Azure-Blob-Google-Chronicle-integration

Abbas Ali 80 Reputation points
2024-05-17T04:17:18.67+00:00

Hello,

One of my customers uses Azure Stroage services along with GCP Chronicle SIEM system. This is the design I recommended, but just wanted to share it in the forum to get some expert advice.

Diagram is also attached.

Steps:

1.     A storage account shall be created, and Blob service endpoints needs to be setup.

2.     Cloud apps shall be enabled On the Defender XDR portal.

3.     Using the Defender for cloud apps, severity of the alerts to be configured under defender for endpoint settings.

4.     Streaming API to be configured under defender for endpoint settings.

5.     On the Chronicle side. To start receiving the alerts from the storage. Feed to be configured with blob storage as the source and Microsoft Defender for Endpoint as log type.

Azure Blob Storage
Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,561 questions
0 comments No comments
{count} votes

Accepted answer
  1. Anand Prakash Yadav 7,540 Reputation points Microsoft Vendor
    2024-05-17T12:20:07.03+00:00

    Hello Abbas Ali,

    Thank you for posting your query here!

    Your steps for setting up the integration between Azure Storage, Microsoft Defender for Endpoint, and GCP Chronicle SIEM are well thought out. Here's a structured breakdown:

    1. Create a Storage Account and Set Up Blob Service Endpoints:
      • Make sure to create an Azure Storage account and configure the necessary blob service endpoints. These endpoints allow communication between your applications and the storage account.
      • Ensure that you choose the appropriate redundancy level (e.g., locally redundant storage, geo-redundant storage) based on your requirements for data durability and availability.
    2. Enable Cloud Apps in Microsoft Defender XDR Portal:
      • Enabling cloud apps in the Defender XDR portal allows you to monitor and protect your cloud resources. It’s essential for integrating with Azure Blob Storage.
      • Verify that you’ve correctly configured the Defender XDR portal to recognize your Azure resources.
    3. Configure Severity of Alerts in Defender for Endpoint Settings:
      • Severity settings determine how alerts are prioritized and presented to security teams. Consider the following:
      • Set appropriate severity levels for different types of alerts (e.g., critical, high, medium).
      • Customize severity thresholds based on your organization’s risk tolerance and incident response capabilities.
    4. Set Up Streaming API in Defender for Endpoint Settings:
      • Streaming API allows real-time ingestion of alerts and logs from Defender for Endpoint into external systems (like Chronicle SIEM).
      • Ensure that you’ve configured the correct streaming endpoint (e.g., Azure Blob Storage) and that the necessary permissions are in place.
    5. Configure Chronicle SIEM to Receive Alerts from Blob Storage:
      • On the Chronicle side, create a feed configuration that uses Azure Blob Storage as the source and Microsoft Defender for Endpoint as the log type.
      • Ensure to check the following details:
      • Blob Container: Specify the container within your storage account where the alerts will be stored.
      • Log Type Mapping: Map the relevant fields from Defender for Endpoint alerts to Chronicle’s log schema.
      • Scheduled Ingestion: Set up a schedule for ingesting data from Blob Storage into Chronicle.

    Feedback:

    · Consider using a dedicated storage account for the integration, rather than sharing it with other applications or data sources. This can improve the performance, security, and manageability of the integration.

    · Consider using a managed identity to authenticate the blob storage with the Defender XDR portal, rather than using a shared access signature (SAS) token or a storage account key. This can enhance security and reduce the risk of credential compromise or expiration.

    · Consider using a custom log type for the feed on the Chronicle side, rather than using the Microsoft Defender for Endpoint log type. This can allow for more flexibility and customization of data ingestion and analysis.

    Do let us know if you have any further queries. I’m happy to assist you further.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Abbas Ali 80 Reputation points
    2024-05-17T04:18:19.1433333+00:00
    0 comments No comments

  2. Abbas Ali 80 Reputation points
    2024-05-18T03:30:47.2033333+00:00

    Thank you Anand! One of the best responses I have seen in this forum.

    0 comments No comments