Microsoft Defender for Cloud 101

Cloud Native CNAPP tool

Featured image

Let’s understand what exactly MDC or Microsoft Defender for Cloud is?

Microsoft Defender for Cloud is CNAPP tool.

CNAPP == Cloud Native Application Protection Platform

So, MDC is cloud native CNAPP tool with a set of security best practices and measures to protect cloud based APPs, Servers , API and resources.

It comes with the 3 loaded features

First let’s understand the problem statement from different stakeholder’s point of view,why do we need MDC?

Decision Makers CISO

Operational Risk

How to reduce operational risk in cloud deployment?
How to meet regulatory compliant

Single Vendor approach and feature consolidation with predictable cost
Compliance and Beyond MDC

Be compliant across estate and leverage existing investment.
SOC Analyst

Security Engineer

Workload Owner
Context, Control and Prevention

How to see context and determine security level?

Control over policy

Identify the right patch\action pre-deployment
Unified View , Coverage and Business Context

Unified views of all events from all sensors with description

Avoid agent complexity and be independent with 100% coverage

Calculate business risk and how it is linked with one's code?
Pro-Active, Confidence in change with Native solution

Identification of what's broken? RED teaming approach

Change assignment

It should be native with streamline changes during code development with runtime failure.
Cloud Architect

Operational Risk, Controls

Security towards left approach

Operational risk assessment
Comprehensive Coverage

Multi cloud support with one vendor with multi pipeline
Control and Standards

Fit natively with existing blueprint, minimal changes needed with support of standard framework

Now we do have understanding of requirements as per different stakeholder point of view, now let’s understand the who exactly Security Engineers, Security Analyst, WOrkload Owner are? and what their responsiblity wrt MDC?

Security Engineers usually incharge of maintainig and updating tools and systems.

Plan enablement

Alert tuning


Agent and extension monitoring

Security Analyst aka first responder who reports on cybersecurity threats and implements any changes needed to protect the organisation.

Alert Investigation and Response

Proactive detection /campaign detection

Action on regulatory compliance recommendation

Workload Owner they are responsible for deploying workloads and remediating misconfigurations and vulnerabilities the security team discovers.

Remediate misconfigurations

Asset Inventory

Regulatory compliance

Data Visualisation

Now let’s briefly understand the features of Microsoft Defender for cloud:-

Highlevel Dashboard of Microsoft Defender for cloud Alt text

We can strengthen multicloud security posture through Secure Score , Policy and Compliance and Automation .It leverage the Azure Arc with multicloud and hybrid workloads plans.It comes with full stack coverage with dedication detection which means we can easliy secure our compute, service layers, Databases and storage etc with MDC

Image(Img src: Microsoft)

Multicloud Protection image


Let’s understand what exactly Defender for Azure Service Layers does?

It helps to detect suspicious activities in Azure Management,Azure DNS and Azure Key Vault. This is agentless solution which means we just need to turn it ON.



Microsoft Defender for Servers

It is a complement EDR with incrased visibility,detection and prevention with following features:-


We can turn on built-in vulnerability assessment for VMs with automated deployment of the vulnerability scanner.It continusously scans installed applications to find vulnerabilities for Linux and Windows VMs. It is powered by Qualys so gives us freedom to choose between Qualys and Microsoft threat and vulnerability management capabilities.


How to on-board MDC to subscription?

Before jumping over the onboarding process, let’s do a quick basic requirements setup in a place.

  1. Management group hierarchy definition in your Azure environment according to the organisation’s needs.
  2. We have already decided on a log Analytics workspace design either centralized or distributed.

Considering above steps are configured, now there are 4 major steps for MDC on-boarding

  1. Enable Microsoft Deender for Cloud on a subscription
  2. Make sure Azure Security Benchmark is assigned
  3. Enable Defender for cloud Plans
  4. Configure Auto-provisioning

How to register the resource provider?

    "type": Microsoft.Security/pricings",
    "apiVersion": "2018-06-01",
    "name": "VirtualMachines",
    "properties": {
        "pricingTier": "free"

How to enable Defender for Cloud plans at scale?

    "type": Microsoft.Security/pricings",
    "apiVersion": "2018-06-01",
    "name": "VirtualMachines",
    "properties": {
        "pricingTier": "Standard"

and enable policy.

Thanks for reading blog, let’s keep troubleshooting