Description

Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.

Rationale

Enabling Microsoft Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Impact

Turning on Microsoft Defender for Servers in Microsoft Defender for Cloud incurs an additional cost per resource.

Two Defender for Servers plans exist:

Plan 1: Subscription only
Plan 2: Subscription and workspace

Audit

From Azure Portal

Go to Microsoft Defender for Cloud.
Under Management, select Environment Settings.
Click on the subscription name.
Select Defender plans in the left pane.
Under Cloud Workload Protection (CWP), locate Server in the Plan column, ensure Status is set to On.

From Azure CLI

Run the following command:

az security pricing show -n VirtualMachines --query pricingTier

If the tenant is licensed and enabled, the output should indicate Standard.

From PowerShell

Run the following command:

Get-AzSecurityPricing -Name 'VirtualMachines' |Select-Object Name,PricingTier

If the tenant is licensed and enabled, the PricingTier parameter will indicate Standard.

From Azure Policy

If referencing a digital copy of this Benchmark, clicking a Policy ID will open a link to the associated Policy definition in Azure.

Policy ID: 4da35fc9-c9e7-4960-aec9-797fe7d9051d - Name: Azure Defender for servers should be enabled

Default Value

By default, Microsoft Defender plan is off.

Rationale​

Impact​

Audit​

From Azure Portal​

From Azure CLI​

From PowerShell​

From Azure Policy​

Default Value​

References​