Compliance controls associated with the Policy definition '[Deprecated]: Azure Defender for Kubernetes should be enabled' (523b5cd1-3e23-492f-a539-13118b6d1e3a)
Columns: Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy#

Control Domain: Azure_Security_Benchmark_v2.0
Control: IR-3
Name: Azure_Security_Benchmark_v2.0_IR-3
MetadataId: Azure Security Benchmark IR-3
Category: Incident Response
Title: Detection and analysis - create incidents based on high quality alerts
Owner: Customer
Requirements:
Ensure you have a process to create high quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.
High quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
Azure Security Center provides high quality alerts across many Azure assets. You can use the ASC data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
Export your Azure Security Center alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
How to configure export: https://docs.microsoft.com/azure/security-center/continuous-export
How to stream alerts into Azure Sentinel: https://docs.microsoft.com/azure/sentinel/connect-azure-security-center
Description: n/a
Info: link
Policy#: 8

Control Domain: Azure_Security_Benchmark_v2.0
Control: IR-5
Name: Azure_Security_Benchmark_v2.0_IR-5
MetadataId: Azure Security Benchmark IR-5
Category: Incident Response
Title: Detection and analysis - prioritize incidents
Owner: Customer
Requirements:
Provide context to analysts on which incidents to focus on first based on alert severity and asset sensitivity.
Azure Security Center assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Security Center is in the finding or the analytic used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
Security alerts in Azure Security Center: https://docs.microsoft.com/azure/security-center/security-center-alerts-overview
Use tags to organize your Azure resources: https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags
Description: n/a
Info: link
Policy#: 8

Control Domain: Azure_Security_Benchmark_v2.0
Control: LT-1
Name: Azure_Security_Benchmark_v2.0_LT-1
MetadataId: Azure Security Benchmark LT-1
Category: Logging and Threat Detection
Title: Enable threat detection for Azure resources
Owner: Customer
Requirements:
Ensure you are monitoring different types of Azure assets for potential threats and anomalies. Focus on getting high quality alerts to reduce the false positives analysts have to sort through. Alerts can be sourced from log data, agents, or other data.
Use the Azure Security Center built-in threat detection capability, which is based on monitoring Azure service telemetry and analyzing service logs. Data is collected using the Log Analytics agent, which reads various security-related configurations and event logs from the system and copies the data to your workspace for analysis.
In addition, use Azure Sentinel to build analytics rules, which hunt for threats that match specific criteria across your environment. The rules generate incidents when the criteria are matched, so that you can investigate each incident. Azure Sentinel can also import third-party threat intelligence to enhance its threat detection capability.
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection
Azure Security Center security alerts reference guide: https://docs.microsoft.com/azure/security-center/alerts-reference
Create custom analytics rules to detect threats: https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
Cyber threat intelligence with Azure Sentinel: https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence
Description: n/a
Info: link
Policy#: 8

Control Domain: Azure_Security_Benchmark_v2.0
Control: LT-2
Name: Azure_Security_Benchmark_v2.0_LT-2
MetadataId: Azure Security Benchmark LT-2
Category: Logging and Threat Detection
Title: Enable threat detection for Azure identity and access management
Owner: Customer
Requirements:
Microsoft Entra ID provides the following user logs, which can be viewed in Microsoft Entra ID reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs - Provide traceability through logs for all changes made by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID, such as adding or removing users, apps, groups, roles and policies.
- Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
Azure Security Center can also alert on certain suspicious activities, such as an excessive number of failed authentication attempts and deprecated accounts in the subscription. In addition to the basic security hygiene monitoring, Azure Security Center's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers and App Service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
Audit activity reports in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
Enable Azure Identity Protection: https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
Threat protection in Azure Security Center: https://docs.microsoft.com/azure/security-center/threat-protection
Description: n/a
Info: link
Policy#: 8