Exercise 2 - Understanding Microsoft Defender for Cloud Dashboard
Lab scenario
You’re a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.
Task 1: Explore Regulatory Compliance
In this task, you’ll review Regulatory compliance configuration in Microsoft Defender for Cloud.
- Log in to the WIN1 virtual machine as Admin with the password: Pa55w.rd.
- In the Microsoft Edge browser, open the Azure portal at https://portal.azure.com.
- In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider, then select Next.
- In the Enter password dialog box, copy and paste the Tenant Password provided by your lab hosting provider, then select Sign in.
- In the Search bar of the Microsoft Azure portal, type Defender, then select Microsoft Defender for Cloud.
- Under Cloud Security, select Regulatory compliance from the left menu items.
- Select Manage compliance standards on the toolbar.
- Select your subscription.
  Hint: Select Expand all to find your subscription if you have a hierarchy of Management Groups.
- Under Settings, select Security policies in the portal menu.
- Scroll down and review the “Security standards” available to you by default.
- Use the search box to find ISO 27001:2013.
- Move the Status slider to the right of ISO 27001:2013 to On.
  Note: Some standards require you to assign an Azure Policy initiative.
- Select Refresh on the page menu to confirm that ISO 27001:2013 is set to On for your subscription.
- Still on the Security policies page, use the search bar to find SOC 2 Type 2. Select the toggle button to change its status to On.
- On the Set parameters blade, enter the following details and select Save.
  - Allowed registry or registries regex: []
  - Max allowed CPU units: 200m
  - Max allowed memory bytes: 1
- Close the Security policies page by selecting the ‘X’ on the upper right of the page to go back to the Environment settings.
- Navigate back to Regulatory compliance. To view the recently added standards, select Show all.
  Note: It can take up to two hours for newly added standards to appear under the Lowest compliance regulatory standard. Move on to the next step; you can review the standards later.
Task 2: Explore Workload protections
In this task, you’ll review Workload protections.
- In the left navigation menu, expand the Cloud Security section and select Workload protections.
- In Workload protections, you can see the coverage of your connected resources for the currently selected subscription. Your current resource coverage should show 100%, which means full protection. You can also view the recent security alerts, color-coded by severity.
- Next, select Inventory from the General section of Microsoft Defender for Cloud. It shows the number of unmonitored VMs alongside the total covered resources; you should expect to have zero unmonitored VMs. Resources are classified according to their health status.
Task 3: Mitigate security alerts
In this task, you’ll load sample security alerts and review the alert details.
- Under General, select Security alerts in the portal menu.
- Select Sample alerts from the command bar. Hint: you may need to select the ellipsis (…) button on the command bar.
- In the Create sample alerts (Preview) pane, make sure your subscription is selected and that all sample alerts are selected in the Defender for Cloud plans area.
- Select Create sample alerts.
  Note: This sample alert creation process may take a few minutes to complete; wait for the “Successfully created sample alerts” notification.
- Once completed, select Refresh (if needed) to see the alerts appear under the Security alerts area.
- Choose an interesting alert with a Severity of High and perform the following actions:
  - Select the alert checkbox; the alert detail pane should appear. Select View full details.
  - Review and read the Alert details tab.
  - Select the Take action tab, or scroll down and select the Next: Take Action button at the end of the page.
  - Review the Take action information. Notice the sections available to take action depending on the type of alert: Inspect resource context, Mitigate the threat, Prevent future attacks, Trigger automated response and Suppress similar alerts.
-
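As an added example (not part of the lab, and not Microsoft's own tooling), the Python below does in code what Tasks 2 and 3 ask you to do in the portal: it counts active alerts per severity, as the color-coded alerts tile does, and builds a triage queue of High severity alerts together with their Take action remediation steps. The alert records are constructed, and the field names are assumed to match the alerts REST schema; a real run would fetch the records from the Security alerts API instead.

```python
# Severity order used by the Security alerts blade (highest first).
SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}

# Constructed sample records, not exported from a tenant. Field names follow the
# 'properties' object of the Microsoft.Security alerts REST schema (assumed).
SAMPLE_ALERTS = [
    {"properties": {"alertDisplayName": "Suspicious authentication activity",
                    "severity": "High", "status": "Active", "compromisedEntity": "Sample-VM",
                    "timeGeneratedUtc": "2024-05-01T10:15:00Z",
                    "remediationSteps": ["Enforce strong passwords", "Review sign-in activity"]}},
    {"properties": {"alertDisplayName": "Access from an anonymizing proxy to a storage account",
                    "severity": "High", "status": "Active", "compromisedEntity": "Sample-Storage",
                    "timeGeneratedUtc": "2024-05-01T09:40:00Z",
                    "remediationSteps": ["Review the storage access logs"]}},
    {"properties": {"alertDisplayName": "Traffic from an IP address recommended for blocking",
                    "severity": "Medium", "status": "Active", "compromisedEntity": "Sample-VM",
                    "timeGeneratedUtc": "2024-05-01T08:05:00Z",
                    "remediationSteps": ["Add an NSG rule to block the address"]}},
    {"properties": {"alertDisplayName": "Suspicious process executed",
                    "severity": "High", "status": "Dismissed", "compromisedEntity": "Sample-VM",
                    "timeGeneratedUtc": "2024-04-30T22:00:00Z", "remediationSteps": []}},
    {"properties": {"alertDisplayName": "Unusual resource configuration change",
                    "severity": "Low", "status": "Active", "compromisedEntity": "Sample-KeyVault",
                    "timeGeneratedUtc": "2024-05-01T11:00:00Z",
                    "remediationSteps": ["Confirm the change with the resource owner"]}},
]


def severity_counts(alerts, status="Active"):
    """Count alerts with the given status per severity, like the alerts tile does."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for alert in alerts:
        props = alert["properties"]
        if props.get("status") == status:
            sev = props.get("severity", "Informational")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def triage_queue(alerts, min_severity="High"):
    """Active alerts at or above min_severity, highest severity first and then oldest
    (ISO-8601 UTC strings sort chronologically), so the longest-open alert is handled first."""
    cutoff = SEVERITY_RANK[min_severity]
    queue = [a["properties"] for a in alerts
             if a["properties"].get("status") == "Active"
             and SEVERITY_RANK.get(a["properties"].get("severity"), 3) <= cutoff]
    queue.sort(key=lambda p: (SEVERITY_RANK[p["severity"]], p["timeGeneratedUtc"]))
    return [(p["alertDisplayName"], p["compromisedEntity"], p["remediationSteps"])
            for p in queue]
```

Dismissed alerts never enter the queue, which mirrors the portal: once you Suppress or dismiss an alert it leaves the active list even though it keeps its original severity.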