Ensure That Microsoft Defender for DNS Is Set To 'On'
Microsoft Defender for DNS scans all network traffic exiting from within a subscription.
Risk Level: High
Cloud Entity: Defender Plans
CloudGuard Rule ID: D9.AZU.MON.79
Covered by Spectral: No
Category: Security Center
GSL LOGIC
DefenderPlans where name='Dns' should have properties.pricingTier='Standard'
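The GSL rule above evaluated in code, as an added example that is not part of the CloudGuard page: it parses a constructed listing modelled on the JSON that `az security pricing list` returns (the "value" wrapper, the `name` field, and a flattened `pricingTier` alongside the ARM-style `properties.pricingTier` the GSL names are assumptions about the output shape), and reports whether the Dns plan is at the Standard tier. It generalises the check to any plan name so other Defender plan rules of the same form can reuse it.

```python
import json

# Constructed sample in the shape of `az security pricing list` output (assumed shape:
# a "value" array of pricing objects). The Dns plan is deliberately left at "Free"
# so the check reports non-compliance.
SAMPLE_PRICING_LIST = json.dumps({
    "value": [
        {"name": "VirtualMachines", "pricingTier": "Standard"},
        {"name": "Dns", "pricingTier": "Free"},
        {"name": "StorageAccounts", "pricingTier": "Standard"},
    ]
})


def _tier(plan: dict) -> str:
    """Pricing tier of one plan object; accepts both the flattened CLI field
    ("pricingTier") and the ARM shape ("properties.pricingTier") the GSL refers to."""
    tier = plan.get("pricingTier")
    if tier is None:
        tier = (plan.get("properties") or {}).get("pricingTier")
    return tier or ""


def plan_tier(pricing_json: str, plan_name: str) -> str:
    """Tier of the named Defender plan, or "" when the plan is absent.
    Names are compared case-insensitively because the CLI on this page writes
    'DNS' while the GSL and the API write 'Dns'."""
    data = json.loads(pricing_json)
    plans = data.get("value", []) if isinstance(data, dict) else data
    for plan in plans:
        if plan.get("name", "").lower() == plan_name.lower():
            return _tier(plan)
    return ""


def defender_dns_is_on(pricing_json: str) -> bool:
    """D9.AZU.MON.79: DefenderPlans where name='Dns' should have pricingTier='Standard'.
    A missing Dns plan is treated as non-compliant rather than as unknown."""
    return plan_tier(pricing_json, "Dns").lower() == "standard"


if __name__ == "__main__":
    status = "compliant" if defender_dns_is_on(SAMPLE_PRICING_LIST) else "NON-compliant"
    print(f"D9.AZU.MON.79 Defender for DNS: {status}")
```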
REMEDIATION
From Portal
- Go to 'Microsoft Defender for Cloud'.
- Click on 'Environment Settings' blade.
- Click on the subscription name.
- Select the Defender plans blade.
- Select 'On' under Status for DNS.
- Click Save.
From TF
Set the 'tier' and 'resource_type' arguments under 'azurerm_security_center_subscription_pricing' as below:
resource "azurerm_security_center_subscription_pricing" "example" {
  ...
  tier          = "Standard"
  resource_type = "Dns"
  ...
}
From Command Line
Use the command below to enable Defender for DNS.
Run
az security pricing create -n 'DNS' --tier 'Standard'
References
- https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/azure-dns-security-baseline
- https://learn.microsoft.com/en-us/cli/azure/security/pricing?view=azure-cli-latest
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing
Defender Plans
The Defender plans of Microsoft Defender for Cloud offer comprehensive defenses for the compute, data, and service layers of your environment.
Compliance Frameworks
- Azure CIS Foundations v1.5.0
- Azure CIS Foundations v2.0
- Azure CloudGuard Best Practices
- Azure NIST 800-53 Rev 5
- CloudGuard Azure All Rules Ruleset