Introduction:
Have you ever found yourself in a situation where you needed to stream Microsoft Defender for Cloud data to another system? Microsoft Defender for Cloud provides the option of streaming data like recommendations and security alerts, to a Log Analytics workspace, event hub, or another SIEM solution. This capability is called continuous export.
Imagine if the system you want to stream Microsoft Defender for Cloud data is located behind the firewall. How would you go about doing that? This article teaches you how to accomplish this scenario by configuring export as a trusted service.
To configure Continuous export as a trusted service, you need to perform the following steps in sequence:
- Identify the destination event hub.
- Add the relevant role assignments on the destination event hub.
- Configure continuous export as a trusted service to use the destination event hub.
- Verify data is being exported to the destination event hub.
The first step is identifying the event hub used to stream data from Defender for Cloud, to the system located behind the firewall.
Identify the destination event hub
Event hub provides you with a way to ingest data and integrate with other Azure services, like Defender for Cloud. For the purposes of configuring continuous export to stream data located behind a firewall you can either use an existing event hub or create a new one.
To learn how to create a new event hub you can start at https://learn.microsoft.com/en-us/azure/event-hubs/event-hubs-quickstart-cli.
After you identify the event hub to be used as the destination for your Defender for Cloud data, you need to grant the continuous export service access the necessary permissions.
Add the relevant role assignment on the destination event hub
To add the necessary permissions, perform the following actions:
- Navigate to the Event Hubs dashboard.
- Click the destination Event Hub.
- Select Access Control > Add role assignment > Azure Event Hubs Data Sender.
- Click + Select members > Windows Azure Security Resource Provider (like in figure 1).
- Select > Review + assign.
After you add the relevant permissions to the event hub, you can proceed to the next step of configuring continuous export.
Configure continuous export as a trusted service to use the destination event hub
To configure continuous export, you need to have write permissions on the event hub policy. Imagine you wanted to stream data related to recommendations and security alerts in near real-time, to a system located behind a firewall. To achieve this scenario, perform the following actions:
- Navigate to the Cloud for Cloud dashboard.
- Select Environment settings.
- Click the desired subscription.
- On the left, select Continuous export.
- Select Event hub.
- Select Security recommendations and Security alerts.
- Under Export frequency select streaming updates.
- Ensure Export as a trusted service is selected (like in figure 2).
- Choose the destination event hub.
If you need further guidance on how to configure continuous export as a trusted service you can start here.
After you perform these actions, you can optionally verifying that data is being sent to the destination event hub.
Conclusion:
Configuring continuous export as a trusted service to event hub, allows you to stream Defender for Cloud data to a system located behind a firewall. For the purposes on this article, I focus on teaching you how to configure continuous export with the portal. However, for large organizations it’s recommended to use something like Azure policy to configure this scenario at scale. To configure continuous export as a trusted service to event hub you can use the following Azure policy: Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data. The respective policy definition ID is af9f6c70-eb74-4189-8d15-e4f11a7ebfd4.
Reviewers:
Arik Noyman, Principal Group Software Engineering Manager,
Or Serok Jeppa, Senior PM Lead,
Sulaiman Abu Rashed, Software Engineer II