Am I reading the right user guide?
Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).
To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.
Overview
About Microsoft Defender for Cloud
Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments.
Why integrate Microsoft Defender for Cloud into the Vulcan platform?
The Microsoft Defender for Cloud Connector by Vulcan integrates with the Microsoft Defender for Cloud platform to pull and ingest Host and Cloud Resources assets with their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.
Connector Details
| Supported products | Microsoft Defender for Cloud |
| Category | Cloud |
| Ingested asset type(s) | Hosts, Cloud Resources |
| Integration type | Uni-directional (data is transferred from the Connector to the Vulcan Platform in one direction) |
| Supported version and type | SaaS (latest) |
Connector Setup
Prerequisites and user permissions
Before you begin configuring the Connector, make sure you have the following:
Vulcan App Registration in Microsoft Azure
Go to Azure Active Directory and navigate to "App registrations." Next, create a new registration by clicking the "New registration" button.
In your Azure subscription, go to "Access control (IAM)" and click on the "Add" button.
Set the following parameters:
Role: Select "Reader" from the drop-down menu.
Members: Click on "Select members" and start typing the name of your new app registration. Then, select it from the list.
Click on the "Review + assign" button.
Return to the new app registration and navigate to "Certificates & secrets."
Create a new client secret, and save the secret value for future use.
At this point, you should have the following information:
Azure App ID: Obtain it from the new app registration overview.
Azure App Secret: This was generated when you created the new client secret.
Azure Subscription ID: Retrieve it from the Subscriptions page.
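Before entering the three values into the connector, it is worth confirming that they actually work. The script below is an added pre-flight check, not part of the Vulcan guide or product: it requests a token for the app registration with the OAuth2 client-credentials flow and then lists the subscriptions the app can see through the same `/subscriptions?api-version=2020-01-01` call the guide names for loading subscription options. It assumes you also know the Azure tenant ID (which the guide does not mention but the token request requires), and it uses only the Python standard library. An empty subscription list usually means the Reader role assignment was not completed.

```python
"""Added pre-flight check for the Vulcan app registration (not Vulcan's own code).
Assumptions: the tenant ID is known; credentials come from environment variables."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"
# Same endpoint and API version the guide lists for "Load subscription options".
SUBSCRIPTIONS_URL = "https://management.azure.com/subscriptions?api-version=2020-01-01"


def token_request(tenant_id, app_id, app_secret):
    """Build the client-credentials token request; returns (url, form_body_bytes)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,          # Azure App ID
        "client_secret": app_secret,  # Azure App Secret
        "scope": ARM_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def subscription_ids(payload):
    """Extract subscriptionId values from a /subscriptions response body."""
    return [s["subscriptionId"] for s in payload.get("value", [])]


def subscription_visible(payload, subscription_id):
    """True when the Azure Subscription ID appears in the app's subscription list."""
    wanted = subscription_id.lower()
    return any(s.lower() == wanted for s in subscription_ids(payload))


def _post_form(url, body):
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_json(url, bearer):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def preflight(tenant_id, app_id, app_secret, subscription_id):
    """Authenticate as the app and check the subscription is visible to it."""
    url, body = token_request(tenant_id, app_id, app_secret)
    token = _post_form(url, body)["access_token"]
    return subscription_visible(_get_json(SUBSCRIPTIONS_URL, token), subscription_id)


if __name__ == "__main__":
    # Read secrets from the environment; never hard-code the client secret.
    ok = preflight(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_APP_ID"],
                   os.environ["AZURE_APP_SECRET"], os.environ["AZURE_SUBSCRIPTION_ID"])
    print("OK: app can authenticate and sees the subscription" if ok
          else "Subscription not visible: check the Reader role assignment")
```

The token request only proves the App ID and secret are valid; the subscription check is what exercises the Reader role assignment, which is why the two are kept separate.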
Configuring the Microsoft Defender for Cloud Connector
Log in to your Vulcan Cyber dashboard and go to Connectors.
Click on Add a Connector.
Click on the Microsoft Defender for Cloud icon.
Set up the Connector as follows with the information you generated earlier:
Click on Load Subscription IDS to load the subscription you created for this integration.
Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender for Cloud instance, then click Create (or Save Changes).
Inactive Assets: You can configure a Vulcan rule for inactive assets, so that Vulcan removes assets that do not appear in scans within the configured time range.
Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.
To confirm the sync is complete, navigate to the Connectors page. Once the Microsoft Defender for Cloud icon shows Connected, the sync is complete.
Microsoft Defender for Cloud in the Vulcan Platform
Viewing Microsoft Defender for Cloud vulnerabilities in the Vulcan Platform
To view vulnerabilities by Connector/Source:
Go to the Vulnerabilities page.
Use the Search or Filter input box to select the Vulnerability Source or Connector filter.
Select Defender for Cloud from the vulnerability source/Connector list to filter results.
Click on any vulnerability for more vulnerability details.
Viewing Microsoft Defender for Cloud assets in the Vulcan Platform
To view assets by Connector/Source:
Go to the Assets page.
Click on the relevant asset type tab.
Use the Search or filter input box to select Connector from the drop-down selection.
Select Defender for Cloud from the Asset source/Connector list to filter results and view all synced assets.
See the complete list of available asset filters per asset type
Taking Action on vulnerabilities and assets detected by Defender for Cloud
To take remediation action on vulnerabilities and assets detected by Microsoft Defender for Cloud:
Go to Vulnerabilities / Assets Page.
Click on the Search and Filter input box and select Connector from the drop-down selection.
Locate the Microsoft Defender for Cloud option to view all synced vulnerabilities/assets.
Select the relevant Vulnerability/Asset.
Click Take Action.
Automating remediation actions on vulnerabilities detected by Defender for Cloud
Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. Instead, you can take advantage of the automation capabilities of Vulcan Cyber and the Microsoft Defender for Cloud Connector.
From Microsoft Defender for Cloud to the Vulcan Platform - Data Mapping
The Vulcan Platform integrates with Microsoft Defender for Cloud through API to pull relevant vulnerabilities and assets data and map it into the Vulcan Platform pages and fields.
Host fields mapping
| Microsoft Defender for Cloud field | Vulcan field |
| --- | --- |
| id | Asset uniqueness criteria |
| name | Asset Name |
| id (shows as azure_id), endpoint, subscription name, subscription id, location, resources, vm_size | Asset Details |
| Host | Asset Type |
| privateIPAddress, ipAddress | Asset IP |
| storageProfile.osDisk.osType | Asset OS |
| storageProfile.imageReference | Asset OS Version |
| timeCreated | Asset Created date |
| macAddress | Asset Multiple mac addresses |
| subscription name, tags | Asset Tags - Vendor's tags |
| alertDisplayName | Vulnerability uniqueness criteria |
| alertDisplayName | Vulnerability Title |
| description | Vulnerability Description |
| status.severity, publishDates.public, type (corresponds to endpoint) | Vulnerability Details |
| additionalData.cvss.3/2.0.base | Vulnerability CVSS |
| additionalData.cve | Vulnerability CVE/S |
| additionalData.cvss.3/2.0.cvssVectorString | Vulnerability CVSS attack vector |
| asset id + systemAlertId (for alerts) + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
| startTimeUtc OR timeGenerated OR firstEvaluationDate | Asset-Vulnerability connection First seen |
| endTimeUtc OR timeGenerated | Asset-Vulnerability connection Last seen |
| status (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status |
| endpoint, remediation_steps, severity, additional_data | Asset-Vulnerability connection Info tooltip (from Assets screen) |
| remediationDescription OR remediation OR extendedProperties.investigation Steps | Solution uniqueness criteria |
| Fix for alertDisplayName | Solution Title |
| (remediationDescription OR remediation OR extendedProperties.investigation Steps) AND impact | Solution Description |
Cloud Resource fields mapping
| Microsoft Defender for Cloud field | Vulcan field |
| --- | --- |
| id | Asset uniqueness criteria |
| id (the string to the right of the last / symbol) | Asset Name |
| id | Asset ID |
| resourceDetails.source | Asset Cloud (provider) |
| azure_id, endpoint, subscription name, subscription id, additionalData.EnvironmentDisplayName, additionalData.NativeCloudUniqueIdentifier, additionalData.ResourceUrl, additionalData.ResourceProvider, additionalData.Region, additionalData.__Tags__ | Asset Details |
| Cloud Resource | Asset Type |
| subscription name | Asset Tags - Vendor's tags |
| alertDisplayName | Vulnerability uniqueness criteria |
| alertDisplayName | Vulnerability Title |
| description | Vulnerability Description |
| status.severity, publishDates.public, type (corresponds to endpoint) | Vulnerability Details |
| additionalData.cvss.3/2.0.base | Vulnerability CVSS |
| additionalData.cve | Vulnerability CVE/S |
| additionalData.cvss.3/2.0.cvssVectorString | Vulnerability CVSS attack vector |
| asset id + systemAlertId (for alerts) + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
| startTimeUtc OR timeGenerated OR firstEvaluationDate | Asset-Vulnerability connection First seen |
| endTimeUtc OR timeGenerated | Asset-Vulnerability connection Last seen |
| status (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status changes (including resurface) |
| endpoint, remediation_steps, severity, additional_data | Asset-Vulnerability connection Info tooltip (from Assets screen) |
| remediationDescription OR remediation OR extendedProperties.investigation Steps | Solution uniqueness criteria |
| Fix for alertDisplayName | Solution Fix Title |
| (remediationDescription OR remediation OR extendedProperties.investigation Steps) AND impact | Solution Description |
Vulnerability status mapping
| Microsoft Defender for Cloud Status | Vulcan Status |
| --- | --- |
| Active, Unhealthy | Vulnerable |
| Resolved, Healthy | Fixed |
| - | Ignored - false positive |
| Dismissed, NotApplicable | Ignored - risk acknowledged |
Vulnerability score mapping
Alerts
| Microsoft Defender for Cloud Score (Alerts) | Vulcan Score |
| --- | --- |
| High | 10 |
| Medium | 7 |
| Low | 5 |
| - | 3 |
| Informational | 0 |
Assessment / Sub-assessment
| Microsoft Defender for Cloud Score (assessment/sub-assessment) | Vulcan Score |
| --- | --- |
| - | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| - | 0 |
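To see how the field, status and score tables above combine for one record, here is an added example that is not the Vulcan connector's own code. It applies the mappings to two constructed, flattened records (one security alert, one assessment) using the field names from the tables. The "3.0" before "2.0" preference for `additionalData.cvss`, the return value for a status the table does not list, and the separator used when joining the uniqueness-key parts are assumptions; the guide does not specify them. The key point it demonstrates is that the same severity label yields a different Vulcan score depending on whether the record is an alert or an assessment.

```python
"""Added example (not the Vulcan connector's own code): apply the field, status
and score mappings from the guide's tables to constructed Defender for Cloud
records. Records are flattened for readability; sample values are placeholders."""

# Vulnerability status mapping table.
STATUS_MAP = {
    "Active": "Vulnerable",
    "Unhealthy": "Vulnerable",
    "Resolved": "Fixed",
    "Healthy": "Fixed",
    "Dismissed": "Ignored - risk acknowledged",
    "NotApplicable": "Ignored - risk acknowledged",
}

# Score tables: alerts and assessments use different scales for the same label.
ALERT_SCORE = {"High": 10, "Medium": 7, "Low": 5, "Informational": 0}
ASSESSMENT_SCORE = {"High": 7, "Medium": 5, "Low": 3}


def vulcan_status(defender_status):
    """Map a Defender status to a Vulcan status; None when the table has no entry
    (assumption: the guide does not define this case)."""
    return STATUS_MAP.get(defender_status)


def vulcan_score(severity, kind):
    """kind is "alert" or "assessment"; the two tables differ by one step."""
    table = ALERT_SCORE if kind == "alert" else ASSESSMENT_SCORE
    return table.get(severity)


def cloud_resource_name(resource_id):
    """Asset Name for cloud resources: the string to the right of the last '/' in id."""
    return resource_id.rsplit("/", 1)[-1]


def first_seen(record):
    """startTimeUtc OR timeGenerated OR firstEvaluationDate, first one present."""
    for key in ("startTimeUtc", "timeGenerated", "firstEvaluationDate"):
        if record.get(key):
            return record[key]
    return None


def last_seen(record):
    """endTimeUtc OR timeGenerated, first one present."""
    for key in ("endTimeUtc", "timeGenerated"):
        if record.get(key):
            return record[key]
    return None


def cvss_base(additional_data):
    """additionalData.cvss.3/2.0.base: prefer the 3.0 block, fall back to 2.0 (assumed order)."""
    cvss = additional_data.get("cvss", {})
    for version in ("3.0", "2.0"):
        if version in cvss and "base" in cvss[version]:
            return cvss[version]["base"]
    return None


def connection_key(asset_id, vulnerability_id, system_alert_id=None):
    """asset id + systemAlertId (alerts only) + vulnerability id; '|' separator is assumed."""
    parts = [asset_id] + ([system_alert_id] if system_alert_id else []) + [vulnerability_id]
    return "|".join(parts)


def map_finding(record, kind):
    """Produce the Vulcan-side fields for one alert or assessment record."""
    return {
        "title": record["alertDisplayName"],
        "status": vulcan_status(record["status"]),
        "score": vulcan_score(record["severity"], kind),
        "cvss": cvss_base(record.get("additionalData", {})),
        "first_seen": first_seen(record),
        "last_seen": last_seen(record),
        "key": connection_key(record["assetId"], record["alertDisplayName"],
                              record.get("systemAlertId")),
    }


# Constructed sample records (placeholder values, not real Azure data).
SAMPLE_ALERT = {
    "alertDisplayName": "Suspicious process executed",
    "status": "Active",
    "severity": "High",
    "systemAlertId": "alert-0001",
    "assetId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    "startTimeUtc": "2024-03-01T10:00:00Z",
    "timeGenerated": "2024-03-01T10:05:00Z",
}
SAMPLE_ASSESSMENT = {
    "alertDisplayName": "Storage account should use private link",
    "status": "Healthy",
    "severity": "High",
    "assetId": "/subscriptions/sub-0000/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stexample",
    "timeGenerated": "2024-03-02T00:00:00Z",
    "firstEvaluationDate": "2024-02-01T00:00:00Z",
    "additionalData": {"cvss": {"2.0": {"base": 5.0}, "3.0": {"base": 7.5}}},
}

if __name__ == "__main__":
    for kind, rec in (("alert", SAMPLE_ALERT), ("assessment", SAMPLE_ASSESSMENT)):
        print(kind, map_finding(rec, kind))
```

When validating ingested data, compare the `status` and `score` fields produced here with what the Vulcan UI shows for the same finding; a mismatch on score with a matching severity label usually means the record was classified as the other kind (alert versus assessment).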
Status Update Mechanisms
Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).
The table below lists how the status update mechanism works in the Microsoft Defender for Cloud connector for the vulnerabilities and assets in the Vulcan Platform.
| Update type | Mechanism |
| --- | --- |
| Archiving Assets | |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | By the statuses: Active, Unhealthy. |
Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).
API Endpoints in Use
| API | API Version | Use in Vulcan | Permissions required |
| --- | --- | --- | --- |
| | - | Authentication for other endpoints | No special permissions |
| | 2020-01-01 | Load subscription options in connector screen | No special permissions |
| | 2021-04 | Run microsoft.compute/virtualmachines endpoint | No special permissions |
| | 2022-03-01 | Assets (Host). Run Microsoft.Network/networkInterfaces endpoint | No special permissions |
| | 2021-05-01 | Asset enrichment (Host). Run Microsoft.Network/publicIPAddresses endpoint | No special permissions |
| | 2021-05-01 | Asset enrichment (Host) | No special permissions |
| | 2021-11-01 | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource), vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |
| | 2021-06-01 | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource) | No special permissions |
| | 2019-01-01-preview | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource), vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |
| | 2021-06-01 | Vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |
Data Validation
The purpose of this Data Validation section is to provide a clear understanding of how data from Microsoft Defender for Cloud appears when ingested into Vulcan. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.
Notes:
To achieve optimal results, please ensure that you are logged into the Microsoft Defender for Cloud's UI with the appropriate user account, which is also configured in Vulcan. This will eliminate any permission or scoping discrepancies during testing.
When comparing numbers, aim for approximate matches rather than expecting a 100% match due to potential time differences during synchronization.
Matching Vulnerabilities
This step aims to compare the vulnerability count in Microsoft Defender for Cloud with that in Vulcan.
Vulcan ingests both Defender for Cloud Recommendations and Security Alerts as vulnerabilities. Here's how to retrieve the counts for each:
Matching "Recommendations" Vulnerabilities
Click on the "Recommendations" tab in the left menu of Defender for Cloud.
The "Active recommendations" count represents the number of unique recommendations, which are mapped to unique vulnerabilities in Vulcan.
To view related assets for a specific recommendation, click on its name.
Matching "Security Alerts" Vulnerabilities
Access the "Security alerts" section from the left menu.
Apply filters for "Active" and "In progress" status, considering all severities.
The count on the left represents the number of active instances, not the unique alerts count.
To obtain the unique count of security alerts, download the CSV report and remove any duplications based on the alert name. Alternatively, you can apply a filter on the portal and observe that there are five unique alerts.
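The distinction between active instances and unique alerts is the usual source of count mismatches, so here is an added example (not Vulcan's own tooling) that computes both numbers from a constructed security-alerts CSV export. The column names `Alert name`, `Status` and `Severity` are assumptions; check them against the header of your own download before running it on a real file.

```python
"""Added example (not Vulcan's own tooling): derive the instance count and the
unique-alert count that the validation step compares, from a CSV export.
Column names are assumptions; the sample CSV below is constructed."""
import csv
import io
from collections import Counter

# Constructed sample export: one alert fires on three hosts, one is already resolved.
SAMPLE_CSV = """Alert name,Status,Severity,Affected resource
Suspicious process executed,Active,High,vm-web-01
Suspicious process executed,Active,High,vm-web-02
Suspicious process executed,Resolved,High,vm-web-03
Anonymous access to storage account,In progress,Medium,stexample
Unusual sign-in,Dismissed,Low,vm-db-01
"""

# The validation step filters the portal on these two statuses.
OPEN_STATUSES = frozenset({"Active", "In progress"})


def open_rows(csv_text, statuses=OPEN_STATUSES, status_column="Status"):
    """Rows whose status matches the portal filter used in the validation step."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r[status_column] in statuses]


def alert_counts(csv_text, name_column="Alert name"):
    """Return (active_instances, unique_alerts): the portal's left-hand count and
    the deduplicated-by-name count that maps to unique Vulcan vulnerabilities."""
    rows = open_rows(csv_text)
    return len(rows), len({r[name_column] for r in rows})


def instances_per_alert(csv_text, name_column="Alert name"):
    """How many open instances each unique alert contributes."""
    return Counter(r[name_column] for r in open_rows(csv_text))


def unique_by_severity(csv_text, name_column="Alert name", severity_column="Severity"):
    """Unique open alerts per severity, for matching against per-severity views."""
    seen = {(r[name_column], r[severity_column]) for r in open_rows(csv_text)}
    return Counter(sev for _, sev in seen)


if __name__ == "__main__":
    instances, unique = alert_counts(SAMPLE_CSV)
    print(f"active instances: {instances}, unique alerts: {unique}")
    print(dict(instances_per_alert(SAMPLE_CSV)))
    print(dict(unique_by_severity(SAMPLE_CSV)))
```

The `unique` figure is the one to compare with the Vulnerabilities page in Vulcan; the `instances` figure corresponds to vulnerability instances (asset-vulnerability connections), which the later "Matching Vulnerability Instances" step covers.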
Matching Assets
This step aims to compare the asset count in Microsoft Defender for Cloud with that in Vulcan.
Vulcan Hosts
In the Defender for Cloud interface, click "Inventory" and filter the resource type by virtual machines.
In Vulcan, navigate to the "Hosts" section. The asset count should correspond to the resource count in Defender for Cloud.
Vulcan Cloud Resources
All Defender for Cloud (DFC) inventory items that are not virtual machines are represented as Vulcan's cloud resources.
In the Defender for Cloud resource type filter, select all types and uncheck "virtual machines."
Regions are also ingested as cloud resources and do not appear in the inventory listing in Defender for Cloud. Therefore, Vulcan may display a higher count of assets due to this inclusion.
Matching Vulnerability Instances
This step aims to establish connections between vulnerabilities and assets in Microsoft Defender for Cloud and compare them to Vulcan.
To view vulnerability instances in the Defender for Cloud portal, click on a specific asset and filter by the "Unhealthy" status.
Each Asset in Defender for Cloud contains "Recommendations" and "Alerts," which are ingested into Vulcan as vulnerabilities.