Enable Microsoft Defender Standard Pricing Tier

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: SecurityCenter-001

Ensure that Microsoft Defender for Cloud standard pricing tier (also known as enhanced security plan) is active in order to enable threat detection for networks and virtual machines, provide threat intelligence, anomaly detection, and behavior analytics within the protected subscription.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Enabling Microsoft Defender for Cloud standard pricing tier allows for better security assessment with threat detection provided by the Microsoft Security Response Center (MSRC), advanced security policies, adaptive application control, network threat detection, and regulatory compliance management.


Audit

To determine if the standard pricing tier (enhanced security plan) is enabled within the Microsoft Defender for Cloud settings, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to examine.

05 In the navigation panel, under Settings, choose Defender plans.

06 In the Cloud Workload Protection (CWP) section, check the Status column for the listed plans to determine if the standard pricing tier is enabled for the selected subscription. The minimum requirement for enabling the standard tier is to enable the Servers plan. If the Status is set to Off for the Servers plan, the Microsoft Defender for Cloud standard pricing tier (i.e. enhanced security plan) is not enabled for the selected subscription.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription created within your Azure account.

Using Azure CLI

01 Run account get-access-token command (Windows/macOS/Linux) with custom query filters to describe the Microsoft Defender for Cloud pricing tier enabled for the current Azure subscription:

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X GET -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings?api-version=2017-08-01-preview"' | jq '.value[] | select(.name=="default") | .properties.pricingTier'

02 The command output should return the name of the active pricing tier:

"Free"

If the account get-access-token command output returns "Free", as shown in the example above, the enhanced security is off, therefore the Microsoft Defender for Cloud standard pricing tier is not enabled for the current Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription available in your Azure cloud account.
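
The per-subscription check from the CLI steps above, as an added example that is not part of the original page or of Conformity's tooling: it loops over every enabled subscription and reports the pricing tier of each. It assumes a logged-in Azure CLI; the function names and the script name are hypothetical, and `az rest` is used in place of the curl call.

```bash
#!/usr/bin/env bash
# Added example (not Conformity's code): audit the Defender for Cloud pricing
# tier for every enabled subscription, using the endpoint from this page.
API_VERSION="2017-08-01-preview"
TAB="$(printf '\t')"

# Map a pricingTier value to a verdict. Anything other than Standard/Free
# (empty reply, missing "default" object, access error) is UNKNOWN, so a
# failed query is never mistaken for a pass.
tier_verdict() {
  case "$1" in
    Standard) echo "PASS" ;;
    Free)     echo "FAIL" ;;
    *)        echo "UNKNOWN" ;;
  esac
}

# Read "subscription-id<TAB>tier" lines on stdin, print one verdict per
# subscription, and return non-zero unless every subscription is a PASS.
report() {
  local sub tier verdict rc=0
  while IFS="$TAB" read -r sub tier; do
    [ -n "$sub" ] || continue
    verdict=$(tier_verdict "$tier")
    printf '%s\t%s\t%s\n' "$verdict" "$sub" "${tier:-none}"
    [ "$verdict" = "PASS" ] || rc=1
  done
  return "$rc"
}

# Emit "subscription-id<TAB>tier" per enabled subscription. az rest attaches
# the bearer token itself, so it never appears on a process command line.
collect() {
  local sub tier
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    tier=$(az rest --method get \
      --url "https://management.azure.com/subscriptions/${sub}/providers/Microsoft.Security/pricings?api-version=${API_VERSION}" \
      --query "value[?name=='default'].properties.pricingTier | [0]" \
      -o tsv 2>/dev/null) || tier=""
    printf '%s\t%s\n' "$sub" "$tier"
  done
}

# Query the live account only when called as: ./audit-defender-tier.sh run
if [ "${1:-}" = "run" ]; then collect | report; fi
```

The non-zero exit status on any FAIL or UNKNOWN line lets the script act as a scheduled compliance check.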

Remediation / Resolution

To enable the Microsoft Defender for Cloud standard pricing tier for your Azure subscriptions, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to Microsoft Defender for Cloud blade at https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/0.

03 In the main navigation panel, under Management, choose Environment settings.

04 Click on the name (link) of the Azure subscription that you want to access.

05 In the navigation panel, under Settings, choose Defender plans.

06 The minimum requirement for enabling the standard pricing tier (i.e. enhanced security plan) is to set the Servers plan to On in the Status column under Cloud Workload Protection (CWP). To enable the standard pricing tier with all the enhanced security features provided by Microsoft Defender for Cloud, choose Enable all plans (recommended); the enhanced security plan will then be enabled for all the supported Azure cloud resources. Choose Save to apply the changes.

07 Repeat steps no. 4 – 6 for each Microsoft Azure subscription available within your Azure account.

Using Azure CLI

01 Define the configuration parameters for the account get-access-token command, where the "pricingTier" parameter value is set to "Standard" to enable the enhanced security plan. Save the configuration document to a JSON file named enable-enhanced-security-plan.json and replace [azure-subscription-id] with your own Azure account subscription ID:

{  
	"id":"/subscriptions/[azure-subscription-id]/providers/Microsoft.Security/pricings/default",
	"name":"default",
	"type":"Microsoft.Security/pricings",
	"properties":{  
		"pricingTier":"Standard"
	}
}

02 Run account get-access-token command (Windows/macOS/Linux) using the configuration document defined at the previous step (i.e. enable-enhanced-security-plan.json file), to enable the Microsoft Defender for Cloud standard pricing tier (also known as enhanced security plan):

az account get-access-token \
  --query "{subscription:subscription,accessToken:accessToken}" \
  --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" "https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/default?api-version=2017-08-01-preview" -d @enable-enhanced-security-plan.json'

03 The command output should return information about the modified configuration parameter:

{  
	"id":"/subscriptions/abcdabcd-1234-1234-1234-abcdabcdabcd/providers/Microsoft.Security/pricings/default",
	"name":"default",
	"type":"Microsoft.Security/pricings",
	"properties":{  
		"pricingTier":"Standard"
	}
}

04 Repeat steps no. 1 – 3 for each Microsoft Azure subscription available in your Azure cloud account.

Publication date May 21, 2019
