Control: 2.8 Ensure that Microsoft Defender for Key Vault is set to 'On'
Description
Enabling Azure Defender threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center. It also allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).
Remediation
From Console
Perform the following action to check Azure Defender is set to On for Key Vault:
- Go to
Microsoft Defender for Cloud - Select
Environment Settingsblade - Click on the subscription name
- Select the
Defender plansblade - On the line in the table for
StorageSelectOnunderPlan - Select
Save
From Command Line
Command to enable Azure defender for Key Vault
az account get-access-token --query "{subscription:subscription,accessToken:accessToken}" --out tsv | xargs -L1 bash -c 'curl -X PUT -H "Authorization: Bearer $1" -H "Content-Type: application/json" https://management.azure.com/subscriptions/$0/providers/Microsoft.Security/pricings/StorageAccounts?api-version=2018-06-01 -d@"input.json"'
Where input.json contains the request body json data as mentioned below
{ "id":"/subscriptions/<Your_Subscription_Id>/providers/Microsoft.Security/pricings/KeyVaults", "name":"KeyVaults", "type":"Microsoft.Security/pricings", "properties":{ "pricingTier":"Standard" }}
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v140_2_8Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v140_2_8 --shareSQL
This control uses a named query:
select sub_pricing.id as resource, case when pricing_tier = 'Standard' then 'ok' else 'alarm' end as status, case when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.' else 'Azure Defender off for Key Vaults.' end as reason , sub.display_name as subscriptionfrom azure_security_center_subscription_pricing sub_pricing right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_idwhere name = 'KeyVaults';