SumoLogic · amee-sumo · Jun 17, 2025 · Jun 3, 2025 · Jun 3, 2025 · Jun 16, 2025
@@ -0,0 +1,56 @@
+---
+id: microsoft-defender-for-cloud-apps
+title: Microsoft Defender for Clouds Apps
+sidebar_label: Microsoft Defender for Clouds Apps
+description: The Sumo Logic App for Microsoft Defender for Clouds Apps outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-cloud.png')} alt="Thumbnail icon" width="50"/>
+
+Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data across the following feature areas:
+* Fundamental cloud access security broker (CASB) functionality
+* SaaS Security Posture Management (SSPM)
+* Advanced threat protection
+* App-to-app protection
+
+This document outlines the steps required to collect and analyse the [Microsoft Defender for Cloud Apps](https://learn.microsoft.com/en-us/defender-cloud-apps/what-is-defender-for-cloud-apps) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Cloud Apps to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Defender for Cloud Apps.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "microsoftDefenderForCloudApps"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "microsoftDefenderForCloudApps"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -0,0 +1,52 @@
+---
+id: microsoft-defender-for-endpoint
+title: Microsoft Defender for Endpoint
+sidebar_label: Microsoft Defender for Endpoint
+description: The Sumo Logic App for Microsoft Defender for Endpoint outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-identity.png')} alt="Thumbnail icon" width="60"/>
+
+Microsoft Defender for Endpoint is an enterprise-grade endpoint security platform designed to help you prevent, detect, investigate, and respond to advanced cyber threats on devices (endpoints) like laptops, desktops, mobile phones, and servers.
+
+This document outlines the steps required to collect and analyse the [Microsoft Defender for Endpoint](https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Endpoint to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Defender for Endpoint.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "microsoftDefenderForEndpoint"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "microsoftDefenderForEndpoint"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -0,0 +1,56 @@
+---
+id: microsoft-defender-for-identity
+title: Microsoft Defender for Identity
+sidebar_label: Microsoft Defender for Identity
+description: The Sumo Logic App for Microsoft Defender for Identity outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-for-identity.png')} alt="Thumbnail icon" width="60"/>
+
+Microsoft Defender for Identity is a cloud-based security solution that help you secure your identity monitoring across your organization. It helps deliver a modern identity threat detection (ITDR) solution across hybrid environments, including:
+- Prevent breaches, using proactive identity security posture assessments.
+- Detect threats, using real-time analytics and data intelligence.
+- Investigate suspicious activities, using clear, actionable incident information.
+- Respond to attacks, using automatic response to compromised identities.
+
+This document outlines the steps required to collect and analyse the [Microsoft Defender for Identity](https://learn.microsoft.com/en-us/defender-for-identity/what-is) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Identity to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Defender for Identity.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "microsoftDefenderForIdentity"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "microsoftDefenderForIdentity"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -0,0 +1,57 @@
+---
+id: microsoft-defender-for-office-365
+title: Microsoft Defender for Office 365
+sidebar_label: Microsoft Defender for Office 365
+description: The Sumo Logic App for Microsoft Defender for Office 365 outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-defender-office-365.png')} alt="Thumbnail icon" width="40"/>
+
+Microsoft Defender for Office 365 is a cloud-based email security service designed to protect your organization using Microsoft 365 (formerly Office 365) against threats such as:
+- Phishing
+- Malware
+- Ransomware
+- Business Email Compromise (BEC)
+- Zero-day threats
+
+This document outlines the steps required to collect and analyse the [Microsoft Defender for Office 365](https://learn.microsoft.com/en-us/defender-office-365/mdo-about) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Defender for Office 365 to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Defender for Office 365.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "microsoftDefenderForOffice365"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "microsoftDefenderForOffice365"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -0,0 +1,52 @@
+---
+id: microsoft-entra-id-protection
+title: Microsoft Entra ID Protection
+sidebar_label: Microsoft Entra ID Protection
+description: The Sumo Logic App for Microsoft Entra ID Protection outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-entra-id-protection.png')} alt="Thumbnail icon" width="50"/>
+
+Microsoft Entra ID Protection is a cloud-based identity security solution that helps you detect, investigate, and remediate identity-based risks in real time. It is a key component of the Microsoft Entra suite, which focuses on securing access to applications and data across cloud and on-premises environments.
+
+This document outlines the steps required to collect and analyse the [Microsoft Entra ID Protection](https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Entra ID Protection to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Entra ID Protection.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "azureAdIdentityProtection"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "azureAdIdentityProtection"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -0,0 +1,54 @@
+---
+id: microsoft-purview-data-loss-prevention
+title: Microsoft Purview Data Loss Prevention
+sidebar_label: Microsoft Purview Data Loss Prevention
+description: The Sumo Logic App for Microsoft Purview Data Loss Prevention outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
+---
+
+import useBaseUrl from '@docusaurus/useBaseUrl';
+
+<img src={useBaseUrl('img/integrations/microsoft-azure/microsoft-purview-data-loss-prevention.png')} alt="Thumbnail icon" width="100"/>
+
+Microsoft Purview Data Loss Prevention (DLP) is a tool that helps you prevent the accidental or intentional sharing of sensitive information, such as credit card numbers, social security numbers, or confidential business data, across Microsoft 365 environments.
+
+It’s part of the Microsoft Purview suite, which focuses on data governance, compliance, and risk management.
+
+This document outlines the steps required to collect and analyse the [Microsoft Purview Data Loss Prevention](https://www.microsoft.com/en-us/security/business/information-protection/microsoft-purview-data-loss-prevention) alerts in the Sumo Logic platform.
+
+## Set up collection
+
+:::note
+Skip this step if you have already configured the Microsoft Graph Security API Source.
+:::
+
+Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alerts data from the Microsoft Purview Data Loss Prevention to the Sumo Logic platform.
+
+## Search alerts
+
+Use the following query to retrieve alerts generated by the Microsoft Purview Data Loss Prevention.
+
+```sql
+_sourcecategory=Labs/MicrosoftGraphSecurity
+| json field=_raw "serviceSource" as service_source
+| where service_source = "dataLossPrevention"
+```
+
+## Analyse alerts
+
+Use the following query to extract detailed insights from the alert data:
+
+```sql
+_sourceCategory=Labs/MicrosoftGraphSecurity  
+|json"id","status","severity","category","title","description","classification","determination","serviceSource","detectionSource","alertWebUrl" ,"comments[*]","evidence[*]"as  alert_id,status,severity,category,title,description,classification,determination,service_source,detection_source,alert_url,comments,evidence_info nodrop
+| where service_source = "dataLossPrevention"
+| where severity matches "*" and status matches "*" and classification matches "*" 
+| if(isNull(category),"-",category) as category
+| if(isNull(classification),"-",classification) as classification
+| if(isNull(determination),"-",determination) as determination
+| count by _messageTime,status,severity,category,title,description,classification,determination,alert_url,alert_id
+| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
+| tourl (alert_url,alert_id) as alert_id
+| fields time,alert_id,title,description,alert_url,status,severity,category,classification,determination
+| fields -_messageTime    
+| sort by time
+```
@@ -2224,7 +2224,13 @@ integrations: [
          'integrations/microsoft-azure/kubernetes',
          'integrations/microsoft-azure/azure-security-advisor',
          'integrations/microsoft-azure/azure-security-defender-for-cloud',
+         'integrations/microsoft-azure/microsoft-defender-for-cloud-apps',
+         'integrations/microsoft-azure/microsoft-defender-for-endpoint',
+         'integrations/microsoft-azure/microsoft-defender-for-identity',
+         'integrations/microsoft-azure/microsoft-defender-for-office-365',
          'integrations/microsoft-azure/microsoft-dynamics365-customer-insights',
+         'integrations/microsoft-azure/microsoft-entra-id-protection',
+         'integrations/microsoft-azure/microsoft-purview-data-loss-prevention',
          'integrations/microsoft-azure/network-watcher',
          'integrations/microsoft-azure/sql',
          'integrations/microsoft-azure/web-apps',