Ingest Microsoft Defender for Cloud security events

Latest Dynatrace Preview

The Dynatrace integration with the Microsoft Defender for Cloud CNAPP platform lets you unify and contextualize vulnerability findings across DevSecOps tools and products, enabling central prioritization, visualization, and automation of security findings.

In the initial version of this integration, we bring container image vulnerability assessments (part of the Microsoft Defender for Containers plan), powered by Microsoft Defender Vulnerability Management capabilities.

How it works


  1. Microsoft Defender for Cloud continuously exports security findings to Azure Event Hubs.

  2. An Azure Function app pre-processes the events and sends them to Dynatrace through the dedicated OpenPipeline security events ingest endpoint.

  3. The fetched data is mapped to the Dynatrace semantic conventions.

  4. Data is stored in Grail in a unified format, in a default bucket called default_security_custom_events. For details, see Built-in Grail buckets.

Prerequisites

See below for the Microsoft Defender for Cloud and Dynatrace requirements.

Microsoft Defender for Cloud requirements

Dynatrace requirements

  • Generate an access token for security events ingestion with the openpipeline.events_security scope and save it for later.

Get started

To set up Microsoft Defender for Cloud ingestion, follow the steps below.

To download and deploy the configuration in your Azure subscription

  1. Download the azure_appsec_deployment.bicep file.

  2. In Azure CLI, run az login and select your Dynatrace subscription.

  3. Select a resource group or create a new one.

    To create a new resource group, run the command below, making sure to replace <RESOURCE_GROUP_NAME> and <LOCATION> with your values.

    az group create --name <RESOURCE_GROUP_NAME> --location <LOCATION>

    To view a list of locations:

    az account list-locations

  4. Run the bicep deployment, making sure to replace <RESOURCE_GROUP_NAME>, <YOUR_ENVIRONMENT_ID>, <DT_TOKEN>, and <DEPLOYMENT_NAME> with your values.

    az deployment group create --resource-group <RESOURCE_GROUP_NAME> \
      --template-file azure_appsec_deployment.bicep \
      --parameters dt_api_url=https://<YOUR_ENVIRONMENT_ID>.live.dynatrace.com/platform/ingest/v1/events.security \
                   dt_token=<DT_TOKEN> \
      --name <DEPLOYMENT_NAME>

    To verify that your deployment is complete, in Azure portal, go to your resource group and select Deployments.

  5. Set up continuous export to the Dynatrace event hub.

    In Continuous export, make sure to enter the following information:

    • For Export configuration, select the resource group you used or created in step 3 above.

    • For Export target, select the name of the Dynatrace subscription you deployed to in step 4 above.

      The event hub namespace, name, and policy name are filled in automatically with the values created during deployment.

    [Figure: example continuous export configuration in the Azure portal]

Verify the configuration by running the following queries in Notebooks:

  • For security finding events:

    fetch events
    | filter dt.system.bucket == "default_security_custom_events"
    | filter event.kind == "SECURITY_EVENT"
      AND event.provider == "Microsoft Defender for Cloud"
      AND event.type == "VULNERABILITY_FINDING"

  • For scan events:

    fetch events
    | filter dt.system.bucket == "default_security_custom_events"
    | filter event.kind == "SECURITY_EVENT"
      AND event.provider == "Microsoft Defender for Cloud"
      AND event.type == "VULNERABILITY_SCAN"

Use cases

With the ingested data, you can accomplish various use cases, such as

Frequently asked questions (FAQ)

Which data model is used for the security logs and events coming from Microsoft Defender for Cloud?

  • Vulnerability finding events store the individual vulnerability findings reported by Microsoft Defender for Cloud per container image and component.

  • Vulnerability scan events indicate coverage of scans for individual container images.

Which extension fields are added on the events ingested from Microsoft Defender for Cloud?

The container_image namespace is added to store all the container image-related information with the following fields:

  • container_image.digest represents the container image digest; this value can be used to match to the runtime containers

  • container_image.repository represents the container repository name

  • container_image.registry represents the container registry name

  • container_image.tags represents the labeled versions of the container images

What Microsoft Defender for Cloud asset types are supported by Dynatrace for runtime contextualization?

CONTAINER_IMAGE: All findings from Microsoft Defender for Cloud are generated by vulnerability assessments of container images. For these events the object.type field is set to CONTAINER_IMAGE and the container_image namespace is added.

How do we normalize the risk score for Microsoft Defender for Cloud findings?

  • dt.security.risk.level is mapped directly from the severity level set by Microsoft Defender for Cloud.

  • dt.security.risk.score is mapped directly from the severity score set by Microsoft Defender for Cloud.

dt.security.risk.level (mapped from finding.severity)    dt.security.risk.score (mapped from finding.score)
Critical -> CRITICAL                                     9.0-10.0
High -> HIGH                                             7.0-8.9
Medium -> MEDIUM                                         4.0-6.9
Low -> LOW                                               0.1-3.9
Unknown, None -> NONE                                    0.0
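As an added example (not Dynatrace's Azure Function code), the following Python sketches the pre-processing step described on this page: it applies the severity-to-level mapping from the table above, passes the score through unchanged, flags a score that falls outside the documented band for its level, fills the event fields and container_image namespace from the FAQ, and builds the POST to the events.security endpoint named in the deployment's dt_api_url parameter. The input shape (SAMPLE_FINDING), its constructed image values and the score_in_documented_band helper flag are assumptions for illustration, not Dynatrace fields.

```python
import json
import urllib.request
from typing import Any, Dict, List

# dt.security.risk.level comes directly from the Defender severity, per the table above.
SEVERITY_TO_LEVEL = {"Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM",
                     "Low": "LOW", "Unknown": "NONE", "None": "NONE"}
# Documented score band per level; used only to flag source data that disagrees with it.
LEVEL_SCORE_BANDS = {"CRITICAL": (9.0, 10.0), "HIGH": (7.0, 8.9), "MEDIUM": (4.0, 6.9),
                     "LOW": (0.1, 3.9), "NONE": (0.0, 0.0)}
# Constructed sample finding in the (assumed) shape produced by the pre-processing step.
SAMPLE_FINDING = {
    "severity": "High", "score": 7.5,
    "image": {"digest": "sha256:" + "ab" * 32, "repository": "payments/api",
              "registry": "exampleregistry.azurecr.io", "tags": ["1.4.2", "latest"]},
}

def normalize_risk(severity: str, score: float) -> Dict[str, Any]:
    """Apply the documented severity -> level mapping; the score is passed through unchanged."""
    level = SEVERITY_TO_LEVEL.get(severity, "NONE")  # unmapped severities fall back to NONE
    lo, hi = LEVEL_SCORE_BANDS[level]
    return {"dt.security.risk.level": level,
            "dt.security.risk.score": float(score),
            # hypothetical helper flag, not a Dynatrace field: does the score match its level band?
            "score_in_documented_band": lo <= float(score) <= hi}

def to_dynatrace_event(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Map one finding onto the event fields and container_image namespace documented above."""
    image = finding["image"]
    event = {
        "event.kind": "SECURITY_EVENT",
        "event.provider": "Microsoft Defender for Cloud",
        "event.type": "VULNERABILITY_FINDING",
        "object.type": "CONTAINER_IMAGE",
        "container_image.digest": image["digest"],
        "container_image.repository": image["repository"],
        "container_image.registry": image["registry"],
        "container_image.tags": image["tags"],
    }
    event.update(normalize_risk(finding["severity"], finding["score"]))
    return event

def build_ingest_request(environment_id: str, token: str,
                         events: List[Dict[str, Any]]) -> urllib.request.Request:
    """POST to the OpenPipeline endpoint named in the deployment's dt_api_url parameter."""
    url = f"https://{environment_id}.live.dynatrace.com/platform/ingest/v1/events.security"
    return urllib.request.Request(url, data=json.dumps(events).encode(), method="POST",
                                  headers={"Authorization": f"Api-Token {token}",
                                           "Content-Type": "application/json"})
```

Calling urllib.request.urlopen on the returned request performs the actual ingest; the functions themselves run offline so the mapping can be unit-tested before it is deployed into the Function app.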