Ingest Microsoft Defender for Cloud security events

  • Latest Dynatrace
  • How-to guide
  • Preview

This page has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

The Dynatrace integration with the Microsoft Defender for Cloud CNAPP platform lets you unify and contextualize vulnerability findings across DevSecOps tools and products, enabling central prioritization, visualization, and automation of security findings.

The initial version of this integration ingests container image vulnerability assessments (part of the Microsoft Defender for Containers plan), powered by Microsoft Defender Vulnerability Management.

How it works

  1. Microsoft Defender for Cloud continuously exports security findings to Azure Event Hubs.

  2. An Azure Function app pre-processes the events and sends them to Dynatrace through the dedicated OpenPipeline security events ingest endpoint.

  3. The received data is mapped to the Dynatrace Semantic Dictionary.

  4. Data is stored in Grail in a unified format, in the default bucket default_securityevents. For details, see Built-in Grail buckets.

Prerequisites

See below for the Microsoft Defender for Cloud and Dynatrace requirements.

Microsoft Defender for Cloud requirements

Dynatrace requirements

Get started

  1. In Dynatrace, open Dynatrace Hub.
  2. Look for Microsoft Defender for Cloud and select Install.
  3. Select Set up, then select Configure new connection.
  4. Follow the on-screen instructions to set up the ingestion.

Monitor data

Once your Microsoft Defender for Cloud data is ingested into Grail, you can monitor it in the app (in Dynatrace, go to Settings > Microsoft Defender for Cloud).

You can view

  • A chart of ingested data from all existing connections over time

  • A table with information about your connections

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

To use a dashboard template

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

To use a workflow template

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks or Security Investigator, using the data format described in the Semantic Dictionary.

To query ingested data

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. Select Open with.
  3. Select Notebooks or Security Investigator.

Delete connections

To stop sending events to Dynatrace

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. For the connection you want to delete, select Delete.
  3. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Frequently asked questions (FAQ)

Which data model is used for the security logs and events coming from Microsoft Defender for Cloud?

  • Vulnerability finding events store the individual vulnerability findings reported by Microsoft Defender for Cloud per container image and component.

  • Vulnerability scan events indicate coverage of scans for individual container images.

Which extension fields are added on the events ingested from Microsoft Defender for Cloud?

The container_image namespace is added to hold the container image-related information, with the following fields:

  • container_image.digest represents the container image digest; use this value to match findings to runtime containers (tags are mutable, the digest is not)

  • container_image.repository represents the container repository name

  • container_image.registry represents the container registry name

  • container_image.tags represents the tags (labeled versions) of the container image

What Microsoft Defender for Cloud asset types are supported by Dynatrace for runtime contextualization?

CONTAINER_IMAGE: all findings from Microsoft Defender for Cloud come from vulnerability assessments of container images. They are ingested with the object.type field set to CONTAINER_IMAGE, and the container_image namespace is added.

How do we normalize the risk score for Microsoft Defender for Cloud findings?

  • dt.security.risk.level is mapped directly from the severity level set by Microsoft Defender for Cloud.

  • dt.security.risk.score is mapped directly from the severity score set by Microsoft Defender for Cloud.

finding.severity -> dt.security.risk.level    dt.security.risk.score (mapped from finding.score)
Critical         -> CRITICAL                  9.0-10.0
High             -> HIGH                      7.0-8.9
Medium           -> MEDIUM                    4.0-6.9
Low              -> LOW                       0.1-3.9
Unknown, None    -> NONE                      0.0
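The pre-processing step described under How it works and the field mapping covered by this FAQ (the container_image namespace, object.type, and the risk normalization above), as an added Python example; this is not Dynatrace's function app code. The Defender input is a constructed, simplified sub-assessment with placeholder CVE IDs and digests; field names other than those this page lists (container_image.*, object.type, finding.severity, finding.score, dt.security.risk.level, dt.security.risk.score) are assumptions, and the POST to the OpenPipeline security events endpoint is omitted so the block runs offline. It goes beyond the FAQ in two ways: it audits the failure mode the independent level/score mapping allows (a vendor severity whose score falls outside the documented band), and it joins findings to a constructed runtime inventory by digest rather than by tag.

```python
# Added example: pre-process a Microsoft Defender for Cloud container-image
# finding into Dynatrace security-event fields. Not Dynatrace's function app.
from __future__ import annotations

from typing import Any

# dt.security.risk.level per Defender severity (table on this page).
SEVERITY_TO_LEVEL = {"Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM",
                     "Low": "LOW", "Unknown": "NONE", "None": "NONE"}
# dt.security.risk.score band documented for each level (used by the audit only).
SCORE_BANDS = {"CRITICAL": (9.0, 10.0), "HIGH": (7.0, 8.9), "MEDIUM": (4.0, 6.9),
               "LOW": (0.1, 3.9), "NONE": (0.0, 0.0)}


def cvss_base_score(extra: dict[str, Any]) -> float | None:
    """Base score of the newest CVSS version present, or None if unscored."""
    cvss = extra.get("cvss") or {}
    if not cvss:
        return None
    newest = max(cvss, key=lambda v: tuple(int(p) for p in v.split(".")))
    return float(cvss[newest]["base"])


def normalize_risk(severity: str | None, score: float | None) -> tuple[str, float]:
    """Level comes from severity and score from score, independently, as the page states.
    An unrecognised severity fails loudly instead of silently becoming NONE."""
    key = "Unknown" if severity is None else severity
    if key not in SEVERITY_TO_LEVEL:
        raise ValueError(f"unrecognised Defender severity: {severity!r}")
    return SEVERITY_TO_LEVEL[key], 0.0 if score is None else round(float(score), 1)


def to_security_event(finding: dict[str, Any]) -> dict[str, Any]:
    """Flat field set for one vulnerability finding event."""
    extra = finding["additionalData"]
    if extra.get("assessedResourceType") != "AzureContainerRegistryVulnerability":
        raise ValueError("only container image assessments are mapped")
    severity = finding.get("status", {}).get("severity")
    score = cvss_base_score(extra)
    level, risk_score = normalize_risk(severity, score)
    return {
        "event.kind": "SECURITY_EVENT",                    # assumed field and value
        "event.type": "VULNERABILITY_FINDING",             # assumed field and value
        "event.provider": "Microsoft Defender for Cloud",  # assumed field and value
        "vulnerability.external_id": finding["id"],        # assumed field
        "finding.severity": severity,
        "finding.score": score,
        "dt.security.risk.level": level,
        "dt.security.risk.score": risk_score,
        "object.type": "CONTAINER_IMAGE",
        # container_image namespace; the digest is the key for runtime matching
        "container_image.digest": extra["imageDigest"],
        "container_image.registry": extra["registryHost"],
        "container_image.repository": extra["repositoryName"],
        "container_image.tags": list(extra.get("imageTags", [])),
    }


def risk_band_consistent(event: dict[str, Any]) -> bool:
    """Audit: because level and score are mapped independently, a vendor severity
    that disagrees with its CVSS score lands outside the documented band."""
    lo, hi = SCORE_BANDS[event["dt.security.risk.level"]]
    return lo <= event["dt.security.risk.score"] <= hi


def runtime_matches(events: list[dict[str, Any]],
                    running: list[dict[str, str]]) -> list[tuple[str, str]]:
    """Join findings to running containers by image digest; tags are mutable,
    so they are deliberately not the join key."""
    by_digest: dict[str, list[dict[str, Any]]] = {}
    for ev in events:
        by_digest.setdefault(ev["container_image.digest"], []).append(ev)
    return [(c["name"], ev["vulnerability.external_id"])
            for c in running for ev in by_digest.get(c["image_digest"], [])]


DIGEST_A, DIGEST_B = "sha256:" + "a1" * 32, "sha256:" + "b2" * 32  # constructed
# Constructed sample input: simplified sub-assessment shape, placeholder CVE ids.
SAMPLE_FINDINGS = [
    {"id": "CVE-0000-0001", "status": {"severity": "High"},
     "additionalData": {"assessedResourceType": "AzureContainerRegistryVulnerability",
                        "registryHost": "contoso.azurecr.io", "repositoryName": "payments/api",
                        "imageDigest": DIGEST_A, "imageTags": ["1.4.2", "latest"],
                        "cvss": {"3.1": {"base": 7.5}}}},
    {"id": "CVE-0000-0002", "status": {"severity": "Medium"},  # severity and score disagree
     "additionalData": {"assessedResourceType": "AzureContainerRegistryVulnerability",
                        "registryHost": "contoso.azurecr.io", "repositoryName": "payments/worker",
                        "imageDigest": DIGEST_B, "imageTags": ["2.0.0"],
                        "cvss": {"3.0": {"base": 7.0}, "3.1": {"base": 7.2}}}},
]
RUNNING_CONTAINERS = [{"name": "payments-api-7c9d", "image_digest": DIGEST_A}]  # constructed

if __name__ == "__main__":
    events = [to_security_event(f) for f in SAMPLE_FINDINGS]
    for ev in events:
        print(ev["vulnerability.external_id"], ev["dt.security.risk.level"],
              ev["dt.security.risk.score"], "" if risk_band_consistent(ev) else "<- band mismatch")
    print(runtime_matches(events, RUNNING_CONTAINERS))
```

The second sample finding is the case worth watching: because dt.security.risk.level is taken from the vendor severity and dt.security.risk.score from the CVSS score, a Medium finding with a 7.2 score is ingested exactly as Defender reports it, but it sits outside the MEDIUM band in the table above. Dashboards or workflows that filter on level alone will rank it below what its score suggests, so an audit like risk_band_consistent is worth running before automating on either field.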