Skip to main content

๐Ÿ›ก๏ธ Azure Subscription Microsoft Defender For Key Vault is not set to On๐ŸŸข

  • Contextual name: ๐Ÿ›ก๏ธ Microsoft Defender For Key Vault is not set to On๐ŸŸข
  • ID: /ce/ca/azure/subscription/microsoft-defender-for-key-vault
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logicโ€‹

Similar Policiesโ€‹

Similar Internal Rulesโ€‹

RulePoliciesFlags
โœ‰๏ธ dec-x-1a2f62791

Descriptionโ€‹

Open File

Descriptionโ€‹

Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationaleโ€‹

Enabling Microsoft Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impactโ€‹

Turning on Microsoft Defender for Key Vault incurs an additional cost per resource.

Auditโ€‹

This policy flags an Azure Subscription as INCOMPLIANT if the related Azure Defender Plan for Key Vaults has its Pricing Tier set to Free.

A Subscription is also marked as INCOMPLIANT if the Defender Plan for Key Vaults does not exist in the CMDB.

Default Valueโ€‹

By default, Microsoft Defender plan is off.

Referencesโ€‹

  1. https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities
  2. https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/list
  3. https://docs.microsoft.com/en-us/rest/api/securitycenter/pricings/update

... see more

Remediationโ€‹

Open File

Remediationโ€‹

From Azure Portalโ€‹

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment Settings.
  3. Click on the subscription name.
  4. Select the Defender plans blade.
  5. Select On under Status for Key Vault.
  6. Select Save.

From Azure CLIโ€‹

Enable Standard pricing tier for Key Vault:

az security pricing create -n 'KeyVaults' --tier 'Standard'
From PowerShellโ€‹

Enable Standard pricing tier for Key Vault:

Set-AzSecurityPricing -Name 'KeyVaults' -PricingTier 'Standard'

policy.yamlโ€‹

Open File

Linked Framework Sectionsโ€‹

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 16a vulnerability and threat management;1010no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 16e security testing, including penetration testing;99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36g vulnerability management controls โ€” which identify and address information security vulnerabilities in a timely manner;1010no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 36k response controls โ€” to manage information security incidents and feedback mechanisms to address control deficiencies;99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 39a implement mechanisms that access and analyse timely threat intelligence regarding vulnerabilities, threats, methods of attack and countermeasures;1010no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 39d implement mechanisms to disrupt the various phases of an attack. Example phases include reconnaissance, vulnerability exploitation, malware installation, privilege escalation, and unauthorised access1010no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 52e monitoring for unauthorised software and hardware (e.g. key loggers, password cracking software, wireless access points, business implemented technology solutions);99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 66 Under CPS 234, an APRA-regulated entity is required to have robust mechanisms in place to detect and respond to actual or potential compromises of information security in a timely manner. The term โ€˜potentialโ€™ is used to highlight that information security incidents are commonly identified when an event occurs (e.g. unauthorised access notification, customer complaint) requiring further investigation in order to ascertain whether an actual security compromise has occurred.99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 67c sensors that provide an alert when a measure breaches a defined threshold(s) (e.g. device, server and network activity);99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 68 Monitoring processes and tools remain in step with the evolving nature of threats and contemporary industry practices.99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 73a detection of an information security event through the use of automated sensors and manual review;99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 73b identification and analysis to determine if it is an incident or an event;99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 73d containment to minimise the damage caused, and reduce the possibility of further damage;99no data
๐Ÿ’ผ APRA CPG 234 โ†’ ๐Ÿ’ผ 73e eradication which involves the removal of the source of the information security compromise (typically malware);99no data
๐Ÿ’ผ CIS Azure v1.3.0 โ†’ ๐Ÿ’ผ 2.8 Ensure that Azure Defender is set to On for Key Vault - Level 2 (Manual)11no data
๐Ÿ’ผ CIS Azure v1.4.0 โ†’ ๐Ÿ’ผ 2.8 Ensure that Microsoft Defender for Key Vault is set to 'On' - Level 2 (Manual)11no data
๐Ÿ’ผ CIS Azure v1.5.0 โ†’ ๐Ÿ’ผ 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Level 2 (Manual)11no data
๐Ÿ’ผ CIS Azure v2.0.0 โ†’ ๐Ÿ’ผ 2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Level 2 (Manual)11no data
๐Ÿ’ผ CIS Azure v2.1.0 โ†’ ๐Ÿ’ผ 2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On' - Level 2 (Automated)11no data
๐Ÿ’ผ CIS Azure v3.0.0 โ†’ ๐Ÿ’ผ 3.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated)1no data
๐Ÿ’ผ CIS Azure v4.0.0 โ†’ ๐Ÿ’ผ 9.1.8.1 Ensure That Microsoft Defender for Key Vault Is Set To 'On' (Automated)1no data
๐Ÿ’ผ Cloudaware Framework โ†’ ๐Ÿ’ผ Microsoft Defender Configuration26no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ IR-6(1) Automated Reporting (M)(H)810no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ RA-3 Risk Assessment (L)(M)(H)177no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)678no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SI-2 Flaw Remediation (L)(M)(H)2714no data
๐Ÿ’ผ FedRAMP High Security Controls โ†’ ๐Ÿ’ผ SI-3 Malicious Code Protection (L)(M)(H)77no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ RA-3 Risk Assessment (L)(M)(H)17no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)28no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SI-2 Flaw Remediation (L)(M)(H)14no data
๐Ÿ’ผ FedRAMP Low Security Controls โ†’ ๐Ÿ’ผ SI-3 Malicious Code Protection (L)(M)(H)7no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ IR-6(1) Automated Reporting (M)(H)10no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ RA-3 Risk Assessment (L)(M)(H)17no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ RA-5 Vulnerability Monitoring and Scanning (L)(M)(H)48no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SI-2 Flaw Remediation (L)(M)(H)214no data
๐Ÿ’ผ FedRAMP Moderate Security Controls โ†’ ๐Ÿ’ผ SI-3 Malicious Code Protection (L)(M)(H)7no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.12.2.1 Controls against malware77no data
๐Ÿ’ผ ISO/IEC 27001:2013 โ†’ ๐Ÿ’ผ A.12.6.1 Management of technical vulnerabilities77no data
๐Ÿ’ผ ISO/IEC 27001:2022 โ†’ ๐Ÿ’ผ 8.8 Management of technical vulnerabilities810no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.AE-4: Impact of events is determined1314no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.CM-4: Malicious code is detected77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.CM-8: Vulnerability scans are performed77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.DP-3: Detection processes are tested1314no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.DP-4: Event detection information is communicated2933no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ DE.DP-5: Detection processes are continuously improved1316no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ ID.RA-1: Asset vulnerabilities are identified and documented1316no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ ID.RA-3: Threats, both internal and external, are identified and documented77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ ID.RA-4: Potential business impacts and likelihoods are identified77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.AT-1: All users are informed and trained77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2227no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ PR.IP-12: A vulnerability management plan is developed and implemented79no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ RS.CO-3: Information is shared consistent with response plans1618no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ RS.MI-1: Incidents are contained77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ RS.MI-2: Incidents are mitigated77no data
๐Ÿ’ผ NIST CSF v1.1 โ†’ ๐Ÿ’ผ RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks77no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.AE-04: The estimated impact and scope of adverse events are understood14no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.AE-06: Information on adverse events is provided to authorized staff and tools33no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-01: Networks and network services are monitored to find potentially adverse events145no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events142no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes10no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ GV.SC-04: Suppliers are known and prioritized by criticality7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship26no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties40no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.IM-03: Improvements are identified from execution of operational processes, procedures, and activities41no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded31no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-03: Internal and external threats to the organization are identified and recorded7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-04: Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ ID.RA-10: Critical suppliers are assessed prior to acquisition26no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind8no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected148no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.CO-02: Internal and external stakeholders are notified of incidents31no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.CO-03: Information is shared with designated internal and external stakeholders19no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MI-01: Incidents are contained7no data
๐Ÿ’ผ NIST CSF v2.0 โ†’ ๐Ÿ’ผ RS.MI-02: Incidents are eradicated7no data
๐Ÿ’ผ NIST SP 800-53 Revision 5 โ†’ ๐Ÿ’ผ SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification1921no data
๐Ÿ’ผ PCI DSS v3.2.1 โ†’ ๐Ÿ’ผ 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.19no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.9no data
๐Ÿ’ผ PCI DSS v4.0.1 โ†’ ๐Ÿ’ผ 11.6.1 A change- and tamper-detection mechanism is deployed.9no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network.189no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 11.5.1.1 Intrusion-detection and/or intrusion-prevention techniques detect, alert on/prevent, and address covert malware communication channels.89no data
๐Ÿ’ผ PCI DSS v4.0 โ†’ ๐Ÿ’ผ 11.6.1 A change- and tamper-detection mechanism is deployed.9no data
๐Ÿ’ผ SOC 2 โ†’ ๐Ÿ’ผ CC7.2-3 Implements Filters to Analyze Anomalies918no data