Jussi Metso

It’s all about The Cloud and The Security
February 22, 2025 (updated May 25, 2025)

Defender for Cloud – Part 7: Cloud Security Explorer


The Cloud Security Explorer feature was introduced in public preview in January 2023.

What is Cloud Security Explorer?

Note: You need the Defender CSPM plan to use Cloud Security Explorer.

With cloud security explorer, you can proactively identify security risks in your multicloud environment by running graph-based queries on the cloud security graph. Your security team can use the query builder to search for and locate risks, while taking your organization’s specific contextual and conventional information into account.

Cloud security explorer provides proactive exploration features. You can search for security risks within your organization by running graph-based path-finding queries on top of the contextual security data that Defender for Cloud already collects, such as cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources and more.

It is based on the cloud security graph, a graph-based context engine within Defender for Cloud.

It has ready-made templates and a query builder where you can build your query from the options you select.

For a more in-depth understanding and a visual demonstration of Cloud Security Explorer and its features (and of attack path analysis, the subject of my previous post), you can watch the following video with Yuri Diogenes and Tal Rosler:

Query templates

Query templates in Cloud Security Explorer are predefined sets of filters and parameters that target specific security scenarios. They serve as starting points for users to quickly generate insights without the need to construct queries from scratch. These templates can be used as-is or customized further to meet the unique security requirements of an organization.

Image: Templates page.

How to Use Query Templates

  • Accessing Cloud Security Explorer:

    • Sign in to the Azure portal.
    • Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
  • Selecting a Query Template:

    • On the right side of the Cloud Security Explorer page, you’ll find a list of available query templates.
    • Browse through the templates to find one that aligns with your security investigation needs.
    • Click on Open query next to the desired template to load it.
  • Customizing the Query:

    • Once the template is loaded, you can modify the filters and parameters to better suit your environment.
    • Adjust resource types, severity levels, or specific conditions as needed.
  • Running the Query:

    • After customization, click on Search to execute the query.
    • Review the results to identify and assess potential security risks.
  • Sharing and Collaboration:

    • If you wish to share the query with colleagues, select Share query link to copy a direct link to the query configuration.
    • This facilitates collaboration and ensures that all stakeholders are looking at the same query in their security assessments.
    • You can also select Download CSV report to export the results and process them however you want.

A share query link looks like this (the query definition is carried in the part after the # sign):

https://portal.azure.com#view/Microsoft_Azure_Security/SecurityGraph.ReactView/query/<the rest of query includes all properties you have selected to find>
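The link is a plain portal deep link: the serialised query lives in the URL fragment after the # sign, so the portal rebuilds the query client-side and whoever opens it sees results only for the subscriptions their own role grants access to. Before opening a share link pasted into a chat or a ticket, it is worth checking that it really targets portal.azure.com, because a lookalike host is the classic way a "harmless" deep link turns into a credential phish. The helper below does that check and returns the query segment. It is an added example, not code from this post or from Microsoft, and it assumes the commercial-cloud portal hostname; sovereign-cloud portals would need to be added to the allowlist.

```python
from urllib.parse import urlparse

# Fragment prefix shown on the page for a Cloud Security Explorer share link;
# everything after it is the serialised query the portal rebuilds client-side.
SHARE_PREFIX = "view/Microsoft_Azure_Security/SecurityGraph.ReactView/query/"

# Assumption: commercial cloud only. Add e.g. sovereign-cloud portal hosts if
# your tenants live there.
PORTAL_HOSTS = {"portal.azure.com"}


def share_link_query(url: str):
    """Return the query segment of a Cloud Security Explorer share link, or
    None if the URL is not an https link to an allowlisted portal host that
    carries a non-empty query after the expected fragment prefix."""
    parts = urlparse(url)
    # hostname is compared exactly, so 'portal.azure.com.example.net' fails.
    if parts.scheme != "https" or parts.hostname not in PORTAL_HOSTS:
        return None
    if not parts.fragment.startswith(SHARE_PREFIX):
        return None
    payload = parts.fragment[len(SHARE_PREFIX):]
    return payload or None


if __name__ == "__main__":
    link = "https://portal.azure.com#view/Microsoft_Azure_Security/SecurityGraph.ReactView/query/abc123"
    print(share_link_query(link))
    print(share_link_query(link.replace("portal.azure.com", "portal.azure.com.attacker.example")))
```

The check deliberately rejects http:// links and anything whose fragment does not start with the SecurityGraph view prefix, so a link that merely looks like a portal URL is not opened by a script that batch-imports shared queries.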

While the full list of templates can be accessed within the Cloud Security Explorer, here are a few examples:

  • Internet-Exposed Storage Containers with Sensitive Data: Identifies storage containers that are publicly accessible and contain sensitive information.
  • Virtual Machines with High-Severity Vulnerabilities: Finds VMs that have critical vulnerabilities and are potentially exposed to threats.
  • Kubernetes Clusters with Misconfigurations: Detects Kubernetes clusters that may be improperly configured, leading to security risks.

These templates are designed to address common security concerns and can be tailored to fit the specific context of your cloud infrastructure.

Query editor

The Query Editor in Microsoft Defender for Cloud’s Cloud Security Explorer is the tool security teams use to proactively identify and mitigate risks within their cloud environments. It lets you construct and execute graph-based queries on the cloud security graph, giving insight into assets, configurations, vulnerabilities, and more.

Here you first select the category in which to look for issues. The main categories are:

  • Popular
  • Compute
  • Networking
  • Data
  • AI & ML
  • Containers
  • Keys & Secrets
  • APIs
  • DevOps

Each of these has many subcategories, which appear when you click the main category, so you can drill down into them.

Below is an image of the Query builder.

Image: The query builder.

How to Use the Query Editor

  • Accessing the Cloud Security Explorer:

    • Sign in to the Azure portal.
    • Navigate to Microsoft Defender for Cloud > Cloud Security Explorer.
  • Building a Custom Query:

    • Select a resource type from the dropdown menu to define the scope of your query.
    • Click the “+” icon to add additional filters, such as specific subscriptions, resource groups, or security statuses.
    • Adjust subfilters as needed to refine your query parameters.
  • Executing the Query:

    • After configuring your filters, click Search to run the query.
    • Review the generated results to identify potential security risks or compliance issues.
  • Utilizing Query Templates:

    • At the bottom of the Cloud Security Explorer page, browse through available query templates.
    • Select a template that aligns with your investigation needs and click Open query.
    • Modify the pre-populated filters as necessary, then execute the query to obtain tailored insights.
  • Sharing Queries:

    • After constructing a query, click Share query link to copy a direct link to your clipboard.
    • Share this link with colleagues to facilitate collaboration and ensure consistent security evaluations.

Watch my video on how to build a query:

After building a query, press Search; the results list any assets that match the query.

The View details link opens a panel on the right side of the screen.

Image: Results details.

What you can see as general details:

Asset name, Subscription, Resource group, Cloud provider, Tags.

Vulnerability Insights from the asset:

CVE-ID, Description summary, Severity, CVSS vectors, CVSS score.

If you press the Open vulnerability page link, the portal opens the normal vulnerability details page, the same one you reach from, for example, Recommendations.

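The Download CSV report step above and the per-asset details in the results panel (asset name, subscription, resource group, cloud provider, tags, CVE-ID, severity, CVSS score) are the two things you actually take away from a query, and in practice the export is what lands in a ticket or a weekly review. Below is an added example (not code from this post or from Microsoft) that turns such an export into a triage list: it collapses the per-CVE rows into one entry per asset, keeps only assets with a Critical/High finding or a CVSS at or above a threshold, flags production assets by tag, and counts findings per subscription. The sample CSV is constructed, its column headers are an assumption modelled on the fields the results panel shows, and the CVE IDs are placeholders, not real vulnerabilities.

```python
import csv
import io
from collections import defaultdict
from typing import Optional

# Constructed sample of a downloaded Cloud Security Explorer CSV report.
# The column names are an assumption based on the fields the results panel
# shows; the real export may name them differently, so adjust the keys in
# parse_report() to match your file. CVE IDs are placeholders only.
SAMPLE_CSV = """Asset name,Subscription,Resource group,Cloud provider,Tags,CVE-ID,Severity,CVSS score
vm-web-01,Sub-Prod,rg-web,Azure,env=prod;owner=web-team,CVE-0000-0001,High,8.1
vm-web-01,Sub-Prod,rg-web,Azure,env=prod;owner=web-team,CVE-0000-0002,Medium,5.3
vm-batch-03,Sub-Dev,rg-batch,Azure,env=dev,CVE-0000-0003,Critical,9.8
i-0abc123,Sub-AWS,default,AWS,env=prod,CVE-0000-0004,High,7.5
vm-db-02,Sub-Prod,rg-data,Azure,env=prod;owner=dba,CVE-0000-0005,Low,3.1
vm-legacy-09,Sub-Prod,rg-legacy,Azure,env=prod,CVE-0000-0006,high,
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def parse_tags(raw: str) -> dict:
    """Turn 'k=v;k2=v2' into a dict; untagged assets give an empty dict."""
    tags = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_cvss(raw: str) -> Optional[float]:
    """CVSS can be blank in an export; treat anything unparseable as unknown."""
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def parse_report(text: str) -> list:
    """Parse the CSV export into one normalised dict per finding row."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "asset": row["Asset name"],
            "subscription": row["Subscription"],
            "resource_group": row["Resource group"],
            "provider": row["Cloud provider"],
            "tags": parse_tags(row.get("Tags") or ""),
            "cve": row["CVE-ID"],
            # Normalise case so 'high' and 'High' rank the same.
            "severity": row["Severity"].strip().title(),
            "cvss": parse_cvss(row.get("CVSS score") or ""),
        })
    return findings


def high_risk_assets(findings: list, min_cvss: float = 7.0) -> list:
    """Collapse per-CVE rows into one entry per asset and keep the assets with
    at least one Critical/High finding or a CVSS >= min_cvss, worst first."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[(f["provider"], f["subscription"], f["asset"])].append(f)
    assets = []
    for (provider, subscription, asset), rows in by_asset.items():
        qualifying = [
            r for r in rows
            if SEVERITY_RANK.get(r["severity"], 0) >= SEVERITY_RANK["High"]
            or (r["cvss"] is not None and r["cvss"] >= min_cvss)
        ]
        if not qualifying:
            continue
        scores = [r["cvss"] for r in rows if r["cvss"] is not None]
        assets.append({
            "asset": asset,
            "subscription": subscription,
            "provider": provider,
            "is_prod": rows[0]["tags"].get("env") == "prod",
            "worst_cvss": max(scores) if scores else None,
            "finding_count": len(rows),
            "cves": sorted(r["cve"] for r in qualifying),
        })
    # Known scores first, highest first; assets with no CVSS at all go last.
    assets.sort(key=lambda a: (a["worst_cvss"] is None, -(a["worst_cvss"] or 0)))
    return assets


def findings_per_subscription(findings: list) -> dict:
    """Finding counts per subscription: a quick view of where patching lags."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["subscription"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_report(SAMPLE_CSV)
    for a in high_risk_assets(rows):
        print(("PROD " if a["is_prod"] else "") + f"{a['provider']}/{a['subscription']}/"
              f"{a['asset']}: worst CVSS {a['worst_cvss']}, {a['finding_count']} findings")
    print(findings_per_subscription(rows))
```

Two details matter when you run this on a real export: severity strings are normalised before ranking so a mixed-case value is not silently dropped, and a blank CVSS score is kept as unknown rather than treated as zero, so an asset with a High finding and no score still makes the list (it sorts last, as something to verify, not something to ignore).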

That covers the Cloud Security Explorer features. The next part is Workbooks.

The parts of the MDC blog series

 
  • Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
  • Part 1: Getting started aka Setup 
  • Part 2: The Asset Inventory 
  • Part 3: Security posture
  • Part 4: Security recommendations
  • Part 5: Security alerts
  • Part 6: Attack path analysis
  • Part 7: Cloud security explorer
  • Part 8: Workbooks
  • Part 9: Regulatory compliance
  • Part 10: Workload protections
  • Part 10.5: Advanced Workload protection
  • Part 11: Data and AI security – The end of the series
Jussi Metso

The author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.

©2022-2026 Jussi Metso. All rights reserved.