Use Azure Resource Graph to query Microsoft Defender for Cloud Plan on all subscriptions

As part of SOC work you may want to see which Microsoft Defender for Cloud plans are enabled on each subscription, so you can plan a rollout of a Defender plan on the subscriptions that don't have one yet.

While Azure PowerShell, the REST API or Az CLI can retrieve this information for you, this article shares a simple Resource Graph Explorer query that achieves the same thing.

You can use the following Resource Graph query to get the plan of each resource type on each subscription:

securityresources
| where type =~ "microsoft.security/pricings"
| extend planName = case(name =~ "VirtualMachines", "Server",
                         name =~ "AppServices", "App Service",
                         name =~ "SqlServers", "Azure SQL Databases",
                         name =~ "SqlServerVirtualMachines", "SQL servers on machines",
                         name =~ "OpenSourceRelationalDatabases", "Open-source relational databases",
                         name =~ "StorageAccounts", "Storage",
                         name =~ "KubernetesService", "Kubernetes",
                         name =~ "ContainerRegistry", "Container registries",
                         name =~ "KeyVaults", "Key Vault",
                         name =~ "Arm", "Resource Manager",
                         "DNS")
| extend planSet = pack(planName, pricingTier = properties.pricingTier)
| join kind=leftouter(
    resourcecontainers 
    | where type=='microsoft.resources/subscriptions' 
    | project subscriptionName=name, subscriptionId
) on subscriptionId
| summarize subscriptionMsftDefenderPlan = make_bag(planSet) by subscriptionId, subscriptionName

The query uses

  • case() to map the internal pricing names to friendly plan names as a bonus. If you are familiar with the internal names, you can skip this step and use name directly. Note that any name not listed falls through to the default arm and is labelled "DNS".
  • pack() to create a key-value pair of plan name and its pricing tier, which make_bag() then collects into one bag per subscription.

Below is a sample subscriptionMsftDefenderPlan bag for one subscription:

{
    "Azure SQL Databases": "Free",
    "Storage": "Standard",
    "App Service": "Standard",
    "Resource Manager": "Free",
    "DNS": "Free",
    "Key Vault": "Free",
    "Open-source relational databases": "Free",
    "Server": "Standard",
    "Container registries": "Free",
    "Kubernetes": "Standard",
    "SQL servers on machines": "Standard"
}
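As an added example that is not part of the original post, here is a small Python script that turns the rows this query returns into a gap list: for each subscription, every plan that is not on the Standard tier, and every plan for which no pricing row came back at all. It assumes the row shape shown above (subscriptionName plus the subscriptionMsftDefenderPlan bag), for instance the "data" array that `az graph query -q "<query>" -o json` prints, and uses constructed sample rows so it runs offline.

```python
import json

# Friendly plan names exactly as the case() in the query above emits them.
EXPECTED_PLANS = [
    "Server", "App Service", "Azure SQL Databases", "SQL servers on machines",
    "Open-source relational databases", "Storage", "Kubernetes",
    "Container registries", "Key Vault", "Resource Manager", "DNS",
]

# Constructed sample of what the query returns: one row per subscription.
# The subscription ids and names are made up for this example.
SAMPLE_ROWS = [
    {"subscriptionId": "00000000-0000-0000-0000-000000000001",
     "subscriptionName": "prod-sub",
     "subscriptionMsftDefenderPlan": {p: "Standard" for p in EXPECTED_PLANS}},
    {"subscriptionId": "00000000-0000-0000-0000-000000000002",
     "subscriptionName": "dev-sub",
     "subscriptionMsftDefenderPlan": {"Server": "Standard", "Storage": "Free",
                                      "Key Vault": "Free"}},
]


def load_graph_rows(text):
    """Accept either a bare JSON list of rows or the object that
    `az graph query -o json` prints, which wraps the rows in a "data"
    key (assumption: that wrapper shape)."""
    doc = json.loads(text)
    return doc["data"] if isinstance(doc, dict) else doc


def defender_plan_gaps(rows, required=EXPECTED_PLANS):
    """Return {subscriptionName: {plan: tier}} for every plan that is not
    on the Standard tier. A plan absent from the bag (no pricing resource
    was returned for it) is reported with the tier "missing"."""
    gaps = {}
    for row in rows:
        bag = row.get("subscriptionMsftDefenderPlan") or {}
        not_standard = {plan: bag.get(plan, "missing") for plan in required
                        if bag.get(plan, "missing") != "Standard"}
        if not_standard:
            gaps[row["subscriptionName"]] = not_standard
    return gaps


if __name__ == "__main__":
    # Print one line per subscription that still has work to do.
    for sub, plans in defender_plan_gaps(SAMPLE_ROWS).items():
        print(f"{sub}: {', '.join(f'{p}={t}' for p, t in plans.items())}")
```

Run it against real output by replacing SAMPLE_ROWS with load_graph_rows(open("result.json").read()).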

Happy querying!
