From 15847bd15385031bcb895f328241f1255db52b19 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 29 Sep 2025 21:05:56 +0530 Subject: [PATCH 1/6] azure-security-microsoft-defender-for-identity --- blog-service/2025-09-29-apps.md | 14 + cid-redirects.json | 1 + ...ecurity-microsoft-defender-for-identity.md | 249 ++++++++++++++++++ docs/integrations/microsoft-azure/index.md | 6 + .../microsoft-defender-for-identity.md | 56 ---- .../product-list/product-list-a-l.md | 2 +- sidebars.ts | 2 +- 7 files changed, 272 insertions(+), 58 deletions(-) create mode 100644 blog-service/2025-09-29-apps.md create mode 100644 docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md delete mode 100644 docs/integrations/microsoft-azure/microsoft-defender-for-identity.md diff --git a/blog-service/2025-09-29-apps.md b/blog-service/2025-09-29-apps.md new file mode 100644 index 0000000000..27b9011abd --- /dev/null +++ b/blog-service/2025-09-29-apps.md @@ -0,0 +1,14 @@ +--- +title: Azure Security - Microsoft Defender for Identity (Apps) +image: https://help.sumologic.com/img/reuse/rss-image.jpg +keywords: + - apps + - azure + - microsoft + - azure-security-microsoft-defender-for-identity +hide_table_of_contents: true +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +We're excited to introduce the new Sumo Logic app for Azure Security - Microsoft Defender for Identity. This app offers you enhanced capabilities to protect endpoints and defend against advanced cyber threats. [Learn more](/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity). \ No newline at end of file diff --git a/cid-redirects.json b/cid-redirects.json index 4f5ecc11bc..444b502eab 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -2940,6 +2940,7 @@
 "/cid/1107": "/docs/integrations/saas-cloud/aws-iam-users",
 "/cid/1109": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365",
 "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
+ "/cid/1110": "/docs/integrations/saas-cloud/azure-security-microsoft-defender-for-identity",
 "/Cloud_SIEM_Enterprise": "/docs/cse",
 "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
 "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
diff --git a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
new file mode 100644
index 0000000000..498a45086a
--- /dev/null
+++ b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
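Review bot: The new `/cid/1110` redirect points at `/docs/integrations/saas-cloud/azure-security-microsoft-defender-for-identity`, but the page this commit creates lives under `docs/integrations/microsoft-azure/` (the neighbouring `/cid/1109` entry for Defender for Office 365 already uses that directory), so the short link will resolve to a missing page. Change the value to `"/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",`. The `/cid` keys in this hunk are also out of numeric order (1107, 1109, 1108, 1110), which is presumably why the wrong directory was easy to miss. Separately, the commit deletes `docs/integrations/microsoft-azure/microsoft-defender-for-identity.md` without adding a redirect from its old URL here, so existing inbound links to that page will break unless another mechanism covers it.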
@@ -0,0 +1,249 @@ +--- +id: azure-security-microsoft-defender-for-identity +title: Azure Security - Microsoft Defender for Identity +description: Learn how to collect alerts from the Azure Security - Microsoft Defender for Identity platform and send them to Sumo Logic for analysis. +--- + +import useBaseUrl from '@docusaurus/useBaseUrl'; + +Thumbnail icon + +The Azure Security – Microsoft Defender for Identity app enhances endpoint protection by centralising alert data from various devices, enabling faster detection, investigation, and response to cyber threats. It uses advanced analytics and threat intelligence to identify malicious behaviour and high-risk activity. With detailed dashboards and visualisations, it helps security teams track recurring incidents, assess vulnerabilities, and reduce response time, offering a comprehensive view of your organisation’s endpoint security posture. + +::note +This app includes [built-in monitors](#azure-security---microsoft-defender-for-identity-alerts). For details on creating custom monitors, refer to [Create monitors for Azure Security - Microsoft Defender for Identity app](#create-monitors-for-azure-security---microsoft-defender-for-identity-app) +::: + +## Log types + +The Azure Security – Microsoft Defender for Identity app uses SumoLogic’s Microsoft Graph Security source to collect [alerts](https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) from the Microsoft Graph Security source. + +### Sample log messages + +
+Alert Log + +```json +{ + "@odata.type": "#microsoft.graph.security.alert", + "id": "da637551227677560813_-961444813", + "providerAlertId": "da637551227677560813_-961444813", + "incidentId": "28282", + "status": "new", + "severity": "low", + "classification": "unknown", + "determination": "unknown", + "serviceSource": "microsoftDefenderForIdenity", + "detectionSource": "antivirus", + "detectorId": "e0da400f-affd-43ef-b1d5-afc2eb6f2756", + "tenantId": "b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "title": "Suspicious execution of hidden file", + "description": "A hidden file has been launched. This activity could indicate a compromised host. Attackers often hide files associated with malicious tools to evade file system inspection and defenses.", + "recommendedActions": "Collect artifacts and determine scope Review the machine timeline for suspicious activities that may have occurred before and after the time of the alert, and record additional related artifacts (files, IPs/URLs) Look for the presence of relevant artifacts on other systems.", + "category": "DefenseEvasion", + "assignedTo": null, + "alertWebUrl": "https://security.microsoft.com/alerts/da637551227677560813_-961444813?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "incidentWebUrl": "https://security.microsoft.com/incidents/28282?tid=b3c1b5fc-828c-45fa-a1e1-10d74f6d6e9c", + "actorDisplayName": null, + "threatDisplayName": null, + "threatFamilyName": null, + "mitreTechniques": [ + "T1564.001" + ], + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "lastUpdateDateTime": "2021-05-02T14:19:01.3266667Z", + "resolvedDateTime": null, + "firstActivityDateTime": "2021-04-26T07:45:50.116Z", + "lastActivityDateTime": "2021-05-02T07:56:58.222Z", + "comments": [], + "evidence": [ + { + "@odata.type": "#microsoft.graph.security.deviceEvidence", + "createdDateTime": "2021-04-27T12:19:27.7211305Z", + "verdict": "unknown", + "remediationStatus": "none", + "remediationStatusDetails": null, + "firstSeenDateTime": 
"2020-09-12T07:28:32.4321753Z", + "mdeDeviceId": "73e7e2de709dff64ef64b1d0c30e67fab63279db", + "azureAdDeviceId": null, + "deviceDnsName": "yonif-lap3.middleeast.corp.microsoft.com", + "hostName": "yonif-lap3", + "ntDomain": null, + "dnsDomain": "middleeast.corp.microsoft.com", + "osPlatform": "Windows10", + "osBuild": 22424, + "version": "Other", + "healthStatus": "active", + "riskScore": "medium", + "rbacGroupId": 75, + "rbacGroupName": "UnassignedGroup", + "onboardingStatus": "onboarded", + "defenderAvStatus": "unknown", + "ipInterfaces": [ + "1.1.1.1" + ], + "loggedOnUsers": [], + "roles": [ + "compromised" + ], + "detailedRoles": [ + "Main device" + ], + "tags": [ + "Test Machine" + ], + "vmMetadata": { + "vmId": "ca1b0d41-5a3b-4d95-b48b-f220aed11d78", + "cloudProvider": "azure", + "resourceId": "/subscriptions/8700d3a3-3bb7-4fbe-a090-488a1ad04161/resourceGroups/WdatpApi-EUS-STG/providers/Microsoft.Compute/virtualMachines/NirLaviTests", + "subscriptionId": "8700d3a3-3bb7-4fbe-a090-488a1ad04161" + } + } + ], + "systemTags" : [ + "Defender Experts" + ] +} +``` +
+ +### Sample queries + +```sql title="Alerts by Status" +_sourceCategory=MicrosoftGraphSecurityIdentity +|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop + +| where toLowerCase(service_source) matches("microsoftdefenderforidentity") + +// global filters +| where if ("{{severity}}" = "*", true, severity matches "{{severity}}") +| where if ("{{status}}" = "*", true, status matches "{{status}}") +| where if ("{{classification}}" = "*", true, classification matches "{{classification}}") + +// panel specific +| count by status,alert_id +| count as frequency by status +| sort by frequency,status +``` + +```sql title="Alerts by Classification" +_sourceCategory=MicrosoftGraphSecurityIdentity +|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop + +| where toLowerCase(service_source) matches("microsoftdefenderforidentity") + +// global filters +| where if ("{{severity}}" = "*", true, severity matches "{{severity}}") +| where if ("{{status}}" = "*", true, status matches "{{status}}") +| where if ("{{classification}}" = "*", true, classification matches "{{classification}}") + +// panel specific +| where !isBlank(classification) +| count by classification,alert_id +| count as frequency by classification +| sort by frequency +``` + +```sql title="Top 10 Alert Categories" +_sourceCategory=MicrosoftGraphSecurityIdentity 
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop + +| where toLowerCase(service_source) matches("microsoftdefenderforidentity") + +// global filters +| where if ("{{severity}}" = "*", true, severity matches "{{severity}}") +| where if ("{{status}}" = "*", true, status matches "{{status}}") +| where if ("{{classification}}" = "*", true, classification matches "{{classification}}") + +// panel specific +| where !isBlank(category) +| count by category,alert_id +| count as frequency by category +| sort by frequency +| limit 10 +``` + +## Collection configuration and app installation + +:::note +- Skip this step if you have already configured the [Microsoft Graph Security API Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/). +- Select **Use the existing source and install the app** to install the app using the `sourceCategory` of the Microsoft Graph Security API Source configured above. +::: + +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; + + + +:::important +Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your Azure Security - Microsoft Defender for Identity app is properly integrated and configured to collect and analyze your Azure Security - Microsoft Defender for Identity data. 
+::: + +### Create a new collector and install the app + +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; + + + +### Use an existing collector and install the app + +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; + + + +### Use an existing source and install the app + +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; + + + +## Viewing the Azure Security - Microsoft Defender for Identity dashboards + +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; + + + +### Overview + +The **Azure Security - Microsoft Defender for Identity - Overview** dashboard provides a comprehensive view of security threats detected across endpoints, enabling analysts to quickly assess, prioritise, and respond to potential incidents. Through an extensive set of visualisations, it presents key metrics such as total alerts, high-severity alerts, and their breakdown by status, classification, determination, service source, and detection source. + +Security teams can easily identify dominant alert categories, monitor the most recent alerts for immediate action, and track analyst assignments to ensure accountability. The dashboard also highlights top users associated with alerts, helping detect insider threats or compromised accounts that may require deeper investigation. + +Geo-location mapping adds another layer of insight by showing the origin of alerts, supporting region-specific risk assessments. By combining historical trends with real-time visibility, the dashboard enables security teams to focus on high-impact threats and improve response times. +
Azure Security - Microsoft Defender for Identity - Overview + +### Security + +The **Azure Security - Microsoft Defender for Identity - Security** dashboard offers a strategic, high-level view of the organisation’s endpoint threat landscape, enabling security teams to pinpoint risk concentrations and monitor how threats evolve over time. Interactive trend panels display shifts in alert severity, helping teams quickly identify surges in high-risk incidents and prioritise their response accordingly. + +Geo-location insights spotlight alerts originating from high-risk regions, supporting threat assessments tied to specific geopolitical contexts. The dashboard also provides critical visibility into top user accounts with compromised or privileged roles—potential indicators of targeted attacks or insider threats. + +Additionally, it ranks the most frequently attacked devices and highlights countries linked to malicious or suspicious IP activity, offering clear insight into the most vulnerable assets and regions. This intelligence allows for more focused defences and faster, more effective threat mitigation. + +By integrating trend analysis, threat origin mapping, and user risk profiling, the Security dashboard empowers analysts to detect emerging patterns, respond proactively, and strengthen the organisation’s resilience against sophisticated endpoint threats. +
Azure Security - Microsoft Defender for Identity - Security + +## Create monitors for Azure Security - Microsoft Defender for Identity app + +import CreateMonitors from '../../reuse/apps/create-monitors.md'; + + + +### Azure Security - Microsoft Defender for Identity alerts + +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | +|:--|:--|:--|:--| +| `Alerts Detected from Embargoed Locations` | This alert is triggered when activity is detected from a location flagged as high-risk, enabling you to monitor access attempts from unusual or restricted geographic regions. It enhances your ability to spot suspicious behaviour and potential threats originating from locations outside your organisation’s typical operating areas. | Critical | Count > 0 | +| `High Severity Alerts` | This alert is triggered when a high-severity threat is detected, allowing you to promptly monitor and respond to potentially harmful events that may compromise endpoint security. It ensures critical incidents are prioritised for swift investigation and mitigation. | Critical | Count > 0| +| `Embargoed Device` | This alert is triggered when a single device generates multiple alerts, indicating potentially malicious behaviour. It helps you identify high-risk devices, monitor suspicious activity more effectively, and take swift action to prevent further compromise. | Critical | Count > 5 | + +## Upgrade/Downgrade the Azure Security - Microsoft Defender for Office 365 app (Optional) + +import AppUpdate from '../../reuse/apps/app-update.md'; + + + +## Uninstalling the Azure Security - Microsoft Defender for Office 365 app (Optional) + +import AppUninstall from '../../reuse/apps/app-uninstall.md'; + + \ No newline at end of file diff --git a/docs/integrations/microsoft-azure/index.md b/docs/integrations/microsoft-azure/index.md index ec74640dcf..a2001164d5 100644 --- a/docs/integrations/microsoft-azure/index.md +++ b/docs/integrations/microsoft-azure/index.md 
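Review bot: The sample alert log sets `"serviceSource": "microsoftDefenderForIdenity"` (missing the second "t"), so it would not match the filter `| where toLowerCase(service_source) matches("microsoftdefenderforidentity")` used by every sample query on the same page; the deleted page's query and the query filters use `microsoftDefenderForIdentity`, so the sample value should read `"serviceSource": "microsoftDefenderForIdentity",`. The rest of that sample (`"detectionSource": "antivirus"`, `mdeDeviceId`, device evidence) looks like a Defender for Endpoint alert reused as-is, so a representative identity alert may be worth substituting. The two closing headings, `## Upgrade/Downgrade the Azure Security - Microsoft Defender for Office 365 app (Optional)` and `## Uninstalling the Azure Security - Microsoft Defender for Office 365 app (Optional)`, name the wrong product and should say `Microsoft Defender for Identity`. The intro also describes the app as enhancing "endpoint protection by centralising alert data from various devices", which reads as carried over from the Endpoint page rather than describing an identity-threat product; the `::note` admonition with two colons is already corrected to `:::info` in PATCH 2/6.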
@@ -281,6 +281,12 @@ This guide has documentation for all of the apps that Sumo Logic provides for Mi

Learn about the Sumo Logic collection process for the Azure Security - Defender for Cloud service.

+
+
+ thumbnail icon

Azure Security - Microsoft Defender for Identity

+

Learn about the Sumo Logic collection process for the Azure Security - Microsoft Defender for Identity

+
+
thumbnail icon

Azure Security - Microsoft Defender for Office 365

diff --git a/docs/integrations/microsoft-azure/microsoft-defender-for-identity.md b/docs/integrations/microsoft-azure/microsoft-defender-for-identity.md deleted file mode 100644 index 197d4e6646..0000000000 --- a/docs/integrations/microsoft-azure/microsoft-defender-for-identity.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -id: microsoft-defender-for-identity -title: Microsoft Defender for Identity -sidebar_label: Microsoft Defender for Identity -description: The Sumo Logic App for Microsoft Defender for Identity outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform. ---- - -import useBaseUrl from '@docusaurus/useBaseUrl'; - -Thumbnail icon - -Microsoft Defender for Identity is a cloud-based security solution that help you secure your identity monitoring across your organization. It helps deliver a modern identity threat detection (ITDR) solution across hybrid environments, including: -- Prevent breaches, using proactive identity security posture assessments. -- Detect threats, using real-time analytics and data intelligence. -- Investigate suspicious activities, using clear, actionable incident information. -- Respond to attacks, using automatic response to compromised identities. - -This document outlines the steps required to collect and analyse the [Microsoft Defender for Identity](https://learn.microsoft.com/en-us/defender-for-identity/what-is) alerts in the Sumo Logic platform. - -## Set up collection - -:::note -Skip this step if you have already configured the Microsoft Graph Security API Source. -::: - -Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Identity to the Sumo Logic platform. - -## Search alerts - -Use the following query to retrieve alerts generated by the Microsoft Defender for Identity. 
- -```sql -_sourcecategory=Labs/MicrosoftGraphSecurity -| json field=_raw "serviceSource" as service_source -| where service_source = "microsoftDefenderForIdentity" -``` - -## Analyse alerts - -Use the following query to extract detailed insights from the alert data: - -```sql -_sourceCategory=Labs/MicrosoftGraphSecurity -|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop -| where service_source = "microsoftDefenderForIdentity" -| where severity matches "*" and status matches "*" and classification matches "*" -| if(isNull(category),"-",category) as category -| if(isNull(classification),"-",classification) as classification -| if(isNull(determination),"-",determination) as determination -| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id -| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time -| tourl (alert_url,alert_id) as alert_id -| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination -| fields -_messageTime -| sort by time -``` \ No newline at end of file diff --git a/docs/integrations/product-list/product-list-a-l.md b/docs/integrations/product-list/product-list-a-l.md index 5c3b919abb..27b7b5320d 100644 --- a/docs/integrations/product-list/product-list-a-l.md +++ b/docs/integrations/product-list/product-list-a-l.md 
@@ -119,7 +119,7 @@ For descriptions of the different types of integrations Sumo Logic offers, see [ | Thumbnail icon | [AWS Simple Notification Service](https://aws.amazon.com/sns/) | Automation integration: [AWS Simple Notification Service](/docs/platform-services/automation-service/app-central/integrations/aws-simple-notification-service/) | | Thumbnail icon | [AWS WAF](https://aws.amazon.com/waf/) | Apps:
- [AWS WAF](/docs/integrations/amazon-aws/waf/)
- [AWS WAF Cloud Security Monitoring and Analytics](/docs/integrations/cloud-security-monitoring-analytics/aws-waf/)
Automation integration: [AWS WAF](/docs/platform-services/automation-service/app-central/integrations/aws-waf/)
Cloud SIEM integration: [Amazon AWS - Web Application Firewall (WAF)](https://github.com/SumoLogic/cloud-siem-content-catalog/blob/master/products/072b85a2-1765-45c2-911d-b0509880326e.md) | | Thumbnail icon | [Axonius](https://www.axonius.com/) | Automation integration: [Axonius](/docs/platform-services/automation-service/app-central/integrations/axonius/) | -| Thumbnail icon | [Azure](https://azure.microsoft.com/en-us) | Apps:
- [Azure Analysis Services](/docs/integrations/microsoft-azure/azure-analysis-services/)
- [Azure API Management](/docs/integrations/microsoft-azure/azure-api-management/)
- [Azure App Configuration](/docs/integrations/microsoft-azure/azure-app-configuration/)
- [Azure Application Gateway](/docs/integrations/microsoft-azure/azure-application-gateway/)
- [Azure App Service Environment](/docs/integrations/microsoft-azure/azure-app-service-environment/)
- [Azure App Service Plan](/docs/integrations/microsoft-azure/azure-app-service-plan/)
- [Azure Audit](/docs/integrations/microsoft-azure/audit/)
- [Azure Automation](/docs/integrations/microsoft-azure/azure-automation/)
- [Azure Backup](/docs/integrations/microsoft-azure/azure-backup/)
- [Azure Batch](/docs/integrations/microsoft-azure/azure-batch/)
- [Azure Cache for Redis](/docs/integrations/microsoft-azure/azure-cache-for-redis/)
- [Azure Cognitive Search](/docs/integrations/microsoft-azure/azure-cognitive-search/)
- [Azure Container Instances](/docs/integrations/microsoft-azure/azure-container-instances/)
- [Azure Cosmos DB](/docs/integrations/microsoft-azure/azure-cosmos-db/)
- [Azure Cosmos DB for PostgreSQL](/docs/integrations/microsoft-azure/azure-cosmos-db-for-postgresql/)
- [Azure Data Explorer](/docs/integrations/microsoft-azure/azure-data-explorer/)
- [Azure Data Factory](/docs/integrations/microsoft-azure/azure-data-factory/)
- [Azure Database for MariaDB](/docs/integrations/microsoft-azure/azure-database-for-mariadb/)
- [Azure Database for MySQL](/docs/integrations/microsoft-azure/azure-database-for-mysql/)
- [Azure Database for PostgreSQL](/docs/integrations/microsoft-azure/azure-database-for-postgresql/)
- [Azure Event Grid](/docs/integrations/microsoft-azure/azure-event-grid/)
- [Azure Event Hubs](/docs/integrations/microsoft-azure/azure-event-hubs/)
- [Azure Front Door](/docs/integrations/microsoft-azure/azure-front-door/)
- [Azure Functions](/docs/integrations/microsoft-azure/azure-functions/)
- [Azure HDInsight](/docs/integrations/microsoft-azure/azure-hdinsight/)
- [Azure IoT Hub](/docs/integrations/microsoft-azure/azure-iot-hub/)
- [Azure Key Vault](/docs/integrations/microsoft-azure/azure-key-vault/)
- [Azure Kubernetes Service (AKS) - Control Plane](/docs/integrations/microsoft-azure/kubernetes/)
- [Azure Load Balancer](/docs/integrations/microsoft-azure/azure-load-balancer/)
- [Azure Logic App](/docs/integrations/microsoft-azure/azure-logic-app/)
- [Azure Machine Learning](/docs/integrations/microsoft-azure/azure-machine-learning/)
- [Azure Monitor Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source)
- [Azure Monitor Metrics](/docs/send-data/collect-from-other-data-sources/azure-monitoring/collect-metrics-azure-monitor/)
- [Azure Monitoring](/docs/send-data/collect-from-other-data-sources/azure-monitoring/)
- [Azure Network Interface](/docs/integrations/microsoft-azure/azure-network-interface/)
- [Azure Network Watcher](/docs/integrations/microsoft-azure/network-watcher/)
- [Azure Notification Hubs](/docs/integrations/microsoft-azure/azure-notification-hubs/)
- [Azure Public IP Addresses](/docs/integrations/microsoft-azure/azure-public-ipAddress/)
- [Azure Relay](/docs/integrations/microsoft-azure/azure-relay/)
- [Azure Security -Advisor](/docs/integrations/microsoft-azure/azure-security-advisor/)
- [Azure Security - Defender for Cloud](/docs/integrations/microsoft-azure/azure-security-defender-for-cloud/)
- [Azure Security - Microsoft Defender for Endpoint](/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint/)
- [Azure Security - Microsoft Defender for Office 365](/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365)
- [Azure Service Bus](/docs/integrations/microsoft-azure/azure-service-bus/)
- [Azure SQL](/docs/integrations/microsoft-azure/sql/)
- [Azure SQL Elastic Pool](/docs/integrations/microsoft-azure/azure-sql-elastic-pool/)
- [Azure SQL Managed Instance](/docs/integrations/microsoft-azure/azure-sql-managed-instance/)
- [Azure Storage](/docs/integrations/microsoft-azure/azure-storage/)
- [Azure Stream Analytics](/docs/integrations/microsoft-azure/azure-stream-analytics/)
- [Azure Synapse Analytics](/docs/integrations/microsoft-azure/azure-synapse-analytics/)
- [Azure Virtual Network](/docs/integrations/microsoft-azure/azure-virtual-network/)
- [Azure Virtual Machine](/docs/integrations/microsoft-azure/azure-virtual-machine/)
- [Azure Web Apps](/docs/integrations/microsoft-azure/web-apps/)
Automation integration: [Azure AD](/docs/platform-services/automation-service/app-central/integrations/azure-ad/)
Collectors:
- [Azure Blob Storage](/docs/send-data/collect-from-other-data-sources/azure-blob-storage/block-blob/collect-logs)
- [Azure Event Hubs Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/azure-event-hubs-source/)
- [Migrating to Azure Event Hubs Cloud-to-Cloud Source](/docs/send-data/collect-from-other-data-sources/azure-monitoring/azure-event-hubs-source-migration)
Webhook: [Webhook Connection for Microsoft Azure Functions](/docs/alerts/webhook-connections/microsoft-azure-functions/) | +| Thumbnail icon | [Azure](https://azure.microsoft.com/en-us) | Apps:
- [Azure Analysis Services](/docs/integrations/microsoft-azure/azure-analysis-services/)
- [Azure API Management](/docs/integrations/microsoft-azure/azure-api-management/)
- [Azure App Configuration](/docs/integrations/microsoft-azure/azure-app-configuration/)
- [Azure Application Gateway](/docs/integrations/microsoft-azure/azure-application-gateway/)
- [Azure App Service Environment](/docs/integrations/microsoft-azure/azure-app-service-environment/)
- [Azure App Service Plan](/docs/integrations/microsoft-azure/azure-app-service-plan/)
- [Azure Audit](/docs/integrations/microsoft-azure/audit/)
- [Azure Automation](/docs/integrations/microsoft-azure/azure-automation/)
- [Azure Backup](/docs/integrations/microsoft-azure/azure-backup/)
- [Azure Batch](/docs/integrations/microsoft-azure/azure-batch/)
- [Azure Cache for Redis](/docs/integrations/microsoft-azure/azure-cache-for-redis/)
- [Azure Cognitive Search](/docs/integrations/microsoft-azure/azure-cognitive-search/)
- [Azure Container Instances](/docs/integrations/microsoft-azure/azure-container-instances/)
- [Azure Cosmos DB](/docs/integrations/microsoft-azure/azure-cosmos-db/)
- [Azure Cosmos DB for PostgreSQL](/docs/integrations/microsoft-azure/azure-cosmos-db-for-postgresql/)
- [Azure Data Explorer](/docs/integrations/microsoft-azure/azure-data-explorer/)
- [Azure Data Factory](/docs/integrations/microsoft-azure/azure-data-factory/)
- [Azure Database for MariaDB](/docs/integrations/microsoft-azure/azure-database-for-mariadb/)
- [Azure Database for MySQL](/docs/integrations/microsoft-azure/azure-database-for-mysql/)
- [Azure Database for PostgreSQL](/docs/integrations/microsoft-azure/azure-database-for-postgresql/)
- [Azure Event Grid](/docs/integrations/microsoft-azure/azure-event-grid/)
- [Azure Event Hubs](/docs/integrations/microsoft-azure/azure-event-hubs/)
- [Azure Front Door](/docs/integrations/microsoft-azure/azure-front-door/)
- [Azure Functions](/docs/integrations/microsoft-azure/azure-functions/)
- [Azure HDInsight](/docs/integrations/microsoft-azure/azure-hdinsight/)
- [Azure IoT Hub](/docs/integrations/microsoft-azure/azure-iot-hub/)
- [Azure Key Vault](/docs/integrations/microsoft-azure/azure-key-vault/)
- [Azure Kubernetes Service (AKS) - Control Plane](/docs/integrations/microsoft-azure/kubernetes/)
- [Azure Load Balancer](/docs/integrations/microsoft-azure/azure-load-balancer/)
- [Azure Logic App](/docs/integrations/microsoft-azure/azure-logic-app/)
- [Azure Machine Learning](/docs/integrations/microsoft-azure/azure-machine-learning/)
- [Azure Monitor Logs](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source)
- [Azure Monitor Metrics](/docs/send-data/collect-from-other-data-sources/azure-monitoring/collect-metrics-azure-monitor/)
- [Azure Monitoring](/docs/send-data/collect-from-other-data-sources/azure-monitoring/)
- [Azure Network Interface](/docs/integrations/microsoft-azure/azure-network-interface/)
- [Azure Network Watcher](/docs/integrations/microsoft-azure/network-watcher/)
- [Azure Notification Hubs](/docs/integrations/microsoft-azure/azure-notification-hubs/)
- [Azure Public IP Addresses](/docs/integrations/microsoft-azure/azure-public-ipAddress/)
- [Azure Relay](/docs/integrations/microsoft-azure/azure-relay/)
- [Azure Security -Advisor](/docs/integrations/microsoft-azure/azure-security-advisor/)
- [Azure Security - Defender for Cloud](/docs/integrations/microsoft-azure/azure-security-defender-for-cloud/)
- [Azure Security - Microsoft Defender for Endpoint](/docs/integrations/microsoft-azure/microsoft-defender-for-endpoint/)
- [Azure Security - Microsoft Defender for Identity](/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity)
- [Azure Security - Microsoft Defender for Office 365](/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365)
- [Azure Service Bus](/docs/integrations/microsoft-azure/azure-service-bus/)
- [Azure SQL](/docs/integrations/microsoft-azure/sql/)
- [Azure SQL Elastic Pool](/docs/integrations/microsoft-azure/azure-sql-elastic-pool/)
- [Azure SQL Managed Instance](/docs/integrations/microsoft-azure/azure-sql-managed-instance/)
- [Azure Storage](/docs/integrations/microsoft-azure/azure-storage/)
- [Azure Stream Analytics](/docs/integrations/microsoft-azure/azure-stream-analytics/)
- [Azure Synapse Analytics](/docs/integrations/microsoft-azure/azure-synapse-analytics/)
- [Azure Virtual Network](/docs/integrations/microsoft-azure/azure-virtual-network/)
- [Azure Virtual Machine](/docs/integrations/microsoft-azure/azure-virtual-machine/)
- [Azure Web Apps](/docs/integrations/microsoft-azure/web-apps/)
Automation integration: [Azure AD](/docs/platform-services/automation-service/app-central/integrations/azure-ad/)
Collectors:
- [Azure Blob Storage](/docs/send-data/collect-from-other-data-sources/azure-blob-storage/block-blob/collect-logs)
- [Azure Event Hubs Source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/azure-event-hubs-source/)
- [Migrating to Azure Event Hubs Cloud-to-Cloud Source](/docs/send-data/collect-from-other-data-sources/azure-monitoring/azure-event-hubs-source-migration)
Webhook: [Webhook Connection for Microsoft Azure Functions](/docs/alerts/webhook-connections/microsoft-azure-functions/) | ## B diff --git a/sidebars.ts b/sidebars.ts index c9c92e6d62..0cf3c07c16 100644 --- a/sidebars.ts +++ b/sidebars.ts @@ -2240,10 +2240,10 @@ integrations: [ 'integrations/microsoft-azure/kubernetes', 'integrations/microsoft-azure/azure-security-advisor', 'integrations/microsoft-azure/azure-security-defender-for-cloud', + 'integrations/microsoft-azure/Azure Security - Microsoft Defender for Identity', 'integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365', 'integrations/microsoft-azure/microsoft-defender-for-cloud-apps', 'integrations/microsoft-azure/microsoft-defender-for-endpoint', - 'integrations/microsoft-azure/microsoft-defender-for-identity', 'integrations/microsoft-azure/microsoft-dynamics365-customer-insights', 'integrations/microsoft-azure/microsoft-entra-id-protection', 'integrations/microsoft-azure/microsoft-purview-data-loss-prevention', From dc719665dea566a8078a7b3d2ae252b5b9e1b5f2 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Mon, 29 Sep 2025 21:21:13 +0530 Subject: [PATCH 2/6] uploaded dashboard images --- ...azure-security-microsoft-defender-for-identity.md | 12 ++++++------ sidebars.ts | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md index 498a45086a..458b84ee71 100644 --- a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md +++ b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md 
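Review bot: The added sidebar entry `'integrations/microsoft-azure/Azure Security - Microsoft Defender for Identity'` is the page title, not its document id; the new file's frontmatter declares `id: azure-security-microsoft-defender-for-identity`, so this reference will not resolve at build time. Replace the line with `'integrations/microsoft-azure/azure-security-microsoft-defender-for-identity',` to match the pattern of the surrounding entries such as `azure-security-microsoft-defender-for-office-365`. The PATCH 2/6 diffstat shows `sidebars.ts | 2 +-`, which may already be this correction, but that hunk is not visible here.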
@@ -10,8 +10,8 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; The Azure Security – Microsoft Defender for Identity app enhances endpoint protection by centralising alert data from various devices, enabling faster detection, investigation, and response to cyber threats. It uses advanced analytics and threat intelligence to identify malicious behaviour and high-risk activity. With detailed dashboards and visualisations, it helps security teams track recurring incidents, assess vulnerabilities, and reduce response time, offering a comprehensive view of your organisation’s endpoint security posture. -::note -This app includes [built-in monitors](#azure-security---microsoft-defender-for-identity-alerts). For details on creating custom monitors, refer to [Create monitors for Azure Security - Microsoft Defender for Identity app](#create-monitors-for-azure-security---microsoft-defender-for-identity-app) +:::info +This app includes [built-in monitors](#azure-security---microsoft-defender-for-identity-alerts). For details on creating custom monitors, refer to [Create monitors for Azure Security - Microsoft Defender for Identity app](#create-monitors-for-azure-security---microsoft-defender-for-identity-app). ::: ## Log types @@ -209,7 +209,7 @@ The **Azure Security - Microsoft Defender for Identity - Overview** dashboard pr Security teams can easily identify dominant alert categories, monitor the most recent alerts for immediate action, and track analyst assignments to ensure accountability. The dashboard also highlights top users associated with alerts, helping detect insider threats or compromised accounts that may require deeper investigation. Geo-location mapping adds another layer of insight by showing the origin of alerts, supporting region-specific risk assessments. By combining historical trends with real-time visibility, the dashboard enables security teams to focus on high-impact threats and improve response times. -
Azure Security - Microsoft Defender for Identity - Overview +
Azure Security - Microsoft Defender for Identity - Overview ### Security @@ -220,7 +220,7 @@ Geo-location insights spotlight alerts originating from high-risk regions, suppo Additionally, it ranks the most frequently attacked devices and highlights countries linked to malicious or suspicious IP activity, offering clear insight into the most vulnerable assets and regions. This intelligence allows for more focused defences and faster, more effective threat mitigation. By integrating trend analysis, threat origin mapping, and user risk profiling, the Security dashboard empowers analysts to detect emerging patterns, respond proactively, and strengthen the organisation’s resilience against sophisticated endpoint threats. -
Azure Security - Microsoft Defender for Identity - Security +
Azure Security - Microsoft Defender for Identity - Security ## Create monitors for Azure Security - Microsoft Defender for Identity app @@ -236,13 +236,13 @@ import CreateMonitors from '../../reuse/apps/create-monitors.md'; | `High Severity Alerts` | This alert is triggered when a high-severity threat is detected, allowing you to promptly monitor and respond to potentially harmful events that may compromise endpoint security. It ensures critical incidents are prioritised for swift investigation and mitigation. | Critical | Count > 0| | `Embargoed Device` | This alert is triggered when a single device generates multiple alerts, indicating potentially malicious behaviour. It helps you identify high-risk devices, monitor suspicious activity more effectively, and take swift action to prevent further compromise. | Critical | Count > 5 | -## Upgrade/Downgrade the Azure Security - Microsoft Defender for Office 365 app (Optional) +## Upgrade/Downgrade the Azure Security - Microsoft Defender for Identity app (Optional) import AppUpdate from '../../reuse/apps/app-update.md'; -## Uninstalling the Azure Security - Microsoft Defender for Office 365 app (Optional) +## Uninstalling the Azure Security - Microsoft Defender for Identity app (Optional) import AppUninstall from '../../reuse/apps/app-uninstall.md'; diff --git a/sidebars.ts b/sidebars.ts index 0cf3c07c16..9c2af31c96 100644 --- a/sidebars.ts +++ b/sidebars.ts 
@@ -2240,7 +2240,7 @@ integrations: [
 'integrations/microsoft-azure/kubernetes',
 'integrations/microsoft-azure/azure-security-advisor',
 'integrations/microsoft-azure/azure-security-defender-for-cloud',
- 'integrations/microsoft-azure/Azure Security - Microsoft Defender for Identity',
+ 'integrations/microsoft-azure/azure-security-microsoft-defender-for-identity',
 'integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365',
 'integrations/microsoft-azure/microsoft-defender-for-cloud-apps',
 'integrations/microsoft-azure/microsoft-defender-for-endpoint',
From f546766f1ff05eac06910e34f7748518c6a9d057 Mon Sep 17 00:00:00 2001
From: Amee Lepcha
Date: Mon, 29 Sep 2025 21:58:29 +0530
Subject: [PATCH 3/6] Update cid-redirects.json
---
 cid-redirects.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cid-redirects.json b/cid-redirects.json
index 444b502eab..364e8685cd 100644
--- a/cid-redirects.json
+++ b/cid-redirects.json
@@ -2940,7 +2940,7 @@
 "/cid/1107": "/docs/integrations/saas-cloud/aws-iam-users",
 "/cid/1109": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365",
 "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
- "/cid/1110": "/docs/integrations/saas-cloud/azure-security-microsoft-defender-for-identity",
+ "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
 "/Cloud_SIEM_Enterprise": "/docs/cse",
 "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
 "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
From 1145fd12fe9f3406cc62648f8eddf247eff88fa6 Mon Sep 17 00:00:00 2001
From: Amee Lepcha
Date: Tue, 30 Sep 2025 10:12:11 +0530
Subject: [PATCH 4/6] Update docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com>
---
 .../azure-security-microsoft-defender-for-identity.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
index 458b84ee71..cbefa476da 100644
--- a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
+++ b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md
@@ -8,7 +8,7 @@ import useBaseUrl from '@docusaurus/useBaseUrl'; Thumbnail icon -The Azure Security – Microsoft Defender for Identity app enhances endpoint protection by centralising alert data from various devices, enabling faster detection, investigation, and response to cyber threats. It uses advanced analytics and threat intelligence to identify malicious behaviour and high-risk activity. With detailed dashboards and visualisations, it helps security teams track recurring incidents, assess vulnerabilities, and reduce response time, offering a comprehensive view of your organisation’s endpoint security posture. +The Sumo Logic app for Azure Security – Microsoft Defender for Identity enhances endpoint protection by centralizing alert data from various devices, enabling faster detection, investigation, and response to cyber threats. It uses advanced analytics and threat intelligence to identify malicious behavior and high-risk activity. With detailed dashboards and visualizations, it helps security teams track recurring incidents, assess vulnerabilities, and reduce response time, offering a comprehensive view of your organization’s endpoint security posture. :::info This app includes [built-in monitors](#azure-security---microsoft-defender-for-identity-alerts). For details on creating custom monitors, refer to [Create monitors for Azure Security - Microsoft Defender for Identity app](#create-monitors-for-azure-security---microsoft-defender-for-identity-app). From 722d3755812cd83129a56940d5b3789225c96e91 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Tue, 30 Sep 2025 10:12:19 +0530 Subject: [PATCH 5/6] Update docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md Co-authored-by: Kim (Sumo Logic) <56411016+kimsauce@users.noreply.github.com> --- .../azure-security-microsoft-defender-for-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md index cbefa476da..074dda3bc9 100644 --- a/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md +++ b/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity.md @@ -16,7 +16,7 @@ This app includes [built-in monitors](#azure-security---microsoft-defender-for-i ## Log types -The Azure Security – Microsoft Defender for Identity app uses SumoLogic’s Microsoft Graph Security source to collect [alerts](https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) from the Microsoft Graph Security source. +The Azure Security – Microsoft Defender for Identity app uses Sumo Logic’s Microsoft Graph Security source to collect [alerts](https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) from the Microsoft Graph Security source. ### Sample log messages From 125f7f51e7c09408d7368904d7501daf51c3a569 Mon Sep 17 00:00:00 2001 From: Amee Lepcha Date: Tue, 30 Sep 2025 13:25:07 +0530 Subject: [PATCH 6/6] redirected the path --- cid-redirects.json | 1 + 1 file changed, 1 insertion(+) diff --git a/cid-redirects.json b/cid-redirects.json index 364e8685cd..0720d64315 100644 --- a/cid-redirects.json +++ b/cid-redirects.json 
@@ -2941,6 +2941,7 @@
 "/cid/1109": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-office-365",
 "/cid/1108": "/docs/integrations/saas-cloud/trellix-mvision-epo",
 "/cid/1110": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
+ "/docs/integrations/microsoft-azure/microsoft-defender-for-identity/": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",
 "/Cloud_SIEM_Enterprise": "/docs/cse",
 "/Cloud_SIEM_Enterprise/Administration": "/docs/cse/administration",
 "/Cloud_SIEM_Enterprise/Administration/Cloud_SIEM_Enterprise_Feature_Update_(2022)": "/docs/cse/administration",
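Review bot: The new redirect key `"/docs/integrations/microsoft-azure/microsoft-defender-for-identity/"` carries a trailing slash while every other key in this hunk (`"/cid/1110"`, `"/Cloud_SIEM_Enterprise"`, and the rest) does not. If the redirect plugin matches keys literally rather than normalizing trailing slashes, an existing link to the deleted page in its slash-less form would 404 instead of landing on the renamed page; the plugin's matching rule is not visible from here, so this should be confirmed before merge. The consistent form is `"/docs/integrations/microsoft-azure/microsoft-defender-for-identity": "/docs/integrations/microsoft-azure/azure-security-microsoft-defender-for-identity",`, with the slash variant added as a second entry only if the plugin is known to be strict.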