Enable Azure Defender for all resource types using Azure Policies

For security reasons, I have to enable Azure Defender for all resource types in ASC. Since we really do have a lot of different subscriptions in Azure, and the number keeps growing, we have to configure Azure Policy to enforce this.

There is already an option to enable Azure Defender for all resources, but I could not find anything useful in the documentation on enabling it through Azure Policy.

I have two solutions that would meet my requirements. The first is that we enable Azure Defender for all resource types; the other is that we enable only specific resource types (for me, currently only the resource type for open-source relational databases is relevant).

I only found the initiative that deploys Azure Defender to the database server, but it does not activate that option inside my Azure Security Center. Does Microsoft have any other documentation on how to achieve this?

We have the same requirement. I created a custom policy with "deployIfNotExists" to activate the ASC Standard tier as the prerequisite for activating the required Azure Defender components.

"if" : {
  "allOf" : [
    {
      "field" : "type",
      "equals" : "Microsoft.Resources/subscriptions"
    }
  ]
},
"then" : {
  "effect" : "deployIfNotExists",
  "details" : {
    "type" : "Microsoft.Security/pricings",
    "deploymentScope" : "Subscription",
    "existenceScope" : "Subscription",
    "roleDefinitionIds" : [
      "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
    ],
    "existenceCondition" : {
      "field" : "Microsoft.Security/pricings/pricingTier",
      "equals" : "Standard"
    },
    "deployment" : {
      "location" : "westeurope",
      "properties" : {
        "mode" : "incremental",
        "parameters" : {},
        "template" : {
          "$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
          "contentVersion" : "1.0.0.0",
          "parameters" : {},
          "variables" : {},
          "resources" : [
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2017-08-01-preview",
              "name" : "default",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "AppServices",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "ContainerRegistry",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "KeyVaults",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "KubernetesService",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "SqlServers",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "SqlServerVirtualMachines",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "StorageAccounts",
              "properties" : {
                "pricingTier" : "Standard"
              }
            },
            {
              "type" : "Microsoft.Security/pricings",
              "apiVersion" : "2018-06-01",
              "name" : "VirtualMachines",
              "properties" : {
                "pricingTier" : "Standard"
              }
            }
          ],
          "outputs" : {}
        }
      }
    }
  }
}

But this does not work.

Reason for non-compliance: Current value must be equal to the target value.
Field: Microsoft.Security/pricings/pricingTier
Path: properties.pricingTier
Current value: "Free"
Target value: "Standard"

We have opened a corresponding ticket with Microsoft, but have not yet received any effective help from them. When opening the ticket, I received this article as a possible solution, which I had not found before. Maybe it helps you.

https://techcommunity.microsoft.com/t5/azure-security-center/managing-security-center-at-scale-using-arm-templates-and-azure/ba-p/327761

Microsoft Defender for Cloud (Azure Security Center) has built-in Azure Policies to enforce enabling the Defender plans.

For a single subscription, you can use the "Enforce" option in the "Microsoft Defender for X should be enabled" recommendation, which takes you to the relevant policy-creation page.

Or, through the Azure Policy portal, assign the same policies directly at subscription or management-group scope: the "Configure Azure Defender for X to be enabled" policies. Assign them with "deployIfNotExists" and they will enforce the Defender plan state.
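The built-in per-plan policies referred to above and the subscription-wide custom rule posted in the first answer share one shape: a deployIfNotExists rule matched against the subscription, with an existenceCondition over Microsoft.Security/pricings. The Python below is an added example, not code from this thread or from Microsoft; it generates that shape for each plan and pre-checks a pricings listing against it, so you can see which plans a remediation task would touch before assigning anything. The plan names, the Security Admin role id, the 2018-06-01 pricings API and the listing format are assumptions taken from the Azure REST API; the sample listing is constructed.

```python
"""Per-plan Defender for Cloud policy definitions plus a local pre-check.

Added example, not code from the thread. It mirrors the shape of the built-in
"Configure Azure Defender for X to be enabled" policies: one deployIfNotExists
rule per plan whose existenceCondition keys on the pricing resource *name* as
well as its tier. Plan names, role id and the pricings listing format are
assumed from the Microsoft.Security/pricings 2018-06-01 API.
"""
import json

PRICINGS_API = "2018-06-01"
# Security Admin can write Microsoft.Security/pricings; the remediation
# identity does not need Owner (assumed role id from Azure built-in roles).
SECURITY_ADMIN_ROLE = (
    "/providers/Microsoft.Authorization/roleDefinitions/"
    "fb1c8493-542b-48eb-b624-b4c8fea62acd"
)
# Plan (pricing resource) names; "default" is the legacy subscription-wide
# tier rather than a plan, so it is not listed here.
DEFENDER_PLANS = [
    "VirtualMachines", "SqlServers", "SqlServerVirtualMachines", "AppServices",
    "StorageAccounts", "KeyVaults", "KubernetesService", "ContainerRegistry",
]


def pricing_resource(plan, tier="Standard"):
    """ARM resource that sets one plan's tier in a subscription deployment."""
    return {
        "type": "Microsoft.Security/pricings",
        "apiVersion": PRICINGS_API,
        "name": plan,
        "properties": {"pricingTier": tier},
    }


def policy_rule(plan, location="westeurope"):
    """policyRule for one plan, evaluated against the subscription resource."""
    return {
        "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
        "then": {
            "effect": "deployIfNotExists",
            "details": {
                "type": "Microsoft.Security/pricings",
                "deploymentScope": "subscription",
                "existenceScope": "subscription",
                "roleDefinitionIds": [SECURITY_ADMIN_ROLE],
                # Both clauses matter: a tier-only condition is satisfied by
                # any pricing resource already on Standard, not this plan's.
                "existenceCondition": {"allOf": [
                    {"field": "name", "equals": plan},
                    {"field": "Microsoft.Security/pricings/pricingTier",
                     "equals": "Standard"},
                ]},
                "deployment": {
                    "location": location,
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "resources": [pricing_resource(plan)],
                        },
                    },
                },
            },
        },
    }


def policy_definition(plan):
    """Body for PUT .../Microsoft.Authorization/policyDefinitions/{name}."""
    return {"properties": {
        "displayName": f"Configure Azure Defender for {plan} to be enabled",
        "policyType": "Custom",
        "mode": "All",
        "policyRule": policy_rule(plan),
    }}


def plan_condition_met(pricing, plan):
    """Local evaluation of the per-plan existenceCondition for one resource."""
    return (pricing.get("name") == plan
            and pricing.get("properties", {}).get("pricingTier") == "Standard")


def plans_needing_remediation(pricings, plans=DEFENDER_PLANS):
    """Plans whose deployIfNotExists fires: no resource satisfies the condition."""
    return [p for p in plans
            if not any(plan_condition_met(r, p) for r in pricings)]


def tier_only_condition_met(pricings):
    """What a tier-only existenceCondition (no name clause) accepts."""
    return any(r.get("properties", {}).get("pricingTier") == "Standard"
               for r in pricings)


# Constructed sample (not real data): trimmed "value" array of
# GET /subscriptions/{id}/providers/Microsoft.Security/pricings?api-version=2018-06-01
# for a subscription where only two plans have been upgraded so far.
SAMPLE_PRICINGS = [
    {"name": n, "type": "Microsoft.Security/pricings",
     "properties": {"pricingTier": t}}
    for n, t in [
        ("VirtualMachines", "Standard"), ("SqlServers", "Free"),
        ("SqlServerVirtualMachines", "Free"), ("AppServices", "Free"),
        ("StorageAccounts", "Standard"), ("KeyVaults", "Free"),
        ("KubernetesService", "Free"), ("ContainerRegistry", "Free"),
    ]
]

if __name__ == "__main__":
    print("plans to remediate:", plans_needing_remediation(SAMPLE_PRICINGS))
    print("tier-only condition already satisfied:",
          tier_only_condition_met(SAMPLE_PRICINGS))
    print(json.dumps(policy_definition("SqlServers"), indent=2))
```

Assign each generated definition at management-group scope with a system-assigned identity that holds Security Admin on that scope, then start a remediation task: deployIfNotExists only deploys on its own when a subscription is created or updated, so existing subscriptions stay non-compliant until remediation runs. The tier-only check shows why keying the condition on the plan name matters: once any single plan is on Standard, a condition without the name clause is already satisfied and nothing further is deployed.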