What's new in Microsoft Defender for Cloud?
Defender for Cloud is in active development and receives improvements on an ongoing basis. To stay up to date with the most recent developments, this page provides you with information about new features, bug fixes, and deprecated functionality.
This page is updated frequently, so revisit it often.
To learn about planned changes that are coming soon to Defender for Cloud, see Important upcoming changes to Microsoft Defender for Cloud.
Tip
If you're looking for items older than six months, you can find them in the Archive for What's new in Microsoft Defender for Cloud.
May 2023
Updates in May include:
- New alert in Defender for Key Vault
- Agentless scanning now supports encrypted disks in AWS
- Revised JIT (Just-In-Time) rule naming conventions in Defender for Cloud
- Onboard selected AWS regions
- Multiple changes to identity recommendations
- Deprecation of legacy standards in compliance dashboard
- Two Defender for DevOps recommendations now include Azure DevOps scan findings
- New default setting for Defender for Servers vulnerability assessment solution
- Download a CSV report of your cloud security explorer query results (Preview)
- Release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM
- Renaming container recommendations powered by Qualys
New alert in Defender for Key Vault
Defender for Key Vault has the following new alert:
Alert (alert type) | Description | MITRE tactics | Severity |
---|---|---|---|
Unusual access to the key vault from a suspicious IP (Non-Microsoft or External) (KV_UnusualAccessSuspiciousIP) | A user or service principal has attempted anomalous access to key vaults from a non-Microsoft IP in the last 24 hours. This anomalous access pattern may be legitimate activity. It could be an indication of a possible attempt to gain access to the key vault and the secrets contained within it. We recommend further investigations. | Credential Access | Medium |
For all of the available alerts, see Alerts for Azure Key Vault.
Agentless scanning now supports encrypted disks in AWS
Agentless scanning for VMs now supports processing of instances with encrypted disks in AWS, using both customer-managed keys (CMK) and platform-managed keys (PMK).
This extended support increases coverage and visibility over your cloud estate without impacting your running workloads. Support for encrypted disks maintains the same zero impact method on running instances.
- For new customers enabling agentless scanning in AWS - encrypted disks coverage is built in and supported by default.
- For existing customers that already have an AWS connector with agentless scanning enabled, you'll need to reapply the CloudFormation stack to your onboarded AWS accounts to update and add the new permissions that are required to process encrypted disks. The updated CloudFormation template includes new assignments that allow Defender for Cloud to process encrypted disks.
You can learn more about the permissions used to scan AWS instances.
To re-apply your CloudFormation stack:
- Go to Defender for Cloud environment settings and open your AWS connector.
- Navigate to the Configure Access tab.
- Select Click to download the CloudFormation template.
- Navigate to your AWS environment and apply the updated template.
Learn more about agentless scanning and enabling agentless scanning in AWS.
Revised JIT (Just-In-Time) rule naming conventions in Defender for Cloud
We revised the JIT (Just-In-Time) rules to align with the Microsoft Defender for Cloud brand. We changed the naming conventions for Azure Firewall and NSG (Network Security Group) rules.
The changes are listed as follows:
Description | Old Name | New Name |
---|---|---|
JIT rule names (allow and deny) in NSG (Network Security Group) | SecurityCenter-JITRule | MicrosoftDefenderForCloud-JITRule |
JIT rule descriptions in NSG | ASC JIT Network Access rule | MDC JIT Network Access rule |
JIT firewall rule collection names | ASC-JIT | MDC-JIT |
JIT firewall rules names | ASC-JIT | MDC-JIT |
Learn how to secure your management ports with Just-In-Time access.
Onboard selected AWS regions
To help you manage your AWS CloudTrail costs and compliance needs, you can now select which AWS regions to scan when you add or edit a cloud connector. When you onboard your AWS accounts to Defender for Cloud, you can scan either specific selected AWS regions or all available regions (the default). Learn more at Connect your AWS account to Microsoft Defender for Cloud.
Multiple changes to identity recommendations
The following recommendations are now released as General Availability (GA) and are replacing the V1 recommendations that are now deprecated.
General Availability (GA) release of identity recommendations V2
The V2 release of identity recommendations introduces the following enhancements:
- The scope of the scan has been expanded to include all Azure resources, not just subscriptions, which enables security administrators to view role assignments per account.
- Specific accounts can now be exempted from evaluation. Accounts such as break glass or service accounts can be excluded by security administrators.
- The scan frequency has been increased from 24 hours to 12 hours, thereby ensuring that the identity recommendations are more up-to-date and accurate.
The following security recommendations are available in GA and replace the V1 recommendations:
Recommendation | Assessment Key |
---|---|
Accounts with owner permissions on Azure resources should be MFA enabled | 6240402e-f77c-46fa-9060-a7ce53997754 |
Accounts with write permissions on Azure resources should be MFA enabled | c0cb17b2-0607-48a7-b0e0-903ed22de39b |
Accounts with read permissions on Azure resources should be MFA enabled | dabc9bc4-b8a8-45bd-9a5a-43000df8aa1c |
Guest accounts with owner permissions on Azure resources should be removed | 20606e75-05c4-48c0-9d97-add6daa2109a |
Guest accounts with write permissions on Azure resources should be removed | 0354476c-a12a-4fcc-a79d-f0ab7ffffdbb |
Guest accounts with read permissions on Azure resources should be removed | fde1c0c9-0fd2-4ecc-87b5-98956cbc1095 |
Blocked accounts with owner permissions on Azure resources should be removed | 050ac097-3dda-4d24-ab6d-82568e7a50cf |
Blocked accounts with read and write permissions on Azure resources should be removed | 1ff0b4c9-ed56-4de6-be9c-d7ab39645926 |
Deprecation of identity recommendations V1
The following security recommendations are now deprecated:
Recommendation | Assessment Key |
---|---|
MFA should be enabled on accounts with owner permissions on subscriptions | 94290b00-4d0c-d7b4-7cea-064a9554e681 |
MFA should be enabled on accounts with write permissions on subscriptions | 57e98606-6b1e-6193-0e3d-fe621387c16b |
MFA should be enabled on accounts with read permissions on subscriptions | 151e82c5-5341-a74b-1eb0-bc38d2c84bb5 |
External accounts with owner permissions should be removed from subscriptions | c3b6ae71-f1f0-31b4-e6c1-d5951285d03d |
External accounts with write permissions should be removed from subscriptions | 04e7147b-0deb-9796-2e5c-0336343ceb3d |
External accounts with read permissions should be removed from subscriptions | a8c6a4ad-d51e-88fe-2979-d3ee3c864f8b |
Deprecated accounts with owner permissions should be removed from subscriptions | e52064aa-6853-e252-a11e-dffc675689c2 |
Deprecated accounts should be removed from subscriptions | 00c6d40b-e990-6acf-d4f3-471e747a27c4 |
We recommend updating your custom scripts, workflows, and governance rules to correspond with the V2 recommendations.
Deprecation of legacy standards in compliance dashboard
Legacy PCI DSS v3.2.1 and legacy SOC TSP have been fully deprecated in the Defender for Cloud compliance dashboard, and replaced by SOC 2 Type 2 initiative and PCI DSS v4 initiative-based compliance standards. We have fully deprecated support of PCI DSS standard/initiative in Azure China 21Vianet.
Learn how to customize the set of standards in your regulatory compliance dashboard.
Two Defender for DevOps recommendations now include Azure DevOps scan findings
Defender for DevOps Code and IaC has expanded its recommendation coverage in Microsoft Defender for Cloud to include Azure DevOps security findings for the following two recommendations:
- Code repositories should have code scanning findings resolved
- Code repositories should have infrastructure as code scanning findings resolved
Previously, coverage for Azure DevOps security scanning only included the secrets recommendation.
Learn more about Defender for DevOps.
New default setting for Defender for Servers vulnerability assessment solution
Vulnerability assessment (VA) solutions are essential to safeguard machines from cyberattacks and data breaches.
Microsoft Defender Vulnerability Management (MDVM) is now enabled as the default, built-in solution for all subscriptions protected by Defender for Servers that don't already have a VA solution selected.
If a subscription has a VA solution enabled on any of its VMs, no changes will be made and MDVM will not be enabled by default on the remaining VMs in that subscription. You can choose to enable a VA solution on the remaining VMs on your subscriptions.
Learn how to Find vulnerabilities and collect software inventory with agentless scanning (Preview).
Download a CSV report of your cloud security explorer query results (Preview)
Defender for Cloud has added the ability to download a CSV report of your cloud security explorer query results.
After you run a search for a query, you can select the Download CSV report (Preview) button from the Cloud Security Explorer page in Defender for Cloud.
Learn how to build queries with cloud security explorer.
Release of containers Vulnerability Assessment powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM
We're announcing the release of Vulnerability Assessment for Linux images in Azure container registries powered by Microsoft Defender Vulnerability Management (MDVM) in Defender CSPM. This release includes daily scanning of images. Findings used in the Security Explorer and attack paths rely on MDVM Vulnerability Assessment instead of the Qualys scanner.
The existing recommendation Container registry images should have vulnerability findings resolved is replaced by a new recommendation powered by MDVM:
Recommendation | Description | Assessment Key |
---|---|---|
Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management) | Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | dbd0cb49-b563-45e7-9724-889e799fa648 is replaced by c0b7cfc6-3172-465a-b378-53c7ff2cc0d5 |
Learn more about Agentless Containers Posture in Defender CSPM.
Learn more about Microsoft Defender Vulnerability Management (MDVM).
Renaming container recommendations powered by Qualys
The current container recommendations in Defender for Containers will be renamed as follows:
Recommendation | Description | Assessment Key |
---|---|---|
Container registry images should have vulnerability findings resolved (powered by Qualys) | Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | dbd0cb49-b563-45e7-9724-889e799fa648 |
Running container images should have vulnerability findings resolved (powered by Qualys) | Container image vulnerability assessment scans container images running on your Kubernetes clusters for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. | 41503391-efa5-47ee-9282-4eff6131462c |
April 2023
Updates in April include:
- Agentless Container Posture in Defender CSPM (Preview)
- New preview Unified Disk Encryption recommendation
- Changes in the recommendation Machines should be configured securely
- Deprecation of App Service language monitoring policies
- New alert in Defender for Resource Manager
- Three alerts in the Defender for Resource Manager plan have been deprecated
- Alerts automatic export to Log Analytics workspace have been deprecated
- Deprecation and improvement of selected alerts for Windows and Linux Servers
- New Azure Active Directory authentication-related recommendations for Azure Data Services
- Two recommendations related to missing Operating System (OS) updates were released to GA
- Defender for APIs (Preview)
Agentless Container Posture in Defender CSPM (Preview)
The new Agentless Container Posture (Preview) capabilities are available as part of the Defender CSPM (Cloud Security Posture Management) plan.
Agentless Container Posture allows security teams to identify security risks in containers and Kubernetes realms. An agentless approach allows security teams to gain visibility into their Kubernetes and containers registries across SDLC and runtime, removing friction and footprint from the workloads.
Agentless Container Posture offers container vulnerability assessments that, combined with attack path analysis, enable security teams to prioritize and zoom into specific container vulnerabilities. You can also use cloud security explorer to uncover risks and hunt for container posture insights, such as discovery of applications running vulnerable images or exposed to the internet.
Learn more at Agentless Container Posture (Preview).
Unified Disk Encryption recommendation (preview)
We have introduced a unified disk encryption recommendation in public preview: Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost and Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost.
These recommendations replace Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources, which detected Azure Disk Encryption (ADE), and the policy Virtual machines and virtual machine scale sets should have encryption at host enabled, which detected EncryptionAtHost. ADE and EncryptionAtHost provide comparable encryption-at-rest coverage, and we recommend enabling one of them on every virtual machine. The new recommendations detect whether either ADE or EncryptionAtHost is enabled and only warn if neither is enabled. We also warn if ADE is enabled on some, but not all, disks of a VM (this condition isn't applicable to EncryptionAtHost).
The new recommendations require Azure Automanage Machine Configuration.
These recommendations are based on the following policies:
- (Preview) Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost
- (Preview) Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost
Learn more about ADE and EncryptionAtHost and how to enable one of them.
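The evaluation rules described above, written out as an added example (this is not Microsoft's policy or Machine Configuration code) over a constructed, simplified VM record; the `VirtualMachine` and `Disk` field names and the finding texts are this example's own assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Disk:
    """One OS or data disk; ade_enabled is its Azure Disk Encryption state."""
    name: str
    ade_enabled: bool


@dataclass
class VirtualMachine:
    """Constructed, simplified VM view. Field names are this example's own,
    not the Azure Machine Configuration schema."""
    name: str
    os_type: str                  # "Windows" or "Linux"
    encryption_at_host: bool      # the EncryptionAtHost VM property
    disks: List[Disk] = field(default_factory=list)


def recommendation_name(vm: VirtualMachine) -> str:
    """Which of the two unified recommendations applies to this VM."""
    return (f"{vm.os_type} virtual machines should enable "
            "Azure Disk Encryption or EncryptionAtHost")


def evaluate_disk_encryption(vm: VirtualMachine) -> Optional[str]:
    """Return None when the VM is healthy for the recommendation, else a finding.

    Rules as described in the release note:
      * EncryptionAtHost enabled -> healthy, whatever the per-disk ADE state
        (the partial-ADE condition does not apply to EncryptionAtHost)
      * ADE enabled on every disk -> healthy
      * ADE enabled on some but not all disks -> warn, naming the gaps
      * neither mechanism enabled -> warn
    A VM with no disk information and no EncryptionAtHost is treated as
    unencrypted (an assumption of this example).
    """
    if vm.encryption_at_host:
        return None
    missing = [d.name for d in vm.disks if not d.ade_enabled]
    covered = len(vm.disks) - len(missing)
    if vm.disks and not missing:
        return None
    if covered:
        return ("Azure Disk Encryption is enabled on some disks but not on: "
                + ", ".join(missing))
    return "Neither Azure Disk Encryption nor EncryptionAtHost is enabled"


def assess(vms: List[VirtualMachine]) -> Dict[str, Dict[str, str]]:
    """Group unhealthy VMs and their findings under the applicable recommendation."""
    report: Dict[str, Dict[str, str]] = {}
    for vm in vms:
        finding = evaluate_disk_encryption(vm)
        if finding is not None:
            report.setdefault(recommendation_name(vm), {})[vm.name] = finding
    return report


# Constructed sample fleet that exercises every branch of the rules.
SAMPLE_VMS = [
    VirtualMachine("web01", "Linux", encryption_at_host=True,
                   disks=[Disk("os", False)]),                      # healthy via EncryptionAtHost
    VirtualMachine("db01", "Windows", encryption_at_host=False,
                   disks=[Disk("os", True), Disk("data1", True)]),  # healthy via ADE on all disks
    VirtualMachine("app01", "Windows", encryption_at_host=False,
                   disks=[Disk("os", True), Disk("data1", False)]), # partial ADE -> warn
    VirtualMachine("legacy01", "Linux", encryption_at_host=False,
                   disks=[Disk("os", False)]),                      # nothing enabled -> warn
]

if __name__ == "__main__":
    for rec, findings in assess(SAMPLE_VMS).items():
        print(rec)
        for vm_name, finding in findings.items():
            print(f"  {vm_name}: {finding}")
```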
Changes in the recommendation Machines should be configured securely
The recommendation Machines should be configured securely was updated. The update improves the performance and stability of the recommendation and aligns its experience with the generic behavior of Defender for Cloud's recommendations.
As part of this update, the recommendation's ID was changed from 181ac480-f7c4-544b-9865-11b8ffe87f47 to c476dc48-8110-4139-91af-c8d940896b98.
No action is required on the customer side, and there's no expected effect on the secure score.
Deprecation of App Service language monitoring policies
The following App Service language monitoring policies have been deprecated due to their ability to generate false negatives and because they don't provide better security. You should always ensure you're using a language version without any known vulnerabilities.
Policy name | Policy ID |
---|---|
App Service apps that use Java should use the latest 'Java version' | 496223c3-ad65-4ecd-878a-bae78737e9ed |
App Service apps that use Python should use the latest 'Python version' | 7008174a-fd10-4ef0-817e-fc820a951d73 |
Function apps that use Java should use the latest 'Java version' | 9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc |
Function apps that use Python should use the latest 'Python version' | 7238174a-fd10-4ef0-817e-fc820a951d73 |
App Service apps that use PHP should use the latest 'PHP version' | 7261b898-8a84-4db8-9e04-18527132abb3 |
Customers can use alternative built-in policies to monitor any specified language version for their App Services.
These policies are no longer available in Defender for Cloud's built-in recommendations. You can add them as custom recommendations to have Defender for Cloud monitor them.
New alert in Defender for Resource Manager
Defender for Resource Manager has the following new alert:
Alert (alert type) | Description | MITRE tactics | Severity |
---|---|---|---|
PREVIEW - Suspicious creation of compute resources detected (ARM_SuspiciousComputeCreation) | Microsoft Defender for Resource Manager identified a suspicious creation of compute resources in your subscription utilizing Virtual Machines/Azure Scale Set. The identified operations are designed to allow administrators to efficiently manage their environments by deploying new resources when needed. While this activity may be legitimate, a threat actor might utilize such operations to conduct crypto mining. The activity is deemed suspicious as the compute resources scale is higher than previously observed in the subscription. This can indicate that the principal is compromised and is being used with malicious intent. | Impact | Medium |
You can see a list of all of the alerts available for Resource Manager.
Three alerts in the Defender for Resource Manager plan have been deprecated
The following three alerts for the Defender for Resource Manager plan have been deprecated:
- Activity from a risky IP address (ARM.MCAS_ActivityFromAnonymousIPAddresses)
- Activity from infrequent country (ARM.MCAS_ActivityFromInfrequentCountry)
- Impossible travel activity (ARM.MCAS_ImpossibleTravelActivity)
In a scenario where activity from a suspicious IP address is detected, one of the following Defender for Resource Manager plan alerts will be present: Azure Resource Manager operation from suspicious IP address or Azure Resource Manager operation from suspicious proxy IP address.
Alerts automatic export to Log Analytics workspace have been deprecated
Defender for Cloud security alerts are automatically exported to a default Log Analytics workspace on the resource level. This causes nondeterministic behavior, and therefore we have deprecated this feature.
Instead, you can export your security alerts to a dedicated Log Analytics workspace with Continuous Export.
If you have already configured continuous export of your alerts to a Log Analytics workspace, no further action is required.
Deprecation and improvement of selected alerts for Windows and Linux Servers
The security alert quality improvement process for Defender for Servers includes the deprecation of some alerts for both Windows and Linux servers. The deprecated alerts are now sourced from and covered by Defender for Endpoint threat alerts.
If you already have the Defender for Endpoint integration enabled, no further action is required. You may experience a decrease in your alerts volume in April 2023.
If you don't have the Defender for Endpoint integration enabled in Defender for Servers, you'll need to enable the Defender for Endpoint integration to maintain and improve your alert coverage.
All Defender for Servers customers have full access to the Defender for Endpoint integration as a part of the Defender for Servers plan.
You can learn more about Microsoft Defender for Endpoint onboarding options.
You can also view the full list of alerts that are set to be deprecated.
Read the Microsoft Defender for Cloud blog.
New Azure Active Directory authentication-related recommendations for Azure Data Services
We have added four new Azure Active Directory authentication-related recommendations for Azure Data Services.
Recommendation Name | Recommendation Description | Policy |
---|---|---|
Azure SQL Managed Instance authentication mode should be Azure Active Directory Only | Disabling local authentication methods and allowing only Azure Active Directory Authentication improves security by ensuring that Azure SQL Managed Instances can exclusively be accessed by Azure Active Directory identities. | Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled |
Azure Synapse Workspace authentication mode should be Azure Active Directory Only | Azure Active Directory only authentication methods improve security by ensuring that Synapse Workspaces exclusively require Azure AD identities for authentication. Learn more. | Synapse Workspaces should use only Azure Active Directory identities for authentication |
Azure Database for MySQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for MySQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | An Azure Active Directory administrator should be provisioned for MySQL servers |
Azure Database for PostgreSQL should have an Azure Active Directory administrator provisioned | Provision an Azure AD administrator for your Azure Database for PostgreSQL to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | An Azure Active Directory administrator should be provisioned for PostgreSQL servers |
Two recommendations related to missing Operating System (OS) updates were released to GA
The recommendations System updates should be installed on your machines (powered by Update management center) and Machines should be configured to periodically check for missing system updates have been released for General Availability.
To use the new recommendation, you need to:
- Connect your non-Azure machines to Arc.
- Enable the periodic assessment property. You can use the Fix button in the new recommendation, Machines should be configured to periodically check for missing system updates, to fix the recommendation.
After completing these steps, you can remove the old recommendation System updates should be installed on your machines by disabling it from Defender for Cloud's built-in initiative in Azure Policy.
The two versions of the recommendation:
- System updates should be installed on your machines
- System updates should be installed on your machines (powered by Update management center)
will both be available until the Log Analytics agent is deprecated on August 31, 2024, which is when the older version (System updates should be installed on your machines) of the recommendation will be deprecated as well. Both recommendations return the same results and are available under the same control, Apply system updates.
The new recommendation System updates should be installed on your machines (powered by Update management center) has a remediation flow available through the Fix button, which can be used to remediate any results through the Update Management Center (Preview). This remediation process is still in Preview.
The new recommendation System updates should be installed on your machines (powered by Update management center) isn't expected to affect your Secure Score, as it has the same results as the old recommendation System updates should be installed on your machines.
The prerequisite recommendation (Enable the periodic assessment property) has a negative effect on your Secure Score. You can remediate the negative effect with the available Fix button.
Defender for APIs (Preview)
Microsoft Defender for Cloud is announcing that the new Defender for APIs is available in preview.
Defender for APIs offers full lifecycle protection, detection, and response coverage for APIs.
Defender for APIs helps you to gain visibility into business-critical APIs. You can investigate and improve your API security posture, prioritize vulnerability fixes, and quickly detect active real-time threats.
Learn more about Defender for APIs.
March 2023
Updates in March include:
- A new Defender for Storage plan is available, including near-real time malware scanning and sensitive data threat detection
- Data-aware security posture (preview)
- Improved experience for managing the default Azure security policies
- Defender CSPM (Cloud Security Posture Management) is now Generally Available (GA)
- Option to create custom recommendations and security standards in Microsoft Defender for Cloud
- Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA)
- Some regulatory compliance standards are now available in government clouds
- New preview recommendation for Azure SQL Servers
- New alert in Defender for Key Vault
A new Defender for Storage plan is available, including near-real time malware scanning and sensitive data threat detection
Cloud storage plays a key role in the organization and stores large volumes of valuable and sensitive data. Today we're announcing a new Defender for Storage plan. If you’re using the previous plan (now renamed to "Defender for Storage (classic)"), you'll need to proactively migrate to the new plan in order to use the new features and benefits.
The new plan includes advanced security capabilities to help protect against malicious file uploads, sensitive data exfiltration, and data corruption. It also provides a more predictable and flexible pricing structure for better control over coverage and costs.
The new plan has new capabilities now in public preview:
- Detecting sensitive data exposure and exfiltration events
- Near real-time blob on-upload malware scanning across all file types
- Detecting entities with no identities using SAS tokens
These capabilities enhance the existing Activity Monitoring capability, based on control and data plane log analysis and behavioral modeling to identify early signs of breach.
All these capabilities are available in a new predictable and flexible pricing plan that provides granular control over data protection at both the subscription and resource levels.
Learn more at Overview of Microsoft Defender for Storage.
Data-aware security posture (preview)
Microsoft Defender for Cloud helps security teams to be more productive at reducing risks and responding to data breaches in the cloud. It allows them to cut through the noise with data context and prioritize the most critical security risks, preventing a costly data breach.
- Automatically discover data resources across your cloud estate and evaluate their accessibility, data sensitivity and configured data flows.
- Continuously uncover risks of data breaches of sensitive data resources, exposure, or attack paths that could lead to a data resource using a lateral movement technique.
- Detect suspicious activities that may indicate an ongoing threat to sensitive data resources.
Learn more about data-aware security posture.
Improved experience for managing the default Azure security policies
We're introducing an improved Azure security policy management experience for built-in recommendations that simplifies the way Defender for Cloud customers fine-tune their security requirements. The new experience includes the following new capabilities:
- A simple interface allows better performance and fewer selections when managing default security policies within Defender for Cloud, including enabling/disabling, denying, setting parameters and managing exemptions.
- A single view of all built-in security recommendations offered by the Microsoft cloud security benchmark (formerly the Azure security benchmark). Recommendations are organized into logical groups, making it easier to understand the types of resources covered, and the relationship between parameters and recommendations.
- New features such as filters and search have been added.
Learn how to manage security policies.
Read the Microsoft Defender for Cloud blog.
Defender CSPM (Cloud Security Posture Management) is now Generally Available (GA)
We're announcing that Defender CSPM is now Generally Available (GA). Defender CSPM offers all of the services available under the Foundational CSPM capabilities and adds the following benefits:
- Attack path analysis and ARG API - Attack path analysis uses a graph-based algorithm that scans the cloud security graph to expose attack paths and suggests recommendations as to how best to remediate issues that break the attack path and prevent a successful breach. You can also consume attack paths programmatically by querying the Azure Resource Graph (ARG) API. Learn how to use attack path analysis.
- Cloud Security explorer - Use the Cloud Security Explorer to run graph-based queries on the cloud security graph, to proactively identify security risks in your multicloud environments. Learn more about cloud security explorer.
Learn more about Defender CSPM.
Option to create custom recommendations and security standards in Microsoft Defender for Cloud
Microsoft Defender for Cloud provides the option of creating custom recommendations and standards for AWS and GCP using KQL queries. You can use a query editor to build and test queries over your data. This feature is part of the Defender CSPM (Cloud Security Posture Management) plan. Learn how to create custom recommendations and standards.
Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA)
Microsoft Defender for Cloud is announcing that the Microsoft cloud security benchmark (MCSB) version 1.0 is now Generally Available (GA).
MCSB version 1.0 replaces the Azure Security Benchmark (ASB) version 3 as Microsoft Defender for Cloud's default security policy for identifying security vulnerabilities in your cloud environments according to common security frameworks and best practices. MCSB version 1.0 appears as the default compliance standard in the compliance dashboard and is enabled by default for all Defender for Cloud customers.
You can also learn How Microsoft cloud security benchmark (MCSB) helps you succeed in your cloud security journey.
Learn more about MCSB.
Some regulatory compliance standards are now available in government clouds
We're announcing that the following regulatory standards are being updated with their latest versions and are available for customers in Azure Government and Azure China 21Vianet.
Azure Government:
Azure China 21Vianet:
Learn how to Customize the set of standards in your regulatory compliance dashboard.
New preview recommendation for Azure SQL Servers
We've added a new recommendation for Azure SQL Servers, Azure SQL Server authentication mode should be Azure Active Directory Only (Preview).
The recommendation is based on the existing policy Azure SQL Database should have Azure Active Directory Only Authentication enabled.
This recommendation disables local authentication methods and allows only Azure Active Directory Authentication, which improves security by ensuring that Azure SQL Databases can exclusively be accessed by Azure Active Directory identities.
Learn how to create servers with Azure AD-only authentication enabled in Azure SQL.
New alert in Defender for Key Vault
Defender for Key Vault has the following new alert:
Alert (alert type) | Description | MITRE tactics | Severity |
---|---|---|---|
Denied access from a suspicious IP to a key vault (KV_SuspiciousIPAccessDenied) | An unsuccessful key vault access has been attempted by an IP that has been identified by Microsoft Threat Intelligence as a suspicious IP address. Though this attempt was unsuccessful, it indicates that your infrastructure might have been compromised. We recommend further investigations. | Credential Access | Low |
You can see a list of all of the alerts available for Key Vault.
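As an added illustration of what the new alert looks for (this is not the product's alert logic and not code from the docs), the following script runs a simplified version of the same detection over constructed Key Vault diagnostic log lines: denied requests whose caller IP falls in a watchlist are grouped per vault and caller. The field names (callerIpAddress, operationName, resultSignature, resourceId) are modelled on Key Vault AuditEvent records, the watchlist stands in for a threat-intelligence feed, and the subscription in the resource id is a placeholder.

```python
"""Flag denied Key Vault requests that come from addresses on a watchlist.

Added example; it is not part of the Defender for Cloud docs and does not
reproduce the product's alert logic. Events are constructed JSON lines
modelled on Key Vault AuditEvent diagnostic records (field names
callerIpAddress, operationName, resultSignature, resourceId are assumed).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed watchlist standing in for a threat-intelligence feed.
SUSPICIOUS_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Result signatures treated as "access denied" (assumed field values).
DENIED_SIGNATURES = {"Forbidden", "Unauthorized"}

# Placeholder subscription id; only the vault name at the end is used.
VAULT_ID = ("/SUBSCRIPTIONS/<subscription-placeholder>/RESOURCEGROUPS/RG"
            "/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/KV-PROD")

SAMPLE_LOG_LINES = [json.dumps(e) for e in [  # constructed sample events
    {"time": "2023-02-01T10:00:01Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultSignature": "Forbidden", "callerIpAddress": "203.0.113.45", "resourceId": VAULT_ID},
    {"time": "2023-02-01T10:00:05Z", "category": "AuditEvent", "operationName": "SecretList",
     "resultSignature": "Forbidden", "callerIpAddress": "203.0.113.45", "resourceId": VAULT_ID},
    # Denied, but from an internal address not on the watchlist: not flagged here.
    {"time": "2023-02-01T10:01:00Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultSignature": "Forbidden", "callerIpAddress": "10.0.0.5", "resourceId": VAULT_ID},
    # Successful access from the watchlisted IP is a different case (not "denied").
    {"time": "2023-02-01T10:02:00Z", "category": "AuditEvent", "operationName": "SecretGet",
     "resultSignature": "OK", "callerIpAddress": "203.0.113.45", "resourceId": VAULT_ID},
]]


def is_suspicious(ip: str, networks=SUSPICIOUS_NETWORKS) -> bool:
    """True when the caller address is inside any watchlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or missing address: never matches
    return any(addr in net for net in networks)


def detect_denied_from_suspicious(lines, networks=SUSPICIOUS_NETWORKS) -> list[dict]:
    """Group denied AuditEvents from watchlisted callers per (vault, caller IP)."""
    grouped = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip unparsable lines rather than abort the whole run
        if ev.get("category") != "AuditEvent":
            continue
        if ev.get("resultSignature") not in DENIED_SIGNATURES:
            continue
        ip = ev.get("callerIpAddress", "")
        if not is_suspicious(ip, networks):
            continue
        grouped[(ev.get("resourceId") or "", ip)].append(ev)

    findings = []
    for (vault_id, ip), evs in grouped.items():
        findings.append({
            "vault": vault_id.rsplit("/", 1)[-1],
            "callerIp": ip,
            "deniedCount": len(evs),
            "operations": sorted({e.get("operationName", "") for e in evs}),
            "firstSeen": min(e.get("time", "") for e in evs),
            "severity": "Low",  # the severity the alert table above assigns
        })
    return findings


if __name__ == "__main__":
    for f in detect_denied_from_suspicious(SAMPLE_LOG_LINES):
        print(f)
```

Denied requests from the internal address are deliberately left out, since the alert is specifically about callers that threat intelligence already marks as suspicious; a successful request from such a caller is not a denied access and would belong to a different detection.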
February 2023
Updates in February include:
- Enhanced Cloud Security Explorer
- Defender for Containers' vulnerability scans of running Linux images now GA
- Announcing support for the AWS CIS 1.5.0 compliance standard
- Microsoft Defender for DevOps (preview) is now available in other regions
- The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated
Enhanced Cloud Security Explorer
An improved version of the cloud security explorer includes a refreshed user experience that dramatically reduces query friction, adds the ability to run multicloud and multi-resource queries, and embeds documentation for each query option.
The Cloud Security Explorer now allows you to run cloud-abstract queries across resources. You can use either the prebuilt query templates or use the custom search to apply filters to build your query. Learn how to manage Cloud Security Explorer.
Defender for Containers' vulnerability scans of running Linux images now GA
Defender for Containers detects vulnerabilities in running containers. Both Windows and Linux containers are supported.
In August 2022, this capability was released in preview for Windows and Linux. It's now released for general availability (GA) for Linux.
When vulnerabilities are detected, Defender for Cloud generates the following security recommendation listing the scan's findings: Running container images should have vulnerability findings resolved.
Learn more about viewing vulnerabilities for running images.
Announcing support for the AWS CIS 1.5.0 compliance standard
Defender for Cloud now supports the CIS Amazon Web Services Foundations v1.5.0 compliance standard. The standard can be added to your Regulatory Compliance dashboard, and builds on MDC's existing offerings for multicloud recommendations and standards.
This new standard includes both existing and new recommendations that extend Defender for Cloud's coverage to new AWS services and resources.
Learn how to Manage AWS assessments and standards.
Microsoft Defender for DevOps (preview) is now available in other regions
Microsoft Defender for DevOps has expanded its preview and is now available in the West Europe and East Australia regions, when you onboard your Azure DevOps and GitHub resources.
Learn more about Microsoft Defender for DevOps.
The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated
The built-in policy [Preview]: Private endpoint should be configured for Key Vault has been deprecated and has been replaced with the [Preview]: Azure Key Vaults should use private link policy.
Learn more about integrating Azure Key Vault with Azure Policy.
January 2023
Updates in January include:
- The Endpoint protection (Microsoft Defender for Endpoint) component is now accessed in the Settings and monitoring page
- New version of the recommendation to find missing system updates (Preview)
- Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts
- Allow continuous export to Event Hubs behind a firewall
- The name of the Secure score control Protect your applications with Azure advanced networking solutions has been changed
- The policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports has been deprecated
- Recommendation to enable diagnostic logs for Virtual Machine Scale Sets has been deprecated
The Endpoint protection (Microsoft Defender for Endpoint) component is now accessed in the Settings and monitoring page
To access Endpoint protection, navigate to Environment settings > Defender plans > Settings and monitoring. From here you can set Endpoint protection to On. You can also see all of the other components that are managed.
Learn more about enabling Microsoft Defender for Endpoint on your servers with Defender for Servers.
New version of the recommendation to find missing system updates (Preview)
You no longer need an agent on your Azure VMs and Azure Arc machines to make sure the machines have all of the latest security or critical system updates.
The new system updates recommendation, System updates should be installed on your machines (powered by Update management center), in the Apply system updates control, is based on the Update management center (preview). The recommendation relies on a native agent embedded in every Azure VM and Azure Arc machine instead of an installed agent. The Quick Fix in the new recommendation leads you to a one-time installation of the missing updates in the Update management center portal.
To use the new recommendation, you need to:
- Connect your non-Azure machines to Arc
- Turn on the periodic assessment property. You can use the Quick Fix in the new recommendation, Machines should be configured to periodically check for missing system updates, to fix the recommendation.
The existing "System updates should be installed on your machines" recommendation, which relies on the Log Analytics agent, is still available under the same control.
Cleanup of deleted Azure Arc machines in connected AWS and GCP accounts
A machine connected to an AWS or GCP account that is covered by Defender for Servers or Defender for SQL on machines is represented in Defender for Cloud as an Azure Arc machine. Until now, that machine wasn't deleted from the inventory when the machine was deleted from the AWS or GCP account, leaving unnecessary Azure Arc resources in Defender for Cloud that represented deleted machines.
Defender for Cloud will now automatically delete Azure Arc machines when those machines are deleted in a connected AWS or GCP account.
Allow continuous export to Event Hubs behind a firewall
You can now enable the continuous export of alerts and recommendations, as a trusted service, to Event Hubs that are protected by an Azure firewall.
You can enable continuous export as the alerts or recommendations are generated. You can also define a schedule to send periodic snapshots of all of the new data.
Learn how to enable continuous export to Event Hubs behind an Azure firewall.
The name of the Secure score control Protect your applications with Azure advanced networking solutions has been changed
The secure score control Protect your applications with Azure advanced networking solutions has been changed to Protect applications against DDoS attacks.
The updated name is reflected on Azure Resource Graph (ARG), the Secure Score Controls API and the Download CSV report.
The policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports has been deprecated
The policy Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports has been deprecated.
The Defender for SQL vulnerability assessment email report is still available and existing email configurations haven't changed.
Recommendation to enable diagnostic logs for Virtual Machine Scale Sets has been deprecated
The recommendation Diagnostic logs in Virtual Machine Scale Sets should be enabled has been deprecated.
The related policy definition has also been deprecated from any standards displayed in the regulatory compliance dashboard.
Recommendation | Description | Severity |
---|---|---|
Diagnostic logs in Virtual Machine Scale Sets should be enabled | Enable logs and retain them for up to a year, enabling you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. | Low |
December 2022
Updates in December include:
- Announcing express configuration for vulnerability assessment in Defender for SQL
Announcing express configuration for vulnerability assessment in Defender for SQL
The express configuration for vulnerability assessment in Microsoft Defender for SQL provides security teams with a streamlined configuration experience on Azure SQL Databases and Dedicated SQL Pools outside of Synapse Workspaces.
With the express configuration experience for vulnerability assessments, security teams can:
- Complete the vulnerability assessment configuration in the security configuration of the SQL resource, without any other settings or dependencies on customer-managed storage accounts.
- Immediately add scan results to baselines so that the status of the finding changes from Unhealthy to Healthy without rescanning a database.
- Add multiple rules to baselines at once and use the latest scan results.
- Enable vulnerability assessment for all Azure SQL Servers when you turn on Microsoft Defender for databases at the subscription-level.
Learn more about Defender for SQL vulnerability assessment.
Next steps
For past changes to Defender for Cloud, see Archive for what's new in Defender for Cloud.