Manage system security with Microsoft Defender for Cloud (preview)
Applies to: Azure Local, versions 23H2 and 22H2
This article discusses how to use Microsoft Defender for Cloud to protect Azure Local from various cyber threats and vulnerabilities.
Defender for Cloud helps improve the security posture of Azure Local, and can protect against existing and evolving threats.
For more information about Microsoft Defender for Cloud, see Microsoft Defender for Cloud documentation.
Important
This feature is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Prerequisites
Before you begin, make sure that the following prerequisites are completed:
- You have an Azure Local, version 23H2 or Azure Local, version 22H2 instance that is deployed, registered, and connected to Azure.
- You have the Owner or Contributor role on the Azure subscription, which is needed to turn on Foundational cloud security posture management (CSPM).
Enable Defender for Cloud for Azure Local
Follow these steps to enable Defender for Cloud for Azure Local.
- Step 1: Turn on Foundational CSPM.
- Step 2: Turn on Defender for Servers for individual machines and Arc VMs.
Step 1: Turn on Foundational CSPM
This step turns on Foundational CSPM, the free tier of Defender for Cloud. It gives you the secure score and the security recommendations that identify what you can do to harden Azure Local, alongside your other Azure and Arc resources, but it does not produce threat-detection alerts; those require Defender for Servers (Step 2). For instructions, see Enable Defender for Cloud on your Azure subscription.
Step 2: Turn on Defender for Servers for individual machines and Arc VMs
This step adds the enhanced security features of the Defender for Servers plan, including security alerts, for the individual machines (the Arc-enabled hosts) and the Arc VMs running on Azure Local.
To do so, follow all the instructions in the Enable the Defender for Servers plan section, which includes:
- Selecting a plan
- Configuring monitoring coverage for:
  - Log Analytics agent
  - Vulnerability assessment
  - Endpoint protection
Note that the Log Analytics agent was retired in August 2024; on current Defender for Servers plans, use the Azure Monitor agent or agentless scanning for the monitoring coverage described in that section.
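Steps 1 and 2 above can also be performed from PowerShell, which is useful when you onboard several subscriptions. The following is an added example, not code from the original article or from Microsoft; it assumes the Az.Accounts, Az.Resources and Az.Security modules are installed, that you hold Owner or Contributor on the subscription, and that the subscription ID is a placeholder you replace. The `-SubPlan` parameter requires a recent Az.Security release.

```powershell
# Added example (not from the original article): turn on Foundational CSPM and
# Defender for Servers for one subscription with the Az PowerShell modules.
# Assumptions: Az.Accounts, Az.Resources and Az.Security are installed; the
# subscription ID below is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

Connect-AzAccount | Out-Null
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Step 1: Foundational CSPM is the free tier. Registering the Microsoft.Security
# resource provider is what onboards the subscription to Defender for Cloud.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.Security' | Out-Null

# Step 2: Defender for Servers is the 'VirtualMachines' pricing bundle.
# Plan 2 (sub-plan P2) covers Arc-enabled machines; use 'P1' for the smaller plan.
# -SubPlan is assumed to be available (recent Az.Security versions expose it).
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2' | Out-Null

# Check: returns $true only when the Defender for Servers plan is actually on.
function Test-DefenderForServersEnabled {
    $plan = Get-AzSecurityPricing -Name 'VirtualMachines'
    return ($null -ne $plan -and $plan.PricingTier -eq 'Standard')
}

# Show the tier of every Defender plan on the subscription for review.
Get-AzSecurityPricing | Select-Object Name, PricingTier | Format-Table -AutoSize
Test-DefenderForServersEnabled
```

`Get-AzSecurityPricing` lists every plan, so the same loop is a quick way to audit subscriptions that are still on the `Free` tier for `VirtualMachines`.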
Apply Microsoft Cloud Security Benchmark initiative
After you turn on the Defender for Cloud Foundational CSPM plan, you must apply the Microsoft cloud security benchmark (MCSB) initiative. The security settings are shown in the Azure portal only after the MCSB is applied. Use one of the following methods to apply the MCSB initiative:
- Apply the MCSB via the portal as described below.
- Manually apply the Azure compute security baseline in Azure Policy to all cluster servers. See Windows security baseline.
Follow these steps to apply the MCSB initiative at the subscription level:
1. Sign in to the Azure portal, and search for and select Microsoft Defender for Cloud.
2. On the left pane, scroll down to the Management section and select Environment settings.
3. On the Environment settings page, select the subscription in use from the drop-down.
4. Select the Security policies blade.
5. For Microsoft cloud security benchmark, toggle the Status button to On.
6. Wait for at least one hour for the Azure Policy initiative to evaluate the included resources.
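The portal toggle above creates an Azure Policy assignment of the MCSB initiative at subscription scope. The following added example (not code from the original article or from Microsoft) does the same from PowerShell and then reports non-compliant resources, so you can confirm the initiative is evaluating your Azure Local hosts. It assumes Az.Accounts, Az.Resources and Az.PolicyInsights are installed; the subscription ID is a placeholder, and the assignment name `SecurityCenterBuiltIn` is assumed to match the one Defender for Cloud creates so that a second assignment is not added next to it.

```powershell
# Added example (not from the original article): assign the MCSB initiative to a
# subscription and summarize non-compliance. Assumptions: Az.Accounts, Az.Resources
# and Az.PolicyInsights are installed; subscription ID is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace
$scope = "/subscriptions/$subscriptionId"

# Look the built-in initiative up by display name instead of hard-coding a GUID.
# Older Az.Resources versions expose DisplayName under .Properties; newer ones flatten it.
function Get-McsbInitiative {
    Get-AzPolicySetDefinition -Builtin | Where-Object {
        $display = if ($_.PSObject.Properties['DisplayName']) { $_.DisplayName } else { $_.Properties.DisplayName }
        $display -eq 'Microsoft cloud security benchmark'
    } | Select-Object -First 1
}

$mcsb = Get-McsbInitiative
if (-not $mcsb) { throw 'MCSB initiative not found in this cloud; check the display name.' }

# Assumed to be the assignment name the Defender for Cloud portal toggle uses;
# reusing it avoids a duplicate assignment with the same initiative.
$assignmentName = 'SecurityCenterBuiltIn'
$existing = Get-AzPolicyAssignment -Scope $scope -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $assignmentName }
if (-not $existing) {
    New-AzPolicyAssignment -Name $assignmentName `
        -DisplayName 'Microsoft cloud security benchmark' `
        -PolicySetDefinition $mcsb -Scope $scope | Out-Null
}

# Evaluation is scheduled (the article says allow at least an hour). Kick off an
# on-demand scan as a background job; the summary below reflects the last
# completed evaluation, so re-run it once the job finishes.
Start-AzPolicyComplianceScan -AsJob | Out-Null

# Returns the top non-compliant policy definitions under the MCSB assignment.
function Get-McsbNonCompliance {
    Get-AzPolicyState -SubscriptionId $subscriptionId `
        -Filter "PolicyAssignmentName eq '$assignmentName' and ComplianceState eq 'NonCompliant'" |
        Group-Object PolicyDefinitionName |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

Get-McsbNonCompliance
```

If `Get-McsbNonCompliance` returns nothing shortly after the assignment is created, that is expected: policy state is empty until the first evaluation completes.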
View security recommendations
Security recommendations are created when Defender for Cloud identifies a misconfiguration or potential vulnerability on a resource. Each recommendation describes the affected resource and guides you through configuring the needed control.
After you've enabled Defender for Cloud for Azure Local, follow these steps to view security recommendations for Azure Local:
1. In the Azure portal, go to the Azure Local resource page and select your instance.
2. On the left pane, scroll down to the Security (preview) section and select Microsoft Defender for Cloud.
3. On the Microsoft Defender for Cloud page, under Recommendations, view the current security recommendations for the selected Azure Local instance and its workloads. By default, the recommendations are grouped by resource type.
4. (Optional) To view the security recommendations for multiple Azure Local instances, select the View in Defender for Cloud link. This opens the Recommendations page in the Microsoft Defender for Cloud portal, which lists security recommendations across all your Azure resources, including Azure Local.
Note
Azure Local-exclusive recommendations are available only on Azure Local, version 23H2. Azure Local, version 22H2 shows recommendations that are also available on Windows Server.
To learn more about the security recommendations specific to Azure Local, refer to the Azure compute recommendations section in the Compute security recommendations article.
Monitor servers and Arc VMs
Go to the Microsoft Defender for Cloud portal to monitor alerts for the individual servers and Arc VMs running on Azure Local. From there you can also use the regulatory compliance and attack path analysis features, among other enhanced security features.
Follow these steps to access the Microsoft Defender for Cloud portal pages that monitor individual servers and Arc VMs:
1. Sign in to the Azure portal, and search for and select Microsoft Defender for Cloud.
2. The Overview page of the Microsoft Defender for Cloud portal shows the overall security posture of your environment. From the left navigation pane, open Recommendations to view security recommendations for individual servers and Arc VMs running on Azure Local, or Security alerts to monitor alerts for them.
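The portal pages in the View security recommendations and Monitor servers and Arc VMs sections read from the same data that Azure Resource Graph exposes, which is convenient when you want to script a report across many Azure Local instances. The following is an added example serving both sections; it is not code from the original article or from Microsoft. It assumes Az.Accounts and Az.ResourceGraph are installed and you are signed in, that Azure Local instances appear as `microsoft.azurestackhci/clusters` and their hosts and Arc VMs as `microsoft.hybridcompute/machines`, and that alert rows carry `ResourceIdentifiers` entries with an `AzureResourceId`.

```powershell
# Added example (not from the original article): query Defender for Cloud
# recommendations and active alerts for Azure Local hosts and Arc VMs through
# Azure Resource Graph. Assumptions: Az.Accounts and Az.ResourceGraph installed,
# already signed in; resource types named below are assumed.
Import-Module Az.ResourceGraph

# Resource Graph returns at most 1000 rows per call; follow the skip token.
function Invoke-GraphQueryAllPages {
    param([Parameter(Mandatory)][string]$Query)
    $rows = @()
    $skipToken = $null
    do {
        $params = @{ Query = $Query; First = 1000 }
        if ($skipToken) { $params['SkipToken'] = $skipToken }
        $page = Search-AzGraph @params
        # Older module versions emit rows directly; newer ones wrap them in .Data.
        $rows += if ($page.PSObject.Properties['Data']) { $page.Data } else { $page }
        $skipToken = $page.SkipToken
    } while ($skipToken)
    return $rows
}

# Unhealthy recommendations (assessments) on Azure Local instances and their
# Arc-enabled machines. Assumed resource types: microsoft.azurestackhci/clusters
# and microsoft.hybridcompute/machines.
function Get-AzureLocalRecommendations {
    $query = @'
securityresources
| where type == "microsoft.security/assessments"
| extend resourceId = tolower(tostring(properties.resourceDetails.Id))
| where resourceId contains "/providers/microsoft.azurestackhci/clusters/"
    or resourceId contains "/providers/microsoft.hybridcompute/machines/"
| extend statusCode = tostring(properties.status.code),
         severity = tostring(properties.metadata.severity),
         title = tostring(properties.displayName)
| where statusCode == "Unhealthy"
| project severity, title, resourceId
'@
    Invoke-GraphQueryAllPages -Query $query
}

# Active alerts whose affected resource is an Arc-enabled machine, newest first.
# ResourceIdentifiers is assumed to be an array with AzureResourceId entries;
# mv-expand can duplicate an alert, hence the trailing distinct.
function Get-AzureLocalActiveAlerts {
    $query = @'
securityresources
| where type == "microsoft.security/locations/alerts"
| extend status = tostring(properties.Status),
         severity = tostring(properties.Severity),
         title = tostring(properties.AlertDisplayName),
         entity = tostring(properties.CompromisedEntity),
         generated = todatetime(properties.TimeGeneratedUtc)
| where status == "Active"
| mv-expand ri = properties.ResourceIdentifiers
| extend affected = tolower(tostring(ri.AzureResourceId))
| where affected contains "/providers/microsoft.hybridcompute/machines/"
| distinct generated, severity, title, entity, affected, id
| order by generated desc
'@
    Invoke-GraphQueryAllPages -Query $query
}

# Usage: a severity roll-up of open recommendations, then the open alerts.
Get-AzureLocalRecommendations | Group-Object severity | Select-Object Name, Count
Get-AzureLocalActiveAlerts | Format-Table generated, severity, title, entity -AutoSize
```

Because Resource Graph spans every subscription you can read, this report covers all Azure Local instances at once, which is the scripted equivalent of the View in Defender for Cloud link described above.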