
πŸ“ [LEGACY] Azure Subscription Microsoft Defender For DNS is not set to On 🟒

  • Contextual name: 📁 Microsoft Defender For DNS is not set to On 🟒
  • ID: /ce/ca/azure/subscription/LEGACY-microsoft-defender-for-dns
  • Located in: 📁 Azure Subscription

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

  • Internal
    • dec-x-7bde497d

Similar Internal Rules

Rule              | Policies | Flags
✉️ dec-x-7bde497d | 1        |

Logic

Description

[NOTE: As of August 1, 2023 customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.]

Microsoft Defender for DNS scans all network traffic exiting from within a subscription.

Rationale

DNS lookups within a subscription are scanned and compared against a dynamic list of domains that might be potential security threats. Such lookups can be a symptom of a security breach within your services, so detecting them can stop a potential security threat before it takes hold.

Impact

Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.

Audit

From Azure Portal
  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment Settings.
  3. Click on the subscription name.
  4. Select the Defender plans blade.

Remediation

From Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment Settings.
  3. Click on the subscription name.
  4. Select the Defender plans blade.
  5. Select On under Status for DNS.
  6. Select Save.

From Azure CLI

Enable Standard pricing tier for DNS:

az security pricing create -n 'DNS' --tier 'Standard'

From PowerShell

Enable Standard pricing tier for DNS:

Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'
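The portal, Azure CLI and PowerShell steps above fix one subscription at a time. The following PowerShell script is an added example (not part of this page or the CIS benchmark) that audits the Defender for DNS plan across every subscription the signed-in account can see and only applies the remediation when -Remediate is passed. It assumes the Az.Accounts and Az.Security modules are installed and Connect-AzAccount has already been run; the 'VirtualMachines' plan name used to report the Defender for Servers tier is an assumption.

```powershell
# Added example: audit (and optionally remediate) the Defender for DNS plan
# across all subscriptions visible to the signed-in account.
# Assumes: Az.Accounts + Az.Security installed, Connect-AzAccount already run.
param(
    [switch]$Remediate   # only set the Standard tier when explicitly requested
)

$results = foreach ($sub in Get-AzSubscription) {
    # Switch context so Get-AzSecurityPricing targets this subscription
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    $dns = Get-AzSecurityPricing -Name 'DNS'
    $compliant = ($dns.PricingTier -eq 'Standard')

    if (-not $compliant -and $Remediate) {
        # Same call as the remediation step on this page. Per the NOTE in the
        # Description, subscriptions onboarded after 1 August 2023 may not be
        # able to enable this legacy plan (DNS alerts then come from Defender
        # for Servers P2), so a failure is reported rather than treated as fatal.
        try {
            Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard' | Out-Null
            $dns = Get-AzSecurityPricing -Name 'DNS'
            $compliant = ($dns.PricingTier -eq 'Standard')
        } catch {
            Write-Warning "$($sub.Name): could not enable Defender for DNS: $($_.Exception.Message)"
        }
    }

    # 'VirtualMachines' is assumed to be the Defender for Servers plan name;
    # it is reported so reviewers can see whether P2 coverage applies instead.
    $servers = Get-AzSecurityPricing -Name 'VirtualMachines'

    [pscustomobject]@{
        Subscription   = $sub.Name
        SubscriptionId = $sub.Id
        DnsTier        = $dns.PricingTier
        ServersTier    = $servers.PricingTier
        Compliant      = $compliant
    }
}

# Full report, then the subscriptions that still need attention
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Compliant } | Select-Object Subscription, DnsTier
```

Run it without -Remediate first to see the current state; the second listing is the set of subscriptions this policy would flag.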

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 APRA CPG 234 → 💼 16a vulnerability and threat management; | 1111
💼 APRA CPG 234 → 💼 16e security testing, including penetration testing; | 1010
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner; | 1111
💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies; | 1010
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures; | 1111
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access | 1111
💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions); | 1010
💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred. | 1010
💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity); | 1010
💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices. | 1010
💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review; | 1010
💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event; | 1010
💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage; | 1010
💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware); | 1010
💼 CIS Azure v1.5.0 → 💼 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' - Level 2 (Manual) | 11
💼 CIS Azure v2.0.0 → 💼 2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' - Level 2 (Manual) | 11
💼 CIS Azure v2.1.0 → 💼 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' - Level 2 (Automated) | 11
💼 CIS Azure v3.0.0 → 💼 3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' (Automated) | 1
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration | 26
💼 FedRAMP High Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) | 79
💼 FedRAMP Moderate Security Controls → 💼 SI-4(4) Inbound and Outbound Communications Traffic (M)(H) | 9
💼 ISO/IEC 27001:2022 → 💼 8.8 Management of technical vulnerabilities | 99
💼 ISO/IEC 27001:2022 → 💼 8.15 Logging | 1920
💼 ISO/IEC 27001:2022 → 💼 8.16 Monitoring activities | 66
💼 NIST SP 800-53 Revision 5 → 💼 SI-4(4) System Monitoring _ Inbound and Outbound Communications Traffic | 22
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification | 1820