Exercise 2 - Understanding Microsoft Defender for Cloud Dashboard

Lab scenario

You’re a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.

Task 1: Explore Regulatory Compliance

In this task, you’ll review Regulatory compliance configuration in Microsoft Defender for Cloud.

  1. Log in to the WIN1 virtual machine as Admin with the password Pa55w.rd.

  2. In the Microsoft Edge browser, open the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider, then select Next.

  4. In the Enter password dialog box, copy and paste the Tenant Password provided by your lab hosting provider, then select Sign in.

  5. In the Search bar of the Microsoft Azure portal, type Defender, then select Microsoft Defender for Cloud.

  6. Under Cloud Security, select Regulatory compliance from the left menu items.

  7. Select Manage compliance standards on the toolbar.

  8. Select your subscription.

    Hint: Select Expand all to find your subscription if you have a hierarchy of Management Groups.

  9. Under Settings, select Security policies in the portal menu.

  10. Scroll down and review the “Security standards” available to you by default.

  11. Use the search box to find ISO 27001:2013.

  12. Move the Status slider to the right of ISO 27001:2013 to On.

    Note: Some standards require you to assign an Azure Policy initiative.

  13. Select Refresh on the page menu to confirm that ISO 27001:2013 is set to On for your subscription.

  14. Still on the Security policies page, use the search bar to find SOC 2 Type 2 and select its toggle to change the status to On.

  15. On the Set parameters blade, enter the following details and select Save.

    • Allowed registry or registries regex: []
    • Max allowed CPU units: 200m
    • Max allowed memory bytes: 1
  16. Close the Security policies page by selecting the ‘X’ in the upper right of the page to return to Environment settings.

  17. Navigate back to Regulatory compliance. To view the recently added standards, select Show all.

    Note: It can take up to two hours for newly added standards to appear under the Lowest compliance regulatory standards tile. Move on to the next step; you can review the standards later.
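Enabling a standard in the Regulatory compliance blade creates an assignment of that standard's built-in Azure Policy initiative at subscription scope, so the same result can be produced from PowerShell, which matters when a baseline has to be applied to many subscriptions. The following is an added example, not part of the original lab: it assigns the built-in ISO 27001:2013 initiative with the Az PowerShell modules. It assumes an authenticated Az session (Connect-AzAccount), Az.Resources output objects in the `.Properties.DisplayName` style, and rights to create policy assignments on the subscription; the assignment name `iso27001-2013` is an arbitrary choice.

```powershell
# Added example (not from the original lab): enable a regulatory compliance standard
# from PowerShell instead of the portal. Assumes Connect-AzAccount has already been run
# and the Az.Resources module is installed.

$standardName   = 'ISO 27001:2013'            # display name of the built-in initiative (step 11)
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# Locate the built-in initiative by display name rather than hard-coding its GUID.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $standardName }
if (-not $initiative) { throw "Built-in initiative '$standardName' not found." }

# Idempotent: reuse an existing assignment of this initiative at this scope if one exists.
$existing = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { $_.Properties.PolicyDefinitionId -eq $initiative.PolicySetDefinitionId }

if ($existing) {
    Write-Host "'$standardName' is already assigned at $scope (assignment: $($existing.Name))."
} else {
    $assignment = New-AzPolicyAssignment -Name 'iso27001-2013' `
        -DisplayName $standardName `
        -Scope $scope `
        -PolicySetDefinition $initiative
    Write-Host "Assigned '$standardName' as $($assignment.ResourceId)."
}

# Standards that prompt for parameters in the portal (SOC 2 Type 2, step 15) expose the same
# parameters on the initiative; inspect $initiative.Properties.Parameters for their names
# and pass values with -PolicyParameterObject on New-AzPolicyAssignment.
```

As in the portal, the new assignment shows up under Regulatory compliance only after the next compliance evaluation, so the confirmation step is `Get-AzPolicyAssignment -Scope $scope` rather than the dashboard.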

Task 2: Explore Workload protections

In this task, you’ll review Workload protections.

  1. In the left navigation menu, expand Cloud Security section, and select Workload protections.

  2. On the Workload protections page, you can see the Defender plan coverage of the connected resources in the currently selected subscription. Coverage should read 100%, meaning every applicable Defender plan is enabled for those resources; anything less means some resource types are not yet covered by a plan. You can also view the recent security alerts, color-coded by severity.

  3. Next, select Inventory under the General section of Microsoft Defender for Cloud. It shows the number of unmonitored VMs alongside the total number of resources; you should expect zero unmonitored VMs. Resources are classified according to their health status.

Task 3: Mitigate security alerts

In this task, you’ll load sample security alerts and review the alert details.

  1. Under General, select Security alerts in the portal menu.

  2. Select Sample alerts from the command bar.

    Hint: You may need to select the ellipsis (…) button on the command bar.

  3. In the Create sample alerts (Preview) pane, make sure your subscription is selected and that all sample alerts are selected in the Defender for Cloud plans area.

  4. Select Create sample alerts.

    Note: This sample alert creation process may take a few minutes to complete, wait for the “Successfully created sample alerts” notification.

  5. Once completed, select Refresh (if needed) to see the alerts appear under the Security alerts area.

  6. Choose an interesting alert with a Severity of High and perform the following actions:

    • Select the alert checkbox and the alert detail pane should appear. Select View full details.

    • Review and read the Alert details tab.

    • Select the Take action tab or scroll down and select the Next: Take Action button at the end of the page.

    • Review the Take action information. Notice the sections available to take action depending on the type of alert: Inspect resource context, Mitigate the threat, Prevent future attacks, Trigger automated response and Suppress similar alerts.
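The two checks in this exercise, plan coverage (Task 2) and High-severity alert triage (Task 3), can be reproduced with the Az.Security module, which is how an analyst would script them across subscriptions. The following is an added example and not part of the original lab. It assumes an authenticated Az session (Connect-AzAccount) with Security Reader or higher on the subscription, that the `[SAMPLE ALERT]` display-name prefix marks the alerts generated in step 4 (adjust the filter if your tenant labels them differently), and that the alert properties used (`Severity`, `Status`, `TimeGeneratedUtc`, `AlertDisplayName`, `CompromisedEntity`, `Description`, `RemediationSteps`) follow the Az.Security alert object.

```powershell
# Added example (not from the original lab): the Task 2 and Task 3 checks from PowerShell.
# Assumes Connect-AzAccount has already been run and the Az.Security module is installed.

# --- Task 2: coverage. "100%" on the Workload protections page means every Defender plan
# that applies to the subscription is on the Standard (paid) tier; a plan still on Free is
# a coverage gap.
$plans = Get-AzSecurityPricing
$plans | Select-Object Name, PricingTier | Format-Table -AutoSize

$gaps = $plans | Where-Object { $_.PricingTier -ne 'Standard' }
if ($gaps) {
    Write-Warning ("Plans not on the Standard tier: " + ($gaps.Name -join ', '))
    # Close a gap for a specific plan, e.g. servers:
    # Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'
}

# --- Task 3: triage. Active High-severity alerts, newest first, with the fields an analyst
# reads first. The IsSample flag relies on the '[SAMPLE ALERT]' prefix (assumption).
$alerts = Get-AzSecurityAlert |
    Where-Object { $_.Severity -eq 'High' -and $_.Status -eq 'Active' } |
    Sort-Object TimeGeneratedUtc -Descending

$alerts | ForEach-Object {
    [pscustomobject]@{
        Generated = $_.TimeGeneratedUtc
        Alert     = $_.AlertDisplayName
        Resource  = $_.CompromisedEntity
        IsSample  = $_.AlertDisplayName -like '[[]SAMPLE ALERT]*'   # '[[]' matches a literal '['
    }
} | Format-Table -AutoSize

# Remediation guidance for the newest alert: the same text the portal shows under
# "Mitigate the threat" on the Take action tab.
if ($alerts) {
    $first = $alerts[0]
    Write-Host "`n$($first.AlertDisplayName)`n$($first.Description)`n"
    $first.RemediationSteps | ForEach-Object { Write-Host " - $_" }
}
```

Filtering on `Status -eq 'Active'` keeps dismissed and resolved alerts out of the queue; drop that condition when you want the full history the portal shows with its default filters removed.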

You have completed the lab