Do more with Azure Defender for Servers

Mikko Koivunen

2021/10/05

Azure Defender Ecosystem

There are many blogs and resources on Azure Defender for Servers, but quite often they only cover the getting started phase and a tour of the most prominent features in the portal.

In this article I go a bit deeper and showcase two of the “hidden gems” you get at no extra cost by onboarding servers to Azure Defender:

#1 Endpoint Detection & Response, through the Microsoft Defender for Endpoint integration
#2 Log management, SIEM & SOAR, through a Log Analytics workspace shared with Azure Sentinel

These capabilities, on top of the default features you automatically get after enabling Azure Defender in Azure Security Center, add up to a comprehensive server security solution with what is basically a one-click onboarding process.

If you are evaluating whether to onboard to Azure Defender, I suggest you include these extra features in your plans.

#1 - Endpoint Detection & Response

Azure Defender has threat detection capabilities built in, with plenty of good alerting rules.

However, you can take this a lot further by enabling the free integration with Microsoft Defender for Endpoint (MDE).

With MDE you get a full-blown server EDR solution, with asset management and vulnerability management features included, at no extra cost.

The MDE integration is enabled per subscription, in the Azure Security Center settings under Integrations:

Enabling this integration provisions an MDE tenant for you, and after some time your servers will be onboarded to MDE (Defender pushes the MDE extension to the VMs; allow some hours before expecting every server to show up). If you are already using MDE for your endpoints, the servers will appear in your existing tenant.
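The same switch can be flipped from the command line, which is handy when you have many subscriptions. The script below is an added example and not code from the original post: it writes the Security Center "WDATP" setting (the MDE integration) through the Azure management REST API using az rest, and then checks whether the MDE extension has landed on one VM. It assumes an Azure CLI session with rights to change Security Center settings, and the environment variables SUBSCRIPTION_ID, RESOURCE_GROUP and VM_NAME; those variable names and the function names are this example's own.

```shell
#!/bin/sh
# Enable the Defender for Endpoint (MDE) integration for a subscription with
# the Azure CLI, then verify that the MDE extension has landed on a VM.
# Assumes: az CLI installed and logged in with Security Admin rights;
# SUBSCRIPTION_ID, RESOURCE_GROUP and VM_NAME set in the environment.
# Variable and function names are this example's own, not the page's.
set -eu

API_VERSION="2021-06-01"

# Management-plane URL of a Security Center setting ("WDATP" = MDE integration).
settings_url() {
    # $1 = subscription id, $2 = setting name
    printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Security/settings/%s?api-version=%s' \
        "$1" "$2" "$API_VERSION"
}

# Request body for a DataExportSettings-kind setting; $1 is "true" or "false".
data_export_body() {
    case "$1" in
        true|false) ;;
        *) echo "data_export_body: expected true or false, got '$1'" >&2; return 1 ;;
    esac
    printf '{"kind":"DataExportSettings","properties":{"enabled":%s}}' "$1"
}

# PUT the setting. Re-running with the same value is harmless.
enable_mde_integration() {
    az rest --method put \
        --url "$(settings_url "$SUBSCRIPTION_ID" WDATP)" \
        --body "$(data_export_body true)" \
        --query "properties.enabled" -o tsv
}

# Returns 0 when the provisioning state reported for the extension says it
# finished installing. $1 = provisioningState text from `az vm extension list`.
mde_extension_ready() {
    [ "$1" = "Succeeded" ]
}

# Look for the extension Defender pushes to onboarded VMs
# (MDE.Windows on Windows, MDE.Linux on Linux).
check_vm_onboarded() {
    state=$(az vm extension list \
        --resource-group "$RESOURCE_GROUP" --vm-name "$VM_NAME" \
        --query "[?starts_with(name, 'MDE.')].provisioningState | [0]" -o tsv)
    if mde_extension_ready "${state:-none}"; then
        echo "$VM_NAME: MDE extension provisioned"
    else
        echo "$VM_NAME: MDE extension state is '${state:-absent}' (onboarding can take hours)" >&2
        return 1
    fi
}

# Only talk to Azure when explicitly asked, so the file is safe to source.
if [ "${APPLY:-0}" = "1" ]; then
    enable_mde_integration
    check_vm_onboarded
fi
```

Run it as `APPLY=1 SUBSCRIPTION_ID=... RESOURCE_GROUP=... VM_NAME=... sh enable-mde.sh`; the extension check is the part worth repeating, since "enabled" in the settings only means the rollout has started.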

You can access Defender for Endpoint in the Microsoft 365 Defender Portal at security.microsoft.com and review the official documentation at Microsoft Defender for Endpoint documentation.

Below are a few short videos showcasing three valuable features in MDE.

Managing an Incident in MDE

Device Timeline

Threat and Vulnerability Management (TVM)

#2 - Log management, SIEM & SOAR

If you are already using Azure Sentinel you might be familiar with the Azure Defender data connector, which ingests Defender-generated alerts into Sentinel.

You can also take the Defender - Sentinel integration further by making sure you use the same Log Analytics workspace for both products.

As a result, the logs collected from servers onboarded to Azure Defender also become available for queries, analytics rules and threat hunting in Azure Sentinel.

LA Workspace diagram

You can control which Log Analytics workspace is used in the Azure Defender auto-provisioning settings for the Log Analytics agent, which is what onboards your virtual machines.

In my opinion this is a best-practice design for organisations using both products. There is also a cost benefit: every server covered by Azure Defender for Servers brings a free 500 MB/day ingestion allowance for security data types (such as SecurityEvent, SecurityAlert and WindowsFirewall) into that workspace. The allowance is pooled across all covered nodes at the workspace level, so it directly reduces your security analytics cost for servers in Sentinel.

Below is a short video clip on setting the custom workspace and showing the collected logs from a Windows server onboarded to Azure Defender.
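To make the shared-workspace design concrete, here is an added example (not code from the original post) that points Defender's agent auto-provisioning at the Sentinel workspace with the Azure CLI and then measures how much of the pooled 500 MB/node/day allowance the onboarded servers actually use, by running a KQL query over the security data types in that workspace. It assumes a logged-in az CLI, WORKSPACE_ID holding the full ARM resource id of the shared workspace and WORKSPACE_CUSTOMER_ID holding its workspace (customer) GUID; the variable and function names are this example's own, and the list of tables in the query is the set of security data types the allowance covered at the time of writing, which you should verify against current documentation.

```shell
#!/bin/sh
# Point Defender's agent auto-provisioning at the Log Analytics workspace that
# Azure Sentinel uses, then check how much of the pooled 500 MB/node/day
# security data allowance the onboarded servers consume.
# Assumes: az CLI logged in; WORKSPACE_ID = ARM resource id of the shared
# workspace, WORKSPACE_CUSTOMER_ID = its workspace (customer) GUID.
# Variable and function names are this example's own, not the page's.
set -eu

FREE_MB_PER_NODE=500   # Defender for Servers allowance, per node per day

configure_shared_workspace() {
    # Turn on Log Analytics agent auto-provisioning and send the data to the
    # Sentinel workspace instead of the "default workspace(s)" ASC creates.
    az security auto-provisioning-setting update --name default --auto-provision On -o none
    az security workspace-setting create --name default --target-workspace "$WORKSPACE_ID" -o none
    az security workspace-setting show --name default
}

# KQL: billed MB per computer over the last day across the security data types
# the allowance covers (table list assumed per docs at time of writing).
# isfuzzy=true tolerates tables that do not exist in the workspace yet.
kql_daily_security_mb() {
    cat <<'EOF'
union isfuzzy=true SecurityEvent, SecurityAlert, WindowsFirewall, SysmonEvent,
      LinuxAuditLog, ProtectionStatus, Update, UpdateSummary
| where TimeGenerated > ago(1d)
| summarize MB = round(sum(_BilledSize) / 1048576.0, 1) by Computer
| where MB > 0
| project Computer, MB
EOF
}

# Emits one "Computer<TAB>MB" line per server; the JMESPath projection pins
# the column order so the awk step below can rely on MB being last.
run_usage_query() {
    az monitor log-analytics query -w "$WORKSPACE_CUSTOMER_ID" \
        --analytics-query "$(kql_daily_security_mb)" \
        --query "[].[Computer, MB]" -o tsv
}

# Input: "Computer<TAB>MB" lines. Output: "<nodes> <total_mb> <allowance_mb> <within|over>".
# The allowance is pooled at the workspace level (nodes x 500 MB), not enforced
# per server, so a single chatty domain controller can be paid for by quiet peers.
allowance_check() {
    awk -F '\t' -v per_node="$FREE_MB_PER_NODE" '
        NF >= 2 { nodes++; total += $NF }
        END {
            allowance = nodes * per_node
            printf "%d %.1f %d %s\n", nodes, total, allowance,
                   (total > allowance ? "over" : "within")
        }'
}

# Only talk to Azure when explicitly asked, so the file is safe to source.
if [ "${APPLY:-0}" = "1" ]; then
    configure_shared_workspace
    run_usage_query | allowance_check
fi
```

Run as `APPLY=1 WORKSPACE_ID=... WORKSPACE_CUSTOMER_ID=... sh shared-workspace.sh`. Servers already onboarded before the change keep reporting to the old default workspace until the agent is reconfigured, so expect the node count to grow over a few days after switching.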