Check Resource Coverage
Implementation Effort: Medium
Security and IT teams must regularly review inventory and coverage dashboards to ensure all intended resources are protected under the Defender for Servers plan.
User Impact: Low
Coverage checks are performed by administrators; end users are not directly involved.
Overview
Checking resource coverage in Microsoft Defender for Servers ensures that all virtual machines (VMs), containers, and hybrid workloads are properly onboarded and protected. This is critical for maintaining visibility, compliance, and threat protection across Azure, AWS, GCP, and on-premises environments.
How to Check Coverage
-
Use the Inventory View:
- Go to Microsoft Defender for Cloud > Inventory.
- Use the Resource Type filter to view supported resources such as:
- Azure VMs
- AWS EC2 instances
- GCP Compute Engine instances
- Use the Environment filter to narrow results by cloud provider.
- Check the Defender for Cloud column:
- If set to On, the resource is protected by Defender for Cloud and any enabled plans (e.g., Defender for Servers) 1.
-
Use the Coverage Workbook:
- Navigate to Microsoft Defender for Cloud > Workbooks > Coverage.
- This provides a visual summary of protection status across all subscriptions and environments.
-
Review Plan Settings:
- Go to Environment Settings > Servers > Monitoring Coverage > Settings.
- Review which features (e.g., vulnerability assessment, endpoint protection, agentless scanning) are enabled or excluded 1.
Why It Matters
- Ensures no critical workloads are left unprotected.
- Helps identify misconfigured or unmonitored machines.
- Supports compliance audits and reporting.
- Enables proactive remediation of coverage gaps.
Failing to check resource coverage can result in blind spots, leaving workloads vulnerable to threats. This capability supports the "Assume Breach" principle of Zero Trust by ensuring continuous visibility and protection across all environments.