Infrastructure integrations

Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Zero Trust infrastructure solutions assess, monitor, and prevent security threats to these services.

Zero Trust infrastructure solutions support the principles of Zero Trust by ensuring that access to infrastructure resources is verified explicitly, access is granted using principles of least privilege access, and mechanisms are in place that assume breach and look for and remediate security threats in infrastructure.

This guidance is for software providers and technology partners who want to enhance their infrastructure security solutions by integrating with Microsoft products.

Zero Trust integration for Infrastructure guide

This integration guide includes strategy and instructions for integrating with Microsoft Defender for Cloud and its integrated cloud workload protection plans, Microsoft Defender for ... (Servers, Containers, Databases, Storage, App Services, and more).

The guidance includes integrations with the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), Endpoint Detection and Response (EDR), and IT Service Management (ITSM) solutions.

Zero Trust and Defender for Cloud

Our Zero Trust infrastructure deployment guidance provides key stages of the Zero Trust strategy for infrastructure. These are:

  1. Assess compliance with chosen standards and policies
  2. Harden configuration wherever gaps are found
  3. Employ other hardening tools such as just-in-time (JIT) VM access
  4. Set up threat detection and protections
  5. Automatically block and flag risky behavior and take protective actions

There's a clear mapping from the goals we've described in the infrastructure deployment guidance to the core aspects of Defender for Cloud.

Zero Trust goal: Assess compliance
Defender for Cloud feature: In Defender for Cloud, every subscription automatically has the Microsoft cloud security benchmark (MCSB) assigned as the default security initiative. Using the secure score tools and the regulatory compliance dashboard, you can get a deep understanding of your customer's security posture.

Zero Trust goal: Harden configuration
Defender for Cloud feature: Assigning security initiatives to subscriptions, and reviewing the secure score, leads you to the hardening recommendations built into Defender for Cloud. Defender for Cloud periodically analyzes the compliance status of resources to identify potential security misconfigurations and weaknesses. It then provides recommendations on how to remediate those issues.

Zero Trust goal: Employ hardening mechanisms
Defender for Cloud feature: As well as one-time fixes to security misconfigurations, Defender for Cloud includes features to further harden your resources, such as:
  • Just-in-time (JIT) virtual machine (VM) access
  • Adaptive network hardening
  • Adaptive application controls

Zero Trust goal: Set up threat detection
Defender for Cloud feature: Defender for Cloud offers integrated cloud workload protection plans for threat detection and response. The plans provide advanced, intelligent protection of Azure, hybrid, and multicloud resources and workloads. One of the Microsoft Defender plans, Defender for servers, includes a native integration with Microsoft Defender for Endpoint. Learn more in Introduction to Microsoft Defender for Cloud.

Zero Trust goal: Automatically block suspicious behavior
Defender for Cloud feature: Many of the hardening recommendations in Defender for Cloud offer a deny option. This feature lets you prevent the creation of resources that don't satisfy defined hardening criteria. Learn more in Prevent misconfigurations with Enforce/Deny recommendations.

Zero Trust goal: Automatically flag suspicious behavior
Defender for Cloud feature: Microsoft Defender for Cloud's security alerts are triggered by advanced detections. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Defender for Cloud also provides detailed steps to help you remediate attacks. For a full list of the available alerts, see Security alerts - a reference guide.

Protect your Azure PaaS services with Defender for Cloud

With Defender for Cloud enabled on your subscription, and the Defender workload protection plans enabled for all available resource types, you'll have a layer of intelligent threat protection - powered by Microsoft Threat Intelligence - protecting resources in Azure Key Vault, Azure Storage, Azure DNS, and other Azure PaaS services. For a full list, see the PaaS services listed in the Support matrix.

Azure Logic Apps

Use Azure Logic Apps to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.

Defender for Cloud's workflow automation feature lets you automate responses to Defender for Cloud triggers.

This is a great way to define an automated, consistent response when threats are discovered: for example, notifying relevant stakeholders, launching a change management process, and applying specific remediation steps when a threat is detected.

Integrate Defender for Cloud with your SIEM, SOAR, and ITSM solutions

Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions.

There are Azure-native tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:

  • Microsoft Sentinel
  • Splunk Enterprise and Splunk Cloud
  • IBM's QRadar
  • ServiceNow
  • ArcSight
  • Power BI
  • Palo Alto Networks

Microsoft Sentinel

Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution.

There are two approaches to ensuring your Defender for Cloud data is represented in Microsoft Sentinel:

Stream alerts with Microsoft Graph Security API

Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no additional costs.

You can use this API to stream alerts from the entire tenant (and data from many other Microsoft Security products) into third-party SIEMs and other popular platforms.

Learn more about Microsoft Graph Security API.

Stream alerts with Azure Monitor

Use Defender for Cloud's continuous export feature to connect Defender for Cloud with Azure Monitor via Azure Event Hubs and stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions.

Learn more in Stream alerts with Azure Monitor.

This can also be done at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.

Tip

To view the event schemas of the exported data types, visit the Event Hub event schemas.
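As an added example (not Microsoft's code and not part of this guide), the following Python consumer shows what sits between the Event Hub and a Syslog-style collector in the export path described above: it unpacks an exported message, keeps only security alert records, applies a severity threshold, de-duplicates alert ids (Event Hubs delivers at least once), and renders each alert as a CEF line. The field names (`type`, `properties.severity`, `properties.alertDisplayName`, `properties.compromisedEntity`, `properties.remediationSteps`) follow the Microsoft.Security alerts resource shape, but the authoritative schema is the one on the Event Hub event schemas page; the `records` wrapper, the severity-to-CEF mapping, and the sample message with its placeholder ids and `EXAMPLE_*` alert types are assumptions constructed here. Reading from the Event Hub itself is omitted so the block runs offline.

```python
"""Filter and forward Defender for Cloud alerts exported to Event Hubs (added example, not Microsoft code)."""
import json

# Defender for Cloud alert severities, lowest to highest.
SEVERITY_ORDER = ["Informational", "Low", "Medium", "High"]
# Assumed mapping onto the 0-10 CEF severity scale; tune it for your SIEM.
CEF_SEVERITY = {"Informational": 1, "Low": 3, "Medium": 5, "High": 8}

# Constructed sample message. The alert objects follow the Microsoft.Security
# alerts resource shape; the "records" wrapper, ids and alert types are placeholders.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"id": "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Security/locations/westeurope/alerts/<ALERT-ID-1>",
     "name": "<ALERT-ID-1>", "type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Suspicious process executed", "alertType": "EXAMPLE_SuspiciousProcess",
                    "severity": "High", "status": "Active", "compromisedEntity": "vm-web-01",
                    "timeGeneratedUtc": "2024-01-15T10:21:43.000Z",
                    "remediationSteps": ["Review the process tree", "Isolate the VM if malicious"]}},
    # A Low alert that a Medium threshold should drop.
    {"id": "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Security/locations/westeurope/alerts/<ALERT-ID-2>",
     "name": "<ALERT-ID-2>", "type": "Microsoft.Security/Locations/alerts",
     "properties": {"alertDisplayName": "Example low-severity alert", "alertType": "EXAMPLE_LowSeverity",
                    "severity": "Low", "status": "Active", "compromisedEntity": "vm-db-02",
                    "timeGeneratedUtc": "2024-01-15T10:22:00.000Z", "remediationSteps": []}},
    # Continuous export can also carry recommendations; the forwarder must skip them.
    {"id": "/subscriptions/<SUBSCRIPTION-ID>/providers/Microsoft.Security/assessments/<ASSESSMENT-ID>",
     "name": "<ASSESSMENT-ID>", "type": "Microsoft.Security/assessments",
     "properties": {"displayName": "Constructed recommendation", "status": {"code": "Unhealthy"}}},
]})

def parse_events(raw: str) -> list:
    """Return the records in one Event Hub message body. Accepts a bare object,
    a JSON array, or a {"records": [...]} wrapper (assumed; confirm against the
    Event Hub event schemas for your export)."""
    payload = json.loads(raw)
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict) and isinstance(payload.get("records"), list):
        return payload["records"]
    return [payload]

def is_security_alert(event: dict) -> bool:
    """Only alert records carry the Microsoft.Security/Locations/alerts type."""
    return str(event.get("type", "")).lower() == "microsoft.security/locations/alerts"

def meets_threshold(event: dict, minimum: str = "Medium") -> bool:
    """True if the alert severity is at or above `minimum`. Unknown or missing
    severities are forwarded rather than silently dropped."""
    sev = event.get("properties", {}).get("severity")
    if sev not in SEVERITY_ORDER:
        return True
    return SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index(minimum)

def _cef_header(value: str) -> str:
    # CEF header fields must escape backslash and pipe.
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _cef_ext(value: str) -> str:
    # CEF extension values must escape backslash, equals sign and newlines.
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")

def to_cef(event: dict) -> str:
    """Render one alert as a single CEF line for a syslog collector."""
    p = event.get("properties", {})
    header = "|".join(["CEF:0", "Microsoft", "Defender for Cloud", "1.0",
                       _cef_header(str(p.get("alertType", "UnknownAlert"))),
                       _cef_header(str(p.get("alertDisplayName", "Defender for Cloud alert"))),
                       str(CEF_SEVERITY.get(p.get("severity"), 5))])
    ext = [("rt", p.get("timeGeneratedUtc", "")), ("dvchost", p.get("compromisedEntity", "")),
           ("externalId", event.get("name", "")), ("cs1Label", "alertStatus"), ("cs1", p.get("status", "")),
           ("cs2Label", "resourceId"), ("cs2", event.get("id", "")),
           ("msg", "; ".join(p.get("remediationSteps", [])))]
    return header + "|" + " ".join(f"{k}={_cef_ext(str(v))}" for k, v in ext)

class AlertForwarder:
    """Filters, de-duplicates and renders alerts. Event Hubs delivers at least
    once, so a redelivered alert id must not produce a second SIEM event."""

    def __init__(self, minimum_severity: str = "Medium"):
        self.minimum = minimum_severity
        self.seen = set()

    def process(self, raw_message: str) -> list:
        lines = []
        for event in parse_events(raw_message):
            if not is_security_alert(event) or not meets_threshold(event, self.minimum):
                continue
            alert_id = event.get("id")
            if alert_id in self.seen:
                continue
            if alert_id:
                self.seen.add(alert_id)
            lines.append(to_cef(event))
        return lines

if __name__ == "__main__":
    for line in AlertForwarder("Medium").process(SAMPLE_MESSAGE):
        print(line)
```

The `seen` set is in-memory, so in a real consumer you would back it with the checkpoint store you already use for Event Hub partitions, and expire entries after the alert's retention window. Unknown severities pass the threshold on purpose: a schema change upstream should show up as extra events in the SIEM, not as a silent gap.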

Integrate Defender for Cloud with an Endpoint Detection and Response (EDR) solution

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution.

Microsoft Defender for servers includes an integrated license for Microsoft Defender for Endpoint. Together, they provide comprehensive endpoint detection and response (EDR) capabilities. For more information, see Protect your endpoints.

When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud and you can pivot to the Defender for Endpoint console to perform a detailed investigation and uncover the scope of the attack. Learn more about Microsoft Defender for Endpoint.

Other EDR solutions

Defender for Cloud provides hardening recommendations to ensure you're securing your organization's resources according to the guidance of Microsoft cloud security benchmark (MCSB). One of the controls in the benchmark relates to endpoint security: ES-1: Use Endpoint Detection and Response (EDR).

There are two recommendations in Defender for Cloud to ensure you've enabled endpoint protection and it's running well. These recommendations are checking for the presence and operational health of EDR solutions from:

  • Trend Micro
  • Symantec
  • McAfee
  • Sophos

Learn more in Endpoint protection assessment and recommendations in Microsoft Defender for Cloud.

Apply your Zero Trust strategy to hybrid and multicloud scenarios

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.

Microsoft Defender for Cloud protects workloads wherever they're running: in Azure, on-premises, Amazon Web Services (AWS), or Google Cloud Platform (GCP).

Integrate Defender for Cloud with on-premises machines

To secure hybrid cloud workloads, you can extend Defender for Cloud's protections by connecting on-premises machines to Azure Arc enabled servers.

Learn about how to connect machines in Connect your non-Azure machines to Defender for Cloud.

Integrate Defender for Cloud with other cloud environments

To view the security posture of Amazon Web Services machines in Defender for Cloud, onboard AWS accounts into Defender for Cloud. This will integrate AWS Security Hub and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and AWS Security Hub findings and provide a range of benefits as described in Connect your AWS accounts to Microsoft Defender for Cloud.

To view the security posture of Google Cloud Platform machines in Defender for Cloud, onboard GCP accounts into Defender for Cloud. This will integrate GCP Security Command Center and Microsoft Defender for Cloud for a unified view of Defender for Cloud recommendations and GCP Security Command Center findings and provide a range of benefits as described in Connect your GCP accounts to Microsoft Defender for Cloud.

Next steps

To learn more about Microsoft Defender for Cloud, see the complete Defender for Cloud documentation.