1 00:00:01,540 --> 00:00:03,880 [Autogenerated] Now we're going to come back to the automation account, 2 00:00:03,880 --> 00:00:08,120 but let's jump over to Defender for Cloud because I wanted to briefly 3 00:00:08,120 --> 00:00:10,880 demo Microsoft Defender for Servers. 4 00:00:10,880 --> 00:00:13,730 Now, this is a pretty robust platform. 5 00:00:13,730 --> 00:00:16,670 We've discussed it a bit in this learning path so far. 6 00:00:16,670 --> 00:00:20,360 The bottom line is, if you go to Getting started, you can enable the 7 00:00:20,360 --> 00:00:23,200 Microsoft Defender features in your subscription 8 00:00:23,200 --> 00:00:24,000 à la carte. 9 00:00:24,000 --> 00:00:27,970 And as you can see, I've turned on Microsoft Defender for Servers here; 10 00:00:27,970 --> 00:00:30,740 it's going to be a fixed cost per server per month. 11 00:00:30,740 --> 00:00:34,830 And this then will surface recommendations for our servers, 12 00:00:34,830 --> 00:00:37,620 our Arc servers and our native Azure servers. 13 00:00:37,620 --> 00:00:38,480 Speaking of which, 14 00:00:38,480 --> 00:00:41,460 let's come back over to Secure Score and let's take a 15 00:00:41,460 --> 00:00:43,830 look at some of those recommendations. 16 00:00:43,830 --> 00:00:47,240 Let's come into my subscription, and we can see, for instance, under 17 00:00:47,240 --> 00:00:50,900 the Remediate vulnerabilities capability, "Machines should have a 18 00:00:50,900 --> 00:00:52,780 vulnerability assessment solution." 19 00:00:52,780 --> 00:00:57,000 Now, I had mentioned that when you turn on Microsoft Defender for Servers, 20 00:00:57,000 --> 00:01:00,380 you get an integrated license for Microsoft Defender, 21 00:01:00,380 --> 00:01:01,820 the vulnerability scanner. 22 00:01:01,820 --> 00:01:06,720 So it looks like I've got five machines that do have the Microsoft Threat and 23 00:01:06,720 --> 00:01:10,450 Vulnerability Management software, or agent, already installed.
24 00:01:10,450 --> 00:01:14,500 And here we have our Arc machine as well as our native Windows machines. 25 00:01:14,500 --> 00:01:17,950 But I can fix this problem with cli one. 26 00:01:17,950 --> 00:01:20,500 Now, notice it says Fix. In many cases, 27 00:01:20,500 --> 00:01:25,120 Microsoft Defender for Cloud is able to remediate, literally, in its own 28 00:01:25,120 --> 00:01:28,300 automatic way, but there are some remediations that are more 29 00:01:28,300 --> 00:01:32,250 complicated that you need to spearhead, and what you've got there is 30 00:01:32,250 --> 00:01:34,930 integration with the Logic Apps platform. 31 00:01:34,930 --> 00:01:39,380 A logic app is a member of the Azure App Services family that allows you 32 00:01:39,380 --> 00:01:43,370 to stitch together various REST APIs, or application programming 33 00:01:43,370 --> 00:01:46,840 interfaces, to perform business process automation. 34 00:01:46,840 --> 00:01:49,750 So in this case, if this were a more complex solution, 35 00:01:49,750 --> 00:01:54,090 maybe where you wanted to install a third-party vulnerability assessment 36 00:01:54,090 --> 00:01:58,570 solution that needed notification and more robust management, 37 00:01:58,570 --> 00:02:03,180 you can code that in your logic app, and "code" is kind of a play on words 38 00:02:03,180 --> 00:02:06,920 because one of the benefits of the logic app is that there's a graphical 39 00:02:06,920 --> 00:02:11,630 designer where you can simply sign into these different SaaS services and 40 00:02:11,630 --> 00:02:15,300 then stitch together your process workflow without having to know a 41 00:02:15,300 --> 00:02:16,360 programming language.
42 00:02:16,360 --> 00:02:19,880 That's actually one of the benefits of the logic app, but that's an 43 00:02:19,880 --> 00:02:23,640 exam alert only inasmuch as, on your AZ-800 exam, 44 00:02:23,640 --> 00:02:26,770 if it talks about a way to create a more complex 45 00:02:26,770 --> 00:02:29,750 remediation in Microsoft Defender for Cloud, er, 46 00:02:29,750 --> 00:02:30,650 Azure Sentinel, 47 00:02:30,650 --> 00:02:35,150 the correct answer would be triggering or creating a logic app and then 48 00:02:35,150 --> 00:02:39,080 scheduling your fix to trigger that logic app. Makes sense? 49 00:02:39,080 --> 00:02:39,530 Alright, 50 00:02:39,530 --> 00:02:42,420 that's really mainly what I wanted to cover here in 51 00:02:42,420 --> 00:02:44,430 Microsoft Defender for Servers: 52 00:02:44,430 --> 00:02:47,850 the fact that you wind up with that integrated license for the 53 00:02:47,850 --> 00:02:51,230 vulnerability scanner, and you can take advantage of the 54 00:02:51,230 --> 00:02:53,770 results of those vulnerability scans. 55 00:02:53,770 --> 00:02:56,630 If we go under Workload protections, for example, 56 00:02:56,630 --> 00:03:00,150 we can, number one, scroll down to the bottom and check out 57 00:03:00,150 --> 00:03:03,520 our VM vulnerability assessment results, and again it looks 58 00:03:03,520 --> 00:03:05,330 like I still have some machines, 59 00:03:05,330 --> 00:03:10,080 one Arc machine, and perhaps the remediation hasn't gone through 60 00:03:10,080 --> 00:03:13,240 on cli one yet to bring those guys into scope.
61 00:03:13,240 --> 00:03:14,790 But then, more importantly, 62 00:03:14,790 --> 00:03:18,780 we can see the fruits of the vulnerability scanning up here, 63 00:03:18,780 --> 00:03:20,190 right on the alerts list, 64 00:03:20,190 --> 00:03:24,100 where I've got a bunch of suspicious authentication activity 65 00:03:24,100 --> 00:03:27,780 entries here for various machines, and if you click in there 66 00:03:27,780 --> 00:03:31,400 you can view the full details, see the affected resource. 67 00:03:31,400 --> 00:03:34,600 Let me click View full details, and in this case it shows me 68 00:03:34,600 --> 00:03:38,240 the attacker's IP address; it looks like they're trying to do 69 00:03:38,240 --> 00:03:42,760 RDP sessions to this machine, trying different user names. 70 00:03:42,760 --> 00:03:46,000 So this is definitely one of the hazards of having a public 71 00:03:46,000 --> 00:03:48,550 IP address on an Azure virtual machine. 72 00:03:48,550 --> 00:03:51,840 I can essentially guarantee you'll see this kind of problem. 73 00:03:51,840 --> 00:03:55,680 A nice thing about Microsoft Defender for Cloud and for Servers 74 00:03:55,680 --> 00:03:59,850 is that you can wind up tracking incidents, that is, collections of 75 00:03:59,850 --> 00:04:01,910 these individual security alerts. 76 00:04:01,910 --> 00:04:05,720 Although really that notion of the collection, the incident, 77 00:04:05,720 --> 00:04:09,360 has really been offloaded into Azure Sentinel. 78 00:04:09,360 --> 00:04:17,000 It used to be completely a part of what was called Azure Security Center, but that's no longer the case.