Microsoft Defender for Cloud Apps: InsightIDR


I observed that we didn’t receive any ‘Microsoft Defender for Cloud Apps’ logs in Defender ATP logs.
Generic SIEM integration with Defender for Cloud Apps | Microsoft Docs → I came across this document but they suggested to install agent.
Is there option to send logs directly to IIDR?


Collect Azure Monitor events to offer Azure Security Center alerts as a third-party alert

Follow this. Azure Security Center has been rebranded to MS Defender for Cloud.


This is indeed for MS Defender for Cloud.
The question from @bhushan_ware seems to be for Microsoft Defender for Cloud Apps

AFAIK there is no direct integration. So you would have to setup the SIEM agent and send the syslog to the collector as a custom log. Within this log you could built custom alerts.

I do hope there is something on the roadmap to get this data as Cloud activity and Third Party Alert logs as there is an API

Ahh k… Like you said Defender for Cloud (previously Cloud App Security) doesn’t have the direct integration. We did exactly that and deployed their SIEM agent to ingest the events and from there pointed it to a collector.

We run custom alerts for certain things but its not pretty output… Certainly some room for improvement!

@ilyaaz_noerkhan @joe_delavalle Thank you for your inputs :blush:

Also have a look to the MS 365 Defender API. Some content from Defender for Cloud Apps are duplicated into this console.
It is easier to integrate as it is possible to stream data and alerts to an Event Hub and then pull data from collector.

Note that the incidents are not streamed via this method! They can only be collected via script and another API: List incidents API in Microsoft 365 Defender | Microsoft Docs