Security Policy

Technical requirements

Managing Microsoft Defender for Cloud's default security policy

Getting ready

How to do it…

How it works…

Adding a custom security initiative and policy

Getting ready

How to do it…

How it works…

Adding a regulatory compliance standard

Getting ready

How to do it…

How it works…

See also

Improving regulatory compliance, exempting, and denying a compliance control

Getting ready

How to do it…

How it works…

Accessing and downloading compliance reports

Getting ready

How to do it…

How it works…

Chapter 7: Microsoft Defender for Cloud Workload Protection

Technical requirements

Enabling a vulnerability assessment solution

Getting ready

How to do it…

How it works…

Enabling and configuring JIT access on a virtual machine

Getting ready

How to do it…

How it works…

Requesting access to a JIT-enabled virtual machine

Getting ready

How to do it…

How it works…

Configuring the adaptive application control group

Getting ready

How to do it…

How it works…

Managing adaptive network hardening

Getting ready

How to do it…

How it works…

There's more…

Remediating vulnerabilities in Azure Container Registry images

Getting ready

How to do it…

How it works…

Managing a SQL vulnerability assessment

Getting ready

How to do it…

How it works…

Managing file integrity monitoring

Getting ready

How to do it…

How it works…

Chapter 8: Firewall Manager

Technical requirements

Creating an Azure firewall

Getting ready

How to do it…

How it works…

Creating an Azure firewall using PowerShell

Getting ready

How to do it…

How it works…

Creating an Azure firewall policy

Getting ready

How to do it…

How it works…

Creating an Azure firewall policy using PowerShell

Getting ready

How to do it…

How it works…

Chapter 9: Information Protection

Creating and managing sensitivity labels

Getting ready

How to do it…

How it works…

There's more…

Creating and managing information types and managing information protection policy

Getting ready

How to do it…

How it works…

There's more…

Chapter 10: Workbooks

Technical requirements

Creating a workbook from an existing template

Getting ready

How to do it…

How it works…

Creating a workbook from an empty workbook

Getting ready

How to do it…

How it works…

There's more…

Managing workbooks and workbook templates

Getting ready

How to do it…

How it works…

Other Books You May Enjoy

Preface

Microsoft Defender for Cloud is a Cloud Workload Protection Platform (CWPP) that has Cloud Security Posture Management (CSPM) capabilities and supports Azure, on-premises, Amazon Web Services (AWS), and Google Cloud Platform (GCP) resources.

Defender for Cloud covers three crucial requirements for workload and infrastructure security: defending, securing, and continuously assessing protected workloads:

Defend: Helps you detect and resolve threats to services and resources.
Secure: Recommendations help you prioritize hardening tasks to improve your security posture.
Continuously assess: Your secure score is frequently refreshed to give you the current security situation.

In this book, you will find valuable but easy-to-follow steps to get started using Defender for Cloud, followed by more advanced protections, including multi-cloud protection, as well as adjacent security services integrated and used in Defender for Cloud.

Who this book is for

This book is for security engineers, systems administrators, security professionals, IT professionals, system architects, developers… anyone whose responsibilities include maintaining security posture, identifying and remediating vulnerabilities, and securing cloud and hybrid infrastructure. It is also for anyone who is willing to learn about security in Azure and to build secure Azure and hybrid infrastructure, to improve their security posture in Azure, hybrid, and multi-cloud environments by using all the features within Defender for Cloud.

What this book covers

Chapter 1, Getting Started with Microsoft Defender for Cloud, introduces the basic but fundamental Defender for Cloud configuration and performs the initial configuration.

Chapter 2, Multi-Cloud Connectivity, shows you how to connect AWS and GCP environments to Defender for Cloud.

Chapter 3, Workflow Automation and Continuous Export, explains how to configure Defender for Cloud workflow automations, automate responses, and configure continuous data export.

Chapter 4, Secure Score and Recommendations, explains how to work with and interpret the secure score and manage security recommendations.

Chapter 5, Security Alerts, demonstrates how to manage and respond to security alerts.

Chapter 6, Regulatory Compliance and Security Policy, explains how to manage Defender for Cloud security policies and manage regulatory compliance standards.

Chapter 7, Microsoft Defender for Cloud Workload Protection, covers the protection capabilities of Defender for Cloud plans.

Chapter 8, Firewall Manager, demonstrates how to secure Azure assets and public endpoints by controlling network traffic to and from Azure.

Chapter 9, Information Protection, discusses Defender for Cloud's ability to generate alerts and recommendations based on information policy data.

Chapter 10, Workbooks, shows how to create and manage workbooks in Defender for Cloud.

To get the most out of this book

To successfully complete the recipes in this book, you will need an Azure subscription. Naturally, you will also need a web browser – although I have used Microsoft Edge, you can use any browser of your choice.

Additionally, for Defender for Cloud to generate alerts and recommendations, you will need to provision resources in Azure. To create resources in AWS and GCP, you will also need an account and a payment method with each of these cloud providers.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801076135_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To onboard Microsoft Defender for Cloud using PowerShell, you must use the Az.Security PowerShell module."

A block of code is set as follows:

Set-AzContext -Subscription "<subscription_ID>"
Set-AzSecurityAutoProvisioningSetting -Name "default" -EnableAutoProvision

Any command-line input or output is written as follows:

Set-AzContext -Subscription "<subscription ID>"

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "In the top menu, click Configure."

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Share Your Thoughts

Once you've read Microsoft Defender for Cloud Cookbook, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Chapter 1: Getting Started with Microsoft Defender for Cloud

In this first chapter, you will learn how to get started with Microsoft Defender for Cloud (MDC). I will also introduce the basic but fundamental Microsoft Defender for Cloud configuration and perform the initial MDC configuration steps that set a foundation for using the service's protection and monitoring capabilities.

The recipes in this chapter will explain the essential and foundational Microsoft Defender for Cloud configuration steps that influence MDC's security capabilities, infrastructure coverage, and behavior. It is vital to know which Log Analytics Workspace will be used, the level of data being collected, and how monitoring agents will be deployed. Although you can change these settings at any time, it is better to set the foundational and basic settings first and then proceed with configuring other settings.

After all, your choices will have an impact not only on security but on cost as well.

We will cover the following recipes in this chapter:

Enabling Microsoft Defender for Cloud Plans on Azure Subscriptions and Log Analytics workspaces
Enabling Microsoft Defender for Cloud Plans on an Azure Subscription
Enabling Microsoft Defender for Cloud Plans on a Log Analytics workspace
Enabling Microsoft Defender for Cloud Plans on multiple Azure Subscriptions and Log Analytics workspaces
Configuring data collection on a Log Analytics workspace
Configuring provisioning extensions automatically
Enabling a Log Analytics agent for Azure VMs manually in the Log Analytics workspace settings
Enabling the Log Analytics agent for Azure VMs manually in the virtual machine settings
Configuring the Log Analytics agent for Azure VMs extension deployment
Configuring email notifications
Assigning Microsoft Defender for Cloud permissions
Onboarding Microsoft Defender for Cloud using PowerShell
Enabling Microsoft Defender for Cloud integration with other Microsoft security services

Technical requirements

To complete the recipes in this chapter, the following is required:

An Azure subscription (for some of the recipes in this chapter)
Two or more Azure subscriptions (for some of the recipes in this chapter)
Azure PowerShell
A web browser, preferably Microsoft Edge

The code samples for this chapter can be found at https://github.com/PacktPublishing/Microsoft-Defender-for-Cloud-Cookbook.

Enabling Microsoft Defender for Cloud Plans on Azure Subscriptions and Log Analytics Workspaces

Microsoft Defender for Cloud natively protects services in Azure – no steps need to be followed to enable its native, basic functionality. However, you might need to protect multiple subscriptions at a more advanced level, using Microsoft Defender for Cloud Plans. In this recipe, you will enable Microsoft Defender for Cloud Plans on multiple Azure subscriptions and Log Analytics Workspaces at once.

Getting ready

Before you enable Microsoft Defender for Cloud Plans on multiple subscriptions, ensure you have at least two Azure subscriptions or workspaces. These should not have Microsoft Defender for Cloud Plans enabled already.

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To enable Microsoft Defender for Cloud Plans on multiple subscriptions at once, complete the following steps:

In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: typing Microsoft Defender for Cloud in a search bar, clicking on a favorite link, or by going to All Services:

Figure 1.1 – Microsoft Defender for Cloud Overview page

On the Microsoft Defender for Cloud menu, on the left-hand side, select Getting Started. The Getting Started page will have three tabs or pages available: Upgrade, Install Agents, and Get Started. Click on Upgrade to display a list of available subscriptions and workspaces to enable on Microsoft Defender for Cloud Plans. The following screenshot shows this:

Figure 1.2 – Microsoft Defender for Cloud – Getting started page

Select all the subscriptions and workspaces you want to enable Microsoft Defender for Cloud Plans on and scroll to the end of the Upgrade page until the Upgrade button is visible. The Upgrade button is gray and will be disabled until you select at least one subscription or workspace, after which it will turn blue. Let's see what all of this looks like:

Figure 1.3 – Enabling Azure Subscriptions on Azure Subscriptions and/or Log Analytics Workspaces

Select Upgrade to enable Microsoft Defender for Cloud Plans on selected subscriptions and/or workspaces.

How it works…

As soon as you create an Azure Subscription, Microsoft Defender for Cloud gives you an overview of the resources that are monitored and assessed by Microsoft Defender for Cloud, as well as security recommendations for recognized resources.

To enable full coverage of Microsoft Defender for Cloud Plans on multiple Azure Subscriptions and workspaces, you can enable Microsoft Defender for Cloud Plans protection on more than one Subscription and Log Analytics workspace at once, reducing the risk of having unprotected resources and potential security issues.

Upgrading to and enabling full Microsoft Defender for Cloud Plans protection on multiple Azure Subscriptions and Log Analytics Workspaces applies to partially enabled Microsoft Defender for Cloud Plans as well.

Enabling Microsoft Defender for Cloud Plans on an Azure Subscription

Microsoft Defender for Cloud covers two areas of cloud security: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). Microsoft Defender for Cloud Plans is Microsoft Defender for Cloud's integrated protection platform that protects Azure and hybrid resources. If you want to enable Microsoft Defender for Cloud Plans on a particular Azure Subscription and you want to control what Microsoft Defender for Cloud Plans features are enabled or disabled on an Azure Subscription, you need to enable Microsoft Defender for Cloud Plans, as described in this recipe.

There are multiple ways to enable Microsoft Defender for Cloud Plans on a subscription, and we will show more than one way here.

After completing this recipe, you will be able to enable Microsoft Defender for Cloud Plans and their protection features on an Azure Subscription.

Getting ready

Before you enable Microsoft Defender for Cloud Plans on an Azure Subscription, you must have at least one Azure Subscription. You should not have Microsoft Defender for Cloud Plans already enabled.

Open a web browser and navigate to https://portal.azure.com.

How to do it…

To enable Microsoft Defender for Cloud Plans and their protection capabilities on different workloads more granularly, complete the following steps:

1. In the Azure portal, open Microsoft Defender for Cloud. You can open Microsoft Defender for Cloud in multiple ways: by typing Microsoft Defender for Cloud in the search bar, clicking on a favorite link, or by going to All Services.
2. On the Microsoft Defender for Cloud – Overview page, from the left menu, select Environment settings, as shown in the following screenshot.
3. Expand Management groups until you see the desired Azure subscription.
4. Select the subscription that you want to enable Microsoft Defender for Cloud Plans on. The Settings – Defender Plans page will open:

Figure 1.4 – Microsoft Defender for Cloud Environmental settings page – Selecting an Azure Subscription

While Microsoft Defender for Cloud Plans are disabled, all individual Microsoft Defender for Cloud Plans by resource type are grayed out and disabled. Click on Enable all Microsoft Defender for Cloud Plans to turn them on, as shown in the following screenshot:

Figure 1.5 – Turning Microsoft Defender for Cloud Plans on

After you select Enable all Microsoft Defender for Cloud Plans, you can select Microsoft Defender for Cloud Plans by resource type individually. Alternatively, if you select an Azure Subscription that already has Microsoft Defender for Cloud Plans turned on partially, you can enable all Microsoft Defender for Cloud Plans by clicking on the Enable all button, as shown in the following screenshot. A button or control that has changed and its current setting is not saved will be purple; otherwise, it will be blue, as shown in the following screenshot:

Figure 1.6 – Selecting Microsoft Defender for Cloud Plans by resource types

Once you have selected the appropriate Microsoft Defender for Cloud Plans protection options, at the top of the window, click Save to apply your changes.

How it works…

The Microsoft Defender for Cloud Plans by resource type list displays the resource quantities in their respective categories, as well as pricing information. Enabling protection for an individual Microsoft Defender for Cloud Plans category applies to all the resources in that category. For example, if you enable Microsoft Defender for Cloud Plans protection for servers, the setting will apply to all servers in the subscription.
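The same per-plan enablement, and the multi-subscription variant from the previous recipe, can be done with the Az.Security module instead of the portal. The following script is an added example and is not from the book or its GitHub repository; it assumes Az.Accounts and Az.Security are installed, that Connect-AzAccount has already been run with sufficient rights on each subscription, and that the subscription IDs and the plan names in $PlansToEnable are placeholders you replace with your own.

```powershell
# Added example (not the book's code): enable selected Microsoft Defender for Cloud
# plans on one or more Azure subscriptions and report which plans are still on the
# Free tier. Assumes Connect-AzAccount has already been run.
#Requires -Modules Az.Accounts, Az.Security

param(
    # Placeholder subscription IDs (constructed); replace with your own
    [string[]]$SubscriptionIds = @(
        '00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-000000000002'
    ),
    # Plan names as accepted by Set-AzSecurityPricing -Name (assumed selection)
    [string[]]$PlansToEnable = @('VirtualMachines', 'StorageAccounts', 'KeyVaults', 'Arm'),
    # Report the current tiers only; change nothing
    [switch]$ReportOnly
)

$results = foreach ($subId in $SubscriptionIds) {
    # Select the subscription, as in the book's Set-AzContext convention block
    Set-AzContext -Subscription $subId | Out-Null

    # Current tier of every plan: 'Free' means the plan is not enabled,
    # 'Standard' means it is (the same state the portal's Defender plans page shows)
    $current = Get-AzSecurityPricing

    foreach ($plan in $PlansToEnable) {
        $entry = $current | Where-Object { $_.Name -eq $plan }
        if (-not $entry) {
            Write-Warning "Subscription ${subId}: plan '$plan' not found; skipping"
            continue
        }

        $wasEnabled = ($entry.PricingTier -eq 'Standard')
        $tierAfter  = $entry.PricingTier

        if (-not $wasEnabled -and -not $ReportOnly) {
            # Enabling a plan applies to every resource of that type in the subscription
            Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
            $tierAfter = 'Standard'
        }

        [pscustomobject]@{
            SubscriptionId = $subId
            Plan           = $plan
            TierBefore     = $entry.PricingTier
            TierAfter      = $tierAfter
        }
    }
}

# Rows with TierBefore = 'Free' are the coverage gaps the portal's Upgrade page would list
$results | Format-Table -AutoSize
```

Run it once with -ReportOnly to see the coverage gaps before changing any pricing tier, since every plan enabled this way is billed for all resources of that type.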

There's more…

Once you enable Microsoft Defender for Cloud Plans on Azure Subscriptions, several Microsoft Defender for Cloud Plans become available:

Microsoft Defender for Cloud Plans for Servers