What's new in Microsoft Defender for Cloud?

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

Defender for Cloud is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.

This page is updated frequently, so revisit it often.

To learn about planned changes that are coming soon to Defender for Cloud, see Important upcoming changes to Microsoft Defender for Cloud.

Tip

If you're looking for items older than six months, you'll find them in the Archive for What's new in Microsoft Defender for Cloud.

December 2021

New alerts for Microsoft Defender for Storage released for general availability (GA)

Threat actors use tools and scripts to scan for publicly open containers in the hope of finding misconfigured open storage containers with sensitive data.

Microsoft Defender for Storage detects these scanners so that you can block them and remediate your posture.

The preview alert that detected this was called “Anonymous scan of public storage containers”. To provide greater clarity about the suspicious events discovered, we've divided this into two new alerts. These alerts are relevant to Azure Blob Storage only.

We have improved the detection logic, updated the alert metadata, and changed the alert name and alert type.

These are the new alerts:

Alert: Publicly accessible storage containers successfully discovered
Alert type: Storage.Blob_OpenContainersScanning.SuccessfulDiscovery
Description: A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool. This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them. The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.
Applies to: ✔ Azure Blob Storage, ✖ Azure Files, ✖ Azure Data Lake Storage Gen2
MITRE tactic: Collection
Severity: Medium

Alert: Publicly accessible storage containers unsuccessfully scanned
Alert type: Storage.Blob_OpenContainersScanning.FailedAttempt
Description: A series of failed attempts to scan for publicly open storage containers were performed in the last hour. This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them. The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.
Applies to: ✔ Azure Blob Storage, ✖ Azure Files, ✖ Azure Data Lake Storage Gen2
MITRE tactic: Collection
Severity: Low
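A small triage helper for the two alerts above, added here as an example and not Microsoft code. It assumes alert rows carry the fields AlertType, Severity, ResourceId and TimeGenerated (named after the SecurityAlert table columns) and uses constructed sample rows; because each alert covers "the last hour", it also treats a run of Low-severity FailedAttempt alerts against one account as persistent probing.

```python
"""Triage helper for the two GA Defender for Storage scanning alerts.

Added example, not Microsoft code. Each alert covers "the last hour", so a
burst of FailedAttempt alerts against one storage account across several
hours is treated as persistent probing even though every single alert is Low.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SUCCESSFUL_DISCOVERY = "Storage.Blob_OpenContainersScanning.SuccessfulDiscovery"
FAILED_ATTEMPT = "Storage.Blob_OpenContainersScanning.FailedAttempt"


def triage(alerts: List[dict], failed_threshold: int = 3,
           window: timedelta = timedelta(hours=6)) -> Dict[str, str]:
    """Return a verdict per storage account resource id.

    - "review-public-containers": at least one SuccessfulDiscovery alert, i.e. a
      scanner actually found an open container, so container access levels on
      that account need to be reviewed and tightened.
    - "persistent-probing": failed_threshold or more FailedAttempt alerts within
      `window`; nothing was found yet, but the account is being targeted.
    - "monitor": anything else.
    """
    by_account: Dict[str, List[dict]] = defaultdict(list)
    for a in alerts:
        if a["AlertType"] in (SUCCESSFUL_DISCOVERY, FAILED_ATTEMPT):
            by_account[a["ResourceId"]].append(a)

    verdicts: Dict[str, str] = {}
    for account, items in by_account.items():
        if any(a["AlertType"] == SUCCESSFUL_DISCOVERY for a in items):
            verdicts[account] = "review-public-containers"
            continue
        times = sorted(datetime.fromisoformat(a["TimeGenerated"])
                       for a in items if a["AlertType"] == FAILED_ATTEMPT)
        # Sliding window: do `failed_threshold` failed alerts fall within `window`?
        persistent = any(
            times[i + failed_threshold - 1] - times[i] <= window
            for i in range(len(times) - failed_threshold + 1)
        )
        verdicts[account] = "persistent-probing" if persistent else "monitor"
    return verdicts


# Constructed sample alert rows (field names follow the SecurityAlert table
# columns AlertType, Severity, ResourceId, TimeGenerated); not real exports.
_RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
        "/providers/Microsoft.Storage/storageAccounts/")
SAMPLE_ALERTS = [
    {"AlertType": SUCCESSFUL_DISCOVERY, "Severity": "Medium",
     "ResourceId": _RID + "acctalpha", "TimeGenerated": "2021-12-01T10:00:00"},
    {"AlertType": FAILED_ATTEMPT, "Severity": "Low",
     "ResourceId": _RID + "acctbeta", "TimeGenerated": "2021-12-01T01:00:00"},
    {"AlertType": FAILED_ATTEMPT, "Severity": "Low",
     "ResourceId": _RID + "acctbeta", "TimeGenerated": "2021-12-01T03:00:00"},
    {"AlertType": FAILED_ATTEMPT, "Severity": "Low",
     "ResourceId": _RID + "acctbeta", "TimeGenerated": "2021-12-01T05:30:00"},
    {"AlertType": FAILED_ATTEMPT, "Severity": "Low",
     "ResourceId": _RID + "acctgamma", "TimeGenerated": "2021-12-01T08:00:00"},
]

if __name__ == "__main__":
    for account, verdict in triage(SAMPLE_ALERTS).items():
        print(account.rsplit("/", 1)[-1], verdict)
```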

November 2021

Azure Security Center and Azure Defender become Microsoft Defender for Cloud

According to the 2021 State of the Cloud report, 92% of organizations now have a multi-cloud strategy. At Microsoft, our goal is to centralize security across these environments and help security teams work more effectively.

Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) is a Cloud Security Posture Management (CSPM) and cloud workload protection (CWP) solution that discovers weaknesses across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments.

At Ignite 2019, we shared our vision to create the most complete approach for securing your digital estate and integrating XDR technologies under the Microsoft Defender brand. Unifying Azure Security Center and Azure Defender under the new name Microsoft Defender for Cloud reflects the integrated capabilities of our security offering and our ability to support any cloud platform.

Native CSPM for AWS and threat protection for Amazon EKS, and AWS EC2

A new environment settings page provides greater visibility and control over your management groups, subscriptions, and AWS accounts. The page is designed to onboard AWS accounts at scale: connect your AWS management account, and you'll automatically onboard existing and future accounts.

When you've added your AWS accounts, Defender for Cloud protects your AWS resources with any or all of the following plans:

  • Defender for Cloud's CSPM features extend to your AWS resources. This agentless plan assesses your AWS resources according to AWS-specific security recommendations and these are included in your secure score. The resources will also be assessed for compliance with built-in standards specific to AWS (AWS CIS, AWS PCI DSS, and AWS Foundational Security Best Practices). Defender for Cloud's asset inventory page is a multi-cloud enabled feature helping you manage your AWS resources alongside your Azure resources.
  • Microsoft Defender for Kubernetes extends its container threat detection and advanced defenses to your Amazon EKS Linux clusters.
  • Microsoft Defender for servers brings threat detection and advanced defenses to your Windows and Linux EC2 instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

Learn more about connecting your AWS accounts to Microsoft Defender for Cloud.

Prioritize security actions by data sensitivity (powered by Azure Purview) (in preview)

Data resources remain a popular target for threat actors. So it's crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments.

To address this challenge, Microsoft Defender for Cloud now integrates sensitivity information from Azure Purview. Azure Purview is a unified data governance service that provides rich insights into the sensitivity of your data within multi-cloud and on-premises workloads.

The integration with Azure Purview extends your security visibility in Defender for Cloud from the infrastructure level down to the data, enabling an entirely new way to prioritize resources and security activities for your security teams.

Learn more in Prioritize security actions by data sensitivity.

Expanded security control assessments with Azure Security Benchmark v3

Microsoft Defender for Cloud's security recommendations are enabled and supported by the Azure Security Benchmark.

Azure Security Benchmark is the Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security.

From Ignite 2021, Azure Security Benchmark v3 is available in Defender for Cloud's regulatory compliance dashboard and enabled as the new default initiative for all Azure subscriptions protected with Microsoft Defender for Cloud.

Enhancements for v3 include:

  • Additional mappings to industry frameworks PCI-DSS v3.2.1 and CIS Controls v8.

  • More granular and actionable guidance for controls with the introduction of:

    • Security Principles - Providing insight into the overall security objectives that build the foundation for our recommendations.
    • Azure Guidance - The technical “how-to” for meeting these objectives.
  • New controls include DevOps security for issues such as threat modeling and software supply chain security, as well as key and certificate management for best practices in Azure.

Learn more in Introduction to Azure Security Benchmark.

Microsoft Sentinel connector's optional bi-directional alert synchronization released for general availability (GA)

In July, we announced a preview feature, bi-directional alert synchronization, for the built-in connector in Microsoft Sentinel (Microsoft's cloud-native SIEM and SOAR solution). This feature is now released for general availability (GA).

When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert will display as closed in Microsoft Sentinel as well. Changing the status of an alert in Defender for Cloud won't affect the status of any Microsoft Sentinel incidents that contain the synchronized Microsoft Sentinel alert, only that of the synchronized alert itself.

When you enable bi-directional alert synchronization, you'll automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident containing a Defender for Cloud alert is closed, Defender for Cloud will automatically close the corresponding original alert.

Learn more in Connect Azure Defender alerts from Azure Security Center and Stream alerts to Azure Sentinel.

New recommendation to push Azure Kubernetes Service (AKS) logs to Sentinel

In a further enhancement to the combined value of Defender for Cloud and Microsoft Sentinel, we'll now highlight Azure Kubernetes Service instances that aren't sending log data to Microsoft Sentinel.

SecOps teams can choose the relevant Microsoft Sentinel workspace directly from the recommendation details page and immediately enable the streaming of raw logs. This seamless connection between the two products makes it easy for security teams to ensure complete logging coverage across their workloads to stay on top of their entire environment.

The new recommendation, "Diagnostic logs in Kubernetes services should be enabled", includes the 'Fix' option for faster remediation.

We've also enhanced the "Auditing on SQL server should be enabled" recommendation with the same Sentinel streaming capabilities.

Recommendations mapped to the MITRE ATT&CK® framework - released for general availability (GA)

We've enhanced Defender for Cloud's security recommendations to show their position in the MITRE ATT&CK® framework. This globally accessible knowledge base of threat actors' tactics and techniques, based on real-world observations, provides more context to help you understand the risks associated with each recommendation in your environment.

You'll find these tactics wherever you access recommendation information:

  • Azure Resource Graph query results for relevant recommendations include the MITRE ATT&CK® tactics and techniques.

  • Recommendation details pages show the mapping for all relevant recommendations.

  • The recommendations page in Defender for Cloud has a new filter to select recommendations according to their associated tactic.

Learn more in Review your security recommendations.

Microsoft Threat and Vulnerability Management added as vulnerability assessment solution - released for general availability (GA)

In October, we announced an extension to the integration between Microsoft Defender for servers and Microsoft Defender for Endpoint to support a new vulnerability assessment provider for your machines: Microsoft threat and vulnerability management. This feature is now released for general availability (GA).

Use threat and vulnerability management to discover vulnerabilities and misconfigurations in near real time with the integration with Microsoft Defender for Endpoint enabled, and without the need for additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities based on the threat landscape and detections in your organization.

Use the security recommendation "A vulnerability assessment solution should be enabled on your virtual machines" to surface the vulnerabilities detected by threat and vulnerability management for your supported machines.

To automatically surface the vulnerabilities, on existing and new machines, without the need to manually remediate the recommendation, see Vulnerability assessment solutions can now be auto enabled (in preview).

Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.

Microsoft Defender for Endpoint for Linux now supported by Microsoft Defender for servers - released for general availability (GA)

In August, we announced preview support for deploying the Defender for Endpoint for Linux sensor to supported Linux machines. This feature is now released for general availability (GA).

Microsoft Defender for servers includes an integrated license for Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud. From Defender for Cloud, you can also pivot to the Defender for Endpoint console, and perform a detailed investigation to uncover the scope of the attack.

Learn more in Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

Snapshot export for recommendations and security findings (in preview)

Defender for Cloud generates detailed security alerts and recommendations. You can view them in the portal or through programmatic tools. You might also need to export some or all of this information for tracking with other monitoring tools in your environment.

Defender for Cloud's continuous export feature lets you fully customize what will be exported, and where it will go. Learn more in Continuously export Microsoft Defender for Cloud data.

Even though the feature is called continuous, there's also an option to export weekly snapshots. Until now, these weekly snapshots were limited to secure score and regulatory compliance data. We've added the capability to export recommendations and security findings.

Auto provisioning of vulnerability assessment solutions released for general availability (GA)

In October, we announced the addition of vulnerability assessment solutions to Defender for Cloud's auto provisioning page. This is relevant to Azure virtual machines and Azure Arc machines on subscriptions protected by Azure Defender for servers. This feature is now released for general availability (GA).

If the integration with Microsoft Defender for Endpoint is enabled, Defender for Cloud presents a choice of vulnerability assessment solutions:

  • (NEW) The Microsoft threat and vulnerability management module of Microsoft Defender for Endpoint (see the release note)
  • The integrated Qualys agent

Your chosen solution will be automatically enabled on supported machines.

Learn more in Automatically configure vulnerability assessment for your machines.

Software inventory filters in asset inventory released for general availability (GA)

In October, we announced new filters for the asset inventory page to select machines running specific software - and even specify the versions of interest. This feature is now released for general availability (GA).

You can query the software inventory data in Azure Resource Graph Explorer.

To use these features, you'll need to enable the integration with Microsoft Defender for Endpoint.

For full details, including sample Kusto queries for Azure Resource Graph, see Access a software inventory.

New AKS security policy added to default initiative – for use by private preview customers only

To ensure that Kubernetes workloads are secure by default, Defender for Cloud includes Kubernetes level policies and hardening recommendations, including enforcement options with Kubernetes admission control.

As part of this project, we've added a policy and recommendation (disabled by default) for gating deployment on Kubernetes clusters. The policy is in the default initiative but is only relevant for organizations who register for the related private preview.

You can safely ignore the policy and recommendation ("Kubernetes clusters should gate deployment of vulnerable images"); there will be no impact on your environment.

If you'd like to participate in the private preview, you'll need to be a member of the private preview ring. If you're not already a member, submit a request here. Members will be notified when the preview begins.

Inventory display of on-premises machines applies different template for resource name

To improve the presentation of resources in the Asset inventory, we've removed the "source-computer-IP" element from the template for naming on-premises machines.

  • Previous format: machine-name_source-computer-id_VMUUID
  • From this update: machine-name_VMUUID

October 2021

Microsoft Threat and Vulnerability Management added as vulnerability assessment solution (in preview)

We've extended the integration between Azure Defender for servers and Microsoft Defender for Endpoint to support a new vulnerability assessment provider for your machines: Microsoft threat and vulnerability management.

Use threat and vulnerability management to discover vulnerabilities and misconfigurations in near real time with the integration with Microsoft Defender for Endpoint enabled, and without the need for additional agents or periodic scans. Threat and vulnerability management prioritizes vulnerabilities based on the threat landscape and detections in your organization.

Use the security recommendation "A vulnerability assessment solution should be enabled on your virtual machines" to surface the vulnerabilities detected by threat and vulnerability management for your supported machines.

To automatically surface the vulnerabilities, on existing and new machines, without the need to manually remediate the recommendation, see Vulnerability assessment solutions can now be auto enabled (in preview).

Learn more in Investigate weaknesses with Microsoft Defender for Endpoint's threat and vulnerability management.

Vulnerability assessment solutions can now be auto enabled (in preview)

Security Center's auto provisioning page now includes the option to automatically enable a vulnerability assessment solution on Azure virtual machines and Azure Arc machines on subscriptions protected by Azure Defender for servers.

If the integration with Microsoft Defender for Endpoint is enabled, Defender for Cloud presents a choice of vulnerability assessment solutions:

  • (NEW) The Microsoft threat and vulnerability management module of Microsoft Defender for Endpoint (see the release note)
  • The integrated Qualys agent

Your chosen solution will be automatically enabled on supported machines.

Learn more in Automatically configure vulnerability assessment for your machines.

Software inventory filters added to asset inventory (in preview)

The asset inventory page now includes a filter to select machines running specific software - and even specify the versions of interest.

Additionally, you can query the software inventory data in Azure Resource Graph Explorer.

To use these new features, you'll need to enable the integration with Microsoft Defender for Endpoint.

For full details, including sample Kusto queries for Azure Resource Graph, see Access a software inventory.

If you've enabled the threat and vulnerability solution, Security Center's asset inventory offers a filter to select resources by their installed software.

Changed prefix of some alert types from "ARM_" to "VM_"

In July 2021, we announced a logical reorganization of Azure Defender for Resource Manager alerts.

As part of a logical reorganization of some of the Azure Defender plans, we moved twenty-one alerts from Azure Defender for Resource Manager to Azure Defender for servers.

With this update, we've changed the prefixes of these alerts to match this reassignment and replaced "ARM_" with "VM_" as shown in the following table:

Original name -> From this change
ARM_AmBroadFilesExclusion -> VM_AmBroadFilesExclusion
ARM_AmDisablementAndCodeExecution -> VM_AmDisablementAndCodeExecution
ARM_AmDisablement -> VM_AmDisablement
ARM_AmFileExclusionAndCodeExecution -> VM_AmFileExclusionAndCodeExecution
ARM_AmTempFileExclusionAndCodeExecution -> VM_AmTempFileExclusionAndCodeExecution
ARM_AmTempFileExclusion -> VM_AmTempFileExclusion
ARM_AmRealtimeProtectionDisabled -> VM_AmRealtimeProtectionDisabled
ARM_AmTempRealtimeProtectionDisablement -> VM_AmTempRealtimeProtectionDisablement
ARM_AmRealtimeProtectionDisablementAndCodeExec -> VM_AmRealtimeProtectionDisablementAndCodeExec
ARM_AmMalwareCampaignRelatedExclusion -> VM_AmMalwareCampaignRelatedExclusion
ARM_AmTemporarilyDisablement -> VM_AmTemporarilyDisablement
ARM_UnusualAmFileExclusion -> VM_UnusualAmFileExclusion
ARM_CustomScriptExtensionSuspiciousCmd -> VM_CustomScriptExtensionSuspiciousCmd
ARM_CustomScriptExtensionSuspiciousEntryPoint -> VM_CustomScriptExtensionSuspiciousEntryPoint
ARM_CustomScriptExtensionSuspiciousPayload -> VM_CustomScriptExtensionSuspiciousPayload
ARM_CustomScriptExtensionSuspiciousFailure -> VM_CustomScriptExtensionSuspiciousFailure
ARM_CustomScriptExtensionUnusualDeletion -> VM_CustomScriptExtensionUnusualDeletion
ARM_CustomScriptExtensionUnusualExecution -> VM_CustomScriptExtensionUnusualExecution
ARM_VMAccessUnusualConfigReset -> VM_VMAccessUnusualConfigReset
ARM_VMAccessUnusualPasswordReset -> VM_VMAccessUnusualPasswordReset
ARM_VMAccessUnusualSSHReset -> VM_VMAccessUnusualSSHReset

Learn more about the Azure Defender for Resource Manager and Azure Defender for servers plans.
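Detection rules and exports written before this rename keep matching on the old "ARM_" names. The following normalizer, an added example rather than Microsoft code, maps only the twenty-one renamed alert types listed above and leaves every other "ARM_" alert untouched (the "ARM_ExamplePlaceholder" record is a constructed stand-in for an alert that stayed in the Resource Manager plan).

```python
"""Alert-type normalizer for the "ARM_" to "VM_" rename.

Added example, not Microsoft code. Only the twenty-one alert types listed in
the release note were renamed; other "ARM_" alerts stay in the Resource Manager
plan, so the mapping is an explicit allow-list, never a blanket prefix swap.
"""
from typing import Dict, Iterable, List

# Suffixes shared by the old and new alert types, copied from the table above.
_RENAMED_SUFFIXES = (
    "AmBroadFilesExclusion",
    "AmDisablementAndCodeExecution",
    "AmDisablement",
    "AmFileExclusionAndCodeExecution",
    "AmTempFileExclusionAndCodeExecution",
    "AmTempFileExclusion",
    "AmRealtimeProtectionDisabled",
    "AmTempRealtimeProtectionDisablement",
    "AmRealtimeProtectionDisablementAndCodeExec",
    "AmMalwareCampaignRelatedExclusion",
    "AmTemporarilyDisablement",
    "UnusualAmFileExclusion",
    "CustomScriptExtensionSuspiciousCmd",
    "CustomScriptExtensionSuspiciousEntryPoint",
    "CustomScriptExtensionSuspiciousPayload",
    "CustomScriptExtensionSuspiciousFailure",
    "CustomScriptExtensionUnusualDeletion",
    "CustomScriptExtensionUnusualExecution",
    "VMAccessUnusualConfigReset",
    "VMAccessUnusualPasswordReset",
    "VMAccessUnusualSSHReset",
)

LEGACY_TO_CURRENT: Dict[str, str] = {
    f"ARM_{suffix}": f"VM_{suffix}" for suffix in _RENAMED_SUFFIXES
}


def normalize_alert_type(alert_type: str) -> str:
    """Map a pre-rename alert type to its current name; anything else passes through."""
    return LEGACY_TO_CURRENT.get(alert_type, alert_type)


def select_alerts(records: Iterable[dict], wanted_types: Iterable[str]) -> List[dict]:
    """Filter alert records by type so that a rule written against either the old
    or the new names matches both historical and current exports."""
    wanted = {normalize_alert_type(t) for t in wanted_types}
    return [r for r in records if normalize_alert_type(r["AlertType"]) in wanted]


# Constructed sample records (only the AlertType field matters here); not real alerts.
SAMPLE_ALERTS = [
    {"AlertType": "ARM_AmDisablement", "Source": "export before the rename"},
    {"AlertType": "VM_AmDisablement", "Source": "export after the rename"},
    # Constructed placeholder for an alert that stayed in the Resource Manager plan.
    {"AlertType": "ARM_ExamplePlaceholder", "Source": "unrelated Resource Manager alert"},
]

if __name__ == "__main__":
    for rec in select_alerts(SAMPLE_ALERTS, ["ARM_AmDisablement"]):
        print(rec["AlertType"], "<-", rec["Source"])
```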

Changes to the logic of a security recommendation for Kubernetes clusters

The recommendation "Kubernetes clusters should not use the default namespace" prevents usage of the default namespace for a range of resource types. Two of the resource types that were included in this recommendation have been removed: ConfigMap and Secret.

Learn more about this recommendation and hardening your Kubernetes clusters in Understand Azure Policy for Kubernetes clusters.

To clarify the relationships between different recommendations, we've added a Related recommendations area to the details pages of many recommendations.

The three relationship types that are shown on these pages are:

  • Prerequisite - A recommendation that must be completed before the selected recommendation
  • Alternative - A different recommendation which provides another way of achieving the goals of the selected recommendation
  • Dependent - A recommendation for which the selected recommendation is a prerequisite

For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column.

Tip

If a related recommendation is grayed out, its dependency isn't yet completed and so isn't available.

An example of related recommendations:

  1. Security Center checks your machines for supported vulnerability assessment solutions:
    A vulnerability assessment solution should be enabled on your virtual machines

  2. If one is found, you'll get notified about discovered vulnerabilities:
    Vulnerabilities in your virtual machines should be remediated

Obviously, Security Center can't notify you about discovered vulnerabilities unless it finds a supported vulnerability assessment solution.

Therefore:

  • Recommendation #1 is a prerequisite for recommendation #2
  • Recommendation #2 depends upon recommendation #1

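The prerequisite and dependent relationships above form a small dependency graph, and the same rule that grays out a related recommendation also gives a remediation order. The following model is an added example, not Microsoft code; the two recommendation names are the page's own, and the third entry is a constructed placeholder so the ordering has more than one step.

```python
"""Related-recommendation model for the Prerequisite / Dependent relationships.

Added example, not Microsoft code. A "Dependent" is the inverse of a
"Prerequisite", a recommendation is grayed out until every prerequisite is
completed, and a topological sort of the prerequisite edges gives the order in
which to work through them.
"""
from typing import Dict, List, Set

VA_ENABLED = "A vulnerability assessment solution should be enabled on your virtual machines"
VA_REMEDIATE = "Vulnerabilities in your virtual machines should be remediated"
PLACEHOLDER = "Example downstream recommendation (constructed placeholder)"

# recommendation -> set of recommendations that must be completed first
PREREQUISITES: Dict[str, Set[str]] = {
    VA_ENABLED: set(),
    VA_REMEDIATE: {VA_ENABLED},
    PLACEHOLDER: {VA_REMEDIATE},
}


def dependents(prereqs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert the prerequisite edges: a "Dependent" is a recommendation for
    which the selected one is a prerequisite."""
    out: Dict[str, Set[str]] = {rec: set() for rec in prereqs}
    for rec, needs in prereqs.items():
        for need in needs:
            out.setdefault(need, set()).add(rec)
    return out


def is_available(rec: str, completed: Set[str], prereqs: Dict[str, Set[str]]) -> bool:
    """A related recommendation is grayed out until all its prerequisites are completed."""
    return prereqs.get(rec, set()) <= completed


def remediation_order(prereqs: Dict[str, Set[str]]) -> List[str]:
    """Topological order (Kahn's algorithm): prerequisites before dependents.
    Raises ValueError if the relationships form a cycle."""
    remaining = {rec: set(needs) for rec, needs in prereqs.items()}
    for needs in prereqs.values():
        for need in needs:
            remaining.setdefault(need, set())  # prerequisites only referenced as edges
    order: List[str] = []
    while remaining:
        ready = sorted(rec for rec, needs in remaining.items() if not needs)
        if not ready:
            raise ValueError("cyclic prerequisite relationship")
        for rec in ready:
            order.append(rec)
            del remaining[rec]
        for needs in remaining.values():
            needs.difference_update(ready)
    return order


if __name__ == "__main__":
    for rec in remediation_order(PREREQUISITES):
        print("available now" if is_available(rec, set(), PREREQUISITES) else "grayed out", "-", rec)
```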

New alerts for Azure Defender for Kubernetes (in preview)

To expand the threat protections provided by Azure Defender for Kubernetes, we've added two preview alerts.

These alerts are generated based on a new machine learning model and Kubernetes advanced analytics, measuring multiple deployment and role assignment attributes against previous activities in the cluster and across all clusters monitored by Azure Defender.

Alert: Anomalous pod deployment (Preview)
Alert type: K8S_AnomalousPodDeployment
Description: Kubernetes audit log analysis detected a pod deployment that is anomalous based on previous pod deployment activity. The activity is considered an anomaly when taking into account how the different features seen in the deployment operation relate to one another. The features monitored by this analytics include the container image registry used, the account performing the deployment, the day of the week, how often this account performs pod deployments, the user agent used in the operation, whether this is a namespace in which pod deployments occur often, and other features. The top contributing reasons for raising this alert as anomalous activity are detailed under the alert's extended properties.
MITRE tactic: Execution
Severity: Medium

Alert: Excessive role permissions assigned in Kubernetes cluster (Preview)
Alert type: K8S_ServiceAcountPermissionAnomaly
Description: Analysis of the Kubernetes audit logs detected a role assignment with excessive permissions to your cluster. From examining role assignments, the listed permissions are uncommon for the specific service account. This detection considers previous role assignments to the same service account across clusters monitored by Azure Defender, the volume per permission, and the impact of the specific permission. The anomaly detection model used for this alert takes into account how this permission is used across all clusters monitored by Azure Defender.
MITRE tactic: Privilege Escalation
Severity: Low

For a full list of the Kubernetes alerts, see Alerts for Kubernetes clusters.

September 2021

In September, the following update was released:

Two new recommendations to audit OS configurations for Azure security baseline compliance (in preview)

The following two recommendations have been released to assess your machines' compliance with the Windows security baseline and the Linux security baseline:

These recommendations make use of the guest configuration feature of Azure Policy to compare the OS configuration of a machine with the baseline defined in the Azure Security Benchmark.

Learn more about using these recommendations in Harden a machine's OS configuration using guest configuration.

August 2021

Microsoft Defender for Endpoint for Linux now supported by Azure Defender for servers (in preview)

Azure Defender for servers includes an integrated license for Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities.

When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Security Center. From Security Center, you can also pivot to the Defender for Endpoint console, and perform a detailed investigation to uncover the scope of the attack.

During the preview period, you'll deploy the Defender for Endpoint for Linux sensor to supported Linux machines in one of two ways depending on whether you've already deployed it to your Windows machines:

Learn more in Protect your endpoints with Security Center's integrated EDR solution: Microsoft Defender for Endpoint.

Two new recommendations for managing endpoint protection solutions (in preview)

We've added two preview recommendations to deploy and maintain the endpoint protection solutions on your machines. Both recommendations include support for Azure virtual machines and machines connected to Azure Arc-enabled servers.

Recommendation: Endpoint protection should be installed on your machines
Description: To protect your machines from threats and vulnerabilities, install a supported endpoint protection solution. Learn more about how Endpoint Protection for machines is evaluated.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: High

Recommendation: Endpoint protection health issues should be resolved on your machines
Description: Resolve endpoint protection health issues on your virtual machines to protect them from the latest threats and vulnerabilities. Azure Security Center supported endpoint protection solutions are documented here. Endpoint protection assessment is documented here.
Related policy: Monitor missing Endpoint Protection in Azure Security Center
Severity: Medium

Note

The recommendations show their freshness interval as 8 hours, but there are some scenarios in which this might take significantly longer. For example, when an on-premises machine is deleted, it takes 24 hours for Security Center to identify the deletion. After that, the assessment will take up to 8 hours to return the information. In that specific situation, therefore, it may take 32 hours for the machine to be removed from the list of affected resources.

Built-in troubleshooting and guidance for solving common issues

A new, dedicated area of the Security Center pages in the Azure portal provides a collated, ever-growing set of self-help materials for solving common challenges with Security Center and Azure Defender.

When you're facing an issue, or are seeking advice from our support team, Diagnose and solve problems is another tool to help you find the solution:

Regulatory compliance dashboard's Azure Audit reports released for general availability (GA)

The regulatory compliance dashboard's toolbar offers Azure and Dynamics certification reports for the standards applied to your subscriptions.

You can select the tab for the relevant reports types (PCI, SOC, ISO, and others) and use filters to find the specific reports you need.

For more information, see Generate compliance status reports and certificates.

Deprecated recommendation 'Log Analytics agent health issues should be resolved on your machines'

We've found that the recommendation "Log Analytics agent health issues should be resolved on your machines" impacts secure scores in ways that are inconsistent with Security Center's Cloud Security Posture Management (CSPM) focus. Typically, CSPM relates to identifying security misconfigurations. Agent health issues don't fit into this category of issues.

Also, the recommendation is an anomaly when compared with the other agents related to Security Center: this is the only agent with a recommendation related to health issues.

The recommendation has been deprecated.

As a result of this deprecation, we've also made minor changes to the recommendations for installing the Log Analytics agent (Log Analytics agent should be installed on...).

It's likely that this change will impact your secure scores. For most subscriptions, we expect the change to lead to an increased score, but it's possible the updates to the installation recommendation might result in decreased scores in some cases.

Tip

The asset inventory page was also affected by this change as it displays the monitored status for machines (monitored, not monitored, or partially monitored - a state which refers to an agent with health issues).

Azure Defender for container registries includes a vulnerability scanner to scan images in your Azure Container Registry registries. Learn how to scan your registries and remediate findings in Use Azure Defender for container registries to scan your images for vulnerabilities.

To limit access to a registry hosted in Azure Container Registry, assign virtual network private IP addresses to the registry endpoints and use Azure Private Link as explained in Connect privately to an Azure container registry using Azure Private Link.

As part of our ongoing efforts to support additional environments and use cases, Azure Defender now also scans container registries protected with Azure Private Link.

Security Center can now auto provision the Azure Policy's Guest Configuration extension (in preview)

Azure Policy can audit settings inside a machine, both for machines running in Azure and Arc connected machines. The validation is performed by the Guest Configuration extension and client. Learn more in Understand Azure Policy's Guest Configuration.

With this update, you can now set Security Center to automatically provision this extension to all supported machines.

Enable auto deployment of Guest Configuration extension.

Learn more about how auto provisioning works in Configure auto provisioning for agents and extensions.

Recommendations to enable Azure Defender plans now support "Enforce"

Security Center includes two features that help ensure newly created resources are provisioned in a secure manner: enforce and deny. When a recommendation offers these options, you can ensure your security requirements are met whenever someone attempts to create a resource:

  • Deny stops unhealthy resources from being created
  • Enforce automatically remediates non-compliant resources when they're created

With this update, the enforce option is now available on the recommendations to enable Azure Defender plans (such as Azure Defender for App Service should be enabled, Azure Defender for Key Vault should be enabled, Azure Defender for Storage should be enabled).

Learn more about these options in Prevent misconfigurations with Enforce/Deny recommendations.

CSV exports of recommendation data now limited to 20 MB

We're instituting a limit of 20 MB when exporting Security Center recommendations data.

Security Center's 'download CSV report' button to export recommendation data.

If you need to export larger amounts of data, use the available filters to narrow the data before exporting, or select subsets of your subscriptions and download the data in batches.

Filtering subscriptions in the Azure portal.

Learn more about performing a CSV export of your security recommendations.

Recommendations page now includes multiple views

The recommendations page now has two tabs to provide alternate ways to view the recommendations relevant to your resources:

  • Secure score recommendations - Use this tab to view the list of recommendations grouped by security control. Learn more about these controls in Security controls and their recommendations.
  • All recommendations - Use this tab to view the list of recommendations as a flat list. This tab is also great for understanding which initiative (including regulatory compliance standards) generated the recommendation. Learn more about initiatives and their relationship to recommendations in What are security policies, initiatives, and recommendations?.

Tabs to change the view of the recommendations list in Azure Security Center.

July 2021

Updates in July include:

Azure Sentinel connector now includes optional bi-directional alert synchronization (in preview)

Security Center natively integrates with Azure Sentinel, Azure's cloud-native SIEM and SOAR solution.

Azure Sentinel includes built-in connectors for Azure Security Center at the subscription and tenant levels. Learn more in Stream alerts to Azure Sentinel.

When you connect Azure Defender to Azure Sentinel, the status of Azure Defender alerts that get ingested into Azure Sentinel is synchronized between the two services. So, for example, when an alert is closed in Azure Defender, that alert will display as closed in Azure Sentinel as well. Changing the status of an alert in Azure Defender won't affect the status of any Azure Sentinel incidents that contain the synchronized Azure Sentinel alert, only that of the synchronized alert itself.

Enabling this preview feature, bi-directional alert synchronization, will automatically sync the status of the original Azure Defender alerts with Azure Sentinel incidents that contain the copies of those Azure Defender alerts. So, for example, when an Azure Sentinel incident containing an Azure Defender alert is closed, Azure Defender will automatically close the corresponding original alert.

Learn more in Connect Azure Defender alerts from Azure Security Center.

Logical reorganization of Azure Defender for Resource Manager alerts

The alerts listed below were provided as part of the Azure Defender for Resource Manager plan.

As part of a logical reorganization of some of the Azure Defender plans, we've moved some alerts from Azure Defender for Resource Manager to Azure Defender for servers.

The alerts are organized according to two main principles:

  • Alerts that provide control-plane protection - across many Azure resource types - are part of Azure Defender for Resource Manager
  • Alerts that protect specific workloads are in the Azure Defender plan that relates to the corresponding workload

These are the alerts that were part of Azure Defender for Resource Manager, and which, as a result of this change, are now part of Azure Defender for servers:

  • ARM_AmBroadFilesExclusion
  • ARM_AmDisablementAndCodeExecution
  • ARM_AmDisablement
  • ARM_AmFileExclusionAndCodeExecution
  • ARM_AmTempFileExclusionAndCodeExecution
  • ARM_AmTempFileExclusion
  • ARM_AmRealtimeProtectionDisabled
  • ARM_AmTempRealtimeProtectionDisablement
  • ARM_AmRealtimeProtectionDisablementAndCodeExec
  • ARM_AmMalwareCampaignRelatedExclusion
  • ARM_AmTemporarilyDisablement
  • ARM_UnusualAmFileExclusion
  • ARM_CustomScriptExtensionSuspiciousCmd
  • ARM_CustomScriptExtensionSuspiciousEntryPoint
  • ARM_CustomScriptExtensionSuspiciousPayload
  • ARM_CustomScriptExtensionSuspiciousFailure
  • ARM_CustomScriptExtensionUnusualDeletion
  • ARM_CustomScriptExtensionUnusualExecution
  • ARM_VMAccessUnusualConfigReset
  • ARM_VMAccessUnusualPasswordReset
  • ARM_VMAccessUnusualSSHReset

Learn more about the Azure Defender for Resource Manager and Azure Defender for servers plans.

Enhancements to recommendation to enable Azure Disk Encryption (ADE)

Following user feedback, we've renamed the recommendation Disk encryption should be applied on virtual machines.

The new recommendation uses the same assessment ID and is called Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources.

The description has also been updated to better explain the purpose of this hardening recommendation:

Recommendation: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

Description: By default, a virtual machine’s OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches aren’t encrypted, and data isn’t encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see https://aka.ms/diskencryptioncomparison. Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if: (1) you’re using the encryption-at-host feature, or (2) server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage.

Severity: High

Continuous export of secure score and regulatory compliance data released for general availability (GA)

Continuous export provides the mechanism for exporting your security alerts and recommendations for tracking with other monitoring tools in your environment.

When you set up your continuous export, you configure what is exported, and where it will go. Learn more in the overview of continuous export.

We've enhanced and expanded this feature over time:

With this update, these two options are released for general availability (GA).

Workflow automations can be triggered by changes to regulatory compliance assessments (GA)

In February 2021, we added a preview third data type to the trigger options for your workflow automations: changes to regulatory compliance assessments. Learn more in Workflow automations can be triggered by changes to regulatory compliance assessments.

With this update, this trigger option is released for general availability (GA).

Learn how to use the workflow automation tools in Automate responses to Security Center triggers.

Using changes to regulatory compliance assessments to trigger a workflow automation.

Assessments API field 'FirstEvaluationDate' and 'StatusChangeDate' now available in workspace schemas and logic apps

In May 2021, we updated the Assessment API with two new fields, FirstEvaluationDate and StatusChangeDate. For full details, see Assessments API expanded with two new fields.

Those fields were accessible through the REST API, Azure Resource Graph, continuous export, and in CSV exports.

With this change, we're making the information available in the Log Analytics workspace schema and from logic apps.
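As an added example (not part of the original page or Microsoft's documentation), the following Azure Resource Graph query uses the two fields to find recommendations that have stayed unhealthy for more than 30 days, which is a common way to track remediation backlog. It assumes the fields are exposed as properties.status.firstEvaluationDate and properties.status.statusChangeDate on microsoft.security/assessments records in the securityresources table, and that a Resource Graph query identifies a specific operation rather than a contrived example.

```kusto
// Added example: list Security Center assessments that have been
// Unhealthy for more than 30 days, using the FirstEvaluationDate and
// StatusChangeDate fields. Property paths below are assumed, as
// described in the lead-in; adjust if your schema differs.
securityresources
| where type == "microsoft.security/assessments"
| extend statusCode = tostring(properties.status.code),
         recommendation = tostring(properties.displayName),
         resourceId = tostring(properties.resourceDetails.Id),
         firstEvaluationDate = todatetime(properties.status.firstEvaluationDate),
         statusChangeDate = todatetime(properties.status.statusChangeDate)
// Only findings that are currently failing
| where statusCode == "Unhealthy"
// Status last changed more than 30 days ago, i.e. nobody has remediated it
| where statusChangeDate < ago(30d)
// How long the resource has been evaluated at all, for context
| extend daysSinceFirstEvaluation = datetime_diff("day", now(), firstEvaluationDate),
         daysUnhealthy = datetime_diff("day", now(), statusChangeDate)
| project recommendation, resourceId, subscriptionId,
          firstEvaluationDate, statusChangeDate, daysUnhealthy, daysSinceFirstEvaluation
| order by daysUnhealthy desc
```

Run it in Azure Resource Graph Explorer, or with `az graph query -q "<query>"` from the Azure CLI; the same fields are available in the Log Analytics workspace schema if you prefer to alert on them from a workbook or logic app.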

In March, we announced the integrated Azure Monitor Workbooks experience in Security Center (see Azure Monitor Workbooks integrated into Security Center and three templates provided).

The initial release included three templates to build dynamic and visual reports about your organization's security posture.

We've now added a workbook dedicated to tracking a subscription's compliance with the regulatory or industry standards applied to it.

Learn about using these reports or building your own in Create rich, interactive reports of Security Center data.

Azure Security Center's compliance over time workbook