I observed that we didn’t receive any ‘Microsoft Defender for Cloud Apps’ logs in Defender ATP logs.
Generic SIEM integration with Defender for Cloud Apps | Microsoft Docs → I came across this document, but they suggest installing an agent.
Is there an option to send logs directly to IIDR?
This is indeed for MS Defender for Cloud.
The question from @bhushan_ware seems to be for Microsoft Defender for Cloud Apps.
AFAIK there is no direct integration. So you would have to set up the SIEM agent and send the syslog to the collector as a custom log. Within this log you could build custom alerts.
I do hope there is something on the roadmap to get this data as Cloud activity and Third Party Alert logs, as there is an API.
Ahh k… Like you said, Defender for Cloud (previously Cloud App Security) doesn’t have the direct integration. We did exactly that and deployed their SIEM agent to ingest the events, and from there pointed it to a collector.
We run custom alerts for certain things, but it’s not pretty output… Certainly some room for improvement!
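The two replies above describe the same workaround: the SIEM agent forwards events as syslog to a collector, the collector stores them as a custom log, and alerting is built on top of that custom log. The following is an added example (not code from this thread, from Microsoft, or from any collector vendor) of what the "custom alert on a custom log" step can look like in Python: it parses syslog lines carrying a CEF payload and evaluates a simple rule set over them. The sample lines are constructed for illustration and do not reproduce real Microsoft Defender for Cloud Apps output; the vendor name, product name, extension field names and the severity threshold are all assumptions.

```python
"""Parse CEF-formatted syslog lines from a SIEM agent and evaluate a custom alert rule.

Added example, not from the thread above. The log lines are constructed for
illustration and do not reproduce real Microsoft Defender for Cloud Apps output;
the vendor, product and extension field names are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: syslog PRI/timestamp/host prefix followed by a CEF payload,
# the shape a SIEM agent forwarding to a collector typically produces (assumed here).
SAMPLE_LINES = [
    "<134>Mar 10 09:12:01 mcas-agent CEF:0|ExampleVendor|CloudAppsSIEM|1.0|ALERT_IMPOSSIBLE_TRAVEL|Impossible travel|8|suser=alice@example.com src=203.0.113.5 cs1Label=policy cs1=Impossible travel msg=Sign-in from two distant locations",
    "<134>Mar 10 09:12:07 mcas-agent CEF:0|ExampleVendor|CloudAppsSIEM|1.0|ACTIVITY_LOGIN|Log on|3|suser=bob@example.com src=198.51.100.7 act=Log on app=Office 365",
    "<134>Mar 10 09:13:44 mcas-agent CEF:0|ExampleVendor|CloudAppsSIEM|1.0|ALERT_MASS_DOWNLOAD|Mass download|7|suser=alice@example.com src=203.0.113.5 cnt=412 msg=Unusual download volume",
]

CEF_START = re.compile(r"CEF:(\d+)\|")
# CEF escapes a literal '|' inside header fields as '\|'; split only on unescaped pipes.
HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension pairs are key=value; a value runs until the next " key=" token or end of
# line, so values containing spaces (e.g. msg=...) are kept whole.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

HIGH_SEVERITY = 7  # threshold for the example rule below (assumption)


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    product_version: str
    signature_id: str
    name: str
    severity: int
    extensions: Dict[str, str] = field(default_factory=dict)


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; raises ValueError on malformed input."""
    start = CEF_START.search(line)
    if start is None:
        raise ValueError("no CEF payload in line")
    # Header: Vendor|Product|Version|SignatureID|Name|Severity, then the extension block.
    parts = HEADER_SPLIT.split(line[start.end():], maxsplit=6)
    if len(parts) != 7:
        raise ValueError("CEF header has wrong field count")
    vendor, product, pver, sig, name, sev, ext = (p.replace("\\|", "|") for p in parts)
    extensions = {k: v.strip() for k, v in EXT_PAIR.findall(ext)}
    return CefEvent(int(start.group(1)), vendor, product, pver, sig, name, int(sev), extensions)


def custom_alerts(events: List[CefEvent]) -> List[dict]:
    """Example custom alert logic over parsed events:
    - flag any event at or above HIGH_SEVERITY;
    - flag a user who appears in two or more ALERT_* events within the batch.
    """
    findings: List[dict] = []
    alerts_per_user: Dict[str, int] = {}
    for ev in events:
        user = ev.extensions.get("suser", "<unknown>")
        if ev.severity >= HIGH_SEVERITY:
            findings.append({"rule": "high_severity", "user": user, "signature": ev.signature_id})
        if ev.signature_id.startswith("ALERT_"):
            alerts_per_user[user] = alerts_per_user.get(user, 0) + 1
    for user, n in sorted(alerts_per_user.items()):
        if n >= 2:
            findings.append({"rule": "repeated_alerts", "user": user, "count": n})
    return findings


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LINES]
    for finding in custom_alerts(parsed):
        print(finding)
```

Because the collector only sees an opaque custom log, the parsing step is what turns the forwarded text into fields (user, source IP, signature, severity) that a rule can reference; the two rules here are deliberately simple stand-ins for whatever a team actually wants to alert on, and the same structure extends to the more polished output the last reply says is still missing.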