lacework-global-608
Set Microsoft Defender for Domain Name System (DNS) To 'On' (Manual)
Profile Applicability
• Level 2
Description
Microsoft Defender for DNS scans all network traffic exiting from within a subscription.
Rationale
DNS lookups within a subscription are scanned and compared against a dynamic list of domains that may be potential security threats. Such lookups can be a symptom of a security breach within your services, so scanning for them can surface a compromise early and prevent a potential security threat from being introduced.
Impact
Enabling Microsoft Defender for DNS requires enabling Microsoft Defender for your subscription. Both will incur additional charges, with Defender for DNS being a small amount per million queries.
Audit
From Azure Portal
- Go to Microsoft Defender for Cloud.
- Select Environment Settings blade.
- Click on the subscription name.
- Select the Defender plans blade.
- Review the chosen pricing tier. For the DNS resource type, Plan should be set to On.
From Azure CLI
Ensure the output of the below command is Standard (the JMESPath key is case-sensitive):
az security pricing show -n 'DNS' --query 'pricingTier'
From Azure PowerShell
Get-AzSecurityPricing -Name 'DNS' | Select-Object Name,PricingTier
Ensure the output of PricingTier is Standard
Remediation
From Azure Portal
- Go to Microsoft Defender for Cloud.
- Select Environment Settings blade.
- Click the subscription name.
- Select the Defender plans blade.
- Select On under Status for DNS.
- Select Save.
From Azure CLI
Enable Standard pricing tier for DNS:
az security pricing create -n 'DNS' --tier 'Standard'
From Azure PowerShell
Enable Standard pricing tier for DNS:
Set-AzSecurityPricing -Name 'DNS' -PricingTier 'Standard'
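The audit and remediation steps above, combined into one script that walks every subscription the signed-in identity can see. This is an added example, not part of the Lacework or CIS control text; it assumes the Azure CLI (az) is installed and logged in, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Lacework/CIS page: audit the Defender for DNS
# plan in every subscription the signed-in identity can see, and optionally
# set it to Standard. Assumes the Azure CLI (az) is installed and logged in.
set -eu

# Policy check: the plan counts as "On" only when the tier is exactly "Standard".
# "Free", an empty string or "UNKNOWN" (query failed) are all non-compliant.
dns_tier_compliant() {
  [ "${1:-}" = "Standard" ]
}

# Human-readable verdict for a tier value, used in the report lines below.
dns_tier_verdict() {
  if dns_tier_compliant "${1:-}"; then echo PASS; else echo FAIL; fi
}

# Raw pricing tier of the DNS plan in subscription $1 (tsv output, no quotes).
# The JMESPath key is camelCase (pricingTier) and case-sensitive.
get_dns_tier() {
  az security pricing show -n DNS --subscription "$1" \
    --query pricingTier -o tsv 2>/dev/null || echo UNKNOWN
}

# Walk all subscriptions; with $1 = remediate, enable the Standard tier where
# it is off. Exit status is non-zero if any subscription was non-compliant.
audit_subscriptions() {
  mode="${1:-audit}"
  failures=0
  for sub_id in $(az account list --query "[].id" -o tsv); do
    tier="$(get_dns_tier "$sub_id")"
    verdict="$(dns_tier_verdict "$tier")"
    printf '%s  %s  pricingTier=%s\n' "$verdict" "$sub_id" "$tier"
    if [ "$verdict" = FAIL ]; then
      failures=$((failures + 1))
      if [ "$mode" = remediate ]; then
        az security pricing create -n DNS --tier Standard \
          --subscription "$sub_id" >/dev/null
        printf 'FIXED %s  Defender for DNS set to Standard\n' "$sub_id"
      fi
    fi
  done
  [ "$failures" -eq 0 ]
}

# Usage: sh defender_dns.sh audit | sh defender_dns.sh remediate
# Nothing runs against Azure unless a mode is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_subscriptions "$1"
fi
```

Run it in audit mode first; the non-zero exit status makes it usable as a CI or scheduled compliance check before any subscription is changed.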
References
https://azure.microsoft.com/en-us/pricing/details/defender-for-cloud/
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/dns-security-baseline
https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-dns-alerts
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-network-security#ns-10-ensure-domain-name-system-dns-security
https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-logging-threat-detection#lt-1-enable-threat-detection-capabilities