Getting Started with Defender for Cloud Autopilot - Recommendations#
Introduction#
Defender for Cloud Autopilot is a tool that allows you to retrieve data (alerts or recommendations) from Microsoft Defender for Cloud, along with their metadata.
Note
This tutorial provides an introduction to the Defender for Cloud Autopilot and demonstrates how to configure it to fetch recommendations. If you are interested in the fetch of alerts, please check this tutorial.
It has the ability to filter recommendations based on certain aspects, such as the severity, the category, the threats, the user impact, the implementation effort or by searching certain keywords in the recommendation’s name and description.
To understand this guide, it is essential to have completed the following steps:
Obtain “Cloud application administrator” permissions to an Azure subscription
Use-cases#
For this example, we are using the following use cases:
Retrieve the security recommendations for an Azure subscription, along with their metadata, based on the security level filter given as input
Preparation#
Obtain the Tenant ID, Subscription ID, Client ID and the Client Secret#
To acquire these environment variables, kindly refer to the preparation sections outlined in the alerts tutorial, as the procedure remains identical.
Download resources#
Please download the following file first:
Upload the files to the Yaku service. If you are unsure how to perform those steps, take a look at the Quickstart Tutorial.
The following steps for editing the configuration files are done directly in the web interface and the integrated editor.
Adjust the config files#
You should have uploaded the files already to the Yaku web interface.
Now open the editor of the config, which you have created for this tutorial.
Use Defender for Cloud Autopilot in qg-config.yaml#
Open the
qg-config.yamlfile and take a look at the sections. The interesting lines are the definition of thedefender-for-cloudautopilot:7 defender-autopilot: 8 run: | 9 defender-for-cloud 10 env: 11 TENANT_ID: <<your_tenant_id>> 12 SUBSCRIPTION_ID: <<your_subscription_id>> 13 CLIENT_ID: <<your_client_id>> 14 CLIENT_SECRET: ${{ secrets.CLIENT_SECRET }} 15 DATA_TYPE: "recommendations" 16 SEVERITY_FILTER: "" 17chapters: 18 "1": 19 title: Project management 20 requirements: 21 "1.15":
Now you need to adapt the environment variables defined for this autopilot script:
Line 11: The variable
TENANT_IDmust contain the id of the tenant from where the recommendations will be extracted.Line 12: The variable
SUBSCRIPTION_IDmust contain the id of the subscription from where the recommendations will be extracted.Line 13: The variable
CLIENT_IDmust contain the id of the app used to authenticate to Microsoft Defender for Cloud.Line 14: The variable
CLIENT_SECRETmust contain the secret of the app used to authenticate to Microsoft Defender for Cloud.Line 15: The variable
DATA_TYPEmust be set to “recommendations” because we want to fetch recommendations from Microsoft Defender for Cloud.Line 16: The variable
SEVERITY_FILTERis an optional filter. When provided, the autopilot will return only the recommendations whose type match at least one of the values provided as input, in our case only theHighlevel.
IMPORTANT: To learn how to use and take full advantage of all the versatile filters, please see the Filter Documentation section of the Autopilot Background Information.
Run the example#
You can now save the file and start a new run of this configuration. Please see the Example Output section of the Autopilot Background Information for the possible results of the runner.