Skip to main content

Microsoft Defender for Cloud

Download With Dependencies

Unified security management and advanced threat protection across hybrid cloud workloads.

When migrating to Infrastructure-as-a-Service (IaaS), you are responsible for securing your environment.
This means you need to secure your network and services.
These processes were normally handled by your cloud provider within a Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) environment.
Azure Security Center provides threat protection for data centers within both cloud workloads and on-premises.

What does this pack do?

  • Apply security policies across your workloads.
  • Limit your exposure to threats.
  • Detect and respond to attacks.

License information

Must be enabled on at least 1 Azure subscription.

When migrating to Infrastructure-as-a-Service (IaaS), you are responsible for securing your environment.
This means you need to secure your network and services.
These processes were normally handled by your cloud provider within a Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) environment.
Azure Security Center provides threat protection for data centers within both cloud workloads and on-premises.

What does this pack do?

  • Apply security policies across your workloads.
  • Limit your exposure to threats.
  • Detect and respond to attacks.

License information

Must be enabled on at least 1 Azure subscription.

This pack includes:

Log Normalization - XDM mapping.

Supported Event Types:

Security Alerts

Supported Timestamp Formats:

MMM DD YYYY HH:MM:SS (UTC)


Data Collection

Cortex XSIAM supports two methods to fetch alerts from Microsoft Defender for Cloud:

  • Microsoft Defender for Cloud collector (API Collection).
  • Azure Event Hub.

Microsoft Defender for Cloud collector

This collection method is more relevant in cases where the number of subscriptions is low, as each integration's instance refers to one subscription.

For more information on how to configure this integration, refer to the integration's docs:

  1. Navigate to settingsAutomation & Feed Integrations.

  2. Search for Microsoft Defender for Cloud.

  3. Click + Add instance.

Azure Event Hub

This collection method is more relevant in cases where the number of subscriptions is high, and you want to stream alerts at the tenant level.
Nevertheless, it supports alerts streaming at the subscription level as well.

Prerequisites

  • Create an Azure event hub. For more information, refer to Microsoft's official documentation.
  • Make sure that you have permissions for the root management group.

Stream alerts with Continuous Export to Event Hub

Refer to the following links for detailed instructions:

More information can be found here.

Cortex XSIAM side

To connect Cortex XSIAM to the Azure Event Hub, follow the below steps.

Azure Event Hub Collector

  1. Navigate to SettingsData Sources.
  2. If you have already configured an Azure Event Hub Collector, select the 3 dots, and then select + Add New Instance. If not, select + Add Data Source, search for "Azure Event Hub" and then select Connect.
  3. Fill in the attributes based on the Azure Event Hub you streamed your data to.
  4. Uncheck the Use audit logs in analytics checkbox.
  5. Set the below values:
    • Vendor - microsoft
    • Product - defender_for_cloud
    • Log Format - JSON

More information can be found here.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedSeptember 7, 2020
Last ReleaseNovember 26, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.