Microsoft Defender for Cloud Connector (new revision)

Learn all about integrating Microsoft Defender for Cloud into the Vulcan Platform


Am I reading the right user guide?

Certain connectors have more than one user guide. It depends on the environment's setup and on the connector's available releases (new vs. older revisions).

To access the user guide that is relevant to your environment, simply click on the "How to connect" button located on the connector's setup page. By doing so, you will be directed to the user guide that aligns with your specific environment, ensuring relevancy and accuracy.

Overview

About Microsoft Defender for Cloud

Microsoft Defender for Cloud is a unified cloud-native application protection platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments.

Why integrate Microsoft Defender for Cloud into the Vulcan Platform?

The Microsoft Defender for Cloud Connector by Vulcan integrates with the Microsoft Defender for Cloud platform to pull and ingest Host and Cloud Resources assets with their vulnerability data into your Vulcan Platform. Once the integration is complete, the Vulcan Platform scans the report's findings to correlate, consolidate, and contextualize the ingested data to impact risk and remediation priority.

Connector Details

Supported products

  • Category: Cloud

  • Ingested asset type(s): Hosts, Cloud Resources

  • Integration type: Unidirectional (data is transferred from the Connector to the Vulcan Platform in one direction)

  • Supported version and type: SaaS (latest)


Connector Setup

Prerequisites and user permissions

Before you begin configuring the Connector, make sure you have the following:

Vulcan App Registration in Microsoft Azure

  1. Go to Azure Active Directory and navigate to "App registrations." Next, create a new registration by clicking the "New registration" button.

  2. In your Azure subscription, go to "Access control (IAM)" and click on the "Add" button.

  3. Set the following parameters:

    • Role: Select "Reader" from the drop-down menu.

    • Members: Click on "Select members" and start typing the name of your new app registration. Then, select it from the list.

  4. Click on the "Review + assign" button.

  5. Return to the new app registration and navigate to "Certificates & secrets."

  6. Create a new client secret, and save the secret value for future use.

At this point, you should have the following information:

  • Azure App ID: Obtain it from the new app registration overview.

  • Azure App Secret: This was generated when you created the new client secret.

  • Azure Subscription ID: Retrieve it from the Subscriptions page.

Configuring the Microsoft Defender for Cloud Connector

  1. Log in to your Vulcan Cyber dashboard and go to Connectors.

  2. Click on Add a Connector.

  3. Click on the Microsoft Defender for Cloud icon.

  4. Set up the Connector as follows with the information you generated earlier:

    • For Tenant ID, enter the Azure App ID.

    • For the App ID, enter the Azure Subscription ID.

    • For API Token (Client Secret), enter the Azure App Secret.

  5. Click on Load Subscription IDS to load the subscription you created for this integration.

  6. Click the Test Connectivity button to verify that Vulcan Cyber can connect to your Microsoft Defender for Cloud instance, then click Create (or Save Changes).

  7. Inactive Assets: You can configure a Vulcan rule to consider inactive assets, and Vulcan will remove assets that do not appear in scans within the configured time range.

  8. Allow some time for the sync to complete. Then, you can review the sync status under Log on the Connector's setup page.

  9. To confirm the sync is complete, navigate to the Connectors page. Once the Microsoft Defender for Cloud icon shows Connected, the sync is complete.


Microsoft Defender for Cloud in the Vulcan Platform

Viewing Microsoft Defender for Cloud vulnerabilities in the Vulcan Platform

To view vulnerabilities by Connector/Source:

  1. Go to the Vulnerabilities page.

  2. Use the Search or Filter input box to select the Vulnerability Source or Connector filter.

  3. Select Defender for Cloud from the vulnerability source/Connector list to filter results.

  4. Click on any vulnerability for more vulnerability details.

Viewing Microsoft Defender for Cloud assets in the Vulcan Platform

To view assets by Connector/Source:

  1. Go to the Assets page.

  2. Click on the relevant asset type tab.

  3. Use the Search or filter input box to select Connector from the drop-down selection.

  4. Select Defender for Cloud from the Asset source/Connector list to filter results and view all synced assets.
    See the complete list of available asset filters per asset type

Taking Action on vulnerabilities and assets detected by Defender for Cloud

To take remediation action on vulnerabilities and assets detected by Microsoft Defender for Cloud:

  1. Go to Vulnerabilities / Assets Page.

  2. Click on the Search and Filter input box and select Connector from the drop-down selection.

  3. Locate the Microsoft Defender for Cloud option to view all synced vulnerabilities/assets.

  4. Select the relevant Vulnerability/Asset.

Automating remediation actions on vulnerabilities detected by Defender for Cloud

Large environments quickly become unmanageable if constant manual attention and effort are necessary to remediate vulnerabilities. Instead, you can take advantage of the automation capabilities of Vulcan Cyber and the Microsoft Defender for Cloud Connector.


From Microsoft Defender for Cloud to the Vulcan Platform - Data Mapping

The Vulcan Platform integrates with Microsoft Defender for Cloud through its API to pull relevant vulnerability and asset data and map it into the Vulcan Platform pages and fields.

Host fields mapping

| Microsoft Defender for Cloud field | Vulcan field |
|---|---|
| id | Asset uniqueness criteria |
| name | Asset Name |
| id (shows as azure_id), endpoint, subscription name, subscription id, location, resources, vm_size | Asset Details |
| Host | Asset Type |
| privateIPAddress, ipAddress | Asset IP |
| storageProfile.osDisk.osType | Asset OS |
| storageProfile.imageReference | Asset OS Version |
| timeCreated | Asset Created date |
| macAddress | Asset Multiple mac addresses |
| subscription name, tags | Asset Tags - Vendor’s tags |
| alertDisplayName | Vulnerability uniqueness criteria |
| alertDisplayName | Vulnerability Title |
| description | Vulnerability Description |
| status.severity, publishDates.public, type (corresponds to endpoint) | Vulnerability Details |
| additionalData.cvss.3/2.0.base; otherwise, use Severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
| additionalData.cve | Vulnerability CVE/S |
| additionalData.cvss.3/2.0.cvssVectorString | Vulnerability CVSS attack vector |
| asset id + systemAlertId (for alerts) + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
| startTimeUtc OR timeGenerated OR firstEvaluationDate | Asset-Vulnerability connection First seen |
| endTimeUtc OR timeGenerated | Asset-Vulnerability connection Last seen |
| status (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status |
| endpoint, remediation_steps, severity, additional_data | Asset-Vulnerability connection Info tooltip (from Assets screen) |
| remediationDescription OR remediation OR extendedProperties.investigation Steps | Solution uniqueness criteria |
| Fix for alertDisplayName | Solution Title |
| (remediationDescription OR remediation OR extendedProperties.investigation Steps) AND impact. | Solution Description |

Cloud Resource fields mapping

| Microsoft Defender for Cloud field | Vulcan field |
|---|---|
| id | Asset uniqueness criteria |
| id (the string to the right of the last / symbol) | Asset Name |
| id | Asset ID |
| resourceDetails.source; otherwise, 'Azure' | Asset Cloud (provider) |
| azure_id, endpoint, subscription name, subscription id, additionalData.EnvironmentDisplayName, additionalData.NativeCloudUniqueIdentifier, additionalData.ResourceUrl, additionalData.ResourceProvider, additionalData.Region, additionalData.__Tags__ | Asset Details |
| Cloud Resource | Asset Type |
| subscription name | Asset Tags - Vendor’s tags |
| alertDisplayName | Vulnerability uniqueness criteria |
| alertDisplayName | Vulnerability Title |
| description | Vulnerability Description |
| status.severity, publishDates.public, type (corresponds to endpoint) | Vulnerability Details |
| additionalData.cvss.3/2.0.base; otherwise, use Severity (using the logic described in the Vulnerability Score Mapping section) | Vulnerability CVSS |
| additionalData.cve | Vulnerability CVE/S |
| additionalData.cvss.3/2.0.cvssVectorString | Vulnerability CVSS attack vector |
| asset id + systemAlertId (for alerts) + vulnerability id | Asset-Vulnerability connection uniqueness criteria |
| startTimeUtc OR timeGenerated OR firstEvaluationDate | Asset-Vulnerability connection First seen |
| endTimeUtc OR timeGenerated | Asset-Vulnerability connection Last seen |
| status (using the logic described in the Vulnerability Status Mapping section) | Asset-Vulnerability connection Status changes (including resurface) |
| endpoint, remediation_steps, severity, additional_data | Asset-Vulnerability connection Info tooltip (from Assets screen) |
| remediationDescription OR remediation OR extendedProperties.investigation Steps | Solution uniqueness criteria |
| Fix for alertDisplayName | Solution Fix Title |
| (remediationDescription OR remediation OR extendedProperties.investigation Steps) AND impact. | Solution Description |

Vulnerability status mapping

| Microsoft Defender for Cloud Status | Vulcan Status |
|---|---|
| Active, Unhealthy | Vulnerable |
| Resolved, Healthy | Fixed |
| - | Ignored - false positive |
| Dismissed, NotApplicable | Ignored risk acknowledged |

Vulnerability score mapping

Alerts

| Microsoft Defender for Cloud Score (Alerts) | Vulcan Score |
|---|---|
| High | 10 |
| Medium | 7 |
| Low | 5 |
| - | 3 |
| Informational | 0 |

Assessment / Sub-assessment

| Microsoft Defender for Cloud Score (assessment/sub assessment) | Vulcan Score |
|---|---|
| - | 10 |
| High | 7 |
| Medium | 5 |
| Low | 3 |
| - | 0 |
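The status and score tables above, together with the CVSS fallback and the first-seen/last-seen "OR" chains from the field mapping, can be written as one function for spot-checking individual records during validation. This is an added example, not Vulcan's connector code: the flat record shape, the `severity` key, the function names and the preference for CVSS 3.0 over 2.0 are assumptions, and the sample records are constructed.

```python
# Added example (not Vulcan's code). Statuses and scores come from the tables
# above; the flat record shape and 3.0-before-2.0 CVSS order are assumptions.
STATUS_MAP = {
    "Active": "Vulnerable", "Unhealthy": "Vulnerable",
    "Resolved": "Fixed", "Healthy": "Fixed",
    "Dismissed": "Ignored risk acknowledged",
    "NotApplicable": "Ignored risk acknowledged",
}
SCORE_MAP = {  # alerts and assessments use different scales
    "alert": {"High": 10, "Medium": 7, "Low": 5, "Informational": 0},
    "assessment": {"High": 7, "Medium": 5, "Low": 3},
}

def first_present(record, *fields):
    """Mirror the page's 'A OR B OR C': first non-empty field wins."""
    return next((record[f] for f in fields if record.get(f)), None)

def vulcan_score(record, kind):
    """CVSS base score when present, otherwise the severity mapping."""
    cvss = (record.get("additionalData") or {}).get("cvss") or {}
    for version in ("3.0", "2.0"):  # assumed preference order
        base = (cvss.get(version) or {}).get("base")
        if base is not None:
            return float(base)
    severity = record.get("severity")
    if severity not in SCORE_MAP[kind]:
        raise ValueError(f"unmapped {kind} severity: {severity!r}")
    return float(SCORE_MAP[kind][severity])

def normalize(record, kind):
    """Map one flattened alert or assessment record to Vulcan-style fields."""
    if record.get("status") not in STATUS_MAP:
        raise ValueError(f"unmapped status: {record.get('status')!r}")
    return {
        "title": record["alertDisplayName"],
        "status": STATUS_MAP[record["status"]],
        "score": vulcan_score(record, kind),
        "first_seen": first_present(
            record, "startTimeUtc", "timeGenerated", "firstEvaluationDate"),
        "last_seen": first_present(record, "endTimeUtc", "timeGenerated"),
    }

# Constructed sample records, not real Defender for Cloud output.
ALERT = {"alertDisplayName": "Constructed sample alert", "status": "Active",
         "severity": "Medium", "timeGenerated": "2024-01-02T00:00:00Z"}
FINDING = {"alertDisplayName": "Constructed sample finding",
           "status": "Unhealthy", "severity": "High",
           "additionalData": {"cvss": {"2.0": {"base": 6.8}, "3.0": {"base": 8.1}}},
           "firstEvaluationDate": "2024-01-01T00:00:00Z"}
```

Unmapped statuses and severities raise instead of defaulting, so a record the tables do not cover is surfaced rather than silently scored.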

Status Update Mechanisms

Every day, the Vulcan Platform syncs with the vendor's platform to receive updates on existing vulnerabilities and assets and to retrieve new ones (if any were added).

The table below lists how the status update mechanism works in the Microsoft Defender for Cloud connector for the vulnerabilities and assets in the Vulcan Platform.

| Update type | Mechanism |
|---|---|
| Archiving Assets | • By X days according to last seen - if the Asset hasn’t been seen for X days, the Vulcan Platform archives it. • If the Asset isn't fetched on the last, the Vulcan Platform archives it. |
| Change of vulnerability instances status from "Vulnerable" to "Fixed" | By the statuses: Active, Unhealthy. If the Connector has a relevant vulnerability status that indicates that the Vulnerability is fixed, the vulnerability status changes to "Fixed". |

Note: Asset or vulnerability updates on the vendor side are reflected on the Vulcan Platform only on the next scheduled connector sync (the next day).

API Endpoints in Use

| API | API Version | Use in Vulcan | Permissions required |
|---|---|---|---|
| | - | Authentication for other endpoints | No special permissions |
| | 2020-01-01 | Load subscription options in connector screen | No special permissions |
| | 2021-04 | Run microsoft.compute/virtualmachines endpoint | No special permissions |
| | 2022-03-01 | Assets (Host). Run Microsoft.Network/networkInterfaces endpoint | No special permissions |
| | 2021-05-01 | Asset enrichment (Host). Run Microsoft.Network/publicIPAddresses endpoint | No special permissions |
| | 2021-05-01 | Asset enrichment (Host) | No special permissions |
| | 2021-11-01 | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource), vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |
| | 2021-06-01 | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource) | No special permissions |
| | 2019-01-01-preview | Assets (Cloud Resource), asset-vulnerability connections (Host and Cloud Resource), vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |
| | 2021-06-01 | Vulnerabilities (Host and Cloud Resource), solutions (Host and Cloud Resource) | No special permissions |

Data Validation

The purpose of this Data Validation section is to provide a clear understanding of how data from Microsoft Defender for Cloud appears when ingested into Vulcan. By following the guidelines mentioned here, you will gain insights into matching unique vulnerabilities, assets, and vulnerability instances.

Notes:

  1. To achieve optimal results, make sure you are logged in to the Microsoft Defender for Cloud UI with the same user account that is configured in Vulcan. This eliminates permission or scoping discrepancies during testing.

  2. When comparing numbers, aim for approximate matches rather than expecting a 100% match due to potential time differences during synchronization.

Matching Vulnerabilities

This step aims to compare the vulnerability count in Microsoft Defender for Cloud with that in Vulcan.

Vulcan ingests both Defender for Cloud Recommendations and Security Alerts as vulnerabilities. Here's how to retrieve the counts for each:

Matching "Recommendations" Vulnerabilities

Click on the "Recommendations" tab in the left menu of Defender for Cloud.

The "Active recommendations" count represents the number of unique recommendations, which are mapped to unique vulnerabilities in Vulcan.

To view related assets for a specific recommendation, click on its name.

Matching "Security Alerts" Vulnerabilities

  1. Access the "Security alerts" section from the left menu.

  2. Apply filters for "Active" and "In progress" status, considering all severities.

The count on the left represents the number of active instances, not the unique alerts count.

To obtain the unique count of security alerts, download the CSV report and remove any duplications based on the alert name. Alternatively, you can apply a filter on the portal and observe that there are five unique alerts.
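The CSV deduplication described above can be scripted so that the instance count and the unique-alert count come from the same export. This is an added example, not part of the original guide: the column headers `Alert name` and `Status`, the status spellings and the function names are assumptions about the export, and the sample data is constructed.

```python
import csv
import io
from collections import Counter

def alert_counts(csv_text, name_col="Alert name", status_col="Status",
                 statuses=("Active", "In progress")):
    """Count alert instances per alert name for the given statuses.

    Column names and status spellings are assumptions about the export;
    pass the headers your CSV actually uses.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {name_col, status_col} - set(reader.fieldnames or [])
    if missing:
        raise KeyError(f"CSV is missing column(s): {sorted(missing)}")
    wanted = {s.casefold() for s in statuses}
    counts = Counter()
    for row in reader:
        if (row[status_col] or "").strip().casefold() in wanted:
            # Collapse whitespace so copies of one alert dedupe together.
            counts[" ".join((row[name_col] or "").split())] += 1
    return counts

def summarize(csv_text, **kwargs):
    """Return (instance_count, unique_alert_count)."""
    counts = alert_counts(csv_text, **kwargs)
    return sum(counts.values()), len(counts)

# Constructed sample export (not real Defender for Cloud data).
SAMPLE_CSV = """Alert name,Status,Severity
Constructed alert A,Active,High
Constructed alert A,Active,High
Constructed alert B,In progress,Medium
Constructed alert A ,Active,Low
Constructed alert C,Dismissed,Low
"""
```

The first number corresponds to the instance count shown in the portal for the filtered statuses; the second is the figure to compare with unique vulnerabilities in Vulcan, which uses alertDisplayName as the uniqueness criterion.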

Matching Assets

This step aims to compare the asset count in Microsoft Defender for Cloud with that in Vulcan.

Vulcan Hosts

  1. In the Defender for Cloud interface, click "Inventory" and filter the resource type by virtual machines.

  2. In Vulcan, navigate to the "Hosts" section. The asset count should correspond to the resource count in Defender for Cloud.

Vulcan Cloud Resources

All Defender for Cloud (DFC) inventory items that are not virtual machines are represented as Vulcan's cloud resources.

In the Defender for Cloud resource type filter, select all types and uncheck "virtual machines."

Regions are also ingested as cloud resources and do not appear in the inventory listing in Defender for Cloud. Therefore, Vulcan may display a higher count of assets due to this inclusion.

Matching Vulnerability Instances

This step aims to establish connections between vulnerabilities and assets in Microsoft Defender for Cloud and compare them to Vulcan.

To view vulnerability instances in the Defender for Cloud portal, click on a specific asset and filter by the "Unhealthy" status.

Each Asset in Defender for Cloud contains "Recommendations" and "Alerts," which are ingested into Vulcan as vulnerabilities.

