Microsoft Defender for Cloud

microsoft-defender-for-cloud

Classification:

attack

Goal

Detect when Microsoft Defender for Cloud raises an alert.

Strategy

Defender for Cloud collects, analyzes, and integrates log data from your Azure, hybrid, and multicloud resources, the network, and connected partner solutions, such as firewalls and endpoint agents. Defender for Cloud uses the log data to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Defender for Cloud, along with the information you need to quickly investigate the problem and take steps to remediate an attack.

Microsoft provides an alert reference guide for understanding each type of alert generated.

Triage and response

  1. Investigate the Microsoft Defender for Cloud alert to determine if it is malicious or benign.
  2. If the finding is deemed malicious, follow the remediation guidance provided by Microsoft and also any internal incident response processes.
  3. A suppression rule can be created to manage noisy or false positive alerts.
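The triage flow above, as an added example that is not part of this rule page: a small helper that takes Defender for Cloud alert records, drops those matched by a suppression rule, and orders the rest by severity for investigation. The field names (AlertType, Severity, CompromisedEntity, AlertDisplayName) follow the Defender for Cloud alert schema; the suppression-rule shape and the sample alert values are assumptions constructed for illustration.

```python
"""Triage helper for Microsoft Defender for Cloud alerts (added example)."""
from dataclasses import dataclass

# Severity values used by Defender for Cloud alerts. An unrecognised value is
# ranked above High so a malformed or new alert is never silently buried.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
UNKNOWN_RANK = 4


@dataclass(frozen=True)
class SuppressionRule:
    """Assumed rule shape: suppress one AlertType, optionally limited to
    alerts whose CompromisedEntity starts with entity_prefix."""
    alert_type: str
    entity_prefix: str = ""


def is_suppressed(alert: dict, rules: list[SuppressionRule]) -> bool:
    """True when any rule matches the alert's type and entity prefix."""
    for rule in rules:
        if alert.get("AlertType") != rule.alert_type:
            continue
        if alert.get("CompromisedEntity", "").startswith(rule.entity_prefix):
            return True
    return False


def severity_rank(alert: dict) -> int:
    """Numeric rank for sorting; unknown severities sort first, not last."""
    return SEVERITY_RANK.get(alert.get("Severity"), UNKNOWN_RANK)


def prioritize(alerts: list[dict], rules: list[SuppressionRule]) -> list[dict]:
    """Drop suppressed alerts and return the rest ordered for investigation."""
    kept = [a for a in alerts if not is_suppressed(a, rules)]
    return sorted(kept, key=severity_rank, reverse=True)


# Constructed sample alerts; the AlertType names are made up for the example.
SAMPLE_ALERTS = [
    {"AlertType": "Sample_SuspiciousScript", "Severity": "Medium",
     "CompromisedEntity": "prod-web-01", "AlertDisplayName": "Suspicious script"},
    {"AlertType": "Sample_PortScan", "Severity": "Low",
     "CompromisedEntity": "scanner-vm-01", "AlertDisplayName": "Port scan from VM"},
    {"AlertType": "Sample_PrivilegedContainer", "Severity": "High",
     "CompromisedEntity": "aks-prod", "AlertDisplayName": "Privileged container"},
    {"AlertType": "Sample_PortScan", "Severity": "Low",
     "CompromisedEntity": "prod-web-02", "AlertDisplayName": "Port scan from VM"},
]
# Assumed rule: port-scan alerts from the authorised scanner hosts are noise,
# but the same alert type from any other host is still surfaced.
SAMPLE_RULES = [SuppressionRule("Sample_PortScan", entity_prefix="scanner-")]
```

Scoping a suppression rule to the entity, as the sample rule does, keeps the same alert type visible when it fires on a host that is not an approved scanner.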