Governance Policies Azure Security Defender
Governance policies for Defender
Domain: azure-security
Patterns

| Name | Description |
|---|---|
| Defender for Cloud with full coverage | Enable Defender Standard tier on all resource types with auto-provisioning and alert routing |

Anti-patterns

| Anti-pattern | Instead |
|---|---|
| Do not use Free tier Defender in production | Enable Standard tier on all resource types used in the deployment |
| Do not skip security contact configuration | Configure security contact email with alert notifications enabled |

Checks

| Check | Severity | Description |
|---|---|---|
| AZ-DEF-001 | Required | Enable Microsoft Defender for Cloud on all resource types used in the deployment |
| AZ-DEF-002 | Required | Enable auto-provisioning of security agents and vulnerability assessment |
| AZ-DEF-003 | Required | Configure security contact for alert notifications |
| AZ-DEF-004 | Recommended | Enable continuous export of Defender alerts to Log Analytics |
AZ-DEF-001: Enable Microsoft Defender for Cloud on all resource types used in the deployment

Severity: Required
Rationale: Defender provides continuous threat detection, vulnerability assessment, and security recommendations
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
Resource types:
- Microsoft.Security/pricings

AZ-DEF-002: Enable auto-provisioning of security agents and vulnerability assessment

Severity: Required
Rationale: Auto-provisioning ensures all new resources are automatically protected
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
Resource types:
- Microsoft.Security/autoProvisioningSettings

AZ-DEF-003: Configure security contact for alert notifications

Severity: Required
Rationale: Security alerts must reach the operations team promptly for incident response
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer
Resource types:
- Microsoft.Security/securityContacts

AZ-DEF-004: Enable continuous export of Defender alerts to Log Analytics

Severity: Recommended
Rationale: Continuous export enables SIEM integration, custom alerting, and long-term retention beyond Defender
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer, monitoring-agent
Resource types:
- Microsoft.Security/pricings
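The four checks above expressed as Terraform `azurerm` resources, added here as an illustration and not code from the policy repository. It assumes the azurerm provider v4; the subscription ID, e-mail address, resource group, region and Log Analytics workspace are placeholders, and the plan list must match the resource types actually deployed.

```terraform
# Constructed example: AZ-DEF-001..004 as Terraform azurerm resources.
# All IDs, names and addresses below are placeholders.

locals {
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder
  # AZ-DEF-001: list only the resource types present in the deployment.
  defender_plans  = toset(["VirtualMachines", "StorageAccounts", "SqlServers", "KeyVaults", "Containers"])
}

# AZ-DEF-001: Standard tier per resource type (Microsoft.Security/pricings).
# The anti-pattern is the same resource with tier = "Free".
resource "azurerm_security_center_subscription_pricing" "defender" {
  for_each      = local.defender_plans
  tier          = "Standard"
  resource_type = each.key
}

# AZ-DEF-002: agents and vulnerability assessment on every new resource
# (Microsoft.Security/autoProvisioningSettings).
resource "azurerm_security_center_auto_provisioning" "default" {
  auto_provision = "On"
}

# AZ-DEF-003: alert routing to the operations team
# (Microsoft.Security/securityContacts).
resource "azurerm_security_center_contact" "secops" {
  name                = "default"
  email               = "secops@example.com" # placeholder
  alert_notifications = true
  alerts_to_admins    = true
}

# AZ-DEF-004: continuous export of Defender alerts to a Log Analytics workspace.
resource "azurerm_security_center_automation" "alerts_to_law" {
  name                = "export-defender-alerts"
  location            = "westeurope"        # placeholder
  resource_group_name = "rg-security"       # placeholder
  scopes              = ["/subscriptions/${local.subscription_id}"]

  action {
    type        = "LogAnalytics"
    resource_id = "/subscriptions/${local.subscription_id}/resourceGroups/rg-security/providers/Microsoft.OperationalInsights/workspaces/law-security" # placeholder
  }

  source {
    event_source = "Alerts"
  }
}
```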