Microsoft Defender for Cloud Connector (previous revision)

Integrating Microsoft Defender for Cloud Connector into the Vulcan Platform


Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

About

Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment and can protect workloads across multi-cloud and hybrid environments from evolving threats. When integrated with your Vulcan Platform, you'll be able to review Cloud Resource/Image vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability, automation, and remediation.


Configure the Microsoft Defender for Cloud connector

On the Microsoft Azure Portal:

  1. First, you need to register the Vulcan app in Microsoft Azure and grant the access control:

    1. Make sure you are logged in as Admin

    2. Go to Azure Active Directory > App registrations and create a new registration

    3. Go to Subscriptions → Access control (IAM) and click Add

      • Role: Reader

      • Members: Click on Select members and insert your new app registration name, then click Select.

      • Review + assign: Click on Review + assign button.

  2. Go back to the new app registration → Certificates & secrets and create a new client secret (don't forget to save the secret value).

  3. Then, retrieve the following information from the Azure portal (the new app registration):

    1. Azure Tenant ID - Get from the new app registration overview.

    2. Azure App ID - Get from the new app registration overview.

    3. Azure App Secret (API Token) - The client secret value you generated in the previous step.
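The Reader role assignment above is the only permission the connector needs, so it is worth checking that the app registration has not accumulated anything broader. The following is an added example for this guide, not Vulcan or Microsoft code: it takes the JSON printed by `az role assignment list --assignee <app id> --all` (the field names `roleDefinitionName`, `scope` and `principalType` are assumed from that command's output) and reports assignments that are broader than Reader, narrower than subscription scope, or on subscriptions that were not selected for the connector. The sample records and subscription IDs are constructed placeholders.

```python
"""Least-privilege check for the Vulcan app registration's role assignments.

Added example for this guide, not Vulcan or Microsoft code. The guide grants the
app registration only the built-in Reader role at subscription scope; this helper
takes the JSON printed by `az role assignment list --assignee <app id> --all`
(assumed shape: roleDefinitionName / scope / principalType) and reports anything
broader, narrower, or outside the subscriptions selected for the connector.
"""
import json

ALLOWED_ROLES = {"Reader"}

# Constructed sample in the shape of `az role assignment list` output; only the
# fields this check reads are included. Subscription IDs are placeholders.
SAMPLE_ASSIGNMENTS_JSON = """
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/22222222-2222-2222-2222-222222222222",
   "principalType": "ServicePrincipal"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-app",
   "principalType": "ServicePrincipal"}
]
"""

def load_assignments(json_text):
    """Parse the CLI's JSON output into a list of assignment dicts."""
    return json.loads(json_text)

def audit_role_assignments(assignments, configured_subscription_ids):
    """Return (scope, role, reason) tuples for every assignment that deviates from
    'Reader at each subscription selected in the connector'."""
    allowed = {f"/subscriptions/{s}".lower() for s in configured_subscription_ids}
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "").lower()
        if role not in ALLOWED_ROLES:
            # Anything beyond Reader is more than the connector needs.
            findings.append((scope, role, "role broader than Reader"))
        elif scope in allowed:
            continue
        elif any(scope.startswith(s + "/") for s in allowed):
            # Resource-group scope is narrower than the guide's subscription scope.
            findings.append((scope, role, "narrower than subscription scope; the connector may miss resources"))
        else:
            # Reader on a subscription (or management group) the connector was not configured for.
            findings.append((scope, role, "scope is not one of the subscriptions selected for the connector"))
    return findings

def missing_reader_subscriptions(assignments, configured_subscription_ids):
    """Selected subscriptions that have no subscription-scope Reader assignment at all."""
    reader_scopes = {a.get("scope", "").lower()
                     for a in assignments if a.get("roleDefinitionName") in ALLOWED_ROLES}
    return [s for s in configured_subscription_ids
            if f"/subscriptions/{s}".lower() not in reader_scopes]

if __name__ == "__main__":
    data = load_assignments(SAMPLE_ASSIGNMENTS_JSON)
    selected = ["11111111-1111-1111-1111-111111111111",
                "33333333-3333-3333-3333-333333333333"]
    for scope, role, reason in audit_role_assignments(data, selected):
        print(f"FINDING: {role} at {scope}: {reason}")
    print("Selected subscriptions without Reader:", missing_reader_subscriptions(data, selected))
```

Run it against real output by piping `az role assignment list --assignee <app id> --all -o json` into `load_assignments` and passing the subscription IDs you selected in the connector; a subscription that shows up in `missing_reader_subscriptions` will fail the Test Connectivity step or sync no assets.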

On the Vulcan Platform:

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Defender for Cloud icon.

  4. Enter the following information into the connector setup page:

    • Tenant ID, App ID, API Token (Secret Key), and Subscription IDs

  5. Click Load to list the Subscription IDs in your organization, then select the relevant ones from the list.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender (Azure) instance, then click Create (or Save Changes).

  7. Allow some time for the sync to complete. You can review the sync status under Log.

  8. To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the Microsoft Defender for Cloud icon shows Connected, the connection is complete.

    Note: If you add more subscriptions to Microsoft Defender for Cloud after the connector has synced and you want the new subscriptions synced with the Vulcan Platform, return to the connector's settings page, load the new subscriptions, select them, and save the changes.


From Microsoft Defender to the Vulcan Platform - Fields Mapping

Connector Fields Mapping - Hosts

| Microsoft Defender for Cloud | Vulcan field | Notes |
|---|---|---|
| Asset name and details | Asset name + details | Relevant asset details are mapped into the Asset Details section |
| Hosts | Asset Type | |
| Vulnerability name and details | Vulnerability name and details | Relevant vulnerability details are mapped into the Vulnerability Details section |

Connector Fields Mapping - Cloud Resources

| Vulcan field | Microsoft Defender for Cloud field | Value Example | Notes | Call Stack |
|---|---|---|---|---|
| Asset Name | *ame | defender-for-cloud-vm1 | - | Alerts - List: value[0].properties.entities[0].*ame |
| Resource ID | $id | centralus_3 | - | Alerts - List: value[0].properties.entities[0].$id |
| Asset details | - | - | Most asset-specific data is added to the Asset details section | Alerts - List: value[0].properties.entities[0] |
| Asset type | N/A | Cloud Resources | Static | N/A |
| Asset Tags | - | - | - | get by azure id |
| Vulnerability title | alertDisplayName | Failed SSH brute force attack | - | Alerts - List: value[0].properties.alertDisplayName |
| Vulnerability score | severity | Medium | - | Alerts - List: value[0].properties.severity |
| Vulnerability description | description | "Failed SSH brute force attacks were detected on defender-for-cloud-vm1" | - | Alerts - List: value[0].properties.description |
| Vulnerability details | - | - | Most vulnerability-specific data is added to the Vulnerability details section | Alerts - List: value[0].properties |
| Vulnerability status | status | Active | - | Alerts - List: value[0].properties.status |
| Fix title | - | Remediation steps | Static | - |
| Fix description | remediation steps | - | | Alerts - List: value[0].properties.remediationSteps |
| Fix references | - | - | Inside the description (N/A) | N/A |

Alerts Status Mapping

| Vulcan status | Connector Status |
|---|---|
| Vulnerable | Active |
| Fixed | Resolved |
| Ignored - false positive / Ignored - risk acknowledged | Dismissed |

Assessments Status Mapping

| Vulcan status | Connector Status |
|---|---|
| Vulnerable | Unhealthy |
| Fixed | Healthy |
| Ignored - false positive / Ignored - risk acknowledged | NotApplicable |

Alerts Score Mapping

| Vulcan score | Connector Score |
|---|---|
| 10 | High |
| 7 | Medium |
| 5 | Low |
| 3 | - |
| 0 | Informational |

Recommendations Score Mapping

| Vulcan score | Connector Score |
|---|---|
| 10 | |
| 7 | High |
| 5 | Medium |
| 3 | Low |
| 0 | |


Locating Microsoft Defender vulnerabilities in the Vulcan Platform

As Microsoft Defender discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. In an environment with many assets and vulnerabilities, filtering by vulnerability source is the quickest way to find the ones that came from this connector.

  1. Open the Vulcan Platform dashboard and navigate to the Vulnerabilities tab. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.

  2. Locate Microsoft Defender on the vulnerability source list and click to filter results.

  3. Click on any vulnerability to view further information.

Note: Vulcan only retrieves sub-assessments categorized as vulnerabilities, i.e. those where the field properties.additionalData.type (for hosts) or the field properties.additionalData.assessedResourceType (for cloud resources) contains the expression "vuln" (case insensitive).
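To make the mapping tables and the filtering note concrete, here is an added example for this guide (not the Vulcan connector's own code) that applies the Cloud Resources field mapping, the alert and assessment status mappings, the two score mappings, and the "vuln" sub-assessment filter to constructed records. The alert follows the `Alerts - List` call stack quoted in the table (value[i].properties.entities[0].$id, properties.alertDisplayName, and so on) with values taken from the Value Example column; the sub-assessment shape (properties.status.code and .severity, properties.additionalData.type / assessedResourceType) is assumed from the Defender for Cloud REST API. Reading the table's `*ame` as "any entity key ending in ame, such as hostName" is this example's assumption, as is keeping both Ignored candidates for Dismissed / NotApplicable, since the tables do not say which one the connector picks.

```python
"""Worked application of the Cloud Resources field mapping, the alert/assessment
status mappings, the score mappings and the "vuln" sub-assessment filter.

Added example for this guide, not the Vulcan connector's code. Every record
below is constructed; the sub-assessment shape is assumed from the Defender
for Cloud REST API.
"""

# Status and score tables from the mapping section above. The tables list two
# Vulcan "Ignored" statuses against Dismissed / NotApplicable without saying
# which is chosen, so both candidates are kept as a tuple (assumption).
IGNORED = ("Ignored - false positive", "Ignored - risk acknowledged")
ALERT_STATUS = {"Active": "Vulnerable", "Resolved": "Fixed", "Dismissed": IGNORED}
ASSESSMENT_STATUS = {"Unhealthy": "Vulnerable", "Healthy": "Fixed", "NotApplicable": IGNORED}
ALERT_SCORE = {"High": 10, "Medium": 7, "Low": 5, "Informational": 0}
RECOMMENDATION_SCORE = {"High": 7, "Medium": 5, "Low": 3}

# Constructed `Alerts - List` response using the table's Value Example column.
SAMPLE_ALERTS_RESPONSE = {"value": [{
    "id": "<alert resource id placeholder>",
    "properties": {
        "alertDisplayName": "Failed SSH brute force attack",
        "severity": "Medium",
        "description": "Failed SSH brute force attacks were detected on defender-for-cloud-vm1",
        "status": "Active",
        "remediationSteps": ["<remediation step text placeholder>"],
        "entities": [{"$id": "centralus_3", "type": "host",
                      "hostName": "defender-for-cloud-vm1"}],
    },
}]}

# Constructed sub-assessments: one vulnerability finding and one that is not.
SAMPLE_SUBASSESSMENTS = [
    {"properties": {"status": {"code": "Unhealthy", "severity": "High"},
                    "additionalData": {"assessedResourceType": "ServerVulnerabilityAssessment"}}},
    {"properties": {"status": {"code": "Healthy", "severity": "Low"},
                    "additionalData": {"assessedResourceType": "ContainerImageConfiguration"}}},
]

def entity_name(entity):
    """The table writes the name field as '*ame'; this example reads it as the
    first entity key ending in 'ame' (e.g. hostName). That reading is an assumption."""
    return next((v for k, v in entity.items() if k.endswith("ame")), None)

def map_alert(alert):
    """Map one alert to the Vulcan fields of the Cloud Resources table."""
    p = alert["properties"]
    entity = p["entities"][0]
    return {
        "asset_name": entity_name(entity),
        "resource_id": entity["$id"],
        "asset_type": "Cloud Resources",          # static per the table
        "asset_details": entity,                  # "most asset-specific data"
        "vulnerability_title": p["alertDisplayName"],
        "vulnerability_score": ALERT_SCORE.get(p["severity"]),
        "vulnerability_description": p["description"],
        "vulnerability_status": ALERT_STATUS.get(p["status"]),
        "fix_title": "Remediation steps",         # static per the table
        "fix_description": "\n".join(p.get("remediationSteps", [])),
    }

def map_alerts(response):
    return [map_alert(a) for a in response["value"]]

def is_vulnerability_subassessment(sub, kind="cloud_resource"):
    """Per the note above: keep a sub-assessment only if additionalData.type (hosts) or
    additionalData.assessedResourceType (cloud resources) contains 'vuln', case-insensitively."""
    field = "type" if kind == "host" else "assessedResourceType"
    value = sub.get("properties", {}).get("additionalData", {}).get(field) or ""
    return "vuln" in value.lower()

def map_subassessment(sub):
    status = sub["properties"]["status"]
    return {"vulnerability_status": ASSESSMENT_STATUS.get(status.get("code")),
            "vulnerability_score": RECOMMENDATION_SCORE.get(status.get("severity"))}

def vulnerability_subassessments(subs, kind="cloud_resource"):
    """Filter as the note describes, then apply the assessment mappings."""
    return [map_subassessment(s) for s in subs if is_vulnerability_subassessment(s, kind)]

if __name__ == "__main__":
    for record in map_alerts(SAMPLE_ALERTS_RESPONSE):
        print(record)
    print(vulnerability_subassessments(SAMPLE_SUBASSESSMENTS))
```

The second sample sub-assessment is dropped by the filter even though it is Healthy, which is the behaviour the note describes: the "vuln" check decides whether a sub-assessment is imported at all, and the status mapping only applies to the ones that pass.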


Locating Microsoft Defender assets in the Vulcan Platform

To quickly locate all Cloud Resource assets synced from Microsoft Defender, go to the Assets tab in Vulcan Cyber.

  1. Open the Vulcan Cyber dashboard and navigate to Assets > Cloud Resources tab.

  2. Click on the Search or filter websites input box and select Connector from the drop-down selection.

  3. Locate the Microsoft Defender option to view all synced assets.


Automating Microsoft Defender vulnerability actions in the Vulcan Platform

Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the Microsoft Defender connector.

Here is an example of creating email automation (other automation types are also available):

  1. Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.

  2. First, give your automation playbook an indicative name.

  3. Select Microsoft Defender as the source of vulnerabilities, then set the vulnerability condition, for example Risk is Critical / High, leaving the rest as defaults or adjusting the conditions to suit your needs.

  4. Continue to the Remediation actions and select the take-action channel. In this example, we selected "Assign via email".

  5. Choose how the separation of tickets is handled. In this example, we selected the "up to 200 vulnerabilities are aggregated into a single email" option. Then add the recipient emails to be notified.

  6. Leave all other steps as default (or modify if needed) and click on Save and Run.
