This reference architecture illustrates how to use Microsoft Defender for Cloud and Microsoft Sentinel to monitor the security configuration and telemetry of on-premises and Azure operating system workloads. This includes Azure Stack.
Potential use cases
Typical uses for this architecture include:
Best practices for integrating on-premises security and telemetry monitoring with Azure-based workloads
How to integrate Microsoft Defender for Cloud with Azure Stack
How to integrate Microsoft Defender for Cloud with Microsoft Sentinel
The architecture consists of the following workflow
This is an advanced, unified security-management platform that Microsoft offers to all Azure subscribers. Defender for Cloud is segmented as a cloud security posture management (CSPM) and cloud workload protection platform (CWPP). CWPP is defined by workload-centric security protection solutions, which are typically agent-based. Microsoft Defender for Cloud provides threat protection for Azure workloads, both on-premises and in other clouds, including Windows and Linux virtual machines (VMs), containers, databases, and the Internet of Things (IoT). When activated, the Log Analytics agent deploys automatically into Azure Virtual Machines. For on-premises Windows and Linux servers and VMs, you can manually deploy the agent, use your organization's deployment tool, such as Microsoft Endpoint Protection Manager, or utilize scripted deployment methods. Defender for Cloud begins assessing the security state of all your VMs, networks, applications, and data.
This is a cloud-native Security Information and Event Management (SIEM) and security orchestration automated response (SOAR) solution that uses advanced AI and security analytics to help you detect, hunt, prevent, and respond to threats across your enterprise.
This is a portfolio of products that extend Azure services and capabilities to your environment of choice, from the data center to edge locations and remote offices. Systems that you integrate with Azure Stack typically utilize racks of four to sixteen servers, built by trusted hardware partners and delivered straight to your data center.
Collects monitoring telemetry from a variety of on-premises and Azure sources. Management tools, such as those in Microsoft Defender for Cloud and Azure Automation, also push log data to Azure Monitor.
Log Analytics workspace
Azure Monitor stores log data in a Log Analytics workspace, which is a container that includes data and configuration information.
Log Analytics agent
The Log Analytics agent collects monitoring data from the guest operating system and VM workloads in Azure, other cloud providers, and on-premises. The Log Analytics Agent supports Proxy configuration and, typically in this scenario, a Microsoft Operations Management Suite (OMS) Gateway acts as a proxy.
This is the firewall configured to support HTTPS egress from defined systems.
On-premises Windows and Linux systems
Systems with the Log Analytics Agent installed.
Azure Windows and Linux VMs
Systems on which the Microsoft Defender for Cloud monitoring agent is installed.
The following recommendations apply to most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.
Microsoft Defender for Cloud upgrade
This reference architecture uses Microsoft Defender for Cloud to monitor on-premises systems, Azure VMs, Azure Monitor resources, and even VMs hosted by other cloud providers. To support that functionality, the standard fee-based tier of Microsoft Defender for Cloud is needed. We recommend that you use the 30-day free trial to validate your requirements.
Customized Log Analytics Workspace
Microsoft Sentinel needs access to a Log Analytics workspace. In this scenario, you can't use the default Defender for Cloud Log Analytics workspace with Microsoft Sentinel. You'll need to create a customized workspace. Data retention for a customized workspace is based on the workspace pricing tier, and you can find pricing models for Monitor Logs here.
Microsoft Defender for Cloud roles – Defender for Cloud assesses your resources' configuration to identify security issues and vulnerabilities, and displays information related to a resource when you are assigned the role of owner, contributor, or reader for the subscription or resource group to which a resource belongs.
In addition to these roles, there are two specific Defender for Cloud roles
Security Reader. A user that belongs to this role has read-only rights to Defender for Cloud. The user can observe recommendations, alerts, a Microsoft security policy, and security states, but can't make changes.
Security Admin. A user that belongs to this role has the same rights as the Security Reader and also can update security policies, and dismiss alerts and recommendations. Typically, these are users who manage the workload.
The security roles, Security Reader and Security Admin, have access only to Defender for Cloud. The security roles don't have access to other Azure service areas, such as storage, web, mobile, or IoT.
Microsoft Sentinel subscription
To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides.
To use Microsoft Sentinel, you need contributor or reader permissions on the resource group to which the workspace belongs.
Microsoft Sentinel is a paid service.
The Log Analytics Agent for Windows and Linux is designed to have very minimal impact on the performance of VMs or physical systems.
Microsoft Defender for Cloud operational process won't interfere with your normal operational procedures. Instead, it passively monitors your deployments and provides recommendations based on the security policies you enable.
A security policy defines the set of controls that are recommended for resources within a specified subscription. In Microsoft Defender for Cloud, you define policies for your Azure subscriptions according to your company's security requirements and the type of applications or data sensitivity for each subscription.
The security policies that you enable in Microsoft Defender for Cloud drive security recommendations and monitoring. To learn more about security policies. You can assign security policies in Microsoft Defender for Cloud only at the management or subscription group levels.
Microsoft Defender for Cloud Standard tier.
Azure Monitor workspace offers granularity of billing.
Microsoft Sentinel is a paid service.