When looking at the possible ways to consume information from Microsoft Defender for Cloud Apps, three major methods arise:
Portal: By using the portal at portal.com, you can consume information detected, generated, and aggregated natively by Microsoft Defender for Cloud Apps. You can access data, set policies and governance actions, and investigate alerts. Note that the access to data and available actions are directly dependent on the role assigned to the user as designated by Defender for Cloud Apps in the SIEM connector.
SIEM connector: Customers can utilize a Security Information and Event Management (SIEM) product to consume the data and enrichments offered by Microsoft Defender for Cloud Apps. Our customers frequently deploy a SIEM to aggregate alerts and raw data from several security products. For example, many of our customers use Microsoft Sentinel with the M365 Security suite to protect all facets of their organization while consuming alerts via a single interface, streamlining the SecOps experience while not compromising on protection.
API: An Application Programming Interface (API) is a way for a developer or a technically savvy customer to access a security product’s information and assets through a customized programmatic approach. Using the API allows for pulling raw data as well as enhanced data (like alerts) while filtering and configuring custom-made behavior.
Out of these methods, API-based access is the most customizable and allows aggregation and analysis of data by the customer.