Respond to Security Alerts - Understanding Disaster Recovery

You can now respond to security alerts. To do so, follow these steps:

  1. From the Security Alerts list, select an alert. A side pane opens showing a description of the alert and all of the affected resources.
  2. Select View Full Details to view more information. The page is split into two panes. The left pane shows the title, severity, status, activity time, a description of the suspicious activity, and the affected resource. The right pane has two tabs: Alert Details and Take Action. The Alert Details tab shows information to help you investigate the issue, such as the IP addresses, files, and processes involved. The Take Action tab lets you take further action on the security alert, such as the following:

    - Inspect Resource Context: Sends you to the resource’s activity logs that support the security alert.
    - Mitigate The Threat: Provides manual remediation steps for this security alert.
    - Prevent Future Attacks: Offers security recommendations that help you reduce the attack surface, improve your security posture, and so prevent future attacks.
    - Trigger Automated Response: Provides the option to trigger a logic app in response to this security alert.
    - Suppress Similar Alerts: Lets you suppress future alerts with similar characteristics if the alert isn’t relevant for your organization.

For a complete list of the security alerts you may receive from Microsoft Defender for Cloud and any Microsoft Defender plans you have enabled, check out Microsoft’s website at https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-windows.

Azure Logic Apps

Incident response within a security program consists of several workflows. Automation improves security by making sure that steps are performed in a timely manner, that they are consistent, and that they match your predefined requirements. Microsoft Defender for Cloud has a workflow automation feature that can trigger Logic Apps on security alerts, on recommendations, and on changes to regulatory compliance.

Azure Logic Apps is a cloud platform service that lets you create and run automated workflows with little to no coding. You can use the Visual Designer or pick from the prebuilt operations. Here are a few things you can do with Azure Logic Apps:

    - Move uploaded files from an SFTP or FTP server to Azure Storage.
    - Route and process customer orders across on-premises systems and cloud services.
    - Schedule and send email notifications using Microsoft 365 when a specific event happens.

Create a Logic App

Now, let’s take a look at how to create a Logic App and define when it should automatically run. To do this, perform the following:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. From the portal’s menu, select Microsoft Defender for Cloud; the Overview page opens.
  3. From Defender for Cloud’s sidebar, select Workflow Automation. From this page you can create new automation rules and enable, disable, or delete existing ones.
  4. To define a new workflow, select Add Workflow Automation. This opens the Options pane for your new automation, where you enter the following:

    - In the General section, enter information such as a Name, Description, Subscription, and Resource group.
    - In the Trigger Conditions section, complete fields such as Defender For Cloud Data Type, Alert Name Contains, and Alert Severity.
    - The Actions section is where you configure the Logic App to be triggered. Select the Logic Apps page to begin the Logic App creation process; this takes you to the Azure Logic Apps – Create Logic App page.

  5. Select (+) Add.
  6. Fill out all of the required fields and select Review + Create. You will get a message that the deployment is in progress. Wait for the Deployment Complete notification to appear, and then select Go To Resource from the notification.
  7. Review the information you entered and click Create. In your new logic app, you can choose from built-in, predefined templates from the Security category, or you can define a custom flow of events to occur when this process is triggered. The Logic App Designer supports these Microsoft Defender for Cloud triggers:

    - When A Microsoft Defender For Cloud Recommendation Is Created Or Triggered: If your logic app relies on a recommendation that gets deprecated or replaced, your automation stops working and you need to update the trigger.
    - When A Defender For Cloud Alert Is Created Or Triggered: You can customize the trigger so that it applies only to alerts with the severity levels you are interested in.
    - When A Defender For Cloud Regulatory Compliance Assessment Is Created Or Triggered: Trigger automations based on updates to regulatory compliance assessments.

  8. Once you have defined your logic app, return to the workflow automation definition pane (Add Workflow Automation) and click Refresh.
  9. Select your logic app and save the automation.
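The automation that steps 4 through 9 build in the portal (trigger conditions on data type, alert name and severity, plus a Logic App action) can also be deployed declaratively. The following Bicep template is an added example, not code from the page or from Microsoft; it assumes the response Logic App already exists and that its resource ID and HTTP trigger callback URL are supplied as parameters, and it assumes that rules inside one rule set are combined with AND.

```bicep
// Added example: a Defender for Cloud workflow automation that forwards
// high-severity alerts whose display name contains "Suspicious" to a Logic App.
// Assumed: the Logic App already exists; its ID and trigger URL are passed in.
param logicAppResourceId string
@secure()
param logicAppTriggerUri string   // callback URL of the Logic App's HTTP trigger
param location string = resourceGroup().location

resource alertAutomation 'Microsoft.Security/automations@2019-01-01-preview' = {
  name: 'forward-high-severity-alerts'
  location: location
  properties: {
    description: 'Trigger the response Logic App for high-severity alerts'
    isEnabled: true
    // Scope: the subscription this template is deployed into
    scopes: [
      {
        description: 'Current subscription'
        scopePath: subscription().id
      }
    ]
    // Trigger Conditions: data type = Alerts; both rules in the set must match
    sources: [
      {
        eventSource: 'Alerts'
        ruleSets: [
          {
            rules: [
              { propertyJPath: 'Severity', propertyType: 'String', operator: 'Equals', expectedValue: 'High' }
              { propertyJPath: 'AlertDisplayName', propertyType: 'String', operator: 'Contains', expectedValue: 'Suspicious' }
            ]
          }
        ]
      }
    ]
    // Action: call the Logic App (the "Trigger Automated Response" path)
    actions: [
      {
        actionType: 'LogicApp'
        logicAppResourceId: logicAppResourceId
        uri: logicAppTriggerUri
      }
    ]
  }
}
```

Deploy it at resource-group scope with `az deployment group create`, passing the two Logic App parameters; adding a second entry under `ruleSets` widens the trigger with an OR condition.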

Vulnerability Scanner for Azure and Hybrid Machines

An essential component of every security program is the identification and analysis of vulnerabilities. Microsoft Defender for Cloud regularly checks your connected machines to make sure they are running a vulnerability assessment tool. Microsoft Defender for Cloud includes vulnerability scanning at no extra charge; this scanner is powered by Qualys.

If a machine is found that is not running a vulnerability assessment solution, Microsoft Defender for Cloud will generate a security recommendation that states “Machines should have a vulnerability assessment solution.” Use this recommendation to deploy the vulnerability assessment solution to your Azure VMs and Azure Arc–enabled hybrid machines.

How the vulnerability scanner extension works:

  1. Deploy— Microsoft Defender for Cloud monitors your machines and provides recommendations on how to deploy the extension.
  2. Gather information— The extension collects artifacts and sends them for analysis.
  3. Analyze— Qualys’s cloud service conducts the vulnerability assessment and sends its findings to Microsoft Defender for Cloud.
  4. Report— The findings are listed in Microsoft Defender for Cloud.

Deploy the Integrated Scanner to Your Azure and Hybrid Machines

To deploy the integrated scanner to your Azure and hybrid machines, perform the following:

  1. From the Azure portal, open Microsoft Defender for Cloud.
  2. From Microsoft Defender for Cloud’s menu, open the Recommendations page.
  3. Select the recommendation “Machines should have a vulnerability assessment solution.” Machines appear in one or more of the following groups:

    - Healthy Resources: Microsoft Defender for Cloud has detected a vulnerability assessment solution running on the machines.
    - Unhealthy Resources: A vulnerability scanner extension can be deployed to the machines.
    - Not Applicable Resources: The vulnerability scanner extension is not supported on the machines.

  4. From the list of unhealthy machines, select the ones that should receive a vulnerability assessment solution and click Remediate.
  5. Choose the recommended option “Deploy integrated vulnerability scanner” and click Proceed.
  6. You’ll be asked for confirmation once more. Click Remediate. It takes only a few minutes for the scanner extension to be installed on the selected machines, and scanning starts as soon as the extension is deployed. Scans run every 12 hours (this interval cannot be changed).
