🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
13Dashboards
1311Benchmarks
430Queries
2Variables
GitHub

Control: 2.8 Ensure that Azure Defender is set to On for Key Vault

Description

Enabling Azure Defender threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. It also allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Remediation

From Console

Perform the following action to check Azure Defender is set to On for Key Vault:

  1. Login to Azure console and navigate to Security Center.
  2. Select Pricing & settings blade under Management.
  3. Click on the subscription name, Azure Defender plans blade got selected.
  4. For the Key Vault resource type Plan should be set to On.

Perform the following action to enable Azure Defender for Key Vault:

  1. Login to Azure console and navigate to Security Center.
  2. Select Pricing & settings blade under Management.
  3. Click on the subscription name, Azure Defender plans blade got selected.
  4. For the Key Vault resource type Plan set it to On.

From Command Line

Command to enable Azure defender for Key Vault

az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pr icings/StorageAccounts?api-version=2018-06-01 -d@"input.json"'

Where input.json contains the request body json data as mentioned below

{
  "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/pricings/ StorageAccounts",
  "name":"KeyVaults",
  "type":"Microsoft.Security/pricings",
  "properties":{
    "pricingTier":"Standard"
  }
}

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v130_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v130_2_8 --share

SQL

This control uses a named query:

select
  sub_pricing.id as resource,
  case
    when pricing_tier = 'Standard' then 'ok'
    else 'alarm'
  end as status,
  case
    when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.'
    else 'Azure Defender off for Key Vaults.'
  end as reason
  
  , sub.display_name as subscription
from
  azure_security_center_subscription_pricing sub_pricing
  right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
where
  name = 'KeyVaults';

Tags

category = Compliance
cis = true
cis_item_id = 2.8
cis_level = 2
cis_section_id = 2
cis_type = manual
cis_version = v1.3.0
plugin = azure
service = Azure/SecurityCenter