Unified Cloud Security Reporting Now in Defender Portal – Executive Dashboard, Custom Reports, PDF Export, and RBAC Controls + Video

Listen to this Post

Featured Image

Introduction:

Modern cloud security operations often struggle with scattered dashboards, disjointed reporting tools, and an inability to translate raw telemetry into actionable executive insights. Microsoft Defender portal now closes this gap by introducing integrated cloud security reporting capabilities built on a Cloud-Native Application Protection Platform (CNAPP) foundation. These new tools allow security teams to move from fragmented visibility to unified reporting, transforming how organizations monitor secure score trends, vulnerability exposure, and compliance across Azure, AWS, and GCP workloads.

Learning Objectives:

  • Learn how to access and interpret built-in CNAPP Executive Summary and Cloud Posture reports within Defender portal
  • Master the creation of custom cloud security reports by defining sections, adding data cards, and adjusting layouts
  • Understand how to duplicate, modify, and control access to reports using visibility settings (Private, Tenant-level, Public)
  • Apply Kusto Query Language (KQL) to extend reporting capabilities and automate security posture monitoring
  • Implement cross-cloud hardening practices and leverage API security posture management extensions

You Should Know:

  1. Navigating Built-in Reports: CNAPP Executive Summary and Cloud Posture Dashboard

The Defender portal provides two foundational built-in reports that offer immediate visibility into cloud security posture.

Step‑by‑Step Guide to Access and Interpret Built-in Reports

Step 1: Access cloud security reports

Navigate to the Microsoft Defender portal (security.microsoft.com) and go to the Reporting page. Select the Cloud tab to reveal all available cloud security reports.

Step 2: Review the CNAPP Executive Summary

Select the CNAPP Executive Summary report. This high-level dashboard consolidates:

  • Overview: Snapshot of key security indicators across your environment
  • Secure Score: Historical trends with risk-based breakdowns
  • Vulnerability Management: Exposure metrics and remediation progress
  • Security Recommendations: Configuration gaps and best-practice deviations
  • Investigation & Response: Detection and response activity summary
  • Regulatory Compliance: Compliance posture across supported frameworks

Step 3: Analyze the Cloud Posture Report

The Cloud Posture report offers a centralized view of overall cloud security posture across environments. It highlights the cloud secure score, Defender CSPM plan coverage, actionable recommendations with remediation status, and regulatory compliance gaps.

Step 4: Apply filters and organize reports

Use filter options to refine the reports list by Report type (Built-in or Custom) or Visibility (Private, Tenant-level access, Public).

Step 5: Interpret secure score evolution

Pay attention to how the cloud secure score changes over time. The report provides breakdowns by environment and workload, helping identify areas with higher risk exposure or slower improvement rates.

Pro tip: Use the CNAPP Executive Summary for leadership briefings and high-level security reviews. Use the Cloud Posture report to monitor overall secure score progress and identify high-risk environments.

  1. Creating Custom Reports from Scratch for Specific Security Insights

When built-in reports don’t capture the exact metrics your organization needs, you can build fully customized reports tailored to your specific security use cases.

Step‑by‑Step Guide to Creating a Custom Report

Step 1: Initiate custom report creation

From the Reporting page, select Create report.

Step 2: Configure report metadata

Enter a descriptive Name for the report. Add a Description providing context about the report’s purpose. Configure Visibility settings to control who can access the report.

Step 3: Add content sections

Create logical sections to organize information within the report. Each section can contain multiple data cards that display specific security metrics or visualizations.

Step 4: Select and customize cards

Add cards to each section that display relevant data. Edit card titles as needed for clarity. Adjust card sizes to optimize layout and readability.

Step 5: Save and publish

Select Save to finalize your custom report. The report will appear in the reporting dashboard alongside built-in options.

Practical use cases: Create a custom report focused on regulatory compliance for auditors, another tracking vulnerability remediation progress for operations teams, and a third highlighting API security posture for DevOps leads.

  1. Duplicating and Modifying Existing Reports for Efficient Customization

Duplicating an existing report and modifying it saves time while ensuring you start from a validated baseline.

Step‑by‑Step Guide to Duplicate and Edit a Report

Step 1: Select a base report

From the Reporting page, select any existing report (built-in or custom) that you wish to use as a starting point.

Step 2: Create a duplicate

Select Duplicate. In the dialog, enter a new name, add a description, and set visibility preferences. Select OK to create the duplicate copy.

Step 3: Modify the duplicated report

Open the duplicated report and begin making changes. You can reorder sections, add new cards, remove unwanted cards, and modify card titles and sizes to match your specific requirements.

Step 4: Save your modifications

Select Save to preserve your changes. The modified report now exists alongside the original, allowing you to maintain multiple variations of similar reporting templates.

  1. Exporting Reports to PDF and Managing Access Controls

Sharing security insights with stakeholders and leadership requires controlled access and portable formats.

Step‑by‑Step Guide to Export and Control Report Access

Step 1: Export a report to PDF

Open the report you wish to share. Select Export to PDF from the report toolbar. Wait for the export process to complete. The PDF file automatically downloads to your local device.

Step 2: Understand visibility options

Three visibility levels control who can access each report:

  • Private: Only you can view the report
  • Tenant-level access: Users with tenant-wide permission to view data can access the report
  • Public: All users within your tenant can view the report

Step 3: Update report visibility

To change a report’s visibility, open the report and select Settings or Edit. Change the visibility setting as needed, then select Save.

5. Extending Reporting with KQL and Automation

Beyond the UI-based reporting capabilities, advanced security teams can leverage Kusto Query Language (KQL) to build programmatic reporting and automated alerting.

Step‑by‑Step Guide to KQL-Powered Security Posture Monitoring

Step 1: Enable continuous export for security recommendations

Configure continuous export to send security recommendations from Defender for Cloud to a Log Analytics workspace. Navigate to Defender for Cloud → Environment settings → Select Subscription → Continuous Export and enable export for Security Recommendations to your chosen Log Analytics workspace.

Step 2: Write a KQL query to detect posture regressions

Use the following KQL query to identify resources that have changed from Healthy to Unhealthy status over the past two weeks:

// Get resources that are currently unhealthy within the last 7 days
let now_unhealthy = SecurityRecommendation
| where TimeGenerated > ago(7d)
| where RecommendationState == "Unhealthy"
// For each resource and recommendation, get the latest record
| summarize arg_max(TimeGenerated, ) by AssessedResourceId, RecommendationId;

Source: Argon Systems

Step 3: Query the Enterprise Exposure Graph with KQL

For advanced risk hunting, leverage the Exposure Graph through Advanced Hunting. The `ExposureGraphNodes` table represents entities (virtual machines, user identities, databases, vulnerabilities), while `ExposureGraphEdges` captures relationships (access permissions, network connections, vulnerability exposures).

Example KQL query to find internet-exposed VMs with critical vulnerabilities:

ExposureGraphNodes
| where NodeLabel == "VirtualMachine"
| where NodeProperties.has("InternetExposed") and NodeProperties.has("CriticalVulnerability")
| project NodeId, NodeProperties

Step 4: Automate alerting with Azure Logic Apps

Create a scheduled Logic App that runs the KQL query periodically, formats results into an HTML table, and sends email alerts when regressions are detected. This creates a fully automated monitoring loop for security posture changes.

  1. Cloud Hardening Commands Across Azure, AWS, and GCP

Maintaining strong cloud security posture requires consistent hardening across all cloud environments.

Azure – Restrict public storage access

 Azure PowerShell - Block public access on storage account
Set-AzStorageAccount -ResourceGroupName "myResourceGroup" -Name "mystorageaccount" -PublicNetworkAccess "Disabled"

Source: Microsoft Learn

AWS – Enforce bucket encryption and block public ACLs

 AWS CLI - Enable default encryption and block public access
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

GCP – Enforce uniform bucket-level access

 gcloud CLI - Enforce uniform bucket-level access
gsutil uniformbucketlevelaccess set on gs://my-bucket

Cross-cloud identity and key management

  • Restrict inbound and outbound traffic with security groups, firewalls, and network access controls
  • Implement private subnets for critical workloads
  • Enable encryption at rest and in transit using AWS KMS, Azure Key Vault, and GCP Cloud KMS
  1. API Security Posture Management and Defender for Cloud CLI Integration

Modern cloud security must extend beyond infrastructure to include API protection and CI/CD pipeline security.

Enabling API Security Posture Management

The API Security Posture Management extension in Defender for Cloud automatically detects and assesses security risks across APIs hosted in Azure API Management, Function Apps, and Logic Apps. These capabilities are automatically available to all Defender for Cloud Security Posture Management (DCSPM) customers who have enabled the extension.

Defender for Cloud CLI for CI/CD Pipeline Scanning

The Defender for Cloud CLI embeds security scanning directly into CI/CD workflows. Connector-based authentication is currently available as the preferred method for Azure DevOps and GitHub integration.

Basic CLI authentication and scanning:

 Register Microsoft.Security resource provider for a management group
az provider register --namespace Microsoft.Security --management-group-id "your-mg-id"

Source: Microsoft Learn

What Undercode Say:

  • Unified visibility transforms security operations – The integration of Defender for Cloud into the Defender portal eliminates the fragmented dashboard experience, enabling security teams to view posture, threats, and response across Azure, AWS, and GCP from a single pane of glass. This convergence reduces context-switching overhead and accelerates incident response.

  • Custom reporting shifts power to practitioners – The ability to duplicate, modify, and create reports from scratch moves security analytics from rigid templates to flexible, team-specific insights. Security engineers can now tailor dashboards for auditors, executives, and operations teams without waiting for product updates.

  • KQL unlocks programmatic security – While the UI provides accessible reporting, KQL transforms the Exposure Graph into a programmable security engine. Organizations investing in KQL skills can build reusable query libraries, automate regression detection, and perform multi-hop attack path analysis far beyond UI limitations.

  • Security posture must extend to APIs and pipelines – The addition of API Security Posture Management and Defender CLI reflects the reality that cloud attacks increasingly target APIs and development pipelines. Organizations must harden not just workloads but also the interfaces and workflows that connect them.

  • Automated remediation closes the detection gap – Combining KQL queries with Logic Apps enables proactive monitoring of security recommendation state changes. This closes the gap between detection and response, ensuring posture regressions are flagged immediately rather than discovered during periodic reviews.

Expected Output:

Organizations adopting the new Defender portal cloud security reporting capabilities can expect:

  • Reduced reporting overhead: Security teams spend less time manually gathering data from multiple consoles and more time analyzing and acting on insights
  • Improved stakeholder communication: PDF exports and tailored reports enable clear, consistent communication with leadership, auditors, and compliance teams
  • Faster remediation prioritization: Built-in reports highlight high-risk areas and configuration gaps, enabling security teams to focus on what matters most
  • Cross-cloud consistency: Unified reporting across Azure, AWS, and GCP provides a single source of truth for multi-cloud security posture
  • Automated posture monitoring: KQL-powered automation catches security regressions in near real-time, preventing silent drift from compliance baselines

Prediction:

Over the next 12 to 18 months, cloud security reporting will shift decisively from static dashboards to dynamic, programmatic insights embedded directly into security workflows. Microsoft’s integration of reporting APIs, KQL queryability, and automation hooks signals a future where security teams no longer “check reports” but instead receive real-time alerts when posture changes. As AI workloads and API-driven architectures proliferate, expect Defender CSPM to deepen its AI Bill of Materials (AI BOM) capabilities and API security extensions, moving from reactive posture management to predictive risk anticipation. Organizations that fail to embrace this programmable approach will find themselves drowning in dashboards while attackers exploit the gaps between them.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Markolauren Cnapp – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky