Collect Microsoft Defender for Cloud alert logs

Overview

This parser extracts security alert data from Microsoft Defender for Cloud's JSON-formatted logs. It transforms and maps the raw log fields into the Google SecOps Unified Data Model (UDM), handling the different data types and nested structures in an alert, and enriches the data with additional context and labels for analysis.

Before you begin

Ensure that you have the following prerequisites:

  • Google SecOps instance.
  • Privileged access to Microsoft Defender for Cloud.

Set up feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed; for example, Microsoft Defender for Cloud alert logs.
  5. Select Webhook as the Source type.
  6. Select Microsoft Defender for Cloud as the Log type.
  7. Click Next.
  8. Optional: specify values for the following input parameters:
    • Split delimiter: the delimiter that is used to separate log lines, such as \n.
  9. Click Next.
  10. Review the feed configuration in the Finalize screen, and then click Submit.
  11. Click Generate Secret Key to generate a secret key to authenticate this feed.
  12. Copy and store the secret key in a secret store; you cannot view it again. If needed, you can regenerate a new secret key, but doing so invalidates the previous one.
  13. On the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
  14. Click Done.

Create an API key for the webhook feed

  1. Go to Google Cloud console > Credentials.
  2. Click Create credentials, and then select API key.
  3. Restrict the API key to the Google Security Operations API, so that a leaked key cannot be used against other Google APIs enabled in the project.

Specify the endpoint URL

  1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
  2. Enable authentication by passing the API key and secret key as custom headers in the following format:

     X-goog-api-key = API_KEY
     X-Webhook-Access-Key = SECRET

     Recommendation: pass the API key in a header rather than in the URL. A query string is recorded in proxy and web-server access logs and in the sending system's run history, whereas custom headers normally are not. If your webhook client doesn't support custom headers, you can pass the API key and secret key as query parameters in the following format:

     ENDPOINT_URL?key=API_KEY&secret=SECRET

Replace the following:

  • ENDPOINT_URL : the feed endpoint URL.
  • API_KEY : the API key to authenticate to Google Security Operations.
  • SECRET : the secret key that you generated to authenticate the feed.
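
The following client, added here as an example and not part of the original page or of any Google or Microsoft code, builds the webhook request described above. It uses the recommended header authentication and falls back to the key/secret query parameters only when asked, so you can see exactly where the credentials end up in each form. The endpoint URL, API key and secret are placeholders and the alert body is constructed.

```python
"""Post a Defender for Cloud alert to a Google SecOps webhook feed.

Added example, not part of the original page or of any Google or Microsoft
code. The endpoint URL, API key and secret are placeholders; the alert body
below is constructed in the properties.* shape the Logic App trigger forwards.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample alert (not from a real tenant).
SAMPLE_ALERT = {
    "properties": {
        "alertDisplayName": "Suspicious authentication activity",
        "alertType": "VM_SuspiciousAuthentication",
        "severity": "Medium",
        "status": "Active",
        "extendedProperties": {"clientIpAddress": "203.0.113.7"},
    }
}


def build_request(endpoint_url, api_key, secret, alert, use_query_params=False):
    """Return a urllib Request carrying one alert as a JSON POST body.

    Headers are the default: a query string ends up in proxy and web-server
    access logs and in the sending system's run history; custom headers
    normally do not.
    """
    body = json.dumps(alert).encode("utf-8")
    headers = {"Content-Type": "application/json"}
    url = endpoint_url
    if use_query_params:
        # Fallback for clients that cannot set custom headers.
        url += "?" + urllib.parse.urlencode({"key": api_key, "secret": secret})
    else:
        headers["X-goog-api-key"] = api_key
        headers["X-Webhook-Access-Key"] = secret
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def header(request, name):
    """Case-insensitive header lookup (urllib stores keys via str.capitalize)."""
    return request.get_header(name.capitalize())


def credentials_in_url(request):
    """True when the key or secret sits in the query string, the form to avoid."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(request.full_url).query)
    return "key" in query or "secret" in query


def send(request, timeout=10):
    """Deliver the request and return the HTTP status; non-2xx raises HTTPError."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    # Replace the placeholders with the feed endpoint URL, API key and secret key,
    # then call send(req) to deliver the alert.
    req = build_request("https://ENDPOINT_URL", "API_KEY", "SECRET", SAMPLE_ALERT)
    print(header(req, "X-goog-api-key"), credentials_in_url(req))
```

Run `credentials_in_url` against whatever your real client produces before going live: if it returns True, the feed credentials are being written to every access log between the client and Google SecOps.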

Create Azure Logic App

  1. Sign in to Azure Portal (https://portal.azure.com).
  2. Click Create a resource and search for Logic App.
  3. Click Create to start the deployment process.
  4. Configure Logic App:
    • Name: Provide a descriptive name for the Logic App (for example, GoogleSecOpsWebhook).
    • Subscription: Select the appropriate subscription.
    • Resource Group: Choose an existing resource group or create a new one.
    • Location: Choose the location closest to your environment.
    • Log Analytics: Enable this option if you want to log diagnostic data for the Logic App.
  5. Click Review + Create to create the Logic App.
  6. Click Create to deploy the Logic App.

Configure Azure Logic App Webhook connection

  1. Go to the Logic App created in the previous step.
  2. Click Development Tools > Logic App Designer.
  3. Click Add a trigger.
  4. Search Microsoft Defender for Cloud > When a Microsoft Defender for Cloud alert is created or triggered as the trigger.
  5. Click Create new and follow the prompts to authenticate.
  6. Click Insert a new step to add a new step to the workflow.
  7. Click Add an action.
  8. Search for HTTP.
  9. Select HTTP as the action.
  10. Configure the HTTP action:
    • URI: the Google SecOps webhook feed endpoint URL that you copied from the Endpoint Information field.
    • Method: POST
    • Add Content-Type header: set Content-Type as the header key and application/json as the header value. This tells Google SecOps the format of the data being sent.
    • Add API Key to queries: set key as the first query key and <API_KEY> as the query value. API_KEY is the API key you created in the Google Cloud console Credentials page.
    • Add Secret Key to queries: set secret as the second query key and <SECRET_KEY> as the query value. SECRET_KEY is the secret key generated during Google SecOps feed configuration.
    • Set Body from previous step: click Enter request content > Enter the data from previous steps (the button with the lightning icon to the left of the input field).

    The HTTP action also accepts custom headers. To follow the header-based recommendation above, add X-goog-api-key and X-Webhook-Access-Key as headers with the same values instead of the two query entries; this keeps the credentials out of the request URL shown in the Logic App run history.
  11. Click Save.

Configure Microsoft Defender Cloud Alerts Webhook

  1. Go to Microsoft Defender for Cloud.
  2. Click Management > Workflow automation.
  3. Click Add workflow automation.
    • Name: Provide a descriptive name for the automation rule (for example, ForwardAlertsToGoogleSecOps).
    • Resource Group: Choose an existing resource group.
    • Defender for Cloud data type: Choose Security alert.
    • Alert severity: Choose Select all.
    • Show Logic App instances from the following subscriptions: Choose the subscription where the Logic App was created.
    • Select Logic App: Choose the Logic App created in the previous steps.
  4. Click Create to save the workflow automation.

UDM Mapping Table

The table covers two field shapes: top-level PascalCase fields (the shape of the SecurityAlert table in Log Analytics) and properties.* camelCase fields (the shape the Logic App trigger forwards). Several log fields land on the same UDM field (for example, SystemAlertId and ExtendedProperties.Alert Id both map to metadata.product_log_id), so check an ingested event before writing a rule against a shared field.

| Log field | UDM mapping | Logic |
|---|---|---|
| AlertLink | principal.resource.attribute.labels.AlertLink.value | Directly mapped. |
| AlertName | security_result.rule_name | Directly mapped. |
| AlertSeverity | security_result.severity | Directly mapped if the value is one of HIGH, MEDIUM, LOW, CRITICAL, UNKNOWN_SEVERITY; otherwise mapped to security_result.severity_details. The value is converted to uppercase before comparison. |
| AlertType | security_result.threat_name | Directly mapped. |
| CompromisedEntity | principal.resource.attribute.labels.CompromisedEntity.value | Directly mapped. |
| Description | security_result.description | Directly mapped. |
| DisplayName | security_result.summary | Directly mapped. |
| EndTime | about.resource.attribute.labels.EndTime.value | Directly mapped. |
| Entities[].Location.City | principal.location.city | Directly mapped. |
| Entities[].Location.CountryName | principal.location.country_or_region | Directly mapped. |
| ExtendedLinks[].Category | about.resource.attribute.labels.extendedLink_Category.value | Directly mapped. |
| ExtendedLinks[].Href | about.resource.attribute.labels.extendedLink_Href.value | Directly mapped. |
| ExtendedLinks[].Label | about.resource.attribute.labels.extendedLink_Label.value | Directly mapped. |
| ExtendedLinks[].Type | about.resource.attribute.labels.extendedLink_Type.value | Directly mapped. |
| ExtendedProperties.Account Session Id | network.session_id | Directly mapped after renaming to accountSessionId. |
| ExtendedProperties.Alert Id | metadata.product_log_id | Directly mapped after renaming to alertId. |
| ExtendedProperties.Authentication type | extensions.auth.auth_details | Directly mapped after renaming to authenticationType. |
| ExtendedProperties.Client Application | principal.application | Directly mapped after renaming to clientApplication. |
| ExtendedProperties.Client Hostname | principal.asset.hostname, principal.hostname | Directly mapped after renaming to clientHostName. |
| ExtendedProperties.Client IP address | principal.asset.ip, principal.ip | Directly mapped after renaming to clientIpAddress. |
| ExtendedProperties.Client IP location | principal.location.country_or_region | Directly mapped after renaming to clientIpLocation. |
| ExtendedProperties.Client Location | principal.location.country_or_region | Directly mapped after renaming to clientLocation. |
| ExtendedProperties.Client Principal Name | principal.user.userid | Directly mapped after renaming to clientPrincipalName. |
| ExtendedProperties.Compromised Host | principal.asset.hostname, principal.hostname | Directly mapped after renaming to compromisedHost. |
| ExtendedProperties.Suspicious Command Line | target.process.command_line | Directly mapped after renaming to suspiciousCommandLine. |
| ExtendedProperties.Suspicious Process | target.process.file.full_path | Directly mapped after renaming to suspiciousProcess. |
| ExtendedProperties.Suspicious Process Id | target.process.pid | Directly mapped after renaming to suspiciousProcessId. |
| ExtendedProperties.User agent | network.http.user_agent | Directly mapped after renaming to userAgent. |
| ExtendedProperties.User Name | principal.user.user_display_name | Directly mapped after renaming to userName. |
| ExtendedProperties.resourceType | principal.resource.name | Directly mapped. |
| IsIncident | security_result.detection_fields.IsIncident.value | Directly mapped. Converted to string. |
| ProcessingEndTime | about.resource.attribute.labels.ProcessingEndTime.value | Directly mapped. |
| ProductName | metadata.product_name | Directly mapped. |
| ResourceId | principal.resource.product_object_id | Directly mapped. |
| SourceSystem | security_result.detection_fields.SourceSystem.value | Directly mapped. |
| StartTime | about.resource.attribute.labels.StartTime.value | Directly mapped. |
| Status | security_result.detection_fields.Status.value | Directly mapped. |
| SystemAlertId | metadata.product_log_id | Directly mapped. |
| Tactics | security_result.attack_details.tactics.name | Directly mapped. |
| TenantId | additional.fields.TenantId.string_value | Directly mapped. |
| TimeGenerated | about.resource.attribute.labels.TimeGenerated.value | Directly mapped. |
| VendorName | metadata.vendor_name | Directly mapped. |
| WorkspaceResourceGroup | target.resource.attribute.labels.WorkspaceResourceGroup.value | Directly mapped. |
| WorkspaceSubscriptionId | target.resource.attribute.labels.WorkspaceSubscriptionId.value | Directly mapped. |
| _Internal_WorkspaceResourceId | target.resource.product_object_id | Directly mapped. |
| properties.alertDisplayName | security_result.rule_name | Directly mapped. |
| properties.alertType | security_result.threat_name | Directly mapped. |
| properties.alertUri | principal.resource.attribute.labels.AlertUri.value | Directly mapped. |
| properties.correlationKey | principal.resource.attribute.labels.correlationKey.value | Directly mapped. |
| properties.description | security_result.description | Directly mapped. |
| properties.endTimeUtc | additional.fields.EndTime.string_value | Directly mapped. |
| properties.entities[].location.city | principal.location.city | Directly mapped. |
| properties.entities[].location.countryName | principal.location.country_or_region | Directly mapped. |
| properties.entities[].location.latitude | principal.location.region_coordinates.latitude | Directly mapped. Converted to float. |
| properties.entities[].location.longitude | principal.location.region_coordinates.longitude | Directly mapped. Converted to float. |
| properties.extendedProperties.alert_Id | metadata.product_log_id | Directly mapped. |
| properties.extendedProperties.clientApplication | principal.application | Directly mapped. |
| properties.extendedProperties.clientIpAddress | principal.asset.ip, principal.ip | Directly mapped. Parsed as an IP address. |
| properties.extendedProperties.clientLocation | principal.location.country_or_region | Directly mapped. |
| properties.extendedProperties.clientPrincipalName | principal.user.userid | Directly mapped. |
| properties.extendedProperties.compromisedEntity | principal.resource.attribute.labels.CompromisedEntity.value | Directly mapped. |
| properties.extendedProperties.resourceType | principal.resource.name | Directly mapped. |
| properties.IsIncident | security_result.detection_fields.isIncident.value | Directly mapped. Converted to string. |
| properties.productName | metadata.product_name | Directly mapped. |
| properties.resourceIdentifiers[].<key> | additional.fields.<key>_<index>.string_value | Directly mapped. Keys $id and type are appended with the index of the element in the array. |
| properties.severity | security_result.severity | Directly mapped if the value is one of HIGH, MEDIUM, LOW, CRITICAL, UNKNOWN_SEVERITY; otherwise mapped to security_result.severity_details. The value is converted to uppercase before comparison. |
| properties.startTimeUtc | additional.fields.StartTime.string_value | Directly mapped. |
| properties.status | security_result.detection_fields.Status.value | Directly mapped. |
| properties.timeGeneratedUtc | additional.fields.TimeGenerated.string_value | Directly mapped. |
| (none) | (UDM field not shown on the page) | Set to MICROSOFT_DEFENDER_CLOUD_ALERTS if not provided in the log. |
| (none) | (UDM field not shown on the page) | Set to MICROSOFT_DEFENDER_CLOUD_ALERTS. |
| (none) | metadata.event_type | Set to USER_RESOURCE_ACCESS if principal or target are present, otherwise set to GENERIC_EVENT. |
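
To see what the rules above produce for a concrete alert, the script below re-implements them in plain Python. It is an added example, not the Google SecOps parser itself, and it handles only the properties.* shape that the Logic App forwards; the sample alert is constructed. Where the table is silent it makes labelled assumptions: resourceIdentifiers indices are 0-based, booleans are stringified in lowercase as JSON writes them, an unparseable IP address is dropped rather than stored, and the two default rows whose UDM field is missing from the page are taken to be metadata.product_name and metadata.vendor_name.

```python
"""Predict the UDM fields the parser will emit for a Defender for Cloud alert.

Added example, not the Google SecOps parser itself. Handles only the
properties.* shape; the sample alert is constructed. Assumptions the page
does not state: resourceIdentifiers indices are 0-based, booleans stringify
in lowercase as in JSON, an unparseable IP is dropped, and the two nameless
default rows set metadata.product_name and metadata.vendor_name.
"""
import ipaddress

SEVERITIES = {"HIGH", "MEDIUM", "LOW", "CRITICAL", "UNKNOWN_SEVERITY"}
DEFAULT_PRODUCT = "MICROSOFT_DEFENDER_CLOUD_ALERTS"

# Direct properties.* -> UDM mappings, as listed in the table.
DIRECT = {
    "alertDisplayName": "security_result.rule_name",
    "alertType": "security_result.threat_name",
    "description": "security_result.description",
    "status": "security_result.detection_fields.Status.value",
    "startTimeUtc": "additional.fields.StartTime.string_value",
    "endTimeUtc": "additional.fields.EndTime.string_value",
    "timeGeneratedUtc": "additional.fields.TimeGenerated.string_value",
    "productName": "metadata.product_name",
}
# Direct properties.extendedProperties.* -> UDM mappings, as listed in the table.
DIRECT_EXT = {
    "alert_Id": "metadata.product_log_id",
    "clientApplication": "principal.application",
    "clientLocation": "principal.location.country_or_region",
    "clientPrincipalName": "principal.user.userid",
    "compromisedEntity": "principal.resource.attribute.labels.CompromisedEntity.value",
    "resourceType": "principal.resource.name",
}

# Constructed sample alert (not from a real tenant).
SAMPLE_ALERT = {"properties": {
    "alertDisplayName": "Suspicious authentication activity",
    "alertType": "VM_SuspiciousAuthentication",
    "severity": "Medium", "status": "Active", "IsIncident": False,
    "entities": [{"location": {"city": "Dublin", "countryName": "Ireland",
                               "latitude": "53.35", "longitude": "-6.26"}}],
    "extendedProperties": {"clientIpAddress": "203.0.113.7",
                           "clientPrincipalName": "svc-backup@example.com",
                           "resourceType": "Virtual Machine"},
    "resourceIdentifiers": [{"$id": "westeurope_1", "type": "AzureResource"},
                            {"$id": "westeurope_2", "type": "LogAnalytics"}],
}}


def map_severity(raw, udm):
    """Known levels go to security_result.severity; anything else (for example
    Informational, which Defender does emit) goes to severity_details."""
    if raw is None:
        return
    if str(raw).upper() in SEVERITIES:
        udm["security_result.severity"] = str(raw).upper()
    else:
        udm["security_result.severity_details"] = str(raw)


def to_udm(alert):
    """Return a flat {udm_path: value} dict for one alert."""
    p = alert.get("properties", {})
    ext = p.get("extendedProperties", {})
    udm = {dst: p[src] for src, dst in DIRECT.items() if src in p}
    udm.update({dst: ext[src] for src, dst in DIRECT_EXT.items() if src in ext})
    map_severity(p.get("severity"), udm)
    if "IsIncident" in p:  # stored as a string: rules must compare to "true"/"false"
        udm["security_result.detection_fields.isIncident.value"] = str(p["IsIncident"]).lower()
    for ent in p.get("entities", []):
        loc = ent.get("location", {})
        if "city" in loc:
            udm["principal.location.city"] = loc["city"]
        if "countryName" in loc:
            udm["principal.location.country_or_region"] = loc["countryName"]
        for axis in ("latitude", "longitude"):
            if axis in loc:  # converted to float
                udm["principal.location.region_coordinates." + axis] = float(loc[axis])
    if "clientIpAddress" in ext:
        try:  # "parsed as IP address": keep only values that really are one (assumption)
            ip = str(ipaddress.ip_address(ext["clientIpAddress"]))
            udm["principal.ip"] = udm["principal.asset.ip"] = ip
        except ValueError:
            pass
    for idx, ident in enumerate(p.get("resourceIdentifiers", [])):
        for key in ("$id", "type"):  # key name gets the array index appended
            if key in ident:
                udm["additional.fields.%s_%d.string_value" % (key, idx)] = ident[key]
    # Default rows at the end of the table (UDM field names assumed, see docstring).
    udm.setdefault("metadata.product_name", DEFAULT_PRODUCT)
    udm.setdefault("metadata.vendor_name", DEFAULT_PRODUCT)
    has_actor = any(k.startswith(("principal.", "target.")) for k in udm)
    udm["metadata.event_type"] = "USER_RESOURCE_ACCESS" if has_actor else "GENERIC_EVENT"
    return udm


if __name__ == "__main__":
    for path, value in sorted(to_udm(SAMPLE_ALERT).items()):
        print(path, "=", value)
```

The two behaviours worth noticing before writing rules: a severity of Informational never reaches security_result.severity, only severity_details, and an alert with no principal or target fields is typed GENERIC_EVENT rather than USER_RESOURCE_ACCESS, so a rule keyed on event type alone will miss it.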
