Azure security baseline for HDInsight
This security baseline applies guidance from the Azure Security Benchmark version 2.0 to HDInsight. The Azure Security Benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Azure Security Benchmark and the related guidance applicable to HDInsight.
Note
Controls not applicable to HDInsight, and those for which the global guidance is recommended verbatim, have been excluded. To see how HDInsight completely maps to the Azure Security Benchmark, see the full HDInsight security baseline mapping file.
Network Security
For more information, see the Azure Security Benchmark: Network Security.
NS-1: Implement security for internal traffic
Guidance: Perimeter security in Azure HDInsight is achieved through virtual networks. An enterprise administrator can create a cluster inside a virtual network and use a network security group (NSG) to restrict access to the virtual network. Only the allowed IP addresses in the inbound NSG rules can communicate with the Azure HDInsight cluster. This configuration provides perimeter security. All clusters deployed in a virtual network will also have a private endpoint. The endpoint will resolve to a private IP address inside the Virtual Network. It provides private HTTP access to the cluster gateways.
Based on your applications and enterprise segmentation strategy, restrict or allow traffic between internal resources based on your NSG rules. For specific, well-defined applications like a three-tier app, this can be a highly secure deny-by-default approach.
Ports required generally across all types of clusters:
- 22-23: SSH access to the cluster resources
- 443: Ambari, WebHCat REST API, HiveServer ODBC, and JDBC
For specific types of clusters and more details, review this article.
You can create private HDInsight clusters by configuring specific network properties in an Azure Resource Manager (ARM) template. There are two properties that you use to create private HDInsight clusters:
- Remove public IP addresses by setting resource provider connection to outbound.
- Enable Azure Private Link and use Private Endpoints by setting PrivateLink to enabled.
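A pre-deployment check for the settings above, as an added example rather than Microsoft's code: it audits an ARM template for the two private-cluster properties (`resourceProviderConnection` and `privateLink` under `networkProperties`) and for NSG rules that open ports 22-23 or 443 to any source. The template, resource names and addresses are constructed for illustration.

```python
"""Audit a (constructed) ARM template against the NS-1 network guidance."""

CLUSTER_PORTS = {22, 23, 443}                  # ports the baseline lists for all cluster types
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # NSG source values that mean "anywhere"


def covered_ports(spec):
    """Return the cluster ports matched by one NSG port spec ('443', '22-23', '*')."""
    spec = str(spec).strip()
    if spec == "*":
        return set(CLUSTER_PORTS)
    low, _, high = spec.partition("-")
    try:
        low, high = int(low), int(high or low)
    except ValueError:          # unresolved template expression such as "[parameters('p')]"
        return set()
    return {port for port in CLUSTER_PORTS if low <= port <= high}


def audit_cluster(resource):
    """Check the two private-cluster properties on a Microsoft.HDInsight/clusters resource."""
    net = resource.get("properties", {}).get("networkProperties", {})
    findings = []
    if str(net.get("resourceProviderConnection", "")).lower() != "outbound":
        findings.append("resourceProviderConnection is not Outbound")
    if str(net.get("privateLink", "")).lower() != "enabled":
        findings.append("privateLink is not Enabled")
    return findings


def audit_nsg(resource):
    """Flag inbound Allow rules that open cluster ports to any source address."""
    findings = []
    for rule in resource.get("properties", {}).get("securityRules", []):
        props = rule.get("properties", {})
        flow = (props.get("direction", "").lower(), props.get("access", "").lower())
        if flow != ("inbound", "allow"):
            continue
        sources = [props.get("sourceAddressPrefix"), *props.get("sourceAddressPrefixes", [])]
        if not any(s and s.lower() in OPEN_SOURCES for s in sources):
            continue            # restricted source, including service tags such as HDInsight
        specs = [props.get("destinationPortRange"), *props.get("destinationPortRanges", [])]
        exposed = set()
        for spec in filter(None, specs):
            exposed |= covered_ports(spec)
        if exposed:
            findings.append(f"rule {rule.get('name')} allows any source to ports {sorted(exposed)}")
    return findings


AUDITORS = {
    "microsoft.hdinsight/clusters": audit_cluster,
    "microsoft.network/networksecuritygroups": audit_nsg,
}


def audit_template(template):
    """Map each audited resource name to its list of findings (empty list = clean)."""
    report = {}
    for resource in template.get("resources", []):
        auditor = AUDITORS.get(resource.get("type", "").lower())
        if auditor:
            report[resource.get("name")] = auditor(resource)
    return report


def _rule(name, source, ports, access="Allow"):
    """Build one inbound NSG rule for the sample template."""
    return {"name": name, "properties": {
        "direction": "Inbound", "access": access, "protocol": "Tcp",
        "sourceAddressPrefix": source, "destinationPortRange": ports}}


# Constructed sample template: all names and addresses are made up for this example.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.HDInsight/clusters", "name": "hdi-public",
     "properties": {"networkProperties": {"resourceProviderConnection": "Inbound",
                                          "privateLink": "Disabled"}}},
    {"type": "Microsoft.HDInsight/clusters", "name": "hdi-private",
     "properties": {"networkProperties": {"resourceProviderConnection": "Outbound",
                                          "privateLink": "Enabled"}}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "hdi-nsg",
     "properties": {"securityRules": [
         _rule("ssh-from-anywhere", "*", "22-23"),
         _rule("gateway-from-corp", "203.0.113.0/24", "443"),
         _rule("management-from-service-tag", "HDInsight", "443"),
         _rule("deny-all-inbound", "*", "*", access="Deny"),
     ]}},
]}

if __name__ == "__main__":
    for name, findings in audit_template(SAMPLE_TEMPLATE).items():
        print(name, "->", findings or "ok")
```
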
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-3: Establish private network access to Azure services
Guidance: Use Azure Private Link to enable private access to HDInsight from your virtual networks without crossing the internet. Private access adds a defense-in-depth measure to Azure authentication and traffic security.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-4: Protect applications and services from external network attacks
Guidance: Protect HDInsight resources against attacks from external networks. Attacks can include:
- Distributed denial of service (DDoS) attacks
- Application-specific attacks
- Unsolicited and potentially malicious internet traffic
Use Azure Firewall to protect applications and services against potentially malicious traffic from the internet and other external locations. Protect assets against DDoS attacks by enabling DDoS Protection Standard on Azure virtual networks. Use Microsoft Defender for Cloud to detect misconfiguration risks in network-related resources.
- Using Encryption to protect data apply built in policies for Azure HDInsight
- Manage Azure DDoS Protection Standard using the Azure portal
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-6: Simplify network security rules
Guidance: Use Azure Virtual Network service tags to define network access controls for HDInsight resources in NSGs or Azure Firewall. You can use service tags in place of specific IP addresses when creating security rules. Specify a service tag name like "HDInsight" in the appropriate rule source or destination field to allow or deny traffic for the service. Microsoft manages the address prefixes the service tag encompasses, and automatically updates the service tag as addresses change.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
NS-7: Secure Domain Name Service (DNS)
Guidance: Follow the best practices for DNS security to mitigate against common attacks like:
- Dangling DNS
- DNS amplification attacks
- DNS poisoning and spoofing
When you use Azure DNS as your DNS service, make sure to protect DNS zones and records from accidental or malicious changes by using Azure Role-Based Access Control (RBAC) and resource locks.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Identity Management
For more information, see the Azure Security Benchmark: Identity Management.
IM-1: Standardize Azure Active Directory as the central identity and authentication system
Guidance: HDInsight uses Azure AD as its default identity and access management service. Standardize Azure AD to govern your organization's identity and access management in:
- Microsoft Cloud resources. Resources include:
  - The Azure portal
  - Azure Storage
  - Azure Linux and Windows VMs
  - Azure Key Vault
  - Platform-as-a-service (PaaS)
  - Software-as-a-service (SaaS) applications
- Your organization's resources, such as applications on Azure or your corporate network resources.
Securing Azure AD should be a high priority for your organization's cloud security practice. Azure AD provides an identity secure score to help you compare your identity security posture to Microsoft's best practice recommendations. Use the score to gauge how closely your configuration matches best practice recommendations, and to make improvements in your security posture.
Configure Azure HDInsight clusters with Enterprise Security Package (ESP). You can connect these clusters to a domain so that users can use their domain credentials to authenticate with the clusters. Three main Azure RBAC built-in roles are available for the resource management of HDInsight:
- Reader: Read access to HDInsight resources including secrets
- HDInsight cluster operator: Read and write access to HDInsight resources including secrets
- Contributor: Read and write access including secrets and ability to execute script actions
For row level security, Apache Ranger can be implemented to set access control policies for Hive.
Configure HDInsight clusters for Azure Active Directory integration with Enterprise Security Package
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-2: Manage application identities securely and automatically
Guidance: HDInsight supports managed identities for its Azure resources. Use managed identities with HDInsight instead of creating service principals to access other resources. HDInsight can natively authenticate to the Azure services and resources that support Azure AD authentication. The authentication is supported through a pre-defined access grant rule. It doesn't use credentials hard-coded in source code or configuration files.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-3: Use Azure AD single sign-on (SSO) for application access
Guidance: Use Azure HDInsight ID Broker to sign in to ESP clusters by using multifactor authentication, without providing any passwords. If you've already signed in to other Azure services, like the Azure portal, you can sign in to your Azure HDInsight cluster with an SSO experience.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
IM-7: Eliminate unintended credential exposure
Guidance: If using any code related to your Azure HDInsight deployment, you may implement Credential Scanner to identify credentials within code. Credential Scanner will also encourage moving discovered credentials to more secure locations like Azure Key Vault.
For GitHub, you can use the native secret scanning feature to identify credentials or other forms of secrets within the code.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Privileged Access
For more information, see the Azure Security Benchmark: Privileged Access.
PA-1: Protect and limit highly privileged users
Guidance: The most critical built-in Azure AD roles are the Global Administrator and the Privileged Role Administrator. Users with these two roles can delegate administrator roles.
- The Global Administrator or Company Administrator has access to all Azure AD administrative features, and services that use Azure AD identities.
- The Privileged Role Administrator can manage role assignments in Azure AD and Azure AD Privileged Identity Management (PIM). This role can manage all aspects of PIM and administrative units.
Use HDInsight ESP, which has the following privileged roles:
- Cluster Administrator
- Cluster Operator
- Service Administrator
- Service Operator
- Cluster User
Create standard operating procedures around the use of dedicated administrative accounts. Limit the number of highly privileged accounts or roles, and protect these accounts at an elevated level. Highly privileged users can directly or indirectly read and modify all your Azure resources.
You can enable just-in-time (JIT) privileged access to Azure resources and Azure AD using Azure AD PIM. JIT grants temporary permissions to do privileged tasks only when users need them. PIM can also generate security alerts for suspicious or unsafe activity in your Azure AD organization.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-3: Review and reconcile user access regularly
Guidance: HDInsight uses Azure AD accounts to manage its resources. Review user accounts and access assignments regularly to make sure the accounts and their access are valid. You can use Azure AD and access reviews to review group memberships, access to enterprise applications, and role assignments. Azure AD reporting can provide logs to help discover stale accounts. You can also create access review report workflows in Azure AD PIM to ease the review process.
You can configure Azure AD PIM to alert you when there are too many administrator accounts. PIM can identify administrator accounts that are stale or improperly configured.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-6: Use privileged access workstations
Guidance: Secured, isolated workstations are critical for the security of sensitive roles like administrators, developers, and critical service operators. Use highly secured user workstations and Azure Bastion for administrative tasks related to managing your HDInsight resources.
Use Azure AD, Microsoft Defender ATP, or Microsoft Intune to deploy a secure and managed user workstation for administrative tasks. You can centrally manage secured workstations to enforce a security configuration that includes:
- Strong authentication
- Software and hardware baselines
- Restricted logical and network access
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-7: Follow the least privilege principle of just enough administration
Guidance: HDInsight integrates with Azure RBAC to manage its resources. With RBAC, you manage Azure resource access through role assignments. You can assign roles to users, groups, service principals, and managed identities. Certain resources have pre-defined, built-in roles. You can inventory or query these roles through tools like Azure CLI, Azure PowerShell, or the Azure portal.
Limit the privileges you assign to resources through Azure RBAC to what the roles require. This practice complements the JIT approach of Azure AD PIM. Review roles and assignments periodically.
Use built-in roles to give permissions, and only create custom roles when required. HDInsight uses Apache Ranger to allow for more granular control over permissions.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PA-8: Choose approval process for Microsoft support
Guidance: In support scenarios where Microsoft needs to access customer data, HDInsight supports Customer Lockbox. It provides an interface for you to review customer data access requests and approve or reject them.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Data Protection
For more information, see the Azure Security Benchmark: Data Protection.
DP-1: Discover, classify, and label sensitive data
Guidance: Use tags on resources related to your Azure HDInsight deployments to help track Azure resources that store or process sensitive information. Classify and identify sensitive data using Azure Purview. Use the service for any data stored in SQL databases or Azure Storage accounts associated with your HDInsight cluster.
For the underlying platform, which Microsoft manages, Microsoft treats all customer content as sensitive. Microsoft goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
DP-2: Protect sensitive data
Guidance: Implement separate subscriptions and management groups for development, test, and production. You should separate Azure HDInsight clusters and any associated storage accounts by virtual network/subnet, tag them appropriately, and secure them within an NSG or Azure Firewall. Contain cluster data within a secured Azure Storage Account or Azure Data Lake Storage (Gen1 or Gen2).
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
DP-3: Monitor for unauthorized transfer of sensitive data
Guidance: For Azure HDInsight clusters storing or processing sensitive information, mark the cluster and related resources as sensitive using tags. To reduce the risk of data loss via exfiltration, restrict outbound network traffic for Azure HDInsight clusters using Azure Firewall.
HDInsight doesn't support automatic monitoring for unauthorized transfer of sensitive data natively.
For the underlying platform, which Microsoft manages, Microsoft treats all customer content as sensitive. Microsoft goes to great lengths to guard against customer data loss and exposure. To ensure customer data within Azure remains secure, Microsoft has implemented and maintains a suite of robust data protection controls and capabilities.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
DP-4: Encrypt sensitive information in transit
Guidance: HDInsight supports data encryption in transit with TLS v1.2 or greater. Encrypt all sensitive information in transit. Make sure that any clients connecting to your Azure HDInsight cluster or cluster data stores (Azure Storage Accounts or Azure Data Lake Storage Gen1/Gen2) can negotiate TLS 1.2 or greater. Microsoft Azure resources will negotiate TLS 1.2 by default.
To complement access controls, protect data in transit against "out of band" attacks like traffic capture. Use encryption to make sure that attackers can't easily read or modify the data.
For remote management, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol. Obsolete SSL, TLS, SSH versions and protocols, and weak ciphers should be disabled.
By default, Azure provides encryption for data in transit between Azure data centers.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
DP-5: Encrypt sensitive data at rest
Guidance: If using Azure SQL Database to store Apache Hive and Apache Oozie metadata, ensure SQL data always remains encrypted. For Azure Storage Accounts and Data Lake Storage (Gen1 or Gen2), it's recommended to allow Microsoft to manage your encryption keys; however, you can manage your own keys.
HDInsight supports multiple types of encryption in two different layers:
- Server Side Encryption (SSE): SSE is performed by the storage service. In HDInsight, SSE is used to encrypt OS disks and data disks. It's enabled by default. SSE is a layer 1 encryption service.
- Encryption at host using platform-managed key: Similar to SSE, this type of encryption is performed by the storage service. However, it's only for temporary disks and isn't enabled by default. Encryption at host is also a layer 1 encryption service.
- Encryption at rest using customer-managed key: This type of encryption can be used on data and temporary disks. It isn't enabled by default and requires the customer to provide their own key through Azure Key Vault. Encryption at rest is a layer 2 encryption service.
- How to create Azure Data Lake Storage using customer-managed encryption keys
- How to configure Transparent Data Encryption for SQL Database using customer-managed keys
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
Asset Management
For more information, see the Azure Security Benchmark: Asset Management.
AM-1: Ensure security team has visibility into risks for assets
Guidance: Make sure to grant security teams Security Reader permissions in your Azure tenant and subscriptions, so they can monitor for security risks by using Microsoft Defender for Cloud.
Monitoring for security risks could be the responsibility of a central security team or a local team, depending on how you structure responsibilities. Always aggregate security insights and risks centrally within an organization.
You can apply Security Reader permissions broadly to an entire tenant's Root Management Group, or scope permissions to specific management groups or subscriptions.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-2: Ensure security team has access to asset inventory and metadata
Guidance: Ensure that security teams have access to a continuously updated inventory of assets on Azure, like HDInsight. Security teams often need this inventory to evaluate their organization's potential exposure to emerging risks, and as an input to continuous security improvements. Create an Azure AD group to contain your organization's authorized security team. Assign them read access to all HDInsight resources. You can simplify the process by using a single high-level role assignment within your subscription.
Apply tags to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy. Each tag consists of a name and a value pair. For example, you can apply the name "Environment" and the value "Production" to all the resources in production.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-3: Use only approved Azure services
Guidance: Use Azure Policy to audit and restrict which services users can provision in your environment. Use Azure Resource Graph to query for and discover resources within subscriptions. You can also use Azure Monitor to create rules to trigger alerts when they detect an unapproved service.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
AM-6: Use only approved applications in compute resources
Guidance: Use Azure Resource Graph to query for and discover all resources within your subscriptions, such as compute, storage, network, ports, and protocols, including Azure HDInsight clusters. Remove any unapproved Azure resources that you discover. For Azure HDInsight cluster nodes, implement a third-party solution to remove or alert on unapproved software.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Logging and Threat Detection
For more information, see the Azure Security Benchmark: Logging and Threat Detection.
LT-1: Enable threat detection for Azure resources
Guidance: Azure HDInsight doesn't support Defender natively; it uses ClamAV. However, when using the ESP for HDInsight, you can use some of the Microsoft Defender for Cloud built-in threat detection capability. You can also enable Microsoft Defender for your VMs associated with HDInsight.
Forward any logs from HDInsight to your SIEM, which can be used to set up custom threat detections. Ensure that you're monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high-quality alerts to reduce false positives for analysts to sort through. Alerts can be sourced from log data, agents, or other data.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-3: Enable logging for Azure network activities
Guidance: Use Microsoft Defender for Cloud and remediate network protection recommendations for the virtual network, subnet, and NSG used to secure your Azure HDInsight cluster. Enable NSG flow logs and send logs into an Azure Storage Account to support traffic audits. You may also send NSG flow logs to an Azure Log Analytics workspace and use Azure Traffic Analytics to provide insights into traffic flow in your Azure cloud. Some advantages that Azure Traffic Analytics provides are the ability to:
- Visualize network activity and identify hot spots.
- Identify security threats.
- Understand traffic flow patterns.
- Pinpoint network misconfigurations.
HDInsight logs all network traffic that it processes for customer access. Enable the network flow capability within your deployed offering resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-4: Enable logging for Azure resources
Guidance: Activity logs are available automatically. The logs contain all PUT, POST, and DELETE operations for your HDInsight resources, but not read operations (GET). You can use activity logs to find errors when troubleshooting, or to monitor how users in your organization modified resources.
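Monitoring how users modified HDInsight resources, as an added example that is not part of the original baseline: it filters exported activity-log records to HDInsight write, delete and action operations, counts successful changes per caller, and raises alerts for callers outside an operator allow-list and for successful deletes. The records, field names, identities and allow-list are constructed assumptions; map them to the schema of your own log export.

```python
"""Triage exported activity-log records for changes to HDInsight resources."""
import json
from collections import Counter, defaultdict

APPROVED_OPERATORS = {"alice@contoso.example"}        # hypothetical allow-list
CLUSTER = ("/subscriptions/<sub-id>/resourceGroups/rg-data/providers/"
           "Microsoft.HDInsight/clusters/hdi-prod")   # constructed resource ID
STORAGE = ("/subscriptions/<sub-id>/resourceGroups/rg-data/providers/"
           "Microsoft.Storage/storageAccounts/hdidata")


def _line(time, caller, operation, status, resource=CLUSTER):
    """Serialize one constructed record in the simplified export shape."""
    return json.dumps({"time": time, "caller": caller, "operationName": operation,
                       "status": status, "resourceId": resource})


# Constructed sample export, one JSON record per line, ending in a damaged line.
SAMPLE_LOG = "\n".join([
    _line("2024-05-01T08:14:02Z", "alice@contoso.example",
          "Microsoft.HDInsight/clusters/write", "Succeeded"),
    _line("2024-05-01T08:20:41Z", "alice@contoso.example",
          "Microsoft.HDInsight/clusters/updateGatewaySettings/action", "Succeeded"),
    _line("2024-05-01T09:02:10Z", "bob@contoso.example",
          "Microsoft.Storage/storageAccounts/write", "Succeeded", STORAGE),
    _line("2024-05-01T22:01:33Z", "svc-deploy@contoso.example",
          "Microsoft.HDInsight/clusters/write", "Failed"),
    _line("2024-05-01T22:03:05Z", "svc-deploy@contoso.example",
          "Microsoft.HDInsight/clusters/delete", "Succeeded"),
    '{"time": "2024-05-01T22:04',
])


def load_records(text):
    """Parse JSON lines; return (records, count of lines that could not be parsed)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            rejected += 1
            continue
        if isinstance(record, dict):
            records.append(record)
        else:
            rejected += 1
    return records, rejected


def change_kind(operation_name):
    """Return 'write', 'delete' or 'action' for an HDInsight operation, else None."""
    provider, _, rest = operation_name.partition("/")
    if provider.lower() != "microsoft.hdinsight":
        return None
    kind = rest.rsplit("/", 1)[-1].lower()
    return kind if kind in {"write", "delete", "action"} else None


def triage(records, approved=APPROVED_OPERATORS):
    """Return (successful changes per caller, alerts that need an analyst's review)."""
    per_caller, alerts = defaultdict(Counter), []
    for rec in records:
        kind = change_kind(rec.get("operationName", ""))
        if kind is None:
            continue                      # other resource providers are out of scope here
        caller = rec.get("caller", "unknown")
        succeeded = rec.get("status", "").lower() == "succeeded"
        if succeeded:
            per_caller[caller][kind] += 1
        reasons = []
        if caller not in approved:
            reasons.append("caller not on allow-list")
        if kind == "delete" and succeeded:
            reasons.append("delete succeeded")
        if reasons:
            alerts.append({"time": rec.get("time"), "caller": caller,
                           "operation": rec.get("operationName"),
                           "status": rec.get("status"),
                           "resource": rec.get("resourceId", "").rsplit("/", 1)[-1],
                           "reasons": reasons})
    return {caller: dict(counts) for caller, counts in per_caller.items()}, alerts


if __name__ == "__main__":
    parsed, bad = load_records(SAMPLE_LOG)
    summary, findings = triage(parsed)
    print("unparsed lines:", bad)
    print("changes per caller:", summary)
    for alert in findings:
        print("ALERT", alert)
```
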
Enable Azure resource logs for HDInsight. You can use Microsoft Defender for Cloud and Azure Policy to enable resource logs and log data collecting. These logs can be critical for investigating security incidents and carrying out forensic exercises.
HDInsight also produces security audit logs for the local administrator accounts. Enable these local admin audit logs.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-5: Centralize security log management and analysis
Guidance: Centralize logging storage for your HDInsight resources for analysis. For each log source, make sure you have:
- An assigned data owner
- Access guidance
- Storage location
- The tools you use to process and access the data
- Data retention requirements
Make sure to integrate Azure activity logs into your central logging.
Ingest logs via Azure Monitor to aggregate security data that endpoint devices, network resources, and other security systems generate. In Azure Monitor, use Log Analytics workspaces to query and do analytics.
Use Azure Storage accounts for long-term and archival storage.
Enable and onboard data to Microsoft Sentinel or a third-party SIEM. Many organizations use Microsoft Sentinel for “hot” data they use frequently and Azure Storage for “cold” data they use less frequently.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-6: Configure log storage retention
Guidance: Make sure that any storage accounts or Log Analytics workspaces you use to store HDInsight logs have log retention periods set according to your organization's compliance regulations.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
LT-7: Use approved time synchronization sources
Guidance: Microsoft maintains time sources for most Azure platform PaaS and SaaS services. For your VMs, use a Microsoft default network time protocol (NTP) server for time synchronization unless you have a specific requirement. If you need to stand up your own NTP server, ensure that you secure the UDP service port 123. All logs generated by resources within Azure provide time stamps with the time zone specified by default.
- How to configure time synchronization for Azure Windows compute resources
- How to configure time synchronization for Azure Linux compute resources
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
Posture and Vulnerability Management
For more information, see the Azure Security Benchmark: Posture and Vulnerability Management.
PV-1: Establish secure configurations for Azure services
Guidance: Use Azure Policy aliases in the "Microsoft.HDInsight" namespace to create custom policies. Configure the policies to audit or enforce the network configuration of your HDInsight cluster.
If you have a Rapid7, Qualys, or any other vulnerability management platform subscription, you have options. You can use script actions to install vulnerability assessment agents on your Azure HDInsight cluster nodes and manage the nodes through the respective portal.
With Azure HDInsight ESP, you can use Apache Ranger to create and manage fine-grained access control and data obfuscation policies. You can do so for your data stored in:
- Files
- Folders
- Databases
- Tables
- Rows
- Columns
The Hadoop admin can configure Azure RBAC to secure Apache Hive, HBase, Kafka, and Spark using those plugins in Apache Ranger.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-2: Sustain secure configurations for Azure services
Guidance: Use the Azure Policy [deny] and [deploy if not exist] effects to enforce secure settings for your Azure HDInsight clusters and related resources.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-3: Establish secure configurations for compute resources
Guidance: Ubuntu images become available for new Azure HDInsight cluster creation within three months of being published. Running clusters aren't autopatched. Customers must use script actions or other mechanisms to patch a running cluster. As a best practice, you can run these script actions and apply security updates right after the cluster creation.
Use Microsoft Defender for Cloud and Azure Policy to establish secure configurations on all compute resources including VMs, containers, and others.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-4: Sustain secure configurations for compute resources
Guidance: Azure HDInsight operating system images are managed and maintained by Microsoft. However, you're responsible for implementing OS-level state configuration for that image.
Use Microsoft Defender for Cloud and Azure Policy to regularly assess and remediate configuration risks on Azure compute resources, including VMs and containers. You can also use these resources to maintain the operating system security configuration your organization requires:
- Azure Resource Manager (ARM) templates.
- Custom operating system images.
- Azure Automation state configuration.
Microsoft VM templates combined with Azure Automation State Configuration can help meet and maintain security requirements.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
PV-5: Securely store custom operating system and container images
Guidance: HDInsight lets customers manage operating system images or container images. Use Azure RBAC to ensure that only authorized users can access your custom images. Use an Azure Shared Image Gallery to share your images to different users, service principals, or Azure AD groups in your organization. Store container images in Azure Container Registry, and use Azure RBAC to ensure that only authorized users have access.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-6: Perform software vulnerability assessments
Guidance: HDInsight can use a third-party solution for performing vulnerability assessments on network devices and web applications. When conducting remote scans, don't use a single, perpetual administrative account. Consider implementing JIT provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
As required, export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-7: Rapidly and automatically remediate software vulnerabilities
Guidance: Running HDInsight clusters aren't autopatched. Only use script actions or other mechanisms to patch a running cluster. As a best practice, you can run these script actions and apply security updates right after the cluster creation.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
PV-8: Conduct regular attack simulation
Guidance: Conduct penetration testing or red team activities on your Azure resources as needed, and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests don't violate Microsoft policies. Use Microsoft's Red Teaming strategy and execution. Do live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Responsibility: Shared
Microsoft Defender for Cloud monitoring: None
Endpoint Security
For more information, see the Azure Security Benchmark: Endpoint Security.
ES-1: Use Endpoint Detection and Response
Guidance: Azure HDInsight doesn't support Defender natively. It uses ClamAV. Forward the ClamAV logs to a centralized SIEM or other detection and alerting system.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
ES-2: Use centrally managed modern anti-malware software
Guidance: Azure HDInsight comes with Clamscan pre-installed and enabled for the cluster node images. However, you must manage the software and manually aggregate/monitor any logs Clamscan produces.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
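The parsing step behind forwarding and aggregating the ClamAV logs named in ES-1 and ES-2, as an added example that is not Microsoft's code: it turns clamscan report text into one JSON event per detection plus a summary event per scan run, and marks runs whose summary is missing or disagrees with the parsed detections. It assumes the usual clamscan report layout (`<path>: <signature> FOUND` lines and a `SCAN SUMMARY` block); the sample log, host name and event field names are constructed.

```python
"""Turn clamscan report text into JSON events that a SIEM can ingest."""
import json
import re

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<signature>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s+(?P<value>.+)$")
SUMMARY_MARK = "SCAN SUMMARY"

# Constructed sample: one complete scan run, then a run cut off before its summary.
SAMPLE_LOG = """\
/data/landing/report.pdf: OK
/data/landing/invoice: final.zip: Win.Test.EICAR_HDB-1 FOUND
/tmp/upload/sample.bin: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8600000
Engine version: 0.103.9
Scanned directories: 4
Scanned files: 3
Infected files: 2
Time: 12.500 sec (0 m 12 s)

/data/landing/second-run.tar: Eicar-Test-Signature FOUND
"""


def _to_int(value):
    """Convert a summary value to int, or None when it is absent or not numeric."""
    return int(value) if value is not None and value.isdigit() else None


def parse_clamscan_log(text, host):
    """Return detection events followed by one summary event for each scan run."""
    events, detections, summary = [], [], None

    def close_run():
        nonlocal detections, summary
        if summary is None and not detections:
            return
        reported = _to_int(summary.get("Infected files")) if summary else None
        complete = summary is not None
        events.extend(detections)
        events.append({
            "event": "clamscan_summary", "host": host,
            "detections_parsed": len(detections),
            "infected_reported": reported,
            "scanned_files": _to_int(summary.get("Scanned files")) if summary else None,
            "complete": complete,
            # A missing summary or a count mismatch suggests a truncated or rotated log.
            "needs_review": (not complete) or reported != len(detections),
        })
        detections, summary = [], None

    for raw in text.splitlines():
        line = raw.strip()
        if summary is not None:
            match = SUMMARY_RE.match(line)
            if match:
                summary[match["key"].strip()] = match["value"].strip()
                continue
            close_run()                   # the summary block has ended
        if SUMMARY_MARK in line:
            summary = {}
            continue
        match = FOUND_RE.match(line)
        if match:
            detections.append({"event": "clamscan_detection", "host": host,
                               "path": match["path"], "signature": match["signature"]})
    close_run()                           # also covers a log cut off before its summary
    return events


def to_json_lines(events):
    """Serialize events as JSON lines, the shape most log shippers accept."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in events)


if __name__ == "__main__":
    # "wn0-hdi" is a hypothetical node name used only for this example.
    print(to_json_lines(parse_clamscan_log(SAMPLE_LOG, host="wn0-hdi")))
```
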
ES-3: Ensure anti-malware software and signatures are updated
Guidance: Azure HDInsight comes with Clamscan pre-installed and enabled for the cluster node images. Clamscan will perform engine and definition updates automatically and update its anti-malware signatures based on ClamAV’s official virus signature database.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Backup and Recovery
For more information, see the Azure Security Benchmark: Backup and Recovery.
BR-3: Validate all backups including customer-managed keys
Guidance: If you're using Azure Key Vault with your Azure HDInsight deployment, periodically test restoration of backed up customer-managed keys.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
BR-4: Mitigate risk of lost keys
Guidance: If you're using Azure Key Vault with your Azure HDInsight deployment, enable soft delete in Key Vault to protect keys against accidental or malicious deletion.
Responsibility: Customer
Microsoft Defender for Cloud monitoring: None
Next steps
- See the Azure Security Benchmark V2 overview
- Learn more about Azure security baselines