lacework-global-608
2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On' (Manual)
Profile Applicability
• Level 2
Description
Microsoft Defender for DNS scans all network traffic exiting from within a subscription.
Rationale
DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.
Impact
Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.
Audit
From Azure Portal
- Go to Microsoft Defender for Cloud
- Select the Environment Settings blade
- Click on the subscription name
- Select the Defender plans blade
- Review the chosen pricing tier. For the DNS resource type, Plan should be set to On.
From Azure CLI
Ensure the output of the below command is Standard
az security pricing show -n 'DNS' --query 'pricingTier'
From Azure PowerShell
Get-AzSecurityPricing -Name 'DNS' | Select-Object Name,PricingTier
Ensure the output of PricingTier is Standard
Remediation
From Azure Portal
- Go to Microsoft Defender for Cloud
- Select the Environment Settings blade
- Click on the subscription name
- Select the Defender plans blade
- On the line in the table for DNS, select On under Plan.
- Select Save
From Azure CLI
Use the below command to enable the Standard pricing tier for DNS
az security pricing create -n 'DNS' --tier 'Standard'
From Azure PowerShell
Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'
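As an added example (not the benchmark's own code), the following POSIX shell script applies the Azure CLI audit and remediation above: it extracts pricingTier from the JSON that `az security pricing show -n 'DNS'` prints and reports whether Defender for DNS is On, using constructed sample JSON so the check itself runs offline. The function names, the `--live` switch and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark. The JSON samples below are
# constructed to mirror the shape of `az security pricing show -n 'DNS'` output.
SAMPLE_ON='{"name": "DNS", "pricingTier": "Standard"}'
SAMPLE_OFF='{"name": "DNS", "pricingTier": "Free"}'
SAMPLE_PRETTY='{
  "name": "DNS",
  "pricingTier": "Standard",
  "type": "Microsoft.Security/pricings"
}'

# Pull the pricingTier value out of JSON on stdin. sed scans line by line, so
# both compact and pretty-printed az output work, and no jq is needed.
pricing_tier() {
    sed -n 's/.*"pricingTier"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 when the tier means Defender for DNS is On, 1 otherwise.
# Anything other than exactly "Standard" (Free, empty, missing key) counts as Off.
dns_defender_on() {
    tier=$(printf '%s\n' "$1" | pricing_tier)
    [ "$tier" = "Standard" ]
}

# One-line verdict for a compliance report.
dns_defender_status() {
    if dns_defender_on "$1"; then
        echo "PASS: Defender for DNS is On (pricingTier=Standard)"
    else
        echo "FAIL: Defender for DNS is Off (pricingTier=$(printf '%s\n' "$1" | pricing_tier))"
    fi
}

# Live audit and remediation against the current az login (assumed helper
# names); only run when the script is invoked with --live.
audit_live() { az security pricing show -n 'DNS' -o json; }
remediate_live() { az security pricing create -n 'DNS' --tier 'Standard'; }

if [ "${1:-}" = "--live" ]; then
    json=$(audit_live)
    dns_defender_status "$json"
    if ! dns_defender_on "$json"; then
        remediate_live
        dns_defender_status "$(audit_live)"
    fi
fi
```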