Description

Microsoft Defender for Cloud can be configured to check the operating systems of your Virtual Machines (VMs) for missing updates, known vulnerabilities, and configurations that put your environment at risk. Missing OS patches surface as the recommendation "System updates should be installed on your machines", and vulnerability findings come from the vulnerability assessment that is part of the Defender for Servers plan. Ensuring that Defender for Cloud is set to check VMs for OS updates helps maintain a secure posture by making unpatched VMs visible as soon as a patch is missing, reducing exposure to known vulnerabilities.

Rationale: 

By automatically checking the operating systems of your VMs for updates, you ensure that missing patches are detected and reported shortly after they become available, rather than discovered during an incident. Note that this check detects missing updates; it does not install them, so a patch process (Azure Update Manager or your own tooling) still has to act on the findings. Keeping the detection continuous is essential for limiting the window in which attackers can target unpatched vulnerabilities, and it supports compliance with security frameworks such as SOC 2, HIPAA, NIST, and CIS, which require timely patching and vulnerability management for cloud environments.

Impact: 

When Microsoft Defender for Cloud is configured to check VM operating systems for updates, it periodically assesses each VM and raises a recommendation (not a security alert) listing the missing updates, with a severity that reflects the most critical one. This lets your team address vulnerabilities proactively. The main cost of enabling this is financial: Defender for Servers is a paid plan billed per protected server, and every VM in the subscription is covered once the plan is on. There is also a small agent and scan footprint on each VM.

Default Value:

By default, the Defender for Servers plan (and therefore its vulnerability assessment) is set to the Free tier, i.e. off, on a new subscription and must be enabled manually.

Pre-requisites:

  • Microsoft Defender for Cloud: Ensure that Microsoft Defender for Cloud is enabled on the subscription you intend to configure.

  • Permissions: Ensure you have the Owner or Contributor role on the subscription, or the Security Admin role, which is sufficient to enable Defender plans.

  • Virtual Machines: Ensure your Virtual Machines run operating systems supported for update assessment (Windows Server and the supported Linux distributions). Azure VMs are covered directly; servers outside Azure must be onboarded through Azure Arc.

Remediation:

Manual Steps (Azure portal) to Ensure Microsoft Defender for Cloud Checks VM OS for Updates:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • In the Azure portal, go to Microsoft Defender for Cloud and select it.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings under the Management section, then select the subscription you want to configure.

  4. Enable Vulnerability Assessment:

    • Under Defender plans, find the Servers plan (this is the plan the Azure CLI refers to as VirtualMachines) and set it to On.

    • Open the plan's Settings and ensure that Vulnerability assessment for machines is enabled. This is what makes Defender for Cloud scan your VMs for OS vulnerabilities and missing patches.

  5. Configure the Operating System Update Check:

    • Ensure that each VM is set to periodically assess itself for missing updates (Azure Update Manager periodic assessment, i.e. the VM's patch assessmentMode set to AutomaticByPlatform). This is the data source for the missing-update findings; Defender for Cloud also flags VMs that lack it with the recommendation "Machines should be configured to periodically check for missing system updates".

    • Do not rely on the older Update Management solution in Azure Automation: it was retired in August 2024 and Azure Update Manager replaces it.

  6. Save Settings:

    • After enabling the required settings, save the changes to start monitoring the VMs for OS updates.

Automated Implementation Using Azure CLI:

You can also enable the Defender for Servers plan, which includes the vulnerability assessment, through the Azure CLI. Run the following against the target subscription (set it first with az account set if it is not the default):

az security pricing create --name VirtualMachines --pricing-tier "Standard"

The name VirtualMachines is the CLI identifier for the plan shown as Servers in the portal. Setting it to the Standard tier enables Microsoft Defender for Cloud to scan VMs for vulnerabilities, including missing OS updates. Confirm the change afterwards with az security pricing show --name VirtualMachines and check that pricingTier reads Standard.

Backout Plan:

To disable the vulnerability assessment and stop Defender for Cloud from scanning VMs for missing OS updates:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to Microsoft Defender for Cloud:

    • Go to Microsoft Defender for Cloud in the Azure portal.

  3. Go to Environment Settings:

    • In the Microsoft Defender for Cloud dashboard, click on Environment settings.

  4. Disable Vulnerability Assessment:

    • Under Defender plans, find the Servers plan (VirtualMachines in the Azure CLI).

    • Open the plan's Settings and set Vulnerability assessment for machines to Off. To stop billing as well, set the whole Servers plan to Off (the CLI equivalent is az security pricing create --name VirtualMachines --pricing-tier Free).

  5. Save Settings:

    • Save the changes, and Microsoft Defender for Cloud will no longer monitor VM operating systems for updates.
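The following script is an added example that is not part of the original page or of Microsoft's own tooling. It wraps the remediation and the backout plan above in one place: an audit function that checks the plan's tier, an enable function that re-verifies after the change, a backout function that returns the plan to the Free tier, and a per-VM function that turns on Azure Update Manager periodic assessment. It assumes az login has been done and that the default subscription is the one being configured; the resource-group and VM names in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit, enable, verify and back
# out the Defender for Servers plan with the Azure CLI, plus the per-VM
# periodic-assessment setting that Azure Update Manager uses to detect missing
# OS updates. Assumes `az login` is done and the default subscription is the
# target. Resource group / VM names passed in are placeholders.
set -eu

PLAN="VirtualMachines"   # CLI name of the plan the portal shows as "Servers"

# Pure helper: given the JSON printed by `az security pricing show`, succeed
# (exit 0) only if the plan is on the paid (Standard) tier. It makes no az
# calls, so it can be exercised offline with sample JSON.
plan_is_standard() {
  json="$1"
  printf '%s' "$json" | grep -Eq '"pricingTier"[[:space:]]*:[[:space:]]*"Standard"'
}

# Audit only: exit 1 on FAIL so this can gate a CI job.
audit_plan() {
  json="$(az security pricing show --name "$PLAN" --output json)"
  if plan_is_standard "$json"; then
    echo "PASS: Defender for Servers ($PLAN) is on the Standard tier"
  else
    echo "FAIL: Defender for Servers ($PLAN) is not enabled (Free tier)"
    return 1
  fi
}

# Remediation: turn the plan on, then re-read the state rather than trusting
# the exit code of the create call.
enable_plan() {
  az security pricing create --name "$PLAN" --pricing-tier Standard --output none
  audit_plan
}

# Backout: return the plan to the Free tier and confirm it took effect.
disable_plan() {
  az security pricing create --name "$PLAN" --pricing-tier Free --output none
  if plan_is_standard "$(az security pricing show --name "$PLAN" --output json)"; then
    echo "ERROR: $PLAN is still on the Standard tier" >&2
    return 1
  fi
  echo "Defender for Servers ($PLAN) is back on the Free tier"
}

# Missing-update detection needs the VM's patch assessmentMode set to
# AutomaticByPlatform (Azure Update Manager periodic assessment). The property
# path differs between Windows and Linux guests.
enable_periodic_assessment() {
  rg="$1"; vm="$2"; os="$3"   # os: windows | linux
  case "$os" in
    windows) path="osProfile.windowsConfiguration.patchSettings.assessmentMode" ;;
    linux)   path="osProfile.linuxConfiguration.patchSettings.assessmentMode" ;;
    *) echo "unknown OS: $os (expected windows or linux)" >&2; return 2 ;;
  esac
  az vm update --resource-group "$rg" --name "$vm" \
    --set "$path=AutomaticByPlatform" --output none
  echo "Periodic assessment enabled on $vm ($os)"
}

# Usage (placeholder names):
#   audit_plan                                        # check only
#   enable_plan                                       # remediate + verify
#   enable_periodic_assessment rg-prod vm-web01 linux # per VM
#   disable_plan                                      # backout
```

audit_plan is deliberately separate from enable_plan so the same script can run read-only in a compliance check and only change state when invoked for remediation. The az create call is idempotent, so re-running enable_plan on an already-compliant subscription is harmless.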

References: