
Set Microsoft Defender for ARM to the Standard tier

Security · Microsoft Defender for Cloud · Rule · 2023_03 · Critical

Enable Microsoft Defender for Azure Resource Manager (ARM).

Description

Microsoft Defender for ARM provides additional protection for control plane activities. It does this by detecting suspicious activities such as disabling security features or attempts at lateral movement.

Protection is provided by analyzing telemetry from Azure Resource Manager operations, which allows Microsoft Defender for Cloud to detect anomalous activities regardless of the tool used to perform the operation. For example: Azure CLI, Azure Portal, PowerShell, REST API, Terraform, etc.

When anomalous activities occur, Microsoft Defender for ARM shows alerts to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

Microsoft Defender for ARM can be enabled at the subscription level.

Recommendation

Consider using Microsoft Defender for Resource Manager to provide additional protection to control plane activities.

Examples

Configure with Azure template

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure Template snippet
{
    "type": "Microsoft.Security/pricings",
    "apiVersion": "2022-03-01",
    "name": "Arm",
    "properties": {
        "pricingTier": "Standard"
    }
}

Configure with Bicep

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure Bicep snippet
resource defenderForArm 'Microsoft.Security/pricings@2022-03-01' = {
  name: 'Arm'
  properties: {
    pricingTier: 'Standard'
  }
}

Configure with Azure CLI

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure CLI snippet
az security pricing create -n 'Arm' --tier 'standard'

Configure with Azure PowerShell

To enable Microsoft Defender for Resource Manager:

  • Set the Standard pricing tier for Microsoft Defender for Resource Manager.

For example:

Azure PowerShell snippet
Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'

Notes

This rule applies when analyzing resources deployed (in-flight) to Azure.
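
Because the plan is enabled per subscription, every subscription has to be checked separately. The following is an added example, not code from this page or from the rule's implementation: it evaluates exported `Microsoft.Security/pricings` resources, in the same shape as the template snippet above, and reports which subscriptions lack the Standard tier for the `Arm` plan. The subscription names, the per-subscription export layout, and the function names are assumptions made for illustration.

```python
import json

# Constructed sample: Microsoft.Security/pricings resources exported per
# subscription. Subscription names and the export layout are assumptions.
SAMPLE_EXPORT = json.loads("""
{
  "sub-prod": [
    {"type": "Microsoft.Security/pricings", "name": "Arm",
     "properties": {"pricingTier": "Standard"}}
  ],
  "sub-dev": [
    {"type": "Microsoft.Security/pricings", "name": "arm",
     "properties": {"pricingTier": "Free"}}
  ],
  "sub-sandbox": [
    {"type": "Microsoft.Security/pricings", "name": "VirtualMachines",
     "properties": {"pricingTier": "Standard"}}
  ]
}
""")


def arm_plan_tier(resources):
    """Return the pricing tier of the 'Arm' plan, or None if it is absent."""
    for res in resources:
        # Azure resource types and names compare case-insensitively.
        if (res.get("type", "").lower() == "microsoft.security/pricings"
                and res.get("name", "").lower() == "arm"):
            return (res.get("properties") or {}).get("pricingTier")
    return None


def audit(export):
    """Map each subscription to 'pass' or the reason it fails the check."""
    results = {}
    for sub, resources in sorted(export.items()):
        tier = arm_plan_tier(resources)
        if tier is None:
            results[sub] = "fail: 'Arm' plan missing or has no pricingTier"
        elif tier.lower() != "standard":
            results[sub] = f"fail: pricingTier is '{tier}'"
        else:
            results[sub] = "pass"
    return results


if __name__ == "__main__":
    for sub, outcome in audit(SAMPLE_EXPORT).items():
        print(f"{sub}: {outcome}")
```

A subscription with no `Arm` pricing resource in the export is reported as a failure rather than skipped, so a gap in the export is not mistaken for compliance.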
