Description:
Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center.
Rationale:
Enabling Azure Defender for Key Vault allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).
Impact:
Azure Defender for Key Vault is Azure-native, advanced threat protection for Azure Key Vault that adds a layer of security intelligence on top of the vault's own access controls. It lets you act on threats without being a security expert and without running third-party monitoring against the vault.
Note: Turning on Azure Defender in Azure Security Center incurs an additional cost per resource.
Default Value:
By default, the Azure Defender plan for Key Vault is set to Off.
Audit:
Sign into your Azure account.
Go to Security Center
Select Pricing & settings blade
Click on the name of the subscription in which Azure Defender should be turned on
Select the Azure Defender plans blade
Review the chosen pricing tier. For the Key Vault resource type, Plan should be set to On.
Using Azure Command Line Interface 2.0
Ensure the output of the below command is Standard
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2018-06-01' | jq '.|.value[] | select(.name=="KeyVaults")' | jq '.properties.pricingTier'
Using PowerShell
Connect-AzAccount
Get-AzSecurityPricing | Where-Object {$_.Name -eq 'KeyVaults'} | Select-Object Name, PricingTier
Ensure the output shows Name KeyVaults with PricingTier Standard
Remediation:
Pre-requisites:
An Azure account
An Azure Defender (enhanced security) plan. Azure Defender is free for the first 30 days; at the end of 30 days, if you choose to continue using the service, you will automatically be charged for usage.
Implementation Steps:
Go to Security Center
Select Pricing & settings blade
Click on the subscription name
Select the Azure Defender plans blade
Review the chosen pricing tier. For the Key Vault resource type, set Plan to On and click Save
Backout Plan:
Go to Security Center
Select Pricing & settings blade
Click on the subscription name
Select the Azure Defender plans blade
To revert the change, set the Key Vault plan to Off and click Save
Using Azure Command Line Interface 2.0
Use the below command to enable the Standard pricing tier for Key Vault
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/KeyVaults?api-version=2018-06-01 -d@"input.json"'
Where input.json contains the Request body json data as mentioned below.
{
"id": "/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/pricings/KeyVaults",
"name": "KeyVaults",
"type": "Microsoft.Security/pricings",
"properties": {
"pricingTier": "Standard"
}
}
To back out, send the same request with "pricingTier" set to "Free".
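The audit and remediation steps above both talk to the same Microsoft.Security/pricings endpoint, so the following script is added here as a single worked example that covers both (and the backout). It is not part of the benchmark text. It uses az rest instead of a hand-built curl, so the bearer token and subscription do not have to be threaded through xargs, and it extracts the tier with sed so it runs where jq is not installed. It assumes az login has already been run and that SUBSCRIPTION_ID, if exported, holds the target subscription; the function names and the audit|enable|disable arguments are this example's own choices. Azure Defender and Security Center have since been renamed Microsoft Defender for Cloud, but the pricings resource and the KeyVaults name are unchanged.

```bash
#!/usr/bin/env bash
# Added example (not the benchmark's own code): audit, enable or back out the
# Azure Defender plan for Key Vault through the Microsoft.Security/pricings
# REST resource, using `az rest` to attach the bearer token.
set -euo pipefail

API_VERSION="2018-06-01"
RESOURCE_TYPE="KeyVaults"   # the pricings resource name for Key Vault

# Build the pricings URL for one subscription.
pricing_url() {
  # $1 = subscription id
  printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Security/pricings/%s?api-version=%s' \
    "$1" "$RESOURCE_TYPE" "$API_VERSION"
}

# Pull properties.pricingTier out of a pricings response body. The JSON is
# flattened first so the value is found whether or not it spans lines.
tier_from_json() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"pricingTier"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# The benchmark's pass condition: tier Standard (the portal shows Plan = On).
is_compliant() {
  [ "$1" = "Standard" ]
}

# Request body for the PUT; the same shape as the page's input.json.
pricing_body() {
  # $1 = subscription id, $2 = tier (Standard to enable, Free to back out)
  printf '{"id":"/subscriptions/%s/providers/Microsoft.Security/pricings/%s","name":"%s","type":"Microsoft.Security/pricings","properties":{"pricingTier":"%s"}}' \
    "$1" "$RESOURCE_TYPE" "$RESOURCE_TYPE" "$2"
}

# Audit: GET the pricing resource and report PASS/FAIL (non-zero on FAIL).
audit() {
  local sub="$1" body tier
  body=$(az rest --method get --url "$(pricing_url "$sub")" --output json)
  tier=$(tier_from_json "$body")
  if is_compliant "$tier"; then
    echo "PASS: Defender for Key Vault tier is Standard (On) in $sub"
  else
    echo "FAIL: Defender for Key Vault tier is '${tier:-unknown}' in $sub"
    return 1
  fi
}

# Remediate (Standard) or back out (Free) by PUTting the pricing resource.
set_tier() {
  local sub="$1" tier="$2"
  az rest --method put --url "$(pricing_url "$sub")" \
    --headers "Content-Type=application/json" \
    --body "$(pricing_body "$sub" "$tier")" --output none
}

# Only act when an operation is given on the command line, so the file can
# also be sourced for its functions.
if [ "$#" -gt 0 ]; then
  SUB="${SUBSCRIPTION_ID:-$(az account show --query id -o tsv)}"
  case "$1" in
    audit)   audit "$SUB" ;;
    enable)  set_tier "$SUB" Standard && audit "$SUB" ;;
    disable) set_tier "$SUB" Free ;;
    *) echo "usage: $0 audit|enable|disable" >&2; exit 2 ;;
  esac
fi
```

Run it as `./defender-keyvault.sh audit` to check, `enable` to remediate (it re-audits afterwards so the PUT is confirmed), and `disable` for the backout plan. Note that `disable` sets the tier to Free without confirmation, so keep it out of any automation that runs against production subscriptions.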
References:
https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities
https://docs.microsoft.com/en-us/powershell/module/az.security/get-azsecuritypricing
https://docs.microsoft.com/en-us/azure/security/benchmarks/security-controls-v2-identity-management#im-8-secure-user-access-to-legacy-applications