Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Attention: All Microsoft Defender for Cloud features will be officially retired in Azure in China region on August 18, 2026 per the announcement posted by 21Vianet.
To help customers prevent, detect, and respond to threats, Microsoft Defender for Cloud collects and processes security-related data, including configuration information, metadata, event logs, and more. Microsoft adheres to strict compliance and security guidelines—from coding to operating a service.
This article explains how data is managed and safeguarded in Defender for Cloud.
Data sources
Defender for Cloud analyzes data from the following sources to provide visibility into your security state, identify vulnerabilities and recommend mitigations, and detect active threats:
- Azure services: Uses information about the configuration of Azure services you have deployed by communicating with that service’s resource provider. For Azure AI resources this includes AI prompts and responses. 
- Network traffic: Uses sampled network traffic metadata from Microsoft’s infrastructure, such as source/destination IP/port, packet size, and network protocol. 
- Partner solutions: Uses security alerts from integrated partner solutions, such as firewalls and antimalware solutions. 
- Your machines: Uses configuration details and information about security events, such as Windows event and audit logs, and syslog messages from your machines. 
Data protection
Data segregation
Data is kept logically separate on each component throughout the service. All data is tagged per organization. This tagging persists throughout the data lifecycle, and it's enforced at each layer of the service.
Data access
To provide security recommendations and investigate potential security threats, Microsoft personnel might access information collected or analyzed by Azure services, including process creation events, AI prompts and other artifacts, which might unintentionally include customer data or personal data from your machines.
We adhere to the Microsoft Online Services Data Protection Addendum, which states that Microsoft won't use Customer Data or derive information from it for any advertising or similar commercial purposes. We only use Customer Data as needed to provide you with Azure services, including purposes compatible with providing those services. You retain all rights to Customer Data.
Data use
Microsoft uses patterns and threat intelligence seen across multiple tenants to enhance our prevention and detection capabilities; we do so in accordance with the privacy commitments described in our Privacy Statement.
Microsoft Defender for Cloud does not use Customer Data to train AI models without user consent. As per the Microsoft Product Terms: Microsoft Defender for Cloud or Microsoft Generative AI Services do not use Customer Data to train any generative AI foundation model, unless pursuant to the Customer’s documented instructions.
Manage data collection from machines
When you enable Defender for Cloud in Azure, data collection is turned on for each of your Azure subscriptions. You can also enable data collection for your subscriptions in Defender for Cloud.
If you aren't using Microsoft Defender for Cloud's enhanced security features, you can also disable data collection from virtual machines in the Security Policy. Data Collection is required for subscriptions that are protected by enhanced security features. VM disk snapshots and artifact collection will still be enabled even if data collection has been disabled.
You can specify the workspace and region where data collected from your machines is stored. The default is to store data collected from your machines in the nearest workspace in China.
Data consumption
Customers can access Defender for Cloud related data from the following data streams:
| Stream | Data types | 
|---|---|
| Azure Monitor logs | All security alerts. | 
| Azure Resource Graph | Security alerts, security recommendations, vulnerability assessment results, secure score information, status of compliance checks, and more. | 
| Microsoft Defender for Cloud REST API | Security alerts, security recommendations, and more. | 
Note
If there are no Defender plans enabled on the subscription, data will be removed from Azure Resource Graph after 30 days of inactivity in the Microsoft Defender for Cloud portal. After interaction with artifacts in the portal related to the subscription, the data should be visible again within 24 hours.
Data retention
When the cloud security graph collects data from Azure and other data source, it retains the data for a 14 day period. After 14 days, the data is deleted.
Calculated data, might be kept for an additional 14 days. Calculated data consist of data that is derived from the raw data collected from the environment.
This information is collected in accordance with the privacy commitments described in our Privacy Statement.
Defender for Cloud AI threat protection plan includes storing of prompts and model responses of the protected subscriptions. The data is stored securelyand retained for purpose of pattern recognition and anomaly detections and stored for a duration of 30 days
Defender for Cloud and Microsoft Defender 365 Defender integration
When you enable any of Defender for Cloud's paid plans you automatically gain all of the benefits of Microsoft Defender XDR. Information from Defender for Cloud will be shared with Microsoft Defender XDR. This data might contain customer data and will be stored according to Microsoft 365 data handling guidelines.