Ensure that Azure Defender is set to On for Servers

ID

azure_defender_on_servers

Severity

low

Vendor

Azure

Resource

Azure Defender

Tags

reachable

Description

Azure Security Center Defender should be enabled for servers.

Microsoft Defender is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources.

While some Basic security features are enabled for free on all your Azure subscriptions, some other enhanced security features require a subscription.

See Microsoft Defender for Cloud’s basic and enhanced security features to know more about paid security features.

This detector checks that Microsoft.Security/pricings associates with Servers are not set to the Free tier.

Examples

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2018-06-01",
    "name": "VirtualMachines",
    "properties": {
      "pricingTier": "Free" (1)
    }
  }]
}
1 Free tier for Defender on servers (VMs)

Terraform

resource "azurerm_security_center_subscription_pricing" "free_servers" {
  tier          = "Free" (1)
  resource_type = "VirtualMachines"
}
1 Free tier for Defender on servers (VMs)

Mitigation / Fix

Buildtime

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2018-06-01",
    "name": "VirtualMachines",
    "properties": {
      "pricingTier": "Standard"
    }
  }]
}

Terraform

resource "azurerm_security_center_subscription_pricing" "standard_servers" {
  tier          = "Standard" (1)
  resource_type = "VirtualMachines"
}
1 Fixed, paid extra features are required