Defender for Cloud Components, Roles, Policies, and Agents


Defender for Cloud Components

Microsoft Defender for Cloud is composed of several integrated components that work together to provide continuous security posture management, threat detection, vulnerability assessment, and compliance monitoring across cloud and hybrid environments. These components operate across infrastructure, workloads, applications, and management layers to provide a unified security architecture.

The following table describes the primary components of Microsoft Defender for Cloud and explains their roles within the overall cloud security framework.

| Component | Description | Function in Security Architecture |
| --- | --- | --- |
| Cloud Security Posture Management (CSPM) | Provides continuous evaluation of cloud resource configurations against security best practices and compliance standards. | Identifies misconfigurations, reduces attack surface, and improves overall security posture through security recommendations and Secure Score evaluation. |
| Cloud Workload Protection Platform (CWPP) | Provides runtime protection for workloads such as servers, containers, databases, and applications. | Detects malicious activity, malware, suspicious processes, and abnormal behavior in running workloads. |
| Secure Score | A security measurement system that evaluates how well cloud resources follow recommended security practices. | Helps administrators prioritize remediation actions by quantifying the organization's security posture. |
| Security Recommendations Engine | Generates actionable remediation guidance based on detected vulnerabilities or misconfigurations. | Guides administrators on how to fix security issues, reduce risk exposure, and improve compliance posture. |
| Compliance Manager Integration | Maps resource configurations to regulatory frameworks and security benchmarks. | Helps organizations maintain compliance with standards such as CIS, regulatory frameworks, and internal policies. |
| Defender Plans | Individual protection plans designed for specific Azure services such as servers, containers, databases, and storage. | Provides specialized threat detection and security controls tailored to specific workload types. |
| Vulnerability Assessment Engine | Continuously scans operating systems, container images, and applications for known vulnerabilities. | Identifies outdated software, missing patches, and security weaknesses that attackers could exploit. |
| Agent-Based Monitoring | Uses monitoring agents deployed on servers to collect system telemetry and security data. | Enables deep inspection of operating system activity, process behavior, and security events. |
| Agentless Scanning | Uses snapshot and API-based analysis to evaluate workloads without installing agents. | Allows security teams to assess vulnerabilities across environments quickly without deploying additional software. |
| Azure Policy Integration | Uses policy definitions to enforce security standards across Azure resources. | Automatically applies security configurations and ensures compliance with security policies. |
| Security Alerts Engine | Detects suspicious activities using analytics, machine learning, and threat intelligence. | Generates alerts when potential security threats or anomalies are detected. |
| Threat Intelligence Integration | Uses Microsoft global threat intelligence feeds to identify emerging attack patterns and malicious activity. | Enhances detection accuracy and provides context for security alerts. |
| Attack Path Analysis | Identifies chains of vulnerabilities that could allow attackers to move laterally across systems. | Helps security teams understand potential attack scenarios and prioritize remediation actions. |
| Container Security Module | Provides vulnerability scanning and runtime protection for container workloads. | Secures container images and Kubernetes environments against supply chain and runtime attacks. |
| DevOps Security Integration | Integrates with development pipelines to scan code, container images, and infrastructure templates before deployment. | Prevents insecure configurations and vulnerable code from reaching production environments. |
| Multicloud Connectors | Integrates AWS and Google Cloud environments into Defender for Cloud monitoring. | Provides consistent security visibility across multiple cloud platforms. |
| Azure Arc Integration | Extends Defender protections to on-premises servers and Kubernetes clusters. | Enables hybrid cloud security management through centralized monitoring and policy enforcement. |
| Security Dashboard | Centralized interface within the Azure portal for monitoring alerts, recommendations, and security posture metrics. | Provides visibility into security risks and helps administrators manage remediation efforts efficiently. |

Together, these components form a layered cloud security architecture that provides visibility, protection, and governance across modern cloud infrastructures. Defender for Cloud leverages automation, analytics, and global threat intelligence to continuously monitor environments and respond to emerging threats, helping organizations maintain a strong security posture across hybrid and multi-cloud environments.


Microsoft Defender for Cloud Roles

Microsoft Defender for Cloud uses Azure Role-Based Access Control to manage permissions and responsibilities across security operations, infrastructure administration, and compliance monitoring. These roles define what actions users can perform, what security information they can access, and what configurations they can modify within Defender for Cloud.

Access to Defender for Cloud capabilities is typically assigned based on job responsibilities within the organization. Security teams often receive roles that allow them to view and manage security alerts, while infrastructure administrators may receive broader permissions to configure resources and enable protection plans. The following table lists the primary roles used when managing Microsoft Defender for Cloud environments and explains their purpose within the cloud security architecture.

| Role | Description | Primary Responsibilities |
| --- | --- | --- |
| Owner | The Owner role provides full administrative control over an Azure subscription, including security services such as Defender for Cloud. | Can enable Defender plans, configure security policies, manage security alerts, and assign access to other users. |
| Contributor | The Contributor role allows users to create and manage Azure resources but does not allow them to grant permissions to other users. | Can configure Defender settings, implement security recommendations, and manage protected resources. |
| Reader | The Reader role provides read-only access to Azure resources and Defender for Cloud dashboards. | Allows users to view security posture, alerts, and recommendations without making changes. |
| Security Administrator | A specialized role designed for security teams responsible for managing cloud security configurations. | Can modify security policies, enable Defender protection plans, configure threat detection settings, and respond to alerts. |
| Security Reader | Provides read-only access specifically focused on security data. | Allows users to view security alerts, recommendations, compliance reports, and Secure Score metrics. |
| Global Administrator | A high-level administrative role in Microsoft Entra ID that has authority across all Microsoft cloud services. | Can configure Defender for Cloud at the organizational level and manage identity-related security settings. |
| Compliance Administrator | Responsible for managing regulatory compliance and security governance policies. | Reviews compliance dashboards, ensures security configurations meet regulatory standards, and manages compliance reporting. |
| Log Analytics Contributor | Provides permissions to manage Log Analytics workspaces used by Defender for Cloud for telemetry and security data analysis. | Configures data collection, monitoring rules, and security log analysis used for threat detection. |
| Monitoring Contributor | Allows users to configure monitoring and diagnostic settings across Azure resources. | Enables logging, configures alerts, and manages monitoring configurations that support Defender threat detection. |
| Kubernetes Cluster Admin | Provides administrative access to Kubernetes clusters monitored by Defender for Containers. | Configures cluster security, deploys Defender sensors, and manages container security policies. |
| Azure Policy Contributor | Allows users to create and manage Azure Policy definitions used by Defender for Cloud security posture management. | Implements security policies that enforce configuration standards across cloud resources. |
| DevOps Security Administrator | Responsible for integrating security scanning into development pipelines. | Manages container scanning, DevOps security policies, and infrastructure-as-code security analysis. |

These roles work together to create a structured security governance model for Microsoft Defender for Cloud. Infrastructure administrators maintain cloud resources, security teams monitor threats and configure protection policies, and compliance teams ensure that environments meet regulatory and organizational security requirements.

By using role-based access control, organizations can implement the principle of least privilege, ensuring that users only receive the permissions necessary to perform their responsibilities. This approach reduces the risk of unauthorized changes to security configurations while maintaining strong oversight of cloud security operations. 
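A way to turn the least-privilege principle above into a repeatable review, as an added example that is not Microsoft's code: the assignment records are constructed to resemble the fields returned by `az role assignment list` (principalName, roleDefinitionName, scope), the job-function-to-role mapping and the privilege ordering are assumptions about what each team needs for Defender for Cloud work, and "Security Admin" is the built-in role name for the Security Administrator role described in the table.

```python
"""Least-privilege review of Azure RBAC role assignments (added example)."""
from typing import Optional

# Assumed ordering from least to most privileged for this review.
PRIVILEGE_ORDER = ["Reader", "Security Reader", "Security Admin", "Contributor", "Owner"]

# Assumed minimum role each job function needs in Defender for Cloud.
NEEDED_ROLE = {
    "soc-analyst": "Security Reader",
    "security-engineer": "Security Admin",
    "platform-admin": "Owner",
}

# Constructed sample data: a placeholder subscription id and four assignments.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Security Reader", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "carol@example.com", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-prod"},
    {"principalName": "dave@example.com", "roleDefinitionName": "Owner", "scope": SUB},
]
JOB_FUNCTION = {
    "alice@example.com": "soc-analyst",
    "bob@example.com": "soc-analyst",
    "carol@example.com": "security-engineer",
    "dave@example.com": "platform-admin",
}


def rank(role: str) -> int:
    return PRIVILEGE_ORDER.index(role)


def covers(assignment_scope: str, target_scope: str) -> bool:
    """Azure RBAC inherits down the hierarchy: an assignment at the
    subscription applies to every resource group beneath it."""
    return target_scope == assignment_scope or target_scope.startswith(assignment_scope + "/")


def effective_role(principal: str, scope: str, assignments: list) -> Optional[str]:
    """Broadest role the principal holds at `scope` once inheritance is applied."""
    held = [a["roleDefinitionName"] for a in assignments
            if a["principalName"] == principal and covers(a["scope"], scope)]
    return max(held, key=rank) if held else None


def overprivileged(assignments: list, job_function: dict, scope: str) -> list:
    """Return (principal, held role, needed role) for each principal whose
    effective role at `scope` is broader than their job function requires."""
    findings = []
    for principal, function in job_function.items():
        held = effective_role(principal, scope, assignments)
        needed = NEEDED_ROLE[function]
        if held is not None and rank(held) > rank(needed):
            findings.append((principal, held, needed))
    return findings


if __name__ == "__main__":
    for finding in overprivileged(ASSIGNMENTS, JOB_FUNCTION, SUB + "/resourceGroups/rg-prod"):
        print("over-privileged: %s holds %s, needs %s" % finding)
```

Running the review at a resource group scope catches both a subscription-wide Owner inherited downward and a Contributor granted directly on the group; at subscription scope only the inherited Owner is reported.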

Microsoft Defender for Cloud Policies

Microsoft Defender for Cloud uses security policies to enforce security standards, detect configuration weaknesses, and ensure that cloud resources comply with best practices and regulatory requirements. These policies are implemented through Azure Policy and are automatically applied to Azure subscriptions, resource groups, or management groups.

Security policies define rules that continuously evaluate cloud resources. When resources do not meet required security configurations, Defender for Cloud generates recommendations and alerts. Administrators can use these policies to enforce security baselines, reduce misconfigurations, and strengthen the organization’s security posture.

The following table explains the primary Defender for Cloud policy categories and their functions within the cloud security framework.

| Policy Category | Description | Security Purpose |
| --- | --- | --- |
| Endpoint Protection Policy | Ensures that endpoint protection software is installed and configured on virtual machines and servers. | Protects workloads from malware, ransomware, and other endpoint threats. |
| System Updates Policy | Verifies that operating systems and installed software are regularly updated with security patches. | Reduces vulnerabilities caused by outdated software and missing security patches. |
| Disk Encryption Policy | Ensures that disks attached to virtual machines are encrypted using approved encryption mechanisms. | Protects sensitive data stored on virtual machines from unauthorized access. |
| Network Security Policy | Evaluates network configurations such as open ports, firewall rules, and network security groups. | Prevents exposure of resources to unauthorized external access. |
| Identity and Access Policy | Verifies that strong identity management practices are enforced across cloud resources. | Reduces risks associated with excessive permissions and weak authentication practices. |
| Storage Security Policy | Evaluates security settings for storage accounts, including encryption, access controls, and network restrictions. | Prevents unauthorized access and protects stored data from exposure. |
| Database Security Policy | Monitors database configurations for vulnerabilities such as insecure authentication settings or missing encryption. | Protects database systems from unauthorized access and data leakage. |
| App Service Security Policy | Evaluates web applications and APIs hosted on platform services. | Detects insecure application configurations and reduces the risk of web-based attacks. |
| Container Security Policy | Applies security policies to container images and Kubernetes clusters. | Prevents deployment of vulnerable container images and enforces secure container configurations. |
| Logging and Monitoring Policy | Ensures that logging, auditing, and monitoring services are enabled across cloud resources. | Provides visibility into security events and supports incident detection and investigation. |
| Secure Transfer Policy | Verifies that secure communication protocols such as HTTPS and TLS are enforced. | Protects data in transit from interception and man-in-the-middle attacks. |
| Resource Tagging and Governance Policy | Ensures that resources follow organizational governance requirements such as tagging and classification standards. | Improves resource management and enables better tracking of security responsibilities. |
| Regulatory Compliance Policy | Maps resource configurations to regulatory standards and compliance frameworks. | Helps organizations maintain compliance with industry regulations and security benchmarks. |
| Just-in-Time Access Policy | Controls administrative access to virtual machines by requiring temporary access approvals. | Reduces exposure of management ports and minimizes the risk of brute-force attacks. |
| Vulnerability Assessment Policy | Ensures that vulnerability scanning services are enabled on servers, databases, and container images. | Detects vulnerabilities and provides remediation guidance to reduce security risks. |

Defender for Cloud policies are continuously evaluated across the cloud environment. When policy violations are detected, the platform generates recommendations and alerts that help administrators remediate security issues quickly. Because these policies are built on Azure Policy, organizations can also customize them or create their own policies to meet specific security requirements.

Through automated enforcement and continuous assessment, Defender for Cloud policies play a critical role in maintaining a strong security posture and ensuring that cloud environments remain compliant with security standards and regulatory frameworks.
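To show how an Azure Policy rule turns into the recommendations described above, here is an added example that is not Microsoft's code: the definition follows the shape of an Azure Policy definition (mode / policyRule / if / then) modelled on the built-in secure-transfer rule for storage accounts, while the evaluator is a simplified local stand-in for Azure Policy's engine that understands only the allOf / equals / notEquals conditions used here, run over constructed resource records.

```python
"""Local evaluation of an Azure Policy style rule (added example)."""

# Modelled on the "Secure transfer to storage accounts should be enabled"
# built-in. Effect 'Audit' reports the resource (Defender for Cloud shows it
# as a recommendation); 'Deny' would reject the deployment instead.
SECURE_TRANSFER_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"},
            ]
        },
        "then": {"effect": "Audit"},
    },
}

# Constructed resource records; property aliases are flattened into keys.
# stold03 has no supportsHttpsTrafficOnly value at all.
RESOURCES = [
    {"name": "stlogs01", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "true"},
    {"name": "stbackup02", "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "false"},
    {"name": "stold03", "type": "Microsoft.Storage/storageAccounts"},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines"},
]


def condition_matches(cond: dict, resource: dict) -> bool:
    """Evaluate one allOf / equals / notEquals condition against a resource.
    A missing field compares as 'not equal', so an unset property is flagged
    instead of silently passing (fail closed)."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notEquals" in cond:
        return value != cond["notEquals"]
    raise ValueError("unsupported condition: %r" % cond)


def evaluate(policy: dict, resources: list) -> dict:
    """Map resource name -> 'Compliant' or 'NonCompliant'.
    A resource the 'if' block matches is one the effect applies to;
    resources of another type never match the 'type' condition."""
    rule = policy["policyRule"]["if"]
    return {r["name"]: "NonCompliant" if condition_matches(rule, r) else "Compliant"
            for r in resources}


def noncompliant(policy: dict, resources: list) -> list:
    """Names that would surface as recommendations (Audit) or be blocked (Deny)."""
    return sorted(n for n, s in evaluate(policy, resources).items() if s == "NonCompliant")


if __name__ == "__main__":
    effect = SECURE_TRANSFER_POLICY["policyRule"]["then"]["effect"]
    for name, status in evaluate(SECURE_TRANSFER_POLICY, RESOURCES).items():
        print("%-12s %s (effect on match: %s)" % (name, status, effect))
```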


Microsoft Defender for Cloud Agents

Microsoft Defender for Cloud relies on several monitoring and protection agents that collect telemetry, detect threats, perform vulnerability assessments, and provide runtime protection for workloads. These agents operate on servers, containers, and hybrid environments to enable deep visibility into system behavior and security events. They allow Defender for Cloud to analyze operating system activity, network traffic, application processes, and security configurations in order to detect threats and identify vulnerabilities.

Some features of Defender for Cloud operate without agents using agentless scanning technologies, but many advanced capabilities such as runtime threat detection and vulnerability assessment require agents to be installed on protected workloads. The following table describes the primary agents used by Defender for Cloud and their roles within the security architecture.

| Agent | Description | Security Function |
| --- | --- | --- |
| Azure Monitor Agent (AMA) | The Azure Monitor Agent is the primary telemetry collection agent used in the modern Azure monitoring architecture. It collects logs, metrics, and performance data from operating systems and applications running on virtual machines. | Provides security event data to Defender for Cloud, enabling threat detection, monitoring, and investigation across servers and workloads. |
| Log Analytics Agent (Legacy Agent) | Previously used for collecting telemetry and sending it to Log Analytics workspaces. This agent is being replaced by the Azure Monitor Agent but may still exist in older environments. | Supports security monitoring and event collection from servers for analysis within Defender for Cloud. |
| Microsoft Defender for Endpoint Agent | A security agent that provides endpoint protection, behavioral monitoring, and advanced threat detection for servers and endpoints. | Detects malware, suspicious processes, and attack techniques such as privilege escalation and lateral movement. |
| Azure Arc Agent | Allows non-Azure machines and Kubernetes clusters to connect to Azure services, including Defender for Cloud. | Enables hybrid and multi-cloud workloads to receive Defender protections and policy enforcement. |
| Kubernetes Defender Sensor | A container security sensor deployed in Kubernetes clusters to monitor container runtime behavior and cluster security events. | Detects container attacks, abnormal pod behavior, and suspicious cluster activity. |
| Vulnerability Assessment Extension | An extension deployed on virtual machines to scan operating systems and installed software for vulnerabilities. | Identifies missing patches, outdated software, and configuration weaknesses that attackers could exploit. |
| SQL Vulnerability Assessment Agent | Installed on database systems to scan for database-level vulnerabilities and security misconfigurations. | Detects weak database configurations, excessive privileges, and missing security updates. |
| Defender for Containers Agent | A collection of sensors and monitoring components that analyze container images and runtime container behavior. | Identifies vulnerable container images and detects runtime container attacks. |
| File Integrity Monitoring Agent | Tracks changes to critical system files and configuration files on protected servers. | Detects unauthorized modifications that could indicate malware or unauthorized system access. |
| Guest Configuration Agent | Enforces policy compliance inside virtual machines and monitors configuration settings. | Ensures workloads comply with security policies defined through Azure Policy and Defender for Cloud. |

These agents collectively provide data collection and monitoring capabilities that power Microsoft Defender for Cloud’s detection and analysis engine. By gathering telemetry from operating systems, applications, containers, and infrastructure components, they enable Defender for Cloud to maintain visibility into security risks, identify vulnerabilities, and detect threats in real time across hybrid and multi-cloud environments.

What Microsoft Defender for Cloud Can Protect

Microsoft Defender for Cloud protects a wide range of infrastructure components, workloads, and services across cloud and hybrid environments. It provides security coverage for compute workloads, container platforms, databases, networking resources, storage systems, and application services.

Compute Workloads are protected through Defender for Servers, which monitors Windows and Linux virtual machines in Azure, AWS, and GCP environments. These protections include vulnerability assessment, endpoint protection integration, behavioral threat detection, and attack surface monitoring.

Containerized Workloads are secured through Defender for Containers. This protection extends to Kubernetes clusters such as Azure Kubernetes Service, Amazon EKS, and Google Kubernetes Engine. The platform scans container images for vulnerabilities and monitors runtime activity for malicious behavior.

Data Services are also protected. Defender for Databases monitors Azure SQL Database, SQL Managed Instance, and other supported database engines to detect suspicious queries, injection attacks, and privilege escalation attempts. Storage systems such as Azure Storage accounts are protected through anomaly detection that identifies unusual access patterns and potential data exfiltration attempts.

Application Services such as Azure App Service and Azure Functions are also monitored for vulnerabilities and runtime threats. Additionally, Defender for Cloud protects infrastructure configuration layers, including resource deployment operations and management API activities.
