Skip to content

Set Microsoft Defender for ARM to the Standard tier#

Security · Microsoft Defender for Cloud · Rule · 2023_03

Enable Microsoft Defender for Azure Resource Manager (ARM).

Description#

Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.

Protection is provided by analyzing telemetry from Azure Resource Manager operations. Which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.

When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

Microsoft Defender for ARM can be enabled at the subscription level.

Recommendation#

Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.

Examples#

Configure with Azure template#

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure Template snippet
{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2022-03-01",
    "name": "Arm",
    "properties": {
        "pricingTier": "Standard"
    }
}

Configure with Bicep#

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure Bicep snippet
resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Arm'
  properties: {
    pricingTier: 'Standard'
  }
}

Configure with Azure CLI#

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure CLI snippet
az security pricing create -n 'Arm' --tier 'standard'

Configure with Azure PowerShell#

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'

Notes#

This rule applies when analyzing resources deployed (in-flight) to Azure.


Last update: 2023-02-19

Comments