Listen to this Post

Introduction:
Modern cloud security operations often struggle with scattered dashboards, disjointed reporting tools, and an inability to translate raw telemetry into actionable executive insights. Microsoft Defender portal now closes this gap by introducing integrated cloud security reporting capabilities built on a Cloud-Native Application Protection Platform (CNAPP) foundation. These new tools allow security teams to move from fragmented visibility to unified reporting, transforming how organizations monitor secure score trends, vulnerability exposure, and compliance across Azure, AWS, and GCP workloads.
Learning Objectives:
- Learn how to access and interpret built-in CNAPP Executive Summary and Cloud Posture reports within Defender portal
- Master the creation of custom cloud security reports by defining sections, adding data cards, and adjusting layouts
- Understand how to duplicate, modify, and control access to reports using visibility settings (Private, Tenant-level, Public)
- Apply Kusto Query Language (KQL) to extend reporting capabilities and automate security posture monitoring
- Implement cross-cloud hardening practices and leverage API security posture management extensions
You Should Know:
- Navigating Built-in Reports: CNAPP Executive Summary and Cloud Posture Dashboard
The Defender portal provides two foundational built-in reports that offer immediate visibility into cloud security posture.
Step‑by‑Step Guide to Access and Interpret Built-in Reports
Step 1: Access cloud security reports
Navigate to the Microsoft Defender portal (security.microsoft.com) and go to the Reporting page. Select the Cloud tab to reveal all available cloud security reports.
Step 2: Review the CNAPP Executive Summary
Select the CNAPP Executive Summary report. This high-level dashboard consolidates:
- Overview: Snapshot of key security indicators across your environment
- Secure Score: Historical trends with risk-based breakdowns
- Vulnerability Management: Exposure metrics and remediation progress
- Security Recommendations: Configuration gaps and best-practice deviations
- Investigation & Response: Detection and response activity summary
- Regulatory Compliance: Compliance posture across supported frameworks
Step 3: Analyze the Cloud Posture Report
The Cloud Posture report offers a centralized view of overall cloud security posture across environments. It highlights the cloud secure score, Defender CSPM plan coverage, actionable recommendations with remediation status, and regulatory compliance gaps.
Step 4: Apply filters and organize reports
Use filter options to refine the reports list by Report type (Built-in or Custom) or Visibility (Private, Tenant-level access, Public).
Step 5: Interpret secure score evolution
Pay attention to how the cloud secure score changes over time. The report provides breakdowns by environment and workload, helping identify areas with higher risk exposure or slower improvement rates.
Pro tip: Use the CNAPP Executive Summary for leadership briefings and high-level security reviews. Use the Cloud Posture report to monitor overall secure score progress and identify high-risk environments.
- Creating Custom Reports from Scratch for Specific Security Insights
When built-in reports don’t capture the exact metrics your organization needs, you can build fully customized reports tailored to your specific security use cases.
Step‑by‑Step Guide to Creating a Custom Report
Step 1: Initiate custom report creation
From the Reporting page, select Create report.
Step 2: Configure report metadata
Enter a descriptive Name for the report. Add a Description providing context about the report’s purpose. Configure Visibility settings to control who can access the report.
Step 3: Add content sections
Create logical sections to organize information within the report. Each section can contain multiple data cards that display specific security metrics or visualizations.
Step 4: Select and customize cards
Add cards to each section that display relevant data. Edit card titles as needed for clarity. Adjust card sizes to optimize layout and readability.
Step 5: Save and publish
Select Save to finalize your custom report. The report will appear in the reporting dashboard alongside built-in options.
Practical use cases: Create a custom report focused on regulatory compliance for auditors, another tracking vulnerability remediation progress for operations teams, and a third highlighting API security posture for DevOps leads.
- Duplicating and Modifying Existing Reports for Efficient Customization
Duplicating an existing report and modifying it saves time while ensuring you start from a validated baseline.
Step‑by‑Step Guide to Duplicate and Edit a Report
Step 1: Select a base report
From the Reporting page, select any existing report (built-in or custom) that you wish to use as a starting point.
Step 2: Create a duplicate
Select Duplicate. In the dialog, enter a new name, add a description, and set visibility preferences. Select OK to create the duplicate copy.
Step 3: Modify the duplicated report
Open the duplicated report and begin making changes. You can reorder sections, add new cards, remove unwanted cards, and modify card titles and sizes to match your specific requirements.
Step 4: Save your modifications
Select Save to preserve your changes. The modified report now exists alongside the original, allowing you to maintain multiple variations of similar reporting templates.
- Exporting Reports to PDF and Managing Access Controls
Sharing security insights with stakeholders and leadership requires controlled access and portable formats.
Step‑by‑Step Guide to Export and Control Report Access
Step 1: Export a report to PDF
Open the report you wish to share. Select Export to PDF from the report toolbar. Wait for the export process to complete. The PDF file automatically downloads to your local device.
Step 2: Understand visibility options
Three visibility levels control who can access each report:
- Private: Only you can view the report
- Tenant-level access: Users with tenant-wide permission to view data can access the report
- Public: All users within your tenant can view the report
Step 3: Update report visibility
To change a report’s visibility, open the report and select Settings or Edit. Change the visibility setting as needed, then select Save.
5. Extending Reporting with KQL and Automation
Beyond the UI-based reporting capabilities, advanced security teams can leverage Kusto Query Language (KQL) to build programmatic reporting and automated alerting.
Step‑by‑Step Guide to KQL-Powered Security Posture Monitoring
Step 1: Enable continuous export for security recommendations
Configure continuous export to send security recommendations from Defender for Cloud to a Log Analytics workspace. Navigate to Defender for Cloud → Environment settings → Select Subscription → Continuous Export and enable export for Security Recommendations to your chosen Log Analytics workspace.
Step 2: Write a KQL query to detect posture regressions
Use the following KQL query to identify resources that have changed from Healthy to Unhealthy status over the past two weeks:
// Get resources that are currently unhealthy within the last 7 days let now_unhealthy = SecurityRecommendation | where TimeGenerated > ago(7d) | where RecommendationState == "Unhealthy" // For each resource and recommendation, get the latest record | summarize arg_max(TimeGenerated, ) by AssessedResourceId, RecommendationId;
Source: Argon Systems
Step 3: Query the Enterprise Exposure Graph with KQL
For advanced risk hunting, leverage the Exposure Graph through Advanced Hunting. The `ExposureGraphNodes` table represents entities (virtual machines, user identities, databases, vulnerabilities), while `ExposureGraphEdges` captures relationships (access permissions, network connections, vulnerability exposures).
Example KQL query to find internet-exposed VMs with critical vulnerabilities:
ExposureGraphNodes
| where NodeLabel == "VirtualMachine"
| where NodeProperties.has("InternetExposed") and NodeProperties.has("CriticalVulnerability")
| project NodeId, NodeProperties
Step 4: Automate alerting with Azure Logic Apps
Create a scheduled Logic App that runs the KQL query periodically, formats results into an HTML table, and sends email alerts when regressions are detected. This creates a fully automated monitoring loop for security posture changes.
- Cloud Hardening Commands Across Azure, AWS, and GCP
Maintaining strong cloud security posture requires consistent hardening across all cloud environments.
Azure – Restrict public storage access
Azure PowerShell - Block public access on storage account Set-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "mystorageaccount" -PublicNetworkAccess "Disabled"
Source: Microsoft Learn
AWS – Enforce bucket encryption and block public ACLs
AWS CLI - Enable default encryption and block public access
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
GCP – Enforce uniform bucket-level access
gcloud CLI - Enforce uniform bucket-level access gsutil uniformbucketlevelaccess set on gs://my-bucket
Cross-cloud identity and key management
- Restrict inbound and outbound traffic with security groups, firewalls, and network access controls
- Implement private subnets for critical workloads
- Enable encryption at rest and in transit using AWS KMS, Azure Key Vault, and GCP Cloud KMS
- API Security Posture Management and Defender for Cloud CLI Integration
Modern cloud security must extend beyond infrastructure to include API protection and CI/CD pipeline security.
Enabling API Security Posture Management
The API Security Posture Management extension in Defender for Cloud automatically detects and assesses security risks across APIs hosted in Azure API Management, Function Apps, and Logic Apps. These capabilities are automatically available to all Defender for Cloud Security Posture Management (DCSPM) customers who have enabled the extension.
Defender for Cloud CLI for CI/CD Pipeline Scanning
The Defender for Cloud CLI embeds security scanning directly into CI/CD workflows. Connector-based authentication is currently available as the preferred method for Azure DevOps and GitHub integration.
Basic CLI authentication and scanning:
Register Microsoft.Security resource provider for a management group az provider register --namespace Microsoft.Security --management-group-id "your-mg-id"
Source: Microsoft Learn
What Undercode Say:
- Unified visibility transforms security operations – The integration of Defender for Cloud into the Defender portal eliminates the fragmented dashboard experience, enabling security teams to view posture, threats, and response across Azure, AWS, and GCP from a single pane of glass. This convergence reduces context-switching overhead and accelerates incident response.
-
Custom reporting shifts power to practitioners – The ability to duplicate, modify, and create reports from scratch moves security analytics from rigid templates to flexible, team-specific insights. Security engineers can now tailor dashboards for auditors, executives, and operations teams without waiting for product updates.
-
KQL unlocks programmatic security – While the UI provides accessible reporting, KQL transforms the Exposure Graph into a programmable security engine. Organizations investing in KQL skills can build reusable query libraries, automate regression detection, and perform multi-hop attack path analysis far beyond UI limitations.
-
Security posture must extend to APIs and pipelines – The addition of API Security Posture Management and Defender CLI reflects the reality that cloud attacks increasingly target APIs and development pipelines. Organizations must harden not just workloads but also the interfaces and workflows that connect them.
-
Automated remediation closes the detection gap – Combining KQL queries with Logic Apps enables proactive monitoring of security recommendation state changes. This closes the gap between detection and response, ensuring posture regressions are flagged immediately rather than discovered during periodic reviews.
Expected Output:
Organizations adopting the new Defender portal cloud security reporting capabilities can expect:
- Reduced reporting overhead: Security teams spend less time manually gathering data from multiple consoles and more time analyzing and acting on insights
- Improved stakeholder communication: PDF exports and tailored reports enable clear, consistent communication with leadership, auditors, and compliance teams
- Faster remediation prioritization: Built-in reports highlight high-risk areas and configuration gaps, enabling security teams to focus on what matters most
- Cross-cloud consistency: Unified reporting across Azure, AWS, and GCP provides a single source of truth for multi-cloud security posture
- Automated posture monitoring: KQL-powered automation catches security regressions in near real-time, preventing silent drift from compliance baselines
Prediction:
Over the next 12 to 18 months, cloud security reporting will shift decisively from static dashboards to dynamic, programmatic insights embedded directly into security workflows. Microsoft’s integration of reporting APIs, KQL queryability, and automation hooks signals a future where security teams no longer “check reports” but instead receive real-time alerts when posture changes. As AI workloads and API-driven architectures proliferate, expect Defender CSPM to deepen its AI Bill of Materials (AI BOM) capabilities and API security extensions, moving from reactive posture management to predictive risk anticipation. Organizations that fail to embrace this programmable approach will find themselves drowning in dashboards while attackers exploit the gaps between them.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Markolauren Cnapp – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


