Ingest Microsoft Defender for Cloud security events

  • Latest Dynatrace
  • How-to guide

This page has been updated to align with the new Grail security events table. For the complete list of updates and actions needed to accomplish the migration, follow the steps in the Grail security table migration guide.

Ingest Microsoft Defender for Cloud security events and analyze them in Dynatrace.

Get started

Overview

Dynatrace integration with Microsoft Defender for Cloud CNAPP platform allows users to unify and contextualize vulnerability findings across DevSecOps tools and products, enabling central prioritization, visualization, and automation of security findings.

In the initial version of this integration, we bring container image vulnerability assessments (part of the Microsoft Defender for Containers plan), powered by Microsoft Defender Vulnerability Management capabilities.

Use cases

  • Visualize and report your current security posture and trends around security findings across environments with Dashboards Dashboards.

  • Analyze and prioritize security findings across multiple tools and products uniformly with Notebooks Notebooks.

  • Create notifications and tickets for critical security findings with Workflows Workflows.

  • Use security findings as an additional dimension for threat hunting and incident forensics using Security Investigator.

Requirements

See below for the Microsoft Defender for Cloud and Dynatrace requirements.

Microsoft Defender for Cloud requirements

Dynatrace requirements

  • Permissions:

    • To query ingested data: storage:security.events:read.

  • Tokens:

Activation and setup

  1. In Dynatrace, open Hub.
  2. Look for Microsoft Defender for Cloud and select Install.
  3. Select Set up, then select Configure new connection.
  4. Follow the on-screen instructions to set up the ingestion.

Details

How it works

how it works

1. Events are ingested into Dynatrace

  1. Microsoft Defender for Cloud continuously exports security findings to Azure Event Hubs.

  2. An Azure Function app pre-processes the events and sends them to Dynatrace, taking advantage of the OpenPipeline dedicated security events ingest endpoint.

2. Security findings are processed and stored in Grail

  1. The fetched data is mapped to the Dynatrace Semantic Dictionary.

  2. Data is stored in Grail in a unified format, in a default bucket called default_securityevents. For details, see Built-in Grail buckets.

Monitor data

Once you ingest your Microsoft Defender for Cloud data into Grail, you can monitor your data in the app (in Dynatrace, go to Settings > Microsoft Defender for Cloud).

msftdefender

You can view

  • A chart of ingested data from all existing connections over time

  • A table with information about your connections

Visualize and analyze findings

You can create your own dashboards or use our templates to visualize and analyze container vulnerability findings.

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. In the Try our templates section, select the desired dashboard template.

Automate and orchestrate findings

You can create your own workflows or use our templates to automate and orchestrate container vulnerability findings.

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. In the Try our templates section, select the desired workflow template.

Query ingested data

You can query ingested data in Notebooks Notebooks or Security Investigator Security Investigator, using the data format in Semantic Dictionary.

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. Select Open with .
  3. Select Notebooks or Security Investigator.

Evaluate, triage, and investigate detection findings

You can evaluate, triage, and investigate detection findings with Threats & Exploits Threats & Exploits.

  1. In Dynatrace, open Threats & Exploits Threats & Exploits.
  2. Filter for Provider > Microsoft Defender for Cloud.

Delete connections

To stop sending events to Dynatrace

  1. In Dynatrace, go to Settings > Microsoft Defender for Cloud.
  2. For the connection you want to delete, select Delete.
  3. Follow the on-screen instructions to delete the resources. If you used values different from those specified in the setup dialog, adjust them accordingly.

This removes the Dynatrace resources created for this integration.

Licensing and cost

For billing information, see Events powered by Grail.

FAQ

Which data model is used for the security logs and events coming from Microsoft Defender for Cloud?

Which extension fields are added on the events ingested from Microsoft Defender for Cloud?

The container_image namespace is added to store all the container image-related information with the following fields:

  • container_image.digest represents the container image digest; this value can be used to match to the runtime containers

  • container_image.repository represents the container repository name

  • container_image.registry represents the container registry name

  • container_image.tags represents the labeled versions of the container images

What Microsoft Defender for Cloud asset types are supported by Dynatrace for runtime contextualization?

CONTAINER_IMAGE: All the findings from Microsoft Defender for Cloud are generated by vulnerability assessments of container images set with CONTAINER_IMAGE value in the object.type field, and the container_image namespace is added.

How do we normalize the risk score for Microsoft Defender for Cloud findings?

Dynatrace normalizes severity and risk scores for all findings ingested through the current integration. This helps you to prioritize findings consistently, regardless of their source.
For details on how normalization works, see Severity and score normalization.

  • dt.security.risk.level is mapped directly from the severity level set by Microsoft Defender for Cloud.

  • dt.security.risk.score is mapped directly from the severity score set by Microsoft Defender for Cloud.

dt.security.risk.level (mapped from finding.severity)dt.security.risk.score (mapped from finding.score)
Critical -> CRITICAL9.0-10.0
High -> HIGH7.0-8.9
Medium -> MEDIUM4.0-6.9
Low -> LOW0.1-3.9
Unknown, None -> NONE0.0
Hub

Explore in Dynatrace Hub

Ingest Microsoft Defender for Cloud security findings and scan events.

Related tags
Threat Observability