Integrate security solutions in Microsoft Defender for Cloud

Note

Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've also renamed Azure Defender plans to Microsoft Defender plans. For example, Azure Defender for Storage is now Microsoft Defender for Storage.

Learn more about the recent renaming of Microsoft security services.

This document helps you to manage security solutions already connected to Microsoft Defender for Cloud and add new ones.

Integrated Azure security solutions

Defender for Cloud makes it easy to enable integrated security solutions in Azure. Benefits include:

  • Simplified deployment: Defender for Cloud offers streamlined provisioning of integrated partner solutions. For solutions like antimalware and vulnerability assessment, Defender for Cloud can provision the agent on your virtual machines. For firewall appliances, Defender for Cloud can take care of much of the network configuration required.
  • Integrated detections: Security events from partner solutions are automatically collected, aggregated, and displayed as part of Defender for Cloud alerts and incidents. These events also are fused with detections from other sources to provide advanced threat-detection capabilities.
  • Unified health monitoring and management: Customers can use integrated health events to monitor all partner solutions at a glance. Basic management is available, with easy access to advanced setup by using the partner solution.

Currently, integrated security solutions include vulnerability assessment by Qualys and Rapid7 and Microsoft Azure Web Application Firewall on Azure Application Gateway.

Note

Defender for Cloud does not install the Log Analytics agent on partner virtual appliances because most security vendors prohibit external agents running on their appliances.

To learn more about the integration of vulnerability scanning tools from Qualys, including a built-in scanner available to customers who've enabled Microsoft Defender for servers, see Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines.

Defender for Cloud also offers vulnerability analysis for your:

How security solutions are integrated

Azure security solutions that are deployed from Defender for Cloud are automatically connected. You can also connect other security data sources, including computers running on-premises or in other clouds.

[Image: Partner solutions integration]

Manage integrated Azure security solutions and other data sources

  1. From the Azure portal, open Defender for Cloud.

  2. From Defender for Cloud's menu, select Security solutions.

From the Security solutions page, you can see the health of integrated Azure security solutions and run basic management tasks.

Connected solutions

The Connected solutions section includes security solutions that are currently connected to Defender for Cloud. It also shows the health status of each solution.

[Image: Connected solutions]

The status of a partner solution can be:

  • Healthy (green) - no health issues.
  • Unhealthy (red) - there's a health issue that requires immediate attention.
  • Stopped reporting (orange) - the solution has stopped reporting its health.
  • Not reported (gray) - the solution hasn't reported anything yet and no health data is available. A solution's status may be unreported if it was connected recently and is still deploying.

Note

If health status data is not available, Defender for Cloud shows the date and time of the last event received to indicate whether the solution is reporting or not. If no health data is available and no alerts were received within the last 14 days, Defender for Cloud indicates that the solution is unhealthy or not reporting.
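The fallback rule in this note can be applied to your own inventory of connected solutions to flag ones that have gone silent. The following is an added example, not Defender for Cloud code or an Azure API: the `Solution` record, the sample data, and the grace period for newly connected solutions are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SILENCE_WINDOW = timedelta(days=14)  # the 14-day window stated in the note

@dataclass
class Solution:                      # hypothetical record shape, not an Azure API type
    name: str
    health: Optional[str]            # reported health status, or None if no health data
    last_event: Optional[datetime]   # last event or alert received, or None
    connected_at: datetime           # when the solution was connected (assumed known)

def displayed_status(s: Solution, now: datetime) -> str:
    """Status to act on, applying the note's fallback when health data is missing."""
    if s.health is not None:
        return s.health              # health data available: use it as reported
    if s.last_event is not None and now - s.last_event <= SILENCE_WINDOW:
        return f"Reporting (last event {s.last_event:%Y-%m-%d %H:%M} UTC)"
    if s.last_event is None and now - s.connected_at <= SILENCE_WINDOW:
        return "Not reported"        # assumption: recently connected, still deploying
    return "Unhealthy or not reporting"  # no health data and nothing for 14 days

def needs_attention(solutions, now):
    """Names of solutions whose status calls for follow-up."""
    ok_prefixes = ("Healthy", "Reporting", "Not reported")
    return [s.name for s in solutions
            if not displayed_status(s, now).startswith(ok_prefixes)]

# Constructed sample inventory with a fixed clock so the output is reproducible.
NOW = datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc)

def days_ago(n):
    return NOW - timedelta(days=n)

SAMPLE = [
    Solution("waf-appgw", "Healthy", days_ago(0), days_ago(90)),
    Solution("va-scanner-a", None, days_ago(3), days_ago(60)),
    Solution("va-scanner-b", None, days_ago(20), days_ago(60)),
    Solution("partner-fw", "Stopped reporting", days_ago(2), days_ago(45)),
    Solution("new-appliance", None, None, days_ago(1)),
    Solution("forgotten-appliance", None, None, days_ago(30)),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(f"{s.name:22} {displayed_status(s, NOW)}")
    print("Needs attention:", needs_attention(SAMPLE, NOW))
```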

Select VIEW for additional information and options such as:

  • Solution console - Opens the management experience for this solution.
  • Link VM - Opens the Link Applications page. Here you can connect resources to the partner solution.
  • Delete solution
  • Configure

[Image: Partner solution detail]

Discovered solutions

Defender for Cloud automatically discovers security solutions running in Azure but not connected to Defender for Cloud and displays the solutions in the Discovered solutions section. These solutions include Azure solutions, like Azure AD Identity Protection, and partner solutions.

Note

To use the discovered solutions feature, enable advanced protections at the subscription level. Learn more in Quickstart: Enable enhanced security features.

Select CONNECT under a solution to integrate with Defender for Cloud and be notified of security alerts.

Add data sources

The Add data sources section includes other available data sources that can be connected. For instructions on adding data from any of these sources, click ADD.

[Image: Data sources]

Next steps

In this article, you learned how to integrate partner solutions in Defender for Cloud. To learn how to set up an integration with Microsoft Sentinel, or any other SIEM, see Continuously export Defender for Cloud data.