compliance controls are associated with this Policy definition 'Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers' (d38668f5-d155-42c7-ab3d-9b57b50f8fbf)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| Azure_Security_Benchmark_v3.0 |
IR-3 |
Azure_Security_Benchmark_v3.0_IR-3 |
Microsoft cloud security benchmark IR-3 |
Incident Response |
Detection and analysis - create incidents based on high-quality alerts |
Shared |
**Security Principle:**
Ensure you have a process to create high-quality alerts and measure the quality of alerts. This allows you to learn lessons from past incidents and prioritize alerts for analysts, so they don't waste time on false positives.
High-quality alerts can be built based on experience from past incidents, validated community sources, and tools designed to generate and clean up alerts by fusing and correlating diverse signal sources.
**Azure Guidance:**
Microsoft Defender for Cloud provides high-quality alerts across many Azure assets. You can use the Microsoft Defender for Cloud data connector to stream the alerts to Azure Sentinel. Azure Sentinel lets you create advanced alert rules to generate incidents automatically for an investigation.
Export your Microsoft Defender for Cloud alerts and recommendations using the export feature to help identify risks to Azure resources. Export alerts and recommendations either manually or in an ongoing, continuous fashion.
**Implementation and additional context:**
How to configure export:
https://docs.microsoft.com/azure/security-center/continuous-export
How to stream alerts into Azure Sentinel:
https://docs.microsoft.com/azure/sentinel/connect-azure-security-center |
n/a |
link |
17 |
| Azure_Security_Benchmark_v3.0 |
IR-5 |
Azure_Security_Benchmark_v3.0_IR-5 |
AMicrosoft cloud security benchmark IR-5 |
Incident Response |
Detection and analysis - prioritize incidents |
Shared |
**Security Principle:**
Provide context to security operations teams to help them determine which incidents ought to first be focused on, based on alert severity and asset sensitivity defined in your organization’s incident response plan.
**Azure Guidance:**
Microsoft Defender for Cloud assigns a severity to each alert to help you prioritize which alerts should be investigated first. The severity is based on how confident Microsoft Defender for Cloud is in the finding or the analytics used to issue the alert, as well as the confidence level that there was malicious intent behind the activity that led to the alert.
Additionally, mark resources using tags and create a naming system to identify and categorize Azure resources, especially those processing sensitive data. It is your responsibility to prioritize the remediation of alerts based on the criticality of the Azure resources and environment where the incident occurred.
**Implementation and additional context:**
Security alerts in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/security-center-alerts-overview
Use tags to organize your Azure resources:
https://docs.microsoft.com/azure/azure-resource-manager/resource-group-using-tags |
n/a |
link |
17 |
| Azure_Security_Benchmark_v3.0 |
LT-1 |
Azure_Security_Benchmark_v3.0_LT-1 |
Microsoft cloud security benchmark LT-1 |
Logging and Threat Detection |
Enable threat detection capabilities |
Shared |
**Security Principle:**
To support threat detection scenarios, monitor all known resource types for known and expected threats and anomalies. Configure your alert filtering and analytics rules to extract high-quality alerts from log data, agents, or other data sources to reduce false positives.
**Azure Guidance:**
Use the threat detection capability of Azure Defender services in Microsoft Defender for Cloud for the respective Azure services.
For threat detection not included in Azure Defender services, refer to the Azure Security Benchmark service baselines for the respective services to enable the threat detection or security alert capabilities within the service. Extract the alerts to your Azure Monitor or Azure Sentinel to build analytics rules, which hunt threats that match specific criteria across your environment.
For Operational Technology (OT) environments that include computers that control or monitor Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) resources, use Defender for IoT to inventory assets and detect threats and vulnerabilities.
For services that do not have a native threat detection capability, consider collecting the data plane logs and analyze the threats through Azure Sentinel.
**Implementation and additional context:**
Introduction to Azure Defender:
https://docs.microsoft.com/azure/security-center/azure-defender
Microsoft Defender for Cloud security alerts reference guide:
https://docs.microsoft.com/azure/security-center/alerts-reference
Create custom analytics rules to detect threats:
https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom
Cyber threat intelligence with Azure Sentinel:
https://docs.microsoft.com/azure/architecture/example-scenario/data/sentinel-threat-intelligence |
n/a |
link |
20 |
| Azure_Security_Benchmark_v3.0 |
LT-2 |
Azure_Security_Benchmark_v3.0_LT-2 |
Microsoft cloud security benchmark LT-2 |
Logging and Threat Detection |
Enable threat detection for identity and access management |
Shared |
**Security Principle:**
Detect threats for identities and access management by monitoring the user and application sign-in and access anomalies. Behavioral patterns such as excessive number of failed login attempts, and deprecated accounts in the subscription, should be alerted.
**Azure Guidance:**
Microsoft Entra ID provides the following logs that can be viewed in Microsoft Entra reporting or integrated with Azure Monitor, Azure Sentinel or other SIEM/monitoring tools for more sophisticated monitoring and analytics use cases:
- Sign-ins: The sign-ins report provides information about the usage of managed applications and user sign-in activities.
- Audit logs: Provides traceability through logs for all changes done by various features within Microsoft Entra ID. Examples of audit logs include changes made to any resources within Microsoft Entra ID like adding or removing users, apps, groups, roles and policies.
- Risky sign-ins: A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.
- Users flagged for risk: A risky user is an indicator for a user account that might have been compromised.
Microsoft Entra ID also provides an Identity Protection module to detect, and remediate risks related to user accounts and sign-in behaviors. Examples risks include leaked credentials, sign-in from anonymous or malware linked IP addresses, password spray. The policies in the Microsoft Entra Identity Protection allow you to enforce risk-based MFA authentication in conjunction with Azure Conditional Access on user accounts.
In addition, Microsoft Defender for Cloud can be configured to alert on deprecated accounts in the subscription and suspicious activities such as an excessive number of failed authentication attempts. In addition to the basic security hygiene monitoring, Microsoft Defender for Cloud's Threat Protection module can also collect more in-depth security alerts from individual Azure compute resources (such as virtual machines, containers, app service), data resources (such as SQL DB and storage), and Azure service layers. This capability allows you to see account anomalies inside the individual resources.
Note: If you are connecting your on-premises Active Directory for synchronization, use the Microsoft Defender for Identity solution to consume your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
**Implementation and additional context:**
Audit activity reports in Microsoft Entra ID:
https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs
Enable Azure Identity Protection:
https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection
Threat protection in Microsoft Defender for Cloud:
https://docs.microsoft.com/azure/security-center/threat-protection |
n/a |
link |
19 |