This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender portal for centralized threat management.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionsecuring-azure-with-microsoft-defenderExecute the skills CLI command in your project's root directory to begin installation:
Fetches securing-azure-with-microsoft-defender from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate securing-azure-with-microsoft-defender. Access via /securing-azure-with-microsoft-defender in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | securing-azure-with-microsoft-defender |
| description | 'This skill instructs security practitioners on deploying Microsoft Defender for Cloud as a cloud-native application protection platform for Azure, multi-cloud, and hybrid environments. It covers enabling Defender plans for servers, containers, storage, and databases, configuring security recommendations, managing Secure Score, and integrating with the unified Defender portal for centralized threat management. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - microsoft-defender - azure-security - cnapp - secure-score - cloud-workload-protection |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_ai_rmf | - MEASURE-2.7 - MAP-5.1 - MANAGE-2.4 |
| atlas_techniques | - AML.T0070 - AML.T0066 - AML.T0082 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for AWS-only environments (see implementing-aws-security-hub), for identity provider configuration (see managing-cloud-identity-with-okta), or for network-level firewall rule management (see implementing-cloud-waf-rules).
Activate Defender plans for each workload type: Servers, Containers, App Service, Storage, Databases, Key Vault, Resource Manager, and DNS. Each plan provides specialized threat detection and vulnerability assessment.
# Enable Defender for Servers Plan 2
az security pricing create --name VirtualMachines --tier Standard --subplan P2
# Enable Defender for Containers
az security pricing create --name Containers --tier Standard
# Enable Defender for Storage with malware scanning
az security pricing create --name StorageAccounts --tier Standard \
--extensions '[{"name":"OnUploadMalwareScanning","isEnabled":"True",
"additionalExtensionProperties":{"CapGBPerMonthPerStorageAccount":"5000"}}]'
# Enable Defender for Databases
az security pricing create --name SqlServers --tier Standard
az security pricing create --name CosmosDbs --tier Standard
# Enable Defender for Key Vault
az security pricing create --name KeyVaults --tier Standard
# Verify all enabled plans
az security pricing list --query "[?pricingTier=='Standard'].{Plan:name, Tier:pricingTier, SubPlan:subPlan}" -o table
Connect AWS accounts and GCP projects to Defender for Cloud for unified security posture management across cloud providers.
# Create AWS connector for CSPM
az security security-connector create \
--name aws-production-connector \
--resource-group security-rg \
--environment-name AWS \
--hierarchy-identifier "123456789012" \
--offerings '[{
"offeringType": "CspmMonitorAws",
"nativeCloudConnection": {"cloudRoleArn": "arn:aws:iam::123456789012:role/DefenderForCloudRole"}
}]'
# Create GCP connector
az security security-connector create \
--name gcp-production-connector \
--resource-group security-rg \
--environment-name GCP \
--hierarchy-identifier "my-gcp-project-id" \
--offerings '[{"offeringType": "CspmMonitorGcp"}]'
Analyze the Secure Score across all subscriptions. Each recommendation includes a risk priority based on asset exposure, internet exposure, and threat intelligence context.
# Get current Secure Score
az security secure-score list \
--query "[].{Name:displayName, Score:current, Max:max, Percentage:percentage}" -o table
# List unhealthy recommendations sorted by severity
az security assessment list \
--query "[?properties.status.code=='Unhealthy'].{Name:properties.displayName, Severity:properties.metadata.severity, Resources:properties.resourceDetails.id}" \
--output table
# Get specific recommendation details
az security assessment show \
--assessment-name "4fb67663-9ab9-475d-b026-8c544cced439" \
--query "{Name:properties.displayName, Description:properties.metadata.description, Remediation:properties.metadata.remediationDescription}"
Enable Just-In-Time VM access to reduce the attack surface by opening management ports only when needed, and deploy adaptive application controls to whitelist approved executables.
# Enable JIT VM access policy
az security jit-policy create \
--resource-group production-rg \
--location eastus \
--name default \
--virtual-machines '[{
"id": "/subscriptions/sub-id/resourceGroups/production-rg/providers/Microsoft.Compute/virtualMachines/web-server-01",
"ports": [
{"number": 22, "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/8", "maxRequestAccessDuration": "PT3H"},
{"number": 3389, "protocol": "TCP", "allowedSourceAddressPrefix": "10.0.0.0/8", "maxRequestAccessDuration": "PT1H"}
]
}]'
# Request JIT access
az security jit-policy initiate \
--resource-group production-rg \
--location eastus \
--name default \
--virtual-machines '[{
"id": "/subscriptions/sub-id/resourceGroups/production-rg/providers/Microsoft.Compute/virtualMachines/web-server-01",
"ports": [{"number": 22, "duration": "PT1H", "allowedSourceAddressPrefix": "203.0.113.10"}]
}]'
Configure workflow automation to trigger Logic Apps or Azure Functions when security alerts are generated. Set up email notifications for Critical and High severity alerts.
# Create workflow automation for high severity alerts
az security automation create \
--name high-severity-alert-automation \
--resource-group security-rg \
--scopes '[{"description": "Production subscription", "scopePath": "/subscriptions/<sub-id>"}]' \
--sources '[{
"eventSource": "Alerts",
"ruleSets": [{"rules": [{"propertyJPath": "Severity", "propertyType": "String", "expectedValue": "High", "operator": "Equals"}]}]
}]' \
--actions '[{
"logicAppResourceId": "/subscriptions/<sub-id>/resourceGroups/security-rg/providers/Microsoft.Logic/workflows/alert-handler",
"actionType": "LogicApp"
}]'
# Configure email notifications
az security contact create \
--name default \
--email "[email protected]" \
--alert-notifications "on" \
--alerts-to-admins "on"
Use the cloud security graph to visualize attack paths that adversaries could exploit to reach critical assets. Prioritize remediation based on actual exploitability rather than individual finding severity.
# Query attack paths via Resource Graph
az graph query -q "
securityresources
| where type == 'microsoft.security/attackpaths'
| extend riskLevel = properties.riskLevel
| extend entryPoint = properties.attackPathDisplayName
| where riskLevel == 'Critical'
| project entryPoint, riskLevel, properties.description
| limit 20
"
| Term | Definition |
|---|---|
| Secure Score | A numerical measure of an organization's security posture based on the percentage of implemented security recommendations, scored per subscription and aggregated at the management group level |
| Cloud Security Graph | A graph database mapping relationships between cloud resources, identities, network exposure, and vulnerabilities to identify exploitable attack paths |
| Attack Path Analysis | Visualization of multi-step attack chains an adversary could follow from an entry point to a high-value target, prioritized by real-world exploitability |
| Just-In-Time Access | Security control that blocks management ports by default and opens them temporarily upon approved request, reducing the VM attack surface |
| Adaptive Application Controls | Machine-learning-based allowlisting that recommends which applications should run on VMs and alerts on deviations |
| Defender CSPM | Enhanced cloud security posture management plan providing agentless scanning, attack path analysis, and cloud security graph capabilities |
| Security Connector | Integration point connecting AWS or GCP environments to Defender for Cloud for multi-cloud posture management |
Context: Defender for Cloud identifies an Azure SQL Server with a public endpoint, an unpatched critical CVE, and a service principal with database owner permissions that also has access to a Key Vault containing production encryption keys.
Approach:
Pitfalls: Focusing on the SQL vulnerability alone misses the lateral movement path to Key Vault. Restricting the endpoint without updating application connection strings causes an outage.
Microsoft Defender for Cloud Security Report
=============================================
Tenant: acme-corp.onmicrosoft.com
Subscriptions Monitored: 12
Report Date: 2025-02-23
SECURE SCORE: 72/100
DEFENDER PLANS STATUS:
Servers (P2): ENABLED - 156 VMs covered
Containers: ENABLED - 8 AKS clusters covered
Storage: ENABLED - 342 storage accounts, malware scanning active
Databases: ENABLED - 23 SQL servers, 5 Cosmos DB accounts
Key Vault: ENABLED - 18 vaults monitored
AWS Connector: ENABLED - 3 accounts connected
GCP Connector: ENABLED - 2 projects connected
CRITICAL ATTACK PATHS:
[AP-001] Internet -> VM (RDP open) -> Managed Identity -> Storage (PII data)
Risk: Critical | Affected Resources: 3 | Remediation: Close RDP, restrict MI scope
[AP-002] Internet -> App Service (SQLi vuln) -> SQL DB -> Service Principal -> Key Vault
Risk: Critical | Affected Resources: 5 | Remediation: Patch app, private endpoint
ALERT SUMMARY (Last 30 Days):
Critical: 5 | High: 23 | Medium: 67 | Low: 134
Top Alert Types:
- Suspicious login activity (18)
- Malware detected in storage (7)
- Anomalous resource deployment (12)
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Solid pick for teams standardizing on skills: securing-azure-with-microsoft-defender is focused, and the summary matches what you get after install.
I recommend securing-azure-with-microsoft-defender for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
securing-azure-with-microsoft-defender fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
We added securing-azure-with-microsoft-defender from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
securing-azure-with-microsoft-defender reduced setup friction for our internal harness; good balance of opinion and flexibility.
securing-azure-with-microsoft-defender has been reliable in day-to-day use. Documentation quality is above average for community skills.
Solid pick for teams standardizing on skills: securing-azure-with-microsoft-defender is focused, and the summary matches what you get after install.
securing-azure-with-microsoft-defender fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for securing-azure-with-microsoft-defender matched our evaluation — installs cleanly and behaves as described in the markdown.
Registry listing for securing-azure-with-microsoft-defender matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 58