Introduction to Azure Defender for Resource Manager

Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.

The cloud management layer is a crucial service connected to all your cloud resources. Because of this, it is also a potential target for attackers. Consequently, we recommend security operations teams monitor the resource management layer closely.

Azure Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Azure Defender runs advanced security analytics to detect threats and alert you about suspicious activity.

Availability

Aspect Details
Release state: Preview
The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Pricing: Azure Defender for Resource Manager is billed as shown on the pricing page
Clouds: Yes Commercial clouds
No National/Sovereign (US Gov, China Gov, Other Gov)

What are the benefits of Azure Defender for Resource Manager?

Azure Defender for Resource Manager protects against issues including:

  • Suspicious resource management operations, such as operations from suspicious IP addresses, disabling antimalware and suspicious scripts running in VM extensions
  • Use of exploitation toolkits like Microburst or PowerZure
  • Lateral movement from the Azure management layer to the Azure resources data plane

Azure Resource Manager overview diagram

A full list of the alerts provided by Azure Defender for Resource Manager is on the alerts reference page.

How to investigate alerts from Azure Defender for Resource Manager

Security alerts from Azure Defender for Resource Manager are based on threats detected by monitoring Azure Resource Manager operations. Azure Defender uses internal log sources of Azure Resource Manager as well as Azure Activity log, a platform log in Azure that provides insight into subscription-level events.

Learn more about Azure Activity log.

To investigate security alerts from Azure Defender for Resource Manager:

  1. Open Azure Activity log.

    How to open Azure Activity log

  2. Filter the events to:

    • The subscription mentioned in the alert
    • The timeframe of the detected activity
    • The related user account (if relevant)
  3. Look for suspicious activities.

Tip

For a better, richer investigation experience, stream your Azure activity logs to Azure Sentinel as described in Connect data from Azure Activity log.

Next steps

In this article, you learned about Azure Defender for Resource Manager. For related material, see the following article:

  • Security alerts might be generated by Security Center or received by Security Center from different security products. To export all of these alerts to Azure Sentinel, any third-party SIEM, or any other external tool, follow the instructions in Exporting alerts to a SIEM.