🚀Launch Week 09, June 30th - July 4th, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-azure-compliance
Overview
15Dashboards
1464Benchmarks
449Queries
2Variables
GitHub

Control: 9.1.3.1 Ensure that Defender for Servers is set to 'On'

Description

The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk by providing actionable recommendations to improve and remediate machine security posture. Defender for Servers also helps to protect machines against real-time security threats and attacks.

Defender for Servers offers two paid plans:

Plan 1

The following components are enabled by default:

  • Log Analytics agent (deprecated)
  • Endpoint protection

Plan 1 also offers the following components, disabled by default:

  • Vulnerability assessment for machines
  • Guest Configuration agent (preview)

Plan 2

The following components are enabled by default:

  • Log Analytics agent (deprecated)
  • Vulnerability assessment for machines
  • Endpoint protection
  • Agentless scanning for machines

Plan 2 also offers the following components, disabled by default:

  • Guest Configuration agent (preview)
  • File Integrity Monitoring.

Enabling Defender for Servers allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).

Remediation

From Azure Portal

  1. Go to Microsoft Defender for Cloud.
  2. Under Management, select Environment settings.
  3. Click on a subscription name.
  4. Click Defender plans in the left pane.
  5. Under Cloud Workload Protection (CWP), locate Servers in the Plan column, set Status to On.
  6. Select Save.
  7. Repeat steps 1-6 for each subscription requiring remediation.

From Azure CLI

Run the following command:

az security pricing create -n VirtualMachines --tier 'standard'

From PowerShell

Run the following command:

Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'

Default Value

By default, the Defender for Servers plan is disabled.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v400_9_1_3_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v400_9_1_3_1 --share

SQL

This control uses a named query:

select
  p.id as resource,
  case
    when p.name = 'VirtualMachines' and p.pricing_tier = 'Standard' then 'ok'
    else 'alarm'
  end as status,
  case
    when p.name = 'VirtualMachines' and p.pricing_tier = 'Standard' 
      then 'Microsoft Defender for Servers is enabled with ' || p.pricing_tier || ' tier.'
    when p.name = 'VirtualMachines' 
      then 'Microsoft Defender for Servers is disabled, current tier: ' || p.pricing_tier || '.'
    else 'Microsoft Defender for Servers pricing not found.'
  end as reason,
  p.subscription_id,
  p.cloud_environment
from
  azure_security_center_subscription_pricing p
where
  p.name = 'VirtualMachines';

Tags

category = Compliance
cis = true
cis_item_id = 9.1.3.1
cis_level = 2
cis_section_id = 9.1.3
cis_type = automated
cis_version = v4.0.0
plugin = azure
service = Azure/SecurityCenter