L17. Workload Protections: Servers, Containers and Databases
Defender for Cloud workload protection plans provide runtime threat detection for servers, containers, and databases. This lesson covers Defender for Servers plans, container security, database protections, and alert investigation for the SC-200 exam.
Defender for Servers
Defender for Servers protects Windows and Linux machines in Azure, in AWS and GCP (via the multicloud connectors), and on-premises or in other environments (via Azure Arc-enabled servers). Two plans are available; Plan 2 is a superset of Plan 1:
| Feature | Plan 1 | Plan 2 |
|---|---|---|
| Defender for Endpoint integration | Yes | Yes |
| Agentless vulnerability scanning | No | Yes |
| File integrity monitoring | No | Yes |
| Just-in-time VM access | No | Yes |
| Adaptive application controls | No | Yes |
| Adaptive network hardening | No | Yes |
| OS baseline compliance | No | Yes |
Just-in-Time VM Access
JIT reduces the exposure of management ports by keeping them closed until someone actually needs them:
- When JIT is enabled for a VM, Defender for Cloud adds deny rules for the protected ports (e.g., 3389/RDP, 22/SSH) to the VM's NSG (and to Azure Firewall, if the VM sits behind one)
- A user requests access for a specific port, source IP (or range), and duration, within the limits defined in the JIT policy
- JIT inserts a higher-priority allow rule for that port and source only, for the requested duration
- When the time expires the allow rule is removed and the deny rule applies again
JIT requests are governed by Azure RBAC rather than a separate approval workflow: a request is granted when the requester holds the initiate permission on the JIT policy and the request stays within the policy's allowed ports, sources and maximum duration. Every request is recorded on the policy, which is what an auditor or analyst reviews later.
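The two halves of the procedure above, first defining the JIT policy and then requesting access under it, as an added PowerShell example (not code from the lesson). It uses the Az.Security cmdlets Set-AzJitNetworkAccessPolicy, Start-AzJitNetworkAccessPolicy and Get-AzJitNetworkAccessPolicy after Connect-AzAccount; the subscription ID, resource group, VM name, region and requester IP are placeholders.

```powershell
# Added example: enable a JIT policy for one VM, then request SSH access from one source IP.
# Requires Az.Accounts and Az.Security and an authenticated session (Connect-AzAccount).
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-prod-web"                            # placeholder
$VmName         = "vm-web-01"                              # placeholder
$Location       = "westeurope"                             # placeholder
$RequesterIp    = "203.0.113.10"                           # placeholder (TEST-NET-3 range)

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Policy: which ports JIT may open, from which sources, and for at most how long.
#    Once the policy exists, deny rules for these ports are kept on the NSG until a request is granted.
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($JitPolicy)

# 2. Request: one port, one source IP, explicit UTC end time (1 hour here, inside the PT3H cap).
$EndTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$JitRequest = @{
    id    = $VmId
    ports = @(
        @{ number = 22; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($RequesterIp) }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($JitRequest)

# 3. Audit: the policy object records every request (requester, port, source, start/end time).
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default" |
    Select-Object -ExpandProperty Requests |
    ConvertTo-Json -Depth 6
```

Requesting a source prefix of "*" would be accepted by this policy because the policy allows any source; in practice narrow allowedSourceAddressPrefix in the policy to the corporate egress ranges so that a request cannot open the port to the whole internet.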
Defender for Containers
Defender for Containers protects Kubernetes environments:
| Capability | Description |
|---|---|
| Image vulnerability scanning | Scans container images in ACR, ECR, and GCR |
| Runtime protection | Detects suspicious container behavior (crypto mining, shell access, privilege escalation) |
| Kubernetes audit log analysis | Monitors API server events for suspicious operations |
| Admission control | Blocks deployment of vulnerable or non-compliant images |
| Network policy recommendations | Suggests network segmentation for pods |
The plan relies on three components:
- A Defender sensor, deployed as a DaemonSet so that one pod runs on each Kubernetes node, collects runtime signals for threat detection
- The Azure Policy add-on for Kubernetes (built on Gatekeeper) enforces admission-control policies at the API server
- Container images are scanned agentlessly in the registry, so no scanner runs inside the cluster for that capability
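A quick check that the components listed above are actually in place on an AKS cluster, as an added example (not from the lesson). It assumes the Azure CLI and kubectl are installed and authenticated; the resource group and cluster name are placeholders, and the DaemonSet name pattern is an assumption based on the sensor's deployment into the kube-system namespace.

```powershell
# Added example: verify Defender for Containers and the Azure Policy add-on on an AKS cluster.
$ResourceGroup = "rg-prod-aks"   # placeholder
$ClusterName   = "aks-prod-01"   # placeholder

# Plan-level state from the AKS resource: Defender security monitoring and the Azure Policy add-on.
az aks show -g $ResourceGroup -n $ClusterName `
    --query "{defender:securityProfile.defender.securityMonitoring.enabled, policyAddon:addonProfiles.azurepolicy.enabled}" `
    -o json

# Cluster-level state: the sensor DaemonSet should report one ready pod per node.
az aks get-credentials -g $ResourceGroup -n $ClusterName --overwrite-existing
kubectl get daemonset -n kube-system | Select-String -Pattern "microsoft-defender"   # name pattern is an assumption
kubectl get nodes --no-headers | Measure-Object | Select-Object -ExpandProperty Count  # compare with DESIRED/READY above

# Admission control: Gatekeeper (installed by the Azure Policy add-on) and its constraint templates.
kubectl get pods -n gatekeeper-system
kubectl get constrainttemplates
```

If DESIRED and READY on the DaemonSet differ from the node count, some nodes are running without runtime protection; that is the first thing to check before trusting an absence of container alerts.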
Defender for Databases
"Defender for Databases" is a bundle of several plans, each covering a different engine:
Defender for Azure SQL (Azure SQL Database, SQL Managed Instance, and SQL Server on machines):
- Detects SQL injection attempts
- Identifies anomalous database access patterns
- Alerts on brute-force login attempts
- Detects access from unusual locations
Defender for open-source relational databases:
- Covers Azure Database for PostgreSQL, MySQL, and MariaDB
- Detects anomalous access and brute-force attacks
Defender for Azure Cosmos DB:
- Detects SQL injection in Cosmos DB queries
- Identifies anomalous data access patterns
- Alerts on access from suspicious locations
Defender for Storage
Defender for Storage protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage:
- Malware scanning: Scans uploaded blobs for malware in near real-time
- Sensitive data threat detection: Alerts when data classified as sensitive is accessed anomalously (requires sensitive data discovery to be enabled)
- Anomalous access detection: Identifies unusual access patterns, such as access from unfamiliar locations or unusual data extraction
Malware scan verdicts are published as blob index tags, Event Grid events, and security alerts, so a malicious upload can be alerted on, or quarantined or deleted automatically by downstream automation that reacts to the verdict.
Security Alerts
When workload protections detect threats, they generate security alerts with:
- Severity (High, Medium, Low, Informational)
- MITRE ATT&CK tactic mapping (the kill-chain stage of the detected activity)
- Affected resource details
- Remediation guidance
- Raw evidence and related entities (accounts, IPs, hosts, processes)
Alerts are shown in Defender for Cloud and, when the Defender for Cloud data connector is enabled, flow into the SecurityAlert table in Microsoft Sentinel for correlation with other security data.
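Triage of Defender for Cloud alerts from the Sentinel side, as an added example (not from the lesson). It queries the SecurityAlert table with Invoke-AzOperationalInsightsQuery from Az.OperationalInsights; the workspace ID is a placeholder, and the ProductName value used to select Defender for Cloud alerts is an assumption.

```powershell
# Added example: pull recent Defender for Cloud alerts from Sentinel and surface the triage fields.
# Requires Az.Accounts and Az.OperationalInsights and an authenticated session (Connect-AzAccount).
$WorkspaceId = "11111111-1111-1111-1111-111111111111"   # placeholder Log Analytics workspace ID

$Kql = @"
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName == "Azure Security Center"      // Defender for Cloud alerts (value is an assumption)
| where AlertSeverity in ("High", "Medium")
| project TimeGenerated, AlertName, AlertType, AlertSeverity, Tactics,
          CompromisedEntity, ResourceId, RemediationSteps, Entities
"@

$Alerts = (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Kql).Results

# Work queue: newest first, with the tactic so an analyst sees where in the kill chain each alert sits.
$Alerts | Sort-Object TimeGenerated -Descending |
    Format-Table TimeGenerated, AlertSeverity, Tactics, AlertName, CompromisedEntity -AutoSize

# Same alert type firing repeatedly on the same resource is either a real campaign or a
# suppression-rule candidate; list those groups so the decision is explicit.
$Alerts | Group-Object AlertType, ResourceId |
    Where-Object Count -ge 5 |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# Entities is a JSON array; expand it for one alert to get the IPs/accounts for the investigation.
$First = $Alerts | Sort-Object TimeGenerated -Descending | Select-Object -First 1
if ($First) { $First.Entities | ConvertFrom-Json | Format-List }
```

AlertType (the stable identifier) rather than AlertName (the display string) is the value to carry into a suppression rule or a Sentinel analytics rule.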
Alert Suppression Rules
Create suppression rules to hide alerts that are known false positives in your environment:
- A rule always targets one alert type and can be scoped further by entity values (resource, IP address, host name, and so on) so that only the known-benign combination is suppressed
- Set an expiration date so a temporary suppression does not silently become permanent
- Suppressed alerts are still generated and stored (in a dismissed state) and remain queryable for audit; they are simply kept out of the active alert queue
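Creating such a rule through the Defender for Cloud REST API with Invoke-AzRestMethod (Az.Accounts), as an added example that is not code from the lesson. The alert type, IP address and rule name are placeholders; copy the AlertType value from the alert being suppressed.

```powershell
# Added example: suppress one alert type, scoped to one known-benign source IP, for 30 days.
# Requires Az.Accounts and an authenticated session (Connect-AzAccount).
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$RuleName       = "scanner-benign-ssh-bruteforce"          # placeholder rule name
$AlertType      = "VM_SshBruteForce"                       # placeholder: use the AlertType from the alert
$ScannerIp      = "198.51.100.25"                          # placeholder (TEST-NET-2 range)

$Body = @{
    properties = @{
        alertType         = $AlertType
        state             = "Enabled"
        reason            = "FalsePositive"
        comment           = "Authorized vulnerability scanner; reviewed by SecOps"
        expirationDateUtc = (Get-Date).ToUniversalTime().AddDays(30).ToString("o")
        suppressionAlertsScope = @{
            allOf = @(
                @{ field = "entities.ip.address"; in = @($ScannerIp) }
            )
        }
    }
} | ConvertTo-Json -Depth 8

$Path = "/subscriptions/$SubscriptionId/providers/Microsoft.Security/alertsSuppressionRules/$RuleName" +
        "?api-version=2019-01-01-preview"

$Response = Invoke-AzRestMethod -Method PUT -Path $Path -Payload $Body
if ($Response.StatusCode -ne 200) { throw "Suppression rule creation failed: $($Response.Content)" }

# Review the rule as stored (expiration and scope are what an auditor will ask about).
(Invoke-AzRestMethod -Method GET -Path $Path).Content | ConvertFrom-Json | ConvertTo-Json -Depth 8
```

Without the suppressionAlertsScope block the rule would suppress every alert of that type across the subscription; scoping to the scanner's IP keeps a real brute-force from another source visible.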
- ✓Defender for Servers Plan 2 includes JIT VM access, file integrity monitoring, and agentless vulnerability scanning.
- ✓JIT VM access closes management ports by default and opens them only for approved requests with time limits.
- ✓Defender for Containers uses a DaemonSet sensor for runtime protection and Azure Policy add-on for admission control.
- ✓Container image scanning works agentlessly across ACR, ECR, and GCR registries.
- ✓Defender for Azure SQL detects SQL injection, anomalous access patterns, and brute force attacks.
- ✓Alert suppression rules hide known false positives while still logging them for audit purposes.
1. An organization wants to close RDP and SSH ports on Azure VMs by default and only open them when analysts need access. Which feature should they enable?
2. Which component does Defender for Containers deploy on Kubernetes nodes for runtime threat detection?
3. Defender for Servers Plan 1 includes which core capability?