Describe Microsoft Defender for Cloud


Defender for Cloud is a security posture management and threat protection service. It monitors cloud, on-premises, hybrid, and multicloud resources and provides recommendations and alerts to improve security posture.

Defender for Cloud helps you harden resources, track risk, and respond to threats. In Azure, it's natively integrated and can be enabled quickly.

Coverage across cloud and hybrid environments

Because Defender for Cloud is Azure-native, many Azure services can be monitored without extra deployment. For hybrid and multicloud estates, Defender for Cloud extends visibility so security teams can work from one control plane.

When needed, Defender for Cloud can deploy data collection components for security insights. Azure Arc can extend Microsoft Defender plans to non-Azure machines, and Cloud Security Posture Management (CSPM) capabilities can assess multicloud resources agentlessly.

Azure-native protections

Defender for Cloud helps you detect threats across:

  • Azure PaaS services - Detects threats across services such as App Service, Azure SQL, and Azure Storage.
  • Azure data services - Provides data security assessments and recommendations for services such as Azure SQL and Storage.
  • Networks - Helps reduce brute-force exposure through controls such as just-in-time VM access and restrictive port policies.

Defend your hybrid resources

In addition to Azure coverage, Defender for Cloud can protect non-Azure servers in hybrid environments and prioritize alerts based on your environment.

To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's enhanced security features.

Defend resources running on other clouds

Defender for Cloud can also protect resources in other clouds, including AWS and GCP.

For connected AWS environments, Defender for Cloud can:

  • Extend CSPM recommendations and compliance assessments to AWS resources.
  • Extend Defender for Containers protections to Amazon EKS clusters.
  • Extend Defender for Servers protections to EC2 instances.

Assess, Secure, and Defend

Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:

  • Continuously assess – Know your security posture. Identify and track vulnerabilities.
  • Secure – Harden resources and services with Microsoft cloud security benchmark (MCSB).
  • Defend – Detect and resolve threats to resources, workloads, and services.

Diagram showing three pillars of Defender for Cloud: Continuously Assess, Secure, and Defend.

Continuously assess

Defender for Cloud helps you continuously assess your environment. It includes vulnerability assessment for virtual machines, container registries, and SQL servers.

Microsoft Defender for Servers includes automatic, native integration with Microsoft Defender for Endpoint. With this integration enabled, you'll have access to the vulnerability findings from Microsoft Defender Vulnerability Management.

Together, these tools provide regular vulnerability visibility across compute, data, and infrastructure from a unified experience.

Secure

To secure workloads, you need policies that align to your environment. Defender for Cloud builds on Azure Policy, so controls can be scoped at management group, subscription, or tenant levels.

As new resources are deployed, Defender for Cloud evaluates them against best practices and surfaces prioritized recommendations. These recommendations align to Microsoft cloud security benchmark (MCSB) guidance.

Defender for Cloud groups recommendations into security controls and calculates a secure score so teams can quickly understand posture and prioritize improvements.

Defend

The first two areas focused on assessing, monitoring, and maintaining your environment. Defender for Cloud also defends your environment by providing security alerts and advanced threat protection features.

Security alerts

When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. Security alerts:

  • Describe details of the affected resources
  • Suggest remediation steps
  • Provide, in some cases, an option to trigger a logic app in response

Whether an alert is generated by Defender for Cloud or received from an integrated security product, you can export it. Defender for Cloud also uses kill-chain analysis to automatically correlate related alerts, helping you see the full story of an attack — where it started, which resources were affected, and what impact it had.
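The following Python is an added example for this module, not Microsoft code or a Defender for Cloud feature. It shows, in miniature, what the kill-chain correlation described above does with exported alerts: alerts that share an entity (the compromised resource, a source IP, an account) within a time window are linked into one incident, and each incident reports where it started, which resources were affected, the deepest kill-chain stage reached, and the remediation steps the alerts carried. The alerts are constructed samples; the field names (`alertDisplayName`, `severity`, `compromisedEntity`, `intent`, `startTimeUtc`, `entities`, `remediationSteps`) and the stage ordering are assumptions modelled loosely on the alert schema, not a Microsoft-defined format.

```python
"""Reconstruct attack timelines from Defender for Cloud style security alerts.

Added example, not Microsoft code. Alert field names are assumptions modelled
loosely on the Defender for Cloud alert schema; the alerts are constructed.
"""
from datetime import datetime, timedelta

# Coarse kill-chain ordering used to tell "where it started" from "what impact
# it had". This ordering is an assumption of the example, not a Microsoft ranking.
KILL_CHAIN_ORDER = ["Probing", "InitialAccess", "Execution", "Persistence",
                    "LateralMovement", "Collection", "Exfiltration", "Impact"]
STAGE_RANK = {name: i for i, name in enumerate(KILL_CHAIN_ORDER)}
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample alerts (TEST-NET addresses, invented resource names).
SAMPLE_ALERTS = [
    {"alertDisplayName": "Failed SSH brute force attack", "severity": "Medium",
     "compromisedEntity": "vm-web-01", "intent": "Probing",
     "startTimeUtc": "2024-05-01T10:00:00Z",
     "entities": [{"type": "ip", "value": "203.0.113.5"}],
     "remediationSteps": ["Enable just-in-time VM access"]},
    {"alertDisplayName": "Successful SSH brute force attack", "severity": "High",
     "compromisedEntity": "vm-web-01", "intent": "InitialAccess",
     "startTimeUtc": "2024-05-01T10:12:00Z",
     "entities": [{"type": "ip", "value": "203.0.113.5"}],
     "remediationSteps": ["Reset credentials for the affected accounts"]},
    {"alertDisplayName": "Suspicious download then run activity", "severity": "Medium",
     "compromisedEntity": "vm-web-01", "intent": "Execution",
     "startTimeUtc": "2024-05-01T10:20:00Z",
     "entities": [{"type": "account", "value": "vm-web-01\\svc-deploy"}],
     "remediationSteps": ["Review the process tree and isolate the machine"]},
    {"alertDisplayName": "Unusual amount of data extracted from a storage container",
     "severity": "High", "compromisedEntity": "stgbackups01", "intent": "Exfiltration",
     "startTimeUtc": "2024-05-01T10:45:00Z",
     "entities": [{"type": "ip", "value": "203.0.113.5"}],
     "remediationSteps": ["Restrict storage network access", "Rotate access keys"]},
    {"alertDisplayName": "Potential SQL brute force attempt", "severity": "Medium",
     "compromisedEntity": "sqlsrv-prod", "intent": "Probing",
     "startTimeUtc": "2024-05-01T11:30:00Z",
     "entities": [{"type": "ip", "value": "198.51.100.7"}],
     "remediationSteps": ["Restrict the server firewall to known client ranges"]},
]


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _entity_keys(alert):
    """The compromised resource plus every listed entity, as hashable keys."""
    keys = {("resource", alert["compromisedEntity"])}
    for entity in alert.get("entities", []):
        keys.add((entity["type"], entity["value"]))
    return keys


def _related(a, b, window):
    """Two alerts are related if they share an entity and fall within the window."""
    if not (_entity_keys(a) & _entity_keys(b)):
        return False
    delta = _parse_time(a["startTimeUtc"]) - _parse_time(b["startTimeUtc"])
    return abs(delta) <= window


def correlate_alerts(alerts, window_minutes=90):
    """Union-find over pairwise relations; returns incidents, largest first."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    window = timedelta(minutes=window_minutes)
    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if _related(alerts[i], alerts[j], window):
                parent[find(i)] = find(j)

    groups = {}
    for i, alert in enumerate(alerts):
        groups.setdefault(find(i), []).append(alert)

    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: _parse_time(a["startTimeUtc"]))
        deepest = max(members, key=lambda a: STAGE_RANK.get(a["intent"], -1))
        steps = [s for a in members for s in a.get("remediationSteps", [])]
        incidents.append({
            "started_with": members[0]["alertDisplayName"],      # where it started
            "entry_resource": members[0]["compromisedEntity"],
            "affected_resources": sorted({a["compromisedEntity"] for a in members}),
            "stage_reached": deepest["intent"],                  # what impact it had
            "max_severity": max((a["severity"] for a in members),
                                key=lambda s: SEVERITY_RANK.get(s, 0)),
            "remediation": list(dict.fromkeys(steps)),           # de-duplicated, in order
            "alert_count": len(members),
        })
    incidents.sort(key=lambda inc: inc["alert_count"], reverse=True)
    return incidents


if __name__ == "__main__":
    for incident in correlate_alerts(SAMPLE_ALERTS):
        print(incident)
```

With the default 90-minute window the four alerts sharing `203.0.113.5` or `vm-web-01` collapse into one incident that began with SSH probing on the VM and ended with data leaving the storage account, while the unrelated SQL probe stays on its own; tightening the window to 30 minutes splits the storage alert off, which is the trade-off any correlation rule makes between missing a slow attack and merging unrelated noise.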

Advanced threat protection

Defender for Cloud provides advanced threat protection for resources such as virtual machines, SQL databases, containers, web applications, and networks. Protections include just-in-time VM access and adaptive application controls.