Hello and welcome to Microsoft Defender for Cloud. In this lesson, we’ll take a quick look at what it is, what it does, and why you use it.

Microsoft calls Defender for Cloud a security posture management and threat protection tool. In other words, it’s an offering that is designed to help you protect workloads from threats, track your security posture, and it helps streamline security management. It can protect Azure workloads, hybrid workloads than run in the cloud and on-prem, and it can protect workloads on other cloud platforms.

Defender for Cloud provides you with a Secure Score, Security Recommendations, and Security Alerts. The Secure Score is designed to give you an at-a-glance view of your security posture. Put simply, the higher your Secure Score, the lower the identified risk level. The Security Recommendations supplied by Defender for Cloud are designed to help you harden your resources and services. They offer guidance and suggest tasks you should complete to harden your environment and to improve your security posture. Some of these remediation tasks can be completed right from within Defender for Cloud, via a “fix” button that is sometimes available, depending on the issue identified.

Security Alerts are what they sound like they are. Whenever Defender for Cloud identifies a threat to your workloads, it generates an alert that appears in the Azure Portal. Defender for Cloud can also send these alerts out via email to those in your organization that need to see them. They can even be streamed to SIEM and SOAR solutions if necessary.

The most visible feature of Defend for Cloud is the Secure Score that it provides. The Secure Score is an aggregated value that represents the security posture of your environment. To calculate it, Defender for Cloud assesses the security of your resources, subscriptions, and organization. It identifies issues, assigns values to them, and then calculates the score, which provides you with an at-a-glance idea of what your security posture is. The higher the secure score, the lower the risk level. The lower the score, the higher the risk level.

In addition to providing the Secure Score, Defender for Cloud also offers hardening recommendations for your resources and environment. These recommendations are based on security weaknesses that it finds during its continual assessments of your environment. You can then implement these recommendations to strengthen the security posture of your resources, whether they are on-prem, in Azure, or on other cloud platforms.

Before we wrap this intro up, I just want to touch on the various security features that are available in Defender for Cloud. These security features can be accessed from the Defender plans page of Microsoft Defender for Cloud. They include Microsoft Defender for servers, Defender for Storage, Defender for SQL, and Microsoft Defender for Containers. Also included are Microsoft Defender for App Service, Defender for Key Vault, Defender for Resource Manager, Defender for DNS, and Microsoft Defender for open-source relational databases.

Microsoft Defender for Servers is an advanced feature in Defender for Cloud that allows you to add threat detection to both Windows machines and Linux machines, whether they're in Azure, on-prem, or in a multi-cloud environment.

Microsoft Defender for Storage is another feature of Defender for Cloud. It detects attempts to access or exploit storage accounts and provides you with security alerts and recommendations. Microsoft Defender for SQL discovers and helps mitigate database vulnerabilities, while Microsoft Defender for Containers is a cloud-native solution for securing containers. Microsoft Defender for App Service identifies attacks that target apps running on the App Service, while Microsoft Defender for Key Vault protects your Key Vaults by detecting unusual attempts to access them. 

And then we have Microsoft Defender for Resource Manager. What this feature does is automatically monitor resource management operations that happen within the organization. It monitors these operations whether they are performed via the Azure portal, the Azure CLI, Azure REST APIs, or via other Azure programmatic clients. It detects threats and alerts you about suspicious activity that it identifies.

Microsoft Defender for DNS can detect suspicious activities like DNS attacks, communications with domains that are used for malicious activities like phishing or crypto mining, and it can identify malware that’s communicating with control servers. It can also detect data exfiltration from Azure resources, through DNS tunneling.

And lastly, we have Defender for open-source relational databases. What this offering does is provide alerts when it detects suspicious database access and query patterns or when it detects suspicious database activities. Each of these features can be monitored and configured from the Defender for Cloud workload protections dashboard.