Update Azure Security Center to Microsoft Defender for Cloud (#664)

Azure · Feb 23, 2022 · c931e32 · c931e32
1 parent 028742a
commit c931e32
Show file tree

Hide file tree

Showing 12 changed files with 872 additions and 871 deletions.
diff --git a/_manifest/manifest.json b/_manifest/manifest.json
diff --git a/_manifest/manifest.json.sha256 b/_manifest/manifest.json.sha256
diff --git a/_manifest/spdx_2.2/manifest.spdx.json b/_manifest/spdx_2.2/manifest.spdx.json
diff --git a/_manifest/spdx_2.2/manifest.spdx.json.sha256 b/_manifest/spdx_2.2/manifest.spdx.json.sha256
diff --git a/docs/deployment-guide-bicep.md b/docs/deployment-guide-bicep.md
@@ -87,15 +87,15 @@ Parameter name | Default Value | Description
 
 Under the [src/bicep/modules/policies](../src/bicep/modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `<LAWORKSPACE>` that we substitute at deployment time -- any other parameter can be modified as needed).
 
-#### Azure Security Center (Microsoft Defender for Cloud)
+#### Microsoft Defender for Cloud
 
-By default [Azure Security Center](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Azure Security Center portal blade.
+By default [Microsoft Defender for Cloud](https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction) offers a free set of monitoring capabilities that are enabled via an Azure policy when you first set up a subscription and view the Microsoft Defender for Cloud portal blade.
 
-Azure Security Center offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in MLZ by setting the parameter `deployASC` during deployment. In addition you can include the `emailSecurityContact` parameter to set a contact email for alerts.
+Microsoft Defender for Cloud offers a standard/defender sku which enables a greater depth of awareness including more recomendations and threat analytics. You can enable this higher depth level of security in MLZ by setting the parameter `deployDefender` during deployment. In addition you can include the `emailSecurityContact` parameter to set a contact email for alerts.
 
 Parameter name | Default Value | Description
 -------------- | ------------- | -----------
-`deployASC` | 'false' | When set to "true", enables Azure Security Center for the subscriptions used in the deployment. It defaults to "false".
+`deployDefender` | 'false' | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
 `emailSecurityContact` | '' | Email address of the contact, in the form of [email protected]
 
 #### Azure Sentinel
@@ -400,7 +400,7 @@ The Bicep/ARM deployment of Mission Landing Zone can be deleted with these steps
 
 1. Delete all resource groups.
 1. Delete the diagnostic settings deployed at the subscription level.
-1. If Azure Security Center (ASC) was deployed (parameter `deployASC=true` was used) then remove subscription-level policy assignments and downgrade the ASC pricing tiers.
+1. If Microsoft Defender for Cloud was deployed (parameter `deployDefender=true` was used) then remove subscription-level policy assignments and downgrade the Microsoft Defender for Cloud pricing tiers.
 
 > NOTE: If you deploy and delete Mission Landing Zone in the same subscription multiple times without deleting the subscription-level diagnostic settings, the sixth deployment will fail. Azure has a limit of five diagnostic settings per subscription. The error will be similar to this: `"The limit of 5 diagnostic settings was reached."`
 
@@ -432,14 +432,14 @@ az policy assignment list -o table --query "[].{Name:name, DisplayName:displayNa
 az policy assignment delete --name "<name of policy assignment>"
 ```
 
-To downgrade the ASC pricing level in the Azure portal:
+To downgrade the Microsoft Defender for Cloud pricing level in the Azure portal:
 
 1. Navigate to the Microsoft Defender for Cloud page, then click the "Environment settings" tab in the left navigation panel.
 1. In the tree/grid select the subscription you want to manage.
 1. Click the large box near the top of the page that says "Enhanced security off".
 1. Click the save button.
 
-To downgrade the ASC pricing level using the AZ CLI:
+To downgrade the Microsoft Defender for Cloud pricing level using the AZ CLI:
 
 ```BASH
 # List the pricing tiers

diff --git a/docs/images/20220204_missionlz_as_of_Feb2022_light.svg b/docs/images/20220204_missionlz_as_of_Feb2022_light.svg
diff --git a/docs/scca.md b/docs/scca.md
@@ -24,15 +24,15 @@ Each component has a set of controls. The controls for each component are listed
 <!-- allow html for line breaks within table cells -->
 REQ ID | BCAP Security Requirements | Azure Technologies | Mission LZ
 -------|----------------------------|--------------------|------------
-2.1.1.1 | The BCAP shall provide the capability to detect and prevent malicious code injection into the DISN originating from the CSE | Azure Security Center | ✔️
-2.1.1.2 | The BCAP shall provide the capability to detect and thwart single and multiple node DOS attacks | Azure Firewall, Azure Security Center | ✔️
-2.1.1.3 | The BCAP shall provide the ability to perform detection and prevention of traffic flow having unauthorized source and destination IP addresses, protocols, and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports | Azure Firewall, Azure Security Center| ✔️
+2.1.1.1 | The BCAP shall provide the capability to detect and prevent malicious code injection into the DISN originating from the CSE | Microsoft Defender for Cloud | ✔️
+2.1.1.2 | The BCAP shall provide the capability to detect and thwart single and multiple node DOS attacks | Azure Firewall, Microsoft Defender for Cloud | ✔️
+2.1.1.3 | The BCAP shall provide the ability to perform detection and prevention of traffic flow having unauthorized source and destination IP addresses, protocols, and Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports | Azure Firewall, Microsoft Defender for Cloud| ✔️
 2.1.1.4 | The BCAP shall provide the capability to detect and prevent IP Address Spoofing and IP Route Hijacking | Network Security Groups | ✔️
-2.1.1.5 | The BCAP shall provide the capability to prevent device identity policy infringement (prevent rogue device access) | Azure Security Center and network route configuration | ✔️
-2.1.1.6 | The BCAP shall provide the capability to detect and prevent passive and active network enumeration scanning originating from within the CSE | Azure Security Center | ✔️
+2.1.1.5 | The BCAP shall provide the capability to prevent device identity policy infringement (prevent rogue device access) | Microsoft Defender for Cloud and network route configuration | ✔️
+2.1.1.6 | The BCAP shall provide the capability to detect and prevent passive and active network enumeration scanning originating from within the CSE | Microsoft Defender for Cloud | ✔️
 2.1.1.7 | The BCAP shall provide the capability to detect and prevent unauthorized data exfiltration from the DISN to an end-point inside CSE | N/A |
-2.1.1.8 | The BCAP and/or BCAP Management System shall provide the capability to sense, correlate, and warn on advanced persistent threats | Azure Security Center | ✔️
-2.1.1.9 | The BCAP shall provide the capability to detect custom traffic and activity signatures | Azure Security Center | ✔️
+2.1.1.8 | The BCAP and/or BCAP Management System shall provide the capability to sense, correlate, and warn on advanced persistent threats | Microsoft Defender for Cloud | ✔️
+2.1.1.9 | The BCAP shall provide the capability to detect custom traffic and activity signatures | Microsoft Defender for Cloud | ✔️
 2.1.1.10 | The BCAP shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for BCND providers | Azure Firewall <br/> Network Security Groups <br/> Network Watcher | ✔️
 2.1.1.11 | The BCAP shall provide full packet capture (FPC) for traversing communications | N/A |
 2.1.1.12 | The BCAP shall provide network packet flow metrics and statistics for all traversing communications | Azure Firewall <br/> Log Analytics <br/> Network Watcher | ✔️
@@ -47,13 +47,13 @@ REQ ID | VDSS Security Requirements | Azure Technologies | Mission LZ
 2.1.2.3 | The VDSS shall provide a reverse proxy capability to handle access requests from client systems | N/A |
 2.1.2.4 | The VDSS shall provide a capability to inspect and filter application layer conversations based on a predefined set of rules (including HTTP) to identify and block malicious content | N/A |
 2.1.2.5 | The VDSS shall provide a capability that can distinguish and block unauthorized application layer traffic | N/A |
-2.1.2.6 | The VDSS shall provide a capability that monitors network and system activities to detect and report malicious activities for traffic entering and exiting Mission Owner virtual private networks/enclaves | Azure Monitor <br/> Azure Security Center <br/> Network Watcher | ✔️
-2.1.2.7 | The VDSS shall provide a capability that monitors network and system activities to stop or block detected malicious activity | Azure Security Center | ✔️
+2.1.2.6 | The VDSS shall provide a capability that monitors network and system activities to detect and report malicious activities for traffic entering and exiting Mission Owner virtual private networks/enclaves | Azure Monitor <br/> Microsoft Defender for Cloud <br/> Network Watcher | ✔️
+2.1.2.7 | The VDSS shall provide a capability that monitors network and system activities to stop or block detected malicious activity | Microsoft Defender for Cloud | ✔️
 2.1.2.8 | The VDSS shall inspect and filter traffic traversing between mission owner virtual private networks/enclaves. | Azure Firewall <br/> Log Analytics | ✔️
 2.1.2.9 | The VDSS shall perform break and inspection of SSL/TLS communication traffic supporting single and dual authentication for traffic destined to systems hosted within the CSE. | Azure Firewall | ✔️
 2.1.2.10 | The VDSS shall provide an interface to conduct ports, protocols, and service management (PPSM) activities in order to provide control for MCD operators | Azure Firewall <br/> Network Security Groups Network Watcher | ✔️
 2.1.2.11 | The VDSS shall provide a monitoring capability that captures log files and event data for cybersecurity analysis | Azure Monitor <br/> Azure Log Analytics <br/> Azure Activity Logs | ✔️
-2.1.2.12 | The VDSS shall provide or feed security information and event data to an allocated archiving system for common collection, storage, and access to event logs by privileged users performing Boundary and Mission CND activities | Azure Security Center <br/> Azure Log Analytics | ✔️
+2.1.2.12 | The VDSS shall provide or feed security information and event data to an allocated archiving system for common collection, storage, and access to event logs by privileged users performing Boundary and Mission CND activities | Microsoft Defender for Cloud <br/> Azure Log Analytics | ✔️
 2.1.2.13 | The VDSS shall provide a FIPS-140-2 compliant encryption key management system for storage of DoD generated and assigned server private encryption key credentials for access and use by the Web Application Firewall (WAF) in the execution of SSL/TLS break and inspection of encrypted communication sessions. | Azure Key Vault | ✔️
 2.1.2.14 | The VDSS shall provide the capability to detect and identify application session hijacking | N/A |
 2.1.2.15 | The VDSS shall provide a DoD DMZ Extension to support to support Internet Facing Applications (IFAs) | N/A |
@@ -66,12 +66,12 @@ REQ ID | VDSS Security Requirements | Azure Technologies | Mission LZ
 REQ ID | VDMS Security Requirements | Azure Technologies | Mission LZ
 -------|----------------------------|--------------------|-----------
 2.1.3.1 | The VDMS shall provide Assured Compliance Assessment Solution (ACAS), or approved equivalent, to conduct continuous monitoring for all enclaves within the CSE | Azure Policy <br/> Azure Blueprints |
-2.1.3.2 | The VDMS shall provide Host Based Security System (HBSS), or approved equivalent, to manage endpoint security for all enclaves within the CSE | Azure Security Center | ✔️
+2.1.3.2 | The VDMS shall provide Host Based Security System (HBSS), or approved equivalent, to manage endpoint security for all enclaves within the CSE | Microsoft Defender for Cloud | ✔️
 2.1.3.3 | The VDMS shall provide identity services to include an Online Certificate Status Protocol (OCloud Workload Security) responder for remote system DoD Common Access Card (CAC) two-factor authentication of DoD privileged users to systems instantiated within the CSE | Multi-Factor Authentication |
 2.1.3.4 | The VDMS shall provide a configuration and update management system to serve systems and applications for all enclaves within the CSE | N/A
 2.1.3.5 | The VDMS shall provide logical domain services to include directory access, directory federation, Dynamic Host Configuration Protocol (DHCP), and Domain Name System (DNS) for all enclaves within the CSE | Azure Active Directory (AAD) <br/> Azure DNS | ✔️
 2.1.3.6 | The VDMS shall provide a network for managing systems and applications within the CSE that is logically separate from the user and data networks. | Virtual Network <br/> Azure Subnets | ✔️
-2.1.3.7 | The VDMS shall provide a system, security, application, and user activity event logging and archiving system for common collection, storage, and access to event logs by privileged users performing BCP and MCP activities. | Azure Log Analytics <br/> Azure Security Center | ✔️
+2.1.3.7 | The VDMS shall provide a system, security, application, and user activity event logging and archiving system for common collection, storage, and access to event logs by privileged users performing BCP and MCP activities. | Azure Log Analytics <br/> Microsoft Defender for Cloud | ✔️
 2.1.3.8 | The VDMS shall provide for the exchange of DoD privileged user authentication and authorization attributes with the CSP's Identity and access management system to enable cloud system provisioning, deployment, and configuration | Azure Active Directory Connect |
 2.1.3.9 | The VDMS shall implement the technical capabilities necessary to execute the mission and objectives of the TCCM role. | Azure Active Directory | ✔️
 

diff --git a/src/bicep/README.md b/src/bicep/README.md
@@ -93,7 +93,7 @@ Parameter name | Required | Description
 `windowsNetworkInterfacePrivateIPAddressAllocationMethod` | No       | [Static/Dynamic] The public IP Address allocation method for the Windows virtual machine. It defaults to "Dynamic".
 `deployPolicy`   | No       | When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".
 `policy`         | No       | [NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.
-`deployASC`     | No       | When set to "true", enables Azure Security Center for the subscriptions used in the deployment. It defaults to "false".
+`deployDefender`     | No       | When set to "true", enables Microsoft Defender for Cloud for the subscriptions used in the deployment. It defaults to "false".
 `emailSecurityContact` | No       | Email address of the contact, in the form of [email protected]
 <!-- markdownlint-enable MD034 -->