Microsoft Defender for Cloud
Overview
Collect logs and alerts from Microsoft Defender for Cloud.
Defender for Cloud is a cloud-native application protection platform (CNAPP) that monitors Microsoft Azure applications, gives insight into Azure security risks through cloud security posture management (CSPM), and protects Azure cloud workloads for servers, containers, storage, and databases (CWPP).
Enable Datadog Cloud SIEM to use out-of-the-box security rules to monitor your Azure environment alongside the rest of your security infrastructure.
Setup
Installation
This integration requires that the Datadog Azure integration is enabled. It forwards logs to Datadog through Azure using event hubs, and requires the log forwarder to be version 1.0.1 or later.
Configuration
Configure Defender for Cloud to continuously export logs to the event hub. No additional configuration is needed within Datadog.
Validation
Follow these instructions from Microsoft to generate sample alerts in Defender for Cloud.
Defender for Cloud logs can be accessed using source:microsoft-defender-for-cloud in Log Management.
If using Datadog Cloud SIEM, confirm that the Microsoft Defender for Cloud detection rules are enabled:
- In the Datadog menu, go to Security > Configuration and expand Cloud SIEM.
- Select “Detection Rules”. On the right-hand side, click the Group By selector and select Source to group the detection rules by source.
- Scroll down and expand the section titled Azure. Scroll through the list to find the Microsoft Defender for Cloud rules. Make sure the rules are toggled on.
Data Collected
Metrics
Microsoft Defender for Cloud does not include any metrics.
Service Checks
Microsoft Defender for Cloud does not include any service checks.
Events
Microsoft Defender for Cloud does not include any events.
Troubleshooting
To confirm that Cloud SIEM is receiving Defender for Cloud Alerts, follow these steps:
- In the Datadog menu, go to Security > Configuration and expand Cloud SIEM.
- Select Log Sources and scroll down to Azure.
- Review whether Microsoft Defender for Cloud is listed as Installed.
- Inspect the column chart to confirm that logs are being received.
- If logs are being received, go to Logs > Search and search for source:microsoft-defender-for-cloud. You may need to change the time window for logs to appear.
- Inspect the logs and confirm that they are properly formed.
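The same check, scripted, as an added example that is not part of the Datadog documentation: it runs the source:microsoft-defender-for-cloud search against the Datadog Logs Search API over a chosen time window and reports how many logs came back and which look malformed. It assumes the DD_API_KEY and DD_APP_KEY environment variables, the api.datadoghq.com site, and that a well-formed log at minimum carries the source tag and a message (that field check is an assumption, not a documented schema).

```python
# Added example, not from the Datadog docs: query the Datadog Logs Search API for
# source:microsoft-defender-for-cloud and report how many logs arrived and which look
# malformed. Assumes DD_API_KEY/DD_APP_KEY are set and the api.datadoghq.com site.
import json
import os
import urllib.request

QUERY = "source:microsoft-defender-for-cloud"


def build_search_body(window="now-1h", limit=50):
    """Body for POST /api/v2/logs/events/search; widen `window` if nothing appears."""
    return {
        "filter": {"query": QUERY, "from": window, "to": "now"},
        "page": {"limit": limit},
        "sort": "-timestamp",
    }


def summarize_results(response):
    """Return (count, malformed_ids). A log counts as malformed here when it
    lacks the source tag or a message (assumed minimum for a well-formed alert)."""
    data = response.get("data", [])
    malformed = []
    for event in data:
        attrs = event.get("attributes", {})
        if QUERY not in attrs.get("tags", []) or not attrs.get("message"):
            malformed.append(event.get("id"))
    return len(data), malformed


def search_logs(body, site="api.datadoghq.com"):
    # Sends the search using the API and application keys from the environment.
    req = urllib.request.Request(
        f"https://{site}/api/v2/logs/events/search",
        data=json.dumps(body).encode(),
        headers={
            "Content-Type": "application/json",
            "DD-API-KEY": os.environ["DD_API_KEY"],
            "DD-APPLICATION-KEY": os.environ["DD_APP_KEY"],
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    count, bad = summarize_results(search_logs(build_search_body()))
    print(f"{count} Defender for Cloud logs in window; malformed ids: {bad}")
```

A count of zero with no malformed ids usually means the time window is too narrow or continuous export has not delivered yet; malformed ids point at the forwarder rather than at Defender for Cloud.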
If you are still having trouble, contact Datadog support.