Create Custom Policy

Implementation Effort: Medium – Creating custom policies requires administrative permissions and familiarity with KQL or Azure Policy, along with coordination between security and compliance teams.

User Impact: Low – This is a backend configuration task; end users are not directly affected unless policy enforcement impacts resource behavior.

Overview

Creating custom policies in Microsoft Defender for Cloud allows organizations to tailor security recommendations and compliance checks to their specific operational and regulatory needs. These custom policies can be used to:

• Define organization-specific security requirements.
• Extend built-in security standards with custom logic.
• Automate detection of misconfigurations or risky behaviors.

There are two main approaches:

1. KQL-based Custom Recommendations (requires Defender CSPM plan):

   • Navigate to Defender for Cloud > Environment settings.
   • Select the relevant scope (Azure, AWS, or GCP).
   • Go to Security policies > + Create > Custom recommendation.
   • Define the recommendation details (name, severity, remediation steps).
   • Use the query editor to write or modify a KQL query.
   • Assign the recommendation to one or more custom security standards.
   • Review and create 1.

2. Azure Policy-based Custom Standards:

   • Create custom policy definitions and initiatives in Azure Policy.
   • Onboard them into Defender for Cloud as part of a custom security standard 1 2.

This capability supports the Zero Trust principle of "Verify Explicitly" by enabling continuous evaluation of cloud resources against organization-specific controls, ensuring that security posture aligns with internal and external requirements.

Reference

• Create custom security standards and recommendations – Microsoft Defender for Cloud
• Security policies in Defender for Cloud