Microsoft Defender for Cloud
Cloud-Native Security for Azure Integration Workloads
Introduction
Microsoft Defender for Cloud provides unified cloud security posture management (CSPM) and workload threat protection for your Azure integration workloads. It succeeds Azure Security Center and Azure Defender, combining posture management with threat detection so that you can harden resources, detect threats, and respond to attacks. For integration architectures spanning Functions, Service Bus, API Management, and more, Defender for Cloud provides critical visibility and protection.
This comprehensive guide covers:
- Defender plans — Available protection for Azure services
- Security posture — Secure score and recommendations
- Threat protection — Detecting runtime threats
- Integration — Connecting with Azure services
- Alert management — Responding to security events
Defender Plans Overview
Available Plans
```text
┌─────────────────────────────────────────────────────────────────────┐
│ DEFENDER FOR CLOUD PLANS                                            │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│ PLAN                     SERVICES PROTECTED                         │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for Cloud       All compute, storage, networking           │
│ Apps (basic)                                                        │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for Servers     VMs, Arc-enabled, containers               │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for App         Azure Functions, API Apps,                 │
│ Service                  Container Apps, Service Fabric             │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for Storage     Storage accounts                           │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for SQL         Azure SQL, SQL on VMs                      │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for             Service Bus, Event Hubs,                   │
│ Service Bus              Event Grid                                 │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for Key         Key Vault                                  │
│ Vault                                                               │
│ ───────────────────────────────────────────────────────────────── │
│ Defender for             API Management, Logic Apps                 │
│ APIs (preview)                                                      │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```
Enable Plans
```bash
# Foundational CSPM is free; CloudPosture is the posture-management plan
az security pricing create \
  --name CloudPosture \
  --tier Free
# Enable enhanced (paid) plans; --name takes the CLI's plan identifier
az security pricing create \
  --name VirtualMachines \
  --tier Standard
az security pricing create \
  --name AppServices \
  --tier Standard
az security pricing create \
  --name StorageAccounts \
  --tier Standard
az security pricing create \
  --name ServiceBus \
  --tier Standard
# Verify enabled plans
az security pricing list --query "[].{Name:name,PricingTier:pricingTier}"
```
Security Posture Management
Secure Score
```json
{
  "secureScore": {
    "currentScore": 78,
    "maxScore": 100,
    "percentage": "78%",
    "controlScores": [
      {
        "name": "Identity",
        "score": 85,
        "maxScore": 100,
        "weight": "20%",
        "recommendations": 3
      },
      {
        "name": "Compute",
        "score": 90,
        "maxScore": 100,
        "weight": "25%",
        "recommendations": 2
      },
      {
        "name": "Storage",
        "score": 65,
        "maxScore": 100,
        "weight": "15%",
        "recommendations": 5
      },
      {
        "name": "Networking",
        "score": 72,
        "maxScore": 100,
        "weight": "20%",
        "recommendations": 4
      }
    ]
  }
}
```
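The secure score document above is what a weekly review works from, and the best-practices table on this page says to prioritize by secure score impact. The following added example (not Microsoft's code) parses that document and ranks controls by the weighted points a fix would recover; the weighting rule, weight multiplied by the points missing from the control, is an assumption made for the example, as is the sample input, which is the JSON above trimmed to the fields read.

```python
"""Rank secure-score controls by the points a fix would recover.

Added example, not Microsoft's code. The rule "weight x points missing" is an
assumption for the example; the sample document is constructed from the page.
"""
import json
from dataclasses import dataclass

# Constructed input: the secureScore document shown above, trimmed to what we read
SAMPLE_SECURE_SCORE = """
{
  "secureScore": {
    "currentScore": 78,
    "maxScore": 100,
    "controlScores": [
      {"name": "Identity",   "score": 85, "maxScore": 100, "weight": "20%", "recommendations": 3},
      {"name": "Compute",    "score": 90, "maxScore": 100, "weight": "25%", "recommendations": 2},
      {"name": "Storage",    "score": 65, "maxScore": 100, "weight": "15%", "recommendations": 5},
      {"name": "Networking", "score": 72, "maxScore": 100, "weight": "20%", "recommendations": 4}
    ]
  }
}
"""


@dataclass(frozen=True)
class ControlScore:
    name: str
    score: float
    max_score: float
    weight: float          # fraction of the total score, 0.0 - 1.0
    recommendations: int   # open recommendations under this control

    @property
    def recoverable_points(self) -> float:
        """Weighted points still missing from this control."""
        return self.weight * (self.max_score - self.score)

    @property
    def points_per_recommendation(self) -> float:
        """Average gain from closing one recommendation in this control."""
        if self.recommendations == 0:
            return 0.0
        return self.recoverable_points / self.recommendations


def parse_percent(value) -> float:
    """Accept '20%', '20' or 0.2 and return a fraction in 0.0 - 1.0."""
    if isinstance(value, str):
        value = value.strip()
        number = float(value[:-1]) if value.endswith("%") else float(value)
    else:
        number = float(value)
    return number / 100.0 if number > 1.0 else number


def parse_secure_score(document: str) -> list[ControlScore]:
    """Parse the controlScores array of a secureScore document."""
    data = json.loads(document)["secureScore"]
    controls = []
    for raw in data["controlScores"]:
        ctl = ControlScore(
            name=raw["name"],
            score=float(raw["score"]),
            max_score=float(raw["maxScore"]),
            weight=parse_percent(raw["weight"]),
            recommendations=int(raw.get("recommendations", 0)),
        )
        if ctl.score > ctl.max_score:
            raise ValueError(f"{ctl.name}: score exceeds maxScore")
        controls.append(ctl)
    return controls


def prioritize(controls: list[ControlScore]) -> list[ControlScore]:
    """Order controls by gain per recommendation, then by total gain, then name."""
    return sorted(
        controls,
        key=lambda c: (-c.points_per_recommendation, -c.recoverable_points, c.name),
    )


def total_recoverable(controls: list[ControlScore]) -> float:
    """Weighted points the subscription can still gain across all controls."""
    return round(sum(c.recoverable_points for c in controls), 2)


if __name__ == "__main__":
    ranked = prioritize(parse_secure_score(SAMPLE_SECURE_SCORE))
    print(f"{'control':<12}{'open':>6}{'points':>9}{'per fix':>9}")
    for c in ranked:
        print(f"{c.name:<12}{c.recommendations:>6}"
              f"{c.recoverable_points:>9.2f}{c.points_per_recommendation:>9.2f}")
    print(f"total recoverable: {total_recoverable(ranked):.2f}")
```

With the page's numbers, Networking comes out first (1.4 weighted points per recommendation) even though Storage has the most points missing, which is the difference between ranking by gap and ranking by impact per fix. Feed the script the output of `az security secure-scores list` once the field names are mapped to the same shape.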
Security Recommendations
```bash
# List assessments (recommendations) for integration resources
az security assessment list \
  --query "[?contains(resourceGroup, 'integration')]"
# Get details of one assessment on a specific resource
az security assessment show \
  --name "ac2d3b1b-4a1f-4b3e-9b1a-5c3d2e4f5a6b" \
  --assessed-resource-id "/subscriptions/xxx/resourceGroups/rg-integration/providers/Microsoft.Web/sites/function-app"
# Remediation is applied on the resource itself (for example, enabling diagnostic
# logging on the Function App); the open remediation tasks can be listed here
az security task list \
  --resource-group rg-integration
```
Threat Protection
Defender for Service Bus
```json
{
  "serviceBusAlerts": [
    {
      "name": "Suspicious queue access pattern",
      "description": "Unusual access pattern detected on Service Bus queues",
      "severity": "Medium",
      "indicators": [
        "Access from unusual IP range",
        "Mass message retrieval",
        "Access outside business hours"
      ],
      "remediation": [
        "Review access logs",
        "Verify client applications",
        "Update network restrictions"
      ]
    },
    {
      "name": "Potential data exfiltration",
      "description": "Large volume of messages being processed",
      "severity": "High",
      "indicators": [
        "Message volume spike > 200%",
        "New consumer application",
        "Messages sent to external endpoint"
      ],
      "remediation": [
        "Verify business justification",
        "Block suspicious consumer",
        "Enable audit logging"
      ]
    }
  ]
}
```
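The alert catalogue above lists indicators without showing how they combine into an alert. The following added example (not Defender for Cloud's own detection logic) evaluates those indicators over constructed Service Bus access records and emits the two catalogue alerts when enough indicators line up for one caller. The record layout, the trusted network range, the list of known callers, the thresholds and the baseline volume are all assumptions made for the example.

```python
"""Evaluate the Service Bus alert indicators against constructed access records.

Added example; not Defender for Cloud's own detection logic. The record layout,
trusted ranges, known callers, thresholds and baseline are assumptions.
"""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed records: (UTC timestamp, client IP, caller application, messages received)
SAMPLE_RECORDS = [
    ("2024-05-06T09:15:00", "10.1.4.20", "orders-processor", 120),
    ("2024-05-06T09:20:00", "10.1.4.20", "orders-processor", 110),
    ("2024-05-06T06:30:00", "198.51.100.9", "orders-processor", 40),  # odd hour, odd network
    ("2024-05-06T10:05:00", "10.1.4.21", "billing-sync", 90),
    ("2024-05-06T22:30:00", "10.1.4.30", "billing-sync", 60),         # odd hour only
    ("2024-05-06T23:40:00", "203.0.113.77", "svc-export-tmp", 2500),
    ("2024-05-06T23:48:00", "203.0.113.77", "svc-export-tmp", 2600),
]

# Assumed environment knowledge
TRUSTED_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]
KNOWN_CALLERS = {"orders-processor", "billing-sync"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 UTC
MASS_RETRIEVAL = 1000           # messages one caller may receive in the window
BASELINE_VOLUME = 2000          # normal message volume for the window
SPIKE_FACTOR = 2.0              # "> 200%" read as more than twice the baseline

# Severity and remediation steps copied from the catalogue above
ALERT_CATALOGUE = {
    "Suspicious queue access pattern": ("Medium",
        ["Review access logs", "Verify client applications", "Update network restrictions"]),
    "Potential data exfiltration": ("High",
        ["Verify business justification", "Block suspicious consumer", "Enable audit logging"]),
}
ACCESS_INDICATORS = {"Access from unusual IP range", "Mass message retrieval",
                     "Access outside business hours"}


def from_unusual_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)


def outside_business_hours(timestamp: str) -> bool:
    return datetime.fromisoformat(timestamp).hour not in BUSINESS_HOURS


def indicators_by_caller(records):
    """Collect the catalogue's indicators per caller over one window."""
    found: dict[str, set] = {}
    received: Counter = Counter()
    for ts, ip, caller, count in records:
        inds = found.setdefault(caller, set())
        if from_unusual_ip(ip):
            inds.add("Access from unusual IP range")
        if outside_business_hours(ts):
            inds.add("Access outside business hours")
        if caller not in KNOWN_CALLERS:
            inds.add("New consumer application")
        received[caller] += count
    total = sum(received.values())
    for caller, count in received.items():
        if count > MASS_RETRIEVAL:
            found[caller].add("Mass message retrieval")
        # Queue-wide spike, attributed to callers that alone exceed the baseline
        if total > SPIKE_FACTOR * BASELINE_VOLUME and count > BASELINE_VOLUME:
            found[caller].add("Message volume spike > 200%")
    return found


def evaluate(records):
    """Turn per-caller indicators into catalogue alerts, highest severity first."""
    alerts = []
    for caller, inds in indicators_by_caller(records).items():
        if "Message volume spike > 200%" in inds and (
                inds & {"New consumer application", "Mass message retrieval"}):
            name = "Potential data exfiltration"
        elif len(inds & ACCESS_INDICATORS) >= 2:
            name = "Suspicious queue access pattern"
        else:
            continue  # a single odd indicator is noise, not an alert
        severity, remediation = ALERT_CATALOGUE[name]
        alerts.append({"name": name, "severity": severity, "caller": caller,
                       "indicators": sorted(inds), "remediation": remediation})
    rank = {"High": 0, "Medium": 1}
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["caller"]))


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_RECORDS):
        print(f"[{alert['severity']}] {alert['name']} by {alert['caller']}: "
              f"{', '.join(alert['indicators'])}")
```

On the sample, `svc-export-tmp` raises the High alert (new caller, untrusted address, after hours, mass retrieval and the volume spike), `orders-processor` raises the Medium one for a single after-hours receive from outside the trusted range, and `billing-sync` raises nothing because one after-hours indicator alone is below the threshold. Requiring two indicators before alerting is the knob that trades detection latency for noise.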
Defender for Functions
```csharp
using System.Collections.Generic;
using System.Threading.Tasks;

// Minimal alert shape as this handler consumes it (real Defender alerts carry more fields)
public class SecurityAlert
{
    public string AlertType { get; set; } = "";
    public Dictionary<string, string> EntityData { get; set; } = new();
}

public interface ISecurityNotificationService
{
    Task NotifyAsync(SecurityAlert alert);
}

public class DefenderThreatDetection
{
    private readonly ISecurityNotificationService _securityNotificationService;

    public DefenderThreatDetection(ISecurityNotificationService notifications)
    {
        _securityNotificationService = notifications;
    }

    // Defender automatically monitors:
    // - Excessive function executions
    // - Suspicious outbound connections
    // - Code injection attempts
    // - Credential access patterns
    public async Task ProcessSecurityAlert(SecurityAlert alert)
    {
        switch (alert.AlertType)
        {
            case "Suspicious outbound network activity":
                await HandleNetworkAlertAsync(alert);
                break;
            case "Malicious code execution":
                await HandleCodeExecutionAlertAsync(alert);
                break;
            case "Brute force attempt":
                await HandleBruteForceAlertAsync(alert);
                break;
            default:
                await _securityNotificationService.NotifyAsync(alert); // unknown types still get triaged
                break;
        }
    }

    private async Task HandleNetworkAlertAsync(SecurityAlert alert)
    {
        // Block suspicious IP, but only when the alert actually carries one
        if (alert.EntityData.TryGetValue("externalIp", out var suspiciousIP))
            await BlockSuspiciousIPAsync(suspiciousIP);
        // Notify security team
        await _securityNotificationService.NotifyAsync(alert);
    }

    private Task HandleCodeExecutionAlertAsync(SecurityAlert alert) => _securityNotificationService.NotifyAsync(alert);
    private Task HandleBruteForceAlertAsync(SecurityAlert alert) => _securityNotificationService.NotifyAsync(alert);

    private Task BlockSuspiciousIPAsync(string ip)
    {
        // Hook for your blocking mechanism, e.g. adding an access restriction rule to the Function App
        return Task.CompletedTask;
    }
}
```
Integration with Azure Services
Defender for API Management
```bash
# Enable Defender for APIs (preview); the CLI plan identifier is Api
az security pricing create \
  --name Api \
  --tier Standard
# Configure the security contact that receives alert e-mails
# (flag names differ between az CLI versions; check `az security contact create --help`)
az security contact create \
  --name default \
  --email "security@company.com" \
  --alert-notifications on \
  --alerts-admins on
```
Auto-Protection Configuration
```json
{
  "autoProtection": {
    "autoProvision": true,
    "extensions": [
      {
        "name": "Azure Defender extension for VMs",
        "automatic": true
      },
      {
        "name": "Azure Defender extension for Kubernetes",
        "automatic": true,
        "clusterSelector": ["production", "staging"]
      }
    ]
  }
}
```
Alert Management
Alert Configuration
```json
{
  "alertSettings": {
    "emailNotifications": {
      "state": "On",
      "additionalRecipients": [
        "security-team@company.com",
        "platform-team@company.com"
      ],
      "severityLevels": ["High", "Medium"]
    },
    "securityContact": {
      "email": "ciso@company.com",
      "phone": "+1-555-0100",
      "alertNotifications": {
        "state": "On",
        "minor": "On",
        "critical": "On"
      }
    }
  }
}
```
Alert Response Workflow
```text
┌─────────────────────────────────────────────────────────────────────┐
│ ALERT RESPONSE WORKFLOW                                             │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│ 1. DETECT (Defender identifies threat)                              │
│    ↓                                                                │
│ 2. TRIAGE (Assess severity and scope)                               │
│    → Critical: Immediate action required                            │
│    → High: Within 4 hours                                           │
│    → Medium: Within 24 hours                                        │
│    → Low: Next business day                                         │
│    ↓                                                                │
│ 3. INVESTIGATE (Gather evidence)                                    │
│    → Review related alerts                                          │
│    → Check resource logs                                            │
│    → Identify affected systems                                      │
│    ↓                                                                │
│ 4. CONTAIN (Limit damage)                                           │
│    → Isolate affected resources                                     │
│    → Block malicious IPs                                            │
│    → Revoke compromised credentials                                 │
│    ↓                                                                │
│ 5. REMEDIATE (Fix root cause)                                       │
│    → Apply security recommendations                                 │
│    → Update access policies                                         │
│    → Deploy countermeasures                                         │
│    ↓                                                                │
│ 6. DOCUMENT (Record lessons learned)                                │
│    → Document timeline                                              │
│    → Update runbooks                                                │
│    → Share with team                                                │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```
Security Posture Hardening
Integration Security Checklist
```text
┌─────────────────────────────────────────────────────────────────────┐
│ INTEGRATION SECURITY CHECKLIST                                      │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│ FUNCTIONS                                                           │
│ ✓ Enable managed identity                                           │
│ ✓ Use HTTPS only                                                    │
│ ✓ Configure CORS restrictions                                       │
│ ✓ Enable Application Insights logging                               │
│ ✓ Restrict outbound network access                                  │
│                                                                     │
│ SERVICE BUS                                                         │
│ ✓ Enable firewall rules                                             │
│ ✓ Use SAS policies with expiration                                  │
│ ✓ Enable geo-disaster recovery                                      │
│ ✓ Configure dead-letter queue alerts                                │
│ ✓ Enable network logging                                            │
│                                                                     │
│ API MANAGEMENT                                                      │
│ ✓ Enable OAuth/JWT validation                                       │
│ ✓ Configure rate limiting                                           │
│ ✓ Enable WAF policies                                               │
│ ✓ Use mutual TLS                                                    │
│ ✓ Set up IP restrictions                                            │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘
```
Best Practices
Implementation Checklist
| Practice | Description |
|---|---|
| Enable all relevant plans | Protect compute, storage, and services |
| Review recommendations weekly | Prioritize by secure score impact |
| Configure alert notifications | Ensure right people get notified |
| Enable auto-provision | Automatically protect new resources |
| Integrate with SIEM | Send alerts to central security system |
| Use JIT access | Just-in-time VM access for administration |
Related Topics
- Zero Trust Networking — Security architecture
- Key Vault Governance — Secrets security
- Compliance as Code — Policy enforcement
Azure Integration Hub - Architect Level Security Architecture & Zero Trust