Defender for Cloud Coverage


Defender for Cloud is an interesting attempt by Microsoft to protect assets that are often left neglected by your usual security stack. At large Defender for Cloud is three things: Security Assessments, Defender for Endpoint and cloud resource threat detection. The combination of security assessments and threat detection is something commonly observed across the Defender suite and is something I very much welcome as the reality of most breaches isn't that the protection tools failed it's that humans did.

I'm going to be writing more on Defender for Cloud but in this blog, I've listed each of the separate 'Defender' technologies under the Defender for Cloud banner and which features you get.

Defender for Cloud

There are important distinctions between each Defender for Cloud technology in particular around how threat detection is achieved but at large below is a summary:

  • Security Assessments - Defender for Cloud will identify configuration-related vulnerabilities either through its own means or where the data already exists in Azure through other services like Defender for Cloud App.
    • Defender for Endpoint - For the compute-related Defender for cloud technologies such as virtual machines Defender for Cloud will either leverage the entire Defender for Endpoint offering (Sense, SenseIR and Antivirus engine) or just the Threat vulnerability management capability depending on relevancy.
    • Cloud resource threat detection - Some of the Defender for Cloud technologies will utilize their own exclusive threat detection capabilities most of which do not impact the resource they are protecting. Examples of this are monitoring blob operations for anomalies or applying TI feeds to network traffic leaving resources.

    *The above table lists features gained by enabling Defender for Cloud. As stated above Defender for cloud will utilize other data sources if already available so this is not an exhaustive list.

    Just at a glance the breadth of controls Defender for Cloud offers is impressive and if an organization heavily relies on Azure, it is a very easy decision to turn it on. Most of the threat detection capabilities Defender for Cloud provides could be achieved by ingesting the data/telemetry into Microsoft Sentinel and writing the appropriate near real-time rules. If that's an exercise you want to complete use this resource ( to reverse engineer, the alerts generated by Defender for Cloud into your own custom rules.

    Popular posts from this blog

    Endpoint on Adrenaline : One

    Brilliance in the Basics