Collect Microsoft Defender for Cloud alerts


This document explains how to collect Microsoft Defender for Cloud (formerly Azure Security Center) alerts by setting up a Google Security Operations feed. You can configure ingestion using two methods: Azure Event Hub (recommended) or the Third Party API.

Microsoft Defender for Cloud is a cloud-native application protection platform that provides unified security management and threat protection across Azure, hybrid, and multi-cloud workloads.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to the Microsoft Azure portal
  • Security Admin or Contributor role on the Azure subscription containing Defender for Cloud
  • Microsoft Defender for Cloud enabled on the subscription with at least one Defender plan active

Method 1: Azure Event Hub (recommended)

This method uses Defender for Cloud's Continuous Export feature to stream security alerts to an Azure Event Hub. Event Hub Capture writes the data to Azure Blob Storage, and Google SecOps ingests the logs from Blob Storage.

Configure Azure Storage Account

Create Storage Account

  1. In the Azure portal, search for Storage accounts.
  2. Click + Create.
  3. Provide the following configuration details:

    Setting               Value
    Subscription          Select your Azure subscription
    Resource group        Select existing or create new
    Storage account name  Enter a unique name (for example, secopsdefenderalerts)
    Region                Select the region closest to your Event Hub namespace
    Performance           Standard (recommended)
    Redundancy            LRS (Locally redundant storage) or GRS (Geo-redundant storage)
  4. Click Review + create.
  5. Review the overview and click Create.
  6. Wait for the deployment to complete.

Get Storage Account credentials

  1. Go to the Storage Account you created.
  2. In the left navigation, select Access keys under Security + networking.
  3. Click Show keys.
  4. Copy and save the following:
    • Storage account name
    • Key 1 or Key 2: The shared access key.

Create Event Hub namespace and Event Hub

Create Event Hub namespace

  1. In the Azure portal, search for Event Hubs.
  2. Click + Create.
  3. Provide the following configuration details:

    Setting         Value
    Subscription    Select your Azure subscription
    Resource group  Select the same resource group as your storage account
    Namespace name  Enter a unique name (for example, secops-defender-alerts)
    Location        Select the same region as your storage account
    Pricing tier    Standard (required for Event Hub Capture)
  4. Click Review + create, then click Create.
  5. Wait for the deployment to complete.

Create Event Hub

  1. Go to the Event Hub namespace you created.
  2. Click + Event Hub at the top.
  3. Provide the following configuration details:
    • Name: Enter a name (for example, defender-alerts).
    • Partition count: 2 (default, increase for higher throughput).
    • Cleanup policy: Delete.
    • Retention time (hrs): 24 (minimum, increase if needed for resilience).
  4. Click Review + create, then click Create.

Enable Event Hub Capture

  1. Go to the Event Hub you created (inside the namespace).
  2. In the left navigation, select Capture.
  3. Set Capture to On.
  4. Provide the following configuration details:

    Setting                Value
    Time window (minutes)  5 (or lower for near-real-time)
    Size window (MB)       300
    Capture Provider       Azure Blob Storage
    Azure Subscription     Select your subscription
    Storage Account        Select the storage account you created
    Blob Container         Create or select a container (for example, defender-alerts-capture)
  5. Click Save.

Configure Continuous Export to Event Hub

  1. In the Azure portal, search for Microsoft Defender for Cloud.
  2. In the left navigation, go to Environment settings.
  3. Select the subscription you want to export alerts from.
  4. In the left navigation, select Continuous export.
  5. Select the Event Hub tab.
  6. Set Export status to On.
  7. In the Exported data types section, select Security alerts.
  8. Optionally, set Include alert severity to filter by severity (for example, High and Medium only).
  9. In the Export configuration section, provide the following details:
    • Resource group: Select the resource group containing your Event Hub.
    • Event hub namespace: Select the namespace you created (for example, secops-defender-alerts).
    • Event hub name: Select the Event Hub you created (for example, defender-alerts).
    • Event hub policy name: Select RootManageSharedAccessKey.
  10. Click Save.
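Before creating the feed, it is worth confirming that capture files are actually landing in the container with the same credentials the feed will use. The script below is an added example for that check; it is not part of this documentation or of any Azure SDK. It signs a List Blobs request with the storage account name and shared access key using Shared Key authorization (an HMAC-SHA256 over a canonicalized request string), then reads the returned blob names and reports the latest capture time per Event Hub partition. It assumes the default Capture blob naming convention ({Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}.avro), the container name defender-alerts-capture, storage API version 2021-08-06, and the environment variable names AZURE_STORAGE_ACCOUNT, AZURE_STORAGE_KEY and CAPTURE_CONTAINER.

```python
import base64
import hashlib
import hmac
import os
import re
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STORAGE_API_VERSION = "2021-08-06"  # assumed; any version from 2015-02-21 on uses this string-to-sign layout

# Default Event Hub Capture blob layout (assumed unchanged from the default):
# {Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}.avro
CAPTURE_PATH = re.compile(
    r"^(?P<ns>[^/]+)/(?P<hub>[^/]+)/(?P<partition>\d+)/"
    r"(?P<y>\d{4})/(?P<mo>\d{2})/(?P<d>\d{2})/(?P<h>\d{2})/(?P<mi>\d{2})/(?P<s>\d{2})\.avro$")


def string_to_sign(account, container, x_ms_headers, query):
    """Shared Key string-to-sign for a bodyless GET against a container (Blob service layout).

    Layout: VERB, then the 11 standard headers (all empty for this request), then the
    x-ms-* headers lowercased and sorted as "name:value\n", then "/<account>/<path>"
    followed by "\n<name>:<value>" for every query parameter sorted by name.
    """
    canonical_headers = "".join(
        f"{k.lower()}:{x_ms_headers[k]}\n" for k in sorted(x_ms_headers, key=str.lower))
    canonical_resource = f"/{account}/{container}" + "".join(
        f"\n{k.lower()}:{query[k]}" for k in sorted(query, key=str.lower))
    return "GET\n" + "\n" * 11 + canonical_headers + canonical_resource


def shared_key_header(account, key_b64, container, x_ms_headers, query):
    """Authorization value: HMAC-SHA256 of the string-to-sign, keyed with the base64-decoded shared key."""
    digest = hmac.new(base64.b64decode(key_b64),
                      string_to_sign(account, container, x_ms_headers, query).encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


def list_blobs_request(account, key_b64, container, max_results=500):
    """Signed List Blobs request for the capture container."""
    query = {"restype": "container", "comp": "list", "maxresults": str(max_results)}
    headers = {
        "x-ms-date": datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT"),
        "x-ms-version": STORAGE_API_VERSION,
    }
    url = f"https://{account}.blob.core.windows.net/{container}?" + "&".join(
        f"{k}={v}" for k, v in query.items())
    auth = shared_key_header(account, key_b64, container, headers, query)
    headers["Authorization"] = auth
    return urllib.request.Request(url, headers=headers)


def blob_names(listing_xml):
    """Blob names from a List Blobs EnumerationResults document."""
    return [n.text for n in ET.fromstring(listing_xml).findall("Blobs/Blob/Name")]


def parse_capture_blob(name):
    """Namespace, event hub, partition and UTC write time from a capture blob name, or None."""
    m = CAPTURE_PATH.match(name)
    if not m:
        return None
    written = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                       int(m["h"]), int(m["mi"]), int(m["s"]), tzinfo=timezone.utc)
    return {"namespace": m["ns"], "event_hub": m["hub"],
            "partition": int(m["partition"]), "written": written}


def latest_per_partition(names):
    """Most recent capture time per partition; a partition absent here has produced no capture file yet."""
    latest = {}
    floor = datetime.min.replace(tzinfo=timezone.utc)
    for name in names:
        info = parse_capture_blob(name)
        if info and info["written"] > latest.get(info["partition"], floor):
            latest[info["partition"]] = info["written"]
    return latest


if __name__ == "__main__":
    account = os.environ["AZURE_STORAGE_ACCOUNT"]
    key = os.environ["AZURE_STORAGE_KEY"]
    container = os.environ.get("CAPTURE_CONTAINER", "defender-alerts-capture")
    with urllib.request.urlopen(list_blobs_request(account, key, container)) as resp:
        names = blob_names(resp.read())
    if not names:
        print("capture container is empty: check that Capture is On and Continuous Export is sending alerts")
    for partition, when in sorted(latest_per_partition(names).items()):
        print(f"partition {partition}: last capture file written {when.isoformat()}")
```

A 403 from the listing means the key or account name is wrong, or the storage firewall is blocking the machine you run this from; an empty listing with a correct key usually means Capture or Continuous Export is not yet producing data. The same shared key and container path go into the feed's Shared key and Azure URI parameters.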

Configure a feed in Google SecOps to ingest Defender for Cloud alerts

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Defender for Cloud Alerts - Event Hub).
  5. Select Microsoft Azure Blob Storage V2 as the Source type.
  6. Select Microsoft Security Center as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Azure URI: Enter the Blob Service endpoint URL with the capture container path:

      https://<storage-account>.blob.core.windows.net/defender-alerts-capture/
      
      • Replace <storage-account> with your Azure storage account name.
    • Source deletion option: Select the deletion option according to your preference:

      • Never: Never deletes any files after transfers.
      • Delete transferred files: Deletes files after successful transfer.
      • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.
    • Shared key: Enter the shared access key value from the Storage Account.
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

  1. In the Azure portal, go to your Storage Account.
  2. Select Networking under Security + networking.
  3. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
  4. In the Firewall section, under Address range, click + Add IP range.
  5. Add each Google SecOps IP range in CIDR notation.
  6. Click Save.

Method 2: Third Party API

This method uses the Azure Resource Manager API to retrieve Defender for Cloud alerts directly from your Azure subscription.

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings.

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Note the IP ranges displayed in the feed creation interface.
  4. Alternatively, retrieve IP ranges programmatically using the Feed Management API.

Configure Microsoft Entra app registration

Create app registration

  1. Sign in to the Microsoft Entra admin center or Azure portal.
  2. Go to Identity > Applications > App registrations.
  3. Click New registration.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name (for example, Google SecOps Defender for Cloud Integration).
    • Supported account types: Select Accounts in this organizational directory only (Single tenant).
    • Redirect URI: Leave blank (not required for service principal authentication).
  5. Click Register.
  6. After registration, copy and save the following values:
    • Application (client) ID
    • Directory (tenant) ID

Create client secret

  1. In the app registration, go to Certificates & secrets.
  2. Click New client secret.
  3. Provide the following configuration details:

    • Description: Enter a descriptive name (for example, Google SecOps Feed).
    • Expires: Select an expiration period.
  4. Click Add.
  5. Copy the client secret Value immediately.

Assign subscription-level role

The app registration requires read access to the Azure subscription to retrieve Defender for Cloud alerts.

  1. In the Azure portal, go to Subscriptions.
  2. Select the subscription containing Defender for Cloud.
  3. Copy and save the Subscription ID (UUID format, for example, a1b2c3d4-e5f6-7890-abcd-ef1234567890).
  4. Go to Access control (IAM).
  5. Click + Add > Add role assignment.
  6. In the Role tab, search for and select Security Reader.
  7. Click Next.
  8. In the Members tab, click + Select members.
  9. Search for your app registration name and select it.
  10. Click Select, then click Review + assign.

Configure a feed in Google SecOps to ingest Defender for Cloud alerts

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Microsoft Defender for Cloud Alerts).
  5. Select Third Party API as the Source type.
  6. Select Microsoft Security Center as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • OAuth Client ID: Enter the Application (client) ID from the app registration.
    • OAuth Client Secret: Enter the client secret value you copied earlier.
    • Subscription ID: Enter the Subscription ID you copied earlier in UUID format (for example, a1b2c3d4-e5f6-7890-abcd-ef1234567890).
    • Tenant ID: Enter the Directory (tenant) ID from the app registration in UUID format.
    • API Hostname: Enter the Azure Resource Manager API hostname:

      management.azure.com
      
    • API Authentication Endpoint: Enter the Microsoft Active Directory authentication endpoint:

      login.microsoftonline.com
      
    • Asset namespace: The asset namespace.
    • Ingestion labels: The label to be applied to the events from this feed.
  9. Click Next.
  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Regional endpoints

For Microsoft Azure deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment  API Hostname                  API Authentication Endpoint
Global             management.azure.com          login.microsoftonline.com
US Government      management.usgovcloudapi.net  login.microsoftonline.us
China (21Vianet)   management.chinacloudapi.cn   login.chinacloudapi.cn
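The script below is an added example, not part of this documentation or a Microsoft sample, that exercises the two calls the Third Party API feed (Method 2) depends on: an OAuth 2.0 client-credentials token request to the API Authentication Endpoint, followed by a list of the subscription's Defender for Cloud alerts from the API Hostname. It takes its hostname pairs from the regional endpoints table above, so a sovereign-cloud tenant requests a token scoped to its own Resource Manager endpoint rather than the global one. Running it with the app registration's values before creating the feed separates credential problems (a 401 on the token call) from authorization problems (a 403 on the alerts call, typically the missing Security Reader assignment). The api-version 2022-01-01 for the Microsoft.Security alerts operation and the environment variable names are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request
import uuid

# Hostname pairs from the regional endpoints table: (API Hostname, API Authentication Endpoint).
ENDPOINTS = {
    "global": ("management.azure.com", "login.microsoftonline.com"),
    "usgov": ("management.usgovcloudapi.net", "login.microsoftonline.us"),
    "china": ("management.chinacloudapi.cn", "login.chinacloudapi.cn"),
}

ALERTS_API_VERSION = "2022-01-01"  # assumed api-version for the Microsoft.Security alerts list operation


def require_uuid(name, value):
    """Reject malformed IDs early; the feed expects Subscription ID and Tenant ID in UUID format."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} must be a UUID, got {value!r}")


def token_request(cloud, tenant_id, client_id, client_secret):
    """Client-credentials token request for the given cloud: returns (url, urlencoded form body).

    The scope is the API hostname's /.default resource, so a US Government tenant
    gets a token for management.usgovcloudapi.net and not for the global endpoint.
    """
    api_host, auth_host = ENDPOINTS[cloud]
    tenant_id = require_uuid("Tenant ID", tenant_id)
    url = f"https://{auth_host}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"https://{api_host}/.default",
    })
    return url, body


def alerts_url(cloud, subscription_id):
    """URL of the subscription-scoped alerts list operation exposed by the Microsoft.Security provider."""
    api_host, _ = ENDPOINTS[cloud]
    subscription_id = require_uuid("Subscription ID", subscription_id)
    return (f"https://{api_host}/subscriptions/{subscription_id}"
            f"/providers/Microsoft.Security/alerts?api-version={ALERTS_API_VERSION}")


def summarize_alerts(payload):
    """Count alerts by severity from a decoded alerts list response (the 'value' array)."""
    counts = {}
    for alert in payload.get("value", []):
        severity = alert.get("properties", {}).get("severity", "Unknown")
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def fetch_alerts(cloud, tenant_id, client_id, client_secret, subscription_id):
    """Perform both calls and return the decoded alerts response.

    urllib raises HTTPError for non-2xx responses: 401 on the token call points at
    the client ID, secret or tenant; 403 on the alerts call points at the role assignment.
    """
    url, body = token_request(cloud, tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(alerts_url(cloud, subscription_id))
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    env = os.environ
    result = fetch_alerts(
        env.get("AZURE_CLOUD", "global"), env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
        env["AZURE_CLIENT_SECRET"], env["AZURE_SUBSCRIPTION_ID"])
    print(json.dumps(summarize_alerts(result), indent=2))
```

A successful run prints the alert count per severity for the subscription, which is also a quick way to sanity-check the severity filter chosen in the feed against what the API actually returns. The client secret is only ever sent to the token endpoint; keep it out of shell history by exporting it from a secrets manager rather than typing it inline.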

Multi-subscription ingestion

To ingest Defender for Cloud alerts from multiple Azure subscriptions, create a separate feed for each subscription. Each feed requires its own Subscription ID.

Alternatively, use the Event Hub method (Method 1) with Continuous Export configured on each subscription pointing to the same Event Hub namespace. This consolidates alerts from multiple subscriptions into a single Google SecOps feed.
