Create Custom Policy
Implementation Effort: Medium – Creating custom policies requires administrative permissions and familiarity with KQL or Azure Policy, along with coordination between security and compliance teams.
User Impact: Low – This is a backend configuration task; end users are not directly affected unless policy enforcement impacts resource behavior.
Overview
Creating custom policies in Microsoft Defender for Cloud allows organizations to tailor security recommendations and compliance checks to their specific operational and regulatory needs. These custom policies can be used to:
- Define organization-specific security requirements.
- Extend built-in security standards with custom logic.
- Automate detection of misconfigurations or risky behaviors.
There are two main approaches:
-
KQL-based Custom Recommendations (requires Defender CSPM plan):
- Navigate to Defender for Cloud > Environment settings.
- Select the relevant scope (Azure, AWS, or GCP).
- Go to Security policies > + Create > Custom recommendation.
- Define the recommendation details (name, severity, remediation steps).
- Use the query editor to write or modify a KQL query.
- Assign the recommendation to one or more custom security standards.
- Review and create 1.
-
Azure Policy-based Custom Standards:
This capability supports the Zero Trust principle of "Verify Explicitly" by enabling continuous evaluation of cloud resources against organization-specific controls, ensuring that security posture aligns with internal and external requirements.