February 22, 2025 (updated April 24, 2025)

Defender for Cloud – Part 7: Cloud Security Explorer

The Cloud Security Explorer feature was introduced to Public Preview in January 2023.

What is Cloud Security Explorer?

Note: You need the Defender CSPM plan to use Cloud Security Explorer.

With Cloud Security Explorer, you can proactively identify security risks in your multicloud environment by running graph-based queries on the cloud security graph. Your security team can use the query builder to search for and locate risks while taking your organization's specific contextual and conventional information into account.

Cloud Security Explorer gives you proactive exploration capabilities. You can search for security risks within your organization by running graph-based path-finding queries on top of the contextual security data that Defender for Cloud already provides, such as cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources and more.

It is based on the cloud security graph, which is a graph-based context engine within Defender for Cloud. It has ready-made templates and a query builder where you can build your query from the options you select.

For a more in-depth understanding and a visual demonstration of Cloud Security Explorer and its features (and of attack path analysis, which was my previous post), you might watch the following video with Yuri Diogenes and Tal Rosler:

Query templates

Query templates in Cloud Security Explorer are predefined sets of filters and parameters that target specific security scenarios. They serve as starting points for users to quickly generate insights without constructing queries from scratch. These templates can be used as-is or customized further to meet the unique security requirements of an organization.

Templates page.
How to Use Query Templates

Accessing Cloud Security Explorer:
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.

Selecting a Query Template:
1. On the right side of the Cloud Security Explorer page, you'll find a list of available query templates.
2. Browse through the templates to find one that aligns with your security investigation needs.
3. Click Open query next to the desired template to load it.

Customizing the Query:
1. Once the template is loaded, you can modify the filters and parameters to better suit your environment.
2. Adjust resource types, severity levels, or specific conditions as needed.

Running the Query:
1. After customization, click Search to execute the query.
2. Review the results to identify and assess potential security risks.

Sharing and Collaboration:
1. If you wish to share the query with colleagues, select Share query link to copy a direct link to the query configuration.
2. This facilitates collaboration and ensures that all stakeholders are aligned in their security assessments.
3. You can also use Download CSV report and work with the export however you want.

The share query link contains: "https://portal.azure.com#view/Microsoft_Azure_Security/SecurityGraph.ReactView/query/"

While the full list of templates can be accessed within the Cloud Security Explorer, here are a few examples:
- Internet-Exposed Storage Containers with Sensitive Data: Identifies storage containers that are publicly accessible and contain sensitive information.
- Virtual Machines with High-Severity Vulnerabilities: Finds VMs that have critical vulnerabilities and are potentially exposed to threats.
- Kubernetes Clusters with Misconfigurations: Detects Kubernetes clusters that may be improperly configured, leading to security risks.

These templates are designed to address common security concerns and can be tailored to fit the specific context of your cloud infrastructure.
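To show what a graph-based path-finding query over the cloud security graph means in practice (the concept from the introduction above and the templates just listed), here is an added Python example that is not from this post or from Defender for Cloud: it builds a constructed toy security graph and runs three template-style queries over it, including a multi-hop path from an internet-exposed VM to a container holding sensitive data. All node names, attribute keys, CVE ids and the "has access to" relationship are invented placeholders, not the real cloud security graph schema.

```python
# Constructed toy cloud security graph (placeholder data, not Defender for Cloud's real schema);
# node attributes mimic the explorer's insights: exposure, sensitivity, vulnerabilities.
NODES = {
    "vm-web-01": {"type": "VirtualMachine", "internet_exposed": True,
                  "vulns": [{"cve": "CVE-EXAMPLE-0001", "severity": "High", "cvss": 8.8}]},
    "vm-jump-03": {"type": "VirtualMachine", "internet_exposed": False,
                   "vulns": [{"cve": "CVE-EXAMPLE-0002", "severity": "High", "cvss": 7.5}]},
    "st-logs": {"type": "StorageContainer", "public_access": True, "sensitive_data": False},
    "st-customers": {"type": "StorageContainer", "public_access": True, "sensitive_data": True},
    "st-backups": {"type": "StorageContainer", "public_access": False, "sensitive_data": True},
}
# Constructed directed edges (source, relationship, target): the lateral movement context.
EDGES = [
    ("vm-web-01", "has access to", "st-customers"),
    ("vm-web-01", "has access to", "vm-jump-03"),
    ("vm-jump-03", "has access to", "st-backups"),
]

def is_exposed_vm(a):
    return a["type"] == "VirtualMachine" and a.get("internet_exposed", False)

def has_high_severity_vuln(a):
    return any(v["severity"] in ("High", "Critical") for v in a.get("vulns", []))

def is_sensitive_container(a):
    return a["type"] == "StorageContainer" and a.get("sensitive_data", False)

def find_paths(start_pred, relation, end_pred, max_hops=3):
    """Path-finding query: from each node matching start_pred, walk `relation` edges
    (at most max_hops, no revisits) and return every path ending at a node matching end_pred."""
    paths, frontier = [], [[n] for n, a in NODES.items() if start_pred(a)]
    while frontier:  # breadth-first, so shorter paths are reported first
        path = frontier.pop(0)
        if len(path) > 1 and end_pred(NODES[path[-1]]):
            paths.append(path)
        if len(path) <= max_hops:  # len(path) - 1 hops walked so far
            frontier.extend(path + [d] for s, r, d in EDGES
                            if s == path[-1] and r == relation and d not in path)
    return paths

# Template "Internet-Exposed Storage Containers with Sensitive Data".
def internet_exposed_sensitive_containers():
    return sorted(n for n, a in NODES.items() if is_sensitive_container(a) and a["public_access"])

# Template "Virtual Machines with High-Severity Vulnerabilities", narrowed to exposed VMs.
def exposed_vms_with_high_severity_vulns():
    return sorted(n for n, a in NODES.items() if is_exposed_vm(a) and has_high_severity_vuln(a))

# Custom query: internet-exposed VM -> "has access to" (multi-hop) -> sensitive storage.
def exposed_vm_paths_to_sensitive_data():
    return find_paths(is_exposed_vm, "has access to", is_sensitive_container)
```

The multi-hop result through vm-jump-03 is the kind of finding a single-resource filter misses, which is why the explorer runs path-finding over the graph rather than plain attribute filters.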
Query editor

The Query Editor in Microsoft Defender for Cloud's Cloud Security Explorer is a dynamic tool designed to help security teams proactively identify and mitigate risks within their cloud environments. It enables users to construct and execute graph-based queries on the cloud security graph, providing deep insights into assets, configurations, vulnerabilities, and more.

Here you first select the category in which to look for issues. The main categories are:
- Popular
- Compute
- Networking
- Data
- AI & ML
- Containers
- Keys & Secrets
- APIs
- DevOps

Each of these has lots of subcategories, which are shown when you click the main category so you can drill into them. Below is an image of the query builder.

The query builder.

How to Use the Query Editor

Accessing the Cloud Security Explorer:
1. Sign in to the Azure portal.
2. Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.

Building a Custom Query:
1. Select a resource type from the dropdown menu to define the scope of your query.
2. Click the "+" icon to add additional filters, such as specific subscriptions, resource groups, or security statuses.
3. Adjust subfilters as needed to refine your query parameters.

Executing the Query:
1. After configuring your filters, click Search to run the query.
2. Review the generated results to identify potential security risks or compliance issues.

Utilizing Query Templates:
1. At the bottom of the Cloud Security Explorer page, browse through the available query templates.
2. Select a template that aligns with your investigation needs and click Open query.
3. Modify the pre-populated filters as necessary, then execute the query to obtain tailored insights.

Sharing Queries:
1. After constructing a query, click Share query link to copy a direct link to your clipboard.
2. Share this link with colleagues to facilitate collaboration and ensure consistent security evaluations.

Watch my video on how to make a query:

After making a query, you can press Search to get the results, if there are any assets that match.
The View details link opens a panel on the right side of the screen.

Results details.

What you can see as general details:
- Asset name, Subscription, Resource group, Cloud provider, Tags.

Vulnerability insights from the asset:
- CVE-ID, Description summary, Severity, CVSS vectors, CVSS score.

If you press the Open vulnerability page link, Azure opens the normal vulnerability details page, the same one you can reach from, for example, Recommendations.

That was the Cloud Security Explorer feature explained. The next part is Workbooks.

The parts of the MDC blog series

Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
Part 1: Getting started aka Setup
Part 2: The Asset Inventory
Part 3: Security posture
Part 4: Security recommendations
Part 5: Security alerts
Part 6: Attack path analysis
Part 7: Cloud security explorer
Part 8: Workbooks
Part 9: Regulatory compliance
Part 10: Workload protections
Part 11: Data and AI security
Part 12: Environment settings & Defender plans

Jussi Metso
Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.