forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathMicrosoftDefenderForCloudTenantBased.json
More file actions
91 lines (91 loc) · 3.56 KB
/
MicrosoftDefenderForCloudTenantBased.json
File metadata and controls
91 lines (91 loc) · 3.56 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
{
"id": "MicrosoftDefenderForCloudTenantBased",
"title": "Tenant-based Microsoft Defender for Cloud",
"publisher": "Microsoft",
"descriptionMarkdown": "Microsoft Defender for Cloud is a security management tool that allows you to detect and quickly respond to threats across Azure, hybrid, and multi-cloud workloads. This connector allows you to stream your MDC security alerts from Microsoft 365 Defender into Microsoft Sentinel, so you can can leverage the advantages of XDR correlations connecting the dots across your cloud resources, devices and identities and view the data in workbooks, queries and investigate and respond to incidents. For more information, see the [Microsoft Sentinel documentation](https://go.microsoft.com/fwlink/p/?linkid=2269832&wt.mc_id=sentinel_dataconnectordocs_content_cnl_csasci).",
"logo": "Microsoft.svg",
"graphQueriesTableName": "SecurityAlerts",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "SecurityAlerts",
"baseQuery": "SecurityAlert | where ProductName == \"Azure Security Center\""
}
],
"sampleQueries": [
{
"description": "All logs",
"query": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | sort by TimeGenerated"
},
{
"description": "Summarize by severity",
"query": "SecurityAlert\n| where ProductName == \"Azure Security Center\"\n| summarize count() by AlertSeverity"
}
],
"dataTypes": [
{
"name": "SecurityAlert(ASC)",
"lastDataReceivedQuery": "SecurityAlert | where ProductName == \"Azure Security Center\"\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "MtpAlerts",
"value": [
"MicrosoftDefenderForCloudTenantBased"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"tenant": [
"SecurityAdmin",
"GlobalAdmin"
],
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
}
],
"tenantMember": true
},
"instructionSteps": [
{
"title": "Connect Tenant-based Microsoft Defender for Cloud to Microsoft Sentinel",
"description": "After connecting this connector, **all** your Microsoft Defender for Cloud subscriptions' alerts will be sent to this Microsoft Sentinel workspace.\n\n> Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. Incidents can be viewed in the incidents queue.",
"instructions": [
{
"parameters": {
"title": "Tenant-based Microsoft Defender for Cloud",
"connectorKind": "MicrosoftDefenderForCloudTenantBased",
"enable": true,
"newPipelineEnabledFeatureFlagConfig": {
"feature": "MdcAlertsByMtp",
"featureStates": {
"1": 2,
"2": 2,
"3": 2,
"4": 2,
"5": 2
}
},
"infoBoxMessage": "Your Microsoft Defender for Cloud alerts are connected to stream through the Microsoft 365 Defender. To benefit from automated grouping of the alerts into incidents, connect the Microsoft 365 Defender incidents connector. Incidents can be viewed in the incidents queue",
"shouldAlwaysDisplayInfoMessage": true
},
"type": "MicrosoftDefenderForCloudTenantBased"
}
]
}
]
}