Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud
Lab scenario
You’re a Security Operations Analyst working at a company that is implementing cloud workload protection with Microsoft Defender for Cloud. In this lab, you enable Microsoft Defender for Cloud.
Task 1: Access the Azure portal and set up a Subscription
In this task, you’ll set up an Azure Subscription required to complete this lab and future labs.
- Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.
- Open the Microsoft Edge browser, or open a new tab if it is already open.
- In the Microsoft Edge browser, navigate to the Azure portal at https://portal.azure.com.
- In the Sign in dialog box, copy and paste the tenant email account for the admin username provided by your lab hosting provider, then select Next.
- In the Enter password dialog box, copy and paste the admin's tenant password provided by your lab hosting provider, then select Sign in.
- In the Search bar of the Azure portal, type Subscription, then select Subscriptions.
- Select the "Azure Pass - Sponsorship" subscription shown (or the equivalent name in your selected language).
Note: If the subscription is not shown, ask your instructor how to create the Azure subscription with your tenant admin user credentials. Note: The subscription creation process could take up to 10 minutes.
- Select Access control (IAM) and then select View my access from the Check access tab.
- Verify that the Current role assignments tab has a Role assignments Role of Owner for LOD. Select the X in the top right of the assignments - MOC Subscription-lodxxxxxxxx window to close it.
Task 2: Create a Log Analytics Workspace
In this task, you create a Log Analytics workspace for use with Azure Monitoring, Microsoft Sentinel and Microsoft Defender for Cloud.
- In the Search bar of the Azure portal, type Log Analytics workspaces, then select the service of the same name.
- Select +Create from the command bar.
- Select Create new for the Resource group.
- Enter RG-Defender and select Ok.
- For the Name, enter something unique like: uniquenameDefender.
- Select Review + Create.
- Once the workspace validation has passed, select Create. Wait for the new workspace to be provisioned; this may take a few minutes.
Task 3: Enable Microsoft Defender for Cloud
In this task, you’ll enable and configure Microsoft Defender for Cloud.
- In the Search bar of the Azure portal, type Defender, then select Microsoft Defender for Cloud.
- In the left menu for Microsoft Defender for Cloud, under Management, select Environment settings.
- Select the "Azure Pass - Sponsorship" subscription (or the equivalent name in your language).
- Review the Azure resources that are now protected with the Defender for Cloud plans.
Important: If all Defender plans are Off, select Enable all plans. Select the $200/month Microsoft Defender for APIs Plan 1 and then select Save. Select Save at the top of the page and wait for the "Defender plans (for your) subscription were saved successfully!" notifications to appear.
- Select the Settings & monitoring tab from the Settings area (next to Save).
- Review the monitoring extensions. They include configurations for Virtual Machines, Containers, and Storage Accounts. Close the "Settings & monitoring" page by selecting the 'X' on the upper right of the page.
- Close the settings page by selecting the 'X' on the upper right of the page to go back to Environment settings, then select the '>' to the left of your subscription.
- Select the Log Analytics workspace you created earlier (uniquenameDefender) to review the available options and pricing.
- Select Enable all plans (to the right of Select Defender plan) and then select Save. Wait for the "Microsoft Defender plan for workspace uniquenameDefender were saved successfully!" notification to appear.
Note: If the page is not displayed, refresh your Edge browser and try again.
- Close the Defender plans page by selecting the 'X' on the upper right of the page to go back to Environment settings.
Task 4: Protect an Azure virtual machine
In this task, you manually install the Azure Monitor Agent by adding a Data Collection Rule (DCR) on the WINServer virtual machine.
- Go to Microsoft Defender for Cloud and select the Getting Started page from the left menu.
- Select the Get Started tab.
- Scroll down and select Configure under the Add non-Azure servers section.
- Select Upgrade next to the workspace you created earlier. This might take a few minutes. Wait until you see the notification "Microsoft Defender plan for workspace uniquenameDefender were saved successfully!".
- Select + Add Servers next to the workspace you created earlier.
- Select Data Collection Rules.
- Select + Create.
- Enter WINServer for Rule Name.
- Select your Azure Pass - Sponsorship subscription and select a Resource Group. Hint: RG-Defender
- You can keep the default East US region or select another preferred location.
- Select the Windows radio button for Platform Type and select Next: Resources.
- In the Resources tab, select + Add resources.
- In the Select a scope page, expand the Scope column for RG-Defender (or the Resource Group you created), then select WINServer and select Apply.
Note: You may need to set the column filter for Resource type to Server-Azure Arc if WINServer is not displayed.
- Select Next: Collect and deliver.
- In the Collect and deliver tab, select + Add data source.
- In the Add a data source page, select Performance Counters from Data source type.
Note: For the purposes of this lab you could select Windows Event Logs. These selections can be revised later.
- Select the Destination tab.
- Select Azure Monitor Logs in the Destination Type dropdown.
- Select your Azure Pass - Sponsorship subscription from the Subscription dropdown.
- Select your workspace name from the Account or namespace dropdown. Hint: RG-Defender
- Select Add data source and select Review + create.
- Select Create after Validation passed is displayed.
- The Data Collection Rule creation initiates the installation of the AzureMonitorWindowsAgent extension on WINServer.
- When the Data Collection Rule creation completes, enter WINServer in the Search resources, services and docs search bar, and select WINServer from Resources.
- On WINServer, scroll down through the left menu to Settings and Extensions.
- The AzureMonitorWindowsAgent should be listed with a Status of Succeeded.
- You can move on to the next lab and return later to review the Inventory section of Microsoft Defender for Cloud to verify that WINServer is included.
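The Data Collection Rule that Task 4 builds through the portal can also be written as a rule file and deployed from the command line. The following is an added example, not part of the lab guide or Microsoft's own tooling: it assembles the same Windows rule (Performance Counters data source, Azure Monitor Logs destination pointing at the RG-Defender / uniquenameDefender workspace) and checks the cross-references the portal enforces silently. The subscription id and the counter list are constructed placeholders, and passing the output to `az monitor data-collection rule create --rule-file` is an assumed usage.

```python
# Values from the lab guide; the subscription id is a placeholder.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP = "RG-Defender"
WORKSPACE_NAME = "uniquenameDefender"
LOCATION = "eastus"
# Constructed counter list; the portal's Performance Counters defaults differ.
COUNTERS = ["\\Processor(_Total)\\% Processor Time",
            "\\Memory\\Available Bytes"]

def workspace_resource_id(sub, rg, name):
    """ARM id of the Log Analytics workspace created in Task 2."""
    return (f"/subscriptions/{sub}/resourceGroups/{rg}/providers/"
            f"Microsoft.OperationalInsights/workspaces/{name}")

def build_dcr(sub=SUBSCRIPTION_ID, rg=RESOURCE_GROUP, ws=WORKSPACE_NAME):
    """Windows DCR: performance counters -> Azure Monitor Logs (workspace)."""
    return {
        "location": LOCATION,
        "kind": "Windows",
        "properties": {
            "dataSources": {"performanceCounters": [{
                "name": "perfCounterDataSource",
                "streams": ["Microsoft-Perf"],
                "samplingFrequencyInSeconds": 60,
                "counterSpecifiers": COUNTERS}]},
            "destinations": {"logAnalytics": [{
                "name": "laDestination",
                "workspaceResourceId": workspace_resource_id(sub, rg, ws)}]},
            "dataFlows": [{"streams": ["Microsoft-Perf"],
                           "destinations": ["laDestination"]}],
        },
    }

def validate_dcr(dcr):
    """Each data flow must use a stream some data source emits and a declared
    destination; the portal enforces this, a hand-edited rule file does not."""
    props = dcr["properties"]
    streams = {s for src in props["dataSources"].values()
               for entry in src for s in entry["streams"]}
    dests = {d["name"] for kind in props["destinations"].values() for d in kind}
    problems = []
    for i, flow in enumerate(props["dataFlows"]):
        problems += [f"flow {i}: unknown stream {s}"
                     for s in flow["streams"] if s not in streams]
        problems += [f"flow {i}: unknown destination {d}"
                     for d in flow["destinations"] if d not in dests]
    return problems
```

`validate_dcr` returns an empty list for the rule `build_dcr` produces and names the offending flow when a stream or destination is misspelled, which is the failure mode that otherwise surfaces only as an agent that installs but never delivers data.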