
Microsoft Defender for Cloud Event Collector

This integration is part of the Microsoft Defender for Cloud Pack.

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

XSIAM collector for Microsoft Defender for Cloud alerts.

Configure Microsoft Defender for Cloud Event Collector on Cortex XSIAM

  1. Navigate to Settings > Configurations > Data Collection > Automations & Feed Integrations.

  2. Search for Microsoft Defender for Cloud Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Microsoft Azure Management URL | | False |
    | Client ID | Microsoft Defender for Cloud client ID | True |
    | Tenant ID | Microsoft Defender for Cloud Tenant ID | True |
    | Client Secret | Microsoft Defender for Cloud Client Secret | True |
    | Certificate Thumbprint | Used for certificate authentication. As appears in the "Certificates & secrets" page of the app. | False |
    | Private Key | Used for certificate authentication. The private key of the registered certificate. | False |
    | Subscription ID to use | | True |
    | First fetch time interval | First time to start fetching alerts from. | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Known limitations

This integration does not have a fetch limit parameter due to the limitations of the API functionality.

  • During every fetch operation, the collector fetches all events between the last fetch time and the current time.
  • If the command is run for the first time, all events from first_fetch until the current time will be fetched in one execution.

Because of these limitations, the fetch may take some time. If the collector fetch times out, you may need to increase the collector timeout value in the server configuration.
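
The fetch window described above, as an added sketch that is not the integration's own code: it simulates three fetch cycles without a limit to show how the first run and any collector downtime determine the size of a single execution. The function names, the `last_fetch` state key, the timestamp layout and the `sample-` alerts are assumptions constructed for this example; only `first_fetch`, `DetectedTimeUtc` and `ID` come from this page.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp layout assumed for this example


def parse_utc(ts):
    """Parse a UTC timestamp in the assumed layout into an aware datetime."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def run_fetch(alerts, last_run, first_fetch, now):
    """One fetch cycle with no limit: return (events, next_last_run).

    The window is (start, now]. start is the stored last fetch time, or
    now - first_fetch when no state exists yet (first execution).
    """
    if last_run.get("last_fetch"):
        start = parse_utc(last_run["last_fetch"])
    else:
        start = now - first_fetch
    events = sorted(
        (a for a in alerts if start < parse_utc(a["DetectedTimeUtc"]) <= now),
        key=lambda a: parse_utc(a["DetectedTimeUtc"]),
    )
    # The next cycle starts where this one ended, so nothing is fetched twice.
    return events, {"last_fetch": now.strftime(FMT)}


def make_alerts(start, count, step):
    """Constructed sample data: `count` alerts spaced `step` apart."""
    return [
        {"ID": f"sample-{i}", "DetectedTimeUtc": (start + i * step).strftime(FMT)}
        for i in range(count)
    ]


def demo():
    """Return the number of events pulled by three consecutive executions."""
    t0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
    alerts = make_alerts(t0, 96, timedelta(hours=1))  # one alert per hour
    first_fetch = timedelta(days=3)
    now = t0 + timedelta(days=3)
    first, state = run_fetch(alerts, {}, first_fetch, now)
    second, state = run_fetch(alerts, state, first_fetch, now + timedelta(hours=1))
    # Collector idle for 12 hours: the next run returns the whole gap at once.
    third, state = run_fetch(alerts, state, first_fetch, now + timedelta(hours=13))
    return len(first), len(second), len(third)


if __name__ == "__main__":
    print(demo())
```

The first execution carries the whole first_fetch backlog and the run after an outage carries the whole gap, so those are the executions to size the collector timeout against.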


Lists alerts for the subscription according to the specified filters.

Base Command



| Argument Name | Description | Required |
| --- | --- | --- |
| should_push_events | Set this argument to True to create events, otherwise the command will only display them. Possible values are: true, false. Default is false. | Required |
| limit | Maximum number of results to return. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| MicrosoftDefenderForCloud.Alert.AlertDisplayName | string | The display name of the alert. |
| MicrosoftDefenderForCloud.Alert.CompromisedEntity | string | The entity on which the incident occurred. |
| MicrosoftDefenderForCloud.Alert.DetectedTimeUtc | date | The time the vendor detected the incident. |
| MicrosoftDefenderForCloud.Alert.ReportedSeverity | string | The estimated severity of this alert. |
| MicrosoftDefenderForCloud.Alert.ID | string | The alert ID. |


Run this command if for some reason you need to rerun the authentication process.

Base Command



There are no input arguments for this command.

Context Output

There is no context output for this command.