Does MS Defender provide security features (like vulnerability scanning, intrusion prevention, etc.) that can be configured for Azure Cloud Services (extended support) (CS-ES)?

AzureGladiator 40 Reputation points
2024-12-13T13:37:57.6933333+00:00

Defender documentation shows that the vulnerability scan is limited to VMs as supported destinations only. Also, the Defender inventory list does not show any CS-ES instances protected by it.

Azure Cloud Services
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

Accepted answer
  1. Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator
    2024-12-13T13:44:53.1233333+00:00

    Hello @Gaurav Sharma

    I see you're referring to the limitations of Microsoft Defender's vulnerability scanning capabilities.
    You're correct that Microsoft Defender Vulnerability Management primarily supports vulnerability scanning for virtual machines (VMs) as the main destination. This includes Azure virtual machines and Azure Arc-enabled machines.
    Regarding the inventory list, it seems that CS-ES (Cloud Services - Enterprise Scale) instances are not currently included in the supported inventory for Microsoft Defender. The document below might explain why you're not seeing any CS-ES instances protected by it.

    https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-defender-vulnerability-management
    You can also look at the following support matrix link for Defender for Cloud: https://learn.microsoft.com/en-us/azure/defender-for-cloud/support-matrix-defender-for-cloud#security-benefits-for-azure-services

    Hope this helps! If you have any questions, please tag me in your comments.

    If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!


1 additional answer

  1. Ibrahima Mbodji 165 Reputation points MVP
    2024-12-13T13:48:33.1566667+00:00

    Hi Gaurav

    If you are referring to Defender for Cloud CWP (Cloud Workload Protection) in general, it's not limited to Azure VM/VMSS; you also have Azure Storage (malware scanning), Containers (K8S and Azure Container Registry) and Azure SQL. Azure Firewall is the right service that offers IPS/IDS.

    According to the doc, only CSPM is supported for Azure Cloud Services.
