Enable Azure Defender for Virtual Machine Servers

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: SecurityCenter-032

Ensure that the Azure Defender security feature is enabled for the virtual machine (VM) servers provisioned in your Azure cloud account. The threat detection and protection capabilities provided by Azure Defender for virtual machine servers include vulnerability assessment scanning, file integrity monitoring (also known as change monitoring), Just-in-time (JIT) virtual machine access monitoring, adaptive network hardening (ANH), fileless attack detection, and Docker host hardening.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

By default, the security feature is not enabled for your virtual machine servers. Enabling Azure Defender for Microsoft Azure virtual machines (VMs) allows for better defense-in-depth with threat detection capabilities provided by the Microsoft Security Response Center (MSRC).


Audit

To determine if the Azure Defender feature is enabled for your virtual machine (VM) servers, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure subscription that you want to examine, to access the Azure Security Center pricing and settings.

05 In the left navigation panel, under Settings, choose Azure Defender plans to view the Azure Defender pricing plans available for your subscription.

06 Select Azure Defender on to make sure that the security feature is enabled for the selected subscription, and check the Azure Defender pricing plan status for Servers, available in the Plan column. If the pricing plan status for Servers is set to Off, Azure Defender is not enabled for the Azure virtual machine (VM) servers provisioned in the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters to return the pricing tier configured for the Azure Defender plan that covers Azure virtual machines (VMs), i.e. the VirtualMachines plan, within the current subscription:

# Fetch the subscription ID and a bearer token, then GET the Security Center
# pricing plans and print the tier of the "VirtualMachines" plan.
az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01' | jq '.value[] | select(.name=="VirtualMachines") | .properties.pricingTier'

02 The command output should return the name of the pricing tier currently configured for the plan:

"Free"

If the account get-access-token command output does not return "Standard" as the pricing tier, Azure Defender is not enabled for the Azure virtual machine (VM) servers provisioned within the current subscription.

03 Repeat steps no. 1 and 2 for each Microsoft Azure subscription available in your cloud account.

Remediation / Resolution

To enable Azure Defender for your Microsoft Azure virtual machine (VM) servers, perform the following actions:

Note: Turning on Azure Defender in Azure Security Center (ASC) incurs an additional cost per resource.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Security Center blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/.

03 In the blade navigation panel, under Management, choose Pricing & Settings.

04 On the Pricing & Settings page, click on the name of the Azure cloud subscription that you want to access.

05 In the left navigation panel, under Settings, choose Azure Defender plans to view the Azure Defender pricing plans available for the selected subscription.

06 Select Azure Defender on to make sure that the security feature is enabled for your subscription, then choose On for the Servers pricing plan listed in the Plan column, to enable Azure Defender for Azure virtual machine (VM) servers. Choose Save from the blade main menu to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your cloud account.

Using Azure CLI

01 Define the request body for the account get-access-token command, which enables the Azure Defender pricing plan for Azure virtual machines by setting the plan's pricing tier to "Standard". Replace the placeholder <azure-subscription-id> with your own Azure subscription ID and save the following content to a JSON file named enable-defender-for-vm-servers.json:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/VirtualMachines",
  "name": "VirtualMachines",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard"
  }
}

02 Run the account get-access-token command (Windows/macOS/Linux) using the request body defined at the previous step (i.e. the enable-defender-for-vm-servers.json file) to turn on Azure Defender for Azure virtual machine (VM) servers in the selected subscription:

# Fetch the subscription ID and a bearer token, then PUT the "Standard" tier
# to the "VirtualMachines" pricing plan using the JSON body saved above.
az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/VirtualMachines?api-version=2018-06-01 -d@"enable-defender-for-vm-servers.json"'

03 The command output should return the information available for the enabled pricing tier:

{
  "id": "/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/VirtualMachines",
  "name": "VirtualMachines",
  "type": "Microsoft.Security/pricings",
  "properties": {
    "pricingTier": "Standard",
    "freeTrialRemainingTime": "PT0S"
  }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your cloud account.
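The Audit and Remediation CLI steps above both drive the same Microsoft.Security/pricings REST resource: a GET lists every plan with its pricingTier, and a PUT on the VirtualMachines plan sets that tier to "Standard". The following Python script is an added example, not Conformity's or Microsoft's own code, that evaluates a pricings response the way this rule does (Standard = pass, Free or a missing VirtualMachines entry = fail) and builds the matching remediation URL and request body. It assumes only the response shape shown on this page; the sample response embedded below is constructed, with a zeroed subscription ID, so the script runs offline.

```python
"""Evaluate Microsoft.Security/pricings responses for the SecurityCenter-032 check.

Added example (not Conformity's or Microsoft's code). Assumes the REST response
shape shown on the rule page: a JSON object whose "value" array holds one entry
per plan, each carrying "name" and "properties.pricingTier".
"""
import json
from typing import Dict, Optional

API_VERSION = "2018-06-01"      # same api-version as the page's curl commands
VM_PLAN = "VirtualMachines"     # pricing plan that covers VM servers
REQUIRED_TIER = "Standard"      # Azure Defender on; "Free" means off

# Constructed sample: a GET on .../providers/Microsoft.Security/pricings for a
# subscription where the Servers plan is still Off (VirtualMachines = Free).
SAMPLE_PRICINGS_RESPONSE = json.dumps({
    "value": [
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/VirtualMachines",
            "name": "VirtualMachines",
            "type": "Microsoft.Security/pricings",
            "properties": {"pricingTier": "Free"},
        },
        {
            "id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Security/pricings/StorageAccounts",
            "name": "StorageAccounts",
            "type": "Microsoft.Security/pricings",
            "properties": {"pricingTier": "Standard"},
        },
    ]
})


def pricing_tiers(response_body: str) -> Dict[str, str]:
    """Map each plan name in a pricings response to its pricingTier."""
    doc = json.loads(response_body)
    tiers: Dict[str, str] = {}
    for plan in doc.get("value", []):
        name = plan.get("name")
        tier = plan.get("properties", {}).get("pricingTier")
        if name and tier:
            tiers[name] = tier
    return tiers


def vm_servers_tier(response_body: str) -> Optional[str]:
    """Return the VirtualMachines tier, or None when the plan is absent from the response."""
    return pricing_tiers(response_body).get(VM_PLAN)


def audit_vm_servers(response_body: str) -> Dict[str, object]:
    """Decide the SecurityCenter-032 result for one subscription.

    A missing VirtualMachines entry is reported as non-compliant too, because the
    check cannot prove the plan is on without seeing its tier.
    """
    tier = vm_servers_tier(response_body)
    compliant = tier == REQUIRED_TIER
    if tier is None:
        reason = "VirtualMachines plan not present in pricings response"
    elif compliant:
        reason = "pricingTier is Standard"
    else:
        reason = f"pricingTier is {tier}, expected {REQUIRED_TIER}"
    return {"compliant": compliant, "tier": tier, "reason": reason}


def enable_request_body(subscription_id: str) -> str:
    """Build the PUT body that turns the plan on (same shape as enable-defender-for-vm-servers.json)."""
    body = {
        "id": f"/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings/{VM_PLAN}",
        "name": VM_PLAN,
        "type": "Microsoft.Security/pricings",
        "properties": {"pricingTier": REQUIRED_TIER},
    }
    return json.dumps(body, indent=2)


def pricings_url(subscription_id: str, plan: Optional[str] = None) -> str:
    """URL of the pricings collection (for the audit GET) or of one plan (for the remediation PUT)."""
    base = f"https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Security/pricings"
    if plan:
        base += f"/{plan}"
    return f"{base}?api-version={API_VERSION}"


if __name__ == "__main__":
    result = audit_vm_servers(SAMPLE_PRICINGS_RESPONSE)
    print("SecurityCenter-032:", "PASS" if result["compliant"] else "FAIL", "-", result["reason"])
    if not result["compliant"]:
        # <azure-subscription-id> is the same placeholder the page uses.
        print("Remediation: PUT", pricings_url("<azure-subscription-id>", VM_PLAN))
        print(enable_request_body("<azure-subscription-id>"))
```

Feed the script the JSON returned by the page's GET command (for example by saving the curl output to a file and passing its contents to audit_vm_servers) to get the same pass/fail verdict the rule produces; run it once per subscription, as steps 03 and 04 above require. The body returned by enable_request_body is byte-for-byte the shape the page's enable-defender-for-vm-servers.json uses, so the remediation PUT stays identical to the documented one.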

Publication date Sep 20, 2021
