Blog Post

Microsoft Defender for Cloud Blog
3 MIN READ

Continuous Export as Trusted Service to Event Hub

BojanMagusic1
Jun 29, 2023

Introduction: 

Have you ever found yourself in a situation where you needed to stream Microsoft Defender for Cloud data to another system? Microsoft Defender for Cloud can stream data such as recommendations and security alerts to a Log Analytics workspace, an event hub, or another SIEM solution. This capability is called continuous export.

 

Now imagine that the system you want to stream Microsoft Defender for Cloud data to is located behind a firewall. How would you go about doing that? This article teaches you how to accomplish this scenario by configuring export as a trusted service. With this option the export is performed by the Defender for Cloud service identity, which you authorize on the event hub with an Azure RBAC role assignment, so the event hub's firewall can stay enabled and you do not have to hand out a connection string with a shared access key.

 

To configure continuous export as a trusted service, perform the following steps in sequence:

  1. Identify the destination event hub. 
  2. Add the relevant role assignments on the destination event hub. 
  3. Configure continuous export as a trusted service to use the destination event hub. 
  4. Verify data is being exported to the destination event hub. 

 

The first step is to identify the event hub that will carry Defender for Cloud data to the system located behind the firewall.

 

Identify the destination event hub  

Event Hubs provides a way to ingest data and integrate with other Azure services, including Defender for Cloud. To stream continuous export data to a system located behind a firewall you can either use an existing event hub or create a new one.

To learn how to create a new event hub, start at https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-quickstart-cli.

After you identify the event hub to be used as the destination for your Defender for Cloud data, you need to grant the continuous export service the necessary permissions on it.

 

Add the relevant role assignment on the destination event hub 

To add the necessary permissions, perform the following actions. Assigning the role on the event hub itself, rather than on the namespace, limits the service identity to sending to that one hub.

  1. Navigate to the Event Hubs dashboard.
  2. Click the destination event hub.
  3. Select Access Control (IAM) > Add role assignment > Azure Event Hubs Data Sender.
  4. Click + Select members and choose Windows Azure Security Resource Provider, the service principal that continuous export sends as (see figure 1).
  5. Click Select, then Review + assign.

Figure 1. Adding the relevant role assignment on the destination event hub

 

After you add the role assignment on the event hub, you can proceed to the next step of configuring continuous export.

 

Configure continuous export as a trusted service to use the destination event hub 

To configure continuous export, you need write permissions on the event hub policy. Imagine you want to stream recommendations and security alerts in near real time to a system located behind a firewall. To achieve this scenario, perform the following actions:

  1. Navigate to the Defender for Cloud dashboard.
  2. Select Environment settings.
  3. Click the desired subscription.
  4. On the left, select Continuous export.
  5. Select Event hub.
  6. Select Security recommendations and Security alerts.
  7. Under Export frequency, select Streaming updates.
  8. Ensure Export as a trusted service is selected (see figure 2).
  9. Choose the destination event hub.

Figure 2. Ensure that Export as a trusted service is selected

 

If you need further guidance on configuring continuous export as a trusted service, start with the continuous export documentation on Microsoft Learn.

 

After you perform these actions, you can optionally verify that data is arriving at the destination event hub, for example by checking the event hub's incoming message metrics or by consuming from it.
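The Azure CLI equivalent of steps 2 and 4, as an added example that is not part of the original post. It assumes `az` is installed and signed in with rights to create role assignments, and that the environment variable `EVENTHUB_ID` (a name chosen here) holds the full resource ID of the destination event hub entity. The service principal is resolved by the display name shown in figure 1 rather than by a hard-coded object ID, the role is granted at the hub rather than the namespace, and the verification reads the namespace-level IncomingMessages metric filtered to that hub.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: Azure CLI equivalent of steps 2 and 4.
# Assumptions (not stated on the page): `az` is installed and logged in with rights to
# create role assignments on the event hub, and EVENTHUB_ID holds the full resource ID of
# the destination event hub entity (.../namespaces/<ns>/eventhubs/<hub>), not the namespace.
set -eu

SENDER_ROLE="Azure Event Hubs Data Sender"
TRUSTED_SP_NAME="Windows Azure Security Resource Provider"  # identity continuous export sends as

# True only for an event hub entity ID; a namespace ID or anything else is rejected so the
# role is never granted at a broader scope than the one hub Defender for Cloud writes to.
is_eventhub_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.EventHub/namespaces/[^/]+/[eE]vent[hH]ubs/[^/]+$'
}

# Event Hubs metrics are emitted at namespace scope and filtered by the EntityName dimension.
namespace_id_of() { printf '%s\n' "$1" | sed -E 's#/[eE]vent[hH]ubs/[^/]+$##'; }
eventhub_name_of() { printf '%s\n' "$1" | sed -E 's#^.*/[eE]vent[hH]ubs/##'; }

# Step 2: resolve the trusted-service principal by display name (its object ID differs per
# tenant) and grant it Data Sender on the hub itself. Prints the object ID for later checks.
grant_sender_role() {  # $1 = hub ID
  sp_oid=$(az ad sp list --display-name "$TRUSTED_SP_NAME" --query '[0].id' -o tsv)
  [ -n "$sp_oid" ] || { echo "'$TRUSTED_SP_NAME' not found in this tenant" >&2; return 1; }
  az role assignment create --assignee-object-id "$sp_oid" --assignee-principal-type ServicePrincipal \
    --role "$SENDER_ROLE" --scope "$1" -o none
  printf '%s\n' "$sp_oid"
}

# Confirm the assignment exists at this scope before moving on to the export configuration.
check_sender_role() {  # $1 = hub ID, $2 = principal object ID
  n=$(az role assignment list --scope "$1" --assignee "$2" --role "$SENDER_ROLE" --query 'length(@)' -o tsv)
  [ "$n" -ge 1 ]
}

# Step 4: IncomingMessages for the hub over the last hour; stays 0 until export is streaming.
incoming_messages() {  # $1 = hub ID
  az monitor metrics list --resource "$(namespace_id_of "$1")" --metric IncomingMessages \
    --filter "EntityName eq '$(eventhub_name_of "$1")'" --offset 1h --interval PT1H \
    --aggregation Total --query 'value[0].timeseries[0].data[].total' -o tsv
}

# Only talks to Azure when EVENTHUB_ID is set, so the helpers above can be sourced and checked offline.
if [ -n "${EVENTHUB_ID:-}" ]; then
  is_eventhub_id "$EVENTHUB_ID" || { echo "EVENTHUB_ID must be an event hub entity resource ID" >&2; exit 1; }
  oid=$(grant_sender_role "$EVENTHUB_ID")
  check_sender_role "$EVENTHUB_ID" "$oid" && echo "Data Sender assignment in place for $oid"
  echo "IncomingMessages (last hour):"; incoming_messages "$EVENTHUB_ID"
fi
```

Run it as `EVENTHUB_ID=/subscriptions/.../eventhubs/<hub> bash export-setup.sh`. If the metric stays at zero after the export is saved, check the role assignment first, then the event hub firewall setting that allows trusted Microsoft services.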

 

Conclusion: 

Configuring continuous export as a trusted service to an event hub allows you to stream Defender for Cloud data to a system located behind a firewall. For the purposes of this article, I focus on teaching you how to configure continuous export with the portal. However, for large organizations it is recommended to use Azure Policy to configure this scenario at scale. To configure continuous export as a trusted service to an event hub you can use the following built-in Azure Policy definition: Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data. The respective policy definition ID is af9f6c70-eb74-4189-8d15-e4f11a7ebfd4.
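Assigning that policy definition with Azure CLI, as an added example that is not part of the original post. It assumes `az` is signed in with Owner or User Access Administrator at the target scope, and uses environment variables chosen here (`SUBSCRIPTION_ID`, `PARAMS_FILE`, `IDENTITY_LOCATION`, `IDENTITY_ROLE`). The policy's parameter names and the roles its managed identity needs are read from the definition rather than assumed, and a remediation task is created because a DeployIfNotExists policy otherwise only acts on resources created or updated after the assignment.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: assign the built-in policy named in the
# conclusion at subscription scope and remediate existing subscriptions.
# Assumptions: `az` is logged in with Owner or User Access Administrator at the target scope;
# PARAMS_FILE is a parameters file you wrote from the definition's own parameter list
# (printed by this script on the first run); IDENTITY_ROLE is one of the roles the
# definition declares in roleDefinitionIds.
set -eu

POLICY_ID="af9f6c70-eb74-4189-8d15-e4f11a7ebfd4"  # Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data
ASSIGNMENT_NAME="dfc-export-eventhub-trusted"

# Subscription scope string; rejects anything that is not a GUID so a typo cannot silently
# target the wrong scope.
subscription_scope() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' \
    || { echo "not a subscription GUID: $1" >&2; return 1; }
  printf '/subscriptions/%s\n' "$1"
}

# Parameter names, types and allowed values come from the definition itself.
show_policy_parameters() {
  az policy definition show --name "$POLICY_ID" --query parameters -o jsonc
}

# Roles the deployment's managed identity must hold, as declared by the definition.
required_role_ids() {
  az policy definition show --name "$POLICY_ID" --query 'policyRule.then.details.roleDefinitionIds' -o tsv
}

# $1 = scope, $2 = params file, $3 = region for the system-assigned identity, $4 = role for it
assign_policy() {
  az policy assignment create --name "$ASSIGNMENT_NAME" --scope "$1" --policy "$POLICY_ID" \
    --params "$2" --mi-system-assigned --location "$3" --identity-scope "$1" --role "$4" -o none
}

# Existing non-compliant subscriptions are only fixed by a remediation task.
remediate() {
  az policy remediation create --name "${ASSIGNMENT_NAME}-remediation" \
    --policy-assignment "$ASSIGNMENT_NAME" -o none
}

# Compliance state per evaluated resource, to confirm the automation was deployed.
compliance() {
  az policy state list --policy-assignment "$ASSIGNMENT_NAME" \
    --query '[].{resource:resourceId,state:complianceState}' -o table
}

# Only talks to Azure when SUBSCRIPTION_ID is set, so the helper above can be checked offline.
if [ -n "${SUBSCRIPTION_ID:-}" ]; then
  scope=$(subscription_scope "$SUBSCRIPTION_ID")
  if [ -z "${PARAMS_FILE:-}" ]; then
    echo "Write a parameters file for these parameters, then rerun with PARAMS_FILE set:"
    show_policy_parameters
    echo "Roles the assignment identity needs (set IDENTITY_ROLE to one of them):"
    required_role_ids
  else
    assign_policy "$scope" "$PARAMS_FILE" "${IDENTITY_LOCATION:?region for the managed identity}" \
      "${IDENTITY_ROLE:?pick from required_role_ids}"
    remediate
    compliance
  fi
fi
```

First run with only `SUBSCRIPTION_ID` set to print the parameter list and required roles, then run again with `PARAMS_FILE`, `IDENTITY_LOCATION` and `IDENTITY_ROLE` set to assign and remediate. Assigning at management-group scope works the same way with a `/providers/Microsoft.Management/managementGroups/<name>` scope in place of the subscription scope.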

 

Reviewers:  

Arik Noyman, Principal Group Software Engineering Manager,  

Or Serok Jeppa, Senior PM Lead, 

Sulaiman Abu Rashed, Software Engineer II

 

Published Jun 29, 2023
Version 1.0