Am I reading the right user guide?
Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the user guide that is relevant to your environment, click the "How to connect" button on the connector's setup page. You will be directed to the user guide that matches your specific environment.
About
Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment and can protect workloads across multi-cloud and hybrid environments from evolving threats. When integrated with your Vulcan Platform, you'll be able to review Cloud Resource/Image vulnerabilities on your assets, while leveraging the power of Vulcan Cyber discoverability, automation, and remediation.
Configure the Microsoft Defender for Cloud connector
On Microsoft Azure Portal:
First, you need to register the Vulcan app in Microsoft Azure and grant the access control:
Make sure you are logged in as Admin
Go to Azure Active Directory > App registrations and create a new registration
Go to Subscriptions → Access control (IAM) and click Add
Role: Reader
Members: Click on Select members and insert your new app registration name, then click Select.
Review + assign: Click on Review + assign button.
Go back to the new app registration → Certificates & secrets and create a new client secret (don't forget to save the secret value).
Then, collect the following information from your Azure app registration for the connector setup:
Azure Tenant ID - Get from the new app registration overview.
Azure App ID - Get from the new app registration overview.
Azure App Secret (API Token) - The Client Secret you generated in the step before.
On the Vulcan Platform:
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Defender for Cloud icon.
Enter the following information into the connector setup page.
Click Load to fetch the Subscription IDs in your organization and select the relevant ones from the list.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender (Azure) instance, then click Create (or Save Changes).
Allow some time for the sync to complete. You can review the sync status under Log.
To confirm that the sync is complete, navigate to the Connectors tab to check the sync status. Once the Microsoft Defender for Cloud icon shows Connected, the connection is complete.
Note: If after syncing the connector you add more subscriptions to the Microsoft Defender for Cloud and you wish to sync the new subscriptions with the Vulcan Platform, you need to come back to the connector's settings page, load the new subscriptions, select them and save the changes.
From Microsoft Defender to the Vulcan Platform - Fields Mapping
Connector Fields Mapping - Hosts
Microsoft Defender for Cloud | Vulcan field | Notes |
--- | --- | --- |
Asset name and details | Asset name + details | Relevant asset details are mapped into the Asset Details section |
Hosts | Asset Type | - |
Vulnerability name and details | Vulnerability name and details | Relevant vulnerability details are mapped into the Vulnerability Details section |
Connector Fields Mapping - Cloud Resources
Vulcan field | Microsoft Defender for Cloud field | Value Example | Notes | Call Stack |
--- | --- | --- | --- | --- |
Asset Name | *ame | defender-for-cloud-vm1 | - | Alerts - List: value[0].properties.entities[0].*ame |
Resource ID | $id | centralus_3 | - | Alerts - List: value[0].properties.entities[0].$id |
Asset details | - | - | Most asset-specific data is added to the Asset details section | Alerts - List: value[0].properties.entities[0] |
Asset type | N/A | Cloud Resources | Static | N/A |
Asset Tags | - | - | - | Retrieved by Azure resource ID |
Vulnerability title | alertDisplayName | Failed SSH brute force attack | - | Alerts - List: value[0].properties.alertDisplayName |
Vulnerability score | severity | Medium | - | Alerts - List: value[0].properties.severity |
Vulnerability description | description | "Failed SSH brute force attacks were detected on defender-for-cloud-vm1" | - | Alerts - List: value[0].properties.description |
Vulnerability details | - | - | Most vulnerability-specific data is added to the Vulnerability details section | Alerts - List: value[0].properties |
Vulnerability status | status | Active | - | Alerts - List: value[0].properties.status |
Fix title | - | Remediation steps | Static | - |
Fix description | remediationSteps | - | - | Alerts - List: value[0].properties.remediationSteps |
Fix references | - | - | Inside the description (N/A) | N/A |
Alerts Status Mapping
Vulcan status | Connector Status |
--- | --- |
Vulnerable | Active |
Fixed | Resolved |
Ignored - false positive | - |
Ignored - risk acknowledged | Dismissed |
Assessments Status Mapping
Vulcan status | Connector Status |
--- | --- |
Vulnerable | Unhealthy |
Fixed | Healthy |
Ignored - false positive | - |
Ignored - risk acknowledged | NotApplicable |
Alerts Score Mapping
Vulcan score | Connector Score |
--- | --- |
10 | High |
7 | Medium |
5 | Low |
3 | - |
0 | Informational |
Recommendations Score Mapping
Vulcan score | Connector Score |
--- | --- |
10 | - |
7 | High |
5 | Medium |
3 | Low |
0 | - |
Locating Microsoft Defender vulnerabilities in the Vulcan Platform
As Microsoft Defender discovers vulnerabilities, the Vulcan Platform connector imports them for reporting and action. With a large number of assets and vulnerabilities, filters make it easy to find the vulnerabilities that came from a specific source.
Open the Vulcan Platform dashboard and navigate to the Vulnerabilities tab. Click on the Search or filter vulnerabilities search box, scroll to the Vulnerability Source option, and click to filter by the vulnerability source.
Locate Microsoft Defender on the vulnerability source list and click to filter results.
Click on any vulnerability to view further information.
Note: Vulcan only retrieves sub-assessments that are categorized as vulnerabilities, i.e. those where the field properties.additionalData.type (for hosts) or the field properties.additionalData.assessedResourceType (for cloud resources) contains the expression "vuln" (case insensitive). Sub-assessments that do not match this rule are not imported.
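The following is an added example, not code from the Vulcan Cyber connector or from Microsoft, that reproduces the import rule from the note above together with the status and score mapping tables from this page, so you can predict which Defender findings will appear in Vulcan and with what status and score. The sample payloads are constructed, and the assumption that a sub-assessment's status code and severity sit under properties.status is not stated on this page.

```python
import re

# Status and score tables transcribed from the mapping sections above.
ALERT_STATUS = {"Active": "Vulnerable", "Resolved": "Fixed", "Dismissed": "Ignored - risk acknowledged"}
ALERT_SCORE = {"High": 10, "Medium": 7, "Low": 5, "Informational": 0}
ASSESSMENT_STATUS = {"Unhealthy": "Vulnerable", "Healthy": "Fixed",
                     "NotApplicable": "Ignored - risk acknowledged"}
RECOMMENDATION_SCORE = {"High": 7, "Medium": 5, "Low": 3}
VULN_RE = re.compile("vuln", re.IGNORECASE)  # the note's case-insensitive "vuln" rule


def is_vulnerability_subassessment(sub, asset_kind):
    # Hosts are judged on additionalData.type, cloud resources on additionalData.assessedResourceType.
    field = "type" if asset_kind == "host" else "assessedResourceType"
    value = sub.get("properties", {}).get("additionalData", {}).get(field, "")
    return VULN_RE.search(str(value)) is not None


def map_subassessment(sub):
    # Assumption: status code/severity sit under properties.status (not stated on the page).
    status = sub.get("properties", {}).get("status", {})
    return {"status": ASSESSMENT_STATUS.get(status.get("code")),
            "score": RECOMMENDATION_SCORE.get(status.get("severity"))}  # None if unmapped


def import_subassessments(subs, asset_kind):
    # Filter first, then map, mirroring the behaviour the note describes.
    return [map_subassessment(s) for s in subs if is_vulnerability_subassessment(s, asset_kind)]


def map_alert(alert):
    # Paths follow the "Call Stack" column of the Cloud Resources table.
    p = alert["properties"]
    return {"title": p.get("alertDisplayName"),
            "status": ALERT_STATUS.get(p.get("status")),
            "score": ALERT_SCORE.get(p.get("severity")),  # None if the severity is not in the table
            "fix_description": p.get("remediationSteps")}


# Constructed sample payloads (not captured from a real tenant).
SAMPLE_SUBS = [
    {"properties": {"additionalData": {"assessedResourceType": "ContainerRegistryVulnerability"},
                    "status": {"code": "Unhealthy", "severity": "High"}}},
    {"properties": {"additionalData": {"assessedResourceType": "SqlServerVulnerability"},
                    "status": {"code": "Healthy", "severity": "Low"}}},
    {"properties": {"additionalData": {"assessedResourceType": "General"},
                    "status": {"code": "Unhealthy", "severity": "Medium"}}},
]
SAMPLE_ALERT = {"properties": {"alertDisplayName": "Failed SSH brute force attack", "severity": "Medium",
                               "status": "Active", "remediationSteps": ["Enforce strong passwords"]}}
```

Running import_subassessments(SAMPLE_SUBS, "cloud_resource") drops the third item because "General" does not contain "vuln", and the same items evaluated as "host" are all dropped because they carry no additionalData.type.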
Locating Microsoft Defender assets in the Vulcan Platform
To quickly locate all synced Cloud Resources assets from Microsoft Defender, go to the Assets tab in Vulcan Cyber.
Open the Vulcan Cyber dashboard and navigate to Assets > Cloud Resources tab.
Click on the Search or filter websites input box and select Connector from the drop-down selection.
Locate the Microsoft Defender option to view all synced assets.
Automating Microsoft Defender vulnerability actions in the Vulcan Platform
Large environments quickly become unmanageable if constant manual attention and action are necessary to remediate vulnerabilities. Take advantage of the automation capabilities of Vulcan Cyber and the Microsoft Defender connector.
Here is an example of creating email automation (other automation types are also available):
Open the Vulcan Cyber dashboard and navigate to the Automation section. Once there, click the Create new Playbook button.
First, give your automation playbook an indicative name.
Select Microsoft Defender as the source of vulnerabilities, then set the vulnerability condition to Risk is Critical / High (for example), leaving the rest as defaults, or set the conditions to suit your needs.
Continue to the Remediation actions and select the take-action channel. In this example, we selected "Assign via email".
Choose how the separation of tickets is handled. In this example, we selected the "up to 200 vulnerabilities are aggregated into a single email" option. Then add the recipient emails to be notified.
Leave all other steps as default (or modify if needed) and click on Save and Run.