Recent Discussions
Updating SDK for Java used by Defender for Server/CSPM in AWS
Hi, I have a customer who is Defender for Cloud/CSPM in AWS. Last week, Cloud AWS Health Dashboard lit up with a recommendation around the use of AWS SDK for Java 1.x in their organization. This version will reach end of support on December 31, 2025. The recommendation is to migrate to AWS SDK for Java 2.x. The issue is present in all of AWS workload accounts. They found that a large amount of these alerts is caused by the Defender CSPM service, running remotely, and using AWS SDK for Java 1.x. Customer attaching a couple of sample events that were gathered from the CloudTrail logs. Please note that in both cases: assumed-role: DefenderForCloud-Ciem sourceIP: 20.237.136.191 (MS Azure range) userAgent: aws-sdk-java/1.12.742 Linux/6.6.112.1-2.azl3 OpenJDK_64-Bit_Server_VM/21.0.9+10-LTS java/21.0.9 kotlin/1.6.20 vendor/Microsoft cfg/retry-mode/legacy cfg/auth-source#unknown Can someone provide guidance about this? How to find out if DfC is going to leverage AWS SDK for Java 2.x after Dec 31, 2025? Thanks, Terru
MCAS logcollector docker image : 0 logs received
I followed that documentation : https://learn.microsoft.com/en-us/defender-cloud-apps/discovery-docker-ubuntu?tabs=ubuntu My Collector is displaying a connected status in the console : But as you can see, no data was received, and if I do a collector_status -P on my docker : I checked all possible logs files, nothing helped me So if someone can help about that.. Thank you !
Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent
I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one. Current Setup: I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables: Defender for Cloud Plan P2 Endpoint Protection Agentless scanning I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error. What I’ve Tried: For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No. Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for: All existing subscriptions Any new subscriptions created in the future Goal: No manual intervention in Defender for Cloud portal Fully automated via Azure Policy or another recommended approach uestions: Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level? Are there ARM templates, Bicep modules, Powershell scripts or REST API calls that can toggle these settings programmatically? Any best practices for ensuring compliance across multiple subscriptions? Any help is much appreciated and looking forward to your expertise! Thank you in advance. Best Regards, Pascal Slot
Problem with MDCA Session Control and Google Workspace
We have implemented MDCA Session Control with Google Workspace in a Customer. Almost all Google apps work and they are protected by Session Control, but we have found problems with Gemini, Analytics and Google Search. These apps don´t open under session control and it seems some kind of problems with SSO. Do anyone knows any fix for the problem?About Defender for Cloud aggregated logs in Advanced Hunting
Hi, I create this threat hoping that the Microsoft team will read and hopefully provide insights about future changes and roadmap. When SOC teams use a non-Microsoft SIEM/SOAR, they need to export logs from M365 and Azure, and send them to the third-party SIEM/SOAR solution. • For M365 logs, there is the M365XDR connector that allows exporting logs using an Event Hub. • For Azure logs, we used to configure diagnostics settings and send them to an Event Hub. This began to change with new features within Defender for Cloud (c.f. picture).: • Defender for Resource Manager now sends Azure Activity logs to M365XDR portal, and can be exported using M365XDR Streaming API • Defender for Storage now sends logs to M365XDR portal, and can be exported using M365XDR Streaming API (c.f. https://www.youtube.com/watch?v=Yraeks8c8hg&t=1s). This is great as it is easy to configure and doesn't interfere with infrastructure teams managing operational logs through diagnostic settings. I have two questions : • Is there any documentation about this? I didn't find any? • What can we expect in the future weeks, months regarding this native logs collection feature through various Defender for Cloud products? For example, can we expect Defender for SQL to send logs to M365XDR natively? Thanks for you support!File Integrity Monitoring - Agentless Issues in Detecting Changes to Files
Hello! Looks like there have been some recent updates made to File Integrity Monitoring. After reviewing the MS documentation https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview#recommended-items-to-monitor it looks like you can now create custom Rules for Files and for custom Registry keys. From what I can gather from the documentation, agentless scans are used for custom rules that you create and an agentless scan occurs once every 24 hours. I have created several custom rules to detect if a file has been Deleted, Added, Modified or Renamed and Defender for Cloud is still not detecting any changes. I have made changes to these files 3 days ago, and no changes have been reported back. Any ideas why this might not be working. I have already confirmed that the appropriate RBAC Roles have been assigned to my Key Vaults where CMK Disks are being used. I also wanted to know if the Agentless FIM can monitor Folders / Directories as well. I haven't seen anything about this in the documentation. Is this even supported?Problem Automatic Log Upload - Defender for Cloud Apps
Hello Community, I have a strange problem with the activity in the Title. I have create Data Sources from Fortinet And a Log collector With the correct documentation that is linked https://learn.microsoft.com/en-us/defender-cloud-apps/discovery-docker-ubuntu-azure?tabs=centos So i have a Fortinet Firewall that send by SYSLOG log to the VM Ubuntu in Azure, i have deploy docker, Ubuntu receive log from firewall, i see traffic is correct. But from Cloud Apps connector remains into "Connected" state. Regards, Guido
Restricting access to non SSO apps
I have multiple non SSO apps that my users need to access. I am looking to permit access but limit what actions users can take when visiting these apps/sites such as: blocking file uploads, blocking data download, restricting logins, etc to limit shadow IT. Is there a way to do this within MDCA? Session control policies, activity policies and access policies require the apps be onboarded or SSO configured which is not feasible for the numerous apps in scope. If not MDCA, what other services have you used to accomplish this?Defender for Cloud DCR
Enabling Defender for Servers Plan 2 and creating a custom DCR to enable the 500MB ingestion into log analytics. The workspace I am sending the logs to is connected to Sentinel. When I looked at creating the DCR I received this pop-up If I enable the Sentinel connector, will this duplicate the cost of the logs or will the connector just enable the data to be surfaced in Sentinel?Scope Profile - Device Group Creation - Help please
Hi Everyone, Hope all is well. I'm trying to make particular user group be excluded from a unsanctioned app. I saw you can create scoped profile which available under Setting - Apps - Scoped Profile. I'm following Microsoft documents here. https://docs.microsoft.com/en-us/defender-cloud-apps/governance-discovery On step 5 and step 6 it talks about selecting device group? how I create device group? I have bunch of azure ad device groups but nothing is coming up when search it which leads me to believe you need to import it. I tried importing through user groups but that does not seems to work. Please let me know if you know how to do this or another way to get this task completed. I'm trying to create Scope profile which is availableIs setting an index tag in Azure Defender for Cloud during file write an atomic operation?
Hi, When using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement? Any insights or official documentation references would be appreciated!
Session controlled Microsoft apps very slow response
Hello For the past 2 months we have been receiving complaints regarding D365 slowness off and on. D365 was included in my session controlled policy. I disabled the policy and the complaints have stopped. Is there part of the policy setup that was missed. I really need the benefits of MCAS without impacting the business. ThanksGeneral Risk Factor - Logon URL - Null
I'm trying to create a policy that maps "Logon URL" field in the app details and if its empty/blank, it approves/sanction the application. My only challenge is that I'm not able to set an identifier that reads blank field. I tried ASCII null character but it doesn't work. Wondering if this use case is even possible.
Native DLP Failed on Mar 4, 2020, 3:29:13 PM. Error details: Download error
Hi i am facing issue with applying Sensitivity label on SharePoint files using MCAS, first i am able to apply the label but after that MCAS unable to scan the file, also creating rule to remove the label failed with native DLP failed error. i have a support request opened for more than a month and there is no solution. regardsPlaybooks with MDCA
I am attempting to integrate MDCA alerts with freshdesk as per the e.g. https://learn.microsoft.com/en-us/defender-cloud-apps/flow-integration I have E5 without teams licenses. I created the flow, Once from playbooks in MDCA portal and once in power automate directly and went to create a policy to test it out but the option "Sent to power automate" from the policy is always greyed out. Alerts are not automatically detected in the flow unless the action in the policy is set to send to power automate which again is greyed as option in the policies. Also playbooks tab in the MDCA portal does not show the flows I created before, It shows empty, Seems link is broken between MDCA and PowerAutomate. Any reason for this, Any Idea about this? Thanks in advance.
MISRA support in Defender
I want to check for MISRA C code compliance. The idea is to check for MISRA C compliance when asking for a Pull Request. If the code fails on those checks, the PR will not be created. This way, we enforce MISRA compliance before integrating the code to the repository. I am not seeing MISRA in the list of standards under - Regulatory Compliance>>Subscriptions>> Security Po;iciesRuntime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)
Hi team! The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services are this one : Fully Supported for Runtime Protection Azure Kubernetes Service (AKS) Amazon Elastic Kubernetes Service (EKS) are there more runtime in the product roadmap (Azure Container Apps, AWS, Fargate for Amazon ECS, Azure Functions, AWS Lambda)? Thanks
Recent Blogs
- 6 MIN READCloud-native development has made containerization vital, but it has also brought about new risks. In dynamic Kubernetes environments, a single vulnerable container image can open the door to an atta...Jan 09, 2026
- What's new in Defender for Cloud? Now in public preview, DCSPM (Defender for Cloud Security Posture Management) extends its capabilities to cover serverless workloads in both Azure and AWS, like A...Jan 05, 2026
