Microsoft Defender
  • 25 Oct 2023
  • 1 Minute to read
  • Contributors
  • Dark

Microsoft Defender

  • Dark

Article Summary


LimaCharlie can ingest Microsoft 365 Defender logs via an Azure Event Hub adapter. More information on setting this up can be found here.

Telemetry Platform: msdefender

Deployment Configurations

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

  • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
  • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
  • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
  • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Adapter-specific Options

  • connection_string - The connection string provided in Azure for connecting to the Azure Event Hub, including the EntityPath=... at the end which identifies the Hub Name (this component is sometimes now shown in the connection string provided by Azure).

Guided Deployment

In the LimaCharlie web app, you can find a helper for connecting to an existing Azure Event Hub and ingesting Microsoft Defender logs.


Collecting Microsoft Defender Logs via a Binary Adapter

The following example configuration ingests Microsoft Defender logs from an Azure Event Hub to LimaCharlie.

./lc_adapter azure_event_hub client_options.identity.installation_key=<INSTALLATION_KEY> client_options.identity.oid=<OID> client_options.platform=msdefender client_options.sensor_seed_key=<SENSOR_SEED_KEY> client_options.hostname=msdefender "connection_string=Endpoint=sb://;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=fnaaaaaaaaaaaaaaak0g54alYbbbbbbbbbbbbbbbALQ=;EntityPath=lc-stream"

Was this article helpful?