Configure Microsoft Defender for Cloud Collection
Alert Logic can pull Defender for Cloud logs from the Microsoft Azure Event Hub service and generate security incidents from the logs collected for each of the following Defender for Microsoft Office 365 applications:
- Cloud Apps
- Identity
- Cloud
- XDR
- Microsoft Data Loss Prevention
- AAD Identity Protection
Before you begin
- You must have an Event Hub in your Tenant.
- You must have an Azure deployment in the Alert Logic console (for the same subscription).
- You can deploy your own Event Hub or use the Alert Logic ARM template to create one.
Configure Defender for Office 365
To get these logs into Alert Logic, configure Defender for Office 365 to send the logs to an Event Hub.
- Configure Defender to stream to your Event Hub. For more information, see Enable raw data streaming.
  For Event Types, you only need Alerts (AlertInfo and AlertEvidence).
- Configure your Event Hub for the collector setup by doing one of the following:
  - To deploy a new Event Hub, see Deploy the custom Azure Resource Manager template for a new Event Hub.
  - To collect from an existing Event Hub, see Deploy the custom Azure Resource Manager template for an existing Event Hub.
- Once the ARM template has run, the EHub collector with the same Subscription ID will appear under the Configure Log Sources section of the deployment.
Verify Log Collection
You can verify your logs by doing either of the following:
- Run a search in the Alert Logic console using this link.
- Copy and paste the following search into the Search Expert Mode page to view your Defender for Cloud Logs:

SELECT
time_recv AS "Time Received",
message AS "Message",
program AS "Syslog Program"
FROM logmsgs
WHERE message CONTAINS 'AdvancedHunting-AlertEvidence'
AND
"Syslog Program" = 'EHubGeneral'
ORDER BY "Time Received" DESC
LIMIT 1000
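The streaming step above only needs the AlertInfo and AlertEvidence tables, and the search above confirms AlertEvidence records reach Alert Logic. The following added example (not part of this page or of Alert Logic's tooling) checks the same thing one hop earlier, on a raw message read from the Event Hub: it assumes the Defender streaming API's message layout of a "records" list whose entries carry "category" and "properties", counts records per category, flags tables the collector does not use, and joins evidence rows to their alert by AlertId. The sample message and all field values are constructed.

```python
import json
from collections import Counter, defaultdict

# Event types the page says the collector needs; any other table in the hub
# means streaming was enabled more broadly than required.
EXPECTED = {"AdvancedHunting-AlertInfo", "AdvancedHunting-AlertEvidence"}

# Constructed sample of one Event Hub message in the assumed streaming API
# layout ("records" list, each with "category" and "properties"); values are made up.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2024-01-01T10:00:00Z", "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "da1", "Title": "Suspicious sign-in", "Severity": "Medium"}},
    {"time": "2024-01-01T10:00:00Z", "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da1", "EntityType": "User", "AccountName": "jdoe"}},
    {"time": "2024-01-01T10:00:01Z", "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da1", "EntityType": "Ip", "RemoteIP": "203.0.113.7"}},
    {"time": "2024-01-01T10:00:02Z", "category": "AdvancedHunting-DeviceEvents",
     "properties": {"DeviceName": "host1"}},
]})

def parse_records(message: str) -> list:
    """Return the record list from one message body; fail loudly on any other shape."""
    records = json.loads(message).get("records")
    if not isinstance(records, list):
        raise ValueError("message body has no 'records' list")
    return records

def summarize(records):
    """Count records per category and name the categories the collector does not use."""
    counts = Counter(r.get("category", "<missing>") for r in records)
    return counts, sorted(c for c in counts if c not in EXPECTED)

def join_alerts(records):
    """Group AlertEvidence rows under their AlertInfo row, keyed by AlertId."""
    alerts, evidence = {}, defaultdict(list)
    for r in records:
        props = r.get("properties", {})
        if r.get("category") == "AdvancedHunting-AlertInfo":
            alerts[props["AlertId"]] = {"title": props.get("Title"),
                                        "severity": props.get("Severity"), "evidence": []}
        elif r.get("category") == "AdvancedHunting-AlertEvidence":
            evidence[props["AlertId"]].append(props)
    for alert_id, rows in evidence.items():
        # Evidence whose AlertInfo row has not arrived yet is kept under a stub entry.
        alerts.setdefault(alert_id, {"title": None, "severity": None, "evidence": []})
        alerts[alert_id]["evidence"].extend(rows)
    return alerts
```

Run it against a message pulled from the hub instead of SAMPLE_MESSAGE; a non-empty unexpected list means the Defender streaming setting sends more tables than the Alerts selection the page calls for.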