🛡️ Azure Subscription Integration With Microsoft Defender For Cloud Apps is not enabled🟢

  • Contextual name: 🛡️ Integration With Microsoft Defender For Cloud Apps is not enabled🟢
  • ID: /ce/ca/azure/subscription/integration-with-microsoft-defender-for-cloud-apps
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-8a1ecfd01

Description

This integration setting allows Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, MCAS; the underlying Azure setting resource is still named MCAS) to exchange data with Microsoft Defender for Cloud.

Rationale

Microsoft Defender for Cloud adds a layer of protection by analyzing Azure Resource Manager events; Azure Resource Manager is the control plane for Azure, so every management operation on the subscription passes through it. By analyzing these records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the subscription. Several of these analytics are powered by Microsoft Defender for Cloud Apps, so the subscription needs a Defender for Cloud Apps (Cloud App Security) license to benefit from them.

The integration is only available on subscriptions that use the Standard pricing tier of Microsoft Defender for Cloud; it cannot be enabled on the free tier.

Impact

The integration requires the Standard pricing tier of Microsoft Defender for Cloud, which incurs an additional cost per resource.

Audit

From Azure Portal
  1. From Azure Home select the Portal Menu.

... see more

Remediation

From Azure Portal

  1. From Azure Home select the Portal Menu.
  2. Select Microsoft Defender for Cloud.
  3. Under Management, select Environment Settings.
  4. Select the subscription.
  5. Select Integrations.
  6. Check Allow Microsoft Defender for Cloud Apps to access my data.
  7. Select Save.

From Azure CLI

Use the command below to set Allow Microsoft Defender for Cloud Apps to access my data, replacing <subscription_ID> with the ID of the target subscription. Note that this form hands the bearer token to curl as a command-line argument, so while the request runs the token is visible in the process list (for example via ps) to other users on the same host; on a shared machine prefer az rest, which obtains and attaches the token itself.

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/<subscription_ID>/providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 -d@"input.json"'

Here input.json contains the request body JSON shown below (kind must be DataExportSettings, the documented kind for data-export settings such as MCAS):

{
  "id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/settings/MCAS",
  "kind": "DataExportSettings",
  "type": "Microsoft.Security/settings",
  "properties": {

... [see more](remediation.md)
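The audit and the remediation above both go through the same subscription-level Microsoft.Security/settings endpoint that the curl command targets. The following is an added example, not code from the policy page or from Microsoft: it evaluates a settings list response for the MCAS entry (the check the Audit section describes), builds the PUT body for the remediation, and composes an az rest invocation that keeps the bearer token off the command line. The response shape follows the public Microsoft.Security/settings API (api-version 2021-06-01); the sample response, its WDATP entry and the all-zero subscription ID are constructed for the example and are not real tenant data.

```python
"""Check and remediate the MCAS (Defender for Cloud Apps) integration setting.

Added example; not code from the policy page or from Microsoft. It works on the
JSON that the subscription-level settings endpoint returns:

    GET https://management.azure.com/subscriptions/{sub}/providers/Microsoft.Security/settings?api-version=2021-06-01

No network calls are made: SAMPLE_SETTINGS_RESPONSE below is a constructed
response in that documented shape, and the subscription ID is a placeholder.
"""
from __future__ import annotations

import json
import shlex
from typing import Any

API_VERSION = "2021-06-01"
SETTING_NAME = "MCAS"  # settings resource behind "Allow Microsoft Defender for Cloud Apps to access my data"
PLACEHOLDER_SUB = "00000000-0000-0000-0000-000000000000"  # not a real subscription

# Constructed sample: MCAS integration switched off, WDATP (Defender for Endpoint) switched on.
SAMPLE_SETTINGS_RESPONSE: dict[str, Any] = {
    "value": [
        {
            "id": f"/subscriptions/{PLACEHOLDER_SUB}/providers/Microsoft.Security/settings/MCAS",
            "name": "MCAS",
            "type": "Microsoft.Security/settings",
            "kind": "DataExportSettings",
            "properties": {"enabled": False},
        },
        {
            "id": f"/subscriptions/{PLACEHOLDER_SUB}/providers/Microsoft.Security/settings/WDATP",
            "name": "WDATP",
            "type": "Microsoft.Security/settings",
            "kind": "DataExportSettings",
            "properties": {"enabled": True},
        },
    ]
}


def settings_url(subscription_id: str, setting_name: str | None = None) -> str:
    """ARM URL for the subscription's Defender for Cloud settings, or for one named setting."""
    url = f"https://management.azure.com/subscriptions/{subscription_id}/providers/Microsoft.Security/settings"
    if setting_name:
        url += f"/{setting_name}"
    return f"{url}?api-version={API_VERSION}"


def mcas_integration_enabled(settings_response: dict[str, Any]) -> tuple[bool, str]:
    """Evaluate the policy: compliant only if an MCAS setting exists with properties.enabled == true.

    The check fails closed: a missing MCAS entry, a missing 'enabled' flag, or a
    non-boolean value (e.g. the string "true") is reported as non-compliant.
    """
    for item in settings_response.get("value", []):
        if str(item.get("name", "")).upper() != SETTING_NAME:
            continue
        enabled = item.get("properties", {}).get("enabled")
        if enabled is True:
            return True, f"{SETTING_NAME} setting present and enabled"
        return False, f"{SETTING_NAME} setting present but enabled={enabled!r}"
    return False, f"no {SETTING_NAME} setting returned for the subscription"


def mcas_put_body(enabled: bool = True) -> str:
    """Body for PUT .../settings/MCAS; 'id' and 'type' are implied by the URL, so only kind and enabled are sent."""
    return json.dumps({"kind": "DataExportSettings", "properties": {"enabled": enabled}})


def az_rest_remediation(subscription_id: str) -> list[str]:
    """argv for the remediation via 'az rest', which fetches and attaches the ARM bearer token itself.

    Unlike piping an access token into curl's -H argument, nothing secret lands in
    the process argument list that other local users can read via ps.
    """
    return [
        "az", "rest", "--method", "put",
        "--url", settings_url(subscription_id, SETTING_NAME),
        "--headers", "Content-Type=application/json",
        "--body", mcas_put_body(True),
    ]


if __name__ == "__main__":
    compliant, reason = mcas_integration_enabled(SAMPLE_SETTINGS_RESPONSE)
    print(f"compliant={compliant}: {reason}")
    if not compliant:
        print("remediate with:", shlex.join(az_rest_remediation(PLACEHOLDER_SUB)))
```

Run as-is, the constructed sample is reported as non-compliant and the az rest command is printed. Against a real subscription, pass json.loads of the output of az rest --method get --url "<settings_url for the subscription>" to mcas_integration_enabled; because the evaluation fails closed, an empty value list (for example on a free-tier subscription that has never exposed the setting) is treated as a finding rather than silently passing.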

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags (counts) | Compliance
💼 APRA CPG 234 → 💼 16a vulnerability and threat management; | 1010 | no data
💼 APRA CPG 234 → 💼 16e security testing, including penetration testing; | 99 | no data
💼 APRA CPG 234 → 💼 16f information security reporting and analytics; | 911 | no data
💼 APRA CPG 234 → 💼 36g vulnerability management controls — which identify and address information security vulnerabilities in a timely manner; | 1010 | no data
💼 APRA CPG 234 → 💼 36j monitoring controls — for timely detection of compromises to information security; | 911 | no data
💼 APRA CPG 234 → 💼 36k response controls — to manage information security incidents and feedback mechanisms to address control deficiencies; | 99 | no data
💼 APRA CPG 234 → 💼 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures; | 1010 | no data
💼 APRA CPG 234 → 💼 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access | 1010 | no data
💼 APRA CPG 234 → 💼 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions); | 99 | no data
💼 APRA CPG 234 → 💼 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term ‘potential’ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred. | 99 | no data
💼 APRA CPG 234 → 💼 67a network and user profiling that establishes a baseline of normal activity which, when combined with logging and alerting mechanisms, can enable detection of anomalous activity; | 1922 | no data
💼 APRA CPG 234 → 💼 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity); | 99 | no data
💼 APRA CPG 234 → 💼 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices. | 99 | no data
💼 APRA CPG 234 → 💼 73a detection of an information security event through the use of automated sensors and manual review; | 99 | no data
💼 APRA CPG 234 → 💼 73b identification and analysis to determine if it is an incident or an event; | 99 | no data
💼 APRA CPG 234 → 💼 73d containment to minimise the damage caused, and reduce the possibility of further damage; | 99 | no data
💼 APRA CPG 234 → 💼 73e eradication which involves the removal of the source of the information security compromise (typically malware); | 99 | no data
💼 CIS Azure v1.3.0 → 💼 2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected - Level 2 (Manual) | 11 | no data
💼 CIS Azure v1.4.0 → 💼 2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) | 11 | no data
💼 CIS Azure v2.0.0 → 💼 2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) | 11 | no data
💼 CIS Azure v2.1.0 → 💼 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected - Level 2 (Manual) | 11 | no data
💼 CIS Azure v3.0.0 → 💼 3.1.1.2 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected (Automated) | 1 | no data
💼 Cloudaware Framework → 💼 Microsoft Defender Configuration | 26 | no data
💼 FedRAMP High Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 62032 | no data
💼 FedRAMP Low Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 24 | no data
💼 FedRAMP Moderate Security Controls → 💼 AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 232 | no data
💼 ISO/IEC 27001:2013 → 💼 A.16.1.2 Reporting information security events | 910 | no data
💼 NIST CSF v1.1 → 💼 DE.DP-4: Event detection information is communicated | 2933 | no data
💼 NIST CSF v1.1 → 💼 RS.CO-2: Incidents are reported consistent with established criteria | 1922 | no data
💼 NIST CSF v1.1 → 💼 RS.CO-3: Information is shared consistent with response plans | 1618 | no data
💼 NIST CSF v2.0 → 💼 DE.AE-06: Information on adverse events is provided to authorized staff and tools | 33 | no data
💼 NIST CSF v2.0 → 💼 RC.CO-04: Public updates on incident recovery are shared using approved methods and messaging | 22 | no data
💼 NIST CSF v2.0 → 💼 RS.CO-02: Internal and external stakeholders are notified of incidents | 31 | no data
💼 NIST CSF v2.0 → 💼 RS.CO-03: Information is shared with designated internal and external stakeholders | 19 | no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity: Integrity Verification | 1921 | no data
💼 SOC 2 → 💼 CC7.2-3 Implements Filters to Analyze Anomalies | 918 | no data