Defender for Cloud Compliance
Ingests compliance findings from Microsoft Defender for Cloud for audit and posture assessment.
Details
The Microsoft Defender for Cloud Compliance Results collector is designed to automatically ingest compliance results from Microsoft Defender for Cloud. It works by:
- Connecting to the Microsoft Defender for Cloud API using the provided credentials.
- Fetching compliance results based on the configured subscription and tenant IDs.
- Processing and forwarding the compliance results to your pipeline.
Requirements
Before using this collector, you need:
- A Microsoft Azure account with access to Microsoft Defender for Cloud.
- The following information from your Azure environment (see the Setup section below for detailed instructions):
  - Tenant ID
  - Subscription ID
  - Client ID
  - Client Secret
Setup
To set up the required credentials and permissions:

1. Register an Application in Azure Active Directory:
   - Navigate to Azure Portal → Azure Active Directory → App registrations
   - Click "New registration"
   - Enter a name for your application
   - Select "Accounts in this organizational directory only" under supported account types
   - Click "Register"
   - Note the "Application (client) ID" and "Directory (tenant) ID" from the overview page
2. Create Client Secret:
   - In your registered application, go to "Certificates & secrets"
   - Click "New client secret"
   - Add a description and choose an expiration
   - Copy and securely store the generated secret value immediately (it won't be visible again)
3. Assign Required Permissions:
   - In Azure Portal, navigate to your subscription
   - Select "Access control (IAM)"
   - Click "Add role assignment"
   - Choose the "Security Reader" role
   - Select "Next"
   - In the "Assign access to" field, choose "User, group, or service principal"
   - Click "Select Members"
   - Search for and select your registered application (Note: use the Object ID from the application's overview page if the app isn't visible in the list)
   - Click "Review + assign" to complete the permission assignment
4. Get Subscription ID:
   - In Azure Portal, go to "Subscriptions"
   - Copy your subscription ID
Related Articles
- Microsoft Defender for Cloud Documentation
- Azure Active Directory Documentation
- Microsoft Defender for Cloud Compliance Results API Reference
- Register Applications in Azure AD
- Microsoft Defender for Cloud Permissions
Configuration
The collector requires the following configuration:
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| tenant_id | string | Yes | The tenant ID of the Azure AD directory associated with your Azure subscription. |
| subscription_id | string | Yes | The unique identifier of your Azure subscription, used to manage resources and billing in Azure Cloud. |
| cron | string | Yes | Cron schedule for periodic collection of compliance results (e.g., "0 */1 * * *" for every hour). |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| client_id | string | Yes | The client ID of the Azure AD application |
| client_secret | string | Yes | The client secret of the Azure AD application |
Troubleshooting
Common issues and solutions:

- Authentication Problems:
  - Verify Azure AD app registration
  - Check role assignments
  - Confirm API permissions
  - Validate secret expiration
- Data Access Issues:
  - Verify subscription status
  - Check compliance standards enablement
  - Confirm resource provider registration
  - Review access policies
- Collection Gaps:
  - Monitor collection schedules
  - Check for failed runs
  - Verify retention settings
  - Adjust collection frequency
Sample Record
```json
{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/complianceResults/EnsureSecureTransferToStorageAccountIsEnabled",
  "name": "RemoveDeprecatedAccountsWithOwnerPermissions",
  "type": "Microsoft.Security/complianceResults",
  "properties": {
    "resourceStatus": "NotApplicable"
  }
}
```
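The fetch-and-process steps described under Details, as an added Python example that is not the collector's own code: it walks the paginated complianceResults list for one subscription, flattens each record into the fields seen in the sample record, and summarizes posture (status counts plus the assessments reported NotHealthy). Assumptions: the ARM list endpoint and api-version, the `value`/`nextLink` page shape, the `Healthy`/`NotHealthy` status values, and the two constructed pages; token acquisition with the configured tenant, client ID and client secret is left to the injected `fetch_json` callable.

```python
from collections import Counter
from typing import Callable, Iterable, Iterator

ARM = "https://management.azure.com"
API_VERSION = "2017-08-01"  # assumption: api-version for the complianceResults list call

def compliance_results_url(subscription_id: str) -> str:
    """List URL for one subscription's compliance results (ARM REST shape assumed)."""
    return (f"{ARM}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Security/complianceResults?api-version={API_VERSION}")

def iter_results(first_url: str, fetch_json: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every record, following ARM 'nextLink' pagination until it is absent."""
    url, seen = first_url, set()
    while url:
        if url in seen:  # a repeated nextLink would otherwise loop forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("nextLink")

def normalize(record: dict) -> dict:
    rid = record["id"]  # .../providers/Microsoft.Security/complianceResults/<assessment>
    return {"subscription_id": rid.split("/subscriptions/", 1)[1].split("/", 1)[0],
            "assessment": rid.rsplit("/", 1)[-1],
            "status": record.get("properties", {}).get("resourceStatus", "Unknown")}

def summarize(records: Iterable[dict]) -> dict:
    """Posture summary: count per status plus the assessments reported NotHealthy."""
    rows = [normalize(r) for r in records]
    return {"counts": dict(Counter(r["status"] for r in rows)),
            "failing": sorted(r["assessment"] for r in rows if r["status"] == "NotHealthy")}

# Constructed two-page response modelled on the sample record above (not real data).
_SUB = "00000000-0000-0000-0000-000000000000"
_PREFIX = f"/subscriptions/{_SUB}/providers/Microsoft.Security/complianceResults/"
def _rec(name: str, status: str) -> dict:
    return {"id": _PREFIX + name, "name": name, "type": "Microsoft.Security/complianceResults",
            "properties": {"resourceStatus": status}}
_PAGES = {
    compliance_results_url(_SUB): {
        "value": [_rec("EnsureSecureTransferToStorageAccountIsEnabled", "Healthy"),
                  _rec("RemoveDeprecatedAccountsWithOwnerPermissions", "NotHealthy")],
        "nextLink": f"{ARM}/constructed-page-2"},
    f"{ARM}/constructed-page-2": {"value": [_rec("ConstructedAssessmentX", "NotApplicable")]},
}

def demo() -> dict:
    # Dict lookup stands in for an authenticated HTTP GET against the constructed pages.
    return summarize(iter_results(compliance_results_url(_SUB), _PAGES.__getitem__))
```

In a real run, `fetch_json` would attach the bearer token obtained with the client credentials and surface 401/403 responses, which map directly to the Authentication Problems checklist above (expired secret, missing Security Reader assignment).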