August 24, 2024 | May 25, 2025

Defender for Cloud – Part 4: Security Recommendations

My Azure Security career started with Security recommendations. Five years ago it was almost the only way to see what you needed to do to find and mitigate misconfigurations and that way raise the secure score in Defender for Cloud (of course, the Inventory and regulatory compliance also showed something). In those days I usually asked someone to download this report from the customer's Azure, since I didn't have user accounts, and then sorted it out and made a roadmap for mitigating the findings. After that we had a meeting with the potential customer and I usually got the job. And the rest is history. So let's start with Security Recommendations.

Overview of Security Recommendations

Microsoft Defender for Cloud (aka MDC) assesses resources and workloads against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues and improve security posture.

The features available on the Security Recommendations blade depend on which CSPM plan you use. Security Recommendations are included by default with the free Foundational CSPM plan, but in that case some results are blurred (for example risk prioritization). So if you want all of it, you need the Defender CSPM plan.

An overview of Security Recommendations (with the Defender CSPM plan enabled); I'll open these selections below.

Sections

1 - Reports & guides

Download CSV report

As the link says, you can download the selected Security recommendations as a CSV report. There is more information in it, but here are just a few examples to demonstrate.

Open query

The Open query link opens Azure Resource Graph Explorer, where you can use pre-made templates to query Security recommendations or write your own queries. The query language is KQL (Kusto Query Language).

Governance report

The Governance report shows Security recommendations tracked by scope, display name, priority, remediation timeframe, owner type, owner details, grace period and selected cloud (Azure, AWS, GCP). If you want to define Governance rules, go to Environment Settings and select the Governance rules box. In a rule set you assign an owner and a due date for Security recommendations on specific resources. This gives resource owners a clear set of tasks and deadlines for remediating Security recommendations.

Guides & feedback

Guides & feedback only opens a side panel on the right where you can read about remediation by risk, with a link to Microsoft Learn. You can also give the Azure development team feedback on how this feature works.

Switch to classic view

As the title says, it is still possible to use the classic view of Security recommendations, but I won't elaborate on it in this blog.

2 - Scopes

You can scope which connections are shown in the Security recommendations results: Azure subscriptions, AWS accounts, GCP projects, GitHub connections, Azure DevOps connections and GitLab connections.

3 - Plans

Defender CSPM

If the Defender CSPM plan is enabled in environment settings, Defender for Cloud performs a risk assessment of your security issues: the engine identifies the most significant security risks while distinguishing them from less risky issues. The recommendations are then sorted by risk level, so you can first address the security issues that pose immediate threats and have the greatest potential of being exploited in your environment. Other metrics are the attack paths and overdue recommendations.

Attack paths are the routes attackers could use to breach your environment. The view also highlights the security recommendations that need to be resolved to mitigate these risks. This approach helps you focus on urgent security concerns and makes remediation efforts more efficient and effective. Although risk prioritization doesn't affect the secure score, it helps you address the most critical security issues in your environment.

Overdue recommendations are those for which governance rules are defined and the remediation timeframe has ended because the assigned owner has not completed the task.

Foundational CSPM

Foundational CSPM includes core posture management capabilities covering multi-cloud and hybrid environments with continuous assessments, security recommendations, and a unified Secure Score. Foundational CSPM is enabled by default and is a free plan.

4 - Search & Filters

Search

Type what you want to find into the Search box.

Status

The Status filter includes: All, Unassigned, Overdue, Completed.

Risk factors

Risk factors include: All, (Blank), Critical Resource, Exposure to the Internet, Lateral Movement, Vulnerabilities.

Risk level

Risk level includes: All, Not evaluated, Low, Medium, High, Critical.

Recommendation maturity

Recommendation maturity includes: All, GA, Preview.

Other filters

The following filters are also available: Subscription, AWS account, GCP project, Environment, Resource group, Resource type, Owner, Initiative, Tactics, Recommendation type, Tags, Resource name.

5 - Results

The recommendation results are based on what you choose above. In my case the default columns are Title, Affected resource, Risk level, Risk factors, Attack paths, Owner, Status and Insights. If you click the title you can drill into the chosen recommendation, but that's a totally different story.

An example of recommendation details.

So that was the overview of Defender for Cloud's Security recommendations. I hope you got some information. This is a very useful and quick tool.
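As an added example (not code from the original post or from Microsoft), the following Python script replays offline, over a downloaded CSV report, the triage logic described above: open recommendations sorted by risk level, then by number of risk factors and attack paths, with the governance status (Unassigned, Overdue, Completed) derived from the owner and due date. The CSV content is constructed, and its column names, the "Assigned" status value and the "Due date" column are assumptions that mirror the grid columns and governance fields the post lists rather than the exact export format.

```python
"""Offline triage of a Defender for Cloud recommendations CSV export.

Added example, not from the original post or from Microsoft. The CSV below is
constructed; its column names, the "Assigned" status and the "Due date" column
are assumptions modelled on the grid columns and governance fields the post
describes, not the exact export format.
"""
import csv
import io
from datetime import date

# Constructed sample export (not real customer data).
SAMPLE_CSV = """Title,Affected resource,Risk level,Risk factors,Attack paths,Owner,Status,Due date
Machines should have vulnerability findings resolved,vm-web-01,Critical,Exposure to the Internet; Vulnerabilities,2,alice@contoso.example,Assigned,2025-05-01
Storage accounts should restrict network access,stprodlogs,Medium,Exposure to the Internet,0,,Unassigned,
Management ports should be closed on your virtual machines,vm-db-02,High,Critical Resource; Lateral Movement,1,bob@contoso.example,Assigned,2025-06-15
Secure transfer to storage accounts should be enabled,stbackup01,Low,,0,bob@contoso.example,Completed,2025-04-10
Subscriptions should have a contact email address for security issues,sub-prod,Not evaluated,,0,,Unassigned,
"""

# Constructed "today" so the run is reproducible.
AS_OF = date(2025, 5, 25)

# Risk levels offered by the Risk level filter, most urgent first.
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Not evaluated": 4}


def load_recommendations(csv_text):
    """Parse the export into dicts with typed risk factors, attack paths and due date."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        factors = [f.strip() for f in raw["Risk factors"].split(";") if f.strip()]
        due = date.fromisoformat(raw["Due date"]) if raw["Due date"] else None
        rows.append({
            "title": raw["Title"],
            "resource": raw["Affected resource"],
            "risk_level": raw["Risk level"],
            "risk_factors": factors,
            "attack_paths": int(raw["Attack paths"] or 0),
            "owner": raw["Owner"],
            "status": raw["Status"],
            "due": due,
        })
    return rows


def effective_status(rec, today):
    """Derive the status the Status filter shows: Completed, Unassigned, Overdue or Assigned."""
    if rec["status"] == "Completed":
        return "Completed"
    if not rec["owner"]:
        return "Unassigned"            # no governance owner assigned yet
    if rec["due"] is not None and rec["due"] < today:
        return "Overdue"               # remediation timeframe has ended
    return "Assigned"


def prioritize(recs, today):
    """Open recommendations ordered by risk level, then risk factors, then attack paths."""
    open_recs = [r for r in recs if effective_status(r, today) != "Completed"]
    return sorted(
        open_recs,
        key=lambda r: (RISK_ORDER.get(r["risk_level"], len(RISK_ORDER)),
                       -len(r["risk_factors"]),
                       -r["attack_paths"]),
    )


def status_counts(recs, today):
    """Count recommendations per derived status (what the Status filter would show)."""
    counts = {}
    for r in recs:
        s = effective_status(r, today)
        counts[s] = counts.get(s, 0) + 1
    return counts


if __name__ == "__main__":
    recs = load_recommendations(SAMPLE_CSV)
    for r in prioritize(recs, AS_OF):
        print(f"{r['risk_level']:<13} {effective_status(r, AS_OF):<10} "
              f"{r['resource']:<12} {r['title']}")
    print(status_counts(recs, AS_OF))
```

Running it prints the open work queue with the Critical, internet-exposed, overdue machine first and the unevaluated subscription-level item last, followed by the per-status counts; swap SAMPLE_CSV for the text of a real export and AS_OF for date.today() to use it on your own report.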
The parts of the MDC blog series

Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
Part 1: Getting started aka Setup
Part 2: The Asset Inventory
Part 3: Security posture
Part 4: Security recommendations
Part 5: Security alerts
Part 6: Attack path analysis
Part 7: Cloud security explorer
Part 8: Workbooks
Part 9: Regulatory compliance
Part 10: Workload protections
Part 10.5: Advanced Workload protection
Part 11: Data and AI security – The end of the series

Jussi Metso

The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.