Common questions about cloud security posture management (CSPM)

One of Microsoft Defender for Cloud's main pillars for cloud security is Cloud Security Posture Management (CSPM). CSPM provides you with hardening guidance that helps you efficiently and effectively improve your security. CSPM also gives you visibility into your current security situation.

If I address only three out of four recommendations in a security control, will my secure score change?

No. It doesn't change until you remediate all of the recommendations for a single resource. To get the maximum score for a control, you must remediate all recommendations for all resources.

If a security control offers me zero points towards my secure score, should I ignore it?

In some cases, you'll see a control max score greater than zero, but the impact is zero. When the incremental score for fixing resources is negligible, it's rounded to zero. Don't ignore these recommendations because they still bring security improvements. The only exception is the "Additional Best Practice" control. Remediating these recommendations doesn't increase your score, but it enhances your overall security.
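A small model of the scoring behaviour described in the two answers above (a constructed example, not Microsoft's code). It assumes a control scores max_score × healthy resources / total resources, that a resource is healthy only once every recommendation in the control is remediated for it, and that displayed scores are rounded to one decimal place; the control and recommendation names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """One security control: its max score and the recommendations still open per resource."""
    name: str
    max_score: float
    # resource id -> set of recommendation ids that are still unhealthy on that resource
    open_recs: dict[str, set[str]] = field(default_factory=dict)

    def healthy_resources(self) -> int:
        # A resource is healthy only once every recommendation in the control is remediated.
        return sum(1 for remaining in self.open_recs.values() if not remaining)

    def raw_score(self) -> float:
        # Assumed scoring rule: max_score * healthy resources / total resources.
        total = len(self.open_recs)
        return self.max_score * self.healthy_resources() / total if total else 0.0

    def displayed_score(self, digits: int = 1) -> float:
        # Rounding to one decimal is an assumption of this model, not Defender's exact rule.
        return round(self.raw_score(), digits)

    def remediate(self, resource: str, rec: str) -> None:
        self.open_recs[resource].discard(rec)


def partial_remediation_demo() -> tuple[float, float, float]:
    """Three of four recommendations fixed on one VM: score unchanged until the fourth is fixed."""
    recs = {"disk-encryption", "endpoint-protection", "jit-access", "os-updates"}
    ctrl = Control("Protect machines", 4.0,
                   {vm: set(recs) for vm in ("vm1", "vm2", "vm3", "vm4")})
    before = ctrl.displayed_score()
    for rec in ("disk-encryption", "endpoint-protection", "jit-access"):
        ctrl.remediate("vm1", rec)
    after_three = ctrl.displayed_score()          # still 0.0: vm1 is not yet healthy
    ctrl.remediate("vm1", "os-updates")
    after_all = ctrl.displayed_score()            # 1.0: one of four resources healthy
    return before, after_three, after_all


def negligible_impact_demo() -> tuple[float, float]:
    """Fixing one of 1000 resources in a 1-point control: real gain, displayed gain rounds to 0."""
    ctrl = Control("Enable auditing", 1.0, {f"db{i}": {"auditing"} for i in range(1000)})
    ctrl.remediate("db0", "auditing")
    return ctrl.raw_score(), ctrl.displayed_score()
```

The second function is the "max score greater than zero, but impact zero" case: the control still has real points to give, so the recommendation is still worth remediating.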

How does scanning affect the instances?

Since the scanning process is an out-of-band analysis of disk snapshots, it doesn't impact the actual workloads and isn't visible to the guest operating system.

How does scanning affect the account/subscription?

The scanning process has minimal footprint on your accounts and subscriptions.

The changes made in each cloud provider are:

Azure:
- Adds a "VM Scanner Operator" role assignment
- Adds a "vmScanners" resource with the relevant configurations used to manage the scanning process

AWS:
- Adds a role assignment
- Adds an authorized audience to the OpenID Connect provider
- Creates snapshots next to the scanned volumes, in the same account, for the duration of the scan (typically a few minutes)

GCP:
- Adds a role assignment

What is the Virtual Machine (VM) scan freshness?

Each VM is scanned every 24 hours.

Can I calculate the secure score at the resource group level?

Secure score is calculated per Azure subscription, AWS account, or GCP project. You can also view the secure score at a management scope, such as an Azure management group, AWS management account, or GCP organization. There's no secure score per resource group.