Exercise 3 - Explore Secure Score, Recommendations and Inventory

Lab scenario

Previously, we briefly explored the Secure score tile on the overview page. Now let’s dive into this capability and the associated recommendations. Microsoft Defender for Cloud continually assesses your resources. All findings are aggregated into a single score (Secure score), which measures the current security posture of your subscription; the higher the score, the lower the identified risk level.

Task 1: Exploring Secure Score

  1. In the Search bar of the Microsoft Azure portal, type Defender, then select Microsoft Defender for Cloud.

  2. In the Microsoft Defender for Cloud left navigation menu, under the Cloud Security section, select on the Security posture button.

  3. On the Secure score page, review your current overall secure score percentage.

    Note: Your score is shown as a percentage value, but you can also see the number of points on which the score is being calculated based on. For more information on how the score is calculated, refer to the secure score documentation page.

  4. On the bottom part, you can see a list of subscriptions and their current score. To view the recommendations behind the score, select view recommendations.

Task 2: Exploring Security Controls and Recommendations

  1. In the Microsoft Defender for Cloud left navigation menu, under the General section, select Recommendations.

  2. On the Recommendations page, select the Switch to classic view link from the top menu. Notice the first part of the page; the summary view, which includes the current Secure score, progress on the recommendations (both completed security controls and recommendations) and resource health (by severity).

  3. On the top menu, select the Download CSV report button – this allows you to get a snapshot of your resources, their health status, and the associated recommendations. You can use it for pivoting and reporting.

  4. Select a Recommendation from the drop down list to review the format such as Storage account public access should be disallowed.

    Note: If that recommendation is not available in the lab environment, select one that is available.

  5. On the top section, notice the following:

    • Title of the recommendation: Storage account public access should be disallowed
    • Top menu controls: Exempt, Deny, View policy definition and Open query
    • Severity indicator: Medium
    • Freshness interval: 30 Min
    • Tactics and techniques: Initial Access

  6. The next important part is the Remediation Steps which contains the remediation logic where you can remediate the selected resource/s.

    Info: In the recommendation list, you can now see some recommendations flagged as in the preview. They aren’t included in the calculation of your score. They should be still remediated so that when the preview period ends, they will contribute towards your final score.

Task 3: : Exploring the Inventory capability

The Asset inventory dashboard allows you to get a single pane of glass view of all your resources covered by Microsoft Defender for Cloud. It also provides per-resource visibility to all Microsoft Defender for Cloud’s information and additional resource details including security posture and protection status. Since this dashboard is based on Azure Resource Graph (ARG), you can run queries across subscriptions at a large scale, quickly and easily

  1. From the left navigation menu, under the General section, select Inventory.

  1. In your environment, these numbers may not be the same, since it varies in time

  2. Notice the total number of resources, The total number of resources are the ones that are connected to the Microsoft Defender for Cloud and NOT the total number of resources that you have in your subscriptions.

  3. Notice the number of unhealthy resources, The unhealthy resources are the resources with actionable recommendations based on the selected filter

  4. Use the Filter by name box to search for Windows. You should now see a filtered view containing your desired resource: VM1. Hover on the red bar in the recommendations column to see a tooltip with the active recommendations. You should expect to see Active-xx of xx Recommendations – these are the active recommendations you must attend.

  5. Open the resource health pane by selecting the resource. Select VM1.

  6. On the resource health pane for VM1, review the virtual machine information alongside the recommendation list.

    Note: It could take up to 24 hours for all the recommendations to show up. And it is possible that during lab time, this may not show up – which is the case sometimes. If you don’t see the data in recommendations. You can continue to the next exercise and verify this later.

  7. From the filter pane, remove the Resource type filter, then select Add filter and notice the Security findings filter – it allows you to find all resources that are prone to a specific vulnerability. You can also search for CVE, KB ID, name, and missing update.

  8. From the filter pane, remove the Security findings filter you added in the previous step then from the top menu, select Open query

  9. On the Azure Resource Graph Explorer blade, select Run Query. You should now have the same list of resources and columns as in the previous step. This query is editable for your needs and here it gets very powerful.

  10. Save the query for later use by selecting Save as from the top menu. You can use it to create periodic reports. Name the report as asc-filtered-query and select Save.

Task 4: Understanding pricing

The pricing criteria depend on the plan you enable. In addition, as a part of Foundational CSPM (free), you get several items like Secure Score, Asset Inventory, Security Recommendations, etc.

Refer to the following to learn more about Defender for cloud pricing:

  1. From Microsoft Defender for Cloud navigation menu, select Workbooks and select the Public Templates tab. Next select the Cost Estimation workbook.
  2. In the Cost Estimation workbook, you can observe the estimated pricing for the resources in both the Defender plans for Azure.

Task 5: Overview of CWP capabilities

  1. Navigate to Workload protectionsfrom the Cloud Security section of the Microsoft Defender for Cloud menu to view the Workload Protections Dashboard.

The dashboard includes the following sections:

  • Microsoft Defender for Cloud coverage (1) - Here you can see the resource types that are in your subscription and eligible for protection by Defender for Cloud. Wherever relevant, you can upgrade here as well. If you want to upgrade all possible eligible resources, select Upgrade All.
  • ecurity alerts (2) - When Defender for Cloud detects a threat in any area of your environment, it generates an alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Selecting anywhere in this graph opens the Security Alerts page.
  • Advanced protection (3) - Defender for Cloud includes many advanced threat protection capabilities for virtual machines, SQL databases, containers, web applications, your network, and more. In this advanced protection section, you can see the status of the resources in your selected subscriptions for each of these protections. Select any of them to go directly to the configuration area for that protection type.
  • Insights (4) - This rolling pane of news, suggested reading and high-priority alerts give Defender for Cloud insights into pressing security matters that are relevant to you and your subscription. Whether it’s a list of high-severity CVEs discovered on your VMs by a vulnerability analysis tool, or a new blog post by a member of the Defender for Cloud team, you’ll find it here in the Insights panel.

You have completed the lab