Microsoft Defender
  • 05 Oct 2024
  • 1 Minute to read
  • Contributors
  • Dark
    Light

Microsoft Defender

  • Dark
    Light

Article summary

Overview

LimaCharlie can ingest Microsoft 365 Defender logs via an Azure Event Hub Adapter. More information on setting this up can be found here.

Documentation for creating an event hub can be found here here.

Telemetry Platform: msdefender

Deployment Configurations

All adapters support the same client_options, which you should always specify if using the binary adapter or creating a webhook adapter. If you use any of the Adapter helpers in the web app, you will not need to specify these values.

  • client_options.identity.oid: the LimaCharlie Organization ID (OID) this adapter is used with.
  • client_options.identity.installation_key: the LimaCharlie Installation Key this adapter should use to identify with LimaCharlie.
  • client_options.platform: the type of data ingested through this adapter, like text, json, gcp, carbon_black, etc.
  • client_options.sensor_seed_key: an arbitrary name for this adapter which Sensor IDs (SID) are generated from, see below.

Adapter-specific Options

  • connection_string - The connection string provided in Azure for connecting to the Azure Event Hub, including the EntityPath=... at the end which identifies the Hub Name (this component is sometimes now shown in the connection string provided by Azure).

Guided Deployment

In the LimaCharlie web app, you can find a helper for connecting to an existing Azure Event Hub and ingesting Microsoft Defender logs.

image.png

Collecting Microsoft Defender Logs via a Binary Adapter

The following example configuration ingests Microsoft Defender logs from an Azure Event Hub to LimaCharlie.

./lc_adapter azure_event_hub client_options.identity.installation_key=<INSTALLATION_KEY> client_options.identity.oid=<OID> client_options.platform=msdefender client_options.sensor_seed_key=<SENSOR_SEED_KEY> client_options.hostname=msdefender "connection_string=Endpoint=sb://mynamespace.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=fnaaaaaaaaaaaaaaak0g54alYbbbbbbbbbbbbbbbALQ=;EntityPath=lc-stream"


Was this article helpful?