There are many blogs and resources on Azure Defender for Servers, but quite often they only cover the getting started phase and a tour of the most prominent features in the portal.
In this article I try to go a bit deeper and showcase two of the “hidden gems” you can get for free by onboarding servers to Azure Defender:
- Endpoint Detection & Response (with Defender for Endpoint integration)
- Log management, SIEM & SOAR (with a shared workspace with Azure Sentinel)
These capabilities, in addition to the default features you automatically get after enabling Azure Defender as part of Azure Security Center, provide a comprehensive server security solution with basically a one-click onboarding process.
If you are evaluating whether to onboard to Azure Defender, I suggest you include these extra features in your plans.
#1 - Endpoint Detection & Response
Azure Defender has Threat Detection capabilities built in, with plenty of good alerting rules.
However, you can take this a lot further by enabling the free integration with Microsoft Defender for Endpoint (MDE).
With MDE you get a full-blown server EDR solution, with asset management and vulnerability management features included, at no extra cost.
Enabling the MDE integration can be done in the Settings:
Enabling this integration will create a new MDE tenant for you and after some time your servers will be onboarded to MDE. If you are already using MDE for your endpoints, the servers will appear on your existing tenant.
Below are a few short videos showcasing three valuable features in MDE.
Managing an Incident in MDE
- In this clip I am investigating a single incident in MDE, generated from dozens of events and alerts that were caused by running all of the APT Simulator tests on a Windows server.
- Here I show how network, file and process events on a server are gathered into the Device Timeline.
Threat and Vulnerability Management (TVM)
- In this last clip I give a quick overview of the Threat and Vulnerability Management features in MDE.
#2 - Log management, SIEM & SOAR
If you are already using Azure Sentinel you might be familiar with the Azure Defender Data Connector, which can ingest Defender-generated alerts into Sentinel.
You can also take the Defender - Sentinel integration further by making sure you use the same Log Analytics workspace for both products.
As a result, the logs collected by onboarding servers to Azure Defender also become usable in queries, detection rules and threat hunting in Azure Sentinel.
You can control the Log Analytics workspace configuration in Azure Defender settings for Virtual Machine onboarding.
In my opinion this is a best-practice design for organisations using both products. There is also a cost benefit here, as all Windows Servers onboarded to Azure Defender get a free 500MB/day log ingestion allowance, which reduces your security analytics cost for servers in Sentinel.
Below is a short video clip on setting a custom workspace and viewing the collected logs from a Windows server onboarded to Azure Defender.
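As an added example (not from the original post), this KQL hunting query shows what the shared workspace buys you: it joins Defender alerts (SecurityAlert, delivered by the Azure Defender connector) with Windows process-creation events (SecurityEvent, collected from the onboarded servers), which only works when both land in the same Log Analytics workspace. It assumes the default table names, that the Defender data collection tier includes event 4688, and that command-line auditing is enabled on the servers.

```kusto
// Added example: correlate Azure Defender alerts with process creations
// on the same server in the 30 minutes leading up to each alert.
// Assumes SecurityAlert and SecurityEvent share one workspace.
let lookback = 7d;
let window = 30m;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Security Center"
// CompromisedEntity carries the host name; normalise it to match Computer
| extend Host = tolower(tostring(split(CompromisedEntity, ".")[0]))
| project AlertTime = TimeGenerated, AlertName, AlertSeverity, Host
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4688                       // a new process has been created
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project ProcTime = TimeGenerated, Host, Account, NewProcessName, CommandLine
) on Host
// keep only processes started shortly before the alert fired
| where ProcTime between ((AlertTime - window) .. AlertTime)
| summarize ProcessCount = count(),
            Processes = make_set(NewProcessName, 50),
            CommandLines = make_set(CommandLine, 50)
    by AlertTime, AlertName, AlertSeverity, Host
| order by AlertTime desc
```

The same query body can be saved as a Sentinel analytics rule or hunting query; without the shared workspace the SecurityEvent side of the join would simply be empty.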