Theory — Defender for Cloud (CSPM)
Theory — Defender for Cloud (CSPM)
Microsoft Sentinel monitors your runtime workloads — the logs, alerts, and incidents that happen when systems are running. But before you can monitor them, you need to know whether they are configured securely.
Defender for Cloud (formerly Azure Security Center) is Microsoft's cloud security posture management (CSPM) tool. It continuously assesses your Azure environment against security benchmarks and recommends improvements.
What Defender for Cloud Does
| Capability | What It Checks | Example Finding |
|---|---|---|
| Secure Score | Overall security posture | "Enable MFA for all admins" (+50 points) |
| Security recommendations | Resource-specific misconfigurations | "App Service has public network access enabled" |
| Vulnerability assessment | Known CVEs in OS and dependencies | "Ubuntu 22.04 has 3 critical CVEs" |
| Regulatory compliance | Alignment with standards (ISO 27001, NIST, CIS) | "Missing encryption at rest on Storage account" |
| Exposure Management | Attack paths that could lead to compromise | "Public VM → Key Vault → Admin access" |
SBOM Generation and Vulnerability Scanning
When you enable Defender plans (particularly Defender for Containers or Defender for DevOps), the platform automatically:
- Generates SBOMs — Software Bill of Materials — for your container images and deployed resources, listing every package and dependency
- Scans for vulnerabilities — compares your SBOMs against known CVE databases (NVD, GitHub Advisory Database, etc.)
- Reports findings to Sentinel — each vulnerability appears in the
Vulnerabilitytable with severity, resource ID, CVE details, and remediation guidance
The same applies to infrastructure-as-code: when Defender scans Terraform files or Dockerfiles, IaC misconfigurations appear as security alerts in Sentinel.
Data Flow
Defender for DevOps
Defender for DevOps specifically monitors your Azure DevOps or GitHub pipelines. It detects:
- Pipeline tampering — unauthorised modifications to pipeline definitions
- Malicious code injection — suspicious changes in PRs or commits
- Service connection abuse — new or modified service connections pointing to unknown targets
- Secret exposure — tokens, passwords, or keys committed to repositories
When Defender for DevOps is enabled, it generates findings in Sentinel that are correlated with your pipeline activity logs. This gives you a complete view: who changed the pipeline (DevOps audit log) and what vulnerabilities were introduced (Defender scanning).
#question( "Why is it important to have both the DevOps audit log AND Defender for DevOps? What unique value does each provide that the other cannot?" )
Secure Score
The Secure Score is Defender for Cloud's primary metric — a percentage (0–100%) representing how well your environment aligns with security best practices.
Each recommendation has a point value based on its severity. Implementing high-severity recommendations increases your score faster than low-severity ones.
How Secure Score Works
Key insight: Secure Score is not a static number — it changes as you add resources (which adds new recommendations) and as you implement recommendations. A good practice is to set a target score and work toward it incrementally.
Defender for Cloud vs. Sentinel: Different Jobs
| Defender for Cloud | Microsoft Sentinel | |
|---|---|---|
| Focus | Prevention (posture) | Detection (runtime) |
| Question | "Are we configured securely?" | "Is something happening that we should investigate?" |
| Output | Recommendations, secure score | Incidents, alerts, dashboards |
| When it runs | Continuously | On a schedule or when triggered |
| Example | "Storage account has public access enabled" | "Someone accessed the storage account from an unusual IP" |
Together they create defence in depth: Defender for Cloud prevents misconfigurations. Sentinel detects attacks that bypass your controls.
Key Recommendations for Day 4 Labs
When you enable monitoring in today's labs, Defender for Cloud will flag several recommendations:
- Enable diagnostic settings on all resources — without these, logs don't reach Log Analytics
- Set daily ingestion cap — prevents runaway costs
- Enable MFA for admin accounts — identity is the first line of defence
- Use private endpoints — reduces attack surface
- Encrypt data at rest — protects data even if storage is compromised
Key Takeaways
- Defender for Cloud assesses your environment's security posture against benchmarks.
- Secure Score (0–100%) tracks your progress toward a more secure configuration.
- Defender for Cloud focuses on prevention; Sentinel focuses on detection. They complement each other.
- Today's monitoring setup will generate several recommendations in Defender for Cloud — use them to improve posture, not just detect threats.