Microsoft Defender 365 Integration Guide

This guide describes how to onboard Microsoft 365 Defender to QRadar by streaming Defender events through an Azure Event Hub.

Steps to Follow

  1. Create an Event Hub (under an Event Hubs Namespace) and a Storage Account.
  2. Configure the Microsoft 365 Defender Streaming API to send Defender logs to the Event Hub created in step 1.

Configuring Microsoft Azure Event Hubs to Communicate With QRadar:

To configure the QRadar log source, you need three pieces of information:

  • Event Hub Connection String
  • Consumer Group (a dedicated one for QRadar; do not use $Default)
  • Storage Account Connection String

Before you Begin

To retrieve events in QRadar, you need to create a Microsoft Azure Storage Account and an Event Hub entity under an Azure Event Hubs Namespace. QRadar connects outbound to both: for every Namespace, port 5671 (AMQP over TLS) must be open, and for every Storage Account, port 443 (HTTPS) must be open.

1.    Obtain a Microsoft Azure Storage Account Connection String

  1. Log in to the Azure Portal (https://portal.azure.com).
  2. From the dashboard, open the All Resources section. From the All Types list, disable Select All. In the filter items search box, type Storage Accounts, and then select Storage Accounts from the list.
  3. Select the Storage Account that you want to use.
  4. From the Storage account menu, select Access keys.
  5. Record the value for the Storage account name. Use this value for the Storage Account Name parameter value when you configure a log source in IBM QRadar.
  6. From the Key 1 or Key 2 section, record the following values. Either key works; treat it as a secret, because an account key grants full access to the storage account.
  • Key - Use this value for the Storage Account Key parameter value when you configure a log source in QRadar.
  • Connection string - Use this value for the Storage Account Connection String parameter value when you configure a log source in QRadar.

Example

DefaultEndpointsProtocol=https;AccountName=[Storage Account Name];AccountKey=[Storage Account Key];EndpointSuffix=core.windows.net

2.    Obtain a Microsoft Azure Event Hub Connection String

The Event Hub Connection String contains the Namespace Name, the path to the Event Hub within the namespace and the Shared Access Signature (SAS) authentication information.

  1. Log in to the Azure Portal (https://portal.azure.com).
  2. From the dashboard, open the All Resources section. From the All Types list, disable Select All. In the Filter Items search box, type event hub, and then select Event Hubs Namespace from the list.
  3. Select the Event Hubs Namespace that you want to use. Record its name to use as the Namespace Name parameter value when you configure a log source in QRadar.
  4. In the Entities section, select Event Hubs, and then select the event hub that you want to use from the list. Record its name to use for the Event Hub Name parameter value when you configure a log source in QRadar.
  5. In the Settings section, select Shared access policies.

Important: Shared access policies exist at both the namespace level and the event hub level. In the Entities section, ensure that Consumer Groups is listed; that means you are looking at the event hub. If Event Hubs is listed instead, you are still at the namespace level: return to step 4. A namespace-level connection string does not contain the EntityPath value that QRadar needs.

    1. Select a POLICY whose CLAIMS include Listen. A policy created for QRadar should carry only the Listen claim; do not reuse RootManageSharedAccessKey, which also grants Manage and Send. Record the policy name to use for the SAS Key Name parameter value when you configure a log source in QRadar.
    2. Record the values for the following parameters:
  • Primary Key or Secondary Key

Use this value for the SAS Key parameter value when you configure a log source in QRadar. The Primary key and Secondary key are functionally the same.

  • Connection String-Primary Key or Connection String-Secondary Key

Use this value for the Event Hub Connection String parameter value when you configure a log source in QRadar. The Connection string-primary key and Connection string-secondary key are functionally the same.

Example:

Endpoint=sb://[Namespace Name].servicebus.windows.net/;SharedAccessKeyName=[SAS Key Name];SharedAccessKey=[SAS Key];EntityPath=[Event Hub Name]


In the Entities section of the event hub, select Consumer Groups. Create a dedicated consumer group for QRadar if one does not exist yet, and record its name to use for the Consumer Group parameter value when you configure a log source in QRadar. Do not use $Default, so that QRadar's read position is not shared with any other reader of the same event hub.
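The two connection strings collected in sections 1 and 2 contain every value that the QRadar log source asks for. The following script is an added example (not part of this guide or of QRadar) that parses both strings, derives the QRadar parameter names used above, and flags the mistakes this procedure warns about: a namespace-level policy (no EntityPath), the RootManageSharedAccessKey policy, the $Default consumer group, and a storage connection string that is not https. The sample strings are constructed and contain no real keys; the namespace pattern assumes the public Azure endpoint suffix shown in the guide's example.

```python
"""Derive QRadar log-source parameters from the Azure connection strings
collected in this guide and sanity-check them before they are pasted in.
Added example; the sample values below are constructed, not real secrets."""
import re

# Constructed sample inputs in the formats shown in this guide (not real credentials).
EVENT_HUB_CONN = (
    "Endpoint=sb://contoso-mde-ns.servicebus.windows.net/;"
    "SharedAccessKeyName=qradar-listen;"
    "SharedAccessKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdef+/=;"
    "EntityPath=mde-alerts"
)
STORAGE_CONN = (
    "DefaultEndpointsProtocol=https;AccountName=contosomdeqradar;"
    "AccountKey=ZmFrZS1zdG9yYWdlLWtleS1mb3ItdGhpcy1leGFtcGxlLW9ubHk=;"
    "EndpointSuffix=core.windows.net"
)
CONSUMER_GROUP = "qradar"

# Assumes the public-cloud Event Hubs endpoint suffix used in this guide's example.
NAMESPACE_RE = re.compile(r"sb://([a-z0-9][a-z0-9-]*)\.servicebus\.windows\.net/?$", re.I)


def parse_connection_string(value: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict.
    Keys are base64 and may end in '=', so each segment is split on its first '=' only."""
    fields = {}
    for segment in value.strip().split(";"):
        if not segment:
            continue  # tolerate a trailing ';'
        key, sep, val = segment.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed segment: {segment!r}")
        fields[key.strip()] = val.strip()
    return fields


def event_hub_params(conn: str, consumer_group: str) -> dict:
    """Map an Event Hub connection string to the QRadar parameter names in this guide."""
    f = parse_connection_string(conn)
    missing = {"Endpoint", "SharedAccessKeyName", "SharedAccessKey", "EntityPath"} - set(f)
    if missing:
        # A namespace-level policy produces a string without EntityPath.
        raise ValueError(f"event hub connection string lacks {sorted(missing)}")
    m = NAMESPACE_RE.match(f["Endpoint"])
    if not m:
        raise ValueError(f"unexpected Endpoint: {f['Endpoint']!r}")
    return {
        "Namespace Name": m.group(1),
        "Event Hub Name": f["EntityPath"],
        "SAS Key Name": f["SharedAccessKeyName"],
        "SAS Key": f["SharedAccessKey"],
        "Consumer Group": consumer_group,
        "Event Hub Connection String": conn,
    }


def storage_params(conn: str) -> dict:
    """Map a Storage Account connection string to the QRadar parameter names in this guide."""
    f = parse_connection_string(conn)
    missing = {"DefaultEndpointsProtocol", "AccountName", "AccountKey"} - set(f)
    if missing:
        raise ValueError(f"storage connection string lacks {sorted(missing)}")
    return {
        "Storage Account Name": f["AccountName"],
        "Storage Account Key": f["AccountKey"],
        "Storage Account Connection String": conn,
    }


def check_qradar_inputs(eh_conn: str, consumer_group: str, storage_conn: str) -> list:
    """Return a list of problems; an empty list means the inputs are ready for QRadar."""
    problems, eh, st = [], None, None
    try:
        eh = event_hub_params(eh_conn, consumer_group)
    except ValueError as exc:
        problems.append(f"event hub: {exc}")
    try:
        st = storage_params(storage_conn)
    except ValueError as exc:
        problems.append(f"storage: {exc}")
    if consumer_group.strip().lower() == "$default":
        problems.append("consumer group is $Default; create a dedicated consumer group for QRadar")
    if eh and eh["SAS Key Name"] == "RootManageSharedAccessKey":
        problems.append("policy is RootManageSharedAccessKey; use an event-hub-level policy with only Listen")
    if st and parse_connection_string(storage_conn)["DefaultEndpointsProtocol"].lower() != "https":
        problems.append("storage DefaultEndpointsProtocol is not https")
    return problems


if __name__ == "__main__":
    for problem in check_qradar_inputs(EVENT_HUB_CONN, CONSUMER_GROUP, STORAGE_CONN) or ["OK"]:
        print(problem)
    for name, value in event_hub_params(EVENT_HUB_CONN, CONSUMER_GROUP).items():
        print(f"{name}: {'<redacted>' if 'Key' in name or 'String' in name else value}")
```

Run it against the real strings before configuring the log source; a non-empty problem list means one of the portal steps above was done at the wrong level or with the wrong policy.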

Configure Microsoft 365 Defender Streaming API:

In the Microsoft 365 Defender portal, add a Streaming API export to Event Hub, point it at the Event Hubs Namespace and event hub created above, and select the event types to forward. Follow the Microsoft documentation:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide