Blog Post

Microsoft Defender External Attack Surface Management Blog
7 MIN READ

Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview

pcowger's avatar
pcowger
Icon for Microsoft rankMicrosoft
Mar 24, 2023

The Microsoft Defender EASM (Defender EASM) team is excited to share that new Data Connectors for Azure Log Analytics and Azure Data Explorer are now available in public preview. 

 

Defender EASM continuously discovers an incredible amount of up-to-the-minute Attack Surface Data, so connecting and automating this data flow to all our customers’ mission-critical systems that keep their organizations secure is essential. The new Data Connectors for Log Analytics and Azure Data Explorer can easily augment existing workflows by automating recurring exports of all asset inventory data and the set of potential security issues flagged as insights to specified destinations to keep other tools continually updated with the latest findings from Defender EASM. 

 

Common Use-Cases and Scenarios

 

  • Push asset data or insights to Log Analytics to create alerts based on custom asset or insight data queries. For example, a query that returns new High Severity vulnerability records detected on Approved inventory can be used to trigger an email alert giving details and remediation steps to the appropriate stakeholders. The ingested logs and Alerts generated by Log Analytics can also be visualized within tools like Workbooks or Microsoft Sentinel. 

 

  • Push asset data or insights to Azure Data Explorer/Kusto to generate custom reports or dashboards via Workbooks or Power BI. For example, a custom-developed dashboard that shows all of a customer’s approved Hosts with recent/current expired SSL Certificates that can be used for directing and assigning the appropriate stakeholders in your organization for remediation.

 

  • Include asset data or insights in a data lake or other automated workflows. For example, generating trends on new asset creation and attack surface composition or discovering unknown cloud assets that return 200 response codes.

 

Getting Started 

 

We invite all customers to participate and experience the value for themselves. Before beginning, ensure you have a few things enabled/configured/etc. 

 

Preview Prerequisites:

 

Aspect 

Details 

Required/Preferred  

Environmental Requirements  

Defender EASM resource must be created and contain an Attack Surface footprint. 
Must have Log Analytics and/or Azure Data Explorer/ Kusto 

Required Roles & Permissions  

Must have a tenant with Defender EASM created (or be willing to create one). 

Contributor (Log Analytics) 
User and Ingestor (Azure Data Explorer) 

 

The Defender EASM Data Connectors allow users to integrate two different kinds of attack surface data into the tool of their choice. Users can migrate asset data, attack surface insights, or both data types. Asset data provides complete details about all the assets in your inventory, whereas attack surface insights provide immediately actionable insights on potential security issues based on Defender EASM dashboards. 
 
To accurately present the infrastructure that matters most to your organization, please note that both content options will only include assets in the “Approved Inventory” state. 

 

Asset data: The Asset Data option will send data about all your assets to the tool of your choice. This option is best for use cases where the granular underlying metadata is vital to operationalizing your Defender EASM integration (e.g., customized reporting in Data Explorer might require this). This option does not provide any pre-determined insights about the assets; instead, it offers a full export of raw data so users can surface the customized insights they care about most. 

 

Attack surface insights: Attack Surface Insights provide an actionable set of results based on key insights delivered through the dashboards in Defender EASM. This option offers less granular metadata on each asset. Instead, it categorizes assets based on the corresponding insight(s) and provides the high-level context required to investigate further. This option is ideal for those who want to integrate these pre-determined insights into custom reporting workflows in conjunction with data from other tools. 

 

Accessing data connections


Users can access Data Connections from the Manage section of the left-hand navigation pane within their Defender EASM resource blade. This page displays the data connectors for both Log Analytics and Azure Data Explorer, listing any current connections and providing the option to add, edit or remove connections.  

 
Connection prerequisites: To successfully create a data connection, users must first ensure that they have completed the required steps to grant Defender EASM permission for the tool of their choice. This process enables the application to ingest our exported data and provides the authentication credentials needed to configure the connection. 

 

Configuring Log Analytics permissions

 

  1. Open the Log Analytics workspace that will ingest your Defender EASM data or create a new one
  2. Select Access control (IAM) from the left-hand navigation pane. For more information on access control, see identity documentation. 

  3. On this page, select +Add to create a new role assignment.  
  4. From the Role tab, select Contributor. Click Next 
  5. Open the Members tab. Click + Select members to open a configuration pane. Search for “EASM API” and click on the value in the members list. Once done, click Select, then Review + assign 
  6. Once the role assignment has been created, select Agents from the Settings section of the left-hand navigation menu.

  7. Expand the Log Analytics agent instructions section to view your Workspace ID and Primary key. These values will be used to set up your data connection. Save the values in the following format:  
     
    WorkspaceId=XXX;ApiKey=YYY 
     

Configuring Data Explorer permissions 

 

  1. Open the Data Explorer cluster that will ingest your Defender EASM data or create a new cluster 
  2. Select Databases in the Data section of the left-hand navigation menu. 
  3. Select + Add Database to create a database to house your Defender EASM data.  

  4. Name your database, configure retention and cache periods, then select Create. 

  5. Once your Defender EASM database has been created, click on the database name to open the details page. Select Permissions from the Overview section of the left-hand navigation menu.

To successfully export Defender EASM data to Data Explorer, users must create two new permissions for the EASM API: user and ingestor

 

  1. First, select + Add and create a user. Search for “EASM API,” select the value, then click Select.  
  2. Select + Add to create an ingestor. Follow the same steps outlined above to add the EASM API as an ingestor.  
  3. Your database is now ready to connect to Defender EASM. When configuring your Data Connection, you will need the cluster name, database name, and region in the following format. Please note this is case specific. 
     ClusterName=XXX;Region=YYY;DatabaseName=ZZZ 

 

Add a data connection:

 

Users can connect their Defender EASM data to either Log Analytics or Azure Data Explorer. To do so, select “Add connection” from the Data Connections page for the appropriate tool.  

 

A configuration pane will open on the right-hand side of the Data Connections screen. The following four fields are required:

  

  • Name: enter a name for this data connection.  
  • Connection String: enter the details required to connect your Defender EASM resource to another tool. For Log Analytics, users enter the workspaceID and the coinciding API key associated with their account. For Azure Data Explorer, users enter the cluster name, region, and database name associated with their account. Both values must be entered in the format shown when the field is blank.  
  • Content: users can select to integrate asset data, attack surface insights, or both datasets. Frequency: select the frequency that the Defender EASM connection sends updated data to the tool of your choice. Available options are daily, weekly, and monthly. 

Once all four fields are configured, select Add to create the data connection. At this point, the Data Connections page will display a banner that indicates the resource has been successfully created, and data will begin populating within 30 minutes. Once connections are created, they will be listed on the main Data Connections page under the applicable tool. 

 

Edit or delete a data connection:

 

Select the appropriate connection from the list on the main Data Connections page to edit or delete a data connection. This action will open a page that provides additional data about the connection. It displays the configurations you elected when creating the connection, as well as the following:  

  • Recurring on: the day of the week or month that Defender EASM sends updated data to the connected tool.  
  • Created: the date and time that the data connection was created. 
  • Updated: the date and time that the data connection was last updated. 

 

Users can elect to edit or delete their data connection from this page. If the data connection gets disconnected, users can reconnect to either Log Analytics or Data Explorer from this page, validating the configurations used to set up the integration. 

 

 

Opening the query editor of the Azure Data Explorer cluster database you created to ingest your Defender EASM data shows all the available ingested assets and attack surface insight data tables. These tables are updated at the frequency specified within the Data Connection configuration record. 

 

 

To view the ingested Defender EASM asset and attack surface insight data, you can use the query editor available by selecting the ”Logs” option from the left menu of the Azure Log Analytics Workspace you created earlier. These tables are also updated at the Data Connection configuration record frequency. 

 

Extending Defender EASM Asset and Insights data, via these two new data connectors, into Azure ecosystem tools like Log Analytics and Data Explorer enables customers to orchestrate the creation of contextualized data views that can be operationalized into existing workflows and provides the facility and toolsets for analysts to investigate and develop new methods of applicative Attack Surface Management. Head over to your Azure portal now to get started, and keep an eye here on our Tech Community Blog Page for more announcements on releases for Defender EASM.

 

For more information on all things EASM or to get started, head over to Overview | Microsoft Learn  

Updated Mar 24, 2023
Version 2.0
  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    What about Sentinel? should this be connected? and if so, what is the recommended method?

  • Hi Dean_Gross  Yes,  External Attack Surface Management (EASM ) data connector to Sentinel can be connected   Reference : Defender EASM Data Connections | Microsoft Learn   

     

    If you get stuck at issue of data connector getting disconnected at connector page then you can additionally use below step

     

    Solution :

    For parameter input form for the connection to Log Analytics   ---  add a string component to each of the values as well i.e.    WorkspaceId=XXXXXXXXXX       and   ApiKey=XXXXXXXXX   

    Provide the parameter key and parameter value as part of the input