Description:
Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal.
Rationale:
Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.
Impact:
Enabling Microsoft Defender for Resource Manager requires enabling Microsoft Defender for your subscription. Both will incur additional charges.
Audit:
From Azure Portal
1. Go to Microsoft Defender for Cloud
2. Select Environment Settings blade
3. Click on the subscription name
4. Select the Defender plans blade
5. Ensure Status is set to On for Resource Manager.
From Azure CLI
Ensure the output of the below command is Standard
az security pricing show -n 'Arm' --query 'PricingTier'
From Azure PowerShell
Get-AzSecurityPricing -Name 'Arm' | Select-Object Name,PricingTier
Ensure the output of PricingTier is Standard
Remediation:
From Azure Portal
1. Go to Microsoft Defender for Cloud.
2. Select Environment Settings blade.
3. Click on the subscription name.
4. Select the Defender plans blade.
5. Select On under Status for Resource Manager.
6. Select `Save.
From Azure CLI
Use the below command to enable Standard pricing tier for Defender for Resource
Manager
az security pricing create -n 'Arm' --tier 'Standard'
From PowerShell
Use the below command to enable Standard pricing tier for Defender for Resource Manager
Set-AzSecurityPricing -Name 'Arm' -PricingTier 'Standard'
Default Value:
By default, Microsoft Defender for Resource Manager is not enabled.
References:
1. https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhancedsecurity
2. https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-resourcemanager-introduction
3. https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/
4. https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview