I do NOT receive events from Microsoft Defender for Cloud Apps - using generic siem configuration

Raymundo L 1 Reputation point
2022-02-20T02:07:04.713+00:00

After configuring the SIEM agent and running the jar file, I am not receiving events on my syslog server. I already changed the port, used another protocol, and tried it from another computer, with the same result.


1 answer

  1. Marilee Turscak-MSFT 36,841 Reputation points Microsoft Employee
    2022-02-23T00:56:40.497+00:00

    Hi @Raymundo L ,

    Summary
    I understand that you are having issues receiving events from Microsoft Defender for Cloud Apps in your syslog notifications.

    Symptom and possible causes

    This can happen if there are no security events to display, if there is some configuration missing, or if there is a connectivity issue.

    If you have any health alerts or recommendations in your tenant, those may be causing a connectivity issue, and I recommend resolving those alerts before troubleshooting the syslog notifications. I have particularly seen this in cases where domain controllers needed to be restarted or needed increased RAM.

    Troubleshooting steps

    The best way to test this and isolate the issue is to perform a simulation of “Network-mapping reconnaissance (DNS)”, where you can verify if you receive an alert after following the steps in this article.

    After the simulation test, you will be able to share whether there is a mismatch between the events displayed in the portal and the notifications.

    I would also verify whether the test message is working in the Defender for Identity portal under settings > Notifications and Reports > Notifications and share a screenshot of which types of notifications you have chosen to send.


    https://learn.microsoft.com/en-us/defender-for-identity/setting-syslog

    https://learn.microsoft.com/en-us/microsoft-365/security/defender-identity/notifications?view=o365-worldwide

    If you are still having this issue and share the results of these tests, it will be easier to isolate the issue.

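The answer's three candidate causes (no events, missing configuration, no connectivity) can be separated on the syslog host itself. The following is an added example, not Microsoft's code or the SIEM agent's: a throwaway listener that binds the port the agent was configured with, counts what arrives, and parses the CEF lines the Defender for Cloud Apps SIEM agent emits. The sample event used in the test is constructed; the regexes ignore CEF backslash escaping for brevity.

```python
import re
import socket
import time

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_RE = re.compile(r"CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # extension values may contain spaces

def parse_cef(line: str) -> "dict | None":
    """Parse one syslog line carrying a CEF event; None if the line is not CEF."""
    m = CEF_RE.search(line)
    if not m:
        return None
    _v, vendor, product, _pv, sig_id, name, sev, ext = m.groups()
    event = {"vendor": vendor, "product": product, "signature_id": sig_id,
             "name": name, "severity": int(sev) if sev.isdigit() else sev}
    event.update(EXT_RE.findall(ext))
    return event

def diagnose(raw_lines: int, cef_events: int) -> str:
    """Map what the listener saw onto the causes named in the answer."""
    if raw_lines == 0:
        return "nothing arrived: connectivity, firewall, or agent host/port/protocol mismatch"
    if cef_events == 0:
        return "data arrived but no CEF: wrong sender or format, inspect the raw lines"
    return "events received: compare counts with the portal's activity and alert logs"

def listen(port: int, proto: str = "udp", seconds: float = 60.0) -> tuple:
    # Bind on all interfaces and count raw lines and CEF events until the deadline.
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    raw = cef = 0
    deadline = time.monotonic() + seconds
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("0.0.0.0", port))
        srv.settimeout(seconds)
        src = srv
        if proto == "tcp":                 # one sender is enough for a diagnosis
            srv.listen(1)
            src, _ = srv.accept()          # raises socket.timeout if nobody connects
        src.settimeout(1.0)
        while time.monotonic() < deadline:
            try:
                data = src.recv(65535)
            except socket.timeout:
                continue
            if not data:                   # TCP peer closed the connection
                break
            for line in data.decode("utf-8", "replace").splitlines():
                raw += 1
                cef += parse_cef(line) is not None
    return raw, cef
```

Run `print(diagnose(*listen(514, "udp", 120)))` on the syslog host while the agent is running and a test notification or simulated activity is generated; stop the real syslog daemon first so the port is free.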
