Enable Microsoft Defender Standard Pricing Tier

Risk level: Medium (should be achieved)
Rule ID: SecurityCenter-001

Ensure that Microsoft Defender for Cloud standard pricing tier (also known as enhanced security plan) is active in order to enable threat detection for networks and virtual machines, provide threat intelligence, anomaly detection, and behavior analytics within the protected subscription.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling Microsoft Defender for Cloud standard pricing tier allows for better security assessment with threat detection provided by the Microsoft Security Response Center (MSRC), advanced security policies, adaptive application control, network threat detection, and regulatory compliance management.


Audit

To determine if the standard pricing tier (enhanced security plan) is enabled within the Microsoft Defender for Cloud settings, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans.

06 On the Defender plans page, check which pricing tier box is selected for the subscription. If the selected box is Enhanced security off, the Microsoft Defender for Cloud standard pricing tier (i.e. enhanced security plan) is not enabled for the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run the account get-access-token command (Windows/macOS/Linux) with custom query filters, and pass the returned subscription ID and access token to the Azure management REST API, to describe the Microsoft Defender for Cloud pricing tier enabled for the current Azure subscription:

# $0 = subscription ID, $1 = access token (the two tsv columns read by xargs)
az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2017-08-01-preview"' | jq '.value[] | select(.name=="default") | .properties.pricingTier'

02 The command output should return the name of the active pricing tier:

"Free"

If the account get-access-token command output returns "Free", as shown in the example above, the enhanced security is off, therefore the Microsoft Defender for Cloud standard pricing tier is not enabled for the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription available in your Azure cloud account.
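The check in steps 1 – 3, applied to saved API responses from several subscriptions at once. This is an added example, not part of Conformity or of the original page; it goes beyond the single-subscription case by also handling responses that carry no "default" pricing entry. The function names, subscription labels and sample responses are constructed for illustration.

```python
import json

def pricing_tier(body):
    """Return pricingTier of the "default" pricing entry, or None if absent."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return None
    # The list endpoint wraps entries in "value"; a by-name response is one object.
    entries = doc["value"] if isinstance(doc.get("value"), list) else [doc]
    for entry in entries:
        if isinstance(entry, dict) and entry.get("name") == "default":
            return (entry.get("properties") or {}).get("pricingTier")
    return None

def audit(responses):
    """Map subscription -> finding; anything that is not "Standard" never passes."""
    findings = {}
    for sub, body in responses.items():
        try:
            tier = pricing_tier(body)
        except json.JSONDecodeError:
            tier = None  # empty or truncated body: treat as unknown, not as a pass
        if tier == "Standard":
            findings[sub] = "PASS"
        elif tier == "Free":
            findings[sub] = "FAIL: enhanced security off"
        else:
            findings[sub] = "UNKNOWN: no default pricing tier in response"
    return findings

def _entry(sub, tier):
    # Constructed entry in the response format shown on this page.
    return {"id": f"/subscriptions/{sub}/providers/Microsoft.Security/pricings/default",
            "name": "default", "type": "Microsoft.Security/pricings",
            "properties": {"pricingTier": tier}}

# Constructed sample responses (hypothetical subscription labels, not real IDs).
SAMPLE = {
    "sub-free": json.dumps({"value": [_entry("sub-free", "Free")]}),
    "sub-standard": json.dumps(_entry("sub-standard", "Standard")),
    "sub-denied": json.dumps({"error": {"code": "AuthorizationFailed"}}),
    "sub-empty": "",
}

if __name__ == "__main__":
    for sub, finding in audit(SAMPLE).items():
        print(sub, finding)
```

An UNKNOWN finding usually means the token lacked read access to the subscription or the request failed, so it should be investigated rather than counted as compliant.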

Remediation / Resolution

To activate Microsoft Defender for Cloud standard pricing tier (also known as enhanced security plan), perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans.

06 On the Defender plans configuration page, select the Enable all Microsoft Defender for Cloud plans box to enable the Microsoft Defender for Cloud standard pricing tier. Choose Save to apply the changes. By default, the enhanced security plan will be enabled for all the supported Azure cloud resources.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command, where the "pricingTier" parameter value is set to "Standard" to enable the enhanced security plan. Save the configuration document to a JSON file named enable-enhanced-security-plan.json and replace the highlighted details, i.e. <azure-subscription-id>, with your own Azure account subscription ID:

{
   "id":"/subscriptions/<azure-subscription-id>/providers/Microsoft.Security/pricings/default",
   "name":"default",
   "type":"Microsoft.Security/pricings",
   "properties":{
      "pricingTier":"Standard"
   }
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-enhanced-security-plan.json file), to enable the Microsoft Defender for Cloud standard pricing tier. By default, the standard pricing tier will be enabled for all the supported Azure cloud resources:

# $0 = subscription ID, $1 = access token; the JSON file is sent as the PUT body
az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/default?api-version=2017-08-01-preview" -d@"enable-enhanced-security-plan.json"'

03 The command output should return information about the modified configuration parameter:

{
   "id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/default",
   "name":"default",
   "type":"Microsoft.Security/pricings",
   "properties":{
      "pricingTier":"Standard"
   }
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

References

Publication date May 21, 2019
