Microsoft Defender For Cloud Not Giving Any Security Alert?

Question

I have enabled MicroSoft Defender for Cloud for my Ubuntu Servers and Azure Mysql Server. I have enabled it a week ago, but it didn't send any security alert. I am wondering if there is any other configuration that i need to do before receiving any alert.

What I did ? I have just enabled it by going into environments and then servers and database (MySQL). I am assuming it works like AWS GuardDuty where we just need to get started. Do we need to install some kind of agents on my machine? I am really not sure how it works and what's wrong. Please correct me if I am wrong at any point it's my first experience with Azure.

Answer 1

Hello @Rehan Ch

It sounds like you're on the right track with enabling Microsoft Defender for Cloud, but there are a few additional steps you might need to take to ensure it's fully configured and able to send alerts.

Install the Log Analytics Agent: For Ubuntu servers, you need to install the Log Analytics agent (also known as the Microsoft Monitoring Agent). This agent collects security-related configurations and event logs from your machine and sends them to your Log Analytics workspace for analysis

Configure Vulnerability Assessment: Ensure that vulnerability assessment is enabled for your machines. This feature helps identify and remediate vulnerabilities in your environment

Enable Endpoint Protection: Microsoft Defender for Endpoint provides advanced threat protection for your servers. Make sure this is enabled and configured correctly

Agentless Scanning: If you're using Defender for Servers Plan 2, you can also leverage agentless scanning, which scans your machines for installed software and vulnerabilities without relying on agents

Check Security Recommendations: Review the security recommendations in Microsoft Defender for Cloud. These recommendations can help you identify any additional configurations or actions needed to enhance your security posture

For your Azure MySQL Server, ensure that Advanced Threat Protection (ATP) is enabled. This feature provides threat detection and alerts for suspicious activities

If you've followed these steps and still aren't receiving alerts, it might be worth checking the configuration settings in the Azure portal to ensure everything is set up correctly. Let me know if you need more detailed guidance on any of these steps!

If I have answered your question, please accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Answer 2

Hello Rehan Ch
Enabling agentless scanning in Microsoft Defender for Cloud can indeed help detect malware activity. This feature uses Microsoft Defender Antivirus to scan and detect threats without needing an agent installed on the virtual machines (VMs). It provides comprehensive malware detection capabilities, including heuristic and signature-based threat detection.

However, there are some considerations:

• Coverage: Agentless scanning can detect malware on both protected and unprotected machines, including files and folders that might be excluded from agent-based scans1.
• Performance: It performs scans without impacting the performance of the machine since it operates out-of-band by taking snapshots of VM disks2.

While agentless scanning is powerful, using it in conjunction with agent-based scanning can provide an additional layer of security. Agent-based scanning offers continuous, real-time protection and can detect threats that might emerge between agentless scans.

In summary, agentless scanning alone can be sufficient for detecting malware, but combining it with agent-based scanning can enhance your overall security.

For the Sql databases, if you enabled it as per the following, it is enabled. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-databases-introduction

Refer if it applies to you

https://learn.microsoft.com/en-us/azure/mysql/migrate/whats-happening-to-mysql-single-server#configure-microsoft-defender-for-cloud-properties-in-flexible-server

If I have answered your queries could you be so kind to accept this as answer as a token of appreciation and don't forget to thumbs up for "Was it helpful"!

Answer 3

Hi @Rehan Ch

You have 2 component 1) Ubuntu Servers and 2) Azure Mysql Server.

For 1) Ubuntu Servers:

a) Make Sure defender URLs are Whitelist in your Environment - common for 1 & 2

b) Make sure you onboard the server correctly.

Onboard Process : https://learn.microsoft.com/en-us/defender-endpoint/linux-install-manually

c) How to confirm onboard : In Microsoft Defender portal security.microsoft.com , go to Device > Search device hostname - if its appear there with Active status . Its Onboarded.

For 2) Azure MySQL Server.

1. This you need to enable from Azure portal - Defender for Cloud - Environment setting.

Note : For Agentless scanning - Defender CSPM should be On over that Subscription. You should be owner of subscription to turn On/off feature in above directory mentioned in point 2a). & Security reader role in 365 Defender portal for 1c).

--- --- --- --- --- If you find this answer helpful , Kindly accept the answer --- --- --- --- --- --- ---