Enable Corelight data integration

Important

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Microsoft has partnered with Corelight, provider of the industry's leading open network detection and response (NDR) platform, to help you discover IoT/OT devices across your organization. Using data, sent from Corelight network appliances, Microsoft 365 Defender gains increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks.

With this data source enabled, all events from Corelight network appliances are sent to Microsoft 365 Defender. You can view these activities in the unmanaged devices timeline, available in the Microsoft Defender for Endpoint device inventory. For more information, see Device discovery.

Prerequisites

  1. To set up the Corelight data integration, the user must have the following roles:
    • Tenant Global Administrator in Azure Active Directory
    • Security Administrator for the Azure subscription that will be used for the Microsoft Defender for IoT integration
  2. An onboarded Defender for IoT plan. For more information, see Onboard Microsoft Defender for IoT with Microsoft Defender for Endpoint.

Enabling the Corelight integration

To enable the Corelight integration, you'll need to take the following steps:

Step 1: Turn on Corelight as a data source
Step 2: Provide permission for Corelight to send events to Microsoft 365 Defender
Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender

Step 1: Turn on Corelight as a data source

  1. In the navigation pane of the https://security.microsoft.com portal, select Settings > Device discovery > Data sources.

    The data sources page in the Microsoft 365 Defender portal

  2. Select Send Corelight data to M365D and select Save.

Step 2: Provide permission for Corelight to send events to Microsoft 365 Defender

Note

You must be a global admin to grant Corelight permission to access resources in your organization.

  1. As a Tenant Global Administrator, go to this link to grant permission.
  2. Go to https://security.microsoft.com portal, select Settings > Microsoft 365 Defender, and take note of the Tenant ID. You'll need this information when configuring your Corelight appliance.

Step 3: Configure your Corelight appliance to send data to Microsoft 365 Defender

Note

The integration is available in Corelight Sensor software v25 and later.

Your sensor needs internet connectivity to reach both the Defender and Corelight cloud services; without it the integration does not work.

Enable the integration in the Corelight web interface

  1. In the Corelight web interface, navigate to Sensor > Export.

    The kafka export

  2. Enable Export To Microsoft Defender.

  3. Enter your Microsoft 365 Defender Tenant ID.

  4. Optionally, you can:

    • set the Zeek Logs to Exclude. The minimal set of logs you must include is: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.
    • choose to create a Microsoft Defender Log Filter.
  5. Select Apply Changes.

Enable the integration in the corelight-client

  1. Enable Export To Microsoft Defender using the following command in the corelight-client:

    corelight-client configuration update \
    --bro.export.defender.enable True
    
  2. Set your tenant ID.

  3. Optionally, you can use the following command to exclude certain logs or to create a Microsoft Defender log filter. The minimal set of logs you must include is: dns, conn, files, http, ssl, ssh, x509, snmp, smtp, ftp, sip, dhcp, and notice.

    corelight-client configuration update \
    --bro.export.defender.exclude=<logs_to_exclude> \
    --bro.export.defender.filter=<logs_to_filter>
    
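A small pre-flight check for these corelight-client steps, added here as an example and not part of Corelight's or Microsoft's documentation: it verifies that the tenant ID has the shape of an Azure AD tenant ID (a GUID) and that the exclude list does not drop any of the minimal required logs, then prints the update command instead of running it. It assumes the exclude value is a comma-separated list of Zeek log names, as the `<logs_to_exclude>` placeholder suggests.

```shell
#!/bin/sh
# Added example (not Corelight's or Microsoft's code): sanity-check values
# before running "corelight-client configuration update".

# Minimal Zeek logs the Defender export must keep, per the procedure above.
REQUIRED_LOGS="dns conn files http ssl ssh x509 snmp smtp ftp sip dhcp notice"

# Returns 0 if $1 looks like an Azure AD tenant ID (GUID), 1 otherwise.
is_tenant_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints, one per line, every required log found in the comma-separated
# exclude list $1 (assumed format); returns 1 if any was found, else 0.
excluded_required_logs() {
  excl=$(printf '%s' "$1" | tr ',' '\n' | tr -d ' ')
  found=0
  for log in $REQUIRED_LOGS; do
    if printf '%s\n' "$excl" | grep -qx "$log"; then
      echo "$log"
      found=1
    fi
  done
  return $found
}

# Prints the update command for tenant $1 and exclude list $2 once both
# checks pass; otherwise reports the problem on stderr and returns 1.
build_exclude_command() {
  tenant="$1"; exclude="$2"
  is_tenant_id "$tenant" || { echo "invalid tenant ID: $tenant" >&2; return 1; }
  bad=$(excluded_required_logs "$exclude") || {
    echo "exclude list drops required logs: $(echo "$bad" | tr '\n' ' ')" >&2
    return 1
  }
  printf 'corelight-client configuration update --bro.export.defender.exclude=%s\n' "$exclude"
}
```

Review the printed command and run it only after both checks pass; the tenant ID and exclude list used in the test are constructed values.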