What's New - Azure/Microsoft-Defender-for-Cloud Wiki

What's new in the Microsoft Defender for Cloud GitHub community?

This page shows an overview about what automation artifacts have recently been added to the Microsoft Defender for Cloud GitHub. Please note that we only list new artifacts, no maintenance commits, in the table below.


Thank you to all contributors for sharing your artifacts with the community!

Latest additions

Please find the latest additions, ordered by date, in the table below.

Artifact Description Author Date
Enable-Microsoft Defender for Endpoint Threat and Vulnerability Management This playbook is for workflow automation. It will resolve the "A vulnerability assessment solution should be enabled on your virtual machines" recommendation using Microsoft Defender for Endpoint TVM (Threat and Vulnerability Management). Nicholas DiCola 1/14/2022
Microsoft Defender for App Service - Price Estimation Workbook This workbook considers all App Services with and without Microsoft Defender for App Services enabled across your selected subscription. The results are from within the last 7 days. Sarah Wendel 11/9/2021
Recommendations Exemption removal script This PowerShell script is purposed to remove Azure Policy exemptions under a subscription. It can remove all exemptions under a subscription or single Recommendation exemptions from subscription scope. Eli Sagie 11/9/2021
Synack Vulnerabilities Workbook The Synack Vulnerabilities workbook provides an overview of the Synack Vulnerabilities data within Microsoft Defender for Cloud. Synack Inc. 10/29/2021
Microsoft Defender for Key Vault price estimation This workbook considers all Key Vaults with and without Microsoft Defender for Key Vault enabled across your selected subscription. The results are from within the last 7 days. Hélder Pinto 10/22/2021
Microsoft Defender for Servers Monitoring Workbook The new Microsoft Defender for Servers monitoring dashboard is a presentation of all machines, Azure VMs and non-Azure machines (connected through Azure Arc), that are covered by Microsoft Defender for Cloud. Tom Janetscheck 10/21/2021
Microsoft Defender for Cloud Active Alerts Workbook This custom workbook provides a representation of your active alerts in different pivots that would help you understand the overall threats on your environment and prioritize between them. Safeena Begum 10/18/2021
Block SQL Brute Force Attack When Microsoft Defender for Cloud detects a SQL brute force attack on Azure VM, this playbook will create a security rule in the NSG attached to the VM's network interface to deny inbound traffic to SQL port from the attacking IP addresses. Ayelet Shpigelman 10/11/2021
Enable-ASCJIT This LogicApp will resolve the "Management ports of virtual machines should be protected with just-in-time network access control" recommendation. wilbug1git1 10/5/2021
Extend-AlertSuppressionRulesAboutToExpire When this automation is executed it will automatically extend the expiration time of all Microsoft Defender for Cloud Alert Suppression Rules (ASRs) that are about to expire. Bojan Magusic, Liana Tomescu, Prasad Patil 10/5/2021
Notify-ASCRecommendationResourceTag This Logic App for Workflow Automations will notify Microsoft Defender for Cloud-generated recommendations to Azure Resource TAG Owners including Azure Arc resources. João Paulo Ramos and Nathan Swift 10/4/2021
Azure Security Benchmark Workbook This workbook displays the Azure Security Benchmark. TJ Banasik 9/30/2021
PowerShell - Dismiss all alerts This PowerShell script will dismiss Microsoft Defender for Cloud alerts based on a filter (default: dismiss all alerts). Or Parnes 9/30/2021
Continuous Cloud Security Optimization Dashboard This is a Continuous Cloud Security Optimization Dashboard built using Azure Workbooks to enable the customer to quickly gain insights about their Azure Platform security footprint & configuration. Mousmi Suryawanshi 8/23/2021
Azure Policy - Enable all Microsoft Defender for Cloud plans Policy definition to enable all Microsoft Defender for Cloud plans on a subscription. Nathan Swift 9/27/2021
Network Security Dashboard The new network security dashboard for Microsoft Defender for Cloud provides a unified view and full visibility to your network security and networking resources in Azure. Lior Arviv and Mohit Kumar 8/18/2021
Notify Microsoft Defender for Cloud alert IP Entity This playbook uses the GreyNoise Community API to notify a security operations team and enrich alert email notification generated by Microsoft Defender for Cloud for IP addresses. Nathan Swift 8/12/2021
Deploy builtin Qualys to Azure Arc machines This policy deploys Microsoft Defender for Cloud's built-in vulnerability assessment solution (Powered by Qualys) on ARC enabled virtual machines. Nathan Swift 8/6/2021
New-JITPolicy.ps1 Microsoft Defender for Cloud Just-in-Time (JIT) VM access policy script. Eli Sagie 8/2/2021
Activity Log Alerts For DDoS This LogicApp leverages the Resource Management, Application Insights and Azure Resource Graph REST APIs to get all subscriptions under the tenant and checks for the VNet and PublicIPAlert on each subscription and creates alert if not found. Enables the alert if it is disabled. Dharani Dharan Mariappan 7/29/2021
ASC Regulatory Compliance This LogicApp leverages the Microsoft.Security/regulatoryComplianceStandards REST API to get a regulatory compliance snapshot and send the results Azure SQL Table. Dharani Dharan Mariappan 7/29/2021
Secure Storage Remediation This LogicApp leverages the Resource Management and Azure Storage REST APIs to get all subscriptions under the tenant and checks if 'supportsHttpsTrafficOnly' property is enabled or not and enable it. Dharani Dharan Mariappan 7/29/2021
Enable Microsoft Defender for Cloud This LogicApp leverages the Azure Resource Management REST APIs to get all subscriptions under the tenant and checks if 'Pricing Tier' property is set to 'Standard' or not and changes it to 'Standard'. Dharani Dharan Mariappan 7/29/2021
Enable ASC Integrations to MDE and MCAS These custom policy definitions will enable the integration to Microsoft Defender for Endpoint and Microsoft Cloud App Security. Nathan Swift 7/9/2021
Microsoft Defender for Storage cost estimation dashboard This workbook considers all storage accounts with and without Microsoft Defender for Storage enabled across your selected subscription. The results are from within the last 7 days. Fernanda Vela 6/9/2021
Time indicators - Average time taken to remediate resources This artifact is configured to run every 24hrs and export the assessments identified by Microsoft Defender for Cloud to a custom log analytics workspace to calculate the average time taken to remediate unhealthy resources in your environment. Safeena Begum 5/31/2021
Apply Diag Settings This policy audits and deploys diagnostic settings (Activity Log) to a Log Analytics Workspace. Holger Wache 5/17/2021
Policy - audit and deploy 3rd party Qualys VA scanner This policy audits and deploys the Qualys 3rd party extension including the required license key as parameter. Holger Wache 5/14/2021
Time indicators - Notify stale resources With the new time indicator fields firstEvaluationDate and statusChangeDate, Microsoft Defender for Cloud helps you to react on unhealthy resources. This playbook will run once a week and send a notification email that will inform you about all unhealthy resources including the open recommendations that have been found during the last 7 days. Tom Janetscheck 5/11/2021
Time indicators in Azure Resource Graph This query leverages the new time indicator fields in the SecurityResources ARG table to show resources that recently changed their assessment status code to unhealthy. Tom Janetscheck 5/3/2021
Rest API Samples This folder contains a Postman collection to test a set of Microsoft Defender for Cloud REST APIs. Tom Janetscheck 4/28/2021
ASC recommendations workbook This workbook displays Microsoft Defender for Cloud recommendations. Holger Wache 4/28/2021
Policy Exemption Report This PowerShell script will generate a detailed Azure Policy exemption report of user disabled policies from Azure Security Benchmark at Subscription Scope. Nathan Swift 4/27/2021
Storage AV Automation Antivirus Automation for Azure Storage is an independent system that protects one Azure Blob Container from malware by performing a scan on each uploaded blob. The project consists of an Azure Function Blob Trigger that starts upon blob upload, and a Windows VM that utilizes Windows Defender as a malware scanner. Aviv Shitrit 4/26/2021
ARG query to show exempted resources This query returns a list of the Azure Resources that have recommendations that are Exempt due to Waiver or Mitigation and also Policy being disabled Nathan Swift 4/21/2021
Microsoft Defender for Cloud Remediation Policies Through these templates, we will create an initiative in your environment with DeployIfNotExists policies that will automatically remediate some of the recommendations from Microsoft Defender for Cloud. Joana Martins 4/16/2021
List VM Vulnerabilities in ARG Azure Resource Graph (ARG) provides an efficient way to query at scale across a given set of subscriptions for any Azure Resource. This query returns all General Vulnerabilities for your Virtual Machines. Bram v.d. Klingenberg 3/31/2021
Microsoft Defender for Cloud Onboarding Guide This document describes the actions that an organization must take in order to successfully onboard to Microsoft Defender for Cloud at scale. Martina Lang 3/15/2021
Microsoft Defender for Arc-enabled Kubernetes In this section you can find several code snippets & setting configurations required for Microsoft defender for Arc enabled Kubernetes private preview. Maya Herskovic 3/14/2021
Weekly Secure Score Progress Report It is very important to monitor Secure Score and stay on top of the recommendations displayed by Microsoft Defender for Cloud. This Automation artifact that runs weekly will send you a notification email displaying Secure Score Weekly report, in which your current secure score across subscriptions will be displayed along with Secure Score OverTime Report in a graph format and the Security controls that are open plus the Top 5 security controls that needs to be taken care of immediately. Safeena Begum 2/19/2021
Modification for SQL Vulnerability Assessment quick fix The Microsoft Defender for Cloud recommendation "Vulnerability assessment should be enabled on your SQL servers" includes a Quick Fix remediation, but this remediation creates a new storage account for every SQL server. This artifact is a modified policy definition to input a storage account as parameter. Anushka Madwesh 2/2/2021
Secure Score Subscription Management We heard your feedback on the difficulties in managing monitored vs non-monitored subscriptions for Secure Score. This automation playbook queries Root management group for subscription(s) that are not in any management groups and notifies you accordingly for better management of Secure Score. Safeena Begum 1/18/2021
Microsoft Defender for ARC-enabled K8s In this section you can find code snippets & setting configurations required for Microsoft defender for Arc enabled Kubernetes private preview Maya Herskovic 1/11/2021
KQL samples for Continuous Export of Regulatory Compliance This folder contains sample queries for the new Continuous Export of Regulatory Compliance capability. Or Serok Jeppa 1/11/2021
ASC Labs Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience for product features, capabilities, and scenarios. Lior Arviv 1/10/2021
Onboard Win 2019 and Linux to Microsoft Defender for Endpoints Microsoft Defender for Servers offers an integration with Microsoft Defender for Endpoints, that allows you to onboard servers automatically from Microsoft Defender for Cloud without manual interaction. However, currently, there is no automated onboarding for Windows Server 2019 and Linux servers. This solution helps you to find these servers to get visibility and to run an automation that will onboard these servers to Microsoft Defender for Endpoints. Lior Arviv 1/3/2021
Custom policy - AppService SCM Exposed to Public Internet This example policy initiative will inform you about insecure AppService configurations. Nathan Swift 12/14/2020
ASC Built-in Vulnerability Scanner Unified Dashboard 1.0 This Workbook provides an unified view on the information collected by the the following recommendations from Microsoft Defender for Cloud. Carlos Faria 12/10/2020
Secure Score Gamification Workbook This workbook displays the Secure Score from Microsoft Defender for Cloud across all subscriptions selected, as well as the security posture by team or department. The team/department information is retrieved from the specified tag. Vanessa Bruwer 11/19/2020
Container Image Scanning Playbook This automation playbook will help you receive an email notification for any newfound vulnerabilities (findings) per image, compared to the last scan of the same image. Safeena Begum 11/12/2020
Regulatory Compliance Dashboard This workbook displays the Regulatory Compliance controls from Microsoft Defender for Cloud across all subscriptions selected. Vanessa Bruwer 11/5/2020
Notify-SecurityIssues This Logic App Playbook allows you to notify resource owner/s of outstanding security issues (unhealthy recommendations) Lior Arviv 11/1/2020
Keep track of resource exemptions With this automation playbook, you can notify stakeholders when a new resource exemption has been created and additionally export the exemption information to a Log Analytics workspace. Tom Janetscheck 10/13/2020
Add a new file path as allow list rule when an ASC alert is triggered/created for AAC policy By using this Logic App automation, you can quickly respond to Adaptive application control policy violation was audited security alert. Lior Arviv 10/13/2020
Customize Endpoint Protection Recommendation Today Microsoft Defender for Cloud detects and supports wide variety of Endpoint Protection solutions. This automation artifact will help those customers who are using an Endpoint protection solution apart from what ASC already supports. Safeena Begum 10/1/2020
ASC Secure Score by Groups A Workbook that displays the Microsoft Defender for Cloud overall Secure Score in groups of subscriptions. By default, it will load four groups; in each of them, you select the subscriptions that represent a group. Fernanda Vela  9/30/2020
Request Resource Exemption Resource exemption in Microsoft Defender for Cloud needs elevated rights to be created. This LogicApp Playbook can be manually triggered to request resource exemption in case someone has not the necessary level of access. Tom Janetscheck  9/23/2020
Export-ComplianceData This Logic App will pull compliance assessment results from all subscriptions and store it in an existing Log Analytics Workspace. Tom Janetscheck 9/16/2020
Audit Key Vaults with non-expiring secrets (currently removed for maintenance changes) This Audit Policy will inform you about Key Vault secrets that do not have an expiry date. Lior Arviv 9/10/2020
Notify recommendations based on Azure Activity A LogicApp Playbook which will inform people that have created or updated the respective Azure Resource within the last 7 days. Based on Azure Activity, one can assume that the person who has created or updated the resource is responsible for its security, too. Nathan Swift 8/27/2020
Block brute force attack A LogicApp Playbook which will automatically block attacking IP addresses in a Network Security Group (NSG) rule and send an information email once a brute force attack is detected. Safeena Begum, Tom Janetscheck 8/26/2020, 1/28/2021 (V2)
Send Secure Score Reduction Alert A LogicApp Playbook which will send you an alert email, once your Secure Score drops by a configurable percentage. Safeena Begum 7/31/2020
Send-WeeklyComplianceReport A LogicApp Playbook which will send you a weekly compliance status report for all your subscriptions per email. Tom Janetscheck 7/14/2020
Azure Resource Graph - ASC Pricing Azure Resource Graph (ARG) queries to determine the ASC pricing tier on all subscriptions Martina Lang 7/10/2020
Secure Score Over Time Reports A PowerBI dashboard madeup of the data which is gathered using the Get-SecureScoreData LogicApp. Amit Magen 7/08/2020
ASC Qualys Container Report An Azure Monitor Workbook which provides a unified view on the information collected by the Qualys agent running as part of the integrated vulnerability scanner for VMs and Containers. Nathan Swift 7/02/2020
Export-ASCDataToEventHub A LogicApp Playbook which will export Secure Score, Recommendations, and Assessment results from Microsoft Defender for Cloud APIs to an Eventhub. Tom Janetscheck 6/25/2020
Qualys VA Solution PowerShell script and Deploy if not exists (DINE) policy to enable the builtin Qualys VA solution at scale Lior Arviv 6/25/2020

If you also want to publish your automations in the Microsoft Defender for Cloud GitHub, please refer to the Get Started section in this wiki.