Defender for Cloud Alerts

Pulls security alert events from Microsoft Defender for Cloud.

Details

The Microsoft Defender for Cloud Alerts collector is designed to automatically ingest security alerts from Microsoft Defender for Cloud. It works by:

  1. Connecting to the Microsoft Defender for Cloud API using the provided credentials.
  2. Fetching alerts based on the configured subscription and tenant IDs.
  3. Processing and forwarding the alerts to your pipeline.
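The three steps above, carried out against the underlying REST APIs, as an added Python example that is not the collector's own code. It assumes the Entra ID v2 token endpoint with the client-credentials grant, the Azure Resource Manager "Alerts - List" operation under Microsoft.Security/alerts, and api-version 2022-01-01 (the version carried in the sample record below); the function names are mine.

```python
"""Fetch Defender for Cloud alerts with a client-credentials token (added example)."""
import json
import urllib.parse
import urllib.request
from typing import Optional

# Assumed endpoints: Entra ID v2 token endpoint and the ARM "Alerts - List"
# operation. API_VERSION matches the "version" field of the sample record.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ALERTS_URL = ("https://management.azure.com/subscriptions/{subscription_id}"
              "/providers/Microsoft.Security/alerts")
API_VERSION = "2022-01-01"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple:
    """Return (url, form-encoded body) for the OAuth2 client_credentials grant.
    The scope asks for an ARM token; Security Reader on the subscription is
    what lets that token list alerts."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://management.azure.com/.default",
    }).encode()
    return TOKEN_URL.format(tenant_id=tenant_id), body


def alerts_list_url(subscription_id: str) -> str:
    """Subscription-wide alert listing; the first page, later pages use nextLink."""
    return ALERTS_URL.format(subscription_id=subscription_id) + "?api-version=" + API_VERSION


def _get_json(url: str, data: Optional[bytes] = None, headers: Optional[dict] = None) -> dict:
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_alerts(tenant_id: str, subscription_id: str, client_id: str, client_secret: str) -> list:
    """Step 1: token; step 2: page through every alert; step 3 (forwarding) is left to the pipeline."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    token = _get_json(url, data=body)["access_token"]
    headers = {"Authorization": "Bearer " + token}
    alerts, next_url = [], alerts_list_url(subscription_id)
    while next_url:  # ARM list responses page via "nextLink"
        page = _get_json(next_url, headers=headers)
        alerts.extend(page.get("value", []))
        next_url = page.get("nextLink")
    return alerts
```

Each element of the returned list has the shape of the sample record below, so `properties.systemAlertId` is the stable key to use downstream.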

Requirements

Before using this collector, you need:

  1. A Microsoft Azure account with access to Microsoft Defender for Cloud.
  2. The following information from your Azure environment (see Setup section below for detailed instructions):
    • Tenant ID
    • Subscription ID
    • Client ID
    • Client Secret

Setup

To set up the required credentials and permissions:

  1. Register an Application in Azure Active Directory:

    • Navigate to Azure Portal → Azure Active Directory → App registrations
    • Click "New registration"
    • Enter a name for your application
    • Select "Accounts in this organizational directory only" under supported account types
    • Click "Register"
    • Note the "Application (client) ID" and "Directory (tenant) ID" from the overview page
  2. Create Client Secret:

    • In your registered application, go to "Certificates & secrets"
    • Click "New client secret"
    • Add a description and choose an expiration
    • Copy and securely store the generated secret value immediately (it won't be visible again)
  3. Assign Required Permissions:

    • In Azure Portal, navigate to your subscription
    • Select "Access control (IAM)"
    • Click "Add role assignment"
    • Choose "Security Reader" role
    • Select "Next"
    • In the "Assign access to" field, choose "User, group, or service principal"
    • Click "Select Members"
    • Search for and select your registered application (Note: Use the Object ID from the Application's overview page if the app isn't visible in the list)
    • Click "Review + assign" to complete the permission assignment
  4. Get Subscription ID:

    • In Azure Portal, go to "Subscriptions"
    • Copy your subscription ID

Configuration

The collector requires the following configuration:

Settings

Setting          Type    Required  Description
tenant_id        string  Yes       The tenant ID of the Azure AD directory associated with your Azure subscription.
subscription_id  string  Yes       The unique identifier of your Azure subscription, used to manage resources and billing in Azure Cloud.
cron             string  Yes       Cron schedule for periodic alert collection (e.g., "0 */1 * * *" for every hour).

Secrets

Secret         Type    Required  Description
client_id      string  Yes       The client ID of the Azure AD application.
client_secret  string  Yes       The client secret of the Azure AD application.

Data Retention

Important: Microsoft Defender for Cloud retains alerts for a limited period. Ensure your collection schedule is configured to collect alerts within this retention period to avoid data loss.

It's recommended to:

  • Set up your cron schedule to run at least daily
  • Implement monitoring to detect collection failures
  • Configure alerting for collection gaps that approach the retention limit

Note on Collection Behavior

Due to API limitations, this collector will fetch all alerts during each collection cycle, regardless of whether they were previously collected. This means:

  • Each run retrieves the complete set of available alerts
  • Deduplication may be necessary in downstream processing
  • Consider adjusting the collection frequency to balance completeness with API usage
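One way to do the downstream deduplication this section calls for, as an added Python example that is not part of the collector: it keys on `properties.systemAlertId`, re-emits an alert only when fields that matter to triage change (for example a status transition to "Resolved"), and prunes state for alerts that no longer come back from the API because they aged out of retention. The sample alerts are constructed, trimmed to the fields used, and shaped like the sample record below.

```python
"""Deduplicate re-fetched alerts across collection cycles (added example)."""

# Constructed sample alerts (trimmed to the fields this example uses).
RUN_1 = [
    {"properties": {"systemAlertId": "a-1", "status": "Active",
                    "timeGeneratedUtc": "2025-08-11T23:46:41Z", "severity": "High"}},
    {"properties": {"systemAlertId": "a-2", "status": "Active",
                    "timeGeneratedUtc": "2025-08-11T22:00:00Z", "severity": "Low"}},
]
RUN_2 = RUN_1[:1] + [  # a-1 unchanged, a-2 now resolved, a-3 new
    {"properties": {"systemAlertId": "a-2", "status": "Resolved",
                    "timeGeneratedUtc": "2025-08-11T22:00:00Z", "severity": "Low"}},
    {"properties": {"systemAlertId": "a-3", "status": "Active",
                    "timeGeneratedUtc": "2025-08-12T01:00:00Z", "severity": "Medium"}},
]


def fingerprint(alert: dict) -> tuple:
    """Fields whose change should re-emit an alert; status transitions matter to IR."""
    p = alert["properties"]
    return (p.get("status"), p.get("timeGeneratedUtc"), p.get("severity"))


def dedupe(seen: dict, fetched: list) -> tuple:
    """Return (alerts to forward, ids that aged out, new state).

    Every run returns the full alert set, so forward only alerts that are unseen
    or whose fingerprint changed; drop state for alerts the API no longer returns
    so the state dict stays bounded by the retention window."""
    forward, state = [], {}
    for alert in fetched:
        key = alert["properties"]["systemAlertId"]
        fp = fingerprint(alert)
        if seen.get(key) != fp:
            forward.append(alert)
        state[key] = fp
    expired = sorted(set(seen) - set(state))
    return forward, expired, state


if __name__ == "__main__":
    state = {}
    for run in (RUN_1, RUN_2):
        forward, expired, state = dedupe(state, run)
        print("forward:", [a["properties"]["systemAlertId"] for a in forward],
              "expired:", expired)
```

Persist `state` between cron runs (it is small: one tuple per live alert); if it is lost, the next run simply re-emits everything, which is the same behaviour as having no deduplication.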

Error Handling

The collector implements comprehensive error handling:

  1. API Connection Errors:

    • Logs detailed error messages
    • Retries failed operations based on configured retry logic
  2. Alert Processing Errors:

    • Logs alert-specific errors
    • Continues processing other alerts
    • Maintains data consistency

Monitoring

The collector provides the following monitoring capabilities:

  1. Logging:

    • Debug logs for detailed operations
    • Info logs for major events
    • Error logs for failures
    • Structured logging with relevant fields
  2. Metrics:

    • Number of alerts processed

Troubleshooting

Common issues and solutions:

  1. API Connection Issues:

    • Verify Azure credentials
    • Ensure proper permissions
  2. Missing Data Issues:

    • Verify your collection schedule is running frequently enough
    • Ensure no collection gaps exceed the retention period

Sample Record

{
  "id": "/subscriptions/9c2df136-7403-467f-91c5-a9e1599f5cd2/resourceGroups/Production/providers/Microsoft.Security/locations/northeurope/alerts/66af7e32-6598-e333-077d-49a0ad8f3e6f",
  "name": "95ef5bf2-ae92-7636-a30d-433214f63cd7",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "version": "2022-01-01",
    "alertType": "SUSPICIOUS_USER_ACTIVITY",
    "systemAlertId": "00c8d7b7-1d92-065a-498a-591bd2280823",
    "productComponentName": "Antimalware",
    "alertDisplayName": "Brute force attack against VM detected",
    "description": "This is a test alert generated by Azure Security Center. No further action is needed.",
    "severity": "High",
    "intent": "Credential Access",
    "startTimeUtc": "2025-08-11T23:46:41.135189Z",
    "endTimeUtc": "2025-08-11T23:46:41.135194Z",
    "resourceIdentifiers": [
      {
        "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/Development/providers/Microsoft.Compute/virtualMachines/database",
        "type": "AzureResource"
      },
      {
        "workspaceId": "aa614651-36cb-1ab7-c73a-b93761d91b9c",
        "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        "workspaceResourceGroup": "Production",
        "agentId": "39c22dc7-b441-6036-b64d-61b6b145a907",
        "type": "LogAnalytics"
      }
    ],
    "remediationSteps": [
      "Update VM security patches."
    ],
    "vendorName": "Microsoft",
    "status": "Resolved",
    "extendedLinks": [
      {
        "Category": "threat_reports",
        "Label": "Incident Response Guide",
        "Href": "https://azure.com/guidance/SecurityAlert",
        "Type": "webLink"
      }
    ],
    "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/301962fd-1037-0143-e7cd-7804d632c73b/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/Production/referencedFrom/alertDeepLink/location/westus2",
    "timeGeneratedUtc": "2025-08-11T23:46:41.135455Z",
    "productName": "Azure Security Center",
    "processingEndTimeUtc": "2025-08-11T23:46:41.135457Z",
    "entities": [
      {
        "address": "10.0.0.123",
        "location": {
          "countryCode": "jp",
          "state": "paris",
          "city": "tokyo",
          "longitude": 23,
          "latitude": 71,
          "asn": 11163
        },
        "type": "ip"
      }
    ],
    "isIncident": false,
    "correlationKey": "j2q9KLPzxUff7rqrk5hmrBJ+MY1BX806W6q6+Ab5Mx=",
    "extendedProperties": {
      "Property1": "Property1 information",
      "SourceSystem": "AzureMonitor",
      "ResourceType": "NetworkInterface",
      "ResourceRegion": "eastus"
    },
    "compromisedEntity": "appserver",
    "techniques": [
      "T1053"
    ],
    "subTechniques": [
      "T1059.001"
    ],
    "supportingEvidence": {
      "type": "tabularEvidences",
      "title": "Login Attempts",
      "columns": [
        "Date",
        "Activity",
        "User",
        "TestedText",
        "TestedValue"
      ],
      "rows": [
        [
          "2025-08-11T23:46:41.135702Z",
          "Network connection",
          "system",
          "true",
          true
        ],
        [
          "2025-08-11T23:46:41.135764Z",
          "Log on",
          "testUser2",
          "true",
          true
        ],
        [
          "2025-08-11T23:46:41.135821Z",
          "Log on",
          "guest3",
          "false",
          true
        ]
      ]
    }
  }
}