Supported Cortex XSOAR versions: 6.8.0 and later.
XSIAM collector for Microsoft Defender for Cloud alerts.
1. Navigate to Settings > Configurations > Data Collection > Automations & Feed Integrations.
2. Search for Microsoft Defender for Cloud Event Collector.
3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| Microsoft Azure Management URL | | False |
| Client ID | Microsoft Defender for Cloud client ID | True |
| Tenant ID | Microsoft Defender for Cloud Tenant ID | True |
| Client Secret | Microsoft Defender for Cloud Client Secret | True |
| Certificate Thumbprint | Used for certificate authentication. As appears in the "Certificates & secrets" page of the app. | False |
| Private Key | Used for certificate authentication. The private key of the registered certificate. | False |
| Subscription ID to use | | True |
| First fetch time interval | First time to start fetching alerts from. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

4. Click Test to validate the URLs, token, and connection.
You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
This integration does not have a fetch limit parameter due to the limitations of the API functionality.
- The collector fetches all events between the current time and the last time it was fetched during every fetch operation.
- If the command is run for the first time, all events from first_fetch until the current time will be fetched in one execution. Because of the limitation above, such a fetch may take some time. If the collector fetch times out, you may need to increase the collector timeout value in the server configuration.
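The fetch-window behaviour described above, as an added illustration (not the integration's own code): the first run starts at the configured first-fetch time, every later run starts at the time stored by the previous fetch, the end is always "now", and nothing caps how many alerts fall inside the window. The sample alerts and the `last_fetch_time` key are constructed for this example.

```python
from datetime import datetime, timezone

# Constructed sample alerts (not real Defender for Cloud data); timeDetected is
# the vendor detection time the window is applied to.
SAMPLE_ALERTS = [
    {"id": "alert-1", "timeDetected": "2024-01-01T08:00:00Z"},
    {"id": "alert-2", "timeDetected": "2024-01-01T11:30:00Z"},
    {"id": "alert-3", "timeDetected": "2024-01-01T12:15:00Z"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value: str) -> datetime:
    """Parse a UTC timestamp string into an aware datetime."""
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def fetch_window(last_run: dict, first_fetch: str, now: str):
    """Return the (start, end) datetimes for one fetch operation.

    First run: last_run carries no stored time, so the window opens at
    first_fetch.  Later runs: the window opens where the previous fetch closed.
    The window always closes at 'now'; no event-count limit is applied.
    """
    last_time = last_run.get("last_fetch_time")  # hypothetical last-run key
    start = parse_ts(last_time) if last_time else parse_ts(first_fetch)
    return start, parse_ts(now)


def fetch_alerts(alerts, last_run: dict, first_fetch: str, now: str):
    """Return every alert detected inside the window plus the next last_run."""
    start, end = fetch_window(last_run, first_fetch, now)
    events = [a for a in alerts if start <= parse_ts(a["timeDetected"]) < end]
    new_last_run = {"last_fetch_time": end.strftime(TS_FMT)}
    return events, new_last_run


if __name__ == "__main__":
    # First run: only first_fetch bounds the window, so everything since then
    # is returned at once, regardless of volume.
    events, last_run = fetch_alerts(SAMPLE_ALERTS, {}, "2024-01-01T10:00:00Z", "2024-01-01T12:00:00Z")
    print([e["id"] for e in events], last_run)
    # Second run: picks up exactly where the first one stopped.
    events, last_run = fetch_alerts(SAMPLE_ALERTS, last_run, "2024-01-01T10:00:00Z", "2024-01-01T13:00:00Z")
    print([e["id"] for e in events], last_run)
```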
Lists alerts for the subscription according to the specified filters.

Arguments:

- Set this argument to True to create events, otherwise the command will only display them. Possible values are: true, false. Default is false.
- Maximum number of results to return.

Context output fields:

- The display name of the alert.
- The entity on which the incident occurred.
- The time the vendor detected the incident.
- The estimated severity of this alert.
- The alert ID.
Run this command if for some reason you need to rerun the authentication process.
There are no input arguments for this command.
There is no context output for this command.