Microsoft Defender for Cloud · 15-20% of exam

L18. Regulatory Compliance and Governance

Defender for Cloud maps security controls to regulatory frameworks and provides governance tools for tracking remediation progress. This lesson covers compliance standards, regulatory compliance dashboard, governance rules, and export capabilities for the SC-200 exam.

Regulatory Compliance Dashboard

The regulatory compliance dashboard in Defender for Cloud shows how your environment maps to industry standards and regulations. Each standard is broken into control families, and each control maps to specific security recommendations.

The dashboard displays:

  • Compliance score: Percentage of passing controls per standard
  • Control status: Passed, Failed, or Manual assessment needed
  • Resource compliance: Per-resource compliance for each control
  • Audit evidence: Exportable compliance reports

Available Compliance Standards

Defender for Cloud supports numerous standards:

Standard                              Scope
Microsoft Cloud Security Benchmark    Default for all subscriptions
NIST 800-53                           US federal government baseline
PCI DSS v4.0                          Payment card industry
ISO 27001                             International security management
SOC 2 Type 2                          Service organization controls
CIS Azure/AWS/GCP Benchmarks          Platform-specific hardening
HIPAA HITRUST                         Healthcare data protection
FedRAMP                               US government cloud services

Standards can be added per subscription or management group. Adding a standard maps its controls to existing Defender for Cloud recommendations.

Exam tip: Adding a compliance standard does not create new assessments. It maps existing recommendations to the standard's control framework. If a control has no mapped recommendation, it requires manual attestation.

Manual Attestation

Some regulatory controls cannot be assessed automatically (e.g., "Do you have an incident response plan?"). These require manual attestation:

  1. Navigate to the control in the compliance dashboard
  2. Click the control requiring manual assessment
  3. Select the attestation state: Compliant, Non-compliant, or Not applicable
  4. Add evidence (documents, links, descriptions)
  5. Set a review date

Manual attestations are tracked alongside automated assessments in the dashboard.

Governance Rules

Governance rules assign ownership and deadlines for recommendation remediation:

  • Owner: Email address of the person responsible for remediation
  • Deadline: Date by which the recommendation must be resolved
  • Grace period: Time after which overdue items are flagged
  • Email notifications: Automatic reminders sent to owners

Configure governance rules to apply to:

  • Specific recommendations or recommendation categories
  • Specific resource types
  • Specific subscriptions or management groups

Exam tip: Governance rules track remediation ownership and deadlines but do not enforce remediation. They provide accountability through notifications and dashboard visibility.

Continuous Export

Export Defender for Cloud data for integration with external systems.

Export destinations:

  • Log Analytics workspace: Query data with KQL, create Sentinel analytics rules
  • Event Hub: Stream to third-party SIEMs or custom applications
  • CSV/PDF: Manual compliance report exports

Exportable data types:

  • Security recommendations and their status
  • Secure Score changes over time
  • Security alerts
  • Regulatory compliance assessment results

Exam tip: Continuous export to a Log Analytics workspace enables creating Sentinel analytics rules based on Defender for Cloud recommendations or score changes.

Azure Policy Integration

Defender for Cloud recommendations are driven by Azure Policy:

  • Each recommendation maps to one or more policy definitions
  • Policies are grouped into initiatives (the compliance standards)
  • Custom policies can be created and added to custom initiatives
  • Policy enforcement modes: Audit (detect only) or Deny (prevent non-compliant deployment)

The Deny effect prevents deployment of non-compliant resources at the ARM level. Use it cautiously for critical controls where non-compliance must be blocked.
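As an added illustration (not from this lesson and not one of Microsoft's built-in definitions), the custom policy definition below is the kind of object a recommendation maps to. Its effect is a parameter, so the same definition can be assigned as Audit in one initiative and as Deny in another; the storage-account alias is Azure's real alias, while the display name and descriptions are written for this example.

```json
{
  "properties": {
    "displayName": "Storage accounts should only allow HTTPS traffic (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example definition. Audit reports storage accounts that accept unencrypted HTTP; Deny blocks their deployment at the ARM level. Default to Audit and switch to Deny only for controls where non-compliance must be blocked.",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit = detect only (recommendation shows Unhealthy). Deny = reject the deployment. Disabled = turn the policy off."
        },
        "allowedValues": ["Audit", "Deny", "Disabled"],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "exists": "false"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Adding this definition to a custom initiative and assigning it to a subscription produces a Defender for Cloud recommendation with the same Audit/Deny behaviour described above.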

Multi-Cloud Compliance

Regulatory compliance assessments extend to AWS and GCP:

  • Standards are applied at the connector level
  • AWS and GCP resources are assessed using equivalent controls
  • A single dashboard shows cross-cloud compliance posture
  • Custom standards can include cross-cloud controls

This enables organizations to demonstrate compliance across their entire cloud estate from a single interface.

Exam Focus Points

  • Adding a compliance standard maps existing recommendations to its controls; it does not create new assessments.
  • Controls without automated assessments require manual attestation with evidence and review dates.
  • Governance rules assign remediation owners and deadlines but do not enforce remediation.
  • Continuous export to Log Analytics enables Sentinel analytics rules based on Defender for Cloud data.
  • The Azure Policy Deny effect prevents deployment of non-compliant resources at the ARM layer.
  • Multi-cloud compliance shows Azure, AWS, and GCP posture in a single dashboard.

Knowledge Check

1. An organization adds the PCI DSS v4.0 standard to Defender for Cloud. What happens immediately?

2. A regulatory control requires verification that an incident response plan exists. This cannot be assessed automatically. What should the compliance team do?

3. An organization wants to create Sentinel analytics rules that trigger when the Defender for Cloud Secure Score drops. Which feature enables this?