EPAC Managed DfC benchmarks lose vulnerability reports in Defender

[sdecker]

Describe the bug
We are using the latest EPAC version and have started managing the MCSB with EPAC. The deploy works as expected and everything looks good in the Azure Policy Blade, but things are inconsistent when looking at the compliance views in Defender for Cloud. Most items reflect as expected, but any compliance items related to Defender for Cloud vulnerability assessments show 0 of 0 resources.

To Reproduce
Enable Defender vulnerability scans for SQL DB, SQL VM, Containers, etc. Deploy MCSB with EPAC. Looks at the compliance in the Policy view and see non compliant resources. Look at regulatory compliance in Defender for Cloud view and see the vulnerability entries show no associated resources.

Expected behavior
Whether we managed the MCSB assignment with Defender or with EPAC the compliance dashboards all report consistently

EPAC Version
10.7.5

[apybar]

Hey @sdecker - I'll look into this. There might need to be a reconfigure of the MCSB withing DFC but let me do some digging and get back to you.

[sdecker]

Thanks for looking at this. We have also opened a ticket 2501130040014211 with the Defender team.

[sdecker]

We were able to come up with a work around for this. We have to have another assignment of the MCSB at the same level with no exclusions of any kind. We've disabled all the policies that have no relation to Defender and are using the regular epac method to manage those.

[apybar]

@sdecker - Is the new MCSB assignment deployed via EPAC driving the compliance findings in Defender for Cloud?

Is this deployed at the subcontractor level or the Management Group level?

[johanandrelundar]

We have issues with CIS Microsoft Azure Foundations Benchmark v2.0.0 that is enabled via EPAC is not visible under Regulatory Compliance in Defender at all. Seems like the only way to make those benchmarks appear is to enable it via the Defender UI, but that defeats the purpose of using EPAC unfortunately. EPAC is a great tool!

[anwather]

I wonder if this is due to meta data that Defender uses when you assign via the regulatory compliance blade. Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Johan Andre Lundar ***@***.***> Sent: Thursday, March 20, 2025 6:44:01 PM To: Azure/enterprise-azure-policy-as-code ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [Azure/enterprise-azure-policy-as-code] EPAC Managed DfC benchmarks lose vulnerability reports in Defender (Issue #856) We have issues with CIS Microsoft Azure Foundations Benchmark v2.0.0 that is enabled via EPAC is not visible under Regulatory Compliance in Defender at all. Seems like the only way to make those benchmarks appear is to enable it via the Defender UI, but that defeats the purpose of using EPAC unfortunately. EPAC is a great tool! — Reply to this email directly, view it on GitHub<#856 (comment)> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACWCJVSFZH6WMJH3NE2GSTD2VJWUDBFKMF2HI4TJMJ2XIZLTSSBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDUOJ2WLJDOMFWWLLTXMF2GG2C7MFRXI2LWNF2HTAVFOZQWY5LFUVUXG43VMWSG4YLNMWVXI2DSMVQWIX3UPFYGLAVFOZQWY5LFVIZDOMRVHE4DSNBXHCSG4YLNMWUWQYLTL5WGCYTFNSWHG5LCNJSWG5C7OR4XAZNMJFZXG5LFINXW23LFNZ2KM5DPOBUWG44TQKSHI6LQMWVHEZLQN5ZWS5DPOJ42K5TBNR2WLKJTGM3TCNRSHAZTRAVEOR4XAZNFNFZXG5LFUV3GC3DVMWVDEOBQGUYTCNRRHA2YFJDUPFYGLJLMMFRGK3FFOZQWY5LFVIZDOMRVHE4DSNBXHCTXI4TJM5TWK4VGMNZGKYLUMU>. You are receiving this email because you are subscribed to this thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

[johanandrelundar]

I wonder if this is due to meta data that Defender uses when you assign via the regulatory compliance blade.

Get Outlook for Androidhttps://aka.ms/AAb9ysg
…

Sorry for the late reply. Do you know what kind of meta data and how it can be applied so that i.e. CIS kan be viewed in Defender also?

[anwather]

I'll have a go at replicating this - but probably the assignment metadata may hold a clue to how this is done - just speculation - let me test

[johanandrelundar]

I'll have a go at replicating this - but probably the assignment metadata may hold a clue to how this is done - just speculation - let me test

Thanks a lot! Would have been fantastic to get this to work with EPAC 💯

[anwather]

Can you try adding the following description to an assignment for one of those baseline you have done using EPAC?

This object has been generated by Microsoft Defender for Cloud. To make changes, navigate to the security policies management page.

When I assigned this in my environment it showed up in the reg compliance when I put that description in.

[johanandrelundar]

Can you try adding the following description to an assignment for one of those baseline you have done using EPAC?

This object has been generated by Microsoft Defender for Cloud. To make changes, navigate to the security policies management page.

When I assigned this in my environment it showed up in the reg compliance when I put that description in.

Thanks for the suggestion! Tried this today and it did not make the intiative (CIS) visible in Defender unfortunatetely :)

[apybar]

I had to give it time (approximately 24 hours) - and then go into DfC, go to regulatory compliance and find my policy definition that I deployed to get it to appear again with DfC and work correctly. Not sure if this has been tried by either of you.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/create-custom-recommendations

This might just be too much work though to maintain from a practical standpoint

[anwather]

Agree I had to wait as well for it to show - I spoke to the Product Group - they expect that those benchmarks are deployed via the Defender for Cloud process and don't support them being done by native Azure Policy. I'm going to close this as we have a resolution - "Regulatory Compliance benchmarks in order for them to show up in Regulatory Compliance blade in Defender should be deployed via Defender for Cloud".

For us EPAC people this might mean extracting those policy assignment using an Export-AzPolicyResources and then redeploying so at least the policy is managed by EPAC.