Improving your security posture with Governance Rules

Microsoft Defender for Cloud analyzes your resources on a regular basis to identify potential security misconfigurations and weaknesses. It then provides detailed recommendations on the risk of those misconfigurations and actionable guidance on how to remediate them. Those recommendations feed into your secure score, where you can track your progress and compliance. One missing piece in this feature has been a way to orchestrate the assignment, tracking and reporting of remediation progress for those recommendations.

A new feature has recently been introduced that lets you assign owners to recommendations based on severity or type and set a deadline for remediation, together with a report that gives full visibility into remediation timelines. This feature is called Governance Rules, and in this post I will give it a spin.

Governance Rules

Looking first at my current environment, I have a secure score of 36% with lots of recommendations.

Screenshot showing the Microsoft Defender for Cloud recommendations

If we go to the Defender for Cloud settings, we can see the new Governance Rules feature.

Screenshot showing the Microsoft Defender for Cloud portal with governance rules

Let’s try to create a new rule, give it a name and a description, and explore the options available.

Screenshot showing the creation of a new governance rule

Affected recommendations: I will select the High and Medium severities so that this rule only applies to recommendations with those severity levels. Alternatively, we can pick the exact recommendations from the list.

Screenshot showing the creation of a new governance rule

Owner: we can type in an email address, or have the owner populated automatically from a tag applied to the affected resources. I already have an owner tag assigned to one of the affected resources.

Screenshot showing tags assigned to an Azure Arc server

Remediation timeframe: this is the time the owner has to remediate the recommendation. We can also choose to apply a grace period, which keeps the recommendation from affecting our total secure score until the allocated timeframe expires.

Notification: here we can choose whether a weekly summary email of open items is sent to the owner and to their manager (populated from Azure AD).
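To make the mechanics of the options above concrete, here is an added Python model of a governance rule (example code written for this page, not Microsoft's code and not the Defender for Cloud REST API). It applies a rule to a constructed set of recommendations, resolves the owner from a resource tag with a manually typed fallback, computes the remediation deadline, derives the status shown in the recommendations view, builds the weekly digest for the owner and their manager, and shows which unhealthy recommendations the grace period hides from the secure score until the deadline passes. Resource names, emails and recommendation names are constructed sample data.

```python
"""
Toy model of a Defender for Cloud governance rule. Added illustration only:
Defender's real rule engine and its REST payloads are not reproduced here.
All names and data below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Assessment:
    """One recommendation instance on one resource (constructed sample)."""
    resource_id: str
    recommendation: str
    severity: str                     # "High", "Medium" or "Low"
    healthy: bool                     # True once the recommendation is remediated
    tags: dict = field(default_factory=dict)


@dataclass
class GovernanceRule:
    name: str
    severities: set                                    # match by severity ...
    recommendations: set = field(default_factory=set)  # ... and/or by exact recommendation
    owner_tag: Optional[str] = "owner"                 # owner populated from this resource tag
    fallback_owner: Optional[str] = None               # manually typed email when the tag is absent
    remediation_days: int = 14                         # remediation timeframe
    grace_period: bool = True                          # hide from secure score until the deadline
    notify_owner: bool = True                          # weekly summary to the owner
    notify_manager: bool = True                        # ... and to the owner's manager

    def matches(self, a: Assessment) -> bool:
        return a.severity in self.severities or a.recommendation in self.recommendations


@dataclass
class Assignment:
    assessment: Assessment
    owner: Optional[str]
    due: datetime
    grace_period: bool

    def status(self, now: datetime) -> str:
        if self.assessment.healthy:
            return "Completed"
        if self.owner is None:
            return "Unassigned"
        return "On time" if now <= self.due else "Overdue"

    def excluded_from_score(self, now: datetime) -> bool:
        """Grace period: an unhealthy item does not count while it is still on time."""
        return (not self.assessment.healthy) and self.grace_period and now <= self.due


def apply_rule(rule: GovernanceRule, assessments: list, created_at: datetime) -> list:
    """Create an assignment for every assessment the rule matches."""
    out = []
    for a in assessments:
        if not rule.matches(a):
            continue
        owner = (a.tags.get(rule.owner_tag) if rule.owner_tag else None) or rule.fallback_owner
        out.append(Assignment(a, owner, created_at + timedelta(days=rule.remediation_days),
                              rule.grace_period))
    return out


def unhealthy_counting_toward_score(assessments: list, assignments: list, now: datetime) -> list:
    """Resource IDs of unhealthy assessments that still reduce the secure score."""
    hidden = {(g.assessment.resource_id, g.assessment.recommendation)
              for g in assignments if g.excluded_from_score(now)}
    return [a.resource_id for a in assessments
            if not a.healthy and (a.resource_id, a.recommendation) not in hidden]


def weekly_digest(rule: GovernanceRule, assignments: list, now: datetime, manager_of: dict) -> dict:
    """Open items per owner for the weekly summary email (manager CC'd if enabled)."""
    digest = {}
    if not rule.notify_owner:
        return digest
    for g in assignments:
        st = g.status(now)
        if st in ("Completed", "Unassigned"):
            continue
        cc = manager_of.get(g.owner) if rule.notify_manager else None
        entry = digest.setdefault(g.owner, {"cc": cc, "items": []})
        entry["items"].append((g.assessment.resource_id, g.assessment.recommendation,
                               st, g.due.date().isoformat()))
    return digest


# Constructed sample environment (hypothetical resource names and addresses).
CREATED = datetime(2022, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Assessment("arcsrv01", "A vulnerability assessment solution should be enabled", "High", False,
               {"owner": "alice@contoso.com"}),
    Assessment("vm02", "Log Analytics agent should be installed", "Medium", False),
    Assessment("stor03", "Storage account public access should be disallowed", "Low", False),
]
RULE = GovernanceRule("High and Medium to owners", {"High", "Medium"},
                      fallback_owner="secops@contoso.com", remediation_days=14)
MANAGERS = {"alice@contoso.com": "bob@contoso.com"}
ASSIGNMENTS = apply_rule(RULE, SAMPLE, CREATED)


def statuses_at(days_after: int) -> dict:
    """Status column as it would look N days after the rule was created."""
    now = CREATED + timedelta(days=days_after)
    return {g.assessment.resource_id: g.status(now) for g in ASSIGNMENTS}


def counting_at(days_after: int) -> list:
    """Unhealthy items still counted against the secure score N days after creation."""
    return unhealthy_counting_toward_score(SAMPLE, ASSIGNMENTS, CREATED + timedelta(days=days_after))


if __name__ == "__main__":
    for d in (1, 20):
        print(f"day {d}: {statuses_at(d)}; counting toward score: {counting_at(d)}")
    print(weekly_digest(RULE, ASSIGNMENTS, CREATED + timedelta(days=1), MANAGERS))
```

Running the script shows the Low-severity item is never assigned and always counts against the score, while the High and Medium items are hidden from the score only while they are On time; once the 14-day timeframe passes they flip to Overdue and count again, and marking an assessment healthy turns it into Completed.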

Finally, our governance rule is all set and ready. Immediately, we get a popup saying that our rule matches some existing recommendations and asking whether it should be applied to them.

Screenshot showing the governance rule created

Screenshot showing the governance rule popup to apply to existing recommendations

Navigating back to the Defender for Cloud recommendations, we can see a new status column. Recommendations with medium or high severity now match the rule and show a status such as On time.

Screenshot showing the defender for cloud recommendations

We can also see a new Governance report button at the top, which takes us to a really nice workbook that helps us keep track of all the work being done in the remediation process.

Screenshot showing the defender for cloud recommendations

Screenshot showing the governance rules report

Screenshot showing the governance rules report

Remember the grace period option we specified? Checking the secure score 24 hours later, I can see that the score has changed, since the high and medium recommendations that are still within their remediation timeframe no longer count toward the score.

Screenshot showing the secure score

In addition, within a couple of days I started receiving the email digest, with my manager copied, listing my assigned tasks and their timeframes.

Screenshot showing the email digest from governance rules

Remediation process

After assigning owners and reviewing the reporting, I need to start working on remediation before the deadline. I will pick one of the recommendations on an Azure Arc-enabled server and remediate it.

Screenshot showing the vulnerability assessment solution recommendation

Screenshot showing the recommendation remediation page

After waiting some time for the vulnerability assessment solution to be onboarded on the machine and start reporting back, I can see in the governance workbook that my task is now complete.

Screenshot showing the governance rules workbook

Screenshot showing the governance rules workbook

This is definitely a simple but very powerful feature to streamline the remediation process and drive accountability across system owners, with enhanced reporting and weekly status emails. More information on this feature can be found here.
