Forum Discussion
About Defender for Cloud aggregated logs in Advanced Hunting
Hi,
I created this thread hoping that the Microsoft team will read it and hopefully provide insights about future changes and the roadmap.
When SOC teams use a non-Microsoft SIEM/SOAR, they need to export logs from M365 and Azure, and send them to the third-party SIEM/SOAR solution.
• For M365 logs, there is the M365XDR connector that allows exporting logs using an Event Hub.
• For Azure logs, we used to configure diagnostics settings and send them to an Event Hub.
This began to change with new features within Defender for Cloud (cf. picture):
• Defender for Resource Manager now sends Azure Activity logs to M365XDR portal, and can be exported using M365XDR Streaming API
• Defender for Storage now sends logs to M365XDR portal, and can be exported using M365XDR Streaming API (c.f. https://www.youtube.com/watch?v=Yraeks8c8hg&t=1s).
This is great as it is easy to configure and doesn't interfere with infrastructure teams managing operational logs through diagnostic settings.
I have two questions:
• Is there any documentation about this? I didn't find any.
• What can we expect in the coming weeks and months regarding this native log collection feature across the various Defender for Cloud products? For example, can we expect Defender for SQL to send logs to M365XDR natively?
Thanks for your support!