Stream alerts to a SIEM, SOAR, or IT Service Management solution
Microsoft Defender for Cloud can stream your security alerts into the most popular Security Information and Event Management (SIEM), Security Orchestration Automated Response (SOAR), and IT Service Management (ITSM) solutions. Security alerts are notifications that Defender for Cloud generates when it detects threats on your resources. Defender for Cloud prioritizes and lists the alerts, along with the information needed for you to quickly investigate the problem. Defender for Cloud also provides detailed steps to help you remediate attacks. Alerts data is retained for 90 days.
There are built-in Azure tools for ensuring you can view your alert data in all of the most popular solutions in use today, including:
- Microsoft Sentinel
- Splunk Enterprise and Splunk Cloud
- IBM's QRadar
- Power BI
- Palo Alto Networks
Stream alerts to Microsoft Sentinel
Defender for Cloud natively integrates with Microsoft Sentinel, Azure's cloud-native SIEM and SOAR solution.
Microsoft Sentinel's connectors for Defender for Cloud
Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:
- Stream alerts to Microsoft Sentinel at the subscription level
- Connect all subscriptions in your tenant to Microsoft Sentinel
When you connect Defender for Cloud to Microsoft Sentinel, the status of Defender for Cloud alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert is also shown as closed in Microsoft Sentinel. If you change the status of an alert in Defender for Cloud, the status of the alert in Microsoft Sentinel is also updated, but the statuses of any Microsoft Sentinel incidents that contain the synchronized Microsoft Sentinel alert aren't updated.
You can enable the bi-directional alert synchronization feature to automatically sync the status of the original Defender for Cloud alerts with Microsoft Sentinel incidents that contain the copies of those Defender for Cloud alerts. So, for example, when a Microsoft Sentinel incident that contains a Defender for Cloud alert is closed, Defender for Cloud automatically closes the corresponding original alert.
Learn more in Connect alerts from Microsoft Defender for Cloud.
The bi-directional alert synchronization feature isn't available in the Azure Government cloud.
Configure ingestion of all audit logs into Microsoft Sentinel
Another alternative for investigating Defender for Cloud alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel:
- Connect Windows security events
- Collect data from Linux-based sources using Syslog
- Connect data from Azure Activity log
Microsoft Sentinel is billed based on the volume of data that it ingests for analysis in Microsoft Sentinel and stores in the Azure Monitor Log Analytics workspace. Microsoft Sentinel offers a flexible and predictable pricing model. Learn more at the Microsoft Sentinel pricing page.
Stream alerts to QRadar and Splunk
The export of security alerts to Splunk and QRadar uses Event Hubs and a built-in connector. You can either use a PowerShell script or the Azure portal to set up the requirements for exporting security alerts for your subscription or tenant. Then you’ll need to use the procedure specific to each SIEM to install the solution in the SIEM platform.
Before you set up the Azure services for exporting alerts, make sure you have:
- Azure subscription (Create a free account)
- Azure resource group (Create a resource group)
- Owner role on the alerts scope (subscription, management group or tenant), or these specific permissions:
- Write permissions for event hubs and the Event Hub Policy
- Create permissions for Azure AD applications, if you aren't using an existing Azure AD application
- Assign permissions for policies, if you're using the Azure Policy 'DeployIfNotExist'
Step 1: Set up the Azure services
You can set up your Azure environment to support continuous export using either:
A PowerShell script (Recommended)
Download and run the PowerShell script. Enter the required parameters and the script performs all of the steps for you. When the script finishes, it outputs the information you’ll use to install the solution in the SIEM platform.
The Azure portal
Here's an overview of the steps you'll do in the Azure portal:
- Create an Event Hubs namespace and event hub.
- Define a policy for the event hub with “Send” permissions.
- If you're streaming alerts to QRadar - Create an event hub "Listen" policy, then copy and save the connection string of the policy that you’ll use in QRadar.
- Create a consumer group, then copy and save the name that you’ll use in the SIEM platform.
- Enable continuous export of security alerts to the defined event hub.
- If you're streaming alerts to QRadar - Create a storage account, then copy and save the connection string to the account that you’ll use in QRadar.
- If you're streaming alerts to Splunk:
- Create an Azure Active Directory (AD) application.
- Save the Tenant, App ID, and App password.
- Give permissions to the Azure AD Application to read from the event hub you created before.
For more detailed instructions, see Prepare Azure resources for exporting to Splunk and QRadar.
Step 2: Connect the event hub to your preferred solution using the built-in connectors
Each SIEM platform has a tool to enable it to receive alerts from Azure Event Hubs. Install the tool for your platform to start receiving alerts.
|Tool||Hosted in Azure||Description|
|IBM QRadar||No||The Microsoft Azure DSM and Microsoft Azure Event Hubs Protocol are available for download from the IBM support website.|
|Splunk||No||Splunk Add-on for Microsoft Cloud Services is an open source project available in Splunkbase.
If you can't install an add-on in your Splunk instance, for example if you're using a proxy or running on Splunk Cloud, you can forward these events to the Splunk HTTP Event Collector using Azure Function For Splunk, which is triggered by new messages in the event hub.
Stream alerts with continuous export
To stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event Hubs:
To stream alerts at the tenant level, use this Azure policy and set the scope at the root management group. You'll need permissions for the root management group as explained in Defender for Cloud permissions: Deploy export to an event hub for Microsoft Defender for Cloud alerts and recommendations.
Enable continuous export to stream Defender for Cloud alerts into a dedicated event hub at the subscription level. To do this at the Management Group level using Azure Policy, see Create continuous export automation configurations at scale.
Connect the event hub to your preferred solution using the built-in connectors:
Tool Hosted in Azure Description SumoLogic No Instructions for setting up SumoLogic to consume data from an event hub are available at Collect Logs for the Azure Audit App from Event Hubs. ArcSight No The ArcSight Azure Event Hubs smart connector is available as part of the ArcSight smart connector collection. Syslog server No If you want to stream Azure Monitor data directly to a syslog server, you can use a solution based on an Azure function. LogRhythm No Instructions to set up LogRhythm to collect logs from an event hub are available here. Logz.io Yes For more information, see Getting started with monitoring and logging using Logz.io for Java apps running on Azure
Optionally, stream the raw logs to the event hub and connect to your preferred solution. Learn more in Monitoring data available.
To view the event schemas of the exported data types, visit the Event Hubs event schemas.
Use the Microsoft Graph Security API to stream alerts to third-party applications
As an alternative to Microsoft Sentinel and Azure Monitor, you can use Defender for Cloud's built-in integration with Microsoft Graph Security API. No configuration is required.
You can use this API to stream alerts from your entire tenant (and data from many Microsoft Security products) into third-party SIEMs and other popular platforms:
- Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On for Splunk
- Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop.
- ServiceNow - Install and configure the Microsoft Graph Security API application from the ServiceNow Store.
- QRadar - Use IBM's Device Support Module for Microsoft Defender for Cloud via Microsoft Graph API.
- Palo Alto Networks, Anomali, Lookout, InSpark, and more - Use the Microsoft Graph Security API.
This page explained how to ensure your Microsoft Defender for Cloud alert data is available in your SIEM, SOAR, or ITSM tool of choice. For related material, see: