### SQL Managed Instance Scan Example Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-unified-api-quickstart Example of how to run the SQL Vulnerability Assessment scan script for a SQL Managed Instance. ```PowerShell .\Quickstart-VaScan.ps1 -ServerResourceId "/subscriptions//resourceGroups//providers/Microsoft.Sql/managedInstances/" ``` -------------------------------- ### Install Nginx Ingress Controller Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/how-to-test-attack-path-and-security-explorer-with-vulnerable-container-image Installs the Nginx Ingress Controller using Helm. This is necessary for exposing services to the internet. ```Azure CLI helm install ingress-controller oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.0.1 ``` -------------------------------- ### Microsoft.Security/securityStatuses Data Structure Example Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive Illustrates the data structure of the removed Microsoft.Security/securityStatuses table, showing aggregated policy assessments. ```json { id: "/subscriptions/449bcidd-3470-4804-ab56-2752595 felab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/securityStatuses/mico-rg-vnet", name: "mico-rg-vnet", type: "Microsoft.Security/securityStatuses", properties: { policyAssessments: [ {assessmentKey: "e3deicce-f4dd-3b34-e496-8b5381bazd7e", category: "Networking", policyName: "Azure DDOS Protection should be enabled",...}, {assessmentKey: "sefac66a-1ec5-b063-a824-eb28671dc527", category: "Compute", policyName: "",...} ], securitystateByCategory: [{category: "Networking", securityState: "None" }, {category: "Compute",...], name: "GenericResourceHealthProperties", type: "VirtualNetwork", securitystate: "High" } } ``` -------------------------------- ### Microsoft.Security/Assessments Data Structure Example Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive Shows the data structure for the Microsoft.Security/Assessments table, where each record represents a single policy assessment. ```json { type: "Microsoft.Security/assessments", id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft. Network/virtualNetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/e3delcce-f4dd-3b34-e496-8b5381ba2d70", name: "e3deicce-f4dd-3b34-e496-8b5381ba2d70", properties: { resourceDetails: {Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourceGroups/mico-rg/providers/Microsoft.Network/virtualNetworks/mico-rg-vnet"...}, displayName: "Azure DDOS Protection should be enabled", status: (code: "NotApplicable", cause: "VnetHasNOAppGateways", description: "There are no Application Gateway resources attached to this Virtual Network"...} } { type: "Microsoft.Security/assessments", id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet/providers/Microsoft.Security/assessments/80fac66a-1ec5-be63-a824-eb28671dc527", name: "8efac66a-1ec5-be63-a824-eb28671dc527", properties: { resourceDetails: (Source: "Azure", Id: "/subscriptions/449bc1dd-3470-4804-ab56-2752595f01ab/resourcegroups/mico-rg/providers/microsoft.network/virtualnetworks/mico-rg-vnet"...), displayName: "Audit diagnostic setting", status: {code: "Unhealthy"} } } ``` -------------------------------- ### Update API Filter for Defender for Cloud Name Consolidation Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes-archive Organizations retrieving cost data via APIs need to update filter values to reflect the new consolidated Service Level 2 name for Defender for Cloud. This example shows the old filter values that will no longer return information. ```json "filter": { "dimensions": { "name": "MeterCategory", "operator": "In", "values": [ "Advanced Threat Protection", "Advanced Data Security", "Azure Defender", "Security Center" ] } } ``` -------------------------------- ### Add Assets from Onboarded Environments Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/cost-calculator Recommended for Azure environments. Select an onboarded environment and then choose the Defender for Cloud plans to estimate costs based on your selections and existing discounts. ```text In **Azure environments** , select the onboarded environment that you want to include in the cost calculation. Note The calculator discovers resources for which you have permissions. 2. Choose the plans. The calculator estimates the cost based on your selections and any existing discounts. ``` -------------------------------- ### Scan Status and Results Response Example Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/on-demand-malware-scanning An example JSON response detailing the status, start time, and summary of a malware scan, including scanned blobs/files and estimated cost. ```JSON { "scanId": "abcd1234-5678-90ab-cdef-1234567890ab", "scanStatus": "InProgress", "scanStartTime": "2024-10-03T12:34:56Z", "scanSummary": { "blobs": { "totalBlobsScanned": 150, "maliciousBlobsCount": 2, "skippedBlobsCount": 0, "scannedBlobsInGB": 10.5 }, "files": { "totalFilesScanned": 205, "maliciousFilesCount": 1, "skippedFilesCount": 0, "failedFilesCount": 0, "scannedFilesInGB": 9.76 }, "estimatedScanCostUSD": 3.2 } } ``` -------------------------------- ### Onboard APIs to Defender for APIs at Scale Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-apis Use these sample PowerShell and CLI scripts to automate the onboarding of individual APIs within Azure API Management instances at scale. These scripts support onboarding at the APIM service, subscription, and tenant levels. ```powershell # PowerShell script to onboard APIs to Defender for APIs # This is a sample script and may require modifications based on your environment. # Connect to Azure Connect-AzAccount # Set your subscription context # Set-AzContext -Subscription "YourSubscriptionId" # Define your API Management service details $apimServiceName = "YourApimServiceName" $resourceGroupName = "YourResourceGroupName" # Get all APIs in the APIM service $apis = Get-AzApiManagementApi -ApiManagementServiceName $apimServiceName -ResourceGroupName $resourceGroupName # Onboard each API to Defender for APIs foreach ($api in $apis) { try { # This is a placeholder for the actual onboarding command. # The actual command might involve setting a specific property or calling a specific API. # Example: Enable-AzDefenderForApis -ApiId $api.Id Write-Host "Attempting to onboard API: $($api.Name)" # Replace with the actual command to onboard the API # Example: Invoke-AzResourceAction -ResourceId $api.Id -Action "Microsoft.Security/apiCollections/onboard" -Force Write-Host "Successfully onboarded API: $($api.Name)" -ForegroundColor Green } catch { Write-Host "Failed to onboard API: $($api.Name) - Error: $($_.Exception.Message)" -ForegroundColor Red } } ``` -------------------------------- ### Logz.io Integration with Azure Event Hubs Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem Information on getting started with monitoring and logging using Logz.io for Java applications running on Azure. ```text For more information, see Getting started with monitoring and logging using Logz.io for Java apps running on Azure ``` -------------------------------- ### Install Az Modules Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/ai-onboarding Installs the necessary Az PowerShell modules for connecting to Azure. Run this command if you don't have the Az modules installed. ```PowerShell Install-Module -Name Az -AllowClobber Import-Module Az.Accounts ``` -------------------------------- ### Onboard APIs to Defender for APIs at Scale Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-apis Use these sample PowerShell and CLI scripts to automate the onboarding of individual APIs within Azure API Management instances at scale. These scripts support onboarding at the APIM service, subscription, and tenant levels. ```bash # CLI script to onboard APIs to Defender for APIs # This is a sample script and may require modifications based on your environment. # Log in to Azure # az login # Set your subscription context # az account set --subscription "YourSubscriptionId" # Define your API Management service details APIM_SERVICE_NAME="YourApimServiceName" RESOURCE_GROUP_NAME="YourResourceGroupName" # Get a list of all APIs in the APIM service APIS=$(az apim api list --service-name $APIM_SERVICE_NAME --resource-group $RESOURCE_GROUP_NAME --query "[].name" -o tsv) # Onboard each API to Defender for APIs for API_NAME in $APIS; do echo "Attempting to onboard API: $API_NAME" # This is a placeholder for the actual onboarding command. # The actual command might involve setting a specific property or calling a specific API. # Example: az security defender-for-apis onboard --api-id "/subscriptions/.../apis/$API_NAME" # Replace with the actual command to onboard the API # Example: az rest --method post --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.ApiManagement/service/$APIM_SERVICE_NAME/apis/$API_NAME/providers/Microsoft.Security/apiCollections/default/onboard?api-version=2023-01-01" --body '{}' if [ $? -eq 0 ]; then echo "Successfully onboarded API: $API_NAME" else echo "Failed to onboard API: $API_NAME" fi done ``` -------------------------------- ### Install Az.Security Module Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-onboarding Installs the necessary PowerShell module for interacting with Microsoft Defender for Cloud. The -Force flag ensures it's installed even if already present. ```PowerShell Install-Module -Name Az.Security -Force ``` -------------------------------- ### Run Express Configuration Migration Script Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/powershell-sample-vulnerability-assessment-azure-sql This example shows how to execute the PowerShell script for migrating to express configuration. Ensure you replace placeholder values with your actual Azure resource details. ```powershell Write-Host "----------- Migrating To express configuration example -----------" $ServerName = "" # The server name. $SubscriptionId = "" # The subscription id that the servers belong to. $ResourceGroupName = "" # The resource group name that the servers belong to. .\MigratingToExpressConfiguration.ps1 -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -ServerName $ServerName ``` -------------------------------- ### Example Azure Resource Manager (ARM) Template Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/iac-vulnerabilities This is an example of an Azure Resource Manager template for deploying a basic Linux web application. It defines parameters, variables, and resources for an App Service plan and a web app. ```json { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "webAppName": { "type": "string", "defaultValue": "AzureLinuxApp", "metadata": { "description": "The base name of the resource, such as the web app name or the App Service plan." }, "minLength": 2 }, "sku": { "type": "string", "defaultValue": "S1", "metadata": { "description": "The SKU of the App Service plan." } }, "linuxFxVersion": { "type": "string", "defaultValue": "php|7.4", "metadata": { "description": "The runtime stack of the current web app." } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "The location for all resources." } } }, "variables": { "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]", "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]" }, "resources": [ { "type": "Microsoft.Web/serverfarms", "apiVersion": "2020-06-01", "name": "[variables('appServicePlanName')]", "location": "[parameters('location')]", "sku": { "name": "[parameters('sku')]" }, "kind": "linux", "properties": { "reserved": true } }, { "type": "Microsoft.Web/sites", "apiVersion": "2020-06-01", "name": "[variables('webAppPortalName')]", "location": "[parameters('location')]", "kind": "app", "dependsOn": [ "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]" ], "properties": { "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]", "siteConfig": { "linuxFxVersion": "[parameters('linuxFxVersion')]" } } } ] } ``` -------------------------------- ### Export Alert Details Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/privacy This GET HTTP request allows you to export alert details. Refer to 'Get Security Alerts (GET Collection)' for more information. The Account Administrator role is required. ```HTTP GET https:///subscriptions/{subscriptionId}/providers/microsoft.Security/alerts?api-version={api-version} ``` -------------------------------- ### Verify Defender CLI Installation Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-cli-install After installation and configuration, verify that the Defender CLI is installed and accessible in your system's PATH by checking its version. A successful output shows the current version number. ```Bash defender --version ``` -------------------------------- ### Install Defender for SQL Extension Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/troubleshoot-sql-machines-guide Manually install the Defender for SQL extension on a virtual machine hosting a SQL Server instance. Ensure the extension publisher and type are correct and that the version is 2.X or above. ```powershell Set-AzVMExtension -Publisher 'Microsoft.Azure.AzureDefenderForSQL' -ExtensionType  'AdvancedThreatProtection.Windows' -ResourceGroupName 'resourceGroupeName' -VMName -Name 'Microsoft.Azure.AzureDefenderForSQL.AdvancedThreatProtection.Windows' -TypeHandlerVersion '2.0' -Location 'vmLocation' -EnableAutomaticUpgrade $true ``` -------------------------------- ### Setup Batch Baselines on Master Database (ARM Template) Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-vulnerability-findings-express Configure batch baselines for the master database based on the latest vulnerability assessment scan results. This is useful for server-wide baseline configurations. ```json { "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines", "apiVersion": "2022-02-01-preview", "name": "[concat(parameters('serverName'),'/master/default/default')]", "properties": { "latestScan": true } } ```