
Enable Microsoft Defender Standard Pricing Tier


Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-001

Ensure that Microsoft Defender for Cloud Standard Tier (also known as enhanced security plan) is active in order to enable threat detection for networks and virtual machines, provide threat intelligence, anomaly detection, and behavior analytics within the protected subscription. You can configure the list of Azure resource types for which you want to enable Microsoft Defender for Cloud Standard Tier within the rule settings, in your Trend Cloud One™ – Conformity account.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Microsoft Defender for Cloud has two pricing tiers: the Free Tier, which provides basic security features, and the Standard Tier, which offers advanced security capabilities. The key difference between these two tiers is that the Free Tier offers basic security features at no cost, while the Standard Tier (Enhanced Security Plan) provides comprehensive, advanced security features and is billed based on resource usage. Enabling the Standard Tier for Microsoft Defender for Cloud allows for better security assessment with threat detection provided by the Microsoft Security Response Center (MSRC), advanced security policies, adaptive application control, network threat detection, and regulatory compliance management.


Audit

To determine if the Standard Tier (Enhanced Security Plan) is enabled within the Microsoft Defender for Cloud settings, perform the following operations:

Using Azure Console

01 Sign in to your Trend Cloud One™ – Conformity account, access the Enable Microsoft Defender Standard Pricing Tier rule settings, and identify the Azure cloud resource types for which you want to enable the Standard Tier.

02 Sign in to the Microsoft Azure Portal.

03 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

04 In the left navigation panel, under Management, choose Environment settings.

05 Under Azure, click on the name (link) of the Azure subscription that you want to access.

06 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

07 On the Defender plans page, perform the following actions:

  1. Under Cloud Security Posture Management (CSPM), find the Defender CSPM pricing plan, and check the plan status displayed in the Status column. If Cloud Posture is selected in the conformity rule settings, identified at step no. 1, and the Defender CSPM pricing plan status is set to Off, Defender Cloud Security Posture Management (Defender CSPM) is disabled; therefore, the Standard Tier is not enabled for Defender CSPM in the selected Azure subscription.
  2. Under Cloud Workload Protection (CWP), check the pricing plan status displayed in the Status column for each Azure resource type supported by Microsoft Defender for Cloud. If Status is set to Off for one or more Azure resource types selected in the conformity rule settings, identified at step no. 1, the Standard Tier (Enhanced Security Plan) is not enabled for your Azure cloud resources, in the selected subscription.

08 Repeat steps no. 5 – 7 for each subscription created within your Microsoft Azure account.

Using Azure CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access the Enable Microsoft Defender Standard Pricing Tier rule settings, and identify the Azure cloud resource types for which you want to enable the Standard Tier.

02 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

03 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

04 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

05 Run the security pricing list command (Windows/macOS/Linux) with custom output filters to describe the pricing tier for Defender Cloud Security Posture Management (Defender CSPM) and for each Azure resource type supported by Microsoft Defender for Cloud:

az security pricing list --query 'value[?(deprecated!=`true`)].{name:name,pricingTier:pricingTier}'

06 The command output should return the pricing tier for each Azure cloud resource type (including the Defender CSPM, i.e. "CloudPosture", pricing tier):

[
	{
		"name": "VirtualMachines",
		"pricingTier": "Free"
	},
	{
		"name": "SqlServers",
		"pricingTier": "Free"
	},
	{
		"name": "AppServices",
		"pricingTier": "Free"
	},
	{
		"name": "StorageAccounts",
		"pricingTier": "Free"
	},
	{
		"name": "SqlServerVirtualMachines",
		"pricingTier": "Free"
	},
	{
		"name": "KeyVaults",
		"pricingTier": "Free"
	},
	{
		"name": "Arm",
		"pricingTier": "Free"
	},
	{
		"name": "OpenSourceRelationalDatabases",
		"pricingTier": "Free"
	},
	{
		"name": "CosmosDbs",
		"pricingTier": "Free"
	},
	{
		"name": "Containers",
		"pricingTier": "Free"
	},
	{
		"name": "CloudPosture",
		"pricingTier": "Free"
	},
	{
		"name": "Api",
		"pricingTier": "Free"
	}
]

  1. Check the "pricingTier" attribute value set for "CloudPosture" (i.e. Defender CSPM). If Cloud Posture is selected in the conformity rule settings identified at step no. 1, and the "pricingTier" value is set to "Free", the Standard Tier is disabled for Defender CSPM in the selected Azure subscription.
  2. Check the "pricingTier" attribute value for each Azure resource type supported by Microsoft Defender for Cloud. If the "pricingTier" value is set to "Free" for one or more Azure resource types selected in the conformity rule settings, identified at step no. 1, the Standard Tier (Enhanced Security Plan) is not enabled for your Azure cloud resources, in the selected subscription.

07 Repeat steps no. 4 - 6 for each subscription available in your Microsoft Azure cloud account.
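The CLI audit steps above, combined into one script as an added example that is not part of the original page: it flags every selected plan that is not on the Standard tier and repeats the check for each subscription. The function names, the SELECTED list and the sample lines are assumptions made for illustration, and the global `--subscription` argument is used in place of `az account set`.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Reads "name<TAB>pricingTier" lines on stdin. Prints "label<TAB>plan<TAB>tier"
# for each selected plan that is not on Standard and returns 1 if any is found.
#   $1 = space-separated plan names selected in the rule settings
#   $2 = label for the report lines (the subscription ID)
noncompliant_plans() {
  awk -F '\t' -v sel="$1" -v label="$2" '
    BEGIN { bad = 0; n = split(sel, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($1 in want) {
      seen[$1] = 1
      if ($2 != "Standard") { print label "\t" $1 "\t" $2; bad = 1 }
    }
    END {
      # A selected plan absent from the output (typo, unsupported name) also fails.
      for (p in want) if (!(p in seen)) { print label "\t" p "\tMISSING"; bad = 1 }
      exit bad
    }'
}

# Runs the check for every subscription visible to the signed-in account.
# Needs an authenticated Azure CLI session; not called by the sample run below.
audit_all_subscriptions() {
  rc=0
  for sub in $(az account list --query '[*].id' -o tsv); do
    az security pricing list --subscription "$sub" \
      --query 'value[?(deprecated!=`true`)].[name,pricingTier]' -o tsv |
      noncompliant_plans "$1" "$sub" || rc=1
  done
  return "$rc"
}

# Constructed sample in the same name/tier shape (not real command output).
sample_pricing_tsv() {
  printf 'VirtualMachines\tStandard\nSqlServers\tFree\n'
  printf 'KeyVaults\tFree\nCloudPosture\tStandard\n'
}

# Assumed selection; replace with the resource types from your rule settings.
SELECTED="VirtualMachines KeyVaults CloudPosture"
sample_pricing_tsv | noncompliant_plans "$SELECTED" "sample-subscription" ||
  echo "selected plans listed above are not on the Standard tier"
```

Against a live account, call `audit_all_subscriptions "$SELECTED"`; its non-zero exit status can be used to fail a scheduled compliance job.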

Remediation / Resolution

To enable Microsoft Defender for Cloud Standard Tier for your Azure cloud resources, perform the following operations:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to the Microsoft Defender for Cloud blade at https://portal.azure.com/#view/Microsoft_Azure_Security/SecurityMenuBlade/~/0.

03 In the left navigation panel, under Management, choose Environment settings.

04 Under Azure, click on the name (link) of the Azure subscription that you want to access.

05 In the left navigation panel, under Settings, choose Defender plans to access the Defender for Cloud pricing plans available for the selected Azure subscription.

06 On the Defender plans page, perform the following actions:

  1. To enable the Standard Tier for Defender CSPM in the selected Azure subscription, identify the Defender CSPM pricing plan listed under Cloud Security Posture Management (CSPM), and choose On from the Status column.
  2. To enable the Standard Tier for the Azure resource types supported by Microsoft Defender for Cloud, choose On from the Status column for each resource type selected in the conformity rule settings. For APIs, select the appropriate entitlement limit, and choose Save to save the selection.
  3. Choose Save from the page top menu to apply the changes.

07 Repeat steps no. 4 – 6 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run the account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list --query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run the account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to access as the identifier parameter to set the selected subscription as the current active subscription (the command does not produce an output):

az account set --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 To enable the Standard Tier for Defender CSPM in the selected Azure subscription, run the security pricing create command (Windows/macOS/Linux) with the --name command parameter set to CloudPosture:

az security pricing create --name CloudPosture --tier standard

05 The command output should return the configuration information available for the Defender CSPM plan:

{
	"deprecated": null,
	"enablementTime": "2024-07-29T09:48:54.390561+00:00",
	"extensions": [
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "SensitiveDataDiscovery",
			"operationStatus": {
			"code": "Succeeded",
			"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "ContainerRegistriesVulnerabilityAssessments",
			"operationStatus": null
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "True",
			"name": "AgentlessDiscoveryForKubernetes",
			"operationStatus": {
			"code": "Succeeded",
			"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": {
			"ExclusionTags": "[]"
			},
			"isEnabled": "True",
			"name": "AgentlessVmScanning",
			"operationStatus": {
			"code": "Succeeded",
			"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "False",
			"name": "EntraPermissionsManagement",
			"operationStatus": null
		}
	],
	"freeTrialRemainingTime": "25 days, 1:49:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/CloudPosture",
	"name": "CloudPosture",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": null,
	"type": "Microsoft.Security/pricings"
}

06 Run the security pricing create command (Windows/macOS/Linux) to enable the Standard Tier for the Azure resource types supported by Microsoft Defender for Cloud that are selected in the conformity rule settings. Use the security pricing list command to list the name of each resource type supported by Microsoft Defender for Cloud. The following command example enables the Standard Tier for virtual machine (VM) servers in the selected subscription:

az security pricing create --name VirtualMachines --tier standard

07 The command output should return the configuration information available for the modified plan:

{
	"deprecated": null,
	"enablementTime": "2024-07-29T10:01:46.708481+00:00",
	"extensions": [
		{
			"additionalExtensionProperties": null,
			"isEnabled": "False",
			"name": "MdeDesignatedSubscription",
			"operationStatus": null
		},
		{
			"additionalExtensionProperties": {
			"ExclusionTags": "[]"
			},
			"isEnabled": "True",
			"name": "AgentlessVmScanning",
			"operationStatus": {
			"code": "Succeeded",
			"message": "Successfully enabled extension"
			}
		},
		{
			"additionalExtensionProperties": null,
			"isEnabled": "False",
			"name": "FileIntegrityMonitoring",
			"operationStatus": null
		}
	],
	"freeTrialRemainingTime": "0:00:00",
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/VirtualMachines",
	"name": "VirtualMachines",
	"pricingTier": "Standard",
	"replacedBy": null,
	"subPlan": "P2",
	"type": "Microsoft.Security/pricings"
}

08 Repeat steps no. 3 - 7 for each subscription available in your Microsoft Azure cloud account.

Publication date May 21, 2019