What's New
vapasula edited this page Nov 8, 2022
·
104 revisions
This page shows an overview about what automation artifacts have recently been added to the Microsoft Defender for Cloud GitHub. Please note that we only list new artifacts, no maintenance commits, in the table below.
Thank you to all contributors for sharing your artifacts with the community!
Please find the latest additions, ordered by date, in the table below.
| Artifact | Description | Author | Date |
|---|---|---|---|
| Power Shell Script - Remove Log Analytics Agent At Scale | The Powershell script will remove the Log Analytics Agent for all your Azure virtual machines. This script is especially useful if you want to switch to using AMA (Azure Monitor Agent) and no longer require the Log Analytics Agent. | Liana Tomescu | 11/03/2022 |
| Workbook Microsoft Defender for Storage - Price Estimation Dashboard 3.0 | This workbook allows you to estimate the cost for both pricing plans and considers all storage accounts with and without Microsoft Defender for Storage enabled across the selected scope. The results are derived from data extracted from the past seven days, and the estimation is for the monthly cost. | Shay Amar | 10/31/2022 |
| Policy Enable Microsoft Defender for Servers plans | This Azure policy definition allows you to enable Microsoft Defender for Servers on your subscriptions and management groups while, at the same time, selecting the Defender for Servers plan (Plan 1 or Plan 2). | Tom Janetscheck | 10/27/2022 |
| ARM Template Servers Agentless scanning enablement at Management Group Level | The policy enables Microsoft Defender for Cloud servers agentless scanning mode on Management Group level. | MatanShabtay | 10/24/2022 |
| Policy Servers Agentless scanning enablement at Subscription Level | The policy enables Microsoft Defender for Cloud servers agentless scanning mode on subscription level. | MatanShabtay | 10/24/2022 |
| Workbook Defender for Endpoint Deployment Status | This interactive workbook provides an overview of machines in your environment showing their Microsoft Defender for Endpoint extension deployment status. | Tom Janetscheck | 10/7/2022 |
| Automation Notify-SQLVulnerabilityReport | The Logic App allows you to send a weekly vulnerability report for SQL databases on servers/machines. Once triggered, the defined recipients receive an email report for every SQL server (i.e. Azure SQL server and SQL server on VM/On-Premise) connected to Microsoft Defender for Cloud. The email report summarizes the weekly vulnerability scan for every database. | Ameer Tayyem | 9/15/2022 |
| Workbook Defender for Cloud Onboarding | This Onboarding Workbook checks if all your subscriptions under your Tenant are onboarded with Defender for Cloud, Defender for Cloud Plans currently enabled across your subscriptions and Log Analytics Workspaces, Lists the resources deployed into these subscriptions that can be protected with Defender for Cloud workload protection plans, checks if any onboarding agents are missing for the workload protection. | Vasavi Pasula | 8/11/2022 |
| Workbook Microsoft Defender for Servers - CVE Dashboard | This interactive workbook provides an overview of machines in your environment that are affected by open vulnerabilities with a focus on CVE IDs. It will show vulnerability findings for either Microsoft Defender Vulnerability Management, or the integrated Qualys VA scanner. | Tom Janetscheck | 7/26/2022 |
| Workbook OMI Vulnerability Dashboard | This workbook provides an overview of machines in your environment that are affected by OMI vulnerability . It will show vulnerability findings for either Microsoft Defender Vulnerability Management, or the integrated Qualys VA scanner. | Shay Amar | 7/24/2022 |
| Automation Deploy Microsoft Defender for Cloud with Terraform | This article covers how to deploy Microsoft Defender for Cloud using Terraform | Helder Pinto & Liana Tomescu | 6/27/2022 |
| Automation Remove-KeyVault-AccessPolicies-RBACPermissions | When this automation is executed it will automatically respond to these Key vault alerts, by removing the access policies and RBAC permissions the user has in Key vault. | Future Kortor & Bojan Magusic | 6/17/2022 |
| TLS should be updated to the latest version for function apps | This sample playbook allows you to remediate TLS verion of Azure Function following "TLS should be updated to the latest version for function apps" Microsoft Defender for Cloud recomendations. | Mike Resnick | 6/14/2022 |
| Assign-MDCRecommendations-byAzureActivity | This Logic App for Workflow Automations will assign a governance owner and notify to ASC generated recommendations to recent users within last 7 days that created or updated the Azure Resource. | Nathan Swift | 6/9/2022 |
| Demo Automation Template | This template allows you to deploy a simple Windows 2019 Server build version 2803, which includes RCE vulnerabilities out of the box (unless you run an update post install). | Lara Goldstein | 5/17/2022 |
| Powershell script - Onboard your subscription to VM Scanners - Private Preview feature | This powershell script allows you to onboard your subscription to the VM Scanners Private Preview feature. | Eitan Mechtinger | 5/17/2022 |
| Create-ExemptionsByResourceTag | This automation runs on a scheduled interval to create exemptions from the ASB initiative to exempt resources with a specified tag from Secure Score calculations. | Lara Goldstein | 5/16/2022 |
| Workbook - Well Architected Framework Security Assessment -Technical Controls Evaluation | This workbook assists in answering the Well Architected Framework (WAF) Security Assessment survey, mainly for Technical Controls. It is designed to verify the deployment status of the selected technical controls mentioned in the Security Assessment. | ITSec365 | 5/10/2022 |
| Playbook - Create SNOW Incident for Vulnerability Findings | Upon 'Machines should have vulnerability findings resolved' recommendation trigger by a virtual machine this logic app will go out and retrieve the vulnerability findings on the VM and create a ServiceNow Incident Request per each vulnerability finding. | Nathan Swift | 5/7/2022 |
| Microsoft Defender for Cloud - Compute Security Dashboard | The new compute security dashboard for Microsoft Defender for Cloud provides you a unified view and full visibility to your virtual machine resources in Azure. | ITSec365 | 4/26/2022 |
| Disable AAD Account (non Admin) and revoke all Auth Tokens | Once an attack is detected by Defender for Resource Manager, if an Azure Active Directory (Azure AD) Account has been utilized, you will need to act promptly and mitigate the compromised account. You can use this Azure Logic App we have developed to disable the account, revoke all the active tokens and notify the account’s manager if it exists or simply to a designated email address. | Giulio Astori | 4/01/2022 |
| Microsoft Defender for Cloud - Policy Distribution Dashboard | The new Policy Distribution Dashboard for Microsoft Defender for Cloud provides a unified view and deep visibility into the configuration of your overall policy structure in Azure. | Safeena Begum | 3/23/2022 |
| Microsoft Defender for Cloud - Price Estimation Dashboard | This workbook provides price estimations for various Microsoft Defender for Cloud plans based on usage telemetry in a particular environment. | Future Kortor | 3/4/2022 |
| Enable Alerts Streaming To Third Party Siem | This script will create the required resources and configurations to stream alerts from Microsoft Defender for Cloud to 3rd party SIEM. | Gal Grinblat | 2/20/2022 |
| Microsoft Defender for Cloud - Coverage Dashboard | Microsoft Defender for Cloud plans are enabled per subscription what can make it hard to understand which plan is enabled on which subscription when you are not using policy enforcements. This workbook provides a consolidated view of Defender for Cloud coverage across all selected subscriptions. | Tom Janetscheck | 1/19/2022 |
| Enable-Microsoft Defender for Endpoint Threat and Vulnerability Management | This playbook is for workflow automation. It will resolve the "A vulnerability assessment solution should be enabled on your virtual machines" recommendation using Microsoft Defender for Endpoint TVM (Threat and Vulnerability Management). | Nicholas DiCola | 1/14/2022 |
| Microsoft Defender for App Service - Price Estimation Workbook | This workbook considers all App Services with and without Microsoft Defender for App Services enabled across your selected subscription. The results are from within the last 7 days. | Sarah Wendel | 11/9/2021 |
| Recommendations Exemption removal script | This PowerShell script is purposed to remove Azure Policy exemptions under a subscription. It can remove all exemptions under a subscription or single Recommendation exemptions from subscription scope. | Eli Sagie | 11/9/2021 |
| Synack Vulnerabilities Workbook | The Synack Vulnerabilities workbook provides an overview of the Synack Vulnerabilities data within Microsoft Defender for Cloud. | Synack Inc. | 10/29/2021 |
| Microsoft Defender for Key Vault price estimation | This workbook considers all Key Vaults with and without Microsoft Defender for Key Vault enabled across your selected subscription. The results are from within the last 7 days. | Hélder Pinto | 10/22/2021 |
| Microsoft Defender for Servers Monitoring Workbook | The new Microsoft Defender for Servers monitoring dashboard is a presentation of all machines, Azure VMs and non-Azure machines (connected through Azure Arc), that are covered by Microsoft Defender for Cloud. | Tom Janetscheck | 10/21/2021 |
| Microsoft Defender for Cloud Active Alerts Workbook | This custom workbook provides a representation of your active alerts in different pivots that would help you understand the overall threats on your environment and prioritize between them. | Safeena Begum | 10/18/2021 |
| Block SQL Brute Force Attack | When Microsoft Defender for Cloud detects a SQL brute force attack on Azure VM, this playbook will create a security rule in the NSG attached to the VM's network interface to deny inbound traffic to SQL port from the attacking IP addresses. | Ayelet Shpigelman | 10/11/2021 |
| Enable-ASCJIT | This LogicApp will resolve the "Management ports of virtual machines should be protected with just-in-time network access control" recommendation. | wilbug1git1 | 10/5/2021 |
| Extend-AlertSuppressionRulesAboutToExpire | When this automation is executed it will automatically extend the expiration time of all Microsoft Defender for Cloud Alert Suppression Rules (ASRs) that are about to expire. | Bojan Magusic, Liana Tomescu, Prasad Patil | 10/5/2021 |
| Notify-ASCRecommendationResourceTag | This Logic App for Workflow Automations will notify Microsoft Defender for Cloud-generated recommendations to Azure Resource TAG Owners including Azure Arc resources. | João Paulo Ramos and Nathan Swift | 10/4/2021 |
| Azure Security Benchmark Workbook | This workbook displays the Azure Security Benchmark. | TJ Banasik | 9/30/2021 |
| PowerShell - Dismiss all alerts | This PowerShell script will dismiss Microsoft Defender for Cloud alerts based on a filter (default: dismiss all alerts). | Or Parnes | 9/30/2021 |
| Continuous Cloud Security Optimization Dashboard | This is a Continuous Cloud Security Optimization Dashboard built using Azure Workbooks to enable the customer to quickly gain insights about their Azure Platform security footprint & configuration. | Mousmi Suryawanshi | 8/23/2021 |
| Azure Policy - Enable all Microsoft Defender for Cloud plans | Policy definition to enable all Microsoft Defender for Cloud plans on a subscription. | Nathan Swift | 9/27/2021 |
| Network Security Dashboard | The new network security dashboard for Microsoft Defender for Cloud provides a unified view and full visibility to your network security and networking resources in Azure. | Lior Arviv and Mohit Kumar | 8/18/2021 |
| Notify Microsoft Defender for Cloud alert IP Entity | This playbook uses the GreyNoise Community API to notify a security operations team and enrich alert email notification generated by Microsoft Defender for Cloud for IP addresses. | Nathan Swift | 8/12/2021 |
| Deploy builtin Qualys to Azure Arc machines | This policy deploys Microsoft Defender for Cloud's built-in vulnerability assessment solution (Powered by Qualys) on ARC enabled virtual machines. | Nathan Swift | 8/6/2021 |
| New-JITPolicy.ps1 | Microsoft Defender for Cloud Just-in-Time (JIT) VM access policy script. | Eli Sagie | 8/2/2021 |
| Activity Log Alerts For DDoS | This LogicApp leverages the Resource Management, Application Insights and Azure Resource Graph REST APIs to get all subscriptions under the tenant and checks for the VNet and PublicIPAlert on each subscription and creates alert if not found. Enables the alert if it is disabled. | Dharani Dharan Mariappan | 7/29/2021 |
| ASC Regulatory Compliance | This LogicApp leverages the Microsoft.Security/regulatoryComplianceStandards REST API to get a regulatory compliance snapshot and send the results Azure SQL Table. | Dharani Dharan Mariappan | 7/29/2021 |
| Secure Storage Remediation | This LogicApp leverages the Resource Management and Azure Storage REST APIs to get all subscriptions under the tenant and checks if 'supportsHttpsTrafficOnly' property is enabled or not and enable it. | Dharani Dharan Mariappan | 7/29/2021 |
| Enable Microsoft Defender for Cloud | This LogicApp leverages the Azure Resource Management REST APIs to get all subscriptions under the tenant and checks if 'Pricing Tier' property is set to 'Standard' or not and changes it to 'Standard'. | Dharani Dharan Mariappan | 7/29/2021 |
| Enable ASC Integrations to MDE and MCAS | These custom policy definitions will enable the integration to Microsoft Defender for Endpoint and Microsoft Cloud App Security. | Nathan Swift | 7/9/2021 |
| Microsoft Defender for Storage cost estimation dashboard | This workbook considers all storage accounts with and without Microsoft Defender for Storage enabled across your selected subscription. The results are from within the last 7 days. | Fernanda Vela | 6/9/2021 |
| Time indicators - Average time taken to remediate resources | This artifact is configured to run every 24hrs and export the assessments identified by Microsoft Defender for Cloud to a custom log analytics workspace to calculate the average time taken to remediate unhealthy resources in your environment. | Safeena Begum | 5/31/2021 |
| Apply Diag Settings | This policy audits and deploys diagnostic settings (Activity Log) to a Log Analytics Workspace. | Holger Wache | 5/17/2021 |
| Policy - audit and deploy 3rd party Qualys VA scanner | This policy audits and deploys the Qualys 3rd party extension including the required license key as parameter. | Holger Wache | 5/14/2021 |
| Time indicators - Notify stale resources | With the new time indicator fields firstEvaluationDate and statusChangeDate, Microsoft Defender for Cloud helps you to react on unhealthy resources. This playbook will run once a week and send a notification email that will inform you about all unhealthy resources including the open recommendations that have been found during the last 7 days. | Tom Janetscheck | 5/11/2021 |
| Time indicators in Azure Resource Graph | This query leverages the new time indicator fields in the SecurityResources ARG table to show resources that recently changed their assessment status code to unhealthy. | Tom Janetscheck | 5/3/2021 |
| Rest API Samples | This folder contains a Postman collection to test a set of Microsoft Defender for Cloud REST APIs. | Tom Janetscheck | 4/28/2021 |
| ASC recommendations workbook | This workbook displays Microsoft Defender for Cloud recommendations. | Holger Wache | 4/28/2021 |
| Policy Exemption Report | This PowerShell script will generate a detailed Azure Policy exemption report of user disabled policies from Azure Security Benchmark at Subscription Scope. | Nathan Swift | 4/27/2021 |
| Storage AV Automation | Antivirus Automation for Azure Storage is an independent system that protects one Azure Blob Container from malware by performing a scan on each uploaded blob. The project consists of an Azure Function Blob Trigger that starts upon blob upload, and a Windows VM that utilizes Windows Defender as a malware scanner. | Aviv Shitrit | 4/26/2021 |
| ARG query to show exempted resources | This query returns a list of the Azure Resources that have recommendations that are Exempt due to Waiver or Mitigation and also Policy being disabled | Nathan Swift | 4/21/2021 |
| Microsoft Defender for Cloud Remediation Policies | Through these templates, we will create an initiative in your environment with DeployIfNotExists policies that will automatically remediate some of the recommendations from Microsoft Defender for Cloud. | Joana Martins | 4/16/2021 |
| List VM Vulnerabilities in ARG | Azure Resource Graph (ARG) provides an efficient way to query at scale across a given set of subscriptions for any Azure Resource. This query returns all General Vulnerabilities for your Virtual Machines. | Bram v.d. Klingenberg | 3/31/2021 |
| Microsoft Defender for Cloud Onboarding Guide | This document describes the actions that an organization must take in order to successfully onboard to Microsoft Defender for Cloud at scale. | Martina Lang | 3/15/2021 |
| Microsoft Defender for Arc-enabled Kubernetes | In this section you can find several code snippets & setting configurations required for Microsoft defender for Arc enabled Kubernetes private preview. | Maya Herskovic | 3/14/2021 |
| Weekly Secure Score Progress Report | It is very important to monitor Secure Score and stay on top of the recommendations displayed by Microsoft Defender for Cloud. This Automation artifact that runs weekly will send you a notification email displaying Secure Score Weekly report, in which your current secure score across subscriptions will be displayed along with Secure Score OverTime Report in a graph format and the Security controls that are open plus the Top 5 security controls that needs to be taken care of immediately. | Safeena Begum | 2/19/2021 |
| Modification for SQL Vulnerability Assessment quick fix | The Microsoft Defender for Cloud recommendation "Vulnerability assessment should be enabled on your SQL servers" includes a Quick Fix remediation, but this remediation creates a new storage account for every SQL server. This artifact is a modified policy definition to input a storage account as parameter. | Anushka Madwesh | 2/2/2021 |
| Secure Score Subscription Management | We heard your feedback on the difficulties in managing monitored vs non-monitored subscriptions for Secure Score. This automation playbook queries Root management group for subscription(s) that are not in any management groups and notifies you accordingly for better management of Secure Score. | Safeena Begum | 1/18/2021 |
| Microsoft Defender for ARC-enabled K8s | In this section you can find code snippets & setting configurations required for Microsoft defender for Arc enabled Kubernetes private preview | Maya Herskovic | 1/11/2021 |
| KQL samples for Continuous Export of Regulatory Compliance | This folder contains sample queries for the new Continuous Export of Regulatory Compliance capability. | Or Serok Jeppa | 1/11/2021 |
| ASC Labs | Our labs project helps you get ramped up with Microsoft Defender for Cloud and provides hands-on practical experience for product features, capabilities, and scenarios. | Lior Arviv | 1/10/2021 |
| Onboard Win 2019 and Linux to Microsoft Defender for Endpoints | Microsoft Defender for Servers offers an integration with Microsoft Defender for Endpoints, that allows you to onboard servers automatically from Microsoft Defender for Cloud without manual interaction. However, currently, there is no automated onboarding for Windows Server 2019 and Linux servers. This solution helps you to find these servers to get visibility and to run an automation that will onboard these servers to Microsoft Defender for Endpoints. | Lior Arviv | 1/3/2021 |
| Custom policy - AppService SCM Exposed to Public Internet | This example policy initiative will inform you about insecure AppService configurations. | Nathan Swift | 12/14/2020 |
| ASC Built-in Vulnerability Scanner Unified Dashboard 1.0 | This Workbook provides an unified view on the information collected by the the following recommendations from Microsoft Defender for Cloud. | Carlos Faria | 12/10/2020 |
| Secure Score Gamification Workbook | This workbook displays the Secure Score from Microsoft Defender for Cloud across all subscriptions selected, as well as the security posture by team or department. The team/department information is retrieved from the specified tag. | Vanessa Bruwer | 11/19/2020 |
| Container Image Scanning Playbook | This automation playbook will help you receive an email notification for any newfound vulnerabilities (findings) per image, compared to the last scan of the same image. | Safeena Begum | 11/12/2020 |
| Regulatory Compliance Dashboard | This workbook displays the Regulatory Compliance controls from Microsoft Defender for Cloud across all subscriptions selected. | Vanessa Bruwer | 11/5/2020 |
| Notify-SecurityIssues | This Logic App Playbook allows you to notify resource owner/s of outstanding security issues (unhealthy recommendations) | Lior Arviv | 11/1/2020 |
| Keep track of resource exemptions | With this automation playbook, you can notify stakeholders when a new resource exemption has been created and additionally export the exemption information to a Log Analytics workspace. | Tom Janetscheck | 10/13/2020 |
| Add a new file path as allow list rule when an ASC alert is triggered/created for AAC policy | By using this Logic App automation, you can quickly respond to Adaptive application control policy violation was audited security alert. | Lior Arviv | 10/13/2020 |
| Customize Endpoint Protection Recommendation | Today Microsoft Defender for Cloud detects and supports wide variety of Endpoint Protection solutions. This automation artifact will help those customers who are using an Endpoint protection solution apart from what ASC already supports. | Safeena Begum | 10/1/2020 |
| ASC Secure Score by Groups | A Workbook that displays the Microsoft Defender for Cloud overall Secure Score in groups of subscriptions. By default, it will load four groups; in each of them, you select the subscriptions that represent a group. | Fernanda Vela | 9/30/2020 |
| Request Resource Exemption | Resource exemption in Microsoft Defender for Cloud needs elevated rights to be created. This LogicApp Playbook can be manually triggered to request resource exemption in case someone has not the necessary level of access. | Tom Janetscheck | 9/23/2020 |
| Export-ComplianceData | This Logic App will pull compliance assessment results from all subscriptions and store it in an existing Log Analytics Workspace. | Tom Janetscheck | 9/16/2020 |
| Audit Key Vaults with non-expiring secrets (currently removed for maintenance changes) | This Audit Policy will inform you about Key Vault secrets that do not have an expiry date. | Lior Arviv | 9/10/2020 |
| Notify recommendations based on Azure Activity | A LogicApp Playbook which will inform people that have created or updated the respective Azure Resource within the last 7 days. Based on Azure Activity, one can assume that the person who has created or updated the resource is responsible for its security, too. | Nathan Swift | 8/27/2020 |
| Block brute force attack | A LogicApp Playbook which will automatically block attacking IP addresses in a Network Security Group (NSG) rule and send an information email once a brute force attack is detected. | Safeena Begum, Tom Janetscheck | 8/26/2020, 1/28/2021 (V2) |
| Send Secure Score Reduction Alert | A LogicApp Playbook which will send you an alert email, once your Secure Score drops by a configurable percentage. | Safeena Begum | 7/31/2020 |
| Send-WeeklyComplianceReport | A LogicApp Playbook which will send you a weekly compliance status report for all your subscriptions per email. | Tom Janetscheck | 7/14/2020 |
| Azure Resource Graph - ASC Pricing | Azure Resource Graph (ARG) queries to determine the ASC pricing tier on all subscriptions | Martina Lang | 7/10/2020 |
| Secure Score Over Time Reports | A PowerBI dashboard madeup of the data which is gathered using the Get-SecureScoreData LogicApp. | Amit Magen | 7/08/2020 |
| ASC Qualys Container Report | An Azure Monitor Workbook which provides a unified view on the information collected by the Qualys agent running as part of the integrated vulnerability scanner for VMs and Containers. | Nathan Swift | 7/02/2020 |
| Export-ASCDataToEventHub | A LogicApp Playbook which will export Secure Score, Recommendations, and Assessment results from Microsoft Defender for Cloud APIs to an Eventhub. | Tom Janetscheck | 6/25/2020 |
| Qualys VA Solution | PowerShell script and Deploy if not exists (DINE) policy to enable the builtin Qualys VA solution at scale | Lior Arviv | 6/25/2020 |
If you also want to publish your automations in the Microsoft Defender for Cloud GitHub, please refer to the Get Started section in this wiki.