Ovaj preglednik više nije podržan.
Prijeđite na Microsoft Edge, gdje vas čekaju najnovije značajke, sigurnosna ažuriranja i tehnička podrška.
One of Microsoft Defender for Cloud's main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.
Defender for Cloud continually assesses your resources against security standards that are defined for your Azure subscriptions, AWS accounts, and GCP projects. Defender for Cloud issues security recommendations based on these assessments.
By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) compliance standard is turned on. It provides recommendations. Defender for Cloud provides an aggregated secure score based on some of the MCSB recommendations. The higher the score, the lower the identified risk level.
Defender for Cloud provides the following CSPM offerings:
Foundational CSPM - Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to Defender for Cloud.
Defender Cloud Security Posture Management (CSPM) plan - The optional, paid Defender for Cloud Secure Posture Management plan provides more, advanced security posture features.
Learn more about Defender CSPM pricing.
The following table summarizes each plan and their cloud availability.
| Feature | Foundational CSPM | Defender CSPM | Cloud availability |
|---|---|---|---|
| Security recommendations | 
|
|
Azure, AWS, GCP, on-premises , Docker Hub, JFrog Artifactory |
| Asset inventory |
|
|
Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Secure score |
|
|
Azure, AWS, GCP, on-premises , Docker Hub, JFrog Artifactory |
| Data visualization and reporting with Azure Workbooks |
|
|
Azure, AWS, GCP, on-premises |
| Data exporting |
|
|
Azure, AWS, GCP, on-premises |
| Workflow automation |
|
|
Azure, AWS, GCP, on-premises |
| Tools for remediation |
|
|
Azure, AWS, GCP, on-premises, Docker Hub, JFrog Artifactory |
| Microsoft Cloud Security Benchmark |
|
|
Azure, AWS, GCP |
| AI security posture management | - |
|
Azure, AWS |
| Agentless VM vulnerability scanning | - |
|
Azure, AWS, GCP |
| Agentless VM secrets scanning | - |
|
Azure, AWS, GCP |
| Attack path analysis | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Risk prioritization | - |
|
Azure, AWS, GCP , Docker Hub, JFrog Artifactory |
| Risk hunting with security explorer | - |
|
Azure, AWS, GCP , Docker Hub, JFrog Artifactory |
| Code-to-cloud mapping for containers | - |
|
GitHub, Azure DevOps2 , Docker Hub, JFrog Artifactory |
| Code-to-cloud mapping for IaC | - |
|
Azure DevOps2, , Docker Hub, JFrog Artifactory |
| PR annotations | - |
|
GitHub, Azure DevOps2 |
| Internet exposure analysis | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| External attack surface management | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Permissions Management (CIEM) | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Regulatory compliance assessments | - |
|
Azure, AWS, GCP, , Docker Hub, JFrog Artifactory |
| ServiceNow Integration | - |
|
Azure, AWS, GCP |
| Critical assets protection | - |
|
Azure, AWS, GCP |
| Governance to drive remediation at-scale | - |
|
Azure, AWS, GCP , Docker Hub, JFrog Artifactory |
| Data security posture management (DSPM), Sensitive data scanning | - |
|
Azure, AWS, GCP1 |
| Agentless discovery for Kubernetes | - |
|
Azure, AWS, GCP |
| Custom Recommendations | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| Agentless code-to-cloud containers vulnerability assessment | - |
|
Azure, AWS, GCP, Docker Hub, JFrog Artifactory |
| API security posture management (Preview) | - |
|
Azure |
| Azure Kubernetes Service security dashboard (Preview) | - |
|
Azure |
1: GCP sensitive data discovery only supports Cloud Storage. 2: DevOps security capabilities, such as code-to-cloud contextualization powering security explorer, attack paths, and pull request annotations for Infrastructure-as-Code security findings, are only available when you enable the paid Defender CSPM plan. Learn more about DevOps security support and prerequisites.
Microsoft Defender for Cloud now has built-in integrations to help you use partner systems to seamlessly manage and track tickets, events, and customer interactions. You can push recommendations to a partner ticketing tool, and assign responsibility to a team for remediation.
Integration streamlines your incident response process, and improves your ability to manage security incidents. You can track, prioritize, and resolve security incidents more effectively.
You can choose which ticketing system to integrate. For preview, only ServiceNow integration is supported. For more information about how to configure ServiceNow integration, see Integrate ServiceNow with Microsoft Defender for Cloud (preview).
Review the Defender for Cloud pricing page to learn about Defender CSPM pricing.
DevOps security posture capabilities such as Pull request annotations, code to cloud mapping, attack path analysis, and cloud security explorer are only available through the paid Defender CSPM plan. The free foundational security posture management plan provides Azure DevOps recommendations. Learn more about the features provided by Azure DevOps security features.
For subscriptions that use both Defender CSPM and Defender for Containers plans, free vulnerability assessment is calculated based on free image scans provided via the Defender for Containers plan, as summarized in the Microsoft Defender for Cloud pricing page.
Defender CSPM protects all multicloud workloads, but billing is applied only on specific resources. The following tables list the billable resources when Defender CSPM is enabled on Azure subscriptions, AWS accounts, or GCP projects.
| Azure Service | Resource types | Exclusions |
|---|---|---|
| Compute | Microsoft.Compute/virtualMachines Microsoft.Compute/virtualMachineScaleSets/virtualMachines Microsoft.ClassicCompute/virtualMachines |
- Deallocated VMs - Databricks VMs |
| Storage | Microsoft.Storage/storageAccounts | Storage accounts without blob containers or file shares |
| DBs | Microsoft.Sql/servers Microsoft.DBforPostgreSQL/servers Microsoft.DBforMySQL/servers Microsoft.Sql/managedInstances Microsoft.DBforMariaDB/servers Microsoft.Synapse/workspaces |
--- |
| AWS Service | Resource types | Exclusions |
|---|---|---|
| Compute | EC2 instances | Deallocated VMs |
| Storage | S3 Buckets | --- |
| DBs | RDS instances | --- |
| GCP Service | Resource types | Exclusions |
|---|---|---|
| Compute | 1. Google Compute instances 2. Google Instance Group |
Instances with nonrunning states |
| Storage | Storage buckets | - Buckets from classes: 'nearline', 'coldline', 'archive' - Buckets from regions other than: europe-west1, us-east1, us-west1, us-central1, us-east4, asia-south1, northamerica-northeast1 |
| DBs | Cloud SQL Instances | --- |
For commercial and national cloud coverage, review the features supported in Azure cloud environments.
For multicloud support of resource types (or services) in our foundational multicloud CSPM tier, see the table of multicloud resource and service types for AWS and GCP.
Obuka
Modul
Manage your cloud security posture management - Training
Manage your cloud security posture management
Certifikacija
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Dokumentacija
Protect your resources with Defender CSPM - Microsoft Defender for Cloud
Learn how to enable Defender CSPM on your Azure subscription for Microsoft Defender for Cloud and enhance your security posture.
Security policies in Microsoft Defender for Cloud - Microsoft Defender for Cloud
Learn how to improve your cloud security posture in Microsoft Defender for Cloud with security policies, standards, and recommendations.
Learn more about the supported resource and service types for multicloud in Microsoft Defender for Cloud's Foundational CSPM.