This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud as a whole, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.
Two DevOps platforms are currently covered by Defender for DevOps: GitHub and Azure DevOps. This article goes into detail about Azure DevOps Services.
If you'd like to also learn about the GitHub connector with Microsoft Defender for DevOps, then check out this article here.
Microsoft Defender for DevOps with Azure DevOps provides security teams with visibility into the security posture of their Azure DevOps environments, while also giving developers and DevOps teams a simplified remediation experience for pre-production vulnerabilities and misconfigurations.
With Defender for DevOps, security administrators get full visibility in a single view of the DevOps inventory and the security posture of pre-production application code. Through the Microsoft Security DevOps extension, you can run a collection of static analysis tools against code in Azure DevOps using Azure Pipelines. These tools include ESLint, which scans JavaScript code for security issues; Bandit for Python code; Terrascan for Infrastructure as Code (IaC) scanning of Terraform (among other formats); Template Analyzer for IaC scanning of ARM templates and Bicep files; and AntiMalware scanning on Windows agents using Windows Defender (not open source, and Windows Defender must be enabled on the Windows agent for it to run). See more here.
Teams can gather comprehensive code to cloud contextual insights within Defender for Cloud. Security admins can also help developers prioritize critical code fixes with Pull Request annotations.
To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in Azure DevOps and in Microsoft Defender for Cloud.
Create an Azure DevOps Trial subscription in the same tenant as your Azure subscription where you use Microsoft Defender for Cloud. See here.
Then create an organization in Azure DevOps.
Next, you need the following permissions:
- Project Collection Administrator role in Azure DevOps, in order to enable the connector from within Azure DevOps, as described here.
- Administrator privileges in the Azure DevOps organization in order to install the Microsoft Security DevOps extension (the extension installs all of the security scanning tools), as described here.
- Defender for Cloud permissions (specific to Defender for DevOps), described here:
  - An Azure account with permissions to sign in to the Azure portal
  - Contributor role on the relevant Azure subscription
  - Security Administrator role on the relevant subscription
- Third-party application access via OAuth enabled in the Azure DevOps Organization Settings (under Policies), as shown in the image below.
- If you are using the free tier of Azure DevOps, the first attempt to run a pipeline on a Microsoft-hosted agent fails with a message asking you to visit here and request a free parallelism grant for your organization. Approval can take 2-4 days.
If you don't want to wait, or your PoC schedule can't absorb that delay, the alternative is to run the pipeline on a self-hosted agent (which does not depend on the Microsoft-hosted parallelism grant), which you can set up by following these steps.
For beginning the preparation of the POC, you will need to first create the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance for enabling the Azure DevOps connector in Microsoft Defender for Cloud to authorize the connection.
Note: You will need to have an Azure subscription and Azure DevOps organization in the same tenant to enable the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance here to create a new organization in Azure DevOps. See the troubleshooting guide here.
Then, switch over to Azure DevOps, by going to https://dev.azure.com/ .
You will need to install two extensions in Azure DevOps: the Microsoft Security DevOps extension, which runs the security scans, and the SARIF SAST Scans Tab extension, which renders the SARIF output of those scans in a new tab of the Azure DevOps build results.
Next in the Azure DevOps organization, you should create a new Azure DevOps project.
Then create a new Git repository in that ADO project and push some sample code that you want to scan (for example, code that deliberately contains a test credential, so that secret detection has something to find).
The two Microsoft Defender for DevOps extensions in Azure DevOps.
The Security DevOps extension runs its scans as a task inside an Azure Pipelines build, so you need a pipeline defined in YAML. Follow the guidance here to create a new pipeline and add the YAML for the Microsoft Security DevOps task and the .NET dependencies; it includes the tasks necessary for the build to run with the security scans.
Note: If you want the build to fail when a tool in the Security DevOps extension reports a finding, set `break: true` on the Microsoft Security DevOps task. On its own, `break: true` fails the build on any finding; to make only certain kinds of findings blocking (for example secrets), also set the task's `categories` input. The configuration below fails the build when Microsoft Security DevOps detects an issue such as a secret.
```yaml
trigger:
- main

pool:
  vmImage: windows-latest

steps:
- task: MicrosoftSecurityDevOps@1
  displayName: 'Security DevOps'
  inputs:
    break: true
```
Note: When using a self-hosted agent, the .NET dependencies for the Microsoft Security DevOps task must be added to the YAML (see the docs here or lab module 14). They are not required on the default Microsoft-hosted agents (windows-latest or ubuntu-latest).
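The break-on-category decision above happens inside the Microsoft Security DevOps task, so it is worth seeing what that decision looks like on the SARIF output the scanners produce (the same SARIF that the SARIF SAST Scans Tab renders). The script below is an added example written for this article; it is not code from the original post or from the Microsoft Security DevOps extension. It assumes a SARIF 2.1.0 log on disk (the location of that file in a build, such as a path under `$(Build.ArtifactStagingDirectory)`, is an assumption you would confirm in your own pipeline logs), maps each scanner to a category with a constructed table, and returns the findings that would fail the build for the chosen categories and minimum severity. The tool names, rule IDs and file paths in `SAMPLE_SARIF` are constructed for illustration.

```python
"""Fail a build on selected Microsoft Security DevOps findings.

Added example for this article; it is not code from the original post or from the
Microsoft Security DevOps extension. It reads a SARIF 2.1.0 log and reproduces the
"categories + break: true" decision in plain Python, so you can see exactly which
findings would block a merge. Names in SAMPLE_SARIF are constructed.
"""
import json
import sys
from dataclasses import dataclass

# Assumption: which scanner belongs to which category. The names are chosen to
# resemble the tools the article lists; they are not read from the extension.
TOOL_CATEGORY = {
    "CredScan": "secrets",
    "Terrascan": "IaC",
    "TemplateAnalyzer": "IaC",
    "Bandit": "code",
    "ESLint": "code",
}

# SARIF result levels, ranked so a minimum severity can be enforced.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    category: str
    rule_id: str
    level: str
    uri: str
    line: int


def parse_sarif(text: str) -> list[Finding]:
    """Flatten every run/result in a SARIF 2.1.0 log into Finding records."""
    log = json.loads(text)
    if log.get("version") != "2.1.0":
        raise ValueError(f"unsupported SARIF version {log.get('version')!r}")
    findings = []
    for run in log.get("runs", []):
        tool = run["tool"]["driver"]["name"]
        category = TOOL_CATEGORY.get(tool, "unknown")
        for result in run.get("results", []):
            locations = result.get("locations") or [{}]
            physical = locations[0].get("physicalLocation", {})
            findings.append(Finding(
                tool=tool,
                category=category,
                rule_id=result.get("ruleId", ""),
                # SARIF treats a missing level as "warning".
                level=result.get("level", "warning"),
                uri=physical.get("artifactLocation", {}).get("uri", ""),
                line=physical.get("region", {}).get("startLine", 0),
            ))
    return findings


def breaking_findings(findings, categories=("secrets",), min_level="warning"):
    """Return the findings that would fail the build for these categories."""
    threshold = SEVERITY_RANK[min_level]
    return [
        f for f in findings
        if f.category in categories and SEVERITY_RANK.get(f.level, 0) >= threshold
    ]


def should_break(findings, categories=("secrets",), min_level="warning") -> bool:
    return bool(breaking_findings(findings, categories, min_level))


# Constructed sample log: one secret hit and one IaC misconfiguration.
# The gate reports only rule, file and line, never the result message,
# so a detected secret value is not copied into build logs by this script.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "CredScan"}},
         "results": [{"ruleId": "SECRET-EXAMPLE", "level": "error",
                      "locations": [{"physicalLocation": {
                          "artifactLocation": {"uri": "src/appsettings.json"},
                          "region": {"startLine": 12}}}]}]},
        {"tool": {"driver": {"name": "Terrascan"}},
         "results": [{"ruleId": "IAC-EXAMPLE", "level": "warning",
                      "locations": [{"physicalLocation": {
                          "artifactLocation": {"uri": "infra/main.tf"},
                          "region": {"startLine": 40}}}]}]},
    ],
})


def main(argv: list[str]) -> int:
    """Usage: gate.py [msdo.sarif] [category ...]; exit 1 when the build should fail."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_SARIF
    categories = tuple(argv[2:]) or ("secrets",)
    blocking = breaking_findings(parse_sarif(text), categories)
    for f in blocking:
        print(f"[{f.category}] {f.tool} {f.rule_id} {f.uri}:{f.line} ({f.level})")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to exercise the constructed sample (it exits 1 because the secret finding is blocking); pass a real SARIF path and one or more categories to gate an actual build. Keeping the category table and the severity threshold explicit makes it easy to explain to developers why a particular pull request was blocked, which is the same conversation the pull request annotations later in this article are meant to start.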
To validate that the implementation was successful for Azure DevOps, developers can run the Azure Pipeline with the Microsoft Security DevOps extension as above and see the security scan results in the pipeline build run. Your security team can manage secrets, code scanning findings and infrastructure as code findings from Azure DevOps directly in Microsoft Defender for Cloud. The other validation for developers is seeing secrets flagged as pull request annotations at the pull request stage, before they are merged into the default branch (usually main or master).
For DevOps teams, it’s useful for them to be able to see the security scan results, such as secrets, during the Azure pipeline build runs, as they are used to interacting in Azure DevOps. To validate this, go to the Pipelines in Azure DevOps.
Select your pipeline that you enabled with the Security DevOps extension, and click Run pipeline.
After a few minutes, you will see if your run has succeeded or failed.
Click on the pipeline run, and see the Summary of the run. Notice the Errors tab and the Warnings tab, which include security issues found in the repo.
Beside Summary, go to the Scans tab, which appears because of the SARIF SAST Scans Tab extension you enabled. This tab shows the security scan findings per scanning tool.
This is one view of the security scans that your developers can see from Azure DevOps.
Crucially, however, Defender for DevOps lets you manage the secrets, code scanning findings and infrastructure as code findings from Azure DevOps directly in Microsoft Defender for Cloud. This means your security team can view these ADO security issues across Azure DevOps organizations, projects and repos from the one centralised location of Microsoft Defender for Cloud. To see the exposed secrets in Microsoft Defender for Cloud, go to portal.azure.com and open Microsoft Defender for Cloud.
Go to Recommendations.
Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved.
See the secrets found under Findings.
Select the secret to get more information about it, including the Build URL and the Repo URL in Azure DevOps.
Pull Request Annotations
The other task you can do is to view pull request annotations, which surface the secrets and infrastructure as code security issues found in the Azure DevOps repos.
See here to enable ADO pull request annotations in MDC and in ADO
- In Microsoft Defender for Cloud, go to DevOps Security in the side bar. Tick the box beside the Azure DevOps project and configure pull request annotations.
Select Configure at the top.
In the new screen, turn on pull request annotations.
Now pull request annotations are enabled for all branches in that repository.
- Then you need to enable pull request annotations in Azure DevOps, by following the guidance here.
See the process for validating pull request annotations in Azure DevOps for secrets here.
See the pull request annotations then in Azure DevOps, by going under Repos, in Pull Requests.
Click on the pull request to see the high severity pull request annotations showing Secret Access Keys discovered.
Now the developers can take action on these secrets: remove them from the repository, store them in a secret store such as Azure Key Vault, and rotate the exposed credential, since a secret that has been committed should be treated as compromised even after the commit is removed from the branch. The guidance for this can be found here and in the recommendation in Microsoft Defender for Cloud.
In Microsoft Defender for Cloud, you can view workbooks which are essentially reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud, and from the left-hand navigation blade, under the General section, select Workbooks.
From here, under the Defender for Cloud section, you can select the workbook DevOps Security Workbook, specifically focused on allowing you to focus on Defender for DevOps, to see an overview of security findings from Azure DevOps. There are several tabs that you click through. See more information about this workbook here.
- MDC Ninja Training: Become an Azure Security Center Ninja (microsoft.com); module 9 covers Defender for DevOps
- MDC Labs: https://aka.ms/MDFCLabs (Defender for DevOps was added in module 14; module 15, covering the GitHub connector, is in progress)
- The latest episode of Defender for Cloud in the Field features Defender for DevOps: https://www.youtube.com/watch?v=wYCOyFUMRPk
- Defender for DevOps Interactive Guide: Unify DevOps security management with Microsoft Defender for Cloud (cloudguides.com)
- Defender for DevOps Ignite On-Demand session: https://ignite.microsoft.com/en-US/sessions/418befd8-a7ee-4f46-a6a8-8b522b120135?source=sessions
Blogs
- Pre-Deployment Protection for Infrastructure as Code - Microsoft Community Hub
- DevOps Security Workbook - Microsoft Community Hub
- Compliance for Exposed Secrets Discovered by Defender for DevOps - Microsoft Community Hub
- Automate Defender for DevOps Recommendation Remediation - Microsoft Community Hub
- Automate SecOps to Developer Communication with Defender for DevOps - Microsoft Community Hub
- Integrate security into your developer workflow with GitHub Advanced Security for Azure DevOps - Azu...
- Download (free) a special appendix about Defender for DevOps from the latest Microsoft Defender for Cloud book published by Microsoft Press
Defender for DevOps Documentation
- Microsoft Defender for DevOps - the benefits and features | Microsoft Learn
- Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud | Microsoft Learn
- Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud | Microsoft Learn
- Configure the Microsoft Security DevOps GitHub action | Microsoft Learn
- Configure the Microsoft Security DevOps Azure DevOps extension | Microsoft Learn
- Discover misconfigurations in Infrastructure as Code - Defender for Cloud | Microsoft Learn
- Detect exposed secrets in code - Defender for Cloud | Microsoft Learn
- Tutorial Enable pull request annotations in GitHub or in Azure DevOps | Microsoft Learn
By the end of this article, you should have been able to understand the value proposition of Microsoft Defender for DevOps and now have the knowledge of how to run a PoC for it on Azure DevOps.
Thanks to the following teammates for reviewing this article:
Charles Oxyer, Microsoft Defender for DevOps Product Manager
Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager
P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.