About Defender for Cloud aggregated logs in Advanced Hunting
Hi, I create this threat hoping that the Microsoft team will read and hopefully provide insights about future changes and roadmap. When SOC teams use a non-Microsoft SIEM/SOAR, they need to export logs from M365 and Azure, and send them to the third-party SIEM/SOAR solution. • For M365 logs, there is the M365XDR connector that allows exporting logs using an Event Hub. • For Azure logs, we used to configure diagnostics settings and send them to an Event Hub. This began to change with new features within Defender for Cloud (c.f. picture).: • Defender for Resource Manager now sends Azure Activity logs to M365XDR portal, and can be exported using M365XDR Streaming API • Defender for Storage now sends logs to M365XDR portal, and can be exported using M365XDR Streaming API (c.f. https://www.youtube.com/watch?v=Yraeks8c8hg&t=1s). This is great as it is easy to configure and doesn't interfere with infrastructure teams managing operational logs through diagnostic settings. I have two questions : • Is there any documentation about this? I didn't find any? • What can we expect in the future weeks, months regarding this native logs collection feature through various Defender for Cloud products? For example, can we expect Defender for SQL to send logs to M365XDR natively? Thanks for you support!
Runtime protection - Microsoft Defender for Cloud DevOps Security (Defender CSPM)
Hi team! The current support status for Microsoft Defender for Cloud DevOps Security (Defender CSPM) and runtime protection across services are this one : Fully Supported for Runtime Protection Azure Kubernetes Service (AKS) Amazon Elastic Kubernetes Service (EKS) are there more runtime in the product roadmap (Azure Container Apps, AWS, Fargate for Amazon ECS, Azure Functions, AWS Lambda)? Thanks
Unable to resolve - A vulnerability assessment solution should be enabled on your virtual machines
We currently have a mix of approximately 45 Windows / Linux Servers and AVD machines which are not successfully being marked as compliant with the Defender recommendation "A vulnerability assessment solution should be enabled on your virtual machines". On the subscription level we have Defender for Servers Plan 2 enabled and Agentless Scanning CSPM enabled. Within a subscription some of the of these VMs are compliant and others are not. Their compliance state doesn't appear to have any relevance to if the Qualys or MDE extensions are installed. We have servers that are healthy that have Qualys, MDE, or none installed and are healthy. Our VMs are not using the full feature set of Defender Plan 2 as we use CrowdStrike so the Defender for Endpoint functionality of the Defender for Servers Plan 2 has been disabled, but to my knowledge this shouldn't impact Vulnerability assessments. In Security Portal it does seem that generally all the VMs that healthy for this recommendation are visible in the devices section. Whereas these 45 that are not, are either not searchable or have sensor health state "inactive". We have an Azure Policy generated to onboard devices to Vulnerability assessment using MDE.Tvm and it seems to be generally working but not for these 45 devices. The Microsoft Documentation is really unclear, what do we need to make these systems compliant?
Defender for Cloud Inventory API Coverage — No Official Way to Retrieve Per-Resource Coverage?
I'm reaching out to the Microsoft Defender for Cloud team and the broader community because I've run into a gap that I believe others may face too — and I’m hoping for guidance or clarification. I need to programmatically retrieve a list of resources from a subscription and determine if each resource is covered by a Defender for Cloud plan. This would replicate what we see in the Azure Portal under: Microsoft Defender for Cloud > Inventory: The goal is to fetch this data via API and replicate that table — but the problem is that it seems there’s no way to retrieve the “Defender for Cloud” coverage status per resource. Here’s what I’ve tried so far: The /pricings endpoint — returns plan tiers like Free or Standard, but only for the overall subscription or service type, not individual resources. Azure Resource Graph — the properties field does not contain any Defender-related indicators that would confirm whether a specific resource is covered. My Question Does an API exist today to retrieve per-resource Defender for Cloud coverage? Is there a /coverage endpoint or equivalent that is officially supported? If anyone from the Defender for Cloud or Azure product teams can point me in the right direction, I’d truly appreciate it. Thank you!DevOps Security: MDC-ADO integration through Service account
Hi All, Is it possible to integrate MDC-ADO Integration with Service Account? When I attempted to authorize ADO in MDC during the integration process, it appears to only accept individual accounts. Does anyone have insights on how to utilize a Service Account for this integration?Cost Calculator for Defender for Cloud (Public Preview)
Did you know Microsoft Defender for Cloud has a built-in cost calculator to easily calculate the costs of protected resources in your cloud environment? No? Well, I didn’t either until I stumbled upon the button in the MDC portal myself. Apparently, Microsoft announced the preview for the MDC cost calculator last month, on February 19, 2025. With this post, I’m sharing my experience with this new cost calculator for Microsoft Defender for Cloud, providing guidance and comparing available options to calculate the costs. https://myronhelgering.com/cost-calculator-for-defender-for-cloud/
Sensitivity Data Flag will not be deleted after Settings are changed
We have a lot of storage accounts which are flaged with risk factor "Sensitive Data" which also means all storage Accounts which have this label have risklevel critical. We deactivated Sensitive Data Scan but nothing happens As I got it correct once a resource is flagged with "Sensitive Data" the flag will not delete anymore What we did so far: turn off/on/off… the data scanning turn off/on/off Data sensitivity deselect all of different data sensitivity categories like Finance, PII, and Credentials turn off/on/off threshold for sensitive data labels turn off/on complete Defender There is also a support ticket where the support can the recommendation was to open a discussion here to have the product team look at this error (#2502031420002278)KQL Secure score controls and Assessments
I have a query that is working but is not producing what I need. a query that will combine the Recommedation categories( 13 listed under the Classic View in recommendations) and the individual assessments associated to those categories: securityresources | where type == "microsoft.security/securescores/securescorecontrols" | extend category_name = tostring(properties.displayName) //category name | extend Tenant_Id=tostring(tenantId) | extend healthy = properties.healthyResourceCount | extend unhealthy = properties.unhealthyResourceCount | extend notApplicable = properties.notApplicableResourceCount | extend score = properties.score | extend scr= parse_json(score) | project category_name, healthy, unhealthy, notApplicable, CurrentScore=scr.current, MaxScore=scr.max, Tenant_Id | join ( securityresources | where type == "microsoft.security/assessments" | extend assessment_name = tostring(properties.displayName) //assessment name | extend Tenant_Id=tostring(tenantId) | extend resourceName = properties.resourceDetails.ResourceName | extend status = properties.status.code | extend metadata = properties.metadata | extend severity = metadata.severity | project assessment_name, resourceName, status, severity, Tenant_Id ) on Tenant_Id | project category_name, assessment_name, resourceName, status, severity, healthy, unhealthy, notApplicable, CurrentScore, MaxScore,Tenant_Id This is a work in progress script, I do get a valid script but I know it is not working like I need it to work. For example, when I run this script, I get for "assessment_name: EDR solution should be installed on Virtual Machines" but for the "category_name" I get "Restrict unauthorized network access". It should be category_name = Enable endpoint protection. I'm trying to find a valid join field but not getting it correctly. Perhaps I need to add anothere "Type" but I'm not sure which. Please advise, Serge
Azure Secure Score Comparison for Similar Organizations
Is there a way to see comparison of Azure Secure Score for similar organizations like how Microsoft Secure Score in the Defender portal shows? For example, Microsoft Secure Score has the below options, and I am looking for a something similar in Azure Secure Score/Defender for Cloud Secure Score.
New Blog | Enhancing Server and Container Risk Score Analysis in Power BI
By iulio Astori Microsoft Defender for Cloud provides vulnerability assessments for both virtual machines (servers) and container images, identifying vulnerabilities as Common Vulnerabilities and Exposures (CVEs). The risk posed by each CVE is assessed using the Common Vulnerability Scoring System (CVSS), providing a standardized numerical score that ranges from 0.0 to 10.0, translated into severity ratings like Low, Medium, High, or Critical. While Microsoft Defender for Cloud provides a robust risk level assessment for each resource, there is an opportunity to enhance this by integrating additional factors such as the exploitability of each CVE, the age since it was made public, and whether the CVE is a zero-day vulnerability. Additionally, resources themselves have contextual elements such as the number of attack paths, which can significantly impact their overall risk. The Power BI solution builds Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and enhancing the prioritization of vulnerabilities requiring urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention. Read the full post here: Enhancing Server and Container Risk Score Analysis in Power BI
