Microsoft Defender for Cloud Apps: InsightIDR

Hey,

I observed that we didn’t receive any ‘Microsoft Defender for Cloud Apps’ logs in the Defender ATP logs.
Generic SIEM integration with Defender for Cloud Apps | Microsoft Docs → I came across this document, but they suggest installing an agent.
Is there an option to send logs directly to IIDR?

Thanks

Collect Azure Monitor events to offer Azure Security Center alerts as a third-party alert

Follow this. Azure Security Center has been rebranded to MS Defender for Cloud.


This is indeed for MS Defender for Cloud.
The question from @bhushan_ware seems to be for Microsoft Defender for Cloud Apps

AFAIK there is no direct integration. So you would have to set up the SIEM agent and send the syslog to the collector as a custom log. Within this log you could build custom alerts.

I do hope there is something on the roadmap to get this data as Cloud activity and Third Party Alert logs, as there is an API.

Ahh k… Like you said, Defender for Cloud (previously Cloud App Security) doesn’t have the direct integration. We did exactly that and deployed their SIEM agent to ingest the events, and from there pointed it to a collector.

We run custom alerts for certain things, but it’s not pretty output… Certainly some room for improvement!

@ilyaaz_noerkhan @joe_delavalle Thank you for your inputs :blush:

Hi!
Also have a look at the MS 365 Defender API. Some content from Defender for Cloud Apps is duplicated into this console.
It is easier to integrate, as it is possible to stream data and alerts to an Event Hub and then pull the data from a collector.

Note that the incidents are not streamed via this method! They can only be collected via script and another API: List incidents API in Microsoft 365 Defender | Microsoft Docs


Sorry to dig up an old post. I just wondered if anyone had found a way to generate events for the “Microsoft Defender for Cloud Apps” alerts or if it’s still a case of creating a custom parser/detection rules from the event hub feed?
