Infrastructure integrations
Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Zero Trust infrastructure solutions assess, monitor, and prevent security threats to these services.
Zero Trust infrastructure solutions support the principles of Zero Trust by ensuring that access to infrastructure resources is verified explicitly, access is granted using principles of least privilege access, and mechanisms are in place that assume breach and look for and remediate security threats in infrastructure.
This guidance is for software providers and technology partners who want to enhance their infrastructure security solutions by integrating with Microsoft products.
Zero Trust integration for Infrastructure guide
This integration guide includes strategy and instructions for integrating with Microsoft Defender for Cloud and its integrated cloud workload protection plans, Microsoft Defender for ... (Servers, Containers, Databases, Storage, App Services, and more).
The guidance includes integrations with the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), Endpoint Detection and Response (EDR), and IT Service Management (ITSM) solutions.
Zero Trust and Defender for Cloud
Our Zero Trust infrastructure deployment guidance provides key stages of the Zero Trust strategy for infrastructure. These are:
- Assess compliance with chosen standards and policies
- Harden configuration wherever gaps are found
- Employ other hardening tools such as just-in-time (JIT) VM access
- Set up threat detection and protections
- Automatically block and flag risky behavior and take protective actions
There's a clear mapping from the goals we've described in the infrastructure deployment guidance to the core aspects of Defender for Cloud.
| Zero Trust goal | Defender for Cloud feature |
|---|---|
| Assess compliance | In Defender for Cloud, every subscription automatically has the Microsoft cloud security benchmark (MCSB) assigned as the default security initiative. Using the secure score tools and the regulatory compliance dashboard you can get a deep understanding of your customer's security posture. |
| Harden configuration | Assigning security initiatives to subscriptions, and reviewing the secure score, leads you to the hardening recommendations built into Defender for Cloud. Defender for Cloud periodically analyzes the compliance status of resources to identify potential security misconfigurations and weaknesses. It then provides recommendations on how to remediate those issues. |
| Employ hardening mechanisms | As well as one-time fixes to security misconfigurations, Defender for Cloud includes features to further harden your resources such as: Just-in-time (JIT) virtual machine (VM) access Adaptive network hardening Adaptive application controls. |
| Set up threat detection | Defender for Cloud offers integrated cloud workload protection plans, for threat detection and response. The plans provide advanced, intelligent, protection of Azure, hybrid, and multicloud resources and workloads. One of the Microsoft Defender plans, Defender for servers, includes a native integration with Microsoft Defender for Endpoint. Learn more in Introduction to Microsoft Defender for Cloud. |
| Automatically block suspicious behavior | Many of the hardening recommendations in Defender for Cloud offer a deny option. This feature lets you prevent the creation of resources that don't satisfy defined hardening criteria. Learn more in Prevent misconfigurations with Enforce/Deny recommendations. |
| Automatically flag suspicious behavior | Microsoft Defender for Cloud's security alerts are triggered by advanced detections. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Defender for Cloud also provides detailed steps to help you remediate attacks. For a full list of the available alerts, see Security alerts - a reference guide. |
Protect your Azure PaaS services with Defender for Cloud
With Defender for Cloud enabled on your subscription, and the Defender workload protection plans enabled for all available resource types, you'll have a layer of intelligent threat protection - powered by Microsoft Threat Intelligence - protecting resources in Azure Key Vault, Azure Storage, Azure DNS, and other Azure PaaS services. For a full list, see the PaaS services listed in the Support matrix.
Azure Logic Apps
Use Azure Logic Apps to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.
Defender for Cloud's workflow automation feature lets you automate responses to Defender for Cloud triggers.
This is great way to define and respond in an automated, consistent manner when threats are discovered. For example, to notify relevant stakeholders, launch a change management process, and apply specific remediation steps when a threat is detected.
Integrate Defender for Cloud with your SIEM, SOAR, and ITSM solutions
Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.
There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:
- Microsoft Sentinel
- Splunk Enterprise and Splunk Cloud
- IBM's QRadar
- ServiceNow
- ArcSight
- Power BI
- Palo Alto Networks
Microsoft Sentinel
Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.
There are two approaches to ensuring your Defender for Cloud data is represented in Microsoft Sentinel:
Sentinel connectors - Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:
- Stream alerts to Microsoft Sentinel at the subscription level
- Connect all subscriptions in your tenant to Microsoft Sentinel
Tip
Learn more in Connect security alerts from Microsoft Defender for Cloud.
Stream your audit logs - An alternative way to investigate Defender for Cloud alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel:
Stream alerts with Microsoft Graph Security API
Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.
You can use this API to stream alerts from the entire tenant (and data from many other Microsoft Security products) into third-party SIEMs and other popular platforms:
- Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On for Splunk
- Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop
- ServiceNow - Follow the instructions to install and configure the Microsoft Graph Security API application from the ServiceNow Store
- QRadar - IBM's Device Support Module for Microsoft Defender for Cloud via Microsoft Graph API
- Palo Alto Networks, Anomali, Lookout, InSpark, and more - Microsoft Graph Security API
Learn more about Microsoft Graph Security API.
Stream alerts with Azure Monitor
Use Defender for Cloud's continuous export feature to connect Defender for Cloud with Azure monitor via Azure Event Hubs and stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions.
Learn more in Stream alerts with Azure Monitor.
This can also be done at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.
Tip
To view the event schemas of the exported data types, visit the Event Hub event schemas.
Integrate Defender for Cloud with an Endpoint Detection and Response (EDR) solution
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution.
Microsoft Defender for servers, includes an integrated license for Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities. For more information, see Protect your endpoints.
When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud and you can pivot to the Defender for Endpoint console to perform a detailed investigation and uncover the scope of the attack. Learn more about Microsoft Defender for Endpoint.
Other EDR solutions
Defender for Cloud provides hardening recommendations to ensure you're securing your organization's resources according to the guidance of Microsoft cloud security benchmark (MCSB). One of the controls in the benchmark relates to endpoint security: ES-1: Use Endpoint Detection and Response (EDR).
There are two recommendations in Defender for Cloud to ensure you've enabled endpoint protection and it's running well. These recommendations are checking for the presence and operational health of EDR solutions from:
- Trend Micro
- Symantec
- McAfee
- Sophos
Learn more in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.
Apply your Zero Trust strategy to hybrid and multi cloud scenarios
With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.
Microsoft Defender for Cloud protects workloads wherever they're running: in Azure, on-premises, Amazon Web Services (AWS), or Google Cloud Platform (GCP).
Integrate Defender for Cloud with on-premises machines
To secure hybrid cloud workloads, you can extend Defender for Cloud's protections by connecting on-premises machines to Azure Arc enabled servers.
Learn about how to connect machines in Connect your non-Azure machines to Defender for Cloud.
Integrate Defender for Cloud with other cloud environments
To view the security posture of Amazon Web Services machines in Defender for Cloud, onboard AWS accounts into Defender for Cloud. This will integrate AWS Security Hub and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and AWS Security Hub findings and provide a range of benefits as described in Connect your AWS accounts to Microsoft Defender for Cloud.
To view the security posture of Google Cloud Platform machines in Defender for Cloud, onboard GCP accounts into Defender for Cloud. This will integrate GCP Security Command and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and GCP Security Command Center findings and provide a range of benefits as described in Connect your GCP accounts to Microsoft Defender for Cloud.
Next steps
To learn more about Microsoft Defender for Cloud, see the complete Defender for Cloud documentation.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for