Control: 2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected
Description
This setting enables Windows Defender ATP (WDATP) integration with Security Center. WDATP integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within security center. This integration helps to spot abnormalities, detect and respond to advanced attacks on Windows server endpoints monitored by Azure Security Center.
Windows Defender ATP in Security Center supports detection on Windows Server 2016, 2012 R2, and 2008 R2 SP1 operating systems in a Standard service subscription. WDATP works only with Standard Tier subscriptions.
Remediation
From Console
Perform the following action to check Azure Defender is set to On for Key Vault:
- Login to Azure console and navigate to Security Center.
- Select
Pricing & settingsblade under Management. - Click on the subscription name, select
Threat Detection. - Ensure setting
Allow Microsoft Defender ATP to access my datais selected.
Perform the following action to enable Azure Defender for Key Vault:
- Login to Azure console and navigate to Security Center.
- Select
Pricing & settingsblade under Management. - Click on the subscription name, select
Threat Detection. - Select
Allow Microsoft Defender ATP to access my data. - Click Save.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cis_v130_2_9Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_compliance.control.cis_v130_2_9 --shareSQL
This control uses a named query:
select sc_sett.id as resource, case when enabled then 'ok' else 'alarm' end as status, case when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' end as reason , sub.display_name as subscriptionfrom azure_security_center_setting sc_sett right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_idwhere name = 'WDATP';