Add Custom Recommendations in Microsoft Defender for Cloud

In this article, we will show you how to add custom recommendations in Microsoft Defender for Cloud and tailor your security requirements based on your organization’s needs.

Introduction

Microsoft Defender for Cloud (formerly Azure Security Center) has two main goals: to help you understand your current security situation, and to help you efficiently and effectively improve your security posture. The central feature of Defender for Cloud that lets you achieve both goals is the Secure Score.

Security recommendations are (built-in) actions for you to take in order to secure your resources. Defender for Cloud periodically analyzes the security state of your Azure and non-Azure resources to identify potential security weaknesses. It then provides you with recommendations on how to remove them; each remediated recommendation raises your secure score.

As part of the enhanced secure score model, recommendations have been grouped into security controls, which are logical groups of related security recommendations. The built-in recommendations were created from best practices identified by the Microsoft security research team, as well as from security recommendations by the product group that owns each Azure service (e.g. storage, key vault, compute, network, app service, etc.).

The security controls allow you to focus on all recommendations that are relevant to a specific scenario, for example, Secure management ports. Each security control shown in the figure below represents a security risk you should mitigate. Start by addressing the recommendations in each control, focusing on the controls worth the most points. To get the maximum score, you need to fix all recommendations for all resources in each control. To understand each security control in more detail, please refer to the following guide from Microsoft.

Microsoft Defender for Cloud | Recommendations

Not long ago, Microsoft announced that you can create your own custom recommendations to help secure your environment based on your organization’s needs. Wouldn’t it be nice to include your custom recommendations alongside the existing (built-in) security recommendations?

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription. If you don’t have an Azure subscription, you can create a free one here.

2) Microsoft Defender for Cloud (free tier or a Microsoft Defender plan enabled). The free tier is enough to use custom recommendations, so you can get continuous assessment and security recommendations for your custom policies across all your Azure resources without enabling a paid plan.

3) One or more (new) custom policy initiatives added under Settings | Security policy. Please note that custom recommendations are now grouped in a separate security control, as shown in the figure below.

Microsoft Defender for Cloud | Custom recommendations

Create a custom policy initiative

To create a custom security policy, first navigate to the Environment settings blade in Microsoft Defender for Cloud. Click the Management Group or Subscription to which you would like to add a custom policy, as shown in the figure below.

Settings | Security policy

In the Settings | Security policy blade, under Custom initiative, click “Add a custom initiative“. Please note that you need the Resource Policy Contributor or Security Admin role to “Add a custom initiative“. The same applies if you want to “Add more standards“.

Add a custom initiative

In the Add custom initiatives blade, you can select one of the custom policy initiatives that are available for the selected scope or you can create a new initiative by clicking on “Create new” as shown in the figure below.

Add custom initiatives

In the Initiative definition blade, select one of your existing custom policy definitions. For this example, I already have a custom policy definition named “Security – Resource Groups – AuditRGLock“. It uses the auditIfNotExists effect to flag resource groups that do not carry a resource lock of the required level (CanNotDelete or ReadOnly), which is passed in as a parameter:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions/resourceGroups"
    },
    "then": {
      "effect": "auditIfNotExists",
      "details": {
        "type": "Microsoft.Authorization/locks",
        "existenceCondition": {
          "field": "Microsoft.Authorization/locks/level",
          "equals": "[parameters('resourceGroupLockLevel')]"
        }
      }
    }
  },
  "parameters": {
    "resourceGroupLockLevel": {
      "type": "String",
      "metadata": {
        "displayName": "Lock level",
        "description": "Required lock level for resource groups."
      },
      "allowedValues": [
        "CanNotDelete",
        "ReadOnly"
      ]
    }
  }
}

Enter a name, description, and select an existing category or create a new one. Then insert Parameters (if required) and then click Save.

Initiative definition

In the “Add custom initiatives” blade, click Refresh. You should now see the newly created custom policy initiative.

As shown in the figure below, its Status is still “Not assigned“. To assign the custom policy initiative, click “Add“.

Add custom initiatives

In the Assign initiative blade, click Next, then “Review + Create“, and finally “Create“. Once the assignment completes, the Security policy blade shows the newly assigned custom initiative.

Your custom initiatives

Please note that the policy assignment takes between 30 minutes and one hour to take effect. After that time, navigate to the Recommendations page to see the new custom recommendation with a “Custom” label, as shown in the figure below.

Controls
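The same three steps (custom policy definition, custom initiative, assignment) can be scripted instead of clicked through. The following is an added example written for this article, not the author's own code or a Microsoft sample: it creates the AuditRGLock definition shown above with Az PowerShell, wraps it in a custom initiative that exposes the lock level as an initiative parameter, and assigns it at subscription scope. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run; the subscription ID and all resource names are placeholders. It also assumes that an initiative assigned with New-AzPolicyAssignment is listed in the Security policy blade like one added from the portal; if it does not appear, assign it from the “Add custom initiatives” blade after step 2 as described above.

```powershell
# Added example (not from the original article): creates the article's
# "Security - Resource Groups - AuditRGLock" definition, wraps it in a custom
# initiative and assigns it, using Az PowerShell instead of the portal.
# Assumptions: Az.Accounts/Az.Resources installed, Connect-AzAccount done,
# and the subscription ID and resource names below are placeholders.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$Scope          = "/subscriptions/$SubscriptionId"

# Policy rule and parameters taken from the definition shown above.
$PolicyRule = @'
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Resources/subscriptions/resourceGroups"
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Authorization/locks",
      "existenceCondition": {
        "field": "Microsoft.Authorization/locks/level",
        "equals": "[parameters('resourceGroupLockLevel')]"
      }
    }
  }
}
'@

$PolicyParameters = @'
{
  "resourceGroupLockLevel": {
    "type": "String",
    "metadata": {
      "displayName": "Lock level",
      "description": "Required lock level for resource groups."
    },
    "allowedValues": [ "CanNotDelete", "ReadOnly" ]
  }
}
'@

# 1) Custom policy definition. Mode "All" is needed because the rule targets
#    resource groups, which are only evaluated in "All" mode.
$DefinitionName = 'AuditRGLock'
New-AzPolicyDefinition -Name $DefinitionName `
    -DisplayName 'Security - Resource Groups - AuditRGLock' `
    -Description 'Audits resource groups that do not carry the required resource lock.' `
    -Mode 'All' `
    -Policy $PolicyRule `
    -Parameter $PolicyParameters `
    -Metadata (ConvertTo-Json -InputObject @{ category = 'Security' }) `
    -SubscriptionId $SubscriptionId | Out-Null
$DefinitionId = "$Scope/providers/Microsoft.Authorization/policyDefinitions/$DefinitionName"

# 2) Custom initiative (policy set) referencing the definition. The lock level
#    is surfaced as an initiative-level parameter so it is set once per assignment.
#    -InputObject keeps the single-element array as a JSON array.
$SetPolicies = ConvertTo-Json -Depth 10 -InputObject @(
    @{
        policyDefinitionId          = $DefinitionId
        policyDefinitionReferenceId = 'auditRgLock'
        parameters = @{
            resourceGroupLockLevel = @{ value = "[parameters('lockLevel')]" }
        }
    }
)
$SetParameters = ConvertTo-Json -Depth 10 -InputObject @{
    lockLevel = @{
        type          = 'String'
        defaultValue  = 'CanNotDelete'
        allowedValues = @('CanNotDelete', 'ReadOnly')
        metadata      = @{ displayName = 'Lock level'; description = 'Required lock level for resource groups.' }
    }
}
$InitiativeName = 'CustomSecurityBaseline'   # placeholder
$Initiative = New-AzPolicySetDefinition -Name $InitiativeName `
    -DisplayName 'Custom security baseline' `
    -Description 'Custom recommendations surfaced in Microsoft Defender for Cloud.' `
    -PolicyDefinition $SetPolicies `
    -Parameter $SetParameters `
    -Metadata (ConvertTo-Json -InputObject @{ category = 'Security' }) `
    -SubscriptionId $SubscriptionId

# 3) Assign the initiative at subscription scope. Defender for Cloud evaluates
#    the assignment on its next policy scan (allow up to an hour, as noted above).
New-AzPolicyAssignment -Name "$InitiativeName-assignment" `
    -DisplayName 'Custom security baseline' `
    -Scope $Scope `
    -PolicySetDefinition $Initiative `
    -PolicyParameterObject @{ lockLevel = 'CanNotDelete' }
```

Keeping the lock level as an initiative parameter rather than hard-coding it in the definition means the same definition can be reused in a stricter initiative (ReadOnly) for production subscriptions without editing the policy rule.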

View custom recommendations

Once the assignment has taken effect (allow up to an hour, as noted above), the custom recommendation appears in the Microsoft Defender for Cloud | Recommendations blade with a “Custom” label, grouped under the “Custom recommendations” security control, as shown in the figure below.

Custom recommendations

There’s more…

The built-in recommendations supplied with Microsoft Defender for Cloud include details such as severity levels and remediation instructions. If you want to add this type of information to your custom recommendations so that it appears in the Azure portal or wherever you access your recommendations, you’ll need to use the REST API.

The two types of information you can add are:

RemediationDescription – String
Severity – Enum [Low, Medium, High]

The metadata should be added to the policy definition for a policy that is part of the custom initiative. It goes in a ‘securityCenter’ property inside the definition’s metadata object (alongside any existing keys such as category), as shown:

 "metadata": {
   "securityCenter": {
     "RemediationDescription": "Custom description goes here",
     "Severity": "High"
   }
 }

For more details of using the securityCenter property, please check this section of the REST API documentation.
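The following is an added example, not the article's own code, that sets this metadata on the AuditRGLock definition through the Azure Policy REST API using Invoke-AzRestMethod. Because a PUT on a policyDefinitions resource replaces the whole definition, the script reads the current definition first and sends the rule, parameters and mode back together with the merged metadata; it also rejects a Severity outside the documented enum before anything reaches the API. It assumes Az.Accounts is installed and signed in; the subscription ID, definition name and remediation text are placeholders.

```powershell
# Added example (not from the original article): attaches Defender for Cloud
# severity and remediation text to the AuditRGLock definition through the
# Azure Policy REST API, via Invoke-AzRestMethod (Az.Accounts, signed in).
# The subscription ID, definition name and remediation text are placeholders.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$DefinitionName = 'AuditRGLock'
$ApiVersion     = '2021-06-01'
$Path = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization" +
        "/policyDefinitions/$DefinitionName" + "?api-version=$ApiVersion"

# Values to add. Severity is an enum in the securityCenter block, so reject
# anything else before it reaches the API.
$Severity    = 'High'
$Remediation = 'Add a CanNotDelete or ReadOnly lock to the resource group ' +
               '(New-AzResourceLock -LockLevel CanNotDelete -ResourceGroupName <rg> -LockName <name>).'
$AllowedSeverities = @('Low', 'Medium', 'High')
if ($Severity -notin $AllowedSeverities) {
    throw "Severity must be one of: $($AllowedSeverities -join ', ')"
}
if ([string]::IsNullOrWhiteSpace($Remediation)) {
    throw 'RemediationDescription must be a non-empty string'
}

# 1) Read the current definition. PUT replaces the whole definition, so the
#    rule, parameters and mode must be sent back along with the new metadata.
$get = Invoke-AzRestMethod -Path $Path -Method GET
if ($get.StatusCode -ne 200) {
    throw "GET failed with $($get.StatusCode): $($get.Content)"
}
$def = $get.Content | ConvertFrom-Json

# 2) Merge securityCenter into the existing metadata so keys such as
#    category survive the round trip.
$metadata = @{}
if ($null -ne $def.properties.metadata) {
    foreach ($p in $def.properties.metadata.PSObject.Properties) {
        $metadata[$p.Name] = $p.Value
    }
}
$metadata['securityCenter'] = @{
    RemediationDescription = $Remediation
    Severity               = $Severity
}

# 3) Write the full definition back with the merged metadata.
$body = @{
    properties = @{
        displayName = $def.properties.displayName
        description = $def.properties.description
        policyType  = 'Custom'
        mode        = $def.properties.mode
        metadata    = $metadata
        parameters  = $def.properties.parameters
        policyRule  = $def.properties.policyRule
    }
} | ConvertTo-Json -Depth 30

$put = Invoke-AzRestMethod -Path $Path -Method PUT -Payload $body
if ($put.StatusCode -notin @(200, 201)) {
    throw "PUT failed with $($put.StatusCode): $($put.Content)"
}

# Echo what the service stored, to confirm the block was accepted as sent.
($put.Content | ConvertFrom-Json).properties.metadata.securityCenter
```

If you create the definition with Az PowerShell in the first place, the same metadata JSON can be supplied up front through the -Metadata parameter of New-AzPolicyDefinition, which avoids the read-modify-write round trip.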

That’s it, there you have it!

Summary

Custom recommendations in Microsoft Defender for Cloud are a great way to customize and tailor your security requirements based on your organization’s needs and internal processes.

In this article, we showed you how to create your own custom policy initiatives, and then add and integrate the custom recommendation(s) in Microsoft Defender for Cloud, so you can efficiently and effectively improve your security posture which is the central aspect of Defender for Cloud.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-