Defender for Cloud enabled (Standard)
Demonstrate that Microsoft Defender for Cloud Standard tier is enabled across all applicable Azure subscriptions and workload types to provide advanced threat protection and continuous security monitoring.
Description
What this control does
Microsoft Defender for Cloud Standard tier provides enhanced threat detection, vulnerability assessment, and advanced security monitoring capabilities for Azure resources beyond the free tier. The Standard tier includes workload protection plans such as Defender for Servers, Defender for Storage, Defender for SQL, and other resource-specific protections that continuously monitor cloud assets for malicious activity, misconfigurations, and vulnerabilities. Enabling this control ensures cloud workloads benefit from real-time threat intelligence, behavioral analytics, and integration with Microsoft's global security operations centers for proactive threat hunting and incident response.
Control objective
What auditing this proves
Demonstrate that Microsoft Defender for Cloud Standard tier is enabled across all applicable Azure subscriptions and workload types to provide advanced threat protection and continuous security monitoring.
Associated risks
Risks this control addresses
- Undetected malware or fileless attacks on virtual machines and compute resources due to the absence of behavioral monitoring and threat intelligence
- Exploitation of unpatched vulnerabilities in operating systems and container images without continuous vulnerability scanning and prioritization
- Storage account compromise through unauthorized data exfiltration attempts that go undetected without blob-level anomaly detection
- SQL injection or database exploitation attempts on Azure SQL databases that bypass perimeter controls and are not monitored at the workload layer
- Lateral movement by adversaries across cloud infrastructure without detection due to lack of network traffic analysis and suspicious behavior alerting
- Delayed incident response and forensic investigation resulting from the absence of centralized security event correlation and automated alert triage
- Regulatory non-compliance for frameworks requiring enhanced logging, monitoring, and threat detection capabilities beyond basic cloud provider offerings
Testing procedure
How an auditor verifies this control
- Inventory all Azure subscriptions within the organization's tenant and document the scope of subscriptions subject to security monitoring requirements.
- Log in to the Azure portal with appropriate read permissions and navigate to Microsoft Defender for Cloud to review current licensing and enablement status.
- Export the Defender for Cloud coverage report showing pricing tier status for each subscription and workload type, including Servers, App Service, Storage, SQL, Kubernetes, Container Registries, Key Vault, Resource Manager, and DNS.
- Review the configuration of each enabled Defender plan to verify Standard tier is active and not set to Free tier, noting any exclusions or partial coverage.
- Sample security alerts generated by Defender for Cloud over the past 90 days to confirm active detection and alerting functionality is operational.
- Verify that auto-provisioning settings are configured to deploy monitoring agents (Log Analytics agent or Azure Monitor Agent) to all applicable virtual machines and scale sets.
- Review integration settings to confirm Defender for Cloud alerts feed into the organization's SIEM, ticketing system, or security operations workflow.
- Validate that security contacts are configured with appropriate email addresses and phone numbers to receive high-severity alert notifications and security communications.
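One way to evaluate the exported coverage report from the third and fourth steps, as an added example that is not part of this control text: the script assumes each subscription's plans were collected in the JSON shape returned by `az security pricing list` (objects with `name` and `pricingTier`), and the mapping from the workload types listed above to plan names is an assumption, as is the sample export.

```python
from __future__ import annotations

# Workload types the procedure asks the auditor to check, mapped to the plan
# names the pricing API reports. Each entry lists every plan name that can
# satisfy the check; "Containers" is the newer plan that replaced the separate
# Kubernetes and Container Registry plans. Mapping assumed, not from the page.
REQUIRED_PLANS: list[tuple[str, tuple[str, ...]]] = [
    ("Servers", ("VirtualMachines",)),
    ("App Service", ("AppServices",)),
    ("Storage", ("StorageAccounts",)),
    ("SQL", ("SqlServers",)),
    ("Kubernetes", ("KubernetesService", "Containers")),
    ("Container Registries", ("ContainerRegistry", "Containers")),
    ("Key Vault", ("KeyVaults",)),
    ("Resource Manager", ("Arm",)),
    ("DNS", ("Dns",)),
]

# Constructed sample export: {subscription: output of `az security pricing list`}.
SAMPLE_EXPORT = {
    "sub-prod (constructed)": [
        {"name": "VirtualMachines", "pricingTier": "Standard"},
        {"name": "AppServices", "pricingTier": "Standard"},
        {"name": "StorageAccounts", "pricingTier": "Standard"},
        {"name": "SqlServers", "pricingTier": "Standard"},
        {"name": "Containers", "pricingTier": "Standard"},
        {"name": "KeyVaults", "pricingTier": "Standard"},
        {"name": "Arm", "pricingTier": "Standard"},
        {"name": "Dns", "pricingTier": "Standard"},
    ],
    "sub-dev (constructed)": [
        {"name": "VirtualMachines", "pricingTier": "Standard"},
        {"name": "StorageAccounts", "pricingTier": "Free"},
        {"name": "SqlServers", "pricingTier": "Standard"},
        {"name": "KubernetesService", "pricingTier": "Standard"},
        {"name": "KeyVaults", "pricingTier": "Free"},
    ],
}


def find_coverage_gaps(export: dict[str, list[dict]]) -> dict[str, list[str]]:
    """Per subscription, list required workload types not covered at Standard tier.

    A plan at Free tier and a plan absent from the export are both gaps; the
    finding states which, so the auditor can tell "disabled" from "never exported".
    """
    gaps: dict[str, list[str]] = {}
    for sub_id, plans in export.items():
        tiers = {p["name"]: p.get("pricingTier", "Unknown") for p in plans}
        findings = []
        for label, names in REQUIRED_PLANS:
            if any(tiers.get(n) == "Standard" for n in names):
                continue  # at least one acceptable plan is at Standard tier
            seen = [f"{n}={tiers[n]}" for n in names if n in tiers]
            findings.append(f"{label}: {', '.join(seen) if seen else 'not in export'}")
        gaps[sub_id] = findings
    return gaps
```

An empty list for a subscription means every workload type in the procedure is covered at Standard tier; anything else is a finding to record against step four's "exclusions or partial coverage".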
Where this control is tested