


Rubén De la Torre Vico
8f31077f75 chore: add azure/defender metadata update to changelog 2025-12-22 09:45:50 +01:00
Rubén De la Torre Vico
7bdb71eb07 chore(azure/defender): adapt metadata to new standardized format 2025-12-22 09:45:45 +01:00
26 changed files with 483 additions and 288 deletions


@@ -11,6 +11,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS Step Functions service metadata to new format [(#9432)](https://github.com/prowler-cloud/prowler/pull/9432)
- Update AWS Route 53 service metadata to new format [(#9406)](https://github.com/prowler-cloud/prowler/pull/9406)
- Update AWS SQS service metadata to new format [(#9429)](https://github.com/prowler-cloud/prowler/pull/9429)
- Update Azure Defender service metadata to new format [(#9618)](https://github.com/prowler-cloud/prowler/pull/9618)
---


@@ -1,29 +1,40 @@
{
"Provider": "azure",
"CheckID": "defender_additional_email_configured_with_a_security_contact",
"CheckTitle": "Ensure 'Additional email addresses' is Configured with a Security Contact Email",
"CheckTitle": "Security contact has additional email addresses configured",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureEmailNotifications",
"Description": "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address.",
"Risk": "Microsoft Defender for Cloud emails the Subscription Owner to notify them about security alerts. Adding your Security Contact's email address to the 'Additional email addresses' field ensures that your organization's Security Team is included in these alerts. This ensures that the proper people are aware of any potential compromise in order to mitigate the risk in a timely fashion.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
"Severity": "low",
"ResourceType": "microsoft.resources/subscriptions",
"Description": "Microsoft Defender for Cloud security contact settings include **additional email recipients** defined in the `emails` field to receive alert notifications.",
"Risk": "Relying only on subscription owners for alerts creates a **single point of failure**. Missed or delayed notifications extend attacker dwell time, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and service disruption (**availability**). Absence or turnover can silently suppress alerts.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/security-contact-email.html",
"https://learn.microsoft.com/en-us/azure/azure-sql/database/threat-detection-configure?view=azuresql",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-security-contact-emails-is-set#terraform",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
"https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/list?view=rest-defenderforcloud-2020-01-01-preview&tabs=HTTP",
"https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
"https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/threat-detection-configure?view=azuresql"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/security-contact-email.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-security-contact-emails-is-set#terraform"
"CLI": "az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview --body '{ \"properties\": { \"emails\": \"<EMAIL>\" } }'",
"NativeIaC": "```bicep\n// Configure a security contact at subscription scope\ntargetScope = 'subscription'\n\nresource <example_resource_name> 'Microsoft.Security/securityContacts@2020-01-01-preview' = {\n name: 'default'\n properties: {\n emails: '<EMAIL>' // Critical: set at least one email to pass the check\n }\n}\n```",
"Other": "1. Sign in to the Azure portal\n2. Go to Microsoft Defender for Cloud > Environment settings\n3. Select the target subscription\n4. Click Email notifications\n5. In Email addresses, enter at least one email (comma-separated for multiple)\n6. Click Save",
"Terraform": "```hcl\nresource \"azurerm_security_center_contact\" \"<example_resource_name>\" {\n email = \"<EMAIL>\" # Critical: ensures at least one security contact email is configured\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. Enter a valid security contact email address (or multiple addresses separated by commas) in the Additional email addresses field 7. Click Save",
"Url": "https://learn.microsoft.com/en-us/rest/api/defenderforcloud/security-contacts/list?view=rest-defenderforcloud-2020-01-01-preview&tabs=HTTP"
"Text": "Use a monitored, team-managed distribution list as the **security contact** in `emails`. Include SOC/on-call for 24/7 coverage and enable role-based notifications for redundancy. Tune severities to reduce noise while capturing high-risk events, and integrate alerts with ticketing/SIEM for **defense in depth** and rapid response.",
"Url": "https://hub.prowler.com/check/defender_additional_email_configured_with_a_security_contact"
}
},
"Categories": [],
"Categories": [
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
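Review bot: The new `CLI` remediation issues a PUT against `Microsoft.Security/securityContacts/default` with a body that carries only `emails`; a PUT replaces the whole resource, so running it as written would likely discard any `alertNotifications` or `notificationsByRole` settings already present on the contact, which contradicts the new Recommendation text that asks to enable role-based notifications. The same body shape is used in the attack-path file later in this change (`defender_attack_path_notifications_properly_configured`), which additionally hard-codes `admin@example.com` instead of the `<EMAIL>` placeholder used here. A first step such as `az rest --method get` on the same URL and carrying its existing properties into the PUT body, or a `Notes` entry like `PUT replaces the full securityContacts/default resource; include the existing alertNotifications and notificationsByRole settings in the body`, would prevent an operator from silently downgrading their alerting. The Terraform snippet also omits `alert_notifications` and `alerts_to_admins`, which the azurerm provider documents as required for `azurerm_security_center_contact`, so the example may not apply as-is — worth verifying against the provider version the project targets.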


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "defender_assessments_vm_endpoint_protection_installed",
"CheckTitle": "Ensure that Endpoint Protection for all Virtual Machines is installed",
"CheckTitle": "All virtual machines in the subscription have endpoint protection installed",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "Microsoft.Security/assessments",
"Description": "Install endpoint protection for all virtual machines.",
"Risk": "Installing endpoint protection systems (like anti-malware for Azure) provides for real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. These also offer configurable alerts when known-malicious or unwanted software attempts to install itself or run on Azure systems.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware",
"ResourceType": "microsoft.security/assessments/governanceassignments",
"Description": "**Azure virtual machines** are assessed for the presence of an **endpoint protection (antimalware)** solution and its reported health across the subscription",
"Risk": "Absent or unhealthy **endpoint protection** lets malware execute on VMs, risking:\n- Data exfiltration (confidentiality)\n- Tampering and credential theft (integrity)\n- Ransomware, cryptomining, and outages (availability)\n\nIt also enables persistence and lateral movement to other cloud resources.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/install-endpoint-protection.html#",
"https://learn.microsoft.com/en-us/azure/security/fundamentals/antimalware"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/install-endpoint-protection.html#",
"Terraform": ""
"NativeIaC": "```bicep\n// Install Microsoft Antimalware (endpoint protection) on a VM\nparam vmName string = '<example_resource_name>'\nparam location string = '<LOCATION>'\n\nresource antimalware 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = {\n name: '${vmName}/IaaSAntimalware'\n location: location\n properties: {\n publisher: 'Microsoft.Azure.Security' // Critical: publisher for Antimalware extension\n type: 'IaaSAntimalware' // Critical: installs endpoint protection\n typeHandlerVersion: '1.5'\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Open Recommendations and search for \"Install endpoint protection solution on virtual machines\"\n3. Select the recommendation, click Fix\n4. Select all affected VMs and click Remediate (or Apply)\n5. Wait for remediation to complete and the recommendation status to turn Healthy",
"Terraform": "```hcl\n# Install Microsoft Antimalware (endpoint protection) on a VM\nresource \"azurerm_virtual_machine_extension\" \"<example_resource_name>\" {\n name = \"IaaSAntimalware\"\n virtual_machine_id = \"<example_resource_id>\"\n publisher = \"Microsoft.Azure.Security\" # Critical: Antimalware extension publisher\n type = \"IaaSAntimalware\" # Critical: installs endpoint protection\n type_handler_version = \"1.5\"\n}\n```"
},
"Recommendation": {
"Text": "Follow Microsoft Azure documentation to install endpoint protection from the security center. Alternatively, you can employ your own endpoint protection tool for your OS.",
"Url": ""
"Text": "Enforce an **endpoint protection/EDR** baseline on every VM. Enable real-time protection, automatic updates, and alerting; use tamper protection and keep exclusions minimal. Apply **least privilege**, keep OS and agents patched, and continuously monitor coverage and health via Defender for Cloud.",
"Url": "https://hub.prowler.com/check/defender_assessments_vm_endpoint_protection_installed"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Endpoint protection will incur an additional cost to you."
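Review bot: The new `Description` ends without a period (`...across the subscription`), unlike the other rewritten descriptions in this change; `...reported health across the subscription.` Both IaC snippets deploy only the `IaaSAntimalware` extension, which as far as I know is a Windows-only extension, while the check title covers every virtual machine in the subscription, so a Linux VM would still fail the assessment after applying them; a sentence in `Other` or `Notes` pointing Linux machines to a supported endpoint protection/EDR agent would close that gap. The new `ResourceType` value `microsoft.security/assessments/governanceassignments` also differs from `microsoft.security/assessmentssample` used by the other assessment-based checks in this change (`defender_auto_provisioning_vulnerabilty_assessments_machines_on`, `defender_container_images_resolved_vulnerabilities`); if the difference is intentional a short note would help, otherwise the three should agree.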


@@ -1,29 +1,37 @@
{
"Provider": "azure",
"CheckID": "defender_attack_path_notifications_properly_configured",
"CheckTitle": "Ensure that email notifications for attack paths are enabled with minimal risk level",
"CheckTitle": "Security contact has attack path email notifications enabled at or above the configured minimum risk level",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureEmailNotifications",
"Description": "Ensure that Microsoft Defender for Cloud is configured to send email notifications for attack paths identified in the Azure subscription with an appropriate minimal risk level.",
"Risk": "If attack path notifications are not enabled, security teams may not be promptly informed about exploitable attack sequences, increasing the risk of delayed mitigation and potential breaches.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
"Severity": "high",
"ResourceType": "microsoft.resources/subscriptions",
"Description": "**Defender for Cloud** attack path email notifications are configured per subscription with a defined **minimal risk level**, and the setting is present and meets the required threshold.",
"Risk": "Without alerts on **exploitable attack paths**, security teams lose visibility, enabling **lateral movement**, **privilege escalation**, and **data exfiltration** before containment, degrading confidentiality, integrity, and availability.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://argonsys.com/microsoft-cloud/library/microsoft-defender-for-cloud-automate-notifications-when-new-attack-paths-are-created/",
"https://learn.microsoft.com/el-gr/Azure/defender-for-cloud/configure-email-notifications",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
"https://video2.skills-academy.com/en-us/answers/questions/1116749/defender-for-cloud-apps-access-policy-does-not-sen"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications",
"Terraform": ""
"CLI": "az rest --method put --uri https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview --body '{\"properties\":{\"emails\":\"admin@example.com\",\"attackPathNotifications\":{\"state\":\"On\",\"minimalRiskLevel\":\"Low\"}}}'",
"NativeIaC": "```bicep\n// Enable attack path email notifications at minimal risk level\nresource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {\n name: 'default'\n properties: {\n emails: 'admin@example.com'\n attackPathNotifications: {\n state: 'On' // CRITICAL: enables attack path email notifications\n minimalRiskLevel: 'Low' // CRITICAL: sets minimal risk level to pass the check\n }\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud > Environment settings\n2. Select the target subscription\n3. Open Email notifications\n4. Enable \"Notify about attack paths with the following risk level (or higher)\"\n5. Set Risk level to Low (or your configured minimum)\n6. Click Save",
"Terraform": "```hcl\n# Enable attack path email notifications at minimal risk level\nresource \"azapi_resource\" \"<example_resource_name>\" {\n type = \"Microsoft.Security/securityContacts@2020-01-01-preview\"\n name = \"default\"\n body = jsonencode({\n properties = {\n emails = \"admin@example.com\"\n attackPathNotifications = {\n state = \"On\" # CRITICAL: enables attack path email notifications\n minimalRiskLevel = \"Low\" # CRITICAL: sets minimal risk level to pass the check\n }\n }\n })\n}\n```"
},
"Recommendation": {
"Text": "Enable attack path email notifications in Microsoft Defender for Cloud to ensure that security teams are notified when potential attack paths are identified. Configure the minimal risk level as appropriate for your organization.",
"Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications"
"Text": "Enable and maintain **attack path notifications** with a minimal risk level at or above your tolerance (e.g., `High`). Send to monitored, role-based recipients. Apply **defense in depth** by integrating alerts with central monitoring and automation for prompt triage.",
"Url": "https://hub.prowler.com/check/defender_attack_path_notifications_properly_configured"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
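Review bot: The new `CLI`, `NativeIaC` and `Terraform` lines hard-code `admin@example.com` as the contact email, whereas the other files in this change use the `<EMAIL>` placeholder; because the body is applied with a PUT to `securityContacts/default`, copying the command verbatim would overwrite the subscription's real security-contact address with a reserved example address and quietly stop alert delivery. Replace the literal with `<EMAIL>` in all three snippets so the placeholder convention stays consistent. The `azapi_resource` example has no `parent_id`, while the same resource kind in the vulnerability-assessment file below sets `parent_id = "/subscriptions/<example_subscription_id>"`; the two should agree, and I believe the azapi provider needs the parent for subscription-scoped resources — verify. The Recommendation text offers `High` as an example threshold while every snippet sets `minimalRiskLevel` to `Low`; stating that `Low` is the value the check expects would remove the apparent contradiction.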


@@ -1,29 +1,36 @@
{
"Provider": "azure",
"CheckID": "defender_auto_provisioning_log_analytics_agent_vms_on",
"CheckTitle": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'",
"CheckTitle": "Defender auto-provisioning of Log Analytics agent for Azure VMs is enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'. The Microsoft Monitoring Agent scans for various security-related configurations and events such as system updates, OS vulnerabilities, endpoint protection, and provides alerts.",
"Risk": "Missing critical security information about your Azure VMs, such as security alerts, security recommendations, and change tracking.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security",
"Severity": "high",
"ResourceType": "microsoft.resources/subscriptions",
"Description": "**Defender for Cloud** auto-provisioning of the **Log Analytics agent** to Azure VMs is configured to `On` at the subscription level",
"Risk": "Without automatic agent deployment, some VMs lack security telemetry, creating **blind spots** for vulnerabilities, missing patches, and threats.\n\nAttackers can persist or move laterally unnoticed, undermining **confidentiality** and **integrity**, while delayed detection hampers effective response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.microsoft.com/en-us/azure/security-center/security-center-data-security",
"https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/automatic-provisioning-of-monitoring-agent.html",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/azure/SecurityCenter/automatic-provisioning-of-monitoring-agent.html",
"Terraform": ""
"CLI": "az security auto-provisioning-setting update --name default --auto-provision On",
"NativeIaC": "```bicep\n// Enable Defender auto-provisioning of Log Analytics agent at subscription scope\ntargetScope = 'subscription'\n\nresource autoProv 'Microsoft.Security/autoProvisioningSettings@2017-08-01-preview' = {\n name: 'default'\n properties: {\n autoProvision: 'On' // Critical: turns auto-provisioning ON for the subscription\n }\n}\n```",
"Other": "1. In the Azure portal, open Microsoft Defender for Cloud\n2. Select Environment settings, then choose your subscription\n3. Open Auto provisioning\n4. Set Auto-provisioning of Log Analytics agent to On\n5. Click Save",
"Terraform": "```hcl\n# Enable Defender auto-provisioning of Log Analytics agent\nresource \"azurerm_security_center_auto_provisioning\" \"<example_resource_name>\" {\n auto_provision = \"On\" # Critical: turns auto-provisioning ON\n}\n```"
},
"Recommendation": {
"Text": "Ensure comprehensive visibility into possible security vulnerabilities, including missing updates, misconfigured operating system security settings, and active threats, allowing for timely mitigation and improved overall security posture",
"Url": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components"
"Text": "Set **Defender for Cloud auto-provisioning** to `On` so all VMs receive the monitoring agent consistently.\n\nApply **defense in depth** by enforcing coverage for new and existing machines, standardizing workspaces, and auditing enrollment. Use **least privilege** for data access and integrate with endpoint protection and vulnerability assessment.",
"Url": "https://hub.prowler.com/check/defender_auto_provisioning_log_analytics_agent_vms_on"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
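Review bot: The new `Description` ends without a period (`...at the subscription level`), unlike the other descriptions in this change. More substantively, the remediation targets the Log Analytics (MMA) agent, which as far as I recall Microsoft retired in August 2024 in favour of the Azure Monitor Agent and agentless scanning, so `az security auto-provisioning-setting update --name default --auto-provision On` and the `autoProvisioningSettings` resources may no longer have the intended effect on current subscriptions. This is worth confirming and recording in the empty `Notes` field, e.g. `The Log Analytics agent was retired by Microsoft in August 2024; confirm whether this setting still applies to your subscriptions.`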


@@ -1,29 +1,39 @@
{
"Provider": "azure",
"CheckID": "defender_auto_provisioning_vulnerabilty_assessments_machines_on",
"CheckTitle": "Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'",
"CheckTitle": "All virtual machines in the subscription have a vulnerability assessment solution installed",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureDefenderPlan",
"Description": "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines.",
"Risk": "Vulnerability assessment for machines scans for various security-related configurations and events such as system updates, OS vulnerabilities, and endpoint protection, then produces alerts on threat and vulnerability findings.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va",
"Severity": "high",
"ResourceType": "microsoft.security/assessmentssample",
"Description": "Microsoft Defender for Cloud evaluates whether **Azure VMs** and **Arc-enabled machines** have a **vulnerability assessment solution** deployed and reporting healthy coverage across the subscription.",
"Risk": "Without continuous **vulnerability assessment**, unpatched flaws persist, enabling:\n- **Remote code execution** and privilege escalation\n- **Ransomware** disrupting availability\n- **Data exfiltration** via lateral movement\n\nConfidentiality, integrity, and availability are reduced across affected machines.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://video2.skills-academy.com/en-us/azure/defender-for-cloud/auto-deploy-vulnerability-assessment",
"https://cloudadministrator.net/2022/10/20/enable-defender-for-cloud-auto-provisioning-agents-via-bicep/",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/automatic-provisioning-vulnerability-assessment-machines.html",
"https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/deploy-microsoft-defender-for-cloud-via-terraform/3563710",
"https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va",
"https://github.com/hashicorp/terraform-provider-azurerm/issues/16357"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/automatic-provisioning-vulnerability-assessment-machines.html",
"Terraform": ""
"CLI": "az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/serverVulnerabilityAssessmentsSettings/AzureServersSetting?api-version=2022-01-01-preview --body '{\"properties\":{\"selectedProvider\":\"MdeTvm\"},\"kind\":\"AzureServersSetting\"}'",
"NativeIaC": "```bicep\n// Enable vulnerability assessment for all machines using Microsoft Defender Vulnerability Management\n// Critical: sets the VA provider so the recommendation becomes Healthy\n@description('Deploy at subscription scope')\ntargetScope = 'subscription'\n\nresource <example_resource_name> 'Microsoft.Security/serverVulnerabilityAssessmentsSettings@2022-01-01-preview' = {\n name: 'AzureServersSetting'\n kind: 'AzureServersSetting'\n properties: {\n selectedProvider: 'MdeTvm' // Critical: enables Defender VA provider for machines\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Open Environment settings and select your <subscription>\n3. Go to Settings & monitoring (Auto-provisioning)\n4. Find Vulnerability assessment for machines, set to On, and select Microsoft Defender Vulnerability Management\n5. Click Save",
"Terraform": "```hcl\n# Enable vulnerability assessment for all machines using Microsoft Defender Vulnerability Management\nresource \"azapi_resource\" \"<example_resource_name>\" {\n type = \"Microsoft.Security/serverVulnerabilityAssessmentsSettings@2022-01-01-preview\"\n name = \"AzureServersSetting\"\n parent_id = \"/subscriptions/<example_subscription_id>\"\n\n body = jsonencode({\n properties = {\n selectedProvider = \"MdeTvm\" # Critical: sets VA provider so all VMs get vulnerability assessment\n }\n kind = \"AzureServersSetting\"\n })\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Then Environment Settings. 4. Select a subscription. 5. Click on Settings & Monitoring. 6. Ensure that Vulnerability assessment for machines is set to On. Repeat this for any additional subscriptions.",
"Url": ""
"Text": "Enable subscription-wide **auto-provisioning** of a **vulnerability assessment** for all Azure and Arc machines and enforce it with **policy** for existing and new hosts.\n\nApply **least privilege** to deployment identities, integrate with **patch management**, and monitor findings for timely remediation.",
"Url": "https://hub.prowler.com/check/defender_auto_provisioning_vulnerabilty_assessments_machines_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Additional licensing is required and configuration of Azure Arc introduces complexity beyond this recommendation."
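Review bot: In the new `NativeIaC` snippet the `@description(...)` decorator is placed on the `targetScope` statement; as far as I know Bicep decorators are only accepted on declarations (`param`, `var`, `resource`, `module`, `output`), so the example would not compile as written — dropping the decorator or folding its text into the leading `//` comment fixes it. The `Other` steps say `select your <subscription>` where the other files in this change write `select the target subscription`; the angle-bracket token in the middle of a portal instruction reads like a substitution placeholder and should be plain prose. The CLI and Terraform snippets place `kind` at the top level of the body while the Bicep one sets it on the resource, which is consistent with the API, but the three should be spot-checked against the same `2022-01-01-preview` version since only the provider value `MdeTvm` is described as critical.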


@@ -1,29 +1,42 @@
{
"Provider": "azure",
"CheckID": "defender_container_images_resolved_vulnerabilities",
"CheckTitle": "Container images used by containers should have vulnerabilities resolved",
"CheckTitle": "All Azure running container images in the subscription have no unresolved vulnerabilities",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Security/assessments",
"Description": "Container images used by containers should have vulnerabilities resolved. Azure Defender for Container Registries can help you identify and resolve vulnerabilities in your container images. It provides vulnerability scanning and prioritized security recommendations for your container images. You can use Azure Defender for Container Registries to scan your container images for vulnerabilities and get prioritized security recommendations to resolve them. You can also use Azure Defender for Container Registries to monitor your container registries for security threats and get prioritized security recommendations to resolve them. Azure Defender for Container Registries integrates with Azure Security Center to provide a unified view of security across your container registries and other Azure resources. Azure Defender for Container Registries is part of Azure Defender, which provides advanced threat protection for your hybrid workloads. Azure Defender uses advanced analytics and global threat intelligence to detect attacks that might otherwise go unnoticed.",
"Risk": "If vulnerabilities are not resolved, attackers can exploit them to gain unauthorized access to your containerized applications and data.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health",
"Severity": "critical",
"ResourceType": "microsoft.security/assessmentssample",
"Description": "**Running container images** are evaluated for unresolved **vulnerability findings** (`CVEs`) reported by Microsoft Defender for Cloud. The check reviews images currently in use across Kubernetes workloads and identifies where vulnerabilities remain unremediated.",
"Risk": "Unremediated `CVEs` in active images enable:\n- **RCE**, container escape, and node takeover affecting **integrity/availability**\n- **Data exfiltration** and secret theft compromising **confidentiality**\nAdversaries can use public exploits to pivot across clusters and pipelines, tamper images, and disrupt services.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender",
"https://githubissues.com/Azure/azure-functions-docker/1062",
"https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health",
"https://learn.microsoft.com/en-MY/azure/defender-for-cloud/defender-for-containers-vulnerability-assessment-azure",
"https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/defender-for-cloud/recommendations-reference-container.md",
"https://video2.skills-academy.com/en-us/answers/questions/2126414/azure-registry-container-images-should-have-vulner",
"https://stackoverflow.com/questions/75155810/running-container-images-should-have-vulnerability-findings-resolved",
"https://www.azadvertizer.net/azpolicyadvertizer/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957.html"
],
"Remediation": {
"Code": {
"CLI": "",
"CLI": "kubectl set image deployment/<DEPLOYMENT_NAME> <CONTAINER_NAME>=<PATCHED_IMAGE:TAG> -n <NAMESPACE>",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud > Recommendations\n2. Open \"Azure running container images should have vulnerabilities resolved\"\n3. Under Affected resources, select a running workload and view its vulnerable image findings\n4. Rebuild the image with patched packages or a newer base image and push it to your registry\n5. Go to your AKS cluster > Workloads > Deployments, edit the deployment, and update the container image to the patched tag; Save\n6. Wait for pods to roll out and Defender to rescan; the recommendation should turn Healthy after the next scan",
"Terraform": "```hcl\nresource \"kubernetes_deployment\" \"<example_resource_name>\" {\n metadata {\n name = \"<example_resource_name>\"\n }\n spec {\n selector {\n match_labels = { app = \"<example_resource_name>\" }\n }\n template {\n metadata { labels = { app = \"<example_resource_name>\" } }\n spec {\n container {\n name = \"<example_resource_name>\"\n image = \"<patched_image:tag>\" # Critical: use a patched image version to remove known vulnerabilities\n }\n }\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "",
"Url": "https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender"
"Text": "Adopt **risk-based patching** and **least privilege**:\n- Rebuild from updated bases; pin versions, avoid `latest`\n- Sign images; enforce **admission control** to block high-severity CVEs\n- Drop root, restrict capabilities, isolate networks\n- Continuously scan in CI/CD and at runtime; retire vulnerable images",
"Url": "https://hub.prowler.com/check/defender_container_images_resolved_vulnerabilities"
}
},
"Categories": [],
"Categories": [
"vulnerabilities",
"container-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
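Review bot: In the new `Risk` text the sentence `Adversaries can use public exploits...` follows the last list item with a single `\n`, so Markdown renderers will fold it into the final bullet; the other Risk fields in this change separate the trailing paragraph with `\n\n`. The `CLI` remediation `kubectl set image ...` only retags the running workload, and if the referenced `<PATCHED_IMAGE:TAG>` has not yet been rebuilt and pushed (step 4 of `Other`) the rollout would fail on image pull; a `Notes` line such as `The CLI and Terraform snippets assume a patched image has already been built and pushed to the registry.` keeps that dependency visible. `NativeIaC` is left empty while the sibling files fill it; if no Bicep/ARM equivalent applies to a Kubernetes workload, saying so in `Notes` makes the omission intentional rather than an oversight.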


@@ -1,29 +1,42 @@
{
"Provider": "azure",
"CheckID": "defender_container_images_scan_enabled",
"CheckTitle": "Ensure Image Vulnerability Scanning using Azure Defender image scanning or a third party provider",
"CheckTitle": "Subscription has container image vulnerability scanning enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "Microsoft.Security",
"Description": "Scan images being deployed to Azure (AKS) for vulnerabilities. Vulnerability scanning for images stored in Azure Container Registry is generally available in Azure Security Center. This capability is powered by Qualys, a leading provider of information security. When you push an image to Container Registry, Security Center automatically scans it, then checks for known vulnerabilities in packages or dependencies defined in the file. When the scan completes (after about 10 minutes), Security Center provides details and a security classification for each vulnerability detected, along with guidance on how to remediate issues and protect vulnerable attack surfaces.",
"Risk": "Vulnerabilities in software packages can be exploited by hackers or malicious users to obtain unauthorized access to local cloud resources. Azure Defender and other third party products allow images to be scanned for known vulnerabilities.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health",
"Severity": "high",
"ResourceType": "microsoft.security/pricings",
"Description": "**Azure subscriptions** have **container image vulnerability assessment** enabled for **Azure Container Registry** via Microsoft Defender for Cloud (`ContainerRegistriesVulnerabilityAssessments`). Images in registries are evaluated for known package vulnerabilities in their packages and dependencies.",
"Risk": "Without registry scanning, **known CVEs** in images can reach runtime, enabling **RCE**, privilege escalation, and lateral movement. This undermines data confidentiality and integrity and can reduce availability through cryptomining or service disruption.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender",
"https://library.tf/modules/mrexojo/acr/azure/latest",
"https://www.linkedin.com/pulse/azure-container-registry-acr-top-questions-answers-abhay-velankar-xwoff",
"https://video2.skills-academy.com/en-us/answers/questions/518840/what-is-the-solution-as-of-today-to-scan-windows-i",
"https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health",
"https://learn.microsoft.com/en-us/troubleshoot/azure/azure-container-registry/image-vulnerability-assessment",
"https://github.com/MicrosoftDocs/azure-docs/issues/89089",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/AKS/enable-image-vulnerability-scanning.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"CLI": "az rest --method put --url https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/pricings/Containers?api-version=2023-01-01 --body '{\"properties\":{\"pricingTier\":\"Standard\",\"extensions\":[{\"name\":\"ContainerRegistriesVulnerabilityAssessments\",\"isEnabled\":true}]}}'",
"NativeIaC": "```bicep\n// Enable Defender for Containers image vulnerability scanning at subscription scope\ntargetScope = 'subscription'\n\nresource containersPricing 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'Containers'\n properties: {\n pricingTier: 'Standard'\n extensions: [\n {\n name: 'ContainerRegistriesVulnerabilityAssessments' // CRITICAL: enables ACR image vulnerability scanning\n isEnabled: true // CRITICAL: turns the extension ON\n }\n ]\n }\n}\n```",
"Other": "1. In Azure Portal, open Microsoft Defender for Cloud\n2. Go to Environment settings and select your subscription\n3. Open Settings (or Defender plans)\n4. Find Containers and set Plan to On/Standard\n5. Enable Container registries vulnerability assessments\n6. Click Save",
"Terraform": ""
},
"Recommendation": {
"Text": "",
"Url": "https://learn.microsoft.com/en-us/azure/container-registry/scan-images-defender"
"Text": "Enable **Defender for Cloud** image assessment for registries and adopt **shift-left scanning**.\n- Block deployment of images with high-severity findings\n- Rebuild from patched base images regularly\n- Enforce **least privilege** on registry access\n- Use image signing and admission controls",
"Url": "https://hub.prowler.com/check/defender_container_images_scan_enabled"
}
},
"Categories": [],
"Categories": [
"vulnerabilities",
"container-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "When using an Azure container registry, you might occasionally encounter problems. For example, you might not be able to pull a container image because of an issue with Docker in your local environment. Or, a network issue might prevent you from connecting to the registry."
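Review bot: The `Notes` value on the last line is now stale: it describes Docker pull and network troubleshooting for a registry, which belonged to the old `container-registry-check-health` reference that this change removes from `RelatedUrl`, and it says nothing about the scan-enabled condition the check evaluates; either clear it with `"Notes": ""` or replace it with a note on what the `ContainerRegistriesVulnerabilityAssessments` extension covers. The `Description` also reads "known package vulnerabilities in their packages and dependencies", which doubles "package"; `known vulnerabilities in their packages and dependencies` is enough. In `AdditionalURLs`, the LinkedIn article, the `video2.skills-academy.com` mirror and the `MicrosoftDocs/azure-docs` issue are not authoritative sources for a remediation reference; the same applies to the mirror, blog and Stack Overflow links in `defender_ensure_defender_for_app_services_is_on` and the mirror and LinkedIn links in `defender_ensure_defender_for_cosmosdb_is_on`, so I would keep only the `learn.microsoft.com` and vendor knowledge-base entries. `Terraform` is left empty here while every sibling file in this commit provides an `azurerm_security_center_subscription_pricing` snippet; if the provider's `extension` block is available in the version the project targets (worth confirming), a snippet enabling the same extension would make the remediation consistent.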


@@ -1,29 +1,39 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_app_services_is_on",
"CheckTitle": "Ensure That Microsoft Defender for App Services Is Set To 'On' ",
"CheckTitle": "Microsoft Defender for App Services is set to On (Standard pricing tier) in the subscription",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for App Services Is Set To 'On' ",
"Risk": "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"ResourceType": "microsoft.security/pricings",
"Description": "**Azure subscriptions** are evaluated for **Defender for App Service** coverage by inspecting the `AppServices` pricing configuration. The finding indicates whether the plan is set to `Standard`, which applies protection to App Service resources at the subscription scope.",
"Risk": "Without this coverage, malicious traffic and runtime anomalies may go unseen, enabling:\n- Confidentiality loss via data exfiltration\n- Integrity compromise through web shells or code tampering\n- Availability impact from takeover and resource abuse",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-app-service-plan",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-app-service.html",
"https://charbelnemnom.com/azure-defender-for-app-service-in-azure-security-center/",
"https://video2.skills-academy.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction",
"https://stackoverflow.com/questions/78538166/enable-microsoft-defender-for-cloud-at-resource-level-for-app-services",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-app-service#terraform"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-app-service.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-app-service#terraform"
"CLI": "az security pricing create -n AppServices --tier standard",
"NativeIaC": "```bicep\n// Enable Defender for App Services at subscription scope\ntargetScope = 'subscription'\n\nresource example_resource_name 'Microsoft.Security/pricings@2024-01-01' = {\n name: 'AppServices'\n properties: {\n pricingTier: 'Standard' // Critical: sets the plan to Standard (ON) for App Services\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > your subscription\n3. On Defender plans, toggle App Service to On\n4. Click Save",
"Terraform": "```hcl\n# Enable Defender for App Services at subscription level\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n tier = \"Standard\" # Critical: sets the plan to Standard (ON)\n resource_type = \"AppServices\" # Applies the setting to App Services\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is not enabled for your App Service instances. Enabling the Defender security service for App Service instances allows for advanced security defense using threat detection capabilities provided by Microsoft Security Response Center.",
"Url": ""
"Text": "Enable **Defender for App Service** at subscription scope with tier `Standard`. Integrate alerts with SOC tooling, tune rules to reduce noise, and review findings regularly. Apply **defense in depth** and **least privilege**, and automate responses to contain threats quickly.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_app_services_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
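Review bot: The Bicep snippet in `NativeIaC` pins `Microsoft.Security/pricings@2024-01-01` while the sibling files in this commit (`defender_ensure_defender_for_arm_is_on`, `_azure_sql_databases_`, `_containers_`, `_cosmosdb_`, `_databases_`, `_dns_`) all use `@2023-01-01`; both versions exist, but a reader copying snippets across checks should not have to reconcile two API versions for the same resource type, so I would align this one to `'Microsoft.Security/pricings@2023-01-01'`. The portal steps say "toggle App Service to On" while the Bicep and Terraform comments say "Standard (ON)"; the `CheckTitle` already uses "On (Standard pricing tier)", so the steps could read `3. On Defender plans, set App Service to On (Standard)` for consistency with the other files.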


@@ -1,29 +1,32 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_arm_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Azure Resource Manager Is Set To 'On' ",
"CheckTitle": "Microsoft Defender for Azure Resource Manager uses the Standard pricing tier",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Azure Resource Manager Is Set To 'On' ",
"Risk": "Scanning resource requests lets you be alerted every time there is suspicious activity in order to prevent a security threat from being introduced.",
"ResourceType": "microsoft.security/pricings",
"Description": "Microsoft Defender for Cloud plan for **Azure Resource Manager** is configured at the `Standard` tier for the subscription",
"Risk": "Without this protection, malicious or misconfigured ARM deployments can go unnoticed. Adversaries could create high-privilege roles, disable logging, or deploy exfiltration paths and crypto workloads, degrading **integrity**, **confidentiality**, and **availability** of Azure resources.",
"RelatedUrl": "",
"AdditionalURLs": [],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az security pricing create --name Arm --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Azure Resource Manager at Standard tier\nresource example_pricing 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'Arm'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for ARM plan to Standard (ON)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > your subscription\n3. Open Defender plans\n4. Set \"Defender for Azure Resource Manager\" to On/Standard\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Azure Resource Manager at Standard tier\nresource \"azurerm_security_center_subscription_pricing\" \"<example_resource_name>\" {\n tier = \"Standard\" # Critical: enables Standard pricing (ON)\n resource_type = \"Arm\" # Critical: targets Defender for Azure Resource Manager\n}\n```"
},
"Recommendation": {
"Text": "Enable Microsoft Defender for Azure Resource Manager",
"Url": ""
"Text": "Enable Microsoft Defender for **Azure Resource Manager** at the `Standard` tier across all subscriptions. Apply least privilege to deployment principals, enforce the plan via policy for new subscriptions, and route alerts to centralized monitoring to support defense-in-depth and rapid response.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_arm_is_on"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
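Review bot: The Bicep in `NativeIaC` omits `targetScope = 'subscription'`, which every other pricing snippet in this commit includes; `Microsoft.Security/pricings` is a subscription-scoped resource, so a Bicep file deployed at the default resource-group scope will fail validation, and the line `targetScope = 'subscription'` should precede the `resource` declaration. Both `RelatedUrl` and `AdditionalURLs` are left empty, so this check now carries no reference at all; a `learn.microsoft.com` page on Defender for Resource Manager would give users somewhere to verify the plan name `Arm`. The `Description` has no terminal period, unlike the sibling descriptions (the same applies in the cosmosdb and dns files).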


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_azure_sql_databases_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' ",
"CheckTitle": "Azure subscription has Microsoft Defender for Azure SQL databases enabled (Standard)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On' ",
"Risk": "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"ResourceType": "microsoft.security/pricings",
"Description": "Microsoft Defender for Cloud plan for **Azure SQL Database Servers** is evaluated at subscription scope, expecting the `pricing_tier` set to `Standard` for `SqlServers`. Non-standard tiers indicate the plan isn't enabled.",
"Risk": "Without **Defender for SQL**, attacks like **SQL injection**, brute-force logins, and anomalous queries may go **undetected**, enabling data exfiltration and tampering. Limited telemetry delays **incident response**, risking loss of confidentiality and integrity and aiding lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-azure-sql-database-servers#terraform",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-azure-sql.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-azure-sql.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-azure-sql-database-servers#terraform"
"CLI": "az security pricing create --name SqlServers --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Azure SQL Databases at subscription scope\ntargetScope = 'subscription'\n\nresource sqlPricing 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'SqlServers'\n properties: {\n pricingTier: 'Standard' // CRITICAL: Sets Defender plan for Azure SQL DB to ON (Standard)\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > your subscription\n3. Open Defender plans\n4. Turn ON the plan for Azure SQL Databases (set to Standard)\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Azure SQL Databases\nresource \"azurerm_security_center_subscription_pricing\" \"<example_resource_name>\" {\n resource_type = \"SqlServers\" # CRITICAL: Targets Azure SQL Databases plan\n tier = \"Standard\" # CRITICAL: Enables Defender (Standard)\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is disabled for all your SQL database servers. Defender for Cloud monitors your SQL database servers for threats such as SQL injection, brute-force attacks, and privilege abuse. The security service provides action-oriented security alerts with details of the suspicious activity and guidance on how to mitigate the security threats.",
"Url": ""
"Text": "Enable the **Microsoft Defender** plan for Azure SQL databases with `pricing_tier: Standard` across applicable subscriptions. Integrate alerts with SIEM, enforce **least privilege** and **separation of duties**, and apply **defense in depth** (network controls, MFA) to prevent and promptly detect misuse.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_azure_sql_databases_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
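Review bot: `Description` and `Recommendation.Text` refer to the setting as `pricing_tier` (snake_case), which looks like the SDK attribute the check reads rather than the user-facing property; the Bicep in the same file uses `pricingTier`, the CLI uses `--tier`, and the sibling descriptions say "pricing tier". I would write `expecting the pricing tier set to `Standard` for `SqlServers`` in the description and `with pricing tier `Standard`` in the recommendation so the metadata does not leak internal naming. The Bicep and Terraform snippets are otherwise consistent with the other plan files.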


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_containers_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Containers Is Set To 'On' ",
"CheckTitle": "Azure subscription has Microsoft Defender for Containers set to On (Standard pricing tier)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Containers Is Set To 'On' ",
"Risk": "Ensure that Microsoft Defender for Cloud is enabled for all your Azure containers. Turning on the Defender for Cloud service enables threat detection for containers, providing threat intelligence, anomaly detection, and behavior analytics.",
"ResourceType": "microsoft.security/pricings",
"Description": "Azure subscriptions are assessed to determine if the **Defender for Containers** plan is configured with pricing tier `Standard`.",
"Risk": "Without **Defender for Containers**, images and runtimes lack continuous **threat detection** and **vulnerability assessment**. Adversaries can ship malicious images, run **cryptomining**, exfiltrate secrets, and **move laterally**, degrading **confidentiality** and **availability** of container workloads.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-container.html",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-container-registries#terraform"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-container.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-container-registries#terraform"
"CLI": "az security pricing create --name Containers --tier Standard",
"NativeIaC": "```bicep\n// Subscription-level deployment to enable Defender for Containers\ntargetScope = 'subscription'\n\nresource <example_resource_name> 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'Containers'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for Containers plan to ON (Standard)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose <subscription>\n3. Open Pricing & settings\n4. Find the Containers plan and set it to On (Standard)\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_security_center_subscription_pricing\" \"<example_resource_name>\" {\n resource_type = \"Containers\" # Critical: targets Defender for Containers plan\n tier = \"Standard\" # Critical: enables Standard (ON)\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is not enabled for your Azure cloud containers. Enabling the Defender security service for Azure containers allows for advanced security defense against threats, using threat detection capabilities provided by the Microsoft Security Response Center (MSRC).",
"Url": ""
"Text": "Enable the **Defender for Containers** plan at `Standard` for all relevant subscriptions. Apply **least privilege**, integrate alerts with response workflows, and use **defense in depth**: signed images, private registries, RBAC, network policies, and periodic reviews to maintain consistent coverage.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_containers_is_on"
}
},
"Categories": [],
"Categories": [
"container-security"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
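Review bot: The Bicep snippet in `NativeIaC` declares `resource <example_resource_name> 'Microsoft.Security/pricings@2023-01-01'`, but a symbolic name with angle brackets is not a valid Bicep identifier, so the snippet cannot be pasted and compiled; the sibling files use a plain `example_resource_name` and this one should too: `resource example_resource_name 'Microsoft.Security/pricings@2023-01-01' = {`. The portal steps say "Open Pricing & settings" while the other files in this commit say "Open Defender plans"; one label should be used throughout. Since this check and `defender_container_images_scan_enabled` both inspect the `Containers` pricing entry, `RelatedTo` could reference that check id if the field is meant for cross-references (I am inferring its purpose from the empty list).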


@@ -1,29 +1,38 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_cosmosdb_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' ",
"CheckTitle": "Subscription has Microsoft Defender for Cosmos DB plan set to On (pricing tier Standard)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Cosmos DB Is Set To 'On' ",
"Risk": "In scanning Cosmos DB requests within a subscription, requests are compared to a heuristic list of potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
"ResourceType": "microsoft.security/pricings",
"Description": "**Microsoft Defender for Azure Cosmos DB** is enabled at the subscription using the `Standard` pricing tier for the `CosmosDbs` plan, covering all Cosmos DB accounts",
"Risk": "Without this protection, Cosmos DB activity lacks advanced threat detection and telemetry. Attacks such as **SQL injection**, credential abuse, and **anomalous access patterns** may go unnoticed, enabling data exfiltration and unauthorized changes, degrading **confidentiality** and **integrity**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://github.com/Azure/PSRule.Rules.Azure/issues/2204",
"https://www.linkedin.com/pulse/dynamic-autoscale-azure-cosmos-db-how-can-help-you-save-julien-michel-8r3ne",
"https://video2.skills-academy.com/en-US/azure/defender-for-cloud/concept-defender-for-cosmos",
"https://learn.microsoft.com/th-th/Azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/CosmosDB/enable-advanced-threat-protection.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az security pricing create -n CosmosDbs --tier Standard",
"NativeIaC": "```bicep\n// Set Defender for Cosmos DB plan to Standard at subscription scope\ntargetScope = 'subscription'\n\nresource example_resource_name 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'CosmosDbs'\n properties: {\n pricingTier: 'Standard' // Critical: enables Defender for Cosmos DB (ON) at Standard tier\n }\n}\n```",
"Other": "1. In Azure portal, go to Microsoft Defender for Cloud > Environment settings\n2. Select the target subscription\n3. Open Defender plans (Pricing)\n4. Find Azure Cosmos DB and set the plan to On (Standard)\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Cosmos DB at Standard tier\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n resource_type = \"CosmosDbs\" # Critical: target Cosmos DB plan\n tier = \"Standard\" # Critical: sets plan to ON (Standard)\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is not enabled for your App Service instances. Enabling the Defender security service for App Service instances allows for advanced security defense using threat detection capabilities provided by Microsoft Security Response Center.",
"Url": "Enable Microsoft Defender for Cosmos DB"
"Text": "Enable the `Standard` plan for **Microsoft Defender for Azure Cosmos DB** at the subscription to ensure full coverage. Enforce **least privilege**, route alerts to your SIEM, and tune detections. Use policy to require the plan across environments and regularly review findings to strengthen **defense in depth**.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_cosmosdb_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
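Review bot: The second `AdditionalURLs` entry is a LinkedIn article about Cosmos DB autoscale cost savings, which has nothing to do with enabling the Defender plan and should be dropped. The `learn.microsoft.com` entry uses the `th-th` locale; the English page is the same path with `en-us`, i.e. `https://learn.microsoft.com/en-us/Azure/defender-for-cloud/defender-for-databases-enable-cosmos-protections?tabs=azure-portal`, and it is the most useful reference in the list. The `Description` ends without a period, unlike the neighbouring fields.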


@@ -1,29 +1,32 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_databases_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Databases Is Set To 'On' ",
"CheckTitle": "Azure subscription has Microsoft Defender for Databases enabled (Standard pricing tier)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Databases Is Set To 'On' ",
"Risk": "Enabling Microsoft Defender for Azure SQL Databases allows your organization more granular control of the infrastructure running your database software",
"ResourceType": "microsoft.security/pricings",
"Description": "**Azure subscription** is evaluated for **Defender for Databases** coverage: `Standard` pricing must be enabled for `SqlServers`, `SqlServerVirtualMachines`, `OpenSourceRelationalDatabases`, and `CosmosDbs`.",
"Risk": "Without this coverage, database workloads lack **advanced threat detection**, **vulnerability assessment**, and **behavior analytics**.\n\nAttacks like credential brute force, SQL injection, privilege abuse, and data exfiltration can go **undetected**, threatening **confidentiality, integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Databases plans at subscription scope\ntargetScope = 'subscription'\n\nresource sqlServers 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'SqlServers'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for SQL servers to Standard (ON)\n }\n}\n\nresource sqlServerVMs 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'SqlServerVirtualMachines'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for SQL servers on machines to Standard (ON)\n }\n}\n\nresource openSourceDBs 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'OpenSourceRelationalDatabases'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for open-source databases to Standard (ON)\n }\n}\n\nresource cosmosDbs 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'CosmosDbs'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for Cosmos DB to Standard (ON)\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose your subscription\n3. Open Defender plans\n4. Set these plans to On (Standard):\n - SQL servers\n - SQL servers on machines\n - Open-source relational databases\n - Cosmos DB\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Databases plans\nresource \"azurerm_security_center_subscription_pricing\" \"sqlservers\" {\n resource_type = \"SqlServers\"\n tier = \"Standard\" # Critical: enables Defender (Standard)\n}\n\nresource \"azurerm_security_center_subscription_pricing\" \"sql_vm\" {\n resource_type = \"SqlServerVirtualMachines\"\n tier = \"Standard\" # Critical: enables Defender (Standard)\n}\n\nresource \"azurerm_security_center_subscription_pricing\" \"oss_db\" {\n resource_type = \"OpenSourceRelationalDatabases\"\n tier = \"Standard\" # Critical: enables Defender (Standard)\n}\n\nresource \"azurerm_security_center_subscription_pricing\" \"cosmos\" {\n resource_type = \"CosmosDbs\"\n tier = \"Standard\" # Critical: enables Defender (Standard)\n}\n```"
},
"Recommendation": {
"Text": "Enable Microsoft Defender for Azure SQL Databases",
"Url": ""
"Text": "Enable **Defender for Databases** at the `Standard` tier for all supported database types across subscriptions. Integrate alerts with monitoring, automate response, and enforce **least privilege** and **network segmentation** for defense in depth. Use policy to maintain continuous coverage for new resources.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_databases_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
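Review bot: `Remediation.Code` in the new version drops the `"CLI"` key entirely (the old block had `CLI`, `NativeIaC`, `Other`, `Terraform`; the new one has only the last three), which breaks the key set every other metadata file in this commit keeps and may trip schema validation or consumers that read `Code.CLI`. Since the four plan names are already listed in the Bicep and Terraform snippets, the key can be restored with the same content: `"CLI": "az security pricing create --name SqlServers --tier Standard && az security pricing create --name SqlServerVirtualMachines --tier Standard && az security pricing create --name OpenSourceRelationalDatabases --tier Standard && az security pricing create --name CosmosDbs --tier Standard",`. Both `RelatedUrl` and `AdditionalURLs` are empty here as well, so the check ships without any external reference.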


@@ -1,29 +1,32 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_dns_is_on",
"CheckTitle": "Ensure That Microsoft Defender for DNS Is Set To 'On' ",
"CheckTitle": "Subscription has Microsoft Defender for DNS enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for DNS Is Set To 'On' ",
"Risk": "DNS lookups within a subscription are scanned and compared to a dynamic list of websites that might be potential security threats. These threats could be a result of a security breach within your services, thus scanning for them could prevent a potential security threat from being introduced.",
"ResourceType": "microsoft.security/pricings",
"Description": "**Microsoft Defender for DNS** is configured at the `Standard` tier for the subscription's Defender pricing",
"Risk": "Absent **Defender for DNS**, query telemetry isn't inspected, allowing **C2 callbacks**, **DNS tunneling**, and **malicious domains** to bypass detection. This increases risks to **confidentiality** (exfiltration), **integrity** (malware/DGA), and **availability** (poisoned or hijacked resolution).",
"RelatedUrl": "",
"AdditionalURLs": [],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az security pricing create --name Dns --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for DNS at subscription scope\ntargetScope = 'subscription'\n\nresource example_resource_name 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'Dns'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for DNS to ON (Standard tier)\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings and choose your subscription\n3. Open Defender plans\n4. Find DNS and set the plan to Standard (On)\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n resource_type = \"Dns\"\n tier = \"Standard\" # Critical: enables Defender for DNS\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is not enabled for your App Service instances. Enabling the Defender security service for App Service instances allows for advanced security defense using threat detection capabilities provided by Microsoft Security Response Center.",
"Url": ""
"Text": "Enable **Defender for DNS** at the `Standard` tier across applicable subscriptions. Apply **defense in depth**: restrict outbound DNS, use private DNS where feasible, and log/monitor query activity. Route alerts to centralized monitoring. Enforce **least privilege** on security settings and review exclusions regularly.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_dns_is_on"
}
},
"Categories": [],
"Categories": [
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
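Review bot: `Notes` is empty, but as far as I recall Microsoft stopped offering Defender for DNS as a standalone plan to new subscriptions in 2023 and now delivers DNS threat detection through Defender for Servers Plan 2; if that is correct, `az security pricing create --name Dns --tier Standard` and the Bicep/Terraform snippets may not take effect on newer subscriptions, and users would need that context to interpret a FAIL. I would confirm the current plan status against the Microsoft docs and, if it holds, add a sentence to `Notes` such as `The standalone Dns plan is not available to subscriptions created after its deprecation; DNS protection for those is provided by Defender for Servers Plan 2.` `RelatedUrl` and `AdditionalURLs` are both empty, so a `learn.microsoft.com` reference for the plan would also help here.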


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_keyvault_is_on",
"CheckTitle": "Ensure That Microsoft Defender for KeyVault Is Set To 'On' ",
"CheckTitle": "Subscription has Microsoft Defender for Key Vault enabled (Standard pricing tier)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for KeyVault Is Set To 'On' ",
"Risk": "By default, Microsoft Defender for Cloud is disabled for Azure key vaults. Defender for Cloud detects unusual and potentially harmful attempts to access or exploit your Azure Key Vault data. This layer of protection allows you to address threats without being a security expert, and without the need to use and manage third-party security monitoring tools or services.",
"ResourceType": "microsoft.security/pricings",
"Description": "**Azure subscriptions** are evaluated for the **Defender for Key Vaults** plan configured at the `Standard` tier. It identifies where Key Vault protection uses this tier versus where the Defender pricing for `KeyVaults` is not set accordingly.",
"Risk": "Without **Defender for Key Vaults**, anomalous access and mass secret retrievals can go undetected, enabling:\n- Secret exfiltration (confidentiality)\n- Key/secret tampering (integrity)\n- Destructive actions like purge/delete (availability)\n\nLack of signals delays response and facilitates lateral movement.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-key-vault.html",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-key-vault#terraform"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-key-vault.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-key-vault#terraform"
"CLI": "az security pricing update --name KeyVaults --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Key Vaults (Standard tier) at subscription scope\nresource example_pricing 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'KeyVaults'\n properties: {\n pricingTier: 'Standard' // Critical: sets the KeyVaults plan to Standard (ON)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings, then choose your subscription\n3. Open Defender plans\n4. Find Key Vaults and set the plan to On/Standard\n5. Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Key Vaults (Standard)\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n resource_type = \"KeyVaults\"\n tier = \"Standard\" # Critical: sets the plan to Standard (ON)\n}\n```"
},
"Recommendation": {
"Text": "Ensure that Microsoft Defender for Cloud is enabled for Azure key vaults. Key Vault is the Azure cloud service that safeguards encryption keys and secrets like certificates, connection-based strings, and passwords.",
"Url": ""
"Text": "Enable **Defender for Key Vaults** at the `Standard` tier across all subscriptions. Integrate alerts with monitoring and tune noise. Apply **least privilege** with **RBAC**, enforce purge protection and logging, and use **defense in depth** (private access and network restrictions) to prevent abuse and accelerate detection.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_keyvault_is_on"
}
},
"Categories": [],
"Categories": [
"secrets"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,32 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_os_relational_databases_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' ",
"CheckTitle": "Microsoft Defender for open-source relational databases is On (pricing tier Standard)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' ",
"Risk": "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"ResourceType": "microsoft.security/pricings",
"Description": "Microsoft Defender for Cloud plan for **Open-Source Relational Databases** is evaluated for the `Standard` pricing tier at the subscription level.",
"Risk": "Absent the `Standard` plan, open-source databases lack **threat detection** and **behavior analytics**, reducing **confidentiality** and **integrity**. SQL injection, brute-force logins, and data exfiltration may go unnoticed, delaying response and enabling **lateral movement**.",
"RelatedUrl": "",
"AdditionalURLs": [],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"CLI": "az security pricing create --name OpenSourceRelationalDatabases --tier Standard",
"NativeIaC": "```bicep\n// Deploy at subscription scope to set Defender pricing\ntargetScope = 'subscription'\n\nresource pricingOpenSource \"Microsoft.Security/pricings@2023-01-01\" = {\n name: 'OpenSourceRelationalDatabases'\n properties: {\n pricingTier: 'Standard' // Critical: sets the plan to Standard (ON)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > your subscription\n3. Open Defender plans\n4. Find \"Open-source relational databases\" and set it to Standard/On\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n resource_type = \"OpenSourceRelationalDatabases\"\n tier = \"Standard\" # Critical: enables Defender (Standard tier)\n}\n```"
},
"Recommendation": {
"Text": "Enabling Microsoft Defender for Open-source relational databases allows for greater defense-in-depth, with threat detection provided by the Microsoft Security Response Center (MSRC).",
"Url": ""
"Text": "Enable the plan at the `Standard` tier across relevant subscriptions. Apply **defense in depth**: enforce **least privilege**, isolate databases on private networks, require strong authentication, and route alerts to centralized monitoring for rapid triage. *Review coverage regularly*.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_os_relational_databases_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,41 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_server_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Servers Is Set to 'On'",
"CheckTitle": "Azure subscription has Microsoft Defender for Servers set to On (Standard pricing tier)",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Servers Is Set to 'On'",
"Risk": "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"ResourceType": "microsoft.security/pricings",
"Description": "**Microsoft Defender for Servers** subscription plan (`VirtualMachines`) is configured to the `Standard` tier. The evaluation checks whether the Servers plan is enabled at this level for all server workloads in the subscription.",
"Risk": "Without **Defender for Servers**, endpoints lack unified EDR, hardening, and threat analytics. This enables silent malware, credential theft, and lateral movement, driving data exfiltration (C), ransomware/tampering (I), and outages or cryptomining abuse (A).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-servers",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/microsoft-defender-vm-server.html",
"https://learn.microsoft.com/en-us/answers/questions/1131575/defender-for-servers-policy-definitions.html",
"https://learn.microsoft.com/en-us/powershell/module/az.security/set-azsecuritypricing?view=azps-13.1.0",
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-servers#terraform",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-enable-servers-plan",
"https://learn.microsoft.com/en-us/powershell/module/az.security/set-azsecuritypricing?view=azps-13.4.0&viewFallbackFrom=azps-6.5.0"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/microsoft-defender-vm-server.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-servers#terraform"
"CLI": "az security pricing create --name VirtualMachines --tier Standard",
"NativeIaC": "```bicep\n// Enable Defender for Servers (Standard) at subscription scope\n@description('Enable Microsoft Defender for Servers (Standard)')\ntargetScope = 'subscription'\n\nresource <example_resource_name> 'Microsoft.Security/pricings@2024-01-01' = {\n name: 'VirtualMachines'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender for Servers to ON (Standard)\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings, then your <subscription>\n3. On Defender plans, set Servers to On (Standard)\n4. Click Save",
"Terraform": "```hcl\n# Enable Defender for Servers (Standard) on the subscription\nresource \"azurerm_security_center_subscription_pricing\" \"<example_resource_name>\" {\n resource_type = \"VirtualMachines\"\n tier = \"Standard\" # Critical: sets Defender for Servers to ON (Standard)\n}\n```"
},
"Recommendation": {
"Text": "Enabling Microsoft Defender for Cloud standard pricing tier allows for better security assessment with threat detection provided by the Microsoft Security Response Center (MSRC), advanced security policies, adaptive application control, network threat detection, and regulatory compliance management.",
"Url": ""
"Text": "Enable the **Defender for Servers** plan at the **subscription** scope with tier `Standard`, choosing P1 or P2 per asset risk. Ensure all Azure VMs and Arc-enabled servers are covered for EDR integration. Apply **defense in depth** and **least privilege**, and continuously monitor and tune alerts.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_server_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,35 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_sql_servers_is_on",
"CheckTitle": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' ",
"CheckTitle": "Subscription has Microsoft Defender for SQL servers on machines enabled with pricing tier Standard",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' ",
"Risk": "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud.",
"ResourceType": "microsoft.security/pricings",
"Description": "Subscription pricing for **Defender for SQL Server on Machines** is configured to the `Standard` plan, covering SQL Server instances running on virtual machines.",
"Risk": "Without **Defender for SQL Server on Machines**, attacks on SQL Server VMs can go **undetected**-including SQL injection, brute-force logons, and privilege abuse.\n\nThis risks data exfiltration (C), schema or record tampering (I), and outages or ransomware impact (A), while reducing visibility and delaying response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-sql-servers-on-machines#terraform",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-sql-server-virtual-machines.html"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-sql-server-virtual-machines.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-sql-servers-on-machines#terraform"
"CLI": "az security pricing create -n SqlServerVirtualMachines --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for SQL servers on machines at subscription scope\ntargetScope = 'subscription'\n\nresource pricing 'Microsoft.Security/pricings@2022-03-01' = {\n name: 'SqlServerVirtualMachines'\n properties: {\n pricingTier: 'Standard' // Critical: sets Defender plan to Standard (ON) for SQL Server VMs\n }\n}\n```",
"Other": "1. In the Azure Portal, go to Microsoft Defender for Cloud\n2. Click Environment settings and select the target subscription\n3. Open Defender plans (Plans)\n4. Find SQL servers on machines and set it to Standard (On)\n5. Click Save",
"Terraform": "```hcl\nresource \"azurerm_security_center_subscription_pricing\" \"<example_resource_name>\" {\n resource_type = \"SqlServerVirtualMachines\" # Critical: target the SQL Server VMs Defender plan\n tier = \"Standard\" # Critical: enable Standard (ON)\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is disabled for the Microsoft SQL servers running on virtual machines. Defender for Cloud for SQL Server virtual machines continuously monitors your SQL database servers for threats such as SQL injection, brute-force attacks, and privilege abuse. The security service provides security alerts together with details of the suspicious activity and guidance on how to mitigate to the security threats.",
"Url": ""
"Text": "Enable the **Defender for SQL Server on Machines** plan at the `Standard` tier for subscriptions hosting SQL Server VMs.\n\nApply defense-in-depth: enforce least privilege and strong authentication, segment networks, keep SQL patched, enable auditing, and route alerts to a SIEM for rapid containment.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_sql_servers_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,37 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_defender_for_storage_is_on",
"CheckTitle": "Ensure That Microsoft Defender for Storage Is Set To 'On' ",
"CheckTitle": "Azure subscription has Microsoft Defender for Storage Accounts pricing tier set to Standard",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderPlan",
"Description": "Ensure That Microsoft Defender for Storage Is Set To 'On' ",
"Risk": "Ensure that Microsoft Defender for Cloud is enabled for your Microsoft Azure storage accounts. Defender for storage accounts is an Azure-native layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit your Azure cloud storage accounts.",
"ResourceType": "microsoft.security/pricings",
"Description": "Azure subscription's **Defender for Storage** plan is set to `Standard` for Storage Accounts.",
"Risk": "Without **Defender for Storage**, suspicious access to blobs, files, and queues may go undetected. Compromised keys or `SAS` tokens can enable data exfiltration (**confidentiality**), object tampering (**integrity**), and mass deletion or ransomware-like encryption (**availability**).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-storage#terraform",
"https://www.cryptohowtoeasy.com/article/enable_azure_defender",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-storage.html",
"https://assets.ctfassets.net/lvkf21t5nlpz/3LVbJZW5rF3ZbDM4ygPLkk/21fc29e6c5c64d0909ba786d2011f5a5/CIS_Microsoft_Azure_Foundations_Benchmark_v1.3.0.pdf"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-storage.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/ensure-that-azure-defender-is-set-to-on-for-storage#terraform"
"CLI": "az security pricing create -n StorageAccounts --tier Standard",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Storage at subscription level\nresource example_resource_name 'Microsoft.Security/pricings@2023-01-01' = {\n name: 'StorageAccounts'\n properties: {\n pricingTier: 'Standard' // CRITICAL: sets the plan to Standard (ON) for Storage\n }\n}\n```",
"Other": "1. In Azure portal, open Microsoft Defender for Cloud\n2. Go to Environment settings > select <subscription>\n3. Open Defender plans\n4. Set Storage to On (Standard)\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Storage at subscription level\nresource \"azurerm_security_center_subscription_pricing\" \"example_resource_name\" {\n resource_type = \"StorageAccounts\"\n tier = \"Standard\" # CRITICAL: sets Storage plan to Standard (ON)\n}\n```"
},
"Recommendation": {
"Text": "By default, Microsoft Defender for Cloud is disabled for your storage accounts. Enabling the Defender security service for Azure storage accounts allows for advanced security defense using threat detection capabilities provided by the Microsoft Security Response Center (MSRC). MSRC investigates all reports of security vulnerabilities affecting Microsoft products and services, including Azure cloud services.",
"Url": ""
"Text": "Enable **Defender for Storage** at the `Standard` tier for subscriptions with storage workloads. Apply **defense in depth**: restrict network exposure, enforce **least privilege** on keys and `SAS`, use short-lived tokens and rotation, and route alerts to centralized monitoring for rapid response.",
"Url": "https://hub.prowler.com/check/defender_ensure_defender_for_storage_is_on"
}
},
"Categories": [],
"Categories": [
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,38 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_iot_hub_defender_is_on",
"CheckTitle": "Ensure That Microsoft Defender for IoT Hub Is Set To 'On'",
"CheckTitle": "Microsoft Defender for IoT Hub is enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "DefenderIoT",
"Description": "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization.",
"Risk": "IoT devices are very rarely patched and can be potential attack vectors for enterprise networks. Updating their network configuration to use a central security hub allows for detection of these breaches.",
"RelatedUrl": "https://azure.microsoft.com/en-us/services/iot-defender/#overview",
"ResourceType": "microsoft.security/iotsecuritysolutions",
"Description": "**Microsoft Defender for IoT security solution** exists in the subscription and reports status `Enabled` for monitored **IoT Hub** resources",
"Risk": "Without **Defender for IoT**, device activity lacks telemetry and alerting, degrading CIA:\n- Compromised devices join botnets and exfiltrate data\n- Abused device identities alter cloud twins and commands\n- Lateral movement from IoT networks to Azure workloads\nThis blind spot increases dwell time and blast radius.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://github.com/mpram/Azure-Defender-for-IoT/blob/main/HOL+Steps/Microsoft+Defender+for+IoT+HOL.md",
"https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub",
"https://learn.microsoft.com/en-us/+azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub",
"https://www.slideshare.net/slideshow/design-and-deploy-microsoft-defender-for-iot-1-converted-edition-puthiyavan-udayakumar/282067489",
"https://azure.microsoft.com/en-us/services/iot-defender/#overview"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "",
"Terraform": ""
"NativeIaC": "```bicep\n// Enable Defender for IoT by creating an IoT Security Solution\nresource iotDefender 'Microsoft.Security/iotSecuritySolutions@2019-08-01' = {\n name: '<example_resource_name>'\n location: '<LOCATION>'\n properties: {\n displayName: '<example_resource_name>'\n iotHubs: ['<IOT_HUB_RESOURCE_ID>'] // CRITICAL: links the IoT Hub; creating this solution enables Defender for IoT\n status: 'Enabled' // CRITICAL: ensures the solution is enabled\n }\n}\n```",
"Other": "1. In the Azure portal, go to IoT hubs and open your hub\n2. Select Defender for IoT > Overview\n3. Click Secure your IoT solution and complete onboarding (select the hub if prompted)\n4. If you see a toggle, set Enable Microsoft Defender for IoT to On and Save\n5. Verify the IoT Security Solution shows as Enabled under Defender for IoT",
"Terraform": "```hcl\n# Enable Defender for IoT by creating an IoT Security Solution\nresource \"azurerm_iot_security_solution\" \"<example_resource_name>\" {\n name = \"<example_resource_name>\"\n resource_group_name = \"<example_resource_name>\"\n location = \"<LOCATION>\"\n display_name = \"<example_resource_name>\"\n iothub_ids = [\"<IOT_HUB_RESOURCE_ID>\"] # CRITICAL: links the IoT Hub; creating this solution enables Defender\n}\n```"
},
"Recommendation": {
"Text": "1. Go to IoT Hub. 2. Select a IoT Hub to validate. 3. Select Overview in Defender for IoT. 4. Click on Secure your IoT solution, and complete the onboarding.",
"Url": "https://learn.microsoft.com/en-us/azure/defender-for-iot/device-builders/quickstart-onboard-iot-hub"
"Text": "Enable **Defender for IoT** on all IoT Hubs and keep it `Enabled`. Route security data to a central workspace and your SIEM. Apply **least privilege** to IoT identities, enforce **network segmentation** and private access, and use **defense in depth** with continuous monitoring, alert tuning, and periodic coverage reviews.",
"Url": "https://hub.prowler.com/check/defender_ensure_iot_hub_defender_is_on"
}
},
"Categories": [],
"Categories": [
"vulnerabilities"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Enabling Microsoft Defender for IoT will incur additional charges dependent on the level of usage."


@@ -1,29 +1,38 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_mcas_is_enabled",
"CheckTitle": "Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected",
"CheckTitle": "Azure subscription has Microsoft Defender for Cloud Apps enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "DefenderSettings",
"Description": "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud.",
"Risk": "Microsoft Defender for Cloud offers an additional layer of protection by using Azure Resource Manager events, which is considered to be the control plane for Azure. By analyzing the Azure Resource Manager records, Microsoft Defender for Cloud detects unusual or potentially harmful operations in the Azure subscription environment. Several of the preceding analytics are powered by Microsoft Defender for Cloud Apps. To benefit from these analytics, subscription must have a Cloud App Security license. Microsoft Defender for Cloud Apps works only with Standard Tier subscriptions.",
"RelatedUrl": "https://learn.microsoft.com/en-in/azure/defender-for-cloud/defender-for-cloud-introduction#secure-cloud-applications",
"ResourceType": "microsoft.security/pricings",
"Description": "Subscription settings contain the `MCAS` integration for **Microsoft Defender for Cloud Apps**, and the setting is `enabled`.",
"Risk": "Missing integration leaves **Defender for Cloud** blind to SaaS context, weakening correlation of control-plane activity with app usage. Attackers can hide data exfiltration via cloud apps, abuse OAuth grants, or mask unauthorized ARM changes-impacting confidentiality and integrity and slowing incident response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list",
"https://learn.microsoft.com/en-in/azure/defender-for-cloud/defender-for-cloud-introduction#secure-cloud-applications",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-cloud-apps-integration.html#",
"https://learn.microsoft.com/en-us/answers/questions/2045272/integrating-microsoft-defender-for-cloud-apps-with"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-cloud-apps-integration.html#",
"Terraform": ""
"CLI": "az rest --method PUT --uri https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/settings/MCAS?api-version=2021-06-01 --body '{\"properties\":{\"enabled\":true}}'",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Cloud Apps (MCAS) at subscription scope\ntargetScope = 'subscription'\n\nresource mcas 'Microsoft.Security/settings@2021-06-01' = {\n name: 'MCAS'\n properties: {\n enabled: true // Critical: turns on MCAS integration for the subscription\n }\n}\n```",
"Other": "1. In the Azure portal, open Microsoft Defender for Cloud\n2. Go to Environment settings and select your subscription\n3. Open Settings & monitoring (or Integrations)\n4. Turn on \"Allow Microsoft Defender for Cloud Apps to access my data\"\n5. Click Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Cloud Apps (MCAS)\nresource \"azurerm_security_center_setting\" \"example\" {\n setting_name = \"MCAS\"\n enabled = true # Critical: enables MCAS integration for the subscription\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Select Environment Settings blade. 4. Select the subscription. 5. Check App Service Defender Plan to On. 6. Select Save.",
"Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/settings/list"
"Text": "Enable and keep the `MCAS` integration consistent across subscriptions.\n- Apply **least privilege** to integration roles and data access\n- Use policy to enforce the setting and prevent drift\n- Practice **defense in depth** by correlating SaaS and cloud signals\n- Review licensing and validate alert coverage regularly",
"Url": "https://hub.prowler.com/check/defender_ensure_mcas_is_enabled"
}
},
"Categories": [],
"Categories": [
"logging",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Microsoft Defender for Cloud Apps works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."


@@ -1,29 +1,37 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_notify_alerts_severity_is_high",
"CheckTitle": "Ensure that email notifications are configured for alerts with a minimum severity of 'High' or lower",
"CheckTitle": "Security contact has alert notifications enabled with minimum severity High or lower",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureEmailNotifications",
"Description": "Microsoft Defender for Cloud sends email notifications when alerts of a certain severity level or higher are triggered. By setting the minimum severity to 'High', 'Medium', or even 'Low', you ensure that alerts with equal or greater severity (e.g., High or Critical) are still delivered. Selecting a lower threshold like 'Low' results in more comprehensive alert coverage.",
"Risk": "If this setting is too restrictive (e.g., set to 'Critical' only), important security alerts with 'High' or 'Medium' severity might be missed. Ensuring that 'High' or a lower threshold is configured helps security teams stay informed about significant threats and respond in a timely manner.",
"RelatedUrl": "https://learn.microsoft.com/en-us/azure/defender-for-cloud/email-notifications-alerts#manage-notifications-on-email",
"ResourceType": "microsoft.resources/subscriptions",
"Description": "**Defender for Cloud** email notifications use a minimum alert severity of `High` or more inclusive (`Medium`/`Low`). The evaluation inspects security contacts to confirm a threshold is defined and not `Critical`.",
"Risk": "Setting the threshold to `Critical` or leaving it unset limits alerting, causing **delayed detection** of `High`/`Medium` threats. Attackers can persist, escalate privileges, and exfiltrate data, impacting **confidentiality**, **integrity**, and **availability** via ransomware or service disruption.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.prowler.com/checks/azure/azure-general-policies/bc_azr_general_4#terraform",
"https://learn.microsoft.com/en-us/azure/defender-for-cloud/email-notifications-alerts#manage-notifications-on-email",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/enable-high-severity-email-notifications.html",
"https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/enable-high-severity-email-notifications.html",
"Terraform": "https://docs.prowler.com/checks/azure/azure-general-policies/bc_azr_general_4#terraform"
"CLI": "az rest --method PUT --url \"https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/securityContacts/default?api-version=2023-12-01-preview\" --body '{\"properties\":{\"emails\":\"<EMAIL>\",\"isEnabled\":true,\"notificationsSources\":[{\"sourceType\":\"Alert\",\"minimalSeverity\":\"High\"}]}}'",
"NativeIaC": "```bicep\ntargetScope = 'subscription'\n\nresource contact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {\n name: '<example_resource_name>'\n properties: {\n emails: '<EMAIL>'\n isEnabled: true\n notificationsSources: [\n {\n sourceType: 'Alert'\n minimalSeverity: 'High' // Critical line: sets minimum alert severity to High to pass the check\n }\n ]\n }\n}\n```",
"Other": "1. In Azure Portal, go to Defender for Cloud > Environment settings > select your subscription\n2. Open Email notifications\n3. Turn on \"Send email notifications for alerts\"\n4. Set \"Minimum alert severity\" to High (or Medium/Low)\n5. Enter at least one email address\n6. Click Save",
"Terraform": "```hcl\nresource \"azapi_resource\" \"<example_resource_name>\" {\n type = \"Microsoft.Security/securityContacts@2023-12-01-preview\"\n name = \"<example_resource_name>\"\n parent_id = \"/subscriptions/<SUBSCRIPTION_ID>\"\n\n body = jsonencode({\n properties = {\n emails = \"<EMAIL>\"\n isEnabled = true\n notificationsSources = [\n {\n sourceType = \"Alert\"\n minimalSeverity = \"High\" # Critical line: sets minimum alert severity to High to pass the check\n }\n ]\n }\n })\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home select the Portal Menu. 2. Select Microsoft Defender for Cloud. 3. Click on Environment Settings. 4. Click on the appropriate Management Group, Subscription, or Workspace. 5. Click on Email notifications. 6. Under 'Notify about alerts with the following severity (or higher)', select at least 'High' (or optionally 'Medium' or 'Low' for broader coverage). 7. Click Save.",
"Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
"Text": "Configure the minimum alert notification severity to `High` (or `Medium`/`Low`) and send to accountable recipients and RBAC roles. Apply **defense in depth**: route alerts to SIEM, use redundant contacts, and periodically test delivery. Review thresholds regularly to balance noise while avoiding false negatives.",
"Url": "https://hub.prowler.com/check/defender_ensure_notify_alerts_severity_is_high"
}
},
"Categories": [],
"Categories": [
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""


@@ -1,29 +1,36 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_notify_emails_to_owners",
"CheckTitle": "Ensure That 'All users with the following roles' is set to 'Owner'",
"CheckTitle": "Defender for Cloud security contact notifications include the Owner role",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "AzureEmailNotifications",
"Description": "Enable security alert emails to subscription owners.",
"Risk": "Enabling security alert emails to subscription owners ensures that they receive security alert emails from Microsoft. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion.",
"RelatedUrl": "https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details",
"ResourceType": "microsoft.resources/subscriptions",
"Description": "**Defender for Cloud** email notifications target subscription users in the `Owner` role through role-based recipients",
"Risk": "Without notifying **Owners**, critical alerts can be missed, delaying incident response. Attackers gain longer dwell time for data exfiltration, privilege abuse, and service disruption, undermining **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/email-to-subscription-owners.html",
"https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/email-to-subscription-owners.html",
"Terraform": ""
"CLI": "az security contact create --name default --email <EMAIL> --alerts-admins On",
"NativeIaC": "```bicep\n// Enable Defender for Cloud notifications to the Owner role\nresource contact 'Microsoft.Security/securityContacts@2023-12-01-preview' = {\n name: 'default'\n properties: {\n emails: '<email@example.com>'\n notificationsByRole: {\n state: 'On' // CRITICAL: Turn on role-based notifications\n roles: [ 'Owner' ] // CRITICAL: Ensure the Owner role is notified\n }\n }\n}\n```",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose the target subscription\n3. Open Email notifications\n4. Enable \"Send email notifications to users with the following roles\"\n5. Select the role: Owner\n6. Click Save",
"Terraform": "```hcl\n# Enable notifications to subscription owners (Owner role)\nresource \"azurerm_security_center_contact\" \"<example_resource_name>\" {\n email = \"<email@example.com>\"\n alert_notifications = true\n alerts_to_admins = true # CRITICAL: Notifies users with the Owner role\n}\n```"
},
"Recommendation": {
"Text": "1. From Azure Home select the Portal Menu 2. Select Microsoft Defender for Cloud 3. Click on Environment Settings 4. Click on the appropriate Management Group, Subscription, or Workspace 5. Click on Email notifications 6. In the drop down of the All users with the following roles field select Owner 7. Click Save",
"Url": "https://docs.microsoft.com/en-us/rest/api/securitycenter/securitycontacts/list"
"Text": "Enable role-based notifications to the `Owner` role and use monitored, up-to-date distribution lists. Add secondary recipients (SOC/security admins) for redundancy, tune thresholds to reduce noise, and integrate with SIEM/automation. Apply **defense in depth** and **least privilege** for alert dissemination.",
"Url": "https://hub.prowler.com/check/defender_ensure_notify_emails_to_owners"
}
},
"Categories": [],
"Categories": [
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": ""
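Review bot: The Bicep remediation in `"NativeIaC"` omits `targetScope = 'subscription'` and `isEnabled: true`, both of which the sibling example for the severity check (the `"NativeIaC"` line above, `defender_ensure_notify_alerts_severity_is_high`) includes for the same `Microsoft.Security/securityContacts@2023-12-01-preview` resource. Security contacts are subscription-scoped, so a deployment at the default resource-group scope fails, and with the contact not explicitly enabled the `notificationsByRole` block may never produce an email — worth confirming against the API reference, but the two examples should at least agree: `targetScope = 'subscription'` before the resource and `isEnabled: true` alongside `notificationsByRole`. The `"CLI"` line has a similar gap: `--alerts-admins On` is set without `--alert-notifications On`, and in recent azure-cli releases this command takes `--emails` and `--notifications-by-role` instead, so the flag set should be pinned to a CLI version or rewritten, e.g. `az security contact create --name default --emails <EMAIL> --alert-notifications '{state:On,minimalSeverity:High}' --notifications-by-role '{state:On,roles:[Owner]}'`.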


@@ -1,29 +1,38 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_system_updates_are_applied",
"CheckTitle": "Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'",
"CheckTitle": "All virtual machines in the subscription have system updates applied",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "AzureDefenderRecommendation",
"Description": "Ensure that the latest OS patches for all virtual machines are applied.",
"Risk": "The Azure Security Center retrieves a list of available security and critical updates from Windows Update or Windows Server Update Services (WSUS), depending on which service is configured on a Windows VM. The security center also checks for the latest updates in Linux systems. If a VM is missing a system update, the security center will recommend system updates be applied.",
"RelatedUrl": "https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities",
"Severity": "critical",
"ResourceType": "microsoft.compute/virtualmachines",
"Description": "**Azure VMs** are evaluated for:\n- Presence of a monitoring agent\n- Periodic checks for missing updates\n- Installation of the latest **security and critical OS updates** on Windows and Linux",
"Risk": "Unpatched VMs are exposed to **known exploits** (RCE, privilege escalation), enabling **initial access** and **lateral movement**. This endangers **confidentiality** (data theft), **integrity** (tampering), and **availability** (ransomware, outages). Lapses in periodic assessment prolong exposure to critical vulnerabilities.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/apply-latest-os-patches.html",
"https://learn.microsoft.com/en-us/azure/virtual-machines/updates-maintenance-overview",
"https://techcommunity.microsoft.com/discussions/azure/system-updates-should-be-installed-on-your-machines-withwithout-powered-by-azure/4148748",
"https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-posture-vulnerability-management#pv-7-rapidly-and-automatically-remediate-software-vulnerabilities"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/VirtualMachines/apply-latest-os-patches.html",
"Other": "1. In the Azure portal, go to Microsoft Defender for Cloud > Recommendations\n2. Search for \"Log Analytics agent should be installed on virtual machines\"\n - Select affected VMs > Fix > choose a Log Analytics workspace > Apply\n3. Search for \"Machines should be configured to periodically check for missing system updates\"\n - Select affected VMs > Fix > Apply\n4. Search for \"System updates should be installed on your machines\" (may show as powered by Azure Update Manager)\n - Select affected VMs > Fix > Install updates now (or One-time update) > Install\n5. Wait for installation to complete, then verify all three recommendations show Healthy for the subscription",
"Terraform": ""
},
"Recommendation": {
"Text": "Follow Microsoft Azure documentation to apply security patches from the security center. Alternatively, you can employ your own patch assessment and management tool to periodically assess, report, and install the required security patches for your OS.",
"Url": "https://learn.microsoft.com/en-us/azure/virtual-machines/updates-maintenance-overview"
"Text": "Adopt **automated patching** for all VMs:\n- Schedule recurring assessments\n- Deploy security/critical updates promptly using maintenance windows and rings\n- Ensure a supported update/monitoring agent\n- Enforce risk-based SLAs, test in stages, keep backups, and use **least privilege** for patch tools",
"Url": "https://hub.prowler.com/check/defender_ensure_system_updates_are_applied"
}
},
"Categories": [],
"Categories": [
"vulnerabilities",
"logging"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Running Microsoft Defender for Cloud incurs additional charges for each resource monitored. Please see attached reference for exact charges per hour."
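Review bot: Step 2 of the `"Other"` remediation tells operators to fix "Log Analytics agent should be installed on virtual machines", but that agent has been retired by Microsoft and the update assessment that this check depends on now runs through Azure Update Manager, which is what the `updates-maintenance-overview` and "powered-by-azure" links in `"AdditionalURLs"` describe; as written the step points at a recommendation that may no longer appear in the portal, so it should be reworded to enable periodic assessment in Azure Update Manager (the `"Machines should be configured to periodically check for missing system updates"` recommendation in step 3 already covers this). Since `"CLI"` and `"Terraform"` are left empty while the sibling checks now ship code, consider a one-line CLI such as `az vm install-patches --resource-group <RG> --name <VM> --maximum-duration PT2H --reboot-setting IfRequired --classifications-to-include-win Critical Security --classifications-to-include-linux Critical Security`, verified against the current CLI before merging. `"Notes"` still says "Please see attached reference for exact charges per hour" although nothing is attached; either link the Defender for Servers pricing page or drop the sentence. The severity bump from `high` to `critical` is not explained in the commit; a short justification in `"Notes"` would help reviewers.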


@@ -1,29 +1,37 @@
{
"Provider": "azure",
"CheckID": "defender_ensure_wdatp_is_enabled",
"CheckTitle": "Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected",
"CheckTitle": "Subscription has Microsoft Defender for Endpoint integration enabled",
"CheckType": [],
"ServiceName": "defender",
"SubServiceName": "",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "DefenderSettings",
"Description": "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud.",
"Risk": "Microsoft Defender for Endpoint integration brings comprehensive Endpoint Detection and Response (EDR) capabilities within Microsoft Defender for Cloud. This integration helps to spot abnormalities, as well as detect and respond to advanced attacks on endpoints monitored by Microsoft Defender for Cloud. MDE works only with Standard Tier subscriptions.",
"RelatedUrl": "https://learn.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows",
"Severity": "high",
"ResourceType": "microsoft.security/integrations",
"Description": "Azure subscription integrates **Microsoft Defender for Endpoint** with **Defender for Cloud** via `WDATP`. The setting's presence and enabled state at the subscription scope are evaluated.",
"Risk": "Without this integration, servers lack **EDR telemetry**, automated onboarding, and unified alerts, shrinking visibility. Hands-on-keyboard intrusions, ransomware, and credential theft can persist unnoticed, enabling data exfiltration (**confidentiality**), unauthorized changes (**integrity**), and outages (**availability**).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-endpoint-integration.html",
"https://learn.microsoft.com/en-in/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows"
],
"Remediation": {
"Code": {
"CLI": "",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/azure/SecurityCenter/defender-endpoint-integration.html",
"Terraform": ""
"CLI": "az rest --method put --uri https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/settings/WDATP?api-version=2019-01-01 --body '{\"properties\":{\"isEnabled\":true}}'",
"NativeIaC": "```bicep\n// Enable Microsoft Defender for Endpoint (WDATP) integration at subscription scope\nresource <example_resource_name> 'Microsoft.Security/settings@2019-01-01' = {\n name: 'WDATP'\n properties: {\n isEnabled: true // Critical: turns on the WDATP (Defender for Endpoint) integration\n }\n}\n```",
"Other": "1. In Azure Portal, go to Microsoft Defender for Cloud\n2. Select Environment settings > choose your subscription\n3. Open Settings (or Integrations)\n4. Find Microsoft Defender for Endpoint (WDATP) integration\n5. Toggle On and Save",
"Terraform": "```hcl\n# Enable Microsoft Defender for Endpoint (WDATP) integration\nresource \"azurerm_security_center_setting\" \"<example_resource_name>\" {\n setting_name = \"WDATP\"\n enabled = true # Critical: turns on WDATP integration\n}\n```"
},
"Recommendation": {
"Text": "",
"Url": "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide"
"Text": "Enable the **Defender for Endpoint** integration in **Defender for Cloud** at the subscription scope and ensure agents are deployed on supported machines.\n\n- Apply **least privilege** to onboarding roles\n- Centralize alerting and response\n- Use **defense in depth** with hardening and network controls to reduce attack surface",
"Url": "https://hub.prowler.com/check/defender_ensure_wdatp_is_enabled"
}
},
"Categories": [],
"Categories": [
"vulnerabilities",
"forensics-ready"
],
"DependsOn": [],
"RelatedTo": [],
"Notes": "Microsoft Defender for Endpoint works with Standard pricing tier Subscription. Choosing the Standard pricing tier of Microsoft Defender for Cloud incurs an additional cost per resource."
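Review bot: The `"CLI"` and `"NativeIaC"` remediations both write `properties.isEnabled` to `Microsoft.Security/settings/WDATP` with no `kind`, whereas the `"Terraform"` line uses `enabled = true`; in the Security settings schema the WDATP setting is, to my knowledge, `kind: DataExportSettings` with a boolean `properties.enabled`, so the PUT is likely to be rejected or the flag silently ignored — verify against the current REST reference, but the three examples should at least agree on the property name. Proposed: `--body '{"kind":"DataExportSettings","properties":{"enabled":true}}'` for the `az rest` call, and for the Bicep `kind: 'DataExportSettings'` plus `properties: { enabled: true }`, preceded by `targetScope = 'subscription'` as the sibling securityContacts example does, since this resource is subscription-scoped. The CLI also pins `api-version=2019-01-01`; if the newer versions (e.g. 2022-05-01) are what the check reads, pin to that one for consistency. `"Notes"` still refers to the "Standard pricing tier", which Microsoft now calls Defender for Servers plans; updating the wording avoids sending readers to a name that no longer appears in the portal.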