Build queries with cloud security explorer

Defender for Cloud's contextual security capabilities help security teams reduce the risk of significant breaches. Defender for Cloud uses environmental context to assess security issues, identify the biggest risks, and distinguish them from less risky issues. The cloud security explorer uses snapshot publishing, a method of publishing data, known as snapshots, at regular intervals. Snapshots ensure that the workload configuration data is refreshed daily, which keeps it accurate.

Use the cloud security explorer to identify security risks in your cloud environment. Run graph-based queries on the cloud security graph, Defender for Cloud's context engine. Prioritize your security team's concerns while considering your organization's specific context and conventions.

Use the cloud security explorer to query security issues and environment context, including asset inventory, internet exposure, permissions, and lateral movement between resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

Prerequisites

Check the cloud availability tables to see which government and cloud environments are supported.

Build a query

The cloud security explorer lets you build queries to proactively hunt for security risks in your environments with dynamic and efficient features such as:

  • Multi-cloud and multi-resource queries - The entity selection control filters are grouped and combined into logical control categories to help you build queries across cloud environments and resources simultaneously.

  • Custom Search - Use the dropdown menus to apply filters and build your query.

  • Query templates - Use any of the available prebuilt query templates to build your query more efficiently.

  • Share query link - Copy and share a link to your query with others.

To build a query:

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.

    Screenshot of the cloud security explorer page.

  3. Find and select a resource from the drop-down menu.

    Screenshot of the resource drop-down menu.

  4. Select + to add more filters to your query.

    Screenshot that shows a full query and where to select on the screen to perform the search.

  5. Add subfilters if necessary.

  6. After building your query, select Search to run it.

    Screenshot that shows where to select search to run the query and results populated.

  7. To save a copy of your results locally, select the Download CSV report button. The search results are saved as a CSV file.

    Screenshot that shows where the download CSV report button is located on the screen.

Query templates

Query templates are preformatted searches using common filters. Use one of the existing query templates at the bottom of the page by selecting Open query.

Screenshot that shows you the location of the query templates.

Modify any template to search for specific results by changing the query and selecting Search.

Share a query

Use the query link to share a query with others. After creating a query, select Share query link. The link is copied to your clipboard.

Screenshot showing the Share Query Link icon.
