Repository: https://github.com/epomatti/azure-defender-for-cloud
Description: Experimental infrastructure and concepts for Azure Defender for Cloud
Language: HCL (Terraform). License: MIT. Last push: 2024-02-16
Topics: antimalware, antimalware-extention, azure, azure-security, defender, defender-for-cloud, defender-for-endpoint, security-posture, terraform

# Azure Defender for Cloud

Set of resources and configuration to apply Defender capabilities.

Create the baseline infrastructure:

```sh
cp config/sample.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve
```

Make sure Defender is enabled.

> TODO: Document Log Analytics stuff

## Environment Settings

Add the desired subscriptions to the Defender scope.

### Cloud Security Posture Management (CSPM)

Enable [Defender CSPM][3] to make all features available.

### Cloud Workload Protection (CWP)

Enable the protection for:

- Servers
- Databases
- Key Vault

Or others to track even more resource types.

## Just-in-Time (JIT)

JIT is implemented in my dedicated repository: https://github.com/epomatti/az-vm-jit

## Server protection

Defender will use Microsoft Defender for Endpoint (MDE) for EDR, as well as [agentless][2] scanning based on the OS disk.

The AMA is [not required][1] for Defender but it is installed anyway in this VM.

### Billing

Check the differences between the [plans][7].

Servers that are deallocated, deallocating or starting are [not billed][8].

When you enable Defender for Servers you're charged for **_all_** connected machines, based on their power state. Connected AWS machines are charged as well.

## Interactive guides

Outlining Defender capabilities:

- Attack path analysis
- Hunting
- Posture
- Security governance (rules) - a weekly email is sent to owners with the recommendations they're assigned to.
- Multi-cloud
- Visibility of vulnerabilities with agentless scanning
- Protect workloads with alert correlation
- Malware Scanning
- Container threat detection and policy enforcement
- Protect your APIs

## Roles

There are two specific built-in roles for Defender for Cloud:

- Security Administrator
- Security Reader

## Data collection for Servers

From the [docs][4]:

- Azure Monitor Agent (AMA)
- Microsoft Defender for Endpoint (MDE)
- Log Analytics agent
- Azure Policy Add-on for Kubernetes

How to [activate the agents][5].

## SQL

### Alerts

Check the [Alerts for SQL Database and Azure Synapse Analytics][6] to identify threats for SQL.

For example, **SQL Injection** may raise alerts of two kinds:

- Vulnerability: a faulty SQL statement or missing input sanitization was detected.
- Potential exploit: an active exploit has occurred against an application identified as vulnerable to SQL injection.

## Workflow automation

Use Workflow automation to react when state changes in Defender.

Trigger conditions:

- Security alert
- Recommendation
- Regulatory compliance standards

A Logic App will be created so that it can be selected via the Portal.

## External Attack Surface Management (Defender EASM)

To create an EASM workspace, use the Portal.

## Anti-malware

Enable the anti-malware extension for the **vm-antimalware** resource, which is called `Microsoft Antimalware` in the gallery (with type `Microsoft.Azure.Security.IaaSAntimalware`).

Example running a Full Scan scheduled every Sunday at 2 AM.

<img src=".assets/azure-antimalware.png" width=700 />

## VM Vulnerability Scan (Qualys)

TODO: Need to implement this

## AWS

To integrate with AWS:

```sh
cd aws

cp config/template.tfvars .auto.tfvars

terraform init
terraform apply -auto-approve
```

Create the resource group for the AWS integration:

```sh
az group create -l eastus2 -n rg-aws
```

Connect to Defender for Cloud and create an Amazon Web Services environment.

Current plans supported:

### Cloud Security Posture Management (CSPM)

- Foundational CSPM
- Defender CSPM
  - Agentless scanning (EC2 installed software and vulnerabilities)
  - Sensitive data discovery
  - And more

### Cloud Workload Protection

- Servers (Plan 2)
- Databases
- Containers (EKS, ECR)

<img src=".assets/defender-aws.png" />

<img src=".assets/defender-aws-cwp-servers-plan2.png" />

[1]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/auto-deploy-azure-monitoring-agent
[2]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-agentless-data-collection
[3]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/concept-cloud-security-posture-management
[4]: https://learn.microsoft.com/en-us/training/modules/configure-integrate-analytics-agent-defender-cloud/2-set-security-event-option-workspace-level
[5]: https://microsoftlearning.github.io/Secure-Azure-services-and-workloads-with-Microsoft-Defender-for-Cloud-regulatory-compliance-controls/Instructions/Labs/LAB_04_Configure%20and%20integrate%20a%20Log%20Analytics%20agent%20and%20workspace%20in%20Defender%20for%20Cloud.html
[6]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-sql-db-and-warehouse
[7]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan
[8]: https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-servers#what-servers-do-i-pay-for-in-a-subscription-
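## Added example: enabling the Defender plans and the Security Reader role with Terraform

The Environment Settings section above says to enable Defender CSPM plus the Servers, Databases and Key Vault workload plans, and the Roles section names the two Defender-specific roles. The block below is an added example written for this page; it is not code from the repository's own `.tf` files. It uses the `azurerm` provider's `azurerm_security_center_subscription_pricing` resource (one instance per plan, keyed by the provider's `resource_type` names) and assigns Security Reader at subscription scope. The set of plans in `local.defender_plans`, the choice of Servers Plan 2, and the `soc_group_object_id` variable are assumptions for illustration.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80"
    }
  }
}

# Assumption: the target subscription comes from ARM_SUBSCRIPTION_ID or the
# current `az login` context; nothing is hard-coded here.
provider "azurerm" {
  features {}
}

variable "soc_group_object_id" {
  type        = string
  description = "Object ID of the Entra ID group that should get read-only Defender access (assumed to exist)."
}

data "azurerm_subscription" "current" {}

locals {
  # Plans to turn on for this subscription (assumed set; edit to taste).
  # Keys are the provider's resource_type values; "Standard" = on, "Free" = off.
  defender_plans = {
    CloudPosture                  = "Standard" # Defender CSPM
    VirtualMachines               = "Standard" # Defender for Servers (subplan below)
    SqlServers                    = "Standard" # Azure SQL Database / Synapse
    SqlServerVirtualMachines      = "Standard" # SQL Server running on VMs
    OpenSourceRelationalDatabases = "Standard" # PostgreSQL / MySQL / MariaDB
    CosmosDbs                     = "Standard"
    KeyVaults                     = "Standard"
  }
}

# One pricing resource per plan. Pricing is subscription-wide, so applying
# this in a subscription with many VMs changes the bill immediately.
resource "azurerm_security_center_subscription_pricing" "plan" {
  for_each = local.defender_plans

  resource_type = each.key
  tier          = each.value

  # Only Defender for Servers takes a subplan ("P1" or "P2"); null leaves it unset.
  subplan = each.key == "VirtualMachines" ? "P2" : null
}

# Least privilege for analysts: Security Reader can view alerts,
# recommendations and secure score but cannot change plans or policies.
resource "azurerm_role_assignment" "soc_security_reader" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Security Reader"
  principal_id         = var.soc_group_object_id
}
```

Run `terraform plan` first and read the pricing changes before applying; turning a plan off later is a `tier = "Free"` change on the same resource, which keeps the state clean instead of deleting it.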
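## Added example: Microsoft Antimalware extension with a weekly full scan

The Anti-malware section above installs the `Microsoft Antimalware` extension (type `Microsoft.Azure.Security.IaaSAntimalware`) on **vm-antimalware** with a full scan every Sunday at 2 AM, configured through the Portal. This block is an added Terraform example for the same configuration and is not part of the repository. It assumes the VM already exists (looked up by name through the `azurerm_virtual_machine` data source) and that `resource_group_name` is supplied as a variable. The `settings` values follow the extension's public settings schema as documented by Microsoft (`day` 1 = Sunday, 0 = every day; `time` in minutes after midnight, in 60-minute steps; `scanType` `Full` or `Quick`); verify them against the current extension documentation before relying on them.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80"
    }
  }
}

provider "azurerm" {
  features {}
}

variable "resource_group_name" {
  type        = string
  description = "Resource group that holds the vm-antimalware VM (assumed to exist)."
}

# The Windows VM the README calls vm-antimalware; the extension is Windows-only.
data "azurerm_virtual_machine" "vm_antimalware" {
  name                = "vm-antimalware"
  resource_group_name = var.resource_group_name
}

locals {
  # Public settings for the Microsoft Antimalware extension.
  antimalware_settings = {
    AntimalwareEnabled        = true
    RealtimeProtectionEnabled = true
    ScheduledScanSettings = {
      isEnabled = true
      day       = "1"    # 1 = Sunday (0 would mean every day)
      time      = "120"  # minutes after midnight: 120 = 02:00
      scanType  = "Full" # "Full" as in the README, or "Quick"
    }
    Exclusions = {
      Extensions = "" # keep exclusions empty unless a workload really needs them;
      Paths      = "" # every excluded path is a blind spot for the scanner
      Processes  = ""
    }
  }
}

resource "azurerm_virtual_machine_extension" "antimalware" {
  name                       = "IaaSAntimalware"
  virtual_machine_id         = data.azurerm_virtual_machine.vm_antimalware.id
  publisher                  = "Microsoft.Azure.Security"
  type                       = "IaaSAntimalware"
  type_handler_version       = "1.3"
  auto_upgrade_minor_version = true

  # Settings are sent as JSON; jsonencode keeps the HCL map readable.
  settings = jsonencode(local.antimalware_settings)
}
```

Exclusions are the first thing an attacker looks for on a host, so keep them empty here and document any that a workload forces on you. After apply, confirm the schedule on the VM with `Get-MpPreference` (look at `ScanScheduleDay`, `ScanScheduleTime` and `ScanParameters`) rather than trusting the extension status alone.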
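## Added example: Workflow automation that forwards high-severity alerts to a Logic App

The Workflow automation section above lists the three trigger kinds (security alert, recommendation, regulatory compliance) and notes that a Logic App is created so it can be selected in the Portal. This is an added Terraform example of the same wiring, not code from the repository: it creates a Logic App with an HTTP request trigger and an `azurerm_security_center_automation` that fires it for every alert whose severity is `High`. The resource group name `rg-defender-automation`, the region `eastus2`, the Logic App name and the severity filter are assumptions; the alert payload schema is deliberately minimal.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.80"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "automation" {
  name     = "rg-defender-automation" # assumed name
  location = "eastus2"                # assumed region
}

# The Logic App that receives the alert. Its actions (ticket, chat message,
# isolation runbook) are left to the reader; only the trigger is defined here.
resource "azurerm_logic_app_workflow" "alert_handler" {
  name                = "logic-defender-alerts"
  location            = azurerm_resource_group.automation.location
  resource_group_name = azurerm_resource_group.automation.name
}

resource "azurerm_logic_app_trigger_http_request" "alert" {
  name         = "When_a_Defender_alert_arrives"
  logic_app_id = azurerm_logic_app_workflow.alert_handler.id

  # Minimal JSON schema; the real Defender alert payload carries many more fields.
  schema = jsonencode({
    type = "object"
    properties = {
      properties = { type = "object" }
    }
  })
}

# The workflow automation itself: scope = this subscription, source = alerts,
# filtered server-side so the Logic App only runs for High severity.
resource "azurerm_security_center_automation" "high_severity_alerts" {
  name                = "wa-high-severity-alerts"
  location            = azurerm_resource_group.automation.location
  resource_group_name = azurerm_resource_group.automation.name
  enabled             = true

  scopes = [data.azurerm_subscription.current.id]

  action {
    type        = "LogicApp"
    resource_id = azurerm_logic_app_workflow.alert_handler.id
    # callback_url embeds a SAS-style signature: treat the state file as a secret.
    trigger_url = azurerm_logic_app_trigger_http_request.alert.callback_url
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }
}
```

Add a second `source` block with `event_source = "Assessments"` to react to recommendations, and another with `event_source = "RegulatoryComplianceAssessment"` for compliance changes; the `callback_url` is a secret in practice, so store the Terraform state in a locked-down backend rather than on a workstation.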