Why Are There 4 Different Microsoft Defender for Cloud VM Security Extensions?


Use extensions to customize Microsoft Defender for Cloud VM security.

Microsoft Defender for Cloud uses extensions to allow users to add features to their VMs. These extensions are normally used to give VMs some new functionality, and a noticeable number of these added functionalities are used for security reasons.

In this blog, we discuss what the 4 main Microsoft Defender for Cloud VM extensions for security do. We will also go over the use cases in which the Microsoft security administrators should use these extensions on their VMs.

Microsoft Defender for Cloud Extensions

These extensions connect Windows and Linux VMs to Microsoft Defender for Cloud, which is the EDR solution built into Microsoft Defender for Cloud. Microsoft security admins would enable this extension when they believe the information stored on their VMs is valuable enough to justify the cost of the EDR solution.

This extension has additional features built into theMicrosoft Defender for Cloud platform like auto-provisioning that deploys the extensions to the VMs in their environment automatically. There are also options to customize the amount of data collected by the extensions based on how in depth the monitoring needs to be.

Microsoft Sentinel Extensions

These extensions connect Windows and Linux VMs to Microsoft Sentinel directly so that the SIEM system can collect device logs instead of just the logs from the EDR solutions. Microsoft security admins would enable this extension if they had specific detections that use device logs like many of the shared queries on the official Microsoft Sentinel GitHub.

These VM extensions can be added in the Microsoft Sentinel data connector UI and the amount of data collected can be edited in the same menu. The Syslog connector for Linux devices has a more involved setup process but provides more data collection customization options.

Microsoft Monitor Extension

This extension connects Windows and Linux VMs to Microsoft Monitor so that performance data can be collected. This data is useful for security because analysts can query the monitor data while doing advanced threat hunting to learn more about the device’s performance and activity around the time of the incidents.

MDE Extension

This extension connects compatible VMs to Microsoft Defender for Endpoints (MDE) which is the EDR component of Microsoft 365 Defender. This connection is useful for connecting VMs to a different EDR service if Microsoft Defender for Cloud does not provide adequate coverage or if some of the AIR features are needed instead of the logic app responses that are available for Microsoft Defender for Cloud.

Mixing Extensions

Microsoft security admins do not need to restrict themselves to only using one of these extensions, they can all be used in parallel. Even the Microsoft Defender for Cloud and MDE extensions can be used together as two separate EDR solutions, but they have a significant number of overlapping detections so duplicate alerts are likely to appear.

We will continue to share best practices and lessons learned in future posts on Microsoft Defender for Cloud VM security in customer environments. More extensions that are useful for security will likely appear in the future and CyberMSI is constantly monitoring for updates so that we can improve the quality of our cloud security services.

In closing, consider these three questions when using Microsoft Defender for Cloud VM extension for security in your organization:

  1. Do we have a decision matrix for determining how to secure and monitor our VMs being deployed in the cloud?
  2. How can we improve ou VM security by implementing 1 or more of these security extensions?
  3. Can we use the data gathered by these extensions to provide useful insights to our cybersecurity anlaytics with analytic tools like workbooks and notebooks?

How Can We Help?

Main Contact Form