Microsoft Defender for Cloud


Overview

Collect logs and alerts from Microsoft Defender for Cloud.

Defender for Cloud is a cloud-native application protection platform (CNAPP) that monitors Microsoft Azure applications, gives insight into Azure security risks through cloud security posture management (CSPM), and protects Azure cloud workloads for servers, containers, storage, and databases (CWPP).

Enable Datadog Cloud SIEM to use out-of-the-box security rules to monitor your Azure environment alongside your other security infrastructure.

Setup

Installation

This integration requires that the Datadog Azure integration is enabled. It forwards logs to Datadog from Azure through Azure Event Hubs. The integration requires the log forwarder to be version 1.0.1 or later.

Configuration

Configure Defender for Cloud to continuously export logs to the event hub. No additional configuration is needed within Datadog.

Validation

Follow these instructions from Microsoft to generate sample alerts in Defender for Cloud.

Defender for Cloud logs can be accessed using source:microsoft-defender-for-cloud in Log Management.

If using Datadog Cloud SIEM, confirm that the Microsoft Defender for Cloud detection rules are enabled:

  1. In the Datadog menu, go to Security > Configuration and expand Cloud SIEM.
  2. Select “Detection Rules”. On the right-hand side, click the Group By selector and select Source to group the detection rules by source.
  3. Scroll down and expand the section titled Azure. Scroll through the list to find the Microsoft Defender for Cloud rules. Make sure the rules are toggled on.

Data Collected

Metrics

Microsoft Defender for Cloud does not include any metrics.

Service Checks

Microsoft Defender for Cloud does not include any service checks.

Events

Microsoft Defender for Cloud does not include any events.

Troubleshooting

To confirm that Cloud SIEM is receiving Defender for Cloud alerts, follow these steps:

  1. In the Datadog menu, go to Security > Configuration and expand Cloud SIEM.
  2. Select Log Sources and scroll down to Azure.
  3. Review whether Microsoft Defender for Cloud is listed as Installed.
  4. Inspect the column chart to confirm that logs are being received.
  5. If logs are being received, go to Logs > Search and search for source:microsoft-defender-for-cloud. You may need to change the time window for logs to appear.
  6. Inspect the logs and confirm that they are properly formed.

If you are still having trouble, contact Datadog support.