Exempting resources and recommendations from your secure score
A core priority of every security team is to ensure analysts can focus on the tasks and incidents that matter to the organization. Defender for Cloud has many features for customizing the experience and making sure your secure score reflects your organization's security priorities. The exempt option is one such feature. When you investigate your security recommendations in Microsoft Defender for Cloud, one of the first pieces of information you review is the list of affected resources. Occasionally, a resource will be listed that you feel shouldn't be included, or a recommendation will show in a scope where you feel it doesn't belong. The resource might have been remediated by a process not tracked by Defender for Cloud. The recommendation might be inappropriate for a specific subscription. Or perhaps your organization has decided to accept the risks related to the specific resource or recommendation. In such cases, you can create an exemption for a recommendation to:
Availability
Define an exemption
To fine-tune the security recommendations that Defender for Cloud makes for your subscriptions, management group, or resources, you can create an exemption rule to:
Note: Exemptions can be created only for recommendations included in Defender for Cloud's default initiative, Microsoft cloud security benchmark, or any of the supplied regulatory standard initiatives. Recommendations that are generated from any custom initiatives assigned to your subscriptions cannot be exempted. Learn more about the relationships between policies, initiatives, and recommendations.
To create an exemption rule:
Monitor exemptions created in your subscriptions
As explained earlier on this page, exemption rules are a powerful tool providing granular control over the recommendations affecting resources in your subscriptions and management groups. To keep track of how your users are exercising this capability, we've created an Azure Resource Manager (ARM) template that deploys a Logic App Playbook and all necessary API connections to notify you when an exemption has been created.
Use the inventory to find resources that have exemptions applied
The asset inventory page of Microsoft Defender for Cloud provides a single page for viewing the security posture of the resources you've connected to Defender for Cloud. Learn more in Explore and manage your resources with asset inventory. The inventory page includes many filters to let you narrow the list of resources to the ones of most interest for any given scenario. One such filter is Contains exemptions. Use this filter to find all resources that have been exempted from one or more recommendations.
Find recommendations with exemptions using Azure Resource Graph
Azure Resource Graph (ARG) provides instant access to resource information across your cloud environments with robust filtering, grouping, and sorting capabilities. It's a quick and efficient way to query information across Azure subscriptions programmatically or from within the Azure portal. To view all recommendations that have exemption rules:
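The following Azure Resource Graph query is an added example, not a query from the original article; it assumes that assessment records in the securityresources table expose properties.status.code, properties.status.cause and properties.resourceDetails.Id, and that the cause value Exempt marks an assessment that was suppressed by an exemption rule.

```kusto
// Added example: list every recommendation/resource pair that is currently
// marked Not applicable because an exemption rule applies to it.
securityresources
| where type == "microsoft.security/assessments"
| extend recommendationName = tostring(properties.displayName),
         state = tostring(properties.status.code),
         cause = tostring(properties.status.cause),          // assumed: "Exempt" for exempted assessments
         resourceId = tostring(properties.resourceDetails.Id)
| where state == "NotApplicable" and cause == "Exempt"
| project subscriptionId, recommendationName, resourceId, state, cause
| order by subscriptionId asc, recommendationName asc
```

Replace the final `project` line with `| summarize exemptedResources = count() by subscriptionId, recommendationName` to get a per-subscription tally that is useful for periodic review of accepted risk.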
Learn more in the following pages:
FAQ - Exemption rules
What happens when one recommendation is in multiple policy initiatives?
Sometimes, a security recommendation appears in more than one policy initiative. If you've got multiple instances of the same recommendation assigned to the same subscription, and you create an exemption for the recommendation, it will affect all of the initiatives that you have permission to edit. For example, the recommendation **** is part of the default policy initiative assigned to all Azure subscriptions by Microsoft Defender for Cloud. It's also in XXXXX. If you try to create an exemption for this recommendation, you'll see one of the two following messages:
Are there any recommendations that don't support exemption?
These generally available recommendations don't support exemption:
Next steps
In this article, you learned how to exempt a resource from a recommendation so that it doesn't impact your secure score. For more information about secure score, see: