Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected

Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in Microsoft Defender for Cloud.

Risk Level: High
Cloud Entity: Defender Integrations
CloudGuard Rule ID: D9.AZU.MON.72
Covered by Spectral: Yes
Category: Security Center

GSL LOGIC

DefenderIntegrations where name='WDATP' should have properties.enabled=true
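
The same check applied offline, as an added Python example (not CloudGuard's own code): it evaluates the rule against bodies shaped like the Microsoft.Security settings list response. The subscription names and sample data are constructed, and reporting a missing WDATP entry as MISSING is this example's own choice.

```python
import json

# Constructed sample: per-subscription bodies shaped like the response of
# GET .../providers/Microsoft.Security/settings (placeholder subscription names).
SAMPLE = json.loads("""
{
  "sub-a": {"value": [
    {"name": "MCAS",  "kind": "DataExportSetting", "properties": {"enabled": true}},
    {"name": "WDATP", "kind": "DataExportSetting", "properties": {"enabled": true}}]},
  "sub-b": {"value": [
    {"name": "WDATP", "kind": "DataExportSetting", "properties": {"enabled": false}}]},
  "sub-c": {"value": [
    {"name": "MCAS",  "kind": "DataExportSetting", "properties": {"enabled": true}}]},
  "sub-d": {"value": [
    {"name": "WDATP", "kind": "DataExportSetting", "properties": {"enabled": "true"}}]}
}
""")


def check_wdatp(settings_response):
    """Evaluate: name='WDATP' should have properties.enabled=true.

    Returns (status, detail); status is PASS, FAIL or MISSING.
    """
    for setting in settings_response.get("value", []):
        if setting.get("name") != "WDATP":
            continue
        enabled = (setting.get("properties") or {}).get("enabled")
        if enabled is True:
            return "PASS", "integration enabled"
        if isinstance(enabled, str):
            # This example requires a JSON boolean; a quoted "true" is flagged.
            return "FAIL", f"enabled is the string {enabled!r}, expected boolean true"
        return "FAIL", f"enabled={enabled!r}"
    # Assumption of this example: absence is reported separately for triage.
    return "MISSING", "no WDATP setting in response"


def audit(responses):
    """Map each subscription to its (status, detail) result."""
    return {sub: check_wdatp(body) for sub, body in responses.items()}


if __name__ == "__main__":
    for sub, (status, detail) in sorted(audit(SAMPLE).items()):
        print(f"{sub}: {status} ({detail})")
```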

REMEDIATION

From Portal

  1. Go to 'Microsoft Defender for Cloud'.
  2. Click on the 'Environment Settings' blade.
  3. Select the 'Security policy' blade.
  4. Click on 'Edit Settings' to alter the security policy for a subscription.
  5. Select the 'Integrations' blade under Settings.
  6. Check/Enable option 'Allow Microsoft Defender for Endpoint to access my data'.
  7. Click Save.

From TF
Set the 'setting_name' and 'enabled' arguments under 'azurerm_security_center_setting' as below:

resource "azurerm_security_center_setting" "example" {
	# WDATP is the Microsoft Defender for Endpoint integration setting
	setting_name = "WDATP"
	enabled      = true
}

From Command Line
Run the command below to enable the Microsoft Defender for Endpoint integration:

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/settings/WDATP?api-version=2021-06-01" -d @input.json'

Where input.json contains the request body JSON shown below.
{
  "id": "/subscriptions/YOUR-SUBSCRIPTIONID/providers/Microsoft.Security/settings/WDATP",
  "kind": "DataExportSetting",
  "type": "Microsoft.Security/settings",
  "properties": {
    "enabled": true
  }
}

References

  1. https://learn.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows
  2. https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_setting

Defender Integrations

To enable Defender for Cloud to integrate with other Microsoft security services

Compliance Frameworks

  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v. 2.0
  • Azure CloudGuard Best Practices
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset