Learning Path 3 - Lab 1 - Exercise 2 - Mitigate threats using Microsoft Defender for Cloud

Lab scenario

Lab overview

You are a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Explore Regulatory Compliance

In this task, you will review Regulatory compliance configuration in Microsoft Defender for Cloud.

Important: The next steps are done on a different machine than the one you were previously working on. Look for the Virtual Machine name references.

  1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

  2. In the Edge browser, open the Azure portal at https://portal.azure.com.

  3. In the Sign in dialog box, copy and paste the Tenant Email account provided by your lab hosting provider and then select Next.

  4. In the Enter password dialog box, copy and paste the Tenant Password provided by your lab hosting provider and then select Sign in.

  5. In the Search bar of the Azure portal, type Defender, then select Microsoft Defender for Cloud.

  6. Under Cloud Security, select Regulatory compliance in the portal menu.

  7. Select Manage compliance policies on the toolbar.

  8. Select your subscription.

    Hint: Select Expand all to find your subscription if you have a hierarchy of Management Groups.

  9. Under Settings, select Security policy in the portal menu.

  10. Scroll down and review the “Security standards” available to you by default.

  11. Use the search box to find ISO 27001:2013.

  12. Move the Status slider to the right of ISO 27001:2013 to On.

    Note: Some standards require you to assign an Azure Policy initiative.

  13. Select Refresh on the page menu to confirm that ISO 27001:2013 is set to On for your subscription.

  14. Close the Security policies page by selecting the ‘X’ on the upper right of the page to go back to the Environment settings.

    Note: You might want to return later to Regulatory compliance to review the new standard controls and recommendations.
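The following is an added example and is not part of the lab. It confirms from PowerShell, on WIN1 or any machine with the Az modules, that the standard switched on in Task 1 is backed by an Azure Policy initiative assignment on the subscription, and reads the compliance state Defender for Cloud reports for it. It assumes the assignment's display name matches the portal label 'ISO 27001:2013', that the regulatory compliance API refers to the same standard as 'ISO-27001', and that you have already run Connect-AzAccount with at least Reader and Security Reader rights.

```powershell
# Added example, not part of the lab: verify the Task 1 toggle from PowerShell.
# Requires Az.Accounts, Az.Resources and Az.Security, and an existing Connect-AzAccount session.
# Assumptions: the assignment display name equals the portal label 'ISO 27001:2013';
# the regulatory compliance API names the same standard 'ISO-27001'.
param(
    [string]$SubscriptionId      = (Get-AzContext).Subscription.Id,
    [string]$StandardDisplayName = 'ISO 27001:2013',
    [string]$StandardApiName     = 'ISO-27001'
)

# Az.Resources 7.x exposes policy properties directly on the object; earlier versions
# nest them under .Properties. Read whichever shape is present.
function Get-PolicyProperty($obj, [string]$propertyName) {
    if ($obj.PSObject.Properties[$propertyName]) { return $obj.$propertyName }
    return $obj.Properties.$propertyName
}

$scope = "/subscriptions/$SubscriptionId"

# 1. Turning a standard On in Security policy creates an initiative assignment.
#    Print each match with its own scope, so an assignment inherited from a
#    management group is distinguishable from one made on this subscription.
$assignments = Get-AzPolicyAssignment -Scope $scope |
    Where-Object { (Get-PolicyProperty $_ 'DisplayName') -eq $StandardDisplayName }

if (-not $assignments) {
    Write-Warning "No policy assignment with display name '$StandardDisplayName' found for $scope. Re-check the Status slider and select Refresh."
} else {
    foreach ($a in $assignments) {
        "Assignment '{0}' at scope {1}`n  initiative: {2}" -f $a.Name,
            (Get-PolicyProperty $a 'Scope'),
            (Get-PolicyProperty $a 'PolicyDefinitionId')
    }
}

# 2. Compliance roll-up for the standard. Controls are evaluated asynchronously,
#    so a newly enabled standard can take hours to show up here.
$standard = Get-AzSecurityRegulatoryComplianceStandard |
    Where-Object Name -eq $StandardApiName

if (-not $standard) {
    Write-Warning "Standard '$StandardApiName' is not reported yet; re-run after the assessments have completed."
    return
}

"{0}: state={1} passed={2} failed={3} skipped={4} unsupported={5}" -f $standard.Name,
    $standard.State, $standard.PassedControls, $standard.FailedControls,
    $standard.SkippedControls, $standard.UnsupportedControls

# 3. Failed controls are what surface as recommendations in Task 2.
Get-AzSecurityRegulatoryComplianceControl -StandardName $StandardApiName |
    Where-Object State -eq 'Failed' |
    Sort-Object FailedAssessments -Descending |
    Select-Object Name, Description, FailedAssessments, PassedAssessments |
    Format-Table -AutoSize -Wrap
```

Run it once right after step 13 (expect the assignment but possibly no compliance data yet) and again after the 24-hour recalculation noted in Task 2; the difference between the two runs is the set of controls the new standard added to your posture.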

Task 2: Explore Security posture and recommendations

In this task, you will review cloud security posture management. The Secure Score information can take 24 hours to recalculate. It is recommended to do this task again in 24 hours.

  1. Under Cloud Security, select Security posture in the portal menu.

  2. The Secure score will default to the Azure environment.

  3. Under the Environment tab, select View recommendations >.

  4. On the Recommendations page, select the All recommendations tab.

    Note: You could also use the Secure score recommendations.

  5. Select the Resource type filter and the Value dropdown selector.

  6. Select the Machines - Azure Arc checkbox and then select the OK button.

  7. Select any recommendation where the status is not “Completed”.

  8. Read through the recommendation and scroll down to select the WINServer checkbox. Hint: You might need to expand and scroll down through Affected resources to display it.

  9. Select Assign owner and then expand Assignment details.

  10. In the Set owner Email address box, type in your admin email. Hint: You can copy it from the instructions in the Resources tab.

  11. Explore the Set remediation timeframe and Set email notifications options and select Create.

    Note: If you see the error Failed to create requested assignments, try again later.

  12. Close the recommendation page by selecting the ‘X’ on the upper right of the window.
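The following is an added example and is not part of the lab. It is the PowerShell view of Task 2: instead of filtering the Recommendations page by Resource type and scrolling through Affected resources, it lists the assessments Defender for Cloud holds for one Azure Arc-connected machine and separates the open (Unhealthy) ones. It assumes the machine is named WINServer as in the lab, that Az.Security is installed with a signed-in session, and that the assessment objects expose DisplayName, Status.Code, Status.Cause and ResourceDetails.Id as documented for Az.Security.

```powershell
# Added example, not part of the lab: open recommendations for one Arc machine.
# Requires Az.Security and an existing Connect-AzAccount session.
# Assumptions: machine name WINServer; PSSecurityAssessment exposes DisplayName,
# Status.Code, Status.Cause and ResourceDetails.Id.
param(
    [string]$MachineName = 'WINServer'
)

# Arc-enabled servers are Microsoft.HybridCompute/machines resources, and every
# assessment carries the full resource ID of the resource it evaluated.
$arcType = 'Microsoft.HybridCompute/machines'
$pattern = "(?i)$([regex]::Escape($arcType))/$([regex]::Escape($MachineName))$"

$assessments = @(Get-AzSecurityAssessment |
    Where-Object { $_.ResourceDetails.Id -match $pattern })

if ($assessments.Count -eq 0) {
    Write-Warning "No assessments found for $arcType/$MachineName. Confirm the machine is Arc-connected and has reported in."
    return
}

# Healthy / Unhealthy / NotApplicable counts, the same split the portal's status column shows.
$assessments |
    Group-Object { $_.Status.Code } |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Open recommendations: everything the portal lists with a status other than Completed.
$assessments |
    Where-Object { $_.Status.Code -eq 'Unhealthy' } |
    Sort-Object DisplayName |
    Select-Object DisplayName,
                  @{ Name = 'Cause'; Expression = { $_.Status.Cause } },
                  Name |
    Format-Table -AutoSize -Wrap
```

The Name column is the assessment key; it stays constant across machines, so the same script run against every Arc server gives you a fleet-wide count per recommendation, which is how the Assign owner step scales beyond a single host.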

Task 3: Mitigate security alerts

In this task, you will load sample security alerts and review the alert details.

  1. Under General, select Security alerts in the portal menu.

  2. Select Sample alerts from the command bar. Hint: You may need to select the ellipsis (…) button from the command bar.

  3. In the Create sample alerts (Preview) pane make sure your subscription is selected and that all sample alerts are selected in the Defender for Cloud plans area.

  4. Select Create sample alerts.

    Note: This sample alert creation process may take a few minutes to complete, wait for the “Successfully created sample alerts” notification.

  5. Once completed, select Refresh (if needed) to see the alerts appear under the Security alerts area.

  6. Choose an interesting alert with a Severity of High and perform the following actions:

    • Select the alert checkbox; the alert detail pane appears. Select View full details.

    • Review and read the Alert details tab.

    • Select the Take action tab or scroll down and select the Next: Take Action button at the end of the page.

    • Review the Take action information. Notice the sections available to take action depending on the type of alert: Inspect resource context, Mitigate the threat, Prevent future attacks, Trigger automated response and Suppress similar alerts.
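The following is an added example and is not part of the lab. It is the scripted counterpart of Task 3: it lists the active High-severity alerts (sample alerts use the same schema as real ones), groups them by the resource they point at, and shows how the Take action pane maps to Set-AzSecurityAlert. It assumes Az.Security is installed with a signed-in session, that the sample alerts were created in the current subscription, that the alert objects expose Severity, Status, AlertDisplayName, CompromisedEntity, Intent, StartTimeUtc and RemediationSteps as documented for Az.Security, and that $DismissName is a placeholder for the alert you have finished reviewing.

```powershell
# Added example, not part of the lab: triage the Task 3 alerts from PowerShell.
# Requires Az.Security and an existing Connect-AzAccount session.
# Assumptions: alerts live in the current subscription; PSSecurityAlert exposes
# Severity, Status, AlertDisplayName, CompromisedEntity, Intent, StartTimeUtc,
# RemediationSteps; $DismissName is a placeholder for one reviewed alert.
param(
    [string]$DismissName = ''   # Name of one reviewed alert to dismiss; empty = list only
)

$alerts = @(Get-AzSecurityAlert)

$high = @($alerts |
    Where-Object { $_.Severity -eq 'High' -and $_.Status -eq 'Active' } |
    Sort-Object StartTimeUtc -Descending)

"{0} alerts total, {1} active High" -f $alerts.Count, $high.Count

# What an analyst reads first: what happened, on which resource, at which attack stage.
$high |
    Select-Object StartTimeUtc, AlertDisplayName, CompromisedEntity, Intent, Name |
    Format-Table -AutoSize -Wrap

# Several High alerts converging on one resource outrank the same number spread thin.
$high |
    Group-Object CompromisedEntity |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

if (-not $DismissName) { return }

# Take action on one alert: print Defender's remediation steps (the "Mitigate the
# threat" section of the portal pane), then dismiss it. Dismiss is a write: for a
# real alert, record the justification in your case before running this.
# Set-AzSecurityAlert needs the alert's region, which is embedded in its resource ID
# as /locations/<region>/alerts/<name>.
$alert = $alerts | Where-Object Name -eq $DismissName
if (-not $alert) { throw "Alert '$DismissName' not found in this subscription." }

$location = ([regex]::Match($alert.Id, '/locations/([^/]+)/')).Groups[1].Value

"Remediation steps for '{0}':" -f $alert.AlertDisplayName
$alert.RemediationSteps | ForEach-Object { "  - $_" }

Set-AzSecurityAlert -Location $location -Name $alert.Name -ActionType Dismiss
"Dismissed {0} ({1})" -f $alert.Name, $alert.AlertDisplayName
```

Dismissing from the script does the same thing as the portal's dismiss action; the Suppress similar alerts option in the Take action pane goes further and creates a suppression rule that hides future matches, which this script deliberately does not do.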

You have completed the lab.