Cloud Workload Protection (CWP) Integration

Microsoft Defender for Cloud alerts — mobile triage for cloud security findings.

PocketSOC connects to Microsoft Defender for Cloud through an Azure app registration with appropriate RBAC. Responders can view Defender for Cloud security alerts across Azure subscriptions and update alert status (dismiss, resolve, or reactivate) from iOS or Android. This is useful when a misconfiguration or runtime threat needs immediate triage outside business hours.

Supported actions for Defender for Cloud

Authentication and credentials

PocketSOC authenticates to Microsoft Defender for Cloud through an Azure app registration that holds the appropriate Azure RBAC role at the subscription scope. PocketSOC supports either Delegated permissions (user_impersonation) or Application permissions with the Security Reader or Security Admin role. Subscription scope is bound to the credential: you can grant access to only the subscriptions you want PocketSOC to surface.


Quick setup for Defender for Cloud

  1. In Azure Portal, go to App registrations → New registration
  2. Add user_impersonation (Delegated), or assign the Security Reader or Security Admin RBAC role at the subscription scope
  3. Capture Tenant ID, Client ID, and Subscription ID
  4. Create a client secret if using Application permissions
  5. In PocketSOC, enter Tenant ID, Client ID, Client Secret, and Subscription ID

See the full Quick Start guide for Organization-mode setup with the PocketSOC Portal.

Defender for Cloud integration FAQ

Which Defender for Cloud subscriptions are visible?

Only the subscriptions where the Azure app registration has Security Reader or Security Admin role assignments. You can scope PocketSOC to a single subscription, a management group, or any subset of your Azure estate by managing role assignments in Azure RBAC.
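Because visibility follows the role assignments, it is worth auditing what the app registration actually holds before handing its credentials to a mobile client. The script below is an added example, not PocketSOC's or Microsoft's code: it assumes the assignments were exported with `az role assignment list --all --assignee <client-id> -o json`, and the sample records, subscription IDs and the `pocketsoc-app` name are constructed.

```python
import json

# Roles this page names for the integration; anything else is excess privilege.
ALLOWED_ROLES = {"Security Reader", "Security Admin"}

# Constructed sample shaped like `az role assignment list ... -o json` output.
SAMPLE = json.loads("""[
 {"principalName": "pocketsoc-app", "roleDefinitionName": "Security Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "pocketsoc-app", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
 {"principalName": "pocketsoc-app", "roleDefinitionName": "Security Admin",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
 {"principalName": "pocketsoc-app", "roleDefinitionName": "Security Reader",
  "scope": "/"}
]""")


def normalize(scope):
    """Azure scopes are case-insensitive; keep '/' for the root scope."""
    return scope.rstrip("/").lower() or "/"


def audit_assignments(assignments, approved_scopes):
    """Return findings as (kind, role, scope) tuples.

    unexpected-role  : a role other than Security Reader / Security Admin
    unapproved-scope : an allowed role granted outside the approved scopes
    no-assignment    : an approved scope with no allowed role (alerts hidden)
    """
    approved = {normalize(s) for s in approved_scopes}
    findings, covered = [], set()
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = normalize(a.get("scope", ""))
        if role not in ALLOWED_ROLES:
            findings.append(("unexpected-role", role, scope))
        elif scope not in approved:
            findings.append(("unapproved-scope", role, scope))
        else:
            covered.add(scope)
    for missing in sorted(approved - covered):
        findings.append(("no-assignment", None, missing))
    return findings


if __name__ == "__main__":
    approved = ["/subscriptions/00000000-0000-0000-0000-000000000001"]
    for finding in audit_assignments(SAMPLE, approved):
        print(finding)
```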

Can PocketSOC remediate cloud misconfigurations?

No. PocketSOC surfaces Defender for Cloud alerts and allows status changes (dismiss / resolve / reactivate). Remediation actions on the underlying Azure resources happen in Azure itself; PocketSOC does not modify resource configurations. This is intentional — see our stance on automation.

Does PocketSOC use Microsoft Graph?

For Defender for Cloud, PocketSOC uses the Microsoft Defender for Cloud REST API directly. Microsoft Graph is not required for this integration.

See the full PocketSOC FAQ covering all vendors and security topics.