Policy: Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud > 03.01.16 - [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'

Configures auditing against a CIS Benchmark item.

Level: 2

[NOTE: As of August 1, 2023 customers with an existing subscription to Defender for DNS can continue to use the service, but new subscribers will receive alerts about suspicious DNS activity as part of Defender for Servers P2.]

Microsoft Defender for DNS scans all network traffic exiting from within a subscription.

DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.

Targets

This policy targets the following resource types:

Azure > Security Center > Security Center

Primary Policy

This policy is used with the following primary policy:

Azure > CIS v3.0 > 03 - Security > 03.01 - Microsoft Defender for Cloud

Policy Specification

Schema Type	`string`
Default	`Per Azure > CIS v3.0 > 03 - Microsoft Defender`
Valid Values [YAML]	`Per Azure > CIS v3.0 > 03 - Microsoft Defender` `Skip` `Check: Benchmark using attestation`

In Your Workspace

Policy Settings by Type report

Developers

Category URI

tmod:@turbot/cis#/control/categories/v070706

Policy Type URI

tmod:@turbot/azure-cisv3-0#/policy/types/r030116

GraphQL

query policyType(id: "tmod:@turbot/azure-cisv3-0#/policy/types/r030116") { … }

query policySettings(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030116'") { … }

query policyValues(filter: "policyTypeId:'tmod:@turbot/azure-cisv3-0#/policy/types/r030116'") { … }

CLI

Get Policy Type

turbot graphql policy-type --id "tmod:@turbot/azure-cisv3-0#/policy/types/r030116"

Get Policy Settings

turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/azure-cisv3-0#/policy/types/r030116"