Prepare Azure resources for exporting to Splunk and QRadar

In order to stream Microsoft Defender for Cloud security alerts to IBM QRadar and Splunk, you have to set up resources in Azure, such as Event Hubs and Microsoft Entra ID. Here are the instructions for configuring these resources in the Azure portal, but you can also configure them using a PowerShell script. Make sure you review Stream alerts to QRadar and Splunk before you configure the Azure resources for exporting alerts to QRadar and Splunk.

To configure the Azure resources for QRadar and Splunk in the Azure portal:

Step 1: Create an Event Hubs namespace and event hub with send permissions

  1. In the Event Hubs service, create an Event Hubs namespace:

    1. Select Create.
    2. Enter the details of the namespace, select Review + create, and select Create.

    Screenshot of creating an Event Hubs namespace in Microsoft Event Hubs.

  2. Create an event hub:

    1. In the namespace that you created, select + Event Hub.
    2. Enter the details of the event hub, select Review + create, and then select Create.
  3. Create a shared access policy.

    1. In the Event Hub menu, select the Event Hubs namespace you created.
    2. In the Event Hub namespace menu, select Event Hubs.
    3. Select the event hub that you just created.
    4. In the event hub menu, select Shared access policies.
    5. Select Add, enter a unique policy name, and select Send.
    6. Select Create to create the policy.

    Screenshot of creating a shared policy in Microsoft Event Hubs.

Step 2: For streaming to QRadar SIEM - Create a Listen policy

  1. Select Add, enter a unique policy name, and select Listen.

  2. Select Create to create the policy.

  3. After the listen policy is created, copy the Connection string primary key and save it to use later.

    Screenshot of creating a listen policy in Microsoft Event Hubs.

Step 3: Create a consumer group, then copy and save the name to use in the SIEM platform

  1. In the Entities section of the Event Hubs event hub menu, select Event Hubs and select the event hub you created.

    Screenshot of opening the event hub Microsoft Event Hubs.

  2. Select Consumer group.

Step 4: Enable continuous export for the scope of the alerts

  1. In the Azure search box, search for "policy" and go to Policy.

  2. In the Policy menu, select Definitions.

  3. Search for "deploy export" and select the Deploy export to Event Hub for Microsoft Defender for Cloud data built-in policy.

  4. Select Assign.

  5. Define the basic policy options:

    1. In Scope, select the ... button to choose the scope to apply the policy to.
    2. Find the root management group (for tenant scope), management group, subscription, or resource group in the scope and select Select.
      • To select the tenant root management group, you need permissions at the tenant level.
    3. (Optional) In Exclusions you can define specific subscriptions to exclude from the export.
    4. Enter an assignment name.
    5. Make sure policy enforcement is enabled.

    Screenshot of assignment for the export policy.

  6. In the policy parameters:

    1. Enter the resource group where the automation resource is saved.
    2. Select resource group location.
    3. Select the ... next to the Event Hub details and enter the details for the event hub, including:
      • Subscription.
      • The Event Hubs namespace you created.
      • The event hub you created.
      • In authorizationrules, select the shared access policy that you created to send alerts.

    Screenshot of parameters for the export policy.

  7. Select Review and Create, and then select Create to finish defining the continuous export to Event Hubs.

    • When you assign the continuous export policy at the tenant (root management group) level, it automatically streams alerts from any new subscription created under that tenant.

Step 5: For streaming alerts to QRadar SIEM - Create a storage account

  1. Go to the Azure portal, select Create a resource, and select Storage account. If that option isn't shown, search for "storage account".

  2. Select Create.

  3. Enter the details for the storage account, select Review and Create, and then Create.

    Screenshot of creating storage account.

  4. After you create your storage account, go to the resource and, in the menu, select Access Keys.

  5. Select Show keys to see the keys, and copy the connection string of Key 1.

    Screenshot of copying storage account key.

Step 6: For streaming alerts to Splunk SIEM - Create a Microsoft Entra application

  1. In the menu search box, search for "Microsoft Entra ID" and go to Microsoft Entra ID.

  2. Go to the Azure portal, select Create a resource, and select Microsoft Entra ID. If that option isn't shown, search for "active directory".

  3. In the menu, select App registrations.

  4. Select New registration.

  5. Enter a unique name for the application and select Register.

    Screenshot of registering application.

  6. Copy to Clipboard and save the Application (client) ID and Directory (tenant) ID.

  7. Create the client secret for the application:

    1. In the menu, go to Certificates & secrets.
    2. Create a password (client secret) that the application uses to prove its identity when it requests a token.
    3. Select New client secret.
    4. Enter a short description, choose the expiration time of the secret, and select Add.

    Screenshot of creating client secret.

  8. After the secret is created, copy the Secret ID and save it for later use together with the Application ID and Directory (tenant) ID.

Step 7: For streaming alerts to Splunk SIEM - Allow Microsoft Entra ID to read from the event hub

  1. Go to the Event Hubs namespace you created.

  2. In the menu, go to Access control.

  3. Select Add and select Add role assignment.

  4. Select Add role assignment.

    Screenshot of adding a role assignment.

  5. In the Roles tab, search for Azure Event Hubs Data Receiver.

  6. Select Next.

  7. Select Select Members.

  8. Search for the Microsoft Entra application you created before and select it.

  9. Select Close.
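The article mentions that the same resources can be created with a PowerShell script instead of the portal. The script below is an added example (not Microsoft's own script or the one the article refers to) that performs Steps 1, 2, 3, 5, 6, and 7 with the Az PowerShell modules; the policy assignment in Step 4 is left to the portal. It assumes the parameter names of Az.EventHub 3.x and the Microsoft Graph-based Az.Resources (6.x or later); all resource names are constructed placeholders. The Send and Listen policies are created on the event hub rather than reusing the namespace RootManageSharedAccessKey, and the Microsoft Entra application only gets the Azure Event Hubs Data Receiver role, so each SIEM credential carries the minimum rights it needs.

```powershell
#Requires -Modules Az.Accounts, Az.EventHub, Az.Storage, Az.Resources
# Added example, not from the Microsoft Learn article. Assumes Az.EventHub 3.x and
# Az.Resources 6.x+ parameter names. All names below are constructed placeholders.
$ErrorActionPreference = 'Stop'

$rg       = 'rg-defender-export'        # placeholder resource group
$location = 'westeurope'
$nsName   = 'evhns-defender-export-001' # placeholder; must be globally unique
$hubName  = 'defender-alerts'
$cgName   = 'siem-consumer'
$saName   = 'stdefenderexport001'       # placeholder; lowercase, 3-24 chars, globally unique
$appName  = 'app-splunk-defender-reader'

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Step 1: namespace, event hub, and a Send-only shared access policy scoped to the
# event hub itself (the policy the export automation uses to write alerts).
$ns = New-AzEventHubNamespace -ResourceGroupName $rg -Name $nsName -Location $location -SkuName Standard
New-AzEventHub -ResourceGroupName $rg -NamespaceName $nsName -Name $hubName -PartitionCount 2 | Out-Null
New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $nsName -EventHubName $hubName `
    -Name 'defender-send' -Rights @('Send') | Out-Null

# Step 2 (QRadar): a separate Listen-only policy. Its primary connection string is the
# secret that QRadar authenticates with, so treat it like a password.
New-AzEventHubAuthorizationRule -ResourceGroupName $rg -NamespaceName $nsName -EventHubName $hubName `
    -Name 'qradar-listen' -Rights @('Listen') | Out-Null
$listenKeys = Get-AzEventHubKey -ResourceGroupName $rg -NamespaceName $nsName -EventHubName $hubName -Name 'qradar-listen'

# Step 3: a dedicated consumer group so the SIEM does not share $Default with other readers.
New-AzEventHubConsumerGroup -ResourceGroupName $rg -NamespaceName $nsName -EventHubName $hubName -Name $cgName | Out-Null

# Step 5 (QRadar): storage account whose key1 connection string the connector needs.
# TLS 1.2 minimum and no anonymous blob access keep the checkpoint store private.
New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $location -SkuName Standard_LRS `
    -Kind StorageV2 -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false | Out-Null
$saKey  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $saName)[0].Value
$saConn = "DefaultEndpointsProtocol=https;AccountName=$saName;AccountKey=$saKey;EndpointSuffix=core.windows.net"

# Step 6 (Splunk): app registration, its service principal, and a client secret.
# SecretText is only returned at creation time; it is what the Splunk connector uses.
$app      = New-AzADApplication -DisplayName $appName
$sp       = New-AzADServicePrincipal -ApplicationId $app.AppId
$cred     = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddMonths(6)
$tenantId = (Get-AzContext).Tenant.Id

# Step 7 (Splunk): data-plane read role on the namespace, matching the article's scope.
# A short wait lets the new service principal replicate before the assignment is made.
Start-Sleep -Seconds 30
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Azure Event Hubs Data Receiver' -Scope $ns.Id | Out-Null

# Return the values the SIEM operator needs. Hand them over through a secret store
# (for example Key Vault) rather than logging or committing this output.
[pscustomobject]@{
    EventHubNamespace          = $nsName
    EventHubName               = $hubName
    ConsumerGroup              = $cgName
    QRadarListenConnectionStr  = $listenKeys.PrimaryConnectionString
    QRadarStorageConnectionStr = $saConn
    SplunkTenantId             = $tenantId
    SplunkClientId             = $app.AppId
    SplunkClientSecret         = $cred.SecretText
}
```

Run the script from an account that can create resources in the subscription and role assignments on the namespace (Owner or User Access Administrator on that scope). The six-month secret expiry is a placeholder; align it with your rotation policy, and re-run only the Step 6 block to rotate the Splunk credential without touching the event hub.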

To continue setting up export of alerts, install the built-in connectors for the SIEM you're using.