To enable Microsoft Defender for Cloud, you must first prepare your environment by enabling enhanced security features and provisioning agents and extensions on Azure.
What Are Enhanced Features?
The Defender for Cloud generates alerts or notifications when it detects threats on your resources. It prioritizes and lists the notifications alongside the information you need to analyze the problem quickly. Defender for Cloud also avails the detailed steps you should take to remediate risks. The platform also retains the collected alerts for 90 days. Another enhanced feature is security incidents, a collection of related alerts. Defenders of Cloud Alerts can be listed together instead of individually, using Cloud smart alert correlation. The feature, indeed, allows for a correlation of various alerts and low-fidelity signals into security incidents.
Defender for Cloud provides you with a single view of an attack campaign besides all the related alerts. The view provides a platform where you can quickly understand the actions of an attacker and the affected resources.
Turning on Enhanced Features on Subscriptions and Workspaces Within Azure
Enabling Defender for Cloud’s enhanced security features will enable you to protect an entire Azure subscription. All the resources within the subscription will inherit all the protection. A free 30-day trial period is available, after which the respective charges will apply.
The first step in enabling all Defender for Cloud Alerts features is to enable enhanced security features on the subscription containing applicable workloads. It will also enable threat protection capabilities. When you enable it at the workspace level, you don’t enable adaptive application controls, just-in-time VM access, and network detection for Azure resources.
What’s more, the workspace level only allows Microsoft Defender for SQL servers and Microsoft defender for server plans. Take note that you can enable:
- Microsoft Defender for Storage accounts at the resource or subscription level
- For open-source relational databases at the resource level only
- For SQL at the resource or subscription level
Enabling Enhanced Security Features on One Subscription
- Go to the main menu on Defender for Cloud and select environment settings
- Choose the workspace or subscription you want to protect
- Upgrade by selecting Enable all Microsoft Defender Plans
- Lastly, click on Save
Enabling Enhanced Security in Multiple Workspaces or Subscriptions
- Go to the menu on Defender for Cloud and select Getting started. The Upgrade tab lists all workspaces and subscriptions eligible for onboarding.
- Choose the workspaces and subscriptions to upgrade from the selected workspaces and subscriptions to protect yourself with Microsoft Defender for Cloud list.
- Click Upgrade to enable all security features in Microsoft Defender for Cloud.
Note not to select workspaces and subscriptions not eligible for trial as the next step will initiate charges to upgrade them. However, only the eligible subscriptions and workspaces will begin a free trial.
Disabling Enhanced Security Features
If, at any time, you need to disable enhanced security features for a workspace or subscription, the procedure is as above. However, this time you’ll select enhanced security.
- Go to Environment setting on Defender for Cloud’s menu
- Select the subscription whose security features you want to disable
- Choose Defender plans and click on Enhanced security off
- Lastly, click Save
Data collection may not cease immediately after disabling the enhanced security features on single or multiple plans.
Enabling Auto Provisioning of Log Analytics
After enabling enhanced security features, the next thing is to enable the necessary extensions and agents for automatic data collection.
Why Use Auto Provisioning?
Auto-provisioning decreases management overhead by installing all the necessary extensions and agents on new and existing machines. It then ensures faster security coverage for all supported subscriptions and workspaces.
The settings on auto-provisioning feature a toggle for each supported extension. Enabling auto-provisioning of an extension allows you to assign the relevant “Deploy if not exists” policy. The policy then ensures the provisioning of an extension on all similar future and existing resources. Auto-provisioning comes disabled by default, and Microsoft recommends enabling it in the following steps:
- Navigate to Environment Settings on Defender for Clouds menu
- Choose the relevant subscription
- Change the status of auto-provisioning for Log Analytics to On on the Auto-provisioning page.
- Move to the configuration options pane and define the workspace. Here, the task is to connect Azure VM to Defender for Cloud’s default workspace. Defender for Cloud will also create a new resource group in the same geolocation, connecting it to the agent assigned to that workspace.
Defender for Cloud will create multiple workspaces to comply with data privacy requirements if a subscription has VMs from multiple geolocations.
Next, connect Azure VM to a different workspace by selecting the workspace to store collected data from the dropdown list. Then, use this option to collect data from VMs running on various subscriptions and store it in your selected workspace. Using an existing Log Analytics workspace might be a better option if you have it, although you’ll require read and write permissions on the platform. The option is ideal for centralized workspaces when you need data collection.
- Navigate to Windows security events configuration and choose the raw event data amount to store. The four levels are None, Minimal, Common, and All events.
- Select Apply
- Select Save
You can go ahead and enable automatic provisioning of an extension after that of the Log Analytics agent by:
- Toggling the status to On for the appropriate extension
- Select Save
Finally, a prompt will appear asking if you want to reconfigure the monitored VM previously attached to the default workspace. If you select:
- No: The new workspace settings will only apply to VMs that you have newly discovered and which lack the Log Analytics
- Yes: The new workspace settings will apply to all VMs connected to the Defender for Cloud. Ensure you don’t delete the workspaces Defender for Cloud creates until all VMs reconnect to the new target workspace.
Enable Enhanced Security Features in Azure
Defender for Cloud Alerts is a crucial feature for your hybrid, on-premises, and Azure environments. The alerts are only available with enhanced security features enabled. You can then upgrade them from the Environment Settings page or have an expert in Microsoft handle the process for you.
Agile IT is a Microsoft Gold Security partner with 16 years of experience in the Microsoft Cloud. To learn how to defend every piece of your environment without information overload and using your existing Microsoft licensing, request a consultation today.