Introduction to Azure Defender
Azure Security Center's features cover the two broad pillars of cloud security:
Cloud security posture management (CSPM) - Security Center is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with the built-in policies.
Cloud workload protection (CWP) - Security Center's integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent, protection of your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range of additional security features as described on this page. In addition to the built-in policies, when you've enabled any Azure Defender plan, you can add custom policies and initiatives. You can add regulatory standards - such as NIST and Azure CIS - as well as the Azure Security Benchmark for a truly customized view of your compliance.
The Azure Defender dashboard in Security Center provides visibility and control of the CWP features for your environment:
What resource types can Azure Defender secure?
Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.
When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:
- Azure Defender for servers
- Azure Defender for App Service
- Azure Defender for Storage
- Azure Defender for SQL
- Azure Defender for IoT
- Azure Defender for Kubernetes
- Azure Defender for container registries
- Azure Defender for Key Vault
Each of these plans is explained separately in the Security Center documentation.
Hybrid cloud protection
As well as defending your Azure environment, you can add Azure Defender capabilities to your hybrid cloud environment:
- Protect your non-Azure servers
- Protect your virtual machines in other clouds (such as AWS and GCP)
- Protect your IoT devices
You'll get customized threat intelligence and prioritized alerts according to your specific environment so that you can focus on what matters the most.
To extend protection to virtual machines and SQL databases that are in other clouds or on-premises, deploy Azure Arc and enable Azure Defender. Azure Arc for servers is a free service, but services that are used on Arc enabled servers, for example Azure Defender, will be charged as per the pricing for that service. Learn more in Add non-Azure machines with Azure Arc.
The native connector for AWS transparently handles the Azure Arc deployment for you. Learn more in Connect your AWS accounts to Azure Security Center.
Azure Defender alerts
When Azure Defender detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.
Whether an alert is generated by Security Center, or received by Security Center from an integrated security product, you can export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.
Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
Azure Defender advanced protection capabilities
Azure Defender uses advanced analytics for tailored recommendations related to your resources.
Protections include securing the management ports of your VMs with just-in-time access and adaptive application controls to create allow lists for what apps should and shouldn't run on your machines.
Use the advanced protection tiles in the Azure Defender dashboard to monitor and configure each of these protections.
Vulnerability assessment and management
Azure Defender includes vulnerability scanning for your virtual machines and container registries at no extra cost. The scanners are powered by Qualys but you don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center.
Review the findings from these vulnerability scanners and respond to them all from within Security Center. This brings Security Center closer to being the single pane of glass for all of your cloud security efforts.
Learn more on the following pages:
- Security Center's integrated vulnerability assessment solution for Azure virtual machines
- Identify vulnerabilities in images in Azure container registries
In this article, you learned about the benefits of Azure Defender.