Configure Microsoft Defender for App Services to the Standard tier

Security · Microsoft Defender for Cloud · Rule · 2022_09 · Critical

Enable Microsoft Defender for App Service.

Description

Many attacks begin by probing web applications to find and exploit weaknesses. It is crucial to secure your applications, even when they run in PaaS services like App Service.

Microsoft Defender for App Service uses cloud-scale data analysis to identify attacks against App Service. It offers:

  • Hardening capabilities for your App Services through assessments and security recommendations.
  • Detection of threats at different levels such as underlying VMs, internal logs, I/O to your App Service, etc.
  • Protection against common attack patterns, such as those described in MITRE ATT&CK, or even dangling DNS.

The solution is particularly efficient because it can identify attack methodologies that apply to multiple targets. The log data and the infrastructure together are used to enhance Defender for App Service globally.

Recommendation

Consider using Microsoft Defender for App Service to protect your web apps and APIs.

Examples

Configure with Azure template

To enable Defender for App Service:

  • Set the Standard pricing tier for Microsoft Defender for App Service.

For example:

Azure Template snippet
{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2022-03-01",
    "name": "AppServices",
    "properties": {
        "pricingTier": "Standard"
    }
}
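
To catch a missing or Free-tier plan before deployment, a template can be checked for this resource. The script below is an added example, not part of the original page or of any Microsoft tooling; its function names and sample templates are constructed for illustration, and it assumes the tier is written as a literal value rather than a template expression.

```python
import json

RESOURCE_TYPE = "microsoft.security/pricings"
PLAN_NAME = "appservices"


def iter_resources(resources):
    """Yield every resource in a template, including nested child resources."""
    for res in resources or []:
        if isinstance(res, dict):
            yield res
            yield from iter_resources(res.get("resources"))


def app_service_plan_tier(template):
    """Return the pricingTier declared for the AppServices plan, or None."""
    for res in iter_resources(template.get("resources")):
        # ARM resource types and names are compared case-insensitively.
        if (str(res.get("type", "")).lower() == RESOURCE_TYPE
                and str(res.get("name", "")).lower() == PLAN_NAME):
            return (res.get("properties") or {}).get("pricingTier")
    return None


def check_template(template_text):
    """Return (passed, message) for one ARM template given as JSON text."""
    tier = app_service_plan_tier(json.loads(template_text))
    if tier is None:
        return False, "no Microsoft.Security/pricings resource named AppServices"
    if str(tier).lower() != "standard":
        return False, f"AppServices pricingTier is {tier!r}, expected 'Standard'"
    return True, "AppServices pricingTier is Standard"


# Constructed sample templates, not taken from a real deployment.
COMPLIANT = """{"resources": [{"type": "Microsoft.Security/pricings",
  "apiVersion": "2022-03-01", "name": "AppServices",
  "properties": {"pricingTier": "Standard"}}]}"""
FREE_TIER = COMPLIANT.replace('"Standard"', '"Free"')
MISSING = '{"resources": [{"type": "Microsoft.Web/sites", "name": "app1"}]}'

if __name__ == "__main__":
    for label, text in [("compliant", COMPLIANT), ("free", FREE_TIER),
                        ("missing", MISSING)]:
        print(label, check_template(text))
```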

Configure with Bicep

To enable Defender for App Service:

  • Set the Standard pricing tier for Microsoft Defender for App Service.

For example:

Azure Bicep snippet
resource defenderForAppService 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'AppServices'
  properties: {
    pricingTier: 'Standard'
  }
}

Configure with Azure CLI

Azure CLI snippet
az security pricing create -n 'AppServices' --tier 'standard'

Configure with Azure PowerShell

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'AppServices' -PricingTier 'Standard'

Notes

This rule applies when analyzing resources deployed (in-flight) to Azure.