Azure Microsoft Defender for Cloud: AI Security Recommendations Capability Group

This control's recommendations related to enforcing the usage of the secure versions of the HTTP and FTP protocols (HTTPS and FTPS) can lead to encrypting traffic which reduces the ability for an adversary to gather sensitive data via network sniffing. This also applies to the "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", "Enforce SSL connection should be enabled for MySQL database servers", "Enforce SSL connection should be enabled for PostgreSQL database servers", "Only secure connections to your Redis Cache should be enabled" and "Secure transfer to storage accounts should be enabled" recommendations for their respective protocols. The "Usage of host networking and ports should be restricted" recommendation for Kubernetes clusters can also lead to mitigating this technique. These recommendations are limited to specific technologies on the platform and therefore its coverage score is Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a few of the sub-techniques of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of config files in Kubernetes containers required to implement the behaviors described in these sub-techniques. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's recommendations about removing deprecated and external accounts with sensitive permissions from your subscription can lead to mitigating the Cloud Accounts sub-technique of this technique. Because this is a recommendation and has low coverage, it is assessed as Minimal.

This control's "Deprecated accounts should be removed from your subscription" and "Deprecated accounts with owner permissions should be removed from your subscription" recommendation can lead to removing accounts that should not be utilized from your subscriptions thereby denying adversaries the usage of these accounts to find ways to access your data without being noticed. Likewise, the recommendations related to External account permissions can also mitigate this sub-technique. Because these are recommendations and only limited to deprecated and external accounts, this is scored as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent modifying the ssh_authorized keys file. Because it is a recommendation and limited to only one sub-technique, its score is Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of a Kubernetes container's file system which can mitigate this technique. Because this recommendation is specific to Kubernetes containers, its score is Minimal.

This control's "Authentication to Linux machines should require SSH keys" recommendation can lead to obviating SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Authentication to Linux machines should require SSH keys" can obviate SSH Brute Force password attacks. Because this is specific to Linux, the coverage score is Minimal leading to an overall Minimal score.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's CORS related recommendations can help lead to hardened web applications. This can reduce the likelihood of an application being exploited to reveal sensitive data that can lead to the compromise of an environment. Likewise this control's recommendations related to keeping Java/PHP up to date for API/Function/Web apps can lead to hardening the public facing content that uses these runtimes. This control's recommendations related to disabling Public network access for Azure databases can lead to reducing the exposure of resources to the public Internet and thereby reduce the attack surface. These recommendations are limited to specific technologies (Java, PHP and CORS, SQL DBs) and therefore provide Minimal coverage leading to a Minimal score.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the modification of the file system permissions in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control provides recommendations for limiting the CPU and memory resources consumed by a container to minimize resource exhaustion attacks. Because this control only covers one sub-technique of this technique, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modifications to the file system in Kubernetes containers which can mitigate adversaries installing web shells. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of systemd service files in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing the addition or modification of the file system in Kubernetes containers thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-techniques of this technique. Due to it being a recommendation and providing minimal coverage, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing this sub-technique which often modifies Pluggable Authentication Modules (PAM) components in the file system. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate some of the sub-techniques of this technique. Due to its partial coverage and Minimal score assessed for its sub-techniques, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation and mitigating only one sub-technique, its score is assessed as Minimal.

This control's "Container with privilege escalation should be avoided", "Least privileged Linux capabilities should be enforced for containers", "Privileged containers should be avoided", "Running containers as root user should be avoided" and "Containers sharing sensitive host namespaces should be avoided" recommendations can make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities. Because this is a recommendation, the assessed score has been capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating a sub-technique of this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" and "Usage of pod HostPath volume mounts should be restricted to a known list to restrict node access from compromised containers" recommendations can mitigate this technique. Due to it being a recommendation, its score is capped at Partial.

This control's "Management ports should be closed on your virtual machines" recommendation can lead to reducing the attack surface of your Azure VMs by recommending closing management ports. Because this is a recommendation, its score is limited to Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing system files from being modified in Kubernetes containers thereby mitigating this sub-technique since adding an account (on Linux) requires modifying system files. Because this is a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this technique by preventing modification of the local filesystem. Due to it being a recommendation, its score is capped at Partial.

This control's "Container CPU and memory limits should be enforced" recommendation can lead to preventing resource exhaustion attacks by recommending enforcing limits for containers to ensure the runtime prevents the container from using more than the configured resource limit. Because this is a recommendation, its score is capped at Partial.

This control's "Container images should be deployed from trusted registries only", "Container registries should not allow unrestricted network access" and "Container registries should use private link" recommendations can lead to ensuring that container images are only loaded from trusted registries thereby mitigating this technique.

This control provides recommendations for enabling Secure Boot of Linux VMs that can mitigate a few of the sub-techniques of this technique. Because this is a recommendation and only limited to a few sub-techniques of this technique, its assessed score is Partial.

This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.

This control's "Secure Boot should be enabled on your Linux virtual machine" and "Virtual machines should be attested for boot integrity health" recommendations can lead to enabling secure boot on Linux VMs to mitigate these sub-techniques. Because this recommendation is specific to Linux VM and is a recommendation, its score is capped at Partial.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing modification of binaries in Kubernetes containers thereby mitigating this technique. Because this is a recommendation, its score is capped at Partial.

This control may prevent downgrade attacks by enforcing use of HTTPS protocol.

This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to mitigating this sub-technique by preventing modification of the local filesystem. Likewise this control's recommendations related to using customer-managed keys to encrypt data at rest and enabling transparent data encryption for SQL databases can mitigate this sub-technique by reducing an adversary's ability to perform tailored data modifications. Due to it being a recommendation, its score is capped at Partial.