Transcript for:
Comprehensive Overview of Microsoft Defender

Hello everyone. Welcome to the Microsoft Secure Technical Accelerator session. My name is Gopal Shankar, Product Manager within Microsoft Defender for Cloud. Today for this session, I have my colleagues, Nick Lake and Fernanda Vela, who are joining me to talk about Defender for Cloud.

In this session, we are going to first recap Microsoft's point of view on what a cloud-native application protection platform is. Then, we will make the CNAPP principles relevant to cybersecurity professionals by sharing some practical implementation strategies with Defender for Cloud. With digital transformation, securing the entire cloud lifecycle can be really complicated.

There are countless overlapping tools, and teams have to manually stitch together insights from multiple sources spanning from development to runtime. It's labor-intensive, it's slow, and it makes it too easy to miss critical vulnerabilities or misconfigurations. Instead, a better approach combines previously siloed capabilities into a simple all-in-one solution for end-to-end security.

At Microsoft, we believe in comprehensive and continuous security from code to cloud, and we deliver on that promise with Microsoft Defender for Cloud, our market-leading cloud security platform that protects across multi-cloud and hybrid environments. Defender for Cloud is a single cloud-native application protection platform that simplifies the complexity to provide visibility, integrated insights to prioritize critical risk, and built-in response tools to protect your environment. This means security integration, with visibility into DevOps, visibility across their multi-cloud environments, a prioritized view of their most critical vulnerabilities and misconfigurations, built-in governance and automated remediation tools, and the means to detect and respond to modern threats across their cloud workloads.

To address these needs, an effective CNAPP should combine capabilities across the entire cloud app lifecycle: DevOps Security Management, Cloud Security Posture Management, Cloud Workload Protection, Cloud Infrastructure Entitlement Management, and Network Security. First, let's start with prevention. On the Defender for Cloud platform, Defender CSPM, now generally available, helps security teams cut through the noise and focus on mitigating your most critical risks.

Defender CSPM provides contextual cloud security, including attack path analysis, Cloud Security Explorer, agentless vulnerability scanning, and data security posture management, which is available in public preview. Defender CSPM has key native integration across Microsoft's portfolio. Two critical callouts are, first, integration with Entra Permissions Management, Microsoft's Cloud Infrastructure Entitlement Management, to prevent permission creep and enforce the principle of least privilege. And second, integration of Defender External Attack Surface Management into the cloud security graph enables true identification of internet-exposed resources instead of relying on configurations and cloud APIs.

But for truly strong posture, you need to shift left and start secure from the code itself. That's why Defender CSPM is seamlessly integrated with Defender for DevOps to give customers one place to unify security management for the cloud and the development lifecycle, all in the Defender for Cloud platform.

Now that we've covered prevention, organizations also need to stay secure by detecting and responding to signs of breach across your multi-cloud environment. Cloud workload protection is a key solution to help organizations detect potential attacks and enforce policies at the early stages of an active threat. Detection and response to modern threats are already available today across AWS, GCP, and Azure. We are constantly adding new insights and workload coverage for threat protection.

At Microsoft Secure, we announced the Defender for Storage malware scanning feature, sensitive data threat detection, and detection of entities without identities, which we will deep dive into in a bit. In all, Microsoft has one of the most comprehensive cloud-native application protection platforms, integrated across Microsoft's security stack and leveraging our industry-leading AI that synthesizes 65 trillion signals a day to identify emerging threats and protect our customers.

With that, I'm going to pass it to Nick Lake, who's going to talk about CSPM and DevOps. Over to you, Nick. Hey, thanks, Gopal. As Gopal discussed, cloud-native application protection platforms need to facilitate better collaboration between security stakeholders.

Today's security admins are faced with three main complex scenarios when working to reduce risk across their environments. First, how can security admins gain full visibility of their multi-cloud environments and find the most important potential risks? Imagine having a to-do list.

If you had a thousand items on it, where should you start? We've contextualized the recommendations so you can focus your efforts on mitigating the most significant risks first. So, when another widespread vulnerability comes out, you can focus your patching campaign on those assets that are at the most risk. Second, how can security admins proactively explore and hunt for risks in their cloud environment to prevent future breaches? When I ran a SOC, we had outdated Visio diagrams and we were always trying to determine: if this thing gets compromised by an attacker, where can they go and what can they steal?

It was a struggle and an exercise that often ended prematurely and with inconclusive results. And finally, how can security admins be informed with operational expectations like due date and accountability or ownership, so that they know that these misconfigurations are being actioned in a timely manner? On the data awareness aspect Gopal mentioned, organizations are moving their data, and especially their sensitive data, at an exponential scale to the cloud. Research shows that organizations' top data concerns are loss of sensitive data, improper configurations, and unauthorized access. And that's because most of the reported incidents take advantage of misconfigurations that the security teams aren't even aware of.

We need tools and processes to help security professionals work more efficiently with context. Today, I'd like to share with you how CSPM capabilities within Defender for Cloud can help security admins reduce recommendation fatigue and conduct efficient risk prioritization and risk hunting with context in multi-cloud environments. As a customer, you have two options. You can use the foundational CSPM, which is all of the capabilities that you are used to. But to help focus on your biggest risks,

we've introduced Defender CSPM, which has a bunch of capabilities that will help in identifying and reducing your risk, such as agentless vulnerability scanning, so that you can have breadth and depth coverage, as well as help identifying secrets and keys on your machines; more insights for attack paths from Defender for DevOps, Defender External Attack Surface Management, and Entra Permissions Management; contextualization features to help prioritize your work efforts; governance capabilities; and importantly, a lens into the data layer to help reduce the risk of data breaches.

To stay ahead of attackers, teams need to have a layer of data awareness when managing their cloud security posture. First, they need to be able to automatically discover their cloud data estate, all of their managed and shadow data resources in use across their multi-cloud environments. This includes all data stores, be it an object store or a database. Continuous discovery of your data estate lets security teams keep up with the dynamic nature of cloud data. Second, security teams need to know their data resources' security attributes.

That means knowing where the sensitive data is stored, who can access it, how the data flows by exploring data resources in use, and their network or access controls. Having that level of visibility helps identify risks of data exposure, data breach, and prioritization of the most effective remediation. At Microsoft, we believe that securing your data in the cloud is an important part of a comprehensive cloud security strategy. Defender for Cloud helps security teams discover the different types of data that exist within their multi-cloud environments, determine access and sensitivity, and identify cases of lacking access controls and other misconfigurations.

Defender for Cloud now automatically discovers cloud data resources and shadow data across your multi-cloud environments and connects it to the cloud security graph. In addition, we add critical security context related to the data itself, so you know its sensitivity, networking, and access controls. Let's jump into the portal and take a look at what I'm talking about.

For my demos, I have three different scenarios that I'd like to show. First up, as a security admin, I need to monitor the security in my environment and identify potential risks that an attacker can use to breach the environment. On the recommendations page, I can see a bunch of resources with outstanding recommendations, probably more than most organizations can action in a reasonable amount of time.

This is great information to have, but there's no contextualization being applied. If I were to have 1000 virtual machines with vulnerabilities, I don't get any indication of whether this machine is publicly exposed, whether any of the vulnerabilities are remotely executable, or what that virtual machine may have access to. I want to focus on the most important ones and take actions to resolve them. Using the attack path analysis capabilities, Defender for Cloud scans the graph and detects exploitable paths. It helps you mitigate them and prevent future breaches.

Let's explore and review the list of attack paths found. Defender for Cloud identified several attack paths in my environment. For Azure and AWS virtual machines, Defender for Cloud found vulnerable and exposed instances allowing for compute abuse.

For Kubernetes containers, Defender for Cloud found vulnerable running images allowing for remote code execution. And for data resources, we found exposed object stores containing sensitive data and exploitable SQL servers. Now, let's examine two attack paths to understand how it works. Let's focus on this attack path: "Internet exposed virtual machine has high severity vulnerabilities and read permission to a key vault."

The title of the attack path gives away what's going to happen at the end of this. But what I'd like to do is start from the left and work my way to the right and just show you some cool things about this capability. When you see a resource that has a little light bulb, that means Microsoft has an insight about this resource.

So if we go and look at this public IP address, we can see that Defender External Attack Surface Management has identified this asset as being exposed to the internet. Skipping over to the virtual machine, we can see its basic information, such as the cloud provider, which subscription it's in, and its resource group. We can also see the exposure rule on why Microsoft says that this device is exposed to the internet.

We can also get a list of all of the high-severity vulnerabilities that exist on this machine. And drilling down even further, we can see which of those vulnerabilities are susceptible to a remote code execution attack.

Going further to the right, we can see that the remote code execution attack is a very common problem. You can see that this virtual machine can authenticate as this managed identity all the way over to a key vault. So if this machine were to be compromised, you can reasonably ascertain that the attacker would now have access to secrets inside of the key vault.

This severe combination of issues allows attackers to exploit a vulnerability and move laterally in my environment. As a result, Defender for Cloud suggests resolving relevant vulnerabilities to break the attack path and reduce risk. To remediate, let's open the relevant recommendations.

Here we can see the relevant recommendations that would, if resolved, remove this avenue of attack. Using the integrated governance capabilities, I can see who, if anyone yet, was assigned ownership of this recommendation. In this case, someone was assigned, and they are well past their target.

Defender for Cloud can be configured to send them and their manager a reminder every week. But now I know who I can directly reach out to and see why this hasn't been completed yet. Let's go back to the attack paths and investigate another interesting use case.

Using the integrated data-aware security posture capabilities, we're now able to identify attack paths related to sensitive data. Here, I can see I have a small handful of storage account containers which contain sensitive data and are completely open to the internet. If we drill down to each container, I can see examples of the files in the storage account container, whether it has a sensitivity label applied, and the different types of data that are exposed. I'm going to notionally decide that storage accounts shouldn't be exposed and make sure an owner is assigned to remediate the recommendations.

So again, like we did last time, we go over to the specific recommendation, click Assign owner, and work through the steps to make sure that an owner is assigned and getting regular updates. To summarize, using attack path analysis, Defender for Cloud identifies the riskiest issues in your multi-cloud environments and helps you to resolve them fast to prevent future breaches.

In addition, using the integrated governance capabilities allows you to achieve accountability and drive remediation quickly. For my next demonstration, I'd like to show how we can hunt through our entire multi-cloud estate for misconfigurations. Let's notionally fast forward in time and say that I've gotten comfortable with the attack paths and I'm ready to start digging into my environment using a logic flow that I've created. I want to proactively understand the pain points of my environment and look for exposed VMs with a specific vulnerability, or internet-exposed resources with sensitive data. The Cloud Security Explorer allows you to customize Defender for Cloud findings and run custom queries on top of the graph.

You can start by building a query from scratch, or by adjusting one of the predefined templates. Let's build a query together from scratch and look for all Azure machines or AWS machines that are vulnerable to the OpenSSL v3 vulnerability.

So for the first part of my query, we've just selected all AWS EC2 instances and Azure virtual machines. And when we run this query, you can see that I get 177 total virtual machines. But this isn't what I want.

I need more granular information. We also want to focus on a specific vulnerability, and we're going to do that by CVE ID. So the OpenSSL v3 vulnerability was CVE-2022-3786, as well as CVE-2022-3602, if memory serves me correctly, and search. And now I have six. This is great, but I still want to narrow this down more by saying only show me the internet-exposed ones.

So we can add another condition for networking, and let's say it's exposed to the internet. And I took that list from originally 177 all the way down to three. And these would be the first three machines that I would want to patch. Lastly, using the data-aware security posture capabilities, I can also hunt for specific cases of sensitive data which is exposed to the internet. Let's select data services.

Just go with all of them. And you can see we have 566 results. Let's narrow it down a bit to those that are exposed to the internet. We drop to 183. Adding that they also contain sensitive data, you can see we've gone all the way down to seven total resources. If we click on this S3 bucket, we can again see what the exposure rule was, whether a sensitivity label was applied, and what type of sensitive info resides in that S3 bucket, as well as the file samples. To summarize, the Cloud Security Explorer helps you query the graph for your own custom findings to meet your organization's specific needs.

The last thing I'd like to show here is with regard to our governance capabilities. We've mentioned the governance capabilities quite a few times now, and we've looked at seeing the owner, but as a security admin, I want to see and track the overall progress towards remediation and be aware of any overdue items in my environment. Our first high-level view shows you your progress across your environments, but we can drill down all the way to the assigned individual to see how many overdue recommendations and affected resources each has.

If you've created governance rules, the other view that will be extremely beneficial to use is the governance report workbook. Here we can see that I have just three rules set up in the environment, and I can drill all the way down into each rule to see what the status is per recommendation, whether it is on time or overdue, and then all the way down to the individual resource. From here, I want to shift gears completely and talk about the cloud-native application protection platform implementation based on Defender for DevOps capabilities. Security admins already have a lot on their plate.

Additionally, there are some unique challenges shifting to the DevSecOps context. Security and development teams continue to operate in silos, and don't have a shared view into the DevOps security posture. What's more, security tools are not equipped to keep pace with developer velocity.

These factors mean security admins are wasting precious time tracking down issues and delaying fix rates. Cloud security should be a team sport, and we need to look across code to cloud to think about how we can reduce overall risk in the cloud environments while still allowing developers to build solutions. Defender for DevOps helps unify, strengthen, and manage multi-pipeline DevOps security. With Defender for DevOps, we get unified visibility into DevOps security posture. Security administrators now have full visibility into DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans.

We can strengthen cloud resource configurations through the development lifecycle with infrastructure as code scanning and container image scanning. We can minimize cloud misconfigurations reaching production environments, thereby allowing security administrators to focus on any critical evolving threats. We can prioritize the remediation of critical issues in code by applying comprehensive code-to-cloud contextual insights within Defender for Cloud.

Security admins can help developers prioritize critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows, feeding directly into the tools developers use and love. In the following demo, we'll take a look at how Defender for DevOps unifies security of cloud applications and improves communication between developers and security teams.

All right, let's head over to the DevOps Security blade. First, we can see some basic information about the repositories that we have connected. On the right-hand side, you can see that I have one GitHub and one Azure DevOps connector.

And below that is the number of repositories that were auto-discovered. In the middle, we can see a summary of the code scanning vulnerabilities, secrets exposed, and open-source software vulnerabilities. And on the left-hand side is a roll-up KPI with all scan results for all of the repositories that I have onboarded.

There are three scenarios I want to highlight: infrastructure as code, PR annotations, and integration with Cloud Security Explorer. Let's go ahead and take a look at an infrastructure-as-code scanning recommendation. If you know what you're looking for, you can go ahead and use this filter capability.

In the context blade, you'll see a detailed description of the finding. In this case, that a managed identity should be used in our web app. In the additional information section, you can see the branch, the files, and the URL of the build.

Now let's take a look at this from the developer's lens. Here you can see the same information being presented to developers, all without having to leave their toolchain of choice. Heading back to Microsoft Defender for Cloud.

A new feature allowing security admins to better communicate with developers is through pull request annotations. We've already enabled pull request annotations in the Contoso Hotels repository, so let's look at an exposed secret in source code. If we look at the Contoso Hotels ADO, we can see that we have two exposed secrets in the source code.

Once we drill down to the recommendation, we can see each of the two secrets that have been committed. Now, let's look and see what the developer sees in the pull request. So when we look at the pull request, we can see that we were able to identify this secret inside of the source code.

These pull request annotations contain the same information that we saw in the Defender for Cloud portal, and they allow security operations to communicate directly with the developers that checked in the secret. Once you find a secret in your source code, we can't stress enough that you need to take action. At a minimum, remove the secret and invalidate it.

You can also consider alternative methods that don't expose secrets in your source code, such as using Azure Key Vault or managed identities in Azure Active Directory. The last thing I want to show you all is how Defender for DevOps helps you prioritize critical issues with code-to-cloud contextualization. Let's head over to the Cloud Security Explorer and build another custom query.

We're going to begin by selecting all of our repositories. You can see that we have 25, but we're only going to look for secrets inside of our GitHub repos. So we're going to select the recommendation where the title is "Code repositories should have code scanning findings resolved." And you can see we have six repos that have code scanning findings, but we just want to focus on ones that are publicly exposed. And you can see that this graph query returned one repository that is publicly accessible and contains a credential in code.

Code repositories should absolutely have these vulnerabilities resolved. Now, security teams can quickly find and prioritize the most critical remediation issues in repositories. And now we're going to turn it over to Fernanda for the cloud workload protection scenarios. Thanks, Nick, for sharing. Microsoft Defender for Cloud offers workload protection that quickly detects threats on multi-cloud and hybrid environments.

The detection layer is resource-specific and generates contextual alerts that are mapped to the MITRE ATT&CK framework. Microsoft Defender for Cloud has wide coverage, protecting servers, databases, containers, and storage, and it also offers ever-growing workload protection in AWS, GCP, and on-premises. Now, let's dive into one of these offers that we bring, which is called Defender for Storage.

Microsoft Defender for Storage is a native layer of security that's built right into Azure and detects unusual and potential threats to your storage accounts. It uses activity monitoring and Microsoft Threat Intelligence data to provide contextual security alerts. Those alerts also include steps to mitigate the detected threats and prevent future attacks. Our mission is to protect customers from the top three big issues within cloud storage. One of them is malware upload that we will dive into in a few minutes.

The other one is exfiltration of sensitive data, because storage services are used to keep sensitive business and customer information. And the third one is data corruption. If malicious actors gain access to the cloud storage, they can modify, encrypt, or delete data. Defender for Storage offers a rich detection suite that covers blob storage, file shares, and Azure Data Lake Storage Gen2. We look at who accessed the storage account and what they did there.

We look at the storage telemetry logs. We build models from them. And that's how we learn what regular behavior looks like and find suspicious actors or actions. We can then find malicious insiders and key leaks, for example. After that, we cross these models with Microsoft Threat Intelligence, which is constantly being updated with, for example, malicious IP addresses and providers, malicious applications, and phishing campaigns. At Microsoft Secure, we announced three new advancements within cloud storage. The first one is Sensitive Data Threat Detection, which works by using sensitive data discovery to efficiently prioritize and examine security alerts by considering the sensitivity of the data that could be at risk, leading to better detection and preventing data breaches.

This is powered by Defender for Cloud's new sensitive data discovery agentless engine. It can easily be connected to Microsoft Purview's sensitive information types and labels to use a single set of settings across your organization. The second announcement is new entities without identities detections. Defender for Storage analyzes data from both the control and the data plane, where actors can use keys or SAS signatures to access and modify data.

These entities without identities would otherwise be invisible. We have now added new detections to catch suspicious patterns of shared access signature tokens that indicate a high chance of abuse by bad actors. SAS tokens can leak if someone accidentally shares a token somewhere public, like code repositories, or if it gets stolen.

With Defender for Storage, you will get security alerts when this kind of thing happens, so you can tighten up your security and make sure no one gets access to your data that shouldn't. And the third announcement is malware scanning. When untrusted content is uploaded to your storage, there is significant risk that malicious files would be uploaded to the storage, and then maybe downloaded and infect apps or other consumers. That's why it's important to use malware scanning in cloud storage.

With this built-in near real-time malware scanning capability, scan results are returned for each file type, allowing automated response and quick handling of malicious files. So let's take a look at a common scenario that can benefit from malware scanning. Workload owners usually have an application that is connected to a storage account.

Users upload content to that application, and it is then uploaded to the storage account. Before this malware scanning capability came along, Defender for Storage would use hash reputation analysis supported by Microsoft Threat Intelligence to determine whether an uploaded file was suspicious. Now, this new malware scanning feature performs a full scan of the content, detecting metamorphic and polymorphic malware.

Setting up this capability at scale is simple. It doesn't require any agents to be deployed. Let's share now a demonstration of how you can do it. The new capabilities announced at Microsoft Secure will be included in a new Defender for Storage plan. The legacy plan that was charged per transaction was renamed to Defender for Storage Classic.

The new releases and all future features will be added only to the new plan. In this demonstration, we will show how to enable Defender for Storage in three scenarios.

Enabling on a new subscription, enabling on the resource level, and migrating from the classic Defender for Storage plan to the new one. We will also show how the malware scanning feature works, the scan results, and the security alerts it generates. We will also show how I can set up an automation to remove malicious files from my protected storage accounts. To enable, we will go into Microsoft Defender for Cloud.

From there, we will select Environment Settings. Here, I will select the subscription that I want to protect. Once I click on it, I can see all the Defender plans available for me to enable.

In this case, I'm interested in enabling Defender for Storage. We recommend enabling Defender for Storage on the subscription level. That means that all storage accounts in the subscription will be protected, including future ones.

We also know some teams need more granular control and want to exclude or include certain storage accounts. We will share more on how to do that later. Since I want to protect my full subscription, I'm going to click on the toggle button to select On. Once I have this plan enabled, we can see Full in the monitoring coverage column below. I can also go into settings, where I see I have two configurable components, malware scanning and sensitive data discovery. Within malware scanning, I can set a limit of GB scanned per month per storage account.

This helps customers control their costs. For this demonstration, I will leave the default value of 5000 GB per month per storage account. The second component, Sensitive Data Discovery, will automatically and in an agentless way discover storage accounts that have sensitive data. I will also leave this on to have the full coverage of Defender for Storage in my subscription.

This Defender for Storage enablement process we just did through the user interface can also be done at scale by using your preferred method, such as the REST API, a Bicep template, a Terraform template, or an ARM template. You can see how to use each one of these in the Defender for Storage documentation. In the user interface, I will now click on the Save button to have these settings applied to my environment.

We're now protected with Defender for Storage, so let's see our malware scanning feature in action. For this demonstration, I will start with protecting a core application in my tenant.

This is my Contoso Finance audit application. It's tax season, so it's great timing to enhance this application's protection. So here's how it works.

When I upload content to this application, it is going to be uploaded to my storage account. Let's try with a benign document that is not infected. When we go to the blob container of my storage account and see the file, I can go into its properties and see, under the blob index tags, the malware scanning scan result. It gives me the value "No threats found" and includes the time when the scan was performed. For today's demonstration, I will upload an EICAR file that helps me easily simulate malware.

You can also find instructions on how to simulate this in our documentation. EICAR files can also easily be caught by hash analysis, but Defender for Storage does a lot more than that and will also catch the latest polymorphic and metamorphic malware. As soon as the file reaches my storage account, Defender for Storage will immediately read that content, scan it, and catch the malicious file. This time, when I look at the file, I can see the index tag has a different result. This file was detected as malicious.

Developers can easily set up automation based on these index tags. Another great way to set up automations is by using the Event Grid configuration. Defender for Storage will send all scan results to a custom Event Grid topic, allowing event-driven automations in function apps, webhooks, event hubs, and Service Bus queues to delete the malicious file or move it to another storage account to quarantine it.

Upon detecting malware, Defender for Storage also automatically generates a security alert in Defender for Cloud. You can connect Defender for Cloud to any SIEM solution so your SOC team can investigate the alert. Many compliance standards require incoming content from untrusted sources to be scanned for malware. Some customers tell us they would like to have evidence of each scan. And Defender for Storage allows you to easily do that by sending the scan results to Log Analytics.

Let's see now how you can test the malware scanning in your environment. I will go to one of my storage accounts where I will start uploading content. From there, I will go to my container where my files will live.

Now, I will manually upload an EICAR file using Azure's user interface. As soon as I upload it, Defender for Storage will catch it. I will go to the blob index tag and we'll see almost instantly that the file was detected as malicious.

Defender for Cloud will generate a security alert as soon as a malicious file is detected in my storage account. If I go into Defender for Cloud and then into the security alerts section, I can see a security alert called "Malicious file uploaded to storage account".

I will click on it to see its full details. Within this alert, I have on the left side the severity, the time it was detected, the alert description, and the MITRE ATT&CK tactic related to this attack. On the right side, I have information such as the affected resource and the file name with its hashes and ETags. We also have the blob container where it was uploaded, as well as the identified malware. The security alert lets me investigate further by providing additional details on what happened and links to the expert knowledge on this malware type in Microsoft Security Intelligence.

As I mentioned before, the best practice is to enable Defender for Storage at scale on your subscriptions. But in certain cases, customers tell us they need a more granular approach.

We support both exclusion of certain storage accounts, as well as enabling it only on some storage accounts within a subscription. I would like to show you how to enable Defender for Storage on a specific storage account. First, we will navigate to our storage account where we want to enable this feature. In this case, it's the Ninja SAM storage account. From the storage account, we will navigate to the Microsoft Defender for Cloud tab on the left side.

From there, I can enable the new Microsoft Defender for Storage plan with its two components: malware scanning and sensitive data threat detection. I will click enable on the storage account to protect this specific resource.

We have probably tackled two scenarios that you have in your organization, but you might be wondering what happens if you already have subscriptions with the Defender for Storage Classic plan and you want to upgrade to the new plan. Let's see how to do it. We are now navigating to the subscription protected by the classic plan.

In order to use the new plan, we'll need to migrate from the classic plan to the new Defender for Storage plan. This is very similar to how you normally enable Defender for Cloud on a subscription. I will go into Microsoft Defender for Cloud and hit the environment settings.

From there, I will select the relevant subscription. Remember that all these enablement scenarios can be done through the Azure portal, Azure Policy, Terraform, Bicep, and ARM templates. As you can see, we're going into the Defender for Storage plan we have listed in the Defender plans, and we have a clickable message saying "New plan available".

If we click on it, a new side menu will appear. The side menu will show information about what the new Defender for Storage plan covers, the new pricing plan that's available, and the configurable capabilities that we can define. In this case, we will enable the on-upload malware scanning feature. Notice that we have the option to set a limit of GB scanned per month per storage account.

We will keep everything as default and migrate this subscription from the Defender for Storage Classic plan to the new Defender for Storage plan. After you select confirm changes and click the save button at the top of the screen, your migration to Defender for Storage will be completed. As we mentioned at the beginning of this demonstration, there are many ways to configure automations based on index tags and Event Grid events. Another method is to set up a response triggered by the security alert.

The one we will show now is a logic app based on Microsoft Defender security alerts, which is a simple, no-code approach for setting up a response. The response time will be slower than the code-based approach. To create this logic app, within our Microsoft Defender for Cloud GitHub community we have one template called "remove malware blob" that we're going to use. From here, I will just complete the resource group, the region, and the playbook name to deploy this template.

As soon as it is created, I can go into my resource group and click the refresh button until it comes out. We can see from here that two resources were created: one of them is an API connection and the other one is the Logic App. Now I have to add a role assignment to allow my Logic App to delete blobs from my storage account. So I will go to my Logic App and then hit the Identity button in the side menu. Then from there, I'm going to click on Azure Role Assignments.

Here, I will add a role assignment at the subscription level with the role Storage Blob Data Contributor. Once I have that, I will create a workflow automation for Microsoft Defender for Cloud alerts. I will go to Microsoft Defender for Cloud in the Azure portal.

I will go into workflow automations in the side menu. Then from there, I'm going to click add a new workflow. I will fill in all of these fields, for example the name; I can add a description; I can select the subscription. But the thing that is very important here is that in the "alert name contains" field we will put "Malicious file uploaded to a storage account". Then from there we're going to choose the logic app in the action section. Once I'm done, I'm going to hit the create button to have this set up, and from here I can quickly test this. So I'm going to go into my storage account, go into the containers, select my container, and then from there I'm just going to upload a malicious file.

As soon as I upload my malicious file, I can click the refresh button and I'm going to see that the malicious file is gone. And that's it! Now over to Gopal.

Thank you, Fernanda and Nick, for the great demos. To recap, with accelerated digital transformation and data migration, it's critical to protect sensitive data and mitigate risk across your Cloud resources. Organizations need comprehensive Cloud security to start secure with DevOps, and stay secure with posture hardening and advanced threat protection.

Microsoft's Cloud Native Application Protection Platform provides an end-to-end approach to multi-cloud security with centralized visibility, contextual insights, and integrated workload protection to prevent, detect, and respond to attacks from code to cloud. Defender for Cloud is the only CNAP that benefits from the scale of being a major cloud provider, accessing insight from over 65 trillion threat intelligence signals. It also has the broadest native protection across posture management, workload protection, endpoint security, DevOps and code security, identity and access management, and external service management. All these capabilities are brought together in one Defender for Cloud platform so our customers can focus on what matters most when protecting their Cloud environments. That brings us to the end of this session.

So if you're interested, don't forget to sign up for a free trial of Defender for Cloud and check out our innovations in Defender CSPM, Defender for DevOps, and Defender for Storage. Thanks everyone for joining our session today. We hope you enjoyed the session. Have a great day.
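Added example (not part of the session transcript and not Microsoft's code): the decision logic behind the event-driven quarantine the demo describes, the code-based alternative to the "remove malware blob" logic app. It parses a batch of Event Grid events of the kind Defender for Storage publishes for each scan, checks the blob index tag the demo shows, and decides whether a subscriber should allow, quarantine, reject or escalate. The event type name and the `data` field names (`blobUri`, `eTag`, `scanResultType`, `scanResultDetails`) follow the documented schema as recalled here and are assumptions, as are the account names, the `quarantine` container and the sample events, which are constructed rather than captured; the actual blob move and delete calls are left to the caller so the block runs offline without Azure credentials.

```python
"""Decide what to do with a blob from a Defender for Storage scan event.

Added example, not code from the session or from Microsoft. Field names in
the Event Grid payload are assumptions based on the documented schema.
"""
import json
from urllib.parse import urlparse

# Assumed Event Grid event type for Defender for Storage scan results.
MALWARE_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"
# Blob index tag written by on-upload scanning (shown in the demo).
INDEX_TAG_RESULT = "Malware Scanning scan result"
# Tag / scanResultType value written when nothing was found.
CLEAN_RESULT = "No threats found"


def parse_blob_uri(blob_uri):
    """Split https://<account>.blob.core.windows.net/<container>/<blob> into parts."""
    u = urlparse(blob_uri)
    if u.scheme != "https" or not u.netloc.endswith(".blob.core.windows.net"):
        raise ValueError(f"not an Azure Blob https URI: {blob_uri!r}")
    account = u.netloc.split(".", 1)[0]
    container, _, blob = u.path.lstrip("/").partition("/")
    if not container or not blob:
        raise ValueError(f"URI missing container or blob name: {blob_uri!r}")
    return account, container, blob


def is_blob_clean(index_tags):
    """Fail closed: a blob counts as clean only if the scan tag says so explicitly."""
    return index_tags.get(INDEX_TAG_RESULT) == CLEAN_RESULT


def decide_action(event, trusted_accounts, quarantine_container="quarantine"):
    """Return (action, details) for one event; action is ignore/reject/allow/quarantine/review."""
    if event.get("eventType") != MALWARE_EVENT_TYPE:
        return "ignore", {"reason": "not a malware scan result"}
    data = event.get("data") or {}
    try:
        account, container, blob = parse_blob_uri(data.get("blobUri", ""))
    except ValueError as exc:
        return "review", {"reason": str(exc)}
    # Only act on accounts this automation owns: a subscriber must never delete
    # blobs elsewhere on the strength of a payload it did not verify.
    if account not in trusted_accounts:
        return "reject", {"reason": f"untrusted storage account {account}"}

    result = data.get("scanResultType")
    details = data.get("scanResultDetails") or {}
    if result == "Malicious":
        return "quarantine", {
            "source": f"{account}/{container}/{blob}",
            "destination": f"{account}/{quarantine_container}/{blob}",
            "etag": data.get("eTag"),  # lets the caller make the move conditional
            "malware": list(details.get("malwareNamesFound", [])),
            "sha256": details.get("sha256"),
        }
    if result == CLEAN_RESULT:
        return "allow", {"source": f"{account}/{container}/{blob}"}
    # Scan failures or unknown result types go to a human; they are never treated as clean.
    return "review", {"reason": f"unhandled scan result {result!r}"}


def process_events(events, trusted_accounts):
    """Map event id -> (action, details) for a batch delivered by Event Grid."""
    return {e["id"]: decide_action(e, trusted_accounts) for e in events}


# Constructed sample batch (not captured from a real subscription).
SAMPLE_EVENTS = json.loads("""[
  {"id": "ev-1", "eventType": "Microsoft.Security.MalwareScanningResult",
   "data": {"blobUri": "https://contosofinance.blob.core.windows.net/uploads/eicar.txt",
            "eTag": "0x8DB1", "scanFinishedTimeUtc": "2023-04-10T12:00:00Z",
            "scanResultType": "Malicious",
            "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"],
              "sha256": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"}}},
  {"id": "ev-2", "eventType": "Microsoft.Security.MalwareScanningResult",
   "data": {"blobUri": "https://contosofinance.blob.core.windows.net/uploads/2023/return.pdf",
            "eTag": "0x8DB2", "scanResultType": "No threats found", "scanResultDetails": {}}},
  {"id": "ev-3", "eventType": "Microsoft.Security.MalwareScanningResult",
   "data": {"blobUri": "https://someoneelse.blob.core.windows.net/uploads/x.exe",
            "scanResultType": "Malicious"}},
  {"id": "ev-4", "eventType": "Microsoft.Storage.BlobCreated",
   "data": {"url": "https://contosofinance.blob.core.windows.net/uploads/a.txt"}},
  {"id": "ev-5", "eventType": "Microsoft.Security.MalwareScanningResult",
   "data": {"blobUri": "https://contosofinance.blob.core.windows.net/uploads/big.iso",
            "scanResultType": "Scan failed - file too large"}}
]""")

if __name__ == "__main__":
    for event_id, (action, details) in process_events(SAMPLE_EVENTS, {"contosofinance"}).items():
        print(event_id, action, details)
```

The two choices worth copying into a real subscriber are the fail-closed defaults: a missing or unfamiliar scan result is escalated rather than treated as clean, and an event naming a storage account the automation does not own is rejected before any delete is attempted, which matters because the Logic App in the demo was granted Storage Blob Data Contributor at subscription scope.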