The Microsoft Defender Streaming API can export selected event types to an Azure Storage account or an Event Hub. From Azure Storage or Event Hubs the data can then be forwarded to other SIEM solutions. The Streaming API exports the selected event types in the Microsoft 365 Defender Advanced Hunting schema.
Configure a storage account
1. In the Azure portal, search for "Storage accounts".
2. Click Create.
3. Select the Subscription, Resource group, Region, Performance (Standard is recommended) and Redundancy (LRS or GRS, depending on your durability requirements), and enter a name for the new storage account.
4. Click Review + create, check the summary and click Create.
5. On the storage account Overview page, select Access keys in the left navigation.
6. Click Show keys and record one of the account keys (the shared key). This key grants full access to the storage account, so treat it as a secret and put it only in the Chronicle feed configuration.
7. Select Endpoints in the left navigation.
8. Record the Blob service endpoint:
(https://<storageaccountname>.blob.core.windows.net/)
Enable Defender for Endpoint integration with Defender for Cloud Apps
- In Microsoft 365 Defender, from the navigation pane, select Settings.
- Select Endpoints.
- Under General, select Advanced features.
- Toggle Microsoft Defender for Cloud Apps to On.
- Select Apply.
Note
It takes up to two hours after you enable the integration for the data to show up in Defender for Cloud Apps.
To configure the severity of alerts sent to Microsoft Defender for Endpoint:
- In Defender for Cloud Apps, select the Settings icon, and then select Microsoft Defender for Endpoint.
- Under Alerts, select the global severity level for alerts.
- Select Save.
To forward Defender for Endpoint events to the storage account:
- In Settings, select Microsoft 365 Defender.
- Go to Streaming API and click Add.
- Enter a name, enable Forward events to Azure Storage, and enter the storage account's Resource ID in the field below it (the ID has the form /subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>; it is shown on the storage account's Properties page).
- Select the required event types.
- Click Submit.
In the Azure portal, open the storage account and go to Containers. There is one container for each event type enabled in the previous step, named insights-logs-advancedhunting-<event type in lower case> (for example insights-logs-advancedhunting-emailattachmentinfo for EmailAttachmentInfo). Record the URI of each container; each container becomes a separate feed in Chronicle.
(For example, https://acme-azure-chronicle.blob.core.windows.net/insights-logs-advancedhunting-emailattachmentinfo)
Configure a feed in Chronicle
Complete the following steps to configure a feed in Chronicle to ingest the Azure logs:
1. Go to Chronicle Settings and click Feeds.
2. Click Add New.
3. Select Microsoft Azure Blob Storage for Source Type.
4. Select Microsoft Defender for Endpoint for Log Type.
5. Click Next.
6. Under Azure URI, enter the Blob service endpoint you recorded earlier followed by the name of the container for this event type, for example https://<storageaccountname>.blob.core.windows.net/insights-logs-advancedhunting-emailattachmentinfo. Add a separate feed for each container (one per enabled event type).
7. Under URI Source Type, select Directories including subdirectories.
8. Under Shared key, enter the shared key you recorded earlier.
9. Click Next and then Finish.
Sample Logs
The following is an example of a record as exported by the Streaming API and ingested by Chronicle. The envelope fields (time, tenantId, operationName, category, Tenant) are added by the export; the Advanced Hunting row itself is under properties.
{
  "time": "2023-07-13T15:04:12.6775480Z",
  "tenantId": "65db5961-9743-6673-ac47-6e57b37af74f",
  "operationName": "Publish",
  "category": "AdvancedHunting-EmailUrlInfo",
  "properties": {
    "ReportId": "4f8ee096-8c20-5d89-9066-08eb83b1c6dc-4750445125652790230",
    "NetworkMessageId": "3f8de094-8d31-4e79-9076-09db89b1d0dc",
    "Timestamp": "2023-07-13T15:00:05Z",
    "Url": "https://graystoneca.us2.list-manage.com/unsubscribe?u=d7abdbeaa2832c7acf688f93e&id=345c6cfd8a&e=a035de3ed8&c=8711ce15dd",
    "UrlDomain": "graystoneca.us2.list-manage.com",
    "UrlLocation": "Body"
  },
  "Tenant": "DefaultTenant"
}
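The following Python script is an added example (not the article's or Chronicle's own code) that ties the Streaming API feed setup and the sample record together: it derives the expected Chronicle feed URI for each enabled event type from the Blob service endpoint, then parses newline-delimited export records shaped like the one above and reports any record whose category does not belong to the container a given feed is reading. The container naming rule insights-logs-advancedhunting-<table in lower case> is generalised from the single container the article shows and is an assumption; the storage account name and the second sample record are constructed for the example.

```python
import json
import re

# Naming rule generalised from the one container shown in the article
# (insights-logs-advancedhunting-emailattachmentinfo for EmailAttachmentInfo):
# each enabled Advanced Hunting table is written to a container named
# insights-logs-advancedhunting-<table name in lower case>. Assumed for all tables.
CONTAINER_PREFIX = "insights-logs-advancedhunting-"
CATEGORY_PREFIX = "AdvancedHunting-"

# Azure storage account names are 3-24 lower-case letters and digits.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


def blob_endpoint(account_name):
    """Blob service endpoint as recorded in step 8 of the storage account setup."""
    if not ACCOUNT_NAME_RE.match(account_name):
        raise ValueError(f"invalid storage account name: {account_name!r}")
    return f"https://{account_name}.blob.core.windows.net/"


def container_for_table(table):
    """Export container for an Advanced Hunting table (event type), e.g. EmailUrlInfo."""
    return CONTAINER_PREFIX + table.lower()


def container_for_category(category):
    """Export container for a record's 'category' field (AdvancedHunting-<Table>)."""
    if not category.startswith(CATEGORY_PREFIX):
        raise ValueError(f"not an Advanced Hunting category: {category!r}")
    return container_for_table(category[len(CATEGORY_PREFIX):])


def plan_feeds(account_name, event_types):
    """One Chronicle feed per enabled event type: Azure URI = blob endpoint + container."""
    endpoint = blob_endpoint(account_name)
    return {t: endpoint + container_for_table(t) for t in event_types}


def parse_export(lines, expected_container=None):
    """Parse newline-delimited export records into flat Advanced Hunting rows.

    The Advanced Hunting row is taken from 'properties'; the envelope fields
    (time, tenantId, category) are copied alongside it with a leading underscore.
    When expected_container is given, records whose category does not belong to
    that container are returned separately as misrouted instead of as events.
    """
    events, misrouted = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        container = container_for_category(rec["category"])
        if expected_container and container != expected_container:
            misrouted.append(rec["category"])
            continue
        row = dict(rec["properties"])
        row["_category"] = rec["category"]
        row["_tenantId"] = rec["tenantId"]
        row["_exportTime"] = rec["time"]
        events.append(row)
    return events, misrouted


# Constructed sample export: the first line is the article's EmailUrlInfo record
# compacted to one line; the second is a made-up EmailAttachmentInfo record for
# the same message, included to show a record landing in the wrong feed.
SAMPLE_EXPORT = [
    '{"time": "2023-07-13T15:04:12.6775480Z", "tenantId": "65db5961-9743-6673-ac47-6e57b37af74f", '
    '"operationName": "Publish", "category": "AdvancedHunting-EmailUrlInfo", '
    '"properties": {"ReportId": "4f8ee096-8c20-5d89-9066-08eb83b1c6dc-4750445125652790230", '
    '"NetworkMessageId": "3f8de094-8d31-4e79-9076-09db89b1d0dc", "Timestamp": "2023-07-13T15:00:05Z", '
    '"Url": "https://graystoneca.us2.list-manage.com/unsubscribe?u=d7abdbeaa2832c7acf688f93e&id=345c6cfd8a&e=a035de3ed8&c=8711ce15dd", '
    '"UrlDomain": "graystoneca.us2.list-manage.com", "UrlLocation": "Body"}, "Tenant": "DefaultTenant"}',
    '{"time": "2023-07-13T15:04:12.7000000Z", "tenantId": "65db5961-9743-6673-ac47-6e57b37af74f", '
    '"operationName": "Publish", "category": "AdvancedHunting-EmailAttachmentInfo", '
    '"properties": {"ReportId": "constructed-report-id-0001", '
    '"NetworkMessageId": "3f8de094-8d31-4e79-9076-09db89b1d0dc", "Timestamp": "2023-07-13T15:00:05Z", '
    '"FileName": "invoice.pdf", "FileType": "pdf"}, "Tenant": "DefaultTenant"}',
]

if __name__ == "__main__":
    # Hypothetical account name; the article's acme-azure-chronicle is only a placeholder.
    for table, uri in plan_feeds("acmeazurechronicle", ["EmailUrlInfo", "EmailAttachmentInfo"]).items():
        print(f"feed for {table}: {uri}")
    events, misrouted = parse_export(SAMPLE_EXPORT, container_for_table("EmailUrlInfo"))
    for e in events:
        print("url in", e["UrlLocation"], "of message", e["NetworkMessageId"], "->", e["UrlDomain"])
    print("misrouted categories:", misrouted)
```

Run it against a PT1H.json blob downloaded from a container to confirm that the feed's log type and container match before pointing Chronicle at it; a misrouted category means the feed URI points at the wrong container or a container has been renamed.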