FAQ - General questions about Microsoft Defender for Cloud

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud helps you prevent, detect, and respond to threats with increased visibility into and control over the security of your resources. It provides integrated security monitoring and policy management across your subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Defender for Cloud uses the Log Analytics agent to collect and store data. For in-depth details, see Data collection in Microsoft Defender for Cloud.

How do I get Microsoft Defender for Cloud?

Microsoft Defender for Cloud is enabled with your Microsoft Azure subscription and accessed from the Azure portal. To access it, sign in to the portal, select Browse, and scroll to Defender for Cloud.

Which Azure resources are monitored by Microsoft Defender for Cloud?

Microsoft Defender for Cloud monitors the following Azure resources:

How can I see the current security state of my Azure resources?

The Defender for Cloud Overview page shows the overall security posture of your environment broken down by Compute, Networking, Storage & data, and Applications. Each resource type has an indicator showing identified security vulnerabilities. Clicking each tile displays a list of security issues identified by Defender for Cloud, along with an inventory of the resources in your subscription.

What is a security initiative?

A security initiative defines the set of controls (policies) that are recommended for resources within the specified subscription. In Microsoft Defender for Cloud, you assign initiatives for your Azure subscriptions according to your company's security requirements and the type of applications or sensitivity of the data in each subscription.

The security policies enabled in Microsoft Defender for Cloud drive security recommendations and monitoring. Learn more in What are security policies, initiatives, and recommendations?.

Who can modify a security policy?

To modify a security policy, you must be a Security Administrator or an Owner of that subscription.

To learn how to configure a security policy, see Setting security policies in Microsoft Defender for Cloud.

What is a security recommendation?

Microsoft Defender for Cloud analyzes the security state of your Azure resources. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the needed control. Examples are:

  • Provisioning of anti-malware to help identify and remove malicious software
  • Network security groups and rules to control traffic to virtual machines
  • Provisioning of a web application firewall to help defend against attacks targeting your web applications
  • Deploying missing system updates
  • Addressing OS configurations that do not match the recommended baselines

Only recommendations that are enabled in Security Policies are shown here.

What triggers a security alert?

Microsoft Defender for Cloud automatically collects, analyzes, and fuses log data from your Azure resources, the network, and partner solutions like antimalware and firewalls. When threats are detected, a security alert is created. Examples include detection of:

  • Compromised virtual machines communicating with known malicious IP addresses
  • Advanced malware detected using Windows error reporting
  • Brute force attacks against virtual machines
  • Security alerts from integrated partner security solutions such as Anti-Malware or Web Application Firewalls

What's the difference between threats detected and alerted on by Microsoft Security Response Center versus Microsoft Defender for Cloud?

The Microsoft Security Response Center (MSRC) performs select security monitoring of the Azure network and infrastructure and receives threat intelligence and abuse complaints from third parties. When MSRC becomes aware that customer data has been accessed by an unlawful or unauthorized party or that the customer’s use of Azure does not comply with the terms for Acceptable Use, a security incident manager notifies the customer. Notification typically occurs by sending an email to the security contacts specified in Microsoft Defender for Cloud or the Azure subscription owner if a security contact is not specified.

Defender for Cloud is an Azure service that continuously monitors the customer’s Azure environment and applies analytics to automatically detect a wide range of potentially malicious activity. These detections are surfaced as security alerts in the workload protection dashboard.