The Security Command Center curated detections, threat investigation, and Cloud Infrastructure Entitlement Management (CIEM) capabilities for Microsoft Azure require the ingestion of Microsoft Azure logs using the Security Operations console ingestion pipeline. The Microsoft Azure log types required for ingestion differ based on what you are configuring:
- CIEM requires data from the Azure Cloud Services (AZURE_ACTIVITY) log type.
- Curated detections require data from multiple log types. To learn more about the different Microsoft Azure log types, see Supported devices and required log types.
Curated detections
Curated detections in the Enterprise tier of Security Command Center help identify threats in Microsoft Azure environments using both event and context data.
These rule sets require the following data to function as designed. To get maximum rule coverage, ingest Azure data from each of these data sources:
- Azure cloud services
- Microsoft Entra ID, previously Azure Active Directory
- Microsoft Entra ID audit logs, previously Azure AD audit logs
- Microsoft Defender for Cloud
- Microsoft Graph API Activity
For more information, see the following in the Google SecOps documentation: