Microsoft Defender for Cloud in the Microsoft Defender portal
Applies to:
Microsoft Defender for Cloud is now part of Microsoft Defender XDR. Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal, providing richer context to investigations that span cloud resources, devices, and identities. In addition, security teams can get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment, through immediate correlations of alerts and incidents.
The Microsoft Defender portal combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.
Moreover, the Defender for Cloud incidents and alerts are now part of Microsoft Defender XDR's public API. This integration allows exporting of security alerts data to any system using a single API.
Prerequisite
To ensure access to Defender for Cloud alerts in the Microsoft Defender portal, you must be subscribed to any of the plans listed in Connect your Azure subscriptions.
Required permissions
You must be a global administrator or a security administrator in Azure Active Directory to view Defender for Cloud alerts and correlations. For users that don't have these roles, the integration is available only by applying unified role-based access control (RBAC) roles for Defender for Cloud.
Note
The permission to view Defender for Cloud alerts and correlations is automatic for the entire tenant. Viewing for specific subscriptions is not supported.
Investigation experience in the Microsoft Defender portal
The following section describes the detection and investigation experience in the Microsoft Defender portal with Defender for Cloud alerts.
Note
Informational alerts from Defender for Cloud are not integrated to the Microsoft Defender portal to allow focus on the relevant and high severity alerts. This strategy streamlines management of incidents and reduces alert fatigue.
| Area | Description |
|---|---|
| Incidents | All Defender for Cloud incidents will be integrated to the Microsoft Defender portal. - Searching for cloud resource assets in the incident queue is supported. - The attack story graph will show the cloud resource. - The assets tab in an incident page will show the cloud resource. - Each virtual machine has its own device page containing all related alerts and activity. There will be no duplication of incidents from other Defender workloads. |
| Alerts | All Defender for Cloud alerts, including multi-cloud, internal and external providers' alerts will be integrated to the Microsoft Defender portal. Defender for Cloud alerts will show on the Microsoft Defender portal alert queue. The cloud resource asset will show up in the Asset tab of an alert. Resources are clearly identified as an Azure, Amazon, or a Google Cloud resource.Defender for Cloud alerts will automatically be associated with a tenant.There will be no duplication of alerts from other Defender workloads. |
| Alert and incident correlation | Alerts and incidents are automatically correlated, providing robust context to security operations teams to understand the complete attack story in their cloud environment. |
| Threat detection | Accurate matching of virtual entities to device entities to ensure precision and effective threat detection. |
| Unified API | Defender for Cloud alerts and incidents are now included in Microsoft Defender XDR's public API, allowing customers to export their security alerts data into other systems using one API. |
Impact to Microsoft Sentinel users
Microsoft Sentinel customers integrating Microsoft Defender XDR incidents and ingesting Defender for Cloud alerts are required to make the following configuration changes to ensure that duplicate alerts and incidents aren't created:
- Connect the Tenant-based Microsoft Defender for Cloud (Preview) connector to synchronize collection of alerts from all your subscriptions with tenant-based Defender for Cloud incidents that are streaming through the Microsoft Defender XDR Incidents connector.
- Disconnect the Subscription-based Microsoft Defender for Cloud (Legacy) alerts connector to prevent alert duplicates.
- Turn off any analytics rules—either Scheduled (regular query-type) or Microsoft security (incident creation) rules—used to create incidents from Defender for Cloud alerts. Defender for Cloud Incidents are created automatically in the Defender portal and synchronized with Microsoft Sentinel.
- If necessary, use automation rules to close noisy incidents, or use the built-in tuning capabilities in the Defender portal to suppress certain alerts.
The following change should also be noted:
- The action to relate alerts to the Microsoft Defender portal incidents is removed.
Learn more at Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration.
Turn off Defender for Cloud alerts
The alerts for Defender for Cloud are turned on by default. To maintain your subscription-based settings and avoid tenant-based sync or to opt out from the experience, perform the following steps:
- In the Microsoft Defender portal, go to Settings > Microsoft Defender XDR.
- In Alert service settings, look for Microsoft Defender for Cloud alerts.
- Select No alerts to turn off all Defender for Cloud alerts. Selecting this option stops the ingestion of new Defender for Cloud alerts to the portal. Alerts previously ingested remain in an alert or incident page.
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for