Microsoft AzureOverview
This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.
Rationale
Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment.
Microsoft Defender powers several of the preceding analytics for Cloud Apps. The subscription must have a Cloud App Security license to benefit from these analytics.
Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.
Impact
Microsoft Defender for Cloud Apps works with a Standard subscription tier. Choosing the Standard pricing tier incurs an additional cost per resource.
Default Value
With a Cloud App Security license, these alerts are enabled by default.
Additional Information
NOTE: "Microsoft Defender for Cloud Apps" ("MDCA") was formerly known as "Microsoft Cloud App Security" ("MCAS"). The "MCAS" acronym is still used within Azure in several places (e.g., Azure CLI).
Remediation guidance
From Azure Portal
- Go to
Microsoft Defender for Cloud - Select the
Environment Settingsblade - Click on the subscription name
- Select the
Integrationsblade - Check
Allow Microsoft Defender for Cloud Apps to access my data - Select
Save
Using Azure Command Line Interface
Ensure the output of the command below is True
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscription ID>/providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 -d@"input.json"'
Where input.json contains the Request body json data as mentioned below.
{
"id":
"/subscriptions/<subscription ID>/providers/Microsoft.Security/settings/MCAS",
"kind": "DataExportSetting",
"type": "Microsoft.Security/settings",
"properties": {
"enabled": true
}
}
References
- https://learn.microsoft.com/en-in/azure/security-center/security-center-alerts-service-layer#azure-management-layer-azure-resource-manager-preview
- https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/list
- https://learn.microsoft.com/en-us/rest/api/securitycenter/settings/update
- https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-9-secure-user-access-to--existing-applications
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Azure
Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Azure subscriptions with MCAS disabled
Connectors
Covered asset types
Expected check: eq []
{
connectors(
where: { dataExportSettings_SOME: { name: "MCAS", enabled: false } }
) {
...AssetFragment
}
}
