Introduction to Azure Defender

Azure Security Center's features cover the two broad pillars of cloud security:

  • Cloud security posture management (CSPM) - Security Center is available for free to all Azure users. The free experience includes CSPM features such as secure score, detection of security misconfigurations in your Azure machines, asset inventory, and more. Use these CSPM features to strengthen your hybrid cloud posture and track compliance with the built-in policies.

  • Cloud workload protection (CWP) - Security Center's integrated cloud workload protection platform (CWPP), Azure Defender, brings advanced, intelligent protection of your Azure and hybrid resources and workloads. Enabling Azure Defender brings a range of additional security features as described on this page. In addition to the built-in policies, when you've enabled any Azure Defender plan, you can add custom policies and initiatives. You can add regulatory standards - such as NIST and Azure CIS - as well as the Azure Security Benchmark for a truly customized view of your compliance.

The Azure Defender dashboard in Security Center provides visibility and control of the CWP features for your environment:

An example of the Azure Defender dashboard

What resource types can Azure Defender secure?

Azure Defender provides security alerts and advanced threat protection for virtual machines, SQL databases, containers, web applications, your network, and more.

When you enable Azure Defender from the Pricing and settings area of Azure Security Center, the following Defender plans are all enabled simultaneously and provide comprehensive defenses for the compute, data, and service layers of your environment:

Each of these plans is explained separately in the Security Center documentation.

Hybrid cloud protection

As well as defending your Azure environment, you can add Azure Defender capabilities to your hybrid cloud environment:

  • Protect your non-Azure servers
  • Protect your virtual machines in other clouds (such as AWS and GCP)
  • Protect your IoT devices

You'll get customized threat intelligence and prioritized alerts according to your specific environment so that you can focus on what matters the most.

To extend protection to virtual machines and SQL databases that are in other clouds or on-premises, deploy Azure Arc and enable Azure Defender. Azure Arc for servers is a free service, but services that are used on Arc-enabled servers, for example Azure Defender, are charged according to the pricing for that service. Learn more in Add non-Azure machines with Azure Arc.

Tip

The native connector for AWS transparently handles the Azure Arc deployment for you. Learn more in Connect your AWS accounts to Azure Security Center.

Azure Defender alerts

When Azure Defender detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response.

Whether an alert is generated by Security Center, or received by Security Center from an integrated security product, you can export it. To export your alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.

Note

Alerts from different sources might take different amounts of time to appear. For example, alerts that require analysis of network traffic might take longer to appear than alerts related to suspicious processes running on virtual machines.
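The paragraphs above describe alerts as records that name the affected resource, carry suggested remediation steps, can be exported to any third-party SIEM, and may appear with a delay that depends on the alert source. The following Python script is an added example, not code from the Azure documentation or from Security Center itself: it parses a constructed JSON export of alerts, rejects malformed records, derives the resource type from the ARM resource ID, measures the detection lag the note mentions, ranks alerts by severity, and renders each one as a CEF line for a SIEM. The field names (alertType, alertDisplayName, severity, compromisedEntity, resourceId, startTimeUtc, timeGenerated, remediationSteps), the sample values, and the mapping of severities onto the CEF 0-10 scale are assumptions made for this example, not the documented export schema.

```python
import json
from datetime import datetime, timezone

# Severity labels used by Security Center alerts, ranked for sorting.
SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}
# Our own mapping onto the 0-10 severity scale of the CEF header (an assumption).
CEF_SEVERITY = {"High": 8, "Medium": 5, "Low": 2, "Informational": 0}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/"

# Constructed sample export: field names are assumed, values are made up.
SAMPLE_EXPORT = json.dumps([
    {"alertType": "VM_SuspiciousProcess", "alertDisplayName": "Suspicious process executed",
     "severity": "High", "compromisedEntity": "vm-web-01",
     "resourceId": SUB + "Microsoft.Compute/virtualMachines/vm-web-01",
     "startTimeUtc": "2021-03-01T10:00:00Z", "timeGenerated": "2021-03-01T10:02:00Z",
     "remediationSteps": ["Review the process command line", "Isolate the VM if malicious"]},
    {"alertType": "SQL_BruteForce", "alertDisplayName": "Brute force attempt on SQL server",
     "severity": "Medium", "compromisedEntity": "sql-prod",
     "resourceId": SUB + "Microsoft.Sql/servers/sql-prod",
     "startTimeUtc": "2021-03-01T10:10:00Z", "timeGenerated": "2021-03-01T10:15:00Z",
     "remediationSteps": ["Restrict server firewall rules", "Enforce strong passwords"]},
    {"alertType": "Network_AnomalousTraffic", "alertDisplayName": "Anomalous outbound traffic",
     "severity": "Low", "compromisedEntity": "vm-web-01",
     "resourceId": SUB + "Microsoft.Network/networkInterfaces/vm-web-01-nic",
     "startTimeUtc": "2021-03-01T09:00:00Z", "timeGenerated": "2021-03-01T11:30:00Z",
     "remediationSteps": []},  # network alerts can lag the observed activity
])

REQUIRED = {"alertType", "alertDisplayName", "severity", "resourceId", "startTimeUtc", "timeGenerated"}


def parse_alerts(raw_json):
    """Load an export and reject records that lack required fields or use an unknown severity."""
    alerts = []
    for rec in json.loads(raw_json):
        missing = REQUIRED - rec.keys()
        if missing:
            raise ValueError(f"alert missing fields: {sorted(missing)}")
        if rec["severity"] not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {rec['severity']!r}")
        alerts.append(rec)
    return alerts


def resource_type(resource_id):
    """Return 'Provider/type' (e.g. Microsoft.Compute/virtualMachines) from an ARM resource ID."""
    parts = resource_id.split("/")
    if "providers" not in parts:
        return "unknown"
    i = parts.index("providers")
    return f"{parts[i + 1]}/{parts[i + 2]}" if len(parts) > i + 2 else "unknown"


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detection_lag_seconds(alert):
    """Seconds between the start of the observed activity and the alert being generated."""
    return int((_ts(alert["timeGenerated"]) - _ts(alert["startTimeUtc"])).total_seconds())


def triage(alerts, min_severity="Medium"):
    """Drop alerts below min_severity; order the rest highest severity first, then oldest first."""
    floor = SEVERITY_RANK[min_severity]
    kept = [a for a in alerts if SEVERITY_RANK[a["severity"]] >= floor]
    return sorted(kept, key=lambda a: (-SEVERITY_RANK[a["severity"]], a["timeGenerated"]))


def _hdr_escape(field):
    # CEF header fields must escape backslash and the pipe delimiter.
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _ext_escape(value):
    # CEF extension values must escape backslash, '=' and newlines.
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(alert):
    """Render one alert as a CEF line that a CEF-capable SIEM can ingest."""
    header = "|".join(_hdr_escape(x) for x in (
        "CEF:0", "Microsoft", "Azure Security Center", "1.0",
        alert["alertType"], alert["alertDisplayName"], str(CEF_SEVERITY[alert["severity"]]),
    ))
    ext = {
        "rt": int(_ts(alert["timeGenerated"]).timestamp() * 1000),  # epoch milliseconds
        "dvchost": alert.get("compromisedEntity", ""),
        "cs1Label": "resourceType", "cs1": resource_type(alert["resourceId"]),
        "cs2Label": "resourceId", "cs2": alert["resourceId"],
        "cs3Label": "remediation", "cs3": "; ".join(alert.get("remediationSteps", [])),
    }
    return header + "|" + " ".join(f"{k}={_ext_escape(v)}" for k, v in ext.items())


if __name__ == "__main__":
    for a in triage(parse_alerts(SAMPLE_EXPORT), min_severity="Low"):
        print(f"lag={detection_lag_seconds(a):>5}s  {to_cef(a)}")
```

The severity floor in `triage` is where a team decides which alerts go to the SIEM unfiltered; the lag column makes the note's point visible, since the network alert in the sample was generated two and a half hours after the activity it describes while the VM process alert took two minutes.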

Azure Defender advanced protection capabilities

Azure Defender uses advanced analytics for tailored recommendations related to your resources.

Protections include securing the management ports of your VMs with just-in-time access and adaptive application controls to create allow lists for what apps should and shouldn't run on your machines.

Use the advanced protection tiles in the Azure Defender dashboard to monitor and configure each of these protections.

Vulnerability assessment and management

Azure Defender includes vulnerability scanning for your virtual machines and container registries at no extra cost. The scanners are powered by Qualys but you don't need a Qualys license or even a Qualys account - everything's handled seamlessly inside Security Center.

Review the findings from these vulnerability scanners and respond to them all from within Security Center. This brings Security Center closer to being the single pane of glass for all of your cloud security efforts.

Learn more on the following pages:

Next steps

In this article, you learned about the benefits of Azure Defender.