Manage user data in Microsoft Defender for Cloud

This article provides information about how you can manage the user data in Microsoft Defender for Cloud. Managing user data includes the ability to access, delete, or export data.

Note

This article provides steps about how to delete personal data from the device or service and can be used to support your obligations under the GDPR. For general information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can access customer data within the tool. To learn more about the Account Administrator role, see Azure subscription administrators. To learn more about the Reader, Owner, and Contributor roles, see Built-in roles for Azure role-based access control.

Searching for and identifying personal data

A Defender for Cloud user can view their personal data through the Azure portal. Defender for Cloud only stores security contact details such as email addresses and phone numbers. For more information, see Provide security contact details in Microsoft Defender for Cloud.

In the Azure portal, a user can view allowed IP configurations using Defender for Cloud's just-in-time VM access feature. For more information, see Manage virtual machine access using just-in-time.

In the Azure portal, a user can view security alerts provided by Defender for Cloud including IP addresses and attacker details. For more information, see Managing and responding to security alerts in Microsoft Defender for Cloud.

Classifying personal data

You don't need to classify personal data found in Defender for Cloud's security contact feature. The data saved is an email address (or multiple email addresses) and a phone number. Contact data is validated by Defender for Cloud.

You don't need to classify the IP addresses and port numbers saved by Defender for Cloud's just-in-time feature.

Only a user assigned the role of Administrator can classify personal data by viewing alerts in Defender for Cloud.

Securing and controlling access to personal data

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can access security contact data.

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can access their just-in-time policies.

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can view their alerts.

Updating personal data

A Defender for Cloud user assigned the role of Owner, Contributor, or Account Administrator can update security contact data via the Azure portal.

A Defender for Cloud user assigned the role of Owner, Contributor, or Account Administrator can update their just-in-time policies.

An Account Administrator can't edit alert incidents. An alert incident is considered security data and is read only.

Deleting personal data

A Defender for Cloud user assigned the role of Owner, Contributor, or Account Administrator can delete security contact data via the Azure portal.

A Defender for Cloud user assigned the role of Owner, Contributor, or Account Administrator can delete the just-in-time policies via the Azure portal.

A Defender for Cloud user can't delete alert incidents. For security reasons, an alert incident is considered read-only data.

Exporting personal data

A Defender for Cloud user assigned the role of Reader, Owner, Contributor, or Account Administrator can export security contact data by:

  • Copying from the Azure portal
  • Executing the Azure REST API call, GET HTTP:
    GET https://<endpoint>/subscriptions/{subscriptionId}/providers/Microsoft.Security/securityContacts?api-version={api-version}
    

A Defender for Cloud user assigned the role of Account Administrator can export the just-in-time policies containing the IP addresses by:

  • Copying from the Azure portal
  • Executing the Azure REST API call, GET HTTP:
    GET https://<endpoint>/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Security/locations/{location}/jitNetworkAccessPolicies/default?api-version={api-version}
    

An Account Administrator can export the alert details by:

  • Copying from the Azure portal
  • Executing the Azure REST API call, GET HTTP:
    GET https://<endpoint>/subscriptions/{subscriptionId}/providers/microsoft.Security/alerts?api-version={api-version}
    

For more information, see Get Security Alerts (GET Collection).
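The three GET calls above can be scripted into a single export. The following Python script is an added example, not code from this article or from Microsoft: it builds the three request URLs, follows ARM `nextLink` paging (the alerts collection is returned in pages, which a single GET would silently truncate), and writes everything as JSON. The endpoint `https://management.azure.com` is the Azure public cloud ARM host (sovereign clouds differ), the `api-version` values are assumptions to be checked against the current REST reference, the bearer token is taken from a signed-in Azure CLI session, and the sample responses embedded for offline use are constructed, not real data. The caller still needs a role that is permitted to read each data set, as described above.

```python
"""Export Defender for Cloud security contacts, JIT policies and alerts via ARM REST."""
import json
import subprocess
import sys
import urllib.request
from typing import Callable, Dict, List

# ARM endpoint for the Azure public cloud; sovereign clouds use a different host (assumption).
ARM_ENDPOINT = "https://management.azure.com"

# api-version values are assumptions: confirm against the current REST reference before use.
API_VERSIONS = {
    "securityContacts": "2020-01-01-preview",
    "jitNetworkAccessPolicies": "2020-01-01",
    "alerts": "2022-01-01",
}


def security_contacts_url(subscription_id: str, endpoint: str = ARM_ENDPOINT) -> str:
    return (f"{endpoint}/subscriptions/{subscription_id}/providers/Microsoft.Security/"
            f"securityContacts?api-version={API_VERSIONS['securityContacts']}")


def jit_policy_url(subscription_id: str, resource_group: str, location: str,
                   endpoint: str = ARM_ENDPOINT) -> str:
    return (f"{endpoint}/subscriptions/{subscription_id}/resourceGroups/{resource_group}/"
            f"providers/Microsoft.Security/locations/{location}/jitNetworkAccessPolicies/default"
            f"?api-version={API_VERSIONS['jitNetworkAccessPolicies']}")


def alerts_url(subscription_id: str, endpoint: str = ARM_ENDPOINT) -> str:
    return (f"{endpoint}/subscriptions/{subscription_id}/providers/Microsoft.Security/"
            f"alerts?api-version={API_VERSIONS['alerts']}")


def fetch_all(url: str, get_json: Callable[[str], dict]) -> List[dict]:
    """Follow ARM collection paging: keep requesting 'nextLink' until it is absent.
    A single-resource response (no 'value' array) is returned as a one-item list."""
    items: List[dict] = []
    while url:
        body = get_json(url)
        if isinstance(body.get("value"), list):
            items.extend(body["value"])
        else:
            items.append(body)
        url = body.get("nextLink")
    return items


def export_personal_data(subscription_id: str, resource_group: str, location: str,
                         get_json: Callable[[str], dict]) -> Dict[str, List[dict]]:
    """Collect all three data sets; get_json is injected so the logic also runs offline."""
    return {
        "securityContacts": fetch_all(security_contacts_url(subscription_id), get_json),
        "jitNetworkAccessPolicies": fetch_all(
            jit_policy_url(subscription_id, resource_group, location), get_json),
        "alerts": fetch_all(alerts_url(subscription_id), get_json),
    }


def az_cli_token() -> str:
    """Bearer token for ARM from the signed-in Azure CLI session (run 'az login' first)."""
    out = subprocess.check_output(
        ["az", "account", "get-access-token", "--resource", ARM_ENDPOINT + "/", "-o", "json"])
    return json.loads(out)["accessToken"]


def arm_get(token: str) -> Callable[[str], dict]:
    """Return a get_json function that performs authenticated GETs against ARM."""
    def get_json(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get_json


# Constructed sample responses (not real data) so the paging logic can be exercised offline;
# the alerts collection is deliberately split over two pages via a hypothetical nextLink.
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
_ALERTS_PAGE_2 = alerts_url(SAMPLE_SUB) + "&$skipToken=page2"
SAMPLE_RESPONSES = {
    security_contacts_url(SAMPLE_SUB): {"value": [
        {"name": "default", "properties": {"email": "secops@example.com", "phone": "+1-555-0100"}}]},
    jit_policy_url(SAMPLE_SUB, "rg1", "eastus"): {"name": "default", "properties": {
        "virtualMachines": [{"id": "vm1", "ports": [
            {"number": 22, "allowedSourceAddressPrefix": "203.0.113.7"}]}]}},
    alerts_url(SAMPLE_SUB): {"value": [{"name": "alert-1"}, {"name": "alert-2"}],
                             "nextLink": _ALERTS_PAGE_2},
    _ALERTS_PAGE_2: {"value": [{"name": "alert-3"}]},
}


def demo_export() -> Dict[str, List[dict]]:
    """Run the export against the constructed responses; all three alerts are gathered."""
    return export_personal_data(SAMPLE_SUB, "rg1", "eastus", lambda url: SAMPLE_RESPONSES[url])


if __name__ == "__main__":
    if len(sys.argv) == 4:  # live run: <subscriptionId> <resourceGroup> <location>
        data = export_personal_data(*sys.argv[1:4], arm_get(az_cli_token()))
    else:
        data = demo_export()
    json.dump(data, sys.stdout, indent=2)
```

Run it with no arguments to see the offline result, or with a subscription ID, resource group and location after `az login` to export real data. A resource group with no JIT policy returns HTTP 404 for the `default` policy URL, which `urllib` raises as `HTTPError`; catch it if you want the other two data sets regardless. Each GET is itself recorded in the Azure Activity Log, consistent with the auditing section below.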

A Defender for Cloud user can choose to opt out by deleting their security contact data.

Just-in-time data is considered non-identifiable data and is retained for a period of 30 days.

Alert data is considered security data and is retained for a period of two years.

Auditing and reporting

Audit logs of security contact, just-in-time, and alert updates are maintained in Azure Activity Logs.