Microsoft Defender for Cloud topics

Microsoft Defender for Cloud

Lucaraheller — Tue, 27 Jan 2026 11:31:58 GMT

For security operations teams managing Microsoft 365 and Azure environments, knowing which event logs to monitor in the Defender portal is fundamental. The right logs give you visibility into identity threats, device compromise, and policy violations before they escalate.

Here are the most critical event log categories:

## 1. Sign-In Logs (Entra ID)

**Location:** Microsoft Entra ID > Sign-in logs

Monitor failed sign-ins, unfamiliar locations, Conditional Access failures, and risky sign-ins flagged by Identity Protection. Identity is the primary attack surface—these logs detect credential compromise and lateral movement.

## 2. Audit Logs (Entra ID)

**Location:** Microsoft Entra ID > Audit logs

Track changes to user accounts, privilege escalations, Conditional Access modifications, and application consent grants. Unauthorized administrative changes can bypass security controls.

## 3. Device Compliance Logs (Intune)

**Location:** Microsoft Intune > Devices > Monitor

Monitor non-compliant devices, enrollment failures, and policy errors. Non-compliant endpoints represent unmanaged risk.

## 4. Threat & Vulnerability Management

**Location:** Microsoft Defender > Endpoints > TVM

Track critical vulnerabilities, missing updates, and exposed credentials. Proactive vulnerability management prevents exploitation.

## 5. Alerts and Incidents (Defender XDR)

**Location:** Microsoft Defender > Incidents & Alerts

Your central SOC dashboard—monitor high-severity alerts for ransomware, credential theft, and lateral movement across endpoints, identities, email, and apps.

## 6. Cloud App Activity Logs

**Location:** Defender for Cloud Apps > Activity log

Detect unusual file downloads, admin activity from unmanaged devices, and OAuth app permissions. These logs reveal unauthorized data exfiltration and risky SaaS behavior.

## 7. Email Threat Logs

**Location:** Microsoft Defender > Email & Collaboration > Threat Explorer

Monitor phishing attempts, malware attachments, and spoofed emails. Email remains the most common attack vector.

## 8. Cloud Security Alerts

**Location:** Microsoft Defender for Cloud > Security alerts

Track misconfigurations, policy violations, and threats across Azure subscriptions and hybrid workloads. Essential for cloud infrastructure protection and compliance monitoring.

## How to Use These Logs Effectively

1. Set up automated alerts in Sentinel

2. Establish baselines to detect anomalies

3. Correlate across sources for full attack context

4. Automate response with AIR features

5. Review high-severity logs weekly

**Microsoft Defender XDR Documentation:**

https://learn.microsoft.com/en-us/microsoft-365/security/defender/

**Entra ID Monitoring:**

https://learn.microsoft.com/en-us/entra/identity/monitoring-health/

**Microsoft Defender for Cloud:**

https://learn.microsoft.com/en-us/azure/defender-for-cloud/

Monitoring the right logs is the foundation of a strong security posture. Start here, tune your alerts, and build the visibility your SOC needs.

#MicrosoftDefender #CyberSecurity #SOC #DefenderXDR #ThreatHunting #SecurityOperations #EntraID #Microsoft365 #ZeroTrust #DefenderForCloud

Defender for servers (P1)

Diddler431 — Mon, 12 Jan 2026 09:28:29 GMT

Hey guys,

I enabled my Defender for cloud trial licens (P1) for my Windows servers.

They are onboarded and i can see them visually in the (security.microsoft.com) EDR Portal.

My enforcement scope is set to Intune - so all my AV policies etc are created there.

I want to create a AV Policy for my Windows servers but i can't see the objects in Entra.

What is best practice. To register them in Entra manually or should it automaticlly create a object in Entra during the onboarding process?

Can't create & assign a AV policy etc until i create a group and put all my servers into that group.

Any ideas?

Also might be worth mentioning i see that they are managed by "unknown" and not Microsoft Sense? Should i point back the scope to the Defender portal? Whilst my endpoints are managed by Intune.

Updating SDK for Java used by Defender for Server/CSPM in AWS

terruahmad — Mon, 29 Dec 2025 17:26:21 GMT

Hi,

I have a customer who is Defender for Cloud/CSPM in AWS. Last week, Cloud AWS Health Dashboard lit up with a recommendation around the use of AWS SDK for Java 1.x in their organization. This version will reach end of support on December 31, 2025. The recommendation is to migrate to AWS SDK for Java 2.x. The issue is present in all of AWS workload accounts.

They found that a large amount of these alerts is caused by the Defender CSPM service, running remotely, and using AWS SDK for Java 1.x. Customer attaching a couple of sample events that were gathered from the CloudTrail logs. Please note that in both cases:

assumed-role: DefenderForCloud-Ciem
sourceIP: 20.237.136.191 (MS Azure range)
userAgent: aws-sdk-java/1.12.742 Linux/6.6.112.1-2.azl3 OpenJDK_64-Bit_Server_VM/21.0.9+10-LTS java/21.0.9 kotlin/1.6.20 vendor/Microsoft cfg/retry-mode/legacy cfg/auth-source#unknown

Can someone provide guidance about this? How to find out if DfC is going to leverage AWS SDK for Java 2.x after Dec 31, 2025?

Thanks,

Terru

Automate Defender for Cloud settings: FIM, Vulnerability Assessment, and Guest Configuration Agent

Pascal2 — Mon, 17 Nov 2025 13:27:07 GMT

I’m working on automating the configuration of Microsoft Defender for Cloud – Server Plans across multiple subscriptions (100+), including any newly deployed subscriptions. The goal is to avoid manual changes and ensure compliance from day one.

Current Setup:

I’ve used the built-in policy: Configure Microsoft Defender for Servers plan, which successfully enables:
- Defender for Cloud Plan P2
- Endpoint Protection
- Agentless scanning
I attempted to copy this policy and add parameters for Vulnerability Assessment, but the assignment fails with an error.

What I’ve Tried:

For File Integrity Monitor: Policy name → Configure ChangeTracking Extension for Windows virtual machines
For Vulnerability Assessment: Policy name → Configure machines to receive a vulnerability assessment provider
Assigning these policies works on my non-prod subscription, but the toggle in Defender for Cloud → Environment Settings remains No.

Challenge: How can I ensure these options (File Integrity Monitoring, Vulnerability Assessment, and preferably Guest Configuration Agent) are automatically enabled for:

All existing subscriptions
Any new subscriptions created in the future

Goal:

No manual intervention in Defender for Cloud portal
Fully automated via Azure Policy or another recommended approach

uestions:

Is there a way to extend the built-in policy or create a custom initiative that enforces these settings at the subscription level?
Are there ARM templates, Bicep modules, Powershell scripts or REST API calls that can toggle these settings programmatically?
Any best practices for ensuring compliance across multiple subscriptions?

Any help is much appreciated and looking forward to your expertise!
Thank you in advance.

Best Regards,

Pascal Slot

About Defender for Cloud aggregated logs in Advanced Hunting

Molx32 — Wed, 08 Oct 2025 13:31:18 GMT

Hi,

I create this threat hoping that the Microsoft team will read and hopefully provide insights about future changes and roadmap.

When SOC teams use a non-Microsoft SIEM/SOAR, they need to export logs from M365 and Azure, and send them to the third-party SIEM/SOAR solution.

• For M365 logs, there is the M365XDR connector that allows exporting logs using an Event Hub.

• For Azure logs, we used to configure diagnostics settings and send them to an Event Hub.

This began to change with new features within Defender for Cloud (c.f. picture).:

• Defender for Resource Manager now sends Azure Activity logs to M365XDR portal, and can be exported using M365XDR Streaming API

• Defender for Storage now sends logs to M365XDR portal, and can be exported using M365XDR Streaming API (c.f. https://www.youtube.com/watch?v=Yraeks8c8hg&t=1s).

This is great as it is easy to configure and doesn't interfere with infrastructure teams managing operational logs through diagnostic settings.

I have two questions :

• Is there any documentation about this? I didn't find any?

• What can we expect in the future weeks, months regarding this native logs collection feature through various Defender for Cloud products? For example, can we expect Defender for SQL to send logs to M365XDR natively?

Thanks for you support!

Defender for Cloud DCR

edwaro3 — Mon, 28 Jul 2025 14:25:43 GMT

Enabling Defender for Servers Plan 2 and creating a custom DCR to enable the 500MB ingestion into log analytics. The workspace I am sending the logs to is connected to Sentinel. When I looked at creating the DCR I received this pop-up

If I enable the Sentinel connector, will this duplicate the cost of the logs or will the connector just enable the data to be surfaced in Sentinel?

Is setting an index tag in Azure Defender for Cloud during file write an atomic operation?

vitoiacono — Fri, 25 Jul 2025 11:12:35 GMT

Hi,
When using Azure Defender for Cloud, is setting an index tag at the same time as writing a file considered an atomic operation? Or is there a propagation delay before the tag becomes fully available and effective for search and policy enforcement?
Any insights or official documentation references would be appreciated!

File Integrity Monitoring - Agentless Issues in Detecting Changes to Files

nopenuttn — Mon, 30 Jun 2025 17:29:03 GMT

Hello!

Looks like there have been some recent updates made to File Integrity Monitoring. After reviewing the MS documentation here it looks like you can now create custom Rules for Files and for custom Registry keys. From what I can gather from the documentation, agentless scans are used for custom rules that you create and an agentless scan occurs once every 24 hours.

I have created several custom rules to detect if a file has been Deleted, Added, Modified or Renamed and Defender for Cloud is still not detecting any changes. I have made changes to these files 3 days ago, and no changes have been reported back. Any ideas why this might not be working. I have already confirmed that the appropriate RBAC Roles have been assigned to my Key Vaults where CMK Disks are being used.

I also wanted to know if the Agentless FIM can monitor Folders / Directories as well. I haven't seen anything about this in the documentation. Is this even supported?

MISRA support in Defender

yogisrivastava — Tue, 10 Jun 2025 15:10:18 GMT

I want to check for MISRA C code compliance. The idea is to check for MISRA C compliance when asking for a Pull Request. If the code fails on those checks, the PR will not be created. This way, we enforce MISRA compliance before integrating the code to the repository.

I am not seeing MISRA in the list of standards under - Regulatory Compliance>>Subscriptions>> Security Po;icies

Runtime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)

zafK — Mon, 09 Jun 2025 14:04:07 GMT

Hi team!

The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services are this one :

Fully Supported for Runtime Protection
Azure Kubernetes Service (AKS)
Amazon Elastic Kubernetes Service (EKS)

are there more runtime in the product roadmap (Azure Container Apps, AWS, Fargate for Amazon ECS, Azure Functions, AWS Lambda)?

Thanks

Onboarding MDE with Defender for Cloud (Problem)

GuidoImpe — Tue, 03 Jun 2025 06:09:20 GMT

Hello Community,

In our Customer i have a strange problem.

We onboarded with Azure Arc server and activate a Defender for Cloud servises only for Endpoint protection.

Some of this device onboarded into Microsoft Defender portale, but not appears as a device, infact i don't have opportunity to put them into a group to apply policy.

I have check sensor of Azure Arc and all works fine (device are in Azure Arc, are in the defender portal and see them on Intune (managed by MDE)).

From Intune portal

From Defender portal

But in difference from other device into entra ID exists only the enterprise application and not device

I show the example of device that works correctly (the same onboarding method)

Is there anyone who has or has had this problem?

Thanks and Regards,

Guido

Defender for AI data storage/processing

neiltreebeard — Thu, 22 May 2025 16:06:40 GMT

Hi, does anyone know where the data that Defender for AI uses is processed and what data is stored and available to Microsoft?

If abuse monitoring is turned off, the documentation says "Microsoft does not store the prompts and completions associated with the approved Azure subscription."

If content filtering is enabled the documentation says "Noo prompts or generated content are stored in the content classifier models."

https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy?tabs=azure-portal#preventing-abuse-and-harmful-content-generation

But I was wondering what data is stored/processed, where this happens and if there's any documentation around this for the Defender for AI service.

Could anyone point me to a page, please?

Thanks,

Neil.

Need help with enabling the "Security attack path" export data type in continuous export

santhoshcv20 — Fri, 09 May 2025 15:14:28 GMT

I tried enabling the "Security attack path" via API and CMDLET using Powershell. It is not working.

New-AzSecurityAutomation ` -Name $automationName ` -ResourceGroupName $resourceGroupName `

I am not sure .Which resource group we should mention here. Is it random RG in a subscription or LAW RG.it is failing in both ways.

API Method

$checkUrl="https://management.azure.com/subscriptions/$($subscription.Id)/resourceGroups/$resourceGroupName/providers/Microsoft.Security/automations/$automationName`?api-version=2023-12-01-preview"

Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?

JuanOJG — Fri, 09 May 2025 13:34:16 GMT

I'm reaching out to the Microsoft Defender for Cloud team and the broader community because I've run into a gap that I believe others may face too — and I’m hoping for guidance or clarification.

I need to programmatically retrieve a list of resources from a subscription and determine if each resource is covered by a Defender for Cloud plan. This would replicate what we see in the Azure Portal under:

Microsoft Defender for Cloud > Inventory:

The goal is to fetch this data via API and replicate that table — but the problem is that it seems there’s no way to retrieve the “Defender for Cloud” coverage status per resource.

Here’s what I’ve tried so far:

The /pricings endpoint — returns plan tiers like Free or Standard, but only for the overall subscription or service type, not individual resources.
Azure Resource Graph — the properties field does not contain any Defender-related indicators that would confirm whether a specific resource is covered.

My Question

Does an API exist today to retrieve per-resource Defender for Cloud coverage?
Is there a /coverage endpoint or equivalent that is officially supported?

If anyone from the Defender for Cloud or Azure product teams can point me in the right direction, I’d truly appreciate it.

Thank you!

Microsoft Defender for Cloud - Servers & Apps Question

VijayGanji — Wed, 07 May 2025 21:39:05 GMT

Hi, while learning about the Microsoft Defender for Cloud (MDC) Cloud Workload Protection (CWP), I have seen below points.

Servers:

When we opt for MDC CWP for servers, I see Agentless scanning for machines and along with it below,

But we already have "Carbon Black" which handles the above role of Guest Configuration agent.

So, my question is, If I enroll for MDC - Cloud workload protection:

As we need to have a security/defender tool installed on Azure machines (In this case Guest Configuration agent). Would this then replace "Carbon Black" as we already, have it? Or do we see this MDC - Cloud workload protection for Servers as additional apart from Carbon Black?

Apps:

We have our Azure Apps protected by Cloudflare and VNet Integration which are with our firewall-based routes, do we still need to enroll for App Service protection by MDC CWP.

Please advise on above 2 areas. Thanks

Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines

sof_brad — Thu, 01 May 2025 17:09:14 GMT

We currently have a mix of approximately 45 Windows / Linux Servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines".

On the subscription level we have Defender for Servers Plan 2 enabled and Agentless Scanning CSPM enabled. Within a subscription some of the of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to if the Qualys or MDE extensions are installed. We have servers that are healthy that have Qualys, MDE, or none installed and are healthy.

Our VMs are not using the full feature set of Defender Plan 2 as we use CrowdStrike so the Defender for Endpoint functionality of the Defender for Servers Plan 2 has been disabled, but to my knowledge this shouldn't impact Vulnerability assessments.

In Security Portal it does seem that generally all the VMs that healthy for this recommendation are visible in the devices section. Whereas these 45 that are not, are either not searchable or have sensor health state "inactive".

We have an Azure Policy generated to onboard devices to Vulnerability assessment using MDE.Tvm and it seems to be generally working but not for these 45 devices.

The Microsoft Documentation is really unclear, what do we need to make these systems compliant?

How are you presenting CSPM and CNAPP insights to your executive leadership?

PauloNicolas — Mon, 21 Apr 2025 23:12:27 GMT

Hi everyone,

I'm a Cloud Security Specialist at Microsoft, working closely with Microsoft Defender for Cloud, and I wanted to start a conversation with the community — partly out of curiosity, but also to learn from your real-world experiences.

When it comes to reporting cloud security posture to your executive leadership (CISO, CTO, or broader security/tech leadership), how are you presenting insights from CSPM, CNAPP, or Defender for Containers?

Specifically, how do you communicate findings such as:

Misconfigurations
Vulnerabilities
Risk exposure across your cloud environments?

Are you using:

Power BI dashboards to centralize and visualize the data?
Manual Excel reports?
The native Defender for Cloud portal?
Or even exploring Microsoft Fabric for more advanced reporting scenarios?

I’d love to hear how you’re turning technical insights into executive-level narratives. Do you follow a particular structure, reporting cadence, or set of best practices?

Looking forward to hearing how others in the community are approaching this challenge — and how you're bridging the gap between cloud security and business strategy.

Defender for Servers

logger2115 — Fri, 18 Apr 2025 18:55:26 GMT

Defender for servers is part of Defender for Cloud CWP. We do not use this product, however we have interest in logging Servers both on-premise and multi cloud tenants to Sentinel workspace.

Couple of ways to accomplish:

Defender for Servers in passive - Since we're currently not subscribed can we get data in with ARC + AMA + Defender extension across multi cloud tenant? Objective is to NOT pay for Defender for Servers p1/p2 instead log Events for detections

Azure Monitor Agent and Data Collection Rule with logging level (Common, Minimal, Custom)

I've ideas on both but I'm leaning towards Defender for Servers in passive with Defender Extension and AMA. Will this automatically get charge as part of Defender for Server CWP or it flat out won't work if not enabled?

I can't get straight answer on this from anyone and I don't have full blown tenant owner permission to test this. When asked there is wait time to get response from other teams.

I'm interested getting data in via Defender in Passive relying and relaying partner as Defender Extension and ARC+AMA.

Let me know your thoughts!

DevOps Security: MDC-ADO integration through Service account

Mazhar2017 — Mon, 14 Apr 2025 10:23:58 GMT

Hi All,

Is it possible to integrate MDC-ADO Integration with Service Account?

When I attempted to authorize ADO in MDC during the integration process, it appears to only accept individual accounts. Does anyone have insights on how to utilize a Service Account for this integration?

Cost Calculator for Defender for Cloud (Public Preview)

MyronHelgering — Wed, 19 Mar 2025 20:18:21 GMT

Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025.

With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs.

https://myronhelgering.com/cost-calculator-for-defender-for-cloud/