Learning Path 3 - Lab 1 - Exercise 2 - Mitigate threats using Microsoft Defender for Cloud

Lab scenario

You are a Security Operations Analyst working at a company that implemented Microsoft Defender for Cloud. You need to respond to recommendations and security alerts generated by Microsoft Defender for Cloud.

Note: An interactive lab simulation is available that allows you to click through this lab at your own pace. You may find slight differences between the interactive simulation and the hosted lab, but the core concepts and ideas being demonstrated are the same.

Task 1: Explore Regulatory Compliance

In this task, you will review Regulatory compliance configuration in Microsoft Defender for Cloud.

Important: The next steps are done in a different machine than the one you were previously working. Look for the Virtual Machine name references.

1. Log in to WIN1 virtual machine as Admin with the password: Pa55w.rd.

2. In the Edge browser, open the Azure portal at (https://portal.azure.com).

3. In the Sign in dialog box, copy, and paste in the Tenant Email account provided by your lab hosting provider and then select Next.

4. In the Enter password dialog box, copy, and paste in the Tenant Password provided by your lab hosting provider and then select Sign in.

5. In the Search bar of the Azure portal, type Defender, then select Microsoft Defender for Cloud.

6. Under Cloud Security, select Regulatory compliance in the portal menu.

7. Select Manage compliance policies on the toolbar.

8. Select your subscription.

9. Under Policy settings, select Security policy in the portal menu.

10. Scroll down and and review the “Industry & regulatory standards” available to you by default. Note that ISO 27001 is now deprecated.

11. Select Add more standards to add the updated ISO 27001:2013 regulatory standard.

12. Select the Add button to right of ISO 27001:2013.

13. A new page to assign the Azure Policy initiative opens. Confirm that your subscription is selected under Scope and click Review and create.

14. Select Create to assign the Azure Policy initiative to your subscription.

15. Select Microsoft Defender for Cloud below the search box to return to the main blade.

    Note: You might want to return later to Regulatory compliance to review the new standard controls and recommendations.

Task 2: Explore Security posture and recommendations

In this task, you will review cloud security posture management. The Secure Score information can take 24 hours to recalculate. It is recommended to do this task again in 24 hours.

1. Under Cloud Security, select Security posture in the portal menu.

2. The Secure score most likely will show N/A until the score is calculated.

3. Under General, select Recommendations in the portal menu.

4. Explore the recommendations provided for your subscription and WINServer (Arc Server).

5. Select any recommendation where the status is not “Completed” for WINServer.

6. Read through the recommendation and scroll down to select WINServer checkbox. Hint: You might need to select Affected resources to display it.

7. Select Assign owner and then Select owner.

8. In the Email address box, write down your admin email. Hint: You can copy it from the instructions in the Resources tab.

9. Select Back, change the Due date to your preference and click Save.

   Note: If you see the error Failed to create requested assignments, try again later.

10. Close the recommendation page by selecting the ‘X’ on the upper right of the window.

Task 3: Mitigate security alerts

In this task, you will load sample security alerts and review the alert details.

1. Under General, select Security alerts in the portal menu.

2. Select Sample alerts from the command bar. Hint: you may need to select the ellipsis (…) button from the command bar).

3. In the Create sample alerts (Preview) pane make sure your subscription is selected and that all sample alerts are selected in the Defender for Cloud plans area.

4. Select Create sample alerts.

   Note: This sample alert creation process may take a few minutes to complete, wait for the “Successfully created sample alerts” notification.

5. Once completed, select Refresh to see the alerts appear under the Security alerts area.

6. For the alerts that grabbed your attention, perform the following actions:

   • Select the alert, information about the alert should appear. Select View full details.

   • Review and read the Alert details tab.

   • Select the Take action tab or select the Next: Take Action button at the end of the page.

   • Review the Take action information. Notice the sections available to take action depending on the type of alert: Inspect resource context, Mitigate the threat, Prevent future attacks, Trigger automated response and Suppress similar alerts.

You have completed the lab.