Introduction
This Azure Defender PoC Series provides guidelines on how to perform a proof of concept for a specific Azure Defender plan. For a more holistic approach where you need to validate Azure Security Center and Azure Defender together, please read the How to Effectively Perform an Azure Security Center PoC article.
Planning
As part of your Azure Defender for Resource Manager PoC you need to identify the use case scenarios that you want to validate. A common scenario is cloud service discovery, where an adversary may try to enumerate the cloud services that are running via calls to Azure Resource Manager. You can use the alerts generated by Azure Defender for Resource Manager as your starting point to plan which actions you want to execute.
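As an added illustration (not code from the original article or from Microsoft), the Python sketch below shows the kind of detection logic the discovery scenario implies: it scans constructed Azure Activity Log style records for a caller that reads resources from many distinct resource providers within a short window. The sample records, the window and the provider threshold are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Activity Log style records (not real telemetry).
# Field names follow the Activity Log schema: operationName, caller, eventTimestamp.
SAMPLE_EVENTS = [
    {"caller": "svc-reader@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/read", "eventTimestamp": "2021-09-01T10:00:01Z"},
    {"caller": "svc-reader@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/read", "eventTimestamp": "2021-09-01T10:00:04Z"},
    {"caller": "svc-reader@contoso.example", "operationName": "Microsoft.KeyVault/vaults/read", "eventTimestamp": "2021-09-01T10:00:07Z"},
    {"caller": "svc-reader@contoso.example", "operationName": "Microsoft.Network/networkInterfaces/read", "eventTimestamp": "2021-09-01T10:00:09Z"},
    {"caller": "svc-reader@contoso.example", "operationName": "Microsoft.Sql/servers/read", "eventTimestamp": "2021-09-01T10:00:12Z"},
    {"caller": "admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/write", "eventTimestamp": "2021-09-01T10:05:00Z"},
    {"caller": "admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/read", "eventTimestamp": "2021-09-01T11:30:00Z"},
]


def find_discovery_bursts(events, window=timedelta(minutes=5), min_providers=4):
    """Return {caller: providers} for every caller that issued read operations
    against at least `min_providers` distinct resource providers inside any
    sliding `window`. Thresholds are assumed values, tune them for your tenant."""
    reads = defaultdict(list)
    for ev in events:
        op = ev["operationName"]
        if not op.endswith("/read"):
            continue  # only enumeration-style reads matter for this scenario
        ts = datetime.strptime(ev["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        provider = op.split("/")[0]  # e.g. "Microsoft.Compute"
        reads[ev["caller"]].append((ts, provider))

    flagged = {}
    for caller, items in reads.items():
        items.sort()  # chronological order so each start opens one window
        for i, (start, _) in enumerate(items):
            providers = {p for t, p in items[i:] if t - start <= window}
            if len(providers) >= min_providers:
                flagged[caller] = providers
                break
    return flagged


if __name__ == "__main__":
    for caller, providers in find_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"possible discovery activity by {caller}: {sorted(providers)}")
```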
Since the enablement of this plan is performed on the Azure back end, it will not affect the performance of your workloads in Azure.
Keep in mind that you have a 30-day free trial of Azure Defender for Resource Manager, which means that you should plan to execute your PoC before the trial expires and, based on the results, decide whether to keep it enabled.
Preparation
You need at least the Security Admin role to enable Azure Defender for Resource Manager. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available in our Alerts Reference Guide.
From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Resource Manager:
- Azure Defender for ARM and DNS | Azure Security Center in the Field #13
- Azure Defender for Resource Manager Documentation
Implementation and validation
You can use the sample alert feature to validate Azure Defender for Resource Manager alerts, or you can use the procedures from this article to simulate an attack and see how Azure Defender for Resource Manager detects it. As you review each alert, it is important to understand how to make sense of the metadata available. Read this article for more information on how to respond to Azure Resource Manager alerts.
Conclusion
By the end of this PoC you should be able to determine the value of this solution and the importance of having this level of threat detection for your workloads.
Posted at https://sl.advdat.com/3kcww2G