Microsoft Defender Secure Score Event Monitor
The Microsoft Defender Secure Score Event Monitor integrates with Microsoft Defender to alert you about changes and thresholds in your secure scores.
notitie
Overview
This event monitor connects to Microsoft Azure and allows you to receive alerts about secure scores for data, identity, devices, apps, infrastructure, and more.
info
Use Cases
- Receive timely alerts about lowered secure scores
- Track Defender scores over time for comparison and analysis
Monitoring Options
This event monitor provides the following options:
Alert Conditions
- Alert with [Info/Warning/Error/Critical] if Azure cannot be contacted. Sends an alert if the event monitor cannot connect to Azure.
- Alert if a specified amount of time has passed since the last control score synchronization. Notifies you when it's been too long since the last control score sync.
- Alert if the total secure score is less than a specified percentage. Triggers an alert if the total secure score drops below your defined threshold.
- Alert if the apps/data/device/identity/infrastructure secure score is less than a specified percentage. Sends alerts if any of these category scores fall below specified percentages.
- Alert with [Info/Warning/Error/Critical] if the total/apps/data/device/identity/infrastructure secure score is lower than the previous check. Notifies you if any of these scores decrease compared to the last run.
- Alert if any control score is less than a specified percentage. Alerts if any Defender control score is below your set threshold.
- Alert if any apps/data/device/identity/infrastructure control score is less than a specified percentage. Sends alerts if any control score in these categories is below the specified percentage.
Score Table and Filtering
- Include a table of control scores [before all/after all] event text. Generates a table of all control scores in the event text.
- Control scores to ignore. Specify control scores to exclude from monitoring (one per line).
Authentication and Security
The account used for authentication must have the SecurityEvents.Read.All permission at the application level.
Protocols
Data Points
This event monitor generates the following data points:
- Secure scores for total, apps, data, devices, identity, and infrastructure
- Individual control scores as configured in the monitoring options
- Time since last control score synchronization
- Connection status to Azure
| Data Point | Description |
|---|---|
| Comparative Secure Score (All Tenants) | The comparitive secure score for all tenants. |
| Comparative Secure Score (Total Tenants) | The comparitive secure score based on total seats available in your license. |
| Secure Score | The total secure score detected the last time the event monitor ran. |
| Secure Score "Apps" | The "Apps" secure score detected the last time the event monitor ran. |
| Secure Score "Data" | The "Data" secure score detected the last time the event monitor ran. |
| Secure Score "Device" | The "Device" secure score detected the last time the event monitor ran. |
| Secure Score "Identity" | The "Identity" secure score detected the last time the event monitor ran. |
| Secure Score "Infrastructure" | The "Infrastructure" secure score detected the last time the event monitor ran. |
Sample Output
