Introduction
This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Defender for Cloud plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud please read How to Effectively Perform a Microsoft Defender for Cloud PoC article.
Planning
As part of your Microsoft Defender for Resource Manager PoC you need to identify the use case scenarios that you want to validate. A common scenario is cloud service discovery, where an adversary may try to enumerate the cloud services that are running via calls to Azure Resource Manager. You can use the Alerts identified by Microsoft Defender for Resource Manager as your starting point to plan which actions you want to execute.
Since the enablement of this plan is performed on the Azure back end, it will not affect the performance of your workloads in Azure.
Keep in mind that you have 30 days free trial of Microsoft Defender for Resource Manager, which means that you should plan to execute your PoC prior to this expiration and based on the results keep it enabled or not.
Preparation
You need at least Security Admin role to enable Microsoft Defender for Resource Manager. For more information about roles and privileges, visit this article. If you are conducting this PoC in partnership with the SOC Team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available at our Alerts Reference Guide.
From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for Resource Manager:
- Microsoft Defender for ARM and DNS | Microsoft Defender for Cloud in the Field #13
- Microsoft Defender for Resource Manager Documentation
Implementation and validation
You can use the sample alert feature to validate Microsoft Defender for Resource Manager alerts, or you can use the procedures from this article to simulate an attack and see how Microsoft Defender for Resource Manager detects. As you review each alert is important to understand how to make sense of the metadata available. Read this article for more information on how to respond to ARM alerts.
Conclusion
By the end of this PoC you should be able to determine the value of this solution and the importance to have this level of threat detection to your workloads.
P.S. Subscribe to our Microsoft Defender for Cloud to stay up to date on helpful tips and new releases and join our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.