Hi Team,
Can someone help me with how I can integrate the Microsoft Defender products below with Chronicle SIEM?
- Microsoft Cloud App Security
- Microsoft Defender for Endpoint
- Microsoft Defender for O365
- Microsoft Defender for Cloud
Hi,
You should ingest it using the feed option:
Complete the following steps to configure a feed in Google Security Operations to ingest the Azure logs:
https://cloud.google.com/chronicle/docs/ingestion/cloud/ingest-azure-activity-logs
* Change the log type name and the Azure URI based on the relevant source.
This all depends on what you're looking for. There are a bunch of options.
If you want full events you may need to use Blob Storage or Event Hub (not officially supported).
You could potentially use Bindplane in your Azure environment.
Or, as @citreno said, you can use the Graph API, but that's only going to give you alerts, which may be okay in your use case.
@dnehoda / @citreno I did try the Graph API today, and I am seeing 2 issues:
1) For the alerts I am not seeing all the field values captured. For example, for a ransomware alert in Microsoft Defender for Cloud App Security I am not seeing the IP nor the files that were said to be modified. Only description and user were getting captured in events.
2) Product name is not coming with the latest values. For example, after a little research I found that Defender for Endpoint and Defender ATP are the same, and O365 Security and Compliance is equal to Defender for O365.
3) I was getting the alerts from these devices, and I wanted the incidents to be captured.
Do you know how I can fix them?
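The two field problems raised in this post (nested evidence being dropped and legacy provider names) are the kind of thing a small normalization step in front of the SIEM feed can handle. The following is an added example, not code from the thread or from Google or Microsoft: it assumes alert records shaped like the Microsoft Graph Security API, with a `vendorInformation.provider` string and an `evidence` list whose entries are typed by `@odata.type`; the sample alert and the last two mapping rows are constructed assumptions.

```python
import json

# Provider strings as the legacy Graph /security/alerts API reports them,
# mapped to current product names. The first two equivalences are the ones
# noted in the thread; the remaining two rows are assumptions.
PRODUCT_NAMES = {
    "Microsoft Defender ATP": "Microsoft Defender for Endpoint",
    "Office 365 Security and Compliance": "Microsoft Defender for Office 365",
    "MCAS": "Microsoft Defender for Cloud Apps",
    "Azure Security Center": "Microsoft Defender for Cloud",
}

# Constructed sample alert (not a captured record): a ransomware-style alert
# whose IP and file details live in nested evidence entries that a flat
# field mapping would drop.
SAMPLE_ALERT = json.loads("""{
  "id": "example-alert-0001",
  "title": "Ransomware activity",
  "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
  "evidence": [
    {"@odata.type": "#microsoft.graph.security.userEvidence",
     "userAccount": {"userPrincipalName": "jdoe@example.com"}},
    {"@odata.type": "#microsoft.graph.security.ipEvidence",
     "ipAddress": "198.51.100.23"},
    {"@odata.type": "#microsoft.graph.security.fileEvidence",
     "fileDetails": {"fileName": "Q3-budget.xlsx.locked"}},
    {"@odata.type": "#microsoft.graph.security.fileEvidence",
     "fileDetails": {"fileName": "README_DECRYPT.txt"}}
  ]
}""")


def normalize_alert(alert: dict) -> dict:
    """Flatten one alert into the fields a detection rule would key on."""
    provider = alert.get("vendorInformation", {}).get("provider", "")
    flat = {
        "id": alert.get("id"),
        "title": alert.get("title"),
        # Fall back to the raw string so an unmapped provider is kept, not lost
        "product": PRODUCT_NAMES.get(provider, provider),
        "users": [], "src_ips": [], "files": [],
    }
    for item in alert.get("evidence", []):
        kind = item.get("@odata.type", "").rsplit(".", 1)[-1]
        if kind == "userEvidence":
            flat["users"].append(item["userAccount"]["userPrincipalName"])
        elif kind == "ipEvidence":
            flat["src_ips"].append(item["ipAddress"])
        elif kind == "fileEvidence":
            flat["files"].append(item["fileDetails"]["fileName"])
    return flat
```

Running `normalize_alert(SAMPLE_ALERT)` yields a record with the current product name plus the user, source IP and both file names, which is the shape a custom parser or rule can match on.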
It may only send hostname. I don't recall, but it sounds like the rule you're creating is based around data that's not available, or it is potentially hitting the wrong parser.