The ten most important features / terms of Microsoft Defender for Cloud on Azure

In this article I would like to share with you the ten most important terms, based on my experience so far, of the Microsoft Defender for Cloud service. On Microsoft Defender, there are multiple overviews of security issues and navigating can be daunting. To make the introduction easier to grasp, I use the following screenshot to highlight the features in the UI and then explain each one in no more than three sentences. Let’s begin.

1. The Foundational CSPM and Defender CSPM modes

The Foundational Cloud Security Posture Management (CSPM) is the default mode and is free. Simply select the Microsoft Defender for Cloud resource, import one of your subscriptions, allow the service a few days days to gather security information, and start fixing issues. In addition, you can upgrade for the Defender CSPM, which provides extra functionality, such as Attack Path Analysis or Permissions Management Capability.

2. Recommendations

This section lists all security recommendations for your resources, proactively assessed by Azure to help you identify and remediate vulnerabilities. Each recommendation contains a title, a detailed description about the security issue and Governance rules that specify who is responsible for resolving it and the due date. You can either manually resolve the issue using the provided steps or you can also use a Workflow automation where you define a Logic App or an Azure Function triggered every time a new recommendation of a specific type is generated.

3. Security alerts

Here you’ll find a list of security alerts for affected resources, ordered by severity: High, Medium, or Low. My favorite column is the MITRE ATT&CK, which maps alerts to tactics, techniques, and procedures that are easier to understand. As with Recommendations, you can take manual action or trigger an automated response via a Logic App.

4. Inventory

This overview lists all resources in your subscription along with their vulnerabilities. It is my personal favorite because it allows me to focus on one resource at a time and resolve its security issues.

5. Cloud Security Explorer

A query builder that lets you create custom queries to obtain detailed information about security issues. If you prefer not to build a query from scratch, you can use one of the many existing templates.

6. Workbooks

A workbook is a dashboard for gathering and visualizing logged information. The collected data is exported to the Log Analytics Workspace (LAW). You can create a new workbook or use a template, wait at least a week for data to accumulate, and then begin your analysis. My favorite workbook is the Cost Estimation template, which provides consolidated price estimates for Microsoft Defender for Cloud.

7. Security posture

This section lists your Azure subscriptions with their Secure Score and the number of Unhealthy Resources for each. You can click on a specific environment to jump directly to the relevant Recommendations.

8. Regulatory compliance

A visualization of recommendations for your resources, organized by best practices, benchmarks, and standards—for example, the Microsoft Cloud Security Benchmark. You can activate additional compliance rules for your resources, which Microsoft updates regularly to reflect the latest standards.

9. Workload protections

A visualization of security alerts grouped by resource categories such as Containers, Servers, Storage, or App Services. Each category is monitored based on default or custom rules.

10. Environment Settings

This section lists your registered environments. Select one, and under Security Policies you can change the CSPM plan, add additional standards, or activate Workload Protection. You can also enable Email Notifications, define where logs are exported (to Log Analytics Workspace or Event Hub), and choose between Streaming Updates or Snapshots. Finally, you can manage the Workflow Automation settings introduced in the Recommendations section.

Conclusion

Microsoft Defender for Cloud provides a comprehensive set of tools and features to secure your Azure resources effectively. The free features offer a solid starting point for identifying and resolving vulnerabilities, while the paid features, such as Attack Path Analysis and Permissions Management Capability, add significant value by providing deeper insights and enhanced control over your security environment.