Alerts and incidents in Microsoft Defender XDR

Microsoft Defender for Cloud is now integrated with Microsoft Defender XDR. This integration allows security teams to access Defender for Cloud alerts and incidents within the Microsoft Defender Portal. This integration provides richer context to investigations that span cloud resources, devices, and identities.

The partnership with Microsoft Defender XDR allows security teams to get the complete picture of an attack, including suspicious and malicious events that happen in their cloud environment. Security teams can accomplish this goal through immediate correlations of alerts and incidents.

Microsoft Defender XDR offers a comprehensive solution that combines protection, detection, investigation, and response capabilities. The solution protects against attacks on devices, email, collaboration, identity, and cloud apps. Our detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.

Incidents and alerts are now part of Microsoft Defender XDR's public API. This integration allows exporting of security alerts data to any system using a single API. As Microsoft Defender for Cloud, we're committed to providing our users with the best possible security solutions, and this integration is a significant step towards achieving that goal.

Investigation experience in Microsoft Defender XDR

The following table describes, by area, the detection and investigation experience in Microsoft Defender XDR with Defender for Cloud alerts.

Incidents
All Defender for Cloud incidents are integrated into Microsoft Defender XDR.
- Searching for cloud resource assets in the incident queue is supported.
- The attack story graph shows the cloud resource.
- The Assets tab in an incident page shows the cloud resource.
- Each virtual machine has its own entity page containing all related alerts and activity.
There are no duplications of incidents from other Defender workloads.

Alerts
All Defender for Cloud alerts, including internal and external providers' alerts, are integrated into Microsoft Defender XDR. Defender for Cloud alerts show in the Microsoft Defender XDR alert queue. The cloud resource asset shows up in the Assets tab of an alert, and resources are clearly identified as Azure resources. Defender for Cloud alerts are automatically associated with a tenant. There are no duplications of alerts from other Defender workloads.

Alert and incident correlation
Alerts and incidents are automatically correlated, giving security operations teams the context they need to understand the complete attack story in their cloud environment.

Threat detection
Virtual entities are accurately matched to device entities to ensure precise and effective threat detection.

Unified API
Defender for Cloud alerts and incidents are now included in Microsoft Defender XDR's public API, allowing customers to export their security alerts data into other systems using one API.

Learn more about handling alerts in Microsoft Defender XDR.

Advanced hunting in XDR

Microsoft Defender XDR's advanced hunting capabilities are extended to include Defender for Cloud alerts and incidents. This integration allows security teams to hunt across all their cloud resources, devices, and identities in a single query.

The advanced hunting experience in Microsoft Defender XDR gives security teams the flexibility to write custom queries that hunt for threats across their environment; with this integration, those queries also cover Defender for Cloud alerts and incidents alongside devices and identities.

The CloudAuditEvents table in advanced hunting lets you investigate and hunt through control plane events and create custom detections that surface suspicious Azure Resource Manager and Kubernetes (KubeAudit) control plane activity.

The CloudProcessEvents table in advanced hunting lets you triage, investigate, and create custom detections for suspicious process activity invoked in your cloud infrastructure, with details about the process that was invoked.
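As an added example (not part of this page and not Microsoft's own sample queries), the two KQL queries below show the kind of hunting the CloudAuditEvents and CloudProcessEvents tables are meant for: the first looks at KubeAudit control plane events for pods created with a privileged container, the second looks at process activity inside containers where a shell invoked download tooling. Column names such as DataSource, OperationName, RawEventData, FileName, ProcessCommandLine, KubernetesNamespace and ContainerImageName are assumed from the published table schemas and are not given on this page; confirm them against the schema reference in your tenant before saving either query as a custom detection.

```kusto
// Added example; column names assumed from the published schemas, not from this page.

// Query 1 (CloudAuditEvents, KubeAudit source): successful pod creations in the
// last 7 days where at least one container requests privileged mode.
CloudAuditEvents
| where Timestamp > ago(7d)
| where DataSource == "Azure Kubernetes Service"
| where OperationName == "create"
// Only top-level pod objects, not subresources such as pods/exec or pods/log
| where tostring(RawEventData.ObjectRef.resource) == "pods"
    and isnull(RawEventData.ObjectRef.subresource)
// Keep only requests the API server accepted (2xx)
| where tostring(RawEventData.ResponseStatus.code) startswith "20"
// One row per container in the pod spec
| mv-expand Container = RawEventData.RequestObject.spec.containers
| where tobool(Container.securityContext.privileged) == true
| project Timestamp, ResourceId, IPAddress,
    PodNamespace   = tostring(RawEventData.ObjectRef.namespace),
    PodName        = tostring(RawEventData.RequestObject.metadata.name),
    ContainerImage = tostring(Container.image)
| order by Timestamp desc

// Query 2 (CloudProcessEvents): shell processes in containers whose command
// line pulls content with curl or wget, grouped so repeated noise is visible.
CloudProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("sh", "bash", "dash")
| where ProcessCommandLine has_any ("curl", "wget")
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
    SampleCommandLine = any(ProcessCommandLine)
    by AzureResourceId, KubernetesNamespace, KubernetesPodName,
       ContainerName, ContainerImageName, AccountName
| order by LastSeen desc
```

Run each query separately in the advanced hunting editor; the first query's filtering on RawEventData only works because that column is dynamic, so the nested fields are cast with tostring() and tobool() before comparison. When turning either query into a custom detection, narrow it further with the namespaces, images or resource IDs that are expected in your environment so that the rule fires on deviations rather than on routine deployments.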

Security alerts - a reference guide